
PhD - Adaptive and Automated Planning and Orchestration of Incident Responses (M/F)


Application deadline: Friday 8 August 2025, 23:59 Paris time

Make sure your candidate profile is correctly filled in before applying.

General information

Job title: PhD - Adaptive and Automated Planning and Orchestration of Incident Responses (M/F)
Reference: UMR5505-GERBON-001
Number of positions: 1
Workplace: TOULOUSE
Publication date: Friday 18 July 2025
Contract type: Fixed-term doctoral contract (CDD Doctorant)
Contract duration: 36 months
Thesis start date: 22 September 2025
Working time: Full-time
Remuneration: 2200 gross per month
CN section(s): 07 - Information sciences: processing, integrated hardware-software systems, robots, control, images, content, interaction, signals and languages

Thesis subject description

Scientific context:
Cyberattacks are becoming more complex and evolving rapidly, exploiting ever more sophisticated vulnerabilities. Detecting an incident does not mean that it is immediately resolved. In its latest incident report [1], interCERT France states that the average Mean-Time-To-Respond (MTTR), i.e. the average time taken to resolve a cybersecurity incident once it has been detected, is 28.5 days in large enterprises. This figure highlights the limitations of current approaches, which are often too slow to counter constantly evolving and increasingly sophisticated threats. Against this background, automated and adaptive cybersecurity solutions are becoming an urgent need. To accelerate incident response, solutions such as SOAR (Security Orchestration, Automation, and Response) and XDR (eXtended Detection and Response) have emerged. They aim to automate part of the orchestration of security processes in order to detect and respond to incidents faster and more efficiently. This automation (which may be semi-automated, since procedures can include actions performed by human operators) relies on playbooks, which define the sequence of actions to execute when an incident occurs.
However, writing playbooks is a complex task that requires anticipating the precise actions for each type of incident. Although some vendors supply predefined playbooks, these usually need substantial modification to fit a specific environment. In addition, playbooks encode rigid, predefined reaction behaviours that do not adapt dynamically to emerging threats or to an evolving situation. This rigidity is a problem in particular when several incidents occur simultaneously, since the responses prescribed by different playbooks may conflict with one another.

Scientific objectives:
To address the limitations of existing solutions, this thesis aims to propose a framework that enables the dynamic planning, orchestration, and deployment of global incident responses. The generated incident response actions will be dynamically adapted to the target environment and continuously refined based on the evolving detection and understanding of incidents. The planning mechanism must also find an optimal trade-off between security enhancement and the operational impact of security measures on services and organizational activities. Finally, security measures may either be automatically deployed or presented as decision-support recommendations for cybersecurity crisis management teams.

This research will adopt an adaptive cybersecurity incident management approach that integrates incident qualification, response planning, and automated deployment. The first step analyses and qualifies detected incidents to assess their severity and derive the organisation's overall security posture, leveraging existing dynamic security models. Based on this assessment, a strategic response planning phase selects measures while considering both the security functions that are available and the impact of corrective measures on service continuity. This will involve exploring logic-based encodings of cybersecurity best practices, as in our previous work, or leveraging generative AI enhanced with cybersecurity knowledge. Finally, the planned strategies will be deployed automatically across the security infrastructure. For this purpose, we will rely on policy-based management architectures or on recent industry standards such as I2NSF and OpenC2.
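As an added illustration, not code from the SuperViz project or from the authors of this offer, the following toy Python planner walks through the three steps described above: it takes already-qualified incidents, scores each candidate response as severity-weighted security benefit minus criticality-weighted operational impact, reconciles opposing actions raised by concurrent incidents (the higher-severity incident wins and the other action is flagged for a human decision rather than silently deployed), and serialises the retained actions as OpenC2 commands. The incident kinds, response catalogue, asset criticality table, benefit/impact figures, scoring weights and sample incidents are all constructed assumptions; the OpenC2 fields used (action, target with ipv4_net or device, args, command_id) follow the OpenC2 language specification, but no actuator profile or transport is modelled.

```python
"""Toy response planner: benefit/impact trade-off, conflict reconciliation
between concurrent incidents, and OpenC2-style command emission.
All catalogue entries, weights and sample incidents are constructed."""
from __future__ import annotations
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    incident_id: str
    kind: str
    severity: int      # 1 (low) .. 5 (critical), output of the qualification step
    host: str          # affected host
    remote: str = ""   # remote IPv4 network (CIDR) involved, if any


@dataclass(frozen=True)
class Action:
    incident_id: str
    action: str        # OpenC2 action verb (deny, allow, contain, remediate, ...)
    target: dict       # OpenC2 target object
    benefit: float     # assumed risk reduction, 0..1
    impact: float      # assumed service disruption, 0..1


# Assumed asset criticality (1.0 = business-critical); in a real deployment this
# would come from the dynamic security model or the CMDB.
CRITICALITY = {"db-prod-01": 1.0, "ws-finance-12": 0.3, "vpn-gw-02": 0.8}

# Actions whose effects cancel each other out when applied to the same target.
OPPOSITES = {frozenset({"deny", "allow"}), frozenset({"stop", "start"})}


def candidates(inc: Incident) -> list[Action]:
    """Constructed catalogue of admissible responses per incident kind."""
    host_t = {"device": {"hostname": inc.host}}
    net_t = {"ipv4_net": inc.remote}
    table = {
        "malware_beacon": [("deny", net_t, 0.6, 0.05), ("contain", host_t, 0.9, 0.7)],
        "credential_abuse": [("contain", host_t, 0.8, 0.7), ("remediate", host_t, 0.5, 0.2)],
        "false_positive_block": [("allow", net_t, 0.1, 0.0)],
    }
    out = []
    for verb, tgt, benefit, impact in table.get(inc.kind, []):
        if "ipv4_net" in tgt and not inc.remote:
            continue  # no remote network known: network-level actions do not apply
        out.append(Action(inc.incident_id, verb, tgt, benefit, impact))
    return out


def score(inc: Incident, act: Action, impact_weight: float = 1.0) -> float:
    """Security gain scaled by severity, minus disruption scaled by how critical
    the affected host is. A positive score means the measure is worth taking."""
    crit = CRITICALITY.get(inc.host, 0.5)
    return (inc.severity / 5) * act.benefit - impact_weight * act.impact * crit


def reconcile(chosen: list[tuple[Incident, Action]]):
    """Drop an action that opposes one already kept for a higher-severity
    incident on the same target. Returns (kept, dropped); each dropped entry
    is (incident, action, id of the incident whose action prevailed)."""
    kept, dropped = [], []
    for inc, act in sorted(chosen, key=lambda p: -p[0].severity):
        if any(k.action == act.action and k.target == act.target for _, k in kept):
            continue  # identical measure already planned for another incident
        clash = next((ki for ki, k in kept if k.target == act.target
                      and frozenset({k.action, act.action}) in OPPOSITES), None)
        if clash is not None:
            dropped.append((inc, act, clash.incident_id))
        else:
            kept.append((inc, act))
    return kept, dropped


def plan(incidents: list[Incident], impact_weight: float = 1.0):
    """Select every candidate with a positive score, then reconcile conflicts."""
    chosen = [(inc, act) for inc in incidents for act in candidates(inc)
              if score(inc, act, impact_weight) > 0]
    return reconcile(chosen)


def to_openc2(kept, prefix: str = "cmd") -> list[dict]:
    """Serialise retained actions as OpenC2 commands (no actuator specified)."""
    return [{"action": act.action, "target": act.target,
             "args": {"response_requested": "complete"},
             "command_id": f"{prefix}-{inc.incident_id}-{n}"}
            for n, (inc, act) in enumerate(kept, 1)]


INCIDENTS = [  # constructed sample, not real incident data
    Incident("INC-1", "malware_beacon", 4, "ws-finance-12", "203.0.113.0/24"),
    Incident("INC-2", "credential_abuse", 3, "db-prod-01"),
    Incident("INC-3", "false_positive_block", 1, "vpn-gw-02", "203.0.113.0/24"),
]

if __name__ == "__main__":
    kept, dropped = plan(INCIDENTS)
    print(json.dumps(to_openc2(kept), indent=2))
    for inc, act, winner in dropped:
        print(f"needs human decision: {inc.incident_id} {act.action} {act.target} "
              f"conflicts with {winner}")
```

With the assumed figures, containing db-prod-01 is rejected because its operational cost outweighs the gain on a critical host and the less disruptive remediate action is chosen instead, while the allow raised by INC-3 is refused because it would undo the deny planned for the higher-severity INC-1 on the same network; setting impact_weight to 0 reproduces the playbook-only behaviour in which containment of the critical host goes ahead.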

Work context

The PhD will be funded by the French National Research Agency (ANR) under the PEPR Cybersecurity programme (https://www.pepr-cybersecurite.fr/). The PhD student will collaborate with French cybersecurity experts involved in the SuperViz project, which focuses on the supervision and orchestration of cybersecurity.

The Institut de Recherche en Informatique de Toulouse (Toulouse Institute of Computer Science Research) gathers more than 700 members, including 400 researchers and faculty members. It is the largest computer science laboratory in France. IRIT researchers belong to one of the following institutions: CNRS (Centre National de la Recherche Scientifique), INPT (Institut National Polytechnique de Toulouse), UT (Université de Toulouse), UT1 (Université de Toulouse 1 Capitole) and UT2J (Université de Toulouse Jean Jaurès). The laboratory's 24 research groups work in seven scientific themes covering most of computer science. Key personnel and groups have long-standing experience in security, privacy, engineering and networks, with strong collaboration links to other academic and industrial partners. More information at https://www.irit.fr

The position is in a sector covered by the rules on the protection of scientific and technical potential (PPST); in accordance with the regulations, your arrival must therefore be authorised by the competent authority of the MESR.