WEBVTT

0:00:05.060000 --> 0:00:06.460000
 incident response playbooks.

0:00:06.460000 --> 0:00:10.680000
 So in this video, as the title suggests,
 we're going to be taking a closer

0:00:10.680000 --> 0:00:13.620000
 look at incident response playbooks.

0:00:13.620000 --> 0:00:17.280000
 And in the next video, we're going to
 be taking a look at an example of

0:00:17.280000 --> 0:00:21.440000
 a, you know, very detailed incident
 response playbook, to sort of give

0:00:21.440000 --> 0:00:26.380000
 you an idea as to what
 a playbook looks like.

0:00:26.380000 --> 0:00:31.140000
 And, you know, typically the detail
 that needs to go into a playbook in

0:00:31.140000 --> 0:00:36.060000
 order for it to be considered an effective
 and repeatable playbook.

0:00:36.060000 --> 0:00:43.100000
 So an incident response playbook is, and
 this is very important, a specific

0:00:43.100000 --> 0:00:49.460000
 actionable step-by-step guide designed
 to handle a particular type of

0:00:49.460000 --> 0:00:51.040000
 security incident.

0:00:51.040000 --> 0:00:56.180000
 To make that even clearer, incident response
 playbooks are sort of detailed

0:00:56.180000 --> 0:01:02.740000
 action guides, or playbooks as it were,
 that outline the specific steps

0:01:02.740000 --> 0:01:08.120000
 to be taken when responding to particular
 types of security incidents.

0:01:08.120000 --> 0:01:12.120000
 Unlike, you know, broader incident
 response plans, playbooks function

0:01:12.120000 --> 0:01:17.280000
 more like checklists, you know, that
 are designed for targeted or specific

0:01:17.280000 --> 0:01:23.280000
 scenarios. For example, like a phishing
 attack or information leaks, ransomware

0:01:23.280000 --> 0:01:28.480000
 infections, denial of service attacks,
 website defacements, and similar

0:01:28.480000 --> 0:01:34.120000
 threats. So just like, you know, being
 a pilot, you have checklists, your

0:01:34.120000 --> 0:01:38.320000
 preflight checklist, your pre, you know,
 pre-takeoff checklist, your landing

0:01:38.320000 --> 0:01:44.520000
 checklist, they're essentially very specific
 steps or procedures, you know,

0:01:44.520000 --> 0:01:50.740000
 that need to be taken or performed before
 you do something or as you're

0:01:50.740000 --> 0:01:57.180000
 doing something and they essentially
 ensure a level of standardization

0:01:57.180000 --> 0:02:04.680000
 and, you know, ensure that specific
 incidents in this particular case

0:02:04.680000 --> 0:02:06.640000
 are dealt with in the same way.

0:02:06.640000 --> 0:02:10.680000
 So they're very, very important in the
 incident response process, right?

0:02:10.680000 --> 0:02:15.420000
 Now, a playbook provides prescriptive
 instructions tailored to that specific

0:02:15.420000 --> 0:02:19.880000
 incident, including how
 to detect the incident.

0:02:19.880000 --> 0:02:22.640000
 There are some incident response playbooks,
 like the one we'll take a

0:02:22.640000 --> 0:02:28.980000
 look at in the next video that actually
 include steps on preparation or

0:02:28.980000 --> 0:02:30.060000
 instructions on preparation.

0:02:30.060000 --> 0:02:35.400000
 So think of, you know, the tools required
 to deal with a specific type

0:02:35.400000 --> 0:02:39.380000
 of incident, but generally speaking, you're
 going to have, you know, instructions

0:02:39.380000 --> 0:02:44.340000
 on how to detect the incident, how to analyze
 it, how to contain and eradicate

0:02:44.340000 --> 0:02:50.060000
 it, the specific evidence to collect,
 and then specific communication

0:02:50.060000 --> 0:02:51.780000
 or escalation steps.

0:02:51.780000 --> 0:02:56.040000
 The best way to think of a playbook is
 to think of it as a detailed response

0:02:56.040000 --> 0:03:01.120000
 manual for a specific incident category
 or to be able to do something.

0:03:01.120000 --> 0:03:05.480000
 So, you know, a typical incident response
 playbook will include a trigger

0:03:05.480000 --> 0:03:10.880000
 or trigger conditions that define when
 the playbook should be initiated.

0:03:10.880000 --> 0:03:14.280000
 So when does this playbook
 come into play, right?

0:03:14.280000 --> 0:03:20.820000
 So, if there's a phishing email and you
 have your phishing playbook, then

0:03:20.820000 --> 0:03:25.060000
 the trigger would be, you know, something,
 or let's say, a phishing

0:03:25.060000 --> 0:03:32.240000
 email detected, but you then need
 to go into how it's detected.

0:03:32.240000 --> 0:03:35.680000
 And so you may find that there's different
 types of playbooks to deal

0:03:35.680000 --> 0:03:38.320000
 with the same type of incident.

0:03:38.320000 --> 0:03:42.560000
 So, you know, multiple in this case,
 in the case of the example, multiple

0:03:42.560000 --> 0:03:46.260000
 types of phishing playbooks, but that's
 getting a bit too detailed.

0:03:46.260000 --> 0:03:49.740000
 In any case, you'll also have
 step-by-step workflows.

0:03:49.740000 --> 0:03:53.500000
 And this is sort of the key here that
 outline the actions that responders

0:03:53.500000 --> 0:03:58.220000
 must follow. And then there's obviously
 going to be a criteria for incident

0:03:58.220000 --> 0:04:02.320000
 closure to determine when the response
 effort is considered complete.

0:04:02.320000 --> 0:04:07.140000
 So, when are you done responding to
 a phishing-related incident if I'm

0:04:07.140000 --> 0:04:09.280000
 to use the example again?

0:04:09.280000 --> 0:04:13.440000
 Now, the great thing is, you know,
 regardless of whether or not you're

0:04:13.440000 --> 0:04:16.460000
 an incident responder already, is that
 there's several publicly available

0:04:16.460000 --> 0:04:21.600000
 resources that offer IR playbook templates
 or examples that you can sort

0:04:21.600000 --> 0:04:25.840000
 of use to understand playbooks, but more
 importantly, learn how to develop

0:04:25.840000 --> 0:04:29.040000
 your own based on your organizational
 needs and requirements.

0:04:29.040000 --> 0:04:33.340000
 So these templates can serve as valuable
 starting points, allowing you

0:04:33.340000 --> 0:04:36.780000
 to customize and build your own playbooks
 tailored to your organization's

0:04:36.780000 --> 0:04:39.420000
 environment and threat landscape.

0:04:39.420000 --> 0:04:44.240000
 So, to summarize this, the IR plan that
 we covered in the previous video

0:04:44.240000 --> 0:04:47.280000
 is like a fire department's
 emergency handbook.

0:04:47.280000 --> 0:04:49.620000
 So, think of it as a handbook.

0:04:49.620000 --> 0:04:54.520000
 And then the IR playbook is like the
 exact procedure or a specific page

0:04:54.520000 --> 0:04:59.420000
 or set of pages that deal with responding
 to, let's say, a house fire

0:04:59.420000 --> 0:05:01.120000
 or a chemical spill.

0:05:01.120000 --> 0:05:04.980000
 So, if, you know, we're using
 the example of a fire department's

0:05:04.980000 --> 0:05:10.140000
 emergency handbook, that would essentially
 represent the IR plan.

0:05:10.140000 --> 0:05:14.600000
 The playbook or playbooks, as it were,
 would be, let's say, specific chapters

0:05:14.600000 --> 0:05:21.920000
 dealing with or addressing a house fire
 or a fire caused,

0:05:21.920000 --> 0:05:27.440000
 you know, by the stove or something
 like this or a chemical spill.

0:05:27.440000 --> 0:05:31.420000
 And the key point here is that both
 are essential, but one defines the

0:05:31.420000 --> 0:05:35.800000
 overall system and the other provides
 tactical execution for specific

0:05:35.800000 --> 0:05:40.320000
 threats. And over here, I've sort of
 outlined some examples of playbooks

0:05:40.320000 --> 0:05:43.860000
 as well as templates, one of which we're
 actually going to be exploring

0:05:43.860000 --> 0:05:45.500000
 in the next video.

0:05:45.500000 --> 0:05:49.840000
 So the first is the Incident Playbook,
 which is essentially incident response

0:05:49.840000 --> 0:05:54.100000
 playbooks that have been mapped to the
 MITRE ATT&CK framework, more specifically

0:05:54.100000 --> 0:05:58.300000
 TTPs. And then you have public playbooks,
 which is the key one we'll be

0:05:58.300000 --> 0:06:02.520000
 exploring. This is a repository of playbooks
 and workflows that is, you

0:06:02.520000 --> 0:06:08.520000
 know, based on the NIST 800-61 Special
 Publication Revision 2 guide that

0:06:08.520000 --> 0:06:10.640000
 we're already familiar with.

0:06:10.640000 --> 0:06:14.100000
 So with that being said, that's going
 to be it for this video, and I will

0:06:14.100000 --> 0:06:15.860000
 be seeing you in the next video.

