Automated Response to Cyber Security Threats

Ehrle, Dominik and Agostini, Marco (2023) Automated Response to Cyber Security Threats. Other thesis, OST Ostschweizer Fachhochschule.

Full text not available from this repository.

Abstract

Cyber security threats continue to pose a major challenge to organizations. While there is an abundance of technologies and products assisting in the detection and investigation of cyber security threats, supporting security operation teams in responding to threats has received limited attention. Modern Intrusion Prevention Systems provide the possibility to react in real-time to cyber security threats but still lack the ability to predict the impact of the responses on the IT infrastructure.

This bachelor thesis builds on the proof of concept application developed in the student research project. The existing application is re-created with novel capabilities regarding the automated response to cyber security threats to assist in protecting IT infrastructures. The main focus is on supporting the cybersecurity analyst in the decision-making process selecting the best-suited response to a cyber security threat by providing additional information regarding the IT infrastructure.

The application fetches security alerts from a Security Information and Event Management system (SIEM) and processes the retrieved data. The responses of a predefined set are compared to the alert attributes to determine the possible responses and their impact on the IT environment. Additionally, the possible responses are prioritized by calculating their impact cost based on the created cost function. Consequently, the analyst can decide on the preferred response, considering the impact on the IT environment. The application itself is a three-tier architecture that consists of a frontend, a backend and a persistence tier. The frontend provides a dashboard to the analyst and allows the inspection of an alert, containing the relevant information about the alert in order to decide on the best-suited response. Furthermore, it allows the triggering of the desired response. The backend is an API providing all required endpoints regarding the interaction with it, such as creating the abstracted environment model of the IT infrastructure and persisting it in a graph database.

The application implements different Threat Response Techniques to facilitate the handling of cyber security threats. It provides automated response determination capabilities, where the responses of the predefined set are matched to the alert, identifying the possible responses for the alert based on its attributes. Moreover, the impact calculation abstracts the impact of a response on the IT infrastructure being represented by the environment model. Finally, the possible responses are prioritized by calculating their impact cost with the defined cost function, comprising the response's impact as well as its attributes.
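The pipeline the abstract describes (response determination by attribute matching, impact estimation over an environment model, and prioritization by a cost function) can be sketched as a small Python model. The code below is an added illustration, not the thesis's application or its cost function: the response set, the alert attributes, the dependency graph, the criticality weights and the cost formula are all assumptions chosen to show the mechanics.

```python
"""
Toy model of an automated-response pipeline: match a predefined response set
against alert attributes, estimate each candidate's impact on an environment
model (assets with dependencies and criticality), score it with a cost
function, and rank candidates for the analyst.

Everything here is constructed for illustration (hypothetical responses,
weights and cost function); it is not the thesis's own model.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Response:
    name: str
    requires: Dict[str, object]  # alert attributes that must match for the response to apply
    scope: str                   # "asset": affects the asset and everything depending on it
                                 # "local": affects only the alerted asset itself
    disruption: float            # 0.0 = no availability loss .. 1.0 = asset fully unavailable
    reversible: bool             # irreversible responses carry an extra cost penalty


IRREVERSIBLE_PENALTY = 10.0  # assumed flat penalty added to the cost of irreversible responses

# Constructed, predefined response set.
RESPONSES = [
    Response("isolate_host", {"asset_type": "host"}, "asset", 1.0, True),
    Response("block_source_ip", {"has_source_ip": True}, "local", 0.1, True),
    Response("disable_account", {"has_user": True}, "local", 0.4, True),
    Response("reimage_host", {"asset_type": "host", "severity": "critical"}, "asset", 1.0, False),
]

# Constructed environment model: asset -> criticality weight and the assets it depends on.
ENVIRONMENT = {
    "db-01": {"criticality": 8, "depends_on": []},
    "web-01": {"criticality": 3, "depends_on": ["db-01"]},
    "report-01": {"criticality": 2, "depends_on": ["db-01"]},
    "lb-01": {"criticality": 5, "depends_on": ["web-01"]},
}

# Constructed sample alerts as they might arrive, already normalized, from a SIEM.
ALERT_DB = {"asset": "db-01", "asset_type": "host", "severity": "high",
            "has_source_ip": True, "has_user": False}
ALERT_WEB = {"asset": "web-01", "asset_type": "host", "severity": "critical",
             "has_source_ip": False, "has_user": True}


def determine_responses(alert: dict, responses: List[Response] = RESPONSES) -> List[Response]:
    """Response determination: a response applies when every required attribute matches."""
    return [r for r in responses if all(alert.get(k) == v for k, v in r.requires.items())]


def affected_assets(asset: str, env: dict = ENVIRONMENT) -> Set[str]:
    """Transitive closure of assets whose availability depends on `asset`."""
    affected, frontier = {asset}, [asset]
    while frontier:
        current = frontier.pop()
        for name, props in env.items():
            if current in props["depends_on"] and name not in affected:
                affected.add(name)
                frontier.append(name)
    return affected


def impact_cost(response: Response, alert: dict, env: dict = ENVIRONMENT) -> float:
    """Assumed cost function: disruption x summed criticality of impacted assets,
    plus a flat penalty when the response cannot be rolled back."""
    target = alert["asset"]
    impacted = affected_assets(target, env) if response.scope == "asset" else {target}
    criticality = sum(env[a]["criticality"] for a in impacted)
    cost = response.disruption * criticality
    if not response.reversible:
        cost += IRREVERSIBLE_PENALTY
    return round(cost, 2)


def prioritize(alert: dict, responses: List[Response] = RESPONSES,
               env: dict = ENVIRONMENT) -> List[Tuple[str, float]]:
    """Rank the applicable responses by ascending impact cost for the analyst."""
    ranked = [(r.name, impact_cost(r, alert, env)) for r in determine_responses(alert, responses)]
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    for alert in (ALERT_DB, ALERT_WEB):
        print(alert["asset"], "->", prioritize(alert))
```

Two things worth noting in the ranking: isolating `db-01` is costed far higher than isolating `web-01` only because the environment model knows three other assets sit downstream of the database, which is exactly the infrastructure context the abstract says the analyst otherwise lacks; and the irreversibility penalty is what pushes `reimage_host` below `isolate_host` even though both take the same assets offline.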

Item Type: Thesis (Other)
Subjects: Topics > Security
Area of Application > Security
Technologies > Programming Languages > Python
Technologies > Databases > SQLite
Technologies > Frameworks and Libraries > React
Divisions: Bachelor of Science FHO in Informatik > Bachelor Thesis
Depositing User: OST Deposit User
Contributors:
Thesis advisor: Purandare, Mitra (Email: UNSPECIFIED)
Date Deposited: 21 Oct 2023 12:05
Last Modified: 21 Oct 2023 12:05
URI: https://eprints.ost.ch/id/eprint/1141
