IBM has released what it calls Dynamic Playbooks for remediating ransomware. They are aimed at helping organisations respond effectively when they become the victim of this type of attack, enabling them to react to an attack in real time to limit its impact and start the recovery process.
John Bruce, CEO and Co-Founder of Resilient, an IBM Company, said: “Fast-moving, sophisticated threats like ransomware require new and actively adaptive response methods. Resilient’s Dynamic Playbooks set another new standard for agility, intelligence, and sophistication in the battle to respond to and recover from today’s complex cyber threats. Ransomware is just one example of the cyberattacks facing companies today, but its growing rate of prevalence is threatening businesses like never before. This technology arms companies with a response approach that manages the intensity of the problem.”
What do Dynamic Playbooks do?
Dynamic Playbooks are part of the Resilient Incident Response Platform. They provide IT security teams with a workflow that adapts to an incident as it unfolds, by gathering information about it in real time. IBM claims that Dynamic Playbooks support integration with: “more than 100 other systems that may be present in a typical security environment, providing Resilient clients with a seamless, centralized incident response hub.”
There is no list of what those systems might be. It is likely to include threat intelligence feeds and directory data on user roles and permissions. These two data sources respectively provide Indicators of Compromise (IoC) and a view of the risk posed by a particular compromised user. Once gathered, the data is fed directly into the Dynamic Playbook for that incident, and there is an audited record of what data was imported and how it changed the Playbook. That record is needed for the post-mortem evaluation of an incident.
The press release lists three key features of the Dynamic Playbooks:
- Agile: Resilient’s Dynamic Playbooks continually react to changes by leveraging rules and scripts that implement business logic and enriching incidents as they progress.
- Intelligent: By leveraging information from other connected systems, Dynamic Playbooks make rules-based decisions to take actions – such as increasing priority or involving other parts of the organization, such as legal. By the time an analyst opens an incident, many repetitive, initial triage steps have already been completed.
- Sophisticated: Dynamic Playbooks keep business rules separate from workflows, eliminating the need for a proliferation of static playbooks with only slight variations, and keeping management overhead to a minimum.
Remediating a cyber security attack is complex. Identifying an attack in progress is not simple, and even after an attack has been spotted there is a need to establish whether it is part of a bigger campaign. This is where IoCs are important. Directing IT staff to check for and block the IP addresses of Command & Control (C&C) servers will limit an attack. It will also help spot other machines that are already talking to the same C&C infrastructure and are therefore likely to be compromised too.
There are other actions the Playbook can recommend. These include suspending a potentially compromised user account, or blocking network access for a particular user so that an attack cannot spread. Alongside this sit the legal requirements on who must be informed and how.
All of this is a significant challenge for enterprises that come under cyber attack today. While IBM has focused on ransomware for this announcement, the approach can be applied to any attack. Security teams will welcome any solution that speeds up the effective remediation of an attack.
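The ideas in the feature list and the two paragraphs above (enrichment from threat intelligence and identity data, an audited record of what was imported, business rules kept separate from the workflow, IoC-driven hunting for other machines talking to C&C servers, and automatic tasks such as suspending an account or involving legal) can be shown in a few dozen lines. The following is an added illustration written for this article, not Resilient's code or API; the threat-intelligence feed, user roles, asset tags, log lines and rule names are all constructed for the example.

```python
"""Added example: a minimal dynamic-playbook engine (not Resilient's code).

Data below is constructed for the example. The C&C addresses use
TEST-NET ranges and the campaign label is invented.
"""
import re
from dataclasses import dataclass, field

PRIORITY = ["low", "medium", "high", "critical"]

THREAT_INTEL = {  # constructed feed: C&C IP -> campaign label
    "203.0.113.7": "RansomCampaign-A",
    "198.51.100.22": "RansomCampaign-A",
}
USER_ROLES = {"jsmith": {"domain-admin"}, "bwong": {"finance-user"}}  # constructed directory data
ASSET_TAGS = {"FS-02": {"regulated-data"}}                              # constructed asset inventory
PRIVILEGED_ROLES = {"domain-admin", "enterprise-admin"}
LOG_LINES = [  # constructed proxy/firewall records
    "2024-05-01T10:01:02Z host=WS-101 user=bwong dst=203.0.113.7 dport=443 action=allow",
    "2024-05-01T10:02:10Z host=WS-117 user=jsmith dst=93.184.216.34 dport=443 action=allow",
    "2024-05-01T10:03:45Z host=FS-02 user=svc-backup dst=198.51.100.22 dport=8443 action=allow",
]
LOG_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+)")


@dataclass
class Incident:
    victim_host: str
    victim_user: str
    iocs: set = field(default_factory=set)            # seed indicators from the initial alert
    priority: str = "medium"
    campaign: str = ""
    affected_hosts: set = field(default_factory=set)
    tasks: list = field(default_factory=list)
    audit: list = field(default_factory=list)         # what was imported and what it changed

    def record(self, source, item, effect):
        self.audit.append({"source": source, "item": item, "effect": effect})

    def raise_priority(self, level):
        if PRIORITY.index(level) > PRIORITY.index(self.priority):
            self.record("rule", level, f"priority {self.priority} -> {level}")
            self.priority = level


# Enrichment steps pull data from external systems and log every change they make.
def enrich_threat_intel(inc):
    """Map seed IoCs to a campaign and pull in the campaign's other C&C addresses."""
    for ip in list(inc.iocs):
        campaign = THREAT_INTEL.get(ip)
        if campaign:
            inc.campaign = campaign
            related = {i for i, c in THREAT_INTEL.items() if c == campaign}
            inc.record("threat_intel", ip, f"campaign={campaign}, added {sorted(related - inc.iocs)}")
            inc.iocs |= related


def hunt_logs(inc, log_lines=LOG_LINES):
    """Find other machines that have contacted any of the incident's C&C addresses."""
    inc.affected_hosts.add(inc.victim_host)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["dst"] in inc.iocs and m["host"] not in inc.affected_hosts:
            inc.affected_hosts.add(m["host"])
            inc.record("proxy_logs", line, f"host {m['host']} contacted IoC {m['dst']}")


# Business rules are a table of (name, condition, action), kept apart from the workflow
# so that one playbook serves many incidents instead of one static playbook per variant.
def _block_c2(inc):
    inc.raise_priority("high")
    inc.tasks.append(f"Block C&C IPs at perimeter: {sorted(inc.iocs)}")


def _suspend_account(inc):
    inc.raise_priority("critical")
    inc.tasks.append(f"Suspend account {inc.victim_user}")


def _isolate_spread(inc):
    inc.tasks.extend(f"Isolate host {h}" for h in sorted(inc.affected_hosts - {inc.victim_host}))


def _notify_legal(inc):
    inc.tasks.append("Notify legal: assess breach-notification obligations")


RULES = [
    ("known-campaign", lambda i: bool(i.campaign), _block_c2),
    ("privileged-victim", lambda i: bool(USER_ROLES.get(i.victim_user, set()) & PRIVILEGED_ROLES), _suspend_account),
    ("lateral-spread", lambda i: bool(i.affected_hosts - {i.victim_host}), _isolate_spread),
    ("regulated-data", lambda i: any("regulated-data" in ASSET_TAGS.get(h, set()) for h in i.affected_hosts), _notify_legal),
]


def apply_rules(inc):
    for name, cond, act in RULES:
        if cond(inc):
            act(inc)
            inc.record("rule", name, "fired")


WORKFLOW = [enrich_threat_intel, hunt_logs, apply_rules]


def run_playbook(inc):
    """Run the fixed workflow; the rules table decides what actually happens."""
    for step in WORKFLOW:
        step(inc)
    return inc


if __name__ == "__main__":
    inc = run_playbook(Incident("WS-101", "bwong", {"203.0.113.7"}))
    print(inc.priority, inc.tasks, sep="\n")
    for entry in inc.audit:
        print(entry)
```

Running it on the constructed alert for WS-101 turns one C&C address into the campaign's full address list, finds FS-02 talking to the same infrastructure in the proxy logs, raises the priority, and queues the block, isolate and legal-notification tasks, while the audit list shows which imported record caused each change. The same engine run on a domain-admin victim with an unknown destination fires only the account-suspension rule, which is the point of keeping the rules separate from the workflow.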