Full Circle Detection: From Hunting to Actionable Detection
IR Playbooks – A New Open Source Resource
I often hear that playbooks can't be shared because they are org specific. I strongly believe this is not true. In most organizations I've worked with, the exact same steps are taken when a specific security event occurs. When malware is identified, almost everyone will at some point check the hash on VirusTotal.
In this talk I will present a “new” format of Playbook based on workflow and markdown files. I will also share a Git repo to find more playbooks to get your IR Program started.
For the last year, I was tasked with building IR playbooks for my enterprise. When I asked the various stakeholders, they all had a different vision. From OPS (SOC) to CISO and CFO, the needs for such playbooks were different.
I searched for various examples of playbooks. Most of the playbooks I found were more framework (a rewording of NIST) than actual playbooks. There were the occasional technical ones, such as SG-CERT (my former employer), but they are a bit outdated and the community can't really update them.
I finally found a format I really liked (https://www.dfir.training/index.php?option=com_jreviews&format=ajax&url=media/download&m=14tt1&1600804844570) and I expanded on it. To date we have created six playbooks. We used Draw.io to create the workflows and Git to host a text version with collapsible sections.
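To make the "workflow plus markdown with collapsible sections" format concrete, here is an added illustration of what one playbook file in that style could look like, using the malware hash check from the introduction. It is not taken from the talk's repository; the section names, the `<details>` blocks (which Git hosting renders as collapsible) and the referenced diagram file name are assumptions.

```markdown
# Playbook: Suspected Malware Identified

Workflow diagram: `workflows/malware-identified.drawio` (assumed file name)

<details>
<summary>1. Triage (SOC)</summary>

- Record the alert source, host name and time of detection.
- Collect the file hash (SHA-256) of the suspected sample.
- Check the hash on VirusTotal; note the detection ratio and first-seen date.
- If the hash is unknown, escalate to an Incident Handler (section 2).

</details>

<details>
<summary>2. Containment (Incident Handler)</summary>

- Isolate the host from the network per the isolation procedure.
- Preserve volatile evidence (memory image) before any remediation.
- Search the environment for the same hash on other hosts.

</details>

<details>
<summary>3. Escalation criteria (to Crisis Management)</summary>

- More than one business unit affected, or
- Evidence of data exfiltration, or
- Ransomware behaviour observed.

</details>

<details>
<summary>4. Closure</summary>

- Document root cause, timeline and lessons learned.
- Update detection rules with the confirmed indicators.

</details>
```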
The goal of the talk is to present our playbooks for the SOC, our Critical Incident playbooks for Incident Handlers and our Crisis Management playbooks for C-level (this last one won't be public but will be described).
Hopefully this new resource will be adopted by the community and others will help make it better and more complete.