High-performance teams rely on defined processes. Sometimes these are called playbooks.

Turns out disciplined attackers use playbooks, too.

Rick Howard (LinkedIn, Twitter) suggests that knowledge might be the key to a different way to improve and automate security.

A 23-year military veteran, Howard is the chief security officer for Palo Alto Networks where he continues to build out the Unit 42 Threat Intelligence Team, supports the company’s product lines and is a respected thought leader and company evangelist in the cybersecurity community space. He has a vast background in several different areas of InfoSec, ranging from experiences within both the public and private sectors.

Rick Howard’s Security Slap Shot:

There are less than 100 attacker playbooks in use right now. If we automatically generate defender playbooks against them, it will be a game changer.

Most network defenders are familiar with the idea of a defensive playbook. These playbooks hold a set of predefined actions that we can run when a recurring situation occurs within our operational purview. Instead of reacting on the fly each time a situation arises, we roll out the play that best worked the last time we dealt with the same situation. Each time a play is run, we try to incrementally improve it so that the next time we encounter the same situation, our reaction will be even better.

The thing that network defenders must also remember is that cyber adversaries also use playbooks to execute their attacks. Cyber adversaries don’t make up new offensive attack sequences each time they target a new victim. They don’t invent new delivery schemes for each new attack, nor do they invent new zero-day exploits, new command and control infrastructure, new ways to move laterally, or new ways to exfiltrate data.
Adversaries reuse the same attack sequences that worked on previous victims time and again until the network defender community determines how to stop them. In other words, they reuse the same offensive playbooks until they no longer work.

This begs the question: how many offensive playbooks are active on the Internet on any given day? When cyber adversaries come to work in the morning holding their cups of coffee in one hand and their offensive attack notebooks in the other, and they sit down at their terminals to attack a new victim, and they open their attack notebook to page one and read the first instruction, how many notebooks actually exist in the world at that moment?

At this point, the network defender community as a whole does not have a good answer for this. I have asked government cyber intelligence organizations from all over the world. They all think the number of playbooks that exist is small, perhaps less than 100. I have also talked to commercial network defenders who don’t hold clearances and they think the number is bigger, closer to 20,000.

But here is the point: it is not a million. In the worst case, the upper limit established by the network defender community is 20,000, and that’s not a big number in this context. If the network defender community collaborated to automatically share changes to these 20,000 adversary playbooks in real-time every day, then the entire world could receive blanket protections for all known adversary playbooks as they evolve. That could be a game changer and it’s exactly what the Cyber Threat Alliance is trying to do.

My analysis (color commentary)

I frequently help leaders and their teams to develop systems to elevate their performance and accelerate their results.
Rick pointed out that successful attackers do the same basic thing — and knowing this, we can turn it around.

I like the idea of learning, sharing, and exploiting the information to automate defenses. It means our collective knowledge and experience serves to increase the friction for attackers. And while it means they’ll just develop new playbooks, the process takes time and creates noise in the process.

Your turn — react!

What do you think about turning the tables on attackers and automating our defenses against their playbooks?

Post your comments on our Facebook page, or take it to Twitter and talk with me (@catalyst), Rick (@raceBannon99) and others.

Ready … set … REACT!