    Review of human decision-making during computer security incident analysis

    We review practical advice on decision-making during computer security incident response. The scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is limited to the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is the available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in the explication and specification of decision-making during incident analysis.

    Maritime Cyber Security Incident Data Reporting for Autonomous Ships

    The main research objective of this thesis was to find a suitable data model to be used for incident reporting purposes in the use case of autonomous shipping. To reach this objective, some research into the maritime industry, autonomous shipping, and incident management and reporting was needed. Research into these topics was conducted via a literature review. After these topics were investigated, some current incident data modeling and sharing methods were researched. Of these, IODEF seemed the most suitable for our use case, so it was chosen for further inspection. The IODEF specification was examined more closely, and it was ultimately concluded that the IODEF data model is suitable for reporting incident data from autonomous ships to the shore control center. However, the model was still missing some key information needed for this use case, so an extension to the data model was designed. The data model and extension were then put to the test via different use scenarios to assess their applicability to the needs of autonomous shipping. From these use scenarios it was inferred that the model is applicable to the many different incident data reporting needs of autonomous shipping. Further analysis and testing were then conducted, including a transport test over cellular and satellite connections. The test and analysis further validated the use of the data model. All in all, the research was a success and a good data model was found for reporting incidents from autonomous ships. The work on the data model will continue beyond this thesis.

    Human decision-making in computer security incident response

    Background: Cybersecurity has risen to international importance. Almost every organization will fall victim to a successful cyberattack. Yet, guidance for computer security incident response analysts is inadequate. Research Questions: What heuristics should an incident analyst use to construct general knowledge and analyse attacks? Can we construct formal tools to enable automated decision support for the analyst with such heuristics and knowledge? Method: We take an interdisciplinary approach. To answer the first question, we use the research tradition of philosophy of science, specifically the study of mechanisms. To answer the question on formal tools, we use the research tradition of program verification and logic, specifically Separation Logic. Results: We identify several heuristics from the biological sciences that cybersecurity researchers have re-invented to varying degrees. We consolidate the new mechanisms literature to yield heuristics related to the fact that knowledge consists of clusters of multi-field mechanism schemas on four dimensions. General knowledge structures such as the intrusion kill chain provide context and supply hypotheses for filling in details. The philosophical analysis answers this research question and also provides constraints on building the logic. Finally, we succeed in defining an incident analysis logic resembling Separation Logic and translating the kill chain into it as a proof of concept. Conclusion: These results benefit incident analysis, enabling it to expand from a tradecraft or art to also integrate science. Future research might realize our logic as automated decision support. Additionally, we have opened the field of cybersecurity to collaboration with philosophers of science and logicians.