Skip to main content

SOC & Csirt Response to Attacks & Threats based on attack defence graphs Evaluation Systems

Periodic Reporting for period 1 - SOCCRATES (SOC & Csirt Response to Attacks & Threats based on attack defence graphs Evaluation Systems)

Reporting period: 2019-09-01 to 2021-02-28

Over the past years, the cyber threat landscape has greatly evolved. Organizations are faced with a challenging task of preventing attacks and have fast and effective detection and response mechanisms if attacks cannot be prevented. In addition, it is commonly reported that the time to compromise is typically very short (i.e. seconds to minutes), while the discovery time is more likely to be weeks or months. In addition, the time from detection to containment of the attack may again take weeks.

To deal with these challenges, many organisations have setup so-called Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs), or outsourced these tasks to a Managed Security Service Provider (MSSP).

Nevertheless, the resilience of organisations is lagging behind the increasing threat. We mention here the most important challenges and desired capabilities:

• Improving and extending readiness to change.
• Understanding the context.
• Assessing the effective impact of an incident.
• Mitigating attacks through recommended Course of Actions (CoAs).
• Attributing malicious activity to known adversaries.
• Automating CTI processes.
• Shortage in qualified security staff

In addition, given the complexity and continuously evolving threat landscape and the speed at which cyber-attacks occur and can propagate through an infrastructure, automation to aid human analysis and decision making, and the execution of defensive actions at machine-speed are more and more seen as prerequisites for an effective and efficient approach to cyber resilience. The above overview of challenges leads to the following main challenge of SOCCRATES:
- How can SOC and CSIRT operations effectively improve their capability in detecting and managing response to complex cyber-attacks and emerging threats, in complex and continuously evolving ICT infrastructures while there is a shortage of qualified cybersecurity tal-ent?

The main objective of SOCCRATES is to develop and implement a security automation and decision support platform (‘the SOCCRATES platform’) that will significantly improve an organisation’s capability (usually implemented by a SOC and/or CSIRT) to quickly and effectively detect and respond to new cyber threats and ongoing attacks.
The SOCCRATES platform consists of an orchestrating function and a set of innovative components for automated infrastructure modelling, attack detection, cyber threat intelligence utilization, threat trend prediction, and automated analysis using attack defence graphs and business impact modelling to aid human analysis and decision making on response actions, and enable the execution of defensive actions at machine-speed.
We have made the design and specification of the SOCCRATES platform, based on the use cases and including the component architecture and interface specification. We have developed and partially implemented the Orchestration and Integration Engine and (Automated) Reconfiguration. And we have implemented several modules, including their adaptors to connect to the orchestrator function:
• Infrastructure Modelling Component (IMC)
• Advanced Attack Detection (AAD)
• Threat Identification and Threat Trend Prediction (TIP) and Adversary Emulation Plans (AEP)
• Domain Generation Algorithm (DGA) detection
• Attack Defense Graph analyser (ADG)
• Course of Action Generator (CoA)

From all these modules prototypes are available and AAD, IMC and TIP are (technically) evaluated in the first pilot, but work will be ongoing to ensure a good implementation of the complete platform is available for the second pilot.
We have defined pilot KPIs to evaluate the effectiveness (measurable reduction of Mean Time To Detection (MTTD) and Mean Time To Respond (MTTR)) of the platform in SOC/CSIRT operations. A first pilot is started, this is a technical pilot
There have been initial demonstrations a.o. in the SOCCRATES webinars of several modules.

We have made preparations for contributing to standardization bodies, a.o. by setting up collaboration with the other 6 projects in H2020 call SU-ICT-01-2018 to join forces towards standardization bodies.

We have put much effort on dissemination activities, and created high visibility with events, LinkedIn and Twitter. We have organized many presentations, workshops, webinars and demonstrations of results so far during development of individual components. The audience for these events very much consisted of the audience we intend to reach (SOC/CSIRT operators and experts, security professionals), specifically our SOCAB, our stakeholder group and the interested participants in our public webinar series. These events confirmed that we are on the right track.

We have started thinking about exploitation already, which led to first ideas on commercial exploitation, open source strategy and training & education.

Our efforts towards submitting results to standardization efforts are at an early stage. To build on our initial efforts, we have joined forces with other H2020 projects and we anticipate that this will strengthen the visibility towards standardisation bodies. We will also reach out to communities associated with the MITRE ATT&CK Framework and FIRST.
We have made progress on state of art in all modules we have implemented. This is shown e.g. in the newly developed Orchestrating and Innovation engine, more reliable models of infrastructure, semi-automated generation of machine-readable Adversary Emulation Plans and additional possibilities to import ICT infrastructure configuration data in the existing SecuriCAD tool.
Until the end of the project we will:
• Implement the Business Impact analyser (BIA) and Response Planner (RP)
• Further finalize the implemented modules and orchestrating and innnovation engine
• Validate that the SOCCRATES platform can improve SOC operations by utilizing the SOCCRATES platform in two diverse real-life pilot environments
• Evaluate the pilot KPIs with the SOCCRATES use cases in those environments.
• Examine and illustrate the benefits of automation for selected SOC activities to help manage the cyber security skills gap in organizations
• Show all the benefits of the SOCCRATES platform and the advantages of automation in SOC/CSIRT operations, using the demo pilot.
• Contribute to appropriate standardisation groups
• Continue to organize dissemination activities, with a shift from disseminating individual modules to the SOCCRATES platform as a whole, learnings from the pilots and exploitation potential.
• Publish the SOCCRATES Vision, Roadmap & Guidance for SOC (D2.4) and the SOCCRATES white paper (D8.4) in which we will describe the learnings and the SOCCRATES vision.
• Prepare for successful exploitation by the SOCCRATES partners of the individual innovated components and the integrated SOCCRATES platform in commercial products that are offered to the market and are available for the European (business) community.
We think with the results described above, we can realize considerable impact both at existing SOCs and MSSPs, regulation and standardization and therefore also society.
The SOCCRATES platform