
Building an Incident Response Playbook

Much like the playbooks in today’s National Football League, a playbook is a set of rules defining and describing the options to execute given the input data and the situation. An incident response playbook is a critical component of cybersecurity, especially where security automation and orchestration are concerned. Its primary purpose is to describe the response process in a simplified, general form that can be reused across a variety of organizations.

IR playbook components

Many different organizations use incident response playbooks. Most playbooks share some common components, such as:

  • Initiating condition: All the following steps in the playbook are contingent upon the type of security issue being dealt with in this first step.
  • Process steps: This includes all significant steps that should be followed to satisfy the operations triggered by the initiating condition. This is the main body of the playbook and consists of every step, including generating a response action, authorizing those responses, quarantining, and so on. Moreover, these process steps typically shape future automation.
  • Best practices and company policies: This aspect of the playbook is entirely dependent upon an organization’s specific industry. It also includes any additional activities that may be done after the core process steps have been completed. 
  • Ending state: This is the ultimate goal of an incident response playbook. It represents the desired solution based on the initiating condition. Thus, reaching the end state is an indication that the playbook has been completed.

How to put together an incident response playbook

There is a lot of information out there about how to establish a well-equipped playbook. Most of it covers the following points:

  1. Identify your initiating condition 
  2. List all possible plans of action that can be taken in response to the specific initiating condition 
  3. Begin to separate your list into steps – those that are completely necessary and those that are optional 
  4. Build your plan of action based on the components you classified as “completely necessary” 
  5. Attempt to “group” your optional list into categories such as “verifying” or “responding” 
  6. Ensure that your “completely necessary” list encompasses the main groups of your optional list 
  7. Insert any remaining optional steps into an “options” box 
  8. Identify your ending state
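To make the four components and the eight steps concrete, here is a small playbook model written for this post as an added illustration; it is not the SOAR platform’s own code or API. A playbook is built from an initiating condition, the ordered "completely necessary" steps, optional steps grouped into categories such as "verifying" and "responding", and an ending-state check that decides whether the run is complete. The alert fields (alert_type, user, source_ip), the known-egress-IP allowlist and the sample alert are all constructed values, and the step names are assumptions chosen for the example.

```python
"""Minimal incident response playbook model (illustrative, not product code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence

Alert = Dict[str, object]
Case = Dict[str, object]
Step = Callable[[Alert, Case], None]  # each step records what it did in the case

# Constructed allowlist of the organisation's known egress addresses (assumption).
KNOWN_EGRESS_IPS = {"198.51.100.10"}


@dataclass
class Playbook:
    name: str
    initiating_condition: Callable[[Alert], bool]          # component 1
    required_steps: List[Step]                             # component 2: "completely necessary"
    optional_steps: Dict[str, List[Step]] = field(default_factory=dict)  # grouped "options" box
    ending_state: Callable[[Case], bool] = lambda case: False            # component 4

    def run(self, alert: Alert, options: Sequence[str] = (),
            authorized_by: Optional[str] = None) -> Case:
        """Walk the playbook for one alert and return the resulting case record."""
        case: Case = {"alert": alert, "log": [], "actions": [], "authorized_by": authorized_by}
        if not self.initiating_condition(alert):
            case["log"].append("initiating condition not met; playbook skipped")
            case["status"] = "not_applicable"
            return case
        for step in self.required_steps:          # always run, in order
            step(alert, case)
        for category in options:                  # only the option groups the analyst selected
            for step in self.optional_steps.get(category, []):
                step(alert, case)
        case["status"] = "complete" if self.ending_state(case) else "incomplete"
        return case


# ---- required process steps for a constructed "suspicious login" playbook ----
def enrich(alert: Alert, case: Case) -> None:
    case["context"] = {"user": alert["user"], "source_ip": alert["source_ip"]}
    case["log"].append(f"enriched alert for {alert['user']}")


def propose_response(alert: Alert, case: Case) -> None:
    # Generate a response action; nothing is executed until it is authorized.
    case["actions"].append({"action": "disable_account", "target": alert["user"], "status": "proposed"})


def authorize(alert: Alert, case: Case) -> None:
    approver = case.get("authorized_by")
    for action in case["actions"]:
        if approver:
            action["status"], action["approver"] = "authorized", approver
        else:
            case["log"].append(f"{action['action']} awaiting analyst authorization")


def execute(alert: Alert, case: Case) -> None:
    for action in case["actions"]:
        if action["status"] == "authorized":
            action["status"] = "executed"
            case["log"].append(f"executed {action['action']} on {action['target']}")


# ---- optional steps, grouped as the post suggests ----
def check_known_ip(alert: Alert, case: Case) -> None:      # "verifying" group
    known = alert["source_ip"] in KNOWN_EGRESS_IPS
    case["context"]["known_ip"] = known
    case["log"].append(f"source {alert['source_ip']} {'is' if known else 'is not'} a known egress IP")


def notify_user(alert: Alert, case: Case) -> None:         # "responding" group
    case["log"].append(f"notified {alert['user']} about the suspicious login")


def all_actions_executed(case: Case) -> bool:
    """Ending state: every proposed response has actually been carried out."""
    return bool(case["actions"]) and all(a["status"] == "executed" for a in case["actions"])


SUSPICIOUS_LOGIN = Playbook(
    name="suspicious-login",
    initiating_condition=lambda alert: alert.get("alert_type") == "suspicious_login",
    required_steps=[enrich, propose_response, authorize, execute],
    optional_steps={"verifying": [check_known_ip], "responding": [notify_user]},
    ending_state=all_actions_executed,
)

# Constructed sample alert (203.0.113.0/24 is a documentation range).
SAMPLE_ALERT: Alert = {"alert_type": "suspicious_login", "user": "jdoe", "source_ip": "203.0.113.7"}

if __name__ == "__main__":
    result = SUSPICIOUS_LOGIN.run(SAMPLE_ALERT, options=["verifying", "responding"], authorized_by="analyst1")
    print(result["status"])
    for line in result["log"]:
        print(" -", line)
```

Running the same alert without an approver leaves the disable_account action at "proposed" and the case "incomplete", which is the point of separating authorization from execution as its own required step: the ending state is only reached once every generated response has been both authorized and carried out.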