CORDIS - EU research results
Cyber Security Incident Handling, Warning and Response System for the European Critical Infrastructures

Periodic Reporting for period 1 - CyberSANE (Cyber Security Incident Handling, Warning and Response System for the European Critical Infrastructures)

Reporting period: 2019-09-01 to 2021-02-28

CyberSANE aims to design and implement an advanced, configurable and adaptable Security and Privacy Incident Handling System for security incident detection and handling. It is composed of five independent but collaborating components: LiveNet (Live Security Monitoring and Analysis), DarkNet (Deep and Dark Web Mining and Intelligence), HybridNet (Data Fusion, Risk Evaluation and Event Management), ShareNet (Intelligence and Information Sharing and Dissemination), and PrivacyNet (Privacy & Data Protection Orchestrator). These five components work together to improve, intensify and coordinate the overall security effort, so that realistic multi-dimensional attacks and security events within the interconnected web of cyber assets in Critical Information Infrastructures (CIIs) are identified, investigated, mitigated and reported effectively and efficiently. Through extensive validation, CyberSANE will act as a catalyst for innovation in cybersecurity capacity by increasing the privacy and security of online healthcare, energy, and maritime transportation services.
Regarding the work performed from the beginning of the project until the end of this period, we can report the following:

In terms of the CyberSANE Core, we have already designed and set up the provisioning mechanisms that organizations and end users need in order to register and gain access to the platform services. All implemented services and their usage flows follow the NIST guide adopted in the project, and the first integration with the LiveNet, DarkNet and HybridNet adapters has been completed.

Concerning the LiveNet component, we have proposed and adopted the Elastic Common Schema (ECS) as the data model of the LiveNet adapter, which already integrates the first tools.

For the DarkNet component, the near-final version of the corresponding adapter is already complete, enabling end users to search the deep and dark web for articles that match their preferred topics and keywords. The integration with the crawler has also been completed, and further analysis of the data returned by the search process has been performed successfully.

Regarding the HybridNet component, the project has already set up the HybridNet adapter, enabling the first integrated tools to provide attack patterns and anomalies based on the identified security incidents. Moreover, the first version of the simulation environment is up and running, enabling security professionals to build all possible attack paths based on the organizational asset inventory.

Last but not least, during this period we have successfully integrated the ShareNet and PrivacyNet components, which will enable the project in the upcoming period to build the corresponding adapters and provide sharing and privacy capabilities.
Regarding progress beyond the state of the art in this period, the expected results until the end of the project and their potential impacts, the project has already proposed several enhancements.

Among others, we can report the following:
- Proceed to network segmentation and log the critical information in a usable format, including timestamps and network links, which will make it easier to identify compromised sectors, restrict access and scan logs. For this, handlers for various file types will be used, with data encoded in DTD format for evidence correlation and event display purposes.
- Identify the attacker's origin by deploying forensic traceback techniques on the critical security components of the system. Traceback techniques include ICMP-based, IP marking and IP tunneling techniques, as well as IDSs that make use of Intruder Detection and Isolation Protocol approaches (bricolage strategies).
- GUI enhancements that include, but are not limited to, a time-lining technique that displays identified events in chronological sequence together with their expected impact and interconnections. These enhancements also include a heatmap of events for human operators.
- Hardware-based digital signatures for the generation of evidence, with the evidence stored in a graph-based structure. A semantically rich solution such as an OWL or RDF database could assist with evidence correlation and the execution of special-purpose queries.
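The three ideas that recur above (ECS-style normalization of logged events with timestamps and network links, integrity-protected evidence records, and a graph structure that can be queried for attack paths) fit together in one small pipeline. The following Python example is added here for illustration and is not CyberSANE project code. It assumes a constructed log-line format, a handful of ECS field names, and a software HMAC key standing in for the hardware-held signing key the report mentions; `normalise`, `seal`, `build_evidence_chain`, `verify_chain`, `build_graph` and `hosts_reachable_from` are all hypothetical names. The graph is a plain adjacency dictionary rather than an OWL/RDF store, but the "which hosts did this source touch, transitively" query is the kind of special-purpose query the bullet refers to.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from copy import deepcopy

# Constructed sample log lines (not from the project); format:
# <ISO-8601 timestamp> <observer> <action> <src-ip> -> <dst-ip>:<dst-port> [message]
RAW_LINES = [
    "2021-02-10T08:03:44Z fw1 ALLOW 10.0.2.7 -> 10.0.3.9:22",
    "2021-02-10T08:01:05Z fw1 DENY 10.0.1.15 -> 10.0.2.7:445",
    "2021-02-10T08:01:09Z ids1 ALERT 10.0.1.15 -> 10.0.2.7:445 smb-scan",
]

# Assumption: a software HMAC key stands in for the hardware-held signing key
# described in the report; in a real deployment the tag would be a signature
# produced inside an HSM or TPM so the key never leaves the device.
SIGNING_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def normalise(line):
    """Map one raw line onto a subset of Elastic Common Schema field names."""
    ts, observer, action, src, _arrow, dst_spec, *rest = line.split()
    dst, port = dst_spec.rsplit(":", 1)
    return {
        "@timestamp": ts,
        "observer.name": observer,
        "event.action": action.lower(),
        "source.ip": src,
        "destination.ip": dst,
        "destination.port": int(port),
        "message": " ".join(rest),
    }


def _canonical(event):
    # Stable serialisation so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def seal(event, prev_hash, key=SIGNING_KEY):
    """Hash-chain the event onto its predecessor and tag the hash."""
    digest = hashlib.sha256((prev_hash + _canonical(event)).encode()).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"event": event, "prev": prev_hash, "hash": digest, "sig": tag}


def build_evidence_chain(lines, key=SIGNING_KEY):
    """Normalise, order by timestamp, and seal each event in sequence."""
    events = sorted((normalise(ln) for ln in lines), key=lambda e: e["@timestamp"])
    records, prev = [], GENESIS
    for ev in events:
        rec = seal(ev, prev, key)
        records.append(rec)
        prev = rec["hash"]
    return records


def verify_chain(records, key=SIGNING_KEY):
    """Return True only if every link, hash and tag in the chain checks out."""
    prev = GENESIS
    for rec in records:
        expected = hashlib.sha256((prev + _canonical(rec["event"])).encode()).hexdigest()
        tag = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        if not hmac.compare_digest(tag, rec["sig"]):
            return False
        prev = rec["hash"]
    return True


def build_graph(records):
    """Host graph: each edge src -> dst carries the hash of the sealed record behind it."""
    graph = defaultdict(set)
    for rec in records:
        ev = rec["event"]
        graph[ev["source.ip"]].add((ev["destination.ip"], rec["hash"]))
    return graph


def hosts_reachable_from(graph, start):
    """Hosts reached from `start`, transitively: the attack-path query over the graph."""
    seen, stack = set(), [start]
    while stack:
        host = stack.pop()
        for nxt, _hash in graph.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def tampered_copy(records):
    """Alter one stored event without re-sealing it, so verification must fail."""
    copy = deepcopy(records)
    copy[0]["event"]["source.ip"] = "10.0.9.9"
    return copy


if __name__ == "__main__":
    chain = build_evidence_chain(RAW_LINES)
    print("chain valid:", verify_chain(chain))
    print("tampered copy valid:", verify_chain(tampered_copy(chain)))
    print("reachable from 10.0.1.15:",
          sorted(hosts_reachable_from(build_graph(chain), "10.0.1.15")))
```

Two design points matter for evidence handling: events are ordered by their timestamp before sealing, so the chain itself records the chronological sequence the time-lining GUI would display, and every graph edge references the hash of the record it came from, so a path reconstructed from the graph can be traced back to signed evidence rather than to mutable log text.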
[Figure: cybersane-system.png]