Automated Incident Response: Streamlining Your SecOps

We’ve arrived at a point where it’s unreasonable for security operations centers (SOCS) to be entirely human-powered. IT infrastructure is sprawling with the prevalence of SaaS apps and public cloud usage. Security incidents are more common than ever; ransomware is being deployed within days, not weeks, of vulnerability exploitation, and cybersecurity devices continue to expand their telemetry—and, as a side effect, inundate analysts with loads of alert data, which can result in alert fatigue.

Large language models (LLMs) like GPT4 have been posited as a potential solution to manual efforts (we believe there’s merit there as well), but artificial intelligence (AI) isn’t going to magically solve all of your problems.

This blog focuses on what you can do today to incorporate a more automated approach to incident response and incident management in your environment. We’ll also interject where we think machine learning and LLMs can be used today or in the future to accelerate the process.

Everyone’s incident response process, security tools, and ability/willingness to code vary dramatically when addressing these issues, so we’re illustrating high-level concepts that may require some massaging for your specific environment.

What is Automated Incident Response?

Plainly, incident response automation involves going from threat or cyber attack identification to eradication and remediation with as few humans in the loop as possible. This fits into three (3) primary buckets of activity:

1. Incident Detection - How do you identify when an activity is suspicious enough to warrant further inspection?
2. Investigation - How do you take an initial lead (alert) and identify whether it’s benign or malicious behavior?
3. Remediation - How do you contain the threat and “stop the bleeding” in your environment?

Automating Detection

Generally there are two types of activities that teams want to automate:

1. Generate detection content
2. Tune existing detections

In recent years, generated detection content has been surprisingly less of an ask from security teams. Generally, native security tools come with their own rules that are out of the box and cover a broader set of use cases that are typically MITRE ATT&CK focused. While having reasonable coverage of MITRE ATT&CK tactics is a great place to start, if you’re looking for additional rule coverage, LLMs are quite good at building rule content given a guided prompt, which we discussed in a previous blog.

Tuning is generally the greater challenge. So many out-of-the-box rules from different security products create too much of a signal for security teams to handle. We’ve discussed how to build a strong process to address tuning, and with some clever scripting and periodic automation, there’s no reason you can’t automate this process.

Automating Investigation

This may be the hardest of the bunch to automate successfully. There’s no shortage of workflow, Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools you may have in your tool belt to help with this problem, but there are some challenges.

• SOAR tools require a good amount of heavy lifting from your team to get started. Whether that’s dragging and dropping workflows into place or writing some code to transform data into an investigative format that makes sense.
• There is so much variation when it comes to investigation that building static workflows for most alert types might leave you with an enriched alert, but without definitive answers.
• SIEMs lack deep contextual awareness, limiting their ability to fully automate accurate investigations.

We believe building investigations and dynamic plans is one of the areas that LLMs will help with most in the future, but today, focus on enriching your alert with as much threat intelligence and contextual data as possible to minimize false positives and reduce the cycles it takes for your team to interpret what’s happening.

• Enrich IPs with infrastructure metadata including reputation scores, or if they are a known TOR node, proxy, or hosting provider. 
• For alerts relating to identities, try to pull in some historical context programmatically (how often do they login from this location? Is there an endpoint detection and response agent that exists on this IP address?) so that users can differentiate between legitimate standard activity and what may be happening in the investigation.

Ultimately, you won’t be hands-off with an off-the-shelf approach to investigation, but you may significantly reduce the effort of manual data collection for incident responders and, hence, improve your response capabilities.

Automating Remediation

Seconds matter when it comes to active threat activity, like active malware or security breaches, and real-time mitigation is essential. This means that building incident response playbooks that automatically contain assets, block process execution or IP traffic, and ban malicious binaries identified across the environment are solid wins.

1. Revoke sessions for a specific user identity
2. Disable a user identity
3. Contain an endpoint
4. Kill a process
5. Ban a binary by hash
6. Block an IP

For extremely high-confidence detections, you may want to automate a subset of these response actions on detection triggers to create an automated response strategy.

Closing Thoughts

Unfortunately, teams are saddled with the responsibility of building automation prior to threat identification to manage inbound alert notification queues and respond fast enough to contain modern cyber threats. Using native API integrations with your existing security tools and a good bit of elbow grease, you can reduce the amount of energy needed to manage detections, enrich alerts, and respond effectively to known threats. Ultimately, this will reduce response times and accelerate threat remediation.

The challenge is that incident response automation requires its own development cycle, with each alert requiring its own type of planning, integrations, and automation that puts a different strain on your team. Creating an automated incident response plan is no mean feat.

At Prophet Security, we’re building a different security future for teams with our AI-powered, out-of-the-box automation for alert triage and investigation for any security alert (including custom detections), so your teams can respond effectively without the cycle of prep work. Try out Prophet Security today to streamline your security operations.

Further Reading

• SOC metrics that matter
• What is MFA fatigue attack?
• Investigating geo-impossible travel alert
• Top 3 scenarios for auto remediation
• Key SOC tools every security operations needs
• Demystifying SOC automation
• Alert triage and investigation in cybersecurity: best practices
• SOC challenges for analysts and managers
• Alert tuning best practices: keys to reducing false positives
• How to investigate Okta alerts
• AI SOC: Key to solving persistent challenges
• AI SOC Analyst: A comprehensive guide
• Will AI replace cybersecurity jobs?