Building an Incident Response Playbook


Much like the playbooks used in today’s National Football League, a cybersecurity playbook is a defined set of rules describing the options to be executed given the input data and the situation at hand. Playbooks are a critical component of cybersecurity, especially in security automation and orchestration. A playbook's primary purpose is to represent a simplified process in a general way that can be reused across a variety of organizations.


IR Playbook Components

Incident response playbooks can be used across a collection of different organizations and include some common components such as:

  • Initiating condition: All subsequent steps in the playbook are contingent upon the type of security issue identified in this first step.
  • Process steps: This includes all significant steps that must be followed to carry out the operations triggered by the initiating condition. It is the main body of the playbook and covers steps such as generating a response action, authorizing those responses, and quarantining. These process steps typically become the basis for future automation.
  • Best practices and company policies: This part of the playbook depends entirely on the organization’s specific industry. It includes any additional activities that may be performed after the core process steps have been completed.
  • Ending state: This is the ultimate goal of the playbook. It represents the desired outcome for the given initiating condition, and reaching it indicates that the playbook has been completed.


How to put together a Playbook

There is a lot of information available about how to build a well-equipped playbook. Most of it covers the following points:

  1. Identify your initiating condition.
  2. List all possible plans of action that can be taken in response to that specific initiating condition.
  3. Separate your list into steps that are completely necessary and those that are optional.
  4. Build your plan of action from the components you classified as “completely necessary.”
  5. Group your optional steps into categories such as “verifying” or “responding.”
  6. Ensure that your “completely necessary” list covers the main groups of your optional list.
  7. Insert any remaining optional steps into an “options” box.
  8. Identify your ending state.
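The following is an added example, not code from the original post or from the CyberSponse platform, that turns the components and the eight-step procedure above into a small playbook-as-code model: an initiating condition, an ordered list of “completely necessary” steps (enrich, authorize, quarantine), optional steps grouped into “verifying” and “responding,” and an ending-state check. The malware-on-endpoint scenario, the asset inventory, the hash list and the alert records are all constructed sample data; the step functions and field names are hypothetical. The authorization step shows the kind of gate a playbook should carry before an automated response touches a critical asset, and every step writes to an audit log so the run can be reviewed afterwards.

```python
"""Playbook-as-code: a minimal executable model of an incident response playbook.

Hypothetical example. A Playbook is an initiating condition, ordered required
steps, optional steps grouped by category, and an ending-state predicate. The
runner records every step in an audit log so the execution can be reviewed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# An incident is a plain dict of fields; each step reads and enriches it.
Incident = Dict[str, object]
Step = Callable[[Incident, List[str]], None]


@dataclass
class Playbook:
    name: str
    initiating_condition: Callable[[Incident], bool]          # step 1: what triggers this playbook
    required_steps: List[Step]                                # step 4: the "completely necessary" list
    optional_steps: Dict[str, List[Step]] = field(default_factory=dict)  # step 5: grouped options
    ending_state: Callable[[Incident], bool] = lambda inc: True          # step 8: when are we done


@dataclass
class RunResult:
    applied: bool            # False when the initiating condition did not match
    reached_end_state: bool
    audit_log: List[str]


def run_playbook(pb: Playbook, incident: Incident,
                 enabled_groups: Optional[List[str]] = None) -> RunResult:
    """Execute required steps, then any enabled optional groups, then check the ending state."""
    log: List[str] = []
    if not pb.initiating_condition(incident):
        log.append(f"{pb.name}: initiating condition not met, nothing to do")
        return RunResult(False, False, log)
    for step in pb.required_steps:
        step(incident, log)
    for group in enabled_groups or []:
        for step in pb.optional_steps.get(group, []):
            step(incident, log)
    done = pb.ending_state(incident)
    log.append(f"{pb.name}: ending state {'reached' if done else 'NOT reached'}")
    return RunResult(True, done, log)


# ---- Constructed sample data (stands in for a CMDB and a threat-intel feed) ----
ASSET_INVENTORY = {
    "ws-0421": {"owner": "j.doe", "criticality": "standard"},
    "db-0007": {"owner": "dba-team", "criticality": "critical"},
}
KNOWN_BAD_HASHES = {"CONSTRUCTED_SHA256_PLACEHOLDER_1"}


# ---- Required steps ----
def enrich_asset(incident: Incident, log: List[str]) -> None:
    asset = ASSET_INVENTORY.get(str(incident["hostname"]), {"owner": "unknown", "criticality": "unknown"})
    incident["owner"], incident["criticality"] = asset["owner"], asset["criticality"]
    log.append(f"enrich: {incident['hostname']} owner={asset['owner']} criticality={asset['criticality']}")


def authorize_isolation(incident: Incident, log: List[str]) -> None:
    # Gate: a critical asset is never isolated automatically; an analyst must approve.
    if incident["criticality"] == "critical" and not incident.get("analyst_approved", False):
        incident["authorized"], incident["escalated"] = False, True
        log.append("authorize: critical asset, isolation held pending analyst approval")
    else:
        incident["authorized"] = True
        log.append("authorize: isolation approved")


def isolate_host(incident: Incident, log: List[str]) -> None:
    if incident.get("authorized"):
        incident["isolated"] = True
        log.append(f"isolate: {incident['hostname']} quarantined from the network")
    else:
        log.append("isolate: skipped, not authorized")


# ---- Optional steps, grouped ----
def check_hash_reputation(incident: Incident, log: List[str]) -> None:
    incident["hash_known_bad"] = incident.get("sha256") in KNOWN_BAD_HASHES
    log.append(f"verify: sha256 known_bad={incident['hash_known_bad']}")


def notify_owner(incident: Incident, log: List[str]) -> None:
    log.append(f"respond: notified {incident['owner']} about {incident['hostname']}")


MALWARE_ON_ENDPOINT = Playbook(
    name="malware-on-endpoint",
    initiating_condition=lambda inc: inc.get("alert_type") == "malware_detected",
    required_steps=[enrich_asset, authorize_isolation, isolate_host],
    optional_steps={"verifying": [check_hash_reputation], "responding": [notify_owner]},
    # Done when the host is quarantined or the case was handed to an analyst.
    ending_state=lambda inc: bool(inc.get("isolated") or inc.get("escalated")),
)

if __name__ == "__main__":
    alert = {"alert_type": "malware_detected", "hostname": "ws-0421",
             "sha256": "CONSTRUCTED_SHA256_PLACEHOLDER_1"}  # constructed alert
    result = run_playbook(MALWARE_ON_ENDPOINT, alert, ["verifying", "responding"])
    print("\n".join(result.audit_log))
```

Running it on the constructed standard workstation alert walks through enrich, authorize, isolate, then the optional verify and notify steps, and reports the ending state as reached; the same alert against the critical database host stops at the authorization gate, marks the case escalated, and still reaches an ending state because the playbook treats “handed to an analyst” as a valid outcome. An alert of a different type is rejected at the initiating condition and nothing runs.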
About CyberSponse, Inc.
CyberSponse Incorporated, a global leader in cyber security automation & orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, Cybersponse enables organizations to secure their security operations teams and environments.