Integrated Cyber October 16-17, 2017
How to Build a Playbook?

This short video describes the process of how to go about building an IACD playbook. But why do we need to define the process of how to build a playbook, anyway? Why not have all IACD participants construct Playbooks as they see fit? The answer goes back to consistency again! Because Playbooks are meant to be used and shared among and across organizations, the vast IACD community needs a common process for how to build a Playbook, as a key component in creating common Playbook formats and speaking the same language!

© 2017 by The Johns Hopkins Applied Physics Laboratory. "How to Build a Playbook?" is made available under the Creative Commons Attribution 4.0 International License.
Rebuild Server Playbook
(Diagram: the completed Rebuild Server Playbook.)
Process steps: Decision Made to Rebuild Server -> Generate Response Actions -> Authorize Response Actions -> Power Cycle Server -> Reimage Server -> Select Verification Actions -> Execute Verification Actions -> Select Mitigation Actions -> Execute Mitigation Actions -> Bring Server Back On-line -> Server Back Online
Response Options: Reimage Server from Media; Reimage Server over the Network; Isolate Server from Operations; Enable Network Connectivity for Network Reimaging
Verification Options: Verify Image Installation; Verify Critical Services are Running; Verify Server and Application Configurations; Verify Network Connectivity
Mitigation Options: Backup Server Image; Perform Vulnerability Scan of Server; Upgrade, Patch or Reconfigure Server Software; Reset Passwords

Here is an example Playbook on Rebuilding a Server. A Playbook is, first and foremost, a set of process-oriented steps that enable an organization to meet the requirements specified in its policies and procedures. It represents a general security process at its most basic level and identifies industry best practices associated with oversight process steps, which means a playbook can be implemented in a completely manual fashion or increasingly automated, as appropriate for an organization. Playbooks are written for a human to understand, not a machine. You and I are the target audience. Let’s step through the process steps involved in building this example Playbook; the same steps can be applied in creating all IACD Playbooks.

This playbook maintains the effectiveness of a subset of controls associated with NIST Cybersecurity Framework: PR.MA-1, PR.PT-5, RC.RP-1
Rebuild Server Playbook
Step 1: Identify the Initiating Condition
(Diagram: the initiating condition box, "Decision Made to Rebuild Server".)
Ask yourself, “What event or condition is going to start this playbook?” This could be a time-based trigger, the detection of an event, or the decision to act. In this case, the Initiating Condition is that the decision has been made to rebuild the server.
Rebuild Server Playbook
Step 2: List all possible actions that could occur in response to this Initiating Condition
(Diagram: the candidate actions, in no particular order: Power Cycle Server; Perform Vulnerability Scan of Server; Verify Critical Services are Running; Execute Mitigation Actions; Generate Response Actions; Bring Server Back On-line; Reimage Server; Verify Server and Application Configurations; Isolate Server from Operations; Reimage Server from Media; Verify Image Installation; Backup Server Image; Reset Passwords; Enable Network Connectivity for Network Reimaging; Upgrade, Patch or Reconfigure Server Software; Execute Verification Actions; Reimage Server over the Network; Verify Network Connectivity.)
Ask yourself, “How could I respond to this condition?” “What steps would I take to mitigate this threat?” Do not worry about order right now!
Rebuild Server Playbook
Step 3: Categorize each action listed in Step 2 as either a required or optional step
(Diagram: the Step 2 actions sorted into two columns.)
Required: Power Cycle Server; Reimage Server; Generate Response Actions; Bring Server Back On-line; Execute Verification Actions; Execute Mitigation Actions.
Optional: Isolate Server from Operations; Verify Image Installation; Verify Server and Application Configurations; Verify Critical Services are Running; Backup Server Image; Reimage Server from Media; Reset Passwords; Upgrade, Patch or Reconfigure Server Software; Enable Network Connectivity for Network Reimaging; Perform Vulnerability Scan of Server; Reimage Server over the Network; Verify Network Connectivity.
Ask yourself, “Is this step necessary to mitigate or investigate this event, or is it a best practice?” Some best practices have become standardized or widely implemented, while others may be considered extraneous. It’s okay if it is unclear whether some actions are required or optional; you are the one making the decisions and can categorize according to your criteria.
Rebuild Server Playbook
Step 4: Build the Playbook Process Step diagram using the required steps identified in Step 3
(Diagram.) Process steps: Decision Made to Rebuild Server -> Generate Response Actions -> Power Cycle Server -> Reimage Server -> Execute Verification Actions -> Execute Mitigation Actions -> Bring Server Back On-line. The optional actions from Step 3 are shown beside the diagram, not yet placed.
Ask yourself, “What order makes the most sense for performing the process steps?” Now is the time to think about the order in which you would perform these actions.
Rebuild Server Playbook
Step 5: Decide whether the optional actions identified in Step 3 can be grouped by activity or function (e.g., Monitoring, Enrichment, Response, Verification, or Mitigation)
(Diagram: the Step 4 process steps, with the optional actions grouped into three boxes.)
Response Options: Reimage Server from Media; Reimage Server over the Network; Isolate Server from Operations; Enable Network Connectivity for Network Reimaging
Verification Options: Verify Image Installation; Verify Critical Services are Running; Verify Server and Application Configurations; Verify Network Connectivity
Mitigation Options: Backup Server Image; Perform Vulnerability Scan of Server; Upgrade, Patch or Reconfigure Server Software; Reset Passwords
Ask yourself, “Are there possible actions that can only take place in certain parts of the playbook?” This is how you would group the actions.
Rebuild Server Playbook
Step 6: Modify the Playbook Process Step diagram from Step 4 to include the points where optional actions would be selected
(Diagram.) Process steps: Decision Made to Rebuild Server -> Generate Response Actions -> Authorize Response Actions -> Power Cycle Server -> Reimage Server -> Select Verification Actions -> Execute Verification Actions -> Select Mitigation Actions -> Execute Mitigation Actions -> Bring Server Back On-line, with the Response Options, Verification Options and Mitigation Options groups from Step 5 shown below the process steps.
After the process step to Generate Response Actions, a human would Authorize Response Actions. After the process step to Reimage Server, a human would Select Verification Actions. And after the process step to Execute Verification Actions, a human would Select Mitigation Actions. To indicate where optional actions would be selected, use either of the following templates.
Template Example 1: Generate optional Response Actions, then have a human authorize the actions
Template Example 2: Have a human Select optional Mitigation Actions, then automate the execution
(Diagram: the two templates, each with an "Optional action" box attached to the process steps.)
In Template Example 1, the automated process step to Generate Response Actions would be followed by the human process step to Authorize Response Actions. And in Template Example 2, the human process step to Select Mitigation Actions would be followed by the automated process step to Execute Mitigation Actions. The dashed lines indicate that the optional actions can be automated or performed by a human. And taking things further, the process steps of authorizing or selecting and then executing the optional actions could be entirely automated, based on an organization’s comfort level!
Rebuild Server Playbook
Step 7: Insert the grouped optional actions from Step 5 into the action options box below the Process Steps
(Diagram: the Step 6 process steps, with the Response Options, Verification Options and Mitigation Options boxes filled in below them.)
These are the optional Best Practices & Local Policies to choose from.
Rebuild Server Playbook
Step 8: Identify the End State; or alternatively, an Initiating Condition to another Playbook
(Diagram: the Step 7 playbook, now ending in "Server Back Online" after Bring Server Back On-line.)
Ask yourself, “Does this playbook result in a discrete end state?” “Could this playbook initiate a different or complementary playbook?” The playbook should not end with ambiguity. Also, the playbook(s) which this current playbook initiates may not even exist yet – and that’s okay! Use this guide to make as many playbooks as you need. In this case, the End State is that the server is back online.
Rebuild Server Playbook
Step 9: Identify the Regulatory Controls or Requirements that the actions in this Playbook satisfy
(Diagram: the completed playbook from Step 8, with the controls listed at the bottom.)
Ask yourself, “What is the relationship of this playbook to governance or regulatory requirements?” “Will this playbook satisfy them?” List them at the bottom.
This playbook maintains the effectiveness of a subset of controls associated with NIST Cybersecurity Framework: PR.MA-1, PR.PT-5, RC.RP-1
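The nine build steps above, as an added example in Python that is not from the IACD slides: the Rebuild Server playbook held as data, with Step 6 (inserting the human selection points after their anchor steps) done in code and the Step 1, Step 3 and Step 8 rules checked. The labels are the slide labels; the class names, method names and the `insert_after` field are this example's own.

```python
# Added example, not from the IACD slides: the Rebuild Server playbook as data, with
# Step 6 (inserting the human selection points) done in code and the build rules checked.
from dataclasses import dataclass

@dataclass
class OptionGroup:
    name: str          # Step 5 grouping, e.g. "Response Options"
    insert_after: str  # required step the selection point follows (Step 6)
    select_step: str   # human step that authorizes/selects from the group
    actions: list      # optional actions (Step 3) offered in this box (Step 7)

@dataclass
class Playbook:
    initiating_condition: str  # Step 1
    required_steps: list       # Step 4, in execution order
    option_groups: list        # Steps 5 to 7
    end_state: str             # Step 8
    controls: list             # Step 9, e.g. NIST CSF subcategory ids

    def process_steps(self):
        """Step 6: insert each group's selection step right after its anchor step."""
        steps = list(self.required_steps)
        for g in self.option_groups:
            if g.insert_after not in steps:
                raise ValueError(f"{g.name}: '{g.insert_after}' is not a required step")
            steps.insert(steps.index(g.insert_after) + 1, g.select_step)
        return [self.initiating_condition] + steps + [self.end_state]

    def validate(self):
        """Return the build-rule violations found; an empty list means well-formed."""
        problems = [msg for ok, msg in ((self.initiating_condition, "Step 1: no initiating condition"),
                                        (self.end_state, "Step 8: no end state, playbook ends in ambiguity")) if not ok]
        for a in (a for g in self.option_groups for a in g.actions):
            if a in self.required_steps:
                problems.append(f"Step 3: '{a}' cannot be both required and optional")
        return problems

RESPONSE = ["Reimage Server from Media", "Reimage Server over the Network",
            "Isolate Server from Operations", "Enable Network Connectivity for Network Reimaging"]
VERIFY = ["Verify Image Installation", "Verify Critical Services are Running",
          "Verify Server and Application Configurations", "Verify Network Connectivity"]
MITIGATE = ["Backup Server Image", "Perform Vulnerability Scan of Server",
            "Upgrade, Patch or Reconfigure Server Software", "Reset Passwords"]
REBUILD_SERVER = Playbook(
    "Decision Made to Rebuild Server",
    ["Generate Response Actions", "Power Cycle Server", "Reimage Server",
     "Execute Verification Actions", "Execute Mitigation Actions", "Bring Server Back On-line"],
    [OptionGroup("Response Options", "Generate Response Actions", "Authorize Response Actions", RESPONSE),
     OptionGroup("Verification Options", "Reimage Server", "Select Verification Actions", VERIFY),
     OptionGroup("Mitigation Options", "Execute Verification Actions", "Select Mitigation Actions", MITIGATE)],
    "Server Back Online", ["PR.MA-1", "PR.PT-5", "RC.RP-1"])
```

`REBUILD_SERVER.process_steps()` yields the eleven boxes of the finished diagram in order, and `validate()` returns an empty list for it; a playbook with no initiating condition or end state, or with a required step also listed as an option, gets one message per broken rule.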