Rick Howard lines up a Security Slap Shot on improving security by going after attacker playbooks

High-performance teams rely on defined processes. Sometimes these are called playbooks. Turns out disciplined attackers use playbooks, too. Rick Howard (LinkedIn, Twitter) suggests that knowledge might be the key to a different way to improve and automate security.

A 23-year military veteran, Howard is the chief security officer for Palo Alto Networks, where he continues to build out the Unit 42 Threat Intelligence Team, supports the company’s product lines and is a respected thought leader and company evangelist in the cybersecurity community. He has a vast background in several different areas of InfoSec, with experience in both the public and private sectors.

Rick Howard’s Security Slap Shot: There are fewer than 100 attacker playbooks in use right now. If we automatically generate defender playbooks against them, it will be a game changer.

Most network defenders are familiar with the idea of a defensive playbook. These playbooks hold a set of predefined actions that we can run when a recurring situation occurs within our operational purview. Instead of reacting on the fly each time a situation arises, we roll out the play that worked best the last time we dealt with the same situation. Each time a play is run, we try to incrementally improve it so that the next time we encounter the same situation, our reaction will be even better.

The thing that network defenders must also remember is that cyber adversaries also use playbooks to execute their attacks. Cyber adversaries don’t make up new offensive attack sequences each time they target a new victim. They don’t invent new delivery schemes for each new attack, nor do they invent new zero-day exploits, new command and control infrastructure, new ways to move laterally, or new ways to exfiltrate data.
Adversaries reuse the same attack sequences that worked on previous victims time and again. In other words, they reuse the same offensive playbooks until they no longer work.

This begs the question: how many offensive playbooks are active on the Internet on any given day? When cyber adversaries come to work in the morning holding their cups of coffee in one hand and their offensive attack notebooks in the other, and they sit down at their terminals to attack a new victim, and they open their attack notebook to page one and read the first instruction, how many notebooks actually exist in the world at that moment?

At this point, the network defender community as a whole does not have a good answer for this. I have asked government cyber intelligence organizations from all over the world. They all think the number of playbooks that exist is small, perhaps fewer than 100. I have also talked to commercial network defenders who don’t hold clearances, and they think the number is bigger, closer to 20,000. But here is the point: it is not a million. In the worst case, the upper limit established by the network defender community is 20,000, and that’s not a big number in this context. If the network defender community collaborated to automatically share changes to these 20,000 adversary playbooks in real time every day, then the entire world could receive blanket protections for all known adversary playbooks as they evolve. That could be a game changer, and it’s exactly what the Cyber Threat Alliance is trying to do.

My analysis (color commentary)

I frequently help leaders and their teams to develop systems to elevate their performance and accelerate their results. Rick pointed out that successful attackers do the same basic thing — and knowing this, we can turn it around.

I like the idea of learning, sharing, and exploiting the information to automate defenses. It means our collective knowledge and experience serves to increase the friction for attackers.
And while it means they’ll just develop new playbooks, doing so takes time and creates noise along the way.

Your turn — react!

What do you think about turning the tables on attackers and automating our defenses against their playbooks?

Post your comments on our Facebook page, or take it to Twitter and talk with me (@catalyst), Rick (@raceBannon99) and others.

Ready … set … REACT!
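To make the two ideas in the piece concrete (a defender playbook as predefined plays keyed to a recurring situation, and sharing only the changes to an adversary playbook as it evolves), here is an added Python illustration. It is constructed for this page; it is not code from the article, from Palo Alto Networks, or from the Cyber Threat Alliance. The stage names follow the attack sequence the piece lists (delivery, exploit, command and control, lateral movement, exfiltration); the defensive actions, the `STAGE_TO_PLAY` table, the sample campaign and every indicator value in it are assumptions invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Predefined defensive plays keyed by attack stage. The stages are the ones the
# piece lists; the actions are generic, constructed examples (assumption) of what
# a play might instruct, not any vendor's or alliance's actual playbook content.
STAGE_TO_PLAY: dict[str, str] = {
    "delivery": "block the sender domain at the mail gateway and quarantine attachments matching the hash",
    "exploit": "push the vendor patch and enable exploit mitigations on affected hosts",
    "command_and_control": "sinkhole the C2 domain and add an egress deny rule for it",
    "lateral_movement": "disable unused admin shares and alert on remote service creation",
    "exfiltration": "rate-limit large outbound transfers and alert on uploads to unsanctioned storage",
}


@dataclass(frozen=True)
class Step:
    """One step of an adversary playbook: a stage plus the observable a defender can match on."""
    stage: str
    indicator: str


@dataclass
class AdversaryPlaybook:
    name: str
    version: int
    steps: list[Step]


@dataclass(frozen=True)
class DefenderPlay:
    stage: str
    indicator: str
    action: str


def generate_defender_playbook(adv: AdversaryPlaybook) -> list[DefenderPlay]:
    """Derive a defender playbook mechanically: one predefined play per adversary step.

    A stage with no predefined play is an analyst gap, so raise instead of
    silently emitting an incomplete playbook.
    """
    plays: list[DefenderPlay] = []
    for step in adv.steps:
        action = STAGE_TO_PLAY.get(step.stage)
        if action is None:
            raise ValueError(f"no predefined play for stage {step.stage!r} in {adv.name!r}")
        plays.append(DefenderPlay(step.stage, step.indicator, action))
    return plays


def playbook_delta(old: AdversaryPlaybook, new: AdversaryPlaybook) -> tuple[set[Step], set[Step]]:
    """Return (added, retired) steps between two versions of the same adversary playbook.

    Only these steps need to be shared; plays for the unchanged steps already exist.
    """
    old_steps, new_steps = set(old.steps), set(new.steps)
    return new_steps - old_steps, old_steps - new_steps


def incremental_update(old: AdversaryPlaybook, new: AdversaryPlaybook) -> list[DefenderPlay]:
    """The plays a subscriber must add on receiving the delta, rather than regenerating everything."""
    added, _retired = playbook_delta(old, new)
    changed = AdversaryPlaybook(new.name, new.version, sorted(added, key=lambda s: s.stage))
    return generate_defender_playbook(changed)


# Constructed sample playbook (not a real campaign). Version 2 changes only the
# C2 infrastructure, which is the kind of small daily change the piece talks about.
SAMPLE_V1 = AdversaryPlaybook("constructed-campaign", 1, [
    Step("delivery", "attachment sha256:<constructed-hash>"),
    Step("command_and_control", "c2.example.invalid"),
    Step("exfiltration", "upload to share.example.invalid"),
])
SAMPLE_V2 = AdversaryPlaybook("constructed-campaign", 2, [
    Step("delivery", "attachment sha256:<constructed-hash>"),
    Step("command_and_control", "c2-new.example.invalid"),
    Step("exfiltration", "upload to share.example.invalid"),
])


if __name__ == "__main__":
    for play in generate_defender_playbook(SAMPLE_V1):
        print(f"[{play.stage}] {play.indicator}: {play.action}")
    added, retired = playbook_delta(SAMPLE_V1, SAMPLE_V2)
    print("added:", added, "retired:", retired)
    for play in incremental_update(SAMPLE_V1, SAMPLE_V2):
        print(f"new play -> [{play.stage}] {play.indicator}: {play.action}")
```

The point of `playbook_delta` is that when the campaign rotates its C2 domain, the subscriber receives one added step and one retired step, not the whole playbook, and `incremental_update` turns just that delta into the play to deploy. Raising on an unknown stage is deliberate: it surfaces the case where the attacker's sequence contains something the predefined plays do not yet cover, which is exactly the situation that needs a human to write a new play.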