Cyber Defence Platform for Real-time Threat Hunting, Incident Response and Information Sharing

Over the last decade, cyber-attacks have been occurring with increasing frequency and impact, some of them even reaching a global scale. It is estimated that the average annual cost of cybercrime per organisation exceeds $13 million, continuing to rise at a rate of 12% during 2018 and cumulatively 72% over the past five years [1]. This calls for continuous (and increasing) investment in cybersecurity solutions, which, however, do not always deliver the expected benefits. Modern cyber threats are becoming increasingly complex and frequently manage to bypass traditional perimeter, network and endpoint protection methods.
In the defence domain, as state-of-the-art ICT technologies are increasingly used in military units and command structures, the impact of cyber threats and potential incidents on the Member States’ defence capabilities, at the tactical, administrative and strategic levels, is constantly growing. In a military context, the impact of a cybersecurity incident may have more than economic consequences; it might also directly affect national security and integrity and even lead to loss of human lives. While information theft is the fastest-rising consequence of cybercrime, other targets, such as military networks and control systems, can be exploited in a powerful move to disrupt and destroy. In addition, many cyberattacks against military targets are ordered (and financed) by foreign states rather than individuals, and are conducted by professional teams with highly sophisticated tools and generous access to technical, financial and human resources.
Towards increasing their cyber-resilience, Member States’ structures employ a variety of technical solutions at perimeter, network and endpoint level. These solutions are often combined as a patchwork of standalone products, each one working in an isolated fashion, devoid of any organic integration or information sharing capabilities. This approach, however, forms a stop-gap solution rather than a holistic defence framework. What is more, most of these solutions are developed (and controlled) by organisations outside the EU, and their logic and operation are totally opaque to the end-user. They essentially operate as “black boxes”, while the user documentation is often the sole source of information about their actual behaviour. It is thus no wonder that the EU has identified Enabling Capabilities for Cyber Responsive Operations as one of its eleven development priorities [2]. Relying on purely EU-developed capabilities is crucial for improving the cyber resilience and strengthening the operational independence of EU Member States, especially in a cost-effective manner.
In the technical realm, while traditional security techniques are reaching their limits, it is recognised that Threat Intelligence Sharing [3], as well as Automation, Artificial Intelligence and Machine Learning [4][5], are the two most cost-efficient approaches to reinforcing cyber resilience today [6]. In this direction, an integrated, innovative, open solution, developed in the EU, that leverages these two emerging enablers to improve detection and reaction capabilities and to promote cyber threat intelligence sharing, specifically tailored for use in the defence domain and complementing the traditional security solutions already in place, would constitute a decisive contribution to the development of EU cyber resilience capabilities.
The PANDORA project aims to contribute to EU cyber defence capacity building by designing and implementing an open technical solution for real-time threat hunting and incident response, focusing on endpoint protection, as well as information sharing. The PANDORA system will be able to promptly detect and classify known and unknown threats, enforce policies on the fly to counter these threats, and provide near-instantaneous exchange of threat intelligence information with third parties, at both national and international level.
More specifically, the technical solution developed in PANDORA will:
- Collect information (metrics, traffic, Indicators of Compromise (IoCs) etc.) from endpoints and network elements;
- Detect and classify security incidents, both known (based on signatures and IoCs) and unknown (based on inferred anomalies and suspicious behaviours);
- Suggest mitigation actions and policies – and enforce them automatically upon confirmation;
- Import and export incident information and threat intelligence to/from national and international information sharing platforms;
- Expose interfaces, both graphical and programmatic, with role-based access control, to support Security Operations and allow in-depth investigations in case of an incident.
It must be stressed that, as already mentioned, PANDORA will be fully aligned with the scope and objectives of the PESCO project entitled “Cyber Threats and Incident Response Information Sharing Platform (CTISP)”. Most of the requirements mentioned in the EDIDP call, which will be fulfilled by the PANDORA solution, are harmonised with the goals of the PESCO CTISP project.


  • Partners: SPACE HELLAS S.A. (COORDINATOR), THALES HELLAS, Naval Group, GMVIS SKYSOFT, AIT Austrian Institute of Technology GmbH, INFILI Technologies PC, UBITECH LIMITED, Orion Innovations PC, Gatewatcher, Honvédelmi Minisztérium Elektronikai Logisztikai és Vagyonkezelö ZRT., Centre Tecnologic de Telecomunicacions de Catalunya, INESC TEC – Instituto de Engenharia de Sistemas e Computadores, Tecnologia e Ciência, CYBER SERVICES, NVISO CVBA, Centro de Investigação, Desenvolvimento e Inovação da Academia Militar – CINAMIL
  • Project duration: 12/2020 – 11/2022
  • Funding programme: Software suite solution, enabling real-time cyber threat hunting and live incident response, based on shared cyber threat intelligence, EDIDP-CSAMN-SSS-2019