Measured Response

We can all agree that automating coarse responses like firewall rules to block networks is a bad idea. To be clear, that is not what I am advocating. For this model of automated response we need granular response actions, and, if warranted, we chain a few of them together as appropriate. We should be able to graduate the response from simple forensic information gathering all the way up to process termination. Response actions should include:

Record all the open network connections to the process or system in question
Gather relevant process information like open files, open descriptors, memory map, environment variables, current user context, current binary executing in the process, instruction pointer value, etc.
Generate a core-like dump of the process memory space (or a relevant portion)
Fail or grant access to specific files or other system resources
Introduce system call delays relative to the severity
Terminate a specific network connection
Terminate a specific process

For now, response selection should probably remain human-decided and, to a degree, configuration-driven, so the output of the co-stimulation phase needs to be human-mappable to a chain of response actions. Ideally, response actions carry precedence attributes that follow the order of volatility (remember Venema and Farmer), so the response system can automatically chain multiple responses in the appropriate order without the operator having to think about it.
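As an added sketch (not code from the original post) of what such a precedence-driven chain could look like: the action names, the severity labels, the policy table and the process snapshot are all assumed placeholders. The point it demonstrates is that the operator only lists which granular actions apply per severity, and the planner orders them by volatility so that evidence is captured before anything destructive runs.

```python
import copy
from enum import IntEnum
# Precedence follows the order of volatility (Farmer and Venema): most volatile first, destructive last.
class Volatility(IntEnum):
    NETWORK_STATE = 1    # open connections vanish once a socket closes
    PROCESS_STATE = 2    # fds, maps, environment, user context, binary, IP value
    PROCESS_MEMORY = 3   # core-like dump of (part of) the address space
    RESOURCE_ACCESS = 4  # fail or grant access to files and other resources
    SYSCALL_DELAY = 5    # slow the process down, scaled to severity
    KILL_CONNECTION = 6  # destructive: terminate one network connection
    KILL_PROCESS = 7     # destructive: terminate the process itself

# Hypothetical handlers: each takes (snapshot, severity, journal) and journals what it captured or changed.
def record_connections(p, sev, j): j.append(("connections", list(p["connections"])))
def gather_process_info(p, sev, j): j.append(("info", {k: p[k] for k in ("exe", "uid", "fds")}))
def dump_memory(p, sev, j): j.append(("dump", f"core.{p['pid']}"))
def delay_syscalls(p, sev, j): j.append(("delay_ms", {"low": 0, "medium": 50, "high": 250}[sev]))
def kill_connection(p, sev, j): j.append(("closed", p["connections"].pop(0)))
def terminate_process(p, sev, j): p["alive"] = False; j.append(("killed", p["pid"]))

# Registry of granular actions: name -> (volatility precedence, handler).
ACTIONS = {
    "record_connections": (Volatility.NETWORK_STATE, record_connections),
    "gather_process_info": (Volatility.PROCESS_STATE, gather_process_info),
    "dump_memory": (Volatility.PROCESS_MEMORY, dump_memory),
    "delay_syscalls": (Volatility.SYSCALL_DELAY, delay_syscalls),
    "kill_connection": (Volatility.KILL_CONNECTION, kill_connection),
    "terminate_process": (Volatility.KILL_PROCESS, terminate_process),
}

# Operator-maintained mapping from co-stimulation output to a chain; deliberately out of order.
POLICY = {
    "low": ["gather_process_info", "record_connections"],
    "medium": ["delay_syscalls", "record_connections", "dump_memory", "kill_connection"],
    "high": ["terminate_process", "record_connections", "dump_memory", "gather_process_info"],
}

def plan_chain(severity):
    return sorted(POLICY[severity], key=lambda n: ACTIONS[n][0])  # order by precedence
def execute_chain(severity, snapshot):
    proc, journal = copy.deepcopy(snapshot), []  # never mutate the caller's snapshot
    for name in plan_chain(severity):
        if not proc["alive"]:  # nothing left to act on once the process is gone
            break
        ACTIONS[name][1](proc, severity, journal)
    return journal, proc
# Constructed sample snapshot standing in for what a real probe would collect.
SAMPLE_PROCESS = {"pid": 4242, "exe": "/usr/bin/example", "uid": 1000, "alive": True,
                  "fds": 7, "connections": ["10.0.0.5:443", "10.0.0.9:8443"]}
```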