


Exploit attacker playbooks to improve security

Jul 12, 2017 | 4 mins
Advanced Persistent Threats | IT Leadership

Rick Howard lines up a Security Slap Shot on improving security by going after attacker playbooks

[Image: NFL football, New York Jets vs. Buffalo Bills. Credit: REUTERS/USA Today Sports]

High-performance teams rely on defined processes. Sometimes these are called playbooks.

Turns out disciplined attackers use playbooks, too.

Rick Howard (LinkedIn, Twitter) suggests that knowledge might be the key to a different way to improve and automate security. A 23-year military veteran, Howard is the chief security officer for Palo Alto Networks, where he continues to build out the Unit 42 Threat Intelligence Team, supports the company’s product lines and is a respected thought leader and company evangelist in the cybersecurity community. He has a broad background in several areas of InfoSec, drawn from experience in both the public and private sectors.

Rick Howard’s Security Slap Shot:

There are fewer than 100 attacker playbooks in use right now. If we automatically generate defender playbooks against them, it will be a game changer.

Most network defenders are familiar with the idea of a defensive playbook. These playbooks hold a set of predefined actions that we can run when a recurring situation occurs within our operational purview. Instead of reacting on the fly each time a situation arises, we roll out the play that best worked the last time we dealt with the same situation. Each time a play is run, we try to incrementally improve it so that the next time we encounter the same situation, our reaction will be even better.

The thing that network defenders must also remember is that cyber adversaries also use playbooks to execute their attacks. Cyber adversaries don’t make up new offensive attack sequences each time they target a new victim. They don’t invent new delivery schemes for each new attack, nor do they invent new zero-day exploits, new command and control infrastructure, new ways to move laterally, or new ways to exfiltrate data. Adversaries reuse the same attack sequences that worked on previous victims time and

In other words, they reuse the same offensive playbooks until they no longer work.

This begs the question: how many offensive playbooks are active on the Internet on any given day? When cyber adversaries come to work in the morning holding their cups of coffee in one hand and their offensive attack notebooks in the other, and they sit down at their terminals to attack a new victim, and they open their attack notebook to page one and read the first instruction, how many notebooks actually exist in the world at that moment?

At this point, the network defender community as a whole does not have a good answer for this. I have asked government cyber intelligence organizations from all over the world. They all think the number of playbooks that exist is small, perhaps fewer than 100. I have also talked to commercial network defenders who don’t hold clearances, and they think the number is bigger, closer to 20,000.

But here is the point: it is not a million. In the worst case, the upper limit established by the network defender community is 20,000, and that’s not a big number in this context. If the network defender community collaborated to automatically share changes to these 20,000 adversary playbooks in real-time every day, then the entire world could receive blanket protections for all known adversary playbooks as they evolve. That could be a game changer and it’s exactly what the Cyber Threat Alliance is trying to do.

My analysis (color commentary)

I frequently help leaders and their teams to develop systems to elevate their performance and accelerate their results. Rick pointed out that successful attackers do the same basic thing — and knowing this, we can turn it around.

I like the idea of learning, sharing, and exploiting the information to automate defenses. It means our collective knowledge and experience serves to increase the friction for attackers. And while it means they’ll just develop new playbooks, doing so takes time and creates noise along the way.

Your turn — react!

What do you think about turning the tables on attackers and automating our defenses against their playbooks?

Post your comments on our Facebook page, or take it to Twitter and talk with me (@catalyst), Rick (@raceBannon99) and others.

Ready … set … REACT!


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience successfully advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.
