8 research outputs found

    Capabilities and Skill Configurations of Information Security Incident Responders

    This paper identifies skill sets that contribute to effective InfoSec incident response. Even though many organizations have staff dedicated to InfoSec incident response teams, there is a lack of consensus as to the skill set each team member needs to effectively perform his/her job, and the general and specialized skills that need to be represented in incident response teams (but usually not all held by each team member). Previous guidance was offered based on non-empirical methods. In this study, we used the Repertory Grid (RepGrid) method to elicit lists of incident response skills from industry experts. Skill archetypes were then identified by clustering incident responders who share similar characteristics. The findings extend the Theory of Resource Complements and provide managers with practical guidance regarding the skill sets most critical to the incident response role.

    Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014


    How National CSIRTs Leverage Public Data, OSINT and Free Tools in Operational Practices: An Empirical Study

    Computer Security Incident Response Teams (CSIRTs) have been established at national and organisational levels to coordinate responses to computer security incidents. It is known that many CSIRTs, including national CSIRTs, routinely use public data, open-source intelligence (OSINT) and free tools in their work. However, the current literature lacks research on how such data and tools are used and perceived by the staff of national CSIRTs in their operational practices. To fill this research gap, an online survey and twelve follow-up semi-structured interviews with staff of thirteen national CSIRTs from Asia, Europe, the Caribbean and North America were carried out. The aim was to gain detailed insights into how such data and tools are used and perceived by staff in national CSIRTs. The study was conducted in two stages: first with MyCERT (Malaysia's national CSIRT) to get some initial results, and then with twelve other national CSIRTs to enlarge the results from the first stage. Thirteen participants from MyCERT completed the survey and seven of them took part in a semi-structured interview; twelve participants from eleven other national CSIRTs took the survey and five participants from five national CSIRTs took an interview. Results from the survey and the interviews led to three main findings. First, the active use of public data, OSINT and free tools by national CSIRT staff was confirmed, e.g., all 25 participants had used public data for incident investigation. Second, all except two (i.e., 23 out of 25, 92%) participants perceived public data, OSINT and free tools to be useful in their operational practices. Third, there are a number of operational challenges regarding the use of public data, OSINT and free tools. In particular, there is a lack of standard and systematic approaches on how such data and tools are used across different national CSIRTs. There is also a lack of standard and systematic processes for validating such data and tools. These findings call for further research and development of guidelines to help CSIRTs use such data and tools more effectively and more efficiently.

    Building General Knowledge of Mechanisms in Information Security

    We show how more general knowledge can be built in information security by building knowledge of mechanism clusters, some of which are multifield. By doing this, we address in a novel way the longstanding philosophical problem of how, if at all, we come to have knowledge that is in any way general, when we seem to be confined to particular experiences. We also address the issue of building knowledge of mechanisms by studying an area that is new to the mechanisms literature: the methods of what we shall call mechanism discovery in information security. This domain offers a fascinating novel constellation of challenges for building more general knowledge. Specifically, the building of stable communicable mechanistic knowledge is impeded by the inherent changeability of software, which is deployed by malicious actors constantly changing how their software attacks, and also by an ineliminable secrecy concerning the details of attacks, not just by attackers (black hats) but also by information security defenders (white hats) as they protect their methods from both attackers and commercial competitors. We draw out ideas from the work of the mechanists Darden, Craver, and Glennan to yield an approach to how general knowledge of mechanisms can be painstakingly built. We then use three related examples of active research problems from information security (botnets, computer network attacks, and malware analysis) to develop philosophical thinking about building general knowledge using mechanisms, and also apply this to develop insights for information security. We show that further study would be instructive both for practitioners (who might welcome the help in conceptualizing what they do) and for philosophers (who will find novel insights into building general knowledge of a highly changeable domain that has been neglected within philosophy of science).

    Measuring the performance of a Security Operations Centre (SOC) analyst: An industry-validated approach based on weighted SOC functions

    Analysts who work in Security Operations Centres (SOCs) play a vital role in helping organisations protect their computer network systems against cyber attacks. It is the responsibility of an analyst to monitor, detect, investigate, and respond to cyber security incidents. It is essential, therefore, for analysts to maintain a high level of human performance, because poor performance could negatively impact the overall efficiency of a SOC. To manage analysts effectively and efficiently, SOC managers use performance metrics to measure analysts' performance. However, the existing literature indicates that current metrics are inadequate because they overlook the key facets of analysts' work. The literature also reveals a lack of a systematic approach for measuring analysts' performance. Despite these problems, there has been very little effort by cyber security researchers to improve performance measurement methods for analysts. This study proposes a widely applicable method (referred to as the Security Operations Centre Analyst Assessment Method (SOC-AAM)) for measuring the performance of an analyst, developed using the Design Science Research Process (DSRP). The novelty of the proposed method is that it captures the most common and significant analyst functions and has the potential to be adopted by SOCs worldwide. The proposed method simplifies the process of measuring analyst performance by consolidating existing assessment methods and providing a new formal method. Additionally, it provides a novel guideline for assessing the quality of incident analysis and the quality of incident reports. The results of an empirical testing and evaluation of the SOC-AAM show that it offers a useful, easy-to-use and comprehensive approach to measuring an analyst's performance. The SOC-AAM will help SOC managers overcome the limitations of current performance metrics by offering a systematic method for measuring an analyst's performance. It would also help analysts to demonstrate their performance across a variety of functions.

    Human decision-making in computer security incident response

    Background: Cybersecurity has risen to international importance. Almost every organization will fall victim to a successful cyberattack. Yet, guidance for computer security incident response analysts is inadequate. Research Questions: What heuristics should an incident analyst use to construct general knowledge and analyse attacks? Can we construct formal tools to enable automated decision support for the analyst with such heuristics and knowledge? Method: We take an interdisciplinary approach. To answer the first question, we use the research tradition of philosophy of science, specifically the study of mechanisms. To answer the question on formal tools, we use the research tradition of program verification and logic, specifically Separation Logic. Results: We identify several heuristics from the biological sciences that cybersecurity researchers have re-invented to varying degrees. We consolidate the new mechanisms literature to yield heuristics related to the fact that knowledge is of clusters of multi-field mechanism schemas on four dimensions. General knowledge structures such as the intrusion kill chain provide context and provide hypotheses for filling in details. The philosophical analysis answers this research question, and also provides constraints on building the logic. Finally, we succeed in defining an incident analysis logic resembling Separation Logic and translating the kill chain into it as a proof of concept. Conclusion: These results benefit incident analysis, enabling it to expand from a tradecraft or art to also integrate science. Future research might realize our logic as automated decision support. Additionally, we have opened the field of cybersecurity to collaboration with philosophers of science and logicians.

    Technology Assessment of Dual-Use ICTs - How to Assess Diffusion, Governance and Design

    Technologies that can be used in military and civilian applications are referred to as dual-use. The dual-use nature of many information and communications technologies (ICTs) raises new questions for research and development for national, international, and human security. Measures to deal with the risks associated with the various dual-use technologies, including proliferation control, design approaches, and policy measures, vary widely. For example, Autonomous Weapon Systems (AWS) have not yet been regulated, while cryptographic products are subject to export and import controls. Innovations in artificial intelligence (AI), robotics, cybersecurity, and automated analysis of publicly available data raise new questions about their respective dual-use risks. Dual-use risks have so far been systematically discussed especially in the life sciences, which have contributed to the development of methods for assessment and risk management. Dual-use risks arise, among other things, from the fact that safety-critical technologies can be easily disseminated or modified, as well as used as part of a weapon system. Therefore, the development and adaptation of robots and software requires an independent consideration that builds on the insights of related dual-use discourses. Accordingly, this dissertation considers the management of such risks in terms of the proliferation, regulation, and design of individual dual-use information technologies. Technology Assessment (TA) is the epistemological framework for this work, bringing together the concepts and approaches of Critical Security Studies (CSS) and Human-Computer Interaction (HCI) to help evaluate and shape dual-use technologies. In order to identify the diffusion of dual-use technologies at an early stage, the dissertation first examines the diffusion of dual-use innovations between civilian and military research in expert networks on LinkedIn, as well as on the basis of AI patents in a patent network. The results show low diffusion and tend to confirm existing studies on diffusion in patent networks. In the following section, the regulation of dual-use technologies is examined through two case studies. The first study uses a discourse analysis to show the value conflicts with regard to the regulation of autonomous weapons systems using the concept of Meaningful Human Control (MHC), while a second study, as a long-term comparative case study, analyzes the change and consequences of the regulation of strong cryptography in the U.S. as well as the programs of intelligence agencies for mass surveillance. Both cases point to the central role of private companies, both in the production of AWS and as intermediaries for the dissemination of encryption, as well as surveillance intermediaries. Subsequently, the dissertation examines the design of a dual-use technology using an Open Source Intelligence System (OSINT) for cybersecurity. For this purpose, conceptual, empirical, and technical studies are conducted as part of the Value-Sensitive Design (VSD) framework. During the studies, implications for research on and design of OSINT were identified. For example, the representative survey of the German population has shown that transparency of use, while reducing mistrust, is associated with higher acceptance of such systems. Additionally, it has been shown that data sparsity through the use of expert networks has many positive effects, not only improving the performance of the system but also being preferable for legal and social reasons. Thus, the work contributes to the understanding of specific dual-use risks of AI, the regulation of AWS and cryptography, and the design of OSINT in cybersecurity. By combining concepts from CSS and participatory design methods in HCI, this work provides an interdisciplinary and multi-method contribution.