Canned Playbooks: Are They Realistic?

One of the new ideas we had for a 2019 research paper is something clients often (well, often–ish) ask about: what to do if you encounter a particular threat or a type of an incident? A sort of a playbook for confirmation, investigation and response to a particular threat type.

Naturally, most threats in real life would be relatively mundane and – here I will make a faux pas and call “a threat actor” a threat – not of the “OMG I MET A GOTHIC PANDA IN A DARK ALLEY” variety. You know, of the non-targeted / non-APT variety. So the list of the situations is finite and easily enumerable.

Now, admittedly SOAR vendors are doing this, with modicum of success. But even their playbooks suffer from the below problem and few if any are truly usable without changes.

So, here is our conundrum:

I. Such a project is realistic [but useless] at a high level of abstraction.

II. Such a project is likely unrealistic at a low level of abstraction since most people use different tools.

Here, choice #I
  1. Receive an indication of malware
  2. Confirm indication
  3. Remove malware.
  4. <eh? this is a waste of time!>

Now, choice #II

  1. See an alert in your SIEM (brand A) that says <this>
  2. Look at the field called <that>
  3. Use this EDR tool (brand B) that can …
  4. <loses patience, realizes the futility of this and leaves>

I’ve utilized the above logic as an excuse to not try it. However, organizations that are only starting their security operations, detection and response journeys are asking for it more and more.


  • Do you think this is worth doing?
  • Do you think this is actually doable?

Vaguely related posts:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: