CyberSANE project funded by the European Commission under the H2020 program has completed the technical activities related to the integration of the CyberSANE system, an advanced, configurable and adaptable, security and privacy incident handling system that will allow European Critical Information Infrastructures (CII’s) from different sectors to improve, intensify and coordinate the overall security efforts for the effective and efficient identification of threats, and the investigation, mitigation and reporting of multi-dimensional attacks.
Since the start of the project in September 2019, the consortium involving 16 partners from different EU-Member States, has been working on requirements elicitation and the design of the architecture of the System addressing technical and cognitive challenges against cyberattacks on CIIs.
CyberSANE architecture implements all phases of the Cyber incident handling lifecycle, increasing the agility of security professionals and experts, encouraging continuous learning, through various layers which are mainly realized in the main CyberSANE web application.
From the technical perspective, the realization of the CyberSANE vision composes the following six main and core structural elements / components:
- LiveNet (Live Security Monitoring and Analysis): LiveNet is an advanced and scalable component, the realization of which is based on existing tools capable of preventing and detecting threats in real time and, in case of a declared attack, capable of mitigating the effects of an infection/intrusion. Its features include security incident monitoring and management, normalization and transformation, and encrypted network traffic analysis.
LiveNet operates as the interface between the underlying CII and the CyberSANE System, combining security information and event management functions, into one security management system.
- DarkNet (Deep and Dark Web Mining and Intelligence): DarkNet serves as the Threat Web Intelligence reporting mechanism of the whole system as the results of two core tools capable on one hand of mining and analyzing articles from news sites, social media, and World Wide Web, and on the other of collecting content from the dark web, illegal marketplaces commercialising personal data, sites offering breached data and pawned email accounts or containing DDoS, malware, trojan, and other threats for organisations.
DarkNet allows the exploitation and analysis of security risks and threats related information, embedded in the User Generated Content (UGC), via the analysis of both the textual and meta-data content.
- HybridNet (Data Fusion, Risk Evaluation, and Event Management): The HybridNet component provides the intelligence needed to perform effective and efficient analysis of a security event including assessment and prediction. Assessment concerns the identification of on-going attacks and related information, such as what is the stage of the attack and where is the attacker. Prediction concerns the identification of possible scenarios of future attacks through forecasting models.
HybridNet also incorporates Cyber Fusion Models, produced in CyberSANE based on existing mathematical models, which support and provide reasoning capabilities for the near real-time identification of anomalies, threats and attacks, assessing any possible malicious actions in the cyber assets such as abnormal behaviours or malicious connections to identify unusual activities that match the structural patterns of possible intrusions.
- ShareNet (Intelligence and Information Sharing and Dissemination): ShareNet provides an infrastructure for automated Cyber Threat Intelligence exchange to allow the CyberSANE framework components to securely share information with external platforms and entities.
Functionalities provided by ShareNet include the production and circulation of notifications containing critical information for enhancing the perception of the current situation and facilitating and improving the projection into the future. All potential evidence is captured, stored, and exchanged in a way that their integrity is maintained using the security and data protection methods of the PrivacyNet Orchestrator.
ShareNet adopts a more trusted and distributed intelligence and incident sharing scenario. Considering the kind of information that is exchanged, a dynamic and continuous trust assessment is performed, in order to allow all the involved entities to be able to determine the trustworthiness of each information sources, and also to identify them, as soon as the data is received.
- PrivacyNet (Privacy & Data Protection Orchestrator): PrivacyNet implements all the appropriate security and data protection methods required, depending on the user’s privacy requirements, which cover a wide range of techniques including anonymization, location privacy, obfuscation, pseudonymization, searchable encryption, multi-party computation and verifiable computation, in order to meet the highly demanding regulatory compliance obligations, for example in relation to accountability towards data protection supervisory authorities, for adequate management of informed consent, etc.
PrivacyNet includes novel techniques and processes for enhancing the secure distribution and storage of all forensic artifacts in order to protect them from unauthorized deletion, tampering revision and sharing.
To demonstrate the effectiveness and performance of CyberSANE system and components, three pilot events will be organised and executed in 2022:
- Container cargo transportation service managed by the Port of Valencia in Spain
- Solar energy production, storage and distribution service operated by Lightsource Labs in Ireland
- Real-time patient monitoring and treatment service provided by Klinikum Nuremberg in Germany.
For more information, please visit CyberSANE website.