Requirements for Playbook-Assisted Cyber Incident Response, Reporting and Automation-Reference-Cited by-同舟云学术

Requirements for Playbook-Assisted Cyber Incident Response, Reporting and Automation

Published:2024-08-23 Issue: Volume: Page:
ISSN:2576-5337
Container-title:Digital Threats: Research and Practice
language:en
Short-container-title:Digital Threats

Author:

Gurabi Mehdi Akbari¹^ORCID,Nitz Lasse¹^ORCID,Bregar Andrej²^ORCID,Popanda Jan³^ORCID,Siemers Christian⁴^ORCID,Matzutt Roman³^ORCID,Mandal Avikarsha³^ORCID

Affiliation:

1. Fraunhofer FIT, Germany and RWTH Aachen University, Germany

2. Informatika d.o.o., Slovenia

3. Fraunhofer FIT, Germany

4. Airbus Protect GmbH, Germany

Abstract

Cybersecurity playbooks assume an increasingly important role as threat-specific documents for guiding operators in the context of cyber incident response. However, these playbooks are mostly unstructured or semi-structured, which significantly limits their utility when it comes to automating response and reporting steps, complying with cybersecurity directives, or sharing best practices for incident response across organisations. We thus argue that cybersecurity playbooks must transition to interoperable and machine-readable formats from generation, via management and utilisation, to cross-organisational sharing. In this work, we identify and structure key requirements, based on expert interviews, as a first step toward this transition. From these requirements, we derive a framework for further guidance during the transition to structured security playbooks and their utilisation in a tool-assisted fashion. We discuss the implications of our framework and lessons learned, before outlining directions for future research.

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/3688810

Reference29 articles.

1. Cyber Threat Intelligence – Issue and Challenges

2. Mehdi Akbari Gurabi, Avikarsha Mandal, Jan Popanda, Robert Rapp, and Stefan Decker. 2022. SASP: a Semantic web-based Approach for management of Sharable cybersecurity Playbooks. In Proceedings of the 17th International Conference on Availability, Reliability and Security. 1–8.

3. Bushra A. Alahmadi, Louise Axon, and Ivan Martinovic. 2022. 99% False Positives: A Qualitative Study of SOC Analysts’ Perspectives on Security Alarms. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 2783–2800.

4. Roberto Andrade, Jenny Torres, and Susana Cadena. 2019. Cognitive security for incident management process. In Information Technology and Systems: Proceedings of ICITS 2019. Springer, 612–621.

5. Breaking Alert Fatigue: AI-Assisted SIEM Framework for Effective Incident Response