The rise of cyberattacks impacting organizations has become a growing concern for companies, with recent high-profile breaches such as the UK outsourcing firm and government contractor Capita incurring recovery costs of up to £20 million. In response to this growing threat, organizations are increasingly looking towards new developments in artificial intelligence (AI) to better prepare, recover and adapt confidently to cyber incidents.
Generative AI is allowing attackers to innovate and escalate their approach, with Darktrace researchers observing a 135% increase in “novel social engineering attacks” across thousands of active customers from January to February 2023. This highlights the importance for organizations to focus more than ever on their cyber resilience, to be able to withstand, adapt and recover from cyberattacks that have achieved initial access.
However, the gap between the growing numbers of successful attacks and effective approaches to recovery continues to widen. With a growing skills shortage in the industry, it has become increasingly difficult for humans to keep up with incident management techniques and frameworks. Additionally, the costs associated with tabletop exercises, red/purple team activities, maintaining playbooks, and testing recovery stacks have become increasingly untenable.
Incident response playbooks outline the steps an organization should take to respond to and recover from a particular type of attack and are widely accepted as best practice. These are typically based on predefined, static views of an organization that quickly become outdated and are challenging to maintain and execute in a real-world incident. Similarly, published frameworks are another standard part of the cyber resilience toolkit. These templates and flowcharts tend to lay out discrete linear processes, which often result in lengthy steps designed to occur one after the other, with no concept of the frequent need to shift and adapt as new information arises. Dealing with the complexity gap between the necessarily concise framework and the variety and complexity of real incidents is left to human responders.
Tabletop exercises, in which stakeholders come together to test incident response plans, can be a useful way of developing experience in decision making. Still, they are time-intensive and will not test many of the technical tools and processes used in a real-world response.
Introducing self-learning AI into incident management can allow teams to engage with an incident in more detail and at an earlier stage, minimizing disruption to the business. During an incident, AI-powered systems can offer full visibility into the scope and details of the compromise, creating a more informed basis on which to manage it.
Because the software holds this detailed understanding, it can go further and automate much of recovery management. It can automatically adapt planned recovery steps to the precise details of the incident and prioritize assets for remediation based on its deep understanding of each asset’s function and role, both within the incident and within the business.
AI assistance doesn’t have to mean relinquishing human control. Rather, AI should augment human teams by presenting simple choices and recommendations based on real-time developments, and by simplifying and automating technical steps where possible. Working together, AI and human teams can shorten time-consuming recovery processes, with the AI providing relevant and timely context to support faster decision-making when it counts.
Time savings from AI can extend to record-keeping during and after the incident. By collecting forensic evidence automatically and keeping a record of all defensive actions taken, AI can create incident reports at any time. These reports enable teams to communicate clearly to stakeholders what has happened, what they’ve done about it, and what further actions they will take.
In a landscape where vendor consolidation is top of mind for CISOs and CFOs, incident recovery products that can integrate with these other capabilities provide a compelling case for a single dashboard approach to cyber resilience.
The reality is that cyber incidents are a question of when and not if, so organizations that look to move beyond static incident playbooks and standard frameworks will remain ahead of the game. Leveraging AI and automation to deliver bespoke recovery plans that adapt in real time will allow these companies to achieve new levels of cyber resilience in a fast-moving threat landscape.