D2.1 Cyber Incident Handling Trend Analysis
Total Page:16
File Type:pdf, Size:1020Kb
D2.1 Cyber Incident handling Trend Analysis Project number: 833683 Project acronym: CyberSANE Cyber Security Incident Handling, Warning and Project title: Response System for the European Critical Infrastructures Start date of the project: 1st September, 2019 Duration: 36 months Programme: H2020-SU-ICT-2018 Deliverable type: Report DS-01-833683 / D2.1/ Final | 0.8 Deliverable reference number: 2020_CSN_RP_05_Deliverable 2.1_Cyber Incident Handling Trend Analysis_v1 Work package contributing to the WP 2 deliverable: Due date: 01/03/2020 Actual submission date: 02/03/2020 Responsible organisation: Inria Editor: Inria Dissemination level: PU Revision: V2.0 This deliverable describes the different incident handling trend analysis performed in Task T2.1. It provides a categorisation of attacks, a description of the different tools Abstract: identified to be used in the design and development of the CyberSANE infrastructure. In addition, it reviews the related standards and provides the best practices to follow in the rest of the project. Keywords: Attacks categorisation and trends, standards, tools The project CyberSANE has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No 833683. D2.1 – Cyber Incident Handling Trend Analysis Editor Nathalie Mitton (Inria) Contributors (ordered according to beneficiary numbers) Luís Landeiro Ribeiro (PDMFC) Luis Miguel Campos (PDMFC) Oleksii Osliak (CNR) Stefen Beyer (S2) Sergio Zamarripa (S2) Valeria Loscri (Inria) Nathalie Mitton (Inria) Edward Staddon (Inria) Mania Hatzikou (MAG) Athanasios Karantjias (MAG) Spyridon Papastergiou (MAG) Sophia Karagiorgou (UBI) Manos Athanatos (FORTH) Georgios Spanoudakis (STS) Paris-Alexandros Karypidis (SID) Anastasios Lytos (SID) Umar Ismail (UoB) Haris Mouratidis (UoB) Disclaimer The information in this document is provided “as is”, and no guarantee or warranty is given that the information is fit for any particular purpose. The content of this document reflects only the author`s view – the European Commission is not responsible for any use that may be made of the information it contains. The users use the information at their sole risk and liability CyberSANE D2.1 Page I D2.1 – Cyber Incident Handling Trend Analysis Contents 1. Introduction .................................................................................................................. 1 2. Cyber Threat and Attacks ............................................................................................. 2 2.1. Categorisation of threats ............................................................................................... 2 2.2. Application to Critical Information Infrastructures (CIIs) ............................................... 12 2.3. Requirements for Critical Information Infrastructures (CIIs) .......................................... 13 3. Background Solutions Relevant to CyberSANE ........................................................... 14 3.1. eMAS SOM .............................................................................................................. 14 3.2. SiVi Tool .................................................................................................................. 16 3.3. L-ADS ..................................................................................................................... 17 3.4. XL-SIEM ................................................................................................................. 18 3.5. CARMEN ................................................................................................................. 20 3.6. OLISTIC Enterprise Risk Management Suite ............................................................... 21 3.7. MEDUSA Cyber Intelligence Suite ............................................................................. 23 3.8. Evidence-driven Maritime Supply Chain Risk Assessment (MITIGATE) System ............. 24 3.9. Metadon SIEM .......................................................................................................... 29 3.10. Chimera ................................................................................................................ 31 3.11. SPA ...................................................................................................................... 33 3.12. Other Solutions ...................................................................................................... 35 4. Standards, guidelines and best practices ...................................................................... 62 4.1. Security Management Standards.................................................................................. 62 4.2. Mapping of CyberSANE Solutions to Domains ............................................................ 73 4.3. Open issues, and future challenges in Critical Information Infrastructure Protection ......... 74 5. Conclusion .................................................................................................................. 77 6. List of Abbreviations ................................................................................................... 79 7. References ................................................................................................................... 84 CyberSANE D2.1 Page II D2.1 – Cyber Incident Handling Trend Analysis List of Figures Figure 1: OSI model, Internet / IoT stack comparison ...................................................................................... 3 Figure 2: Generalised categorisation for Cyber-Attacks ................................................................................... 3 Figure 3: Network-Layer example of the Cyber-Attack Categorisation ........................................................... 3 Figure 4: Incident Handling Life Cycle [94] ..................................................................................................... 4 Figure 5: emas® SOM default operational process diagram ............................................................................ 15 Figure 6: SiVi Tool User Interface .................................................................................................................. 16 Figure 7: L-ADS concepts chart ...................................................................................................................... 18 Figure 8: XL-SIEM concept chart ................................................................................................................... 19 Figure 9: Evidence-driven Maritime Supply Chain Risk Assessment (MITIGATE) System ......................... 26 Figure 10: MITIGATE High Level Architecture ............................................................................................ 27 Figure 11: Chimera Diagram ........................................................................................................................... 31 Figure 12: Chimera Supported Connectors ..................................................................................................... 32 Figure 13: Example of Data Anonymisation with Hashing ............................................................................. 33 Figure 14: Elastic SIEM Stack ........................................................................................................................ 37 Figure 15: IBM Resilient ................................................................................................................................. 40 Figure 16: Splunk Phantom Example [138] .................................................................................................... 40 Figure 17: Splunk Phantom Playbook Example .............................................................................................. 41 Figure 18: Types of Cyber Attacks on CI. Image source [48] ......................................................................... 75 List of Tables Table 1: Strengths and Weaknesses of emas® SOM ....................................................................................... 16 Table 2: Strengths and Weaknesses of L-ADS................................................................................................ 18 Table 3: Strengths and Weaknesses of XL-SIEM ........................................................................................... 20 Table 4: Strengths and Weaknesses of CARMEN .......................................................................................... 21 Table 5: Strengths and Weaknesses of Metadon ............................................................................................. 31 Table 6: Strengths and Weaknesses of Chimera.............................................................................................. 33 Table 7: Strengths and Weaknesses of SPA .................................................................................................... 34 Table 8: SIEM Pros and Cons ......................................................................................................................... 57 Table 9: SOAR Pros and Cons ........................................................................................................................ 57 Table 10: Forensics Pros and Cons .................................................................................................................. 58 Table 11: NBADS Pros and Cons ..................................................................................................................