An Update on Security Playbook Standardization

An Update on Security Playbook Standardization

A year ago, we supported creating a technical committee within the Organization for the Advancement of Structured Information Standards (OASIS) to work on defining a standard way for documenting security playbooks that are both human-understandable and machine-executable. Today we have published our first committee specification, getting closer to having a standard approved and released. This blog post will give you a status update about the CACAO Security Playbooks standards-track work.

Security playbooks document processes and procedures for cybersecurity and can be used to guide and speed up security operations, ensure organizational policy and regulatory framework compliance, or purely drive automation functions. Thus, security playbooks can be derived in both human-understandable and machine-executable formats. Today, defining security playbooks is based on proprietary templating approaches that prevent programmatic cross-utilization and sharing, and make it hard for users to compare generic playbooks and understand which offer the best models to leverage.

The Collaborative Automated Course of Action Operations (CACAO) Security Playbooks is a standards-track work that defines a playbook schema and taxonomy for the purpose of standardizing the way we create, document, and share security playbooks.

CACAO playbooks are ad-hoc components to threat information sharing approaches and provide the knowledge required and the methodology to detect or respond to cyber-attacks faster. Defenders utilizing security orchestration, automation, and response technologies (SOAR) can benefit from shared playbooks that can programmatically be translated or natively consumed by their tool.

A CACAO playbook is a workflow for security orchestration containing a set of steps to perform based on a logical process and may be triggered by an automated or manual event or observation. In other words, playbooks are the driving force of integrated defense, allowing systems, subsystems, and human agents to operate synergistically using automation for the purpose of executing a course of action. At a high-level, playbooks are defined modularly by combining a set of workflow steps that utilize logic to control the commands to be executed or performed, a set of commands to execute or perform, and targets that accept, receive, process, or execute the commands.

CACAO defines two classes of playbooks.

  • Executable: an executable playbook is intended to be immediately actionable in an organization’s security infrastructure without requiring modifying or updating the workflow and commands.
  • Template: a playbook template provides reference actions related to a particular security incident, malware, vulnerability, or other security operation. A template playbook will not be immediately executable by a receiving organization.

CACAO defines the following playbook types.

  • Notification playbook: a notification playbook primarily focuses on the orchestration steps required to notify and disseminate information and other playbooks about a security event, incident, or other threat. For example, a notification playbook can be used to notify multiple entities about an attack and disseminate other playbooks to detect and mitigate it as quickly as possible.
  • Detection playbook: a detection playbook primarily focuses on the orchestration steps to detect a known security event, detect other known or expected security-relevant activity, or for threat hunting.
  • Investigation playbook: an investigation playbook primarily focuses on the orchestration steps required to investigate what a security event, incident, or other security-relevant activity has caused. Investigation playbooks will likely inform other subsequent actions upon completion of the investigation.
  • Prevention playbook: a prevention playbook primarily focuses on the orchestration steps required to prevent a known or expected security event, incident, or threat from occurring. Prevention playbooks are often designed and deployed as part of best practices to safeguard organizations from known and perceived threats and behaviors associated with suspicious activity.
  • Mitigation playbook: a mitigation playbook primarily focuses on the orchestration steps required to mitigate a security event or incident that has occurred when remediation is not initially possible. Mitigation playbooks are designed to reduce or limit the impact of suspicious or confirmed malicious activity. For example, a mitigation playbook can be used to quarantine affected users, devices, or applications from the network temporarily to prevent additional problems. Mitigation usually precedes remediation, after which the mitigation actions are reversed.
  • Remediation playbook: a remediation playbook primarily focuses on the orchestration steps required to remediate, resolve, or fix the resultant state of a security event or incident, and return the system, device, or network back to a nominal operating state. Remediation playbooks can fix affected assets by selectively correcting problems due to malicious activity by reverting the system or network to a known good state.
  • Attack playbook: an attack playbook primarily focuses on the orchestration steps required to execute a penetration test or attack simulation to test or verify security controls or identify vulnerabilities within an organization’s environment.

If you are interested to learn more about the CACAO Security Playbooks visit:

(By Vasileios Mavroeidis, Digital Security Group – University of Oslo (UiO))