Many organizations are exposed to the risk of cyber attacks that penetrate their computer networks. When such an attack occurs, e.g. a ransomware outbreak, it is desirable to respond quickly by containing the threat or limiting its consequences. Technologies that support this process, including antivirus software and deep-packet inspection firewalls, have been in wide use for decades. A large number of cyber security research efforts have been initiated to automate the incident handling process further, often motivated by the need to respond to more advanced cyber attacks or by the increasing cyber risks at stake. This paper reviews the research on automatic incident response solutions published since the year 2000, in order to identify gaps and guide further research. The proposed solutions are categorized, using the D3FEND framework, in terms of the input they use (e.g. intrusion signals) and the output they perform (e.g. reconfiguring a network). The solutions presented in 45 papers from the academic literature are analyzed and compared to four commercially available solutions for automatic response. Many of the 45 papers described input and output in vague terms. The most common inputs were asset inventories, platform monitoring and network traffic analysis. The most common output was network isolation measures, e.g. reconfiguring firewalls. Commercially available solutions focus more on looking up identifiers in reputation systems and on analyzing individual files.
Karlzen, H., & Sommestad, T. (2023). Automatic incident response solutions: A review of proposed solutions’ input and output. In ACM International Conference Proceeding Series. Association for Computing Machinery. https://doi.org/10.1145/3600160.3605066