Driving Security Orchestration with Your Cyber Threat Intelligence Playbook

A newish buzzword in the cybersecurity world is “orchestration”, which to me is the junction where people, process and technology all come together. It's where people build automation into process and consume the information and insight generated by technology. 

The goal makes sense: to operationalize all of the disparate data, tools and platforms into one cohesive, agile, functioning security program. An important component of security orchestration is having agile “playbooks”. A playbook tells you what to do if/when you see a certain threat or when an attack happens. Just like in football, where the defense reads clues from the offense's formation to call the right defensive scheme, a playbook helps defenders enact the most effective tactics for the situation. Playbooks can also be used to prepare and plan for impending threats (as opposed to only reactive/responsive plays). 

Most of the security playbook discussions have been focused around incident response workflows and automation via security orchestration. These playbooks are typically very tactical in nature and specifically created for the SOC. But security playbooks can and should go well beyond response and be used more pre-emptively to drive better outcomes. 

Think about it this way: you cannot possibly address every threat, and with your digital footprint being nearly impossible to fully manage, you’re in a constant state of reacting and responding to security events (some of which may be really important, while others might not be). So understanding your greatest areas of concern, and the threats that can exploit those areas, should be where you focus your game plan.

Sticking with the football analogy here, think of it like watching game film. By looking at previous games and dissecting formations, plays and how each side reacted to one another, you can gather critical intel such as:

• What went wrong?

• What worked?

• How can we improve the outcome?

• How do we put ourselves in a better position?

• How does all of this intel help us craft a game plan moving forward?

From a cyber perspective, this all applies. So what do playbooks for the strategic and operational levels look like? 

At the strategic level, it’s all about looking at business risk and deriving the best “decision-making” plays. Each situation is unique, so the play might offer different routes for you to defend against it. From a strategic perspective, it’s about identifying what is most critical for you to protect and then planning as well as possible to guard it. The aim is to move from uncertainty toward certainty, from unknowns to knowns. A useful way to frame this is the difference between breach response and incident response. Some examples of strategic questions that your playbook should address:

• What are the risks due to the threat to each line of business or operating zone?

• What are my response options from a breach perspective?

• What are the potential near-term and long-term impacts based on our decisions?

• What resource(s) do I need to deploy, i.e. people, process and technology?

At the operational level, it’s about looking at common malicious actor Tactics, Techniques, and Procedures (TTPs) and putting a game plan together to thwart or severely limit that threat. Which countermeasures give you the best bang for your buck based on the impact of the threat, the cost of implementing a solution and the effort required to deploy that countermeasure? Operational-level examples your playbook should address include:

• What are the Actor’s potential Capabilities, Motivations and Intentions?

• What is the Actor’s “Avenue of Approach”?

• What opportunities am I presenting to the Actor that will allow them to be successful?

• What are the recommended countermeasures to deploy based on cost, effort and impact?

While the industry has so far concentrated on “playbooks” that support tactical-level needs using orchestration for SOC operations, there is a very obvious need for playbooks that guide business risk decision makers. These playbooks can provide key stakeholders with courses of action that help position the organization to achieve better threat outcomes, namely:

• Knowing where to position resources for a given threat scenario

• Enabling the right countermeasures for the threat

• Ensuring a faster, more effective response process for a threat scenario if it occurs 

• Breach response recommendations if the threat scenario is successful

Threat intelligence playbooks that support the strategic and operational levels help teams be more effective and more certain in their actions, and allow security programs to stay agile and maintained as situations change. 

Adam Meyer is Chief Security Strategist at SurfWatch Labs. He has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, he was CISO for the Washington Metropolitan Area Transit Authority. He formerly served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands. Mr. Meyer holds undergraduate and graduate degrees from American Military University and Capitol College.