Employing LLMs for Incident Response Planning and Review
Sam Hays, Jules White
TL;DR
The paper addresses the difficulty of creating and maintaining Incident Response Plans (IRPs) and SOPs amid complex environments and staff turnover. It proposes using Large Language Models (LLMs) to draft, review, and refine IRPs, with human oversight to ensure accuracy. The authors integrate the SMART framework, NIST 800-61 Rev. 2 guidance, and version-control concepts to structure AI-assisted planning. They illustrate practical patterns, including prompt design, goal-setting, context, and continuous improvement through post-mortems. The work offers a pragmatic path for organizations to boost incident readiness while highlighting limitations and governance needs.
Abstract
Incident Response Planning (IRP) is essential for effective cybersecurity management, requiring detailed documentation (or playbooks) to guide security personnel during incidents. Yet creating comprehensive IRPs is often hindered by challenges such as complex systems, high staff turnover, and legacy technologies that lack documentation. This paper argues that, despite these obstacles, the development, review, and refinement of IRPs can be significantly enhanced by using Large Language Models (LLMs) such as ChatGPT. By leveraging LLMs for tasks such as drafting initial plans, suggesting best practices, and identifying documentation gaps, organizations can overcome resource constraints and improve their readiness for cybersecurity incidents. We discuss the potential of LLMs to streamline IRP processes, while also considering their limitations and the need for human oversight to ensure the accuracy and relevance of generated content. Our findings contribute to the cybersecurity field by demonstrating a novel approach to enhancing IRP with AI technologies, offering practical insights for organizations seeking to bolster their incident response capabilities.
