Simulation of Workflow and Threat Characteristics for Cyber Security Incident Response Teams

Abstract

Within large organizations, the defense of cyber assets generally involves the use of various mechanisms, such as intrusion detection systems, to alert cyber security personnel to suspicious network activity. Resulting alerts are reviewed by the organization’s cyber security personnel to investigate and assess the threat and initiate appropriate actions to defend the organization’s network assets. While automated software routines are essential to cope with the massive volumes of data transmitted across data networks, the ultimate success of an organization’s efforts to resist adversarial attacks upon their cyber assets relies on the effectiveness of individuals and teams. This paper reports research to understand the factors that impact the effectiveness of Cyber Security Incidence Response Teams (CSIRTs). Specifically, a simulation is described that captures the workflow within a CSIRT. The simulation is then demonstrated in a study comparing the differential response time to threats that vary with respect to key characteristics (attack trajectory, targeted asset and perpetrator). It is shown that the results of the simulation correlate with data from the actual incident response times of a professional CSIRT.