In addition to over 400 IT-related security cases from Argus MSSP Partners, the Argus research team has identified, documented, and categorized over 136 automotive-specific attack scenarios, and it continues to grow this library at a rapid pace.
Driven by approximately 215,000 hours of automotive cybersecurity research and dozens of projects for major OEMs and Tier 1s, these automotive use cases further position Argus Fleet Protection as the leading automotive SOC solution.
Given the vast amount of data sources and endpoints that need to be protected in the automotive ecosystem, these automotive use cases are essential for automotive CISOs whose core challenge is to constantly know, at any given moment, that their OEM fleet and systems are secured.
By expanding their automotive use case library, CISOs can effectively prepare their Automotive SOC (ASOC) team for potential vehicle attacks, while ensuring protection across the entire incident lifecycle — from detection to investigation, and mitigation.
Argus Automotive Use Cases: What Are They?
A use case documents a specific condition or event (usually related to a specific threat) which is to be detected or investigated by the cybersecurity tool with the appropriate OEM response.
Similarly, automotive use cases are well-documented attack scenarios that take into account the context of the automotive industry, the potential impact of a given threat across the fleet, along with the means to address this threat. With well-defined automotive use cases, ASOC teams are equipped to identify threats, facilitate immediate responses, and ensure smooth investigation processes.
Argus’ automotive use cases are divided into multiple categories, including:
- API and backend process monitoring
- Specific Threat Scenario
- Incident Response Procedure
- Best Practices, for example, OWASP API security
- Global Compliance, for example, the upcoming UNECE WP.29 Regulation, which states in Annex 5:
12.1 “Compromise of over the air software update procedures. This includes fabricating the system update program or firmware”
16.1 “Manipulation of functions designed to remotely operate vehicle systems, such as remote key, immobilizer, and charging pile” (mitigation M20: “Security controls shall be applied to systems that have remote access”)
16.2 “Manipulation of vehicle telematics (e.g. manipulate temperature measurement of sensitive goods, remotely unlock cargo doors)”
On top of these automotive use cases, Argus provides its customers with hundreds of IT-specific cybersecurity use cases to enable comprehensive and multi-layered cybersecurity protection.
The Role of Automotive Use Cases
As automotive use cases span the lifecycle of a threat and are built on unique automotive knowledge, they enable ASOC teams to do three things: identify threats that might otherwise go unnoticed, provide the context to validate those threats, and take predefined steps to mitigate the threat. This happens in two separate stages:
The Argus Threat Hunting tool is used to detect threats in vehicles and connected car services and is largely distinguished by unique detection-based use cases tailored to the automotive domain. These use cases determine the Direct Observables as well as the Indirect Observables sourced by the Threat Hunting tool.
Automotive use cases for Direct Observables are based on Argus research. For the Indirect Observables use cases, Argus uses data-driven use cases and a wealth of threat intelligence that has been uncovered on the dark web about vulnerabilities, malware, and zero-day attacks targeting vehicles.
As soon as a use case is matched, an alert is triggered in Argus’ Incident Management tool, where the security analyst can determine whether it is a real threat or mark it as a false positive.
Whenever a new alert is raised, security analysts use a playbook to standardize the incident management and investigation process. These playbooks are based on Argus’ automotive use cases and provide predefined steps covering the recommended actions for each incident type.
Once an attack scenario has been identified, analysts know how to proceed with the investigation — be it by performing a false-positive analysis, root-cause analysis, impact assessment, and so on. As a result, not only does the ASOC team analyze each incident in depth, but it can also apply the correct, prioritized actions to accelerate the entire investigation and thereby remove bottlenecks.
In the end, these automotive use cases provide predefined investigative steps and other technological features which, together with the playbooks, can significantly reduce the time analysts spend understanding a threat, responding to it, and beginning mitigation.
Why Automotive Use Cases Matter
Automotive use cases are vital in orchestrating a successful automotive cybersecurity strategy across the entire threat lifecycle. They promote comprehensive detection of threats, streamline SOC processes with playbooks, and ensure that valuable time is spent on mitigating “real” threats rather than false positives. With a substantial bank of use cases, the ASOC team is fully equipped to identify, manage, and respond to almost any security threat targeting the OEM fleet.
Get your copy of our latest eBook to learn more about how you can build a complete ASOC strategy using Argus Fleet Protection.
Author: Sapir Segal, Product Marketing Manager at Argus Cyber Security