Enterprises are constantly under attack from sophisticated adversaries. These adversaries use a variety of techniques to first gain access to the enterprise, then move laterally inside its networks, establish persistence, and finally exfiltrate sensitive data or hold it for ransom. Historically, enterprises have deployed a range of detection and incident response systems that monitor hosts, servers, or network devices and report suspected threats, but these systems typically require many analysts to triage and respond to the alerts they raise. The sheer volume of alerts, combined with the risk of missing a genuine threat, makes the analyst's task challenging. To ease this manual and laborious process, researchers have proposed a variety of systems that perform automated attack investigation. Such systems collect data, track causally related events, and present the analyst with an interpretable summary of the attack. In this paper, we survey systems that perform automated attack investigation and compare them based on their designs, goals, and heuristics. We discuss the challenges these systems face and compare them in terms of their effectiveness, practicality, and ability to address those challenges. We conclude by discussing the future of these systems and the open problems in this area.
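The "track causally related events" step is the core of the systems the abstract describes: audit records are turned into a dependency graph whose edges follow information flow, and the analyst's alert is explained by tracing that graph backward to the entry point and forward to everything the intrusion touched. The following is an added illustration written for this page, not code from the survey or from any system it covers. The audit trail, the entity names (`pid:`, `file:`, `sock:` prefixes) and the operation set are constructed for the example; real systems ingest kernel audit logs and deal with far larger graphs, but the timestamp pruning shown here is the same basic guard against pulling in events that happened too late to have caused the alert.

```python
"""Minimal causal-dependency tracing over an audit trail (added example).

Builds a flow graph from constructed audit events and runs the two queries
automated attack-investigation systems rely on: a backward trace from an
alert to its origins, and a forward trace from an origin to everything it
affected. Timestamps prune edges that cannot be causal.
"""
from collections import defaultdict

# Constructed sample audit trail (not from any real system). Each record is
# (time, subject process, operation, object). The naming scheme is hypothetical.
SAMPLE_EVENTS = [
    (1,  "pid:100 bash", "fork",  "pid:101 curl"),
    (2,  "pid:101 curl", "recv",  "sock:198.51.100.7:443"),
    (3,  "pid:101 curl", "write", "file:/tmp/update.sh"),
    (4,  "pid:100 bash", "fork",  "pid:102 bash"),
    (5,  "pid:102 bash", "read",  "file:/tmp/update.sh"),
    (6,  "pid:102 bash", "fork",  "pid:103 nc"),
    (7,  "pid:103 nc",   "read",  "file:/etc/shadow"),
    (8,  "pid:103 nc",   "send",  "sock:198.51.100.7:4444"),
    (9,  "pid:200 sshd", "read",  "file:/etc/passwd"),       # unrelated activity
    (10, "pid:102 bash", "read",  "file:/etc/ld.so.cache"),  # after bash spawned nc
]

# Direction of information flow per operation: True means subject -> object.
SUBJECT_TO_OBJECT = {"fork": True, "exec": True, "write": True, "send": True,
                     "read": False, "recv": False}


def build_graph(events):
    """Return (incoming, outgoing) adjacency maps of timestamped flow edges."""
    incoming = defaultdict(list)   # dst -> [(src, t)]
    outgoing = defaultdict(list)   # src -> [(dst, t)]
    for t, subj, op, obj in events:
        src, dst = (subj, obj) if SUBJECT_TO_OBJECT[op] else (obj, subj)
        incoming[dst].append((src, t))
        outgoing[src].append((dst, t))
    return incoming, outgoing


def backward_trace(events, entity, t_alert):
    """Entities that could have influenced `entity` as of `t_alert`.

    Returns {entity: latest time at which it mattered}. An edge src->dst at
    time t is followed only if t <= the time dst is known to be relevant,
    so events that happened after the effect they would explain are pruned.
    """
    incoming, _ = build_graph(events)
    reach = {entity: t_alert}
    work = [(entity, t_alert)]
    while work:
        node, t_max = work.pop()
        for src, t in incoming[node]:
            if t <= t_max and reach.get(src, -1) < t:
                reach[src] = t          # widen the window if seen earlier with a smaller time
                work.append((src, t))
    return reach


def forward_trace(events, entity, t_start):
    """Entities reachable from `entity` through flows at or after `t_start`."""
    _, outgoing = build_graph(events)
    reach = {entity: t_start}
    work = [(entity, t_start)]
    while work:
        node, t_min = work.pop()
        for dst, t in outgoing[node]:
            if t >= t_min and reach.get(dst, float("inf")) > t:
                reach[dst] = t
                work.append((dst, t))
    return reach


def origins(events, entity, t_alert):
    """Backward-traced entities with no recorded causal input of their own."""
    incoming, _ = build_graph(events)
    reach = backward_trace(events, entity, t_alert)
    return sorted(n for n, t_max in reach.items()
                  if not any(t <= t_max for _, t in incoming[n]))


if __name__ == "__main__":
    alert = ("pid:103 nc", 8)   # e.g. an outbound-connection alert raised on nc
    print("backward:", sorted(backward_trace(SAMPLE_EVENTS, *alert)))
    print("origins:", origins(SAMPLE_EVENTS, *alert))
    print("forward from C2:", sorted(forward_trace(SAMPLE_EVENTS, "sock:198.51.100.7:443", 2)))
```

Two details are worth noticing. The backward trace from the `nc` alert reaches `curl` and the 443 socket through `/tmp/update.sh`, but not `bash`'s read of `/etc/ld.so.cache`, because that read (t=10) postdates the fork that made `bash` relevant (t=6); without the time check the trace would absorb everything the shell ever touched. The origin list also includes `/etc/shadow`, since the trail records no writer for it; real systems face the same issue with pre-existing files and long-lived processes, which is one reason the survey's systems lean on heuristics to rank and prune the resulting graph.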