METHOD OF DEVELOPMENT OF THREAT SCENARIOS KNOWLEDGE BASE FOR INCIDENT RESPONSE PLATFORM (IRP)
Abstract
The objective of this work is to study how the efficiency of response to information security (IS) incidents can be increased. This can be achieved by developing a system that quickly localizes an incident and automates the response to an IS threat by taking predetermined actions that depend on the details of the threat scenario being implemented. An architecture for an IRP system is proposed; its main modules are a response scenario knowledge base, a threat scenario knowledge base, a module for determining the incident status, and a module for deciding which command information to generate. The problem of developing threat scenarios for a scenario knowledge base is solved; on this basis, adequate response scenarios can be developed that are unique to each chain of the cybercriminal's actions, the events involved, and the affected objects. The paper formalizes a method for developing a knowledge base of threat scenarios by constructing EPC diagrams of scenarios that represent multi-component attacks, taking into account the tactics, techniques, and vulnerabilities used as well as the information security threats (IST) specified in regulatory documents and databases. The paper formulates rules for constructing EPC diagrams of threat scenarios and a methodology for EPC modeling of the objects of influence in industrial control systems (ICS). An example of an attack on an industrial network from a global network is considered: a cybercriminal first attacks a remote user's computer, gains unauthorized access to the corporate segment, and establishes a foothold there for further penetration beyond the perimeter into the process network. The paper presents the developed EPC diagram of this threat scenario, indicating the tactics, techniques, intermediate IST, and some of the vulnerabilities used. The assessment of the probability of scenario implementation is formalized.