An autonomous resiliency toolkit - needs, challenges, and concepts for next generation cyber defense platforms

2016 
Cyber defense today relies heavily on teams of Subject Matter Experts (SMEs), e.g., Cyber Protection Teams (CPTs). Although simple tasks can be automated or scripted, the complex decision processes increasingly needed to counter cyber threats require SME insight and manual execution. As a result, cyber-defense operations tend to emphasize the collection and archiving of data over real-time decision making and response, postponing actionable analysis and response until later, where “later” is frequently “too late.” In contrast, adversaries readily use automation tools to minimize manual work and encapsulate autonomous behaviors in botnets and viruses that adapt to changing conditions. This imbalance puts the adversary at an advantage, a situation the research presented in this paper aims to remedy. The scarcity of cyber SMEs and the high cost of involving them in manual cyber responses are among the main factors contributing to the imbalance. The approach we describe aims to reduce reliance on human SMEs, drive down cost, and increase the effectiveness of CPTs by capturing expert knowledge in a tool that automates the identification of known and unknown threats and the launching of mitigations to counter ongoing attacks at system speed.