CRUSOE: A Toolset for Cyber Situational Awareness and Decision Support in Incident Handling

Investor logo

Warning

This publication doesn't include Faculty of Economics and Administration. It includes Institute of Computer Science. Official publication website can be found on muni.cz.
Authors

HUSÁK Martin SADLEK Lukáš ŠPAČEK Stanislav LAŠTOVIČKA Martin JAVORNÍK Michal KOMÁRKOVÁ Jana

Year of publication 2022
Type Article in Periodical
Magazine / Source Computers & Security
MU Faculty or unit

Institute of Computer Science

Citation
Web https://www.sciencedirect.com/science/article/pii/S0167404822000086
Doi http://dx.doi.org/10.1016/j.cose.2022.102609
Keywords Cyber situational awareness;OODA Loop;Decision support;Network monitoring;Incident response
Attached files
Description The growing size and complexity of today’s computer network make it hard to achieve and maintain so-called cyber situational awareness, i.e., the ability to perceive and comprehend the cyber environment and be able to project the situation in the near future. Namely, the personnel of cybersecurity incident response teams or security operation centers should be aware of the security situation in the network to effectively prevent or mitigate cyber attacks and avoid mistakes in the process. In this paper, we present a toolset for achieving cyber situational awareness in a large and heterogeneous environment. Our goal is to support cybersecurity teams in iterating through the OODA loop (Observe, Orient, Decide, Act). We designed tools to help the operator make informed decisions in incident handling and response for each phase of the cycle. The Observe phase builds on common tools for active and passive network monitoring and vulnerability assessment. In the Orient phase, the data on the network are structured and presented in a comprehensible and visually appealing manner. The Decide phase opens opportunities for decision-support systems, in our case, a recommender system that suggests the most resilient configuration of the critical infrastructure. Finally, the Act phase is supported by a service that orchestrates network security tools and allows for prompt mitigation actions. Finally, we present lessons learned from the deployment of the toolset in the campus network and the results of a user evaluation study.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.