Cyber security Tax Authority

Problem Context

Cyber securty is vital for the tax authority and innovation in cyber security is key. We partnered up with the Dutch Tax Authority and other government parties to jointly fight cybercrime and cyberattacks with the use of explainable and responsible AI. To do this, it is very important that the research is aligned with the data and tools which are currently available within IT infrastructure of the TA.

Solution

We develop methods for lateral movement detections including user feedback loops to enable SOC analysists to understand, interact, and effectively act on alerts. We also developed and validated AI-based methods for lateral movement detection using one or more data sources. Futhermore, we focussed on modelling of causal relations between lateral movement detection events to enable early warning.

Results

We implemented a demonstrator in Splunk for lateral movement detection with graph based clustering and time series clustering. To prepare validation of the framework for detection of causal relations we chose a Modus Operandi (MO), ransomware, and implemented a lab environment to simulate these attacks, and hence produce datasets. Futhermore, we also implemented a Tunnelling detector, of which the results in an operational environment will be analysed in future.

Affiliations

The project is carried out in collaboration with the tax authorities. In 2022 we extended the partnership with an additional partner, namely the NCSC (Nationaal Cyber Security Centrum).