Cyber Incident Response PhD Position

Cyber Incident Response PhD Position

College / Management Unit: College of Science

School / Unit / Institute: School of Computer Science and Centre for Cybersecurity and Cybercrime Investigation 

Post Title: PhD

Post Duration: 4 years

Reports to / Principal Investigator: Rob Brennan

Research Topic: Leveraging incident response knowledge for organisational cyber resilience 

Supervision team: Rob Brennan and Cormac Doherty

Research Problem:

Current threat sharing and incident response tools such as MISP focus on incident detection and identification through to recovery. They currently lack support for learning and reusing the knowledge of how a problem was fixed to update controls, manage risk and increase organisational resilience.  This requires a new emphasis on recording of corrective actions and automated or semi-automated analysis methods, e.g. for utility or links to threats, in order to build a structured knowledge base of best practice. This knowledge base could then support a managed change program, training or risk management activities leading to greater organisational cyber resilience.. 

Research areas to be addressed:

Development of machine learning methods and tools, ontologies, vocabularies or taxonomies to support the creation of a  machine-readable knowledge base of incident response actions using a knowledge graph linking incidents, corrective actions, controls, risks, threats and outcomes. Extending socio-technical analysis techniques such as CUBE [1] for cyber incident response to provide a common framework to synthesize the knowledge from many incidents.  Extending the MISP or ARK (Access Risk Knowledge) Platform (https://openark.adaptcentre.ie/) to support RiskOps and SecOps teams collecting and interrogating incident learning reports and developing safety improvement/cyber risk management projects. 

Progress beyond state of the art:

Developing new open standards for a machine-readable knowledge base of Incident Response that focuses on corrective actions. Building FAIR (Findable, Accessible, Interoperable, Reusable) knowledge graphs of incidents and responses. Extending safety critical systems research on understanding both the social and technical context of incidents or related risks to support implementing and embedding change in organisations. Developing new methods and tools for evidence-driven incident intervention learning and assessment. Enabling post-incident analysis for the effectiveness and applicability of interventions.

Problem Significance

The global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Knowledge loss to organisations due to staff turnover is a significant cause of reduced resilience and costs. The lack of an evidence-driven approach to incident intervention learning reduces the effectiveness of incident response and the cost of incidents [2].

Potential Impact

Reduced training costs, increased organisational knowledge, more effective incident responses, detection of both social (human factors) and technical issues underlying effective and ineffective incident response. Easier to share knowledge among the CSIRT community. Adding an additional organisational cyber resilience layer on top of automated cyber resilience systems [3].

Salary:  €19,000 per annum stipend

Benefits

Travel budget

Budget for PC/laptop

Materials budget (books, computer consumables and general disposables)

Principal Duties and Responsibilities

This is a research focused role, where you will conduct a specified programme of research supported by research training and development under the supervision and direction of the Supervisors, and where the student will:

• carry out an agreed research and work plan to meet project requirements and deliverables, working closely with UCD staff and PhD team from other projects in the Computer Science, Centre for Cybersecurity and Cybercrime Investigation and SFI ADAPT Centre;
• support tasks in data acquisition and preparation if requested;
• travel to meetings and conferences as required;
• collaborate with partners/stakeholders on specific tasks on a range of topics

As part of a structured PhD in UCD the student will complete modules in relevant topics to a total of 30 credits as required, and will engage with and contribute to the Centre for Cybersecurity and Cybercrime Investigation and the SFI ADAPT Centre.

The student will ensure that all research is carried out in line with UCD requirements for ethical research and data management, and that the PhD is completed within the allocated period.

Selection Criteria 

Selection criteria outline the qualifications, skills, knowledge and/or experience that the successful candidate would need to demonstrate for successful discharge of the responsibilities of the post.  Applications will be assessed on the basis of how well candidates satisfy these criteria.

Mandatory:

• MSc and BSc (2.1 grade or higher) in Computer Science, or an aligned field,
• Understanding of distributed systems, data modelling, data science/data analysis techniques, source control and software engineering
• Experience, knowledge or willingness to learn cybersecurity incident response and intelligence collection,
• Experience, knowledge or willingness to learn knowledge management, formal knowledge representation techniques such as ontologies,
• Experience, knowledge or willingness to learn risk analysis methods and tools including socio-technical systems analysis,
• Excellent English oral and written communication skills,
• UCD English requirements for non-native speakers of English: https://www.ucd.ie/registry/prospectivestudents/admissions/policiesandgeneralregulations/generalrequirements/minimumenglishlanguagerequirements/
• Excellent interpersonal skills,
• Ability to work independently,
• Willingness to work closely with a wider cohort of stakeholders.

Desirable:

• Academic publication track record,
• Significant development experience in JSON, Python, PHP, TravisCI, 
• Open source software development experience,
• MISP experience,
• Natural Language Processing or knowledge extraction experience,
• Knowledge of Python, Pytorch, TensorFlow, Pandas and other machine learning frameworks.
• Well-developed research skills, both qualitative and quantitative,
• Attention to detail and strong organisational skills,
• Experience in stakeholder engagement,
• Awareness of equality, diversity and inclusion agenda, and,
• Ability to manage a complex workload and work to tight deadlines.

Applicants should send a CV, cover letter (maximum 500 words), transcripts and 2 references to Dr Rob Brennan (rob.brennan@ucd.ie) 17.00 IST, June 25th, 2023.

Shortlisted candidates will be called for interview in late June/early July, expecting a commencement date in September 2023.

References

1. McDonald, N., McKenna, L., Vining, R., Doyle, B., Liang, J., Ward, M.E., Ulfvengren, P., Geary, U., Guilfoyle, J., Shuhaiber, A., Hernandez, J., Fogarty, M., Healy, U., Tallon, C., and Brennan, R. (2021). Evaluation of an Access-Risk-Knowledge (ARK) Platform for Governance of Risk and Change in Complex Socio-Technical Systems. International       Journal of Environmental Research and Public Health. 2021; 18(23):12572.

2. Ahmad, Atif, Justin Hadgkiss, and Anthonie B. Ruighaver. "Incident response teams–Challenges in supporting the organisational security function." Computers & Security 31.5 (2012): 643-652.

3.Huang, Yunhan, Linan Huang, and Quanyan Zhu. "Reinforcement learning for feedback-enabled cyber resilience." Annual Reviews in Control (2022).