Automated Incident Response: Streamlining Your SecOps

Grant Oviatt
July 2, 2024

We’ve arrived at a point where it’s unreasonable to expect security operations to be entirely human powered. IT infrastructure is sprawling with the prevalence of SaaS apps and public cloud usage, ransomware is being deployed within days, not weeks, of a vulnerability being exploited, and security devices continue to expand their telemetry, which as a side effect inundates analysts with alert data.

Large language models (LLMs) like GPT-4 have been posited as a potential solution to the manual effort (we believe there’s merit there as well), but AI isn’t going to magically solve all of your problems.

This blog focuses on what you can be doing today to incorporate a more automated approach to incident response in your environment. We’ll also interject where we think LLMs can be used today or in the future to accelerate the process.

Everyone’s incident response process, security tools, and ability/willingness to code vary dramatically, so we’re illustrating high-level concepts that may require some massaging for your specific environment.

What is Automated Incident Response?

Plainly, it’s going from threat identification to eradication and remediation with as few humans in the loop as possible. This fits into three primary buckets of activity:

  1. Detection - How do you identify when an activity is suspicious enough to warrant further inspection?
  2. Investigation - How do you take an initial lead (alert) and identify whether it’s benign or malicious behavior?
  3. Remediation - How do you contain the threat and “stop the bleeding” in your environment?

Automating Detection

Generally there are two types of activities that teams want to automate:

  1. Generate detection content
  2. Tune existing detections

In recent years, generating detection content has surprisingly become less of an ask from security teams. Native security tools generally come with their own out-of-the-box rules covering a broad set of use cases, typically organized around MITRE ATT&CK. While reasonable coverage of MITRE ATT&CK tactics is a great place to start, if you’re looking for additional rule coverage, LLMs are quite good at building rule content given a guided prompt, which we discussed in a previous blog.

Tuning is generally the greater challenge. The sheer number of out-of-the-box rules from different security products creates more signal than security teams can handle. We’ve discussed how to build a strong process to address tuning, and with some clever scripting and periodic automation, there’s no reason you couldn’t automate this process.
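As an added illustration (not code from the original post), here is the kind of periodic script that process boils down to: it reads alerts analysts have already closed, finds rules whose false-positive rate is out of bounds, and proposes the single process value that explains most of the noise as a candidate exclusion. The alert records, rule names and paths are constructed sample data.

```python
from collections import Counter, defaultdict


def _mk(rule, disposition, process, n):
    """Build n identical closed-alert records (constructed sample data)."""
    return [{"rule": rule, "disposition": disposition, "process": process}
            for _ in range(n)]


# Constructed sample of alerts an analyst already closed, with the analyst
# verdict and the process that fired each one. Not real telemetry.
CLOSED_ALERTS = (
    _mk("Encoded PowerShell Command", "false_positive", r"C:\Program Files\Backup\agent.exe", 5)
    + _mk("Encoded PowerShell Command", "true_positive", r"C:\Users\Public\x.exe", 1)
    + _mk("LSASS Memory Access", "false_positive", r"C:\Program Files\EDR\sensor.exe", 2)
    + _mk("LSASS Memory Access", "true_positive", r"C:\Windows\Temp\dump.exe", 3)
    + _mk("Rare Scheduled Task", "false_positive", r"C:\Windows\System32\svchost.exe", 3)
)


def tuning_candidates(alerts, min_alerts=5, fp_ratio=0.8, exclusion_share=0.6):
    """Return rules with at least min_alerts closures whose false-positive rate
    is >= fp_ratio. If one process accounts for >= exclusion_share of those
    false positives it is suggested as a concrete exclusion for review; rules
    with too few closures are skipped so one noisy day does not drive tuning."""
    by_rule = defaultdict(list)
    for alert in alerts:
        by_rule[alert["rule"]].append(alert)
    candidates = []
    for rule, items in by_rule.items():
        if len(items) < min_alerts:
            continue
        fps = [a for a in items if a["disposition"] == "false_positive"]
        rate = len(fps) / len(items)
        if rate < fp_ratio:
            continue
        value, count = Counter(a["process"] for a in fps).most_common(1)[0]
        suggestion = value if count / len(fps) >= exclusion_share else None
        candidates.append({"rule": rule, "alerts": len(items),
                           "fp_rate": round(rate, 2),
                           "suggested_exclusion": suggestion})
    return sorted(candidates, key=lambda c: c["fp_rate"], reverse=True)
```

Schedule it against the last 30 days of closed alerts and route the output to a detection engineer rather than applying exclusions blindly; the suggested exclusion is a starting point, not a verdict.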

Automating Investigation

This may be the hardest of the bunch to automate successfully. There’s no shortage of workflow and Security Orchestration, Automation, and Response (SOAR) tools you may have in your toolbelt to help with this problem, but there are some challenges.

  • SOAR tools require a good amount of heavy lifting from your team to get started, whether that’s dragging and dropping workflows into place or writing code to transform data into an investigative format that makes sense.
  • There is so much variation when it comes to investigation that building static workflows for most alert types might leave you with an enriched alert, but without definitive answers.

We believe building investigations and dynamic plans is one of the areas that LLMs will help with most in the future, but today, focus on enriching your alert as much as possible to reduce the cycles it takes for your team to interpret what’s happening.

  • Enrich IPs with infrastructure metadata, including reputation scores and whether they are a known Tor node, proxy, or hosting provider.
  • For alerts relating to identities, try to pull in some historical context programmatically (how often does this user log in from this location? Does an EDR agent exist on this IP address?) so that analysts can differentiate between routine activity and what may actually be happening in the investigation.
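The two enrichment steps above, carried out together on a suspicious-login alert, as an added example that is not part of the original post. The IP intelligence table, EDR inventory and sign-in history are constructed stand-ins for the sources a SOAR playbook would query (an IP intelligence feed, the EDR console, the identity provider), and the field names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the sources a SOAR playbook would query: an IP
# intelligence lookup, the EDR asset inventory, and identity-provider sign-in
# history. None of this is real data.
IP_INTEL = {
    "203.0.113.7": {"asn_type": "tor_exit", "reputation": 90},
    "198.51.100.20": {"asn_type": "hosting", "reputation": 40},
    "192.0.2.10": {"asn_type": "isp", "reputation": 5},
}
EDR_HOSTS_BY_IP = {"192.0.2.10": "WS-FINANCE-04"}
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def _logins(user, ip, days_ago):
    return [{"user": user, "ip": ip, "ts": NOW - timedelta(days=d)} for d in days_ago]


# Seven routine logins from the managed workstation plus one old login from a
# hosting provider that falls outside the 30-day lookback window.
LOGIN_HISTORY = (_logins("alice", "192.0.2.10", [1, 2, 3, 5, 8, 13, 21])
                 + _logins("alice", "198.51.100.20", [40]))
ALERT_TOR = {"user": "alice", "source_ip": "203.0.113.7", "ts": NOW}
ALERT_KNOWN = {"user": "alice", "source_ip": "192.0.2.10", "ts": NOW}


def enrich_identity_alert(alert, lookback_days=30):
    """Attach IP metadata, EDR presence and the user's recent login pattern,
    plus short risk flags an analyst can read at a glance."""
    ip = alert["source_ip"]
    intel = IP_INTEL.get(ip, {"asn_type": "unknown", "reputation": None})
    cutoff = alert["ts"] - timedelta(days=lookback_days)
    recent = [l for l in LOGIN_HISTORY
              if l["user"] == alert["user"] and l["ts"] >= cutoff]
    from_this_ip = sum(1 for l in recent if l["ip"] == ip)
    flags = []
    if intel["asn_type"] in ("tor_exit", "proxy", "hosting"):
        flags.append(f"source is {intel['asn_type']} infrastructure")
    if ip not in EDR_HOSTS_BY_IP:
        flags.append("no EDR agent on source IP")
    if from_this_ip == 0:
        flags.append("first login from this IP in lookback window")
    enriched = dict(alert)
    enriched["enrichment"] = {
        "ip_asn_type": intel["asn_type"], "ip_reputation": intel["reputation"],
        "edr_host": EDR_HOSTS_BY_IP.get(ip), "logins_in_window": len(recent),
        "logins_from_this_ip": from_this_ip, "risk_flags": flags,
    }
    return enriched
```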

Ultimately, you won’t be fully hands off with an off-the-shelf approach to investigation, but you may significantly reduce the effort of manual data collection.

Automating Remediation

Seconds matter when it comes to active threat activity, so building playbooks that automatically contain assets, block process execution or IP traffic, and ban malicious binaries identified across the environment is a solid win. At a minimum, have simple scripts that can be used in your SOAR platform or manually executed by analysts in the event that malicious activity is identified. Generally you’ll want to use API calls against your security stack to perform the following base actions:

  1. Revoke sessions for a specific user identity
  2. Disable a user identity
  3. Contain an endpoint
  4. Kill a process
  5. Ban a binary by hash
  6. Block an IP

For extremely high confidence detections, you may want to automate a subset of these actions on detection triggers.
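An added example (not the post's own code) of how the six base actions and the confidence gate fit together in one playbook: the plan is built from whatever the alert carries, identities are disabled before sessions are revoked, protected hosts and break-glass accounts are never touched automatically, and only detections on a high-confidence list run unattended. The client is a constructed stand-in that records calls rather than an API from any real product, and the detection names, hostnames and account names are assumptions.

```python
HIGH_CONFIDENCE = {"ransomware_binary_execution", "credential_dumping"}
# Guard rails (constructed): assets and identities the playbook must never
# touch without a human, so a misfire cannot take down a domain controller.
NEVER_AUTO_CONTAIN = {"DC01", "DC02"}
BREAK_GLASS_ACCOUNTS = {"breakglass-admin"}


class RecordingClient:
    """Stand-in for the security-stack API client (constructed). It records
    each call instead of talking to an EDR, IdP or firewall, so the playbook
    runs offline; swap in real clients behind the same six methods."""
    def __init__(self):
        self.calls = []
    def _do(self, action, **kw):
        self.calls.append((action, kw))
        return True
    def revoke_sessions(self, user): return self._do("revoke_sessions", user=user)
    def disable_user(self, user): return self._do("disable_user", user=user)
    def contain_endpoint(self, host): return self._do("contain_endpoint", host=host)
    def kill_process(self, host, pid): return self._do("kill_process", host=host, pid=pid)
    def ban_hash(self, sha256): return self._do("ban_hash", sha256=sha256)
    def block_ip(self, ip): return self._do("block_ip", ip=ip)


def plan_remediation(alert):
    """Map alert fields to the base actions in a safe order: disable the
    identity before revoking sessions so it cannot simply sign back in, and
    contain the endpoint last so the other actions still reach it."""
    steps = []
    user, host = alert.get("user"), alert.get("host")
    if user and user not in BREAK_GLASS_ACCOUNTS:
        steps += [("disable_user", {"user": user}), ("revoke_sessions", {"user": user})]
    if host and alert.get("pid"):
        steps.append(("kill_process", {"host": host, "pid": alert["pid"]}))
    if alert.get("sha256"):
        steps.append(("ban_hash", {"sha256": alert["sha256"]}))
    if alert.get("remote_ip"):
        steps.append(("block_ip", {"ip": alert["remote_ip"]}))
    if host and host not in NEVER_AUTO_CONTAIN:
        steps.append(("contain_endpoint", {"host": host}))
    return steps


def execute(alert, client):
    """Run the plan unattended only for high-confidence detections; otherwise
    return it staged for an analyst to approve from the SOAR console."""
    steps = plan_remediation(alert)
    if alert["detection"] not in HIGH_CONFIDENCE:
        return {"mode": "staged", "steps": steps}
    results = [getattr(client, name)(**kw) for name, kw in steps]
    return {"mode": "auto", "steps": steps, "all_ok": all(results)}
```

Keep the high-confidence list short and reviewed, and log every automatic action with the alert id that triggered it so a misfire can be reversed quickly.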

Closing Thoughts

Unfortunately, teams are saddled with the responsibility of building automation prior to threat identification to manage inbound alert queues and respond fast enough to contain modern threats. Using native API integrations with your existing security tools and a good bit of elbow grease, you can reduce the amount of energy needed to manage detections, enrich alerts, and respond effectively to known threats. The challenge is that the need for automation is its own development cycle – with each alert requiring its own type of planning, integrations, and automation that put a different strain on your team.

At Prophet Security, we’re building a different security future for teams with our AI-powered, out-of-the-box automation for triage and investigation for any security alert (including custom rules), so your teams can respond effectively without the cycle of prep work. Try out Prophet Security today to streamline your security operations.
