A Collaborative Analysis System for Cross-organization Cyber Incident Handling

Information and Communication Technology (ICT) systems are predominant in today’s energy, finance, transportation and telecommunications infrastructures. Protecting such Critical Infrastructures (CIs) against modern cyber threats and respond to sophisticated attacks is becoming as complex as essential. A synergistic and coordinated effort between multiple organizations is required in order to tackle this kind of threats. Incidents occurring in interconnected CIs can be effectively handled only if a cooperation plan between different stakeholders is in place. Organizations need to cooperatively exchange security-relevant information in order to obtain a broader knowledge on the current cyber situation of their infrastructures and timely react if necessary. National cyber Security Operation Centers (SOCs), as proposed by the European NIS directive, are being established worldwide to achieve this goal. CI providers are asked to report to the national SOCs about security issues revealed in their networks. National SOCs correlate all the gathered data, analyze it and eventually provide support and mitigation strategies to the affiliated organizations. Although most of these tasks can be automated, human involvement is still necessary to enable SOCs to adequately take decisions on occurring incidents and quickly implement counteractions. In this paper we therefore introduce and evaluate a semi-automated analysis engine for cyber incident handling. The proposed approach, named CAESAIR (Collaborative Analysis Engine for Situational Awareness and Incident Response), aims at supporting SOC operators in collecting significant security-relevant data from various sources, investigating on reported incidents, correlating them and providing a possible interpretation of the security issues affecting concerned