Do incident response plans include playbooks?

The primary industry standard for playbooks is the Integrated Adaptive Cyber Defense (IACD) Research group, out of Maryland (John Hopkins).

These can constitute any type of cybersecurity response, at the event, alert, notable, or incident level -- for indications and indicators. Playbooks could be part of a CIRT (and therefore IR/DFIR planning), but they could also be part of other structures, such as Cyber Threat Intelligence, Threat Hunting, Security Operations, Security Engineering, Red Teaming, Cybersecurity Analytics, Cyber-Risk Management, and potentially many other specialty areas.

Playbooks are conditions, indicators, and controls that drive the need for cybersecurity responses [as] captured [via] orchestration services [for monitoring and execution].

Playbooks are process-oriented and:

• Reflect an org's policies and procedures
• List activities that may require human interaction
• Made sharable from organization to organization

At the highest level of abstraction, playbooks are a set of process oriented steps that enable an organization to meet the requirements specified in their policies and procedures. They are a set of human understandable actions that document an organizational process performed in response to a cyber-event or other defined trigger condition. Playbooks are meant to be generic enough for broad applicability between organizations while detailed enough to meet specific situations. Playbooks may invoke other playbooks, operate either serially or in parallel, or initiate a workflow depending on the situation or conditions facing the system.