More about playbooks

Previously, you learned that playbooks are tools used by cybersecurity professionals to identify and respond to security issues. In this reading, you’ll learn more about playbooks and their purpose in the field of cybersecurity.

Playbook overview

A playbook is a manual that provides details about any operational action. Essentially, a playbook provides a predefined and up-to-date list of steps to perform when responding to an incident.

Playbooks are accompanied by a strategy. The strategy outlines expectations of team members who are assigned a task, and some playbooks also list the individuals responsible. The outlined expectations are accompanied by a plan. The plan dictates how the specific task outlined in the playbook must be completed.

Playbooks should be treated as living documents, which means that they are frequently updated by security team members to address industry changes and new threats. Playbooks are generally managed as a collaborative effort, since security team members have different levels of expertise.

Updates are often made if:

A failure is identified, such as an oversight in the outlined policies and procedures, or in the playbook itself.
There is a change in industry standards, such as changes in laws or regulatory compliance.
The cybersecurity landscape changes due to evolving threat actor tactics and techniques.

Types of playbooks

Playbooks sometimes cover specific incidents and vulnerabilities. These might include ransomware, vishing, business email compromise (BEC), and other attacks previously discussed. Incident and vulnerability response playbooks are very common, but they are not the only types of playbooks organizations develop.

Each organization has a different set of playbook tools, methodologies, protocols, and procedures that they adhere to, and different individuals are involved at each step of the response process, depending on the country they are in. For example, incident notification requirements from government-imposed laws and regulations, along with compliance standards, affect the content in the playbooks. These requirements are subject to change based on where the incident originated and the type of data affected.

Incident and vulnerability response playbooks

Incident and vulnerability response playbooks are commonly used by entry-level cybersecurity professionals. They are developed based on the goals outlined in an organization’s business continuity plan. A business continuity plan is an established path forward allowing a business to recover and continue to operate as normal, despite a disruption like a security breach.

These two types of playbooks are similar in that they both contain predefined and up-to-date lists of steps to perform when responding to an incident. Following these steps is necessary to ensure that you, as a security professional, are adhering to legal and organizational standards and protocols. These playbooks also help minimize errors and ensure that important actions are performed within a specific timeframe.

When an incident, threat, or vulnerability occurs or is identified, the level of risk to the organization depends on the potential damage to its assets. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. For this reason, a sense of urgency is essential. Following the steps outlined in playbooks is also important if any forensic task is being carried out. Mishandling data can easily compromise forensic data, rendering it unusable.

Common steps included in incident and vulnerability playbooks include:

Preparation
Detection
Analysis
Containment
Eradication
Recovery from an incident

Additional steps include performing post-incident activities, and a coordination of efforts throughout the investigation and incident and vulnerability response stages.

Key takeaways

It is essential to refine processes and procedures outlined in a playbook. With every documented incident, cybersecurity teams need to consider what was learned from the incident and what improvements should be made to handle incidents more effectively in the future. Playbooks create structure and ensure compliance with the law.

Resources for more information

Incident and vulnerability response playbooks are only two examples of the many playbooks that an organization uses. If you plan to work as a cybersecurity professional outside of the U.S., you may want to explore the following resources:

Play It Safe: Manage Security Risks Introduction to Cert 2

Course 2 overview

Google Cybersecurity Certificate glossary

Welcome to week 1

Explore the CISSP security domains, Part 1

Explore the CISSP security domains, Part 2

Security domains cybersecurity analysts need to know

Ashley: My path to cybersecurity

Threats, risks, and vulnerabilities

Herbert: Manage threats, risks, and vulnerabilities

NIST’s Risk Management Framework

Manage common threats, risks, and vulnerabilities

Wrap-up

Welcome to week 2

Frameworks

Controls

The relationship between frameworks and controls

Explore the CIA triad

Use the CIA triad to protect organizations

NIST frameworks

OWASP security principles

More about OWASP security principles

Wajih: Stay up-to-date on the latest cybersecurity threats

More about security audits

Welcome to week 3

Logs and SIEM tools

SIEM dashboards

The future of SIEM tools

Parisa: The parallels of accessibility and security

Explore common SIEM tools

More about cybersecurity tools

Talya: Myths about the cybersecurity field

Use SIEM tools to protect organizations

Wrap-up

Welcome to Week 4

Phases of an incident response playbook

More about playbooks

Zack: Incident response and the value of playbooks

Use a playbook to respond to threats, risks, or vulnerabilities

Erin: The importance of diversity of perspective on a security team

Playbooks, SIEM tools, and SOAR tools

Wrap-up

More about playbooks

Playbook overview

Types of playbooks

Incident and vulnerability response playbooks

Key takeaways

Resources for more information

No Comments