Cyber Security Playbooks

Over time the WA SOC is establishing a set of playbooks, primarily focused on incident response that are suitable for cyber security teams with operational processes aligned to the CISA Cybersecurity Incident and Vulnerability Response Playbooks (508C) and the MITRE 11 Strategies of a World-Class Cybersecurity Operations Center.

1. Triage & Investigation

Under Review, see Sentinel Triage AssistanT (STAT) as an approach to standardise and automate common triage actions.

2. Incident Response

In the absence of an internal procedure the CERT Societe Generale IRM-2022 (Incident Response Methodologies 2022) are a good starting point covering the below common scenarios:

1. Worm Infection (pdf)
2. Windows Intrusion (pdf)
3. Unix, Linux Intrusion Detection (pdf)
4. Distributed Denial Of Service - DDOS (pdf)
5. Malicious Network Behaviour (pdf)
6. Website Defacement (pdf)
7. Windows Malware Detection (pdf)
8. Blackmail (pdf)
9. Smartphone Malware (pdf)
10. Social Engineering (pdf)
11. Information Leakage (pdf)
12. Insider Abuse (pdf)
13. Customer Phishing (pdf)
14. Scam (pdf)
15. Trademark infringement (pdf)
16. Phishing (pdf)
17. Ransomware (pdf)
18. Large scale compromise (pdf)

3. Vulnerability Response

Under Review, refer to Technical Example: Patch Operating Systems and Technical Example: Patch Applications for good approaches to automating baseline vulnerability management.

4. Threat Hunting

Under Review, Jupyter Notebooks are effective, and easily query datalake type repositories, see Use a Jupyter Notebook and kqlmagic extension to analyze data in Azure Data Explorer.

5. Digital Forensics

Under Review, see Collecting Evidence and Dissect (modern forensics tooling) to augment SIEM activities with in depth captures as needed.