Cyber Playbooks - Updated & Revisited
Charlie discusses developing a new kind of playbook which could help you plan for different types of cyber-attack.
This week I have had a bit of an epic journey. I started off in Shetland and ended the week in Abu Dhabi, having spent a couple of days in Riyadh, Saudi Arabia. I only visited one company in Saudi, but their business continuity was pretty impressive. I always enjoy going into companies and being delighted by the quality of their business continuity. On Monday I am delivering the two-day Managing and Preparing for Cyber Incidents course, so I thought this week I would share an update from the course, which involves developing a different kind of playbook.
When I wrote my first bulletin on playbooks, I envisaged the playbook helping senior management or the crisis team make a key decision in a cyber incident, such as, whether or not to unplug the organisation from the internet and prevent any network traffic on the organisation’s IT network. As this is a critical decision for the organisation and the consequences of making the wrong decision are huge, the playbook was produced to help the team understand, at short notice, what factors they should consider and the impact of the different decisions they could make.
I was running a cyber exercise a couple of weeks ago and suddenly thought that there was a need for another type of playbook, which is basically a plan for how to deal with different types of cyber-attack. As we know, the more planning we do the better prepared we will be for managing an incident, and thinking through how we would respond throws up questions and issues which we can work to solve, without the cold sweat and pressure of the incident taking place.
As I said in my first playbook bulletin, cyber response should be in two parts. Firstly, you need an incident management team to manage the consequences of the cyber-attack. This team is separate from a Cyber Incident Response Team, who should deal with the technical response, and should concentrate on restoring the organisation’s IT service. The organisation’s incident management team can be the same as the crisis management team, as they are going to be dealing with the reputation and strategic impacts of the incident. More details on how this team will operate can be found in my recent bulletin, Cyber Incident Management - Looking through the wrong end of the telescope.
The second part of the response should be a contingency plan for a specific type of incident. I know that incidents don’t always fit the plan, but I think some of the detailed planning is worth carrying out. The sort of cyber incident playbooks should be written for are the basic attacks including ransomware, DDoS attacks and data loss (this might want to be segregated into the different types of data the organisation hold). It is only worth writing these playbooks for larger incidents which would have a reputational impact, and for smaller incidents an IT response plan is sufficient.
These are the headings I think the playbook should have:
- Type of incident – DDoS etc.
- Likely means of detection – include the main ways the incident could be detected.
- Likely impacts – which part of the organisation might be affected? E.g. ransomware could stop all company systems, but data loss will have no impact on actual systems.
- IT plans in place for dealing with it and their strategy for recovery – cross reference the relevant IT plans.
- Who needs to be informed of the incident, internally and externally? I think this is a key part so that you can quickly identify all those who might be affected. These should be segregated, so don’t just include staff, as there could be contractors, temporary staff, those off sick, maternity/paternity leave, staff that have left and retirees. I also think there should be information on how to contact your staff, as well as a plan on how to get in contact if the IT systems are down.
- What regulatory and statutory notifications are required, including time frames and what information is needed? For example, reporting to regulators, Information Commissioners Office and the stock market.
- How will the incident be managed and are there any requirements for specialists joining the incident team? Which team will manage the incident, and do you need specialists, such as external public relations help, plus legal and compliance people on the team?
- What third party support is required? This could include forensic IT specialists.
- Risks, decisions and issues to consider – put down as many as you can think of.
- Guidance on communications and lines to take – this could be debated and exercised so that there is a structure in place already.
- Relevant business continuity plans and recovery strategies – are there business continuity plans and manual workarounds which can help the response?
- What actions can be taken to support those affected, and what support are you going to give the victims of the incident?
- What matrices should be used and monitored to check the effect on the organisation? How do you tell if your response plans are being successful?
- Priorities and predetermined objectives for this type of incident – can you write them now?
- Other – under this heading, when choosing an example, I wrote 'what data we hold', so if this playbook was for a breach of the staff database, we know what data we hold on staff.
I am sure there might be a few additional things we could think of to add to the list.
Cyber incidents by their nature are difficult to manage, especially at the beginning of the incident. If your headquarters burn down, the incident and the consequences are obvious, but if there is a cyber breach then there is nothing to see, so it can take a while to understand the true impact of the incident. As with all business continuity, the more you plan, exercise and think about your response, the more you realise what you can do now, which will help your response on the day. The old army adage comes to mind “train hard fight easy”.
Finally, I must give a mention to Vikas Vedak from Network Intelligence India, who I met at the BCI UAE Forum this week. He is a super fan of the bulletin and often uses the articles for reference. I am just happy that someone out there is reading it and getting benefit from it!