Containment Strategy Formalism in a Probabilistic Threat Modelling Framework

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: Background - Foreseeing, mitigating and preventing cyber-attacks is more important than ever before. Advances in the field of probabilistic threat modelling can help organisations understand their own resilience profile against cyber-attacks. Previous research has proposed MAL, a meta language for capturing the attack logic of a considered domain and running attack simulations in a depicted model of the defender's system. While this modality is already somewhat established, less is known about how to proactively model containment protocols for when an incident has already occurred. Purpose - By proposing a formalism for how to describe and reason about containment in a MAL-based system-specific model, this study aims to bridge the divide between probabilistic threat modelling and the containment phase of the incident response life-cycle. The main issues are how to formalise containment and how to reason about selecting the most beneficial containment strategy for a considered model. Method - The study first sets out to identify practical instances of incident containment in the literature. Some of these incidents and their respective containment items are then encoded with a novel methodology. A containment strategy selection algorithm is proposed that guides containment decisions by working with the encoded constructs and a system-specific model. Finally, the encoded items are verified and the algorithm validated through example scenarios. Result & Analysis - The verification tests showed that all implementations of the encoded constructs yielded results according to expectation. Validity tests also indicated that the algorithm endorsed the correct solution to a significant extent. The null hypothesis, that the number of correctly predicted containment strategies could be explained by coincidence alone, was rejected by two validity tests with respective p-values of 8.2 × 10^-12 and 2.9 × 10^-17, both < 0.05.
Conclusion - The study demonstrates a viable methodology for describing and reasoning about the containment of incidents in a MAL-based framework. This was indicated by verification and validity testing that confirmed the correctness of the incident and containment action implementations, as well as the propensity of the algorithm to favour containment strategies that align with human reasoning.