Results

SOCCRATES at 35th Annual FIRST Conference

Martin Eian (mnemonic) and Frank Fransen (TNO) presented SOCCRATES at the 35th Annual FIRST Conference, June 4-9, 2023 in Montréal, Canada.  

In the session, Martin and Frank first introduced the SOCCRATES project and next discussed the three main innovations:

• A machine-readable model of the ICT infrastructure
• Automated security reasoning (Attack Simulation & Real-time Business Impact Assessment)
• Automated generation, assessment and execution of response actions

The presentation was concluded with lessons learned.

ETIS webinar on the SOCCRATES project with live demonstration

The SOCCRATES project ended in October 2022. In the following months, the results of the project have been presented and demonstrations of the SOCCRATES Platform have been given.  On December 14th 2022, ETIS organised a webinar. This webinar has been recorded and is now available on vimeo.

Agenda:

• Brief introduction of SOCCRATES project and partners involved [1:08]
• SOCCRATES vision and walkthrough of platform capabilities [7:50]
• Live demonstration of SOCCRATES platform [36:50]
• Reflection on lessons learned and next steps [1:02:40]

Paper on AI-based Detection of DNS Misuse for Network Security

I. Chiscop, F. Soro, P. Smith, “AI-based Detection of DNS Misuse for Network Security”.
NativeNi ’22: Proceedings of the 1st International Workshop on Native Network Intelligence, December 2022
Download

4th SOCCRATES article in Dutch IB Magazine from PvIB

Susana González Zarzosa and Jesus Villalobos Nieto (both Atos Research & Innovation, Spain), “SOCCRATES – Automation and Orchestration of Security Operations”, IB magazine, 2023, Edition 1. This fourth article in PvIB magazine focuses on the SOCCRATES Orchestrator and Integration Engine which is at the core of the SOCCRATES platform providing automation and orchestration of security operations to response.

D8.4 White paper

This deliverable contains the SOCCRATES (high level) results and experiences in an easily accessible way, suitable for policy makers and higher management of stakeholders. It will be available on-line. It is more or less a management summary of D2.4 (Vision paper) and D7.2 (pilot evaluation) complemented with some high-level experiences from D7.3 (best practices guide).

D5.4 Evaluation and validation report

This deliverable describes the evaluation and validation outcome of the Impact Analyser and Response Planner component on the use cases and experimentation platforms of the SOCCRATES project

D6.4 Final version of the SOCCRATES Platform

This deliverable describes the final version of the SOCCRATES Platform prototype. It includes an overview of all software components. This deliverable is accompanied by a webpage on the SOCCRATES website.

D7.2 Pilot Application and Evaluations

This deliverable presents the results from pilots in the SOCCRATES project: the pilot implementation, alterations to the initial plan, measurement results and ethical and privacy considerations for the pilot implementations. The goal of the pilots was to validate the SOCCRATES platform in a realistic environment.

D8.5 Final Dissemination report

This document reports the dissemination activities and results that were conducted and achieved during the first half of the of the SOCCRATES project.

D7.3 SOCCRATES Platform Best Practices Guide

This deliverable delivers lessons learned of the implementation of the SOCCRATES platform in an actual SOC environment, described in a best practice guide.

SOCCRATES deliverable 8.6 Exploitation Plan

This deliverable describes the SOCCRATES exploitation plan. The plan lists for each of the foreseen results the exploitation by the SOCCRATES consortium partners, as well as uptake by organisations outside the consortium.

3rd SOCCRATES article in Dutch IB Magazine from PvIB

Reinder Wolthuis and Frank Fransen, “SOCCRATES – SOCCRATES – Vision & Roadmap for SOC & CSIRTs”, IB magazine, 2022, Edition 5. It is a summary of the ‘vision, roadmap and guidance for SOC’ booklet that was recently published.

SOCCRATES leaflet

Two page overview of the SOCCRATES project.

SOCCRATES Vision Paper

Continuous innovation and investment in automation is needed in SOCs and CSIRTs to stay ahead of the threats. The SOCCRATES Vision Paper provides a vision and concrete next steps on innovative security automation and answers questions such as ‘Why should we invest in automated security and how do you start?’, ‘What does the Next Generation SOC looks like?’ and ‘How can we integrate automation into our way of working?’.

D6.3 SOCCRATES testing and verification report

This deliverable describes the approach and re-sults of the testing and verification of the SOCCRATES Platform. It includes a description of the testing environments, the tests and results.

D6.2 Initial version of the SOCCRATES platform

This deliverable describes the initial version of the SOCCRATES Platform prototype with the integration of the different components through the SOCCRATES Orchestrator and Integration Engine.

D5.3 Business Logic Modelling and Impact Analyser & Response Planner – Final prototype

This deliverable describes the final prototype of the Business Impact Analyser, Business Logic Modelling and Response Planner components. It describes their functionalities, their integration with the SOCCRATES platform, as well as the final version of the graphical interfaces.

D4.5 Report on the Threat of Adversarial Examples on AI for Cyber Security

This deliverable presents the results from two studies on adversarial machine learning (ML). Their goal is to examine the nature of this risk for cybersecurity-related applications of ML and to highlight the importance of training models in adversarial settings.

D4.4 Tactical Threat Intelligence for Attack Defence Graphs

This deliverable describes the developed demonstrator to enable automatic generation of Adversary Emulation Plans (AEPs). Furthermore, we show how this is integrated in the SOCCRATES Threat Intelligence Platform (TIP), and how the AEPs can be used by the SOCCRATES Attack Defence Graph (ADG) Analyser.

D4.3 Threat Identification and Threat Trend prediction – Final Prototype

This deliverable provides an overview of the prototyping work carried out as part of Task T4.2 in WP4: Threat Identification and Threat Trend Prediction.
It provides an overview of the platform developed for DNS/DGA threat identification and trend prediction. It goes in depth into DGA research with a focus on machine learning algorithms and their effectiveness at identifying DGA based threats.

D3.2 Final ADG based Attack prototypes

The overall objective of Work Package 3 is to develop the Infrastructure Modelling and Attack Defence Graph analyser & Course of Action Generator components of the SOCCRATES Platform. This deliverable describes the final versions of the Infrastructure Modelling Component, Attack Defence Graph analyser and Course of Action generator components.

D2.4 SOCCRATES Vision, Roadmap & Guidance for SOC

This deliverable will describe the vision and provide a roadmap with further developments of the SOCCRATES platform. It will also provide guidance for deployment of the SOCCRATES platform and on utilization of the SOC / CSIRT workforce in the near future.

November 18th 2021, SOCCRATES presented at FIRST TC Norway

Adversary Emulation Planner Based On MITRE ATT&CK | Siri Bromander, mnemonic

The MITRE Adversary Tactics, Techniques and Common Knowledge  (ATT&CK) knowledge base is a very useful resource for information  security professionals. ATT&CK has become the de facto industry  standard for tactical threat intelligence.

ATT&CK contains adversary tactics and techniques, as well as  relationships linking techniques to adversary groups and software.  However, ATT&CK does not describe any relationships or dependencies  between techniques. This makes generating adversary emulation  plans hard, since sequencing of techniques must be done manually, i.e.  assigning techniques to different stages of an intrusion.

Our first step towards automating the generation of adversary emulation  plans is semantic modelling of dependencies between ATT&CK  techniques and development of tool support to generate attack stages  based on techniques in ATT&CK.

This presentation covers how and why we selected our modelling approach,  the tools that we developed, and use cases with examples highlighting  how the tools are useful.

Siri Bromander leads  the Research and Development team at mnemonic.  She holds a PhD from the  University of Oslo and a MsC in telematics/information security from  NTNU. She has worked in mnemonic since 2008  and has more than 14 years of work experience in IT security and  information security research roles, including serving as Security  Manager at mnemonic for five years.

https://www.coldincidentresponse.no/schedule/first-tc-oslo-2021/

SOCCRATES at EU MITRE ATT&CK® Community Workshops

Martin Eian (mnemonic) has given a presentation at the eight EU MITRE ATT&CK® Community Workshops that took place on 22 October 2021. The workshop was supported by CERT-EU, CIRCL and the MITRE Engenuity Center for Threat-Informed Defense. Martin talked about ‘Adversary Emulation: Generating MITRE ATT&CK Technique Sequences’. The slides are available below.

2nd SOCCRATES article in Dutch IB Magazine from PvIB

Reinder Wolthuis and Frank Fransen, “SOCCRATES – Real-time threat, impact analysis and response automation for SOC/CSIRT operations”, IB magazine, 2021, Edition 5.

SOCCRATES at ONE conference 2021

Martin Eian (mnemonic) has given a presentation at the ONE conference 2021 on ‘SOCCRATES Project – Automating Threat Intelligence and Adversary Emulation’. A video of the presentation can be viewed here. 

D5.2 Business Logic Modelling and Impact Analyser & Response Planner – Initial prototype

This deliverable describes the initial prototype of the Business Impact Analyser, Business Logic Modelling and Response Planner components. It describes their functionalities, their integration with the SOCCRATES platform, as well as the cur-rent version of the graphical interfaces.

D3.3 Specification of the common ICT infrastructure reference meta model

The overall objective of Work Package 3 is to develop the Infrastructure Modelling and Attack De-fence Graph analyser & Course of Action Genera-tor components of the SOCCRATES Platform. This deliverable describes the concepts and structures of the infrastructure reference meta model which underpins these components.

D2.3 System Architecture and Interface Specification – Final version

This is the final version of the system architecture and interface specification. It describes all components of the full integrated version of the SOCCRATES platform, interfaces, and a description of how the platform is applied in each of the use cases.

DGA Detective

TNO has released a Python package to perform DGA domain classification.

Available on GitHub and GitLab

Article in Dutch IB Magazine from PvIB

Reinder Wolthuis and Frank Fransen, “SOCCRATES – Security automation in SOC & CSIRT envirnment”, IB magazine, 2021, Edition 4.

Paper at IEEE CSR 2021 conference (Best Paper Award)

A. Gylling, M. Ekstedt, Z. Afzal, and P. Eliasson, “Mapping cyber threat intelligence to probabilistic attack graphs”, 2021 IEEE International Conference on Cyber Security and Resilience, July 2021. (Best research paper award). A summary of the paper can be found here.

The paper is based on the Master Thesis of Andreas Gylling, and can be found here.

SOCCRATES at Webinar SOC developments and pilots in CEF and H2020 projects, July 19th 2021

This Monday a webinar is organized by the EU about SOC developments and pilots in CEF and H2020 projects. The webinar aims at supporting knowledge exchange on recent and future SOC (SOC-relevant ICT solutions) developments between beneficiaries, European Commission, ENISA and HaDEA. It helps finding synergies and maximizing the impact of projects by bringing together policy and projects with a specific focus on developing and establishing European SOCs included as a priority in the EU’s Cybersecurity Strategy for the Digital Decade. 

Reinder Wolthuis (TNO) is invited to present SOCCRATES

Adversary Emulation Planner

mnemonic has released the tool called AEP that can be used to automatically build an ordered set of attack stages with MITRE ATT&CK techniques executed during each stage.

Available on GitHub

SOCCRATES at 33rd Annual FIRST Conference

SOCCRATES provided two presentation at the (virtual) 33rd Annual FIRST Conference: “Crossing Uncertain Times,” on June 7-9, 2021.

* Martin Eian (mnemonic) provided a presentation on: ‘Adversary Emulation – Generating MITRE ATT&CK Technique Sequences’. The video is available on youtube.

* Erik Ringdahl (foreseeti) and Frank Fransen (TNO) provided a presentation on: ‘Attack Defense Graph Analysis for Supporting SOC and CSIRT Operations’. The video is available on youtube and slides are available below.

D8.3 – SOCCRATES First dissemination report

This document is the intermediate report on dissemination activities and contains the progress of dissemination activities and standardization activities in the first half of the SOCCRATES project. We also have included the first ideas for exploitation of results during and after the project. Additionally, we report on the progress on the dissemination KPI’s as defined in the SOCCRATES Dissemination Plan.

D3.1 Initial ADG based Attack prototypes

The SOCCRATES platform consists of eleven components. This deliverable describes the initial prototype implementations of two of the components, the Infrastructure modelling component (IMC) and Attack Defence Graph.

Paper at GraMSec 2020

S. Katsikeas, S. Hacks, P. Johnson, M. Ekstedt, R. Lagerström, J Jacobsson, “An Attack simulation language for the IT domain”, International Workshop on Graphical Models for Security, GraMSec 2020, 67 -86, June 2020 link

D7.1 Pilot specification and plan

This deliverable presents the plan for the pilots in the SOCCRATES project: experiment design, use cases and scenarios, metrics, measurement methodologies, assumptions, pilot site requirements, and deployment. The goal of the pilots is to validate the SOCCRATES platform in a realistic environment.

This deliverable is classified as Project internal and therefore is not publicly published.

Paper at CD-MAKE 2020

Martin Teuffenbach, Ewa Piatkowska, Paul Smith, “Subverting Network Intrusion Detection:
Crafting Adversarial Examples Accounting for Domain-Specific Constraints”, International IFIP
Cross Domain (CD) Conference for Machine Learning & Knowledge Extraction (MAKE) 2020,
Online Event, pp. 301-320, 2020 link

D6.1 Initial version of the SOCCRATES Platform Orchestration, Reconfiguration and Front-end

This deliverable details the initial results on the development of the SOCCRATES Orchestrator and Integration Engine and the plans for the development of the Reconfiguration capabilities and the SOCCRATES Web Front-end.

D5.1 Definition of the business model structure, inputs and interfaces

This deliverable describes the Business Logic modelling used for the Business Impact Analyser
of the SOCCRATES platform. It describes the model structure, inputs and interfaces.

D4.2 Threat Identification and Threat Trend Prediction – Initial Prototype

This deliverable provides an overview of the initial threat identification and trend prediction toolset prototyping carried out as part of Task 4.2 in WP4: Threat Identification and Threat Trend Prediction. A set of Dockerized tools utilizing ML and string similarity algorithms has been developed for the purpose of identifying and classifying DGA-based domains in large domain datasets derived from The Shadowserver Foundation’s malware sandbox.

D4.1 AI-based Attack Detection to Detect Advanced Threats

This deliverable provides an overview of all the algorithms and models to be used in the AI-based Attack Detection (AAD) component of the SOCCRATES platform. A set of intrusion detection tools and the over-arching reasoning engine used for correlating the produced alerts are described in detail. The efficiency of the pro-posed AAD component is illustrated by means of numerical experiments on the CIDDS public dataset. Integration and deployment matters are also addressed.

D2.2 System Architecture & Interface Specifications (Initial)

This deliverable describes the system architecture and interface specification of the SOCCRATES platform to support the SOCCRATES use cases.

This deliverable has been submitted to the EU, but please be aware that acceptance by the EU of this deliverable is outstanding.

SOCCRATES introduction video

This video introduces SOCCRATES and its underlying concepts in an easy understandable way.

D1.4 Data Management Plan

This document details the Voluntary DMP (VDMP) of the SOCCRATES project (deliverable D1.4) describing the chosen approach with regard to the management of the various categories of data processed by the project.

This deliverable has been submitted to the EU, but please be aware that acceptance by the EU of this deliverable is outstanding.

SOCCRATES general presentation

This general presentation on the SOCCRATES project provides a summary on the SOCCRATES project: its partners, goals, concepts and approach.

D8.2 Dissemination plan

This document contains the approach, activities, target groups, channels and high level planning for the dissemination of the SOCCRATES results to relevant stakeholders.

This deliverable has been submitted to the EU, but please be aware that acceptance by the EU of this deliverable is outstanding.

D2.1 Use cases definition & pilot sites requirements

This deliverable describes the five use cases that represent different security operations that the SOCCRATES platform should support, as well as the pilot site requirements for the Vattenfall, mnemonic and Shadowserver pilots.

This deliverable has been submitted to the EU, but please be aware that acceptance by the EU of this deliverable is outstanding.