Right place, right time: machine learning in cyber incident response

Garry Veale at Vectra AI describes why it’s important to make the most of machine learning when managing cyber-security incidents

Over recent years, global CISOs have learned the hard way that no organisation is 100% breach-proof. A highly motivated and well-resourced cyber-crime community now has a wide range of tactics, techniques and procedures (TTPs) at its disposal.

Meanwhile, the attack surface is widening, offering up even more opportunities for network compromise.

However, by focusing on rapid detection and response, organisations can still act against their adversaries before any serious damage can be caused. Machine learning and automation are increasingly vital, but effective incident response means knowing when to automate, and how to get the most out of AI across the entire detection and response process.

Facing a booming cyber-crime economy

Today’s multi-trillion dollar cyber-crime economy is worth more than the annual GDP of many countries. It represents a sophisticated, ready-made market for the trade of stolen data and the sourcing of tools and know-how to launch virtually any kind of attack.

The growing threat of ransomware perfectly highlights the sophistication and effectiveness of this underground market economy. Initial threat actors sell network access to a range of affiliate groups, who then license the ransomware itself from developers in exchange for a cut of the spoils.

Whether it’s via a simple phishing attack, credential stuffing or a vulnerability exploit, attackers will gain access. Then, they use legitimate tools such as PsExec or Cobalt Strike to move laterally and exfiltrate data whilst slipping past defensive technologies.

Many techniques once the preserve of APT and nation-state groups have been democratised via the cyber-crime underground. Many threats are available in “as-a-service” offerings, which have drawn in new affiliate groups keen to make their fortune. This makes behaviour-based detection critical to catching modern threats.

First responders buckling under the pressure

All this has turned security operations (SecOps) and incident response into an indispensable part of the cyber-security function. In the UK, around two-thirds of mid-sized and large organisations admitted to being breached in 2020. If no organisation can claim to be 100% secure, then the focus naturally turns to how quickly and effectively they can respond to signs of intrusion.

Unfortunately, the ability of SecOps to respond effectively is currently being stunted by the sheer size of the attack surface. Experts believe digital transformation efforts accelerated by several years during the pandemic.

This has created an explosion in unmanaged home working endpoints, new cloud infrastructure and applications, unpatched remote working infrastructure, IoT devices and connected operational technologies—all providing new opportunities for attack.

The second major challenge for SecOps teams is the shortage of skilled professionals in the industry. Worldwide, the industry needs around three million more professionals, and many of the best and brightest in Security Operations Centres (SOCs) are feeling burnt out and considering quitting. This stress is often caused by alert overload and an inability to prioritise and work productively.

The need for speed

Speed is paramount to successful incident response. Accelerating the detection and response process means the threat actors have less time to access critical enterprise resources and cause damage. The longer they’re allowed inside victim networks undisturbed, the more expensive and potentially destructive the fallout. But today, it takes global organisations an average of 287 days to identify and contain a data breach.

Reducing threat actors’ dwell time limits the opportunity to cause damage. It can also force them to find new techniques to achieve their goals. Placing this extra burden on your adversary may force them to give up and try an easier target. But even for a determined attacker, it will take them longer to succeed—lowering their ROI.

So how can organisations accelerate incident response to unsettle their attackers and mitigate cyber risk? Automation and machine learning are critical. These technologies can work to minimise human error and take on a large amount of the tedious, repetitive work that security analysts would otherwise have to do by hand.

But they’re not a panacea. Being able to respond rapidly to attacks without compromising on threat awareness means understanding what tasks to automate to make the most of your security teams’ time. We can break down a typical detection and response process into three stages:

Spot the threat: initial visibility, detection and prioritisation

The network and its endpoints provide the initial detection data. This is when behaviour-based machine learning algorithms come into their own, searching that data for suspicious activity round-the-clock at speeds humans could never achieve. They’re able to filter out the noise for analysts by tying together multiple alerts to create a single incident and “storyline” of what happened.

This not only helps to reduce skills gaps and barriers of entry into SecOps for junior analysts, but also frees up the time of more skilled analysts to focus on higher value tasks—like threat hunting and offering risk advice to the business.

Joining the dots: correlation and analytics

Next, network and endpoint data are correlated with data from user, vulnerability and application management systems, as well as other security information like threat intelligence feeds. The goal is to verify the alert data prioritised from the previous stage and to choose the correct response based on severity and priority.

This is where human analysts provide an invaluable skill—making decisions based on the specific environment and business risk.

Time to act: coordination and response

Finally, these highly refined alerts are passed on to stage three, for coordination and response. Here again, automation plays a major role. Automation and orchestration playbooks take the data and coordinate a response across endpoints, networks, users, and application management systems—working at machine speed to minimise the risk of a threat spreading far and wide.

However, organisations can introduce human decision points at this stage to throttle the level of automation to appropriate levels for the situation.
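As an added illustration of the three stages described above (this is example code, not code from the article or from Vectra AI), the following Python sketch stitches constructed sample alerts into per-user incident storylines, scores each incident against constructed threat-intelligence and asset-criticality data, and gates high-impact playbook actions behind an analyst approval flag. All alert data, weights, thresholds and the 60-minute window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Stage one input: constructed alerts from network and endpoint sensors (not real telemetry).
ALERTS = [
    {"ts": "2021-06-01T09:00", "user": "jdoe", "host": "ws-17", "type": "phishing_attachment_opened"},
    {"ts": "2021-06-01T09:04", "user": "jdoe", "host": "ws-17", "type": "beacon_to_external", "dst": "203.0.113.7"},
    {"ts": "2021-06-01T09:20", "user": "jdoe", "host": "fs-01", "type": "remote_service_created"},
    {"ts": "2021-06-01T09:35", "user": "jdoe", "host": "fs-01", "type": "bulk_file_read"},
    {"ts": "2021-06-01T13:00", "user": "asmith", "host": "ws-42", "type": "beacon_to_external", "dst": "198.51.100.9"},
]
# Stage two enrichment: constructed threat-intel indicator set and asset criticality (1 low .. 3 high).
KNOWN_BAD_DST = {"203.0.113.7"}
ASSET_CRITICALITY = {"ws-17": 1, "fs-01": 3, "ws-42": 1}
TYPE_WEIGHT = {"phishing_attachment_opened": 1, "beacon_to_external": 2,
               "remote_service_created": 3, "bulk_file_read": 3}
WINDOW = timedelta(minutes=60)  # assumed gap that still links two alerts into one storyline


def build_incidents(alerts):
    """Stage one: tie alerts for the same user, each within WINDOW of the last, into one incident."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(a["ts"])
        for inc in incidents:
            if inc["user"] == a["user"] and t - inc["last"] <= WINDOW:
                inc["storyline"].append(a)
                inc["hosts"].add(a["host"])
                inc["last"] = t
                break
        else:  # no open incident for this user: start a new storyline
            incidents.append({"user": a["user"], "hosts": {a["host"]}, "storyline": [a], "last": t})
    return incidents


def score_incident(inc):
    """Stage two: correlate the storyline with threat intel and asset data to rank severity."""
    score = sum(TYPE_WEIGHT.get(a["type"], 1) for a in inc["storyline"])
    score += 4 * sum(1 for a in inc["storyline"] if a.get("dst") in KNOWN_BAD_DST)
    score += max(ASSET_CRITICALITY.get(h, 1) for h in inc["hosts"])
    return score


def plan_response(inc, score):
    """Stage three: choose playbook actions; a human decision point gates actions on critical assets."""
    if score < 5:
        return {"severity": "low", "actions": ["ticket_for_review"], "needs_approval": False}
    actions = [f"isolate:{h}" for h in sorted(inc["hosts"])] + [f"disable_user:{inc['user']}"]
    critical = any(ASSET_CRITICALITY.get(h, 1) >= 3 for h in inc["hosts"])
    return {"severity": "high" if score >= 10 else "medium", "actions": actions, "needs_approval": critical}


def run_pipeline(alerts):
    """Run all three stages and return (user, score, response) per incident."""
    return [(i["user"], s, plan_response(i, s)) for i in build_incidents(alerts) for s in [score_incident(i)]]
```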

The bottom line is that automation and machine learning can optimise incident response by spotting threats that human eyes might miss, prioritising alerts and accelerating a coordinated response.

In this way, AI gives security teams the context they need to support critical thinking and complex analysis, reducing pressure on them while keeping the business safe. Understanding this dynamic is the first step towards driving a more mature incident response function.

Garry Veale is UK&I Regional Director at Vectra AI

Copyright Lyonsdown Limited 2021
