CISA reveals federal government cybersecurity incident and vulnerability response playbooks


Continuing the U.S. government's measures to crack down on rising cybersecurity incidents and ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) released on Tuesday the federal government cybersecurity incident and vulnerability response playbooks. The playbooks are intended for federal civilian executive branch (FCEB) entities and focus on criteria for response and thresholds for coordination and reporting. They cover communications between FCEB entities and CISA, provide the connective coordination between incident and vulnerability response activities, and supply common definitions for key cybersecurity terms and aspects of the response process.

The incident response playbook can be used in those incidents that involve confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out. These would include incidents involving lateral movement, credential access, exfiltration of data, network intrusions involving more than one user or system, and compromised administrator accounts.

The playbook would not apply to activities that do not appear to have such major incident potential, such as ‘spills’ of classified information or other incidents that are believed to result from unintentional behavior only, or where users click on phishing emails but no compromise results. Nor does it apply to commodity malware on a single machine or lost hardware that, in either case, is not likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the U.S. or to the public confidence, civil liberties, or public health and safety of the American people.

The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident, as defined by the Office of Management and Budget (OMB), has been declared or not yet been reasonably ruled out. The Vulnerability Response Playbook applies to vulnerabilities being actively exploited in the wild. As required by U.S. President Joe Biden’s May Executive Order 14028, the director of the OMB will issue guidance on FCEB agency use of these playbooks, CISA added.

The Vulnerability Response Playbook applies to any vulnerability that is observed to be used by adversaries to gain unauthorized entry into computing resources. This playbook builds on CISA’s Binding Operational Directive 22-01 and standardizes the high-level process that should be followed when responding to these vulnerabilities that pose significant risk across the federal government, private and public sectors.

Earlier this month, CISA issued the Binding Operational Directive, which calls on federal agencies to mitigate actively exploited vulnerabilities on their networks and reduce the significant risk posed by known exploited vulnerabilities. The directive also establishes priorities for vulnerability management and provides an impetus for federal agencies to improve their vulnerability management practices.

Vulnerabilities in scope for the latest playbook are those actively exploited ‘in the wild,’ namely, any vulnerability that is observed to be used by adversaries to gain unauthorized entry into computing resources.

Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these two playbooks to strengthen cybersecurity response practices and operational procedures not only for the federal government but also for public and private sector entities. The playbooks contain checklists for incident response, incident response preparation, and vulnerability response that can be adapted to any organization to track necessary activities to completion.

The playbooks fall in line with Executive Order 14028, ‘Improving the Nation’s Cybersecurity,’ which sets out to provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting the FCEB networks. These playbooks provide FCEB agencies with a standard set of procedures that aims to help them identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks.

The guidelines provide a standardized response process for cybersecurity incidents and walk through the incident response phases defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2.5: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities.

CISA also lays down the process that FCEB agencies should follow in case of a confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out.

Incident response can be initiated by several types of events, including but not limited to: automated detection systems or sensor alerts; agency user reports; contractor or third-party service provider reports; internal or external organizational component incident reports; situational awareness updates; third-party reports of network activity to known compromised infrastructure, detection of malicious code, or loss of services; and analytics or hunt teams that identify potentially malicious or otherwise unauthorized activity.

“The playbooks we are releasing today are intended to improve and standardize the approaches used by federal agencies to identify, remediate, and recover from vulnerabilities and incidents affecting their systems,” Matt Hartman, deputy executive assistant director for cybersecurity at the CISA, said in a media statement. “We encourage our public and private sector partners to review the playbooks to take stock of their own vulnerability and incident response practices.”

Effective vulnerability response builds upon strong vulnerability management, so agencies should first ensure that sound vulnerability management practices are in place. Such practices include building and maintaining robust asset management that inventories agency-operated systems and networks, systems and networks that involve partnerships with other organizations, and systems and networks operated by others, including cloud, contractor, and service provider systems.

Agencies must also have a process in place to understand the relevance of vulnerabilities to their environment by tracking the operating systems and other applications on all systems, and by understanding how each system might be vulnerable and what impact a potential vulnerability would have on operations.
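The two preceding paragraphs describe the inputs a vulnerability response needs: an asset inventory that spans agency-operated, cloud and contractor systems, and a record of which operating systems and applications run on each. The following Python script, added here as an illustration and not code from CISA or the playbooks, cross-references a constructed inventory against constructed records shaped like Binding Operational Directive 22-01's known exploited vulnerabilities list. It reports which assets fall under a remediation due date, which are already overdue, and which cannot be assessed at all because the inventory does not track their software. All hostnames, vendor and product names, due dates and CVE identifiers are placeholders; the `fixedVersion` field is an assumption added to stand in for the affected-version information an analyst would take from the vendor advisory.

```python
"""Cross-reference an asset inventory against actively exploited vulnerabilities.

Constructed sample data throughout. The KEV-style field names (cveID,
vendorProject, product, dueDate) mirror the public CISA catalog; "fixedVersion"
is an assumed extra field, since the catalog itself names only vendor and product.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    operator: str                   # who runs it: agency, cloud, contractor, ...
    os: Optional[str]               # None means the inventory does not track it
    software: dict = field(default_factory=dict)   # product name -> installed version


# Constructed inventory spanning agency, cloud and contractor-operated systems.
INVENTORY = [
    Asset("hq-vpn-01", "agency", "ExampleOS 7", {"WebGateway": "2.1.3"}),
    Asset("hq-vpn-02", "agency", "ExampleOS 7", {"WebGateway": "3.0.0"}),
    Asset("saas-mail", "cloud", "ExampleOS 8", {"MailServer": "1.4"}),
    Asset("ctr-fileshare", "contractor", None, {}),   # untracked: cannot be assessed
]

# Constructed KEV-style records with placeholder CVE ids (not real CVEs).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-EXAMPLE1", "vendorProject": "ExampleVendor",
     "product": "WebGateway", "dueDate": "2021-11-17", "fixedVersion": "2.2.0"},
    {"cveID": "CVE-0000-EXAMPLE2", "vendorProject": "ExampleVendor",
     "product": "MailServer", "dueDate": "2022-05-03", "fixedVersion": "1.5"},
    {"cveID": "CVE-0000-EXAMPLE3", "vendorProject": "OtherVendor",
     "product": "Database", "dueDate": "2021-12-01", "fixedVersion": "9.1"},
]


def version_tuple(v):
    """'2.1.3' -> (2, 1, 3); non-numeric parts become 0 so comparisons stay total."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def assess(inventory, kev, today):
    """Return affected rows (asset, CVE, due date, overdue flag) sorted by due
    date, plus the hostnames that cannot be assessed for lack of inventory data.
    `today` may be a date or an ISO-8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    affected, unassessable = [], []
    for asset in inventory:
        if asset.os is None and not asset.software:
            unassessable.append(asset.hostname)     # relevance cannot be judged
            continue
        for entry in kev:
            installed = asset.software.get(entry["product"])
            if installed is None:
                continue                            # product not on this asset
            if version_tuple(installed) < version_tuple(entry["fixedVersion"]):
                due = date.fromisoformat(entry["dueDate"])
                affected.append({
                    "hostname": asset.hostname,
                    "operator": asset.operator,
                    "cveID": entry["cveID"],
                    "dueDate": due,
                    "overdue": today > due,
                })
    affected.sort(key=lambda r: (r["dueDate"], r["hostname"]))
    return {"affected": affected, "unassessable": unassessable}


if __name__ == "__main__":
    report = assess(INVENTORY, KEV_SAMPLE, "2021-11-20")
    for row in report["affected"]:
        state = "OVERDUE" if row["overdue"] else "open"
        print(f'{row["hostname"]:<14} {row["cveID"]:<20} due {row["dueDate"]} '
              f'[{state}] operator={row["operator"]}')
    for host in report["unassessable"]:
        print(f"{host:<14} no OS or software recorded; fix the inventory first")
```

Two design points matter for the playbook's purpose. Untracked assets are reported separately rather than silently treated as clean, because an inventory gap is itself a finding the vulnerability management process must close. The report also carries the operator of each asset, since a contractor- or cloud-operated system is remediated through a different owner than an agency-operated one.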

The cybersecurity incident and vulnerability response playbooks add to several other initiatives taken up by the U.S. government in recent months to raise cybersecurity requirements for protecting the assets and infrastructure of the critical infrastructure sector.

On Monday, the Department of Homeland Security (DHS) turned its focus towards improving federal cybersecurity talent with the launch of the Cybersecurity Talent Management System (CTMS). CTMS is intended to improve federal hiring practices and to work more aggressively at recruiting, developing, and retaining top cybersecurity professionals.

In August, the administration set up a voluntary industrial control systems (ICS) initiative and signed a national security memorandum to enhance security for critical infrastructure control systems. This was followed by CISA launching the Joint Cyber Defense Collaborative (JCDC) to lead the development of the nation’s cyber defense plans by working across the public and private sectors to help defend U.S. critical infrastructure.