Optimizing security monitoring in air-gapped infrastructure
School of Science
Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Language
en
Pages
42
Abstract
Air-gapped Linux infrastructures cannot rely on cloud services for monitoring or on external threat intelligence. Monitoring has to be managed locally, and this is difficult because most built-in detection rules are broad, noisy, or heavy on resources. In this thesis, a framework was developed to make rule-based monitoring fit better in such isolated environments. The framework has three parts: first studying the environment, then linking adversary behavior to the MITRE ATT&CK framework, and finally checking detections against defined scenarios. Elastic SIEM is used to simulate the attack scenarios. The evaluation led to practical changes: rules with no relevance were disabled, missing coverage was added, and noisy rules were tuned. As a result, coverage of real adversary attack techniques improved while unnecessary alerts and load were reduced. The study shows that monitoring in air-gapped Linux systems can be improved when it is guided by adversary behavior and by the real conditions of the environment.
Supervisor
Gunn, Lachlan
Thesis advisor
Gligoroski, Danilo
Nymalm, Sören