Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/28/2017
10:30 AM
Liz Maida
Liz Maida
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Throw Out the Playbooks to Win at Incident Response

Four reasons why enterprises that rely on playbooks give hackers an advantage.

For coaches and athletes, playbooks are invaluable. Games played by a set of known rules can benefit from playbooks that help teams use variations of known tactics against known opponents to gain a competitive advantage. But for enterprise security teams, playbooks can be more like an Achilles heel, especially as an incident response tactic. They create a sense of false security because playbooks are only useful against known threats, using known tactics against known adversaries.

Unlike athletes in organized sports, hackers play by their own set of rules, and threat tactics are ever-evolving. This means playbooks, by definition, leave gaps in security because they rely on established criteria. Additionally, playbooks place a heavy workload on security teams, creating even more vulnerabilities for enterprises.

First, playbooks consist of a pre-assembled set of tasks triggered by the detection of a recognized threat. Many organizations use some form of workflow orchestration to create and/or automate a task list, but the actual tasks are still manually performed by a security analyst. This means that teams get bogged down in reactive, tactical responses, instead of placing more effort into strategic, proactive activity to help prevent attacks.

Second, playbooks are very static, as they involve translating response processes into integrations. If you change the process or the involved systems, then you need to update the code that implements the integrations. Playbooks and orchestration are just continuing the tradition of viewing incident response as a process problem.

Third, since playbooks create a standard response to threats, hackers can easily determine how a specific organization will respond to a known threat. It’s the equivalent of a defensive line already knowing where the quarterback is going to throw the ball. Hackers use playbooks as a distraction by targeting an organization with a tactic that triggers a known response, and then launching a new attack while the team is busy responding to the distraction. This results in a loss of productivity and increases the chances that the real attack achieves its intended purpose.  

Lastly, the use of playbooks caters to the skills gap that is plaguing security teams, rather than encouraging skill advancement. Reliance on playbooks has created an environment in which analysts only learn what it takes to complete the series of tasks, and that requires a broad, lower level understanding of a known threat. This has hindered the skills growth and put the business at risk. Playbooks do not take into account organization-specific factors or the skill advancement of the analyst, because she does not get to apply her own insight into the response and build her skillset based on what she may have learned through this experience.

Enterprises relying on playbooks for incident response are doing themselves a disservice. While they may survive an attack today, they are not taking a forward-looking approach to keeping pace with the threats of tomorrow. 

Related Content:

 

 

Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/1/2017 | 3:25:58 PM
Re: Dynamic vs Disposal
Agree - it must be a dynamic, living document as the threat landscape is the same.  But, also, it must first EXIST and I would wager that the staff at Merck dearly wished they had one earlier in June!!!
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/1/2017 | 7:42:51 AM
Playbooks provide format
ONLY - and they need to be constantly revised and updated, like disaster recovery plans for business continuity.  I have seen copies of this document on business shelves from 3 years ago - OH, I think the business has changed somewhat since 2003, right?  Secondly, we are always 15 minutes behind the hackers.  They are forever ahead of us and so our plans have to be consistently updated.  Third, playbook should NOT be written in STONE forever.  The Royal Navy in the age of sail concentrated every single act and policy to FIGHTING INSTRUCTIONS which could never EVER be deviated from.  Rigid.  Malware plans have to be flexible to encounter the New and Unexpected situations where no malware response has gone before.  
rkappam
50%
50%
rkappam,
User Rank: Apprentice
7/31/2017 | 2:08:06 PM
Re: Dynamic vs Disposal
Sounds interesting, but play book can be predicted by any IT Security experienced guy. Moreoever it would only give us how the incident would be handeled, which means we are talking about which already detected. Once you detect, we would some how remediate/ format/ getover it. 

Any smart hacker would try to hide himself, so he should try to focus on detection system company has it. Then he will make SOC busy with known attacks and slowly would try to get into network through non-detected place. 

I believe, rather looking at play book, person would focus on detection system. Or vulnerability in detection system. 

These information would be known by ex-employees of company. We should be more think about it. 

 
LMaida
50%
50%
LMaida,
User Rank: Author
7/28/2017 | 3:20:27 PM
Re: Dynamic vs Disposal
Yes, it's just dependent on how you define playbook and whether you believe they are inherently static/pre-configured. There's also an aspect of the level of human involvement in redefining the playbook vs software automation. 
InfosecCanuck
100%
0%
InfosecCanuck,
User Rank: Apprentice
7/28/2017 | 11:05:28 AM
Dynamic vs Disposal
I actually agree with almost everything here but I would tend to think a dynamic, evolving playbook would be the solution as opposed to throwing out the playbook. Organizations need to have some documented standard as to how they respond, no? Perhaps that was the point you were getting at and I missed it.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23281
PUBLISHED: 2021-04-13
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to ro...
CVE-2021-27598
PUBLISHED: 2021-04-13
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
CVE-2021-27600
PUBLISHED: 2021-04-13
SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored ...
CVE-2021-27601
PUBLISHED: 2021-04-13
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attac...
CVE-2021-27602
PUBLISHED: 2021-04-13
SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the sour...