The 10 playbooks in this kit cover NIST IR phases 2–7 (Detection & Analysis through PIR / Improvement). Phase 1 — Preparation — is a program activity, not an incident-time activity. If the prerequisites below are not in place, the playbooks will not run as designed: they assume you can engage Counsel within minutes, snapshot a host before isolating it, push a WAF rule under approval, and page the right approver for a Tier-0 isolation. If those capabilities don't exist yet, put them in place first.

| Prerequisite | Why this matters at incident time | Used in |
|---|---|---|
| External Counsel retainer (active, named, 24/7) | Counsel must contract External DFIR. Engaging DFIR before Counsel forfeits privilege over forensic findings. Privilege survives only if Counsel is the contracting party — set up before you need them. | pb-01, pb-05, pb-06, pb-07, pb-10 |
| External DFIR retainer (under Counsel) | 24/7 incident response capacity. Pre-negotiated SoW. Sample-handling chain-of-custody pre-agreed. Contract executed via Counsel. | all |
| Cyber-insurance policy + broker contact | Notification SLAs (typically 24–72 h). Pre-approval requirement for ransom-payment decision. Insurer-approved DFIR + counsel panels. CFO + GC named as notification owners. | pb-01, pb-08, pb-10 |
| Approver register (named individuals + delegates) | Each approval gate names an approver. Roster covers nights, weekends, holidays. Delegate matrix in place. Includes: CISO, CIO, COO, CRO, CFO, GC, Head of HR, Treasury head, Banking-secrecy officer, MLRO, DPO, Customer Service head, Network Operations head, AppSec lead, Platform owner, Vendor Management head, Board / BRC chair. | all |
| CMT (Crisis Management Team) constitution + activation | Pre-defined activation criteria (Tier-0 compromise, customer-impact breach, ransom demand). Pre-rehearsed CMT membership. Decision authorities documented. | pb-01, pb-06, pb-08 |
| Sanctions / OFAC screening service | Pre-integrated screening API for ransom-counterparty wallet attribution. Manual fallback procedure documented. Sanctions Compliance Officer named. | pb-01, pb-08 |

| Prerequisite | Why this matters at incident time | Used in |
|---|---|---|
| EDR coverage on all production endpoints + servers | Behavioural detection · process-tree query · network-isolation API · memory snapshot. EDR is the baseline for every endpoint / server playbook. | pb-01, pb-03, pb-05 |
| SIEM with 90+ days hot retention | Lateral-movement hunts go back to the suspected dwell-time start. 30-day retention misses most APT dwell windows. AD audit + Kerberos events ingested. CloudTrail / Activity logs for cloud accounts. | all |
| Sandbox / detonation infrastructure | Hash + URL detonation. Family classification. Secondary-payload extraction. Sandbox-evasion detection. Without a sandbox, the family-classification step gates to manual analysis (slow). | pb-01, pb-02, pb-03 |
| DLP + egress monitoring | Classification-rule trigger. DNS / HTTP / TLS metadata anomaly. SaaS audit-log alerts. Cloud-storage public-bucket detection. Without DLP, exfil detection depends on customer / regulator report — too late. | pb-07 |
| UEBA on identity + data-access | Insider-threat anomaly detection. Off-hours / impossible-travel signals. Mass-download triggers. Drives the insider sub-track of pb-07. | pb-04, pb-07 |
| WAF + rate-limit infrastructure | Virtual-patching ability for web-app exploits. Rate-limit per endpoint. Geo-block capability. Without WAF, web-app containment depends on code deploy (hours-to-days). Bot-management for DDoS. | pb-04, pb-08, pb-09 |
| Web-shell scanner on webroots | Scheduled signature-based scan of webroot directories. Mtime-anomaly flagging. Without a web-shell scanner, web-shell discovery is reactive (after lateral movement). | pb-05, pb-09 |
| SAST + DAST in CI + on production | Vuln-class regression after code fix. Same-vuln-class hunt across the codebase. Pre-deployment validation. Without these, code-fix verification is manual / delayed. | pb-09 |
| Threat-intelligence platform + STIX/TAXII outbound | Hash / IOC enrichment. Sector ISAC ingest + share. Sanitisation gate for outbound shares. Without a TI platform, IOC sharing is ad-hoc and slow. | all |
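
The web-shell scanner row above names two checks, a scheduled signature scan and mtime-anomaly flagging, without showing why both are needed. The script below is an added example written for this page, not tooling from the kit: it walks a webroot, flags any file modified after the last approved deployment, and content-scans server-side script files against a small signature set. The three signatures, the extension list and the sample webroot are constructed for illustration; a production scanner would use a curated, regularly updated rule set (YARA, for example). The sample deliberately includes a back-dated suspicious file (caught only by signature) and a clean file edited after deployment (caught only by mtime), so the run shows what each check contributes.

```python
"""Scheduled webroot scan: mtime anomaly + signature match (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Indicative signature set, constructed for this example. A production scanner
# ships a curated, regularly updated set; these three only illustrate the mechanism.
SIGNATURES = {
    "php-eval-decode": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "php-exec-from-request": re.compile(rb"(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST)"),
    "php-dynamic-call-from-request": re.compile(rb"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\("),
}

# Server-side script types worth content-scanning; everything else gets the mtime check only.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".ashx"}


def scan_webroot(webroot, last_deploy_epoch, signatures=SIGNATURES):
    """Return sorted (relative_path, [reasons]) for every file that looks anomalous.

    Two independent checks, because each catches what the other misses:
    - mtime-after-deploy: the file changed after the last approved deployment,
      which a webroot should not do outside a release (timestomping defeats this).
    - sig:<name>: the content matches a signature (timestomping does not help here).
    """
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        # one second of slop for filesystems with coarse timestamp resolution
        if path.stat().st_mtime > last_deploy_epoch + 1:
            reasons.append("mtime-after-deploy")
        if path.suffix.lower() in SCRIPT_EXTENSIONS:
            data = path.read_bytes()
            reasons.extend("sig:" + name for name, rx in signatures.items() if rx.search(data))
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Construct a throwaway webroot (sample data, not a real deployment).

    index.php          deployed file, mtime == deploy time          -> clean
    uploads/cache.php  dropped file, mtime back-dated to deploy     -> caught by signature only
    config.php         legitimate-looking edit after deploy         -> caught by mtime only
    """
    root = Path(tempfile.mkdtemp(prefix="webroot-sample-"))
    deploy_epoch = time.time() - 7 * 24 * 3600  # last release: one week ago

    index = root / "index.php"
    index.write_bytes(b"<?php echo 'hello'; ?>")
    os.utime(index, (deploy_epoch, deploy_epoch))

    dropped = root / "uploads" / "cache.php"
    dropped.parent.mkdir()
    dropped.write_bytes(b"<?php eval(base64_decode($_POST['x'])); ?>")  # constructed test sample
    os.utime(dropped, (deploy_epoch, deploy_epoch))  # back-dated: the mtime check alone misses it

    edited = root / "config.php"
    edited.write_bytes(b"<?php $debug = true; ?>")  # mtime is now, i.e. after deploy

    return root, deploy_epoch


if __name__ == "__main__":
    sample_root, sample_deploy_epoch = build_sample_webroot()
    for rel, reasons in scan_webroot(sample_root, sample_deploy_epoch):
        print(f"{rel}: {', '.join(reasons)}")
```

In a scheduled job the deployment timestamp comes from the release pipeline, not from the host being scanned, otherwise an attacker who can edit files can also edit the baseline. Findings feed the pb-05 / pb-09 intake rather than triggering deletion: the file is evidence until the host has been snapshotted.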
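
The "sanitisation gate for outbound shares" in the TI-platform row is the step that keeps an ISAC share from disclosing who the victim is. The following is an added example, not code from the kit or from any TI platform: it splits a list of indicators into shareable and withheld, holding back anything that describes the organisation rather than the adversary (RFC 1918 and link-local addresses, internal domain names, URLs pointing at internal hosts, the organisation's own mailboxes) and passing content hashes through. The indicator dicts borrow STIX 2 type names for readability but are not STIX objects; the gate would sit in front of the step that builds the bundle for TAXII publication. The internal domain suffixes, the `ORG_PUBLIC_NETS` placeholder and every sample value (documentation-range IPs, `.example` names, a dummy hash) are constructed assumptions.

```python
"""Outbound IOC sanitisation gate (added example, not the kit's code)."""
import ipaddress
from urllib.parse import urlsplit

# Scopes that must never leave the organisation: they describe our network, not the adversary.
NON_SHAREABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 equivalents
)]

# Assumed internal name space (constructed). A real deployment lists its own domains and
# its public egress prefixes here; both identify the victim to anyone reading the share.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example", ".internal")
ORG_PUBLIC_NETS = []  # e.g. [ipaddress.ip_network("<ORG-PUBLIC-PREFIX>")]  -- placeholder


def _internal_ip(ip, extra_nets=()):
    # `in` across IPv4/IPv6 versions is simply False, so mixing the lists is safe
    return any(ip in net for net in (*NON_SHAREABLE_NETS, *extra_nets))


def _internal_host(host, suffixes, extra_nets):
    host = host.lower().rstrip(".")
    try:
        return _internal_ip(ipaddress.ip_address(host), extra_nets)
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)


def withhold_reason(ioc, suffixes=INTERNAL_DOMAIN_SUFFIXES, extra_nets=ORG_PUBLIC_NETS):
    """Return None if the indicator may be shared, otherwise why it is held back."""
    kind, value = ioc["type"], ioc["value"]
    if kind in ("ipv4-addr", "ipv6-addr"):
        try:
            return "internal-or-own-address" if _internal_ip(ipaddress.ip_address(value), extra_nets) else None
        except ValueError:
            return "malformed-address"
    if kind == "domain-name":
        return "internal-name" if _internal_host(value, suffixes, extra_nets) else None
    if kind == "url":
        host = urlsplit(value).hostname
        if host is None:
            return "unparseable-url"
        return "internal-host-in-url" if _internal_host(host, suffixes, extra_nets) else None
    if kind == "email-addr":
        domain = value.rpartition("@")[2]
        return "own-mailbox" if _internal_host(domain, suffixes, extra_nets) else None
    if kind.startswith("file:hashes."):
        return None  # a content hash carries no victim context
    return "unknown-type"  # default deny: anything unclassified needs a human look


def sanitise_iocs(iocs, **policy):
    """Split indicators into (shareable, [(withheld_ioc, reason), ...])."""
    shareable, withheld = [], []
    for ioc in iocs:
        reason = withhold_reason(ioc, **policy)
        if reason is None:
            shareable.append(ioc)
        else:
            withheld.append((ioc, reason))
    return shareable, withheld


# Constructed sample: documentation-range addresses, reserved .example names, dummy hash.
SAMPLE_IOCS = [
    {"type": "file:hashes.SHA-256", "value": "0123456789abcdef" * 4},
    {"type": "ipv4-addr", "value": "203.0.113.5"},                 # external, shareable
    {"type": "ipv4-addr", "value": "10.20.30.40"},                 # internal pivot host
    {"type": "domain-name", "value": "cdn-update.example"},        # external, shareable
    {"type": "domain-name", "value": "dc01.corp.example"},         # our domain controller
    {"type": "url", "value": "http://203.0.113.5/update.bin"},
    {"type": "url", "value": "http://intranet.internal/share"},
    {"type": "email-addr", "value": "helpdesk@corp.example"},      # our targeted mailbox
    {"type": "email-addr", "value": "invoice@cdn-update.example"},
]

if __name__ == "__main__":
    ok, held = sanitise_iocs(SAMPLE_IOCS)
    print("shareable:", [i["value"] for i in ok])
    for ioc, why in held:
        print(f"withheld {ioc['value']!r}: {why}")
```

Default-deny on unknown indicator types is deliberate: a new object type added upstream should stall at the gate and be reviewed, not slip through. The withheld list is what the banking-secrecy officer reviews before release.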

| Prerequisite | Why this matters at incident time | Used in |
|---|---|---|
| Immutable backups with annual full-restore drill | Backup-replication pause API. Immutability attestation. Tier-0 backup admin tier separation. Annual full-restore drill of Core Banking. Without immutability, ransomware-encrypted backups are the most common path to forced ransom payment. | pb-01, pb-05, pb-06 |
| Tiered Administration (NSA model) | Tier-0 / Tier-1 / Tier-2 admin separation. Privileged Access Workstations (PAWs). Just-in-time admin via PIM / PAM. Phishing-resistant MFA on all admin accounts. AD audit logging at full detail. | pb-06 |
| Upstream DDoS-mitigation provider (contractually engaged) | Pre-negotiated capacity tier with emergency escalation. BGP route-announcement procedure tested. Activation criteria documented. Without a contracted upstream, P1 DDoS depends on ISP coordination (hours, not minutes). | pb-08 |
| Status-page system + comms templates | Pre-staged holding statements per affected service in BM + EN. CMS-style publishing under MARCOM control. Cadence schedule. Without templates, status-page silence past 30 min becomes a customer-trust event in itself. | pb-08 |
| SBOM coverage across all production software | Without an SBOM, supply-chain advisory response becomes a manual instance hunt — slow and incomplete. The SBOM is the foundation of the pb-10 supply-chain branch. | pb-10 |
| DR site + identity-tier isolation from prod AD | DR must not propagate AD compromise. Identity-recovery environment maintained separately. Without isolation, DR is contaminated by the same Tier-0 compromise. | pb-01, pb-06 |

| Prerequisite | Why this matters at incident time | Used in |
|---|---|---|
| Annual scenario tabletop per playbook | Each scenario rehearsed at least annually with the named approvers. Findings tracked. Approver roster validated under fatigue / off-hours conditions. Without rehearsal, the first time the gates fire is the real incident. | all |
| Regulator contact register (current) | Banking supervisor desk officer + back-up. National cyber regulator portal credentials. Data-protection authority notification template + portal. Card scheme contact + scheme rules version-pinned. SWIFT CSP team contact (if SWIFT in scope). PFI panel pre-engaged. | pb-01, pb-06, pb-07, pb-08 |
| Banking-secrecy compliance officer + decision tree | Named officer with authority to approve / block external sharing. Pre-disclosure decision tree documented. Disclosure register operational. Without this, the no-timeout banking-secrecy gate has no one to fire it. | pb-07 |
| HR + Legal joint-workflow procedure (insider sub-track) | Pre-agreed activation criteria. Equipment-seizure procedure documented. Privacy-respecting forensic scope rules. Disciplinary-process integration. Without a joint workflow, insider response defaults to either premature suspension (evidence destroyed) or under-action (evidence preserved but employment-law exposure). | pb-07 |
| Telco partner SIM-swap escalation channel | Contracted SIM-swap suspension + notification. Named telco liaison. SIM-swap event log obtainable on request (banking-secrecy assessment for cross-org sharing). | pb-04 |
| Vendor-management TPSP-to-IBS register | Each TPSP classified by tier (1 = critical, 2 = material, 3 = other) and mapped to the Important Business Services it supports. Concentration-risk register operational. Exit / step-out plans documented per Tier-1 TPSP and rehearsed annually. | pb-10 |