During the past few years, cybercrime had a strong presence world-wide judging by the impact of the recorded incidents. The financial damage caused by cybercrime globally is estimated to be about $450 billion and this number is predicted to reach $6 trillion by 2021. In response to these worrying figures, the security industry has developed a variety of products and solutions providing security event management and incident response.

An attempt towards detecting cyberattacks was the development of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), which monitor network traffic for suspicious patterns or behaviour. For instance, unusually high volumes of data from/to a given set of IP addresses would raise an alert. It is worth clarifying that an IDS is a passive system that would only raise alerts, whereas an IPS features firewall-like functionality and would generate and activate an appropriate rule to block the traffic from/to the offending IP addresses.

A different approach was followed by the Security Information and Event Management (SIEM) systems that work alongside with the key entities of a network (e.g. firewalls, antivirus, IDS/IPS), trying to collect and correlate information from them, as well as log and event data produced by applications and servers also belonging to the same network. Certain pieces of information originating from different sources may not reveal anything when examined individually. However, if correlated, they can provide an exceptionally informative picture about an organisation’s security level, by identifying security risks and events that individual products may fail to do so.

Nevertheless, when more sophisticated attacks appeared and given that it only takes one successful attempt before a great amount of damage has been dealt, the traditional approaches proved to be rather inadequate. For instance, an Advanced Persistent Threat (APT) is a stealthy and continuous computer hacking process that usually succeeds in “staying below the radar” of behaviour and pattern analysis security systems. Furthermore, the need for analysing huge amounts of both current and historical data gave birth to big data security analytics. This development was aided by the fact that it became affordable for most organisations to satisfy the underlying requirements for large storage and great computational power and they could now analyse large amounts of unstructured data in almost real time.

Once a threat has been detected, it can be analysed to unveil the way it operates (e.g. the way it enters a system, parts of the system it affects, files it creates or modifies). This cyberthreat information is very useful for other organisations and can be used either proactively for shielding against the given cyberthreat, or for detecting whether their information systems have fallen victims to the same cyberthreat. Cyberthreat knowledge sharing spares organisations precious time when dealing with the same re-occurring threats and vulnerabilities, and therefore increases their effectiveness and efficiency in confronting or shielding against cyberthreats.

Special protocols (e.g. STIX/TAXII) and tools have been developed to support such cyberthreat information exchanges among organisations and Computer Emergency Response Teams (CERTs). Such tools and technologies will be employed by CS-AWARE to provide high quality situational awareness to its end users.

Alexandros Papanikolaou
InnoSec, Greece