This paper by NATO CCDCOE Researchers Artūrs Lavrenovs, Kimmo Heinäaro and Erwin Orye was accepted and presented in “19th European Conference on Cyber Warfare and Security (ECCWS 2020)”, Chester, UK on 25-26 June 2020.
The final version of the paper was published in “Proceedings of the 19th European Conference on Cyber Warfare and Security (ECCWS 2020)” (E-Book ISBN: 978-1-912764-62-4; E-Book ISSN: 2048-8610, Book version ISBN: 978-1-912764-61-7; Book Version ISSN: 2048-8602, DOI: 10.34190/EWS.20.062)
Host- and network-based events are the backbone of any modern IT monitoring and detection system. The number of lower-priority security events is significant, and these events might contain weak indicators of cyber attacks; by combining host and network events with sensor data that are not part of conventional IT security, the authors of this research are able to elevate otherwise missed events and discover hidden cyber attacks. The sensor data is fed into a situational awareness system which augments traditional alerts. This technique is primarily applicable to critical infrastructure, military, government and large organisations where the adversary is sophisticated enough to bypass existing detection methods. The paper discusses the operational and strategic implications of using this type of sensor. These principles have been implemented in two scenarios tested in cyber exercises. In the first proof of concept, the authors focused on sensor fusion by integrating existing non-IT sensor systems with IT security and correlating the collected data.
Keywords: host-based events, network-based events, IDS, security events, sensors