2020-07-27T06:31:00Z
Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)

What is an incident response playbook and how is it used in SOAR?

Hi dear community,

Can you explain what an incident response playbook is and the role it plays in SOAR? How do you build an incident response playbook? 

Do SOAR solutions come with a pre-defined playbook as a starting point?

4 Answers
Maged Magdy
Security Consultant at Global Solutions
Mar 15, 2021

Hi,

What is an incident response playbook?

An incident response playbook is the set of guidelines and the group of processes, policies, plans, and procedures, along with appropriate oversight of response activities, that the organization should follow to make a proactive response, quick containment, effective remediation, and an action plan with "what if" scenarios in case a certain cyber incident has taken place.

How do you build an incident response playbook?

According to NIST, to build an incident response playbook you need to design a process that contains 4 main phases:

1- Prepare.
2- Detect and Analyze.
3- Contain, Eradicate and Recover.
4- Post-Incident Handling.

*reference, NIST Computer Security Incident Handling Guide:
https://nvlpubs.nist.gov/nistp...

*reference, SANS Incident Handler's Handbook:
https://www.sans.org/reading-r...

Do SOAR solutions come with a pre-defined playbook as a starting point?

- Sure, most SOAR solutions today come with predefined templates. However, it's a double-edged sword, depending on the cyber security awareness and maturity level of the organization. If it's implemented with no or low maturity level, it may harm the organization's production and utilize resources improperly.



Sep 22, 2021

Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (from SANS). The playbook outlines what to do at each stage.

Typical SOAR playbooks automate the response to detected threats:

- Create a ticket to track the incident
- Identify the source and target
- Confirm the attack is suspicious (SOC analyst lookup, on a known blacklist? other events?)
- Contain or clean the host (EDR, patch, update AV...)
- Block the known attacker (on a firewall, IDS, etc.)
- Disable a compromised account
- Notify anyone necessary

SOAR actions include scripts to set or fire off actions on devices.

A playbook usually has a series of actions when a threat/incident is detected.

Most SOARs include playbooks, but they have to be tailored and customized to the specific devices you have in your environment (Palo Alto Firewall vs. Checkpoint, Cylance vs. McAfee EPO...), ticketing system integration, SIEM/UEBA threat detection integration...

Robert Cheruiyot
IT Security Consultant at Microlan Kenya Limited
Sep 21, 2021

Hi Rony,

A playbook automates the gathering of threat intelligence from a myriad of threat intelligence sources. Playbooks ingest alerts from tools like a SIEM and scan the alerts against threat intelligence sources like VirusTotal and others in order to get information related to the alert. A playbook, for example, can scan suspicious domains/IPs against VirusTotal and provide a reputation score for the domain/IP.

Depending on the workflow, the playbook may be configured to close a case if it's a false positive, or pass the case together with the threat intelligence gathered to a SOC analyst for further investigation. This way the playbook will reduce the time spent on false-positive alerts. It also saves time for analysts by automatically gathering threat intelligence instead of analysts doing that manually.

Be careful of cases where you set alerts to be automatically closed, though. You can try this on some community editions of SOAR platforms: Splunk Phantom, Siemplify...

Building a playbook

Magdy has provided perfect industry standards for building playbooks. Just a little more: the playbook mainly has actions and decisions. Actions: take an action against an alert (like scanning), and based on the results the playbook decides what to do with them: whether to close, do further scanning using other tools, or pass it to the SOC analyst. This really depends on your workflow.

I am a junior but I love this SOAR thing.
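The action list in the previous answer (ticket, lookup, contain, block, disable, notify) and the enrich-then-decide flow described in this one, combined into a single added Python example. This is not code from either answer or from any SOAR product. The threat-intelligence sources, the ticketing system, the firewall and the identity provider are stubbed with in-memory dictionaries of constructed data; the engine-pool size, the 50% malicious threshold and the rule that only low-severity alerts with a unanimous clean verdict may auto-close are assumptions chosen to illustrate the "be careful with auto-close" caveat.

```python
"""Alert-enrichment and decision playbook, SOAR style.

Added example for this thread, not code from any SOAR product or from
the answers above. Threat-intelligence lookups, ticketing, the firewall
and the identity provider are stubbed with in-memory dictionaries
(constructed data) so the whole flow runs offline.
"""
from dataclasses import dataclass, field

ENGINES_TOTAL = 70          # assumed size of a VirusTotal-style engine pool
MALICIOUS_RATIO = 0.5       # indicator is malicious if >= 50% of engines flag it

# Constructed reputation data: source -> indicator -> detecting-engine count.
REPUTATION = {
    "vt_stub":    {"203.0.113.7": 41, "198.51.100.20": 0, "evil.example": 55},
    "osint_stub": {"203.0.113.7": 1,  "198.51.100.20": 0, "evil.example": 1},
}


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    user: str
    severity: str                      # "low" | "medium" | "high" (from the SIEM)
    indicators: list = field(default_factory=list)


@dataclass
class Case:
    ticket: str
    alert: Alert
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # audit trail of every action
    status: str = "open"


def enrich(alert):
    """Score each indicator against every source: {indicator: {source: hits|None}}."""
    return {ind: {src: table.get(ind) for src, table in REPUTATION.items()}
            for ind in alert.indicators}


def verdict(enrichment):
    """'malicious' if any source crosses the ratio; 'clean' only when every
    source returned an explicit 0 for every indicator; otherwise 'unknown'.
    A missing lookup (None) can never produce 'clean', so an outage in a
    TI feed cannot silently auto-close an alert."""
    scores = [h for per_src in enrichment.values() for h in per_src.values()]
    if any(h is not None and h / ENGINES_TOTAL >= MALICIOUS_RATIO for h in scores):
        return "malicious"
    if scores and all(h == 0 for h in scores):
        return "clean"
    return "unknown"


def act(case, name, approved):
    """Append an action to the audit trail. Destructive actions (block,
    disable, isolate) only execute with an explicit approval flag;
    otherwise they are parked for an analyst to approve."""
    destructive = name.startswith(("block_", "disable_", "isolate_"))
    if destructive and not approved:
        case.actions.append("PENDING_APPROVAL " + name)
        return False
    case.actions.append(name)
    return True


def run_playbook(alert, auto_approve=False):
    """Ticket -> enrich -> decide -> act. Auto-close is restricted to
    low-severity alerts with a unanimous 'clean' verdict (assumed policy)."""
    case = Case(ticket="SOC-" + alert.alert_id, alert=alert)
    case.actions.append("open_ticket:" + case.ticket)
    case.enrichment = enrich(alert)
    v = verdict(case.enrichment)
    if v == "clean" and alert.severity == "low":
        case.actions.append("auto_close:false_positive")
        case.status = "closed_false_positive"
    elif v == "malicious":
        act(case, "block_ip:" + alert.src_ip, auto_approve)
        act(case, "disable_account:" + alert.user, auto_approve)
        act(case, "notify:soc_lead", True)
        case.status = "contained" if auto_approve else "awaiting_approval"
    else:
        act(case, "notify:t2_analyst", True)   # hand the enriched case to a human
        case.status = "escalated"
    return case


if __name__ == "__main__":
    hit = Alert("1001", "203.0.113.7", "jdoe", "high", ["203.0.113.7", "evil.example"])
    case = run_playbook(hit)
    print(case.status, case.actions)
```

Two design points worth copying into a real playbook: the verdict treats a missing lookup as "unknown" rather than "clean", so a dead feed cannot quietly close alerts, and every destructive action passes through an approval gate and lands in the audit trail either way, which is what lets you start manual and automate one step at a time.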

Simon Thornton
Cyber Security Services Operations Manager at an aerospace/defense firm with 501-1,000 employees
Sep 22, 2021

For a given incident type, it describes a series of actions that can be a mixture of automated and manual steps. When you start, the steps are often manual. As the playbook and confidence in the steps improve, you can start automating.

For example, a playbook for a "suspicious email" might read as:

1) check if a case is already open for this user and/or asset; if yes go to step 3

2) open case and record details

3) extract suspicious attachment

4) generate MD5 and SHA256 hashes

5) submit hashes to VirusTotal and record results

6) if 50% (pick your threshold) of AV engines detect the sample skip to step 10

7) forward email attachment to sandbox

8) does the sandbox report indicate suspicious behavior? If yes escalate to T3

9) inform the user

10) open a ticket to IT to re-template the PC or fix

11) when you receive a response from IT about the ticket, close the SOC ticket with relevant closure details

This is a quick illustration of what steps should be included depending on your environment and how far you go.

Each step could be related to different teams.
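The "suspicious email" playbook above, written as code. This is an added Python example, not code from the answer or from any vendor. VirusTotal, the sandbox and the IT ticket queue are replaced by constructed in-memory stubs keyed by SHA-256 so the flow runs offline; the engine-pool size of 60 and the three sample attachments are constructed. The step numbers in the comments refer to the answer's list; where the list is ambiguous (a VirusTotal hit goes straight to an IT re-image ticket, a sandbox hit goes to T3, anything else informs the user), that reading is an assumption.

```python
"""Suspicious-email playbook as code: de-duplicate the case, hash the
attachment, check a VirusTotal-style detection ratio against a threshold,
fall back to a sandbox verdict, then route the outcome.

Added example, not from the answer or any vendor. VirusTotal, the sandbox
and the IT ticket queue are constructed in-memory stubs so it runs offline.
"""
import hashlib

ENGINES = 60                 # assumed engine-pool size
VT_THRESHOLD = 0.5           # step 6: "pick your threshold"

VT_STUB = {}                 # sha256 -> engines detecting (constructed)
SANDBOX_STUB = {}            # sha256 -> True if suspicious behaviour seen
OPEN_CASES = {}              # (user, asset) -> case id, for step 1 de-duplication
CLOSED_CASES = {}            # case id -> closure details (step 11)


def hashes(blob):
    """Step 4: MD5 for feeds that still key on it, SHA-256 as the key we trust."""
    return {"md5": hashlib.md5(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest()}


def handle_suspicious_email(user, asset, attachment, email_id):
    """Run steps 1-10 for one reported email; returns the case record."""
    log = []
    key = (user, asset)
    if key in OPEN_CASES:                              # step 1: case already open?
        case_id = OPEN_CASES[key]
        log.append("reuse_case:" + case_id)
    else:                                              # step 2: open and record
        case_id = "SOC-%04d" % (len(OPEN_CASES) + len(CLOSED_CASES) + 1)
        OPEN_CASES[key] = case_id
        log.append("open_case:" + case_id)
    log.append("record_email:" + email_id)

    h = hashes(attachment)                             # steps 3-4
    hits = VT_STUB.get(h["sha256"], 0)                 # step 5: an unseen hash is 0 hits
    log.append("vt_hits:%d/%d" % (hits, ENGINES))

    if hits / ENGINES >= VT_THRESHOLD:                 # step 6 -> step 10
        outcome = "it_ticket_reimage"
    elif SANDBOX_STUB.get(h["sha256"], False):         # steps 7-8
        outcome = "escalate_t3"
    else:                                              # step 9
        outcome = "inform_user"
    log.append(outcome)
    return {"case": case_id, "hashes": h, "vt_hits": hits,
            "outcome": outcome, "log": log}


def close_case(case_id, it_response):
    """Step 11: IT answered the ticket; close the SOC case with the details.
    Returns False if the case is not open (already closed or never existed)."""
    for key, cid in list(OPEN_CASES.items()):
        if cid == case_id:
            del OPEN_CASES[key]
            CLOSED_CASES[case_id] = it_response
            return True
    return False


# Constructed attachments; only their hashes matter to the stubs.
MALWARE = b"constructed sample: MZ fake dropper"
MACRO_DOC = b"constructed sample: document with a macro"
BENIGN = b"constructed sample: quarterly report"
VT_STUB[hashes(MALWARE)["sha256"]] = 45                # 45/60 = 0.75, over threshold
VT_STUB[hashes(MACRO_DOC)["sha256"]] = 3               # 0.05, under threshold...
SANDBOX_STUB[hashes(MACRO_DOC)["sha256"]] = True       # ...but detonates badly

if __name__ == "__main__":
    for blob in (MALWARE, MACRO_DOC, BENIGN):
        print(handle_suspicious_email("jdoe", "WS-01", blob, "msg-1")["outcome"])
```

Note that an attachment VirusTotal has never seen scores 0 hits and is not "clean"; it is exactly the case that must reach the sandbox, which is why the threshold check is only the first branch and never the last word.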
