Instrumentation & Measurement Magazine 25-6 - 31

Detecting Cyber Attacks through Measurements: Learnings from a Cyber Range
Rasmi-Vlad Mahmoud, Marios Anagnostopoulos, and Jens Myrup Pedersen
Nowadays, it is hard to find an organization without a digital presence, while our modern society relies on a wide range of activities, like banking, government services, commerce, or education, that are offered online. Even more, recent years have pushed the limits of digital transformation for many organizations, companies, and educational institutions. This transition occurred without any prior planning or preparation and at an unprecedented scale [1]. As the globe converges towards a technology-driven society, cyber attacks and cyber crime campaigns are blooming. Recent reports show that cyber crime is growing in severity and frequency, competing with traditional crime in both the number of incidents and revenue [2].
Measuring Cyber Security
For a cyber crime to occur, three essential factors are needed, often called the crime triangle: a victim, a motive, and an opportunity. The victim is the target of the attack, the motive is what drives the criminal to commit the attack, and the opportunity is what allows the crime to be realized, e.g., a vulnerability of a system, an unprotected device, or human negligence [2]. Threat actors use a variety of Tactics, Techniques, and Procedures (TTPs) to violate the confidentiality, integrity, and availability of systems and data. To this end, the National Institute of Standards and Technology (NIST) framework for cyber security presents the five-function model, Identify, Protect, Detect, Respond, and Recover, that aids against cyber attacks. Therefore, Detection is of utmost importance to protect an organization's assets, such as critical services, networks, systems, and infrastructure, by continuously monitoring the organization's Information and Communications Technology (ICT) infrastructure and applications to ensure visibility in the event of a security incident [3].
In this context, security monitoring deals with the collection of data from various and heterogeneous sources and their analysis, with the purpose of identifying Indicators of Compromise (IoC). To monitor the services and operations uninterruptedly, a Security Operation Center (SOC) is established. The SOC has become a priority for organizations, which are investing in its development to provide increased visibility into events throughout their networks [4]. Essentially, it is the centralized monitoring unit of the IT and network infrastructure and handles security issues on an organizational and technical level [5].
September 2022
This paper presents the monitoring capabilities in the context of an SOC environment, focusing on two vantage points, namely network-based and host-based measurements. These measurements can help the organization's cyber security team, or researchers, both to determine the TTPs and to identify ongoing or completed malicious activity. Furthermore, we aim to highlight the importance of accurate measurements for the objectives of an SOC by exemplifying the logging approaches and pinpointing the locations where activity should be monitored. Moreover, this work provides examples of tools that can support the operational requirements of an SOC, with a focus on Elasticsearch, Logstash, and Kibana (ELK-Stack). In our research, the ELK-Stack is used for the collection, processing, and correlation of different log sources, which are essential for the identification of security incidents. Based on this log analysis, the SOC aims to infer whether an incident took place or is in progress within the monitored infrastructure. Finally, we offer directions on how these data can be further utilized for the purposes of cyber security.
We provide an overview of the current techniques and methods for infrastructure monitoring in the context of cyber security, focusing on security information and event management (SIEM) systems. A SIEM is a set of technologies collaborating to provide a comprehensive view of the infrastructure. The SIEM provides the technical foundation for an SOC to function, engaging many of the processes necessary for early response to security incidents. By building on the ELK-Stack and its dependent applications, one is able to aggregate network traffic, system events, security-related events, and other metrics.
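The two preceding paragraphs describe the core SOC workflow this paper is built on: collect heterogeneous log sources from a host vantage point and a network vantage point, then correlate them to infer whether an incident is in progress. The following is an added example, written for this page and not code from the article or from the ELK-Stack, that performs such a correlation in Python on constructed data: a few sshd authentication lines (host measurement), a few Zeek-style connection records in JSON (network measurement), a constructed hostname-to-address map, and a constructed IoC watch list. The year for the syslog timestamps and the thresholds are assumptions, not values from the article.

```python
# Added example (not from the article or the ELK-Stack): correlating a host-based
# measurement (sshd authentication log) with a network-based measurement (Zeek-style
# connection records) so that two weak signals become one IoC finding.
# All log lines, the hostname-to-IP map and the IoC list below are constructed.
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ASSUMED_YEAR = 2022  # syslog lines carry no year; assumed for this example

# Constructed host-based log lines (Linux sshd, syslog format)
HOST_AUTH = """\
Sep 12 10:01:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 12 10:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 12 10:01:09 web01 sshd[2214]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2
Sep 12 10:15:40 db01 sshd[900]: Accepted publickey for backup from 192.0.2.10 port 40020 ssh2
"""

# Constructed network-based log lines (Zeek conn.log as JSON, epoch seconds, UTC)
NET_CONN = """\
{"ts": 1662976863.0, "id.orig_h": "203.0.113.7", "id.resp_h": "10.0.0.5", "id.resp_p": 22, "proto": "tcp", "conn_state": "SF"}
{"ts": 1662976869.5, "id.orig_h": "203.0.113.7", "id.resp_h": "10.0.0.5", "id.resp_p": 22, "proto": "tcp", "conn_state": "SF"}
{"ts": 1662976900.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.9", "id.resp_p": 443, "proto": "tcp", "conn_state": "S1"}
{"ts": 1662977740.0, "id.orig_h": "192.0.2.10", "id.resp_h": "10.0.0.6", "id.resp_p": 22, "proto": "tcp", "conn_state": "SF"}
"""

HOST_TO_IP = {"web01": "10.0.0.5", "db01": "10.0.0.6"}  # constructed asset inventory
IOC_IPS = {"198.51.100.9"}  # constructed watch list of external addresses

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_host_auth(text):
    """Host vantage point: sshd lines -> timestamped login events (UTC)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                       "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def parse_net_conn(text):
    """Network vantage point: Zeek-style JSON records -> connection summaries (UTC)."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        conns.append({"ts": datetime.fromtimestamp(rec["ts"], tz=timezone.utc),
                      "src": rec["id.orig_h"], "dst": rec["id.resp_h"], "dport": rec["id.resp_p"]})
    return conns


def find_suspicious_logins(events, min_failures=2, window=timedelta(minutes=5)):
    """Host signal: an Accepted login preceded by >= min_failures failures from the
    same source against the same host inside `window`."""
    failures = defaultdict(list)  # (host, src) -> failure timestamps
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            hits.append({**ev, "failures_before": len(recent)})
    return hits


def correlate(logins, conns, window=timedelta(minutes=10)):
    """Cross-vantage correlation: a flagged login followed within `window` by an
    outbound connection from that host to an address on the IoC watch list."""
    findings = []
    for login in logins:
        host_ip = HOST_TO_IP.get(login["host"])
        if host_ip is None:
            continue  # host not in inventory; cannot join host and network data
        for c in conns:
            delay = c["ts"] - login["ts"]
            if c["src"] == host_ip and c["dst"] in IOC_IPS and timedelta(0) <= delay <= window:
                findings.append({"host": login["host"], "user": login["user"],
                                 "login_src": login["src"], "login_ts": login["ts"].isoformat(),
                                 "ioc": c["dst"], "ioc_port": c["dport"],
                                 "delay_s": delay.total_seconds()})
    return findings


def run():
    """Full pipeline over the constructed samples; returns the list of findings."""
    logins = find_suspicious_logins(parse_host_auth(HOST_AUTH))
    return correlate(logins, parse_net_conn(NET_CONN))


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding))
```

On the constructed data the host signal alone flags one login (two failures and then a success on web01 from the same source), and the network signal alone flags one connection (web01 talking to a watched address); the join on host address and time window is what ties them into a single finding with the user, source, and delay that an analyst needs. In an ELK deployment the same join would be expressed over the indexed fields (Logstash filters to normalize both sources, a Kibana query or rule over the time window); it is done in plain Python here so it runs offline.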
Background and Related work
According to Vielberth et al. [6], the number of documented breaches for companies has increased over the
IEEE Instrumentation & Measurement Magazine
1094-6969/22/$25.00©2022IEEE