After the Breach: Incident Response within Enterprises
Sumanth Rao

TL;DR
This paper surveys automated attack investigation systems in enterprise cybersecurity, comparing their designs, effectiveness, and challenges to improve incident response and reduce analyst workload.
Contribution
It provides a comprehensive comparison of existing automated attack investigation systems, highlighting their strengths, limitations, and future research directions.
Findings
Automated systems can effectively reduce analyst workload.
Current systems face challenges in accuracy and scalability.
Future research should focus on improving interpretability and real-time response.
Abstract
Enterprises are constantly under attack from sophisticated adversaries. These adversaries use a variety of techniques to first gain access to the enterprise, then spread laterally inside its networks, establish persistence, and finally exfiltrate sensitive data or hold it for ransom. While enterprises have historically used different Incident Response systems that monitor hosts, servers, or network devices to detect and report threats, these systems often need many analysts to triage and respond to alerts. However, the immense quantity of alerts to sift through, combined with the potential risk of missing a valid threat, makes the task of the analyst challenging. To ease this manual and laborious process, researchers have proposed a variety of systems that perform automated attack investigations. These systems collect data, track causally related events, and present the analyst with an…
Taxonomy
Topics: Disaster Management and Resilience
