Online Courses
Cyber Incident Response

Building an IR playbook

Things to be considered

What are the initiating conditions? These are the events that trigger the playbook, and everything else in it follows from them.

What will the playbook steps look like? Consider communications with other departments, and how the skills and availability of other teams may constrain what your IR team can do and how quickly.

How do you incorporate existing policies and procedures? A common mistake when operators are the sole authors of a playbook is that they overlook policies and procedures. That can be a legal or operational landmine: always operate within the framework of the overall IR and security policies.

Desired goals

What is the intended or desired outcome of initiating an incident response? State it up front so that every step in the playbook can be judged against it.

Regulations

This component deals with regulatory and legal compliance. For example, if you discover illegal content during an investigation, how do you report it to law enforcement, and when? Decide this in advance and write the answer, including who is authorized to make the report, into the playbook rather than improvising it mid-incident.

Creating a playbook

To create an effective playbook, there are a few things to consider.

Step 1 - Identify initiating events

First, you need to identify the initiating conditions, which are the events or alerts that trigger the incident response process. This could be something like a malware infection being detected by endpoint protection or a successful phishing attack. Be specific about the source and threshold of each trigger: an ambiguous trigger means the playbook is either never invoked or invoked for every alert.

Step 2 - Decide on desired responses and outcomes

Next, you need to decide on the steps that should be taken in response to each initiating condition. This includes considering how to communicate with other departments and what resources you may need from them. It's also important to align your playbook with existing policies and procedures to ensure consistency and effectiveness.

Another important aspect is defining the desired outcome or goal of the incident response. This goal should align with the overall corporate strategy and focus on minimizing damage and getting back to normal operations as quickly as possible.

You also need to consider any regulations or legal requirements that may apply, such as reporting illegal content to law enforcement.

List all possible responses to each initiating event:

  • Drafting this list should include operators

  • Include previous response documentation and logs as supporting material

  • Include laws, regulations and other corporate or organizational administrative requirements

Step 3 - Categorize responses

Organize responses by criticality and importance

Make sure each response is mapped to a step or IR phase

What response steps/processes are required?

Which are optional?

  • First draft should include only required steps

  • Add optional things after

Step 4 - Inventory capabilities, tools and other resources

What skills exist internally to match up with the requirements?

What tools currently exist in the enterprise to meet the requirements?

Identify gaps and request budget to fill them

  • Even if budget request is unsuccessful, you still need to document the process, justifications and answers

Step 5 - Test and formalize playbook

Test the playbook (a tabletop exercise or a simulated incident will do) and document what worked well and what didn't

Revisit it often: after every real incident that exercised it, and whenever tools, teams or regulations change
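The five steps above describe a playbook as data: initiating events, the responses attached to each, the IR phase each response belongs to, whether it is required or optional, the tools and skills it needs, and any reporting duty it carries. The following is an added example, not part of the course and not a tool the course describes, that encodes a small playbook that way and runs the checks the steps call for: every response maps to a known phase (Step 3), a first draft contains only required steps ordered by severity and phase (Step 3), tool and skill gaps are listed against an inventory for the budget request (Step 4), and reporting obligations are pulled out for the regulatory review (Step 2). The phase names, the sample events, responses, tools and skills are all constructed for illustration.

```python
from dataclasses import dataclass, field

# IR phases used by this course; every response step must map to exactly one.
IR_PHASES = (
    "identification", "containment", "investigation",
    "eradication", "recovery", "lessons_learned",
)


@dataclass(frozen=True)
class Response:
    """One step taken in response to an initiating event."""
    name: str
    phase: str
    required: bool = True
    tools: frozenset = frozenset()
    skills: frozenset = frozenset()
    obligation: str = ""  # legal/regulatory reporting duty, empty if none


@dataclass
class InitiatingEvent:
    """A condition that triggers the playbook (Step 1); severity 1 is the highest."""
    name: str
    severity: int
    responses: list = field(default_factory=list)


@dataclass(frozen=True)
class Inventory:
    """Tools and skills that exist internally (Step 4)."""
    tools: frozenset
    skills: frozenset


def validate(events):
    """Step 3 check: every event has responses and every response maps to a known phase."""
    issues = []
    for ev in events:
        if not ev.responses:
            issues.append(f"{ev.name}: no responses defined")
        for r in ev.responses:
            if r.phase not in IR_PHASES:
                issues.append(f"{ev.name}/{r.name}: unknown phase {r.phase!r}")
    return issues


def first_draft(events):
    """Step 3: required steps only, ordered by event severity and then IR phase."""
    steps = [
        (ev.severity, IR_PHASES.index(r.phase), ev.name, r.name)
        for ev in events for r in ev.responses
        if r.required and r.phase in IR_PHASES
    ]
    return [(ev_name, step) for _, _, ev_name, step in sorted(steps)]


def capability_gaps(events, inventory):
    """Step 4: tools and skills the playbook needs (optional steps included) that do not exist internally."""
    needed_tools, needed_skills = set(), set()
    for ev in events:
        for r in ev.responses:
            needed_tools |= r.tools
            needed_skills |= r.skills
    return {
        "tools": sorted(needed_tools - inventory.tools),
        "skills": sorted(needed_skills - inventory.skills),
    }


def reporting_obligations(events):
    """Step 2: responses that carry a legal or regulatory notification duty."""
    return [(ev.name, r.name, r.obligation)
            for ev in events for r in ev.responses if r.obligation]


# Constructed sample playbook (not from the course); all names are illustrative.
PLAYBOOK = [
    InitiatingEvent("successful_phishing", severity=1, responses=[
        Response("confirm compromised mailbox from mail gateway logs", "identification",
                 tools=frozenset({"mail_gateway"}), skills=frozenset({"log_analysis"})),
        Response("reset credentials and revoke active sessions", "containment",
                 tools=frozenset({"identity_provider"})),
        Response("search all mailboxes for the same lure", "eradication",
                 tools=frozenset({"mail_search"}), skills=frozenset({"log_analysis"})),
        Response("notify regulator if personal data was accessed", "eradication",
                 obligation="data-breach notification"),
    ]),
    InitiatingEvent("endpoint_malware_detected", severity=2, responses=[
        Response("isolate host with EDR", "containment",
                 tools=frozenset({"edr"}), skills=frozenset({"endpoint_analysis"})),
        Response("acquire memory image", "investigation", required=False,
                 tools=frozenset({"memory_acquisition"}), skills=frozenset({"forensics"})),
        Response("reimage host and restore data", "eradication",
                 tools=frozenset({"imaging"})),
        Response("record what worked", "lessons-learned"),  # deliberate typo: not a valid phase
    ]),
]

INVENTORY = Inventory(
    tools=frozenset({"mail_gateway", "identity_provider", "edr", "imaging"}),
    skills=frozenset({"log_analysis", "endpoint_analysis"}),
)

if __name__ == "__main__":
    for issue in validate(PLAYBOOK):
        print("VALIDATION:", issue)
    for ev_name, step in first_draft(PLAYBOOK):
        print(f"{ev_name}: {step}")
    print("gaps:", capability_gaps(PLAYBOOK, INVENTORY))
    print("obligations:", reporting_obligations(PLAYBOOK))
```

The misspelled phase on the last malware response is what the validation step is for: a response that is not mapped to a phase silently drops out of the draft, which is exactly the kind of omission a review before formalizing (Step 5) should catch. The gap list counts optional steps on purpose, since the budget request and its justification have to be documented even if the optional capability is deferred.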


Last updated 8 months ago