Cognitive Security for Incident Management Process

Andrade, Roberto; Torres, Jenny; Cadena, Susana

doi:10.1007/978-3-030-11890-7_59

Cited by 11 publications

(11 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The incident response process is well defined among many methodologies [55] [56]; a summary can be found in [57]. Many works define the particular subtactics, after the incident identification, such as containment, eradication, recovery and lessons learned [58], with little variation from this approach [59]. In any case, as we have stated before, SOC particular response activities depend on multiple factors, so these sub-tactics do not always apply; for example, a particular agreement with a customer may define the response to a specific incident type just as the notification of the action, or by automatic network block without further investigation or activities.…”

Section: Our Proposalmentioning

confidence: 99%

SOC Critical Path: A Defensive Kill Chain Model

2022

View full text Add to dashboard Cite

Different kill chain models have been defined and analyzed to provide a common sequence of actions followed in offensive cyber operations. These models allow analysts to identify these operations and to understand how they are executed. However, there is a lack of an equivalent model from a defensive point of view: this is, there is no common sequence of actions for the detection of threats and their accurate response. This lack causes not only problems such as unstructured approaches and conceptual errors but, what is most important, inefficiency in the detection and response to threats, as defensive tactics are not well identified. For this reason, in this work we present a defensive kill chain approach where tactics for teams in charge of cyber defense activities are structured and arranged. We introduce the concept of SOC Critical Path (SCP), a novel kill chain model to detect and neutralize threats. SCP is a technology-independent model that provides an arrangement of mandatory steps, in the form of tactics, to be executed by Computer Network Defense teams to detect hostile cyber operations. By adopting this novel model, these teams increase the performance and the effectiveness of their capabilities through a common framework that formalizes the steps to follow for the detection and neutralization of threats. In this way, our work can be used not only to identify detection and response gaps, but also to implement a continuous improvement cycle over time.

show abstract

Section: Our Proposalmentioning

confidence: 99%

SOC Critical Path: A Defensive Kill Chain Model

2022

View full text Add to dashboard Cite

show abstract

“…Andrade and Yoo, as well, investigate which part of the work can be automated to support security analysts [5]. Furthermore, Andrade et al conducted a literature review to pinpoint ways software tools and process can improve analysts' work [4]. Mullins et al designed a prototype dashboard and evaluated its usefulness to facilitate situational awareness in a team of security analysts [32].…”

Section: The Human Factor In Threat Identification and Incidence Resp...mentioning

confidence: 99%

“…Due to infrastructural limitations, we collect reports using an online survey. 3 Each group could report up to five 4 suspicious activities detected during the experiment. Table 4 provides an overview of the questions.…”

Section: Experiments Preparationmentioning

confidence: 99%

See 1 more Smart Citation

`SAIBERSOC` : A Methodology and Tool for Experimenting with Security Operation Centers

et al. 2022

View full text Add to dashboard Cite

In this paper we introduce SAIBERSOC ( S ynthetic A ttack I njection to B enchmark and E valuate the P er formance of S ecurity O peration C enters), a tool and methodology enabling security researchers and operators to evaluate the performance of deployed and operational Security Operation Centers (SOCs) (or any other security monitoring infrastructure). The methodology relies on the MITRE ATT&CK Framework to define a procedure to generate and automatically inject synthetic attacks in an operational SOC to evaluate any output metric of interest (e.g., detection accuracy, time-to-investigation, etc.). To evaluate the effectiveness of the proposed methodology, we devise an experiment with n=124 students playing the role of SOC analysts. The experiment relies on a real SOC infrastructure and assigns students to either a BADSOC or a GOODSOC experimental condition. Our results show that the proposed methodology is effective in identifying variations in SOC performance caused by (minimal) changes in SOC configuration. We release the SAIBERSOC tool implementation as free and open source software.

show abstract

“…For instance, NIST, in its special publication SP 800-61, defines five phases: (i) preparation, (ii) detection and analysis, (iii) containment, (iv) eradication and recovery, and (v) post-incident [43], [44]. In particular, the post-incident phase constitutes the final phase once an incident has been resolved.…”

Section: Introductionmentioning

confidence: 99%