What should a cyber incident playbook include?
- Published: Monday, 04 March 2019 10:20
Charlie Maclean Bristol explains why developing a playbook for the main types of cyber attacks will help businesses response effectively when an attack occurs. He also provides a checklist covering the areas that such a playbook should include.
When I first thought about cyber playbooks I envisaged the playbook helping senior management or the crisis team make a key decision in a cyber incident, such as, whether or not to unplug the organization from the internet and prevent any network traffic on the organization’s IT network. As this is a critical decision for the organization and the consequences of making the wrong decision are huge, this type of playbook would help the team understand, at short notice, what factors they should consider and the impact of the different decisions they could make.
I was running a cyber exercise a couple of weeks ago and suddenly thought that there was a need for another type of playbook, which is basically a plan for how to deal with different types of cyber attack. As we know, the more planning we do the better prepared we will be for managing an incident, and thinking through how we would respond throws up questions and issues which we can work to solve, without the cold sweat and pressure of the incident taking place.
Cyber response should be in two parts. Firstly, you need an incident management team to manage the consequences of the cyber-attack. This team is separate from a cyber incident response team, who should deal with the technical response, and should concentrate on restoring the organization’s IT service. The organization’s incident management team can be the same as the crisis management team, as they are going to be dealing with the reputation and strategic impacts of the incident.
The second part of the response should be a contingency plan for a specific type of incident. I know that incidents don’t always fit the plan, but I think some of the detailed planning is worth carrying out. The sort of cyber incident playbooks should be written for are the basic attacks including ransomware, DDoS attacks and data loss (this might want to be segregated into the different types of data the organization holds). It is only worth writing these playbooks for larger incidents which would have a reputational impact as, for smaller incidents, an IT response plan is sufficient.
These are the headings I think the playbook should have:
- Type of incident – DDoS etc.
- Likely means of detection – include the main ways the incident could be detected.
- Likely impacts – which part of the organization might be affected? E.g. ransomware could stop all company systems, but data loss will have no impact on actual systems.
- IT plans in place for dealing with it and their strategy for recovery – cross reference the relevant IT plans.
- Who needs to be informed of the incident, internally and externally? I think this is a key part so that you can quickly identify all those who might be affected. These should be segregated, so don’t just include ‘staff’, as there could be contractors, temporary staff, those off sick, maternity/paternity leave, staff that have left and retirees. I also think there should be information on how to contact your staff, as well as a plan on how to get in contact if the IT systems are down.
- What regulatory and statutory notifications are required, including time frames and what information is needed? For example, reporting to regulators, Information Commissioners Office (if in the UK) and the stock market.
- How will the incident be managed and are there any requirements for specialists joining the incident team? Which team will manage the incident, and do you need specialists, such as external public relations help, plus legal and compliance people on the team?
- What third party support is required? This could include forensic IT specialists.
- Risks, decisions and issues to consider – put down as many as you can think of.
- Guidance on communications and lines to take – this could be debated and exercised so that there is a structure in place already.
- Relevant business continuity plans and recovery strategies – are there business continuity plans and manual workarounds which can help the response?
- What actions can be taken to support those affected, and what support are you going to give the victims of the incident?
- What matrices should be used and monitored to check the effect on the organization? How do you tell if your response plans are being successful?
- Priorities and predetermined objectives for this type of incident – can you write them now?
- Other – under this heading, when choosing an example, I wrote 'what data we hold', so if this playbook was for a breach of the staff database, we know what data we hold on staff.
I am sure there might be a few additional things we could think of to add to the list.
Cyber incidents by their nature are difficult to manage, especially at the beginning of the incident. If your headquarters burns down, the incident and the consequences are obvious, but if there is a cyber breach then there is nothing to see, so it can take a while to understand the true impact of the incident. As with all business continuity, the more you plan, exercise and think about your response, the more you realise what you can do now, which will help your response on the day. The old army adage comes to mind 'train hard, fight easy'.
Charlie Maclean-Bristol, FEPS, FBCI, is Director of Training at PlanB Consulting.