Active mitigation support against advanced persistent threat risks

    Research output: Chapter in Book/Report/Conference proceedingConference abstract in proceedingsScientific


    Advanced persistent threat (APT) attacks are arguably among the most serious security hazards of computer systems and information networks (information infrastructure, II) supporting e.g. critical infrastructures (CI). Due to their nature, APT's are usually very difficult to detect, and even if detected, difficult to recover from. Further, new forms of APT are probably being developed all the time, with considerable resources. Thus, the defenders of the infrastructure - typically, the personnel of a security operating center (SOC) - face a formidable task in mitigation and need assistance. Existing incident management systems generally do not provide active mitigation assistance. If mitigation-related information is only available in a passive form (e.g. as part of help files), the defenders are unlikely to find the needed information or even search for it in a meaningful way. Thus, there is a need for active decision support system that provides the defenders with advice on how to proceed with mitigation, given the current phase in the attack lifecycle and various kinds of information available on the II, CI, and APT attacks. We propose a framework for active mitigation support against APTs to SOC personnel. Operational information is collected, and, combined with information about the structure and functioning of the II and CI, and possible threats, used to provide advice to the defenders on what mitigation actions to take in different phases of defense lifecycle (preparation, detection, resolution and closure). The framework uses ontologies for knowledge representation, and expert systems for selecting appropriate mitigation actions for a given situation. Altogether, the actions constitute a mitigation process that covers the whole defense lifecycle. We briefly describe a demonstration prototype constructed for the resolution phase, and its use as a part of a larger demonstration covering the defense of a banking infrastructure against APT. We propose that active mitigation support could be a useful means of the management of information security risks more generally, and could also provide a basis for the automation of mitigation against information security risks.
    Original languageEnglish
    Title of host publicationSRA Nordic 2017 Abstracts
    PublisherAalto University
    Publication statusPublished - 2017
    MoE publication typeNot Eligible
    EventSociety for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017 - Espoo, Finland
    Duration: 2 Nov 20173 Nov 2017 (Web page)


    ConferenceSociety for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017
    Abbreviated titleRISK 2017
    Internet address



    • artificial intelligence
    • decision support
    • expert systems
    • information security
    • mitigation
    • network security

    Cite this