Using AI for incident response.


Transforming incident response with AI-generated playbooks  

  • Darktrace’s HEAL is a first-of-its-kind ability to safely simulate real-world incidents in an organization’s own environment.
  • During a live incident, HEAL builds a picture of the attack and a bespoke, AI-generated response playbook.

Incident response is the set of steps an organization takes to prepare for, detect, contain and recover from a security incident such as a data breach. The exact steps vary slightly from one organization to another, but most plans follow a common framework.

In the US, the National Institute of Standards and Technology (NIST) describes an incident response lifecycle in its Computer Security Incident Handling Guide (SP 800-61) with four phases: preparation (which also covers prevention); detection and analysis; containment, eradication and recovery; and post-incident activity.

Most cybersecurity companies will advise organizations on how best to implement an incident response process. A strong process can dramatically reduce the damage an organization suffers when disaster strikes. One problem remains, however: the speed at which the plan actually gets executed.

And this is where it gets interesting. Incident response has always been a highly manual area, dominated by static, pre-defined playbooks and high-level, generic response exercises that do not adequately prepare security teams for the pressure and complexity they face during an unfolding attack. It also involves the long hours of investigative work needed to build a complete picture of a cyberattack.

But the reality is that incident response is an area ripe for AI and automation to augment human teams.

As such, Darktrace unveiled HEAL, described as a first-of-its-kind ability to safely simulate real-world incidents customized to an organization’s own environment, along with bespoke AI-generated response playbooks that help prioritize remediation actions.

The final product in Darktrace’s Cyber AI Loop, HEAL uses AI that learns from each company’s own data to help its security team prepare for and respond to increasingly sophisticated attacks more effectively.

AI for incident response

HEAL leverages Darktrace’s self-learning AI to give security teams new abilities designed to build cyber resilience and help them more easily and confidently address live incidents. Put simply, security teams can:

  • Simulate real-world cyber incidents, allowing teams to prepare for and practice their response to complex attacks in their own environments.
  • Create bespoke, AI-generated playbooks as an attack unfolds based on the details of their environment, the attack, and lessons learned from their previous simulations. This reduces information overload, prioritizes actions, and enables faster decision-making at critical moments.
  • Automate actions from the response plan to rapidly stop and recover from the attack within the HEAL interface.
  • Create a full incident report, including an audit trail of the incident response with details of the attack, actions HEAL suggested, and actions taken by the security team for future learning and to support compliance efforts.

For example, when a live incident occurs, HEAL uses insights from Darktrace DETECT to build a picture of the attack and a bespoke, AI-generated response playbook, drawing on Darktrace’s knowledge of the incident, the business’s environment, and lessons learned from the security team’s previous simulations. It also recommends a priority order for remediation actions based on factors such as the further damage a compromised asset could cause, how heavily the attack relies on that asset as a pivot or entry point, and the asset’s importance to the business.

This lets security teams adapt their defenses as an incident evolves, ending it more rapidly and with less overall disruption.
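As an added example (not Darktrace’s code, and not a description of how HEAL itself ranks actions), the block below shows one generic way to turn the three prioritization factors named above into an ordered containment playbook, and to keep the kind of audit trail of suggested versus executed actions that the incident-report bullet describes. Pivot weight is taken from the observed attack path (how many other compromised hosts were reached through an asset), further damage from what the asset can still reach that is not yet compromised, and importance from a business criticality tag. The hostnames, attack path, reachability map, criticality scores and weights are all constructed for the example.

```python
"""Remediation prioritisation plus audit trail for a live incident (added example).

All hostnames, edges, criticality values and weights below are constructed.
"""
from collections import deque
from datetime import datetime, timezone
import json

# Hosts detection has flagged as compromised (constructed).
COMPROMISED = {"vpn-gw", "ws-017", "srv-file01", "dc-01"}

# Observed pivot path: "a": ["b"] means the attacker reached b from a.
ATTACK_EDGES = {
    "vpn-gw": ["ws-017"],
    "ws-017": ["srv-file01", "dc-01"],
    "srv-file01": [],
    "dc-01": [],
}

# What each compromised host can still reach on the network (constructed).
REACHABILITY = {
    "vpn-gw": ["ws-017", "ws-018", "ws-019"],
    "ws-017": ["srv-file01", "dc-01", "srv-erp01"],
    "srv-file01": ["srv-backup01"],
    "dc-01": ["srv-erp01", "srv-file01", "srv-backup01", "ws-018", "ws-019"],
}

# Business criticality: 1 = commodity endpoint, 3 = crown jewel.
CRITICALITY = {
    "vpn-gw": 2, "ws-017": 1, "srv-file01": 2, "dc-01": 3,
    "srv-erp01": 3, "srv-backup01": 3, "ws-018": 1, "ws-019": 1,
}

# Factor weights are an assumption; a real system would tune them per environment.
W_PIVOT, W_DAMAGE, W_CRIT = 3, 2, 1


def downstream(graph, start):
    """All nodes reachable from `start` in `graph` (breadth-first), excluding start."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def score(asset):
    """Return (total, factor breakdown) for one compromised asset."""
    # Pivot weight: compromised hosts whose compromise hangs off this one.
    pivot = len(downstream(ATTACK_EDGES, asset) & COMPROMISED)
    # Further damage: criticality of reachable hosts that are not yet compromised.
    damage = sum(CRITICALITY.get(h, 1)
                 for h in REACHABILITY.get(asset, []) if h not in COMPROMISED)
    crit = CRITICALITY.get(asset, 1)
    total = W_PIVOT * pivot + W_DAMAGE * damage + W_CRIT * crit
    return total, {"pivot": pivot, "damage": damage, "criticality": crit}


def prioritise(compromised):
    """Rank compromised assets, highest score first; ties broken by name."""
    ranked = [(asset, *score(asset)) for asset in compromised]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


class AuditTrail:
    """Append-only record of what the playbook suggested and what the team did."""

    def __init__(self):
        self.entries = []

    def record(self, action, asset, actor, reason, outcome="suggested"):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "asset": asset,
            "actor": actor,      # "playbook" for suggestions, analyst id for execution
            "reason": reason,    # score breakdown or the analyst's note
            "outcome": outcome,
        }
        self.entries.append(entry)
        return entry

    def report(self):
        return json.dumps(self.entries, indent=2)


def build_playbook(compromised, trail):
    """Turn the ranking into ordered containment steps, logging each suggestion."""
    steps = []
    for asset, total, parts in prioritise(compromised):
        trail.record("isolate_host", asset, "playbook", {"score": total, **parts})
        steps.append((asset, "isolate_host", total))
    return steps


if __name__ == "__main__":
    trail = AuditTrail()
    steps = build_playbook(COMPROMISED, trail)
    for asset, action, total in steps:
        print(f"{total:3d}  {action:<13} {asset}")
    # Analyst executes step 1; the trail now shows both suggestion and execution.
    trail.record(steps[0][1], steps[0][0], "analyst:jdoe", "approved step 1", "done")
    print(trail.report())
```

With the constructed data the domain controller ranks first (it can still reach the most critical uncompromised hosts), followed by the VPN gateway (the entry point the whole attack hangs off), then the pivot workstation and finally the file server; the factor breakdown stored in each audit entry is what an analyst would look at to agree or disagree with that order.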

Jack Stockdale, Chief Technology Officer, Darktrace commented, “At Darktrace, we build technology by looking at where AI can be the most valuable in augmenting the people in a security team and how it can have the most positive impact on their work. With HEAL, we’ve turned our attention to cyber resilience. We’re upskilling teams and reducing the overload analysts face during an attack, to help them recover and get back to business faster and more effectively.”

Another notable component of HEAL is its integration with tools across a business’s wider security stack to automate actions, which further helps security teams manage and recover from live incidents quickly and efficiently. Within HEAL’s live playbooks, teams can activate and manage authorized tools from across their environment from a single interface, with a click of a button. At launch, HEAL will integrate with Microsoft Defender for Endpoint, Intune, Microsoft 365, Veeam, and Acronis.

“With the closing of Darktrace’s full Cyber AI Loop, security teams can maximize the time and talent of their human teams, enabling them to focus on critical and complex tasks with the knowledge that Darktrace AI is autonomously working in the background to prevent, detect, respond, and heal from cyber-attacks in a continuous, reinforcing loop,” added Stockdale.

Organizations such as the City of Las Vegas, which hosts 32 million visitors each year along with high-profile events like the Super Bowl and the Las Vegas Grand Prix, have already adopted HEAL to build confidence that their teams and processes are ready to remediate and recover if an attack occurs.