
Building Command & Control in Cyber defence

Øystein Hermansen & Har Gootzen
10 Dec 2020

For some years now, artificial intelligence (AI) has been entering the world of cybercrime, and malware and botnets are becoming correspondingly harder to combat. On top of this, the ever-growing use of Internet-of-Things (IoT) devices in modern society widens the attack surface available to cyber criminals. As a result of these developments, traditional security monitoring and response capabilities are no longer enough. An AI-driven Command and Control (C2) capability is needed to analyse the ever-increasing volumes of log data, to detect and anticipate threats, and to orchestrate incident responses efficiently and in an automated fashion.

For NATO and its allies, the integration of cyberspace as an operational military domain is currently taking place. This means not only that the technical capability (the NATO Computer Incident Response Capability, NCIRC) is on continual alert, but also that cyber C2 is defined and implemented as a crucial cyberspace function, as underlined by the newly formed NATO Cyberspace Operations Center (CyOC).

The changing Threat Landscape

It is only a matter of time before IoT and cyber-physical systems (CPS) are widely applied to create digital twins. Cyber-physical systems integrate sensing, computation, control and networking into physical objects and infrastructure, connecting them to the Internet and to each other. CPS devices can, for example, be deployed in urban environments for smart lighting, security systems, crowd control, the operation of bridges and locks, waste management and smart parking. CPS ultimately makes it possible to realize a full digital twin of a city or a factory for monitoring and analysis, so that an urban renewal project can be tested in advance, avoiding unnecessary waste of time and budget. With the arrival of large numbers of connected IoT devices and CPSs, the so-called "attack surface" of the IT infrastructure grows with every device added: each one is a network endpoint that must be patched, authenticated and monitored. The collection and processing of all this data therefore needs to be done in a secure manner, and that is unfortunately what is often lacking in IoT networks.

Another trend is the use of AI by cyber criminals. The rise of so-called botnet swarms is one example, and the "Hide and Seek" botnet illustrates it. Hide and Seek (HnS) is a self-propagating, self-organising cluster of compromised devices and the first IoT botnet known to communicate via a custom peer-to-peer protocol. Where a traditional botnet receives its commands from a central command server operated by the bot herder, a swarm distributes commands among its peers and can act without that single point of control, which also means there is no single server for defenders to block. After its discovery in early 2018, the botnet grew from 2,700 to 24,000 infected devices in just 48 hours; the count now stands at a minimum of 90,000 infected devices. Initially home routers and IP cameras were the target, but the code keeps evolving and smart-home devices are now being infected as well. Restarting an IoT device normally removes bot malware, because most of it lives only in memory. Not so with HnS: the infection persists, and the device comes back infected after a reboot. Threats like these require a new cyber defence strategy, based on new technology.
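The detection consequence of the peer-to-peer design described above can be shown on flow data. The following is an added example, not code from the article and not derived from any HnS sample: a centralised botnet talks to one command server, while a swarm talks to many peers that also talk back, so counting distinct peers per host on non-service ports separates the two patterns. The flow records, the 10.0.0.0/24 internal range, the allow-list of service ports and the thresholds are all constructed for the illustration.

```python
"""Fan-out heuristic for spotting peer-to-peer bot traffic in flow records.

Added example, not from the article and not based on HnS samples: a
centralised botnet talks to one command server, while a P2P swarm talks to
many peers that also talk back. Counting distinct peers per host on
non-service ports separates the two patterns, and shows why blocking a
single "C2 address" does nothing against a swarm.
"""
from collections import Counter, defaultdict

# Assumption: the IoT segment is 10.0.0.0/24 and runs no legitimate P2P
# software, so ports outside this small allow-list are worth counting.
INTERNAL_PREFIX = "10.0.0."
SERVICE_PORTS = {53, 80, 123, 443, 8883}

# Constructed flow records (src_ip, dst_ip, dst_port); not captured traffic.
FLOWS = [
    # IP camera: fans out to eight high-port peers, five of which connect back.
    *[("10.0.0.11", f"203.0.113.{i}", 9000 + i) for i in range(1, 9)],
    *[(f"203.0.113.{i}", "10.0.0.11", 9128) for i in range(1, 6)],
    # Thermostat: a single cloud endpoint over TLS, contacted repeatedly.
    *[("10.0.0.12", "198.51.100.7", 443) for _ in range(20)],
    # Laptop: several web sites on 443, nothing inbound.
    *[("10.0.0.20", f"192.0.2.{i}", 443) for i in range(1, 7)],
]


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def peer_profile(flows, service_ports=SERVICE_PORTS):
    """Map each internal host to (outbound peers, peers that also came inbound),
    ignoring flows on well-known service ports."""
    outbound = defaultdict(set)
    inbound = defaultdict(set)
    for src, dst, port in flows:
        if port in service_ports:
            continue
        if is_internal(src) and not is_internal(dst):
            outbound[src].add(dst)
        elif is_internal(dst) and not is_internal(src):
            inbound[dst].add(src)
    hosts = set(outbound) | set(inbound)
    return {h: (outbound[h], outbound[h] & inbound[h]) for h in hosts}


def flag_p2p_hosts(flows, min_peers=5, min_reciprocity=0.4):
    """Flag hosts with many distinct non-service peers where a good share of
    those peers also initiate connections to the host (swarm behaviour)."""
    flagged = {}
    for host, (peers, reciprocal) in peer_profile(flows).items():
        if len(peers) >= min_peers and len(reciprocal) / len(peers) >= min_reciprocity:
            flagged[host] = {"peers": len(peers), "reciprocal": len(reciprocal)}
    return flagged


def peers_after_blocking_top_destination(flows, host):
    """Peers the host can still reach if the defender blocks only the one
    destination it contacts most often (the classic 'block the C2' response)."""
    counts = Counter(dst for src, dst, _ in flows if src == host)
    if not counts:
        return 0
    top, _ = counts.most_common(1)[0]
    return len(set(counts) - {top})


if __name__ == "__main__":
    print("swarm-like hosts:", flag_p2p_hosts(FLOWS))
    for host in ("10.0.0.12", "10.0.0.11"):
        print(host, "peers left after blocking top destination:",
              peers_after_blocking_top_destination(FLOWS, host))
```

Only the camera is flagged: it has eight distinct high-port peers and five of them also connect inbound. Blocking the thermostat's single cloud endpoint leaves it with nothing to talk to, whereas blocking the camera's most-contacted address still leaves seven peers, which is why a swarm has to be handled at the device (isolate and re-image) rather than at a single address. On a real network the reciprocity and fan-out thresholds need tuning against a baseline, and legitimate P2P software must be excluded first.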

Situational Awareness on Cyber defence

This changing threat landscape puts pressure on the Security Operations Center (SOC). The SOC is usually responsible for identifying and detecting vulnerabilities in the operational infrastructure, identifying cyber threats and advising on response tactics to eliminate existing risks. The SOC is a "time-driven" operation: the sooner a threat is detected, the smaller its impact will be. The configured use cases (the correlation rules that turn raw events into alerts) must be spot-on and threat intelligence must be up to date at every moment. The central component of the SOC is still the Security Information and Event Management (SIEM) tool. Because of the increasing workload on security analysts, the leading SIEM tools now use artificial intelligence to improve incident analysis, alerting and response processes. At Capgemini-Sogeti's SOC in Luxembourg, IBM's Watson AI platform is used in conjunction with SIEM tooling, with remarkable results: threat analysis and root cause analysis have been reduced from an average of 3 hours to just 3 minutes. In addition, this SOC is part of Capgemini's worldwide network of SOCs, which contributes to knowledge sharing and the ability to respond to threats even faster.

The SIEM dashboards of course contribute to the status overview of your cyber defence, but they are not enough to create true situational awareness. In 2019 an expert team of Capgemini conducted an architecture study on behalf of NATO on the scenarios for creating a Common Operational Picture for cyber defence, dubbed the Recognized Cyber Picture (RCP). The main conclusion of this study is that a cyber picture is more than a pre-arranged set of data, because, far more than in the physical domain, the techniques and tactics in the operational cyber domain are constantly changing. To achieve and maintain a sustainable strategic advantage, the picture must therefore always adapt to the circumstances. That requires an extensive and broadly composed team of experts, consisting of analysts, architects and developers. This team must be close to the commander and be able to build new pictures of the cyber situation quickly.

Automated and Orchestrated Responses

In addition to a SOC, a response team is needed that can respond efficiently to escalated incidents. A response cannot rely only on technical measures to resolve the incident and on recommendations for changes to the ICT system. Several non-technical aspects are also required, including communicating with employees and the public, responding to press inquiries, handling legal issues, and handling personnel issues in the event of an insider attack.
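The SIEM use case described in the previous section and the split between automated technical measures and human-handled tasks described here can be put together in one small pipeline. The following is an added example, not Capgemini's code and not any SIEM or SOAR product's API: a correlation rule turns constructed gateway log lines into an alert, a hypothetical threat-intelligence feed enriches it, and a playbook builder separates the actions that can run automatically from the ones that must go to communications, legal or HR. The log lines, the indicator list, the internal address range and the action names are all assumptions made for the illustration.

```python
"""SIEM-style correlation and an orchestrated response playbook.

Added example, not Capgemini's or any SIEM vendor's code: a correlation use
case turns raw gateway logs into an alert, a threat-intelligence lookup
enriches it, and a playbook splits the response into technical actions that
can run automatically and non-technical tasks that must go to people.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from a hypothetical IoT gateway; not real logs.
LOGS = """\
2020-12-10T09:00:01 gw sshd: Failed password for root from 203.0.113.9
2020-12-10T09:00:03 gw sshd: Failed password for root from 203.0.113.9
2020-12-10T09:00:05 gw sshd: Failed password for root from 203.0.113.9
2020-12-10T09:00:07 gw sshd: Accepted password for root from 203.0.113.9
2020-12-10T09:00:40 gw conntrack: NEW 10.0.0.11 -> 198.51.100.23:6667
2020-12-10T09:15:00 gw sshd: Failed password for admin from 192.0.2.4
""".splitlines()

# Hypothetical threat-intelligence feed: indicator -> label. Constructed.
THREAT_INTEL = {"203.0.113.9": "iot-bruteforcer", "198.51.100.23": "botnet-peer"}

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<source>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
CONN_RE = re.compile(r"NEW (?P<host>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def parse(lines):
    """Normalise raw lines into auth and connection events with datetimes."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        ts = datetime.fromisoformat(m["ts"])
        auth = AUTH_RE.search(m["msg"])
        conn = CONN_RE.search(m["msg"])
        if auth:
            events.append({"ts": ts, "kind": "auth", **auth.groupdict()})
        elif conn:
            events.append({"ts": ts, "kind": "conn", **conn.groupdict()})
    return events


def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Use case: at least `failures` failed logins followed by a successful
    login from the same IP inside `window` -> brute-force-success alert."""
    alerts = []
    recent_failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth":
            continue
        recent = [t for t in recent_failures[ev["ip"]] if ev["ts"] - t <= window]
        recent_failures[ev["ip"]] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= failures:
            alerts.append({"rule": "bruteforce-success", "ip": ev["ip"],
                           "user": ev["user"], "ts": ev["ts"], "first_seen": recent[0]})
            recent.clear()  # do not re-alert on the same burst
    return alerts


def build_playbook(alert, events, intel, horizon=timedelta(minutes=30)):
    """Orchestrated response: enrich with threat intel, pick follow-on traffic to
    known-bad destinations, and separate automatic from human-handled steps."""
    follow_ups = [e for e in events if e["kind"] == "conn"
                  and alert["ts"] <= e["ts"] <= alert["ts"] + horizon
                  and e["dst"] in intel]
    automatic = [f"firewall: block {alert['ip']}"]
    for e in follow_ups:
        automatic.append(f"firewall: block {e['dst']} ({intel[e['dst']]})")
        automatic.append(f"nac: isolate {e['host']}")
    human = ["comms: inform employees and prepare a press line",
             "legal: assess notification obligations"]
    if alert["ip"].startswith("10.0.0."):   # assumed internal range: possible insider
        human.append("hr: open personnel case")
    return {"severity": "critical" if follow_ups else "high",
            "intel": intel.get(alert["ip"]),
            "time_to_detect_s": (alert["ts"] - alert["first_seen"]).total_seconds(),
            "automatic": automatic, "human": human}


def run(lines=LOGS, intel=THREAT_INTEL):
    events = parse(lines)
    return [build_playbook(a, events, intel) for a in correlate(events)]


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

On the constructed input the rule fires once: three failures and then a success for root from 203.0.113.9 within six seconds, followed by an outbound connection from the gateway-side device 10.0.0.11 to an address on the intel list, so the incident is rated critical, the source and the peer are blocked and the device is isolated automatically, while communications and legal tasks are created for people. The `time_to_detect_s` field is what the "time-driven" SOC measures; the later failed login from 192.0.2.4 stays below the threshold and produces nothing. In a real deployment the automatic actions should be reversible and logged, and the thresholds and window should be tuned against the gateway's normal login noise.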

Train as You Fight

“Train as You Fight, Fight as You Train” is a military principle: training must be realistic, especially for repetitive tasks, so that the actions to be taken become instinctive in every aspect, technical and non-technical alike. The same principle applies to incident response in cyber defence. To provide realistic training in cyber defence, Capgemini recently launched its first European Cyber Experience Center (CEC) in the Netherlands. The CEC provides organizations with a realistic and immersive environment to simulate cybersecurity incidents and to test the preparedness and resilience of both the C-level management team and the operational SOC and OT teams of the customer.

To Conclude

Due to the changing threat landscape brought about by IoT-driven solutions, a Security Command & Control (C2) capability is a must. It includes both monitoring and response functions for security incidents. Applying AI concepts helps to detect and resolve threats more quickly. In particular, the SIEM tooling must be able to integrate with IoT platforms, AI platforms, threat-intelligence services and incident-response tools. Outsourcing such a C2 capability, or a sub-function of it, is a way for many smart solutions to become resilient in terms of cybersecurity.

About the authors

Øystein Hermansen is an Identity and Access Architect with Capgemini and member of the Center of Excellence team for Cyber Security in Scandinavia.

Har Gootzen is Chief Enterprise Architect and IT Strategist with Capgemini. His expertise is defining architectures and solutions to guide and govern digital transformations of organizations, especially in the Defense and Public Security area.