Week 4: Use playbooks to respond to incidents

Hello and welcome back. You’ve reached the final
section of this course! Previously, we discussed
security information and event management, or SIEM tools, and how they can be used to help organizations
improve their security posture. Let’s continue our security
journey by exploring another tool security professionals use: playbooks. In this section, we’ll explore how
playbooks help security teams respond to threats, risks, or
vulnerabilities identified by SIEM tools. Then, we’ll discuss the six
phases of incident response. Let’s get started!

Phases of an incident response playbook in Cybersecurity

An incident response playbook is a guide that outlines the steps that an organization should take to respond to a security incident. Playbooks are essential for organizations of all sizes, as they can help to ensure that incidents are responded to quickly and effectively.

The six phases of an incident response playbook are:

1. Preparation: This phase involves developing and maintaining playbooks, identifying key stakeholders, and preparing for the possibility of an incident.
2. Detection: This phase involves identifying and analyzing potential incidents.
3. Containment: This phase involves limiting the damage caused by an incident and preventing it from spreading.
4. Eradication: This phase involves removing the cause of an incident and restoring systems to normal operation.
5. Recovery: This phase involves restoring data and systems that were lost or damaged during an incident.
6. Lessons learned: This phase involves reviewing the incident response process and identifying areas for improvement.

Phase 1: Preparation

The preparation phase is essential for building a successful incident response program. During this phase, organizations should:

• Develop and maintain playbooks that outline the steps that should be taken in response to different types of incidents.
• Identify key stakeholders who will be involved in the incident response process.
• Prepare for the possibility of an incident by conducting tabletop exercises and testing playbooks.

Phase 2: Detection

The detection phase involves identifying and analyzing potential incidents. This can be done through a variety of means, such as:

• Monitoring security logs and alerts
• Conducting vulnerability scans
• Using threat intelligence feeds

Phase 3: Containment

The containment phase involves limiting the damage caused by an incident and preventing it from spreading. This may involve taking actions such as:

• Isolating affected systems
• Changing passwords
• Disabling accounts

Phase 4: Eradication

The eradication phase involves removing the cause of an incident and restoring systems to normal operation. This may involve taking actions such as:

• Removing malware
• Patching vulnerabilities
• Restoring data from backups

Phase 5: Recovery

The recovery phase involves restoring data and systems that were lost or damaged during an incident. This may involve taking actions such as:

• Restoring data from backups
• Rebuilding systems
• Restoring access to services

Phase 6: Lessons learned

The lessons learned phase involves reviewing the incident response process and identifying areas for improvement. This may involve taking actions such as:

• Documenting the incident
• Identifying areas where the incident response process could be improved
• Training employees on lessons learned

By following these six phases, organizations can develop and implement an effective incident response playbook. This will help to ensure that incidents are responded to quickly and effectively, and that damage is minimized.

Additional tips for developing an incident response playbook:

• Make sure that the playbook is tailored to the specific needs of the organization.
• Keep the playbook up-to-date with the latest security threats and incident response best practices.
• Test the playbook regularly to ensure that it is effective and that all stakeholders are familiar with their roles and responsibilities.
• Communicate the playbook to all stakeholders and train them on its use.

Previously, we discussed
how SIEM tools are used to help protect an organization’s
critical assets and data. In this video, we’ll introduce another important tool for maintaining an
organization’s security, known as a playbook. A playbook is a
manual that provides details about any
operational action. Playbooks also
clarify what tools should be used in response
to a security incident. In the security field, playbooks are essential. Urgency, efficiency, and
accuracy are necessary to quickly identify and mitigate a security threat to
reduce potential risk. Playbooks ensure
that people follow a consistent list of actions
in a prescribed way, regardless of who is
working on the case. Different types of
playbooks are used. These include playbooks
for incident response, security alerts, teams-specific, and product-specific
purposes. Here, we’ll focus on a playbook
that’s commonly used in cybersecurity, called an
incident response playbook. Incident response
is an organization’s quick attempt to
identify an attack, contain the damage, and correct the effects
of a security breach. An incident response
playbook is a guide with six phases used to
help mitigate and manage security incidents
from beginning to end. Let’s discuss each phase. The first phase is preparation. Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by
documenting procedures, establishing staffing
plans, and educating users. Preparation sets the foundation for successful
incident response. For example, organizations can create incident
response plans and procedures that
outline the roles and responsibilities of each
security team member. The second phase is
detection and analysis. The objective of this phase
is to detect and analyze events using defined
processes and technology. Using appropriate tools and strategies during
this phase helps security analysts determine
whether a breach has occurred and analyze
its possible magnitude. The third phase is containment. The goal of containment
is to prevent further damage and reduce the immediate impact of
a security incident. During this phase, security
professionals take actions to contain an
incident and minimize damage. Containment is a high
priority for organizations because it helps prevent ongoing risks to critical
assets and data. The fourth phase in
an incident response playbook is eradication
and recovery. This phase involves the complete
removal of an incident’s artifacts so that
an organization can return to normal operations. During this phase, security professionals
eliminate artifacts of the incident by removing malicious code and
mitigating vulnerabilities. Once they’ve exercised
due diligence, they can begin to restore the affected environment
to a secure state. This is also known
as IT restoration. The fifth phase is post-incident
activity. This phase includes
documenting the incident, informing organizational
leadership, and applying lessons
learned to ensure that an organization is better prepared to handle
future incidents. Depending on the severity
of the incident, organizations can conduct a
full-scale incident analysis to determine the root cause of the incident and
implement various updates or improvements to enhance
its overall security posture. The sixth and final phase in an incident response
playbook is coordination. Coordination involves
reporting incidents and sharing
information, throughout the incident response
process, based on the organization’s
established standards. Coordination is important
for many reasons. It ensures that
organizations meet compliance requirements and it allows for coordinated
response and resolution. There are many ways security professionals may
be alerted to an incident. You recently learned about SIEM tools and how they
collect and analyze data. They use this data to
detect threats and generate alerts, which can inform the security team of
a potential incident. Then, when a security
analyst receives a SIEM alert, they can use the
appropriate playbook to guide the response process. SIEM tools and playbooks
work together to provide a structured and
efficient way of responding to potential
security incidents. Throughout the program, you’ll have opportunities
to continue to build your understanding of
these important concepts.

Which statements are true about playbooks? Select three answers.

• Playbooks ensure that people follow a consistent list of actions in a prescribed way.
• Playbooks are manuals that provide details about any operational action.
• Playbooks clarify what tools should be used to respond to security incidents.

Playbooks are manuals that provide details about any operational action, clarify what tools should be used, and ensure people follow a consistent list of actions to address security incidents.

My name is Zack. I’m a
Software Engineer on the security team in
Google Workspace. I have non-traditional
background. When I graduated
college, I originally thought that I would pursue law, but I was accepted and
I decided not to go. Instead, I joined
Google in recruiting. Through that work, I
did a little bit of strategy work where
I taught myself web scraping and I
really liked it, so I took one of Google’s internal training
courses that helped me move from recruiting to
software engineering. Processes and playbooks are documentation that software
engineers and other people at Google use to
determine how we can respond to things that happen. Whether that’s a security
or privacy incident, whether that’s an active attack, we have sets of guidelines or algorithms that we
use to determine the best course of action
to make sure that we manage people’s data and security well. I’m relatively new
to cybersecurity. I’ve been a software engineer
here for about two years, and I don’t have
enough knowledge to be able to respond to every single thing that could possibly come my way when I’m on call or when I’m helping
resolve a vulnerability. The playbooks are
super important to people like me and
other folks who are joining the industry new
because they allow you to solve the problem with the experience of a much more
experienced person, basically decades
of experience in your own resolution
because you can rely on this playbook and
other people’s advice. The kind of things that we use
playbooks for our open attacks, privacy incidents, data leaks, denial of service attacks, service alerts, and others. When I first started
out at Google, my first task on
the security team was to fix an externally
reported vulnerability. That means some
security researcher out in the wild was playing with our app and found
something that could potentially leak
our user’s data. When I received that, it was my first
task on the team. Looking back on it, it’s a relatively easy
thing to solve, but it felt really
overwhelming at the time. But when we receive a
vulnerability report, it comes with
remediation guidance. There were steps in
the bug that was sent to me saying this is the things that we
think that you should do. The things that I would say to somebody who’s interested
in starting out in cybersecurity is
talk to as many people in the
industry as you can. You’ll learn about
what the job is like. You’ll learn about
the skills that you need to get yourself there. If that’s something that
you’re interested in, you’ll learn about
open jobs and roles, what it’s like to work
at different companies. I wish people had told
me when I graduated college that what these
jobs are really like. I thought that coding
would be heads down, typing away at a computer and a dark office for
12 hours a day. But it’s not like that at all. 50% is communicating with other people and reviewing designs and talking about ideas. That’s really compelling and I think if somebody had said that to me at the beginning of my career would have been
totally different. Some teams come in
and out of fashion, but security is ever-present. It’s really important now it’s only getting more important. There’s a certain amount
of security that comes with being in a security team. Definitely, a good place to be.

Use a playbook to respond to threats, risks, or vulnerabilities in Cybersecurity

A playbook is a step-by-step guide that helps security professionals respond to security incidents in a timely and effective manner. Playbooks can be used to respond to a variety of threats, risks, and vulnerabilities, such as:

• Malware attacks
• Data breaches
• Denial-of-service attacks
• Insider threats

How to use a playbook

To use a playbook, you will first need to identify the specific threat, risk, or vulnerability that you are responding to. Once you have identified the threat, you can then select the appropriate playbook.

Playbooks typically include the following steps:

1. Assessment: Determine the scope and impact of the incident.
2. Containment: Isolate the affected systems to prevent the incident from spreading.
3. Eradication: Remove all traces of the incident and restore the affected systems to normal operations.
4. Recovery: Restore any lost or damaged data.
5. Post-incident analysis: Learn from the incident and update your security posture to reduce the likelihood and impact of future incidents.

Image:

Example

Let’s say that you are responding to a malware attack. You would first need to identify the specific malware that has infected your systems. Once you have identified the malware, you can then select the appropriate playbook.

The playbook might instruct you to perform the following steps:

1. Assessment: Identify all of the systems that have been infected with the malware.
2. Containment: Quarantine the infected systems to prevent the malware from spreading to other systems.
3. Eradication: Remove the malware from the infected systems.
4. Recovery: Restore any lost or damaged data.
5. Post-incident analysis: Identify the root cause of the infection and implement corrective actions to prevent future infections.

Benefits of using playbooks

Playbooks offer a number of benefits, including:

• Consistency: Playbooks ensure that security incidents are responded to in a consistent and repeatable manner.
• Efficiency: Playbooks can help security professionals to respond to incidents more quickly and efficiently.
• Effectiveness: Playbooks can help security professionals to respond to incidents more effectively, which can reduce the impact of the incident on the organization.

Conclusion

Playbooks are an essential tool for security professionals. By using playbooks, security professionals can respond to security incidents in a timely, efficient, and effective manner.

Welcome back! In this video, we’re going to revisit SIEM tools and how
they’re used alongside playbooks to reduce
organizational threats, risks, and vulnerabilities. An incident response playbook is a guide that helps
security professionals mitigate issues with
a heightened sense of urgency, while
maintaining accuracy. Playbooks create structure,
ensure compliance, and outline processes for communication and documentation. Organizations may use
different types of incident response playbooks
depending on the situation. For example, an
organization may have specific playbooks
for addressing different types of attacks, such as ransomware, malware, distributed denial of
service, and more. To start, let’s discuss how
a security analyst might use a playbook to address a SIEM alert,
like a potential malware attack. In this situation, a
playbook is invaluable for guiding an analyst through the necessary actions to
properly address the alert. The first action in the playbook
is to assess the alert. This means determining
if the alert is actually valid by identifying why the alert was
generated by the SIEM. This can be done by analyzing log data and related metrics. Next, the playbook outlines
the actions and tools to use to contain the malware
and reduce further damage. For example, this
playbook instructs the analyst to
isolate, or disconnect, the infected network
system to prevent the malware from spreading into other parts of the network. After containing the incident, step three of the playbook describes ways to eliminate all
traces of the incident and restore the affected systems back to normal operations. For example, the
playbook might instruct the analyst to restore the
impacted operating system, then restore the
affected data using a clean backup, created
before the malware outbreak. Finally, once the incident
has been resolved, step four of the playbook instructs
the analyst to perform various post-incident
activities and coordination efforts
with the security team. Some actions include
creating a final report to communicate the security
incident to stakeholders, or reporting the incident to
the appropriate authorities, like the U.S. Federal
Bureau of Investigations or other agencies that
investigate cyber crimes. This is just one example of how you might follow the
steps in a playbook, since organizations develop
their own internal procedures for addressing
security incidents. What’s most important to
understand is that playbooks provide a consistent process for security
professionals to follow. Note that playbooks
are living documents, meaning the security team
will make frequent changes, updates, and improvements to address new threats
and vulnerabilities. In addition,
organizations learn from past security incidents to improve their security posture, refine policies and procedures, and reduce the likelihood and
impact of future incidents. Then, they update their
playbooks accordingly. As an entry-level
security analyst, you may be required to
use playbooks frequently, especially when
monitoring networks and responding to incidents. Having an understanding of why playbooks are important
and how they can help you achieve your working
objectives will help ensure your success
within this field.

[MUSIC] Hi everyone.
My name is Erin and I am a privacy engineer at Google. I work on speculative and
emerging technology. So think of things that don’t
exist in the world, and that are coming within
the next two to five years. My role is basically to take a look at
all of the things that we are creating in terms of technology, and making
sure that privacy is embedded in that. I am thinking for
users before they even touch the product, making sure that when they utilize them, they’ll have some form of trust in
the engagement with that product. As well as knowing that we
are protecting their privacy, things that they don’t want to share or
broadcast, and making sure that they’re informed
before they even touch the product. I always talk about soft skills being the
most important thing over the technical skills. Because we can teach you anything but we
can’t teach you how to relate to people. That is something that
you bring to the table. Diversity of thought and diversity
of perspectives are very useful in understanding the world that we exist in. Because if we are designing products for
everyday people, we need everyday people to basically
help us understand those perspectives. Because I may look at something one way,
but my colleague may see it another way
based on their own experiences. And so, when you work together and come
from different environments, you actually bring more equity and more depth to
the things that you’re looking at. And the perspective that you bring
is the essential voice that is required in order to
make a product better. When you look at people who work in
journalism, or people who, like myself, worked in entertainment, they are bringing
a different perspective for how they would tackle something. Or if we have a product where we
are trying to convince a product team that maybe we shouldn’t do this, it’s always
helpful to say, from someone who worked in journalism, do we really want
this to end up in The Times? Probably not, right? And that is a way to come at people that,
on the ground floor, they understand what that looks like. All of the experiences that you have
had from the time you were born to now, they have been your experience. And you have to think about that in terms
of where we’re going with technology. When we’re developing for
a wide array of people, your experience may be
someone else’s experience. And so if we don’t have you in the room,
then we are missing the opportunity to actually bring something beautiful,
I would say, to the equation. Which is why I encourage people, please
come work with us in terms of technology. Get involved in STEM because
the equity across product security, privacy, you name it,
whether it be software engineering, everything requires a different voice. And it actually requires your voice. [MUSIC]

Let’s review what we
covered in this section. We began by discussing
the purpose of playbooks. Then, we examined the six phases
of an incident response playbook, including an example of how a playbook
might be used to address an incident. Playbooks are just one of the essential
tools you’ll use as a security analyst. They provide a structured, consistent
approach to handling security incidents and can help you respond to
security incidents quickly. Knowing how and when to use a playbook,
will allow you to make informed decisions about how to respond to
a security incident when it occurs and help to minimize the impact and damage it may cause your organization and
the people it serves. Following the steps of the playbook and
communicating appropriately with your team, will ensure your effectiveness
as a security professional.

Congratulations on completing this course! Let’s recap what we’ve covered so far. First, we reviewed CISSP’s
eight security domains and focused on threats, risks, and
vulnerabilities to business operations. Then, we explored security frameworks and
controls, and how they’re a starting point for creating policies and
processes for security management. This included a discussion of
the CIA triad, NIST frameworks, and security design principles, and how they
benefit the security community as a whole. This was followed by a discussion
about how frameworks, controls, and principles are related to security audits. We also explored basic security
tools, such as SIEM dashboards, and how they are used to protect
business operations. And finally, we covered how to protect
assets and data by using playbooks. As a security analyst, you may be
working on multiple tasks at once. Understanding the tools you
have at your disposal, and how to use them, will elevate your
knowledge in the field while helping you successfully accomplish
your everyday tasks. Coming up next in the program,
my colleague, Chris, will provide more details about
topics covered in this course and introduce you to some new
core security concepts. I’ve enjoyed sharing
this journey with you.