CyberSANE

CyberSANE is an EU-funded project aiming to develop an innovative and novel system to protect Critical Information Infrastructures (CIIs) against cybercriminals and tackle current threats that could affect the operations of infrastructures related to healthcare, energy, and transportation.

Due to the amount of information and data used, gathered and shared, these industries rely on robust and reliable ICT components and infrastructures integrating multiple novel technologies for operation optimisation, which make them vulnerable to attacks coming from hackers and cybercriminals.

Over the last few years, it is a common phenomenon to see daily headlines describing major cyber-attacks or some new strain of malware or insidious social engineering technique being used to attack ICT infrastructures. In particular, CIIs have become lately targets for cyberattacks attracting the attention of security researchers, cyber-criminals, hacktivists (e.g. Anonymous, LulzSec) and other such role-players (e.g. cyber-spies). These cyber actors have significantly evolved their tactics, techniques, and procedures to include next-generation malware toolkits available on various locations on the internet (e.g. deep web, dark web) and new data exfiltration methods that give them an asymmetric quantum leap in capability.

In the past years, there have been a number of cybersecurity meltdowns and high-profile breaches affecting critical infrastructures, and in most cases, they targeted the organizations’ interconnected infrastructures as a means of targeting the broadest audience for their malware as possible. Obviously, the impact of a compromised CII can extend far beyond the corporate boundaries, putting not just individual organizations but also their dependent entities at risk.

CyberSANE proposes a state of the art solution that:

• Improves the detection and analysis of cyber-attacks and threats on CIIs and increases the knowledge of the current cyber threat landscape.
• Supports human operators (such as Incident Response professionals) to dynamically increase preparedness, improve cooperation amongst CIIs operators, and adopt appropriate steps to manage security risks, report, and handle security incidents.
• Complies with relevant regulations (such as the GDPR and NIS directive), which requires organizations to increase their preparedness, improve their cooperation with each other, and adopt appropriate steps to manage security risks, report and handle security incidents.

CyberSANE components are:

• LiveNet | Live Security Monitoring and Analysis:
  Implements services for preventing and detecting threats, providing to CyberSANE security professionals both insights and a track record of the activities within their Information Technology environment.
• DarkNet | Deep and Dark Web Mining and Intelligence:
  Searches and analyses threat actor communications in dark web communities for identifying compromised assets or information.
• HybridNet | Data Fusion, Risk Evaluation, and Event Management:
  Correlates attack-related patterns associated with specific malicious or anomalous activities in a given CII, proposing mitigation steps for all vulnerabilities, threats, and risks.
• ShareNet | Intelligence and Information Sharing and Dissemination:
  Provides the necessary threat intelligence and information sharing capabilities within the CIIs and with other involved parties, allowing them to determine the trustworthiness of each information source.
• PrivacyNet | Privacy and Data Protection Orchestrator:
  Responsible for managing and orchestrating the application of the required privacy mechanisms, maximizing achievable levels of confidentiality and data protection.

CyberSANE system have been validated in 3 pilots in the transportation, energy and healthcare domains.

• CyberSANE container cargo transportation pilot focused on a hacking attack to the software application in charge of the Verification of the container Gross Mass in the port of Valencia, Spain. In the Container Cargo pilot,
  • LiveNet detects the malware installation
  • DarkNet searches related terms to look for information related to the attack
  • HybridNet detects access to the application is done from an unknown suspicious IP
  • ShareNet shares the incident for avoiding the same attack in other infrastructures
  • PrivacyNet executes anonymization functions.
• CyberSANE solar energy pilot focused on potential threats to a domestic smart energy management system which monitors and optimises the generation, storage and consumption of electricity in a building to reduce energy bills in LightSource, UK. In the Solar Energy pilot:
  • LiveNet detects the malware installation the download of an unauthorized program
  • DarkNet checks the public IP against a database of known compromised IPs
  • HybridNet notifies the Security Expert about the detected anomaly and mitigation or investigation actions can be taken
  • ShareNet shares the information with the partners
  • PrivacyNet provides the necessary anonymization.
• CyberSANE healthcare pilot focused on the detection and communication of cyber-threats within Klinikum Nürnberg. Even if the whole system of medical devices in any hospital is highly protected due to the sensitiveness of the information, vulnerabilities can appear due to the need of sharing patients’ data amongst health professionals during patient’s treatments. In the Healthcare pilot,
  • LiveNet detects malware contacting known C2C-servers and documents the security incident on the platform
  • DarkNet gathers information about how to deal with the attack in the most effective way
  • HybridNet detects abnormal CPU or RAM consumption on the virtualized device
  • ShareNet notifies local CERT and other hospitals on the threat to prevent damage at the other hospitals
  • PrivacyNet anonymizes identifying information as for example IP of assets.

CyberSANE Project of the Week 19-23 October 2020