During a breach of an organization's IT network or systems, the critical incident response (CIR) staff (or similar personnel) is often confronted with a large number of security-related events and alerts, some of which may relate to an attacker attempting to reach critical assets within the organization. Existing incident response approaches attempt to gather, filter and correlate security events so as to reduce the number of events that must be examined by CIR staff. However, such approaches still leave a considerable number of events to be processed manually by the CIR staff (commonly a small team of individuals).
By way of example, many existing breach response tools are designed to detect attack patterns, and to detect that an attack is occurring, by examining historical data from event logs and similar sources. However, such approaches do not identify a connection between a low-level attack progression and the high-level enterprise processes that may hold the data of interest. This is disadvantageous because, while the attacker likely knows the identity of the ultimate asset of interest, the CIR personnel must evaluate the attacker's behavior and techniques from historical evidence in order to infer what the attacker is attempting to accomplish. Additionally, in existing approaches, CIR personnel examine and analyze information gathered after an event has occurred; if the event indicates some data loss, that loss has already taken place.
Accordingly, using existing approaches, by the time CIR personnel are able to identify that an attacker has penetrated a system, sufficient time may have elapsed to render the task of stopping an information leak considerably more difficult.