Security Playbook Automation through CONCORDIA

The ability to quickly identify and understand the nature of cyber threats as they emerge, and to act with agility in applying effective cyber controls to prevent and respond to continuously evolving cyberattacks, is of undeniable importance.

As the typical time an attacker needs from initial compromise to complete takeover of a company's infrastructure has been greatly reduced, it is essential to also automate our response actions, so that attacks can be effectively mitigated, contained, or outmaneuvered.

In an era of proliferating cyberattacks, CONCORDIA, through significant partnerships and collaboration, has set the goal of providing cyber defenders with ways of responding to emerging cyber threats in cyber-relevant time. This requires partially or fully automating repetitive tasks in security operations and incident response. The University of Oslo, SIEMENS, and DFN-CERT join forces through CONCORDIA to develop technologies for sharing and automating courses of action for cyber defense.

Security playbooks are a way of documenting knowledge acquired from particular security incidents, as well as methodologies for processing and analyzing events triggered by a security solution. Most of the time, consuming such playbooks in an automated fashion is impossible because they are non-standardized and not machine-readable. In many cases, though, organizations of high security maturity use proprietary technology to partially automate such playbooks.

Automation is a crucial enabler of information exchange and incident response. It is widely known that receiving actionable information and responding appropriately in the light of that information in cyber-relevant time is quite challenging. Sharing security/response playbooks in a standardized way will allow organizations to consume such actions in response to an incident at machine speed. Such playbooks can be shared as part of cyber threat intelligence, through CTI platforms like MISP (Malware Information Sharing Platform) or threat information sharing languages like STIX (Structured Threat Information eXpression). This approach has many advantages: analysts reduce the time needed to validate an alert, which lets them handle many more incoming alerts and increases their confidence in responding to incidents, and threat actors are far less likely to bypass a defense built on well-defined and tested strategies.
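To make concrete what "a standardized, machine-readable playbook consumed at machine speed" means, here is an added example (not CONCORDIA, CACAO or MISP code): a small JSON playbook document with a workflow of linked steps, a validator that checks the document can be consumed safely (every step reference resolves, no cycles, known step types), and a dry-run executor that walks the workflow against an alert. The JSON layout, the step types `action`/`condition`/`end`, the `{{ alert.sender_domain }}` placeholder syntax, the `store_as` key, the action names and the deny-list are all constructed for this illustration and are not the CACAO schema.

```python
"""Illustrative machine-readable security playbook plus a dry-run executor.

Added example; the schema below is constructed for illustration and is not
the CACAO specification or MISP's playbook format.
"""
import json
import re

# Constructed sample playbook: triage a phishing alert, block the sender
# domain only if enrichment says it is malicious.
SAMPLE_PLAYBOOK = json.dumps({
    "type": "playbook",
    "name": "Phishing alert triage (constructed example)",
    "workflow_start": "step-1",
    "workflow": {
        "step-1": {"type": "action", "action": "enrich_indicator",
                   "args": {"indicator": "{{ alert.sender_domain }}"},
                   "store_as": "enrichment", "on_completion": "step-2"},
        "step-2": {"type": "condition", "condition": "enrichment.malicious == true",
                   "on_true": "step-3", "on_false": "step-end"},
        "step-3": {"type": "action", "action": "block_indicator",
                   "args": {"indicator": "{{ alert.sender_domain }}"},
                   "store_as": "block", "on_completion": "step-end"},
        "step-end": {"type": "end"},
    },
})

ALLOWED_STEP_TYPES = {"action", "condition", "end"}
LINK_KEYS = ("on_completion", "on_true", "on_false")


def validate_playbook(pb):
    """Return a list of problems; an empty list means the playbook is consumable."""
    problems = []
    steps = pb.get("workflow", {})
    start = pb.get("workflow_start")
    if start not in steps:
        problems.append(f"workflow_start {start!r} is not a step")
    for sid, step in steps.items():
        if step.get("type") not in ALLOWED_STEP_TYPES:
            problems.append(f"{sid}: unknown step type {step.get('type')!r}")
        for key in LINK_KEYS:
            if key in step and step[key] not in steps:
                problems.append(f"{sid}: {key} points to missing step {step[key]!r}")
    # Reject cycles so that an automated executor is guaranteed to terminate.
    state = {}

    def visit(sid):
        if state.get(sid) == "visiting":
            return True
        if state.get(sid) == "done":
            return False
        state[sid] = "visiting"
        nxt = [steps[sid][k] for k in LINK_KEYS if k in steps[sid] and steps[sid][k] in steps]
        cyclic = any(visit(n) for n in nxt)
        state[sid] = "done"
        return cyclic

    if start in steps and visit(start):
        problems.append("workflow contains a cycle")
    return problems


def lookup(path, ctx):
    """Resolve a dotted path such as 'alert.sender_domain' in the context dict."""
    cur = ctx
    for part in path.split("."):
        cur = cur[part]
    return cur


def render(value, ctx):
    """Substitute {{ dotted.path }} placeholders in a string argument from the context."""
    if not isinstance(value, str):
        return value
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lambda m: str(lookup(m.group(1), ctx)), value)


def evaluate(condition, ctx):
    """Evaluate 'path == literal' (literal: true, false or 'quoted') without eval()."""
    m = re.fullmatch(r"\s*([\w.]+)\s*==\s*(true|false|'[^']*')\s*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    literal = {"true": True, "false": False}.get(m.group(2), m.group(2).strip("'"))
    return lookup(m.group(1), ctx) == literal


def run_playbook(pb, actions, ctx):
    """Walk the workflow from workflow_start; return the ordered list of step ids executed."""
    problems = validate_playbook(pb)
    if problems:
        raise ValueError("; ".join(problems))
    steps = pb["workflow"]
    missing = {s["action"] for s in steps.values() if s["type"] == "action"} - actions.keys()
    if missing:
        raise ValueError(f"no implementation for actions: {sorted(missing)}")
    trace, sid = [], pb["workflow_start"]
    while True:
        step = steps[sid]
        trace.append(sid)
        if step["type"] == "end":
            return trace
        if step["type"] == "action":
            args = {k: render(v, ctx) for k, v in step.get("args", {}).items()}
            ctx[step.get("store_as", step["action"])] = actions[step["action"]](**args)
            sid = step["on_completion"]
        else:
            sid = step["on_true"] if evaluate(step["condition"], ctx) else step["on_false"]


DENYLIST = {"evil.example"}  # constructed stand-in for a threat-intel feed


def dry_run_actions(log):
    """Action implementations that only log; a real deployment would call the gateway API."""
    def enrich_indicator(indicator):
        log.append(f"enrich {indicator}")
        return {"malicious": indicator in DENYLIST}

    def block_indicator(indicator):
        log.append(f"block {indicator}")
        return {"blocked": True}

    return {"enrich_indicator": enrich_indicator, "block_indicator": block_indicator}


def triage(sender_domain):
    """Run the sample playbook against one constructed alert; return (trace, action log)."""
    log = []
    ctx = {"alert": {"sender_domain": sender_domain}}
    trace = run_playbook(json.loads(SAMPLE_PLAYBOOK), dry_run_actions(log), ctx)
    return trace, log


if __name__ == "__main__":
    for domain in ("evil.example", "benign.example"):
        print(domain, triage(domain))
```

The validator is the part that makes sharing safe: a playbook received from a CTI platform is parsed and checked (unresolved references, unknown step types, cycles) before any action runs, and actions are bound to local implementations by name, so the shared document carries the course of action while the receiving organization keeps control over what each action actually does.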

CONCORDIA is developing a flexible and adaptive machine-readable language for coordinating and orchestrating courses of action through security playbooks, with a future plan to integrate a proof-of-concept implementation of this work into MISP.

In support of this effort, CONCORDIA has also joined a new working group known as Collaborative Automated Course of Action Operations for Cyber Security (CACAO), where governments, organizations, and security vendors work together on standardizing security playbooks.

(By Vasileios Mavroeidis – Security Researcher – Digital Security Group – University of Oslo (UiO))