4 reasons to rethink incident response playbooks

Dec. 15, 2017
Hackers love the static nature of concrete policy

For enterprise security teams, playbooks have long been a staple of the incident response strategy. The common opinion is, the better your playbooks, the more protected you’ll be in the event of a security incident. Teams lean on these documents to guide them through the response tactics of multiple threat scenarios, from ransomware to malware infection to the penetration of privileged user accounts.

But there is a downside to playbooks that can also make them a major liability. Because playbooks are only useful against known threats, using known tactics against known adversaries, they can give a false sense of security.

WannaCry: A wake-up call?

For example, the WannaCry ransomware attack spread rapidly around the world, infecting more than 230,000 computers in 150 countries. Critical systems like the UK's National Health Service and a large telecom in Spain were caught up in the attack. Once infected, organizations were denied access to the encrypted files, applications and systems, receiving a display message from the hackers demanding the equivalent of $300 in bitcoin.

While the hackers used a known vulnerability in Microsoft operating systems, the threat itself was unknown until it was too late. Ultimately, it came down to a security analyst in the UK who created a “kill switch” after reverse-engineering samples of the WannaCry malware code.

Many security vendors have issued “WannaCry playbooks” since the attack, but the question is, how useful will they be? Even the cybersecurity researcher who stopped the attack warned that the threat wasn’t over – hackers could easily evolve this code into something even more resilient and sinister. While WannaCry is now a known threat, “WannaCry 2.0” – or whatever it will be called – won’t be.

The reality is, hackers play by their own set of rules, and the threat tactics they use are ever-evolving. This means playbooks leave gaps in security posture because they rely on established criteria. But that’s not the only problem. Here are four more reasons the cybersecurity community must rethink the incident response playbook:

  1. They’re too tactical. Playbooks consist of a pre-assembled set of tasks triggered by the detection of a threat. This means that teams get bogged down in reactive, tactical checklists and steps, instead of placing more effort on strategic, proactive activity that can help prevent attacks.

 2. They’re not dynamic. Playbooks are static documents that translate incident response processes into integrations. If you change the process or the involved systems, then you need to update the code that implements the integrations.

  1. They don’t let security pros learn. Because of their static nature, playbooks can feed into the cybersecurity skills gap. Security analysts need to continue to learn about advanced analytics data so they can make informed decisions about emerging threat vectors, just as the security researcher did to create the WannaCry kill switch. That kind of problem-solving requires critical thinking and the room to get creative. However, reliance on playbooks can result in an environment in which analysts only learn what it takes to complete a series of tasks. Playbooks should take into account organization-specific factors or the skill advancement of the analyst. But instead, security analysts cannot apply their own insight into the response based on what they learned from an incident.
  1. Hackers love them. Because playbooks create a standard response to threats, hackers can easily determine how a specific organization will respond to a known threat. It’s the equivalent of a defensive line in football already knowing where the quarterback will throw the ball. Hackers are well-versed in the use of playbooks and often use them a distraction. By targeting an organization with a tactic that triggers a known response, and then launching a new attack while the team is busy responding to the distraction, hackers can keep the response team busy while doing real damage.

Enterprises must come to grips with the fact that relying on traditional playbooks for incident response is not sustainable. While your business may survive an individual attack today, the failure to keeping pace with the threats of tomorrow will ultimately put you at risk.

Evolving the playbook with data science

Cybersecurity attacks are occurring with increased complexity and frequency, and they can no longer be addressed effectively with manual processes or traditional workflow automation tools. The next generation of response requires a deeper understanding of the data involved in each attack, instead of a set list of tasks that may be outdated by the time the next attack hits.

With the development of artificial intelligence (AI) and machine learning, a new generation of response tools must have the ability to leverage advanced data science to collect and contextualize cybersecurity data from internal systems, such as a SIEM platform, and external sources, such as a security analyst’s mitigation notes from a previous attack. This approach will give security teams the power to extract meaningful insights and provide more sophisticated automation throughout the entire incident response lifecycle.

Implementing the capabilities of data science in response means that traditional playbooks can now evolve into advanced, strategic tools that consider previous threats and how the security team responded – learning from past successes or failures. Instead of automating workflow or processes, this new breed of solutions will use automation to transform threat data into actionable intelligence, and can even escalate incidents using machine learning to score the possible impact of potential threats. This approach allows security analysts to make the call on what needs immediate attention, as opposed to referring to the playbook for a list of static steps that may or may not apply to a specific situation.

Under this new model, when incident alerts come into a security team, security analysts can instantly see the direct relationships between past incidents and current indicators, as well as indirect relationships that are uncovered through advanced analysis. Then, the team can fully understand the context associated with an individual alert or security event, so they can take immediate action – no static checklists, no outdated processes.

By moving away from playbooks and workflow orchestration and instead having an aggregated, contextualized set of incident and threat data, organizations can automatically create and monitor the customized metrics they need to fully understand their cyber risk landscape and adapt to today’s dynamic persistent attacks.

 About the author

Liz Maida is the CEO and co-founder of Uplevel Security, a provider of an adaptive system of intelligence to detect, analyze and resolve cybersecurity threats. Previously, Maida was with Akamai Technologies, serving in multiple executive roles focused on technology strategy and new product development, including DDoS mitigation, fraud detection and more.