Response Recommendations to Cyber Security Threats

Ehrle, Dominik and Agostini, Marco (2023) Response Recommendations to Cyber Security Threats. Other thesis, OST Ostschweizer Fachhochschule.

Full text not available from this repository.

Abstract

Cyber security threats continue to pose a major challenge to organizations. While there is an abundance of technologies and products that assist in the detection and investigation of threats, supporting security operations teams in responding to threats has received limited attention. Modern Endpoint Detection and Response (EDR) systems make it possible to react to cyber threats in real time, but they still lack the ability to predict the impact of a response on the system environment.

This student research project realizes a proof-of-concept application for calculating the impact of cyber incident responses. The focus is on supporting the cyber security analyst in deciding on the best-suited response by providing additional information about the environment. The application receives security alerts from an EDR system and calculates the impact of possible responses, which are then presented to the analyst. Consequently, the analyst can decide on the most suitable response while considering its impact on the environment. The application itself is a three-tier architecture consisting of a frontend, a backend, and a persistence tier. The frontend presents the relevant information to the analyst and allows the inspection of alerts and their responses. The backend provides the calculation and alert data handling functionality. To model and calculate the implications, the environment is abstracted into a graph data model implemented in a persistent graph database. This data model is pre-configured based on the real environment and serves as a starting point for further elaboration by the analyst.

The application covers several subject areas: data modelling, matching security responses to given incidents, and calculating the impact of an incident response with respect to an environment model. It can retrieve security alerts from an EDR system, which are then processed by the backend. This data, together with additional information about the environment, is then presented visually to the analyst.

The combination of security events, possible responses, and the impact calculation supports a cyber security analyst in making more efficient decisions to mitigate a threat. This builds the basis for further development, such as an extended data model or more extensive impact calculations.

Item Type: Thesis (Other)
Subjects: Area of Application > Security
Technologies > Programming Languages > Python
Technologies > Databases > mongoDB
Technologies > Security
Technologies > Virtualization > Docker
Technologies > Frameworks and Libraries > React
Divisions: Bachelor of Science FHO in Informatik > Student Research Project
Depositing User: OST Deposit User
Contributors:
Thesis advisor: Purandare, Mitra (email: UNSPECIFIED)
Thesis advisor: Weiler, Nathalie (email: UNSPECIFIED)
Date Deposited: 22 Feb 2023 08:27
Last Modified: 22 Feb 2023 08:27
URI: https://eprints.ost.ch/id/eprint/1076
