Incident Response Playbook


Why

Responding to security incidents should not be an improvised or non-scripted activity. It is important that workflows and action-plans are created in advance, so that the team’s response to an incident is consistent, focused and repeatable.

What

  • Create an incident response playbook that can be used by the Community

Outcomes

  • Incident response playbook

Synopsis and Takeaways

Goals

  • IR from a developer’s perspective
  • Don’t cover entire IR field, just developer’s roles and responsibilities
  • Reinforce how other best practices, such as threat models, support the IR process.

Preparation

  • Conduct fire drill – consider tabletop exercises
  • Assign points of contact (e.g. Security Champions)
  • Rapid deployment plan
  • Logging

Questions that will be asked

  • Is it our data?
  • Is it a breach?
  • What app/service provides the data?
  • Where did data come from?
  • Can the data be time stamped?
  • What does it mean?
  • Does it have value?
  • Can we roll back to last known ‘good’ state?

Response to incident

  • Rapid deployment, owners have to know their roles
  • Communication – keep people updated with minimal publicity
  • Log what happens, and when, so people coming in as the crisis develops can be brought up to speed quickly
  • Stagger engineering team so that 24/7 coverage is possible (people need to rest, eat, etc.)
  • The benefit of a situation dealt with quickly and efficiently outweighs the cost of the remedy and the cost to the business

Post Mortem

  • Did the threat model cover this?
  • Bug Bounty the target?
  • Why did it happen?
  • How did we react?
  • Was best practice followed?
  • If not, why not?
  • Tuning web application firewalls

Lessons learnt / next steps

  • How many pre-requisites were satisfied?
  • Was the Playbook appropriate?
  • Variables will cause gaps in the Playbook
  • What adjustments need to be made?

Overall outcome

  • We feel that a Preparation Guide could satisfy needs in this area, perhaps building on Tom Brennan’s OWASP Incident Response Project

Who

The target audience for this Working Session is:

  • Security teams
  • SOC teams

Working materials

Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions)

Content

  • Draft version of an incident response playbook

