Improving Quality Assurance and Situational Awareness for CONCORDIA’s incident clearing house
CONCORDIA aims to build a threat intelligence platform that facilitates cross-sector sharing of actionable information on imminent or already successful attacks on your networks. But besides simply informing you in case of already successful attacks, there is more that can be done with this information if you look more closely.
The incident clearing house in CONCORDIA’s TI platform
CONCORDIA’s incident clearing house originates in the former ACDC project, which aimed to develop a comprehensive European solution to fight botnets. The CCH developed in ACDC is essentially a data distribution platform that takes reports of malicious network activity and forwards them to the party responsible for the reported network resources. This allows a user of the CCH to submit things like bot infections observed through a sinkhole, attacks on a honeypot, or a malicious URL and the CCH automatically forwarding this information to the correct, trusted contact for mitigation and cleanup at the source of the malicious activity.
In CONCORDIA the CCH thus functions as a retroactive incident clearing house that informs users of actual problems that they have right now in their networks. This is complemented in CONCORDIA’s threat intelligence platform by the proactive sharing of indicators via MISP, informing users of possible attacks that they might face in the future.
Assuring data quality and detecting anomalies
A report from the incident clearing house usually initiates some kind of incident handling process on the receiving side. Since the effort and financial cost of incident response are usually considerable, the quality of the reported data is crucial. This covers multiple dimensions such as the completeness, correctness, and timeliness of the reported data. To assure data quality, we are going to apply security metrics to measure different quality parameters that are derived from these quality dimensions. The measured parameters will support users of the CCH in evaluating reports.
Another benefit of using security metrics is to detect anomalies in the data of the CCH. Since the CCH collects a large quantity of security data from multiple distributed sites, it is likely that large scale incidents on the Internet cause specific anomalies. For example, a new Internet worm or global IoT botnet activity will likely result in a significant increase of reported security events. Ongoing research performed inside CONCORDIA has shown that such anomalies can be reliably detected by approaches from time series analysis (ARIMA).
The contributions to the CONCORDIA consortium and the public are manifold. Our first aim is to improve the confidence in CONCORDIA’s TI platform by assuring the quality of the reported security events. Moreover, we strive to share information about detected anomalies with the CONCORDIA community to support network situational awareness. That would enable, for example, to confirm and investigate global security incidents by correlating detected anomalies with other TI sources like CONCORDIA’s MISP platform.
(By Dr.-Ing. Christian Keil and Jan Kohlrausch, DFN-CERT Services GmbH)