Abstract
With the increased sophistication of cyber attacks, organizations are under constant threat of data breaches, disruption of business processes and reputation loss.
As preventive measures are not infallible, organizations have started to more closely monitor their devices and network infrastructure for malicious activity.
By swift detection of an attack at an early stage, organizations can take mitigating actions limiting the impact to their organization.
This detection is performed by a Security Operations Center (SOC) deploying automated detectors that monitor devices and network traffic for suspicious events.
This thesis aims to better understand security events and applies that knowledge to develop approaches that assist (semi-)automated analysis.
Concretely, we first investigate the process of sharing threat intelligence through reports describing high-level tactics and techniques used by attackers.
In doing so, we develop a natural language processing framework that automatically extracts actionable threat intelligence and classifies it into the ATT&CK knowledge base, a framework describing threat models and methodologies.
Second, we study the event investigation process known as triaging.
Here, we develop an approach that semi-automatically analyses security events in the context of other security events to determine the overall risk level.
Third, we investigate security events more deeply at the network level and devise an approach that clusters encrypted network traffic according to the application that produced it.
This gives security operators a deeper understanding of their network traffic and allows them to block malicious activity more effectively.
Finally, we perform a case study where we apply the methods developed in this work to the domain of identity and access management policies to identify misconfigurations.
This case study demonstrates the potential for our methods in future work.
Combining these findings, we conclude that these approaches bring us a step closer to understanding security events and providing adequate responses.
| Original language | English |
|---|---|
| Qualification | Doctor of Philosophy |
| Awarding Institution | |
| Supervisors/Advisors | |
| Award date | 24 Nov 2023 |
| Place of Publication | Enschede |
| Publisher | |
| Print ISBNs | 978-90-365-5888-4 |
| Electronic ISBNs | 978-90-365-5889-1 |
| DOIs | |
| Publication status | Published - 24 Nov 2023 |