Active mitigation support against advanced persistent threat risks

    Research output: Chapter in Book/Report/Conference proceeding, Conference abstract in proceedings, Scientific

    Abstract

    Advanced persistent threat (APT) attacks are arguably among the most serious security hazards to computer systems and information networks (information infrastructure, II) supporting, e.g., critical infrastructures (CI). Due to their nature, APTs are usually very difficult to detect and, even if detected, difficult to recover from. Further, new forms of APT are probably being developed all the time, with considerable resources. Thus, the defenders of the infrastructure, typically the personnel of a security operations center (SOC), face a formidable task in mitigation and need assistance. Existing incident management systems generally do not provide active mitigation assistance. If mitigation-related information is only available in a passive form (e.g. as part of help files), the defenders are unlikely to find the needed information or even to search for it in a meaningful way. Thus, there is a need for an active decision support system that provides the defenders with advice on how to proceed with mitigation, given the current phase in the attack lifecycle and the various kinds of information available on the II, the CI, and APT attacks. We propose a framework for active mitigation support against APTs for SOC personnel. Operational information is collected and, combined with information about the structure and functioning of the II and CI and about possible threats, used to provide advice to the defenders on what mitigation actions to take in the different phases of the defense lifecycle (preparation, detection, resolution and closure). The framework uses ontologies for knowledge representation and expert systems for selecting appropriate mitigation actions for a given situation. Altogether, the actions constitute a mitigation process that covers the whole defense lifecycle. We briefly describe a demonstration prototype constructed for the resolution phase, and its use as part of a larger demonstration covering the defense of a banking infrastructure against APT.

    We propose that active mitigation support could be a useful means of managing information security risks more generally, and could also provide a basis for the automation of mitigation against information security risks.
    Original language: English
    Title of host publication: SRA Nordic 2017 Abstracts
    Publisher: Aalto University
    Publication status: Published - 2017
    Event: Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017 - Espoo, Finland
    Duration: 2 Nov 2017 to 3 Nov 2017
    https://blogs.aalto.fi/risk2017/ (Web page)

    Conference

    Conference: Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017
    Abbreviated title: RISK 2017
    Country: Finland
    City: Espoo
    Period: 2/11/17 to 3/11/17
    Internet address: https://blogs.aalto.fi/risk2017/

    Keywords

    • artificial intelligence
    • decision support
    • expert systems
    • information security
    • mitigation
    • network security

    Cite this

    @inbook{583a07e2036448c1aa5db7f4e966730d,
    title = "Active mitigation support against advanced persistent threat risks",
    keywords = "artificial intelligence, decision support, expert systems, information security, mitigation, network security",
    author = "Ilkka Karanta and Mika Rautila",
    year = "2017",
    language = "English",
    booktitle = "SRA Nordic 2017 Abstracts",
    publisher = "Aalto University",
    address = "Finland",
    }

    Karanta, I & Rautila, M 2017, Active mitigation support against advanced persistent threat risks. in SRA Nordic 2017 Abstracts. Aalto University, Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017, Espoo, Finland, 2/11/17.