
Use IBM Resilient Incident Response Platform for Cyber Incident Risk Assessment

By Andy Su posted Tue November 27, 2018 11:02 AM


Develop a dynamic playbook to assist your incident response team to automatically determine the risk with the NCCIC Cyber Incident Scoring System

Cybercrime will generate over $1.5 trillion in profits in 2018, according to a new study presented by Dr. Michael McGuire at RSA, reaffirming the challenge defenders face against a growing cybercrime economy. Preventing cyberattacks is not easy for any organization. The well-known challenges to incident response teams include:

  • A cyber skills shortage
  • Too many alerts, and not enough time or resources
  • Unrefined IR processes and communication
  • Confusing regulatory landscape
  • Complex, changing attacks
  • Many disparate tools

Therefore, we need a solution to enable security teams to automate and orchestrate their IR (incident response) processes, with tight alignment with people, process, and technology across the organization. Without a systematic prioritization or risk assessment technique, incident responders may experience alert fatigue and ignore the crucial alerts.

The NCCIC Cyber Incident Scoring System (NCISS) was introduced to address this concern. NCISS uses a weighted arithmetic mean to produce a score between zero and 100. This score drives incident triage and escalation processes, determining the prioritization of limited incident response resources and the necessary level of support for each incident.

In this article, we will leverage the IBM Resilient Incident Response Platform and develop a dynamic playbook to assist the security team in determining the overall risk by integrating NCISS.


  • An IBM Resilient Incident Response Platform with Action module enabled
  • A user account with Master Administrator role (or with sufficient permission to design a playbook)

Understanding Playbooks

A dynamic playbook is the set of rules, conditions, business logic, workflows and tasks used to respond to an incident. The Resilient platform updates the response automatically as the incident progresses and is modified. Essentially, the playbook is the Resilient platform’s implementation of your incident response plan.

IBM Resilient provides many canned playbooks with comprehensive incident handling and response actions. Users can leverage these and also customize them to best fit their organization’s needs. Please refer to the Playbook Designer Guide for more detailed information.

Figure 1: Out-of-box playbook for Cyber: Malware

Designing Required Elements/Layout

For example, when an IR team receives a malware detection on a critical company asset, an incident is created and the playbook for Cyber: Malware is executed. There are many system tasks automatically generated for IR processes, as seen below:

Figure 2: Incident with automatically generated IR tasks for Cyber:Malware

There could be hundreds of similar incidents in a large organization. An intelligent strategy prioritizes these incidents through a risk assessment, so that the IR team can devote its time to the high-severity ones. To get a quick risk assessment, we want to customize our playbook to adopt NCISS in the Initial Triage task. To customize the task, please go to Customization Settings > Phases & Tasks, and edit the Initial Triage task.

Figure 3: Customize existing system task

The user interface makes it easy to drag and drop the different elements into a layout. In the following example, we plan to add a data table (organizing the field values in a spreadsheet table format), and a custom field (to present the final calculated risk score). Please click Add Table to create a data table.

Figure 4: Add new data table

Then we name the data table. The first name is used for UI presentation, and the second name is used for API usage.

Figure 5: Name the data table

Next, we can create columns. Even after the data table is created, we can still add or delete columns.

Figure 6: Create necessary columns

For each column, we set the appropriate column name, data type, option values, default option and optional tooltip, and mark it as required or not. In our example, we pre-defined the options listed in NCISS, and set the default value to the unknown item or to the item with the lowest score.

Figure 7: Define column type and option values

After defining all the columns, we can open a preview and adjust the column width if applicable.

Figure 8: Finalize data table creation

After clicking Create, click Add Field to create a custom field. It is usually used when the default fields cannot fulfill our specific needs.

Like the columns in the data table, we also specify the data type and other requirements in the modal for field. In this example, we use Number type to present the calculated risk score.

Figure 9: Create Custom Field

After creating the data table and custom field, let’s use drag and drop to put them in the Incident Fields. Click the Save and Close button to save the layout.

Figure 10: Drag and drop the data table and custom field to Incident Fields

Designing In-Product Scripts and Automatic Rules

With the necessary elements and layout prepared, it’s time for us to create the logic to process the user input data during incident initial triage.

The Resilient in-product scripts feature allows users to write Python scripts to access incident data, and implement more complex business logic. Scripts can be triggered by rules or workflows. For more details, please visit Learn about Scripts.

Create your first script via Customization Settings > Scripts page.

Tip: When we first experience the script implementation, we can create a simulation incident and use “” and Run against the simulation incident for real-time result verification or troubleshooting.

Figure 11: Test execution result while editing script

When we are familiar with the script, we can remove the test code and implement the programming logic to handle the user input, map each selected option to its corresponding score, and use the suggested criteria to map the calculated risk score to different severity levels.

Figure 12: Map the calculated risk score to value of custom field
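The scoring logic described above, as an added example that is not the script from the original article (which appears only in the screenshots). The column names, weights, option labels, scores and the threshold of 65 are constructed placeholders, not the published NCISS values, and plain dictionaries stand in for the data table row that the platform passes to the script.

```python
# Constructed placeholder weights and option scores, NOT the published NCISS values.
# Each column maps to (weight, {option label: score on a 0-100 scale}).
CATEGORIES = {
    "functional_impact": (4, {"Unknown": 0, "Minimal": 30, "Significant": 70,
                              "Critical services down": 100}),
    "information_impact": (3, {"Unknown": 0, "Suspected loss": 40, "Confirmed loss": 100}),
    "recoverability": (2, {"Unknown": 0, "Regular": 20, "Extended": 60,
                           "Not recoverable": 100}),
    "observed_activity": (1, {"Unknown": 0, "Engagement": 40, "Effect": 100}),
}
HIGH_THRESHOLD = 65  # assumed escalation threshold; set it from your own policy


def score_row(row):
    """Weighted arithmetic mean of the selected options, as an integer 0-100."""
    weighted_sum = 0
    total_weight = 0
    for column, (weight, options) in CATEGORIES.items():
        # An unanswered column falls back to the lowest-scoring option,
        # matching the default chosen when the columns were defined.
        choice = row.get(column) or min(options, key=options.get)
        if choice not in options:
            # A label that drifted from the data table definition is rejected
            # rather than silently scored as zero, which would hide real risk.
            raise ValueError("unexpected option %r in column %r" % (choice, column))
        weighted_sum += weight * options[choice]
        total_weight += weight
    return int(round(float(weighted_sum) / total_weight))


def triage(row, current_severity="Low"):
    """Return (score, severity); severity is raised to High, never lowered."""
    score = score_row(row)
    severity = "High" if score > HIGH_THRESHOLD else current_severity
    return score, severity


# Constructed triage input standing in for one row of the data table.
sample_row = {
    "functional_impact": "Significant",
    "information_impact": "Confirmed loss",
    "recoverability": "Extended",
    "observed_activity": None,  # left unanswered by the responder
}

if __name__ == "__main__":
    print(triage(sample_row))
```

In the platform, the returned score would be written to the custom Number field and the severity to the incident, in place of the return statement.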

The script does not execute automatically. To make that happen, we need to create a rule or workflow to integrate with the script. In this example, we plan to create an automatic rule to trigger the script under certain conditions.

Please go to Customization Settings > Rules and click New Rule > Automatic.

First, we give it a name and select the object type that the rule applies to, and set the condition to automatically trigger the rule. In this example, we set the object type Data Table: Cyber Incident Risk Assessment and condition as Row is Created and trigger the script when the condition is matched. Therefore, as soon as the incident responder inputs the triage result, the rule executes the script to manipulate the data, calculate the risk score, and escalate the risk level in seconds.

Figure 13: Create automatic rule to trigger score calculation against the data table

Verifying Playbook Execution Results

When finished with the playbook design, the next step is to verify the execution result and adjust the logic if applicable.

We can create a simulated incident to deal with the Malware incident type. Then we go to Initial Triage task and click Edit.

Now we see the data table we created. We can use the drop-down menu to select the values in individual columns, and click to save the setting.

Figure 14: How to fill values in data table

After clicking to save, we can see the Calculated Score field has been updated with the risk score. If another row is added to reflect the latest status of the incident, the field will be updated immediately to reflect the result.

Figure 15: Verify the calculated risk score

If the score is over the pre-defined threshold, the Severity of the incident is automatically escalated to High.

Figure 16: Verify the risk escalation from automatic rule

Besides helping incident responders prioritize their tasks, an escalation to High can drive other business logic. This includes escalating the incident to Tier-3 Analysts for their urgent attention, or escalating the event to a CISO or legal team for immediate risk mitigation.

Figure 17: Other potential actions for escalated risk

In conclusion, we’ve experienced the user-friendly interface, flexible and conditional incident handling, and powerful automation and orchestration capability in-product. This step-by-step introduction to enhancing risk assessments using the NCISS integration provides a framework for an IR team to handle incidents more efficiently. To learn about the full features within IBM Resilient Incident Response Platform, please visit
