Towards intelligence driven automated incident response

Nowadays an ever increasing number of cybersecurity threats is looming over organizations all over the world. Some of them have recently digitalized many of their assets, leading to an increased attack surface. This leaves the door open to threat actors, since a solid management of cybersecurity issues is often missing, especially in SMEs. Incident response teams dedicated to handle incidents are running low on personnel, and even when this is not the case are not, they get overwhelmed with new alerts, meaning they cannot keep the pace with new threats and adversaries. This is pushing an automation effort aimed at easing the burden of repetitive tasks on SOC teams. Many companies are proposing their own solution and these often take the form of integrated frameworks used to handle all aspects of security in an automated way, but all lacking interoperability. Another aspect reinforcing the need for automated security management is the integration of threat intelligence feeds into the defense stage. Feeds are used to share information about new threats, vulnerabilities, or incidents that have affected organizations. Feeds can improve the defense stage by enriching threat knowledge in an automated way, thus decreasing incident response times, and improving the defensive stance. The knowledge sharing effort though is still mainly limited to indicators of compromise, and secondary information such as those regarding the identity, the behavior, or the campaign history of a threat actor. What is still lacking is the coverage of actionable courses of action, that is, methods and approaches that can be taken in response to the given threat, or incident. In this thesis a comprehensive approach to automation, from knowledge sharing to incident response, is covered. This effort takes the form of a standard based framework that makes full use of emerging standards in the field. With this framework, automatable actions are defined by analysts as recipes, in a simplified high level security policy language. Courses of action together with threat details can be shared across teams, or exchanged machine to machine by means of threat feeds, enclosed in intelligence reports. Organization can deploy that course of action in a different operational environment, adapting to their unique incident situation, but still taking advantage of the shared intelligence. The STIX language is used to gather all relevant information about incident handling, and generate a report. The amount of information shared is bound to their confidentiality. Interoperability across different operational environments is guaranteed by wrapping recipe courses of action in a machine parsable structured language, that can embed in it all required deployment variables. A proof of concept will be shown, consisting of an emulated softwarized network landscape for which security alerts will be received. An interpreter will work as translator of high level policy language to the low level commands to be applied to the network environment, thus enforcing a given course of action. At the end of the remediation, a report will be produced, containing threat and incident response details. In the evaluation phase, it is shown how the system evolves its state in response to a new alert, optimizing service operations and resources.