Exercises and Experiments for Operational Capability in the cyberdomain: Final report


  • Teodor Sommestad

Publish date: 2017-12-31

Report number: FOI-R--4498--SE

Pages: 28

Written in: Swedish


  • cyber defence
  • log analysis
  • intrusion detection
  • situational awareness
  • training
  • exercise
  • assessment


A cyber defense requires several capabilities. The three-year project Exercises and experiments for operational capability in the cyber domain has focused on one the capability of analyzing system logs to detect and understand cyberattacks. The project has searched for answers to three questions. (1) How log analysis capability is influenced by different factors? (2) How should log analysis capability be assessed? (3) Which tools are required to run experiments and exercises on log analysis capability? The answer to the first question is that log analysis capability is a function of the capability to collect information, automatic analysis, and manual analysis. Within these, a number of variables are of importance. However, the knowledge of how important they are is limited. A number of exercise alternatives were developed as an answer to the second question, and some of these were tested. It is apparent that exercises in controlled cyber environments, where the ground truth is known, is advantageous. The answer to the third question is that it requires realistic and meaningful cyber environments, tools to simulate events in the cyber environment, and tools that simplify log collection. The project has tried to ensure that FOI's cyber range CRATE can meet these requirements.