In recent years, large-scale cyber attacks, and attacks aimed at maximizing the impact on the economy and society, have grown rapidly. These attacks exploit both known attack vectors, e.g. DDoS, and previously unknown security vulnerabilities, the latter in the course of advanced APT attacks. They affect not only companies and private individuals, but now also state institutions. Due to its role in national defence, the BMLV is a particularly prominent target for a wide variety of attacking groups. It is therefore the Federal Army's aim to maintain sovereignty over its mission-critical information and, in order to protect its infrastructures, to contribute as much as possible to national cyber defence.
The occurrence of a massive cyber incident, caused by a cyberattack, a massive misconfiguration, or an extremely unfavourable failure of core services, is only a matter of time. Preparatory measures are therefore urgently needed in order to react appropriately in the event of an incident: (i) to detect an incident in due time (monitoring, sensor technology), (ii) to recognize correlations and draw the right conclusions (data analysis), (iii) to provide the relevant actors with specific information (information distribution), (iv) to assist the establishment of situational awareness (situation picture presentation), and (v) to initiate the correct countermeasures (cyber incident response).
While there are various efficient solutions in the SOC area for private companies, these are not directly applicable to the BMLV. On the one hand, its structure is fundamentally different; on the other hand, its objectives are diametrically opposed to those of industry. While private companies generally strive for profit maximization under cost pressure, the BMLV, with its particularly sensitive data (up to the classification level "top secret"), has higher protection goals. This also means that risks which would be accepted on purely economic grounds must be mitigated. As a result, monitoring and cyber incident response in the BMLV must be set up differently, or follow much stricter requirements, than in the private sector. Consequently, existing solutions can only be used in an adapted form, or entirely new concepts, methods and solutions for cyber incident response in the military sector have to be developed.
The aim of CADSP is the scientifically sound conception and prototypical evaluation of a Cyber Attack Decision and Support Platform (CADSP) for selected BMLV (Federal Ministry of Defence) use cases and defined processes for Cyber Incident Response, especially in the military sector. CADSP should investigate which data sources are suitable in the selected application scenario for providing sufficiently accurate information to assess the current security status of an infrastructure and the cyber attacks taking place. Building on this, a suitable user interface and situation visualization are to be developed that optimally support the Cyber Incident Response process. The project aims to demonstrate that user-centered support in the form of a software prototype enhances situational awareness and thereby the ability of military users to act appropriately.