JP2019212143A - Damage prediction method, damage prediction system, and program - Google Patents

Abstract

To simulate an occurrence of a cyber incident and damage thereby.SOLUTION: In the damage prediction method for predicting a damage caused by a cyberattack of the prediction target system for executing processing for a given business, the computer reads the vulnerability model for each software used in the prediction target system, and generates vulnerability information occurrence date and vulnerability characteristics to evaluate the resulting risk due to the attack using the vulnerability to the element based on the network topology information of the elements constituting the prediction target system based on the probability model for the time elapsed from the vulnerability information occurrence date. If an attack has occurred, the occurrence of the attack against the vulnerability is determined, and the system predicts the occurrence of damage due to the attack on the result of the risk assessment and each element.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a damage prediction system and damage prediction method for a cyber incident.

  While various systems and devices are connected to the Internet, various businesses cooperate with IT technology, these logs are reused, and business is becoming smarter. The impact on continuity is serious.

  In order to ensure business continuity against these cyber attacks, it is necessary to identify risks and respond appropriately to cyber incidents.

  However, it is necessary to clarify the probability that a cyber incident will occur in order to properly evaluate the risk against the cyber incident, but statistical information that clearly shows the causal relationship of the cyber incident is not prepared. A method for clarifying the probability of occurrence of cyber incidents and the expected value of damage is required in the systems, security measures, and security postures of each business entity without relying on these statistical information.

  Patent Document 1 is known as a conventional technique for managing vulnerabilities in an information system and evaluating its security risk. In Patent Document 1, based on system configuration information related to the configuration of a business system to be evaluated and information related to information security, a vulnerability detection unit that detects a vulnerability of a device, and a vulnerability node that indicates a detected vulnerability A device risk evaluation model generating unit that generates a device risk evaluation model for evaluating a risk that a detected vulnerability may occur in the device by arranging the device node indicating the device in association with each other, and a predetermined risk The risk that a detected vulnerability can occur in a given business process by adding a business-related node related to business processing included in business-related information processing to the device risk assessment model and associating the business-related node with the device node A business-related risk assessment model that generates a business-related risk assessment model for assessing And a part, to evaluate the business risk.

JP 2017-224053 A

  In the prior art, by associating vulnerability information with product information, vulnerability information related to the information processing system to be managed is selected from a large amount of vulnerability information, and the vulnerability information indicated by the selected vulnerability information is displayed. Based on the technical characteristics, the risk that the vulnerability poses to the information processing system can be evaluated.

  In addition, with the conventional technology, if the information processing system is stopped to deal with vulnerabilities, there is a risk of adverse effects such as hindering the smooth processing of operations and decreasing sales. In addition to evaluating the technical impact of vulnerability information processing systems to help determine whether and when vulnerabilities should be addressed based on The impact can also be evaluated.

  However, from the viewpoint of business continuity planning, the conventional technology has a problem that it is difficult to make a reasonable prediction as to how much cyber incidents are expected in the near future in the current business system.

  Therefore, an object of the present invention is to provide a system and a damage occurrence simulation method for simulating the occurrence of a cyber incident and the occurrence of damage.

  The present invention relates to a damage prediction method for predicting damage caused by a cyber attack of a prediction target system that executes processing related to a predetermined business on a computer having a processor and a memory, and the processor is used in the prediction target system. A first step of reading a vulnerability model for each software to generate a date of occurrence of vulnerability information and a characteristic of the vulnerability, and the processor based on network topology information of elements constituting the prediction target system, A second step of evaluating a risk that an attack using the vulnerability reaches the element; and the processor is configured to deal with the vulnerability based on an occurrence probability model with respect to a lapse of time from the occurrence date of the vulnerability information. A third step of determining the occurrence of an attack, and the processor has attacked the vulnerability If determined, the result of the risk assessment, the fourth step of predicting the occurrence of damage due to the attack on each element, and the processor reflects the countermeasure status of the prediction target system for the vulnerability And a sixth step in which the processor generates a random number and repeats the first to fifth steps up to a predetermined number of times.

  According to the present invention, based on the reachability of an attack according to the network topology of a business system device, triggered by the occurrence of vulnerability information based on the issuance statistics of vulnerability information of software that functions as each device of the business system. It is possible to simulate the occurrence of damage on each device.

It is a flowchart figure which shows the Example of this invention and shows the outline | summary of one example of embodiment of the damage prediction system and damage prediction method with respect to a cyber incident. It is a block diagram which shows the Example of this invention and shows an example of a structure of a computer. It is a flowchart of the process which shows the Example of this invention and simulates the generation | occurrence | production timing of vulnerability information. It is a flowchart of the process which shows the Example of this invention and simulates the characteristic of the vulnerability information to generate | occur | produce. It is a figure which shows the Example of this invention and shows an example of the structure of the vulnerability information table to generate | occur | produce. It is a figure which shows the Example of this invention and shows an example of a structure of a database. It is a figure which shows the Example of this invention and shows an example of the table which defines the network information which comprises a business system. It is a figure which shows the Example of this invention and shows an example of the table which defines the apparatus information which comprises a business system. It is a figure which shows the Example of this invention and shows an example of the table which manages the condition of the vulnerability information detected by the apparatus which comprises a business system. It is a detail of the flowchart of the process which shows the Example of this invention and performs damage | occurrence | production occurrence simulation. It is a flowchart of the process which shows the Example of this invention and calculates an excess damage probability curve or a reproduction period. The Example of this invention is shown and it is a screen structural example of a vulnerability generation | occurrence | production simulator part. The Example of this invention is shown and it is a screen structural example of a damage generation | occurrence | production simulator part. It is a figure which shows the Example of this invention and shows an example of an attack scenario table.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. As will be described below, an example showing an example of the present embodiment relates to a damage prediction system and a damage prediction method for a cyber incident, predicts the occurrence of damage in a business system, and assists in the determination of how to deal with the risk.

<Overview of the whole>
FIG. 1 is a flowchart showing an overall outline of one example of this embodiment. FIG. 1 shows a flowchart of an overview of an embodiment to the extent necessary to understand and implement the present invention.

  The damage prediction system and damage prediction method for a cyber incident according to the present invention includes the following steps.

  Prior to the start of this process, the probability distribution model 112 relating to the occurrence of vulnerability information for each software product, the system configuration information and countermeasure status 113 of the prediction target, and the devices (elements that constitute the system of the prediction target) ) Is estimated in advance. Further, it is assumed that the computer 200 has also received a loop repetition count N in advance.

  The computer 200 (see FIG. 2) constituting the damage prediction system starts processing in step 101. In step 102, the computer 200 simulates the variation in the generation timing of vulnerability information for each product with a random number based on the probability distribution model 112 for each product regarding the generation of vulnerability information. Further, the computer 200 simulates the variation in the characteristics of the generated vulnerability information with random numbers based on the probability distribution model 112 regarding the vulnerability characteristics of the generated vulnerability information, and simulates the generation of the vulnerability information for one year. To do.

  In step 103, the computer 200 acquires vulnerability information at a predetermined timing of the year, refers to the system configuration information and the countermeasure status 113, performs risk evaluation for each device, and calculates a risk value. As a method for this risk evaluation, the method of Patent Document 1 may be used. In the following description, the vulnerability risk evaluation method disclosed in Patent Document 1 is used. That is, risk assessment for vulnerability is performed based on the attack reachability according to the network topology of the devices (elements) constituting the prediction target system.

  Further, the system configuration information and the countermeasure status 113 can include a table relating to the business process of Patent Document 1, the network information table 700 of the present embodiment, the device information table 800, and the vulnerability status management table 900.

  In step 104, the computer 200 reads the damage estimate 114 for each device, simulates the variation in damage occurrence according to the risk value for each device calculated in step 103 with a random number, calculates the damage amount for each device, Record.

  In step 105, the computer 200 repeats the processing in steps 102 to 104 for one year (365 days). After the repetition process is completed, the process proceeds to step 106.

  In step 106, the computer 200 repeats the processing of steps 102 to 105 a predetermined number of times (N), and calculates and records the predetermined amount of annual damage.

  In step 107, the computer 200 totals the damage calculation results of step 104 for one year (365 days) of each repetition, and calculates and records the annual damage amount.

  In step 108, the computer 200 calculates an excess loss probability curve (or reproduction period curve) from a predetermined number (N times) of annual damage amount. The excess loss probability curve can be calculated from the excess probability year and the excess probability. In step 109, the computer 200 ends the process.

  Devices (elements) and network topology that make up a business system triggered by issuing vulnerability information based on vulnerability information issuance statistics of software products that provide the functions of each device of the business system to be predicted by the above processing It is possible to simulate the occurrence of damage of each device based on the attack reachability according to the. Therefore, the damage prediction system can calculate the excess loss probability curve by counting annual damage occurrence and repeatedly evaluating the annual damage amount using the Monte Carlo method, and can realize the loss prediction of the business model. it can.

<Hardware configuration>
FIG. 2 is a block diagram illustrating an example of the configuration of the computer 200 according to this embodiment. The computer 200 includes, for example, a CPU 201, a memory 202, a storage device 203, an input device 204, an output device 205, and a communication device 206.

  The CPU 201 executes a program loaded on the memory 202. In the present embodiment, an example is shown in which the vulnerability information generation simulator 210, the vulnerability risk evaluation unit 220, the damage generation simulator 230, and the damage prediction unit 240 are loaded into the memory 202 as programs. In the description of each flowchart, the subject of processing is the computer 200, but the CPU 201 may be used.

  The storage device 203 is composed of a nonvolatile storage medium, and stores data used by the program.

  In the present embodiment, as data, a probability distribution model 112 for each product, system configuration information and countermeasure status 113, a damage estimate 114 for each device, a vulnerability information occurrence date list 402, and a probability probability table of vulnerability characteristics are generated. 406, cumulative probability distribution information 1005 with respect to the number of days elapsed from the vulnerability occurrence date until the Exploit code is released, a damage amount table 1030, a damage occurrence record 1020, and a database 600 are stored. Details of each data will be described later. Note that data such as the probability distribution model 112 to the damage occurrence record 1020 may be stored in the memory 202.

  Note that the probability distribution model 112 for each product and the occurrence probability table 406 for vulnerability characteristics are values set for each product (software), so these may be treated as vulnerability models for products (software). good. Alternatively, the probability distribution model 112 and the vulnerability characteristic occurrence probability table 406 may be created for each type of product (for example, a type classified by software functions such as OS, Web, DB, or other middleware).

  The input device 204 is configured with a keyboard, a mouse, or a touch panel, and accepts user input. The output device 205 includes a display and displays information. The communication device 206 is connected to the network 207 and communicates with other computers.

  The CPU 201 operates as a functional unit that provides a predetermined function by performing processing according to a program of each functional unit. For example, the CPU 201 functions as the vulnerability information generation simulator 210 by performing processing according to the vulnerability information generation simulation program. The same applies to other programs. Furthermore, the CPU 201 also operates as a functional unit that provides each function of a plurality of processes executed by each program. A computer and a computer system are an apparatus and a system including these functional units.

  Information such as programs and tables for realizing each function of the computer 200 is stored in a storage device 203, a nonvolatile semiconductor memory, a hard disk drive, a storage device such as an SSD (Solid State Drive), or an IC card, SD card, DVD, etc. It can be stored on a computer readable non-transitory data storage medium.

  Each program loaded in the memory 202 performs the following processing. The vulnerability information generation simulator 210 simulates the generation of vulnerability information for each product based on the probability distribution model 112 for each product. The vulnerability risk evaluation unit 220 calculates a risk value for each device based on the system configuration and evaluates the risk.

  The damage occurrence simulator 230 estimates the amount of damage for each year based on the damage estimate 114 for each device. And the damage prediction part 240 controls each said program, and calculates an excess damage probability curve (reproduction period).

<Vulnerability information generation timing simulation>
FIG. 3 is a flowchart of processing in which the vulnerability information generation simulator 210 simulates the generation timing of vulnerability information. This process is performed in a part of step 102 shown in FIG.

  The computer 200 starts the N-th process in step 300. N indicates the number of repetitions of the processing loop of FIG. In step 301, the computer 200 reads function parameters from the probability distribution model 112 for each product set in advance.

  As shown in FIG. 3, the probability distribution model 112 includes a product ID 1121 that stores an identifier of a software product (or product), a function 1122 that stores the type of the probability distribution model, and a constant term 1123 that stores parameters. An entry is constructed.

  In the probability distribution model 112, a probability distribution model and parameters are set in advance for each piece of software used in the business system to be predicted.

  In step 302, the computer 200 substitutes i = 1 and Tx [0] = 0 as initial values. Note that i represents a counter value, and Tx is a numerical value representing the occurrence timing of vulnerability information for one year in decimal. For example, since 0.1 year is 365 × 0.1 days, February 5 days. Further, the computer 200 selects one product.

  In step 303, the computer 200 determines the value of Tx. If Tx [i−1] <1, the computer 200 proceeds to step 304, otherwise proceeds to step 306. In other words, if the value of Tx is one year or more, the occurrence timing of vulnerability information for 365 days has been calculated for the currently selected product, and the process proceeds to step 306.

In step 304, the computer 200 generates a random number (or pseudo random number) R. Next, in step 305, the computer 200 acquires the previous generation timing CT = Tx [i−1], and then
Tx [i] = CT−Ln (R) / E (x)
Calculate

  Here, E (x) is set according to a probability distribution function related to the generation of vulnerability information for each product. For example, when the probability distribution is a Poisson distribution, the average number of occurrences per year is obtained. When the variation is large, vulnerability generation can be modeled by a negative binomial distribution. Here, the function Ln is a function that returns a logarithm (natural logarithm) with the constant e as a base.

  Then, the computer 200 increments the counter value i and then returns to step 303 to repeat the above processing.

  In step 306, the computer 200 converts the decimal number (unit year) Tx indicating the occurrence timing of vulnerability information into a date using a function (ChangeDate function) that converts the date into a date, and displays a vulnerability information occurrence date list for each product (FIG. Medium OccurrProductList) 402. For example, the vulnerability information occurrence date list 402 can be configured by a table including a date and a product ID in one entry.

  In step 308, if the computer 200 has finished generating the vulnerability information occurrence date list 402 for all product IDs 1121 set in the probability distribution model 112, the process ends in step 308.

  On the other hand, if the generation of the vulnerability information occurrence date list 402 has not been completed for all product IDs 1121, the above steps 301 to 306 are repeated in order to simulate the generation timing of the next product list.

  Through the above processing, a one-year vulnerability information occurrence date list 402 is generated for each product ID based on the probability distribution model 112.

<Simulation of generated vulnerability information>
FIG. 4 is a flowchart of processing for simulating the characteristics of vulnerability information generated by the vulnerability information generation simulator 210. This process is executed as part of step 102 shown in FIG.

  The computer 200 starts the N-th process in step 400. N indicates the number of repetitions of the processing loop of FIG. In step 401, the computer 200 substitutes Date = January 1 as an initial value.

  In step 403, the computer 200 reads the vulnerability information occurrence date list 402 for each product generated in FIG. 3, determines whether there is any vulnerability information on the date corresponding to Date, and if there is any If not, the process proceeds to step 411.

  In step 404, the computer 200 generates an expression product list (OccurProductList in the figure) that generates vulnerability information at the current Date from the vulnerability information occurrence date list 402 for each product. The expression product list is intermediate data for generating the vulnerability information table 500, and includes, for example, an occurrence date (Date) and a product ID (Pid).

  In step 405, the computer 200 generates a random number R. In step 407, the computer 200 reads the parameters of the corresponding product from the vulnerability characteristic occurrence probability table 406 for each product, and determines the vulnerability characteristic from the occurrence probability corresponding to the random number R generated in step 405.

  In step 408, the computer 200 generates vulnerability information of the vulnerability characteristic determined in step 407 as vulnerability information generated in the current Date, and the Date (date), product ID, vulnerability characteristic, and vulnerability To the sex information table 500. Details of the vulnerability information table 500 will be described later with reference to FIG. Further, the computer 200 can write vulnerability information of a plurality of product IDs on the same date.

  In step 409, the computer 200 refers to the vulnerability information occurrence date list 402, and if there is vulnerability information of other products that occur in the current Date, the computer 200 returns to step 405 and performs the processing in steps 405 to 408. repeat. Here, depending on the generation parameter, vulnerability information of the same product may be generated.

  In step 410, the computer 200 returns to step 403 from step 411 and repeats the above processing until Date becomes December 31. In step 411, the computer 200 increments Date and repeats the above processing for the next day. In step 412, the computer 200 ends the above processing.

  As a result of the above processing, an entry is added to the vulnerability information table 500 in which vulnerability characteristics are estimated for each product ID with respect to the date of occurrence of vulnerability information in the vulnerability information occurrence date list 402. That is, the vulnerability information occurrence date (timing) and its characteristics for one year are generated in the vulnerability information table 500.

  Here, the probability distribution function of vulnerability information occurrence and the vulnerability characteristic occurrence probability table 406 are vulnerability information maintained by IPA (Information Processing Promotion Organization) and US NIST (National Institute of Standards and Technology). Based on the information in the database, it is modeled and set in advance according to the annual number of occurrences and the content ratio of each vulnerability characteristic.

  Further, the annual number of occurrences of vulnerability information is approximated by Poisson distribution or negative binomial distribution, and the variation in generation timing is simulated by random numbers as shown in the flowchart of FIG. As for the vulnerability characteristic, vulnerability information is generated by determining a combination of vector values of CVSS (Common Vulnerability Scoring System) by a random value so that the vulnerability characteristic is assigned according to a statistical ratio.

  As shown in FIG. 3, the vulnerability characteristic occurrence probability table 406 of the present embodiment includes a CVSS pattern 4061, Pa4062-1 for storing the occurrence probability of product a, and Pb4062-2 for storing the occurrence probability of product b. Shows an example in which one entry is configured. Occurrence probability can be set up to 4062-n according to the number Pn of products.

<Database configuration>
FIG. 6 is a diagram illustrating an example of a configuration of a database 600 that stores information necessary for processing in the storage device 203 of the present embodiment.

  The database 600 includes a vulnerability information table 500, a network information table 700, a device information table 800, a vulnerability status management table 900, and an attack scenario table 610.

  FIG. 5 is a diagram showing an example of the configuration of vulnerability information 500 generated in the simulation. The vulnerability information 500 includes a vulnerability ID 501 that stores an identifier that uniquely identifies a vulnerability, and an affected software 502 that stores an identifier and a name of software (or product) affected by the vulnerability specified by the vulnerability ID 501. CVSS (fragile characteristics) 503 for storing CVSS vector information as vulnerability vulnerability, CWE (type) 504 for storing the type of vulnerability as a classification number CWE (Common Weakness Enumeration), etc. Whether or not the vulnerability is a vulnerability for which an exploit code (attack procedure) is disclosed, an exploit status identifier 505 for storing the status of whether or not the exploit code has been disclosed, and the date and time 506 when the vulnerability occurred One entry is configured. The generated vulnerability information 500 is stored in the storage device 203.

  FIG. 7 is a diagram illustrating an example of a network information table 700 that defines information on a network that constitutes a business system to be predicted in the present embodiment.

  The network information table 700 includes a network segment ID 701 for storing an identifier for uniquely identifying a network segment, network segment information 702 related to the network segment specified by the network segment ID 701, and a network segment specified by the network segment ID 701. A reachable segment ID list 703 that stores identifiers of segments that can be reached by the message and an external connectivity 704 that stores the presence or absence of external connection of the network segment specified by the network segment ID 701 constitute one entry.

  The network information table 700 is data set in advance for each business system to be predicted.

  FIG. 8 is a diagram illustrating an example of a device information table 800 that defines device information constituting the business system to be predicted in the present embodiment.

  In the device information table 800, a device ID 801 that stores an identifier that uniquely identifies a device, device information 802 that stores information related to the device specified by the device ID 801, and a device specified by the device ID 801 belong (connect). Connected segment ID list 803 for storing a list of network segment IDs, device type 804 for storing the type of device specified by device ID 801, and software (or product) installed in the device specified by device ID 801 ) Is stored in the software list 805, and one entry is configured.

  The device information table 800 is data set in advance for each business system to be predicted.

  FIG. 9 is a diagram showing an example of a vulnerability status management table 900 for managing the status of vulnerability information detected for devices constituting the business system to be predicted in the present embodiment.

  The vulnerability status management table 900 stores a detection ID 901 that stores an identifier that uniquely identifies a vulnerability detected by each device, and a vulnerability that stores an identifier that specifies vulnerability information of the detected vulnerability specified by the detection ID 901. A device ID 903 that stores an identifier that identifies a device having a detection vulnerability identified by the detection ID 901, a countermeasure status 904 that stores a countermeasure status of the detection vulnerability identified by the detection ID 901, and a detection ID 901 One entry is configured from the update date and time 905 when the status of the identified detection vulnerability is updated.

  Here, the countermeasure status 904 of the detected vulnerability is defined in two situations where the countermeasure is not taken and the countermeasure is taken. The vulnerability status management table 900 is generated or updated by the damage occurrence simulator 230.

<Damage simulation>
FIG. 10 is a flowchart showing an example of processing in which the damage occurrence simulator 230 performs a damage occurrence simulation in this embodiment. This process shows the details of the processes of steps 104 to 105 shown in FIG.

  In step 1000, the computer 200 starts the N-th process. N indicates the number of repetitions of the processing loop of FIG. Next, in step 1001, the computer 200 substitutes Date = January 1 as an initial value.

  In step 1002, the computer 200 reads the vulnerability occurrence date and time 506 corresponding to the Date, the vulnerability ID 501, the affected software 502, and the Exploit state identifier 505 from the vulnerability information table 500, and has occurred at the current Date. Vulnerability information is detected.

  In step 1003, the computer 200 refers to the countermeasure status 904 of the vulnerability status management table 900 and determines whether a countermeasure has been taken for the detected vulnerability information. If no countermeasure has been taken, it is determined that there is unmeasured detection information, and the process proceeds to step 1004. On the other hand, if a countermeasure is taken for the detected vulnerability information, the process proceeds to step 1015 and the above process is repeated for the next Date.

  For example, if the update date / time 905 of the vulnerability status management table 900 is before the current Date and the countermeasure status 904 is “Countermeasured”, the vulnerability is already determined. Can be determined.

  In step 1004, the computer 200 generates a random number R1. In step 1006, the computer 200 calculates the difference between the date of occurrence of vulnerability information and the date of occurrence of vulnerability information inherent in each device of the business system to be predicted (that is, the number of days elapsed since the date of occurrence of vulnerability information).

  Then, the computer 200 refers to the cumulative probability distribution information 1005 with respect to the number of days elapsed from the vulnerability occurrence date until the Exploit code is released, and if the random number R1 exceeds the occurrence probability of the Exploit code release. As an Exploit code expression, a mark is set for the corresponding vulnerability.

  Note that the cumulative probability distribution information 1005 with respect to the number of days elapsed is a damage occurrence probability model that is set in advance with the passage of time for each vulnerability. Further, the cumulative probability distribution information 1005 is set with the probability of occurrence of damage with respect to the number of days elapsed from the date of occurrence of vulnerability information depending on the security operation status in the business system to be predicted.

  In step 1007, if there is a vulnerability in which the Exploit code is newly expressed, the computer 200 proceeds to step 1008, otherwise proceeds to step 1015.

  In step 1008, the computer 200 evaluates the possibility of reaching an attack for each device only for the vulnerability in which the Exploit code is expressed.

  The evaluation of the possibility of reaching the attack can use the method described in the above-mentioned Patent Document 1. From the reachable segment ID list 703 of the network information table 700 and the connection segment ID list 803 of the device information table 800, The probability of attacks (messages) is evaluated by calculating the marginal probability between them.

  In step 1009, the computer 200 generates a random number R2. Next, in Step 1010, the computer 200 identifies an attack reachable device exceeding the random number R2. The attack reachability is expressed by the peripheral probability of each node (device) calculated in the Bayesian network in Patent Document 1.

  In step 1011, the computer 200 determines whether there is an attack reachable device exceeding the random number R <b> 2. If there is a device exceeding the random number R2, the process proceeds to step 1012. Otherwise, the process proceeds to step 1015.

  In step 1012, the computer 200 determines the impact of the devices and vulnerabilities identified as reaching the attack on the basis of CVSS based on the damage amount table 1030 classified by CIA (confidentiality: Confidentiality, integrity: Integrity, availability: Availability) for each device. The amount of damage for each CIA is calculated from the vector, and the damage is recorded in the damage occurrence record 1020 for each device. The damage amount table 1030 is a preset table.

  The damage amount table 1030 includes, in one entry, a device ID 1031, a C 1032 in which a damage amount related to confidentiality is set, an I 1033 in which a damage amount related to integrity is set, and A 1034 in which a loss amount related to availability is set. .

  In step 1011, the computer 200 reflects the countermeasure status against the exposure of damage in step 1012 as described later. In step 1014, the computer 200 proceeds to step 1016 if the date is December 31, otherwise proceeds to step 1015.

  In step 1015, the computer 200 increments Date, returns to step 1002, and repeats the above processing. In step 1016, the computer 200 ends the process.

  Here, the probability distribution 1005 with respect to the number of days elapsed from the date of occurrence of the vulnerability information to the time when the Exploit code is released is a normalized accumulation of the vulnerability information for which the Exploit code has been released with respect to the number of days elapsed since the occurrence of the vulnerability information. It can be calculated by generating a histogram. For example, normalized histogram information is stored in a table or CSV file (elapsed days, normalized cumulative frequency).

  Further, the reflection of the countermeasure status at the time of occurrence of damage in step 1011 differs depending on the contents of the response procedure set in advance for each organization operating the business system. For example, the following pre-set examples can be considered.

  (A) Regardless of whether damage has occurred or not, if there is a procedure for regularly performing vulnerability patches and countermeasures for published vulnerabilities, countermeasure intervals (such as periodic maintenance intervals) are set for each organization.

  (B) A means for detecting the presence or absence of an attack is taken, and it is procedural to take immediate measures after detection regardless of the presence or absence of damage. Examples of detection and countermeasure means include virus vaccine software, IDS (intrusion detection system), and WAF (Web application firewall).

  (C) In the event of damage, countermeasure procedures have been decided and the scope of countermeasures has been set.

  In accordance with these countermeasure statuses, the computer 200 updates the content of the countermeasure status 904 in the vulnerability status management table 900 in step 1013 described above. Note that the computer 200 can add a new entry to the vulnerability status management table 900 if it is a new vulnerability ID.

  As a result of the above processing, the amount of damage due to an incident is generated as a damage occurrence record 1020 for each device based on the damage amount table 1030 set in advance for devices having an attack reachability exceeding the random number R2.

  FIG. 11 is a flowchart in which the damage prediction unit 240 in this embodiment calculates an excess damage probability curve or a reproduction period. This process is performed in steps 107 to 108 in FIG.

  In step 1100, the computer 200 starts processing. In step 1101, the computer 200 assigns 0 to the counter n as an initial value. In step 1102, the computer 200 reads the damage occurrence record 1020 for each device, calls the damage amount due to each repeated (N) incident, calculates the sum, and records it.

  In step 1103, if the computer 200 has completed the calculation of the N sums that have been repeatedly calculated, the process proceeds to step 1104, and if not, the process proceeds to step 1107.

  In step 1105, the computer 200 repeatedly sorts N times in descending order of the annual damage amount. In step 1106, the computer 200 numbers (numbers) the items in the order of repeated times with the smallest annual damage amount.

  In step 1107, the damage amount indicated by the number assigned by the computer 200 is a reproduction period in which the damage occurs. The computer 200 generates a graph in which the vertical axis represents the limited period and the horizontal axis represents the amount of damage. After generation, go to step 1108.

  In step 1107, the computer 200 increments the counter n and returns to step 1102. In step 1108, the process ends.

  Here, in the above step 1107, when the excess damage probability curve is generated, the excess probability P is calculated as follows, assuming the numbered numerical value X.

  P = (N−X) / N (Equation 1)

  The computer 200 sets an excess probability P on the vertical axis and generates an excess loss probability curve graph with the damage amount on the horizontal axis.

<Screen configuration example>
FIG. 12 is a diagram illustrating an example of a screen configuration of the vulnerability occurrence simulator unit 1200 according to the present embodiment. The screen of the vulnerability generation simulator unit 1200 generated by the vulnerability information generation simulator 210 includes a vulnerability generation controller 1210, a vulnerability occurrence status monitor 1220, and a vulnerability information detail confirmation unit 1230.

  Vulnerability generation controller 1210 can input the software that is the target of the incident, the generated mathematical expression model, and parameters of the mathematical expression. It is possible to add or delete these target software and specify the number of repetitions of annual vulnerability information.

  Further, details such as the probability of occurrence of vulnerability characteristics (CVSS and CWE) of each software and the probability of occurrence of an Exploit code can be set. Furthermore, the vulnerability generation process can be started according to these conditions.

  The vulnerability occurrence status monitor 1220 can display a graph of the number of occurrences of vulnerability information per month for each repetition (N). The pull-down menu 1221 can switch the display mode of the graph to the breakdown of each software, the CVSS value classification (High, Middle, Low), the CWE classification, and the presence / absence of occurrence of the Exploit code.

  The generated vulnerability information detail confirmation unit 1230 can display a list of generated vulnerability information. As items of vulnerability information, CVE-ID 1231, target software 1232, CVSS vector 1233, CWE 1234, presence / absence of occurrence of Exploit code 1235 can be displayed.

  The generated vulnerability information detail confirmation unit 1230 has a condition input field 1236 for narrowing down the range of the list display. As the narrowing-down conditions, it is possible to set repetition times, software name, month of occurrence, CVE-ID, vulnerability characteristic information, and the like.

  FIG. 13 is a diagram illustrating an example of a screen configuration of the damage occurrence simulator unit 1300 of the present embodiment. The damage occurrence simulator unit 1300 generated by the damage occurrence simulator 230 includes a controller unit 1310, a BIA (Business Impact Analysis) analysis parameter setting unit 1320, an organization countermeasure status parameter setting unit 1330, and a result monitor unit 1340.

  The damage occurrence simulator controller unit 1310 can specify the number of repetitions and instruct the start of simulation execution.

  The BIA analysis parameter setting unit 1320 can set the impact on the damage amount for each device for each CIA (C: confidentiality violation, I: integrity violation, A: availability violation). You can also read or write these settings from a file.

  Moreover, the countermeasure period for every apparatus can be set. For example, settings are made such that an immediate countermeasure is provided by an update service for a PC, a periodic maintenance countermeasure is provided for the Web and DB, and a countermeasure is taken every six months for the control device.

  The organization countermeasure status parameter setting unit 1330 can set a period of periodic maintenance measures, organization detection capability (average attack detection time), organization defense capability (attack protection probability, loss reduction rate), and the like. The organizational defense capability may be a parameter for controlling the attack defense probability (loss occurrence probability) according to the security measures of the business system to be predicted.

  The result monitor unit 1340 can select and display a damage amount reproduction period graph, an excess loss probability curve graph, and the like. These results can be output as a file.

  According to this embodiment configured as described above, the network topology of the business system device is triggered by the issuance of vulnerability information based on the issuance statistics of the vulnerability information of the software that functions as each device of the business system. It is possible to simulate the occurrence of damage of each device based on the corresponding attack reachability. Therefore, according to the present invention, the excess damage probability curve can be calculated by repeatedly evaluating the annual damage occurrence by the Monte Carlo method. As a result, the management can accurately handle the risk of business continuity by presenting the scale of damage caused by cyber incidents and the probability of their occurrence.

<Extended example of embodiment>
In the present embodiment so far, damage is simulated only by the reachability of the attack due to the vulnerability of the device and the network topology of the device without considering the intention of the attacker, but depending on the characteristics of the business system, An attack scenario may be set to simulate the damage caused by a cyber attack.

  For example, when the business system to be predicted is a Web service, for an attack from the Internet, an intrusion from the Internet is assumed as an attack scenario, and the occurrence of damage assuming personal data fraud damage due to the intrusion into the business system is reflected in the BIA analysis result Then, the attack origin is set at the Internet boundary and the occurrence of damage is simulated.

  Note that an attack scenario table 610 stored in the database 600 of FIG. 6 can be used as the attack scenario. As shown in FIG. 14, the attack scenario table 610 is a preset table including an attack scenario ID 611, an attack type / name 612, an attack starting point 613, and an attack purpose 614 in one entry. Here, the attack reachability from the attack starting point set at the attack starting point 613 is evaluated, and the damage occurrence is simulated by calculating the damage to the CIA indicated for the purpose of the attack.

  In addition, in the case of IIoT (Industrial Internet of Things), in addition to intrusion from the Internet, the occurrence of damage related to business continuity assuming a DoS attack due to ransomware infection to worker PCs is reflected in the BIA analysis results and attacks The starting point is set at the Internet boundary and the worker PC, and the occurrence of damage is simulated.

<Summary>
Further, in the present embodiment so far, whether or not an attack is successful is determined based on whether or not there is a vulnerability of the device, but it is also possible to consider whether or not an attack can be successful depending on whether or not there is a countermeasure. For example, the prevention of damage is simulated by setting the success probability of an attack using vulnerability based on whether virus vaccine software is installed and the update rule of the pattern file. In addition, by setting the success probability of vulnerability attacks over the Internet to the internal devices by introducing FW, IDS, WAF at the Internet boundary and operating rules for updating their signatures, attacks from the Internet Simulate the damage caused by.

  In the present embodiment, the organization countermeasure status parameter setting unit 1330 sets these countermeasure statuses as the organization detection capability as a period until an attack can be detected, or as the organization defense capability as a probability of successful attack defense. Then, the occurrence of damage is simulated by weighting the random number of the damage occurrence simulation.

  In addition, this invention is not limited to the above-mentioned Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described.

  Each configuration, function, processing unit, processing means, and the like of the embodiments may be realized in hardware by designing a part or all of them with an integrated circuit, for example. Each of the above-described configurations, functions, and the like may be realized by software by the processor interpreting and executing a program that realizes each function. Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, or an SSD, or a recording medium such as an IC card, an SD card, or a DVD.

  The control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. In practice, it may be considered that almost all the components are connected to each other.

200 Computer 201 CPU
202 Memory 203 Storage Device 204 Input Device 205 Output Device 206 Communication Device 210 Vulnerability Information Generation Simulator 220 Vulnerability Risk Evaluation Unit 230 Damage Occurrence Simulator 240 Damage Prediction Unit

Claims (15)

A damage prediction method for predicting damage caused by a cyber attack of a prediction target system that executes processing related to a predetermined business on a computer having a processor and a memory,
A first step in which the processor reads a vulnerability model for each software used in the prediction target system and generates an occurrence date of vulnerability information and a vulnerability characteristic;
A second step in which the processor evaluates a risk that an attack using the vulnerability reaches the element based on network topology information of the element constituting the prediction target system;
A third step in which the processor determines the occurrence of an attack against the vulnerability based on an occurrence probability model with respect to the passage of time from the occurrence date of the vulnerability information;
If the processor determines that an attack against the vulnerability has occurred, a fourth step of predicting the result of the risk assessment and the occurrence of damage due to the attack on each element;
A fifth step in which the processor reflects a countermeasure status of the prediction target system with respect to the vulnerability;
A sixth step in which the processor generates a random number and repeats the first step to the fifth step a predetermined number of times;
A damage prediction method comprising: The damage prediction method according to claim 1,
The third step includes
The damage prediction method, wherein the occurrence probability model is set according to characteristics of the vulnerability information. The damage prediction method according to claim 1,
The fourth step includes
A damage prediction method, characterized in that a damage amount is calculated in accordance with a type of the element and a characteristic of vulnerability. The damage prediction method according to claim 1,
The first step includes
A damage prediction method, wherein a probability distribution of occurrence of the vulnerability is preset for each software. The damage prediction method according to claim 1,
The fourth step includes
A damage prediction method, characterized by controlling a probability that damage will occur depending on the presence or absence of security of the prediction target system. The damage prediction method according to claim 1,
The third step includes
A damage prediction method, wherein a damage occurrence probability with respect to the number of days elapsed since the occurrence of a vulnerability is set according to a security operation state in the prediction target system. The damage prediction method according to claim 1,
The damage prediction method further comprising: a seventh step in which the processor calculates a sum of damages for each repetition up to a predetermined number of times and calculates an excess damage probability based on the sum. A damage prediction system that predicts damage caused by a cyber attack on a prediction target system that performs processing related to a predetermined business on a computer including a processor and a memory,
A vulnerability information generation simulator that reads a vulnerability model for each software used in the prediction target system and generates a vulnerability information generation date and a vulnerability characteristic;
A vulnerability risk evaluation unit that evaluates a risk that an attack using the vulnerability reaches the element based on network topology information of an element constituting the prediction target system;
Based on an occurrence probability model with respect to the passage of time from the occurrence date of the vulnerability information, the occurrence of an attack against the vulnerability is determined, and when it is determined that the attack against the vulnerability has occurred, the risk evaluation A damage occurrence simulator that predicts the result and the occurrence of damage due to an attack on each element, and reflects the countermeasure status of the prediction target system for the vulnerability;
A damage prediction unit that generates random numbers and repeatedly executes the vulnerability information generation simulator, the vulnerability risk evaluation unit, and the damage occurrence simulator processing up to a predetermined number of times;
A damage prediction system characterized by comprising: The damage prediction system according to claim 8,
The damage occurrence simulator is
The damage prediction system, wherein the occurrence probability model is set according to characteristics of the vulnerability information. The damage prediction system according to claim 8,
The damage occurrence simulator is
A damage prediction system characterized by calculating a damage amount according to the type of element and the characteristic of vulnerability. The damage prediction system according to claim 8,
The vulnerability information generation simulator is
A damage prediction system, wherein a probability distribution of occurrence of the vulnerability is preset for each software. The damage prediction system according to claim 8,
The damage occurrence simulator is
A damage prediction system, characterized by controlling a probability that damage will occur depending on the presence or absence of security of the prediction target system. The damage prediction system according to claim 8,
The damage occurrence simulator is
A damage prediction system in which a probability of occurrence of damage with respect to the number of days elapsed since the occurrence of a vulnerability is set according to a security operation state in the prediction target system. The damage prediction system according to claim 8,
The damage prediction unit
A damage prediction system characterized by calculating a total sum of damage amounts for each repetition up to a predetermined number of times and calculating an excess damage probability based on the total sum. A program for predicting damage caused by a cyber attack of a prediction target system that executes processing related to a predetermined business on a computer having a processor and a memory,
A first step of reading a vulnerability model for each software used in the prediction target system, and generating an occurrence date of vulnerability information and a vulnerability characteristic;
A second step of evaluating a risk of an attack using the vulnerability reaching the element based on network topology information of an element constituting the prediction target system;
A third step of determining the occurrence of an attack against the vulnerability based on an occurrence probability model with respect to the passage of time from the occurrence date of the vulnerability information;
If it is determined that an attack against the vulnerability has occurred, a result of the risk assessment, and a fourth step of predicting the occurrence of damage due to the attack on each element;
A fifth step of reflecting a countermeasure status of the prediction target system with respect to the vulnerability;
A sixth step of generating a random number and repeating the first to fifth steps a predetermined number of times;
A program for causing the computer to execute.