Building an IR playbook

Things to be considered

What are the initiating conditions? These are the basis of the rest of the playbook: every later step is a response to one of them.

What will the playbook steps look like? Consider communications with other departments and how the skill and availability of other teams may affect your IR team

How do you incorporate existing policies and procedures? One common mistake with letting operators be the sole creators of the playbook is that they sometimes overlook policies and procedures. This could be a legal or operational landmine. Always operate within the framework of the overall IR and security policies.

Desired goals

What is the intended or desired outcome of initiating an incident response?

Regulations

This component deals with regulatory and legal compliance. For example, if you discover illegal content during an investigation, how and when is it reported to law enforcement?

Creating a playbook

To create an effective playbook, there are a few things to consider.

Step 1 - Identify initiating events

First, you need to identify the initiating conditions, which are the events or conditions that trigger the incident response process. This could be something like a malware infection being detected or a successful phishing attack.

Step 2 - Decide on desired responses and outcomes

Next, you need to decide on the steps that should be taken in response to each initiating condition. This includes considering how to communicate with other departments and what resources you may need from them. It's also important to align your playbook with existing policies and procedures to ensure consistency and effectiveness.

Another important aspect is defining the desired outcome or goal of the incident response. This goal should align with the overall corporate strategy and focus on minimizing damage and getting back to normal operations as quickly as possible.

You also need to consider any regulations or legal requirements that may apply, such as reporting illegal content to law enforcement.

List all possible responses to each initiating event:

  • Drafting this list should include operators

  • Include previous response documentation and logs as supporting material

  • Include laws, regulations and other corporate or organizational administrative requirements

Step 3 - Categorize responses

Organize responses by criticality and importance

Make sure each response is mapped to a step or IR phase

What response steps/processes are required?

Which are optional?

  • First draft should include only required steps

  • Add optional things after

Step 4 - Inventory capabilities, tools and other resources

What skills exist internally to match up with the requirements?

What tools currently exist in the enterprise to meet the requirements?

Identify gaps and request budget to fill them

  • Even if the budget request is unsuccessful, you still need to document the process, the justifications and the answers you received

Step 5 - Test and formalize playbook

Remember to document what worked well and what didn't

Revisit often
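As an added illustration, not part of the original page, here is one way to express the outcome of the five steps as a playbook-as-code definition with the checks they call for: an initiating condition and desired outcome (Steps 1 and 2), every response mapped to an IR phase and flagged required or optional (Step 3), and a comparison of what the required steps need against what the enterprise has, which yields the gap list for the budget request (Step 4). The phase names, the sample phishing playbook, the tool and skill inventory and all function names are constructed assumptions for this example.

```python
"""Added example (not from the original page): a playbook-as-code model with
the consistency checks Steps 1-5 above call for. The phase names, the sample
phishing playbook, the tool/skill inventory and all function names are
constructed assumptions for illustration."""
from dataclasses import dataclass, field

# Assumed IR phases; every response step must map to one of them (Step 3).
PHASES = ("detection", "containment", "eradication", "recovery", "post_incident")


@dataclass
class Step:
    name: str
    phase: str               # IR phase the step belongs to
    required: bool = True    # required steps form the first draft (Step 3)
    criticality: int = 3     # 1 = most critical, 5 = least
    tools: tuple = ()        # tools the step needs (Step 4)
    skills: tuple = ()       # skills the step needs (Step 4)


@dataclass
class Playbook:
    trigger: str             # initiating condition (Step 1)
    goal: str                # desired outcome (Step 2)
    steps: list = field(default_factory=list)
    regulatory: tuple = ()   # legal/regulatory obligations to keep in view (Step 2)


def validate(pb: Playbook) -> list:
    """Return the problems found; an empty list means the playbook passes."""
    problems = []
    if not pb.trigger:
        problems.append("no initiating condition defined")
    if not pb.goal:
        problems.append("no desired outcome defined")
    if not any(s.required for s in pb.steps):
        problems.append("no required steps; first draft would be empty")
    for s in pb.steps:
        if s.phase not in PHASES:
            problems.append(f"step '{s.name}' is not mapped to an IR phase")
        if not 1 <= s.criticality <= 5:
            problems.append(f"step '{s.name}' has criticality outside 1..5")
    return problems


def ordered_steps(pb: Playbook) -> list:
    """Required steps first, then by criticality, then by IR phase order."""
    def key(s):
        phase_idx = PHASES.index(s.phase) if s.phase in PHASES else len(PHASES)
        return (not s.required, s.criticality, phase_idx)
    return sorted(pb.steps, key=key)


def required_draft(pb: Playbook) -> list:
    """Step names for the first draft, which holds required steps only."""
    return [s.name for s in ordered_steps(pb) if s.required]


def capability_gaps(pb: Playbook, have_tools, have_skills):
    """Tools and skills the required steps need that the enterprise lacks."""
    need_tools = {t for s in pb.steps if s.required for t in s.tools}
    need_skills = {k for s in pb.steps if s.required for k in s.skills}
    return sorted(need_tools - set(have_tools)), sorted(need_skills - set(have_skills))


# Constructed sample: a phishing playbook and the (assumed) current inventory.
PHISHING = Playbook(
    trigger="user report or mail-gateway alert for a suspected phishing email",
    goal="purge the message and contain any compromised accounts within 4 hours",
    regulatory=("escalate to legal before contacting law enforcement about illegal content",),
    steps=[
        Step("triage the report and confirm it is phishing", "detection", True, 1,
             tools=("mail_gateway",), skills=("email_analysis",)),
        Step("search and purge the message from all mailboxes", "containment", True, 1,
             tools=("mail_search_purge",), skills=("mail_admin",)),
        Step("reset credentials of users who submitted them", "containment", True, 2,
             tools=("identity_provider",), skills=("iam",)),
        Step("isolate hosts that opened the attachment", "containment", True, 2,
             tools=("edr",), skills=("endpoint_forensics",)),
        Step("block sender domain and URLs at the proxy", "eradication", True, 3,
             tools=("web_proxy",), skills=("network_admin",)),
        Step("send an awareness note to the affected department", "recovery", False, 4,
             skills=("comms",)),
        Step("write lessons learned and update this playbook", "post_incident", True, 3),
    ],
)
INVENTORY_TOOLS = {"mail_gateway", "mail_search_purge", "identity_provider", "web_proxy"}
INVENTORY_SKILLS = {"email_analysis", "mail_admin", "iam", "network_admin", "comms"}

if __name__ == "__main__":
    print("problems:", validate(PHISHING) or "none")
    print("first draft:", required_draft(PHISHING))
    print("gaps (tools, skills):", capability_gaps(PHISHING, INVENTORY_TOOLS, INVENTORY_SKILLS))
```

Run as a script it reports no problems, lists the six required steps in the order the first draft should present them, and shows that the required host-isolation step needs an EDR tool and endpoint forensics skill the inventory lacks; that pair is exactly what Step 4 says to document in the budget request, whether or not it is approved. Optional steps (the awareness note) are excluded from both the first draft and the gap calculation, matching the "required first, optional after" rule in Step 3.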
