AI-Powered Threat Hunting in SAP and ERP Environments

The article discusses AI-powered threat hunting in SAP and ERP environments, emphasizing the need for proactive cybersecurity measures to combat evolving cyber threats. It explores the benefits of using AI algorithms for continuous monitoring and threat detection, while also addressing challenges such as data privacy and integration complexities. The paper provides actionable insights for organizations in the U.S. and Europe to enhance their ERP systems against cyber risks.


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/386877334

AI Powered Threat Hunting in SAP and ERP Environments: Proactive Approaches to Cyber Defense

Article · January 2020

Citations: 15 · Reads: 4

3 authors, including:

Aryendra Dalal, Middle Georgia State College, 22 publications, 262 citations
Samad Abdul, Christian Brothers University, 12 publications, 240 citations

All content following this page was uploaded by Aryendra Dalal on 12 December 2024.



International Journal of Advanced Engineering Technologies and Innovations

Volume 01 Issue 02 (2020)

AI Powered Threat Hunting in SAP and ERP Environments: Proactive Approaches to Cyber Defense
Aryendra Dalal (1), Manager - Application Security Engineer, Deloitte LLP, email: [email protected]

Samad Abdul (2), Department of Computer Science and Engineering, Global Institute of Engineering and Technology, Hyderabad, India, email: [email protected]

Farhana Mahjabeen (3), Assistant Radio Engineer, Bangladesh Betar, Dhaka, Bangladesh, email: [email protected]

Abstract: The release of patch notes from certain SAP security weeklies leads to a number of challenges, and as cyber threats grow in complexity and innovation, legacy measures that are taken for granted can fail to protect essential enterprise systems such as SAP or any other ERP. This paper explores AI powered threat hunting as part of the proactive cybersecurity emerging within ERP environments. It demonstrates at a high level how using AI algorithms to continuously scan for potential security breaches can help identify and eliminate a threat before any downtime or damage is caused to a business. Recognizing that successful detection systems need to identify and respond to evolving attack patterns, the paper investigates the solution provided by AI driven threat hunting in terms of its potential payoffs, such as lowered response time and an improved ability to catch elusive new attack vectors, juxtaposed with challenges in terms of data privacy restrictions and the complexity of integrating it with existing security frameworks. Based on real world use cases, the paper presents actionable measures for U.S. and European organizations to use AI in strengthening their ERP systems against impending cyber dangers.

Introduction
Companies and governments are moving IT resources, development and operations into the cloud faster than ever before. This new operating environment is a far cry from what they once had on premises and by extension requires organizations to add cloud cyber security incident response planning to their defensive strategies. The frameworks and safeguards we have built around how to operate in the mainframe or traditional application arenas take a hit because of new operating models such as Infrastructure as Code, and because tools that were once Configuration Items (CIs) with extensive change controls are now managed on your behalf. It is also clear that, when applying industry standard incident response frameworks to cloud computing landscapes such as Infrastructure, Software and Platform as a Service, the response actions will change from one cloud vendor or service model to another, i.e. public cloud vs. private cloud, for each IaaS environment owned. This thesis seeks to uncover some examples of this and provide pragmatic advice on how cloud cyber security incidents can be prepared for, detected and responded to, analyzed, contained, eradicated, recovered from and learnt from, by comparing the efficacy or appropriateness of different types of capabilities in dealing with a threat. These insights will be highly useful for any product or entity working in the cloud space. The thesis is self-assigned by the researcher (i.e., it does not have a commissioner).

Research Questions

The thesis focuses on best practices for incident response to cyber incidents encountered when operating cloud infrastructure and, secondly, aims at identifying the inherent features of a (public) cloud environment from the point of view of an incident responder. One of the objectives is to create a qualitative comparison of what kind of cloud native capabilities and services, offered by the two arguably largest public cloud environments, can be consumed in the incident response cycles defined in industry standard incident response frameworks.
Research Aim and Methodology
This thesis is intended to help shed light on some of the nuances that come into play when responding to cyber security incidents within the cloud domain. Its purpose is to deliver a guideline on best practices for the full lifecycle of preparing for, detecting and analyzing, containing, eradicating and recovering from cloud based cyber security incidents. The research aims to answer the main objectives of Section 6; the other sub questions are "what kind of capabilities would we need for an efficient incident response in the cloud domain, and where do on premise approaches fall short when compared with the cloud?" and "what significant differences are there in the way two cloud service providers approach their capabilities or services that have any substantial role (as inputs etc.) in industry standard incident response frameworks and processes?". Another question of interest, which the thesis will try to support, is "what can we expect when incident responders have a public cloud operating environment?"

Research methodology

The objective of the research and its research questions is to understand, through qualitative comparative analysis (QCA) with both necessary and sufficiency conditions, the relation between cloud security tooling best practices and industry standard incident response model(s) and frameworks, for relevance. In comparative analysis, one of the highest goals is generating new theories by comparing and contrasting categories or phenomena, looking for differences as well as similarities between cases that will eventually draw up new patterns, concept similarities and interconnections (Tesch, 1990).

Data

This thesis is investigating cyber incident response and cloud computing, meaning, practically (a goal of the thesis on which another sector standard incident response model, Baydoun et al., depends), how we can implement the analysis method. It also aims to reflect one industry standard for handling computer security incidents, as described in NIST SP 800-61 revision 2 (Cichonski et al., 2012, p. 21), against the applicability of the different phases of the model, and to perform a capability comparison among the various vendors that propose tools/services (capabilities by references). The services relevant to each vendor are qualitatively compared and individually tabulated; furthermore, they are squashed under each phase of the incident response model where they could be beneficial. The data in the thesis is mainly collected from public sources, including the National Institute of Standards and Technology (NIST), Amazon Web Services official documentation, the Amazon Web Services management console, Microsoft Azure official documentation, journal articles, e-books, magazines, professional manuals and previous academic research in cloud computing, incident response and cyber security.

Research reliability
The dependability of qualitative analysis: a number of ideas and methods were borne in mind when assessing the stability or reliability of results obtained from qualitative analyses, given that such analysis handles abstract and perhaps complicated information. These are: reflexivity, i.e., how intuitive and self-aware the researchers can be with respect to where their own potential biases might affect their research, namely the critical application of reflective analysis on influences from the researcher's subjectivity as well as background; triangulation (i.e., the use of multiple data sources whenever possible) to support the validity of the findings and broaden our understanding of the phenomena as a whole (Carter et al., 2014); and credibility, that the researcher has sufficient skills to complete the research (Sandström, 2018). This researcher, for example, has extensive working experience as a subject matter expert of cyber incident response and public cloud (AWS and Azure). There are other considerations too: taking a systematic approach to analysing the data, for example by using matrices that categorise and compare collected service data and capabilities, and testing tools, services and capabilities for their intended purposes where practicable within the context of the research questions/hypotheses/goals, followed by critical surveillance during data collection.

Cyber incident response


This chapter deals with general ideas that apply to cyber incident response. How these principles manifest within the cloud domain will be elaborated in chapter 5, Incident response in public cloud. To get into what incident response means, I will have to explain these terms first. Most of the time they are used interchangeably, but actually all three have quite different aspects and, when digging into them, they can be differentiated very well. Cyberspace and information domain are also terms that can be used interchangeably; in this case cyberspace refers to anything with a computer system, network or data within these boundaries, and the information domain refers to any form of data.

Definition of Events and Incidents


According to the US National Institute of Standards and Technology (NIST), an event is any observable occurrence in a system or network (Cichonski et al., 2012, p. 6). An event occurs when, for example, a user sends an email; a firewall or cloud security group denies (or allows) a connection attempt according to its policies; or a web server is asked to serve content it was designed to handle (Cichonski et al., 2012, p. 6). Chapple describes a security event, quite simply, as anything that can be observed over time and relates to the function of security, e.g. a user accesses a document stored on a restricted cloud share or an attacker port scans your systems (Chapple, 2020, p. 379). The International Organization for Standardization (ISO) defines a security event as "an occurrence indicating a possible violation of information security policy or failure in controls". In contrast, adverse events are events with negative consequences; examples include malware executing and destroying data or crashing a system, unauthorized access to sensitive information, or the misuse or unintended use of elevated rights. It should be mentioned that adverse events may also occur naturally, due to power outages or other outside causes (see Cichonski et al., 2012, p. 4). Thus, an incident (a situation in which a policy has been violated or is threatened) may be defined as "a computer security event that adversely affects its condition and operation". In the NIST definition, this expression can cover any violation, or imminent threat of violation, of information security policies, acceptable use policies or generally adopted security practices. The definition provided by the ISO, on the other hand, admits this closeness to events: "An information security incident is one or multiple related and identified information security events that can harm an organization's assets or compromise its operations" (SFS ISO/IEC 27035). Security incidents can be categorised as 1) intentional or unintentional, and/or 2) by technical means (a type of successful attack against a system) or non technical means, according to SFS ISO/IEC TR 27035 (Information technology, Security techniques, Information security incident management). Another definition, in a more practical tone and to elaborate a little further, says it is an illegal activity performed over wireless networks or the Internet which involves downloading malicious software (Luttgens et al., 2014, p. 5). This means that a security incident can be defined as an adverse event (all incidents are events, but not all events are incidents) which negatively impacts the organization and its people, systems or data, including impairing its ability to conduct essential mission critical/business functions (Meyers, 2018, p. 510). An important thing to note, however, is that incident can mean a number of things, but they all imply that an action has to be taken in order to heal from it, or more specifically that something needs a response. In order to give a better idea of the different relationships between these objects after an information security incident, and how each of them has an impact on every other object, ISO 27035 represents them in a relationship model which is clarified below (figure 1).


Figure 1. Relationships of objects in a security incident (SFS ISO/IEC 27035, 2016, modified)

All cyber security incidents can generally be divided by their effect on confidentiality, integrity or availability: the so called CIA triad. The CIA triad, or model, is often thought of as a mental framework for how cybersecurity and information security practitioners think about the system they are trying to secure (Meyers, 2018, p. 20), and it still finds its way into each new gold standard cyber architecture/model/framework/program after another. It should be noted that a precise classification is not always possible, and a cyber incident may also arise before the threats to operations or information assets can be classified as real rather than purely theoretical. Moreover, an incident may begin by affecting one part of the CIA triad and eventually move on to affect other parts or multiple ones.


Figure 2. The CIA triad (Meyers, 2018, p. 20)

Confidentiality: keep unauthorized people out of systems and data; let authorized people in. Incidents consist of a violation that creates the inability to keep confidentiality, such as unauthorized admission into a system or to data, for example attempts to extract password files, the capture of legitimate network connections and services, misconfigured systems, attempts by users who already hold privileges, or malware infections (SFS ISO/IEC 27035, 2016).

Integrity: when data is stored, processed and transmitted, nothing changes unless it is intended (Meyers, 2018, p. 21). Incidents that impact the integrity of an organization may involve unauthorized or uncontrolled changes to data, systems and networks (SFS ISO/IEC 27035, 2016).

Availability: systems and data must be available to authorized parties when they need them (Meyers, 2018). Denial of service (DoS) and distributed denial of service (DDoS) attacks usually fall into this category. Events in this category seek to drain the availability of systems, networks or services through resource depletion (or alternatively deprivation) (SFS ISO/IEC 27035, 2016).

What is Incident Response?


Regardless of where or how infractions take place, when operating in the modern connected world, cyber security issues occur even in the most careful organizations. Sometimes the mechanisms of common cyber attacks can even present an existential threat to the organization's continuity. They can arguably cause a major energy catastrophe, block whole countries from reaching the internet, and even cause injury to human life and safety. Cyber security occurrences have the capability to create serious qualitative damage, like damage to reputation which turns into a loss of client trust and business, and measurable damage, such as a financial loss after an incident as well as recovery costs, the settlement of stock prices and legal or enforcement fines. For any organization operating in the cyber domain, it is not a question of whether an incident will ever happen at all, but of when it may happen, and because some negative events or accidents will occur, incident response cannot be set aside by companies and is a form of preparedness which should be thoroughly planned beforehand. Incident response can be explained as an organized, concise collection of activities and approaches used to get from incident discovery to incident termination; its principal purpose is to effectively remove a threat from the target environment while minimizing damage and "quickly restore normal operations".

Figure 3. The OODA Loop


NIST's incident response process has various phases, as shown in figure 4, Incident Response Process from NIST SP 800-61r2. Those are "preparation, detection and analysis, containment/eradication/recovery (Cichonski et al., 2012), including strategies for reducing the impact of cybersecurity events through post incident activities" (p. 21). In the process, the detection and analysis phases are seen as belonging together, as are the subsequent containment, eradication and recovery stages (even though each actually has very distinct aims). Nevertheless, in order to facilitate the comparison between them at a later point, all of these will be addressed independently in their own chapters. The process as a whole is not meant to be strictly linear from start to finish, but includes loops that take us back into previous phases, which more closely resembles the nature of cyber security incidents (Chapple, 2020). In the inner loop, the detection and analysis phases feed insights that are useful for containment, eradication and recovery; in the outer loop, feedback improves the detection and analysis capabilities for when an adversary re-enters (Anson, 2020, p. 24). The lessons learnt from a handled incident improve the preparation phase, enabling responders to manage similar incidents better in future (Chapple, 2020, p. 386). From this perspective, incident response is an ongoing process rather than a quick win or crisis tool (Anson et al., 2020).

Figure 4. The Incident Response Cycle (NIST SP 800 61r2, 2012, p. 21, modified)

Cloud computing


Modern Cloud Computing: Basic Principles and Features

Before we can address the impact these cloud computing concepts have on modern incident response frameworks in chapter 5, which looks at public cloud domain specific aspects of incident response, it is essential to establish this foundational understanding.

Cloud has fundamentally altered the way that enterprises operate their IT and enterprise architecture, as well as how organizations and end users consume these resources. Cloud computing is the ability to separate data center operations, IT infrastructure (i.e. storage and virtualization) or business functions from the organization and obtain them from a service provider with compute resources, known as a Cloud Service Provider in this explanation. Cloud computing is defined by NIST (Mell & Grance, 2011) as "a model for enabling convenient, on demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction". Cloud computing is basically the on demand availability of computer system resources, especially data storage and computing power, without direct active management by the user (Montgomery & Olson, 2018, p. 3). That means the cloud is claimed to provide only the right type and size of computing resource at any time it is needed, with almost instant access: the so called utility model, in which a resource provider offers computer resources to consumers on an as needed basis. The cloud model itself is defined by NIST by five attributes.

Cloud service models


Core cloud services are typically available in various models, all of which include the term "as a service" (Montgomery & Olson, 2018). The primary categories of service types, or basic service offerings, are often referred to as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) (Montgomery & Olson, 2018, p. 7). Various cloud service providers also offer stronger terms in marketing or sales offerings, such as anything as a service (XaaS), but by and large all of it can be put into the categories SaaS, PaaS and IaaS, even if the distinctions between them are partly a matter of common usage.
Software as a Service is one in which the "cloud provider develops and maintains applications running on cloud infrastructure that are accessible from various client devices through a thin client interface (e.g., web browser)" (Mell & Grance, 2011), and is also defined as a model where "the consumer does not manage or control the underlying cloud infrastructure including network, server", except for limited settings such as application configuration settings (Mell & Grance, 2011). In the SaaS model the cloud provider updates, runs and patches the software, and the customer processes and uploads data within the service (Malisow, 2020, p. 11). In other words, all application logic is delivered as a service in the SaaS model, including networking, storage and computing resources (Montgomery & Olson, 2018, p. 8). SaaS is exhibited in several business and hosted applications, such as e-mail, enterprise resource planning or human resources applications (Montgomery & Olson, 2018).

Platform as a Service is an intermediary service model providing resources on which custom software and applications can be run (Savill, 2020). The platform is provided by a cloud provider, for example selected hardware and operating system abstractions that are maintained and administered by the provider, and the customer can focus on building and running applications on top of it (Malisow, 2020, p. 11). NIST special publication 800-145 defines PaaS as "a service model where the customer does not manage or control the underlying cloud infrastructure, networks, servers, operating systems; but has control over deployed applications and application environment settings" (Mell & Grance, 2011). It can be argued that such a model is most beneficial in software development, as code can be tested in a sandboxed environment and from different platforms/OSs (Malisow, 2020, p. 11). PaaS offerings generally consist of container services, a variety of "serverless" options, cloud database engines such as SQL Database and MySQL, as well as big data warehousing solutions like BigQuery (Savill, 2020).

According to NIST special publication 800-145 (Mell & Grance, 2011), Infrastructure as a Service is described as the model "where the cloud customer can provision processing, storage, network or other fundamental computing resources, and where…run arbitrary software systems/applications", while "the consumer does not manage or control the underlying infrastructure but has control over OSs, storage and applications deployed, and possibly networking components (limited capacity)". The principal aim when deploying and acquiring IaaS offerings is to buy a standard computing platform, which allowed, and still permits, organizations to upgrade their own data center equipment with cloud identical infrastructure (Montgomery & Olson, 2018). Malisow (2020) defines IaaS as the most basic of the cloud service models, in which a customer of the cloud can install their own software and operating systems on hardware owned, provisioned and network resourced by a service provider, while products delivered in this tier attempt to emulate an experience much like managing raw metal resources themselves (Piper & Clinton, 2019).

Cloud deployment models


A cloud deployment model can be described as the model describing the kind, nature, ownership and intended use of a cloud (Montgomery & Olson, 2018, p. 11). Based on NIST, there are a few usual types of cloud deployment models: ‘public…’.

Public cloud: a publicly accessible model in which the cloud infrastructure is made available for free and open use by the public (NIST special publication 800-145). In the public cloud deployment model the cloud resources (exposed hardware and software) are owned and operated by one or more CSPs and sold on demand to the general public in a multitenant architecture. Multi tenancy means that potentially the same hardware can be hosting hundreds or more different customers and their virtual deployments, without any one customer having visibility or knowledge of another hanging off that system, with isolation being provided by software layers (Malisow, 2020).

Private cloud: definitions such as the one from NIST special publication 800-145 describe private cloud more precisely as a model where the "cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers" with different business units; "it may be owned, managed and operated by the organization or third parties, and it can exist on premises or off premises" (Mell & Grance, 2011). Moreover, in the private cloud model resources are intended for a sole entity and not shared with any other entities; the underlying environment is thus not referred to as multitenant (Malisow, 2020, p. 12). It is, however, important to note that there are different types of private cloud deployments, which could include a deployment directly owned and operated by the organization via hypervisor and virtualization solutions, or just reserved/carved out sections of a specific public service provider's physical/logical data center resources through contractual agreements (Malisow, 2020, p. 12). Whether it is situated on premises or at an outside third party controlled/public colocation facility will differ between each deployment type, but, to remain categorized as "private cloud", it must still show the common characteristics already covered as part of the cloud computing discussion (Savill, 2020, p. 5). These are measured service, on demand self service, rapid elasticity and resource pooling, as described in Mell & Grance (2011).

4 Incident response in a public cloud


The general concepts, characteristics, models and components of clouds described in chapter 2 are mirrored in their impact on the incident response model and process described earlier (chapter 1). In general, the same processes and mechanisms used to respond to security incidents still apply in regard to a cloud provider (AWS, 2023e, p. 6). Similarly, what comes after will apply too, although tools and techniques might differ; it is generally essential knowledge when responding, since a broader interpretation of incident response, from Malisow (cf. [18], p. 144), ultimately builds up an understanding about the threats that affect AWS services further down into each phase (cf. AWS, 2019f, p. 17). The traditional IT perimeter, with all IT assets belonging to the organization, has clear bright line definitions, but these do not apply (probably) when using cloud computing. The challenge in the cloud space, as to where exactly the essential risk definitions are clear and how far they reach, comes from customers' data being placed within an environment that is ultimately outside of their own control, built upon proprietary hardware infrastructure and running software that the customer knows little if anything about (Malisow, 2020, p. 31). On the other side, responding to incidents in the cloud needs a paradigm shift that differentiates it from the on premise traditional environment, but overcoming these challenges is necessary for any organization moving towards the cloud diligently, because a holistic incident response strategy is an integral part of an organization's risk management efforts.
Cloud considerations for post incident activities
The last phase, the post-incident activities phase, which is designed to feed information back into the preparation process from the earlier stages, is characterized by being platform independent because much of it focuses on human reflection (Cichonski et al., 2012 p38). However, there are cloud considerations which aren't classically specific to the cloud but nonetheless give more subtle guidance as to how to handle and protect against incidents within their domain, preparation. For instance, realistic incident response simulations that are run with a clear structure, to help an organization practice against its IR plans, are much easier to carry out in the cloud compared to on premises (AWS, 2023e, p. 24). While it can be argued that simulations do not really fit in the prepare "box," they still yield learnings for cloud customers to address their technical and process-related gaps in incident response (AWS, 2023e; p. 24). A third intriguing aspect that has the potential to inform learning from cloud-based incidents comes out of considering the identity plane when it is hosted by a cloud management provider, and how some authentication providers use machine learning and automation features as an integral part of operationalizing baselines for what "normal" usage is expected to be when managing identities across clouds, rather than relying solely on whether a user or device is perceived as being inside the perimeter.
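The identity baseline idea above, as an added example that is not part of the paper and not any provider's product: a per-user profile of observed countries, client types and login hours is built from constructed authentication events, and new events are scored by how many attributes fall outside that profile. The user names, countries and client labels are all assumed sample values.

```python
# Added illustration, not from the paper: a minimal per-identity baseline detector
# in the spirit of the "normal usage" baselines the text attributes to ML-backed IdPs.
from collections import defaultdict
from datetime import datetime

# Constructed authentication history: (user, ISO timestamp, country, client type).
HISTORY = [
    ("alice", "2020-03-02T08:15:00", "US", "SAPGUI"),
    ("alice", "2020-03-03T09:05:00", "US", "SAPGUI"),
    ("alice", "2020-03-04T17:40:00", "US", "WEB"),
    ("bob", "2020-03-02T22:10:00", "DE", "RFC"),
    ("bob", "2020-03-03T23:30:00", "DE", "RFC"),
]

def build_baseline(events):
    """Per-user sets of observed countries, client types and login hours."""
    base = defaultdict(lambda: {"countries": set(), "clients": set(), "hours": set()})
    for user, ts, country, client in events:
        base[user]["countries"].add(country)
        base[user]["clients"].add(client)
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)

def score_event(baseline, event):
    """Return (score, reasons): one point per attribute never seen for this user."""
    user, ts, country, client = event
    hour = datetime.fromisoformat(ts).hour
    prof = baseline.get(user)
    if prof is None:
        # An identity with no baseline is treated as fully novel, never silently accepted.
        return 3, ["no baseline for identity"]
    reasons = []
    if country not in prof["countries"]:
        reasons.append(f"new country {country}")
    if client not in prof["clients"]:
        reasons.append(f"new client {client}")
    # Tolerate +/- 1 hour around any previously observed login hour.
    if not any(abs(hour - h) <= 1 for h in prof["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return len(reasons), reasons

def hunt(history, new_events, threshold=2):
    """Events scoring at least `threshold` are returned for analyst review."""
    baseline = build_baseline(history)
    flagged = []
    for event in new_events:
        score, reasons = score_event(baseline, event)
        if score >= threshold:
            flagged.append((event[0], event[1], reasons))
    return flagged
```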

Capability analysis
This chapter opens with the two cloud providers against which the comparison in the following chapters is performed: Microsoft Azure and Amazon Web Services. For each phase, the chapter also explores and defines what impact particular cloud products, services, tools, or capabilities would have to provide in order to fit into that specific incident response phase.
The two public cloud providers that will be used for the qualitative comparative analysis are Microsoft Azure and AWS, a subsidiary of Amazon. Both cloud providers have almost the same number of clouds, covering all the different service models (IaaS, PaaS and SaaS) as well as the most common deployment types. They also have a similar geographical reach and global presence, with sizeable data centers across the world. AWS is more geared towards offering as many cloud services and functionalities in its ecosystem as appeal to a broad array of customers of multiple sizes, industries and locations, using the wider range of technologies available. In contrast with Azure, AWS is also more dedicated to dealing only in the cloud realm and does not focus on any sales offerings that stretch beyond what might be considered within the bounds of the basic definition from the Gartner report of 2012.
Requirements of Cloud Capabilities
The goal during this first step is to determine which products, services, and tools could be used as beneficial complementary information systems, both to prevent unwanted incidents from happening and to brief a customer so that it knows how well positioned it is if an incident occurs. The characteristics discussed pertain to achieving cyber resiliency, meaning features that would allow a cloud customer not only to recover from adverse events but also to have pro(r)active capabilities to anticipate, withstand and recover (Anson, 2020, pp. To you and me, this looks like features to report on the security stance of your environment (such as security posture), implement controls in certain ways, manage compliance with regimes / standards etc., and get management tasks done across your estate.
Conclusion
In conclusion, the evolving sophistication of cyber threats necessitates a proactive and adaptive
approach to cybersecurity, especially for business-critical systems like SAP and other ERPs. AI-
powered threat hunting emerges as a compelling solution, offering the potential to identify and
neutralize threats before they can disrupt operations or inflict damage. By leveraging AI
algorithms to continuously analyze system data for anomalous activities, organizations can
significantly reduce response times and enhance their ability to detect novel attack vectors that
traditional, rule-based security measures might miss.
However, the implementation of AI-driven threat hunting within ERP environments is not
without its challenges. Data privacy regulations, particularly in regions like the U.S. and Europe,
necessitate careful consideration and adherence to ensure compliance. Additionally, integrating
AI-powered solutions into existing security frameworks can present complexities that require
strategic planning and execution.
Despite these challenges, the potential benefits of AI-powered threat hunting for bolstering ERP
security are undeniable. As demonstrated through real-world use cases, organizations that
embrace this proactive approach can significantly strengthen their security posture, reduce their
susceptibility to cyberattacks, and safeguard their critical business operations. By adopting the
actionable measures outlined in this paper, U.S. and European organizations can harness the
power of AI to navigate the evolving threat landscape and fortify their ERP systems against
impending cyber dangers.

References
[1] Mario Golling and Björn Stelte. Requirements for a future ews-cyber defence in the internet of the
future. In Cyber conflict (ICCC), 2011 3rd international conference on, pages 1–16. IEEE, 2011.
[2] Jason Andress and Steve Winterfeld. Cyber warfare: techniques, tactics and tools for security
practitioners. Elsevier, 2013.
[3] Radoniaina Andriatsimandefitra and Valérie Viet Triem Tong. Capturing android malware behaviour
using system flow graph. In International Conference on Network and System Security, pages 534–541.
Springer, 2015.
[4] Daavid Hentunen. Behaviour based malware prevention, June 8 2017. US Patent App. 15/362,012.
[5] Michael Sikorski and Andrew Honig. Practical malware analysis: the hands-on guide to dissecting malicious software. No Starch Press, 2012.
[6] Qassim Nasir and Zahraa A Al-Mousa. Honeypots aiding network forensics: Challenges and notions. JCM, 8(11):700–707, 2013.
[7] Adel Ammar. Comparison of feature reduction techniques for the binominal classification of network traffic. Journal of Data Analysis and Information Processing, 3(02):11, 2015.
[8] Sumeet Kumar and Kathleen M Carley. Approaches to understanding the motivations behind cyber attacks. In 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pages 307–309. IEEE, 2016.
[9] Ben Brewster, Benn Kemp, Sara Galehbakhtiari, and Babak Akhgar. Cybercrime: attack motivations and implications for big data and national security. In Application of Big Data for National Security, pages 108–127. Elsevier, 2015.
[10] Bank. CBEST intelligence-led testing: an introduction to cyber threat modelling. 2016.
[11] SQRRL. A framework for cyber threat hunting, 2016.
[12] Jungsuk Song, Hiroki Takakura, Yasuo Okabe, Masashi Eto, Daisuke Inoue, and Koji Nakao. Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation. In Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, pages 29–36. ACM, 2011.
[13] Georgios Portokalidis, Asia Slowinska, and Herbert Bos. Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation. In ACM SIGOPS Operating Systems Review, volume 40, pages 15–27. ACM, 2006.
[14] Jop van der Lelie and Rory Breuk. A visual analytic approach for analyzing SSH honeypots. 2012.
[15] Pavol Sokol, Patrik Pekarčík, and Tomáš Bajtoš. Data collection and data analysis in honeypots and honeynets. Proceedings of the Security and Protection of Information. University of Defence, 2015.
[16] Chris Moore and Ameer Al-Nemrat. An analysis of honeypot programs and the attack data collected. In International Conference on Global Security, Safety, and Sustainability, pages 228–238. Springer, 2015.
[17] David Bianco. A framework for cyber threat hunting part 1: The pyramid of pain, 2015.
[18] Xiaoli Lin, Pavol Zavarsky, Ron Ruhl, and Dale Lindskog. Threat modeling for csrf attacks. 2013 IEEE
16th International Conference on Computational Science and Engineering, 3:486–491, 2009.
[19] BSIMM. Attack models with bsimm frameworks. Online,
https://www.bsimm.com/framework/intelligence/attack-models/, 2016.
[20] H. Al-Mohannadi, Q. Mirza, A. Namanya, I. Awan, A. Cullen, and J. Disso. Cyberattack modeling
analysis techniques: An overview. In 2016 IEEE 4th International Conference on Future Internet of Things
and Cloud Workshops (FiCloudW), pages 69–76, Aug 2016
[21] Kumar, V., Li, L., Gui, H., Wang, X., Huang, Q. X., Li, Q. Y., ... & Li, D. Y. (2018). Tribological
properties of AZ31 alloy pre-deformed at low and high strain rates via the work function. Wear, 414, 126-
135.
[22] Kumar, V., & Nayfeh, A. (2016). TCAD simulation and modeling of impact ionization (II) enhanced
thin film c-Si solar cells. Journal of Computational Electronics, 15, 248-259.
[23] Kumar, V., & Nayfeh, A. (2013, November). Thin film c-Si solar cell enhanced with impact ionization.
In 2013 European Modelling Symposium (pp. 681-684). IEEE.