Consistent and Compatible Modelling of Cyber Intrusions and Incident Response Demonstrated in the Context of Malware Attacks on Critical Infrastructure
Peter Maynard, Yulia Cherdantseva, Avi Shaked, Pete Burnap, Arif Mehmood
TL;DR
This work addresses the fragmentation between threat modelling and incident response in Critical National Infrastructure (CNI) security by unifying attack modelling and IR Playbooks within the Security Modelling Framework (SecMoF). It introduces Compatible Intrusion Models (CIM) as FRIPP-compatible representations of SAND Attack Trees, enabled by the Security Model Converter (SMC) to map attacks to a Dependency Model (DM) and IR processes. The paper demonstrates nine ICS intrusion models converted from SAND to CIM, with in-depth analyses of BlackEnergy and the 2015 Ukrainian power outage, and shows how linking CIM with DM yields actionable insights for both risk assessment and IR actions. This integration advances risk management, threat analysis, and incident response for CNI by providing an interactive, interpretable, and interoperable modelling approach that facilitates learning and collaboration across technical and non-technical stakeholders.
Abstract
Cyber Security Incident Response (IR) Playbooks are used to capture the steps required to recover from a cyber intrusion. Individual IR playbooks should focus on a specific type of incident and be aligned with the architecture of the system under attack. Intrusion modelling focuses on a specific potential cyber intrusion and is used to identify where and what countermeasures are needed; the resulting intrusion models are expected to be used in effective IR, ideally by feeding the design of IR Playbooks. IR playbooks and intrusion models, however, are created in isolation and at different stages of the system's lifecycle. We take nine critical national infrastructure intrusion models - expressed using Sequential AND (SAND) Attack Trees - and transform them into models of the same format as IR playbooks. We use the Security Modelling Framework for modelling attacks and playbooks, and for demonstrating the feasibility of tighter integration between risk assessment and IR at the modelling level. This results in improved intrusion models and tighter coupling between IR playbooks and threat modelling which - as we demonstrate - yields novel insights into the analysis of attacks and response actions. The main contributions of this paper are (a) a novel way of representing attack trees using the Security Modelling Framework, (b) a new tool for converting Sequential AND attack trees into models compatible with playbooks, and (c) nine example intrusion models represented using the Security Modelling Framework.
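The abstract relies on the semantics of Sequential AND (SAND) attack trees, where a SAND node is only satisfied when its children complete in the stated order, unlike plain AND. The example below is an added illustration and is not code from the paper, SecMoF or the Security Model Converter: it builds a small constructed tree, checks an observed event timeline against it (the ordering check is what distinguishes SAND from AND), and flattens the tree into ordered step lists, which is one simple way to obtain a playbook-shaped linear sequence. The node labels, the `traces` flattening rule (AND children kept in written order, OR children expanded into alternatives) and the helper names are all assumptions made here, not the paper's CIM format.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed SAND attack tree. Leaves are observable events; internal nodes
# combine them with AND (all, any order), OR (at least one) or SAND (all, in order).
@dataclass
class Node:
    label: str
    op: Optional[str] = None              # None for a leaf, else "AND", "OR", "SAND"
    children: List["Node"] = field(default_factory=list)


def leaf(label: str) -> Node:
    return Node(label)


def AND(label: str, *kids: Node) -> Node:
    return Node(label, "AND", list(kids))


def OR(label: str, *kids: Node) -> Node:
    return Node(label, "OR", list(kids))


def SAND(label: str, *kids: Node) -> Node:
    return Node(label, "SAND", list(kids))


def satisfied(node: Node, observed: List[str]) -> Optional[int]:
    """Return the position in `observed` (a timeline of leaf labels, oldest
    first) at which `node` becomes complete, or None if it is not satisfied.
    A leaf uses its first occurrence; AND completes with its last child, OR
    with its earliest child, and SAND only if every child completes strictly
    after the previous one."""
    if node.op is None:
        return observed.index(node.label) if node.label in observed else None
    results = [satisfied(c, observed) for c in node.children]
    if node.op == "OR":
        done = [r for r in results if r is not None]
        return min(done) if done else None
    if any(r is None for r in results):
        return None
    if node.op == "AND":
        return max(results)
    if node.op == "SAND":
        ordered = all(results[i] < results[i + 1] for i in range(len(results) - 1))
        return results[-1] if ordered else None
    raise ValueError(f"unknown operator {node.op}")


def traces(node: Node) -> List[List[str]]:
    """Flatten the tree into ordered leaf sequences (assumption: AND children
    are emitted in written order; each OR child yields a separate trace)."""
    if node.op is None:
        return [[node.label]]
    if node.op == "OR":
        return [t for c in node.children for t in traces(c)]
    # AND and SAND: cartesian product of the children's traces, concatenated
    combined: List[List[str]] = [[]]
    for c in node.children:
        combined = [prefix + t for prefix in combined for t in traces(c)]
    return combined


def missing_leaves(node: Node, observed: List[str]) -> List[str]:
    """Leaf events the tree still needs; useful for picking a playbook branch."""
    if node.op is None:
        return [] if node.label in observed else [node.label]
    return [m for c in node.children for m in missing_leaves(c, observed)]


# Constructed example tree with deliberately generic labels.
EXAMPLE = SAND(
    "service disrupted",
    OR("foothold obtained",
       leaf("phished credential used"),
       leaf("exposed remote service accessed")),
    AND("control reachable",
        leaf("network mapped"),
        leaf("control host reached")),
    leaf("process halted"),
)

if __name__ == "__main__":
    timeline = ["exposed remote service accessed", "control host reached",
                "network mapped", "process halted"]
    print("ordered traces:", traces(EXAMPLE))
    print("completed at index:", satisfied(EXAMPLE, timeline))
    print("still missing:", missing_leaves(EXAMPLE, timeline[:2]))
```

Running the module prints two linear traces (one per OR alternative), reports that the in-order timeline completes the root at index 3, and lists the leaves still outstanding after the first two events, which is the kind of information a responder would use to choose the matching playbook branch.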
