Professional Documents
Culture Documents
Automate Response: Did You Know?
Automate Response: Did You Know?
Automate Response: Did You Know?
COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
-1-
PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
What is an incident response playbook? According to NIST Special Publication 800-61, an incident response process contains four main phases: preparation,
detection and analysis, containment/eradication/reocvery, and post-incident activity. Descriptions for each are included below:
DDoS
You’ve selected the “DDoS” playbook. On the pages that follow, you will find your incident response playbook
details broken down by the NIST incident handling categories.
-2-
PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
P R E PA R E - D D O S
Determine Core
Ops Team Vulnerability Threat Risk
& Define Roles Manager Manager Manager
Dispute
Resolution
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
DETECT - DDOS
Prev
Step
Detection of unknown
Unknown or unexpected Peaked amount of or unidentified packets
incoming Internet traffic inbound data from unknown
senders
Define
Standard Threat Custom Custom Indicators
Indicators
Notification from
Alerting from Firewall outside organizations
and Intrusion Detection (ISP, business partners,
systems 3rd Party) Categorize
Incident
Request Packet
Capture
Conduct Scans
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
A N A LY Z E - D D O S
Prev
Step
Products/goods
Public or personnel Customers are affected
/services are affected by
safety affected by this incident
this attack
Ability to control/
record/measure/track This act is being
any significant amounts
of inventory/products/
launched by known Standard Define Risk
Factors
Custom Custom Factors
cash/revenue has been lost entities
Log Collection
Evidence Collection
Data Capture
Analysis
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
C O N TA I N - D D O S
Incident Threat
Identify critical choke Database Database
points or bottlenecks on
network that could
increase the effect
Identify additional
traffic rerouting or View Report View Record Details Select Records Copy Record Details
egress filtering to block
more traffic
Network
Identify the tools used
to detect the attack SIEM IDS Firewall Scanners Scanners
Antivirus Monitoring
Tools
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
E R A D I C AT E - D D O S
Prev
Step
Direct Conference
Phone Call Call
In-Person Intranet
Meeting Meeting
Communications
Mobile Internet
Messaging Meeting
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
RECOVER - DDOS
Prev
Step
Determine alternate
network ingress and
Recover Systems Reimage IDS/IPS &
Firewall Updates egress solutions if
malware causes DoS
Incident
Remediation
Next
Step
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
POST-INCIDENT - DDOS
Prev
Step
Sensitive
Electronic Personal
Incident Review Health Information
Government
Information
(ePHI) Compromised?
Compromised?
Response Workflow
Updated
INCIDENTRESPONSE.COM
INCIDENTRESPONSE.COM
ON L I N E I N C I D E N T R E S P ON S E CO M M U N I T Y
Effective Remediation
Organization and automation are key benefits that result in effective remediation. Automated playbooks help to Risk Management Benefits
organize security processes, mitigation plans and smooth communication between multiple departments. By • Communicate effectively to ensure risk
optimizing data collection, analysis, and communications you improve the odds for effective eradication, recovery mitigation methods are applied
with integrity and forensic-quality reporting. • Prioritize resources and activities where
they matter most
• Report and tune based on response
Action Plan learning, reducing risk moving forward
Having a view into what is possible is the first step in taking action. The next step is to bring your team together to
drive it toward reality. Email this guide to your peers and managers to begin sharing your playbook with them. Useful Links:
NIST Risk Management Framework Guide
With this playbook, you will be better prepared to handle the response. To help with the management and automation
Sample Policies and Plans
of this incident response playbook, consider working with CyberSponse and their partners. Come take a look at what
they do.
- 10 -
PRESENTED BY
To learn more about playbooks and incident response, visit IncidentResponse.com