Severe cyber attacks on companies and critical infrastructures dominate the weekly press reports. Many recent incidents, such as the death of a German patient as a result of a ransomware attack on a university clinic in September 2020, or the extensive infiltration of infrastructures, as in the case of the SolarWinds hacks 2020, underline the serious situation. In addition to these exemplary reports, the Cybercrime Report 2019 by the Federal Criminal Police Office (Bundeskriminalamt) also illustrates the unpleasant security statistics with an increase of complaints of 69.7% regarding illegal access to a computer system and 291.3% for data processing abuse, compared to the previous year.
While the focus of the cyber security domain has been on prevention and perimeter security for decades, the focus has changed in the past few years towards reactive actions. It is generally accepted that a complex infrastructure cannot be successfully protected against attacks in the long term. It is therefore important to reduce the attacker's time window - from the initial intrusion to their discovery and the execution of the first countermeasures - to the shortest possible time span. This also reduces the attacker's ability to use the initial intrusion into a network for a successful attack (i.e. to achieve the actual goals, such as exfiltrating data or paralyzing an infrastructure). Detecting attacks and reacting quickly to them are therefore essential skills for organizations - not only for large-scale industry, but especially for critical infrastructure providers (CI) as well as for the SME sector, which is very important in Austria. However, in particular these often operate under enormous cost pressure, which is contrary to the usually resource-intensive use of complex cyber security solutions. In addition, operators of essential services are also obliged to use state-of-the-art cyber security solutions according to the NIS law.
The aim of the project is therefore to develop best practices for cyber security monitoring and logging (CyberMonoLog) based on the known attack techniques and with special consideration of those that are not already effectively prevented by generally applied best practices / standards. Attack techniques, which are typically treated reactively from an economic or technical point of view, must be uncovered through monitoring. Ultimately, the project is based on an optimization problem: It is impossible for an organization to identify all known attack techniques with economic means. The research question is therefore which data sources (or the events emitted by them) have to be analyzed with which methods (ranking) in order to identify most of the relevant attack techniques with a predefined use of resources. The results of the project should be readily applicable best practice guidelines for the implementation of a monitoring strategy for SMEs and CIs. These guidelines will be based on the known state of the art and the applicability of the results is ensured by cross-validation with external stakeholders as well as authorities and experts from CERT.at. Legal aspects (data protection, labor law issues) are taken into account.
Dr. Dr. Florian Skopik, AIT Austrian Institute of Technology
SBA Research gemeinnützige GmbH (gGmbH)
Computer Emergency Response Team / NIC.at
TU Wien (Prof. Haslinger)
Bundesministerium für Inneres (BMI)
Dr. Dr. Florian Skopik
Thematic Coordinator Cyber Security
Security & Communication Technologies
Center for Digital Safety & Security
AIT Austrian Institute of Technology GmbH
Giefinggasse 4 | 1210 Wien | Austria
M +43 664 8251495 | F +43(0) 50550-4150
firstname.lastname@example.org | http://www.ait.ac.at