Incidence response machine learning optimization vs heuristic solutions

Scenario:

  • Imagine the network has been penetrated, and malware has loaded to various machines within the network in order to exfiltrate sensitive customer information (e.g., health care data).
  • An information security or forensics analyst is charged with completing multiple tasks that include discovering what exactly was stolen, attack vector and exfiltration, and remediations required to prevent the same or similar future attacks.

Expert Thinking:

This approach to problem-solving employs a heuristic approach to conducting the investigation and resolving the scenario. An analyst would conduct tasks such as the following:

  • Determine what has been stolen. Evaluate file access logs plus network traffic — looking for signs of access to sensitive files or large amounts of data flowing out of the network. Ana analyst may employ a product such as Splunk and firewall log file review.
  • Identify how the attacker gained a persistent foothold in the network. Perform malware analysis on any hosts that may be needed to track down known malware samples and determine if there are known signatures or other static computer code artifacts that identify the type of malware.
  • Analyze live systems — looking for unusual processes running or other anomalous behaviors.
  • Remove malware and repair infected host systems to prevent future attacks. Or completely rebuild systems and restore backups.

Machine Learning Solution:

This approach employs advanced algorithms and rules to perform early detection of malware and network compromise and to potentially complete early mitigations to halt active or lending threats.

  • A well-trained machine learning model will be able to identify unusual traffic on the network, and actively quarantine or shut down these connections or services.
  • Identify new samples of malware that can evade static anti-virus signatures, and quarantine these samples for further analysis.
  • Identify when an endpoint host itself is engaging in odd behavior.
  • Alert information security teams about potential threats.