Incident response playbook in flux as services, tools arrive

Gunnar Assmy - Fotolia


How automating incident response benefits security programs

Automating incident response can benefit security both in the cloud and in traditional settings. Expert Dave Shackleford explains what it can be used for and how it helps.

Despite the increase in breaches and security incidents in the headlines today, many incident response teams are...

understaffed or struggling to find the right skill sets to get the work done.

As such, many enterprise incident response teams actively look for opportunities to automate processes that take up too much time for highly skilled analysts. These processes often require a lot of repetition and provide little value in investigations. Common activities that many teams consider automating include the following:

  • Identifying and correlating alerts. Many analysts spend inordinate amounts of time wading through repetitive alerts and alarms from many log and event sources and then spend time piecing together correlation strategies for similar events. While this is valuable for the later stages of investigations, it can also be highly repetitive and can be automated to some degree.
  • Identifying and suppressing false positives. This can be tedious work on a good day and overwhelming on a bad one. Identifying false positives can be streamlined or automated using modern event management and incident response automation tools.
  • Initial investigation and threat hunting. Analysts need to quickly find evidence of a compromised system or unusual activity, and they often need to do so at scale.
  • Opening and updating incident tickets/cases. Due to improved integration with ticketing systems, event management and monitoring tools used by response teams can generate tickets to the right team members and update these as evidence comes in.
  • Producing reports and metrics. Once evidence has been collected and cases are underway or resolved, generating reports and metrics can take a lot of analysts' time.

Incident response automation use cases

Automating incident response can enable organizations to rapidly respond to and mitigate security threats. Consider implementing one or more of the following use cases to improve incident response:

  • automated DNS lookups of domain names never seen before and driven by proxy and DNS logs;
  • automated searches for detected indicators of compromise;
  • automated forensic imaging of disk and memory from a suspect system driven by alerts triggered in network and host-based antimalware platforms and tools; and
  • network access controls automatically blocking outbound command-and-control channels from a suspected system.

Incident response automation can also help in forensic evidence gathering, threat hunting and even automated quarantine or remediation activities on suspect systems.

Vendors in automated incident response

Endpoint security vendors are emphasizing response automation activities and integration with detection, response and forensics capabilities. Analysts need to quickly identify indicators of compromise and perform lookup actions across other systems, as automating as much of this as possible is a common goal today.

There are a fair number of vendors and tools that can help integrate automation activities and unify disparate tools and platforms used for detection and response. These include Swimlane, FireEye Security Orchestrator, Fortinet CyberSponse, Splunk Phantom, IBM Resilient Security Orchestration, Automation and Response Platform and more. Most of these use APIs with other platforms and tools to enable them to share data and create streamlined response workflows.

Things to consider when evaluating these products include maturity of the vendor, integration partners and alignment with SIEM, as well as ease of use and implementation.

Automated incident response in the cloud

Incident response in the cloud may rely on scripting, automation and continuous monitoring more heavily than in-house incident response. Currently, many cloud detection and response tools are heavily geared toward automation capabilities.

Many tools tend to be written to work with a specific provider's APIs. For example, Teri Radichel wrote a paper on AWS automated incident response and released a simple toolkit to help with it as well. The ThreatResponse toolkit developed by Andrew Krug, Alex McCormack, Joel Ferrier and Jeff Parr can also be used when automating incident response collection, forensics and reporting for cloud environments in AWS. In other instances, incident response teams will need to build automated triggers for event types that run all the time -- such as Amazon CloudWatch filters -- especially as the environment gets more dynamic.

Cloud incident response automation use cases

The massive scale processing capability of security analytics automation has many potential implications on incident response. In a mature enterprise security operations center, analysts tend to spend the most time on a range of activities. Here is how cloud-based automation technology can help:

  • Alert identification and correlation. With large-scale cloud analytics in use, security alert identification can be automated to yield better and faster results than with in-house platforms.
  • False positive identification and suppression. New machine learning capabilities layered within cloud analytics processing can aid in reducing false positives over time.
  • Initial investigation and triage. With automation through cloud-native and third-party services, events can immediately trigger predefined analysis workflows that assess workloads, validate event information and more.
  • Ticket generation and updates. Automating ticket creation and updates can easily be handled by incident response automation tied to cloud processing and triggered automation sequences. However, ticketing systems must be integrated with the cloud environments in question.
  • Report generation. Tools create many reports automatically, while others will be assembled after manual investigative steps. Cloud event analytics and automation can aid with automated report generation as needed.

Deciding what triggers to implement and what actions to take is the most time-consuming aspect of building a semiautomated or automated response framework in the cloud. Do you focus on user actions? Specific events generated by instances or storage objects? Failure events? Spending time learning about cloud environment behaviors and working to better understand normal patterns of use may be invaluable here.

None of these tools or methods will replace skilled, knowledgeable security analysts who understand the environment and how to properly react during an incident scenario. However, unless security practitioners start detecting and responding more quickly, it will be impossible to get ahead of the attackers of today and tomorrow.

This was last published in June 2020

Dig Deeper on Security operations and management