Improved Cyber Defense Modeling Framework for Modeling and Simulating the Lifecycle of Cyber Defense Activities

Abstract

It is difficult to assess the business impact of a cyberattack and implement appropriate strategies or policies to enhance cyber resilience and counter future attacks. Penetration testing, which is currently gaining popularity, has been employed to assess cyber defense levels in actual operating environments. However, it is expensive and time-consuming and only reveals the current state of a problem without providing insights into potentially better alternative strategies. To overcome these limitations, cybersecurity modeling and simulation (M&S) research, which includes the crucial component of cyber-defense modeling, is being actively conducted. Most cyber defense modeling approaches only model defenses as a response to cyberattacks, neglecting to consider the complexities in the actual cyber defense activities of organizations. Consequently, the intended aim to evaluate and enhance cyber defense capabilities through analysis cannot be met. In this study, we present a cyber defense process model that models the entire lifecycle of cyber defense activities as the following five phases: prevention, monitoring and detection, initial response, attack analysis, and recovery response. This model not only accounts for defense steps that had been neglected in previous studies but also offers improvements to previously introduced defense steps. Additionally, we present a framework for applying initial and recovery response models by progressively integrating a unit response behavior model to counter cyberattacks. The applicability of the proposed model was verified by using a constructed prototype. The results of this study can be applied to developing an M&S-based experimental environment for assessing the sustainability of missions/businesses that have faced cyberattacks.