Positive SOCCRATES mid term review
16-04-2021SOCCRATES already is halfway its project lifetime, so we had our mid-term review on Wednesday April 14th. We prepared for a day of presentations and demos and had very good questions from and discussions with our EU Project Officer (PO) and the three expert reviewers. They also provided us with some very useful suggestions. We received their first feedback at the end of the day (formal feedback report will follow). Although there were some attention points, overall feedback was that our PO and the reviewers were very happy with the progress we’ve made in the project. In particular the newly developed Adversary Emulation Plan tool, presented by Martin Eian (mnemonic), was considered to be really cool. It will be shared as Open Source soon. Our PO also requested us to share our vision on future SOC/CSIRT developments as early as possible, so this can serve as input on upcoming SOC/CSIRT initiatives at EU level. Of course we will gladly fulfill this honorable request.
3rd International Workshop on Next Generation Security Operations Centers (NG-SOC 2021)
15-03-2021Two H2020 projects: SOCCRATES (https://www.soccrates.eu/) and SAPPAN (https://sappan-project.eu/) jointly organize the NG-SOC 2021 workshop, to be held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021 – http://www.ares-conference.eu)
August 17 – August 20, 2021, Vienna, Austria
Important Dates
– Submission Deadline April 30, 2021
– Author Notification May 31, 2021
– Proceedings Version June 13, 2021
– ARES EU Symposium August 17, 2021
– Conference August 17 – August 20, 2021
Submission Guidelines
Th call for papers can also be found here: ARES Conference » NG-SOC 2021 (ares-conference.eu). The submission guidelines valid for the workshop are the same as for the ARES conference. They can be found at https://www.ares-conference.eu/conference/submission/.
Workshop Description
Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by the introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organizations to stay ahead of the threat is through the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, both on a technical and organizational level.
The aim of this workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. Through cooperation among H2020 European projects, the workshop intends to provide a more comprehensive overview of the promising research-based solutions that enable timely response to emerging threats and support different aspects of the security analysis and recovery process.
Topics of interest include, but are not limited to:
• Collaborative Incident Response and Recovery
• Machine Learning for Security and Privacy
• Intrusion Detection
• Network Security
• Standardization and Sharing of Cybersecurity Knowledge
• Endpoint Security
• Privacy Aspects of Sharing in Cybersecurity
• Cyber Threat Intelligence Utilization
• Situation Awareness and Decision Support Tools for SOC
• Novel Visualization Tools and Approaches for SOC
• Security of Machine Learning
• Attacks against Deep Learning (e.g. Adversarial Examples)
• Malware Identification and Analysis
• Vulnerability Discovery
• Digital Forensics and Attack Attribution
• Natural Language Processing (NLP) for Security
• Threat Trend Modelling and Prediction
• Attack and Defence Modelling
• Host Behaviour Profiling
• User Behaviour Analytics (UBA)
• Advanced Persistent Threat Detection and Analysis
• Security Event Fusion, Correlation and Severity Analysis
Workshop Chairs
Irina Chiscop, TNO, Netherlands
Tomas Jirsik, Masaryk University, Brno, Czech Republic
Avikarsha Mandal, Fraunhofer FIT, Aachen, Germany
Ewa Piatkowska, AIT Austrian Institute of Technology, Austria
Program Committee
Ville Alkkiomäki, F-Secure, Finland
Manos Athanatos, FORTH-ICS, Greece
Mathias Ekstedt, KTH, Sweden
Muriel Figueredo Franco, University of Zurich UZH, Switzerland
Frank Fransen, TNO, The Netherlands
Leandros Maglaras, De Montfort University, Leicester, UK
Preetam Mukherjee, KTH, Sweden
Dimitrios Serpanos, Industrial Systems Institute, Greece
Edward Staddon, INRIA, France
Daniel Tovarnak, Masaryk University, Czech Republic
Ruben Trapero, ATOS, Spain
Petr Velan, Masaryk University, Czech Republic
Daniel Weber, LRZ, Germany
Markus Wurzenberger, AIT Austrian Institute of Technology, Austria
Martin Zadnik, CESNET, Czech Republic
Joint Standardisation Workshop of Dynamic countering of cyber-attacks projects
12-01-2021On January 22nd 2021 all projects that are funded in the H2020 call SU-ICT-01-2018 will have a joint workshop to exchange knowledge and to develop plans for collaborative standardisation and dissemination activities. We intend to utilise intra-project synergies to increase the overall impact of the projects and consequently increase the resilience of the EU community against cyber-attacks.
SOCCRATES PRESENTED AT ERICSSON BY SHADOWSERVER
03-11-2020At the Ericsson Internal Network Security Seminar on September 22nd 2020, The Shadowserver Foundation was invited to give a presentation. The presentation was Titled “Large Scale Internet Garbage Collection and sharing”.
Abstract:
The Shadowserver Foundation has been collecting network threat information on a big-data scale for many years with a mission to make the Internet a more secure environment for all. The collected data is shared with 112+ National CSIRTs and 5900+ network owners worldwide via the Shadowserver free daily remediation feeds and used to support various law enforcement investigations. Data collection and management on such a scale is a big challenge – the talk will give an overview of how Shadowserver operates, what data it collects and what threat information can be inferred from it, how the information is being shared and how Shadowserver has supported various malware botnet takedowns and disruptions.
D4.2 Threat Identification and Threat Trend Prediction – Initial Prototype
15-09-2020This deliverable provides an overview of the initial threat identification and trend prediction toolset prototyping carried out as part of Task 4.2 in WP4: Threat Identification and Threat Trend Prediction. A set of Dockerized tools utilizing ML and string similarity algorithms has been developed for the purpose of identifying and classifying DGA-based domains in large domain datasets derived from The Shadowserver Foundation’s malware sandbox.
SOC Automation 101: Let’s Make the SOC Great (-er) Again!
17-07-2020Wednesday August 26, 2020 4:00 PM – 5:10 PM CEST
SOCCRATES and the SECO institute jointly organize a webinar on August 26th (4 PM-5.10 PM CEST) about SOC automation. During this webinar we’ll evaluate automation as one of the solutions to overcoming major challenges that Security Operations Centers face today. We’ll evaluate time consuming tasks that could be automated to increase the efficiency of a SOC and help the Security Analyst to evolve from a fire-fighter to a more proactive response expert.
Rob van Os (SOC Manager at de Volksbank and member of the SOCCRATES stakeholder group) explains why and how a SOC should embrace automation to deal with ‘alert overkill’; manage security tools that generate a lot of data; increase SOC efficiency and outputs; and make the Security Analyst job ‘Great Again’. Erik Ringdahl and Frank Fransen from SOCCRATES deliver a short presentation and a demo of the Attack Defence Graph Analyser, that automatically and continuously generates models of IT architectures in a SOC to perform automated attack simulations and threat modelling, predict how attacks might propagate and suggest mitigations.
Participation is free upon timely registration:
https://register.gotowebinar.com/register/6946483974829535502
SOCCRATES and SAPPAN organise International Workshop on NG SOC in conjunction with ARES, August 25, 2020
07-07-2020Overview
Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex, constantly changing (e.g. by introduction of new technologies) and there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organizations to stay ahead of the threat is through the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, both on a technical and organizational level.
The aim of the NG-SOC 2020 workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and focus on research contributions that can be applied to address these challenges. The workshop will draw on expertise from two EU-funded H2020 projects: SAPPAN (https://sappan-project.eu/) and SOCCRATES (https://www.soccrates.eu/). Selected members of the projects’ consortia will present their research activities. The workshop will include a panel session to foster discussion on the major operational challenges that enterprises and SOC operators face and provide insights into promising research-based solutions
Project abstract
The workshop is jointly organized by two H2020 projects that are funded by the European Commission:
SOCCRATES project (https://www.soccrates.eu/) will develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs), that will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. The SOCCRATES Platform consists of an orchestrating function and a set of innovative components for automated infrastructure modelling, attack detection, cyber threat intelligence utilization, threat trend prediction, and automated analysis using attack defence graphs and business impact modelling to aid human analysis and decision making on response actions, and enable the execution of defensive actions at machine-speed. The SOCCRATES Platform aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the SOC. The outcomes of the project will contribute to a more secure cyberspace and strengthen competitiveness in the EU digital single market.
SAPPAN project (https://sappan-project.eu/) aims to enable efficient protection of modern ICT infrastructures via advanced data acquisition, threat analysis, and privacy-aware sharing and distribution of threat intelligence aimed to dynamically support human operators in response and recovery actions. The SAPPAN project will develop a collaborative, federated, and scalable attack detection to support response activities and allow for timely responses to newly emerging threats supporting different privacy-levels. We plan to identify a standard for the interoperable and machine-readable description of incident response reports and recovery solutions. The risk assessment, privacy, and security will be addressed in the standard design. Results of both attack detection and recovery and response processes will be shared on a global level to achieve an advanced response and recovery via knowledge sharing and federated learning. We develop a mechanism for sharing information on threat intelligence, which implements a combination of encryption and anonymization to achieve GDPR compliance. Novel visualization techniques will be developed to assist security and IT personnel and provide an enhanced content of context of the response and recovery, and improved visual presentation of the process.
Topics of interest include, but are not limited to:
Security Operation Center (SOC)
Anomaly Detection
Network Intrusion Detection Systems
Domain Generation Algorithms
Cyber Threat Intelligence Utilization
Privacy-aware Threat Intelligence Sharing
Business Impact Modelling
Attack Analysis with Attack Defence Graphs (ADGs)
Visual Presentation to Support Response and Recovery Actions
Workshop Agenda (Tuesday, 25th of August 2020 | 9:00 – 17:45)
| Time | Talk | Duration [min] | |
| Session 1 (Ewa Piatkowska) | 90 | ||
| 09:00 | 09:05 | Welcome Ewa Piatkowska | 5 |
| 09:05 | 9:25 | The SOCCRATES Project: Overview and Objectives Frank Fransen (TNO) | 20 |
| 9:25 | 9:45 | The SAPPAN Project: Overview and Objectives Avikarsha Mandal (Fraunhofer FIT) | 20 |
| 9:45 | 10:30 | Keynote: Semi-Automated Cyber Threat Intelligence (ACT) Martin Eian (Mnemonic) | 45 |
| 10:30 | 11:00 | Coffee break | 30 |
| Session 2 (Tomas Jirsik) | 100 | ||
| 11:00 | 11:20 | Monitoring Malicious Infrastructures to Produce Threat Intelligence Piotr Kijewski (Shadowserver) | 20 |
| 11:20 | 11:40 | Pipeline development for Automatically Generated Domain detection Irina Chiscop (TNO) | 20 |
| 11:40 | 12:00 | Leveraging Machine Learning for DGA Detection Arthur Drichel (RWTH Aachen University) | 20 |
| 12:00 | 12:20 | Knowledge Management and Anonymization Techniques in Cyber-Threat Intelligence Lasse Nitz, Mehdi Akbari Gurabi (Fraunhofer FIT) | 20 |
| 12:20 | 12:40 | Reputation Management Techniques for IP addresses, domains, and mail Mischa Obrecht (DreamLab) | 20 |
| 12:40 | 13:45 | Lunch break | 65 |
| Session 3 (Avikarsha Mandal) | 80 | ||
| 13:45 | 14:05 | Host and Application Behaviour Modelling Tomas Jirsik (Masaryk University) and Sebastian Schaefer (RWTH Aachen University) | 20 |
| 14:05 | 14:25 | L-ADS: Live Anomaly Detection System Alejandro Garcia Bedoya (ATOS) | 20 |
| 14:25 | 14:45 | Adversarial Examples against Intrusion Detection Systems Ewa Piatkowska (AIT) | 20 |
| 14:45 | 15:05 | Fast and Scalable Cybersecurity Data Processing Josef Niedermeier, Gabriela Aumayr (HPE) | 20 |
| 15:05 | 15:30 | Coffee break | 25 |
| Session 4 (Irina Chiscop) | 80 | ||
| 15:30 | 15:50 | Attack Analysis with Attack Defence Graphs Erik Ringdahl (Foreseeti) | 20 |
| 15:50 | 16:10 | Attack Graph-based Courses of Action for Defense Wojciech Widel (KTH) | 20 |
| 16:10 | 16:30 | Visual Analytics for Cyber Security Data Christoph Müller and Franziska Becker (University of Stuttgart) | 20 |
| 16:30 | 16:50 | Endpoint Protection Paolo Palumbo (FSecure) | 20 |
| 16:50 | 17:05 | Coffee break | 15 |
| Panel Session | 45 | ||
| 17:05 | 17:35 | Discussion on Future Challenges for SOC Speakers: Pavel Kacha (CESNET) Sarka Pekarova (DreamLab) Paul Smith (AIT) Panel chair: Tomas Jirsik (Masaryk University) | 30 |
| 17:35 | 17:45 | Wrap up Ewa Piatkowska (AIT) | 10 |
Workshop Website
Venue and Registration
NG-SOC 2020 workshop is organised in conjunction with the ARES 2020 conference, which this year will be held all-digital. Registration for the workshop is required and costs 40€ (Regular Attendee) or 20€ (Student attendee). The registration fee includes the entrance to all ARES & CD-MAKE conference and workshop sessions. If you want to attend, please register at https://www.ares-conference.eu/registration-all-digital-conference .
First SOCCRATES video released
28-05-2020We are very proud to release the first SOCCRATES video. It introduces the project and its goals and shows the underlying concepts in a way that is easy understandable.
SOCCRATES featured on Openaccessgovernment.org
25-03-2020‘The Horizon 2020 project SOCCRATES brings together some of the best expertise in the field to develop, implement and evaluate an automated security platform to defend against complex cyber-attacks, more of which is explained here by Reinder Wolthuis from TNO.’
See the article on https://www.openaccessgovernment.org/soccrates-complex-cyber-attacks/84079/
Frank Fransen presents SOCCRATES on the market day cyber security at TNO
13-03-2020TNO organized a market day cyber security on March 12th 2020 at the Hague Security Delta in the Hague. For this event, people from cyber security industry and end users of cyber security solutions were invited. Maarten Tossings, member of the board of TNO opened the day on which results of recent TNO cyber security projects were highlighted with presentations, demo’s and posters. Frank Fransen, technical coordinator of SOCCRATES presented the SOCCRATES project, its vision and first results. SOCCRATES was very well received by the visitors of the event. For more information on cybersecurity at TNO, visit the TNO cybersecurity page.
SOCCRATES presented on Symposium on Power System Cyber Security at TU Delft March 11th 2020
10-03-2020Frank Fransen, technical coordinator of SOCCRATES, will present SOCCRATES on the Symposium on Power System Cyber Security at TU Delft on March 11th 2020. In the program, Frank will replace Dr. Anurag K Srivastava who is unable to attend. See for more information: https://www.tudelft.nl/powerweb-institute/newsevents/symposium-power-system-cyber-security/
SOCCRATES second meeting in Helsinki
25-02-2020
On January 21st and 22nd, SOCCRATES had its second consortium meeting, hosted by F-Secure. It was a very fruitful meeting, in which besides the overall progress discussion, each Work Package had their own meeting. Good progress was made on several relevant subjects. In particular we had good discussions on the infrastructure modelling module, which resulted in a shared view.
We also had a joint session with the SAPPAN project (funded in the same call as SOCCRATES (H2020 SU-ICT-01-2018) in which F-Secure also participates. We agreed to jointly organize a workshop, look into forming a liaison beweteen the projects and investigate potential synergies and areas of cooperation between the projects.
SOCCRATES delivers first results
10-12-2019On December 1st 2019, the first batch of SOCCRATES results was delivered on time. One of the results is the external website, which is now fully functional and on-line. Part of the deliverables are internal deliverables. This includes cooperation tools for project members, information platform for stakeholder group and advisory board and a project handbook. But there also two important external deliverables that can be found under the results page of the website:
- D2.1 – SOCCRATES use cases definition & pilot sites requirements
- D8.2 – SOCCRATES dissemination plan
We are very happy that we are now up to speed and are very satisfied with these first deliverables. We look forward to the interesting activities and deliverables that will follow in the coming years.
SOCCRATES has started
22-11-2019In 2018, the SOCCRATEs consortium submitted a proposal to work on security automation in H2020. This proposal was rewarded in December 2018 and after preparations have been completed, SOCCCRATES started on September 1st, 2019. SOCCRATES had its kick off meeting in the Hague on September 2nd and 3rd, where all partners assembled and the activities were started. The ‘vibe’ was already very good and all partners look forward to cooperate in this exciting venture, that will last three years until August 31st, 2022.
ARES conference Canterbury 2019
31-10-2019International Workshop on Next Generation Security Operations Centers (NG-SOC 2019)
in conjunction with 14th International Conference on Availability, Reliability and Security (ARES 2019)
August 26 – August 29, 2019, University of Kent, Canterbury, UK
Overview
The first SOCCRATES project workshop was organized within the ARES EU Project Symposium held in conjunction with the 14th International Conference on Availability, Reliability and Security (ARES 2019). It took place on Monday, 26th of August 2019 at the University of Kent, Canterbury, UK.
The workshop introduced the newly-awarded SOCCRATES project which aims to enable organisations to improve the resilience of their infrastructures and increase productivity and efficiency at the Security Operation Centres (SOCs). SOCCRATES will develop and implement a new security platform for SOC, which will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks.
The goal of this workshop was to create a forum for researchers and practitioners to discuss the challenges associated with operations of the SOCs and focus on research contributions that can be applied to address these challenges. Selected members of the SOCCRATES consortium presented their past and proposed project activities. The workshop was concluded with the open discussion on the major operational challenges that enterprises and SOC operators face and insights into promising research-based solutions.
Workshop Programme
The following presentations were given at the workshop:
- The SOCCRATES Project: Motivation and Aims Reinder Wolthuis (TNO)
- ACT: Cyber Threat Intelligence Platform Siri Bromander (Mnemonic)
- Threat modelling and attack simulations with MAL and securiCAD Per Eliasson (Foreseeti)
- Automated Response based on SecuriCAD recommendations Frank Fransen (TNO)
- Anomaly Detection (DNS Ninja & ABC tool) Irina Chiscop (TNO)
- Adversarial Machine Learning Ewa Piatkowska (AIT)
We concluded with the open discussion about future challenges for SOCs, moderated by Frank Fransen (TNO).