Criteria and indicators for assessing the quality of the investigation of an information security incident as part of a targeted cyberattack
https://doi.org/10.32362/2500-316X-2024-12-3-25-36
EDN: LNWLOK
Abstract
Objectives. The currently increasing number of targeted cyberattacks raises the importance of investigating information security incidents. Depending on the available means of protection, computer forensic experts use software and hardware tools for analyzing digital artifacts of various operating systems and network traffic to create an event chronology (timeline) of the incident. However, to date, there is no formal approach for assessing the effectiveness of expert activities when investigating an information security incident within the framework of a targeted cyberattack. The present study aims to develop partial indicators of promptness, effectiveness, and resource intensity as part of the suitability criterion for investigating an information security incident.
Methods. Methods informed by purposeful process efficiency and set theory are used along with expert evaluation approaches.
Results. An analysis of works in the field of computer incident investigation is presented. The terminology and the main guiding documents on the specifics of conducting information security incident investigations are described, along with examples of digital artifacts presented in the form of a classification. The expediency of forming criteria and indicators for assessing the quality of an information security incident investigation is substantiated. The suitability criterion and its constituent indicators for assessing the quality of the investigation are selected: the effectiveness (completeness) indicator for the detection of digital artifacts by a computer forensic expert, based on the activities performed; the resource intensity indicator; and the promptness indicator for investigating an information security incident.
Conclusions. The obtained results can be used not only by heads of departments but also by rank-and-file information security professionals for objective analysis of the available software and human resources, the time spent on these activities, and the identified digital artifacts as part of a cyber incident investigation.
About the Authors
S. I. Smirnov
Russian Federation
Stanislav I. Smirnov, Cand. Sci. (Eng.), Assistant Professor, Department of Intelligent Information Security Systems, Institute of Cybersecurity and Digital Technologies
78, Vernadskogo pr., Moscow, 119454
Scopus Author ID 57475289100, ResearcherID HZM-3994-2023
Competing Interests:
The authors declare no conflicts of interest.
M. A. Eremeev
Russian Federation
Mikhail A. Eremeev, Dr. Sci. (Eng.), Professor, Department of Information and Analytical Cybersecurity Systems, Institute of Cybersecurity and Digital Technologies
78, Vernadskogo pr., Moscow, 119454
Competing Interests:
The authors declare no conflicts of interest.
Sh. G. Magomedov
Russian Federation
Shamil G. Magomedov, Cand. Sci. (Eng.), Associate Professor, Head of the Department of Intelligent Information Security Systems, Institute of Cyber Security and Digital Technologies
78, Vernadskogo pr., Moscow, 119454
Scopus Author ID 57204759220, ResearcherID M-5782-2016
Competing Interests:
The authors declare no conflicts of interest.
D. A. Izergin
Russian Federation
Dmitry A. Izergin, Cand. Sci. (Eng.), Assistant Professor, Department of Digital Data Processing Technologies, Institute of Cybersecurity and Digital Technologies
78, Vernadskogo pr., Moscow, 119454
Scopus Author ID 57224822181
Competing Interests:
The authors declare no conflicts of interest.
Supplementary files
1. Classification of digital artifacts (type: research tools; 221 KB)
For citations:
Smirnov S.I., Eremeev M.A., Magomedov Sh.G., Izergin D.A. Criteria and indicators for assessing the quality of the investigation of an information security incident as part of a targeted cyberattack. Russian Technological Journal. 2024;12(3):25-36. https://doi.org/10.32362/2500-316X-2024-12-3-25-36. EDN: LNWLOK