Authoring Incident Response Actions Taking Into Consideration User Experience
Incident Response (IR) is a core function of Cyber Security Operations for any organization. Incident responders typically perform a deep analysis of the affected networks and IT components in order to arrive at a response strategy for an identified incident. The response consists of several distinct actions that allow the organization to mitigate and recover from the incident.
These mitigation actions are of great value, since they embody the expertise, time, effort and monetary resources spent on producing them.
In addition, Cyber Threat Intelligence (CTI) provides situational awareness of current threats and an effective means of sharing knowledge. Structured, machine-readable ways of recording incident response actions now exist, and their advantages are many: such knowledge can be handed to less experienced analysts or responders as a guide to incident response, and it can be exchanged, as part of CTI, between parties that share IR actions.
There is therefore a need for a solution that allows incident responders, CTI analysts and security analysts to author such knowledge easily and effectively.
This master's thesis will focus on developing an application front end and the supporting architecture for authoring incident response actions (courses of action) in a way that lets the user do so easily, without the cognitive burden of knowing the underlying abstract languages required to express this knowledge in the appropriate format (e.g., OpenC2, CACAO, STIX). The application must include consistency checking that ensures full compliance with these standards and reports the unmet requirements to the user.
This system will allow the global security community to author, publish, and share Response Actions in a flexible way.
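As an added illustration of the authoring and consistency-checking workflow described above (example code written for this page, not part of the thesis and not a reference implementation of any of the cited standards), the following Python script maps a simple form-style submission to a STIX 2.1 course-of-action object and to OpenC2 commands, and returns the annotations a user would be shown. The form layout (name, description, steps with action/target_type/target), the helper names, and the subset of the OpenC2 v1.0 action and target vocabulary it exposes are assumptions of this example; CACAO playbook generation is outside its scope.

```python
"""Form-style course of action -> STIX 2.1 course-of-action + OpenC2 commands, with checks.

Illustrative example; the form layout and the vocabulary subset below are assumptions.
"""
import ipaddress
import re
import uuid
from datetime import datetime, timezone

# Subset of the OpenC2 v1.0 vocabulary exposed to the user (assumption: a real UI
# would load the full action/target vocabulary from the language specification).
OPENC2_ACTIONS = {"deny", "allow", "query", "scan", "contain", "delete", "restart", "stop"}
OPENC2_TARGETS = {"ipv4_net", "ipv6_net", "domain_name", "device", "file",
                  "email_addr", "mac_addr", "uri", "process"}

# STIX 2.1 properties every course-of-action object must carry.
STIX_COA_REQUIRED = ("type", "spec_version", "id", "created", "modified", "name")
STIX_ID_RE = re.compile(r"^course-of-action--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}"
                        r"-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
STIX_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def stix_timestamp(when=None):
    """Format a UTC datetime as STIX expects: RFC 3339, millisecond precision, 'Z' suffix."""
    when = when or datetime.now(timezone.utc)
    return when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"


def step_to_openc2(step):
    """Build one OpenC2 command from a form step; the UI, not the user, supplies the shape."""
    return {"action": step.get("action"),
            "target": {step.get("target_type"): step.get("target")}}


def check_openc2(cmd):
    """Return user-facing annotations for each violation of the OpenC2 command shape."""
    notes = []
    if cmd.get("action") not in OPENC2_ACTIONS:
        notes.append(f"action {cmd.get('action')!r} is not an OpenC2 action")
    target = cmd.get("target")
    if not isinstance(target, dict) or len(target) != 1:
        notes.append("target must contain exactly one target type")
        return notes
    (ttype, value), = target.items()
    if ttype not in OPENC2_TARGETS:
        notes.append(f"target type {ttype!r} is not an OpenC2 target")
    elif ttype in ("ipv4_net", "ipv6_net"):
        try:  # value must parse as a network of the version the target type names
            if ipaddress.ip_network(value, strict=False).version != int(ttype[3]):
                notes.append(f"{ttype} value {value!r} has the wrong IP version")
        except ValueError:
            notes.append(f"{ttype} value {value!r} is not a valid network")
    elif not isinstance(value, str) or not value:
        notes.append(f"{ttype} needs a non-empty value")
    return notes


def form_to_stix_coa(form, created=None):
    """Emit a STIX 2.1 course-of-action SDO; the commands are kept separate because the
    STIX 2.1 course-of-action object defines no property for machine-readable commands."""
    ts = stix_timestamp(created)
    coa = {"type": "course-of-action", "spec_version": "2.1",
           "id": f"course-of-action--{uuid.uuid4()}",
           "created": ts, "modified": ts, "name": form.get("name")}
    if form.get("description"):
        coa["description"] = form["description"]
    return coa


def check_stix_coa(coa):
    """Annotate missing required properties and malformed id/timestamp values."""
    notes = [f"STIX property {p!r} is required" for p in STIX_COA_REQUIRED if not coa.get(p)]
    if coa.get("type") != "course-of-action":
        notes.append("type must be 'course-of-action'")
    if coa.get("spec_version") != "2.1":
        notes.append("spec_version must be '2.1'")
    if coa.get("id") and not STIX_ID_RE.match(coa["id"]):
        notes.append("id must be 'course-of-action--' followed by a UUID")
    for p in ("created", "modified"):
        if coa.get(p) and not STIX_TS_RE.match(coa[p]):
            notes.append(f"{p} must be an RFC 3339 UTC timestamp ending in 'Z'")
    return notes


def author(form, created=None):
    """Turn one form submission into standard objects plus the annotations the UI shows."""
    coa = form_to_stix_coa(form, created)
    commands = [step_to_openc2(s) for s in form.get("steps", [])]
    notes = check_stix_coa(coa)
    if not commands:
        notes.append("a course of action needs at least one step")
    for i, cmd in enumerate(commands, 1):
        notes.extend(f"step {i}: {n}" for n in check_openc2(cmd))
    return {"course_of_action": coa, "commands": commands, "annotations": notes}


# Constructed sample submission (documentation address range, not a real incident).
SAMPLE_FORM = {
    "name": "Block scanner subnet at the perimeter",
    "description": "Deny the /24 that was port-scanning the DMZ.",
    "steps": [{"action": "deny", "target_type": "ipv4_net", "target": "198.51.100.0/24"}],
}

if __name__ == "__main__":
    import json
    print(json.dumps(author(SAMPLE_FORM), indent=2))
```

The annotations are phrased in terms the user filled in (step number, field, value) rather than in the schema's terms, which is the point of hiding the underlying languages; a production version would replace the hand-written checks with validation against the published STIX and OpenC2 JSON schemas so that the standards, not the UI code, define compliance.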