Skade – A Challenge Management System for Cyber Threat Hunting

  • Conference paper

Computer Security. ESORICS 2023 International Workshops (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14398)

Abstract

When cyber security analysts believe their computer network has been compromised, or feel uneasy about potential intrusions, they might initiate a threat hunting process. The success of a threat hunt depends largely on the threat hunter’s ability to decide what to investigate, sift through logs, and distinguish normal events from threats. These abilities are hard to come by, so it is important to find ways to improve people’s ability to threat hunt. This paper presents the blueprint for Skade, a system for managing threat hunting challenges. Skade is designed to satisfy a number of established theories in the field of pedagogy: ensuring constructive alignment, motivating trainees by meeting Turner and Paris’ six Cs, providing useful feedback, and covering multiple learning dimensions. Mockups of the Skade user interface are presented, together with the requirements placed on supporting scenario emulators, e.g. the data they must provide so that feedback can be generated for trainees. Seven required functions are identified, e.g. the ability to produce assessment questions based on logs from emulators.

Corresponding author

Correspondence to Teodor Sommestad .

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Sommestad, T., Karlzén, H., Kvist, H., Gustafsson, H. (2024). Skade – A Challenge Management System for Cyber Threat Hunting. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14398. Springer, Cham. https://doi.org/10.1007/978-3-031-54204-6_5

  • DOI: https://doi.org/10.1007/978-3-031-54204-6_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54203-9

  • Online ISBN: 978-3-031-54204-6

  • eBook Packages: Computer Science (R0)