Active mitigation support to security analysts and security engineers

Security specialists have a lot to remember and keep up with when it comes to mitigation. Giving context-aware advice to them may reduce their workload and improve the quality of their decisions.

A security expert's job is demanding. Organizations whose operations are security-critical often have a security operations centre (SOC), a centralized unit that deals with security issues on both the organizational and the technical level. Security analysts and security engineers working in SOCs face a threat landscape that is very complex and constantly evolving.

Advanced persistent threat (APT) attacks are arguably among the most serious security hazards to computer systems and information networks (information infrastructure, II) that are vital to, for example, critical infrastructures (CI). They are very difficult to detect and, even once detected, difficult to recover from. New forms of APT are probably being developed all the time, with considerable resources. For example, it is suspected that Stuxnet, which substantially damaged Iran's uranium enrichment capabilities, was developed and deployed by the Israeli and US intelligence services.

SOC personnel have a highly demanding job. They need expertise in their own II, the CI it is protecting, the threats they may face, the available defence mechanisms and their applicability and effectiveness, and the available means of threat and incident mitigation. Further, they have to keep up with developments in all of these rapidly developing domains.

Mitigation comprises all the actions taken to prevent, detect, and recover from attacks against the II. Mitigation is needed in all phases of the II defence lifecycle (Figure 1). The defence lifecycle is structured around the phases of an attack. In the preparation phase, no attack is ongoing (or detected), and mitigation consists of designing and equipping the II appropriately, training the personnel, and monitoring the assets. In the detection phase, anomalies are detected and the attack type is identified. In the resolution phase, the attack is stopped, the II is cleaned, and the system is returned to a working state. In the closure phase, lessons are learned from the attack and put into practice.


Figure 1. The defence lifecycle and some mitigation actions associated with each phase

Security defenders need assistance and advice in their task: they may lack experience with the particular threat the II is facing, and they may be understaffed and busy. It is unrealistic to expect that competent experts from beyond the SOC would be available at the time of an attack, or during recovery after it. Existing incident management systems do not provide active assistance in mitigation. If mitigation-related information is available only in a passive form, for example as part of a help system, the user is unlikely to find the needed information, or even to search for it in a meaningful way. Therefore, an automated system providing such assistance could be very valuable.

An active mitigation support system gives advice in a context-aware way. Such a system has information about the II, the assets it is protecting, the threats, and the available defence and mitigation mechanisms, and is able to use this information together with operational data to reason about which mitigation actions are needed in a particular situation for the particular II.

Artificial intelligence for implementing active mitigation support. VTT has implemented a demonstration prototype of an active mitigation support system. The core of the system is an expert system that contains the inference rules by which suitable mitigation actions are selected and communicated to the user. Knowledge is represented in the system using a mitigation ontology as the backbone. The system gives advice on mitigation against an APT in the resolution phase of the defence lifecycle, with a financial infrastructure as the example CI. The system presently consists of frames for knowledge representation and 24 rules, implementing support for selecting among 11 mitigation actions.
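To make the frame-and-rule design concrete, here is a small forward-chaining expert system of the same shape, written for this page as an added illustration; it is not VTT's prototype, and its frames, rules, and action names are constructed placeholders rather than the ontology, 24 rules, or 11 actions the post mentions. It shows the point that matters for an analyst: the advice depends on context frames (here, whether a compromised host is a non-redundant critical asset), and the firing trace is returned as the explanation alongside the recommendation.

```python
# Tiny frame-and-rule expert system for resolution-phase mitigation advice (added
# illustration; slots, rules and action names are constructed, not VTT's prototype).

def make_rule(name, when, then):
    """A rule: name, condition over working memory, effect asserting facts/actions."""
    return {"name": name, "when": when, "then": then}

def add(memory, action):
    """Assert a mitigation action into the working memory."""
    memory["actions"].add(action)

RULES = [  # constructed rule base; list order doubles as conflict resolution
    # Live command-and-control traffic from a host during an APT calls for isolating it.
    make_rule("apt_c2_isolate",
              lambda m: m["threat"]["kind"] == "APT" and "c2_active" in m["threat"]["indicators"],
              lambda m: add(m, "isolate_host")),
    # Credentials stored on the compromised host must be rotated.
    make_rule("rotate_exposed_creds",
              lambda m: m["host"]["stored_credentials"],
              lambda m: add(m, "rotate_credentials")),
    # Context check: a non-redundant high-criticality asset cannot simply be cut off;
    # downgrade hard isolation to egress throttling so the CI service stays up.
    make_rule("critical_asset_no_hard_isolation",
              lambda m: m["host"]["criticality"] == "high" and not m["host"]["redundant"]
              and "isolate_host" in m["actions"],
              lambda m: (m["actions"].discard("isolate_host"), add(m, "throttle_egress"))),
    # Once the host is contained, preserve evidence before cleaning it.
    make_rule("image_before_clean",
              lambda m: m["actions"] & {"isolate_host", "throttle_egress"},
              lambda m: add(m, "forensic_image")),
]

def advise(situation, rules=RULES):
    """Forward-chain over the situation frames, firing each applicable rule at most once
    until quiescence; returns (recommended actions, firing trace = the explanation)."""
    memory = {**situation, "actions": set()}   # frames are read-only, actions are derived
    fired, trace = set(), []
    while True:
        ready = [r for r in rules if r["name"] not in fired and r["when"](memory)]
        if not ready:
            return sorted(memory["actions"]), trace
        rule = ready[0]                         # highest-priority applicable rule
        rule["then"](memory)
        fired.add(rule["name"])
        trace.append(rule["name"])

SITUATION = {  # constructed sample: APT with live C2 on a non-redundant payment gateway
    "threat": {"kind": "APT", "indicators": {"c2_active", "lateral_movement"}},
    "host": {"criticality": "high", "redundant": False, "stored_credentials": True},
}
```

Running `advise(SITUATION)` recommends throttling egress, rotating credentials, and imaging the host, with the trace showing that the isolation rule fired first and was then overridden by the critical-asset rule; changing the host frame to a redundant asset keeps plain isolation instead.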

Active mitigation support has great possibilities. A comprehensive active mitigation support system would cover the whole defence lifecycle. It would adapt to changes in the II environment, the CI, and the threats as automatically as possible. It would support mitigation against any conceivable threat to the II. It would use different kinds of data, together with artificial intelligence and data science functionality, to help decide on the best mitigation actions. Moreover, it could be used to automate mitigation actions. A sketch of the architecture of such a system is given in Figure 2.


Figure 2. An architecture for a future active mitigation support system.

More information on the subject:

Ilkka Karanta, Mika Rautila
