Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hello everyone, and welcome to the Conf42 Incident Management 2024 conference. Imagine your organization facing a major security issue. Time is running out, things are chaotic, and everyone is scrambling to fix the problem. And to make the situation more interesting, communications are falling apart. Does it sound familiar?
As cybersecurity analysts, we spend a whole lot of our time building security controls that we hope will prevent an incident from happening in the first place. But the reality is that the incident happens or will happen. What if you had a clear step-by-step guide to tackle any incident quickly and efficiently? This is why a cybersecurity team or an organization is expected to have a strong understanding of what to do, and how to do it, when things go wrong. In today's talk, I'll be exploring what an incident response playbook is and how we can implement one.
My name is Chinye Chinekizi.
I'm an SUL security analyst with Saifal Technologies.
In today's talk, I'll be looking at Master Incident Response: Elevate Efficiency with Playbooks.
Let's dive into it.
So in order to drive this talk, I'll be following an outline. One item is understanding what incident response is. We'll also be considering the challenges in incident management, what an incident response playbook is, and the benefits of using an incident response playbook. Then the guide to creating one. We'll also look at the elements of an effective incident playbook. And then we look at an example, the tools and technology, and then we conclude.
Understanding incident response.
NIST actually defines incident response as a systematic process for handling cybersecurity incidents: incidents like data breaches, malware infections, or any form of cybersecurity incident. Why do we actually need incident response? One of the reasons why we need it is because it actually helps to reduce damage and downtime. It also ensures business continuity and protects sensitive data from being exploited by threat actors when there is an incident. And in order to do this, or to be able to effectively protect our data from being exploited, NIST actually provided us with four guides. These four guides are preparation; detection and analysis; containment, eradication, and recovery; and the post-incident activities. We also have the SANS incident response process, which actually also states or outlines the steps that could be taken in order to detect and prepare for an incident.
Now we're looking at the challenges in incident management. One of the challenges in incident management is a lack of clear procedures. Without a clear process, there is a risk of confusion and delay in response, especially when something goes wrong. And also, there is bound to be an error in the incident management process, because at that point the team might end up working on an assumption without a clear path to follow. We also have inadequate incident categorization and prioritization. This is a major issue. Where incidents are not properly categorized, it can lead to the team giving top priority to the least expected incidents. Lack of tools and resources: where there are no tools and resources, it becomes a challenge to effectively manage or quickly respond to the incident. We have inadequate training: where there is no training, it makes it difficult for the team to effectively jump on the incident when it happens. We have a lack of communication and collaboration.
And now we're looking at what an incident response playbook is. An incident response playbook is a detailed, structured set of procedures that actually outlines what an organization should do in the event an incident happens. It tells them how to detect it, how to respond to it, and how to recover from the cybersecurity incident. One primary goal of incident response is to help organizations minimize the impact of breaches and to ensure they restore back to normal, or return to business, as quickly as possible. So there are different types of playbooks that an organization can actually decide to develop, and this is based on the potential threats identified in the environment, as well as the kind of operation they are into, as well as their size. So there are different playbooks that they could choose from. This is a list of some playbooks. There are more playbooks that could be explored, but the ones listed here are just a few. One is the ransomware playbook. We also have the data breach playbook. We have the malware playbook. We have up to the zero-day vulnerability playbook. This list is just a few. There are many other playbooks that could be developed by an organization based on the threats identified within their business operations, as well as their size.
Then we look at the benefits of an incident response playbook. One of the benefits of an incident playbook is improved efficiency. Because there's already a streamlined process, it helps the team quickly respond to the incident and then reduce the downtime or the impact of those incidents. You have enhanced effectiveness. Because the clear procedures already outline what they are to do and how they are to go about it, it makes decision making very fast, and then they end up taking a more impactful action. It also increases collaboration where there are well-defined roles. It helps them know who to escalate to, because they already have the role matrix that spells out who they are to escalate to in the event something goes wrong. So it shows the chain of escalation, making the coordination of the incident very smooth.
And then we have the guide to creating an incident playbook. One important thing to note is that before an organization can go ahead in developing an incident playbook, there's a need for them to actually understand their security posture. And this is actually done by identifying the potential vulnerabilities and threats that are specific to the operations. And by so doing, they are able to come up with the strategy to curtail those identified weaknesses. And this is done by performing penetration testing or vulnerability assessment. These two tests actually give them an overview of how that environment is, as well as the weaknesses and possible remediation of what they can do to ensure a stronger security posture. And then you have create reporting checklist. I would like to also mention, before I go to create reporting checklist, that this testing actually helps them to determine the severity as well as define the priorities, because identifying those vulnerabilities within the environment will help them to have a proper categorization as well as prioritize those incidents based on their severity and impact on their businesses.

I move on to the create reporting checklist. So this checklist is like a template that helps the team document their findings during the investigation and enter the activities that are executed in order to curtail those incidents. Then they have define clear procedures. Like we rightly mentioned, there are different types of playbooks. And these playbooks should have a clear process for detecting, investigating and also identifying the potential security incidents and then prioritizing them based on their severity and impact. This can only be achieved where the organization already has a clear understanding of what poses a threat in their environment. They have establish roles and responsibilities. This is very key because it helps at the escalation point. We also have develop communication plans. Then you have test. After developing those processes, there is a need to actually test to know the effectiveness of those processes and those tools that have been implemented to detect and actually help the organization's security. This can be done by performing a tabletop exercise. This tabletop exercise helps to determine the readiness of the team in fighting against incidents. And then we have refine. Refining actually helps in identifying the gaps and possible improvements of the processes. When the tabletop exercise is done, then you're able to identify what is not properly taken care of, and you're able to improve on it by refining those processes as needed, taking into account the newly identified gaps and how they could build a stronger security posture.
And then we have the NIST four phases explained. These four steps actually give a better understanding to the organization or the security team on how they could be incident ready. Firstly, I would like to highlight that for any organization to have an effective playbook, there is a need for them to have a better understanding of what the NIST guideline is. Without a clear understanding of what the NIST guideline is, it's very difficult for them to take into account these four phases and get ready for any form of incident. So in order to have this incident response properly outlined, and in line with the best practices, it is important the organization understands this framework, and by so doing they are able to build it into their process and then have an effective playbook.
Now we'll be looking at the key elements of an effective incident playbook. So the key elements are four. One is the initiating condition. This particular one defines what the trigger is. Then you have the process steps. This actually spells out the step-by-step instructions on how to execute the playbook. Like I said, there are different types of playbooks, and each playbook has its unique processes. The phishing playbook is actually different from the malware playbook, because the flows of the two are actually different, and so the steps to curtailing them also differ. So the playbook actually spells out how this can be executed. Then you have the roles and responsibilities. This actually tells you which team is responsible for what, which must be in line with best practices. And then we have the communication. This describes the internal and external communication procedures. With the communication matrix, you are able to identify the escalation points for the escalation line or chain, which helps the team coordinate properly.
Now we're looking at a typical example of a phishing attack response playbook. This is not the best of it, but this is just for the purpose of learning. So I'll be assuming a scenario. A large financial organization faced a sophisticated phishing attack targeting its employees. The attacker aimed to steal sensitive information and gain unauthorized access to the company's systems. Remember the first thing we said: the trigger, which is the initiating condition. The employee reports a suspicious email, or the security team detects unusual login attempts and flags them as potential phishing attempts. So this is the trigger. The employee reports it as a suspicious email, or the security team is able to detect it using any of the automated tools.
Now we'll go to how this can be built into the NIST incident response plan. One, we have the detection stage. Remember we said it's a phishing email. So the first thing is to verify that it's a phishing attempt, because the trigger said it's a phishing attempt to steal information. In verifying the phishing attempt, we're going to be looking at the IOCs. We're talking about the malicious links, the attachments, and the impersonated domains, using some threat intelligence platforms such as Recorded Future, Shodan, or AbuseIPDB, sorry. So in such a situation, the team goes in there to check and see if there has been any reported abuse on the identified IOCs.

And then we move to containment. Containment has to do with stopping this threat. And stopping this threat means that you block the sender's email address, you quarantine the affected email, and you also revoke any access that was granted by the compromised credentials. Then I'll move to eradication. So you scan the affected endpoints. You also review the logs to ensure that there is no other employee who might have clicked on or interacted with the compromised emails. If there is any, you reset their passwords, just to ensure that there is no further spread. Then we go to the recovery. Here you are ensuring that all the compromised accounts on the system are secured. You can also test by simulating the potential phishing exploits to be sure that there is no residue remaining within the environment. Then you have post-incident activity. There you are reviewing the attack details, the response efforts, and the results. You're looking at what you've done and trying to identify the gaps, as well as what you can do better to improve on the overall security posture. And here you can begin to consider strengthening the email filters and also providing training to the employees to ensure that they are actually phishing aware, especially when they see any of those emails being sent by the threat actors. So this is a sample of a possible phishing response playbook that could be developed to prevent the spread of a phishing attack. This is not the best of it, but just to give us an idea of what a phishing response playbook looks like.
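The phishing playbook walked through above, written out as an added example that is not part of the original talk: a small Python runner that encodes the trigger (an employee or SIEM report), the detection step (checking links, sender domain and attachments against indicators), containment actions, the eradication log review, and the post-incident reporting record. The blocklist, the organisation domain `corpbank.example`, the sample email and the proxy-log lines are all constructed stand-ins; in a real deployment the `detect` step would query a threat-intelligence platform such as the ones named in the talk rather than the inline set.

```python
import re
from dataclasses import dataclass, field

# Constructed reference data: stand-ins for a threat-intel platform lookup and
# for the organisation's own domains. None of these are real indicators.
KNOWN_BAD_DOMAINS = {"secure-login-update.example"}
ORG_DOMAINS = {"corpbank.example"}
RISKY_EXTENSIONS = {".html", ".htm", ".zip", ".exe", ".js", ".docm", ".iso"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
PROXY_LOG_RE = re.compile(r"user=(\S+) dest=(\S+)")

@dataclass
class Report:
    """Trigger (initiating condition): one reported or SIEM-flagged email."""
    message_id: str
    sender: str
    body: str
    attachments: list
    source: str  # "employee" or "siem"

@dataclass
class Finding:
    iocs: list = field(default_factory=list)  # (kind, value, reason) tuples
    verdict: str = "no_evidence"              # "phishing" or "no_evidence"

def is_lookalike(host, org_domains):
    """Impersonated domain: carries the org brand label but is not the org domain."""
    host = host.lower()
    for org in org_domains:
        brand = org.split(".")[0]
        if host != org and not host.endswith("." + org) and brand in host:
            return True
    return False

def detect(report, bad_domains=KNOWN_BAD_DOMAINS, org_domains=ORG_DOMAINS):
    """Detection and analysis: verify the phishing claim against the IOCs."""
    f = Finding()
    for host in URL_RE.findall(report.body):
        host = host.lower()
        if host in bad_domains:
            f.iocs.append(("url", host, "listed on threat-intel blocklist"))
        elif is_lookalike(host, org_domains):
            f.iocs.append(("url", host, "lookalike of organisation domain"))
    sender_host = report.sender.rsplit("@", 1)[-1].lower()
    if sender_host in bad_domains or is_lookalike(sender_host, org_domains):
        f.iocs.append(("sender", sender_host, "suspicious sender domain"))
    for name in report.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            f.iocs.append(("attachment", name, "risky attachment type"))
    # No IOC hit is not a "benign" verdict: that call is left to the analyst.
    f.verdict = "phishing" if f.iocs else "no_evidence"
    return f

def contain(report, finding):
    """Containment: stop the spread. Returns the ordered actions to carry out."""
    if finding.verdict != "phishing":
        return []
    actions = [f"block sender {report.sender}",
               f"quarantine message {report.message_id} from all mailboxes"]
    actions += [f"block url {v}" for k, v, _ in finding.iocs if k == "url"]
    return actions

def eradicate(finding, proxy_log_lines):
    """Eradication: every user who reached a malicious host gets a password reset."""
    malicious = {v for k, v, _ in finding.iocs if k == "url"}
    affected = set()
    for line in proxy_log_lines:
        m = PROXY_LOG_RE.search(line)
        if m and m.group(2).lower() in malicious:
            affected.add(m.group(1))
    return sorted(affected)

def report_checklist(report, finding, actions, affected):
    """Post-incident activity: the reporting-checklist record for the review."""
    lessons = ["strengthen email filters", "phishing awareness training"]
    return {
        "trigger": f"{report.source} report of message {report.message_id}",
        "verdict": finding.verdict,
        "iocs": [f"{k}:{v}" for k, v, _ in finding.iocs],
        "containment_actions": actions,
        "credentials_reset": affected,
        "lessons_learned": lessons if finding.verdict == "phishing" else [],
    }

def run_playbook(report, proxy_log_lines):
    """Runs the phases in NIST order and returns the post-incident record."""
    finding = detect(report)
    actions = contain(report, finding)
    affected = eradicate(finding, proxy_log_lines)
    return report_checklist(report, finding, actions, affected)

# Constructed sample input: one reported email and three proxy-log lines.
SAMPLE_REPORT = Report(
    message_id="<c1a2b3@mail.example>",
    sender="alerts@corpbank-secure.example",
    body="Your account is locked. Verify at https://secure-login-update.example/verify",
    attachments=["statement.pdf.html"],
    source="employee",
)
SAMPLE_PROXY_LOG = [
    "2024-06-01T09:01:12Z user=jdoe dest=secure-login-update.example status=200",
    "2024-06-01T09:02:40Z user=asmith dest=intranet.corpbank.example status=200",
    "2024-06-01T09:05:03Z user=mlee dest=SECURE-LOGIN-UPDATE.example status=200",
]
```

Running `run_playbook(SAMPLE_REPORT, SAMPLE_PROXY_LOG)` yields a "phishing" verdict with three indicators (the blocklisted link, the lookalike sender domain, and the double-extension attachment), three containment actions, and two users (`jdoe` and `mlee`) for credential reset; the `asmith` line is ignored because it only reached an internal host. A report with no indicator hit comes back as `no_evidence` rather than benign, which is where the human review the talk mentions later decides between a false positive and a miss.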
And then we look at the tools. These tools are actually used to automate the playbooks. One of them is security information and event management, which is SIEM. And under this, there are different SIEM tools that could be used. One of them is Splunk, and you have a list of others. You also have the endpoint detection and response tools. As an example, you have Carbon Black, you have Microsoft Defender. And we have SOAR, which is Security Orchestration, Automation, and Response tools. One of the examples is Microsoft Sentinel. So there are different tools that could be used in that regard. We also have the incident management tools. So we have different tools within that space that could be used. We also have the threat intelligence platforms. One of them is Recorded Future, and you have all the rest of the others that could be used.

In using these tools, we cannot rule out the human factor or human intelligence, because human intelligence helps to analyze some of the identified threat indicators, and they are able to speak to those issues. Actually, especially when identifying the incidents, they can either be true or false. Sometimes you have some incidents that are false positives. So with human intelligence, you're able to identify and look at the behavior as well as the anomalies and be able to determine if they're true or false. This is also the role of human intelligence in playbooks and also in ensuring the security of incidents.
Then we have common pitfalls to avoid. One is outdated playbooks. Due to the evolving nature of technology, the cyber actors or the threat actors also keep improving their tactics on how to get into our systems and steal valuable information. So organizations need to ensure that their playbooks are updated and are up to date with the current security trends. There is a lack of testing, where processes or tools are not tested to validate their effectiveness in detecting those abnormalities, those incidents. It can be an issue, and that should be avoided. And then we have poor communication, where there is no proper definition of the communication matrix. It becomes a challenge because you wouldn't know who to escalate to. So the chain of communication becomes a challenge, so that needs to be avoided. And then in conclusion, I will say that by using a well-designed incident response playbook, organizations are able to enhance efficiency, reduce downtime, and also improve on their overall security posture. Thank you for listening.