Periodic Reporting for period 1 - CyberSANE (Cyber Security Incident Handling, Warning and Response System for the European Critical Infrastructures)
Reporting period: 2019-09-01 to 2021-02-28
For the CyberSANE Core, we have designed and set up the provisioning mechanisms that organisations and end users need in order to register and gain access to the platform services. All implemented services and their usage flows follow the NIST guide adopted by the project, and the first integration with the LiveNet, DarkNet and HybridNet adapters has been completed.
Concerning the LiveNet component, we have proposed and adopted the Elastic Common Schema (ECS) as the data model of the LiveNet adapter, which already integrates the first tools.
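As an added illustration (not code from the CyberSANE project or its LiveNet adapter), the following Python script shows what ECS-based data modelling means in practice: two differently formatted raw log lines, constructed for this example, are mapped onto shared ECS field names (`@timestamp`, `event.category`, `source.ip`, ...) so that events from different sources can be sorted onto one timeline and correlated. The input formats, regular expressions and field choices are assumptions of this example.

```python
"""Normalise raw log lines into Elastic Common Schema (ECS) documents.

Added example, not CyberSANE project code. The two input formats, the
regular expressions and the chosen ECS fields are assumptions made for
this illustration; the sample lines are constructed, not captured.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: an OpenSSH-style auth line and a key=value
# firewall line, deliberately out of chronological order.
SAMPLE_LINES = [
    "2021-02-10T08:15:03Z bastion sshd[4121]: Failed password for invalid user "
    "admin from 203.0.113.7 port 51544 ssh2",
    "2021-02-10T08:14:59Z fw1 action=deny src=203.0.113.7 spt=51543 "
    "dst=10.0.0.5 dpt=22 proto=tcp",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<spt>\d+)"
)
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>(?:\w+=\S+\s*)+)$")


def ecs_timestamp(raw: str) -> str:
    """Normalise a timestamp to the ECS @timestamp form (UTC, ISO 8601)."""
    dt = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def to_ecs(line: str) -> dict:
    """Map one raw line onto ECS field names; reject unknown formats loudly
    rather than silently producing a half-populated document."""
    m = SSHD_RE.match(line)
    if m:
        success = m["outcome"] == "Accepted"
        return {
            "@timestamp": ecs_timestamp(m["ts"]),
            "event": {
                "kind": "event",
                "category": ["authentication"],
                "type": ["start"],
                "outcome": "success" if success else "failure",
                "original": line,
            },
            "host": {"name": m["host"]},
            "process": {"name": "sshd", "pid": int(m["pid"])},
            "user": {"name": m["user"]},
            "source": {"ip": m["src"], "port": int(m["spt"])},
        }
    m = FW_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        denied = kv.get("action") == "deny"
        return {
            "@timestamp": ecs_timestamp(m["ts"]),
            "event": {
                "kind": "event",
                "category": ["network"],
                "type": ["denied" if denied else "allowed"],
                "action": kv.get("action"),
                "original": line,
            },
            "host": {"name": m["host"]},
            "source": {"ip": kv["src"], "port": int(kv["spt"])},
            "destination": {"ip": kv["dst"], "port": int(kv["dpt"])},
            "network": {"transport": kv.get("proto")},
        }
    raise ValueError(f"unrecognised log format: {line!r}")


def normalise(lines) -> list:
    """Normalise every line and return the documents in chronological order,
    which is only possible once all sources share one @timestamp format."""
    return sorted((to_ecs(line) for line in lines), key=lambda d: d["@timestamp"])


def events_from_ip(docs, ip: str) -> list:
    """Cross-source correlation: works because both formats map onto source.ip."""
    return [d for d in docs if d.get("source", {}).get("ip") == ip]


if __name__ == "__main__":
    for doc in normalise(SAMPLE_LINES):
        print(doc["@timestamp"], doc["host"]["name"], doc["event"]["category"],
              doc["source"]["ip"])
```

Keeping the raw line in `event.original` preserves the evidence exactly as received while the structured fields carry the normalised view; a line that matches no known format raises instead of being indexed with missing fields, which is the failure mode that silently breaks later correlation.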
For the DarkNet component, a near-final version of the corresponding adapter has been completed, enabling end users to search the deep and dark web for articles that match their preferred topics and keywords. The integration with the crawler has therefore been completed, and further analysis of the data returned by the search process has been performed successfully.
Regarding the HybridNet component, the project has set up the HybridNet adapter, enabling the first integrated tools to provide attack patterns and anomalies based on the identified security incidents. Moreover, the first version of the simulation environment is up and running, enabling security professionals to build all possible attack paths from the organisational asset inventory.
Last but not least, during this period we have integrated the ShareNet and PrivacyNet components, which will allow the project to build the corresponding adapters and provide sharing and privacy capabilities in the upcoming period.
Among others, we can report the following:
- Network segmentation, together with logging of the critical information in a usable format that includes timestamps and network links, to ease the identification of compromised segments, the restriction of access and the scanning of logs. For this, handlers for various file types will be used, with the data encoded in a DTD-defined XML format for evidence correlation and event display purposes.
- Identification of the attacker's origin by deploying forensic traceback techniques on the critical security components of the system. Traceback techniques include ICMP-based, IP-marking and IP-tunnelling techniques, as well as IDSs that use Intruder Detection and Isolation Protocol (IDIP) approaches (bricolage strategies).
- GUI enhancements that include, but are not limited to, a time-lining technique that displays the identified events in chronological sequence together with their expected impact and interconnections, and a heatmap of events for human operators.
- Hardware-based digital signatures for generating evidence, and storage of that evidence in a graph-based structure. A semantically rich solution such as an OWL or RDF database could assist evidence correlation and the execution of special-purpose queries.
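The following Python script, added here as an illustration and not taken from the CyberSANE project, shows the evidence-handling idea behind the last two items: events are placed on a chronological timeline and then stored as records that are each signed and linked to their predecessor by hash, forming a simple evidence graph whose links and signatures can be verified. The hardware signer is an assumption, stood in for by HMAC-SHA256 with an in-memory key so that the example runs offline; the record layout, the graph linkage and the sample events are constructed for this example.

```python
"""Signed, hash-chained evidence records.

Added example, not CyberSANE project code. A hardware signer (HSM or TPM)
is assumed and stood in for by HMAC-SHA256 with an in-memory key so that
the example runs offline; the record layout, the graph linkage and the
sample events are this example's own construction.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: in the real design this key never leaves the hardware token.
SIGNING_KEY = b"example-only-stand-in-for-a-hardware-key"
GENESIS = "0" * 64

# Constructed ECS-style events, deliberately not in time order.
SAMPLE_EVENTS = [
    ("2021-02-10T08:15:03Z", {"host": {"name": "bastion"}, "source": {"ip": "203.0.113.7"},
                              "event": {"category": ["authentication"], "outcome": "failure"}}),
    ("2021-02-10T08:14:59Z", {"host": {"name": "fw1"}, "source": {"ip": "203.0.113.7"},
                              "event": {"category": ["network"], "action": "deny"}}),
    ("2021-02-10T08:16:40Z", {"host": {"name": "bastion"}, "process": {"name": "nc"},
                              "event": {"category": ["process"], "action": "exec"}}),
]


def canonical(obj) -> bytes:
    """Deterministic JSON so a signature does not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class EvidenceRecord:
    seq: int
    timestamp: str
    event: dict
    prev_hash: str          # edge to the predecessor record in the evidence graph
    signature: str = ""

    def body(self) -> dict:
        return {"seq": self.seq, "timestamp": self.timestamp,
                "event": self.event, "prev_hash": self.prev_hash}

    def digest(self) -> str:
        return hashlib.sha256(canonical(self.body())).hexdigest()


def sign(record: EvidenceRecord) -> str:
    """Stand-in for the hardware signing operation (assumption, see above)."""
    return hmac.new(SIGNING_KEY, canonical(record.body()), hashlib.sha256).hexdigest()


class EvidenceChain:
    def __init__(self):
        self.records = []

    def append(self, timestamp: str, event: dict) -> EvidenceRecord:
        prev = self.records[-1].digest() if self.records else GENESIS
        rec = EvidenceRecord(len(self.records), timestamp, event, prev)
        rec.signature = sign(rec)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Digest of the newest record; keep a copy elsewhere to detect truncation."""
        return self.records[-1].digest() if self.records else GENESIS

    def verify(self) -> tuple:
        """Check sequence, linkage and signature of every record in order."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i:
                return False, f"record {i}: sequence gap"
            if rec.prev_hash != prev:
                return False, f"record {i}: broken link to predecessor"
            if not hmac.compare_digest(rec.signature, sign(rec)):
                return False, f"record {i}: bad signature"
            prev = rec.digest()
        return True, "ok"

    def timeline(self) -> list:
        """Chronological (timestamp, host, action/outcome) view for the GUI."""
        return [(r.timestamp, r.event["host"]["name"],
                 r.event["event"].get("action") or r.event["event"].get("outcome"))
                for r in self.records]

    def edges(self) -> list:
        """Adjacency list of the chain as a graph: (predecessor, record) digests."""
        return [(r.prev_hash, r.digest()) for r in self.records]


def build_chain(events=SAMPLE_EVENTS) -> EvidenceChain:
    """Order events by time, then append each as a signed, linked record."""
    chain = EvidenceChain()
    for ts, ev in sorted(events, key=lambda e: e[0]):
        chain.append(ts, copy.deepcopy(ev))
    return chain


if __name__ == "__main__":
    chain = build_chain()
    print(chain.verify(), chain.head()[:16])
    chain.records[1].event["source"]["ip"] = "198.51.100.9"   # tamper
    print(chain.verify())
```

`verify()` detects modification, reordering and deletion inside the chain, but removing the newest record is only detectable if the digest returned by `head()` is stored separately (in the signing hardware or another system). An HMAC with a shared key proves integrity only; a hardware-held asymmetric key, as the item above calls for, is what additionally gives non-repudiation of who produced each piece of evidence.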