What should a cyber incident playbook include?

Published: Monday, 04 March 2019 10:20

Charlie Maclean-Bristol explains why developing a playbook for the main types of cyber attack will help businesses respond effectively when an attack occurs. He also provides a checklist covering the areas that such a playbook should include.

When I first thought about cyber playbooks I envisaged the playbook helping senior management or the crisis team make a key decision in a cyber incident, such as whether or not to unplug the organization from the internet and prevent any network traffic on the organization’s IT network. As this is a critical decision for the organization and the consequences of making the wrong decision are huge, this type of playbook would help the team understand, at short notice, what factors they should consider and the impact of the different decisions they could make.

I was running a cyber exercise a couple of weeks ago and suddenly thought that there was a need for another type of playbook, which is basically a plan for how to deal with different types of cyber attack. As we know, the more planning we do the better prepared we will be for managing an incident, and thinking through how we would respond throws up questions and issues which we can work to solve, without the cold sweat and pressure of the incident taking place.

Cyber response should be in two parts. Firstly, you need an incident management team to manage the consequences of the cyber attack. This team is separate from the cyber incident response team, which should deal with the technical response and concentrate on restoring the organization’s IT service. The organization’s incident management team can be the same as the crisis management team, as it will be dealing with the reputational and strategic impacts of the incident.

The second part of the response should be a contingency plan for a specific type of incident. I know that incidents don’t always fit the plan, but I think some of the detailed planning is worth carrying out. The sorts of cyber incident that playbooks should be written for are the basic attacks, including ransomware, DDoS attacks and data loss (the last of these may need to be split out by the different types of data the organization holds). It is only worth writing these playbooks for larger incidents which would have a reputational impact, as for smaller incidents an IT response plan is sufficient.

These are the headings I think the playbook should have:

I am sure there might be a few additional things we could think of to add to the list.

Cyber incidents are by their nature difficult to manage, especially at the beginning of the incident. If your headquarters burns down, the incident and its consequences are obvious, but if there is a cyber breach there is nothing to see, so it can take a while to understand the true impact of the incident. As with all business continuity, the more you plan, exercise and think about your response, the more you realise what you can do now, which will help your response on the day. The old army adage comes to mind: 'train hard, fight easy'.

The author

Charlie Maclean-Bristol, FEPS, FBCI, is Director of Training at PlanB Consulting.