Open-Source Innovation: Cybersecurity Playbook Management Tool


As cyberattacks evolve and become more complex, defenders require advanced tools for effective incident response. In the H2020 project CyberSEAS, the Fraunhofer Institute for Applied Information Technology FIT developed a prototype for a cybersecurity playbook management system, SASP for short, that provides a robust framework for creating, maintaining, and sharing standardized incident response procedures. The pilot validation indicates how the system can be integrated into current cybersecurity processes and help achieve compliance with the latest security recommendations and directives. The pilot code is now open source, and you are invited to have a look at the tool.

In today’s continuously evolving digital landscape, enhancing cybersecurity practices is more critical than ever. Companies need to be on the lookout and be ready to adapt their cybersecurity measures quickly. Official recommendations, such as the BSI IT-Grundschutz or the NIST Incident Response Life Cycle, or imminent regulations, such as the EU's Network and Information Security Directive (NIS2), increasingly shape organizations’ handling of cybersecurity threats. NIS2 in particular emphasizes the importance of inter-organizational exchange regarding cyber incidents. This trend goes along with standardization efforts for security-related information. For example, cybersecurity playbooks already play a crucial role within organizations, as they document how to prevent and react to cyber incidents. However, their non-standardized in-house maintenance creates additional hurdles for the necessary adaptivity and required exchanges. Standardization efforts have started to tackle these issues, e.g., the OASIS Foundation is developing the Collaborative Automated Course of Action Operations (CACAO) standard for the design and sharing of cybersecurity playbooks. Still, the transition toward compliance with recommendations and regulations cannot be accomplished overnight.

This is where the SASP tool is meant to help: SASP is a playbook management tool that offers a structured and practical approach to collaborative incident response and enables standardized reporting procedures for cyber incidents. In this way, SASP can reduce the effort required to implement the information exchange with national Computer Emergency Response Teams (CERTs) that is mandated by NIS2. As such, SASP can offer a cooperative environment for a cross-European increase in cyber resilience.

The SASP playbook management tool is designed for creating, maintaining, sharing, visualizing, and exporting cybersecurity playbooks. It features a user interface for creating playbooks, visualizing them in Business Process Model and Notation (BPMN), exporting them in JSON format, and sharing them with other organizations or CERTs. By supporting the OASIS CACAO playbook format, we ensure playbooks are machine-readable and standardized. During the piloting phase, various methods for playbook management and sharing were utilized to establish standardized procedures for handling well-known attack scenarios, emphasizing governance aligned with NIS2 requirements.

At this point, Fraunhofer FIT is happy to release its SASP pilot as open source to foster community engagement and collaborative improvement. You can find SASP's source code on GitHub: https://github.com/Fraunhofer-FIT-DSAI/SASP

For further information about the CyberSEAS project, please visit the project website: https://cyberseas.eu. More about Fraunhofer FIT’s research on enhancing the resilience of critical infrastructure against emerging cyber threats is available at https://www.fit.fraunhofer.de.

Funding note: The CyberSEAS project has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement 101020560.
Regions: Europe, Germany
Keywords: Science, Energy, Applied science, Computing, Business, Knowledge transfer
