Active mitigation support against advanced persistent threat risks

Research output: Chapter in Book/Report/Conference proceeding - Conference abstract in proceedings - Scientific

Abstract

Advanced persistent threat (APT) attacks are arguably among the most serious security hazards of computer systems and information networks (information infrastructure, II) supporting e.g. critical infrastructures (CI). Due to their nature, APTs are usually very difficult to detect, and even if detected, difficult to recover from. Further, new forms of APT are probably being developed all the time, with considerable resources. Thus, the defenders of the infrastructure - typically, the personnel of a security operating center (SOC) - face a formidable task in mitigation and need assistance. Existing incident management systems generally do not provide active mitigation assistance. If mitigation-related information is only available in a passive form (e.g. as part of help files), the defenders are unlikely to find the needed information or even to search for it in a meaningful way. Thus, there is a need for an active decision support system that advises the defenders on how to proceed with mitigation, given the current phase in the attack lifecycle and the various kinds of information available on the II, the CI, and APT attacks. We propose a framework for active mitigation support against APTs for SOC personnel. Operational information is collected and, combined with information about the structure and functioning of the II and CI and about possible threats, used to advise the defenders on what mitigation actions to take in the different phases of the defense lifecycle (preparation, detection, resolution and closure). The framework uses ontologies for knowledge representation, and expert systems for selecting appropriate mitigation actions for a given situation. Altogether, the actions constitute a mitigation process that covers the whole defense lifecycle. We briefly describe a demonstration prototype constructed for the resolution phase, and its use as part of a larger demonstration covering the defense of a banking infrastructure against an APT.
We propose that active mitigation support could be a useful means for managing information security risks more generally, and could also provide a basis for automating mitigation against information security risks.
Original language: English
Title of host publication: SRA Nordic 2017 Abstracts
Publisher: Aalto University
Publication status: Published - 2017
Event: Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017 - Espoo, Finland
Duration: 2 Nov 2017 - 3 Nov 2017
Web page: https://blogs.aalto.fi/risk2017/

Conference

Conference: Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017
Abbreviated title: RISK 2017
Country: Finland
City: Espoo
Period: 2/11/17 - 3/11/17
Internet address: https://blogs.aalto.fi/risk2017/


Keywords

  • artificial intelligence
  • decision support
  • expert systems
  • information security
  • mitigation
  • network security

Cite this

@inbook{583a07e2036448c1aa5db7f4e966730d,
title = "Active mitigation support against advanced persistent threat risks",
abstract = "Advanced persistent threat (APT) attacks are arguably among the most serious security hazards of computer systems and information networks (information infrastructure, II) supporting e.g. critical infrastructures (CI). Due to their nature, APT's are usually very difficult to detect, and even if detected, difficult to recover from. Further, new forms of APT are probably being developed all the time, with considerable resources. Thus, the defenders of the infrastructure - typically, the personnel of a security operating center (SOC) - face a formidable task in mitigation and need assistance. Existing incident management systems generally do not provide active mitigation assistance. If mitigation-related information is only available in a passive form (e.g. as part of help files), the defenders are unlikely to find the needed information or even search for it in a meaningful way. Thus, there is a need for active decision support system that provides the defenders with advice on how to proceed with mitigation, given the current phase in the attack lifecycle and various kinds of information available on the II, CI, and APT attacks. We propose a framework for active mitigation support against APTs to SOC personnel. Operational information is collected, and, combined with information about the structure and functioning of the II and CI, and possible threats, used to provide advice to the defenders on what mitigation actions to take in different phases of defense lifecycle (preparation, detection, resolution and closure). The framework uses ontologies for knowledge representation, and expert systems for selecting appropriate mitigation actions for a given situation. Altogether, the actions constitute a mitigation process that covers the whole defense lifecycle. We briefly describe a demonstration prototype constructed for the resolution phase, and its use as a part of a larger demonstration covering the defense of a banking infrastructure against APT. 
We propose that active mitigation support could be a useful means of the management of information security risks more generally, and could also provide a basis for the automation of mitigation against information security risks.",
keywords = "artificial intelligence, decision support, expert systems, information security, mitigation, network security",
author = "Ilkka Karanta and Mika Rautila",
year = "2017",
language = "English",
booktitle = "SRA Nordic 2017 Abstracts",
publisher = "Aalto University",
address = "Finland",
}

Karanta, I & Rautila, M 2017, Active mitigation support against advanced persistent threat risks. in SRA Nordic 2017 Abstracts. Aalto University, Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017, Espoo, Finland, 2/11/17.

Active mitigation support against advanced persistent threat risks. / Karanta, Ilkka; Rautila, Mika.

SRA Nordic 2017 Abstracts. Aalto University, 2017.
