Semi-Automated Cyber Threat Intelligence – open source platform

Semi-Automated Cyber Threat Intelligence

Read an article with Søren Egede Knudsen, who speaks at the SCADA conference about management communication and OT cybersecurity.

Norway's KraftCERT, Nordic Financial CERT, the Norwegian National Security Authority and mnemonic have joined forces on an ACT project whose purpose is to develop a platform for digital threat intelligence. The platform is open source and can predict and uncover targeted cyber attacks, IT espionage and sabotage.

At the SCADA conference you can hear Dr. Martin Eian, Project Manager (ACT), mnemonic, tell much more about the platform. In this post you can read an interview (in English) with Dr. Martin Eian.

Would you describe your keynote? Why is this interesting for the delegates?

“In my keynote, I would like to introduce a way for organizations to work with threat intelligence, and go from data to knowledge driven investigations in their SOC. Instead of starting from scratch every time an incident is detected, I would like to introduce the ACT platform which will provide analysts with instant context and knowledge around the incident based on experiences that other companies or organizations have faced. For example if a bank in Norway detects a suspicious event and performs an analysis, we would like for the Danish banks (and other banks around the world for that matter) to look at that analysis and benefit from the knowledge (IOCs, TTPs, etc.) that has previously been associated with that particular campaign or threat actor. In reality this means that the analyst working with the incident will be provided with high-quality, verified threat intelligence that will be specific to the event that they are working with – giving them a chance to work efficiently and with a high degree of certainty about what they are dealing with.

I believe this will be relevant for the delegates who either have their own SOC or are procuring these services through a security partner, as I am confident that it will increase the quality and efficiency of the work that their analysts can do.”

What are you hoping the delegates will take home with them after hearing your keynote?

“I hope that the delegates will take this information home with them to their organization, and validate whether this can help them in their SOC. And if they have outsourced this functionality to a third party service provider, we invite them to spread the word about the platform, as this will contribute to the sharing of knowledge that they obtain through the analysis of events they work with. If all of the companies and organizations present at the conference were to put ACT into production, the Danish critical infrastructure would definitely be a step higher on the maturity scale as a whole.”

If you were to come back and speak in 5 years, what do you think the subject would be?

“In five years, we expect that this type of technology will be used by every self-respecting SOC in order for them to work in the highest quality and most efficient way possible. We also hope that the security community as a whole will adapt this type of platform for the sharing of analysis related to specific incidents/threat actors, which would help the community as a whole to detect and respond to advanced threats. The bad guys are sharing their tools and analysis – so should we!

In 5 years, I would hope to come back and speak about the things we have found out thanks to the platform, and all of the knowledge that has been generated and shared because of it.”

Which of the other keynotes are you looking forward to hearing?

“Personally, I am looking forward to hearing from Andy Powell about the lessons learned from the Mærsk incident. We have all read about it and drawn our own conclusions about what happened and what we should learn from it, but it is always interesting to hear it straight from the source.”

What do you see as the biggest challenge within IT and OT security?

“There are many challenges to name here, but I believe the biggest challenge moving forward will revolve around finding the right people. It doesn’t necessarily work to throw an IT Security expert into an OT/SCADA environment and expect them to understand things, unless they have a good understanding of the systems themselves and how they work. Ideally we would take engineers and train them on security, not the other way around. That being said, I don’t think engineers are growing on trees either these days!”

Do you have anything else you would like to share?

“If you or your organization would like to test the platform and understand how it works, feel free to follow the links below:”

Would you like to hear more from Dr. Martin Eian about the ACT platform?

You can hear Dr. Martin Eian's full talk at the conference SCADA – oprustning af kritisk infrastruktur (SCADA – arming critical infrastructure) on 13–14 November.

You can read more about the conference here and register here.
