CRUSOE: A Toolset for Cyber Situational Awareness and Decision Support in Incident Handling

The growing size and complexity of today’s computer network make it hard to achieve and maintain so-called cyber situational awareness, i.e., the ability to perceive and comprehend the cyber environment and be able to project the situation in the near future. Namely, the personnel of cybersecurity incident response teams or security operation centers should be aware of the security situation in the network to effectively prevent or mitigate cyber attacks and avoid mistakes in the process. In this paper, we present a toolset for achieving cyber situational awareness in a large and heterogeneous environment. Our goal is to support cybersecurity teams in iterating through the OODA loop (Observe, Orient, Decide, Act). We designed tools to help the operator make informed decisions in incident handling and response for each phase of the cycle. The Observe phase builds on common tools for active and passive network monitoring and vulnerability assessment. In the Orient phase, the data on the network are structured and presented in a comprehensible and visually appealing manner. The Decide phase opens opportunities for decision-support systems, in our case, a recommender system that suggests the most resilient configuration of the critical infrastructure. Finally, the Act phase is supported by a service that orchestrates network security tools and allows for prompt mitigation actions. Finally, we present lessons learned from the deployment of the toolset in the campus network and the results of a user evaluation study

Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability

[ES] La presente tesis doctoral realiza un análisis en detalle de los elementos de decisión necesarios para mejorar la comprensión de la situación en ciberdefensa con especial énfasis en la percepción y comprensión del analista de un centro de operaciones de ciberseguridad (SOC). Se proponen dos arquitecturas diferentes basadas en el análisis forense de flujos de datos (NF3). La primera arquitectura emplea técnicas de Ensemble Machine Learning mientras que la segunda es una variante de Machine Learning de mayor complejidad algorítmica (lambda-NF3) que ofrece un marco de defensa de mayor robustez frente a ataques adversarios. Ambas propuestas buscan automatizar de forma efectiva la detección de malware y su posterior gestión de incidentes mostrando unos resultados satisfactorios en aproximar lo que se ha denominado un SOC de próxima generación y de computación cognitiva (NGC2SOC). La supervisión y monitorización de eventos para la protección de las redes informáticas de una organización debe ir acompañada de técnicas de visualización. En este caso, la tesis aborda la generación de representaciones tridimensionales basadas en métricas orientadas a la misión y procedimientos que usan un sistema experto basado en lógica difusa. Precisamente, el estado del arte muestra serias deficiencias a la hora de implementar soluciones de ciberdefensa que reflejen la relevancia de la misión, los recursos y cometidos de una organización para una decisión mejor informada. El trabajo de investigación proporciona finalmente dos áreas claves para mejorar la toma de decisiones en ciberdefensa: un marco sólido y completo de verificación y validación para evaluar parámetros de soluciones y la elaboración de un conjunto de datos sintéticos que referencian unívocamente las fases de un ciberataque con los estándares Cyber Kill Chain y MITRE ATT & CK.[CA] La present tesi doctoral realitza una anàlisi detalladament dels elements de decisió necessaris per a millorar la comprensió de la situació en ciberdefensa amb especial èmfasi en la percepció i comprensió de l'analista d'un centre d'operacions de ciberseguretat (SOC). Es proposen dues arquitectures diferents basades en l'anàlisi forense de fluxos de dades (NF3). La primera arquitectura empra tècniques de Ensemble Machine Learning mentre que la segona és una variant de Machine Learning de major complexitat algorítmica (lambda-NF3) que ofereix un marc de defensa de major robustesa enfront d'atacs adversaris. Totes dues propostes busquen automatitzar de manera efectiva la detecció de malware i la seua posterior gestió d'incidents mostrant uns resultats satisfactoris a aproximar el que s'ha denominat un SOC de pròxima generació i de computació cognitiva (NGC2SOC). La supervisió i monitoratge d'esdeveniments per a la protecció de les xarxes informàtiques d'una organització ha d'anar acompanyada de tècniques de visualització. En aquest cas, la tesi aborda la generació de representacions tridimensionals basades en mètriques orientades a la missió i procediments que usen un sistema expert basat en lògica difusa. Precisament, l'estat de l'art mostra serioses deficiències a l'hora d'implementar solucions de ciberdefensa que reflectisquen la rellevància de la missió, els recursos i comeses d'una organització per a una decisió més ben informada. El treball de recerca proporciona finalment dues àrees claus per a millorar la presa de decisions en ciberdefensa: un marc sòlid i complet de verificació i validació per a avaluar paràmetres de solucions i l'elaboració d'un conjunt de dades sintètiques que referencien unívocament les fases d'un ciberatac amb els estàndards Cyber Kill Chain i MITRE ATT & CK.[EN] This doctoral thesis performs a detailed analysis of the decision elements necessary to improve the cyber defence situation awareness with a special emphasis on the perception and understanding of the analyst of a cybersecurity operations center (SOC). Two different architectures based on the network flow forensics of data streams (NF3) are proposed. The first architecture uses Ensemble Machine Learning techniques while the second is a variant of Machine Learning with greater algorithmic complexity (lambda-NF3) that offers a more robust defense framework against adversarial attacks. Both proposals seek to effectively automate the detection of malware and its subsequent incident management, showing satisfactory results in approximating what has been called a next generation cognitive computing SOC (NGC2SOC). The supervision and monitoring of events for the protection of an organisation's computer networks must be accompanied by visualisation techniques. In this case, the thesis addresses the representation of three-dimensional pictures based on mission oriented metrics and procedures that use an expert system based on fuzzy logic. Precisely, the state-of-the-art evidences serious deficiencies when it comes to implementing cyber defence solutions that consider the relevance of the mission, resources and tasks of an organisation for a better-informed decision. The research work finally provides two key areas to improve decision-making in cyber defence: a solid and complete verification and validation framework to evaluate solution parameters and the development of a synthetic dataset that univocally references the phases of a cyber-attack with the Cyber Kill Chain and MITRE ATT & CK standards.Llopis Sánchez, S. (2023). Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19424

Mission Assurance: A Review of Continuity of Operations Guidance for Application to Cyber Incident Mission Impact Assessment (CIMIA)

Military organizations have embedded information technology (IT) into their core mission processes as a means to increase operational efficiency, improve decision-making quality, and shorten the sensor-to-shooter cycle. This IT-to-mission dependence can place the organizational mission at risk when an information incident (e.g., the loss or manipulation of a critical information resource) occurs. Non-military organizations typically address this type of IT risk through an introspective, enterprise-wide focused risk management program that continuously identifies, prioritizes, and documents risks so an economical set of control measures (e.g., people, processes, technology) can be selected to mitigate the risks to an acceptable level. The explicit valuation of information resources in terms of their ability to support the organizational mission objectives provides transparency and enables the creation of a continuity of operations plan and an incident recovery plan. While this type of planning has proven successful in static environments, military missions often involve dynamically changing, time-sensitive, complex, coordinated operations involving multiple organizational entities. As a consequence, risk mitigation efforts tend to be localized to each organizational entity making the enterprise-wide risk management approach to mission assurance infeasible. This thesis investigates the concept of mission assurance and presents a content analysis of existing continuity of operations elements within military and non-military guidance to assess the current policy landscape to highlight best practices and identify policy gaps in an effort to further enhance mission assurance by improving the timeliness and relevance of notification following an information incident

Malware Type Recognition and Cyber Situational Awareness

Current technologies for computer network and host defense do not provide suitable information to support strategic and tactical decision making processes. Although pattern-based malware detection is an active research area, the additional context of the type of malware can improve cyber situational awareness. This additional context is an indicator of threat capability thus allowing organizations to assess information losses and focus response actions appropriately. Malware Type Recognition (MaTR) is a research initiative extending detection technologies to provide the additional context of malware types using only static heuristics. Test results with MaTR demonstrate over a 99% accurate detection rate and 59% test accuracy in malware typing

Quantifying Impact of Cyber Actions on Missions or Business Processes: A Multilayer Propagative Approach

Ensuring the security of cyberspace is one of the most significant challenges of the modern world because of its complexity. As the cyber environment is getting more integrated with the real world, the direct impact of cybersecurity problems on actual business frequently occur. Therefore, operational and strategic decision makers in particular need to understand the cyber environment and its potential impact on business. Cyber risk has become a top agenda item for businesses all over the world and is listed as one of the most serious global risks with significant financial implications for businesses. Risk analysis is one of the primary tools used in this endeavor. Impact assessment, as an integral part of risk analysis, tries to estimate the possible damage of a cyber threat on business. It provides the main insight into risk prioritization as it incorporates business requirements into risk analysis for a better balance of security and usability. Moreover, impact assessment constitutes the main body of information flow between technical people and business leaders. Therefore, it requires the effective synergy of technological and business aspects of cybersecurity for protection against cyber threats. The purpose of this research is to develop a methodology to quantify the impact of cybersecurity events, incidents, and threats. The developed method addresses the issue of impact quantification from an interdependent system of systems point of view. The objectives of this research are (1) developing a quantitative model to determine the impact propagation within a layer of an enterprise (i.e., asset, service or business process layer); (2) developing a quantitative model to determine the impact propagation among different layers within an enterprise; (3) developing an approach to estimate the economic cost of a cyber incident or event. Although there are various studies in cybersecurity risk quantification, only a few studies focus on impact assessment at the business process layer by considering ripple effects at both the horizontal and vertical layers. This research develops an approach that quantifies the economic impact of cyber incidents, events and threats to business processes by considering the horizontal and vertical interdependencies and impact propagation within and among layers

DEFINING, MEASURING, AND ANALYZING DEFENSIBILITY IN THE DEFENSIVE CYBER OPERATIONS CONTEXT

When talking about cyber systems, both researchers and decision makers have used the term "defensibility" widely, but there is no universal definition for it and no method to observe and measure it. This study examines how defensibility can be defined in a defensive cyber operations context, what critical factors constitute it, and how those factors could be measured. This is done by first examining doctrine and research to create a framework of meaning for defensibility. Second, the study proposes seven fundamental capabilities that a defender needs to be able to perform in defensive cyber operations and a set of system attributes that affect those capabilities. Finally, a set of measures for those attributes is proposed to allow defensibility to be observed and measured. The results of this study are a definition of defensibility for the defensive cyber operations context, a list of system attributes that constitute its defensibility, and a set of associated measurements for these attributes. Using these, it is possible to analyze the defensibility of a system to indicate what restrictions a defender might have when conducting operations in the system and the areas where the system needs to improve. This work is the first step in building defensibility into a useful tool that highlights the needs of a defensive actor who conducts dynamic defensive operations in a system, versus the needs of an actor who implements static measures to increase cyber security.Löjtnant, Swedish NavyApproved for public release. Distribution is unlimited

Australia and Cyberwarfare

This book explores Australia’s prospective cyber-warfare requirements and challenges. It describes the current state of planning and thinking within the Australian Defence Force with respect to Network Centric Warfare, and discusses the vulnerabilities that accompany the use by Defence of the National Information Infrastructure (NII), as well as Defence’s responsibility for the protection of the NII. It notes the multitude of agencies concerned in various ways with information security, and argues that mechanisms are required to enhance coordination between them. It also argues that Australia has been laggard with respect to the development of offensive cyber-warfare plans and capabilities. Finally, it proposes the establishment of an Australian Cyber-warfare Centre responsible for the planning and conduct of both the defensive and offensive dimensions of cyber-warfare, for developing doctrine and operational concepts, and for identifying new capability requirements. It argues that the matter is urgent in order to ensure that Australia will have the necessary capabilities for conducting technically and strategically sophisticated cyber-warfare activities by the 2020s. The Foreword has been contributed by Professor Kim C. Beazley, former Minister for Defence (1984–90), who describes it as ‘a timely book which transcends old debates on priorities for the defence of Australia or forward commitments, [and] debates about globalism and regionalism’, and as ‘an invaluable compendium’ to the current process of refining the strategic guidance for Australia’s future defence policies and capabilities