Incident Response

Driving Security Orchestration with Your Cyber Threat Intelligence Playbook

A newish buzzword in the cybersecurity world is “orchestration”, which to me is the junction where people, process and technology all come together: it’s where people build automation into process and consume the information and insight generated by technology.

The goal makes sense: to operationalize all of the disparate data, tools and platforms into one cohesive, agile, functioning security program. An important component of security orchestration is having agile “playbooks”. A playbook tells you what to do if/when you see a certain threat or when an attack happens. Just like in football, where the defense reads the offense’s formation for clues to call the right defensive scheme, a playbook can help defenders enact the most effective tactics for the situation. Similarly, playbooks can be used to prepare and plan for impending threats (as opposed to only reactive/responsive plays).

Most of the security playbook discussions have been focused on incident response workflows and automation via security orchestration. These playbooks are typically very tactical in nature and specifically created for the SOC. But security playbooks can and should go well beyond response and be used more pre-emptively to drive better outcomes.

Think about it this way: you cannot possibly address every threat, and with your digital footprint being nearly impossible to fully manage, you’re in a constant state of reacting and responding to security events (some of which may be really important, while others might not be). So understanding your greatest areas of concern, and the threats that can exploit those areas, should be where you focus your game plan.

Sticking with the football analogy here, think of it like watching game film. By looking at previous games and dissecting formations, plays and how each side reacted to one another, you can gather critical intel such as:

• What went wrong?

• What worked?

• How can we improve the outcome?

• How do we put ourselves in a better position?

• How does all of this intel help us craft a game plan moving forward?

From a cyber perspective, this all applies. So what do playbooks at the strategic and operational levels look like?

At the strategic level, it’s all about looking at business risk and deriving the best “decision-making” plays. Each situation is unique, so the play might offer different routes for you to defend against. From a strategic perspective, it’s about identifying what is most critical for you to protect and then planning as best as possible to guard it. The aim is to move from uncertainty to more certainty, from unknowns to knowns. A good way to think about this is the difference between breach response and incident response. Some examples of strategic questions that your playbook should address:

• What are the risks due to the threat to each line of business or operating zone?

• What are my response options from a breach perspective?

• What are the potential near-term and long-term impacts based on our decisions?

• What resource(s) do I need to deploy, i.e., people, process and technology?

At the operational level it’s about looking at common malicious actor Tactics, Techniques, and Procedures (TTPs) and putting a game plan together to thwart or severely limit that threat. What countermeasures will give you the best bang for your buck based on the impact of the threat, the cost to implement a solution and the effort required to implement that countermeasure? Operational-level examples your playbook should address include:

• What are the Actor’s potential Capabilities, Motivations and Intentions?

• What is the Actor’s “Avenue of Approach”?

• What opportunities am I presenting to the Actor that will allow them to be successful?

• What are the recommended countermeasures to deploy based on cost, effort and impact?

While the industry has so far concentrated on “playbooks” that support tactical-level needs using orchestration for SOC operations, there is a very obvious need for playbooks that guide business risk decision makers. These playbooks can provide key stakeholders with courses of action that help position the organization to achieve better threat outcomes, namely:

• Knowing where to position resources for a given threat scenario

• Enabling the right countermeasures for the threat

• Ensuring a faster, more effective response process for a threat scenario if it occurs 

• Breach response recommendations if the threat scenario is successful

Threat intelligence playbooks that support the strategic and operational levels help teams be more effective and more certain in their actions, and allow security programs to stay agile and be maintained as situations change.
