The Use of Playbooks in Vulnerability Management

Today, most organizations face an asymmetric and uncertain scenario that challenges the most elaborate perspectives and strategies. Moreover, adversaries take advantage of the volatilities of cyber risks in an environment where digital density reveals previously non-existent possibilities. Thus, it is necessary to update the organizational “toolbox” to face the new unstable rules of the environment. Here, key uncertainties, playbooks, and dynamic risk management become basic references to specify the appetite for risk necessary to embark on navigating the deep waters of the digital context.

Organizations are rapidly shifting from their transition between analog and digital to a world of cyber-physical convergence. What was initially known and stable, such as information technology risk, has been transformed into the understanding of a cyber risk, which has a liquid form, moving and vanishing between the “hands”.

Nothing is more volatile than the unknown or emerging relationships that arise between the participants of a business ecosystem. In this context, adversaries know that companies take risks (some calculated, others not so much), and many times they are not prepared to face the impacts that can be generated when one of them materializes.

Thus, it is necessary to update the current “toolbox” for the known risks of information technology and to meet the uncertainties of pursuing trends, appropriating them, and transforming them into novel proposals that change the status quo of your own industry. In this sense, it is not enough to follow the standards and good practices in security and control to account for the instabilities. It is necessary to “surf” and “navigate” amid the volatilities to specify new paths that lead to the transformation of the company and its own objectives.

Using Playbooks

In the current digital environment, it is evident that it is not feasible to anticipate the different bets and strategies of possible adversaries. Neither the cybersecurity analyst nor the aggressor has clear and precise knowledge of reality, so each one must “make their moves” to tip the balance to their own side.

While traditional security and control analysts play with “open cards” based on reading standards and good practices, opponents “use cards from the deck of possibilities”, which generally exceed the known practices of professionals. 

In this context, it is necessary to go from the exercise of prevention, protection, and assurance, to the challenge of defense, anticipation, and deterrence. Here, nothing is written. There are no effective movements, just plays that each of the participants executes to gain an advantage at a given moment.

Developing a business-level playbook is understanding the dynamics of the organization in the face of events that stress the security and control model to be able to move in unstable conditions that challenge its incident response procedures. Moreover, it is using a business’s creative ability to change and create greater uncertainty on its attacker’s game board. 

Playbooks are not static documents or steps to follow in a unique way to face the challenges of the adversary. They are possible frames of action that prepare the organization to move in a coordinated way and block the attacker’s attempts to create uncertainty and feelings of “no control”.

[Figure: A simple example of a playbook]

In this way, when an organization has a playbook (or a set of playbooks) that is properly defined, communicated, and practiced, it has an operational and strategic advantage. The company will be able to move with the events and translate the uncertainty generated by the attacker’s bets into coordinated action contexts, which reverse the tendency of the “error” towards the opponent’s field. Then, it will be the adversary who will have to deal with an unexpected scenario, which can translate into oversights that end up revealing sensitive information that cracks the anonymity of the attacker.

Implications for Business Cybersecurity

Understanding the new dynamics of the current environment requires a transformation of the business function. The business needs to see itself as not just generating value for the client but as the entity enriched with the digital trust necessary to connect the client with the challenges, dynamics, and opportunities of a digitally dense world.

In this sense, clients must be informed and be part of the new business bets that allow the organization to navigate amid uncertain seas and storms not yet revealed. In this environment, both individuals and business conglomerates are protagonists and participants who need to overcome turbulence zones. This means connecting people’s expectations with dynamic risk management, playbooks, and key uncertainties, as it is jointly possible to “surf” the instabilities proposed by a highly interconnected scenario.

Then, business cybersecurity (an organization’s capacity to defend against and anticipate digital threats and protect and ensure the resilience of the operations and the reputation of the company) becomes the new frontier of modern corporations. Business security goes beyond the known practices in security and control to connect with the dynamics of cyber risks.

Thus, it is necessary to break the technical and disciplinary paradigm that has been permeating business cybersecurity bets today. It is necessary to plant and cultivate a new seed that understands cyber risks as business risks that impact the organization in an interdisciplinary way.

This allows businesses to design unprecedented experiences for their clients with the clarity of a mutual agreement of imperfect digital trust. The inevitability of failure is a natural fact that does not divide or distance but rather connects and strengthens.

When it is possible to design such a cybersecurity posture, it is possible to inconvenience the adversary and their plans. The greater the connection between the different participants in the ecosystem, the greater the situational awareness and the level of foresight in the face of key uncertainties, and the less space adversaries will have to pose their challenges through their movements and actions.

Final Thoughts

When organizations recognize that they are moving in deep waters, they know that they have opted for a certain risk appetite. Therefore, they must assume that they will have moments of good winds where they will achieve partial victories and storm zones where the results will not be as expected. In any case, it all depends on the navigation that plots the course in the middle of a territory that changes as fast as the currents of the sea.

This metaphor illustrates how companies today must be willing to create learning windows. For this, it is imperative to specify psychologically safe areas where collaborators can venture to propose alternatives and different, openly divergent points of view, which should be read as opportunities to see new spaces for collaboration and construction to understand the territory.

Denying this opportunity is expanding the opponent’s territory where they will take advantage of fear and uncertainty to affect employee morale and degrade their ability to read the organization’s environment.

In this scenario, business cybersecurity must identify key uncertainties as a source of information that nourishes the decisions of the governing body to update its risk appetite. It must prepare and update the playbooks that allow accepting risks intelligently.