METHOD OF DEVELOPMENT OF THREAT SCENARIOS KNOWLEDGE BASE FOR INCIDENT RESPONSE PLATFORM (IRP)
Abstract
The objective of this work is to study how the efficiency of response to information security (IS) incidents can be increased. This can be achieved by developing a system capable of quickly localizing an incident, automating the response to an IS threat, and taking predetermined actions depending on the details of the threat scenario being implemented. An architecture for constructing an IRP system is proposed; its main modules are a response scenario knowledge base, a threat scenario knowledge base, a module for determining the incident status, and a module for making decisions on the formation of command information. The problem of developing threat scenarios for the scenario knowledge base is solved; on this basis, adequate response scenarios can be developed that are unique for each chain of the cybercriminal's actions, events, and involved objects. The paper formalizes the method for developing a knowledge base of threat scenarios by constructing EPC diagrams of scenarios that represent multi-component attacks, taking into account the tactics, techniques, and vulnerabilities used, as well as the information security threats (IST) specified in regulatory documents and databases. The paper formulates the rules for constructing EPC diagrams of threat scenarios and the methodology for EPC modeling of target objects in industrial control systems (ICS). An example of an attack scenario on an industrial network from a global network is considered, in which a cybercriminal, having attacked a remote user's computer, first gains unauthorized access to the corporate segment and establishes a foothold in it for further penetration beyond the perimeter of the process network. The paper presents the developed EPC diagram of this threat scenario, indicating the tactics, techniques, intermediate IST, and some of the vulnerabilities used. The assessment of the probability of scenario implementation is formalized.
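The following added example (not code from the paper) sketches how an IRP could hold the abstract's remote-user-to-process-network chain as EPC-style steps in a threat scenario knowledge base and derive an incident status and a response decision from observed events. Event names, tactic labels, the response text, and the `progress` ratio used as a stand-in for the paper's probability measure are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One EPC fragment: triggering event -> attacker function -> resulting event."""
    trigger: str    # event that must already have been observed
    function: str   # attacker action (EPC function)
    tactic: str     # tactic label (assumed, ATT&CK-style naming)
    result: str     # event produced when the function succeeds


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    steps: tuple
    response: str   # entry of the response scenario knowledge base (assumed)


# Constructed knowledge base: the chain described in the abstract, from a
# remote user's workstation into the corporate segment and towards the
# perimeter of the process network. Event names are illustrative only.
SCENARIO_KB = (
    ThreatScenario(
        name="remote-user-to-process-network",
        steps=(
            Step("malicious_mail_delivered", "compromise remote user workstation", "Initial Access", "remote_host_compromised"),
            Step("remote_host_compromised", "reach corporate segment via user's remote session", "Lateral Movement", "corporate_access_obtained"),
            Step("corporate_access_obtained", "establish persistence on corporate host", "Persistence", "foothold_established"),
            Step("foothold_established", "probe perimeter of process network", "Discovery", "process_network_probed"),
        ),
        response="suspend remote-access account; quarantine foothold host; tighten ICS perimeter rules",
    ),
)


def assess(observed, scenario, respond_at=0.5):
    """Incident status for one scenario: how far the chain has progressed and what comes next."""
    seen = set(observed)
    matched, next_event = 0, None
    for step in scenario.steps:               # chain order matters: stop at first unmatched step
        if step.trigger in seen and step.result in seen:
            matched += 1
        else:
            next_event = step.result          # the event a detector should now watch for
            break
    progress = matched / len(scenario.steps)  # placeholder, not the paper's probability estimate
    return {"scenario": scenario.name, "matched": matched, "progress": progress,
            "next_event": next_event, "response": scenario.response if progress >= respond_at else None}


def decide(observed, kb=SCENARIO_KB, respond_at=0.5):
    """Decision module: pick the scenario that best explains the observed events."""
    return max((assess(observed, s, respond_at) for s in kb), key=lambda r: r["progress"])
```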