SOCCRATES

SOC & CSIRT Response to Attacks & Threats based on attack defense graphs Evaluation Systems

Reinder Wolthuis

01 September 2019

31 August 2022

EC funded project

Over the past years, the cyber threat landscape has greatly evolved. Organizations are faced with a
challenging task of preventing attacks and have fast and effective detection and response mechanisms
if attacks cannot be prevented. In addition, it is commonly reported that the time to compromise is
typically very short (i.e. seconds to minutes), while the discovery time is more likely to be weeks or
months. In addition, the time from detection to containment of the attack may again take weeks.
To deal with these challenges, many organisations have setup so-called Security Operation Centres
(SOCs) and Computer Security Incident Response Teams (CSIRTs), or outsourced these tasks to a
Managed Security Service Provider (MSSP).
Nevertheless, the resilience of organisations is lagging behind the increasing threat. We mention here
the most important challenges and desired capabilities:

  • Improving and extending readiness to change.
  • Understanding the context.
  • Assessing the effective impact of an incident.
  • Mitigating attacks through recommended Course of Actions (CoAs).
  • Attributing malicious activity to known adversaries.
  • Automating CTI processes.
  • Shortage in qualified security staff

In addition, given the complexity and continuously evolving threat landscape and the speed at which
cyber-attacks occur and can propagate through an infrastructure, automation to aid human analysis
and decision making, and the execution of defensive actions at machine-speed are more and more
seen as prerequisites for an effective and efficient approach to cyber resilience. The above overview
of challenges leads to the following main challenge of SOCCRATES:
- How can SOC and CSIRT operations effectively improve their capability in detecting and managing
response to complex cyber-attacks and emerging threats, in complex and continuously evolving ICT
infrastructures while there is a shortage of qualified cybersecurity tal-ent?
The main objective of SOCCRATES is to develop and implement a security automation and decision
support platform (‘the SOCCRATES platform’) that will significantly improve an organisation’s
capability (usually implemented by a SOC and/or CSIRT) to quickly and effectively detect and
respond to new cyber threats and ongoing attacks.
The SOCCRATES platform consists of an orchestrating function and a set of innovative components
for automated infrastructure modelling, attack detection, cyber threat intelligence utilization, threat
trend prediction, and automated analysis using attack defence graphs and business impact modelling
to aid human analysis and decision making on response actions, and enable the execution of defensive
actions at machine-speed.

Category:

Vertical Category:

Past Events