Welcome to another exciting blog post, students and aspiring cybersecurity professionals! Today, we have a topic that sits at the core of cybersecurity operations—Incident Response. It’s not just about detecting incidents but efficiently managing them to minimize damage and future risks. Whether you’re part of a small IT team or a large Security Operations Center (SOC), knowing how to respond to security incidents is crucial.
This post will give you a TLDR understanding of how to create and implement Incident Response Playbooks and Runbooks. We’re not just talking theory; we’re diving deep into the practical aspects by incorporating real-world technologies you’ll encounter in the field. From firewalls by Palo Alto and Cisco to Cloud-Based Web Application Firewalls (WAFs) like AWS WAF and CloudFlare, we’ve got it all covered.
We’re structuring our Playbooks and Runbooks around the robust NIST (National Institute of Standards and Technology) Framework, making them suitable for a variety of organizational setups. Plus, we’ll explore how ITSM tools can help you coordinate among various teams in an enterprise setting.
What is a Playbook:
A playbook in the context of cybersecurity incident response serves as a strategic guide that outlines the processes, procedures, and guidelines to follow when a security incident occurs. It is a high-level document that provides an overview of the response plan tailored to specific types of incidents. Each playbook is designed to align with an organization’s policies and is rooted in best practices, often conforming to frameworks like NIST SP 800-61 (the Computer Security Incident Handling Guide). A playbook will typically cover the NIST lifecycle phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity (lessons learned). It describes the ‘what’—what needs to be done when a particular incident occurs. A well-crafted playbook acts as the cornerstone for effective incident management, helping teams to make quick and informed decisions, thereby minimizing the impact of the security incident.
What is a Runbook:
A runbook is a set of standardized, documented procedures that serve as a practical reference and guide for operational tasks, often presented in a step-by-step manner. In the realm of incident response, a runbook is the tactical extension of a playbook. Where a playbook describes what needs to be done during an incident, a runbook details how to do it. This can include specific commands to run, scripts to execute, checklists to go through, and even the templates for opening tickets in ITSM tools for inter-departmental coordination. The runbook is highly technical and specific to the technologies and tools used in an organization’s tech stack. It is essentially a “how-to” guide for your IT and security teams, offering granular instructions for responding to a variety of situations that may arise during a security incident.
Below are sample excerpts from playbooks and their nested runbooks for five scenarios. Each playbook includes its objective, scope, and two phases broken down into Detection and Analysis and Containment; the runbooks provide the technical, granular steps to be taken for each phase. Note that the excerpts deliberately skip the other NIST phases (Preparation, Eradication, Recovery, and Post-Incident Activity); a complete playbook must cover those as well.
Playbook 1: Phishing Email Incident
Objective:
To efficiently detect, analyze, and contain phishing email incidents to minimize impact on business operations and data compromise.
Scope:
This playbook applies to all employees and contractors using company-provided email accounts.
Detection and Analysis
Playbook Steps:
- Verify the phishing email.
- Initiate the incident response team.
Runbook:
- Verify the Phishing Email with Proofpoint and Splunk
  - Use Proofpoint’s dashboard to identify email security alerts and pull the message headers (the Authentication-Results line carrying the SPF, DKIM, and DMARC verdicts) plus any URLs or attachments.
  - Search Splunk SIEM for related email logs by sender, subject, and URL to find every recipient, not only the employee who reported the message, and check proxy logs for anyone who clicked the link.
- Initiate Incident Response Team
  - Open an ITSM ticket and assign it to the cybersecurity team with high priority.
Containment
Playbook Steps:
- Isolate the affected email account.
- Block the sender’s domain.
Runbook:
- Isolate Affected Email Account
  - In Microsoft O365, block sign-in for the affected account, reset its password, revoke its active sessions, and remove any inbox rules the attacker may have added; purge the phishing message from all recipient mailboxes.
  - Open an ITSM ticket for the email admin team for further investigation.
- Block Sender’s Domain
  - Confirm from the headers that the sender domain is not spoofed before blocking it: a From: domain that fails DMARC belongs to the impersonated party, which may be your own company. Add the actual sending domain and the domains of any URLs in the message to Proofpoint’s blocklist.
  - Open an ITSM ticket for the network security team to block those domains and URLs on Palo Alto or Cisco ASA firewalls.
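As an added example (not part of the original post and not any vendor’s tooling), here is what the “verify the phishing email” and “block the sender’s domain” steps above look like when automated with Python’s standard library: parse the reported message, read the SPF/DKIM/DMARC verdicts the gateway stamped into the Authentication-Results header, extract the link domains, and work out which domains are actually safe to block. The organisation’s domain (example.com), the sample message, and the “two indicators” verdict threshold are assumptions.

```python
"""Triage a reported phishing email with the standard library only.

Added example, not from the original post: parse the message, read the
SPF/DKIM/DMARC verdicts from the receiving gateway's Authentication-Results
header, pull out the URLs, and decide which domains are safe to block.
ORG_DOMAIN and the sample message are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample message; all domains are reserved example domains.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bounce.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support@example.net
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 24 hours. Verify it here:
http://example.net/login?u=alice
https://secure-portal.example.org/reset
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(header_value):
    """Return the spf/dkim/dmarc verdicts and the envelope (MAIL FROM) domain."""
    text = header_value or ""
    results = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}
    m = re.search(r"smtp\.mailfrom=(?:[^\s@;]+@)?([\w.-]+)", text, re.I)
    results["envelope_domain"] = m.group(1).lower() if m else None
    return results


def domain_of(address):
    """Domain part of an RFC 5322 address header value, or None."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def triage(raw_message, org_domain=ORG_DOMAIN):
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = domain_of(str(msg.get("From", "")))
    reply_to_domain = domain_of(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content() if body else "")
    url_domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

    # A From: domain that fails DMARC (or fails SPF under a different envelope
    # domain) was forged. The impersonated domain, often your own, is a victim,
    # not the sender, so it must not go on a blocklist.
    spoofed_from = auth.get("dmarc") == "fail" or (
        auth.get("spf") == "fail" and auth.get("envelope_domain") not in (None, from_domain)
    )
    indicators = []
    if spoofed_from:
        indicators.append("from_domain_spoofed")
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append("reply_to_mismatch")
    if any(d != org_domain for d in url_domains):
        indicators.append("external_links")
    if not any(v == "pass" for v in (auth.get("spf"), auth.get("dkim"))):
        indicators.append("no_authentication_pass")

    # Domains that actually carried the attack: envelope sender, reply-to and
    # link targets. The From: domain only if it was not spoofed; never the org's own.
    candidates = set(url_domains) | {auth.get("envelope_domain"), reply_to_domain}
    if not spoofed_from and from_domain:
        candidates.add(from_domain)
    block_candidates = sorted(d for d in candidates if d and d != org_domain)

    return {
        "auth": auth,
        "from_domain": from_domain,
        "spoofed_from": spoofed_from,
        "urls": urls,
        "indicators": indicators,
        "block_candidates": block_candidates,
        "verdict": "likely_phishing" if len(indicators) >= 2 else "needs_review",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
```

Run against the sample, the verdict is likely_phishing and the block candidates are bounce.example.net, example.net and secure-portal.example.org; example.com is left out because DMARC shows the From: header was forged. That exclusion is the check the containment step needs: blocking the spoofed domain would block the impersonated party, which here is the company itself.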
Playbook 2: Ransomware Attack
Objective:
To promptly detect, analyze, and contain ransomware attacks to prevent data loss and service disruption.
Scope:
This playbook applies to all servers, workstations, and storage systems.
Detection and Analysis
Playbook Steps:
- Identify affected files.
- Confirm ransomware activity.
Runbook:
- Identify Affected Files with Cylance and SentinelOne EDR
  - Use the Cylance and SentinelOne dashboards to find the hosts and processes performing mass file renames or extension changes, dropping ransom notes, or deleting shadow copies, and to list the files those processes touched.
- Correlate Events in Splunk
  - Query Splunk for abnormal file modifications and network activities (including file-share access from the same hosts) to confirm the ransomware infection and establish when it started.
Containment
Playbook Steps:
- Disconnect affected systems.
- Begin restoration from backups.
Runbook:
- Disconnect Affected Systems
  - Utilize Cylance or SentinelOne to network-isolate affected systems. Prefer isolation to powering off, so that volatile evidence (memory, running processes, the encrypting binary) is preserved for forensics.
- Restore from Backups
  - Open an ITSM ticket for the IT Ops team to initiate restoration from backups. Restoration is a Recovery activity: begin it only after the initial access vector and the encrypting process have been eradicated and the backups have been verified clean, or the restored systems will simply be encrypted again.
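As an added example (not from the original post, and not a vendor query), this is the correlation the “identify affected files” and “confirm ransomware activity” steps describe, written in Python over constructed EDR/file-audit events: one host renames a burst of documents to a new extension and then drops a ransom note, another host renames a few files as part of normal Office autosave. Hostnames, paths, the 20-renames-in-60-seconds threshold, and the ransom-note filename pattern are assumptions.

```python
"""Spot ransomware from file-activity telemetry and scope what it touched.

Added example, not from the original post. Runs the correlation the Splunk
query in the runbook would do, over constructed file events: a burst of
extension-changing renames on one host, followed by a ransom note.
Hostnames, paths and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 20           # extension-changing renames ...
WINDOW = timedelta(seconds=60)  # ... within this window on one host
NOTE_RE = re.compile(r"(readme|how[_ -]?to|recover|decrypt|restore)[^\\/]*\.(txt|html|hta)$", re.I)


def build_sample_events():
    """Constructed telemetry: one infected workstation (ws-042), one benign one (ws-007)."""
    base = datetime(2024, 5, 1, 9, 30, 0)
    share = r"\\fs01\finance\q1"
    evil = r"C:\Users\jdoe\AppData\Local\Temp\update.exe"
    word = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
    events = []
    for i in range(25):  # 25 spreadsheets renamed to .locked in 25 seconds
        path = rf"{share}\report_{i:02d}.xlsx"
        events.append({"host": "ws-042", "ts": base + timedelta(seconds=i), "process": evil,
                       "action": "rename", "path": path, "new_path": path + ".locked"})
    events.append({"host": "ws-042", "ts": base + timedelta(seconds=26), "process": evil,
                   "action": "create", "path": rf"{share}\HOW_TO_RECOVER_FILES.txt", "new_path": None})
    for i in range(3):  # Word autosave elsewhere: a few renames, spread out, no note
        path = rf"C:\Users\asmith\Documents\~draft{i}.tmp"
        events.append({"host": "ws-007", "ts": base + timedelta(minutes=3 * i), "process": word,
                       "action": "rename", "path": path, "new_path": path[:-4] + ".docx"})
    return events


def extension(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Per host: was there a rename burst, which files did it hit, which process did it."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # extension-changing renames inside the sliding window
        burst_start = None
        affected, processes, new_exts, notes = [], set(), set(), []
        for e in evs:
            if e["action"] == "create" and NOTE_RE.search(e["path"]):
                notes.append(e["path"])
                processes.add(e["process"])
            if e["action"] != "rename" or extension(e["path"]) == extension(e["new_path"]):
                continue
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                if burst_start is None:  # first time over the line: scope the whole window
                    burst_start = recent[0]["ts"]
                    affected.extend(x["path"] for x in recent)
                else:
                    affected.append(e["path"])
                processes.update(x["process"] for x in recent)
                new_exts.update(extension(x["new_path"]) for x in recent)
        if burst_start or notes:
            findings[host] = {
                "confirmed": burst_start is not None and bool(notes),  # both signals: high confidence
                "burst_start": burst_start,
                "affected_files": affected,
                "ransom_notes": notes,
                "processes": sorted(processes),  # what to kill/quarantine in the EDR
                "new_extensions": sorted(new_exts),
            }
    return findings


if __name__ == "__main__":
    for host, f in detect_ransomware(build_sample_events()).items():
        print(host, "confirmed" if f["confirmed"] else "suspicious",
              len(f["affected_files"]), "files", f["processes"])
```

The output gives the containment step what it needs: the host to isolate, the process to kill, the time the burst started (the scoping boundary for which backups are still clean), and the file list for the restoration ticket. Tune the threshold against your own telemetry before trusting it; backup agents, archive tools and bulk user renames also change extensions in bursts, which is why the ransom note is required for a confirmed verdict.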
Playbook 3: Unauthorized Access
Objective:
To swiftly detect, analyze, and contain unauthorized access incidents to prevent data theft and unauthorized actions.
Scope:
This playbook applies to all servers, workstations, and user accounts.
Detection and Analysis
Playbook Steps:
- Monitor suspicious login activities.
- Confirm unauthorized access.
Runbook:
- Monitor Logs with Splunk
  - Query Splunk SIEM for abnormal login and access patterns: many failures across accounts followed by a success, logins at unusual hours or from new locations, and one account active from two geographies within a short window.
- Confirm Unauthorized Access with BeyondTrust Password Vault
  - Cross-reference with BeyondTrust Password Vault for unauthorized use of privileged accounts (checkouts or sessions that do not match an approved change or ticket).
Containment
Playbook Steps:
- Disable compromised accounts.
- Implement Multi-Factor Authentication (MFA) on critical systems.
Runbook:
- Disable User Account in Active Directory
  - Open an ITSM ticket for the AD admin team to disable the suspicious account, reset its password, and terminate its active sessions; disabling alone leaves existing sessions and tokens valid until they expire.
- Implement MFA
  - Open an ITSM ticket for the identity and access management team to enforce MFA on critical systems. This is hardening rather than immediate containment: it closes the door for the next attempt but does not end the current one.
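As an added example (not from the original post, and not an SPL query), the two login patterns the detection runbook above asks Splunk for, implemented in Python over constructed authentication log lines: a password spray (many failures across many accounts from one source, then a success) and impossible travel (one account succeeding from two countries too close together). The log line format, the IP addresses (TEST-NET ranges), and the thresholds are assumptions.

```python
"""Surface the login patterns a "suspicious login" query should find.

Added example, not from the original post. Two detections run over
constructed auth log lines: password spray and impossible travel.
Log format, IPs and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) result=(?P<result>success|fail)$"
)


def stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed auth log: a spray from 203.0.113.77, then alice 'travels' US -> RU in 20 minutes."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{stamp(t0 + timedelta(seconds=10 * i))} user=user{i:02d} src=203.0.113.77 geo=NL result=fail"
             for i in range(12)]
    lines += [
        f"{stamp(t0 + timedelta(minutes=3))} user=svc-backup src=203.0.113.77 geo=NL result=success",
        f"{stamp(t0 + timedelta(minutes=5))} user=alice src=198.51.100.10 geo=US result=success",
        f"{stamp(t0 + timedelta(minutes=10))} user=bob src=198.51.100.23 geo=US result=fail",
        f"{stamp(t0 + timedelta(minutes=11))} user=bob src=198.51.100.23 geo=US result=success",
        f"{stamp(t0 + timedelta(minutes=25))} user=alice src=192.0.2.44 geo=RU result=success",
    ]
    return lines


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e


def detect_password_spray(events, fail_threshold=10, min_users=5, window=timedelta(minutes=10)):
    """One source, many failures across many accounts in the window; later successes = compromised."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = deque()
        sprayed, compromised = False, []
        for e in evs:
            while fails and e["ts"] - fails[0]["ts"] > window:
                fails.popleft()
            if e["result"] == "fail":
                fails.append(e)
                if len(fails) >= fail_threshold and len({f["user"] for f in fails}) >= min_users:
                    sprayed = True
            elif sprayed:  # any success from a source that has been spraying counts as a compromise
                compromised.append(e["user"])
        if sprayed:
            findings.append({"type": "password_spray", "src": src,
                             "compromised_accounts": sorted(set(compromised))})
    return findings


def detect_impossible_travel(events, min_gap=timedelta(hours=1)):
    """Country change between consecutive successes faster than min_gap.
    A production detector would use geo-distance and speed; country is a simplification."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["geo"] != cur["geo"] and cur["ts"] - prev["ts"] < min_gap:
                findings.append({"type": "impossible_travel", "user": user,
                                 "from": f'{prev["geo"]} {prev["src"]}', "to": f'{cur["geo"]} {cur["src"]}',
                                 "minutes_apart": int((cur["ts"] - prev["ts"]).total_seconds() // 60)})
    return findings


def triage_logins(lines):
    """Parse, run both detections, and list the accounts the containment runbook should disable."""
    events = [e for e in map(parse_line, lines) if e]
    findings = detect_password_spray(events) + detect_impossible_travel(events)
    accounts = set()
    for f in findings:
        accounts.update(f.get("compromised_accounts", []))
        if f["type"] == "impossible_travel":
            accounts.add(f["user"])
    return {"findings": findings, "accounts_to_contain": sorted(accounts)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_logins(build_sample_log()), indent=2))
```

On the sample, svc-backup (the spray’s one success) and alice (US then RU twenty minutes apart) come out as the accounts to contain, while bob’s single failure is ignored. The compromised-account list is exactly what the AD ticket in the containment runbook needs; feed the source IP to the firewall team as well.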
Playbook 4: Insider Threat
Objective:
To effectively detect, analyze, and contain insider threats to safeguard organizational assets.
Scope:
This playbook applies to all employees, contractors, and third-party vendors with access to internal systems.
Detection and Analysis
Playbook Steps:
- Monitor abnormal data transfers.
- Validate insider threat indications.
Runbook:
- Monitor Suspicious Transfers with Forcepoint DLP
  - Use Forcepoint DLP to identify unauthorized data transfers.
- Confirm Insider Threat with Splunk
  - Correlate DLP alerts with Splunk logs to validate the threat.
Containment
Playbook Steps:
- Revoke user access.
- Initiate internal investigation.
Runbook:
- Revoke User Access
  - Utilize BeyondTrust Password Vault to revoke the user’s privileged access, and have the account disabled in Active Directory.
  - Open an ITSM ticket to notify HR and Legal departments. Agree the timing with them before acting: revoking access tips off the insider, so the workstation, logs, and mailbox should be preserved first.
- Initiate Internal Investigation
  - Open an ITSM ticket for the internal investigations team to initiate a forensic examination, with chain of custody documented so the evidence holds up in any disciplinary or legal action.
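As an added example (not from the original post, and not Forcepoint’s or Splunk’s own output), the “correlate DLP alerts with Splunk logs” step above in Python: for each constructed DLP alert it looks for the same user’s outbound web traffic to non-corporate hosts in a window around the alert and checks that enough bytes actually left to account for the flagged file, so that HR and Legal are only pulled in on a validated alert. The users, hosts, sizes, simplified log formats, the corporate-domain list, and the 15-minute window are assumptions.

```python
"""Validate a DLP alert against proxy logs before escalating an insider case.

Added example, not from the original post. For each constructed DLP alert,
find the user's uploads to external hosts near the alert time and check the
volume against the flagged file. Users, hosts, sizes and formats are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAINS = ("example.com",)  # assumption: hosts under these are internal
WINDOW = timedelta(minutes=15)

# Constructed DLP alerts: one real exfiltration, one the proxy never saw.
DLP_ALERTS = [
    {"ts": datetime(2024, 5, 1, 17, 42, 0), "user": "mlee", "policy": "Customer-PII",
     "file": "customer_list.xlsx", "size_bytes": 5_242_880, "channel": "web"},
    {"ts": datetime(2024, 5, 1, 11, 5, 0), "user": "jkim", "policy": "Source-Code",
     "file": "build.zip", "size_bytes": 20_971_520, "channel": "web"},
]

# Constructed proxy log: "<iso-ts> <user> <dest-host> <bytes-out> <method>"
PROXY_LOG = """\
2024-05-01T17:30:12Z mlee intranet.example.com 1200 GET
2024-05-01T17:39:50Z mlee share.example.net 2621440 PUT
2024-05-01T17:41:05Z mlee share.example.net 2750000 PUT
2024-05-01T17:55:00Z mlee news.example.org 300 GET
2024-05-01T11:04:30Z jkim git.example.com 48000 POST
2024-05-01T11:20:00Z asmith share.example.net 9000000 PUT
"""


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        ts, user, host, out, method = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "host": host, "bytes_out": int(out), "method": method})
    return events


def is_external(host):
    return not any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def correlate(alerts, proxy_events, window=WINDOW):
    """Join each DLP alert to the user's external uploads within +/- window."""
    by_user = defaultdict(list)
    for e in proxy_events:
        by_user[e["user"]].append(e)
    results = []
    for a in alerts:
        hits = [e for e in by_user[a["user"]]
                if abs(e["ts"] - a["ts"]) <= window
                and is_external(e["host"]) and e["method"] in ("PUT", "POST")]
        sent = sum(e["bytes_out"] for e in hits)
        results.append({
            "user": a["user"], "file": a["file"], "policy": a["policy"],
            "external_destinations": sorted({e["host"] for e in hits}),
            "bytes_sent": sent,
            # Validated when the proxy saw the user push at least the file's size to an
            # external host near the alert. Otherwise look at other channels (USB, email,
            # cloud-app logs) before escalating to HR/Legal.
            "validated": sent >= a["size_bytes"],
        })
    return results


if __name__ == "__main__":
    for r in correlate(DLP_ALERTS, parse_proxy(PROXY_LOG)):
        print(r["user"], r["file"], "VALIDATED" if r["validated"] else "unconfirmed",
              r["bytes_sent"], r["external_destinations"])
```

mlee’s alert validates (two PUTs to share.example.net totalling more than the file, minutes before the alert); jkim’s does not, because the only traffic in the window went to an internal git host. The destination list is what goes on the firewall and proxy blocklist, and the timestamps define the evidence window for the forensic ticket.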
Playbook 5: DDoS Attack
Objective:
To quickly detect, analyze, and contain Distributed Denial of Service (DDoS) attacks to maintain service availability.
Scope:
This playbook applies to all externally facing services, including websites and APIs.
Detection and Analysis
Playbook Steps:
- Monitor for unusual traffic patterns.
- Confirm the DDoS attack.
Runbook:
- Monitor Traffic with Splunk
  - Use Splunk SIEM to track abnormal levels of incoming traffic.
- Confirm DDoS with AWS WAF or CloudFlare WAF
  - Cross-reference with AWS WAF or CloudFlare WAF dashboards to confirm the nature of the attack: whether it is a volumetric flood saturating the link or an application-layer attack on specific endpoints, and whether the traffic comes from a few sources or many.
Containment
Playbook Steps:
- Enable rate limiting on Web Application Firewalls (WAFs).
- Coordinate with Internet Service Provider (ISP) and Network Teams for additional traffic filtering.
Runbook:
- Enable Rate Limiting on WAFs
  - Use AWS WAF or CloudFlare WAF to set up rate limiting per source IP on the targeted paths. This works when a limited set of sources carries the flood; it will not trigger when the traffic is spread thinly across thousands of sources.
- Coordinate with ISP and Network Teams
  - Open ITSM tickets to the network team to implement additional rate limiting on Palo Alto or Cisco ASA firewalls and to contact the ISP for further mitigation measures. An on-premises firewall sits behind the saturated link, so a volumetric flood has to be dropped upstream by the ISP or a scrubbing service; firewall rate limiting only helps against traffic that still reaches it.
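As an added example (not from the original post, and not AWS or Cloudflare code), the decision behind the two containment steps above in Python: read constructed web access log lines, count requests per source IP in fixed 5-minute windows (the default evaluation window of an AWS WAF rate-based rule), and tell apart the case where a handful of sources dominate (a per-IP rate limit at the WAF will bite) from the case where the same volume is spread across thousands of sources (no single IP exceeds the limit, so the flood has to be dropped upstream). It also builds the rate-based rule body in the shape the AWS WAFv2 API takes. The IP ranges, the request limit, the baseline, and the surge factor are assumptions.

```python
"""Decide whether per-IP rate limiting will actually stop the flood.

Added example, not from the original post. Counts requests per source IP per
5-minute window over constructed access log lines and recommends a WAF rate
limit or upstream scrubbing. IPs, limit, baseline and surge factor are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
WINDOW_SECONDS = 300  # AWS WAF rate-based rules evaluate over 5 minutes by default


def build_sample_log(attacker_ips, requests_each, legit=50):
    """Constructed combined-format access log covering one 5-minute window."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for ip in attacker_ips:
        for i in range(requests_each):
            ts = (base + timedelta(seconds=i % 300)).strftime("%d/%b/%Y:%H:%M:%S +0000")
            lines.append(f'{ip} - - [{ts}] "GET /api/login HTTP/1.1" 200 512')
    for i in range(legit):  # background traffic from distinct TEST-NET-2 addresses
        ts = (base + timedelta(seconds=6 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'198.51.100.{i % 250 + 1} - - [{ts}] "GET /index.html HTTP/1.1" 200 8192')
    return lines


def concentrated_attack():
    return build_sample_log(["203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8"], 600)


def distributed_attack():
    return build_sample_log([f"198.18.{i // 256}.{i % 256}" for i in range(3000)], 1)


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def analyze_traffic(lines, limit=500, baseline_per_window=200, surge_factor=5):
    """limit: requests per window per IP; baseline_per_window: normal total requests per window."""
    per_window = defaultdict(Counter)  # window index -> {ip: count}
    for ip, ts in parse(lines):
        per_window[int(ts.timestamp()) // WINDOW_SECONDS][ip] += 1
    total = sum(sum(c.values()) for c in per_window.values())
    peak = max((sum(c.values()) for c in per_window.values()), default=0)
    offenders = sorted({ip for c in per_window.values() for ip, n in c.items() if n >= limit})
    offender_requests = sum(n for c in per_window.values() for ip, n in c.items() if ip in offenders)
    share = offender_requests / total if total else 0.0
    if peak <= baseline_per_window * surge_factor:
        recommendation = "normal"
    elif share >= 0.5:
        recommendation = "waf_rate_limit"      # a few sources carry the flood: the rule will bite
    else:
        recommendation = "upstream_scrubbing"  # spread out: nobody trips the limit; escalate to ISP
    return {
        "total_requests": total,
        "peak_window_requests": peak,
        "distinct_sources": len({ip for c in per_window.values() for ip in c}),
        "offenders": offenders,
        "offender_share": round(share, 3),
        "recommendation": recommendation,
    }


def waf_rate_based_rule(limit, name="BlockFloodingSources", priority=0):
    """AWS WAFv2 rate-based rule as it appears in a WebACL's Rules list."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


if __name__ == "__main__":
    import json
    for name, log in (("concentrated", concentrated_attack()), ("distributed", distributed_attack())):
        print(name, json.dumps(analyze_traffic(log)))
    print(json.dumps(waf_rate_based_rule(500), indent=2))
```

The concentrated case names four offenders carrying 98% of the requests, so the rate-based rule is the right first move; the distributed case has the same order of magnitude of requests but no source over the limit, which is the situation the ISP ticket exists for. The rule dictionary is the entry you would place in the WebACL’s Rules list when updating it through the console or CLI.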
Conclusion
Understanding playbooks and runbooks is crucial in cybersecurity operations. A well-crafted playbook provides a strategic framework that offers guidelines and procedures for handling various types of incidents. Meanwhile, the runbook serves as a tactical guide that provides granular, step-by-step actions specific to your technology stack.
Although the playbooks and runbooks presented here provide a foundational approach based on the NIST framework for incident response, it’s important to understand that they are not exhaustive. Real-world incident response is dynamic, and these documents should continually be updated and customized to adapt to new threats, organizational changes, or new technologies.
Homework Assignment: Refining Your Incident Response Skills
- Gap Analysis: Compare these sample playbooks and runbooks to any existing documents or procedures your organization may have. Identify any gaps and recommend improvements.
- Customization Exercise: Tailor one of the sample playbooks and runbooks to fit a specific technology not covered in this exercise (e.g., a different firewall, EDR, or SIEM solution).
- Simulation Exercise: Team up with a partner and simulate a tabletop exercise using one of these playbooks. One person should act as the incident responder and the other as an observer who assesses how well the playbook and runbook are followed. Exchange roles and repeat.
- Feedback Loop: After completing the tabletop exercise, document any bottlenecks, challenges, or oversights you encountered. Consider how to incorporate these insights into the playbook and runbook for future revisions.
- Technology Integration: Write a short guide on how to integrate alerts and automation between ITSM tools and one of the technologies mentioned (like Palo Alto Firewalls or Splunk SIEM) to speed up the incident response process.
By completing these exercises, you will not only refine your understanding of incident response strategies but also develop practical skills in implementing and enhancing playbooks and runbooks for a more resilient cybersecurity posture.
Welcome to the next phase of honing your incident response skills! In this exercise, we’re introducing you to ten new incident scenarios, each presenting unique cybersecurity challenges. Your task is to draft comprehensive Incident Response playbooks for each scenario.
These scenarios encompass a wide spectrum of incident types, ranging from technical challenges like malware outbreaks to more serious security breaches and insider threats. This diversity of scenarios is designed to provide you with a broader perspective of the potential incidents that can have cybersecurity implications. It also reflects the dynamic nature of the cybersecurity landscape, where adaptability and preparedness are essential.
So, let’s dive in and develop robust response strategies that will equip you to tackle a broad range of cybersecurity incidents effectively. Ready to take on the challenge?
Rogue IoT Device
Scenario: An unknown Internet of Things (IoT) device has appeared on your corporate network, potentially creating a security vulnerability. Develop a plan to identify, isolate, and investigate the device’s origin and purpose.
Credential Phishing Campaign
Scenario: Several employees report receiving suspicious emails asking for their login credentials. Upon investigation, it’s confirmed that a credential phishing campaign is underway. Create a response plan to identify affected accounts, reset compromised credentials, and educate employees about phishing risks.
Cryptojacking
Scenario: Server performance degrades significantly, and unusual spikes in CPU and memory usage are detected. Investigation reveals that the organization’s servers are being used for cryptojacking. Outline the steps to stop the unauthorized mining activity and secure affected systems.
Physical Security Breach
Scenario: A security guard notices a broken window in the office building, indicating a possible physical breach. Develop a response plan to secure the premises, assess the extent of the breach, and determine if any sensitive information or assets are compromised.
Social Media Account Compromise
Scenario: Your organization’s official social media account starts posting inappropriate content. It becomes evident that the account has been compromised. Create a plan to regain control of the account, investigate the breach, and prevent future unauthorized access.
Malware Outbreak
Scenario: Multiple employees report that their workstations are behaving erratically, with frequent system crashes and slow performance. Initial investigations suggest a malware outbreak. Determine the steps to contain and remediate the malware across affected systems.
Data Breach
Scenario: An external entity notifies your organization that they have discovered sensitive customer data on the dark web. The data appears to be from your organization’s database. Develop a plan to investigate the breach, assess the scope, and initiate notification procedures if necessary.
Insider Data Theft
Scenario: Suspicious data transfers from a user’s workstation to external sources are detected in logs. Further investigation reveals that the user is a disgruntled employee who has been stealing confidential data. Outline the steps to contain the insider threat, gather evidence, and initiate legal action.
Denial of Service (DoS) Attack
Scenario: Your organization’s website becomes unresponsive, and network traffic spikes. The initial analysis indicates a potential DoS attack. Develop a plan to mitigate the attack, restore service, and identify the attackers.
Unauthorized Access via Stolen Credentials
Scenario: An employee reports their credentials as stolen, and suspicious activity is detected on their account. Investigation shows that the attacker has already accessed critical systems. Outline the steps to prevent further unauthorized access, revoke stolen credentials, and investigate the incident.