This paper describes a situation awareness framework, Frankenstack, that is the result of a multi-faceted endeavor to enhance the expertise of cybersecurity specialists by providing them with real-time feedback during cybersecurity exercises and verifying the performance and applicability of monitoring tools during those exercises. Frankenstack has been recently redeveloped to improve data collection and processing functions as well as cyberattack detection capability.
This extensive R&D effort has combined various system and network security monitoring tools into a single cyberattack detection and exercise feedback framework. Although Frankenstack was specifically developed for the NATO CCD COE’s Crossed Swords exercise, the architecture provides a clear point of reference for others who are building such monitoring frameworks. Thus, the paper contains many technical descriptions to reduce the gap between theoretical research and practitioners seeking advice on how to implement such complex systems.
Index Terms—automation, cyber exercises, cyber ranges, Frankenstack, monitoring, NATO Cyber Range, real-time feedback, security training, technical architecture
This publication is a product of the NATO Cooperative Cyber Defence Centre of Excellence. It does not necessarily reflect the policy or the opinion of the Centre or NATO. The CCDCOE is a NATO-accredited cyber defence hub focusing on research, training and exercises. It represents a community of NATO nations and partners of the Alliance providing a 360-degree look at cyber defence, with expertise in the areas of technology, strategy, operations and law.