In response to an executive order signed by President Biden in May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two cybersecurity playbooks focusing on incident response and vulnerability response.
The executive order on improving the nation’s cybersecurity tasked CISA with developing playbooks for federal civilian agencies to help them plan and conduct vulnerability and incident response. While the playbooks have been created for federal civilian agencies and their contractors, CISA says the information could also be useful to critical infrastructure organizations and private sector companies.
The new playbooks are designed to provide agencies with a standard set of procedures for identifying, coordinating, remediating, recovering and tracking mitigations from incidents and vulnerabilities affecting their systems, data and networks.
The incident response playbook covers the steps that agencies need to take in case of a confirmed malicious cyber activity that could have significant consequences, including lateral movement, data exfiltration, network intrusions involving multiple users or systems, and compromised accounts.
The first phase in the incident response plan is the preparation phase, which includes documenting incident response policies and procedures, implementing systems for detecting suspicious and malicious activity, establishing staffing plans, educating users on cyber threats and notification procedures, and leveraging threat intelligence to proactively identify potential malicious activity.
In the detection and analysis phase, the steps that organizations need to take include declaring an incident by reporting it to CISA and IT leadership, determining the scope of the investigation, collecting and preserving data, and performing a technical analysis.
In the containment phase, organizations must isolate impacted systems and network segments, capture forensic images for legal purposes, update firewall filtering, block unauthorized access, close ports and relevant servers or services, change passwords and rotate cryptographic keys, and, in the case of advanced SOCs with mature capabilities, monitor the threat actor’s activities.
Eradication and recovery includes remediating compromised IT systems, reimaging impacted systems, rebuilding hardware, replacing compromised files with clean ones, installing patches, resetting passwords, looking for signs of attacker response to containment activities, reconnecting systems to networks, tightening perimeter security, testing systems, and monitoring operations for abnormal behavior.
Post-incident activities include documenting the incident, informing leadership, taking measures to prevent future incidents, and improving future incident response activities.
The vulnerability response playbook describes the high-level process that should be followed when responding to urgent and high-priority vulnerabilities. The document describes preparation, vulnerability response process, identification, evaluation, remediation, and reporting activities.
Recommendations include ensuring that effective vulnerability management practices are being followed, proactively identifying reports of actively exploited vulnerabilities, determining whether a vulnerability exists in the environment and its impact, patching or mitigating vulnerabilities, and sharing information with CISA so that the agency can help other organizations.