What is Autonomous Response and how does it work across the enterprise?
Article by Darktrace director of threat hunting, Max Heinemeyer.
With cyber-attacks getting faster and more furious, human teams alone cannot always be relied on to initiate a timely response. Naturally, humans need breaks, they are prone to error, and when confronted with hundreds of alerts on a daily basis, they inevitably miss things. Too often, by the time a serious attack has become apparent, it is often too late to avoid business disruption.
For these reasons, the cybersecurity industry has turned to response solutions that automatically contain in-progress cyber-attacks on behalf of human teams, giving them time to catch up and investigate an incident.
However, many automated response solutions in play today suffer from two fundamental drawbacks:
Firstly, these solutions are only able to take action in pre-defined ways, based on prior human input. This means that, by definition, they can only respond to known threats that can be defined in advance, and are useless in the face of ‘known unknowns’ & ‘unknown unknowns’ – threats that have never been seen before.
These tools may be able to block activity that has been pre-defined as ‘bad’, but what happens when they encounter something new? This is particularly relevant as the speed of attacker innovation jumps to new heights.
Secondly, these solutions are constricted in how they can respond. Usually, this is a binary choice: ‘allow’ or ‘block’. Either you quarantine a device completely or you don’t take an action at all.
Binary mechanisms like this tend to lead either to these solutions blocking too much – interrupting legitimate business activity – or blocking too little and allowing malicious activity to continue.
The most sophisticated automated response solutions – such as SOAR solutions – are still relying on this same approach. Their playbooks and workflows are more advanced, but ultimately they still have to be operated by human beings with the right expertise – and this can be difficult to find.
The beauty of context
The inherent problem with this approach is that all automated blocking solutions lack the context required to take targeted action. If an organisation tries to add context and make responses more contextualised, they do it by throwing humans at the problem – which costs a lot of money, doesn’t scale, and creates ongoing workflows for security teams.
Autonomous Response is inherently different. It works by learning the ‘pattern of life’ of every entity in an organisation, meaning it knows what constitutes ‘normal’ behaviour for any given device or user, in any given context, for any given organisation
In the event of an attack, it can enforce the ‘pattern of life’ of an infected device, blocking only the unusual behaviours that resulted from an attack. By enforcing normal behaviour, it strikes the perfect balance of interrupting a cyber-attack while allowing regular business activity to continue.
A self-learning technology
This unique approach offers several advantages over traditional, automated response tools. Because it learns the business by itself, it requires minimal oversight and maintenance from human security teams. It continually revises its understanding of ‘normal’ based on real-time data, so does not need to be updated as attacker techniques evolve – or as the business changes and grows.
Organisations transitioning to a cloud-first strategy can benefit from Autonomous Response learning from and taking action on cloud infrastructure as well as collaboration tools like Microsoft Teams and SharePoint. It also takes action at the email layer and on remote endpoints, protecting employees wherever they work.
In each case, Autonomous Response can use its awareness of its environment to decide for itself the most appropriate action to take (if any), for any given threat. Because it constantly updates its decision-making based on real-time data, it might start with a light touch, later escalating its response as an attacker starts changing tactics.
Building trust in AI decision-making
Allowing an AI to take action on your live environment might sound like a daunting prospect to some, who will need to have confidence that this decision-making is highly accurate and does not cause further disruption. Autonomous Response is configurable: many organisations initially set it in ‘human confirmation mode’ – showing what actions it would take in your environment, but leaving the human in the loop to stay in control and confirm the response.
But as the AI continues to learn its unique surroundings, the accuracy of its decision-making increases, and the switch to full ‘autonomous mode’ is often made within a few weeks. Autonomous Response does not take action on every small anomaly – it just acts on the highest-fidelity malicious activity such as ransomware, account takeovers or data exfiltration attempts. Human operators are still able to review its actions from within a dedicated user interface or via a mobile app.