Periodic Reporting for period 1 - PHOENI2X (A EUROPEAN CYBER RESILIENCE FRAMEWORK WITH ARTIFICIAL INTELLIGENCE -ASSISTED ORCHESTRATION & AUTOMATION FOR BUSINESS CONTINUITY, INCIDENT RESPONSE & INFORMATION EXCHANGE)
Reporting period: 2022-07-01 to 2023-12-31
The key objectives of the project are:
O1: To provide trustworthy AI-assisted Situational Awareness & Prediction capabilities, with risk impact assessment, facilitating prioritisation, recommendation and adaptation of system response.
O2: To design & develop Resilience Orchestration, Automation and Response mechanisms, encompassing proactive and reactive business continuity, recovery and incident handling tasks.
O3: To offer enhanced Preparedness through a Resilience Cyber Range and Serious Games.
O4: To provide Alerting, Reporting & Information Exchange mechanisms & processes enabling collaboration between private and public critical sector actors at the national and European level.
O5: To integrate, demonstrate, and validate PHOENi²X in the context of 3 Essential Service use cases (Energy, Transport, Health) involving two OES, a provider in the supply chain of an OES, a Telecom Operator and two National Cybersecurity Authorities.
O6: To maximise the project’s impact and results’ uptake, creating an open & sustainable solution.
Requirements collection and Architecture design.
- Define and follow the overall PHOENI2X work methodology, accommodating the presence of RESTREINT UE/EU RESTRICTED content
- Identify and provide SotA updates in terms of available tools and technologies
- Collect and analyse all the requirements for the PHOENI2X solution
- Design the initial architecture and specification of the PHOENI2X solution
Design, development and delivery of the first release of the AI-assisted Situational Awareness, Prediction & Response Enablers:
- User & Entity Behaviour Analytics (AutoML-based UEBA, User Security Behaviour Scales)
- CTI Discovery, Analytics & Threat Hunting (CTI Discovery & Analytics, Threat Actor Context Ontology, Threat Intelligence Integrator)
- Attack Prediction, Response Recommendation & Adaptation (PMEM)
- Risk Impact Assessment & Prioritisation (CERCA)
Delivery of PoC version of key Coordinated Response & Preparedness Enablers including:
- Resilience Orchestration Automation & Response (ROAR) engine
- First set of ROAR playbooks (Demonstrator UC-specific IR playbooks, high-level Business Continuity (BC) playbooks)
- Baseline alerting, reporting & information exchange mechanisms
- Baseline Cyber Range & Serious Games components
MVP version of the PHOENI2X platform developed and delivered:
- 3 UC testbeds (energy, transport, healthcare) set up
- MVP version of the PHOENI2X platform integrated with the 3 UC testbeds
- Scenarios of the 3 UCs specified in detail, including 2 OES (PPC, FGC), 1 essential solution and infrastructure provider of an OES (NODALPOINT), 1 Telecom Operator (COSMOTE) and 2 NCAs (NCSA, DSA)
Security tools and components:
- CTI Discovery & Analytics (TII): to our knowledge, the first tool that synchronises with MISP and filters out information not relevant to each configured use case, using heuristic functions driven by dynamic data (including external APIs) and by infrastructure information that can change at run time, supplied as SBOM files in CycloneDX format.
- Attack Prediction, Response Recommendation & Adaptation (PMEM): to our knowledge, the first AI-based tool that detects attacks, predicts anomalies and recommends the appropriate response by analysing, in real time, different types of data (network metadata and IoT device data) collected from several infrastructures and protocols (DLMS/COSEM, LoRaWAN).
- Risk Impact Assessment & Prioritisation (CERCA): to our knowledge, the first tool that replaces the traditional way risk assessment is conducted with dynamic, monitoring-based risk assessment whose results are delivered both qualitatively and quantitatively, supporting risk-based decision-making. It integrates with other tools in real time through multiple interfaces such as REST, MQTT or Kafka.
- ROAR: the first CACAO editor and orchestrator implemented worldwide; its development helped move the CACAO specification to v2.0 (the version due to become a standard).
- RPs: to our knowledge, the most holistic approach in terms of the processes covered by playbooks, the first to use CACAO playbooks for Business Continuity, and the first application of CACAO (and ROAR) in novel use cases.
- RCR: a state-of-the-art Cyber Range integrating model-driven simulation and emulation of assets closely mapped to the actual infrastructure, with FSM-based progress tracking; the first to focus on using a Cyber Range to assess playbooks.
- Serious Games: the first approach to serious games for cybersecurity that considers and improves accessibility and inclusiveness, giving a more complete elicitation result and ensuring inclusivity for all.
- SMIR: to our knowledge, the first tool that addresses the lack of harmonisation of mandatory incident reporting procedures by facilitating the collection and reporting of incidents, a challenge identified in CyberSec4Europe during its analysis of the Incident Reporting vertical.
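The SBOM-driven relevance filtering described for the CTI Discovery & Analytics tool above can be illustrated with a small added example (this is not PHOENI2X or TII code). It treats a CycloneDX SBOM as the inventory of deployed software and scores each incoming advisory by whether it names a deployed component and a deployed version. The SBOM, the advisories and the advisory shape (an `affected` list of name/version pairs) are constructed here and are assumptions, not the MISP event schema; version-range semantics are deliberately out of scope.

```python
"""Added example: rank CTI advisories by relevance to a CycloneDX SBOM inventory."""
from __future__ import annotations
import json

# Constructed CycloneDX-style SBOM. Only the fields this example reads are included.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "openssl", "version": "3.0.7"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "application", "name": "nginx", "version": "1.24.0"},
    ],
})

# Constructed advisories. The "affected" field is an assumed, simplified shape.
ADVISORIES = [
    {"id": 101, "info": "RCE in openssl 3.0.7",
     "affected": [{"name": "OpenSSL", "version": "3.0.7"}]},
    {"id": 102, "info": "JNDI lookup in log4j-core",
     "affected": [{"name": "log4j-core", "version": "2.14.1"}]},
    {"id": 103, "info": "Struts OGNL injection",
     "affected": [{"name": "struts", "version": "2.5.30"}]},
    {"id": 104, "info": "nginx request smuggling (all versions)",
     "affected": [{"name": "nginx"}]},
]


def load_inventory(sbom_json: str) -> dict[str, set[str]]:
    """Map lowercase component name -> set of deployed versions from a CycloneDX SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    inventory: dict[str, set[str]] = {}
    for comp in bom.get("components", []):
        inventory.setdefault(comp["name"].lower(), set()).add(comp.get("version", ""))
    return inventory


def relevance(advisory: dict, inventory: dict[str, set[str]]) -> int:
    """Heuristic score: 2 = deployed name and version match, 1 = name only, 0 = no match.

    A name match with a non-matching version still scores 1, because exact version
    equality is only a proxy: real advisories describe ranges, which this skips.
    """
    score = 0
    for item in advisory.get("affected", []):
        name = item.get("name", "").lower()
        if name not in inventory:
            continue
        version = item.get("version")
        if version and version in inventory[name]:
            return 2
        score = max(score, 1)
    return score


def filter_relevant(sbom_json: str, advisories: list[dict],
                    min_score: int = 1) -> list[tuple[int, int]]:
    """Return (score, advisory id) pairs at or above min_score, highest score first."""
    inventory = load_inventory(sbom_json)
    ranked = [(relevance(adv, inventory), adv["id"]) for adv in advisories]
    kept = [pair for pair in ranked if pair[0] >= min_score]
    return sorted(kept, key=lambda pair: (-pair[0], pair[1]))


if __name__ == "__main__":
    for score, adv_id in filter_relevant(SBOM_JSON, ADVISORIES):
        print(f"advisory {adv_id}: relevance {score}")
```

Run as a script to see the ranked list; the Struts advisory is dropped because nothing in the SBOM names Struts, while the version-less nginx advisory is kept at the lower score so an analyst can still triage it.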
Contributions to standards-based, interoperable information-sharing standards:
- CACAO Layout Extension: the CACAO Layout specification is a technical standard that harmonizes the way playbooks are represented graphically, so that exchanged playbooks remain readable and understandable.
- MISP Security Playbooks Object Template: PHOENI2X extended the MISP representation schema to support security playbooks (i.e. defensive tradecraft) and their connection with CTI. This extends the traditional CTI paradigm, which focused only on context and detection engineering, with defence methodologies for prompt and timely incident response. The mechanism is now used by multiple EU national security authorities and CSIRTs.
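Both the ROAR orchestrator entry above and the CACAO Layout Extension rest on a playbook being a well-formed workflow graph that a human can read from start to end. The following added example (not ROAR, CACAO editor or PHOENI2X code) performs the structural checks an orchestrator or editor would want before executing or drawing a playbook: the start step exists, every step reference resolves, an end step is reachable, and no step is orphaned. The playbook is constructed; its field names (`workflow_start`, `workflow`, `on_completion`, `on_true`/`on_false`) follow the CACAO v2 document shape as I understand it and should be treated as assumptions rather than a verified copy of the specification, and the short step identifiers stand in for the UUID-based ones a real playbook uses.

```python
"""Added example: structural validation and readable listing of a CACAO-style playbook."""
from __future__ import annotations
from collections import deque
import copy

# Fields whose values are step identifiers (assumed from the CACAO v2 shape).
REF_FIELDS = ("on_completion", "on_success", "on_failure", "on_true", "on_false", "next_steps")

# Constructed playbook; identifiers are shortened stand-ins for CACAO UUID ids.
SAMPLE_PLAYBOOK = {
    "type": "playbook",
    "spec_version": "cacao-2.0",
    "id": "playbook--constructed-example",
    "name": "Isolate host on confirmed malware alert (constructed)",
    "workflow_start": "start--a",
    "workflow": {
        "start--a": {"type": "start", "on_completion": "action--b"},
        "action--b": {"type": "action", "name": "Quarantine host",
                      "on_completion": "if-condition--c",
                      "commands": [{"type": "manual", "command": "Move host to quarantine VLAN"}]},
        "if-condition--c": {"type": "if-condition", "name": "Malware confirmed?",
                            "condition": "malware_confirmed == true",
                            "on_true": "action--d", "on_false": "end--e"},
        "action--d": {"type": "action", "name": "Notify CSIRT", "on_completion": "end--e"},
        "end--e": {"type": "end"},
        # Deliberately orphaned step: nothing points at it, so a renderer never shows it.
        "action--orphan": {"type": "action", "name": "Unreachable step", "on_completion": "end--e"},
    },
}


def step_refs(step: dict) -> list[str]:
    """All step identifiers a step can transfer control to."""
    refs: list[str] = []
    for field in REF_FIELDS:
        value = step.get(field)
        if value is None:
            continue
        refs.extend(value if isinstance(value, list) else [value])
    return refs


def validate_workflow(playbook: dict) -> list[str]:
    """Return human-readable findings; an empty list means the graph is structurally sound."""
    findings: list[str] = []
    workflow = playbook.get("workflow", {})
    start = playbook.get("workflow_start")
    if not start:
        return ["missing workflow_start"]
    if start not in workflow:
        return [f"workflow_start {start} not in workflow"]
    if workflow[start].get("type") != "start":
        findings.append(f"workflow_start {start} is not a start step")
    # Every reference must resolve to a defined step.
    for step_id, step in workflow.items():
        for ref in step_refs(step):
            if ref not in workflow:
                findings.append(f"{step_id} -> unknown step {ref}")
    # Breadth-first walk from the start step: every step must be reachable and an end reachable.
    seen: set[str] = set()
    queue = deque([start])
    end_reached = False
    while queue:
        step_id = queue.popleft()
        if step_id in seen or step_id not in workflow:
            continue
        seen.add(step_id)
        if workflow[step_id].get("type") == "end":
            end_reached = True
        queue.extend(step_refs(workflow[step_id]))
    if not end_reached:
        findings.append("no end step reachable from workflow_start")
    findings.extend(f"unreachable step: {step_id}" for step_id in workflow if step_id not in seen)
    return findings


def describe(playbook: dict) -> list[str]:
    """Readable start-to-end listing of reachable steps, in breadth-first order."""
    workflow, start = playbook["workflow"], playbook["workflow_start"]
    lines: list[str] = []
    seen: set[str] = set()
    queue = deque([start])
    while queue:
        step_id = queue.popleft()
        if step_id in seen or step_id not in workflow:
            continue
        seen.add(step_id)
        step = workflow[step_id]
        lines.append(f"{step_id} [{step.get('type')}] {step.get('name', '')}".rstrip())
        queue.extend(step_refs(step))
    return lines


def broken_copy(playbook: dict) -> dict:
    """Copy of the playbook with one dangling reference, to show how findings surface."""
    damaged = copy.deepcopy(playbook)
    damaged["workflow"]["action--b"]["on_completion"] = "if-condition--zzz"
    return damaged


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_PLAYBOOK)))
    print("findings:", validate_workflow(SAMPLE_PLAYBOOK))
    print("findings (damaged):", validate_workflow(broken_copy(SAMPLE_PLAYBOOK)))
```

The constructed playbook is valid apart from its orphaned step, which the checker reports; the damaged copy shows how a single dangling reference cascades into an unreachable end step and several unreachable steps, which is exactly the situation a layout renderer or orchestrator should refuse rather than silently truncate.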