Playbook Oriented Cyber Response

Applebaum, Andy; Johnson, Shawn; Limiero, Michael; Smith, Michael B.

doi:10.1109/ncs.2018.00007

Cited by 8 publications

(10 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, despite their partial relevance, we provide detailed analyses for six incident response formats only. Following the inception of the Integrated Adaptive Cyber Defense (IACD) Framework [39] in 2014, subsequently, the formats Open Command and Control (OpenC2) [40], Collaborative Open Playbook Standard (COPS) [38], Collaborative Automated Course of Action Operations (CACAO) for Cyber Security [37], Resilient Event Conditions Action System against Threats (RECAST) Framework [42] and RE&CT Framework [41] have been introduced (see Figure 4).…”

Section: Incident Response Formatsmentioning

confidence: 99%

“…Several papers cover the overall IACD project and its reference architecture [108], [109], [110], [111], [112]. Besides, [100] and [42] mention the IACD approach and playbook format in connection with other incident response formats. • Gray literature on IACD includes first and foremost the playbook specification [39] and documentation covering the overarching reference architecture [107].…”

Section: Cops -Summary and Recommendationsmentioning

confidence: 99%

“…[120], [100], [121], [122] and [123] briefly describe OpenC2 or highlight its use within the scope of adjacent research. Applebaum et al [42] emphasize integration of OpenC2 with their proposed playbook specification format RECAST. • Gray literature on OpenC2 includes numerous news articles about the ideas of OpenC2 and its supporters, listed on the OpenC2 website 8 .…”

Section: Iacd -Summary and Recommendationsmentioning

confidence: 99%

“…Our contribution then extends to a comprehensive and detailed analysis of 6 incident response formats. Precisely, we analyze Collaborative Automated Course of Action Operations (CACAO) for Cyber Security [37], Collaborative Open Playbook Standard (COPS) [38], Integrated Adaptive Cyber Defense (IACD) Framework [39] as well as Open Command and Control (OpenC2) [40], RE&CT Framework [41], and Resilient Event Conditions Action System against Threats (RECAST) Framework [42]. Beyond the analyzed formats, we also document the larger product ecosystem.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Comparative Study on Cyber Threat Intelligence: The Security Incident Response Perspective

Schlette

Caselli

Pernul

2021

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

IEEE Communications Surveys & Tutorials IEEE COMMUNICATIONS SURVEYS & TUTORIALS 2 followed by Detection & Analysis, Containment, Eradication & Recovery and concludes with Post-Incident Activity. It is worth mentioning that between the four phases feedback loops exist. Other incident handling process models (e.g., CERT/CC [24], ITIL [25], [26], [27]) are in line with the NIST incident response life cycle. Nevertheless, often incident response is narrowed down to only the Containment, Eradication & Recovery activities, whereas incident management and incident handling provide the larger reference framework [27], [21]. We follow this more precise approach and center on the pivotal activities of incident response. An elementary subarea in conjunction with incident response and its community is digital forensics. Digital forensics concerns data gathering and the detailed analysis of circumstances surrounding a security incident [26]. Within the NIST incident response life cycle, digital forensics mainly precedes the incident response action itself and can be attributed to Detection & Analysis. For our work, we separate between digital forensics and incident response and exclude the former. However, due to the nature of the analyzed data formats, there is at times overlap concerning investigative incident response activities. This situation leads to the focus of this survey described in Figure 2. The starting point of incident response and its standardization is hereby defined as trigger, alert, or event detected by an Intrusion Detection System (IDS), Security Information and Event Management (SIEM), or similar system, which then requires incident response actions. Also, CTI feeds, and structured threat reports are possible external starting points.

show abstract

Section: Incident Response Formatsmentioning

confidence: 99%

Section: Cops -Summary and Recommendationsmentioning

confidence: 99%

Section: Iacd -Summary and Recommendationsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Comparative Study on Cyber Threat Intelligence: The Security Incident Response Perspective

Schlette

Caselli

Pernul

2021

IEEE Commun. Surv. Tutorials

View full text Add to dashboard Cite

show abstract

“…Further research is necessary to show how different training methods can be applied in the context of SOCs and measure their effectiveness. An interesting approach to improve on-the-job learning and training is pursued by Applebaum et al [95] by developing playbooks that provide analysts with an overview of tasks and actions based on the experience of other analysts. Also, knowledge graphs representing the domain knowledge and experience of SOC analysts enable better learning and training for others [89], [95].…”

Section: ) Training and Awarenessmentioning

confidence: 99%