Stremlining Incident Response & Recovery with IRIS’s Risk-based Response and Self-Recovery Module

In today’s digital landscape, organizations face an ever-evolving array of cybersecurity threats. From ransomware attacks to data breaches, the need for efficient incident response has never been more critical. Thankfully, advancements in Security Orchestration, Automation and Response (SOAR) technologies are providing solutions to streamline this process, empowering organizations to effectively mitigate risks and safeguard their assets. At the forefront of this technological evolution is IRIS’s Risk-based Response and Self-Recovery (RRR) module. Designed to enhance security operations within smart cities and beyond, RRR leverages structured response workflows to guide security teams in effectively responding to security incidents and threats.

Next, we delve deeper into the workings of the RRR module, shedding light on its autonomous risk-based response and self-recovery capabilities and how these capabilities can empower organizations to proactively mitigate risks and safeguard their digital assets in an ever-changing threat landscape.

Structured Response Workflows: RRR serves as a risk-based decision-support framework powering the IRIS platform’s incident response and self-recovery procedures. Leveraging optimization, and machine learning algorithms, RRR evaluates the incident data and dynamically formulates the optimal Course of Action (CoA) concerning a detected threat or vulnerability. RRR’s relies on a well-defined response dictionary to categorize a wide array of incident scenarios and prescribe specific CoA for each. With three action types available (‘contain,’ ‘harden,’ and ‘recover’), IRIS ensures that security teams can swiftly identify and implement the most suitable response actions tailored to the unique characteristics of each incident. Following the definition of optimal response actions, RRR establishes structured response workflows, outlining predetermined actions to be taken during security incidents. These workflows serve as a blueprint guiding CERT/CSIRT teams through the containment, hardening, and recovery phases.

STIX/CACAO Playbooks – Standardizing RRR’s Response Workflows: Recognizing the importance of standardized incident response workflows, RRR embraces machine-readable STIX/CACAO playbooks. These playbooks provide guidelines for building action plans before, during, and after a cyber-attack, incorporating best practices and RRR’s selected optimal response strategies. This conversion process ensures seamless interoperability across diverse security environments facilitating the smooth sharing of commands, response workflows, and intelligence between security platforms and stakeholders, and fostering collaboration and synergy in the face of cyber threats. Moreover, the machine-readability of STIX/CACAO playbooks enables automation at scale, empowering organizations to respond rapidly and effectively to security incidents minimizing human error and response times.

Self-Recovery Mechanism – Bridging the Gap: RRR builds upon innovations in SOAR technologies as well as in threat intelligence execution. In achieving so, it incorporates a self-recovery mechanism that adapts a programmable API connecting seamlessly with external APIs to effect remediation actions without the need for human intervention. By harnessing the power of programmable APIs, this mechanism can execute selected remediation actions autonomously, streamlining the entire self-recovery process within the IRIS’s operational framework. Whether the objective is to isolate compromised systems, apply necessary patches to vulnerabilities, or restore configurations to their prior state, RRR can not only contain the impact of security incidents but may also restore functionality swiftly, thereby minimizing downtime and mitigating potential losses.

Automating response with policy-driven rules: RRR’s decision-support framework is supervised by policies to determine whether the recommended response and recovery workflow will be automatically enacted or if review and approval from the critical infrastructure (CI) operator are necessary. These policies delineate the conditions under which the RRR module is empowered to autonomously initiate specific actions (categorized as ‘contain,’ ‘harden,’ or ‘recover’) during the containment, eradication, and recovery phase of the incident response. When an action policy within a response category is designated as ‘enabled,’ it signifies that the CoA suggested by RRR can be executed automatically via RESTful interfaces and external APIs. Conversely, if an action is designated as ‘disabled,’ the IRIS orchestrator forwards the response recommendations to the CERT/CSIRT operators for review and approval and refrains from executing the remediation automatically.

Human Oversight – A Critical Component: By default, all policies are set to “disabled” or a “request for approval” mode, ensuring that any recommendation generated by the RRR module necessitates explicit approval from the CI operator before it can be executed. This cautious step ensures that human oversight and judgment are central in RRR’s decision-making process, maintaining a crucial layer of control over automated responses. Through interaction with the IRIS-Enhanced MeliCERTes Ecosystem (EME), the CI operator has the flexibility to enable these policies according to the self-recovery requirements of their organisation and the available resources (e.g., the cybersecurity budget allocated, the specialised hardware and software in place, etc) ensuring a tailored approach to incident containment, eradication, and recovery.

Looking Ahead: The release of the RRR module in November 2023 marked a significant advancement in the evolution of IRIS’s cybersecurity automation and incident response capabilities. As we move forward, validation of the RRR module in the context of IRIS pilot use cases during 2024 will further demonstrate its efficacy in enhancing defense mechanisms against evolving threats aimed at IoT and AI-provisioned infrastructures. We encourage you to stay tuned for forthcoming updates from the pilot sites as we continue to refine and optimize IRIS’s functionalities to meet the evolving cybersecurity landscape.