This phase starts in December and runs until March 2021. Which projects are going from the Explore phase to Proof of Concept and which goals go with it?
Crystal ball DDoS detection
First idea: the project aims to investigate whether new DDoS attacks can be predicted before they have an actual impact. This is similar to dealing with tsunami alerts. The idea is to achieve this by analysing public and private data using AI techniques.
Activities in Explore phase: the project team has looked at challenging and innovative methods to pick up early signals of application-based DDoS attacks on the basis of probe detection. This seems promising and, based on a literature study and external contacts, has proven to be innovative, but it is not yet certain that it will yield a good result. That makes this project even more attractive to continue within the PCSI. It is crucial for this project that sufficient test data is available, both from public sources and from the PCSI partners.
Conclusion: in the Proof of Concept phase, an algorithm for probe detection will be developed and tested on DDoS datasets.
First idea: research whether the 'customer journey methodology' of marketers can be used to make employees more security-conscious, so that security incidents attributable to human behaviour can be reduced. For the security journey, we use data-driven AI tooling to identify internal processes and define the appropriate steps for each role involved.
Activities in Explore phase: the project team has explored the requirements and possibilities of a security expert and verified these externally with various experts. The approach chosen was one based on human actions and not on technology. The results from the exploration showed that a security journey expert should focus on human factors and behaviour.
Conclusion: the preconditions for the Proof of Concept phase will be further tightened. In this phase, the project team wants to develop a job description of a security journey expert, including a toolset that this person can use.
First idea: this project aims to monitor behaviour in order to identify how attackers operate. The idea of this project is to combine information from multiple parties in order to get a better picture of the attackers and how they operate. Through collaboration and information sharing, strategic insights are obtained that individual organisations would otherwise not be able to acquire.
Activities in Explore phase: the project group has worked out a concept of the deception environment, including the components that are important in it. In addition, the market was explored in order to determine what external parties already offer and what we would need from them.
Conclusion: the project team will go through the Explore phase again with a focus on deception and threat intel. The possibilities of involving an external party in this will be investigated more explicitly.