The new CISA playbooks provide sound guidance on incident and vulnerability response, but mainly from a process perspective.

President Joe Biden's Executive Order on Improving the Nation's Cybersecurity tasked the U.S. Cybersecurity and Infrastructure Security Agency (CISA) with developing a standard set of operational procedures for the Federal Civilian Executive Branch (FCEB) to use when responding to incidents and vulnerabilities. CISA recently released the Cybersecurity Incident & Vulnerability Response Playbooks as a single document. While this guidance is intended for FCEB agencies, it may be applicable to other entities as well. What follows is an analysis of that guidance from the perspective of a security practitioner.

Cybersecurity Incident Response Playbook: The good

The Incident Response Playbook builds on the widely used NIST 800-61 r2 Computer Security Incident Handling Guide, which countless organizations reference when building incident response (IR) capabilities and carrying out IR activities. It follows the standard IR phases:

- Preparation
- Detection and analysis
- Containment
- Eradication and recovery
- Post-incident activity
- Coordination

The guidance provides comprehensive details for each IR phase so that FCEB and other organizations using the playbooks can take actionable steps to improve their IR processes. The preparation phase acknowledges how critical logging is for IR activities, and the playbooks direct agencies to align with Sec. 8 of the EO, which sets requirements for log collection, storage and integrity. Adversarial tactics continue to change (while still exploiting the basics), and the playbook recommends leveraging cyber threat intelligence (CTI) to ensure your organization is tracking the latest tactics, techniques and procedures (TTPs).
This is excellent advice, given that organizations can learn the TTPs being used in the wild and fortify themselves with appropriate countermeasures before becoming a victim. The guidance makes it clear that CISA is prepared to assist agencies with their IR activities. It also provides explicit data on common adversarial techniques, the log and event sources that can identify them, and indicators of behavior that may point to malicious activity. This is great, actionable insight for FCEB and other organizations. The guidance ultimately emphasizes CISA's role as the "front door" for agencies' IR activities, providing a clear conduit to quickly begin addressing incidents as they occur.

Cybersecurity Incident Response Playbook: The gaps

While the IR playbook's preparation phase directs agencies to align with Sec. 8 of the EO, it doesn't go into enough detail regarding the third-party service providers and partners that make up the broader ecosystem and supply chain. The reality is that today's FCEB agencies, as well as commercial organizations, use tens to hundreds of external service providers, especially once you account for cloud and particularly software as a service (SaaS). These external service providers often support critical business functions and store sensitive data, and logging from these sources is required to perform comprehensive IR activities.

Logging aside, the guidance also could have provided additional detail on how organizations can establish service level agreements (SLAs) and other communication channels with external service providers, who will inevitably be involved in several of the IR phases, often outside the control of your own organization.
Organizations can and should make use of other guidance such as the Cloud Security Alliance's Cloud Incident Response Framework.

The IR playbook also recommends conducting regular exercises to test the organization's continuity of operations and failover/backup capabilities. While this is sound guidance, the playbooks could go further by recommending that FCEB and other organizations implement modern resilience testing such as chaos engineering, which is the "discipline of experimenting on a system in order to build confidence in the system's capability to withstand turbulent conditions in production." Doing so goes beyond tabletop and theoretical exercises and actually injects faults and incidents into the system to test both technical and procedural capabilities to remain resilient in the face of incidents. Building on this line of thought, the guidance could have made recommendations related to purple teaming to bolster an organization's defenses and IR capabilities.

While the playbook discusses capturing relevant artifacts for investigation, it doesn't touch on the associated challenges, such as those captured in the NIST Cloud Computing Forensic Science Challenges. The guidance also lacks recommendations that can be facilitated by modern technologies such as infrastructure as code (IaC), containers or cloud to quickly purge and recreate impacted environments.

Ultimately, the IR playbook provides comprehensive guidance for conducting IR activities. However, it falls short of leaning into modern technology and processes to maximize the improvement of agencies' IR capabilities and maturity.

Cybersecurity Vulnerability Response Playbook: The good

The Vulnerability Response Playbook focuses on vulnerabilities that are being exploited in the wild. The guidance makes it clear that this playbook doesn't replace a mature vulnerability management program and that having one in place can mitigate many risks to begin with.
The VR process essentially builds on the IR playbook, leading into IR activities when a vulnerability is actively exploited within an organization. The guidance provides clear direction for how organizations can both identify vulnerabilities and evaluate their potential impact. This helps organizations categorize systems as impacted, susceptible or, worst of all, compromised. The guidance recognizes that some situations require alternatives to patching, such as when a patch can't yet be applied or simply doesn't exist, and provides alternative options accordingly.

The end goal of vulnerability remediation includes categorizing systems as remediated, mitigated or susceptible/compromised. Doing so gives the organization insight into the security posture of its assets and lets it carry out vulnerability management activities accordingly.

Cybersecurity Vulnerability Response Playbook: The gaps

While the Vulnerability Response Playbook provides a great overview of vulnerability management, some areas could use additional detail and elaboration. For example, the need to understand the relevance of vulnerabilities is only briefly touched on. While the severity rating of a vulnerability is relevant, it shouldn't be the only consideration. Each IT system is unique and has its own architecture, implementation and level of exploitability, due for example to mitigating controls. Blindly chasing vulnerabilities based on severity alone, without considering their relevance to the system and their exploitability, won't give you the greatest reduction in risk.

The guidance also didn't mention vulnerability chaining, where multiple vulnerabilities are exploited in a single attack to compromise a target. Individuals such as Dr. Nikki Robinson have done a lot of research and speaking on this topic, and it is a tactic that adversaries regularly use.

The CISA Incident and Vulnerability Response Playbooks provide sound guidance based on existing documentation from organizations such as NIST and others. That said, the guidance is also process oriented and offers little insight into how to leverage the latest technologies such as cloud, IaC or containers to innovate the way organizations conduct these activities. Coupling tried-and-true guidance and practices with the latest technological innovations can make the most security impact and mitigate the most risk.