Consistent and Compatible Modelling of Cyber Intrusions and Incident Response Demonstrated in the Context of Malware Attacks on Critical Infrastructure
Peter Maynard, Yulia Cherdantseva, Avi Shaked, Pete Burnap

Cyber Security Incident Response (IR) playbooks are used to capture the steps required to recover from a cyber intrusion. Intrusion modelling focuses on a specific potential cyber intrusion and is used to identify where and what countermeasures are needed. The resulting intrusion models are expected to be used in IR, ideally by feeding IR playbook designs. However, IR playbooks and intrusion models are created in isolation and at varying stages of the system’s lifecycle, and there is no systematic approach that allows for their integration. In this article, we present a new approach to integrate intrusion models and IR models by translating intrusion models into a form compatible with IR models. We take nine critical national infrastructure intrusion models—expressed using Sequential AND Attack Trees—and transform them into models of the same format as IR playbooks, using a newly devised, automated conversion application. We use the Security Modelling Framework for modelling intrusions and playbooks, and for demonstrating the feasibility of better integration between them based on operational impact. This results in enhanced intrusion models that are contextualised with respect to operations and, accordingly, can offer tighter coupling with IR playbooks. The main contributions of this paper are (a) a novel way of representing attack trees, (b) a new tool for automatically converting Sequential AND attack trees into models compatible with playbooks, and (c) examples of nine real-world intrusion models.
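The abstract describes converting Sequential AND attack trees into models shaped like IR playbooks. The following is an added illustration, not the authors' conversion tool and not the Security Modelling Framework: it assumes the usual attack-tree semantics (OR = any one child, AND = all children in any order, SAND = all children in the listed order), enumerates every ordered sequence of leaf actions a constructed tree admits, and lays each sequence out as numbered playbook-style steps with an empty slot for the responder's detection or containment activity. The tree, its labels and the `Node`, `attack_paths` and `to_playbook_steps` names are all constructed for this example.

```python
"""Sequential AND (SAND) attack tree -> ordered, playbook-shaped step lists.

Added illustration; not the paper's converter. Assumed semantics:
OR = any one child, AND = all children in any order, SAND = all children
in the listed order.
"""
from dataclasses import dataclass, field
from itertools import permutations, product
from typing import Dict, List


@dataclass
class Node:
    label: str
    op: str = "LEAF"          # one of "LEAF", "OR", "AND", "SAND"
    children: List["Node"] = field(default_factory=list)


def attack_paths(node: Node) -> List[List[str]]:
    """Every ordered sequence of leaf actions that realises `node`."""
    if node.op == "LEAF":
        return [[node.label]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.op == "OR":
        # any single child suffices: the union of the children's paths
        return [p for paths in child_paths for p in paths]
    if node.op == "SAND":
        # all children, in the given order: one path from each, concatenated
        return [[step for part in combo for step in part]
                for combo in product(*child_paths)]
    if node.op == "AND":
        # all children, order unconstrained: every permutation of the children
        result = []
        for order in permutations(range(len(child_paths))):
            for combo in product(*(child_paths[i] for i in order)):
                result.append([step for part in combo for step in part])
        return result
    raise ValueError(f"unknown operator {node.op!r}")


def to_playbook_steps(path: List[str]) -> List[Dict[str, object]]:
    """Shape one attack path like a playbook: numbered, ordered steps, each
    with an empty slot for the detection/response activity a responder adds."""
    return [{"seq": i, "attacker_action": action, "response": None}
            for i, action in enumerate(path, start=1)]


# Constructed example tree; labels are generic, tactic-level descriptions.
EXAMPLE_TREE = Node("Disrupt plant process", "SAND", [
    Node("Gain initial access", "OR", [
        Node("initial access via email"),
        Node("initial access via exposed remote service"),
    ]),
    Node("Prepare for impact", "AND", [
        Node("reconnaissance of control network"),
        Node("acquisition of valid credentials"),
    ]),
    Node("manipulate control command"),
])


if __name__ == "__main__":
    for n, path in enumerate(attack_paths(EXAMPLE_TREE), start=1):
        print(f"path {n}:")
        for step in to_playbook_steps(path):
            print(f"  {step['seq']}. {step['attacker_action']}")
```

The constructed tree yields four ordered paths: the OR node contributes two alternatives, the AND node contributes both orderings of its two children, and the SAND root fixes initial access before preparation before impact. That is the practical difference a responder cares about: a SAND node tells the playbook author which step must already have happened when a given indicator fires, whereas an AND node means the playbook has to cope with either ordering.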