Dario Simone Leone
Remediation procedures and automated cybersecurity incident response.
Supervisors: Cataldo Basile, Francesco Settanni. Politecnico di Torino, Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica), 2025
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives. Download (1MB)
Abstract:

Digital transformation in recent years has fostered the adoption of interconnected technologies such as scalable cloud services, the pervasive Internet of Things, and artificial intelligence, altering the approach organizations take to their routine operations. While these advancements bring benefits, they also expand the attack surface, exposing organizations to more frequent and sophisticated cybersecurity threats. Attackers leverage emerging technologies to orchestrate targeted campaigns, highlighting the need for automated and standardized Incident Response processes. Despite efforts to improve automation, the diversity of attack types and environments, spanning traditional information technology, cloud platforms, and industrial control systems, makes one-size-fits-all solutions impractical. There is thus a growing need to abstract response procedures from specific technologies and encode them for interoperability, without constant manual adaptation. Standardized formats for representing incident response actions facilitate automation, integration, and the transformation of heterogeneous procedures into homogeneous playbooks. This enables teams to focus on strategic decision making while routine actions are handled automatically, reducing response times. This thesis presents a framework for procedural and automated remediation based on security playbooks, designed within the Security Orchestration, Automation, and Response (SOAR) paradigm. This approach also enables the subsequent sharing of remediation strategies, similarly to Cyber Threat Intelligence (CTI). The proposed tool maps alerts to corrective actions defined in structured playbooks and translates them into executable instances, preserving complex logical structures such as conditions, loops, and parallel actions.

A novelty of this work is the design and implementation of a security automation framework tailored for modern cloud-native environments, such as Kubernetes clusters, in addition to traditional on-premises infrastructure.

| Field | Value |
|---|---|
| Supervisors: | Cataldo Basile, Francesco Settanni |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 96 |
| Subjects: | |
| Degree programme: | Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering) |
| Degree class: | New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA |
| Collaborating companies: | Politecnico di Torino |
| URI: | http://webthesis.biblio.polito.it/id/eprint/37719 |
Creative Commons License - Attribution 3.0 Italy