Staysure Data Breach: Lessons in Cybersecurity Case Study

Introduction - Risk Assessment and Security Recommendations for Staysure

This r?port ?xamin?s th? Octob?r 2013 data br?ach of Staysur? and an onlin? holiday insuranc? provid?r. Th? br?ach r?sult?d from th? company's failur? to apply critical softwar? s?curity updat?s ov?r s?v?ral y?ars and l?aving vuln?rabiliti?s that w?r? ?xploit?d by hack?rs to acc?ss custom?r r?cords. Malicious cod? was inj?ct?d into Staysur?'s w?bsit? s?rv?r by attack?rs and gaining acc?ss to th? back?nd databas? containing ov?r 100000 custom?rs' paym?nt card d?tails and m?dical information and an oth?r s?nsitiv? data. Ultimat?ly and th? un?ncrypt?d card data of ov?r 93000 custom?rs was compromis?d and with thousands ?xp?ri?ncing cr?dit card fraud. Th? UK Information Commission?r's Offic? (ICO) inv?stigat?d an fin?d Stay sure £175000 for violating th? Data Prot?ction Act by failing to k??p p?rsonal data s?cur?.

Stage 1: Case Study Articulation

Task 1

Background on Staysure.co.uk

Staysure.co.uk Limited is an online travel insurance provider based in the United Kingdom that is offered various insurance products to consumers including travel, health, life, holiday, home, and automotive insurance plans (Bécue et al, 2021). As an online insurance platform, sensitive customer information such personal details, travel records, medical history, and financial payment data required for managing customer policies and claims is stored by the company.

Details of the Data Breach Incident

In October 2013, Staysure.co.uk's publicfacing web servers were breached by malicious external attackers who exploited a software vulnerability to gain unauthorized access to internal systems. The root vulnerability exploited by the attackers was a wellknown and documented flaw in certain versions of the JBoss Application Server, which had originally been publicly disclosed in 2010. In 2013, an additional security fix was released by the vendor as well(Bhandari et al, 2023). However, an adequate process for tracking or installing software security updates in a timely manner was not had by Staysure.co.uk. Consequently, despite patches being available for over 3 years prior to the breach, the servers were still left vulnerable.

At the time of breach, approximately 3 million customer records were contained in the database backups, though evidence suggests payment card information related to around 110,000 records was specifically targeted and extracted by the attackers. Included in this was live credit card numbers, names, expiration dates, and CVV codes, much of which was stored in plain text. The lack of encryption, use of flawed and outdated software, and insufficient access controls enabled easy access and exfiltration of this sensitive customer information by the attackers.

Business Impacts and Regulatory Penalties

The stolen payment card data was used by the attackers to make unauthorized transactions and commit financial fraud against over 5,000 impacted Staysure customers. Additionally, the personal medical, travel, and other sensitive information of up to 100,000 clients was left exposed. As per U.K. Data Protection laws, substantial scrutiny and penalties from regulators were faced by Staysure.co.uk for failing to adequately secure customer data. A monetary fine of £175,000 was imposed against Staysure by the Information Commissioner's Office (ICO) for data security shortcomings that enabled the breach (Steingartner et al, 2021). Principles within the UK Data Protection Act related to information handling procedures, access controls, retention policies, and maintaining the confidentiality and integrity of collected customer data were found to have been violated by the organization.

Key Recommendations to Improve Security:

1. A robust patch management process should be implemented to swiftly address vulnerabilities in internet facing systems and backend databases.
2. Vendor notifications should be monitored, patches tested, and urgent fixes deployed on priority.
3. Strong encryption protocols such as AES256 bit encryption should be employed to protect confidential personal data, especially highly sensitive information like financial data, medical records, passwords, etc.
4. Formal data classification guidelines should be developed and appropriate access controls enforced based on data sensitivity, user roles, and business need.
5. Access should be limited to only authorized personnel.

Secure software development practices should be instituted for custom web/mobile applications and IT systems. SDL methodologies should be incorporated into SDLC processes.

Independent external security audits and penetration testing exercises should be undergone at least annually to identify security gaps or system misconfigurations.

Employees should be continually educated through security awareness programs focusing on data privacy, phishing response, and best practices for handling customer information.

Particularly, this specific breach vector could have been prevented by implementing robust patch management and data encryption mechanisms.

Task 2

This network diagram depicts a proposed secure architecture for the Staysure environment prior to the 2013 breach which aims to isolate and protect sensitive customer data through proper network segmentation based on asset type and risk level (González-Granadillo et al, 2021). This prevents external attackers from pivoting deeper into the network if they compromise a web server.

Figure 1: The Network architecture of the Organization

Segmenting the database server into its own zone protects this highvalue target even if other LAN servers are breached. Critical systems like the database and app servers implement rolebased access control via Windows Active Directory domains and groups set up by administrators. This limits access to only privileged service accounts needed for essential functions. Regular user workstations are placed in a separate domain without access to critical systems. Frequent patching and vulnerability scanning which identifies and closes security gaps is planned (Ramsdale et al 2020). Network monitoring would also alert staff of any malicious activity.

The architecture of network was well focused on the business aspects depthly and connectivity flows relevant to the Staysure.co.uk breach scenario based on details provided in the case study background.

Key components depicted include:

Internet Edge Router

Figure 2: Head quarter and Server side routers

As the initial point of entry from untrusted zones, an important role as part of the network attack surface is played by the edge router.

VPN Gateway

Advanced traffic filtering, inspection, intrusion prevention capabilities to secure the internal network zones from external threats is provided by a dedicated Cisco ASA firewall device.

Figure: The VPN connected model

Remote employees connecting via VPN can authenticate through the firewall VPN gateway to securely access company applications and resources when working remotely.

Web Server

Figure 3: The Web Servers and server side switch

The externally facing Red Hat Enterprise Linux web server hosts the customer website built on the JBoss application server platform. The backend mySQL database is relied on by the web application for storing and retrieving sensitive customer data submitted online for insurance policy applications, claims, payments etc (Miller et al, 2021). By exploiting an unpatched JBoss vulnerability, the initial point of compromise in the breach was this server.

Database Server

Figure 4: Database server

An internal Ubuntu database server runs the mySQL database software used to manage policies, claims, customer account info, payment cards, and other confidential data. Without adequate access restrictions in place, millions of sensitive records that were put at risk were contained by the database.

Employee Workstations

Figure 5: Employee workstations

These Windows and Linux enduser computing devices are used by company employees for tasks like managing customer accounts, processing claims/payments, website content editing etc (Kim et al, 2023). Despite no direct external connectivity, compromised access credentials could allow an attacker to pivot from the web server to workstations.

Intrusion Protection Systems

Inline traffic monitoring to detect known bad traffic patterns and blockchain malicious activity is provided by networkbased IPS devices. While certain standard security safeguards like VPNs, and IPS are included in the above architecture, additional mechanisms around access control, encryption, activity monitoring, vulnerability management etc. could have made breach exploitation much more difficult for the adversaries (Rantos et al, 2021). With this foundational topology now documented, analyzing the specific attack scenario, vulnerabilities, and recommendations through various industry approaches is proceeded to.

Stage 2: Threat Analysis and Risk Assessment

Task 3

A risk assessment methodology that evaluates the likelihood and potential impact of threats to key assets and vulnerabilities should be implemented by Staysure. For both likelihood and impact, a scoring system from 15 can be used (Alexei and Alexei 2021). Likelihood scores assess the probability of a threat exploiting a vulnerability based on factors like threat capability, system susceptibility, and existing controls. Impact scores gauge the damage to confidentiality, integrity and availability of assets if a vulnerability is exploited. An overall risk rating is produced by combining likelihood and impact scores.

Risk Register Header

• Risk ID: Unique identifier for risk
• Risk Title/Description: Brief summary of risk
• Impact Category: Category based on what aspect of business is affected Financial, Legal/Compliance, Operational, Reputational
• Likelihood Score: Score from 15 representing probability of occurrence; 1 = Very Low, 5 = Very High
• Impact Severity: Score from 15 indicating severity of impact; 1 = Negligible, 5 = Extreme
• Inherent Risk Score: Likelihood x Impact (Higher = worse)
• Mitigation Effectiveness %: Estimated effectiveness percentage of applied control(s)
• Residual Risk Score: Inherent Risk x (1 Mitigation Effectiveness %)
• Scoring Criteria Definition

Likelihood Scoring Guidelines

1. Very Low: Theoretically possible but highly unlikely or rare occurrence
2. Low: Could occur but doubtful
3. Moderate: Fairly possible to occur at some point in time
4. High: Very likely to happen
5. Very High: Almost inevitable or already occurring

Impact Severity Guidelines:

1. Little noticeable business impact
2. Minor: Small loss, breach, outage with limited effects
3. Moderate: Clear issues leading to tangible damages
4. Major: Severe impacts disrupting operations
5. Extreme: M reservation Shutdowns, huge direct loss or reputational harm

Risk Assessment for Staysure.co.uk

Risk ID	Risk Description	Impact Category	Likelihood	Severity	Inherent Risk Score	Mitigation Effectiveness	Residual Risk Score
RSK01	External attacker exploits vulnerability to breach public web server	Operational, Reputational	5,high	5,high	25	60%	10
RSK02	Compromised web server used to access internal database	All categories	4,medium	5,high	20	70%	6
RSK03	Unencrypted confidential customer data extracted from database	All categories	5,high	5,high	25	80%	5
RSK04	Stolen customer payment card data used for financial fraud	Financial, Legal, Reputational	5,high	4,medium	20	30%	14
RSK05	Medical injury claims delayed due to system outage	Operational, Reputational	3,low	3,low	9	70%	3

Proposed Mitigation Techniques

1. Harden servers and apply latest OS/software security patches frequently (2,4)
2. Employ strong encryption for sensitive data at rest and in transit (3,5)
3. Enforce granular access controls between application tiers (1,3)
4. Institute advanced perimeter security and activity monitoring (4,5)
5. Maintain regular data backups and incident response preparedness (1,6)

References

1. PCI DSS v3.2
2. ISO 27001 Annex A Domain 12
3. NIST SP 80053 Rev 5 Control Families
4. CIS Critical Security Controls
5. ENISA Network Security Baseline
6. NIST Cybersecurity Framework (Identify, Protect, Detect, Respond)

Task 4

STIX Modeling of Breach

Key SDOs:

1. Malware instance (JSP Spy backdoor)
2. Vulnerability (JBoss server software flaw)
3. Threat actors (External cybercriminals)
4. Staysure company as identity victim
5. Financial loss resulting from fraud

The Structured Threat Information Expression (STIX) is represented as a standardized schema and ontology for being characterized as cyber threat intelligence by machine readable objects with consistent terminology and attributes. For the Staysure breach, the company is able to be characterized as an identity victim organization targeted by financially motivated external threat actors leveraging a known vulnerability in the JBoss platform, which enabled delivery of a malicious backdoor tool that facilitated intrusion activities (Bouwman et al, 2020). These software flaws, tools, and threat groups are able to be captured as SDOs with additional metadata around specific vulnerability identifiers like CVE numbers and CVSS access complexity/impact scores, malware file hashes and capabilities, actor sophistication level ranging from novice, intermediate, expert, innovator based on tactics, techniques and procedures (TTPs) exhibited.

Relationships:

1. Vulnerability exploited to deliver malware
2. Backdoor used to access internal database
3. Actors Leverage vulnerability to steal data
4. Company suffers financial loss from breach

Relationships are able to connect these SDOs, for example, showing that the specific CVE weakness was exploited to inject the web shell malware payload, which was then utilized by the attackers to traverse systems and access confidential data for exfiltration, eventually causing loss of customer funds or services modeled quantitatively as another SDO.

Additional contextual fields are able to supply industry/motivation categories for the financial crime actors, ties to other campaigns with related TTPs are able to be supplied, recommended mitigation advice is able to be supplied, and external references to reports/sites with more threat details are able to be supplied.

Additional SDO fields provide further:

1. Context on vulnerability specifics (CVE ID, CVSS score)
2. Malware code signatures and capabilities
3. Actor sophistication level and attribution details
4. Granular monetary impact quantification

STIX modeling is thus able to correlate the attack sequence between relevant assets, threat entities and business impacts using standardized vocabulary as commonly applied in CTI sharing.

This standardized intelligence being shared is able to better equip partner organizations in the travel insurance sector to tune their security infrastructure against imminent threats (Hajizadeh et al, 2021). The structured format allows for computers rather than just human analysts to efficiently parse the indicators of compromise and key risk characteristics across aggregated data for historical patterns, clusters, sudden anomalies and early warnings leveraged in threat hunting to be enabled.

By cyber threat realities being modeled as machine actionable STIX objects, nodes and relationships with software tools, defenders being able to operationalize intelligence is able to be accelerated to accelerate incident response while collaborating securely across trusted partners adhering to this common vocabulary (Georgiadou et al, 2021). The graphical visualization also helps threat analysts to understand and contextualize attack narratives quickly.

STIX cyber threat intelligence standards can be used to characterize the Staysure breach. Relevant STIX cyber observable objects (SCOs) would have included: Network traffic (Network_Traffic_SCO) Captures malicious HTTP requests sending JspSpy payload to vulnerable JBoss server (Sarker et al, 2021). File object (File_SCO) Identifies JspSpy .jsp script located on compromised web serverIPv4 address (Address_SCO) Lists attacker IP address used to remotely access JBoss server.Windows process (Process_SCO) Describes instances of JspSpy script executed to create backdoorMalware analysis (Malware_SCO) Documents forensic analysis of JspSpy components and capabilities.

Stage 3: Threat Modeling

Task 5

The Lockheed Martin cyber kill chain provides a useful framework to analyze the structured progression of an attack campaign targeting confidential data assets. By mapping adversary activities to well defined phases ranging from initial reconnaissance through final data exfiltration, opportunities to detect threats and prevent successful intrusions are able to be identified by defenders.

use my discount

In the Staysure attack scenario, extensive reconnaissance is likely to have been performed by the external hackers using Internet searches to scan for vulnerable JBoss application servers facing the public internet, a valuable target given the prevalence of this platform (Kaloudi and Li, 2020). Once the company's Internet Facing assets were identified, the exploits could be weaponized by the hackers by adapting publicly available proof of concept code that leverages the JBoss software vulnerability to inject malicious scripts.

Delivery of the weaponized payload would occur through the external web application vector during normal traffic by the unpatched vulnerability being exploited. With the malicious script now executing via the established backdoor, an expanded foothold to explore internal systems and databases was had by the attackers (Syed, 2020). By capturing administrative passwords in memory or through brute force attempts, persistent control could be maintained by them even if the initial entry point was later patched. Such command and control is harder to be detected versus a quick smash and grab data extraction approach.

Finally, the cyber criminals were able to achieve their ultimate objectives by querying and funneling out vast amounts of personal customer data including payment cards that fetched high prices on dark web marketplaces (Alves et al, 2021). The information was taken care to be exfiltrated slowly and intermittently by them to avoid raising alarms from sudden spikes in outbound transfers. While the entry point was the externally facing web server, the crown jewels lay deeper within backend databases that should have been better safeguarded.

By this structured model of an unfolding attack being leveraged to establish opportunities for visibility and control, stronger preventative controls, earlier threat detection, and response capabilities to minimize exploitation success at various points along the chain are able to be invested in by organizations.

Task 6

An effective threat modeling technique to logically map how an adversary may exploit technical, physical or procedural vulnerabilities to achieve an undesirable outcome is provided by attack trees (Gao et al, 2021). By decomposing sequential decisions and factors needed to reach an attack objective, potential risk mitigation at various stages based on increasing attacker difficulty, required resources and likelihood of occurrence is able to be evaluated by defenders.

In the Staysure breach, specialized expertise and effort would first need to be discovered by a vulnerable Internet Facing server that was not yet patched, and the advanced exploit be adapted to compromise access. After gaining an initial foothold on the public server, lateral movement to access the deeper database is simplified if administrator credentials are compromised through brute force or credential dumping memory techniques. For Staysure, regular patching and upgrades of Internetfacing systems greatly raises initial intrusion difficulty (Koloveas et al, 2021). Stronger segmentation and access controls between application tiers would obstruct unauthorized database access. Encrypting sensitive fields, masking data, or using tokenized formats lowers exfiltration value. By modeling attack thought processes, associated variable expenses borne by threat actors, and effect of security controls, the risk likelihood is able to be adjusted appropriately based on tolerance thresholds for business operations. Attack tree analysis thus helps evaluate security architectures from an adversarial mindset.

Stage 4: Security Assurance Architecture

Task 7

Modern threat and data security trends warrant legacy security architectures being enhanced with more robust solutions for visibility, early detection and rapid response powered by cloud analytics and automation (de Melo e Silva et al, 2020). Preventative network security controls should be supplemented by continuous monitoring and intelligence feeds to address inevitability of some threats bypassing the perimeter through zero days, insider actions or social engineering.

For Staysure's updated Packet Tracer network model, usage of deep packet inspection, protocol anomaly detection and prevention capabilities going beyond traditional port/IP filters against modern sophisticated threats. Microsegmenting application tiers is hindered unauthorized lateral access across other zones following initial intrusions. Multifactor VPN authentication mechanisms are reduced compromised credential risks (Gao et al, 2020). Database activity monitoring is helped to detect anomalous queries or transfers indicative of unauthorized access attempts.

Strengthened log data collection when collectively analyzed on a centralized platform would reveal behavioral patterns, tools and techniques associated with threat actors for earlier interruption (Ramsdale et al, 2021). While not explicitly depicted in the network diagram, other critical improvements needed for Staysure encompass regularly patching and upgrading software versions promptly after known vulnerabilities are disclosed, implementing data at rest and in transit protections applying formats preserving confidentiality and integrity, and streamlining access privileges based on user roles with minimal standing rights reduced through justintime elevation.

This multilayered security approach spanning the technology and process domains aligned with leading practices helps manage risks from various attack entrada points more effectively in today's complex threat landscape.

Task 8

Wellarticulated information security policies represent the foundation for consistent data protection mechanisms meeting legal and compliance bar for regulated industries. Technical controls can help enforce policies through system configurations and automation, while human governance establishes broader accountabilities.

For Staysure, recommended policy areas include securely handling of customer data throughout lifecycles across systems, networks and processes. Stringent access restrictions must govern sensitive information like medical records and financial documents. Data recovery provisions in case of corruption or loss are also vital for operational continuity (Zhao et al, 2020). Cryptographic policies should cover approved algorithms, protocols, key lengths and storage procedures aligned with sensitivity levels based on data classification tiers.

Third party security oversight policies will ensure partners meet adequate assurances via risk assessments before trusting them with data access, while responding to incidents requires coordinated plans for forensic investigation, customer breach notification and public relations mitigation (Schletter et al, 2020). As exemplified by the template policy covering vulnerability and patch management, specific elements to be defined formally include responsible teams and personnel, inventory scope, risk measurement criteria, change control processes, fall back contingency, audit reporting cadence to executive leadership and continuous improvement considering latest threats.

Turning policy ambitions into practice with proper governance frameworks is thus invaluable for holistic lifecycle data security beyond just buying security products. The board and top management should drive top down policies for all lines of business reflecting enterprise priorities.

Conclusion

This report applied a variety of contemporary cybersecurity risk and threat analysis methodologies to the real world Staysure.co.uk data breach scenario involving theft of customer payment card information. The hypothetical pre intrusion system architecture established the technical environment and connectivity flows prior to the incident as the starting point for evaluations. Vulnerability prioritization allows remediation efforts to be focused on the riskiest attack vectors. Various frameworks facilitated structured characterization of threats the Cyber Kill Chain modeled the tactical progression of attack events as boundaries worth being safeguarded, while attack trees framed adversary perspectives weighing options during campaigns. On the defensive front, the enriched network architecture diagram codified technical security controls like next generation web application protections, microsegmentation, database activity monitoring and other mechanisms for hardening and visibility. Just as crucially, formalized information security policies now mandate data handling processes, access restrictions, encryption protocols and vulnerability life cycles. Applying similar synthesis of risk driven security architectures backed by data centric policies tailored to business needs can help sensitive assets be secured for the long term.

Struggling to balance assignments with part-time work or personal life?

Managing deadlines while juggling responsibilities can be overwhelming. That’s where Professional Assignment Writers step in to help. With deep academic expertise and time-management skills, they craft well-researched assignments tailored to your specific guidelines. Say goodbye to sleepless nights and hello to quality submissions that boost your academic performance effortlessly.

References

Journals

Khalid, Z., Iqbal, F., Kamoun, F., Hussain, M. and Khan, L.A., 2021, October. Forensic analysis of the Cisco WebEx application. In 2021 5th Cyber Security in Networking Conference (CSNet) (pp. 9097). IEEE.

Alexei, L.A. and Alexei, A., 2021. Cyber security threat analysis in higher education institutions as a result of distance learning. International Journal of Scientific and Technology Research, (3), pp.128133.

Ramsdale, A., Shiaeles, S. and Kolokotronis, N., 2020. A comparative analysis of cyberthreat intelligence sources, formats and languages. Electronics, 9(5), p.824.

AlFawa'reh, M., AlFayoumi, M., Nashwan, S. and Fraihat, S., 2022. Cyber threat intelligence using PCADNN model to detect abnormal network behavior. Egyptian Informatics Journal, 23(2), pp.173185.

Gupta, H. and Singh, M., 2019. Cyber threat analysis of consumer devices. In Advances in Computing and Data Sciences: Third International Conference, ICACDS 2019, Ghaziabad, India, April 12–13, 2019, Revised Selected Papers, Part II 3 (pp. 3245). Springer Singapore.

Yamin, M.M. and Katt, B., 2019, August. Cyber security skill set analysis for common curricula development. In Proceedings of the 14th International Conference on Availability, Reliability and Security (pp. 18).

Schlette, D., Böhm, F., Caselli, M. and Pernul, G., 2021. Measuring and visualizing cyber threat intelligence quality. International Journal of Information Security, 20, pp.21-38.

Ramsdale, A., Shiaeles, S. and Kolokotronis, N., 2020. A comparative analysis of cyber-threat intelligence sources, formats and languages. Electronics, 9(5), p.824.

Shin, B. and Lowry, P.B., 2020. A review and theoretical explanation of the ‘Cyberthreat-Intelligence (CTI) capability’that needs to be fostered in information security practitioners and how this can be accomplished. Computers & Security, 92, p.101761.

Zhao, J., Yan, Q., Li, J., Shao, M., He, Z. and Li, B., 2020. TIMiner: Automatically extracting and analyzing categorized cyber threat intelligence from social data. Computers & Security, 95, p.101867.

Gao, Y., Li, X., Peng, H., Fang, B. and Philip, S.Y., 2020. Hincti: A cyber threat intelligence modeling and identification system based on heterogeneous information network. IEEE Transactions on Knowledge and Data Engineering, 34(2), pp.708-722.

de Melo e Silva, A., Costa Gondim, J.J., de Oliveira Albuquerque, R. and García Villalba, L.J., 2020. A methodology to evaluate standards and platforms within cyber threat intelligence. Future Internet, 12(6), p.108.

Koloveas, P., Chantzios, T., Alevizopoulou, S., Skiadopoulos, S. and Tryfonopoulos, C., 2021. intime: A machine learning-based framework for gathering and leveraging web data to cyber-threat intelligence. Electronics, 10(7), p.818.

Gao, P., Shao, F., Liu, X., Xiao, X., Qin, Z., Xu, F., Mittal, P., Kulkarni, S.R. and Song, D., 2021, April. Enabling efficient cyber threat hunting with cyber threat intelligence. In 2021 IEEE 37th International Conference on Data Engineering (ICDE) (pp. 193-204). IEEE.

Alves, F., Bettini, A., Ferreira, P.M. and Bessani, A., 2021. Processing tweets for cybersecurity threat awareness. Information Systems, 95, p.101586.

Syed, R., 2020. Cybersecurity vulnerability management: A conceptual ontology and cyber intelligence alert system. Information & Management, 57(6), p.103334.

Kaloudi, N. and Li, J., 2020. The ai-based cyber threat landscape: A survey. ACM Computing Surveys (CSUR), 53(1), pp.1-34.

Sarker, I.H., Furhad, M.H. and Nowrozy, R., 2021. Ai-driven cybersecurity: an overview, security intelligence modeling and research directions. SN Computer Science, 2, pp.1-18.

Georgiadou, A., Mouzakitis, S. and Askounis, D., 2021. Assessing mitre att&ck risk using a cyber-security culture framework. Sensors, 21(9), p.3267.

Hajizadeh, M., Afraz, N., Ruffini, M. and Bauschert, T., 2020, June. Collaborative cyber attack defense in SDN networks using blockchain technology. In 2020 6th IEEE Conference on Network Softwarization (NetSoft) (pp. 487-492). IEEE.

Bouwman, X., Griffioen, H., Egbers, J., Doerr, C., Klievink, B. and Van Eeten, M., 2020. A different cup of {TI}? the added value of commercial threat intelligence. In 29th USENIX security symposium (USENIX security 20) (pp. 433-450).

Rantos, K., Spyros, A., Papanikolaou, A., Kritsas, A., Ilioudis, C. and Katos, V., 2020. Interoperability challenges in the cybersecurity information sharing ecosystem. Computers, 9(1), p.18.

Kim, G., Lee, C., Jo, J. and Lim, H., 2020. Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network. International journal of machine learning and cybernetics, 11, pp.2341-2355.

Miller, T., Staves, A., Maesschalck, S., Sturdee, M. and Green, B., 2021. Looking back to look forward: Lessons learnt from cyber-attacks on industrial control systems. International Journal of Critical Infrastructure Protection, 35, p.100464.

González-Granadillo, G., González-Zarzosa, S. and Diaz, R., 2021. Security information and event management (SIEM): analysis, trends, and usage in critical infrastructures. Sensors, 21(14), p.4759.

Steingartner, W., Galinec, D. and Kozina, A., 2021. Threat defense: Cyber deception approach and education for resilience in hybrid threats model. Symmetry, 13(4), p.597.

Bhandari, A., Cherukuri, A.K. and Kamalov, F., 2023. Machine Learning and Blockchain Integration for Security Applications. In Big Data Analytics and Intelligent Systems for Cyber Threat Intelligence (pp. 129-173). River Publishers.

Bécue, A., Praça, I. and Gama, J., 2021. Artificial intelligence, cyber-threats and Industry 4.0: Challenges and opportunities. Artificial Intelligence Review, 54(5), pp.3849-3886.