Cyber Incident Management Playbooks - an example?
Stanford University


This is from my BC blog last week and I thought I would share it on LinkedIn as well. I am interested in hearing people's thoughts on my example: whether it fits their idea of what a playbook should contain, and whether there is anything which could be added.

A while ago, I wrote what I thought were the contents of a cyber playbook, and through my reading I thought I had a consensus of what one should contain. After having delivered a number of public and private cyber training courses, I have realised that there is a large variety of documents called playbooks, and they mean different things to different people and organisations. Some organisations are using them as a substitute description of their crisis plans, whilst others are using them to detail how to respond to a cyber event at a technical level.

I thought for this bulletin I would share an example of a playbook from the 'Managing and Preparing for Cyber Incidents' course.

This example would be one of a number of plays which make up the playbook, and would cross-reference the organisation's strategic and tactical plans.

Play / scenario covered

  1. Whether to cut off our internal systems from the external environment

When is this likely to be used?

  1. In response to a major and sustained DDoS attack
  2. In response to malware which is spreading through the organisation or externally, where disconnecting from the external environment may stop the attack or it spreading internally

Options

  1. Keep systems connected
  2. Disconnect all systems

Clear decisions

  1. Low – If IT feel they can deal with the attack, and can withstand or contain it, then stay connected
  2. High – If the systems are already being damaged or have started to shut down, then disconnect

How long will it take to initiate the cut off?

  1. It will take 2 hours to completely cut off the entire network

Questions the team might want to ask before making a decision

  1. How powerful is the DDoS attack?
  2. Is it just our organisation being targeted, or have others been affected?
  3. Do we know where the attack is coming from?
  4. Which systems have been affected?
  5. Is there any Government advice on what to do?

What are the advantages and disadvantages of disconnecting the systems?

  1. Advantages:
     •  Protect our systems, some of which can take up to 3 days to recover if not shut down correctly.
     •  Prevent corruption and loss of data.
     •  Recovery after the attack will be quicker.
     •  The website will stay up as it is hosted outside our system.
  2. Disadvantages:
     •  We will lose all email, telecoms, and access to all internal systems.
     •  All company work will cease.
     •  We will lose all our main methods of communication.

Who will make the decision?

  1. The decision to cut off will be suggested by IT but must be signed off by any member of the Incident Management Team (IMT).

Who needs to carry out the action?

  1. Once the decision is made, IT have plans in place to implement the disconnect.

Who needs to be informed of the decision?

  1. All members of the IMT, all staff, the board and the executive team.

Any further actions to be taken?

  1. All further communications will be by mobile and the pre-agreed WhatsApp groups.

To me, the purpose of this is to give the team the facts and considerations they need to make a decision, and to have them readily available, so that if they need to decide at short notice they are seeking the minimum of information from elsewhere. The circumstances are likely to be different each time, but the advantages and disadvantages may stay the same.

Your thoughts?

Looks good Charlie, thank you for sharing. We put together some playbooks for the water crisis here in Cape Town. In addition to the info above, we included Trigger points (and thresholds for activation) - for example: Day Zero is officially declared by the City of Cape Town or National Government; or in the absence of an official declaration we are 2 (two) weeks from planned Day Zero; alternatively activated on management discretion. We took the comms a step further and added escalation and how this would be achieved (preferred method / channel). We prepared initial "Agenda / talking points" and finally added a dependency note (people, process or tech) which sits outside the immediate team/decision-makers, and would influence their design thinking.
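A play written as structured data can be checked mechanically, which is one way to keep every play complete as the playbook is revised. The following is an added example, not code from the post or the commenter: it encodes the disconnect play above, together with activation triggers of the kind the comment describes, and lints the play for the gaps that surface during a live incident (an empty section, a severity level with no decision, a decision that names an option the play does not offer, an ambiguous decision owner, and a trigger nobody can measure). The field names, the three-step severity ladder (the post lists only Low and High), the "any member" check and the sample trigger threshold are assumptions made for this example.

```python
"""Playbook-as-code lint for one play of a cyber incident playbook.

Added example, not from the post or the commenter. Field names, the
severity ladder and the sample trigger values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed ladder; the post's play defines decisions for low and high only.
SEVERITY_LEVELS = ("low", "medium", "high")


@dataclass
class Trigger:
    """An activation trigger; measurable only if it carries a metric and a threshold."""
    description: str
    metric: Optional[str] = None
    threshold: Optional[float] = None

    def is_measurable(self) -> bool:
        return self.metric is not None and self.threshold is not None


@dataclass
class Play:
    scenario: str
    used_when: list = field(default_factory=list)
    options: list = field(default_factory=list)
    decisions: dict = field(default_factory=dict)  # severity -> chosen option
    time_to_initiate_hours: Optional[float] = None
    questions: list = field(default_factory=list)
    advantages: list = field(default_factory=list)
    disadvantages: list = field(default_factory=list)
    decision_owner: str = ""
    executor: str = ""
    inform: list = field(default_factory=list)
    further_actions: list = field(default_factory=list)
    triggers: list = field(default_factory=list)


def lint_play(play: Play) -> list:
    """Return the list of findings for a play; an empty list means it is complete."""
    findings = []
    # Every list section of the template must be populated.
    for name in ("used_when", "options", "questions", "advantages",
                 "disadvantages", "inform", "further_actions", "triggers"):
        if not getattr(play, name):
            findings.append(f"section '{name}' is empty")
    for name in ("decision_owner", "executor"):
        if not getattr(play, name).strip():
            findings.append(f"'{name}' is not set")
    if play.time_to_initiate_hours is None:
        findings.append("time to initiate is unknown")
    # Each severity level needs a decision, and each decision must pick a listed option.
    for level in SEVERITY_LEVELS:
        if level not in play.decisions:
            findings.append(f"no clear decision for severity '{level}'")
    for level, option in play.decisions.items():
        if option not in play.options:
            findings.append(f"decision for '{level}' names unknown option '{option}'")
    # Sign-off by "any member" lets two people reach opposite decisions at once.
    if "any member" in play.decision_owner.lower():
        findings.append("decision owner is ambiguous: name a single role or a quorum")
    # Triggers must be measurable so activation is not argued about mid-incident.
    for trig in play.triggers:
        if not trig.is_measurable():
            findings.append(f"trigger '{trig.description}' has no metric/threshold")
    return findings


# The post's play, transcribed; the triggers are constructed sample values.
DISCONNECT_PLAY = Play(
    scenario="Whether to cut off our internal systems from the external environment",
    used_when=["Major and sustained DDoS attack",
               "Malware spreading internally or externally"],
    options=["Keep systems connected", "Disconnect all systems"],
    decisions={"low": "Keep systems connected", "high": "Disconnect all systems"},
    time_to_initiate_hours=2,
    questions=["How powerful is the DDoS attack?",
               "Is it just our organisation being targeted, or have others been affected?",
               "Do we know where the attack is coming from?",
               "Which systems have been affected?",
               "Is there any Government advice on what to do?"],
    advantages=["Protect systems that take up to 3 days to recover if not shut down correctly",
                "Prevent corruption and loss of data", "Quicker recovery after the attack",
                "Website stays up as it is hosted externally"],
    disadvantages=["Lose all email, telecoms and access to internal systems",
                   "All company work will cease", "Lose all main methods of communication"],
    decision_owner="Suggested by IT, signed off by any member of the IMT",
    executor="IT",
    inform=["IMT", "all staff", "the board", "the executive team"],
    further_actions=["Communicate by mobile and the pre-agreed WhatsApp groups"],
    triggers=[
        Trigger("Inbound traffic saturates upstream link",
                "inbound_link_utilisation_pct", 95.0),   # constructed threshold
        Trigger("Activated at IMT discretion"),           # discretionary, not measurable
    ],
)

if __name__ == "__main__":
    for finding in lint_play(DISCONNECT_PLAY):
        print("-", finding)
```

Run as a script it lists three findings for the transcribed play: no decision for the assumed medium severity, an ambiguous sign-off, and the discretionary trigger. Storing plays in this form and running the lint in review is what turns the playbook from a document that is read once into one that is checked each time it changes.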
