DISTRIBUTED THREAT HUNTING TOOL BASED ON CARMEN
The objective of this project is to build a distributed threat hunting tool based on CARMEN, which allows the exchange of cyber-intelligence and the automated integration of external intelligence sources.
Cybersecurity and cyber-defense have come to be seen as key issues, not only by different economic sectors, but also by governments, which are responsible for the well-being of citizens, their economy, environment and ecosystem. In this regard, it is worth noting, at the international level, the strong involvement in cybersecurity issues in control environments by entities such as ENISA (European Union Agency for Network and Information Security – https://www.enisa.europa.eu), as well as other relevant institutions.
While in the past the impact of cybersecurity incidents was limited to economic damage and loss of information, today the protection of industrial control systems and critical infrastructures has become an added concern.
So, nowadays, any company, public body or infrastructure operator has to implement monitoring and cyber-defense measures. These measures traditionally include perimeter barriers such as firewalls and monitoring systems such as intrusion detection systems (IDS) and malware detectors.
However, cyber-attacks are becoming increasingly sophisticated and attackers have significant resources. Advanced Persistent Threats (APTs) are complex, organized, long-lasting and substantially resourced attacks. These types of attacks are difficult to detect with traditional monitoring systems.
Most traditional techniques are based on rules or on the detection of static signatures (patterns) of attacks previously observed in an organization's network traffic. Modern APT-style attacks, however, are usually one-off and tailored to the target, so existing signatures rarely detect them automatically.
The result of this project will be a distributed threat hunting tool, i.e., one with communication and synchronization between different instances of the tool, thus creating an intelligence network shared between different facilities of a specific organization, between organizations managed by the same managed security provider, or between other organizations wishing to collaborate.
Integration with intelligence sharing tools, such as the MISP platform, will even allow participation in global intelligence networks.
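To make the two preceding points concrete (why a purely local, signature-based view misses tailored activity, and what synchronization between hunting instances buys), the following is an added illustrative example; it is not code from CARMEN or from this project. It models two hunting instances with their own indicator stores and local event logs, a bidirectional sync with a confidence threshold, and a retrospective hunt over past events once shared indicators arrive. The instance names, the event lines, the indicator values and the flat feed format are all constructed for the example; the real MISP attribute schema and API are richer and are not reproduced here.

```python
"""Toy model of indicator exchange between two threat-hunting instances (added example)."""
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (indicator type, indicator value)


@dataclass(frozen=True)
class Indicator:
    kind: str        # "domain", "ipv4", "sha256", ...
    value: str
    source: str      # instance or feed that reported it
    confidence: int  # 0..100, as assigned by the reporting party


@dataclass
class HuntInstance:
    """One deployment of the hunting tool with its own indicator store and local events."""
    name: str
    indicators: Dict[Key, Indicator] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def add_indicator(self, ind: Indicator) -> bool:
        """Store an indicator, keeping the higher-confidence copy on conflict; True if stored."""
        key = (ind.kind, ind.value)
        current = self.indicators.get(key)
        if current is not None and current.confidence >= ind.confidence:
            return False
        self.indicators[key] = ind
        return True

    def export_feed(self) -> List[dict]:
        """Serialise the local store as a flat list of dicts (the constructed exchange format)."""
        return [asdict(ind) for ind in self.indicators.values()]

    def ingest_feed(self, feed: List[dict], min_confidence: int = 50) -> int:
        """Merge a feed from a peer or external source; returns how many entries were added or updated."""
        added = 0
        for entry in feed:
            ind = Indicator(**entry)
            if ind.confidence < min_confidence:
                continue  # low-confidence notes stay local to whoever recorded them
            if self.add_indicator(ind):
                added += 1
        return added

    def hunt(self) -> List[Tuple[str, Indicator]]:
        """Match every local event against every known indicator by exact token comparison."""
        by_value = {ind.value: ind for ind in self.indicators.values()}
        hits = []
        for event in self.events:
            for token in event.replace("=", " ").split():
                if token in by_value:
                    hits.append((event, by_value[token]))
        return hits


def sync(a: HuntInstance, b: HuntInstance, min_confidence: int = 50) -> Tuple[int, int]:
    """Bidirectional exchange: each side ingests the other's exported feed."""
    feed_a, feed_b = a.export_feed(), b.export_feed()
    return a.ingest_feed(feed_b, min_confidence), b.ingest_feed(feed_a, min_confidence)


def demo() -> dict:
    site_a = HuntInstance("site-a")
    site_b = HuntInstance("site-b")
    # Site A investigated an incident and recorded what it found (constructed values).
    site_a.add_indicator(Indicator("domain", "update-cdn.example-bad.test", "site-a", 90))
    site_a.add_indicator(Indicator("ipv4", "203.0.113.45", "site-a", 85))
    # Site B holds only a low-confidence local note plus its own past events (constructed).
    site_b.add_indicator(Indicator("domain", "tracker.low-conf.test", "site-b", 20))
    site_b.events = [
        "2024-03-02T08:14:03Z host=ws-17 proto=dns query=update-cdn.example-bad.test",
        "2024-03-02T08:14:05Z host=ws-17 proto=tcp dst=203.0.113.45 dport=443",
        "2024-03-02T09:00:00Z host=ws-02 proto=dns query=intranet.corp.test",
    ]
    hits_before = site_b.hunt()  # nothing local matches: tailored activity, no local signature
    # A constructed community feed entry; placeholder hash, not a real sample.
    external = [{"kind": "sha256", "value": "0" * 64, "source": "community-feed", "confidence": 70}]
    site_b.ingest_feed(external)
    sent_to_a, received_from_a = sync(site_a, site_b)
    hits_after = site_b.hunt()  # retrospective hunt now finds the activity site A reported
    return {
        "hits_before": len(hits_before),
        "hits_after": len(hits_after),
        "sent_to_a": sent_to_a,
        "received_from_a": received_from_a,
        "matched_sources": sorted({ind.source for _, ind in hits_after}),
    }


if __name__ == "__main__":
    print(demo())
```

Before the sync, site B's own store yields no hits on its historical events; after it, the two indicators site A learned from its incident match events site B had already logged, while site B's 20-confidence note never leaves site B because it falls under the exchange threshold. A production design would add authentication and integrity protection on the exchanged feed and a proper schema such as MISP's, neither of which this toy shows.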
To show the feasibility of the concept, a proof-of-concept prototype will be built based on the existing CARMEN threat-hunting tool.
SME R&D Program
File Number: IMIDTA-2017-6