Security Technology Executive

NOV-DEC 2017


CYBERSECURITY

4 reasons to rethink incident response playbooks

Hackers love the static nature of concrete policy

By Liz Maida

For enterprise security teams, playbooks have long been a staple of the incident response strategy. The common opinion is that the better your playbooks, the more protected you will be in the event of a security incident. Teams lean on these documents to guide them through the response tactics for multiple threat scenarios, from ransomware to malware infection to the compromise of privileged user accounts.

But playbooks have a downside that can make them a major liability. Because they are only useful against known threats, using known tactics against known adversaries, they can give a false sense of security.

WannaCry: A wake-up call?

For example, the WannaCry ransomware attack spread rapidly around the world, infecting more than 230,000 computers in 150 countries. Critical systems, including the UK's National Health Service and a large telecom in Spain, were caught up in the attack. Once infected, organizations were denied access to their encrypted files, applications and systems, and were shown a message from the hackers demanding the equivalent of $300 in bitcoin.

While the hackers used a known vulnerability in Microsoft operating systems, one that Microsoft had patched two months earlier, the threat itself was unknown until it was too late. Ultimately, the spread was halted by a security researcher in the UK who reverse-engineered samples of the WannaCry code, found an unregistered domain that the malware checked before propagating, and registered it: once the domain resolved, new infections stopped spreading, which is why it came to be called a "kill switch". The fix was only partial, however. Machines that could not resolve the domain, such as hosts behind a web proxy or on isolated networks, still failed the check and continued to be encrypted.

Many security vendors have issued "WannaCry playbooks" since the attack, but the question is, how useful will they be? Even the researcher who stopped the attack warned that the threat was not over: hackers could easily evolve this code into something more resilient and more damaging. While WannaCry is now a known threat, "WannaCry 2.0", or whatever it will be called, will not be. The reality is that hackers play by their own set of rules, and the tactics they use are ever-evolving.

This means playbooks leave gaps in security posture because they rely on established criteria. But that is not the only problem. Here are four more reasons the cybersecurity community must rethink the incident response playbook:

1. They're too tactical. Playbooks consist of a pre-assembled set of tasks triggered by the detection of a threat. This means teams get bogged down in reactive, tactical checklists and steps, instead of putting more effort into strategic, proactive activity that can help prevent attacks.

2. They're not dynamic. Playbooks are static documents that translate incident response processes into integrations. If you change the process or the systems involved, you need to update the code that implements the integrations.

3. They don't let security pros learn. Because of their static nature, playbooks can feed the cybersecurity skills gap. Security analysts need to keep learning how to work with advanced analytics data so they can make informed decisions about emerging threat vectors, just as the security researcher did to find the WannaCry kill switch. That kind of problem-solving requires critical thinking and the room to get creative. However, reliance on playbooks can result in an environment in which analysts only learn what it takes to complete a series of tasks. Playbooks should take into account organization-specific factors and the skill advancement of the analyst. Instead, security analysts cannot apply their own insight to the response based on what they learned from an incident.

4. Hackers love them. Because playbooks create a standard response to threats, hackers can easily determine how a specific organization will respond to a known threat. It is the equivalent of a defensive line in football already knowing where the quarterback will throw the ball. Hackers are well-versed in the use of playbooks and often use them as a distraction. By targeting an organization with a tactic that triggers a known response, and then launching a new attack while the team is busy responding to the distraction, hackers can keep the response team occupied while doing the real damage.

Enterprises must come to grips with the fact that relying on traditional playbooks for incident response is not sustainable. While your business may survive an individual attack today, failing to keep pace with the threats of tomorrow will ultimately put you at risk.

Liz Maida is the CEO and co-founder of Uplevel Security, a provider of an adaptive system of intelligence to detect, analyze and resolve cybersecurity threats. Previously, Maida was with Akamai Technologies, serving in multiple executive roles focused on technology strategy and new product development, including DDoS mitigation, fraud detection and more.

Continued on page 14
