[BreachExchange] 4 reasons to rethink incident response playbooks

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 18 18:59:43 EST 2017


http://www.securityinfowatch.com/article/12383809/4-reasons-to-rethink-incident-response-playbooks

For enterprise security teams, playbooks have long been a staple of the
incident response strategy. The common opinion is that the better your
playbooks, the more protected you’ll be in the event of a security
incident. Teams lean on these documents to guide them through the response
tactics for multiple threat scenarios, from ransomware to malware infection
to the compromise of privileged user accounts.

But there is a downside to playbooks that can also make them a major
liability. Because playbooks are only useful against known threats, using
known tactics against known adversaries, they can give a false sense of
security.

WannaCry: A wake-up call?

For example, the WannaCry ransomware attack spread rapidly around the
world, infecting more than 230,000 computers in 150 countries. Critical
systems like the UK's National Health Service and a large telecom in Spain
were caught up in the attack. Once infected, organizations were denied
access to the encrypted files, applications and systems, receiving a
display message from the hackers demanding the equivalent of $300 in
bitcoin.

While the hackers used a known vulnerability in Microsoft operating
systems, the threat itself was unknown until it was too late. Ultimately,
it came down to a security analyst in the UK who created a “kill switch”
after reverse-engineering samples of the WannaCry malware code.

Many security vendors have issued “WannaCry playbooks” since the attack,
but the question is, how useful will they be? Even the cybersecurity
researcher who stopped the attack warned that the threat wasn’t over –
hackers could easily evolve this code into something even more resilient
and sinister. While WannaCry is now a known threat, “WannaCry 2.0” – or
whatever it will be called – won’t be.

The reality is, hackers play by their own set of rules, and the threat
tactics they use are ever-evolving. This means playbooks leave gaps in
security posture because they rely on established criteria. But that’s not
the only problem. Here are four more reasons the cybersecurity community
must rethink the incident response playbook:

1. They’re too tactical. Playbooks consist of a pre-assembled set of tasks
triggered by the detection of a threat. This means that teams get bogged
down in reactive, tactical checklists and steps, instead of placing more
effort on strategic, proactive activity that can help prevent attacks.

2. They’re not dynamic. Playbooks are static documents that translate
incident response processes into integrations. If you change the process or
the involved systems, then you need to update the code that implements the
integrations.

3. They don’t let security pros learn. Because of their static nature,
playbooks can feed into the cybersecurity skills gap. Security analysts
need to continue to learn about advanced analytics data so they can make
informed decisions about emerging threat vectors, just as the security
researcher did to create the WannaCry kill switch. That kind of
problem-solving requires critical thinking and the room to get creative.
However, reliance on playbooks can result in an environment in which
analysts only learn what it takes to complete a series of tasks. Playbooks
should take into account organization-specific factors and the skill
advancement of the analyst; instead, security analysts are left unable to
apply their own insight to the response based on what they learned from a
previous incident.

4. Hackers love them. Because playbooks create a standard response to
threats, hackers can easily determine how a specific organization will
respond to a known threat. It’s the equivalent of a defensive line in
football already knowing where the quarterback will throw the ball. Hackers
are well-versed in the use of playbooks and often use them as a distraction.
By targeting an organization with a tactic that triggers a known response,
and then launching a new attack while the team is busy responding to the
distraction, hackers can keep the response team occupied while doing real
damage.

Enterprises must come to grips with the fact that relying on traditional
playbooks for incident response is not sustainable. While your business may
survive an individual attack today, the failure to keep pace with the
threats of tomorrow will ultimately put you at risk.

Evolving the playbook with data science

Cybersecurity attacks are occurring with increased complexity and
frequency, and they can no longer be addressed effectively with manual
processes or traditional workflow automation tools. The next generation of
response requires a deeper understanding of the data involved in each
attack, instead of a set list of tasks that may be outdated by the time the
next attack hits.

With the development of artificial intelligence (AI) and machine learning,
a new generation of response tools must have the ability to leverage
advanced data science to collect and contextualize cybersecurity data from
internal systems, such as a SIEM platform, and external sources, such as a
security analyst’s mitigation notes from a previous attack. This approach
will give security teams the power to extract meaningful insights and
provide more sophisticated automation throughout the entire incident
response lifecycle.

Implementing the capabilities of data science in response means that
traditional playbooks can now evolve into advanced, strategic tools that
consider previous threats and how the security team responded – learning
from past successes or failures. Instead of automating workflow or
processes, this new breed of solutions will use automation to transform
threat data into actionable intelligence, and can even escalate incidents
using machine learning to score the possible impact of potential threats.
This approach allows security analysts to make the call on what needs
immediate attention, as opposed to referring to the playbook for a list of
static steps that may or may not apply to a specific situation.

Under this new model, when incident alerts come into a security team,
security analysts can instantly see the direct relationships between past
incidents and current indicators, as well as indirect relationships that
are uncovered through advanced analysis. Then, the team can fully
understand the context associated with an individual alert or security
event, so they can take immediate action – no static checklists, no
outdated processes.
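The "direct and indirect relationships" and impact scoring described in the two preceding sections, as an added illustration that is not part of the original article and not any vendor's product: past incidents are indexed by the indicators seen in them, an incoming alert is linked directly to incidents sharing one of its indicators and indirectly to incidents one hop away through those incidents' other indicators, and a simple weighted heuristic (standing in for the machine-learning model the article mentions) scores the alert. All incident IDs, indicators and impact values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: past incidents, the indicators observed in each,
# and the impact an analyst assigned at closure (0-10). Addresses and domains
# are documentation/example values, not real infrastructure.
PAST_INCIDENTS = {
    "INC-001": {"indicators": {"198.51.100.7", "evil.example", "sha256:a1b2"}, "impact": 8},
    "INC-002": {"indicators": {"evil.example", "sha256:c3d4"}, "impact": 5},
    "INC-003": {"indicators": {"sha256:c3d4", "203.0.113.9"}, "impact": 3},
    "INC-004": {"indicators": {"benign.example"}, "impact": 1},
}


def build_index(incidents):
    """Map each indicator to the set of past incidents it was observed in."""
    index = defaultdict(set)
    for inc_id, inc in incidents.items():
        for ioc in inc["indicators"]:
            index[ioc].add(inc_id)
    return index


def relate_alert(alert_iocs, incidents, index):
    """Return (direct, indirect) incident sets for an alert's indicators.

    direct   - incidents that share at least one indicator with the alert
    indirect - incidents reachable in one hop via a direct incident's other
               indicators, excluding the direct ones (the 'uncovered' links)
    """
    direct = set()
    for ioc in alert_iocs:
        direct |= index.get(ioc, set())
    indirect = set()
    for inc_id in direct:
        for ioc in incidents[inc_id]["indicators"]:
            indirect |= index.get(ioc, set())
    return direct, indirect - direct


def score_alert(alert_iocs, incidents=PAST_INCIDENTS, index=None):
    """Heuristic impact score (assumption: full weight for direct links,
    half weight for indirect ones); returns (score, direct, indirect)."""
    index = index if index is not None else build_index(incidents)
    direct, indirect = relate_alert(alert_iocs, incidents, index)
    score = sum(incidents[i]["impact"] for i in direct)
    score += 0.5 * sum(incidents[i]["impact"] for i in indirect)
    return float(score), direct, indirect


if __name__ == "__main__":
    # Constructed alert: a known hash plus an address never seen before.
    print(score_alert({"sha256:c3d4", "10.0.0.5"}))
```

Analysts triaging from such output still make the final call; the score only orders the queue and surfaces the prior incidents worth reading before acting.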

By moving away from playbooks and workflow orchestration and instead having
an aggregated, contextualized set of incident and threat data,
organizations can automatically create and monitor the customized metrics
they need to fully understand their cyber risk landscape and adapt to
today’s dynamic persistent attacks.