What is an Incident Response Playbook?

04.04.2019 Read
What is an Incident Response Playbook?

Automation in security solutions has gained traction in the last 2-3 years and a SOAR solution is a prime example. SOAR stands for Security Orchestration, Automation, and Response. Without a doubt, automation is the need of the hour for an organization’s cyber security and SOAR rightly helps your SOC by enabling the internal security team to focus on serious and important events or incidents, instead of going through a plethora of events with no or minimal risk.

We have previously discussed two of the most important questions related to a SOAR solution i.e.

  1. Do you need a SOAR solution?
  2. If yes, how do you select a particular service provider?

In this post, we will discuss incident response playbooks which are the backbone of a SOAR solution.

Defining an incident response playbook

A SOAR solution has a set of standard use cases such as malware analysis, threat hunting, incident severity assignment, VPN Checks, phishing attacks, etc. Incident response playbooks ensure that the objectives of these use cases are met. An incident response playbook can be defined as a set of rules which get triggered due to one or more security events and accordingly, a pre-defined action is executed with input data.

For example, an employee receives a targeted email from an attacker containing malicious links. Immediately, the SOAR solution detects this event and triggers the corresponding playbook. This playbook examines the trustworthiness of the link and takes an action such as block the sender’s email from sending further email, log out the corresponding employee from his system, etc.

An ideal SOAR solution comes with a set of pre-defined and tested playbooks and depending upon further requirements of an organization, new playbooks can be created.

Can playbooks be shared across different organizations?

The answer to the above-given question is indeed affirmative and this sharing is often mutual where how a playbook is defined remains constant. We recommend must-have five components in a playbook –

  1. Initiation: The entire process of an incident response playbook is triggered upon detection of an event. The condition when a particular playbook comes into action directly related to a security issue.
  2. Process: This is a core component in an entire playbook and it incorporates certain key steps such as generation and authorization of response actions, quarantining, etc. Simultaneously, these steps improve the automation capability, although with human oversight.
  3. Best Practice & Local Policies: For mutual sharing of playbooks, similarity in this component is essential. As best practices and local policies vary from one industry to another, the scope of sharing of playbooks is somewhat restricted.
  4. Completion: In this component of the playbook, the desired action is taken depending upon the initiation component and accordingly, the playbook is completed.
  5. Governance & Regulatory Requirements: This component fulfils regulatory requirements such as recording logs, actions taken, etc. In case of a regulatory or a legal proceeding, this component assists an organization to prove that there was no negligence at their end.