
Consistent and Compatible Modelling of Cyber Intrusions and Incident Response Demonstrated in the Context of Malware Attacks on Critical Infrastructure (2505.16398v1)

Published 22 May 2025 in cs.CR

Abstract: Cyber Security Incident Response (IR) Playbooks are used to capture the steps required to recover from a cyber intrusion. Individual IR playbooks should focus on a specific type of incident and be aligned with the architecture of a system under attack. Intrusion modelling focuses on a specific potential cyber intrusion and is used to identify where and what countermeasures are needed, and the resulting intrusion models are expected to be used in effective IR, ideally by feeding IR playbook designs. IR playbooks and intrusion models, however, are created in isolation and at varying stages of the system's lifecycle. We take nine critical national infrastructure intrusion models - expressed using Sequential AND Attack Trees - and transform them into models of the same format as IR playbooks. We use the Security Modelling Framework for modelling attacks and playbooks, and for demonstrating the feasibility of better integration between risk assessment and IR at the modelling level. This results in improved intrusion models and tighter coupling between IR playbooks and threat modelling which - as we demonstrate - yields novel insights into the analysis of attacks and response actions. The main contributions of this paper are (a) a novel way of representing attack trees using the Security Modelling Framework, (b) a new tool for converting Sequential AND attack trees into models compatible with playbooks, and (c) the examples of nine intrusion models represented using the Security Modelling Framework.

Summary

Consistent and Compatible Modelling of Cyber Intrusions and Incident Response: A Methodological Advancement

The paper presents a method for integrating cyber intrusion models with incident response (IR) frameworks, specifically focusing on critical national infrastructure (CNI). The authors highlight the compartmentalization and isolated development process of intrusion models and IR playbooks. By bridging these components, the paper addresses the critical gap that exists in the current cyber security landscape, enabling a more cohesive strategy for handling cyber threats.

The authors adopt the Sequential AND (SAND) Attack Tree methodology and demonstrate how these intrusion models can be transformed into formats compatible with IR playbooks, leveraging the Security Modelling Framework (SecMoF). The primary contributions are the novel representation of attack trees using this framework, a tool for converting SAND attack trees to FRIPP-compatible models, and case studies of nine intrusion models relevant to CNI, such as Stuxnet and BlackEnergy.

From a methodological standpoint, the paper emphasizes the integration of threat modelling and incident response, bringing an alignment that is often missing in the siloed approaches traditionally adopted. This alignment is achieved through Consistent Intrusion Models (CIM) and their mapping to dependency models within SecMoF. Such an approach fosters a dynamic feedback loop between risk assessment and incident response, promoting a proactive security posture.

Numerically, the converted models result in 37 steps for BlackEnergy and 22 for the Ukrainian power grid attack, reflecting the complexity and sequential dependencies of cyber operations. These step counts serve as indicators of both the nature of advanced persistent threats and the operational intricacies required to thwart such threats.
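To make the conversion idea concrete, here is an added illustration (not the paper's tool and not SecMoF) of how a small SAND attack tree can be linearised into ordered step sequences, the form an IR playbook is aligned against, and how step counts and choke points fall out of that. The node semantics, the `Node`/`linearise`/`choke_points` names and the constructed stage-level ICS tree are all assumptions made for this example.

```python
# Added illustration (not the paper's tool): linearise a small Sequential AND
# (SAND) attack tree into the ordered step sequences an IR playbook is aligned
# against. Node semantics below are an assumption made for this example.
from dataclasses import dataclass, field
from itertools import permutations, product
from typing import Dict, List


@dataclass
class Node:
    kind: str                      # "LEAF", "SAND", "AND" or "OR"
    label: str = ""                # step name, used for LEAF nodes
    children: List["Node"] = field(default_factory=list)


def linearise(node: Node) -> List[List[str]]:
    """Return every ordered leaf sequence the tree admits."""
    if node.kind == "LEAF":
        return [[node.label]]
    child_seqs = [linearise(c) for c in node.children]
    if node.kind == "OR":                      # exactly one child occurs
        return [s for seqs in child_seqs for s in seqs]
    if node.kind == "SAND":                    # all children, in listed order
        return [sum(combo, []) for combo in product(*child_seqs)]
    if node.kind == "AND":                     # all children, in any order
        return [sum(combo, [])
                for order in permutations(range(len(child_seqs)))
                for combo in product(*(child_seqs[i] for i in order))]
    raise ValueError(f"unknown node kind {node.kind!r}")


def choke_points(seqs: List[List[str]]) -> Dict[str, int]:
    """Count the sequences each step appears in; a step present in every
    sequence is where a single response action interrupts all modelled paths."""
    counts: Dict[str, int] = {}
    for s in seqs:
        for step in set(s):
            counts[step] = counts.get(step, 0) + 1
    return counts


# Constructed tree: a generic ICS intrusion described at stage level.
TREE = Node("SAND", children=[
    Node("OR", children=[
        Node("SAND", children=[Node("LEAF", "phishing email opened"),
                               Node("LEAF", "malicious document executed")]),
        Node("LEAF", "remote-access credential reused")]),
    Node("AND", children=[Node("LEAF", "internal network mapped"),
                          Node("LEAF", "operator credentials harvested")]),
    Node("LEAF", "HMI accessed"),
    Node("LEAF", "unauthorised control command issued")])
```

`linearise(TREE)` yields four ordered sequences of five or six steps; the steps present in all four are the places where one playbook action covers every modelled path.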

The implications of this research extend to both theoretical and practical realms. Theoretically, it challenges existing paradigms in threat modelling and advocates for unified representation. Practically, it suggests a roadmap for enhancing operational resilience against cyber threats by streamlining the processes around threat detection, intrusion management, and incident recovery. For future developments, the paper opens avenues for expanding SecMoF to accommodate broader security measures, potentially incorporating emerging AI techniques for predictive threat analysis and adaptive incident management. By integrating these modern capabilities, the bridge between disparate security functions could be further strengthened, enhancing the overall cybersecurity ecosystem.
