Sharing of incident response playbooks

By Martin Žádník (CESNET)
Published 2021-10-01 on sappan-project.eu (blog post)

As an incident handler, have you wondered whether the way you deal with a cybersecurity incident can be improved, how others deal with the same issues, or whether the handling can be automated? If yes, you are not alone. There is a whole community working on a standard to express incident response playbooks, and SAPPAN contributes to the effort.

From what I have had the opportunity to observe, incident handling is mostly repetitive work. The reaction to a large portion of incidents is the same. The reaction does vary based on the incident, but similar incidents happen again and again, and the reaction to a similar incident follows the same pattern.

Now imagine similar incidents happening all over the world constantly. Wouldn't it be great if these "boring" incidents were not handled individually and manually? I wish there were a pool of knowledge on how to react to these incidents. Pieces of such knowledge could then be shared, customized, deployed in the infrastructure and automatically executed.

The representation of incident handling is the key enabler of sharing. Until recently, I had not come across any standard to represent incident handling procedures. Organizations use either high-level playbooks, which are human readable (e.g. Figure 1) but not machine readable, or scripts, which are machine readable but neither interoperable across organizations nor shareable, and hard for a human to understand. I was simply missing a standard that would fit both worlds: human readable, but with a structure that would allow the playbook to be transformed into instructions for a machine.

Figure 1: An example of a high-level playbook: simple DGA playbook (image: Domain_Generation_Algorithm_DGA_detection_Steps_graph.png)

The SAPPAN project has set sharing incident handling information as one of its goals. While working on this goal, I came across the standardization effort organized within OASIS, the Collaborative Automated Course of Action Operations for Cyber Security Technical Committee [1]. "This is exactly what I was looking for," I said to myself when I first read the draft of the standard. Since I work with MISP (Malware Incident Sharing Platform [2]) as the main sharing platform, I decided to prepare a MISP data model for CACAO playbooks. I got in touch with the committee, and we thoroughly discussed various alternatives for how best to model CACAO playbooks in MISP.

In the end, we decided to take a straightforward approach and prepared a MISP playbook object with specific attributes only for the playbook metadata. The whole CACAO playbook is stored as an attachment attribute in the object. This also allows other playbook formats to be shared, and it does not require transforming the playbook when it is shared and exported. We also discussed the playbook object with the MISP developers, and I am happy to announce that it is now available in the official MISP object repository [3], so that we can start to test its interoperability with other partners.

I am looking forward to the growth of the playbook sharing community, whether publicly available or shared only within the closed communities of cybersecurity intelligence vendors and their customers.

References:

[1] OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC. CACAO Security Playbooks Specification v1.0, available online: https://docs.oasis-open.org/cacao/security-playbooks/v1.0/cs01/security-playbooks-v1.0-cs01.html

[2] MISP – Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing, available online: https://www.misp-project.org

[3] MISP repository, available online: https://github.com/MISP/misp-objects/pull/324#issue-1009464958