Open Source Playbooks
What is a Playbook?
For any Cyber Threat or Attack, the SOC team has to go through the following 3 high-level process, sequentially:-
Each of the high-level processes might contain a number of sub-process that require some step by step actions to be performed using various tools. All the individual stepped processes are playbooks, mapping to each other to create a long chained connection of playbooks to achieve/solve a bigger E2E type of attack rather termed as E2E Workflow. Playbooks (Sub-Process) could be shared between E2E Workflow.
Let’s discuss each of three high-level processes.
Detection – The detection phase itself will contain a set of sub-process with structured steps to monitor the network, SIEM, capture indicators etc. Each sub-process would be playbook either executed manually or automated.
Analysis – The analysis phase similarly will also have sub-process, for example, WHOIS IP lookup, Malware analysis using Sandbox, gathering indicators for analysis. These mentioned sub-processes are nothing but playbook, each playbook contributes to the E2E workflow.
Remediation – Remediation phase will contain multiple sub-processes for cleaning the assets, blocking the bad IP, banning the malware hash in endpoint tool. All these playbooks can be executed at once covering all the affected assets.
Summarizing, a handbook for Cyber Security, on what needs to be done when and how. These would be the standard playbooks that SOC team could utilize for analysis and remediation. If implemented and used well it would streamline and automate the process, empowering teams to better respond to incidents.
Need for Open Source Playbooks
Not many are discussing preparing a comprehensive organized handbook for SOC operation, which would serve as one single point of reference for SOC teams. It is very difficult for any one organization to prepare such a comprehensive guide and hence the need to have Open Sources standard playbooks that could be easily used and incorporated by everybody. In the current situation due to unavailability of standard playbooks, each individual is free to deal an incident in his/her own way, thus never knowing if there is a better efficient way to remediate or analyze a particular incident. This results in either the incident not remediated properly or the malware widespread not contained within time or not finding the adversaries, all having costly ramifications.
With Open Source playbooks we can achieve standardization, automation, wide acceptance which help with validation and continuous improvement, improved response time.
Now that we have concluded the need for Open Source Playbooks, let’s look at how it could be achieved. This just a bird’s eye view approach, actual would require more technical deep dive.
- Playbook Designer – Playbooks, as discussed, are process steps, so these can be defined.designed/documented in a workflow diagram, a workflow designer to build process steps graphically for documentation. This would be what used for standardizing the playbooks, that could be used as a handbook and shared across teams.
- Data representation – Convert the designed playbooks into any standard data representation like (JSON/XML) so that the backend engine can read and execute it. Standardize this data representation so that the upstream and downstream are loosely coupled and is independent of tools. This is where the standardizations happen such that tools are loosely coupled but the processes are tightly coupled.
- Automation Engine – Then the next flow goes to automation and orchestration tool, the purpose of such tools is to read the playbook (JSON/XML) and execute it. The real magic of automation. Implementation of the automation could be flexible with manual intervention as defined in the playbook. How much of automation is to be implemented is controlled by the Playbooks.
With this approach, we highly compliment the Open Source Concept, because the playbooks from playbook designer could be shareable as long it gets converted into a standard data representation which could be interpreted and executed by the backend engine.
- SOC Operation Processes as playbooks are Streamlined.
- SOC Operation Processes as playbooks are validated by the community and advanced continuously.
- SOC Operation Process as playbooks can be easily shared between teams, customers, partners.
- Automation can be achieved, along with decoupling the playbooks from automation and orchestration tools.
- Improved response time.