Foreword

Over the past decade, Cisco’s Computer Security Incident Response Team (CSIRT) has participated in countless customer meetings where we sat down and explained how we had protected one of the most attacked and interconnected companies in the world. As we reviewed the tools, people, and process for protecting large organizations, the “playbook” featured heavily. At the end of each one of these sessions, the group we were sharing with always asked, “Can I have a copy of this playbook?” We initially distributed some early sanitized versions—but soon it got too big, too company specific, and too full of things that were impossible to sanitize to share. Now, with this book, we can finally answer “yes, you can!”

When I started the Cisco CSIRT at the beginning of this century, I had always hoped we could do something that had more relevance than protecting one company. Cisco has benefited from the interconnectivity it has provided, and I felt we had a responsibility to use some of those resources to help protect the same people we had connected. More specifically, I wanted to help groups that may not be able to afford a large CSIRT. Cisco has been very supportive of the team’s efforts to share cybersecurity information and has provided resources and time to allow us to realize my hope.

At the time this book was written in 2014, the world witnessed a cataclysmic failure of cybersecurity efforts across the board, with large organizations seemingly hacked at will. Extremely damaging hacks to large retailers, entertainment companies, restaurant chains, and hundreds of others have ushered in the end of reliance on automated incident detection tools like security information and event management (SIEM) systems.

The Cisco CSIRT was at the forefront of the idea that people, not tools, were the answer to protecting organizations. This book details what some of the smartest people in this field have done to detect, identify, isolate, and mitigate cybersecurity threats. It started simply enough—if we had an incident that we didn’t detect, we would look and see if there was any commonality about the attack that we could detect with normally available detection tools (intrusion detection systems, packet capture, logs, etc.). If there was, we would string together a detection method, or “play,” to look for it. If the play was useful, we would keep it. If not, we would drop it. Then it would eventually be added to the daily work of our security operations center. So the body of work this book represents was baked in the crucible of ongoing attacks and response over a very busy decade.

I am more proud of the work that this team has done than anything else in my professional career. I am really excited they took the time and effort to share the work at this level and depth. The information provided here can be used as a baseline for both new and old teams facing similar challenges. I hope that sharing like this can signal another watershed in the history of cybersecurity—when the good guys started hitting back.
