Active mitigation support against advanced persistent threat risks

Ilkka Karanta, Mika Rautila

    Research output: Chapter in Book/Report/Conference proceeding › Conference abstract in proceedings › Scientific

    Abstract

    Advanced persistent threat (APT) attacks are arguably among the most serious security hazards to the computer systems and information networks (information infrastructure, II) that support, for example, critical infrastructures (CI). By their nature, APTs are usually very difficult to detect and, even once detected, difficult to recover from. Further, new forms of APT are probably being developed all the time, with considerable resources. The defenders of the infrastructure, typically the personnel of a security operations center (SOC), therefore face a formidable mitigation task and need assistance. Existing incident management systems generally do not provide active mitigation assistance. If mitigation-related information is available only in a passive form (e.g. as part of help files), the defenders are unlikely to find the needed information, or even to search for it in a meaningful way. There is thus a need for an active decision support system that advises the defenders on how to proceed with mitigation, given the current phase of the attack lifecycle and the various kinds of information available on the II, the CI, and APT attacks. We propose a framework for active mitigation support against APTs for SOC personnel. Operational information is collected and, combined with information about the structure and functioning of the II and CI and about possible threats, used to advise the defenders on which mitigation actions to take in each phase of the defense lifecycle (preparation, detection, resolution and closure). The framework uses ontologies for knowledge representation and expert systems for selecting appropriate mitigation actions for a given situation. Together, the actions constitute a mitigation process that covers the whole defense lifecycle. We briefly describe a demonstration prototype constructed for the resolution phase, and its use as part of a larger demonstration covering the defense of a banking infrastructure against an APT.

    We propose that active mitigation support could be a useful means of managing information security risks more generally, and could also provide a basis for automating mitigation of information security risks.
    Original language: English
    Title of host publication: SRA Nordic 2017 Abstracts
    Publisher: Aalto University
    Publication status: Published - 2017
    MoE publication type: Not Eligible
    Event: Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017 - Espoo, Finland
    Duration: 2 Nov 2017 - 3 Nov 2017
    https://blogs.aalto.fi/risk2017/ (Web page)

    Conference

    Conference: Society for Risk Analysis (SRA) Nordic Chapter Conference, RISK 2017
    Abbreviated title: RISK 2017
    Country/Territory: Finland
    City: Espoo
    Period: 2/11/17 - 3/11/17
    Internet address: https://blogs.aalto.fi/risk2017/

    Keywords

    • artificial intelligence
    • decision support
    • expert systems
    • information security
    • mitigation
    • network security
