Advanced Threat Intelligence Orchestrator in IRIS project

In the context of IRIS, the Advanced Threat Intelligence Orchestrator will act as the communication medium between external data sources and stakeholders. More specifically, it will manage, prioritise, and share cyber threat information in collaboration with the rest of the IRIS tools, connected through an appropriate API framework. This technical solution provides security orchestration, automation, and response (SOAR) capabilities.

The benefits of Advanced Threat Intelligence Orchestrator SOAR capabilities are summarised below:

  • Automation of critical use cases
  • Streamlined operations
  • Immediate incident detection with automated or semi-automated response
  • Faster incident response time
  • System scalability

The Advanced Threat Intelligence Orchestrator (ATIO) will serve both as a) a middleware, pushing information to and pulling information from INFRA, ATA, CTI, and DPA, and b) a workflow and visualization engine. In other words, the Advanced Threat Intelligence Orchestrator will be placed at the “center” of the IRIS architecture, transferring information to both the backend and the frontend. More specifically, it enables communication among the IRIS components.

  1. ATIO Communication among IRIS Components

Data Protection and Accountability (DPA), Automated Threat Analytics (ATA), Collaborative Threat Intelligence (CTI), and Smart Infrastructures will be able to exchange cyber-threat information back and forth thanks to ATIO and the appropriate API framework. End users, in particular, can start Orchestrator workflows that invoke the ATA tools monitoring the infrastructure and that share and manage cyber threat intelligence information.

  2. ATIO Visual Environments

The Advanced Threat Intelligence Orchestrator (ATIO) is composed of six sub-components: two visual environments and four backend tools. The visual environments (the Orchestration Workflow Manager (OWM) and the Threat Sharing and Response task management and tracking system) will be integrated with the platform dashboard of the MeliCERTes platform to form the EME Unified Dashboard. Infrastructure owners as well as cyber security experts (CERTs/CSIRTs) can gain access to and use the ATIO environment.

In the Orchestration Workflow Manager (OWM), users will be able to run predefined IRIS workflows, create customised ones, and view the execution status of each workflow step. Workflows can be started by end users to initiate the ATA IRIS tools deployed in the infrastructure, and can also be triggered by the ATA tools themselves, executing the specific workflows that are currently aligned with the IRIS data flows.

In addition, through Task Management & Tracking, security experts (CERTs/CSIRTs) will be able to see the status of security incidents, and operators will be able to visualise all the response actions proposed by Risk-based Response & Self-Recovery, prioritised according to their risk indicators. The user then selects whether to approve or decline each proposed response action.
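As an added illustration (not IRIS project code), the following Python models the approval gate described above: proposed response actions ranked by a risk indicator, an operator decision recorded per action, and execution of only the approved actions with a per-step status. The class and function names, action names and risk values are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

class Status(Enum):
    PENDING = "pending"    # listed, awaiting the operator's decision
    DECLINED = "declined"  # operator rejected the proposed action
    DONE = "done"
    FAILED = "failed"

@dataclass
class ResponseAction:
    name: str
    risk_indicator: float            # supplied by the analytics side; higher = more urgent
    approved: Optional[bool] = None  # None until an operator approves or declines
    status: Status = Status.PENDING

def prioritise(actions: List[ResponseAction]) -> List[ResponseAction]:
    """Order proposed actions by risk indicator, most urgent first."""
    return sorted(actions, key=lambda a: a.risk_indicator, reverse=True)

def decide(action: ResponseAction, approve: bool) -> None:
    """Record the operator's approve/decline decision for one action."""
    action.approved = approve
    if not approve:
        action.status = Status.DECLINED

def execute(actions: List[ResponseAction],
            handlers: Dict[str, Callable[[], bool]]) -> Dict[str, str]:
    """Run approved actions in risk order; undecided or declined actions are never run."""
    for action in prioritise(actions):
        if action.approved is not True:
            continue
        action.status = Status.DONE if handlers[action.name]() else Status.FAILED
    return {a.name: a.status.value for a in actions}

def demo() -> Dict[str, str]:
    # Constructed sample: three proposed actions with hypothetical risk scores.
    actions = [ResponseAction("block_source_ip", 0.4),
               ResponseAction("isolate_host", 0.9),
               ResponseAction("rotate_service_credentials", 0.7)]
    decide(actions[0], True)   # approved by the operator
    decide(actions[1], True)   # approved by the operator
    decide(actions[2], False)  # declined by the operator
    # Hypothetical handlers; block_source_ip simulates a failed execution.
    handlers = {"block_source_ip": lambda: False,
                "isolate_host": lambda: True,
                "rotate_service_credentials": lambda: True}
    return execute(actions, handlers)
```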