SASP: A Semantic web-based Approach for management of Sharable cybersecurity Playbooks


Abstract

In incident management, response and recovery actions are designed to effectively mitigate ongoing or future cyberattacks. A security playbook consists of a pipeline of instructions to document necessary response and recovery actions to deal with a specific type of incident. Since many organisations lack the resources, expertise and know-how to handle incidents, sharing playbooks across organisations could significantly improve their response capabilities against cyberattacks. However, playbooks are often organisation specific and usually not machine-readable, sharable and interoperable. In this work, we propose a semantic web-based approach to capture the knowledge of incident response and recovery steps to support sharing of playbooks based on a standardised and common vocabulary. To further demonstrate our approach, we introduce SASP, a proof-of-concept tool based on Semantic MediaWiki for playbook management. In this paper, we describe the key requirements from incident handlers to share playbooks, SASP architecture design, and its core components and functionalities. We then discuss the results of our user-centric evaluation conducted on members of different Security Operation Centres and the further potential of the solution.
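To make concrete what "machine-readable, sharable and interoperable" means for a playbook expressed over a common vocabulary, the following is an added example written for this page; it is not SASP's code, ontology or data. It keeps two organisations' playbooks as subject/predicate/object triples, the way a semantic-web store would, and shows how an organisation-specific term (org B's "CryptoLocker" incident and "Quarantine" action) is resolved onto the shared vocabulary so both playbooks answer the same query. The vocabulary namespace, the `equivalentTo` predicate (standing in for owl:sameAs / skos:exactMatch), the two playbooks and all step text are constructed assumptions. The last function is the check a receiving SOC would want before importing a shared playbook: which terms have no path into the common vocabulary.

```python
from collections import defaultdict

PB = "https://example.org/vocab/playbook#"   # hypothetical shared vocabulary
ORG_A = "https://orgA.example/playbooks#"    # constructed organisation namespaces
ORG_B = "https://orgB.example/playbooks#"


def pb(term):
    """IRI of a term in the shared playbook vocabulary."""
    return PB + term


# Constructed sample triples (not SASP data). Org A uses the shared vocabulary
# directly; org B keeps its own incident and action names and publishes
# 'equivalentTo' triples that map them onto the shared terms.
TRIPLES = [
    (ORG_A + "ransomware-v1", pb("handles"), pb("Ransomware")),
    (ORG_A + "ransomware-v1", pb("hasStep"), ORG_A + "s1"),
    (ORG_A + "s1", pb("order"), 1),
    (ORG_A + "s1", pb("actionType"), pb("IsolateHost")),
    (ORG_A + "s1", pb("description"), "Disconnect the affected host from the network"),
    (ORG_A + "ransomware-v1", pb("hasStep"), ORG_A + "s2"),
    (ORG_A + "s2", pb("order"), 2),
    (ORG_A + "s2", pb("actionType"), pb("PreserveEvidence")),
    (ORG_A + "s2", pb("description"), "Capture memory and disk image before remediation"),
    (ORG_B + "crypto-locker", pb("handles"), ORG_B + "CryptoLocker"),
    (ORG_B + "CryptoLocker", pb("equivalentTo"), pb("Ransomware")),
    (ORG_B + "crypto-locker", pb("hasStep"), ORG_B + "step-a"),
    (ORG_B + "step-a", pb("order"), 1),
    (ORG_B + "step-a", pb("actionType"), ORG_B + "Quarantine"),
    (ORG_B + "Quarantine", pb("equivalentTo"), pb("IsolateHost")),
    (ORG_B + "step-a", pb("description"), "Move host to quarantine VLAN"),
    (ORG_B + "crypto-locker", pb("hasStep"), ORG_B + "step-b"),
    (ORG_B + "step-b", pb("order"), 2),
    (ORG_B + "step-b", pb("actionType"), ORG_B + "NotifyLegal"),   # no mapping published
    (ORG_B + "step-b", pb("description"), "Inform legal and data-protection officer"),
    (ORG_B + "crypto-locker", pb("hasStep"), ORG_B + "step-c"),
    (ORG_B + "step-c", pb("order"), 3),
    (ORG_B + "step-c", pb("actionType"), pb("RestoreFromBackup")),
    (ORG_B + "step-c", pb("description"), "Rebuild from last clean backup"),
]


def build_index(triples):
    """Index triples by (subject, predicate) -> [objects] for cheap lookups."""
    idx = defaultdict(list)
    for s, p, o in triples:
        idx[(s, p)].append(o)
    return idx


INDEX = build_index(TRIPLES)


def objects(s, p, idx=INDEX):
    return idx.get((s, p), [])


def canonical(term, idx=INDEX):
    """Follow equivalentTo links until a shared-vocabulary term is reached.
    Terms without a mapping are returned unchanged so callers can flag them."""
    seen = set()
    while not term.startswith(PB) and term not in seen:
        seen.add(term)                      # guards against mapping cycles
        mapped = objects(term, pb("equivalentTo"), idx)
        if not mapped:
            break
        term = mapped[0]
    return term


def playbooks_for(incident_type, idx=INDEX):
    """Playbooks from any organisation whose handled incident type
    canonicalises to the given shared term."""
    return sorted(
        s for (s, p), objs in idx.items()
        if p == pb("handles") and any(canonical(o, idx) == incident_type for o in objs)
    )


def steps(playbook, idx=INDEX):
    """Ordered (canonical action type, description) pairs for one playbook."""
    rows = []
    for step in objects(playbook, pb("hasStep"), idx):
        order = objects(step, pb("order"), idx)[0]
        action = canonical(objects(step, pb("actionType"), idx)[0], idx)
        desc = objects(step, pb("description"), idx)[0]
        rows.append((order, action, desc))
    return [(a, d) for _, a, d in sorted(rows)]


def unmapped_terms(idx=INDEX):
    """Incident or action terms with no path into the shared vocabulary:
    the interoperability check to run before accepting a shared playbook."""
    used = set()
    for (s, p), objs in idx.items():
        if p in (pb("handles"), pb("actionType")):
            used.update(objs)
    return {t for t in used if not canonical(t, idx).startswith(PB)}


if __name__ == "__main__":
    for playbook in playbooks_for(pb("Ransomware")):
        print(playbook)
        for action, desc in steps(playbook):
            print("  ", action.rsplit("#", 1)[-1], "-", desc)
    print("unmapped:", unmapped_terms())
```

Run stand-alone, the query for the shared `Ransomware` term returns both playbooks, org B's "Quarantine" step is reported as the shared `IsolateHost` action, and `NotifyLegal` is listed as unmapped because org B never declared what it corresponds to; a real store would use RDF/SPARQL and a published ontology for the same roles.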

Cite (APA)

Akbari Gurabi, M., Mandal, A., Popanda, J., Rapp, R., & Decker, S. (2022). SASP: A Semantic web-based Approach for management of Sharable cybersecurity Playbooks. In ACM International Conference Proceeding Series. Association for Computing Machinery. https://doi.org/10.1145/3538969.3544478
