Swimlane Blog

How to build an incident response playbook

A playbook is defined as a set of rules, describing at least one action to be executed with input data and triggered by one or more events. It is a critical component of cybersecurity—especially in relation to security automation and orchestration (SAO). It’s meant to represent a basic security process in a generalized way that can be used across a variety of organizations.

According to IACD, “playbooks bridge the gap between an organization’s policies and procedures and a security automation and orchestration (SAO) [solution].”

Incident response playbooks can be shared across organizations and include common components, such as:

  • Initiating condition: The first event of the playbook process triggers the rest of the steps and is often the security issue addressed by the entire playbook.
  • Process steps: This includes all major activities organizations should conduct to satisfy the policies and procedures triggered by the initiating condition. This is the core component of a playbook and includes key steps like generating response actions, authorizing responses, quarantining, etc. These steps typically encourage future automation (with human oversight), even if the organization does not currently have those capabilities.
  • Best practices and local policies: These depend on the organization’s specific industry. They include activities that may be conducted in addition to the core process steps.
  • End state: This is the end goal of the playbook. It is the desired outcome based on the initiating condition that represents the playbook’s completion.
  • Relation to governance and regulatory requirements: This component relates key process steps to those required for various compliance and regulatory laws.

How to Build a Cybersecurity Playbook

Here are the steps the IACD recommends following to construct a playbook:

  1. Identify the initiating condition.
  2. List all possible actions that could occur in response to the initiating condition.
  3. Categorize each possible action as “required” (it must occur to mitigate the threat) or “optional” (it is considered more of a best practice).
  4. Build the playbook process order using only the “required” elements determined in step 3.
  5. Determine if steps from the “optional” category can be grouped by activity or function (e.g., monitoring, enriching, responding, verifying, or mitigating).
  6. Modify the process created in step 4 to indicate where any optional processes would occur.
  7. Insert the categorized optional actions into the options box below the process steps box.
  8. Identify the end state or another initiating condition to another playbook.
  9. List the regulatory laws and requirements that the playbook satisfies.
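As an added illustration (not from the post or from IACD), the following Python sketch applies steps 2 through 9 to a constructed phishing playbook: each candidate action is tagged required or optional and by function, the required steps form the process order, optional actions are grouped by function and recorded after the required step they would follow, and the result carries the end state, a hand-off to another playbook’s initiating condition, and a placeholder regulatory list. All action names, the `Action`/`Playbook` classes and `build_process` are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Action:
    name: str
    required: bool               # step 3: "required" or "optional"
    function: str                # step 5: monitoring, enriching, responding, verifying or mitigating
    after: Optional[str] = None  # step 6: the required step an optional action would follow

@dataclass
class Playbook:
    initiating_condition: str                        # step 1
    actions: list                                    # step 2: every candidate action
    end_state: str                                   # step 8
    next_initiating_condition: Optional[str] = None  # step 8: hand-off to another playbook
    regulations: list = field(default_factory=list)  # step 9

def build_process(pb: Playbook) -> dict:
    """Steps 4-7: order the required steps, group optional actions by function
    (the options box) and record after which required step each one occurs."""
    required = [a.name for a in pb.actions if a.required]
    options, follow_ups = {}, {}  # by function (steps 5, 7); by preceding required step (step 6)
    for a in [x for x in pb.actions if not x.required]:
        if a.after not in required:  # an optional action must hang off a required step
            raise ValueError(f"{a.name!r} must follow a required step, got {a.after!r}")
        options.setdefault(a.function, []).append(a.name)
        follow_ups.setdefault(a.after, []).append(a.name)
    process = [{"step": n, "optional_after": follow_ups.get(n, [])} for n in required]
    return {"initiating_condition": pb.initiating_condition, "process": process,
            "options": options, "end_state": pb.end_state,
            "next_initiating_condition": pb.next_initiating_condition,
            "regulations": pb.regulations}
# Constructed phishing playbook (not the one pictured in the post); action names are illustrative.
EXTRACT, QUARANTINE = "Extract sender, URLs and attachments", "Quarantine message from all mailboxes"
PHISHING = Playbook(
    initiating_condition="User reports a suspected phishing email",
    actions=[
        Action(EXTRACT, True, "enriching"),
        Action("Query URL and attachment reputation", False, "enriching", after=EXTRACT),
        Action("Analyst confirms the message is malicious", True, "verifying"),
        Action(QUARANTINE, True, "mitigating"),
        Action("Block sender domain at the mail gateway", False, "mitigating", after=QUARANTINE),
        Action("Reset credentials of users who clicked", False, "responding", after=QUARANTINE),
        Action("Notify the reporter and close the ticket", True, "responding"),
    ],
    end_state="Malicious message removed and reporter informed",
    next_initiating_condition="User credentials believed compromised",  # chains to another playbook
    regulations=["ORG-SPECIFIC-REQUIREMENT-PLACEHOLDER"],  # placeholder, not a real regulation
)
```

Calling `build_process(PHISHING)` yields the four required steps in order, with the two optional mitigating/responding actions attached after the quarantine step; an optional action whose `after` names no required step is rejected.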

Incident Response Playbook Example

The following is an example of a phishing playbook that an organization may utilize:

[Figure: incident response playbook example]

Join the SecOps Hub Playbook Contest

SecOps Hub, a vendor-neutral community for security professionals sponsored by Swimlane, is holding an incident response playbook contest. The contest brings together the best incident response playbooks from the SecOps Hub community. It’s an open-ended contest - you pick the use case, draw up the playbook, and submit it to the community for consideration. The three top-voted playbooks will be awarded prizes. You also don’t need to be an incident response expert or even to know how to build a playbook to enter the contest. All participants are encouraged to work with others in the community to flesh out their ideas.

The incident response playbooks should answer some of the following questions:

  • What’s the best incident response strategy?
  • How much time can a strong incident response strategy save you?
  • How much of the incident response process can you automate?

Contest Requirements

As mentioned above, we are looking to see a variety of incident response playbooks for a range of tasks. We want to see what great ideas you can come up with. Using Visio or other diagram software, build a playbook that includes:

  • A minimum of three platforms/tools
  • A minimum of three decision points

Participants don’t need to build downloadable or shareable content; they only need to design the framework and decision points of the selected playbook. A submission should only require a few minutes of preparation.

Contest Deadlines

  • Submissions Accepted: April 23-May 14
  • Voting: May 14-21
  • Winners announced: May 21

Show Us Your Incident Response Playbook!

Join SecOps Hub, create an incident response playbook and enter the playbook contest today.

Note: Many of the IACD recommendations are specific to IACD playbooks and best practices and include more detail than is required for the playbook contest. Use the phishing playbook example as the basis for your entry.

Tags: automated incident response, incident response playbook, security automation