Comprehending Security Events - Context-Based Identification and Explanation
Thijs van Ede is a PhD student in the department Semantics, Cybersecurity & Services. (Co)Promotors are prof.dr.ir. M.R. van Steen, prof.dr. A. Peter and dr.ir. A. Continella from the faculty of Electrical Engineering, Mathematics and Computer Science.
 With the increased sophistication of cyber attacks, organizations are under constant threat of data breaches, disruption of business processes and reputation loss. As preventive measures are not infallible, organizations have started to more closely monitor their devices and network infrastructure for malicious activity. By swift detection of an attack at an early stage, organizations can take mitigating actions limiting the impact to their organization. This detection can be done internally or is outsourced to a Security Operations Center (SOC). The SOC deploys automated detectors that monitor devices and network traffic for suspicious events, which are subsequently sent to the SOC. Here, security operators manually analyze these events, verify whether they constitute an attack and, if required, take action.
Analyzing security events is not straightforward and requires highly skilled operators. We identified three major challenges that operators face during analysis:
- Operators need to invest time to keep up with the latest developments in attack patterns to accurately identify threats and find appropriate mitigations.
- Operators analyze a vast number of events, which often leads to alert fatigue, where operators investigate so many events that it impairs their ability to correctly distinguish malicious behavior from falsely flagged events.
- Operators require sufficient contextual information to assess security events.
This work aims to better understand security events and applies that knowledge to develop approaches that assist (semi-)automated analysis. Concretely, we first investigate the process of sharing threat intelligence through reports describing the high-level tactics and techniques used by attackers. In doing so, we develop a natural language processing framework that automatically extracts actionable threat intelligence and classifies it into the ATT&CK knowledge base, a framework describing threat models and methodologies. Second, we study the event investigation process known as triaging. Here, we develop an approach that semi-automatically analyses security events in the context of other security events to determine the overall risk level. Third, we investigate security events more deeply at the network level and devise an approach that clusters encrypted network traffic according to the application that produced it. This gives security operators a deeper understanding of network traffic and allows them to block malicious activity more effectively. Finally, we perform a case study in which we apply the methods developed in this work to the domain of identity and access management policies to identify misconfigurations. This case study demonstrates the potential of our methods for future work.
Combining these findings, we conclude that these approaches bring us a step closer to understanding security events and providing adequate responses.