Clear contributions beyond the state of the art include:
Security tools and components:
- CTI Discovery & Analytics: TII: To our knowledge, the first tool that synchronises with MISP and filters out non-relevant information for every configured use case, using heuristic functions fed with dynamic information (including external APIs) and with infrastructure information that is kept current from SBOM files in CycloneDX format, so the filtering follows changes in the deployed components.
- Attack Prediction, Response Recommendation & Adaptation: PMEM: To our knowledge, the first AI-based tool able to detect attacks, predict anomalies and provide the appropriate response by analysing, in real time, different types of data (network metadata and IoT device data) collected from various infrastructures and covering different protocols (DLMS/COSEM, LoRaWAN).
- Risk Impact Assessment & Prioritisation: CERCA: To our knowledge, the first tool that changes the traditional way risk assessment is conducted, providing dynamic risk assessment driven by monitoring and delivering results both qualitatively and quantitatively, which facilitates risk-based decision-making. It integrates with other tools in real time through multiple interfaces such as REST, MQTT or Kafka.
- ROAR: The 1st CACAO Editor & Orchestrator implemented (worldwide); it helped in moving the CACAO specification to V2.0 (the version due to become a standard).
- RPs: The most holistic approach (to our knowledge) in terms of the processes covered by playbooks, the 1st to use CACAO playbooks for Business Continuity, and the 1st application of CACAO (& ROAR) in novel use cases.
- RCR: A state-of-the-art cyber range (CR) integrating model-driven simulation & emulation of assets closely mapped to the actual infrastructure, with FSM-based progress tracking; the 1st to focus on using a CR to assess playbooks.
- Serious Games: The first approach to serious games on cybersecurity that considers and improves accessibility and inclusiveness, yielding more complete elicitation results and ensuring inclusivity for all participants.
- SMIR: To our knowledge, the 1st tool that addresses the lack of harmonisation in mandatory incident reporting procedures by facilitating the collection and reporting of incidents, a challenge identified in CyberSec4Europe during the analysis done for the Incident Reporting vertical.
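As an added illustration of the SBOM-driven relevance filtering described for TII above (example code written for this page, not the TII implementation): a CycloneDX SBOM is parsed into components, each CTI record is scored against the components a use case cares about, and re-running the filter on a re-generated SBOM shows how relevance changes with the deployed versions. The SBOM, the advisory records, the use-case configuration and the scoring heuristic are all constructed assumptions for the example.

```python
# Added illustration, not PHOENI2X/TII code: filter CTI records against the
# components of a CycloneDX SBOM, per configured use case. Everything below
# (SBOM, advisories, use cases, heuristic) is constructed for the example.
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 SBOM (JSON form) describing one deployment.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8"},
        {"type": "application", "name": "mosquitto", "version": "2.0.15",
         "purl": "pkg:generic/mosquitto@2.0.15"},
    ],
})

# Constructed CTI records in a flattened, MISP-like shape: an advisory id,
# the affected package (purl without version) and the first fixed version.
# The ids are placeholders, not real advisories.
CTI_ITEMS = [
    {"id": "ADV-001", "affected": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "fixed_in": "2.15.0", "tlp": "clear"},
    {"id": "ADV-002", "affected": "pkg:generic/openssl", "fixed_in": "3.0.9", "tlp": "amber"},
    {"id": "ADV-003", "affected": "pkg:generic/openssl", "fixed_in": "3.0.2", "tlp": "clear"},
    {"id": "ADV-004", "affected": "pkg:npm/express", "fixed_in": "4.18.0", "tlp": "clear"},
]

# Constructed use-case configuration: which SBOM components each use case cares about.
USE_CASES = {
    "iot-gateway": {"mosquitto", "openssl"},
    "backend": {"log4j-core", "openssl"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple; non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def purl_base(purl: str) -> str:
    """Strip the @version (and any ?qualifiers / #subpath) from a purl."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract name, version and version-less purl for every component with a purl."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        {"name": c["name"], "version": c.get("version", ""), "base": purl_base(c["purl"])}
        for c in sbom.get("components", []) if "purl" in c
    ]


def score(item: Dict[str, str], comp: Dict[str, str]) -> int:
    """Heuristic relevance: 0 unrelated, 1 package present but already fixed,
    2 vulnerable version deployed. A missing version compares as the lowest
    possible, so an unknown version is treated conservatively as vulnerable."""
    if item["affected"] != comp["base"]:
        return 0
    if parse_version(comp["version"]) < parse_version(item["fixed_in"]):
        return 2
    return 1


def filter_cti(sbom_json: str, cti_items, use_case: str, min_score: int = 2):
    """Return sorted [(advisory id, component name, score)] for CTI that
    reaches min_score against the components configured for the use case."""
    assets = USE_CASES[use_case]
    comps = [c for c in load_components(sbom_json) if c["name"] in assets]
    hits = []
    for item in cti_items:
        for comp in comps:
            s = score(item, comp)
            if s >= min_score:
                hits.append((item["id"], comp["name"], s))
    return sorted(hits)


def with_upgraded_component(sbom_json: str, name: str, new_version: str) -> str:
    """Return a new SBOM with one component's version and purl bumped,
    simulating the SBOM re-generated after a redeploy."""
    sbom = json.loads(sbom_json)
    for c in sbom["components"]:
        if c["name"] == name:
            c["version"] = new_version
            c["purl"] = f"{purl_base(c['purl'])}@{new_version}"
    return json.dumps(sbom)


if __name__ == "__main__":
    print("iot-gateway, current SBOM:", filter_cti(SBOM_JSON, CTI_ITEMS, "iot-gateway"))
    print("backend, current SBOM:   ", filter_cti(SBOM_JSON, CTI_ITEMS, "backend"))
    patched = with_upgraded_component(SBOM_JSON, "openssl", "3.0.9")
    print("iot-gateway, after patch:", filter_cti(patched, CTI_ITEMS, "iot-gateway"))
```

The use-case scoping is what keeps an analyst's queue short: ADV-001 matters for the backend but is noise for the IoT gateway, and ADV-003 is kept only when the threshold is lowered to include already-fixed packages. Because the filter re-reads the SBOM on every call, regenerating the SBOM after a patch is enough to make the corresponding advisories drop out.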
Contributions to standards-based, interoperable information sharing:
- CACAO Layout Extension: The CACAO Layout specification is a technical standard that harmonises how playbooks are represented graphically, supporting exchange, readability and understandability.
- MISP Security Playbooks Object Template: PHOENI2X enhanced the MISP representation schema to support security playbooks (i.e. defensive tradecraft) and their connection with CTI. This extends the traditional CTI paradigm, which focused only on context and detection engineering, with defence methodologies for prompt and timely incident response. This mechanism is now utilised by multiple EU national security authorities and CSIRTs.