AutoCRAT: Automatic Cumulative Reconstruction of Alert Trees
Eric Ficke, Raymond M. Bateman, and Shouhuai Xu

TL;DR
AutoCRAT is an automated system that reconstructs alert trees to help cyber defenders quickly identify compromised systems and assess threat severity during network attacks.
Contribution
It introduces AutoCRAT, a novel system for automatic reconstruction of alert trees to improve cyber triage and incident response efficiency.
Findings
Reconstructs alert trees efficiently from real-world data
Facilitates data visualization for incident response
Assists in threat intelligence analysis
Abstract
When a network is attacked, cyber defenders need to precisely identify which systems (i.e., computers or devices) were compromised and what damage may have been inflicted. This process is sometimes referred to as cyber triage and is an important part of the incident response procedure. Cyber triage is challenging because the impacts of a network breach can be far-reaching with unpredictable consequences. This highlights the importance of automating this process. In this paper we propose AutoCRAT, a system for quantifying the breadth and severity of threats posed by a network exposure, and for prioritizing cyber triage activities during incident response. Specifically, AutoCRAT automatically reconstructs what we call alert trees, which track network security events emanating from, or leading to, a particular computer on the network. We validate the usefulness of AutoCRAT using a…
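The abstract describes an alert tree as the set of network security events that emanate from, or lead to, a given host. The following Python block is an added illustration of that idea and is not AutoCRAT's code or its reconstruction method; the alert records, IP addresses, signature names and the time-ordering rule are all constructed here as assumptions. It walks a set of alerts forward from a seed host (what the host may have reached) and backward (what may have reached it), only following alerts whose timestamps are consistent with the order in which hosts were reached.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One network alert; field names are an assumption for this example."""
    ts: int    # constructed timestamp (seconds)
    src: str   # source host
    dst: str   # destination host
    sig: str   # signature / alert name


# Constructed sample alerts, not data from the paper.
ALERTS = [
    Alert(50,  "10.0.0.2",  "10.0.0.5",  "phishing callback"),
    Alert(100, "10.0.0.5",  "10.0.0.7",  "ssh brute force"),
    Alert(150, "10.0.0.7",  "10.0.0.9",  "smb lateral movement"),
    Alert(160, "10.0.0.7",  "10.0.0.11", "smb lateral movement"),
    Alert(200, "10.0.0.9",  "10.0.0.20", "data exfiltration"),
    Alert(300, "10.0.0.30", "10.0.0.7",  "port scan"),  # after the compromise; not a cause
]


def reconstruct_alert_tree(alerts, root, direction="forward", root_time=None):
    """Breadth-first reconstruction of an alert tree rooted at `root`.

    direction="forward":  follow alerts whose src is the current host (events emanating from it).
    direction="backward": follow alerts whose dst is the current host (events leading to it).
    root_time, if given, is when the root was known compromised; alerts on the wrong side
    of a host's reach time are skipped so each path is causally ordered. Each host is
    attached once, at the first alert that reaches it, which also breaks cycles.
    Returns {host: [(child_host, alert), ...]}.
    """
    forward = direction == "forward"
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.src if forward else a.dst].append(a)

    tree = defaultdict(list)
    reached = {root: root_time}          # host -> time it was reached (None = unconstrained)
    queue = deque([root])
    while queue:
        host = queue.popleft()
        t = reached[host]
        for a in sorted(by_host[host], key=lambda a: a.ts):
            if t is not None and (a.ts < t if forward else a.ts > t):
                continue                 # violates the time order along this path
            nxt = a.dst if forward else a.src
            if nxt in reached:
                continue                 # already in the tree
            reached[nxt] = a.ts
            tree[host].append((nxt, a))
            queue.append(nxt)
    return dict(tree)


def hosts_in_tree(tree, root):
    """Every host that appears in the tree, root included."""
    return {root} | {child for edges in tree.values() for child, _ in edges}


def render(tree, root, depth=0):
    """Indented text view of the tree, one host per line with the alert that attached it."""
    lines = ["  " * depth + root]
    for child, a in tree.get(root, []):
        lines.append("  " * (depth + 1) + f"[{a.ts}] {a.sig}")
        lines.extend(render(tree, child, depth + 1)[1:] or [])
        lines[-1:] = lines[-1:]  # keep ordering stable
    return lines


if __name__ == "__main__":
    seed = "10.0.0.7"
    print("Forward (emanating from", seed + "):")
    print("\n".join(render(reconstruct_alert_tree(ALERTS, seed, "forward"), seed)))
    print("Backward (leading to", seed + ", compromised at t=150):")
    print("\n".join(render(reconstruct_alert_tree(ALERTS, seed, "backward", 150), seed)))
```

In the backward walk the `root_time` argument is what keeps the late port scan from `10.0.0.30` out of the tree: it occurred after the seed host was already moving laterally, so it cannot be a predecessor. For triage, the host set returned by `hosts_in_tree` for the forward tree is the candidate set of systems to check for compromise, and the backward tree points at the likely entry path.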
