Automatic Incident Response — The Key to Robust Institutional Cybersecurity

Web3 users lost nearly $1 billion to various hacks, scams, and exploits as of August 2023. Q3 2023 alone saw over $700 million in losses.

Experts from the Forta community identified that projects fail to act in time and stop attacks, despite real-time threat detection by efficient detector bots. This stems from an excessive (or, obsessive) focus on code, vis-à-vis a more holistic approach to smart contract security.

Proactive threat mitigation is thus the need of the hour as blockchain-powered use cases regain traction after a year-long slump. The stakes are growing with a rise in daily Unique Active Wallet (dUAW) interactions, trading volumes, and institutional participation.

Forta’s Attack Detector Bot has already proven its mettle in real-time threat and anomaly detection using advanced AI and ML models. Their developers’ community is now leveraging OpenZeppelin’s innovative Incident Response (IR) framework to solve the prevention side of the problem.

The Significance of Automatic Threat Prevention

Web3 is one of the fastest growing industries, yet most Web3 protocols can’t stop an exploit even when it’s detected minutes in advance.

They ‘can’t do anything that fast.’ It takes about 24 hours to pause the protocol, which is often the only option to prevent identified threats. For an industry where scaling means succeeding, that’s more than an eternity.

An exchange or marketplace, where thousands of users move assets worth millions of dollars can’t take an entire day to respond to a threat. Because malicious actors are constantly inventing new ways to execute more devastating exploits—it’s their way of scaling.

The Web3 industry must either keep pace with its enemies or perish. There are no two ways about it.

However, hyper-centralized security architecture of Web2 isn’t an option. It’s crucial to build and adopt Web3-native systems based on progressive principles: decentralization, automation, transparency, and community-orientation.

To this end, code-based, self-executing threat mitigation and response systems are a perfect alternative. They unlock a holistic security paradigm where efficient detector bots and circuit breakers work in sync. And this groundbreaking development will particularly well serve institutional use cases, where the cost of exploit and cybersecurity are both very high.

How Incident Response (IR) Works

OpenZeppelin integrated IR into its Defender v2, enabling ‘you to instantly detect, respond, and resolve threats and attacks with predefined actions and scenarios.’

Besides conducting attack simulations and testing real-world scenarios, you can use IR to:

Build self-executing threat mitigation workflows that automatically perform preventive actions in pre-defined scenarios.
Combine IR with real-time threat detection and monitoring protocols to leverage the power of ML and AI in cybersecurity, identifying anomalous patterns and threats before they occur.
Reduce response time from ~24 hours to a few seconds at most.
Access ‘Runbooks’ to decentralize and streamline security operations across the board.

Actions

IR has two types of actions as its key building blocks: Automatic Actions and Transaction Templates. The former involves automated transactions triggered by Relayer data or multisigs; the latter represents on-demand transactions defined via no-code forms.

In simple terms, Actions are an intuitive, developer/user-friendly way of constructing IR scenarios. They can be used, for example, to pause smart contracts, blacklist potentially malicious addresses based on data analysis and pattern recognition, notify team members via on-call paging systems or other channels, pull critical information for threat analysis, revoke privileged access if necessary, etc.

Though easy to use, IR Actions cover every key aspect of Web3 threat mitigation, at least from the PoV of external or systemic attack vectors. When combined with high-quality, bug-free code, this will ensure the resilience Web3 ecosystems need as they mature.

Now, let’s see how automatic threat response will shape the future of web3 security.

Preventing Web3 Attacks with IR

Since October 2022, Forta’s ML-powered detector bots have identified many major hacks/exploits before they occurred: Team Finance ($15.8 million), DFX Finance ($7.5 million), and, above all, Euler Finance ($197 million).

In the Euler Finance case, for example, Forta raised three critical alerts before the exploitation. First, when the hackers funded their attack using Tornado Cash. Second, when they created the suspicious contract. Third, when they deployed the contract from a TC-funded EOA.

Forta’s victim identification bot could also identify Euler Finance as the target, before the attack. But even with multiple real-time alerts through all the attack stages, we couldn’t stop 2023’s biggest DeFi hack. It’s a collective failure.

Using IR, however, will help prevent such incidents in the future. Team members, project managers, and developers have little control over Web3 protocols once they’re deployed—it’s a good thing, even if it makes life difficult from a cybersecurity perspective. The point is: one can’t altogether blame them for not acting in time to stop attacks—they simply can’t.

Yet, with pre-defined, community-vetted incident response scenarios, it’s now possible to automatically trigger preventive measures based on alerts from Forta’s bots. For example, you can flag transactions involving Tornado Cash funding or suspicious Flashloans using alerts from respective detector bots.

It’s an effective way to delay attack transactions, at the least, giving the community or team members the time to take further action. And these are only two examples.

Since Forta is a community-driven network, you can build custom detector-mitigator bots to best serve your needs. You can also earn for your contributions via bounties, subscriptions, community rewards, and other revenue streams.

We’re promoting an all-inclusive, win-win scenario so that individual security analysts, developers, and end-users reap lucrative benefits while Web3 becomes more secure, more robust, and more resilient as a whole.

It’s a mission to transform the future of cybersecurity in a decentralized, community-driven manner. You are welcome to join us on this journey, scaling new heights all the way from the very beginning.