Carmen Sánchez, Ph.D. in Telematic System Engineering
On July 3rd our colleague Carmen Sánchez Zas obtained the title of Ph.D. in Telematic System Engineering. The dissertation presented was titled “Propuesta de un modelo de caracterización de ciberataques para entornos de conciencia cibersituacional” (Proposal of a cyber-attack characterisation model for cyber situational awareness environments) and was supervised by Dr. Víctor Villagrá and Dr. Xavier Larriva.
The work undertaken presents a model that leverages current cybersecurity standards to characterise cyber-attacks and uses this information to carry out risk management processes and decision support in recommending countermeasures within cyber situational awareness environments.
Based on an analysis of the state of the art and the literature, the thesis proposes the modules that make up the cyber situational awareness environment and enable this characterisation. The first is an intrusion detection system composed of unsupervised machine learning models, trained to learn the normal behaviour in the data generated by heterogeneous devices and to raise alerts when the system detects behaviour that is anomalous either in the characteristics of the information or in the time at which it is received. This module makes it possible to identify potential threats to the protected system carried out not only through the network but also via technologies such as Wi-Fi, Bluetooth, radio frequency and mobile networks, or through user behaviour.
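The detection module above learns normal behaviour per device and alerts on deviations in either the record's content or its arrival time. The following is an added illustration of that idea, not code from the thesis: a small baseline detector that learns, per device, the distribution of one numeric characteristic and of the inter-arrival gap from unlabelled training events, then flags live events whose z-score exceeds a threshold or that come from a device never seen in training. The device names, values, timestamps and the z-score rule itself are constructed assumptions for the example; the thesis does not specify which unsupervised models it uses.

```python
"""Added illustration (not from the thesis): a minimal unsupervised baseline
detector in the spirit of the IDS module described above. Device names, values
and timestamps are constructed sample data; the z-score rule is an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    device: str    # heterogeneous source, e.g. a Wi-Fi AP or a Bluetooth gateway
    ts: float      # reception timestamp in seconds (constructed)
    value: float   # one numeric characteristic of the record (bytes, RSSI, ...)


class BaselineDetector:
    """Learns per-device normal behaviour (value distribution and inter-arrival
    gap) from unlabelled training events, then flags deviations."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.value_stats = {}   # device -> (mean, stdev) of value
        self.gap_stats = {}     # device -> (mean, stdev) of seconds between events

    def fit(self, events):
        by_device = defaultdict(list)
        for e in sorted(events, key=lambda e: e.ts):
            by_device[e.device].append(e)
        for device, evs in by_device.items():
            values = [e.value for e in evs]
            gaps = [b.ts - a.ts for a, b in zip(evs, evs[1:])]
            self.value_stats[device] = (mean(values), pstdev(values))
            # a device seen only once has no gap baseline; fall back to (0, 0)
            self.gap_stats[device] = (mean(gaps), pstdev(gaps)) if gaps else (0.0, 0.0)
        return self

    @staticmethod
    def _z(x, stats):
        mu, sd = stats
        # a feature that was constant during training gets near-zero tolerance
        return abs(x - mu) / max(sd, 1e-9)

    def detect(self, events):
        """Return (device, ts, reason) for each anomalous event, in time order."""
        alerts = []
        last_seen = {}
        for e in sorted(events, key=lambda e: e.ts):
            if e.device not in self.value_stats:
                alerts.append((e.device, e.ts, "unknown-device"))
                continue
            if self._z(e.value, self.value_stats[e.device]) > self.z_threshold:
                alerts.append((e.device, e.ts, "value"))
            if e.device in last_seen:
                gap = e.ts - last_seen[e.device]
                if self._z(gap, self.gap_stats[e.device]) > self.z_threshold:
                    alerts.append((e.device, e.ts, "timing"))
            last_seen[e.device] = e.ts
        return alerts


def run_demo():
    # Constructed training data: a Wi-Fi AP reporting every 10 s and a BLE
    # gateway reporting every 30 s, both with small natural variation.
    train = [Event("wifi-ap", 10.0 * i, v)
             for i, v in enumerate([100, 102, 98, 101, 99, 103, 97, 100, 102, 98])]
    train += [Event("ble-gw", 30.0 * i, v)
              for i, v in enumerate([-60, -62, -58, -61, -59])]
    detector = BaselineDetector().fit(train)

    # Constructed live stream: one value outlier, one timing outlier (a report
    # only 1 s after the previous one), and a device never seen in training.
    live = [
        Event("wifi-ap", 100.0, 101), Event("wifi-ap", 110.0, 140),
        Event("wifi-ap", 111.0, 100), Event("ble-gw", 150.0, -60),
        Event("ble-gw", 180.0, -61), Event("rf-sensor", 200.0, 5),
    ]
    return detector.detect(live)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The two alert reasons mirror the two triggers described in the text: "value" for an anomalous characteristic of the record and "timing" for an anomalous reception time. Running `run_demo()` yields three alerts: the Wi-Fi value spike, the burst report that arrives 1 s after the previous one, and the unknown device. A production detector would replace the per-feature z-score with the thesis's trained models, but the fit/detect split and the per-device baseline are the same shape.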
Although other sources are considered, the most common cyber-attacks are carried out over networks, whether internal or external. The cyber situational awareness environment therefore needs a module focused on characterising this type of attack. Using decision tree models, this module identifies a set of MITRE ATT&CK techniques in traffic logs. This makes it possible not only to distinguish the type of cyber-attack under way from its tactic, but also to deduce information vital to the characterisation, such as the adversary's possible attack patterns, the step they are at, and the countermeasures recommended to mitigate the effect of the cyber-attack on a given system.
To complete the proposed environment, the information from the incident detection module and the characterisation of techniques in traffic records is collected in an ontology for dynamic risk management. The ontology is also interoperable: it maps the results of other methodologies onto a common standard, ITSRM, so that results can be compared or information exchanged about responses in previous situations. From this knowledge model, a set of recommendations against cyber-attacks is extracted through decision support.
In summary, the Doctoral Thesis presented introduces the characterisation of cyber-attacks as a contribution to the security of an organisation's systems and assets. The different proposals address this objective from different angles, so that together they provide a global view and more complete protection.