Consistent and Compatible Modelling of Cyber Intrusions and Incident Response Demonstrated in the Context of Malware Attacks on Critical Infrastructure

📅 2025-05-22
📈 Citations: 0
Influential: 0
📄 PDF

career value

192K/year
🤖 AI Summary
Current cybersecurity incident response (IR) playbooks and intrusion models are developed independently and asynchronously, leading to a fundamental semantic misalignment between threat modeling and response execution at the model level. Method: This paper proposes a unified modeling framework built upon the Security Modelling Framework (SMF), introducing the first Sequential AND Attack Tree formalism that enables precise semantic alignment between attack steps and response actions; develops an automated tool for transforming attack trees into structured IR playbooks; and constructs the first publicly available, cross-domain intrusion-response joint model suite—compatible across nine critical infrastructure sectors, including energy and transportation. Contribution/Results: The framework significantly enhances the operationalizability of intrusion models, achieves deep coupling between threat modeling and response orchestration, and uncovers novel, actionable mappings between attack paths and response actions—enabling synergistic analysis and improved decision support.

Technology Category

Application Category

📝 Abstract
Cyber Security Incident Response (IR) Playbooks are used to capture the steps required to recover from a cyber intrusion. Individual IR playbooks should focus on a specific type of incident and be aligned with the architecture of a system under attack. Intrusion modelling focuses on a specific potential cyber intrusion and is used to identify where and what countermeasures are needed, and the resulting intrusion models are expected to be used in effective IR, ideally by feeding IR Playbooks designs. IR playbooks and intrusion models, however, are created in isolation and at varying stages of the system's lifecycle. We take nine critical national infrastructure intrusion models - expressed using Sequential AND Attack Trees - and transform them into models of the same format as IR playbooks. We use Security Modelling Framework for modelling attacks and playbooks, and for demonstrating the feasibility of the better integration between risk assessment and IR at the modelling level. This results in improved intrusion models and tighter coupling between IR playbooks and threat modelling which - as we demonstrate - yields novel insights into the analysis of attacks and response actions. The main contributions of this paper are (a) a novel way of representing attack trees using the Security Modelling Framework,(b) a new tool for converting Sequential AND attack trees into models compatible with playbooks, and (c) the examples of nine intrusion models represented using the Security Modelling Framework.
Problem

Research questions and friction points this paper is trying to address.

Integrating intrusion models with incident response playbooks for consistency
Enhancing cyber attack analysis using Security Modelling Framework
Improving critical infrastructure security through unified threat modeling
Innovation

Methods, ideas, or system contributions that make the work stand out.

Transforms attack trees into playbook-compatible models
Uses Security Modelling Framework for integration
Demonstrates improved attack and response analysis