The Use of Public Data and Free Tools in National CSIRTs' Operational Practices: A Systematic Literature Review
Authors:
Sharifah Roziah Binti Mohd Kassim,
Shujun Li,
Budi Arief
Abstract:
Many CSIRTs, including national CSIRTs, routinely use public data, including open-source intelligence (OSINT) and free tools, which include open-source tools in their work. However, we observed a lack of public information and systematic discussions regarding how national CSIRTs use and perceive public data and free tools in their operational practices. Therefore, this paper provides a systematic…
▽ More
Many CSIRTs, including national CSIRTs, routinely use public data, including open-source intelligence (OSINT) and free tools, which include open-source tools in their work. However, we observed a lack of public information and systematic discussions regarding how national CSIRTs use and perceive public data and free tools in their operational practices. Therefore, this paper provides a systematic literature review (SLR) to comprehensively understand how national CSIRTs use and perceive public data and free tools in facilitating incident responses in operations. Our SLR method followed a three-stage approach: 1) a systematic search to identify relevant publications from websites of pertinent CSIRT organisations, 2) a conventional SLR into the research literature, and 3) synthesise data from stages one and two to answer the research questions. In the first stage, we searched the websites of 100 national CSIRTs and 11 cross-CSIRT organisations to identify relevant information about national CSIRTs. In the second stage, we searched a scientific database (Scopus) to identify relevant research papers. Our primary finding from the SLR is that most discussions concerning public data and free tools by national CSIRTs are incomplete, ad hoc, or fragmented. We discovered a lack of discussions on how the staff of national CSIRTs perceive the usefulness of public data and free tools to facilitate incident responses. Such gaps can prevent us from understanding how national CSIRTs can benefit from public data and free tools and how other organisations, individuals and researchers can help by providing such data and tools to improve national CSIRTs' operation. These findings call for more empirical research on how national CSIRTs use and perceive public data and free tools to improve the overall incident responses at national CSIRTs and other incident response organisations.
△ Less
Submitted 9 June, 2023;
originally announced June 2023.
Position paper: A systematic framework for categorising IoT device fingerprinting mechanisms
Authors:
Poonam Yadav,
Angelo Feraudo,
Budi Arief,
Siamak F. Shahandashti,
Vassilios G. Vassilakis
Abstract:
The popularity of the Internet of Things (IoT) devices makes it increasingly important to be able to fingerprint them, for example in order to detect if there are misbehaving or even malicious IoT devices in one's network. The aim of this paper is to provide a systematic categorisation of machine learning augmented techniques that can be used for fingerprinting IoT devices. This can serve as a bas…
▽ More
The popularity of the Internet of Things (IoT) devices makes it increasingly important to be able to fingerprint them, for example in order to detect if there are misbehaving or even malicious IoT devices in one's network. The aim of this paper is to provide a systematic categorisation of machine learning augmented techniques that can be used for fingerprinting IoT devices. This can serve as a baseline for comparing various IoT fingerprinting mechanisms, so that network administrators can choose one or more mechanisms that are appropriate for monitoring and maintaining their network. We carried out an extensive literature review of existing papers on fingerprinting IoT devices -- paying close attention to those with machine learning features. This is followed by an extraction of important and comparable features among the mechanisms outlined in those papers. As a result, we came up with a key set of terminologies that are relevant both in the fingerprinting context and in the IoT domain. This enabled us to construct a framework called IDWork, which can be used for categorising existing IoT fingerprinting mechanisms in a way that will facilitate a coherent and fair comparison of these mechanisms. We found that the majority of the IoT fingerprinting mechanisms take a passive approach -- mainly through network sniffing -- instead of being intrusive and interactive with the device of interest. Additionally, a significant number of the surveyed mechanisms employ both static and dynamic approaches, in order to benefit from complementary features that can be more robust against certain attacks such as spoofing and replay attacks.
△ Less
Submitted 19 October, 2020; v1 submitted 16 October, 2020;
originally announced October 2020.