Model-Based Incident Response Playbooks

Avi Shaked; Yulia Cherdantseva; Pete Burnap

doi:10.1145/3538969.3538976

Model-Based Incident Response Playbooks

Avi Shaked^*, Yulia Cherdantseva, Pete Burnap

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Inevitably, all systems are vulnerable, and none are impervious to attack. Incident response is an important element in maintaining the cyber security posture of organizations. Incident response practitioners often rely on process descriptions in the form of playbooks as recipes for handling incidents as they occur. However, current practices and mechanisms do not offer a disciplined approach to designing and representing playbooks, risking the effectiveness of the playbooks in directing and coordinating incident response. In this paper, we propose a formal, model-based design approach to designing cyber security incident response playbooks. We provide a tool prototype for the approach, developed using the Eclipse framework, and demonstrate how it can accommodate playbooks. Finally, we discuss how the approach can improve aspects of incident response throughout its lifecycle, by correctly prescribing and coordinating response actions as well as supporting organizational learning.

Original language	English
Title of host publication	Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781450396707
DOIs	https://doi.org/10.1145/3538969.3538976
State	Published - 23 Aug 2022
Externally published	Yes
Event	17th International Conference on Availability, Reliability and Security, ARES 2022 - Vienna, Austria Duration: 23 Aug 2022 → 26 Aug 2022

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	17th International Conference on Availability, Reliability and Security, ARES 2022
Country/Territory	Austria
City	Vienna
Period	23/08/22 → 26/08/22

Keywords

Cyber Security
Incident Response
Metamodeling
Model-based Design
Playbooks
Process Models

Access to Document

10.1145/3538969.3538976

Cite this

@inproceedings{1fa097248286423c8962097b68da6f5b,

title = "Model-Based Incident Response Playbooks",

abstract = "Inevitably, all systems are vulnerable, and none are impervious to attack. Incident response is an important element in maintaining the cyber security posture of organizations. Incident response practitioners often rely on process descriptions in the form of playbooks as recipes for handling incidents as they occur. However, current practices and mechanisms do not offer a disciplined approach to designing and representing playbooks, risking the effectiveness of the playbooks in directing and coordinating incident response. In this paper, we propose a formal, model-based design approach to designing cyber security incident response playbooks. We provide a tool prototype for the approach, developed using the Eclipse framework, and demonstrate how it can accommodate playbooks. Finally, we discuss how the approach can improve aspects of incident response throughout its lifecycle, by correctly prescribing and coordinating response actions as well as supporting organizational learning.",

keywords = "Cyber Security, Incident Response, Metamodeling, Model-based Design, Playbooks, Process Models",

author = "Avi Shaked and Yulia Cherdantseva and Pete Burnap",

note = "Publisher Copyright: {\textcopyright} 2022 ACM.; 17th International Conference on Availability, Reliability and Security, ARES 2022 ; Conference date: 23-08-2022 Through 26-08-2022",

year = "2022",

month = aug,

day = "23",

doi = "10.1145/3538969.3538976",

language = "אנגלית",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

booktitle = "Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022",

}

Shaked, A, Cherdantseva, Y & Burnap, P 2022, Model-Based Incident Response Playbooks. in Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022., 26, ACM International Conference Proceeding Series, Association for Computing Machinery, 17th International Conference on Availability, Reliability and Security, ARES 2022, Vienna, Austria, 23/08/22. https://doi.org/10.1145/3538969.3538976

Model-Based Incident Response Playbooks. / Shaked, Avi; Cherdantseva, Yulia; Burnap, Pete.
Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022. Association for Computing Machinery, 2022. 26 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Model-Based Incident Response Playbooks

AU - Shaked, Avi

AU - Cherdantseva, Yulia

AU - Burnap, Pete

PY - 2022/8/23

Y1 - 2022/8/23

N2 - Inevitably, all systems are vulnerable, and none are impervious to attack. Incident response is an important element in maintaining the cyber security posture of organizations. Incident response practitioners often rely on process descriptions in the form of playbooks as recipes for handling incidents as they occur. However, current practices and mechanisms do not offer a disciplined approach to designing and representing playbooks, risking the effectiveness of the playbooks in directing and coordinating incident response. In this paper, we propose a formal, model-based design approach to designing cyber security incident response playbooks. We provide a tool prototype for the approach, developed using the Eclipse framework, and demonstrate how it can accommodate playbooks. Finally, we discuss how the approach can improve aspects of incident response throughout its lifecycle, by correctly prescribing and coordinating response actions as well as supporting organizational learning.

AB - Inevitably, all systems are vulnerable, and none are impervious to attack. Incident response is an important element in maintaining the cyber security posture of organizations. Incident response practitioners often rely on process descriptions in the form of playbooks as recipes for handling incidents as they occur. However, current practices and mechanisms do not offer a disciplined approach to designing and representing playbooks, risking the effectiveness of the playbooks in directing and coordinating incident response. In this paper, we propose a formal, model-based design approach to designing cyber security incident response playbooks. We provide a tool prototype for the approach, developed using the Eclipse framework, and demonstrate how it can accommodate playbooks. Finally, we discuss how the approach can improve aspects of incident response throughout its lifecycle, by correctly prescribing and coordinating response actions as well as supporting organizational learning.

KW - Cyber Security

KW - Incident Response

KW - Metamodeling

KW - Model-based Design

KW - Playbooks

KW - Process Models

UR - http://www.scopus.com/inward/record.url?scp=85137002034&partnerID=8YFLogxK

U2 - 10.1145/3538969.3538976

DO - 10.1145/3538969.3538976

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85137002034

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022

PB - Association for Computing Machinery

T2 - 17th International Conference on Availability, Reliability and Security, ARES 2022

Y2 - 23 August 2022 through 26 August 2022

ER -

Model-Based Incident Response Playbooks

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this