Maintaining an evolving knowledgebase of relevant Countermeasures is a core capability for any Security Operations team, even one with only a few Tier 1 Analysts. Historically, such information has been fairly basic, captured as “standard operating procedures” for basic computer restoration after a compromise.
Over the past 10-15 years, the exponential growth in attacks and compromises has led to the creation and standardization of “playbooks” or sets of vetted countermeasures that can be applied in real-time to support incident response (rather than simple, after-the-fact restoration) to recognizable threats. Security Operations teams have adopted sets of more active defensive techniques that range from intentional deception (e.g., honeypots, honeynets, etc.), to dynamic reconfiguration on-the-fly (e.g., terminating processes or connections, editing ACLs, disconnecting systems or services, reconfiguring networks, etc.), to leaving weaponized files for adversaries to exfiltrate (not advised).
Information on these continuously evolving Countermeasures needs to be deliberately managed to properly control their use, including the objectives they are intended to achieve, how and when they should be applied, what the costs or risks of applying them may be, and how effective they are at achieving their objective(s).
Perhaps most importantly, when incidents occur, information about relevant Countermeasures should be immediately and automatically presented to the Tier 1 Analyst, including the capability to automatically evaluate the potential business impacts that may result from employing each Countermeasure.
Here, we do not make any assumptions regarding who makes the decision on whether to apply an identified Countermeasure; only that the Tier 1 Analyst needs an automated capability to build a Decision Space of countermeasure options that can be presented to whomever has the authority to decide under the given circumstances.
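As an added illustration (not part of this article), a minimal Python model of such a knowledgebase: each playbook entry carries the attributes listed above, and one function builds the Tier 1 Analyst’s Decision Space for an incident, ranking applicable countermeasures by effectiveness discounted by business impact, flagging which need higher authority, and reporting what is still missing for the rest. Entry names, threat labels and scores are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Countermeasure:
    """One vetted playbook entry, carrying the attributes the text lists."""
    name: str
    objective: str
    threats: frozenset        # threat types it is vetted against
    preconditions: frozenset  # facts that must hold before it may be applied
    effectiveness: float      # 0..1, how reliably it achieves the objective
    business_impact: float    # 0..1, expected disruption if applied
    needs_approval: bool      # True if someone above Tier 1 must authorize it

# Constructed sample playbook (illustrative values, not from any real SOC).
PLAYBOOK = (
    Countermeasure("block_c2_at_egress", "cut command-and-control",
                   frozenset({"malware_beacon"}), frozenset({"c2_ip_known"}),
                   0.9, 0.1, False),
    Countermeasure("isolate_host", "contain lateral movement",
                   frozenset({"malware_beacon", "credential_theft"}),
                   frozenset({"host_identified"}), 0.95, 0.6, True),
    Countermeasure("force_password_reset", "invalidate stolen credentials",
                   frozenset({"credential_theft"}), frozenset({"account_identified"}),
                   0.8, 0.3, False),
    Countermeasure("kill_process", "stop the running implant",
                   frozenset({"malware_beacon"}), frozenset({"host_identified", "pid_known"}),
                   0.6, 0.2, False),
)

def build_decision_space(threat, facts, playbook=PLAYBOOK, max_impact=1.0):
    """Return (ready, blocked): ready options ranked by effectiveness discounted
    by business impact; blocked options with the facts the analyst still lacks."""
    facts = frozenset(facts)
    ready, blocked = [], {}
    for cm in playbook:
        if threat not in cm.threats:
            continue
        missing = cm.preconditions - facts
        if missing:
            blocked[cm.name] = sorted(missing)   # tells the analyst what to gather
        elif cm.business_impact <= max_impact:   # impact ceiling set by policy
            score = cm.effectiveness * (1.0 - cm.business_impact)
            ready.append((round(score, 3), cm.name, cm.needs_approval))
    ready.sort(key=lambda r: -r[0])
    return ready, blocked

if __name__ == "__main__":
    ready, blocked = build_decision_space("malware_beacon", {"host_identified", "c2_ip_known"})
    for score, name, approval in ready:
        print(f"{name:22s} score={score} {'needs approval' if approval else 'Tier 1 may act'}")
    print("blocked:", blocked)
```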
NOTE: Automating simple decisions, and implementing a countermeasure or executing response actions, is discussed further in the next article on Response Action Management.
However simple or advanced, establishing such a “Playbook” capability to automatically manage the Tier 1 Analyst’s “Decision Space” will significantly improve both the efficiency and effectiveness of your Security Operations.