In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
Computer security incident response teams (CSIRTs) respond to a computer security incident when the need arises. Failure of these teams can have far-reaching effects for the economy and national security. CSIRTs often have to work on an ad hoc basis, in close cooperation with other teams, and in time constrained environments. It could be argued that under these working conditions CSIRTs would be likely to encounter problems. A needs assessment was done to see to which extent this argument holds true. We constructed an incident response needs model to assist in identifying areas that require improvement. We envisioned a model consisting of four assessment categories: Organization, Team, Individual and Instrumental. Central to this is the idea that both problems and needs can have an organizational, team, individual, or technical origin or a combination of these levels. To gather data we conducted a literature review. This resulted in a comprehensive list of challenges and needs that could hinder or improve, respectively, the performance of CSIRTs. Then, semi-structured in depth interviews were held with team coordinators and team members of five public and private sector Dutch CSIRTs to ground these findings in practice and to identify gaps between current and desired incident handling practices. This paper presents the findings of our needs assessment and ends with a discussion of potential solutions to problems with performance in incident response. https://doi.org/10.3389/fpsyg.2017.02179 LinkedIn: https://www.linkedin.com/in/rickvanderkleij1/
MULTIFILE
Cybersecurity threat and incident managers in large organizations, especially in the financial sector, are confronted more and more with an increase in volume and complexity of threats and incidents. At the same time, these managers have to deal with many internal processes and criteria, in addition to requirements from external parties, such as regulators that pose an additional challenge to handling threats and incidents. Little research has been carried out to understand to what extent decision support can aid these professionals in managing threats and incidents. The purpose of this research was to develop decision support for cybersecurity threat and incident managers in the financial sector. To this end, we carried out a cognitive task analysis and the first two phases of a cognitive work analysis, based on two rounds of in-depth interviews with ten professionals from three financial institutions. Our results show that decision support should address the problem of balancing the bigger picture with details. That is, being able to simultaneously keep the broader operational context in mind as well as adequately investigating, containing and remediating a cyberattack. In close consultation with the three financial institutions involved, we developed a critical-thinking memory aid that follows typical incident response process steps, but adds big picture elements and critical thinking steps. This should make cybersecurity threat and incident managers more aware of the broader operational implications of threats and incidents while keeping a critical mindset. Although a summative evaluation was beyond the scope of the present research, we conducted iterative formative evaluations of the memory aid that show its potential.
Public safety is under enormous pressure. Demonstrations regularly result in riots and VIPs are often threatened even at their homes ! Criminal graffiti-gangs are threatening security professionals and costing the Dutch railways (NS), causing a loss of 10 M€ yearly. The safety incidents often escalate quickly, therefore, they require a very quick and correct scaling up of the security professionals. To do so, it is necessary for the security professionals to get very quick and accurate overview of the evolving situation using Mobile Drone intervention unit for quick response (Mobi Dick). The successfully completed project The Beast (9/11) has delivered a universal docking station with an automatic security drone. The drone takes off from a permanently installed docking station. Nest Fly emerged as a startup from this RAAK project, and it has already developed the prototype further to a first product. Based on extensive interaction with security professionals, it has been concluded that a permanently installed docking station is not suitable for all emergency cases. Therefore, a mobile, car-roof top mounted, docking station with a ready-for-take-off drone is required for the more severe and quickly escalating incidents. These situations require a drone taking off from the car-roof top mounted docking station while the vehicles continue to drive towards the incident. In this RAAK KIEM, a feasibility study will be executed by developing a car-roof top docking station. The concept will functionally be designed within the project (task 1). The two required subsystems car roof docking station (task 2) and dynamic take-off & landing (task 3) will technically be developed and integrated (task 4). The outcome of the experiments in this task will show the feasibly of the idea. Task 5 will ensure the results are disseminated in new cooperation’s, publications, and educational products.
Prompt and timely response to incoming cyber-attacks and incidents is a core requirement for business continuity and safe operations for organizations operating at all levels (commercial, governmental, military). The effectiveness of these measures is significantly limited (and oftentimes defeated altogether) by the inefficiency of the attack identification and response process which is, effectively, a show-stopper for all attack prevention and reaction activities. The cognitive-intensive, human-driven alarm analysis procedures currently employed by Security Operation Centres are made ineffective (as opposed to only inefficient) by the sheer amount of alarm data produced, and the lack of mechanisms to automatically and soundly evaluate the arriving evidence to build operable risk-based metrics for incident response. This project will build foundational technologies to achieve Security Response Centres (SRC) based on three key components: (1) risk-based systems for alarm prioritization, (2) real-time, human-centric procedures for alarm operationalization, and (3) technology integration in response operations. In doing so, SeReNity will develop new techniques, methods, and systems at the intersection of the Design and Defence domains to deliver operable and accurate procedures for efficient incident response. To achieve this, this project will develop semantically and contextually rich alarm data to inform risk-based metrics on the mounting evidence of incoming cyber-attacks (as opposed to firing an alarm for each match of an IDS signature). SeReNity will achieve this by means of advanced techniques from machine learning and information mining and extraction, to identify attack patterns in the network traffic, and automatically identify threat types. Importantly, SeReNity will develop new mechanisms and interfaces to present the gathered evidence to SRC operators dynamically, and based on the specific threat (type) identified by the underlying technology. To achieve this, this project unifies Dutch excellence in intrusion detection, threat intelligence, and human-computer interaction with an industry-leading partner operating in the market of tailored solutions for Security Monitoring.
Despite the vast potential drone technologies have, their integration to our society has been slow due to restricting regulations. Recently, a new EU-wide drone regulation has been published. This regulation is intended to harmonize the non-uniform national regulations across EU. It also relaxes the existing restrictions and allows previously prohibited operations that have significant socio-economic and technological impacts, such as autonomous BVLOS flights even over populated areas. However, there are challenges with regard to specifics and accessibilities of the required technological & procedural prerequisite this regulation entails. There is, therefore, a demand from SMEs for practical knowledge on technological and procedural aspects of a safe, robust and BVLOS operable security drone with short and long-term autonomy that fully complies to the new drone regulation. The required drone technologies include robust obstacle avoidance, intelligence failsafe for robust, reliable and safe autonomous flights with long-term autonomy capabilities. The operational procedures include SORA, pre/in/post-flight analysis and ROC/LUC permissions. In this project, these two aspects will be addressed in an integral manner. The consortium recognizes that developing such advanced security drone in two years is ambitious. Yet, they firmly believe that it is realizable due to the complementary expertise of the consortium and their commitment for the success of the project. With this project, the knowledge institutes will enrich their practical knowledge in the area of autonomous and BVLOS capable drones, operational procedures, risk analysis and mitigations. The partner companies will be equipped with the necessary technologies, operation permission and knowledge on optimal operation procedures to be at the forefront and benefit from the exploding market opportunities when the new regulation is fully implemented in July 2022. Moreover, this project will also make a demonstrable contribution to the renewal of higher professional education.
