Integrated Cyber October 16-17, 2017

Presentation transcript:

How to Build a Playbook?

This short video describes the process of how to go about building an IACD playbook. But why do we need to define the process of how to build a playbook, anyway? Why not have all IACD participants construct Playbooks as they see fit? The answer goes back to consistency again! Because Playbooks are meant to be used and shared among and across organizations, the vast IACD community needs a common process for how to build a Playbook, as a key component in creating common Playbook formats and speaking the same language!

© 2017 by The Johns Hopkins Applied Physics Laboratory. "How to Build a Playbook?" is made available under the Creative Commons Attribution 4.0 International License.

[Slide: Rebuild Server Playbook diagram. Process steps in order: Decision Made to Rebuild Server; Generate Response Actions; Authorize Response Actions; Power Cycle Server; Reimage Server; Select Verification Actions; Execute Verification Actions; Select Mitigation Actions; Execute Mitigation Actions; Bring Server Back On-line; Server Back Online. Response Options: Reimage Server from Media; Reimage Server over the Network; Isolate Server from Operations; Enable Network Connectivity for Network Reimaging. Verification Options: Verify Image Installation; Verify Critical Services are Running; Verify Server and Application Configurations; Verify Network Connectivity. Mitigation Options: Backup Server Image; Perform Vulnerability Scan of Server; Upgrade, Patch or Reconfigure Server Software; Reset Passwords.]

Here is an example Playbook on Rebuilding a Server. A Playbook is, first and foremost, a set of process-oriented steps that enable an organization to meet the requirements specified in its policies and procedures. It represents a general security process at its most basic level and identifies industry best practices associated with oversight process steps, which means a playbook can be implemented in a completely manual fashion or increasingly automated, as appropriate for an organization. Playbooks are written for a human to understand, not a machine. You and I are the target audience. Let’s step through the process steps involved in building this example Playbook; the same process can be applied in creating all IACD Playbooks.

This playbook maintains the effectiveness of a subset of controls associated with the NIST Cybersecurity Framework: PR.MA-1, PR.PT-5, RC.RP-1.

[Slide: Rebuild Server Playbook, Step 1. Highlighted box: Decision Made to Rebuild Server.]

Step 1: Identify the Initiating Condition. Ask yourself, “What event or condition is going to start this playbook?” This could be a time-based trigger, the detection of an event, or the decision to act. In this case, the Initiating Condition is that the decision has been made to rebuild the server.

[Slide: Rebuild Server Playbook, Step 2. All candidate actions, unordered: Power Cycle Server; Perform Vulnerability Scan of Server; Verify Critical Services are Running; Execute Mitigation Actions; Generate Response Actions; Bring Server Back On-line; Reimage Server; Verify Server and Application Configurations; Isolate Server from Operations; Reimage Server from Media; Verify Image Installation; Backup Server Image; Reset Passwords; Enable Network Connectivity for Network Reimaging; Upgrade, Patch or Reconfigure Server Software; Execute Verification Actions; Reimage Server over the Network; Verify Network Connectivity.]

Step 2: List all possible actions that could occur in response to this Initiating Condition. Ask yourself, “How could I respond to this condition?” “What steps would I take to mitigate this threat?” Do not worry about order right now!

[Slide: Rebuild Server Playbook, Step 3. Required: Power Cycle Server; Reimage Server; Generate Response Actions; Bring Server Back On-line; Execute Verification Actions; Execute Mitigation Actions. Optional: Isolate Server from Operations; Verify Image Installation; Verify Server and Application Configurations; Verify Critical Services are Running; Backup Server Image; Reimage Server from Media; Reset Passwords; Upgrade, Patch or Reconfigure Server Software; Enable Network Connectivity for Network Reimaging; Perform Vulnerability Scan of Server; Reimage Server over the Network; Verify Network Connectivity.]

Step 3: Categorize each action listed in Step 2 as either a required or optional step. Ask yourself, “Is this step necessary to mitigate or investigate this event, or is it a best practice?” Some best practices have become standardized or widely implemented, while others may be considered extraneous. It’s okay if it is unclear whether some actions are required or optional; you are the one making the decisions and can categorize according to your criteria.

[Slide: Rebuild Server Playbook, Step 4. Process Step diagram built from the required steps: Decision Made to Rebuild Server; Generate Response Actions; Power Cycle Server; Reimage Server; Execute Verification Actions; Execute Mitigation Actions; Bring Server Back On-line. The optional actions from Step 3 are listed below, not yet grouped.]

Step 4: Build the Playbook Process Step diagram using the required steps identified in Step 3. Ask yourself, “What order makes the most sense for performing the process steps?” Now is the time to think about the order in which you would perform these actions.

[Slide: Rebuild Server Playbook, Step 5. Same Process Step diagram as Step 4; the optional actions are now grouped into Response Options (Reimage Server from Media; Reimage Server over the Network; Isolate Server from Operations; Enable Network Connectivity for Network Reimaging), Verification Options (Verify Image Installation; Verify Critical Services are Running; Verify Server and Application Configurations; Verify Network Connectivity) and Mitigation Options (Backup Server Image; Perform Vulnerability Scan of Server; Upgrade, Patch or Reconfigure Server Software; Reset Passwords).]

Step 5: Decide whether the optional actions identified in Step 3 can be grouped by activity or function (e.g., Monitoring, Enrichment, Response, Verification, or Mitigation). Ask yourself, “Are there possible actions that can only take place in certain parts of the playbook?” This is how you would group the actions.

[Slide: Rebuild Server Playbook, Step 6. Process Step diagram with human decision points inserted: Decision Made to Rebuild Server; Generate Response Actions; Authorize Response Actions; Power Cycle Server; Reimage Server; Select Verification Actions; Execute Verification Actions; Select Mitigation Actions; Execute Mitigation Actions; Bring Server Back On-line. Response Options, Verification Options and Mitigation Options as in Step 5.]

Step 6: Modify the Playbook Process Step diagram from Step 4 to include the points where optional actions would be selected. After the process step to Generate Response Actions, a human would Authorize Response Actions. After the process step to Reimage Server, a human would Select Verification Actions. And after the process step to Execute Verification Actions, a human would Select Mitigation Actions. To indicate where optional actions would be selected, use either of the following templates.

[Slide: Template Example 1: the automated step Generate Response Actions followed by the human step Authorize Response Actions, with an “Optional action” box attached by a dashed line. Caption: “Generate optional Response Actions, then have a human authorize the actions”. Template Example 2: the human step Select Mitigation Actions followed by the automated step Execute Mitigation Actions, with an “Optional action” box attached by a dashed line. Caption: “Have a human Select optional Mitigation Actions, then automate the execution”.]

In Template Example 1, the automated process step to Generate Response Actions would be followed by the human process step to Authorize Response Actions. And in Template Example 2, the human process step to Select Mitigation Actions would be followed by the automated process step to Execute Mitigation Actions. The dashed lines indicate that the optional actions can be automated or performed by a human. And taking things further, the process steps of authorizing or selecting and then executing the optional actions could be entirely automated, based on an organization’s comfort level!

[Slide: Rebuild Server Playbook, Step 7. The Step 6 Process Step diagram, with the grouped Response Options, Verification Options and Mitigation Options placed in the action options box below the Process Steps.]

Step 7: Insert the grouped optional actions from Step 5 into the action options box below the Process Steps. These are the optional Best Practices & Local Policies to choose from.

[Slide: Rebuild Server Playbook, Step 8. The Step 7 diagram with the End State added after Bring Server Back On-line: Server Back Online.]

Step 8: Identify the End State; or alternatively, an Initiating Condition to another Playbook. Ask yourself, “Does this playbook result in a discrete end state?” “Could this playbook initiate a different or complementary playbook?” The playbook should not end with ambiguity. Also, the playbook(s) which this current playbook initiates may not even exist yet, and that’s okay! Use this guide to make as many playbooks as you need. In this case, the End State is that the server is back online.

[Slide: Rebuild Server Playbook, Step 9. The completed diagram from Step 8, with the satisfied controls listed at the bottom.]

Step 9: Identify the Regulatory Controls or Requirements that the actions in this Playbook satisfy. Ask yourself, “What is the relationship of this playbook to governance or regulatory requirements?” “Will this playbook satisfy them?” List them at the bottom.

This playbook maintains the effectiveness of a subset of controls associated with the NIST Cybersecurity Framework: PR.MA-1, PR.PT-5, RC.RP-1.
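The nine steps above describe a playbook's structure: one initiating condition, a set of candidate actions each categorized as required or optional, an ordered process with human Authorize/Select points placed per Template 1 or 2, grouped option boxes, an unambiguous end state, and mapped controls. The following Python is an added example, not part of the IACD presentation or any IACD artefact: it encodes the Rebuild Server playbook from the slides as data and checks those structural rules, so that a playbook kept in version control can be validated before it is shared. The step, option and control names are taken from the slides; the Step, OptionGroup and Playbook classes, their field names, the "automated"/"human" actor labels and the check_playbook() rules are my assumptions for illustration, not a defined IACD schema.

```python
"""Added example: the slides' Rebuild Server playbook as data, plus a checker for
the structural rules the nine build steps imply. Class/field names are hypothetical."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Step:
    name: str
    actor: str  # "human" for Authorize/Select points; "automated" is illustrative, the
                # slides leave the degree of automation of other steps to the organization


@dataclass(frozen=True)
class OptionGroup:
    """Optional actions plus the two adjacent process steps that gate them (Step 6)."""
    name: str
    actions: tuple[str, ...]
    automated_step: str
    human_step: str
    template: int  # 1: automated then human (Generate -> Authorize); 2: human then automated (Select -> Execute)


@dataclass(frozen=True)
class Playbook:
    title: str
    initiating_condition: str               # Step 1
    candidate_actions: tuple[str, ...]      # Step 2: everything brainstormed, unordered
    process_steps: tuple[Step, ...]         # Steps 4 and 6: required steps in order, decision points inserted
    option_groups: tuple[OptionGroup, ...]  # Steps 5 and 7: grouped optional actions
    end_state: str                          # Step 8
    controls: tuple[str, ...]               # Step 9


def check_playbook(pb: Playbook) -> list[str]:
    """Return the rule violations found; an empty list means the playbook is well formed."""
    problems: list[str] = []
    if not pb.initiating_condition:
        problems.append("Step 1: no initiating condition")
    if not pb.end_state:
        problems.append("Step 8: no end state; the playbook must not end in ambiguity")
    if not pb.controls:
        problems.append("Step 9: no governance or regulatory controls listed")

    order = [s.name for s in pb.process_steps]
    decision_names = {g.human_step for g in pb.option_groups}
    required = {n for n in order if n not in decision_names}
    optional = [a for g in pb.option_groups for a in g.actions]

    # Step 3: every candidate action is categorized exactly once (required or in one option group)
    for a in pb.candidate_actions:
        hits = int(a in required) + optional.count(a)
        if hits == 0:
            problems.append(f"Step 3: {a!r} was never categorized")
        elif hits > 1:
            problems.append(f"Step 3: {a!r} categorized more than once")

    # Step 6: each option group is gated by a human step adjacent to its automated step,
    # in the direction the chosen template prescribes
    by_name = {s.name: s for s in pb.process_steps}
    for g in pb.option_groups:
        if g.human_step not in by_name or by_name[g.human_step].actor != "human":
            problems.append(f"Step 6: {g.name!r} has no human step {g.human_step!r}")
            continue
        if g.automated_step not in by_name:
            problems.append(f"Step 6: {g.name!r} references unknown step {g.automated_step!r}")
            continue
        first, second = ((g.automated_step, g.human_step) if g.template == 1
                         else (g.human_step, g.automated_step))
        if order.index(second) != order.index(first) + 1:
            problems.append(f"Step 6: template {g.template} requires {first!r} directly before {second!r}")
    return problems


def without_step(pb: Playbook, name: str) -> Playbook:
    """Copy of pb with one process step dropped; used to show the checker catching a gap."""
    return replace(pb, process_steps=tuple(s for s in pb.process_steps if s.name != name))


def rebuild_server_playbook() -> Playbook:
    """The slides' example, transcribed from the final (Step 9) diagram."""
    response = ("Reimage Server from Media", "Reimage Server over the Network",
                "Isolate Server from Operations", "Enable Network Connectivity for Network Reimaging")
    verification = ("Verify Image Installation", "Verify Critical Services are Running",
                    "Verify Server and Application Configurations", "Verify Network Connectivity")
    mitigation = ("Backup Server Image", "Perform Vulnerability Scan of Server",
                  "Upgrade, Patch or Reconfigure Server Software", "Reset Passwords")
    required = ("Generate Response Actions", "Power Cycle Server", "Reimage Server",
                "Execute Verification Actions", "Execute Mitigation Actions", "Bring Server Back On-line")
    A, H = "automated", "human"
    return Playbook(
        title="Rebuild Server Playbook",
        initiating_condition="Decision Made to Rebuild Server",
        candidate_actions=required + response + verification + mitigation,
        process_steps=(
            Step("Generate Response Actions", A), Step("Authorize Response Actions", H),
            Step("Power Cycle Server", A), Step("Reimage Server", A),
            Step("Select Verification Actions", H), Step("Execute Verification Actions", A),
            Step("Select Mitigation Actions", H), Step("Execute Mitigation Actions", A),
            Step("Bring Server Back On-line", A),
        ),
        option_groups=(
            OptionGroup("Response Options", response, "Generate Response Actions", "Authorize Response Actions", 1),
            OptionGroup("Verification Options", verification, "Execute Verification Actions", "Select Verification Actions", 2),
            OptionGroup("Mitigation Options", mitigation, "Execute Mitigation Actions", "Select Mitigation Actions", 2),
        ),
        end_state="Server Back Online",
        controls=("PR.MA-1", "PR.PT-5", "RC.RP-1"),
    )


if __name__ == "__main__":
    pb = rebuild_server_playbook()
    print("complete playbook:", check_playbook(pb) or "no problems")
    print("Select Mitigation Actions dropped:", check_playbook(without_step(pb, "Select Mitigation Actions")))
```

The checker deliberately encodes the templates as an adjacency rule rather than a mere "a human step exists somewhere" test: Template 1 needs the automated step immediately before its human authorization, Template 2 the human selection immediately before its automated execution, which is what the dashed-line diagrams on the slides fix in place. Dropping a required step from the ordered process is reported as a Step 3 categorization gap, because the action from Step 2 is then neither required nor in any option group.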