Dynamic cyber-incident response

Permission to make digital or hard copies of this publication for internal use within NATO and for personal or educational use when for non-profi t or non-commercial purposes is granted providing that copies bear this notice and a full citation on the first page. Any other reproduction or transmission requires prior written permission by NATO CCD COE.Traditional cyber-incident response models have not changed significantly since the early days of the Computer Incident Response with even the most recent incident response life cycle model advocated by the US National Institute of Standards and Technology (Cichonski, Millar, Grance, & Scarfone, 2012) bearing a striking resemblance to the models proposed by early leaders in the field e.g. Carnegie-Mellon University (West-Brown, et al., 2003) and the SANS Institute (Northcutt, 2003). Whilst serving the purpose of producing coherent and effective response plans, these models appear to be created from the perspectives of Computer Security professionals with no referenced academic grounding. They attempt to defend against, halt and recover from a cyber-attack as quickly as possible. However, other actors inside an organisation may have priorities which conflict with these traditional approaches and may ultimately better serve the longer-term goals and objectives of an organisation

Sonification of Network Traffic Flow for Monitoring and Situational Awareness

Maintaining situational awareness of what is happening within a network is challenging, not least because the behaviour happens within computers and communications networks, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation is widely used to present information about the dynamics of network traffic dynamics. Although it provides operators with an overall view and specific information about particular traffic or attacks on the network, it often fails to represent the events in an understandable way. Visualisations require visual attention and so are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Situational awareness is critical and essential for decision-making in the domain of computer network monitoring where it is vital to be able to identify and recognize network environment behaviours.Here we present SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system to be used in the monitoring of computer networks to support the situational awareness of network administrators. SoNSTAR provides an auditory representation of all the TCP/IP protocol traffic within a network based on the different traffic flows between between network hosts. SoNSTAR raises situational awareness levels for computer network defence by allowing operators to achieve better understanding and performance while imposing less workload compared to visual techniques. SoNSTAR identifies the features of network traffic flows by inspecting the status flags of TCP/IP packet headers and mapping traffic events to recorded sounds to generate a soundscape representing the real-time status of the network traffic environment. Listening to the soundscape allows the administrator to recognise anomalous behaviour quickly and without having to continuously watch a computer screen.Comment: 17 pages, 7 figures plus supplemental material in Github repositor

Insight:an application of information visualisation techniques to digital forensics investigations

As digital devices are becoming ever more ubiquitous in our day to day lives, more of our personal information and behavioural patterns are recorded on these devices. The volume of data held on these devices is substantial, and people investigating these datasets are facing growing backlog as a result. This is worsened by the fact that many software tools used in this area are text based and do not lend themselves to rapid processing by humans.This body of work looks at several case studies in which these datasets were visualised in attempt to expedite processing by humans. A number of different 2D and 3D visualisation methods were trialled, and the results from these case studies fed into the design of a final tool which was tested with the assistance of a group of individuals studying Digital Forensics.The results of this research show some encouraging results which indicate visualisation may assist analysis in some aspects, and indicates useful paths for future work

Expanding alliance: ANZUS cooperation and Asia–Pacific security

Is an alliance conceived as a bulwark against a resurgence of Japanese militarism and which cut its military and intelligence teeth in the Cold War is still relevant to today’s strategic concerns? Overview The alliance between Australia and the US, underpinned by the formal ANZUS Treaty of 1951, continues to be a central part of Australian defence and security thinking and an instrument of American policy in the Asia–Pacific. How is it that an alliance conceived as a bulwark against a resurgence of Japanese militarism and which cut its military and intelligence teeth in the Cold War is still relevant to today’s strategic concerns? The answer is partly—and importantly—that the core values of the ANZUS members are strongly aligned, and successive Australian governments and American presidential administrations have seen great value in working with like-minded partners to ensure Asia–Pacific security. Far from becoming a historical curiosity, today it’s not just relevant, but of greater importance than has been the case in the past few decades. To explore new ideas on how to strengthen the US–Australia alliance, ASPI conducted a high-level strategic dialogue in Honolulu in July this year. Discussions canvassed the future strategic environment; the forthcoming Australian Defence White Paper; budget, sovereignty and expectation risks; and cooperation in the maritime, land, air, cyber, space and intelligence domains. A key purpose of the Honolulu dialogue was to help ASPI develop policy recommendations on the alliance relationship for government. This report is the product of those discussions