Work in Progress: Evaluation of Security Standards through a Cyber Range using Hackers’ Tactics, Techniques and Procedures

Abstract

We present a framework for the creation of a cyber range to test the effectiveness of security standards, policies and frameworks. These assets guide organisations on how to protect themselves from cyber threats. They have been created via a variety of methods including standards bodies, anecdotal evidence, findings from successful attacks and others. To date, however, there is not an agreed process for creating cyber ranges to conduct a practical assessment of the recommended controls. As a result, the ability of enterprises and standards bodies to judge the effectiveness of these measures is limited. Utilising hackers’ tactics, techniques, and procedures to evaluate security standards, should be an effective method for testing a lifelike cyber range which complies to a specific standard. We have started to produce the blueprint for such a laboratory, presented here to showcase our initial findings, using the Cyber Essentials framework as an initial use case. 1.