CISA Issues Incident and Vulnerability Response Playbooks
Guides Are Part of Biden's May Executive Order on Cybersecurity Resilience
The U.S. Cybersecurity and Infrastructure Security Agency this week issued playbooks for incident and vulnerability response, providing federal civilian agencies with a standard set of procedures to both respond to incidents and address vulnerabilities on government networks.
CISA's incident response steps apply to incidents involving confirmed malicious cyber activity, while its vulnerability playbook applies to vulnerabilities being actively exploited by adversaries, the agency said in a statement, adding that the guides are meant to "standardize" the high-level processes agencies follow.
The 43-page document builds on CISA's Binding Operational Directive 22-01, issued this month, in which federal civilian agencies were required to patch some 200 vulnerabilities known to be exploited in the wild - including short deadlines for urgent common vulnerabilities and exposures, or CVEs, and others requiring mitigation by May 2022 (see: CISA Directs Federal Agencies to Patch Known Vulnerabilities).
CISA's playbook also addresses requirements laid out in President Joe Biden's May executive order on cybersecurity - which calls for a widespread technological modernization across the federal government, including efforts to implement multifactor authentication and zero trust architectures (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
Private Sector Adoption Encouraged
Though directed toward federal agencies, CISA said in its statement that it "strongly encourages" private sector partners to review the playbooks.
"The playbooks are intended to improve and standardize the approaches used by federal agencies to identify, remediate and recover from vulnerabilities and incidents affecting their systems," said Matt Hartman, deputy executive assistant director for cybersecurity at CISA.
"This important step, set in motion by President Biden's Cyber Executive Order, will enable more comprehensive analysis and mitigation of vulnerabilities and incidents across the civilian enterprise. We encourage our public and private sector partners to review the playbooks to take stock of their own vulnerability and incident response practices," Hartman says.
'Actionable, Prescriptive Information'
"These guides are just perfect, really well done [by CISA] - comprehensive [and] nothing to nitpick at," says Roger Grimes, a data-driven defense evangelist for the security firm KnowBe4. "You can tell it was authored and reviewed by people who were really in the trenches actively fighting malicious hackers and malware.
"It's not just the traditional statements from some inexperienced governmental bureaucrat. It is actionable, prescriptive information that anyone, or any organization, could and should use."
Still, according to Rosa Smothers, a former Central Intelligence Agency threat analyst and technical intelligence officer who is also with the firm KnowBe4, there is more work to be done at CISA.
"The EO cites 'prevention' multiple times, but they have not yet addressed the vast attack surface that is the entire employee population. I hope to see CISA issue additional playbooks in the near future [more] focused on preventative measures."
Grimes, however, praises CISA's aggressive output of late, noting: "They are turning out a ton of useful information. … It is not only recommendations, but new requirements and working behind the scenes at the national level … to improve cybersecurity defenses for everyone."
Understanding the Guide
CISA's guides include checklists for incident response, incident response preparation, and vulnerability response. They also clearly delineate interagency cybersecurity functions, outline CISA's role as the main response agency, and urge agencies to readily share information.
For instance, the guide reads: "For major incidents or incidents that may become major, CISA is the 'front door' for agencies for asset response. CISA will work with affected FCEB [federal civilian executive branch] agencies to determine their needs, provide recommendations for services, and coordinate with other agencies (e.g., NSA) to provide a whole-of-government response.
"By serving as a single coordination point, CISA can ease the burden on FCEB agencies by facilitating the assistance available across the government."
Incident Response Steps
On the incident response side, CISA urges agencies to "prepare for major incidents before they occur," and says this can be done by documenting and understanding policies and procedures, instrumenting the environment to detect malicious activity, establishing staffing plans, educating users and leveraging threat intelligence.
Once an incident is under way, CISA lays out a sequence of steps, including:
- Declare incident: Designate an agency lead and notify CISA.
- Identify the type and extent: Assess operational or informational impact.
- Collect and preserve data: Perform technical analysis to identify what the adversary was attempting to access.
- Correlate events: Establish a timeline by analyzing logs, and identify anomalous activity, including deviations from baseline.
- Identify root cause and enabling conditions: Collect threat information, document conditions, identify attack vector and assess all compromised systems.
- Review threat intelligence: Analyze adversary tools and share information with internal teams and CISA.
- Analyze for TTPs: Identify access techniques, command and control, persistence mechanisms, lateral movement, level of credential access and/or privilege escalation, or method used for exfiltration.
- Determine appropriate containment strategy: This includes system backups, coordinating with law enforcement agencies, isolating systems, closing ports, changing admin passwords, blocking unauthorized access, monitoring response, etc.
- Execute eradication plan: Consider alternative attack vectors, file incident status reports, remove incident artifacts, reimage systems, rebuild hardware and scan for malware.
- Recovery: Reset passwords, implement MFA, install updates and patches, tighten perimeter security, test systems and review threat intelligence.
- Post-incident: Document properly; inform agency leadership; adjust sensors, alerts and log collection; and monitor for persistence.
- Finalize reports: Provide updates required by law and policy.
- Perform hotwash: Conduct lessons learned analysis and identify success of IR processes or areas in need of modification.
CISA's playbook also offers a high-level process that agencies should follow when responding to urgent and high-priority vulnerabilities.
Mitigation steps include the following:
- Preparation: Inventory systems, plus those operated by contractors and cloud and service providers.
- Identification: Monitor CISA resources, NIST's vulnerability database and SOC feeds.
- Evaluation: Determine criticality of a vulnerability in the environment, sweep for known IOCs, investigate anomalous activity and begin incident response processes if exploited.
- Remediate exploited vulnerabilities: Limit access, isolate systems and make configuration changes.
- Where patches do not exist: Disable services, reconfigure firewalls and increase monitoring.
- Monitor status: Track remediation progress until every affected system has been fixed.
- Reporting and notification: Share information on the exploitation.
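The identification and evaluation steps above come down to matching an asset inventory (including contractor- and cloud-operated systems) against the catalog of known exploited vulnerabilities and ordering the work by deadline and exposure. The script below is an added example, not CISA's code or part of the playbook; it uses a constructed catalog excerpt laid out in the same fields as CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, requiredAction, dueDate) with placeholder CVE IDs, a constructed inventory that assumes a scanner has already reported CVEs per host, and an assumed reference date.

```python
import json
from datetime import datetime

# Constructed excerpt in the field layout of the KEV JSON feed. The IDs,
# products and due dates are placeholders for illustration, not real entries.
KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
     "product": "EdgeVPN", "dateAdded": "2021-11-03",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleVendor",
     "product": "MailServer", "dateAdded": "2021-11-03",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-05-03"},
    {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "OtherVendor",
     "product": "Directory", "dateAdded": "2021-11-03",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-11-17"}
  ]
}
"""

# Constructed inventory: what a CMDB plus a vulnerability scanner would give
# you, including systems run by contractors and cloud providers (the
# preparation step). "cves" is assumed to come from the scanner.
INVENTORY = [
    {"host": "vpn-01", "operator": "agency", "internet_exposed": True,
     "cves": ["CVE-EXAMPLE-0001", "CVE-NOTKEV-0009"]},
    {"host": "mail-02", "operator": "cloud-provider", "internet_exposed": True,
     "cves": ["CVE-EXAMPLE-0002"]},
    {"host": "dc-03", "operator": "contractor", "internet_exposed": False,
     "cves": ["CVE-EXAMPLE-0003", "CVE-EXAMPLE-0002"]},
    {"host": "build-04", "operator": "agency", "internet_exposed": False,
     "cves": ["CVE-NOTKEV-0010"]},
]


def load_kev(text):
    """Index catalog entries by CVE ID and parse dueDate into a date."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        entry = dict(entry)
        entry["dueDate"] = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        catalog[entry["cveID"]] = entry
    return catalog


def triage(inventory, catalog, today):
    """One finding per (host, known-exploited CVE) pair, most urgent first."""
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not known-exploited: left to the normal patch cadence
            findings.append({
                "host": asset["host"],
                "operator": asset["operator"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "overdue": today > entry["dueDate"],
                "internet_exposed": asset["internet_exposed"],
                "action": entry["requiredAction"],
            })
    # Overdue first, then earliest deadline, then internet-facing before internal.
    findings.sort(key=lambda f: (not f["overdue"], f["due"],
                                 not f["internet_exposed"], f["host"]))
    return findings


def overdue_hosts(findings):
    """Unique hosts carrying at least one KEV CVE past its due date."""
    return sorted({f["host"] for f in findings if f["overdue"]})


def example_findings(today_iso="2021-12-01"):
    """Run the triage over the constructed data for an assumed reference date."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    return triage(INVENTORY, load_kev(KEV_JSON), today)


if __name__ == "__main__":
    for f in example_findings():
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"].isoformat()
        print(f'{flag:15} {f["host"]:8} {f["cve"]:18} {f["product"]} [{f["operator"]}]')
```

The ordering is the point: a directory server run by a contractor with an overdue deadline outranks an internet-facing mail server whose deadline is months away, and hosts with no catalog entries drop out of the list entirely so that the team sees only the work the directive actually requires. Swapping the constructed strings for the live feed and real scanner output is all that changes for a real environment; the overdue set is what feeds the reporting step.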