How to build an incident response playbook

A playbook is a set of rules describing at least one action to be executed on input data and triggered by one or more events. It is a critical component of security operations, especially in relation to security orchestration, automation and response (SOAR), and it is meant to represent a basic security process in a generalized way that can be reused across a variety of organizations.

According to IACD, “playbooks bridge the gap between an organization’s policies and procedures and a security automation and orchestration (SAO) [solution].”

Incident response playbooks can be shared across organizations and include common components, such as:

  • Initiating condition: The event that triggers the rest of the playbook steps; it is usually the security issue the entire playbook addresses.
  • Process steps: The core component of the playbook, covering every major action the organization must take to satisfy the policies and procedures triggered by the initiating condition, such as generating response actions, authorizing responses and quarantining affected assets. Steps should be written so that they can be automated later (with human oversight), even if the organization does not yet have that capability.
  • Best practices and local policies: Activities that may be conducted in addition to the core process steps; they depend on the organization and its industry.
  • End state: The desired outcome, given the initiating condition, that marks the playbook as complete.
  • Relation to governance and regulatory requirements: A mapping of key process steps to the controls required by applicable compliance and regulatory obligations.

How to Build a Cybersecurity Playbook

Here are the steps the IACD recommends following to construct a playbook:

  1. Identify the initiating condition.
  2. List all possible actions that could occur in response to the initiating condition.
  3. Categorize each action as “required” (it must occur to mitigate the threat) or “optional” (a best practice rather than a necessity).
  4. Build the playbook process order using only the “required” actions identified in step 3.
  5. Determine whether the “optional” actions can be grouped by activity or function (e.g., monitoring, enriching, responding, verifying or mitigating).
  6. Modify the process created in step 4 to indicate where the optional actions would occur.
  7. Insert the categorized optional actions into the options box below the process steps box of the playbook diagram.
  8. Identify the end state, or the initiating condition of another playbook that this one hands off to.
  9. List the regulatory laws and requirements that the playbook satisfies.

Incident Response Playbook Example

The following is an example of a phishing playbook that an organization might use:

[Figure: incident response playbook example (phishing)]
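
The components and build steps above map naturally onto data and code, which is how a SOAR platform would run them. The following is an added example, not code from the original post or from Swimlane and not a transcription of the figure: a minimal Python playbook runner in which a Playbook carries an initiating condition, an ordered list of required and optional steps grouped by function, an end state and a hand-off to another playbook's initiating condition, exercised by an illustrative phishing playbook. The step names, the reputation list, the reported message and the proxy log lines are constructed for the example; a real deployment would replace the local lookups with calls to the mail, reputation and proxy systems and would prompt an analyst at the authorization gates instead of auto-approving.

```python
# Added example: a minimal playbook runner encoding the components and build steps above.
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

@dataclass
class Step:
    name: str
    function: str        # activity grouping: enriching, responding, verifying, mitigating
    required: bool       # True: must occur to mitigate the threat; False: a best practice
    action: Callable[[dict], dict]
    needs_authorization: bool = False   # a human approves before the action executes

@dataclass
class Playbook:
    name: str
    initiating_condition: str   # event type that triggers this playbook
    steps: list                 # process order, with optional steps where they would occur
    end_state: str
    regulatory_refs: tuple = ()                                   # step 9: filled in per organization
    hand_off: Callable[[dict], Optional[str]] = lambda ctx: None  # step 8: next initiating condition

@dataclass
class RunResult:
    executed: list
    skipped: list
    context: dict
    next_trigger: Optional[str]

def run_playbook(pb: Playbook, event: dict, capabilities: set,
                 approve: Callable[[Step, dict], bool]) -> RunResult:
    """Required steps always run; optional steps run only for functions in `capabilities`;
    steps flagged needs_authorization run only when approve() returns True."""
    if event.get("type") != pb.initiating_condition:
        raise ValueError(f"event {event.get('type')!r} does not trigger {pb.name}")
    ctx, executed, skipped = dict(event), [], []
    for step in pb.steps:
        if not step.required and step.function not in capabilities:
            skipped.append(step.name)    # optional and not yet automatable here
            continue
        if step.needs_authorization and not approve(step, ctx):
            if step.required:
                raise RuntimeError(f"required step {step.name!r} was not authorized")
            skipped.append(step.name)
            continue
        ctx = step.action(ctx)
        executed.append(step.name)
    return RunResult(executed, skipped, ctx, pb.hand_off(ctx))

KNOWN_BAD_DOMAINS = {"login-example.invalid"}   # constructed; stands in for a reputation service
PROXY_LOG = [                                    # constructed web proxy records
    "2024-01-01T10:02:11Z user=alice dst=login-example.invalid action=allowed",
    "2024-01-01T10:05:40Z user=bob dst=intranet.example action=allowed",
]

def extract_indicators(ctx: dict) -> dict:       # required enrichment: URLs and domains
    urls = re.findall(r"https?://[^\s<>\"']+", ctx["body"])
    domains = {urlparse(u).hostname for u in urls} | {ctx["sender"].rsplit("@", 1)[-1]}
    return {**ctx, "urls": urls, "domains": sorted(d for d in domains if d)}

def reputation_lookup(ctx: dict) -> dict:
    return {**ctx, "malicious": any(d in KNOWN_BAD_DOMAINS for d in ctx["domains"])}
def quarantine_message(ctx: dict) -> dict:
    return {**ctx, "actions": ctx.get("actions", []) + [f"quarantine:{ctx['message_id']}"]}
def block_sender_domain(ctx: dict) -> dict:
    return {**ctx, "actions": ctx.get("actions", []) + [f"block:{ctx['sender'].rsplit('@', 1)[-1]}"]}
def verify_no_clicks(ctx: dict) -> dict:         # which users reached an extracted domain?
    hits = [re.search(r"user=(\S+)", line).group(1) for line in PROXY_LOG
            if any(f"dst={d}" in line for d in ctx["domains"])]
    return {**ctx, "clicks": hits}

PHISHING_PLAYBOOK = Playbook(                    # illustrative; not the figure from the original post
    name="phishing_triage",
    initiating_condition="user_reported_phishing",
    steps=[
        Step("extract_indicators", "enriching", True, extract_indicators),
        Step("reputation_lookup", "enriching", False, reputation_lookup),
        Step("quarantine_message", "responding", True, quarantine_message, needs_authorization=True),
        Step("block_sender_domain", "mitigating", False, block_sender_domain, needs_authorization=True),
        Step("verify_no_clicks", "verifying", False, verify_no_clicks),
    ],
    end_state="reported message removed from all mailboxes",
    hand_off=lambda ctx: "compromised_endpoint" if ctx.get("clicks") else None,
)

SAMPLE_EVENT = {                                 # constructed user report
    "type": "user_reported_phishing",
    "message_id": "<msg-0001@example.invalid>",
    "sender": "it-support@login-example.invalid",
    "body": "Your mailbox is full. Verify at http://login-example.invalid/reset within 24h.",
}

def demo(capabilities: set) -> RunResult:
    # The auto-approve lambda stands in for the analyst prompt a real SOAR would raise.
    return run_playbook(PHISHING_PLAYBOOK, SAMPLE_EVENT, capabilities, lambda step, ctx: True)

if __name__ == "__main__":
    print(demo({"enriching", "responding", "verifying", "mitigating"}), demo({"responding"}), sep="\n")
```

Run with the full capability set, all five steps execute and the result hands off to a hypothetical compromised_endpoint playbook because the constructed proxy log shows a user reaching the phishing domain. Run with only the responding capability, the required steps still execute, the optional ones are skipped and there is no hand-off, which is the point of separating required from optional steps: the playbook stays valid before the automation behind the optional steps exists, and the required steps are never silently dropped (an unauthorized required step raises instead).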

*** This is a Security Bloggers Network syndicated blog from Swimlane authored by Sydni Williams-Shaw. Read the original post at: https://swimlane.com/blog/incident-response-playbook/