Cyber threat intelligence enabled automated attack incident response

Title: Cyber threat intelligence enabled automated attack incident response
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Kaiser, Florian K., Andris, Leon J., Tennig, Tim F., Iser, Jonas M., Wiens, Marcus, Schultmann, Frank
Conference Name: 2022 3rd International Conference on Next Generation Computing Applications (NextComp)
Keywords: Adaptive systems, artificial immune systems, automated incident response, Companies, cyber security, cyber threat intelligence, Heuristic algorithms, Information security, Knowledge engineering, Prediction algorithms, pubcrawl, resilience, Resiliency, Scalability, Security Heuristics
Abstract: Cyber attacks keep states, companies and individuals at bay, draining precious resources including time, money, and reputation. Attackers thereby seem to have a first mover advantage, leading to a dynamic defender-attacker game. Automated approaches taking advantage of Cyber Threat Intelligence on past attacks bear the potential to empower security professionals and hence increase cyber security. Consistently, there has been a lot of research on automated approaches in cyber risk management, including works on predictive attack algorithms and threat hunting. Combining data on countermeasures from "MITRE Detection, Denial, and Disruption Framework Empowering Network Defense" and adversarial data from "MITRE Adversarial Tactics, Techniques and Common Knowledge", this work aims at developing methods that enable highly precise and efficient automatic incident response. We introduce Attack Incident Responder, a methodology working with simple heuristics to find the most efficient sets of countermeasures for hypothesized attacks. By doing so, the work contributes to narrowing the attackers' first mover advantage. Experimental results show promising high average precisions in predicting effective defenses when using the methodology. In addition, we compare the proposed defense measures against a static set of defensive techniques offering robust security against observed attacks. Furthermore, we combine the approach of automated incident response with an approach for threat hunting, enabling full automation of security operation centers. By this means, we define a threshold in the precision of attack hypothesis generation that must be met for predictive defense algorithms to outperform the baseline. The calculated threshold can be used to evaluate attack hypothesis generation algorithms. The presented methodology for automated incident response may be a valuable support for information security professionals. Last, the work elaborates on the combination of static base defense with adaptive incident response for generating a bio-inspired artificial immune system for computerized networks.
DOI: 10.1109/NextComp55567.2022.9932254
Citation Key: kaiser_cyber_2022