Cyber Security Incident Handling, Warning and Response System for the European Critical Infrastructures

Europe’s critical information infrastructure (CII) are those interconnected information and communication infrastructures essential for the maintenance of vital societal functions (health, safety, security, economic or social well-being of people). Any disruption or destruction would have serious consequences. In today’s digital era, the increased usage of information technology in modern CIIs makes them vulnerable to cyber-related crime. The EU-funded CyberSANE project aimed to create a platform to enhance their security and resilience by providing a dynamic collaborative warning and response system.

The CyberSANE project designed and implemented an advanced one-stop-shop Security and Privacy Incident Handling System, that is configurable and adaptable, composed of five independent but collaborative components:
• Livenet (Live Security Monitoring and Analysis), which is used to monitor, analyze, and visualize organizations’ internal live network traffic in real time;
• Darknet (Deep and Dark Web Mining and Intelligence) monitors the Dark and Deep Web in order to grasp and analyze the big picture of global malware/ cybersecurity activities;
• Hybridnet (Data Fusion, Risk Evaluation and Event Management) receives information on potential cyber threats from both LiveNet and Darknet in order to analyze and evaluate the security situation inside an organization;
• ShareNet (Intelligence and Information Sharing and Dissemination) disseminates and shares information of useful incident-related information with relevant parties;
• PrivacyNet (Privacy & Data Protection Orchestrator) provides a set of privacy (anonymization, pseudonymization, obfuscation), data protection, orchestration and consistency capabilities;
• CyberSANE central engine coordinates the core platform with every specific tool available.
These 5 components work together to improve, intensify and coordinate the overall security efforts for the effective and efficient identification, investigation, mitigation and reporting of realistic multi-dimensional attacks within the interconnected web of cyber assets in the CIIs and security events.

Through extensive validation, CyberSANE acts as a catalyst for improving the innovation in cybersecurity capacity by increasing the privacy and the security of critical infrastructures, in which this platform aims to support and guide security officers to recognize, identify, dynamically analyze, forecast, treat and respond to advanced persistent threats and handle their daily cyber incidents utilizing and combining both structured data and unstructured data coming from social networks and the dark web.

The CyberSANE project aimed to improve the overall security of Critical Information Infrastructures (CIIs).
A centralized Platform was created, where cybersecurity incidents can be managed. There are recipes to deal with security incidents aligned with ATTCK Mitre taxonomy, and possibility of integration and coordination with multiple cybersecurity tools and devices (such as firewalls, EDS, IDPS, WAFs, and others). Multi-modal inputs can summarize in a straightforward way the current and past security posture, providing a set of high-level dashboards and specific lower level Dashboards for the incident handling phases, identification, detection, protection, response and recovery.
Within the platform a user can perform rapid information exchange; harmonization of information security management systems with similar partners; sharing of incidents which may help avoid new attacks. CyberSANE includes advanced threat identification and classification, deep packet inspection and traffic signature analysis, AI Models trainable to help reduce false positives, custom rules and sharing & anonymization policies built-in.

The key points of the CyberSANE project include:
• Optimizing collaboration and effective interaction among Critical Information Infrastructure (CII) operators
• Development of advanced persistent threat taxonomy and models
• Uniting web crawling and data aggregation technologies for necessary semantic structure and tool creation for data analysis and interlinking
• Development of correlation techniques for automatic analysis of large amounts of data in a privacy-aware manner for identifying malicious actions
• Specifying appropriate forecasting procedures and models to assist CII operators and security experts
• Establishment of a simulation environment for the detection, analysis, visualization, containing and eradication of security events and propagation effects
• Enabling identification and standardization of required information for sharing with relevant parties
• Promotion and facilitation of trusted, secure and privacy-aware data communication, maintenance and storage of forensic artifacts and evidential data
• Integration of CyberSANE components into the system
• Deployment and validation of the CyberSANE system in real-world environments

By the end of the project the CyberSANE system has exceeded expectations in terms of automation, streamlining incident handling processes and reducing the need for manual intervention.
The system has achieved a high level of integration between its different components and tools, allowing for seamless and efficient incident management.
Also, the system's automation and integration features have made it a valuable asset for security teams, allowing them to quickly and efficiently handle a wide range of incidents.

CyberSANE brings significant potential impacts, in terms of automation and integration improvements, that could be significant for incident handling and response within Critical Information Infrastructures.
Some possible impacts include:
• Increased efficiency: Automation and integration can reduce the need for manual intervention, which can save time and resources.
• Improved incident response time: Automation and integration can help speed up the incident response process, allowing teams to address incidents more quickly and effectively.
• Reduced risk: Automated incident handling and integrated tools can help reduce the risk of human error, which can improve overall security.
• Improved collaboration: Integration of different tools and platforms can facilitate collaboration between different teams and departments, which can help to improve incident response.
• Better decision making: Automation and integration can provide security teams with real-time information and analytics, which can help them to make better informed decisions.

While implementing this project the Critical Infrastructures organizations, in the areas of utilities, transportation, health, were the primary targets.
But the platform is generic enough to useful for other areas, such as financial, telcos and public sector.
In terms of go-to-market CyberSANE has two installation options, SaaS and on-premises, and offers a subscription (yearly/monthly) model or a perpetual license acquisition.