Vulnerabilities / Threats

7/28/2017
10:30 AM
Liz Maida
Liz Maida
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Throw Out the Playbooks to Win at Incident Response

Four reasons why enterprises that rely on playbooks give hackers an advantage.

For coaches and athletes, playbooks are invaluable. Games played by a set of known rules can benefit from playbooks that help teams use variations of known tactics against known opponents to gain a competitive advantage. But for enterprise security teams, playbooks can be more like an Achilles heel, especially as an incident response tactic. They create a sense of false security because playbooks are only useful against known threats, using known tactics against known adversaries.

Unlike athletes in organized sports, hackers play by their own set of rules, and threat tactics are ever-evolving. This means playbooks, by definition, leave gaps in security because they rely on established criteria. Additionally, playbooks place a heavy workload on security teams, creating even more vulnerabilities for enterprises.

First, playbooks consist of a pre-assembled set of tasks triggered by the detection of a recognized threat. Many organizations use some form of workflow orchestration to create and/or automate a task list, but the actual tasks are still manually performed by a security analyst. This means that teams get bogged down in reactive, tactical responses, instead of placing more effort into strategic, proactive activity to help prevent attacks.

Second, playbooks are very static, as they involve translating response processes into integrations. If you change the process or the involved systems, then you need to update the code that implements the integrations. Playbooks and orchestration are just continuing the tradition of viewing incident response as a process problem.

Third, since playbooks create a standard response to threats, hackers can easily determine how a specific organization will respond to a known threat. It’s the equivalent of a defensive line already knowing where the quarterback is going to throw the ball. Hackers use playbooks as a distraction by targeting an organization with a tactic that triggers a known response, and then launching a new attack while the team is busy responding to the distraction. This results in a loss of productivity and increases the chances that the real attack achieves its intended purpose.  

Lastly, the use of playbooks caters to the skills gap that is plaguing security teams, rather than encouraging skill advancement. Reliance on playbooks has created an environment in which analysts only learn what it takes to complete the series of tasks, and that requires a broad, lower level understanding of a known threat. This has hindered the skills growth and put the business at risk. Playbooks do not take into account organization-specific factors or the skill advancement of the analyst, because she does not get to apply her own insight into the response and build her skillset based on what she may have learned through this experience.

Enterprises relying on playbooks for incident response are doing themselves a disservice. While they may survive an attack today, they are not taking a forward-looking approach to keeping pace with the threats of tomorrow. 

Related Content:

 

 

Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/1/2017 | 3:25:58 PM
Re: Dynamic vs Disposal
Agree - it must be a dynamic, living document as the threat landscape is the same.  But, also, it must first EXIST and I would wager that the staff at Merck dearly wished they had one earlier in June!!!
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/1/2017 | 7:42:51 AM
Playbooks provide format
ONLY - and they need to be constantly revised and updated, like disaster recovery plans for business continuity.  I have seen copies of this document on business shelves from 3 years ago - OH, I think the business has changed somewhat since 2003, right?  Secondly, we are always 15 minutes behind the hackers.  They are forever ahead of us and so our plans have to be consistently updated.  Third, playbook should NOT be written in STONE forever.  The Royal Navy in the age of sail concentrated every single act and policy to FIGHTING INSTRUCTIONS which could never EVER be deviated from.  Rigid.  Malware plans have to be flexible to encounter the New and Unexpected situations where no malware response has gone before.  
rkappam
50%
50%
rkappam,
User Rank: Apprentice
7/31/2017 | 2:08:06 PM
Re: Dynamic vs Disposal
Sounds interesting, but play book can be predicted by any IT Security experienced guy. Moreoever it would only give us how the incident would be handeled, which means we are talking about which already detected. Once you detect, we would some how remediate/ format/ getover it. 

Any smart hacker would try to hide himself, so he should try to focus on detection system company has it. Then he will make SOC busy with known attacks and slowly would try to get into network through non-detected place. 

I believe, rather looking at play book, person would focus on detection system. Or vulnerability in detection system. 

These information would be known by ex-employees of company. We should be more think about it. 

 
LMaida
50%
50%
LMaida,
User Rank: Author
7/28/2017 | 3:20:27 PM
Re: Dynamic vs Disposal
Yes, it's just dependent on how you define playbook and whether you believe they are inherently static/pre-configured. There's also an aspect of the level of human involvement in redefining the playbook vs software automation. 
InfosecCanuck
100%
0%
InfosecCanuck,
User Rank: Apprentice
7/28/2017 | 11:05:28 AM
Dynamic vs Disposal
I actually agree with almost everything here but I would tend to think a dynamic, evolving playbook would be the solution as opposed to throwing out the playbook. Organizations need to have some documented standard as to how they respond, no? Perhaps that was the point you were getting at and I missed it.
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12716
PUBLISHED: 2018-06-25
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its l...
CVE-2018-12705
PUBLISHED: 2018-06-24
DIGISOL DG-BR4000NG devices have XSS via the SSID (it is validated only on the client side).
CVE-2018-12706
PUBLISHED: 2018-06-24
DIGISOL DG-BR4000NG devices have a Buffer Overflow via a long Authorization HTTP header.
CVE-2018-12714
PUBLISHED: 2018-06-24
An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial o...
CVE-2018-12713
PUBLISHED: 2018-06-24
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was ...