Consistent and Compatible Modelling of Cyber Intrusions and Incident Response Demonstrated in the Context of Malware Attacks on Critical Infrastructure

This research bridges the gap between cyber-attack threat modeling and incident response by introducing a unified approach using the Security Modelling Framework (SecMoF) to convert Sequential AND (SAND) Attack Trees into interoperable Incident Response (IR) playbook formats. Case studies on critical infrastructure attacks, including BlackEnergy malware and the 2015 Ukraine power outage, demonstrate enhanced analysis capabilities and operational impact assessment through integrated modeling. #BlackEnergy #UkrainePowerOutage #SecMoF

Keypoints

  • This work unifies threat modeling and incident response by converting SAND Attack Trees into Compatible Intrusion Models (CIM) usable within IR playbooks via SecMoF.
  • The Security Model Converter (SMC) tool automates conversion of tab-indented SAND attack trees into FRIPP-compliant XML models for use in SecMoF.
  • CIMs enrich attack step data by including actuators (manual, automatic, dual, unknown) and related references, improving clarity and actionable intelligence.
  • The unified modeling approach enables mapping between attack steps and operational Dependency Models, facilitating impact assessment on critical infrastructure components.
  • Detailed analyses of BlackEnergy malware and the 2015 Ukraine power outage illustrate the benefits of integrated threat and response modeling for SOC analysts.
  • The methodology improves communication between technical and non-technical stakeholders by combining IR actions with operational context in a single framework.
  • A public knowledge base of nine critical infrastructure intrusion models in CIM format and open-source tooling are provided to support future research and practice.

Security Problem
The paper addresses the disconnect between cyber threat modeling (identifying potential attacks on a system) and the incident response (IR) playbooks used to recover from such attacks. Traditionally, threat models and IR playbooks are created independently using different formalisms, resulting in inconsistent or incompatible approaches that hinder effective risk management and operational response, especially in critical national infrastructure (CNI) environments where cyber-attacks can have catastrophic consequences. This gap reduces organizational resilience by preventing lessons learned from threat analysis from informing IR, and vice versa.

Methodology or Data
The authors propose a unified modeling framework by adapting Sequential AND (SAND) Attack Trees into Compatible Intrusion Models (CIM) that extend the Formalised Response to Incident Process Playbook (FRIPP) meta-model within the open-source Security Modelling Framework (SecMoF). They develop the Security Model Converter (SMC) tool to automate translation between tab-indented SAND trees and FRIPP XML models. Nine established cyber-intrusion models targeting CNI, including BlackEnergy and Ukrainian power grid attacks, are converted and analyzed. The integrated framework allows linking of attack steps to operational Dependency Models (DM), enabling evaluation of attack impacts on system components.
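The tab-indented-tree-to-XML conversion that the Keypoints and this paragraph attribute to the SMC tool can be illustrated with a small converter. The block below is an added example written for this summary, not the SMC tool's code or any SecMoF code: its line syntax (`[SAND]`/`[AND]`/`[OR]` operators, `@manual`-style actuator tags, `ref:` references), the XML element and attribute names, and the sample tree are all assumptions made for illustration, not the FRIPP/SecMoF schema or an entry from the paper's knowledge base. It does show the three enrichments the paper describes: ordered step numbering, an actuator on every step, and attached references.

```python
"""Convert a tab-indented SAND attack tree into an XML intrusion model.

Added example. The line syntax and the XML element names are assumptions
for this illustration; they are NOT the SMC input format or the FRIPP schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

OPERATORS = {"AND", "OR", "SAND"}                       # refinement operators
ACTUATORS = {"manual", "automatic", "dual", "unknown"}  # who performs a step


@dataclass
class Node:
    label: str
    operator: Optional[str] = None   # set only on refined (non-leaf) nodes
    actuator: str = "unknown"
    refs: List[str] = field(default_factory=list)
    step: str = ""                   # ordered step id, e.g. "1.2.1"
    children: List["Node"] = field(default_factory=list)


def parse_line(line: str) -> Tuple[int, Node]:
    """Return (depth, node); depth is the number of leading tabs."""
    depth = len(line) - len(line.lstrip("\t"))
    words, op, act, refs = [], None, "unknown", []
    for tok in line.strip().split():
        if tok[:1] == "[" and tok[-1:] == "]" and tok[1:-1] in OPERATORS:
            op = tok[1:-1]
        elif tok.startswith("@"):
            if tok[1:] not in ACTUATORS:
                raise ValueError(f"unknown actuator {tok!r} in {line.strip()!r}")
            act = tok[1:]
        elif tok.startswith("ref:"):
            refs.append(tok[4:])
        else:
            words.append(tok)
    return depth, Node(" ".join(words), op, act, refs)


def parse_tree(text: str) -> Node:
    """Build the tree; every child must sit exactly one tab deeper than its parent."""
    root: Optional[Node] = None
    stack: List[Tuple[int, Node]] = []  # path from the root to the current node
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth, node = parse_line(raw)
        if depth == 0:
            if root is not None:
                raise ValueError("more than one root node")
            root, stack = node, [(0, node)]
            continue
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if not stack or stack[-1][0] != depth - 1:
            raise ValueError(f"inconsistent indentation: {raw.strip()!r}")
        stack[-1][1].children.append(node)
        stack.append((depth, node))
    if root is None:
        raise ValueError("empty tree")
    return root


def number_steps(node: Node, prefix: str = "1") -> None:
    """Assign ordered step ids; child order is the SAND execution sequence."""
    if node.children and node.operator is None:
        raise ValueError(f"refined node {node.label!r} has no operator")
    if not node.children and node.operator is not None:
        raise ValueError(f"leaf {node.label!r} carries operator {node.operator}")
    node.step = prefix
    for i, child in enumerate(node.children, start=1):
        number_steps(child, f"{prefix}.{i}")


def leaf_sequence(node: Node) -> List[Tuple[str, str]]:
    """(step, actuator) for each leaf in tree order: exposes manual/automatic phases."""
    if not node.children:
        return [(node.step, node.actuator)]
    return [pair for c in node.children for pair in leaf_sequence(c)]


def to_xml(node: Node) -> ET.Element:
    el = ET.Element("step", {"id": node.step, "label": node.label,
                             "actuator": node.actuator})
    if node.operator:
        el.set("refinement", node.operator)
    for r in node.refs:
        ET.SubElement(el, "reference").text = r
    for c in node.children:
        el.append(to_xml(c))
    return el


def convert(text: str) -> str:
    root = parse_tree(text)
    number_steps(root)
    return ET.tostring(to_xml(root), encoding="unicode")


# Constructed sample tree with generic labels (not from the paper's knowledge base).
SAMPLE_TREE = (
    "Disable control-system component [SAND]\n"
    "\tObtain initial foothold [OR]\n"
    "\t\tCredential phishing @manual ref:REF-PLACEHOLDER-1\n"
    "\t\tExploit exposed service @automatic\n"
    "\tDeploy payload @automatic\n"
    "\tReach control network @manual\n"
    "\tIssue disruptive command @dual\n"
)

if __name__ == "__main__":
    root = parse_tree(SAMPLE_TREE)
    number_steps(root)
    print(convert(SAMPLE_TREE))
    print(leaf_sequence(root))
```

The converter rejects the two input defects that silently corrupt a sequence model: a child indented more than one level below its parent (which would attach it to the wrong step) and an actuator outside the four values the paper's CIM format allows. `leaf_sequence` is the view a SOC analyst would use to spot the manual-then-automatic phase boundary the paper highlights for BlackEnergy, since every manual step is a point where the attacker, not the tooling, must act.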

Key Findings
The conversion of SAND Attack Trees into CIMs enhances the representation of attacks by incorporating actuator types (manual/automatic), related references, and ordered step numbering, which are absent in original SAND models. Linking these CIMs to Dependency Models provides a nuanced understanding of how attack stages degrade operational system states. Case studies reveal that BlackEnergy relies heavily on manual attacker input followed by automated payload execution, highlighting potential intervention points. The Ukraine attack model demonstrated how chained manual and automated actions disabled critical SCADA system components. These insights demonstrate that a unified modeling approach informs both risk assessment and IR, improving organizational cyber resilience.
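The link between CIM attack steps and a Dependency Model, described in the Methodology and in this paragraph as the way attack stages are shown to degrade operational state, can be demonstrated with a small propagation routine. What follows is an added example for this summary, not SecMoF's Dependency Model implementation: the component names, the `all`/`any` dependency policies, the three-level state scale and the step effects are constructed assumptions about how such a model combines upstream states, and the step ids are illustrative.

```python
"""Propagate attack-step effects through an operational Dependency Model.

Added example, not SecMoF's own Dependency Model code. Component names,
dependency policies, state scale and step effects are constructed assumptions.
"""
from typing import Dict, List, Tuple

RANK = {"operational": 0, "degraded": 1, "failed": 2}
Model = Dict[str, Tuple[str, List[str]]]   # component -> (policy, dependencies)


def worst(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


def component_state(name, model, direct, memo, visiting=None):
    """State of a component = worst of its direct damage and inherited state."""
    visiting = visiting if visiting is not None else set()
    if name in memo:
        return memo[name]
    if name in visiting:
        raise ValueError(f"dependency cycle at {name!r}")
    visiting.add(name)
    policy, deps = model[name]
    state = direct.get(name, "operational")
    if deps:
        dep_states = [component_state(d, model, direct, memo, visiting) for d in deps]
        if policy == "all":               # needs every dependency
            inherited = max(dep_states, key=RANK.__getitem__)
        elif policy == "any":             # redundant: needs at least one
            if all(s == "failed" for s in dep_states):
                inherited = "failed"
            elif any(s != "operational" for s in dep_states):
                inherited = "degraded"    # redundancy lost, service still up
            else:
                inherited = "operational"
        else:
            raise ValueError(f"unknown policy {policy!r}")
        state = worst(state, inherited)
    visiting.discard(name)
    memo[name] = state
    return state


def system_state(model: Model, direct: Dict[str, str]) -> Dict[str, str]:
    memo: Dict[str, str] = {}
    return {c: component_state(c, model, direct, memo) for c in model}


def impact_timeline(model, effects):
    """Apply attack steps in CIM order; return (step, label, system state) per step."""
    direct: Dict[str, str] = {}
    timeline = []
    for step_id, label, changes in effects:
        for comp, st in changes.items():
            direct[comp] = worst(direct.get(comp, "operational"), st)
        timeline.append((step_id, label, system_state(model, direct)))
    return timeline


# Constructed model of a small control system (not from the paper).
MODEL: Model = {
    "hmi_workstation": ("all", []),
    "scada_server_a":  ("all", []),
    "scada_server_b":  ("all", []),
    "scada_service":   ("any", ["scada_server_a", "scada_server_b"]),  # redundant pair
    "rtu":             ("all", ["scada_service"]),
    "breaker_control": ("all", ["rtu", "hmi_workstation"]),
}

# Constructed step effects keyed by illustrative CIM step ids.
EFFECTS = [
    ("1.2", "Payload runs on operator workstation", {"hmi_workstation": "degraded"}),
    ("1.3", "Primary SCADA server taken offline",   {"scada_server_a": "failed"}),
    ("1.4", "Backup SCADA server taken offline",    {"scada_server_b": "failed"}),
]

if __name__ == "__main__":
    for step, label, state in impact_timeline(MODEL, EFFECTS):
        failed = sorted(c for c, s in state.items() if s == "failed")
        print(f"after {step} ({label}): failed={failed}")
```

The timeline is what makes the per-step view useful for response planning: after the first server is lost the redundant SCADA service is only degraded, so the model marks step 1.3 as the point where containment still prevents loss of breaker control, whereas after 1.4 the failure has propagated to every downstream component.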

Operational Relevance
By harmonizing threat modeling and incident response playbooks into a single consistent format, security teams—particularly SOC analysts—gain an integrated tool for understanding attack vectors and their operational consequences. The approach facilitates more effective development, maintenance, and execution of IR playbooks aligned with real attack scenarios, enhancing detection, containment, and recovery strategies in critical infrastructure environments. Furthermore, the framework’s usability for non-technical stakeholders fosters cross-disciplinary communication and decision-making. The open-source tooling and public CIM intrusion model repository provide valuable practical resources for improving cyber defense processes within and across organizations.

Read more: https://arxiv.org/html/2505.16398v1