SEC10-BP04 Develop and test security incident response playbooks - Security Pillar

SEC10-BP04 Develop and test security incident response playbooks

A key part of preparing your incident response processes is developing playbooks. Incident response playbooks provide a series of prescriptive guidance and steps to follow when a security event occurs. Having clear structure and steps simplifies the response and reduces the likelihood for human error.

Level of risk exposed if this best practice is not established: Medium

Implementation guidance

Playbooks should be created for incident scenarios such as:

  • Expected incidents: Playbooks should be created for incidents you anticipate. This includes threats like denial of service (DoS), ransomware, and credential compromise.

  • Known security findings or alerts: Playbooks should be created for your known security findings and alerts, such as GuardDuty findings. You might receive a GuardDuty finding and think, "Now what?" To prevent the mishandling or ignoring of a GuardDuty finding, create a playbook for each potential GuardDuty finding. Some remediation details and guidance can be found in the GuardDuty documentation. It’s worth noting that GuardDuty is not enabled by default and does incur a cost. For more detail on GuardDuty, see Appendix A: Cloud capability definitions - Visibility and alerting.

Playbooks should contain technical steps for a security analyst to complete in order to adequately investigate and respond to a potential security incident.

Implementation steps

Items to include in a playbook include:

  • Playbook overview: What risk or incident scenario does this playbook address? What is the goal of the playbook?

  • Prerequisites: What logs, detection mechanisms, and automated tools are required for this incident scenario? What is the expected notification?

  • Communication and escalation information: Who is involved and what is their contact information? What are each of the stakeholders’ responsibilities?

  • Response steps: Across phases of incident response, what tactical steps should be taken? What queries should an analyst run? What code should be run to achieve the desired outcome?

    • Detect: How will the incident be detected?

    • Analyze: How will the scope of impact be determined?

    • Contain: How will the incident be isolated to limit scope?

    • Eradicate: How will the threat be removed from the environment?

    • Recover: How will the affected system or resource be brought back into production?

  • Expected outcomes: After queries and code are run, what is the expected result of the playbook?


Related Well-Architected best practices:

Related documents: