Throw Out the Playbooks to Win at Incident Response

For coaches and athletes, playbooks are invaluable. Games played by a set of known rules can benefit from playbooks that help teams use variations of known tactics against known opponents to gain a competitive advantage. But for enterprise security teams, playbooks can be more like an Achilles heel, especially as an incident response tactic. They create a sense of false security because playbooks are only useful against known threats, using known tactics against known adversaries.

Unlike athletes in organized sports, hackers play by their own set of rules, and threat tactics are ever-evolving. This means playbooks, by definition, leave gaps in security because they rely on established criteria. Additionally, playbooks place a heavy workload on security teams, creating even more vulnerabilities for enterprises.

First, playbooks consist of a pre-assembled set of tasks triggered by the detection of a recognized threat. Many organizations use some form of workflow orchestration to create and/or automate a task list, but the actual tasks are still manually performed by a security analyst. This means that teams get bogged down in reactive, tactical responses, instead of placing more effort into strategic, proactive activity to help prevent attacks.

Second, playbooks are very static, as they involve translating response processes into integrations. If you change the process or the involved systems, then you need to update the code that implements the integrations. Playbooks and orchestration are just continuing the tradition of viewing incident response as a process problem.

Third, since playbooks create a standard response to threats, hackers can easily determine how a specific organization will respond to a known threat. It’s the equivalent of a defensive line already knowing where the quarterback is going to throw the ball. Hackers use playbooks as a distraction by targeting an organization with a tactic that triggers a known response, and then launching a new attack while the team is busy responding to the distraction. This results in a loss of productivity and increases the chances that the real attack achieves its intended purpose.  

Lastly, the use of playbooks caters to the skills gap that is plaguing security teams, rather than encouraging skill advancement. Reliance on playbooks has created an environment in which analysts only learn what it takes to complete the series of tasks, and that requires a broad, lower level understanding of a known threat. This has hindered the skills growth and put the business at risk. Playbooks do not take into account organization-specific factors or the skill advancement of the analyst, because she does not get to apply her own insight into the response and build her skillset based on what she may have learned through this experience.

Enterprises relying on playbooks for incident response are doing themselves a disservice. While they may survive an attack today, they are not taking a forward-looking approach to keeping pace with the threats of tomorrow. 

Related Content: