On 24 November 2023, Thijs van Ede successfully defended his PhD thesis with the title „Comprehending Security Events - Context-Based Identification and Explanation” erfolgreich verteidigt.
The supervisors of the thesis were Prof. Dr. Andreas Peter (Carl von Ossietzky Universität Oldenburg, Germany), Prof. Dr. Maarten van Steen (University of Twente, The Netherlands), und Dr. Andrea Continella (University of Twente, The Netherlands).
Moreover, the following committee members were involved in the assessment of the thesis:
- Prof. Dr. Giancarlo Guizzardi, University of Twente, The Netherlands(chair of committee)
- Prof. Dr. Marieke Huisman, University of Twente, The Netherlands
- Prof. Dr. Roland van Rijswijk-Deij, University of Twente, The Netherlands
- Prof. Dr. Herbert Bos, Vrije Universiteit Amsterdam, The Netherlands
- Prof. Dr. Stefano Zanero, Politecnico di Milano, Italy
- Dr. Marco Caselli, Siemens AG, Germany
Here’s a short summary of the PhD thesis:
With the increased sophistication of cyber attacks, organizations are under constant threat of data breaches, disruption of business processes and reputation loss. As preventive measures are not infallible, organizations have started to more closely monitor their devices and network infrastructure for malicious activity. By swift detection of an attack at an early stage, organizations can take mitigating actions limiting the impact to their organization. This detection can be done internally or is outsourced to a Security Operations Center (SOC). The SOC deploys automated detectors that monitor devices and network traffic for suspicious events, which are subsequently sent to the SOC. Here, security operators manually analyze these events, verify whether they constitute an attack and, if required, take action.
Analyzing security events is not straightforward and requires highly skilled operators. We identified three major challenges that operators face during analysis:
- Operators need to invest time to keep up with the latest developments in attack patterns to accurately identify threats and find appropriate mitigations.
- Operators analyze a vast number of events, which often leads to alert fatigue where operators investigate so many events it impairs their ability to correctly distinguish malicious behavior from falsely flagged events.
- Operators require sufficient contextual information to assess security events.
This work aims to better understand security events and applies that knowledge to develop approaches that assist (semi-)automated analysis. Concretely, we first investigate the process of sharing threat intelligence through reports describing high-level tactics and techniques used by attackers. In doing so, we develop a natural language processing framework that automatically extracts actionable threat intelligence and classifies it into the ATT&CK knowledge base, a framework describing threat models and methodologies. Second, we study the event investigation process known as triaging. Here, we develop an approach that semi-automatically analyses security events in the context of other security events to determine the overall risk level. Third, we deeper investigate security events on the network level and devise an approach that clusters encrypted network traffic according to the application that produced it. This allows security operators a deeper understanding of network traffic and allows them to more effectively block malicious activity. Finally, we perform a case study where we apply the methods developed in this work to the domain of identity and access management policies to identify misconfigurations. This case study demonstrates the potential for our methods in future work.
Combining these findings, we conclude that these approaches bring us a step closer to understanding security events and providing adequate responses.
Link to PhD thesis: