Playbook-Template.md

Playbook:

Mitigation-Category:

MITRE

| Tactic | Technique ID | Technique Name | Sub-Technique Name | Platforms | Permissions Required | Atomic Red Team Mapping |
| ------ | ------------ | -------------- | ------------------ | --------- | -------------------- | ----------------------- |
|        |              |                |                    |           |                      |                         |
(P) Preparation

Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.


Investigate

TODO: Expand investigation steps, including key questions and strategies, for <Type of Incident>.


Remediate

  • Plan remediation events where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
  • Consider the timing and tradeoffs of remediation actions: your response has consequences.

Contain

TODO: Customize containment steps, tactical and strategic, for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

TODO: Consider automating containment measures using orchestration tools.

Eradicate

TODO: Customize eradication steps, tactical and strategic, for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

Reference: Remediation Resources

TODO: Specify financial, personnel, and logistical resources to accomplish remediation.


Communicate

TODO: Customize communication steps for <Type of Incident>.

TODO: Specify tools and procedures (including who must be involved) for each step, below, or refer to the overall plan.

In addition to the general steps and guidance in the incident response plan:


Recover

TODO: Customize recovery steps for <Type of Incident>.

TODO: Specify tools and procedures for each step, below.

In addition to the general steps and guidance in the incident response plan:


Lessons Learned

The goal of this phase is to discover how to improve the incident response process.
You need to answer some basic questions, using the incident report developed for this incident:

  • What happened?
  • What did we do well?
  • What could we have done better?
  • What will we do differently next time?

The incident report is the key to improvements.

TODO: Add items that will occur post-recovery.

  1. Perform routine cyber hygiene due diligence
  2. Engage external cybersecurity-as-a-service providers and response professionals

Develop the incident report

Develop the Incident Report using your corporate template.

It should include:

  1. Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time to Detect, Time to Respond, Time to Recover, etc.)
  2. Detailed timeline of adversary actions mapped to ATT&CK tactics (note that most observed actions often cluster in the final "Actions on Objectives" stage, which on its own is not very representative or useful; record the earlier-stage actions wherever evidence allows)
  3. Detailed timeline of actions taken by the Incident Response Team
  4. Root Cause Analysis and recommendations for improvements based on its conclusions
  5. List of specialists involved in the Incident Response with their roles
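As an added illustration of items 1 to 3 above (this is example code, not part of the playbook template), the following Python computes the key metrics from an incident timeline and renders that timeline, with adversary actions labelled by ATT&CK tactic, as a markdown table for the report. The timeline entries are constructed sample data, the field names (`when`, `actor`, `phase`, `tactic`, `event`) are this example's own, and the metric definitions (detection measured from the earliest adversary action, respond and recover measured from detection) are assumptions stated in the code.

```python
"""Compute incident-report metrics from an incident timeline.

Added example for the "Develop the incident report" section; not part of the
playbook template. TIMELINE is constructed sample data, not a real incident.
"""
from __future__ import annotations

from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Entry:
    when: datetime   # UTC timestamp of the event
    actor: str       # "adversary" or "responder"
    phase: str       # responder phase: detect, contain, eradicate, recover ("" for adversary)
    tactic: str      # ATT&CK tactic for adversary actions ("" for responders)
    event: str       # short description


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample timeline (assumption for this example, not real data).
TIMELINE = [
    Entry(_t("2024-03-01T08:02:00"), "adversary", "", "Initial Access", "phishing email opened"),
    Entry(_t("2024-03-01T08:05:00"), "adversary", "", "Execution", "macro launches loader"),
    Entry(_t("2024-03-01T09:30:00"), "adversary", "", "Persistence", "scheduled task created"),
    Entry(_t("2024-03-03T14:10:00"), "adversary", "", "Collection", "file share staged to archive"),
    Entry(_t("2024-03-03T15:20:00"), "responder", "detect", "", "EDR alert triaged as true positive"),
    Entry(_t("2024-03-03T16:05:00"), "responder", "contain", "", "host isolated via EDR"),
    Entry(_t("2024-03-04T10:00:00"), "responder", "eradicate", "", "scheduled task and loader removed"),
    Entry(_t("2024-03-05T09:00:00"), "responder", "recover", "", "host reimaged and returned to service"),
]


def _first(timeline, actor, phase=None) -> datetime:
    """Earliest timestamp for the given actor (and responder phase, if given)."""
    for e in sorted(timeline, key=lambda e: e.when):
        if e.actor == actor and (phase is None or e.phase == phase):
            return e.when
    raise ValueError(f"no entry for actor={actor!r} phase={phase!r}")


def key_metrics(timeline) -> dict[str, timedelta]:
    """Metric definitions used here (an assumption; align with your own plan):
    time_to_detect  = earliest adversary action -> detection
    time_to_respond = detection -> first containment action
    time_to_recover = detection -> recovery complete
    """
    t0 = _first(timeline, "adversary")
    detected = _first(timeline, "responder", "detect")
    contained = _first(timeline, "responder", "contain")
    recovered = _first(timeline, "responder", "recover")
    return {
        "time_to_detect": detected - t0,
        "time_to_respond": contained - detected,
        "time_to_recover": recovered - detected,
    }


def fmt(td: timedelta) -> str:
    """Render a timedelta as 'Nd Nh Nm' for the executive summary."""
    mins = int(td.total_seconds() // 60)
    d, rem = divmod(mins, 24 * 60)
    h, m = divmod(rem, 60)
    return f"{d}d {h}h {m}m"


def adversary_actions_by_tactic(timeline) -> "OrderedDict[str, list[str]]":
    """Group adversary events by ATT&CK tactic, in order of first appearance."""
    grouped: OrderedDict[str, list[str]] = OrderedDict()
    for e in sorted(timeline, key=lambda e: e.when):
        if e.actor == "adversary":
            grouped.setdefault(e.tactic, []).append(e.event)
    return grouped


def timeline_markdown(timeline) -> str:
    """Merged adversary/responder timeline as a markdown table for the report."""
    rows = ["| When (UTC) | Actor | Phase / Tactic | Event |",
            "| --- | --- | --- | --- |"]
    for e in sorted(timeline, key=lambda e: e.when):
        label = e.tactic if e.actor == "adversary" else e.phase
        rows.append(f"| {e.when:%Y-%m-%d %H:%M} | {e.actor} | {label} | {e.event} |")
    return "\n".join(rows)


if __name__ == "__main__":
    for name, td in key_metrics(TIMELINE).items():
        print(f"{name}: {fmt(td)}")
    for tactic, events in adversary_actions_by_tactic(TIMELINE).items():
        print(f"{tactic}: {len(events)} action(s)")
    print(timeline_markdown(TIMELINE))
```

Replace `TIMELINE` with the entries from your own case notes; keeping adversary and responder events in one list makes the tactic breakdown (item 2) and the team timeline (item 3) fall out of the same data, so the two never drift apart.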

Resources

Additional Information

  1. "Title", Author Last Name (Date)