A Design Science Artefact for Cyber Threat Detection and Actor Specific Communication

Over the past few decades, the number and variety of cyberattacks and malware patterns have increased immensely. As a countermeasure, computer emergency response teams were established with the responsibility of securing the cyber environment. However, recent studies revealed that currently performed manual processes and the unavailability of adequate tools impede the achievement of cybersecurity. To address these challenges, we followed the Design Science paradigm to develop an artefact that improves the evaluation of open-source intelligence obtained from Twitter as well as the actor-specific communication of cyber threat information. Subsequently, the implemented artefact will be evaluated through semi-structured interviews with subject matter experts. This research in progress article presents the identified research gap and describes the development process and the endeavor to contribute to the cybersecurity domain theoretically with design principles for the development of an instrument and practically by implementing an artefact that supports domain experts in their work

Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives

In the last couple of years, organizations have demonstrated an increased willingness to exchange information and knowledge regarding vulnerabilities, threats, incidents and mitigation strategies in order to collectively protect against today’s sophisticated cyberattacks. As a reaction to this trend, software vendors started to create offerings that facilitate this exchange and appear under the umbrella term “Threat Intelligence Sharing Platforms”. To which extent these platforms provide the needed means for exchange and information sharing remains unclear as they lack a common definition, innovation in this area is mostly driven by vendors and empirical research is rare. To close this gap, we examine the state-of-the-art software vendor landscape of these platforms, identify gaps and present arising research perspectives. Therefore, we conducted a systematic study of 22 threat intelligence sharing platforms and compared them. We derived eight key findings and discuss how existing gaps should be addressed by future research

How Good is Your Data? Investigating the Quality of Data Generated During Security Incident Response Investigations

An increasing number of cybersecurity incidents prompts organizations to explore alternative security solutions, such as threat intelligence programs. For such programs to succeed, data needs to be collected, validated, and recorded in relevant datastores. One potential source supplying these datastores is an organization’s security incident response team. However, researchers have argued that these teams focus more on eradication and recovery and less on providing feedback to enhance organizational security. This prompts the idea that data collected during security incident investigations may be of insufficient quality for threat intelligence analysis. While previous discussions focus on data quality issues from threat intelligence sharing perspectives, minimal research examines the data generated during incident response investigations. This paper presents the results of a case study identifying data quality challenges in a Fortune 500 organization’s incident response team. Furthermore, the paper provides the foundation for future research regarding data quality concerns in security incident response

On the assessment of completeness and timeliness of actionable cyber threat intelligence artefacts

In this paper we propose an approach for hunting adversarial tactics technics and procedures (TTPs) by leveraging information described in structured cyber threat intelligence (CTI) models. We focused on the properties of timeliness and completeness of CTI indicators to drive the discovery of TTPs placed highly on the so-called Pyramid of Pain (PoP). We used the unit42 playbooks dataset to evaluate the proposed approach and illustrate the limitations and opportunities of a systematic intelligence sharing process for high pain TTP discovery

Improving the Security of Critical Infrastructure: Metrics, Measurements, and Analysis

In this work, we propose three important contributions needed in the process of improving the security of the critical infrastructure: metrics, measurement, and analysis. To improve security, metrics are key to ensuring the accuracy of the assessment and evaluation. Measurements are the core of the process of identifying the causality and effectiveness of various behaviors, and accurate measurement with the right assumptions is a cornerstone for accurate analysis. Finally, contextualized analysis essential for understanding measurements. Different results can be derived for the same data according to the analysis method, and it can serve as a basis for understanding and improving systems security. In this dissertation, we look at whether these key concepts are well demonstrated in existing (networked) systems and research products. In the first thrust, we verified the validity of volume-based contribution evaluation metrics used in threat information sharing systems. Further, we proposed a qualitative evaluation as an alternative to supplement the shortcomings of the volume-based evaluation method. In the second thrust, we measured the effectiveness of the low-rate DDoS attacks in a realistic environment to highlight the importance of establishing assumptions grounded in reality for measurements. Moreover, we theoretically analyzed the low-rate DDoS attacks and conducted additional experiments to validate them. In the last thrust, we conducted a large-scale measurement and analyzed the behaviors of open resolvers, to estimate the potential threats of them. We then went beyond just figuring out the number of open resolvers and explored new implications that the behavioral analysis could provide. We also experimentally shown the existence of forwarding resolvers and their behavior by precisely analyzing DNS resolution packets

Cyber Threats and NATO 2030: Horizon Scanning and Analysis

The book includes 13 chapters that look ahead to how NATO can best address the cyber threats, as well as opportunities and challenges from emerging and disruptive technologies in the cyber domain over the next decade. The present volume addresses these conceptual and practical requirements and contributes constructively to the NATO 2030 discussions. The book is arranged in five short parts...All the chapters in this book have undergone double-blind peer review by at least two external experts.https://scholarworks.wm.edu/asbook/1038/thumbnail.jp

Ausgewählte Chancen und Herausforderungen der digitalen Transformation für die Produktentwicklung und Unternehmensorganisation im Finanzdienstleistungssektor

Vor dem Hintergrund der digitalen Transformation sind Finanzdienstleistungsunternehmen auf unterschiedlichen Ebenen zahlreichen Chancen sowie Herausforderungen ausgesetzt. Während der Einsatz neuer Technologien die Optimierung bestehender Geschäftsprozesse sowie das Angebot digitalisierter Finanzdienstleistungen ermöglicht, geht dies zugleich mit veränderten Arbeitsbedingungen innerhalb der Unternehmensorganisation einher. Darüber hinaus sind Finanzdienstleister dazu angehalten die sich ändernden Kundenerwartungen bei den bisherigen Geschäftsaktivitäten sowie bei der Produktentwicklung zu berücksichtigen. Das Ziel der vorliegenden kumulativen Dissertation ist es, bestehende Forschungsdesiderate hinsichtlich der Auswirkungen der digitalen Transformation auf den Finanzdienstleistungssektor, differenziert nach der Kunden- und Produktperspektive sowie der internen Unternehmensperspektive, vertiefend zu analysieren. Das Technology-Organization-Environment (TOE)-Framework von DePietro et al. (1990) wird dabei als theoretischer Rahmen zur Einordnung und Strukturierung der Forschungsmodule verwendet. Die Ergebnisse der acht Module zeigen, dass die Kundenbedürfnisse und –erwartungen im Finanzdienstleistungssektor verstärkt von der digitalen Transformation beeinflusst werden. Dies zeigt sich in der Beratungstätigkeit bspw. durch das Angebot neuer Kundenkanäle sowie der aus dem steigenden Wettbewerbsdruck resultierenden erhöhten Preistransparenz. Im Rahmen der Produktentwicklung sind zudem u. a. ESG-Risiken und Silent Cyber-Risiken zu beachten. Aus der Analyse der Auswirkungen der digitalen Transformation auf die Unternehmensorganisation geht hervor, dass über den Einsatz digitaler Innovationen innerhalb des Backoffice die Realisation von Effizienzgewinnen sowie das Entgegenwirken eines Personalmangels möglich ist. Darüber hinaus wird in den Modulen der Einfluss des Faktors Mensch auf die Cyber-Sicherheit hervorgehoben. Während dieser einerseits als „schwächstes Glied“ und potenzielles Angriffsziel im Sicherheitskonstrukt der Unternehmen dargestellt wird, ist andererseits das Potenzial der Beschäftigten zur Frühwarnung zu berücksichtigen

Architecture-centric support for security orchestration and automation

Security Orchestration, Automation and Response (SOAR) platforms leverage integration and orchestration technologies to (i) automate manual and repetitive labor-intensive tasks, (ii) provide a single panel of control to manage various types of security tools (e.g., intrusion detection system, antivirus and firewall) and (iii) streamline complex Incident Response Process (IRP) responses. SOAR platforms increase the operational efficiency of overwhelmed security teams in a Security Operation Centre (SOC) and accelerate the SOC’s defense and response capacity against ever-growing security incidents. Security tools, IRPs and security requirements form the underlying execution environment of SOAR platforms, which are changing rapidly due to the dynamic nature of security threats. A SOAR platform is expected to adapt continuously to these dynamic changes. Flexible integration, interpretation and interoperability of security tools are essential to ease the adaptation of a SOAR platform. However, most of the effort for designing and developing existing SOAR platforms are ad-hoc in nature, which introduces several engineering challenges and research challenges. For instance, the advancement of a SOAR platform increases its architectural complexity and makes the operation of such platforms difficult for end-users. These challenges come from a lack of a comprehensive view, design space and architectural support for SOAR platforms. This thesis aims to contribute to the growing realization that it is necessary to advance SOAR platforms by designing, implementing and evaluating architecture-centric support to address several of the existing challenges. The envisioned research and development activities require the identification of current practices and challenges of SOAR platforms; hence, a Multivocal Literature Review (MLR) has been designed, conducted and reported. The MLR identifies the functional and non-functional requirements, components and practices of a security orchestration domain, along with the open issues. This thesis advances the domain of a SOAR platform by providing a layered architecture, which considers the key functional and non-functional requirements of a SOAR platform. The proposed architecture is evaluated experimentally with a Proof of Concept (PoC) system, Security Tool Unifier (STUn), using seven security tools, a set of IRPs and playbooks. The research further identifies the need for and design of (i) an Artificial Intelligence (AI) based integration framework to interpret the activities of security tools and enable interoperability automatically, (ii) a semantic-based automated integration process to integrate security tools and (iii) AI-enabled design and generation of a declarative API from user query, namely DecOr, to hide the internal complexity of a SOAR platform from end-users. The experimental evaluation of the proposed approaches demonstrates that (i) consideration of architectural design decisions supports the development of an easy to interact with, modify and update SOAR platform, (ii) an AI-based integration framework and automated integration process provides effective and efficient integration and interpretation of security tools and IRPs and (iii) DecOr increases the usability and flexibility of a SOAR platform. This thesis is a useful resource and guideline for both practitioners and researchers who are working in the security orchestration domain. It provides an insight into how an architecture-centric approach, with incorporation of AI technologies, reduces the operational complexity of SOAR platforms.Thesis (Ph.D.) -- University of Adelaide, School of Computer Science, 202