D4.2 Threat Identification and Threat Trend Prediction – Initial Prototype (15-09-2020)
This deliverable provides an overview of the initial threat identification and trend prediction toolset prototyping carried out as part of Task 4.2 in WP4: Threat Identification and Threat Trend Prediction. A set of Dockerized tools utilizing ML and string similarity algorithms has been developed for the purpose of identifying and classifying DGA-based domains in large domain datasets derived from The Shadowserver Foundation’s malware sandbox.
SOC Automation 101: Let’s Make the SOC Great (-er) Again! (17-07-2020)
Wednesday August 26, 2020 4:00 PM – 5:10 PM CEST
SOCCRATES and the SECO institute jointly organize a webinar on August 26th (4 PM-5.10 PM CEST) about SOC automation. During this webinar we’ll evaluate automation as one of the solutions to overcoming major challenges that Security Operations Centers face today. We’ll evaluate time consuming tasks that could be automated to increase the efficiency of a SOC and help the Security Analyst to evolve from a fire-fighter to a more proactive response expert.
Rob van Os (SOC Manager at de Volksbank and member of the SOCCRATES stakeholder group) explains why and how a SOC should embrace automation to deal with ‘alert overkill’; manage security tools that generate a lot of data; increase SOC efficiency and outputs; and make the Security Analyst job ‘Great Again’. Erik Ringdahl and Frank Fransen from SOCCRATES deliver a short presentation and a demo of the Attack Defence Graph Analyser, which automatically and continuously generates models of the IT architecture monitored by a SOC in order to perform automated attack simulations and threat modelling, predict how attacks might propagate, and suggest mitigations.
Participation is free upon timely registration:
SOCCRATES and SAPPAN organise International Workshop on NG SOC in conjunction with ARES, August 25, 2020 (07-07-2020)
Organisations in Europe face the difficult task of detecting and responding to increasing numbers of cyber-attacks and threats, given that their own ICT infrastructures are complex and constantly changing (e.g. through the introduction of new technologies) and that there is a shortage of qualified cybersecurity experts. There is a great need to drastically reduce the time to detect and respond to cyber-attacks. A key means for organisations to stay ahead of the threat is the establishment of a Security Operations Center (SOC). The primary purpose of a SOC is to monitor, assess and defend the information assets of an enterprise, on both a technical and an organisational level.
The aim of the NG-SOC 2020 workshop is to create a forum for researchers and practitioners to discuss the challenges associated with SOC operations and to focus on research contributions that can be applied to address these challenges. The workshop will draw on expertise from two EU-funded H2020 projects: SAPPAN (https://sappan-project.eu/) and SOCCRATES (https://www.soccrates.eu/). Selected members of the projects’ consortia will present their research activities. The workshop will include a panel session to foster discussion on the major operational challenges that enterprises and SOC operators face and to provide insights into promising research-based solutions.
The workshop is jointly organized by two H2020 projects that are funded by the European Commission:
The SOCCRATES project (https://www.soccrates.eu/) will develop and implement a new security platform for Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs) that will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks. The SOCCRATES Platform consists of an orchestrating function and a set of innovative components for automated infrastructure modelling, attack detection, cyber threat intelligence utilisation, threat trend prediction, and automated analysis using attack defence graphs and business impact modelling to aid human analysis and decision making on response actions, and to enable the execution of defensive actions at machine speed. The SOCCRATES Platform aims to enable organisations to improve the resilience of their infrastructures and to increase productivity and efficiency at the SOC. The outcomes of the project will contribute to a more secure cyberspace and strengthen competitiveness in the EU digital single market.
The SAPPAN project (https://sappan-project.eu/) aims to enable efficient protection of modern ICT infrastructures via advanced data acquisition, threat analysis, and privacy-aware sharing and distribution of threat intelligence, in order to dynamically support human operators in response and recovery actions. The SAPPAN project will develop collaborative, federated, and scalable attack detection to support response activities and allow for timely responses to newly emerging threats while supporting different privacy levels. We plan to identify a standard for the interoperable and machine-readable description of incident response reports and recovery solutions; risk assessment, privacy, and security will be addressed in the standard’s design. Results of both attack detection and recovery and response processes will be shared on a global level to achieve advanced response and recovery via knowledge sharing and federated learning. We develop a mechanism for sharing threat intelligence information that combines encryption and anonymisation to achieve GDPR compliance. Novel visualisation techniques will be developed to assist security and IT personnel, providing richer context for the response and recovery process and an improved visual presentation of it.
Topics of interest include, but are not limited to:
Security Operation Center (SOC)
Network Intrusion Detection Systems
Domain Generation Algorithms
Cyber Threat Intelligence Utilization
Privacy-aware Threat Intelligence Sharing
Business Impact Modelling
Attack Analysis with Attack Defence Graphs (ADGs)
Visual Presentation to Support Response and Recovery Actions
Workshop Agenda (Tuesday, 25th of August 2020 | 9:00 – 17:45)
| Start | End | Presentation | Speaker(s) | Duration (min) |
|-------|-----|--------------|------------|----------------|
| | | Session 1 (Ewa Piatkowska) | | 90 |
| 09:00 | 09:05 | Welcome | Ewa Piatkowska | 5 |
| 09:05 | 09:25 | The SOCCRATES Project: Overview and Objectives | Frank Fransen (TNO) | 20 |
| 09:25 | 09:45 | The SAPPAN Project: Overview and Objectives | Avikarsha Mandal (Fraunhofer FIT) | 20 |
| 09:45 | 10:30 | Keynote: Semi-Automated Cyber Threat Intelligence (ACT) | Martin Eian (Mnemonic) | 45 |
| | | Session 2 (Tomas Jirsik) | | 100 |
| 11:00 | 11:20 | Monitoring Malicious Infrastructures to Produce Threat Intelligence | Piotr Kijewski (Shadowserver) | 20 |
| 11:20 | 11:40 | Pipeline Development for Automatically Generated Domain Detection | Irina Chiscop (TNO) | 20 |
| 11:40 | 12:00 | Leveraging Machine Learning for DGA Detection | Arthur Drichel (RWTH Aachen University) | 20 |
| 12:00 | 12:20 | Knowledge Management and Anonymization Techniques in Cyber-Threat Intelligence | Lasse Nitz, Mehdi Akbari Gurabi (Fraunhofer FIT) | 20 |
| 12:20 | 12:40 | Reputation Management Techniques for IP Addresses, Domains, and Mail | Mischa Obrecht (DreamLab) | 20 |
| | | Session 3 (Avikarsha Mandal) | | 80 |
| 13:45 | 14:05 | Host and Application Behaviour Modelling | Tomas Jirsik (Masaryk University) and Sebastian Schaefer (RWTH Aachen University) | 20 |
| 14:05 | 14:25 | L-ADS: Live Anomaly Detection System | Alejandro Garcia Bedoya (ATOS) | 20 |
| 14:25 | 14:45 | Adversarial Examples against Intrusion Detection Systems | Ewa Piatkowska (AIT) | 20 |
| 14:45 | 15:05 | Fast and Scalable Cybersecurity Data Processing | Josef Niedermeier, Gabriela Aumayr (HPE) | 20 |
| | | Session 4 (Irina Chiscop) | | 80 |
| 15:30 | 15:50 | Attack Analysis with Attack Defence Graphs | Erik Ringdahl (Foreseeti) | 20 |
| 15:50 | 16:10 | Attack Graph-based Courses of Action for Defense | Wojciech Widel (KTH) | 20 |
| 16:10 | 16:30 | Visual Analytics for Cyber Security Data | Christoph Müller and Franziska Becker (University of Stuttgart) | 20 |
| 16:30 | 16:50 | Endpoint Protection | Paolo Palumbo (F-Secure) | 20 |
| 17:05 | 17:35 | Panel: Discussion on Future Challenges for SOC | Speakers: Pavel Kacha (CESNET), Sarka Pekarova (DreamLab), Paul Smith (AIT); panel chair: Tomas Jirsik (Masaryk University) | 30 |
| 17:35 | 17:45 | Wrap up | Ewa Piatkowska (AIT) | 10 |
Venue and Registration
The NG-SOC 2020 workshop is organised in conjunction with the ARES 2020 conference, which this year will be held all-digital. Registration for the workshop is required and costs 40€ (Regular Attendee) or 20€ (Student Attendee). The registration fee includes entrance to all ARES & CD-MAKE conference and workshop sessions. If you want to attend, please register at https://www.ares-conference.eu/registration-all-digital-conference.
First SOCCRATES video released (28-05-2020)
We are very proud to release the first SOCCRATES video. It introduces the project and its goals and shows the underlying concepts in a way that is easy to understand.
SOCCRATES featured on Openaccessgovernment.org (25-03-2020)
‘The Horizon 2020 project SOCCRATES brings together some of the best expertise in the field to develop, implement and evaluate an automated security platform to defend against complex cyber-attacks, more of which is explained here by Reinder Wolthuis from TNO.’
See the article on https://www.openaccessgovernment.org/soccrates-complex-cyber-attacks/84079/
Frank Fransen presents SOCCRATES on the cyber security market day at TNO (13-03-2020)
TNO organised a cyber security market day on March 12th 2020 at the Hague Security Delta in The Hague. People from the cyber security industry and end users of cyber security solutions were invited to this event. Maarten Tossings, member of the board of TNO, opened the day, on which results of recent TNO cyber security projects were highlighted with presentations, demos and posters. Frank Fransen, technical coordinator of SOCCRATES, presented the SOCCRATES project, its vision and its first results. SOCCRATES was very well received by the visitors of the event. For more information on cybersecurity at TNO, visit the TNO cybersecurity page.
SOCCRATES presented at the Symposium on Power System Cyber Security at TU Delft, March 11th 2020 (10-03-2020)
Frank Fransen, technical coordinator of SOCCRATES, will present SOCCRATES at the Symposium on Power System Cyber Security at TU Delft on March 11th 2020. In the programme, Frank replaces Dr. Anurag K Srivastava, who is unable to attend. For more information see: https://www.tudelft.nl/powerweb-institute/newsevents/symposium-power-system-cyber-security/
SOCCRATES second meeting in Helsinki (25-02-2020)
On January 21st and 22nd, SOCCRATES had its second consortium meeting, hosted by F-Secure. It was a very fruitful meeting in which, besides the overall progress discussion, each Work Package had its own meeting. Good progress was made on several relevant subjects. In particular, we had good discussions on the infrastructure modelling module, which resulted in a shared view.
We also had a joint session with the SAPPAN project (funded in the same call as SOCCRATES, H2020 SU-ICT-01-2018), in which F-Secure also participates. We agreed to jointly organise a workshop, to look into forming a liaison between the projects, and to investigate potential synergies and areas of cooperation between the projects.
SOCCRATES delivers first results (10-12-2019)
On December 1st 2019, the first batch of SOCCRATES results was delivered on time. One of the results is the external website, which is now fully functional and online. Some of the deliverables are internal: these include cooperation tools for project members, an information platform for the stakeholder group and advisory board, and a project handbook. But there are also two important external deliverables that can be found on the results page of the website:
- D2.1 – SOCCRATES use cases definition & pilot sites requirements
- D8.2 – SOCCRATES dissemination plan
We are very happy that we are now up to speed and are very satisfied with these first deliverables. We look forward to the interesting activities and deliverables that will follow in the coming years.
SOCCRATES has started (22-11-2019)
In 2018, the SOCCRATES consortium submitted a proposal to work on security automation in H2020. This proposal was awarded in December 2018 and, after preparations were completed, SOCCRATES started on September 1st, 2019. SOCCRATES had its kick-off meeting in The Hague on September 2nd and 3rd, where all partners assembled and the activities were started. The ‘vibe’ was already very good, and all partners look forward to cooperating in this exciting venture, which will last three years until August 31st, 2022.
ARES conference Canterbury 2019 (31-10-2019)
International Workshop on Next Generation Security Operations Centers (NG-SOC 2019)
in conjunction with 14th International Conference on Availability, Reliability and Security (ARES 2019)
August 26 – August 29, 2019, University of Kent, Canterbury, UK
The first SOCCRATES project workshop was organized within the ARES EU Project Symposium held in conjunction with the 14th International Conference on Availability, Reliability and Security (ARES 2019). It took place on Monday, 26th of August 2019 at the University of Kent, Canterbury, UK.
The workshop introduced the newly awarded SOCCRATES project, which aims to enable organisations to improve the resilience of their infrastructures and to increase productivity and efficiency at Security Operation Centres (SOCs). SOCCRATES will develop and implement a new security platform for SOCs which will significantly improve an organisation’s capability to quickly and effectively detect and respond to new cyber threats and ongoing attacks.
The goal of this workshop was to create a forum for researchers and practitioners to discuss the challenges associated with the operation of SOCs and to focus on research contributions that can be applied to address these challenges. Selected members of the SOCCRATES consortium presented their past and proposed project activities. The workshop concluded with an open discussion on the major operational challenges that enterprises and SOC operators face and insights into promising research-based solutions.
The following presentations were given at the workshop:
- The SOCCRATES Project: Motivation and Aims, Reinder Wolthuis (TNO)
- ACT: Cyber Threat Intelligence Platform, Siri Bromander (Mnemonic)
- Threat modelling and attack simulations with MAL and securiCAD, Per Eliasson (Foreseeti)
- Automated Response based on securiCAD recommendations, Frank Fransen (TNO)
- Anomaly Detection (DNS Ninja & ABC tool), Irina Chiscop (TNO)
- Adversarial Machine Learning, Ewa Piatkowska (AIT)
We concluded with an open discussion about future challenges for SOCs, moderated by Frank Fransen (TNO).