Image caption: AIT is Austria's largest non-university research institution

CyberMonoLog

While for decades the focus of the cyber security domain was on prevention and perimeter security, the orientation has shifted in recent years toward active response. It is generally accepted that a complex infrastructure cannot be successfully protected against attacks in the long run. It is therefore important to reduce the attackers' window of opportunity (the time from the initial intrusion to their detection and the initiation of countermeasures) to the shortest possible period. This also reduces the attackers' opportunities to turn the initial penetration of a network into a successful attack, i.e., to achieve their actual goals, such as exfiltrating data or paralyzing an infrastructure. Detecting attacks and responding to them quickly are therefore essential capabilities for organizations: not only for large-scale industry, but especially for critical infrastructure (CI) providers, as well as for the SME sector, which is so important in Austria. SMEs in particular, however, often operate under enormous cost pressure, which conflicts with the usually resource-intensive deployment of complex cyber security solutions. In addition, operators of essential services are obliged under the NISG to deploy state-of-the-art cyber security solutions.

The goal of the project was therefore to develop best practices for cyber security monitoring and logging (CyberMonoLog) based on the known attack techniques, with special consideration of those that are not already effectively prevented by generally applied best practices and standards. Attack techniques that, for economic or technical reasons, are typically handled reactively must be detected by monitoring. Ultimately, the project was therefore based on an optimization problem: it is impossible for an organization to detect all known attack techniques by economic means. The research question was thus which data sources (or the events emitted by them) have to be analyzed with which methods (ranking) in order to detect the most relevant attack techniques under predefined resource constraints.

The results of the project are applicable best practice guidelines for implementing a monitoring strategy for SMEs and CIs. The explanations are based on the known state of the art and the applicability of the results was ensured by cross-validation with external stakeholders as well as national authorities and experts from CERT.at. Legal aspects (data protection, labor/service law issues) were also taken into account.

In detail, the following goals were achieved in the CyberMonoLog project:

  1. Relevant attack techniques were collected from the MITRE ATT&CK framework and ranked according to selected metrics (prevalence, impact, applicability, etc.).
  2. A model suitable for solving the addressed optimization problem was formulated and instantiated using a Microsoft 365 environment as an example to assess its suitability for evaluating monitoring solutions in a specific context.
  3. Furthermore, a survey of applicable standards and recommendations in the area of logging and monitoring (CIS Top 18, ISO 27001/27002, BSI IT-Grundschutz, etc.) was conducted, and common requirements for logging and monitoring were identified.
  4. A survey among SMEs (200 participants) was conducted to identify the key assets, technologies and environments in the SME sector that require monitoring and logging, in order to delineate the scope of further considerations, in particular the creation of concrete recommendations for action.
  5. Based on the collected relevant technologies and assets, and with the help of the optimization model, the first iteration of the implementation recommendations in the form of guidelines was significantly improved over several further iterations, with detailed step-by-step instructions integrated via references.
  6. Feedback interviews with industry representatives of the target group (SMEs and AIs) were conducted with the help of "trusted partners".
  7. Legal questions, especially regarding data collection (logging), long-term archiving of logs and systematic processing were raised, investigated and evaluated.
  8. The developed guidelines were widely distributed in an awareness campaign of the Austrian Economic Chambers (WKO) to their members in June 2023.
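The ranking of techniques (goal 1) and the optimization model (goal 2) can be sketched as a small budgeted selection problem. The following is an added example, not code from the project or its guidelines: the technique metrics, the data sources, their costs and the source-to-technique coverage mapping are constructed for illustration, and an exhaustive search stands in for the project's own model.

```python
from itertools import combinations

# Constructed inventory (illustrative scores 1-5, not values from the project).
# Each ATT&CK technique carries the three metrics the page names.
TECHNIQUES = {
    "T1566 Phishing":          {"prevalence": 5, "impact": 4, "applicability": 5},
    "T1078 Valid Accounts":    {"prevalence": 4, "impact": 5, "applicability": 5},
    "T1110 Brute Force":       {"prevalence": 4, "impact": 3, "applicability": 4},
    "T1059 Scripting Interp.": {"prevalence": 4, "impact": 4, "applicability": 3},
    "T1486 Data Encrypted":    {"prevalence": 3, "impact": 5, "applicability": 4},
    "T1021 Remote Services":   {"prevalence": 3, "impact": 3, "applicability": 2},
}

# Hypothetical data sources: analysis cost (e.g. person-days per year) and the
# techniques whose detection the source enables. Coverage is assumed, not measured.
SOURCES = {
    "mail gateway logs":     {"cost": 2, "detects": {"T1566 Phishing"}},
    "M365 sign-in logs":     {"cost": 3, "detects": {"T1078 Valid Accounts", "T1110 Brute Force"}},
    "endpoint process logs": {"cost": 5, "detects": {"T1059 Scripting Interp.", "T1486 Data Encrypted",
                                                     "T1021 Remote Services"}},
    "file server audit":     {"cost": 4, "detects": {"T1486 Data Encrypted", "T1021 Remote Services"}},
}

def relevance(metrics):
    """Relevance of one technique: product of prevalence, impact and applicability."""
    return metrics["prevalence"] * metrics["impact"] * metrics["applicability"]

def rank_techniques(techniques=TECHNIQUES):
    """Goal 1: techniques ordered by decreasing relevance."""
    return sorted(techniques, key=lambda t: relevance(techniques[t]), reverse=True)

def covered_relevance(chosen, sources=SOURCES, techniques=TECHNIQUES):
    """Total relevance of all techniques detectable from the chosen sources (no double counting)."""
    covered = set().union(*(sources[s]["detects"] for s in chosen)) if chosen else set()
    return sum(relevance(techniques[t]) for t in covered)

def best_plan(budget, sources=SOURCES, techniques=TECHNIQUES):
    """Goal 2: choose the set of data sources that maximises covered relevance within the
    budget. Exhaustive search over subsets, so only suitable for small inventories.
    Returns (covered_relevance, cost, chosen_sources); ties go to the cheaper plan."""
    best = (0, 0, ())
    names = sorted(sources)
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            cost = sum(sources[s]["cost"] for s in combo)
            if cost > budget:
                continue
            score = covered_relevance(combo, sources, techniques)
            if (score, -cost) > (best[0], -best[1]):
                best = (score, cost, combo)
    return best
```

With a budget of 5 the search picks the two cheap identity and mail sources (covered relevance 248) over the single, more expensive endpoint source (126); raising the budget to 10 adds the endpoint source.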