Development of an Ontology-based Tool for Risk Assessment Automation

Cybersecurity is an ever-evolving challenge in today's digital landscape. The growing dependence on digital technology, both in personal and business contexts, has resulted in a considerable increase in the potential impact of cyberattacks, with a corresponding increase in the severity of the outcomes of a cyber incident. Thus, the assessment of cybersecurity risks has become increasingly critical in recent times and, in order to effectively improve the cybersecurity posture of organizations, it should be considered as an ongoing process rather than a one-time task. The goal of this thesis is to develop a tool to assist security teams in identifying and assessing potential vulnerabilities and threats against the system under analysis in a more efficient, faster, and methodical manner. The tool takes as input an ontology that describes the ICT infrastructure under analysis and automatically enriches it with relevant security data. The tool operates on two primary fronts to achieve this objective. The first front involves retrieving known vulnerabilities and weaknesses that affect the system's assets, as well as attack tactics and techniques that could exploit them. All this information is automatically retrieved from public knowledge bases such as CVE and CWE. The second front involves leveraging an ontology reasoner and the rules defined within the ontology, along with the detailed information describing the ICT infrastructure, such as assets and data flows, to infer threats affecting the various parts of the system. Additionally, for each identified threat, the tool computes a risk score, which helps the security team prioritize the work required to improve the cybersecurity posture. This approach offers several benefits that make the vulnerability and threat mapping process considerably more efficient. The tool eliminates the need for manual and time-consuming tasks associated with vulnerability and threat mapping, thus accelerating the process. Routine checks and updates are easy to carry out, ensuring that the analysis remains up-to-date with the latest data from public knowledge bases. This adaptability is particularly useful when changes occur within the system, such as the replacement of some components within the system itself, as updating the base ontology describing the ICT infrastructure is enough to accurately reflect these changes. Lastly, the proposed solution is highly flexible as it accommodates manual additions of vulnerabilities and threats missing from public knowledge bases, thus allowing for the inclusion of proprietary or system-specific knowledge, further enhancing the overall analysis. In summary, the tool created in this thesis is a significant step forward in taking a proactive and continuous approach to risk assessment. Automating the collection of security data and using ontology reasoning simplifies the assessment process and guarantees that it stays current with the dynamic threat landscape, thus helping to improve the cybersecurity posture of organizations.