Play it safe/Mod 4/use playbooks to respond to incidents
how often are playbooks updated?
A failure is identified, such as an oversight in the outlined policies and procedures, or in the playbook itself. There is a change in industry standards, such as changes in laws or regulatory compliance. The cybersecurity landscape changes due to evolving threat actor tactics and techniques.
playbook
A manual that provides details about any operational action and clarifies what tools to use in response to a security incident. A predefined and up-to-date list of steps to perform when responding to an incident.
step 3 eliminate all traces of the incident
After containing the incident, step three of the playbook is to restore the affected systems back to normal operations. For example, the playbook might instruct the analyst to restore the impacted operating system, then restore the affected data using a clean backup created before the malware outbreak.
Incident Response (playbook)
An organization's quick attempt to identify an attack, contain the damage, and correct the effects of a security breach
Post incident activity - Incident response
Analyze the incident and responses to identify whether procedures or systems could be improved: documenting the incident, informing the organization, applying lessons learned, ensuring the organization is prepared, full-scale analysis, determining the root cause, and implementing updates to improve/enhance security posture.
Playbook and SOAR tool
Playbooks are also used with SOAR tools. SOAR tools are similar to SIEM tools in that they are used for threat monitoring. SOAR is a piece of software used to automate repetitive tasks generated by tools such as a SIEM or managed detection and response (MDR). For example, if a user attempts to log into their computer too many times with the wrong password, a SOAR would automatically block their account to stop a possible intrusion. Then, analysts would refer to a playbook to take steps to resolve the issue.
playbook and SIEM tools
Playbooks are used in the event of an incident. They help security teams respond to incidents by ensuring that consistent actions are followed in a prescribed way. They can be very detailed and may include flow charts and tables to clarify which actions to take and in which order. They are used for recovery procedures in the event of a ransomware attack. Types of security incidents have their own playbooks that detail who should take what action and when. Playbooks are generally used alongside SIEM tools. If, for example, unusual user behavior is flagged by a SIEM tool, a playbook provides analysts with instructions about how to address the issue.
are playbooks updated?
Playbooks should be treated as living documents, which means that they are frequently updated by security team members to address industry changes and new threats. Playbooks are generally managed as a collaborative effort, since security team members have different levels of expertise.
Types of Playbooks
Playbooks sometimes cover specific incidents and vulnerabilities. These might include ransomware, vishing, business email compromise (BEC), and other attacks previously discussed. Incident and vulnerability response playbooks are very common, but they are not the only types of playbooks organizations develop.
In which incident response playbook phase would a security team document an incident to ensure that their organization is better prepared to handle future security events?
Post-incident activity
what are the 6 phases to incident response
Preparation, detection & analysis, containment, eradication & recovery, post-incident activity, and coordination.
Eradication and Recovery - Incident Response
Remove the cause of the incident and bring the system back to a secure state. Eliminate artifacts of the incident by removing malicious code and mitigating vulnerabilities. Once the team has exercised due diligence, it can begin to restore the affected environment to a secure state. This is also known as IT restoration.
In what ways do SIEM tools and playbooks help security teams respond to an incident? Select all that apply.
SIEM tools generate alerts; SIEM tools collect data; after receiving a SIEM alert, security teams use playbooks to guide their response process.
containment (incident response)
This involves stopping or preventing an incident from doing any more damage, or at least lessening any ongoing harm. For example, if a system is malware-infected by a remote attacker, this might involve disconnecting it, blocking with a firewall, and updating signatures or rules on an intrusion prevention system (IPS) to halt the malware traffic.
What kind of things do you use playbook for?
The kinds of things that we use playbooks for are open attacks, privacy incidents, data leaks, denial of service attacks, service alerts, and others.
What is the relationship between SIEM tools and playbooks?
They work together to provide a structured and efficient way of responding to security incidents.
In the event of a security incident, when would it be appropriate to refer to an incident response playbook?
Throughout the entire incident
You're monitoring a SIEM dashboard and receive an alert about a suspicious file download. What's the first thing you should do?
assess the alert by gathering more information
step 2 of playbook outlines
actions and tools to use to contain the malware and reduce further damage. For example, this playbook instructs the analyst to isolate, or disconnect, the infected network system to prevent the malware from spreading into other parts of the network.
Which action can a security analyst take when they are assessing a SIEM alert?
analyze log data and related metrics
After you've taken all the necessary steps outlined in your organization's playbook to resolve the incident, what should you do?
communicate the incident to stakeholders
A security analyst reports to stakeholders about a security breach. They provide details based on the organization's established standards. What phase of an incident response playbook does this scenario describe?
coordination
Fill in the blank: Once a security incident is resolved, security analysts perform various post-incident activities and _____ efforts with the security team.
coordination
Fill in the blank: During the _____ phase, security professionals use tools and strategies to determine whether a breach has occurred and to evaluate its potential magnitude.
detection and analysis
A business recently experienced a security breach. Security professionals are currently restoring the affected data using a clean backup that was created before the incident. What playbook phase does this scenario describe?
eradication and recovery
Playbooks are permanent, best-practice documents, so a security team should not make changes to them.
False; they are constantly updated.
Fill in the blank: Incident response is an organization's quick attempt to _____ an attack, contain the damage, and correct its effects.
identify
Coordination- incident response
Report incidents and share information based on organizational standards; ensures the organization meets compliance requirements; coordinated response and resolution.
incident response playbook
is a guide that helps security professionals mitigate issues with a heightened sense of urgency, while maintaining accuracy
step one of playbook: assess the alert
means determining if the alert is actually valid by identifying why the alert was generated by the SIEM. This can be done by analyzing log data and related metrics.
Organization (incident response)
mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users. Preparation sets the foundation for successful incident response. For example, organizations can create incident response plans and procedures that outline the roles and responsibilities of each security team member.
playbook strategy
Outlines expectations and lists the individuals responsible; it is accompanied by a plan, and the plan dictates how the specific task outlined in the playbook must be completed.
step four of playbook instructs analyst to
perform various post-incident activities and coordination efforts with the security team. Some actions include creating a final report to communicate the security incident to stakeholders, or reporting the incident to the appropriate authorities, like the U.S. Federal Bureau of Investigation or other agencies that investigate cyber crimes.
Which of the following statements accurately describe playbooks? Select three answers.
A playbook is a manual that provides details about any operational action. Organizations use playbooks to ensure employees follow a consistent list of actions. A playbook clarifies what tools to use in response to a security incident.
Fill in the blank: During the _____ phase, security teams may conduct a full-scale analysis to determine the root cause of an incident and use what they learn to improve the company's overall security posture.
post incident activity
A security analyst documents procedures to be followed in the event of a security breach. They also establish staffing plans and educate employees. What phase of an incident response playbook does this scenario describe?
preparation
What are the primary goals of the containment phase of an incident response playbook? Select two answers.
prevent further damage, reduce the immediate impact
You determine that the suspicious file download alert is valid, so you follow the steps in your organization's playbook to contain and eliminate traces of the incident. What should you do next?
restore affected systems
detection and analysis (incident response)
The objective of this phase is to detect and analyze events using defined processes and technology. Using appropriate tools and strategies during this phase helps security analysts determine whether a breach has occurred and analyze its possible magnitude.
Fill in the blank: A security team _____ their playbook frequently by learning from past security incidents, then refining policies and procedures.
updates
what do playbooks provide?
Urgency, efficiency, and accuracy to quickly identify and mitigate a security threat. They ensure people follow a consistent list of actions in a prescribed way.