AUTOMATING INCIDENT RESPONSE: SIT BACK AND RELAX, BOTS ARE TAKING OVER… presented at Black Hat EU 2016

by Elvis Hovor, Mohamed El-sharkawi

Summary: Our research focuses on illustrating the value of automating functions and processes within Incident Response. Traditional response capabilities are largely contingent upon highly skilled, specialized resources. Reducing such necessities and constraints through automation is a precursor to overcoming inefficiencies and speeding up response and operations center capabilities.
To prove out our research, we developed an approach that orchestrates cyber architectures and open-source IR tools. Taking into account the limited use of automation today, we measure and contrast capabilities in human-driven versus automated incident response processes. Specifically, our solution automatically confirms alerts/events (typically analyzed manually), correlates events likely associated with the same incident, and determines the scope and context of potential breaches.
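The three automated steps described above (confirm, correlate, scope) as an added illustration; this is example code written for this page, not the authors' tooling, and the alerts, indicator lists and asset criticality table are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed SIEM-style alerts (sample data, not real telemetry).
ALERTS = [
    {"id": 1, "ts": "2016-11-03T10:00:00", "host": "ws-17", "ioc": "198.51.100.7"},
    {"id": 2, "ts": "2016-11-03T10:04:00", "host": "ws-17", "ioc": "198.51.100.7"},
    {"id": 3, "ts": "2016-11-03T10:09:00", "host": "srv-db1", "ioc": "198.51.100.7"},
    {"id": 4, "ts": "2016-11-03T13:00:00", "host": "ws-42", "ioc": "203.0.113.9"},
    {"id": 5, "ts": "2016-11-03T10:20:00", "host": "ws-17", "ioc": "192.0.2.250"},
    {"id": 6, "ts": "2016-11-03T16:00:00", "host": "ws-42", "ioc": "198.51.100.7"},
]
# Constructed context a human analyst would otherwise look up by hand.
KNOWN_BAD = {"198.51.100.7"}            # threat-intel match
KNOWN_BENIGN = {"192.0.2.250"}          # allow-listed internal server
ASSET_CRITICALITY = {"ws-17": 1, "ws-42": 1, "srv-db1": 3}

def confirm(alert):
    """Step 1: auto-confirm or dismiss an alert using intel and allow-lists."""
    if alert["ioc"] in KNOWN_BENIGN:
        return "false_positive"
    return "confirmed" if alert["ioc"] in KNOWN_BAD else "needs_review"

def correlate(alerts, window=timedelta(minutes=30)):
    """Step 2: chain confirmed alerts sharing a host or indicator within a time window."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if confirm(a) != "confirmed":
            continue
        t = datetime.fromisoformat(a["ts"])
        for inc in incidents:
            linked = any(e["host"] == a["host"] or e["ioc"] == a["ioc"] for e in inc["events"])
            if linked and t - inc["last"] <= window:
                inc["events"].append(a)
                inc["last"] = t
                break
        else:
            incidents.append({"events": [a], "last": t})
    return incidents

def scope(incident):
    """Step 3: derive scope (hosts, indicators) and rank by the most critical asset hit."""
    hosts = sorted({e["host"] for e in incident["events"]})
    return {"hosts": hosts,
            "iocs": sorted({e["ioc"] for e in incident["events"]}),
            "alert_ids": sorted(e["id"] for e in incident["events"]),
            "severity": max(ASSET_CRITICALITY.get(h, 1) for h in hosts)}

def triage(alerts):
    """Run the pipeline and return incidents ordered for a human responder."""
    return sorted((scope(i) for i in correlate(alerts)), key=lambda s: -s["severity"])
```

Alert 5 is dismissed by the allow-list, alert 4 is left for review, alerts 1-3 chain into one incident that reaches the database server, and alert 6 starts a separate incident because it falls outside the correlation window.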
While our proposed automated capability may not comprehensively analyze every complex incident with the highest degree of accuracy, it abstracts and automates the processes and tasks that swamped analysts and responders typically consider mundane, and it further hunts across the network for threats associated with the incident. Machines and intelligence can't solve everything, while qualified human analysts don't scale. As such, IR teams are best served by automated generation and prioritization of analytics and insights (actionable by humans), as opposed to having responders work out how best to crunch data while attempting to mitigate an incident.
An automated IR capability is most suitable for Security Operations Center (SOC) teams that frequently encounter large volumes of security alerts, have (relatively mature) IR processes, seek to ask more questions of the data they receive, and want to adopt a more proactive detection, triage, and response capability.