6 Key Phases of an Effective Global Threat Response Playbook

Organizations continue to be challenged in their response to global threats, such as Log4j, but Log4j wasn’t the first global-scale cybersecurity threat, and it certainly won’t be the last. Organizations must balance their exposure to these threats with their risk appetite, while responding in a methodical manner. This piece provides a six-phase framework for building out a global threat response. 

Creating a Global Threat Response Playbook   

Playbooks must be specific to each organization and tailored to the unique circumstances and capabilities present. They should not be simply lifted from one organization and used by another without careful analysis, because a playbook may rely on skills or technical capabilities the receiving organization does not possess. Conversely, the original playbook may not represent the best course of action for another organization with additional skills or technical capabilities. 

Six main phases should be included in any global response playbook: 

• Decide whether to act 
• Evaluate the impact 
• Identify the scope 
• Determine the response options 
• Coordinate the response 
• Designate oversight 

The implementation of each phase will vary, according to a specific organization’s skills and capabilities. 

Phase 1. Decide Whether to Act   

Responses for global threats require mobilization of resources within the organization that distract from day-to-day operations and other planned initiatives. As such, response teams for global threats should be activated sparingly. By evaluating the impact before proceeding with a response, the risk of prematurely activating the response is partially mitigated. Therefore, the first step in any playbook is to determine as early as possible whether the situation warrants a fire drill-type of response. 

A technical stakeholder should be in charge of initiating the response and activating the response team; although, any stakeholder in the business should be able to make a request for a new response. Once the decision to respond is made, the factors that led to the decision to act must be documented. Any factors that would have moved the organization in a direction of inaction should be documented as well. It is critical this documentation be provided to the party responsible for response oversight. 

READ: 6 Key IR Responsibilities for Executives 

Phase 2. Evaluate the Impact 

Undoubtedly, the organization decided to act because of the potential of the global threat to adversely affect the business. The next step is determining exactly how the threat will affect the business if it isn’t adequately mitigated. 

Some will argue this step should be performed before the decision to act. In other words, they believe the decision to act should be driven by the projected impact to the organization. While this logic may not seem unreasonable, in practice, getting all the right stakeholders focused on evaluating impact is often impossible without first activating the response team. 

To effectively evaluate the impact, we recommend organizations should: 

• Ensure all aspects of security are considered: This includes the three pillars of confidentiality, integrity and availability. 
• Focus on the specifics of their environment: A common mistake global threat response teams make is to over-focus on the impacts being described widely in press coverage or other reporting. While it is appropriate to begin with these as considerations, stakeholders understand the specifics of their environment in a way that generic reporting doesn’t account for. As such, stakeholders should brainstorm possible impacts from the threat, especially including second order (and higher) impacts. 
• Involve the business early: Organizations should ensure business units are involved in this stage. Business unit stakeholders likely will not understand the technical implications of the global threat. Conversely, technical personnel are unlikely to fully grasp the business impact. Integrating technical and business personnel ensures all impacts are appropriately understood in the context of the organization’s profit centers. 

Once organizationally specific impacts have been determined, the organization should reevaluate whether a fire-drill response is indeed appropriate. The team should also create a written justification for the response, which helps avoid “moving the goal posts”—a common situation where a stakeholder is firmly entrenched in the notion that the issue requires an immediate response and, subsequently, realigns the organization’s risk tolerance to the situation to ensure a response occurs. 

Phase 3. Identify the Scope   

Once the impacts are understood at an organization-specific level, stakeholders must move to understand the scope of the response operation. Identifying the scope includes actions such as determining: 

• Number of impacted systems. 
• Personnel responsible for administering those systems. 
• Appropriate emergency outage windows for each system. 
• Whether third parties may also be vulnerable to the global threat in a way that impacts the organization’s own security posture. 

Note that at this stage of the process, the organization should not yet consider the specific remediation actions or response options that will be applied to each system. Doing so distracts from the complete identification of potentially impacted systems and can result in incomplete response. 

Pragmatically, there is another significant justification for this rigorous identification exercise. Many global threat responses require multiple rounds of patching and/or other mitigations before the threat has passed. This can be attributed to researchers paying additional attention to a particular application or library that had traditionally received little scrutiny. Researchers may also discover bypasses for mitigations that were originally believed to be sufficient. Finally, a patch may itself be incomplete, requiring organizations to apply additional patches to mitigate the original vulnerability. 

READ: How to Build a Proactive Threat Hunting Strategy 

Phase 4. Determine the Response Options 

It is rare for a global threat to have a single response option. Common options include: 

• Patching: This is the most common and, typically, most complete response option. However, there are many situations where it is not appropriate, and organizations may need to consider alternatives. 
• A workaround: Historically, most global threats have supported response options that would either eliminate or partially mitigate the threat ahead of a patch. A common justification for employing such a response is that a patch would require a reboot of the system, while the mitigation may allow the system to continue operating uninterrupted. Most such mitigations have potential second-order impacts. For instance, a mitigation for MS17-010 was to disable SMBv1. This prevented exploitation but simultaneously restricted interoperability with many legacy systems. 
• Disabling access to the affected system: This is an option many teams fail to identify, but often, teams can disable access to the affected system until a patch or other mitigation can be applied. In highly volatile situations with severe impacts, no response option should be taken off the table. In fact, disabling access to the affected system or service is often the most appropriate initial response if destructive impacts are expected or being experienced by other organizations. Teams should ensure they understand the conditions under which such a response is appropriate and conduct regular tabletop exercises to rehearse the involved workflows. 

READ: How to Choose the Right Incident Response Tool

In short, the response options chosen should be system-specific and account for constraints inherent in each individual system. 

Phase 5. Coordinate the Response

With response options appropriately identified and assigned for each affected system, the response begins. Coordination is required to ensure multiple response actions do not place the organization at undue risk. For example, coordination is important when: 

• Affected systems are load-balanced: For instance, patches may need to be applied to three web servers positioned behind a load balancer. If server admins patch all three servers simultaneously, this will result in an outage of the application they underpin. With appropriate coordination, the systems can be patched in serial, ensuring system availability throughout the response. 
• Affected systems have dependencies: If a particular application requires multiple systems to operate (e.g., different front- and back-end systems), patching these systems serially makes little sense. The coordination team should assist in mapping dependencies and minimizing downtime during the response. 

Phase 6. Designate Oversight

Oversight during the response is critical. As mentioned previously, the oversight team should be responsible for coordinating response actions in a way that minimizes downtime. The oversight team also has two other important responsibilities: 

• Reporting: Business unit stakeholders will often require updates about the status of the response to the global threat. Unfortunately, nothing delays a response more than frequent context-switching, where teams must stop what they’re doing to report back to the business. Such context-switching also often leads to higher incidence of partially completed remediations. However, with an oversight team in place, business unit leadership can be instructed to request this data only from the oversight team, leaving response teams to complete mitigation activities with minimal interruptions. 
• Situational awareness: As noted previously, global threats are often evolving situations. Mitigations identified may be subject to trivial bypasses, or additional patches may be required. Individual response teams should not be responsible for maintaining up-to-the-minute situational awareness on the status of the global threat. The oversight team offers an economy of scale in that a single team can check for situational changes. This, of course, also reduces the number of context switches required for each response team, allowing them to focus solely on remediating the global threat. 

Creating a Success Global Threat Response Playbook 

Organizations can and should create playbooks to facilitate appropriate responses to global threats. To ensure your playbooks are successful, be sure to: 

• Include all six phases: Your response must cover everything from deciding to act and determining impact to coordinating response and designating oversight. 
• Customize the response to your organization: Build playbooks that account for your specific skills and capabilities. 
• Minimize disruptions for technical teams: Never decide to act without fully measuring the ramifications, and ensure proper oversight is in place to reduce the need for teams to stop work to report to management or to continuously check how the implications of a global threat change over time. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.