JP2020129166A - Computer system, method for analyzing influence of incident to business system, and analysis device - Google Patents

Abstract

To analyze influence of an incident to a business system being an evaluation object by using an incident having occurred in another business system.SOLUTION: The computer system is connected with a plurality of business systems, acquires incident data containing information on an incident having occurred in a first business system, constructs an evaluation business system simulating a business system different from the first business system, reproduces, on the evaluation business system, the incident having occurred in the first business system based on the incident data, analyzes the influence of the incident to the evaluation business system, and outputs the analysis result.SELECTED DRAWING: Figure 1

Description

The present invention relates to a technique for designing security measures for preventing the influence of an incident on a business system.

In recent years, cyber attacks targeting private companies, defense-related companies, public institutions, etc. have become apparent, and the risk of damaging the interests and safety of individuals, companies, and the nation is increasing. In addition, the attack method has become more sophisticated, and targeted attacks that steal confidential information and destroy systems by leveraging sophisticated malware to infiltrate networks of specific government agencies, companies, and organizations are It is a big threat. Against this background, it is important to analyze threats promptly and formulate countermeasures based on the analysis results.

For example, in Patent Document 1, a malware candidate sample is received from FW (FireWall), the malware candidate sample is analyzed using a virtual machine to determine whether the malware candidate sample is malware, and the malware candidate sample is analyzed. A system is disclosed that automatically generates a signature when is determined to be malware.

Japanese Patent Publication No. 2014-519113

By using the technique of Patent Document 1, it is possible to prevent attacks by unknown malware that cannot be prevented by general antivirus software.

However, the technique of Patent Document 1 is not a technique for evaluating the influence on a plurality of business systems. Therefore, by utilizing the information on incidents that have occurred in other business systems (for example, business systems operated by a certain company), the impact of the incident on the business system under evaluation (for example, business system operated by the company) It is not possible to determine the presence or absence and to devise measures to prevent the impact. For example, a malware may be detected in another business system, but a signature is generated even though the malware does not affect the business system to be evaluated, and the generated signature may adversely affect the business system.

An object of the present invention is to analyze the influence of the incident on the business system to be evaluated by utilizing the information on the incident generated in another business system.

A typical example of the present invention is as follows. That is, in a computer system including a plurality of computers, each of the plurality of computers has a processor, a storage device connected to the processor, and an interface connected to the processor. Is a business system that is connected to a plurality of business systems that execute, acquires incident data including information about an incident that has occurred in the first business system, and that is connected to the computer system, and that is connected to the first business system. Constructs an evaluation business system simulating a different business system, reproduces an incident occurring in the first business system on the evaluation business system based on the incident data, and influences the evaluation business system by the incident. Is analyzed and the result of the analysis is output.

According to one aspect of the present invention, it is possible to analyze the influence of an incident on a business system that is an evaluation target by utilizing information about the incident that has occurred in another business system. Problems, configurations, and effects other than those described above will be clarified by the following description of the embodiments.

FIG. 1 is a diagram showing a configuration example of a computer system related to Example 1. FIG. 6 is a diagram showing an example of a data structure of incident data management information according to the first embodiment. FIG. 6 is a diagram showing an example of a data structure of business system management information according to the first embodiment. FIG. 6 is a diagram showing an example of a data structure of incident reproduction result management information according to the first embodiment. 5 is a flowchart illustrating an example of processing executed by the incident reproduction device according to the first embodiment. 6 is a flowchart illustrating an example of incident reproduction processing executed by the incident reproduction device according to the first embodiment. FIG. 6 is a diagram showing an example of a display screen displaying the incident reproduction result of the first embodiment. FIG. 8 is a diagram illustrating a configuration example of an incident reproduction device according to a second embodiment. FIG. 9 is a diagram showing an example of a data structure of attack technique management information according to the second embodiment. 9 is a flowchart illustrating an example of processing executed by the incident reproduction device according to the second embodiment. 9 is a flowchart illustrating an example of incident reproduction processing executed by the incident reproduction device according to the second embodiment.

First, the outline of the actual invention will be described.

In the present specification, when no distinction is made between individuals, companies, countries, etc. operating business systems, they are referred to as organizations.

In an organization that operates a business system in which an incident (security incident) has occurred, the identification of the threat that is the cause of the incident and the threat caused by SOC (Security Operation Center) and CSIRT (Computer Security Incident Response Team) that exist in the organization. Detecting methods are established and countermeasures against threats are taken.

In the present invention, the incident reproduction device 110 (see FIG. 1) acquires incident data including information on a threat identified by an organization, a threat detection method, and countermeasures taken to eliminate the influence of the threat. Then, the incident is reproduced on the business system operated by the evaluated organization. When the incident reproducing apparatus 110 has an influence on the business system by the incident, the incident reproducing apparatus 110 formulates a measure for preventing the influence.

By executing the above-described processing, it is possible to plan a measure for preventing the influence of an incident occurring in a certain business system on the business system to be evaluated. This makes it possible to prevent the occurrence of similar incidents in a plurality of business systems.

Embodiments of the present invention will be described below with reference to the drawings. However, the present invention should not be construed as being limited to the description of the examples below. It is easily understood by those skilled in the art that the specific configuration can be changed without departing from the spirit or gist of the present invention.

In the configurations of the invention described below, the same or similar configurations or functions are designated by the same reference numerals, and overlapping description will be omitted.

The notations such as “first”, “second”, and “third” in this specification and the like are given to identify components, and do not necessarily limit the number or order.

The position, size, shape, range, etc. of each configuration shown in the drawings and the like may not represent the actual position, size, shape, range, etc. for easy understanding of the invention. Therefore, the present invention is not limited to the position, size, shape, range, etc. disclosed in the drawings and the like.

FIG. 1 is a diagram illustrating a configuration example of a computer system according to the first embodiment.

The computer system is composed of systems 100 operated by different organizations. In FIG. 1, it is composed of systems 100A, 100B, 100C and 100D operated by organizations A, B, C and D. The present invention is not limited to the number of systems 100 that make up the computer system.

The systems 100A, 100B, 100C, 100D are connected to each other via a network 101. The network 101 is, for example, a WAN (Wide Area Network) or the like. The connection method of the network 101 may be wired or wireless.

The system 100A includes an incident reproduction device 110, an evaluation environment 140, and a production environment 150. The incident reproducing apparatus 110 may exist in only one system 100.

The production environment 150 is an environment for building a business system (not shown) that actually performs business. For example, a file server, a WEB server, a DNS (Domain Name System) server, and the like can be cited as the business system. The production environment 150 includes a plurality of computers and network devices, and various software.

The evaluation environment 140 is an environment for constructing an evaluation business system 141 that simulates a business system that analyzes the influence of an incident. An evaluation business system A 141A, an evaluation business system B 141B, and an evaluation business system C 141C are constructed in the evaluation environment 140 of FIG. Each evaluation business system 141 is connected to the incident reproduction device 110 via the network 142. The network 142 is, for example, a LAN (Local Area Network) or the like. The connection method of the network 142 may be wired or wireless.

In the first embodiment, the evaluation business system 141 simulating the business system operating in the own system 100A is constructed in the evaluation environment 140. It should be noted that an evaluation business system 141 simulating a business system operating on the other systems 100B, 100C, 100D may be constructed.

The incident reproducing apparatus 110 constructs the evaluation business system 141 in the evaluation environment 140, reproduces the incident on the evaluation business system 141, and analyzes the influence of the incident on the evaluation business system 141.

The incident reproduction device 110 is a computer having a CPU (Central Processing Unit) 113, a main memory 114, a storage device 115, an interface 112, and an input/output device 116. The respective hardware are connected to each other via a communication path 117. The communication path 117 is an information transmission medium such as a bus and a cable.

The CPU 113 executes the program stored in the main memory 114. The CPU 113 executes processing according to a program to operate as a functional unit (module) that realizes a specific function.

The main memory 114 stores a program executed by the CPU 113 and data used when the program is executed. The main memory 114 also includes a work area that is temporarily used by the program. Details of the programs stored in the main memory 114 will be described later.

The storage device 115 permanently stores a large amount of data. The storage device 115 is, for example, an HDD (Hard Disk Drive), a flash memory, or the like. Details of the data stored in the storage device 115 will be described later.

The interface 112 is an interface for communicating with another device. The interface 112 is, for example, a NIC (Network Interface Card). In FIG. 1, the incident reproducing apparatus 110 communicates with other systems 100B, 100C, 100D via an interface 112A, and also communicates with an evaluation environment 140 and a production environment 150 via an interface 112B.

The input/output device 116 is a device for inputting data to the incident reproducing device 110 and outputting data from the incident reproducing device 110. The input/output device 116 includes, for example, a keyboard, a mouse, a touch panel, a display, and the like.

Here, the programs stored in the main memory 114 will be described. The main memory 114 stores an incident data reception program 121, a business system construction program 122, an incident reproduction program 123, an impact analysis program 124, a countermeasure application program 125, and a presentation program 126.

The program stored in the main memory 114 may be stored in the storage device 115 or may be stored in an external device. When the program is stored in the storage device 115, the CPU 113 reads the program from the storage device 115 and loads it into the main memory 114. When the program is stored in the external device, the CPU 113 acquires the program from the external device via the input/output device 116 or the interface 112, and installs (loads) the program in the main memory 114.

The incident data receiving program 121 is a program executed to receive incident data including information related to an incident that has occurred in a business system operating on the system 100 of another organization.

The business system construction program 122 is a program executed to construct the evaluation business system 141 in the evaluation environment 140.

The incident reproduction program 123 is a program executed to reproduce an incident on the evaluation business system 141.

The impact analysis program 124 is a program executed to analyze the impact of the reproduced incident on the evaluation business system 141.

The countermeasure application program 125 is a program executed to apply a countermeasure to the evaluation business system 141.

The presentation program 126 is a program executed to present the analysis result to the user as an incident reproduction result. For example, the presentation program 126 is executed to visualize information (display a screen) or reproduce sound.

The programs stored in the main memory 114 may be a plurality of programs combined into one program, or one program may be divided into a plurality of programs. For example, the incident reproduction program 123 and the impact analysis program 124 may be one program.

Next, the data stored in the storage device 115 will be described. The storage device 115 stores incident data management information 131, business system management information 132, and incident reproduction result management information 133.

The incident data management information 131 is information for managing incident data. Details of the data structure of the incident data management information 131 will be described with reference to FIG.

The business system management information 132 is information for managing the configuration of the business system, the method of confirming the influence, and the like. Details of the data structure of the business system management information 132 will be described with reference to FIG.

The incident reproduction result management information 133 is information for managing the incident reproduction result. Details of the data structure of the incident reproduction result management information 133 will be described with reference to FIG.

FIG. 2 is a diagram illustrating an example of the data structure of the incident data management information 131 according to the first embodiment.

The incident data management information 131 stores an entry including an ID 201, date and time 202, organization 203, threat 204, detection method 205, and coping means 206. One entry corresponds to one incident data.

The ID 201 is a field that stores identification information for uniquely identifying incident data (entry).

The date and time 202 is a field that stores the date and time when the incident occurred. It is assumed that the time managed by each system 100 is synchronized.

The organization 203 is a field that stores identification information for identifying the system 100 in which the incident has occurred, that is, the organization that is the transmission source of the incident data.

The threat 204 is a field that stores information indicating the threat that is the cause of the incident. In this specification, an entity (program) that attacks the business system and an action that triggers the attack on the business system are defined as a “threat”.

The detection method 205 is a field that stores a method for detecting a threat. When there are a plurality of detection methods, the detection method 205 stores the plurality of detection methods. If the detection method is unknown, the detection method 205 is blank.

The coping unit 206 is a field that stores information about coping with the detected threat, such as processing and action. When a plurality of countermeasures are taken for an incident, the countermeasure 206 stores information indicating a plurality of countermeasures. If the countermeasure is unknown, the countermeasure unit 206 is blank.

The incident data corresponding to the ID 201 of “1” is detected by the organization B (system 100B) that the malware A was detected as a threat at 00:00/1/2018, and the infection of the site caused by malware A. Communication to A and a. This means that the generation of exe was observed, the communication to the site A was blocked, and the patch A was applied as a countermeasure.

The incident data corresponding to the ID 201 of “4” indicates that in the organization D (system 100D), the malware C was identified as a threat at 00:00:30 on January 1/1, 2018, and the detection method and the countermeasure are unknown. Indicates that there is.

It should be noted that although the incident data is described as including information related to an incident actually occurred in the organization (system 100) for convenience of explanation, the incident does not necessarily need to occur. The incident data management information 131 may store incident data including information about known threats.

The incident data management information 131 is generated by the CPU 113 that executes the incident data receiving program 121. The incident data management information 131 is used when reproducing an incident on a business system, analyzing the impact of the incident on the business system, applying measures to the business system, and presenting the incident reproduction result. Used.

FIG. 3 is a diagram illustrating an example of a data structure of the business system management information 132 according to the first embodiment.

The business system management information 132 stores an entry including an ID 301, a system name 302, an OS 303, an application 304, and a determination standard 305. One entry corresponds to one business system.

The ID 301 is a field that stores identification information for uniquely identifying a business system (entry).

The system name 302 is a field that stores the name of the business system. The OS 303 is a field that stores information indicating an OS (Operating System) used in the business system. The application 304 is a field that stores information indicating an application used in the business system.

The determination criterion 305 is a field that stores information regarding a criterion for determining whether or not an incident has an influence on the business system. Information indicating a plurality of determination criteria may be stored in the determination criteria 305. In this case, the incident reproducing apparatus 110 determines that the incident has an influence on the business system when any of the determination criteria is satisfied.

The business system corresponding to the ID 301 of “1” uses the OSA, the business application A and the database A are installed on the OSA, the business application A is stopped, the data is tampered with, or malware is infected. Is set as.

The business system management information 132 is set in advance. However, an administrator of the computer system or the like may add, delete, and update entries as necessary. The business system management information 132 is used when the evaluation business system 141 is constructed in the evaluation environment 140.

FIG. 4 is a diagram illustrating an example of a data structure of the incident reproduction result management information 133 according to the first embodiment.

The incident reproduction result management information 133 stores an entry including an ID 401, an incident ID 402, a business system ID 403, an influence 404, a countermeasure 405, and a post-application influence 406. One entry corresponds to one incident reproduction result.

The ID 401 is a field that stores identification information for uniquely identifying the incident reproduction result.

The incident ID 402 is a field that stores identification information of a reproduced incident. The incident ID 402 corresponds to the ID 201.

The business system ID 403 is a field for storing identification information of the evaluation business system 141 in which the incident has been reproduced. The business system ID 403 corresponds to the ID 301.

The influence 404 stores information indicating whether or not the reproduced incident has an influence on the evaluation business system 141. The influence 404 stores either “present” or “not present”. “Yes” indicates that there is an effect, and “none” indicates that there is no effect.

The countermeasure 405 stores information indicating the countermeasure applied to the business system.

The post-application impact 406 stores information indicating whether or not the reproduced incident has an impact on the business system after the countermeasure is applied. In the post-application influence 406, either “present” or “none” is stored.

The incident reproduction result corresponding to the ID 401 of “1” is that the business system A is affected by the incident of the ID 201 of “1”, and the business system A to which the measure of “site A blocking” is applied is also affected by the incident. Represents receiving.

The incident reproduction result management information 133 is generated by the CPU 113 that executes the impact analysis program 124. The incident reproduction result management information 133 is used when presenting the incident reproduction result.

Next, details of the processing executed by the incident reproduction device 110 will be described.

FIG. 5 is a flowchart illustrating an example of processing executed by the incident reproduction device 110 according to the first embodiment.

When the incident reproduction device 110 receives incident data from any system 100 via the interface 112A (step S501), the incident reproduction device 110 determines whether the incident corresponding to the incident data is an incident caused by an unknown threat. Yes (step S502).

Specifically, the CPU 113 that executes the incident data reception program 121 acquires information regarding a threat from the received incident. The CPU 113 refers to the incident data management information 131 and determines whether or not there is an entry that matches the information regarding the threat acquired by the threat 204. When there is no entry satisfying the above conditions, the CPU 113 determines that the incident corresponding to the received incident data is an incident caused by an unknown threat.

When it is determined that the incident corresponding to the received incident data is not the incident caused by the unknown threat, the incident reproducing apparatus 110 ends the process. In this case, the CPU 113 that executes the incident data reception program 121 ends the processing without registering the received incident data in the incident data management information 131.

When it is determined that the incident corresponding to the received incident data is an incident caused by an unknown threat, the incident reproducing apparatus 110 starts loop processing of the business system (step S503).

Specifically, the CPU 113 that executes the incident data reception program 121 registers the received incident data in the incident data management information 131 and activates the business system construction program 122. The CPU 113 executing the business system construction program 122 selects one entry from the entries stored in the business system management information 132. Below, the business system corresponding to the selected entry is described as a target business system.

Next, the incident reproducing apparatus 110 constructs the evaluation business system 141 corresponding to the target business system in the evaluation environment 140 (step S504).

Specifically, the CPU 113 that executes the business system construction program 122 constructs the evaluation business system 141 in the evaluation environment 140 based on the OS 303 and the application 304 of the entry selected from the business system management information 132. After that, the CPU 113 activates the incident reproduction program 123.

Next, the incident reproduction device 110 executes incident reproduction processing on the constructed evaluation business system 141 (step S505). Details of the incident reproduction processing will be described with reference to FIG.

Next, the incident reproducing apparatus 110 determines whether or not the processing has been completed for all business systems (step S506).

When it is determined that the processing has not been completed for all business systems, the incident reproducing apparatus 110 returns to step S503 and executes the same processing.

Specifically, the CPU 113 that executes the impact analysis program 124 activates the business system construction program 122.

When it is determined that the processing has been completed for all business systems, the incident reproduction device 110 presents the incident reproduction result (step S507), and thereafter ends the processing.

Specifically, the CPU 113 that executes the impact analysis program 124 activates the presentation program 126. The CPU 113 that executes the presentation program 126 generates and outputs information (display information, audio information, etc.) for presenting the incident reproduction result. The screen displayed based on the display information will be described with reference to FIG.

FIG. 6 is a flowchart illustrating an example of incident reproduction processing executed by the incident reproduction device 110 according to the first embodiment.

The incident reproduction device 110 reproduces the incident corresponding to the received incident data on the constructed evaluation work system 141, and analyzes the influence of the incident (step S601). Specifically, the following processing is executed.

The CPU 113 that executes the incident reproduction program 123 reproduces the incident on the evaluation work system 141 based on the incident data. For example, the program (malware) corresponding to the threat 204 is executed, or the action (access to the site) for the threat 204 is executed. The CPU 113 that executes the incident reproduction program 123 activates the impact analysis program 124.

The CPU 113 that executes the impact analysis program 124 monitors the behavior of the evaluation business system 141 in which the incident has been reproduced, and determines whether or not the determination criterion set in the determination criterion 305 of the entry selected in step S503 is satisfied. .. At this time, the CPU 113 monitors the behavior of the evaluation business system 141 using a preset policy or the received incident data detection method 205. In order to monitor the behavior of the evaluation business system 141 based on a preset policy, a program for checking the operating processes, the usage rate of the CPU 113, the presence or absence of data tampering, etc. is installed in the evaluation business system 141 and used. Good.

The above is the description of the process of step S601.

Next, the incident reproduction device 110 determines whether or not the reproduced incident has an effect on the evaluation business system 141 (step S602).

Specifically, the CPU 113 that executes the impact analysis program 124 determines whether or not the determination standard set in the determination standard 305 is satisfied. When the determination criteria set in the determination criteria 305 are satisfied, the CPU 113 determines that the reproduced incident has an influence on the evaluation business system 141.

When it is determined that the reproduced incident does not affect the evaluation business system 141, the incident reproducing apparatus 110 updates the incident reproduction result management information 133 (step S603), and then ends the incident reproducing process.

Specifically, the CPU 113 executing the impact analysis program 124 adds an entry to the incident reproduction result management information 133 and sets identification information in the ID 401 of the added entry. The CPU 113 stores the identification information of the reproduced incident in the incident ID 402 of the added entry, stores the identification information of the target business system in the business system ID 403, and stores “none” in the influence 404. In this case, the countermeasure 405 and the post-application influence 406 are blank.

When it is determined that the reproduced incident has an effect on the evaluation business system 141, the incident reproducing apparatus 110 starts a coping loop process (step S604). Specifically, the following processing is executed.

The CPU 113 that executes the impact analysis program 124 activates the countermeasure application program 125.

The CPU 113 that executes the countermeasure application program 125 refers to the incident data management information 131 and searches for an entry corresponding to the received incident data. The CPU 113 selects one countermeasure from the countermeasures set in the countermeasure means 206 of the retrieved entry.

The above is the description of the process of step S604.

Next, the incident reproducing apparatus 110 applies the selected countermeasure to the evaluation business system 141 as a countermeasure (step S605).

Specifically, the CPU 113 that executes the countermeasure application program 125 applies the selected countermeasure to the evaluation work system 141 as a countermeasure. The CPU 113 activates the incident reproduction program 123.

Next, the incident reproducing device 110 reproduces the incident corresponding to the received incident data on the evaluation business system 141 to which the countermeasure has been applied, and analyzes the influence of the incident (step S606). The process of step S606 is the same as the process of step S601.

Next, the incident reproduction device 110 updates the incident reproduction result management information 133 (step S607).

Specifically, the CPU 113 that executes the impact analysis program 124 adds an entry to the incident reproduction result management information 133 and sets identification information in the ID 401 of the added entry. The CPU 113 stores the identification information of the reproduced incident in the incident ID 402 of the added entry, stores the identification information of the target business system in the business system ID 403, and stores “present” in the influence 404. The CPU 113 stores information indicating the countermeasure selected in step S604 in the countermeasure 405 of the added entry, and stores the analysis result in the post-application influence 406. The analysis result is either "Yes" or "No".

Next, the incident reproducing apparatus 110 determines whether or not the processing has been completed for all measures (step S608).

When it is determined that the processing has not been completed for all the measures, the incident reproducing device 110 returns to step S604 and executes the same processing.

Specifically, the CPU 113 that executes the impact analysis program 124 activates the countermeasure application program 125.

When it is determined that the processing has been completed for all the measures, the incident reproduction device 110 ends the incident reproduction processing.

By verifying a plurality of measures, it is possible to broaden the range of selection of applicable measures, such as extraction of easily applicable measures or low cost measures.

FIG. 7 is a diagram illustrating an example of a display screen that displays the incident reproduction result of the first embodiment.

The display screen 700 is, for example, a screen displayed on the input/output device 116, and includes a path column 701, an incident information column 702, a countermeasure column 703, and an incident reproduction result column 704. The display screen 700 shown in FIG. 7 is an example, and the display screen 700 is not limited to this. A column (not shown) may be included, or any column may not be included.

The path column 701 is a column for displaying a path in which the incident reproduction result management information 133 is stored.

The incident information column 702 is a column for displaying information regarding incidents that have occurred in other organizations. Information included in the received incident data is displayed in the incident information column 702. For example, the incident information column 702 displays the date and time when the incident occurred, the organization where the incident occurred, the identified threat, and the like.

The countermeasure column 703 is a column for displaying a recommended countermeasure for each business system. The countermeasure column 703 displays the countermeasure 405 of the entry having the influence 404 of “present” and the post-application influence 406 of “none”.

When there are a plurality of entries that satisfy the above-mentioned conditions for one business system, the countermeasures 405 for all the entries may be displayed, or the countermeasures 405 for some of the entries may be displayed.

If there is only an entry with the influence 404 being “present” and the post-application influence 406 being “present” for one business system, “unknown” is displayed to alert the administrator.

The incident reproduction result column 704 is a column for displaying the incident reproduction result of each business system.

Information set in the incident reproduction result management information 133 is displayed in the incident reproduction result column 704.

Here, the processing executed by the incident reproducing apparatus 110 will be described using a specific example. For convenience of explanation, it is assumed that there are no entries in the incident data management information 131 and the incident reproduction result management information 133. Further, it is assumed that the business system management information 132 has only entries of the business system A and the business system B.

In this example, the following incident is assumed. In the system 100B of organization B, an incident occurred at 00:00:00 on 1/1/1/2018. The SOC team of organization B identifies malware A as a threat, terminals infected with malware A communicate with site A, and a. It was specified to generate exe. On the other hand, the SOC team of the organization B carried out the blocking of the site A and the application of the patch A to the infected terminal.

The incident reproducing apparatus 110 receives the incident data including the information on the incident (step S501).

In step S502, the CPU 113 that executes the incident data reception program 121 determines that the incident data management information 131 is empty, and thus is an incident due to an unknown threat. At this time, the CPU 113 adds an entry to the incident data management information 131, stores “1” in the ID 201 of the added entry, and stores “2018/1/1 00:00:00” in the date 202. “Organization B” is stored in the organization 203, “malware A” is stored in the threat 204, “communication to site A” and “generation of a.exe” are stored in the detection method 205, and “coping means 206” is stored in Store “site A block” and “patch A applied”.

The processes of steps S504 and S505 are executed for each of the business system A and the business system B.

First, the CPU 113 executing the business system construction program 122 selects the entry having the ID 301 of “1” (step S503), and constructs the evaluation business system A141A corresponding to the business system A in the evaluation environment 140 (step S504).

The CPU 113 that executes the incident reproduction program 123 executes the malware A on the evaluation business system A 141A (step S601).

The CPU 113 that executes the impact analysis program 124 acquires the determination criterion 305 of the selected entry from the business system management information 132, and monitors the suspension of the business application A, data tampering, and occurrence of malware infection. The malware infection is monitored based on the incident data detection method 205. When at least one of “communication to site A” and “generation of a.exe” is detected, the CPU 113 determines that the malware A is infected.

In this example, it is assumed that both "communication to site A" and "generation of a.exe" have been detected. That is, it is assumed that the infection of the malware A is detected. In this case, the CPU 113 that executes the impact analysis program 124 determines that the reproduced incident has an impact on the evaluation business system A 141A (Yes in step S602), and activates the countermeasure application program 125.

The CPU 113 executing the countermeasure application program 125 selects either “site A block” or “patch A applied” stored in the coping means 206 (step S604). Here, it is assumed that “site A block” is selected.

The CPU 113 that executes the countermeasure application program 125 applies the settings, changes, and the like for realizing “site A cutoff” to the evaluation work system A 141A (step S605). For example, the setting is changed so as to block the communication to the site A on the evaluation business system A 141A, or the FireWall for blocking the communication to the site A is installed in the network 142.

The CPU 113 executing the incident reproduction program 123 causes the malware A to be executed on the evaluation business system A 141A to which the “site A block” countermeasure has been applied (step S606). Here, a. It is assumed that the generation of exe is detected.

The CPU 113 that executes the impact analysis program 124 updates the incident reproduction result management information 133 (step S607). Specifically, the CPU 113 adds an entry to the incident reproduction result management information 133, stores “1” in the ID 401, stores “1” in the incident ID 402, stores “1” in the business system ID 403, “Presence” is stored in the influence 404, “Site A cutoff” is stored in the countermeasure 405, and “presence” is set in the post-application influence 406.

In step S608, since there is an unprocessed countermeasure, the CPU 113 executing the impact analysis program 124 returns to step S604 and activates the countermeasure application program 125. The CPU 113 that executes the countermeasure application program 125 selects “Apply patch A”.

The CPU 113 that executes the countermeasure application program 125 applies the patch A to the evaluation business system A 141A (step S605).

The CPU 113 that executes the incident reproduction program 123 causes the malware A to be executed on the evaluation business system A 141A to which the countermeasure of “patch A application” has been applied (step S606). Here, it is assumed that none of the stoppage of the business application A, data tampering, and malware infection are detected.

The CPU 113 that executes the impact analysis program 124 updates the incident reproduction result management information 133 (step S607). Specifically, the CPU 113 adds an entry to the incident reproduction result management information 133, stores “2” in the ID 401, stores “1” in the incident ID 402, stores “1” in the business system ID 403, “Present” is stored in the influence 404, “patch A applied” is stored in the countermeasure 405, and “none” is set in the post-application influence 406.

In step S608, since all the handling processes have been completed, the incident reproducing apparatus 110 ends the incident reproducing process.

In step S506, since there is an unprocessed business system, the CPU 113 executing the impact analysis program 124 returns to step S503 and activates the business system construction program 122. The CPU 113 executing the business system construction program 122 selects the entry having the ID 301 of "2" (step S503), and constructs the evaluation business system B141B corresponding to the business system B in the evaluation environment 140 (step S504).

The CPU 113 that executes the incident reproduction program 123 executes the malware A on the evaluation business system B141B (step S601).

The CPU 113 that executes the impact analysis program 124 acquires the determination criterion 305 of the selected entry from the business system management information 132, and monitors the suspension of the business application B and the occurrence of data leakage.

In this example, it is assumed that data leakage has been detected. In this case, the CPU 113 that executes the impact analysis program 124 determines that the reproduced incident has an influence on the evaluation business system B 141B (Yes in step S602), and activates the countermeasure application program 125.

The CPU 113 executing the countermeasure application program 125 selects either “site A block” or “patch A applied” stored in the coping means 206 (step S604). Here, it is assumed that “site A block” is selected.

The CPU 113 that executes the countermeasure application program 125 applies the settings and changes for realizing the “site A cutoff” to the evaluation work system B141B (step S605). For example, the setting is changed so that the communication to the site A is blocked on the evaluation business system B 141B, or the FireWall for blocking the communication to the site A is installed in the network 142.

The CPU 113 that executes the incident reproduction program 123 causes the malware A to be executed on the evaluation business system B141B to which the measure of “site A block” is applied (step S606). Here, it is assumed that data leakage has been detected.

The CPU 113 that executes the impact analysis program 124 updates the incident reproduction result management information 133 (step S607). Specifically, the CPU 113 adds an entry to the incident reproduction result management information 133, stores “3” in the ID 401, stores “1” in the incident ID 402, stores “2” in the business system ID 403, “Presence” is stored in the influence 404, “Site A cutoff” is stored in the countermeasure 405, and “presence” is set in the post-application influence 406.

In step S608, since there is an unprocessed countermeasure, the CPU 113 executing the impact analysis program 124 returns to step S604 and activates the countermeasure application program 125. The CPU 113 that executes the countermeasure application program 125 selects “Apply patch A”.

The CPU 113 that executes the countermeasure application program 125 applies the patch A to the evaluation business system B141B (step S605).

The CPU 113 that executes the incident reproduction program 123 causes the malware A to be executed on the evaluation business system B141B to which the measure of "patch A application" has been applied (step S606). Here, it is assumed that the stop of the business application B is detected.

The CPU 113 that executes the impact analysis program 124 updates the incident reproduction result management information 133 (step S607). Specifically, the CPU 113 adds an entry to the incident reproduction result management information 133, stores “4” in the ID 401, stores “1” in the incident ID 402, and stores “2” in the business system ID 403. “Present” is stored in the influence 404, “patch A applied” is stored in the countermeasure 405, and “presence” is set in the post-application influence 406.

In step S608, since all the handling processes have been completed, the incident reproducing apparatus 110 ends the incident reproducing process.

In step S506, since the processing of all the business systems is completed, the CPU 113 that executes the impact analysis program 124 activates the presentation program 126. The CPU 113 that executes the presentation program 126 generates and outputs information for presenting the incident reproduction result (step S507). As a result, the display screen 700 as shown in FIG. 7 is presented to the user.

Note that the following modified examples of the first embodiment can be considered.

(Modification 1) Even if the incident reproducing apparatus 110 updates the business system management information 132 according to a change in the configuration of the business system, and then executes the process using the incident data stored in the incident data management information 131. Good. As a result, the impact of the incident on the latest business system can be analyzed.

(Modification 2) The incident reproduction device 110 may automatically apply the recommended countermeasures to the business system. For example, when the countermeasure applied to a certain business system determines that the incident is not affected, the incident reproducing apparatus 110 automatically applies the countermeasure to all or a specific business system. This allows the measures to be applied quickly to the business system.

(Modification 3) A level of influence is added to the criterion 305. For example, the judgment criteria for each of the small, medium, and large impacts are defined, and the impact level, countermeasures, and analysis results are presented. This makes it possible to realize flexible countermeasure application processing, such as applying the countermeasure when the influence of the countermeasure is small.

(Modification 4) The CPU 113 that executes the countermeasure application program 125 may select a countermeasure different from the countermeasure included in the received incident data. For example, the CPU 113 may select a countermeasure included in the incident data stored in the incident data management information 131. This makes it possible to take countermeasures against threats for which countermeasures have not been clarified, such as the emergence of a virus of a subspecies.

(Modification 5) The CPU 113 that executes the business system construction program 122 may construct the evaluation business system 141 in the evaluation environment 140 in advance. This can reduce the time required to reproduce and analyze the incident.

(Modification 6) The CPU 113 that executes the impact analysis program 124 may end the loop processing from step S604 to step S608 when a measure that does not affect the business system by the incident is specified. This allows the measures to be applied quickly.

(Modification 7) The CPU 113 that executes the countermeasure application program 125 may apply a countermeasure in which a plurality of countermeasures are combined. As a result, it is possible to broaden the range of selection of applicable measures, such as extraction of measures that are easy to apply or measures that have low cost.

As described above, according to the first embodiment, it is possible to analyze the influence of the incident on the business system of the own organization by utilizing the information about the incident that occurred in another organization. In addition, it is possible to prevent the occurrence of similar incidents by planning effective countermeasures using the analysis results.

In the second embodiment, the incident reproduction device 110 reproduces an incident caused by an unknown attack. In the first embodiment, an incident that actually occurred in another organization was reproduced on the business system, and its influence was analyzed. However, attack methods are evolving day by day, and it is desirable to prevent the occurrence of incidents due to unknown threats.

Hereinafter, the second embodiment will be described focusing on the differences from the first embodiment.

The configuration of the computer system of the second embodiment is the same as that of the first embodiment. In the second embodiment, the configuration of the incident reproduction device 110 is partially different.

FIG. 8 is a diagram illustrating a configuration example of the incident reproduction device 110 according to the second embodiment.

The hardware configuration of the incident reproducing apparatus 110 according to the second embodiment is the same as that of the first embodiment. The program stored in the main memory 114 of the second embodiment is also the same as that of the first embodiment.

In the second embodiment, the information stored in the storage device 115 is partially different. Specifically, the storage device 115 of the second embodiment stores attack method management information 800 in addition to the incident data management information 131, the business system management information 132, and the incident reproduction result management information 133. Details of the data structure of the attack method management information 800 will be described with reference to FIG.

In the second embodiment, the incident data includes an attack scenario as a threat. Here, the attack scenario is a group of attack methods for achieving a specific purpose, and is a scenario composed of a plurality of attack methods.

For example, in a targeted attack, malware that has invaded an organization using attached mail or a drinking fountain attack, etc. downloads new malware and attack tools by communicating with a C&C (Command & Control) server operated by the attacker. Scout inside, establish attack base, destroy and steal information and achieve the final purpose.

Here, the attacker uses the OS investigation program A to investigate the OS, uses the malware A to invade the organization, uses the authentication theft program A to steal the authentication information, and uses the remote execution program A. Assume an attack that spreads the infection and steals information using the information stealing program A. In this case, the attack scenario is "OS investigation (OS investigation program A), malware execution (malware A), authentication theft (authentication theft program A), remote execution (remote execution program A), information theft (information theft program A). It will be. The order of attack methods represents the order of execution.

In the second embodiment, the incident data is included in the incident data and the attack code used for the attack corresponding to the attack scenario (OS investigation program A, malware A, authentication stealing program A, remote execution program A, information stealing program A, etc.). Shall also be included.

FIG. 9 is a diagram illustrating an example of the data structure of the attack technique management information 800 according to the second embodiment.

The attack technique management information 800 includes an entry including an ID 901, an attack classification 902, an attack technique 903, a precondition 904, and an attack code 905. One entry corresponds to one attack method.

The ID 901 is a field that stores identification information for uniquely identifying an attack technique (entry).

The attack classification 902 is a field that stores information indicating a rough classification of attack methods.

The attack method 903 is a field that stores information indicating the attack method.

The precondition 904 is a field for storing information indicating a precondition for executing the attack technique corresponding to the attack technique 903.

The attack code 905 is a field that stores an attack code for realizing an attack method corresponding to the attack method 903.

The attack method in which the ID 901 corresponds to “1” indicates that the OS investigation program A is used to perform a reconnaissance action for the purpose of investigating the OS.

In the second embodiment, the attack method management information 800 is set in advance. Note that the administrator or the like may add, delete, and update the entry of the attack method management information 800 as necessary.

The attack method management information 800 is used when an incident is reproduced.

FIG. 10 is a flowchart illustrating an example of processing executed by the incident reproduction device 110 according to the second embodiment.

When the incident reproducing device 110 receives the incident data via the interface 112A (step S1001), the incident reproducing device 110 starts loop processing of the business system (step S1002).

Specifically, the CPU 113 that executes the incident data reception program 121 registers the received incident data in the incident data management information 131 and activates the business system construction program 122. The CPU 113 executing the business system construction program 122 selects one entry from the entries stored in the business system management information 132. Below, the business system corresponding to the selected entry is described as a target business system.

Next, the incident reproducing apparatus 110 constructs the evaluation business system 141 corresponding to the target business system (step S1003).

Specifically, the CPU 113 that executes the business system construction program 122 constructs the evaluation business system 141 in the evaluation environment 140 based on the OS 303 and the application 304 of the entry selected from the business system management information 132. After that, the CPU 113 activates the incident reproduction program 123.

Next, the incident reproduction device 110 executes incident reproduction processing for the constructed evaluation business system 141 (step S1004). Details of the incident reproduction processing will be described with reference to FIG.

Next, the incident reproducing apparatus 110 determines whether or not the processing has been completed for all business systems (step S1005).

If it is determined that the processing has not been completed for all business systems, the incident reproducing apparatus 110 returns to step S1002 and executes the same processing.

Specifically, the CPU 113 that executes the impact analysis program 124 activates the business system construction program 122.

When it is determined that the processing has been completed for all business systems, the incident reproduction device 110 presents the incident reproduction result (step S1006), and thereafter ends the processing.

Specifically, the CPU 113 that executes the impact analysis program 124 activates the presentation program 126. The CPU 113 that executes the presentation program 126 generates and outputs information for presenting the incident reproduction result.

FIG. 11 is a flowchart illustrating an example of incident reproduction processing executed by the incident reproduction device 110 according to the second embodiment.

The incident reproduction device 110 starts a loop of an attack scenario (step S1101). Specifically, the following processing is executed.

The CPU 113 that executes the incident reproduction program 123 refers to the attack technique management information 800 and changes the attack technique that constitutes the attack scenario included in the incident data to generate a new attack scenario (verification attack scenario). ..

The CPU 113 executing the incident reproduction program 123 selects one attack scenario from the generated attack scenarios.

For example, the attack scenario included in the incident data is “OS investigation (OS investigation program A), malware execution (malware A), authentication theft (authentication theft program A), remote execution (remote execution program A), information theft (information theft). In the case of the program A)”, the following processing is executed.

When “OS investigation (OS investigation program A)” is selected as the attack method to be changed, the CPU 113 that executes the incident reproduction program 123 searches for an entry whose attack classification 902 is “reconnaissance”. The CPU 113 replaces the "OS investigation (OS investigation program A)" of the attack scenario with the "vulnerability investigation (vulnerability investigation program A)" and the "vulnerability investigation (vulnerability investigation program B)". Generate the replaced attack scenario.

When “malware execution (malware A)” is selected as the attack method to be changed, the CPU 113 that executes the incident reproduction program 123 searches for an entry whose attack classification 902 is “initial intrusion”. The CPU 113 generates an attack scenario in which “malware execution (malware A)” in the attack scenario is replaced with “malware execution (malware B)” and an attack scenario in which “vulnerability use (exploit A)” is replaced.

By executing the same processing, a plurality of attack scenarios are generated. When the precondition 904 is set, the attack method is replaced when the precondition is satisfied.

The attack scenario included in the received incident data may also be output as the verification attack scenario. The above is the description of the process of step S1101.

Next, the incident reproduction device 110 reproduces the incident corresponding to the selected attack scenario on the constructed evaluation business system 141, and analyzes the influence of the incident (step S1102). Specifically, the following processing is executed.

The CPU 113 executing the incident reproduction program 123 reproduces the incident on the evaluation business system 141 based on the selected attack scenario. The CPU 113 that executes the incident reproduction program 123 activates the impact analysis program 124.

The CPU 113 that executes the impact analysis program 124 monitors the behavior of the evaluation business system 141 in which the incident has been reproduced, and determines whether or not the determination criterion set in the determination criterion 305 of the entry selected in step S1002 is satisfied. .. At this time, the CPU 113 monitors the behavior of the evaluation business system 141 using a preset policy or the received incident data detection method 205. In order to monitor the behavior of the evaluation business system 141 based on a preset policy, a program for confirming the running process, the usage rate of the CPU 113, the presence or absence of data tampering, and the like may be used.

The above is the description of the process of step S1102.

Next, the incident reproducing apparatus 110 determines whether or not the reproduced incident has an effect on the evaluation business system 141 (step S1103).

Specifically, the CPU 113 that executes the impact analysis program 124 determines whether or not the determination standard set in the determination standard 305 is satisfied. When the determination criteria set in the determination criteria 305 are satisfied, the CPU 113 determines that the reproduced incident has an influence on the evaluation business system 141.

When it is determined that the reproduced incident does not affect the evaluation business system 141, the incident reproducing apparatus 110 updates the incident reproduction result management information 133 (step S1104), and then ends the incident reproducing process.

Specifically, the CPU 113 that executes the impact analysis program 124 adds an entry to the incident reproduction result management information 133 and sets identification information in the ID 401 of the added entry. The CPU 113 stores the identification information of the reproduced incident in the incident ID 402 of the added entry, stores the identification information of the target business system in the business system ID 403, and stores “none” in the influence 404. In this case, the countermeasure 405 and the post-application influence 406 are blank.

When it is determined that the reproduced incident has an influence on the evaluation business system 141, the incident reproduction device 110 starts a loop processing for coping (step S1105). Specifically, the following processing is executed.

The CPU 113 that executes the impact analysis program 124 activates the countermeasure application program 125.

The CPU 113 that executes the countermeasure application program 125 refers to the incident data management information 131 and searches for an entry corresponding to the received incident data. The CPU 113 selects one countermeasure from the countermeasures set in the countermeasure means 206 of the retrieved entry.

The above is the description of the process of step S1105.

Next, the incident reproducing apparatus 110 applies the selected countermeasure to the evaluation business system 141 as a countermeasure (step S1106).

Specifically, the CPU 113 that executes the countermeasure application program 125 applies the selected countermeasure to the evaluation work system 141 as a countermeasure. The CPU 113 activates the incident reproduction program 123.

Next, the incident reproducing apparatus 110 reproduces the incident corresponding to the received incident data on the evaluation business system 141 to which the countermeasure is applied, and analyzes the influence of the incident (step S1107). The process of step S1107 is the same as the process of step S1102.

Next, the incident reproduction device 110 updates the incident reproduction result management information 133 (step S1108).

Specifically, the CPU 113 that executes the impact analysis program 124 adds an entry to the incident reproduction result management information 133 and sets identification information in the ID 401 of the added entry. The CPU 113 stores the identification information of the reproduced incident in the incident ID 402 of the added entry, stores the identification information of the target business system in the business system ID 403, and stores “present” in the influence 404. The CPU 113 stores information indicating the countermeasure selected in step S604 in the countermeasure 405 of the added entry, and stores the analysis result in the post-application influence 406. The analysis result is either "Yes" or "No".

Next, the incident reproducing apparatus 110 determines whether or not the processing has been completed for all measures (step S1109).

When it is determined that the processing has not been completed for all the measures, the incident reproducing apparatus 110 returns to step S1105 and executes the same processing.

Specifically, the CPU 113 that executes the impact analysis program 124 activates the countermeasure application program 125.

When it is determined that the processing has been completed for all measures, the incident reproducing device 110 determines whether the processing has been completed for all attack scenarios (step S1110).

When it is determined that the processing has not been completed for all attack scenarios, the incident reproduction device 110 returns to step S1101 and executes the same processing.

Specifically, the CPU 113 that executes the impact analysis program 124 activates the incident reproduction program 123. The CPU 113 that executes the incident reproduction program 123 selects an unprocessed attack scenario from the generated attack scenarios.

When it is determined that the processing has been completed for all attack scenarios, the incident reproduction device 110 ends the incident reproduction processing.

It should be noted that the following modified examples of the second embodiment can be considered.

(Modification 1) The incident reproduction device 110 may collect attack codes published on the Internet or the like and generate or update the attack technique management information 800. Thereby, an attack scenario including the latest attack method can be generated.

(Modification 2) The incident reproduction device 110 uses an attack scenario published on the Internet or the like, instead of generating a new attack scenario from the attack scenario included in the incident data. This makes it possible to reproduce incidents caused by various attack scenarios and expand the range of applicable countermeasures.

As described above, according to the second embodiment, it is possible to reproduce an incident caused by an attack scenario that has not occurred in any organization and analyze its influence. This makes it possible to take measures against attacks that may occur in the future.

It should be noted that the present invention is not limited to the above-described embodiments, but includes various modifications. In addition, for example, the above-described embodiment is a detailed description of the configuration in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to one having all the configurations described. Moreover, a part of the configuration of each embodiment can be added, deleted, or replaced with another configuration.

Further, each of the above-described configurations, functions, processing units, processing means, etc. may be realized in hardware by designing a part or all of them with, for example, an integrated circuit. The present invention can also be realized by a program code of software that realizes the functions of the embodiments. In this case, a storage medium recording the program code is provided to the computer, and the processor included in the computer reads the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the function of the above-described embodiment, and the program code itself and the storage medium storing the program code constitute the present invention. As a storage medium for supplying such a program code, for example, a flexible disk, a CD-ROM, a DVD-ROM, a hard disk, an SSD (Solid State Drive), an optical disk, a magneto-optical disk, a CD-R, a magnetic tape, A non-volatile memory card, ROM or the like is used.

The program code that implements the functions described in this embodiment can be implemented in a wide range of programs or script languages such as assembler, C/C++, perl, Shell, PHP, Python, and Java (registered trademark).

Furthermore, by distributing the program code of the software that realizes the functions of the embodiments via a network, the program code is stored in a storage means such as a hard disk or a memory of a computer or a storage medium such as a CD-RW or a CD-R. Alternatively, the processor included in the computer may read and execute the program code stored in the storage unit or the storage medium.

In the above-mentioned embodiments, the control lines and information lines are shown to be necessary for explanation, and not all the control lines and information lines in the product are necessarily shown. All configurations may be connected to each other.

100 system 101, 142 network 110 incident reproduction device 112 interface 113 CPU
114 main memory 115 storage device 116 input/output device 117 communication path 121 incident data reception program 122 business system construction program 123 incident reproduction program 124 impact analysis program 125 countermeasure application program 126 presentation program 131 incident data management information 132 business system management information 133 incident Reproduction result management information 140 Evaluation environment 141 Evaluation business system 150 Production environment 700 Display screen 800 Attack method management information

Claims (12)

A computer system comprising a plurality of computers,
Each of the plurality of computers has a processor, a storage device connected to the processor, and an interface connected to the processor,
The computer system is
Connect to multiple business systems that perform business,
Acquire incident data including information on incidents that occurred in the first business system,
Constructing an evaluation business system which is a business system connected to the computer system and which simulates a business system different from the first business system;
Based on the incident data, reproduce the incident that occurred in the first business system on the evaluation business system, analyze the impact of the evaluation business system by the incident,
A computer system which outputs the result of the analysis. The computer system according to claim 1, wherein
If it is determined that an incident that has occurred in the first business system has an effect on the evaluation business system, apply measures to prevent the effect of the incident on the evaluation business system,
A computer system, which reproduces an incident that has occurred in the first business system on an evaluation business system to which the countermeasure is applied, and analyzes the influence of the incident on the evaluation business system. The computer system according to claim 2, wherein
The incident data includes information about a method of detecting an influence in the first business system and information about a countermeasure taken to eliminate the influence in the first business system,
The computer system is
Managing the business system management information defining the judgment criteria for judging the configuration and influence of each of the plurality of business systems,
Based on the business system management information, build the evaluation business system,
Based on the influence detection method in the first business system, it is determined whether or not the determination criterion of the evaluation business system is satisfied,
When it is determined that the evaluation criteria of the evaluation business system is satisfied, it is determined that an incident occurring in the first business system has an effect on the evaluation business system,
A computer system, wherein a measure corresponding to a measure taken to eliminate the influence of the first business system is applied to the evaluation business system. The computer system according to claim 1, wherein
The incident data includes an attack scenario defined as a combination of a plurality of attacks on the first business system,
The computer system is
A verification attack scenario is generated by changing at least one of the plurality of attacks constituting the attack scenario,
A computer system characterized by reproducing an incident generated in the first business system on the evaluation business system based on the verification attack scenario. A method for analyzing the impact of an incident executed by a computer system on a business system,
The computer system is
A plurality of computers having a processor, a storage device connected to the processor, and an interface connected to the processor;
Connect to multiple business systems that perform business,
The analysis method is
A first step in which at least one computer obtains incident data including information about an incident that has occurred in the first business system;
A second step of constructing an evaluation business system in which the at least one computer is a business system connected to the computer system and which simulates a business system different from the first business system;
A third step in which the at least one computer reproduces an incident that has occurred in the first business system on the evaluation business system based on the incident data, and analyzes the influence of the incident on the evaluation business system. When,
The at least one computer further comprises a fourth step of outputting the result of the analysis. The analysis method according to claim 5, wherein
When it is determined that the incident that has occurred in the first business system has an effect on the evaluation business system, the at least one computer prevents the evaluation business system from being affected by the incident. A fifth step of applying
A sixth step in which the at least one computer reproduces an incident that has occurred in the first business system on the evaluation business system to which the countermeasure is applied, and analyzes the influence of the incident on the evaluation business system; An analysis method comprising: The analysis method according to claim 6, wherein
The incident data includes information about a method of detecting an influence in the first business system and information about a countermeasure taken to eliminate the influence in the first business system,
The computer system manages business system management information that defines a determination criterion for determining the configuration and influence of each of the plurality of business systems,
The second step includes a step in which the at least one computer constructs the evaluation business system based on the business system management information,
The third step and the sixth step are
A step of determining whether or not the at least one computer satisfies the determination criterion of the evaluation business system based on a method of detecting an influence in the first business system;
When the at least one computer is determined to meet the evaluation criteria of the evaluation business system, it is determined that an incident occurring in the first business system has an effect on the evaluation business system. ,
The fifth step includes a step in which the at least one computer applies, to the evaluation business system, a measure corresponding to a countermeasure taken to eliminate an influence in the first business system. An analysis method characterized by the above. The analysis method according to claim 5, wherein
The incident data includes an attack scenario defined as a combination of a plurality of attacks on the first business system,
The third step is
The at least one computer generates a verification attack scenario by changing at least one of the plurality of attacks constituting the attack scenario;
The at least one computer reproduces an incident that has occurred in the first business system on the evaluation business system based on the verification attack scenario. An analysis device having a processor, a storage device connected to the processor, and an interface connected to the processor,
Connect to multiple business systems that perform business,
A reception unit that acquires incident data including information about an incident that has occurred in the first business system;
A construction unit that constructs an evaluation business system that is a business system connected to the analysis device and that simulates a business system different from the first business system,
An analysis unit that reproduces an incident that has occurred in the first business system on the evaluation business system based on the incident data, and analyzes the influence of the incident on the evaluation business system;
An analysis device, comprising: a presentation unit that outputs a result of the analysis. The analysis device according to claim 9, wherein
When the analysis unit determines that an incident that has occurred in the first business system has an influence on the evaluation business system, a measure for preventing the influence of the incident on the evaluation business system is applied. Including a countermeasure application section
The analysis apparatus, wherein the analysis unit reproduces an incident that has occurred in the first business system on the evaluation business system to which the countermeasure is applied, and analyzes the influence of the incident on the evaluation business system. The analysis device according to claim 10, wherein
The incident data includes information about a method of detecting an influence in the first business system and information about a countermeasure taken to eliminate the influence in the first business system,
The analysis device holds business system management information that defines a determination criterion for determining the configuration and influence of each of the plurality of business systems,
The construction unit constructs the evaluation business system based on the business system management information,
The analysis unit is
Based on the influence detection method in the first business system, it is determined whether or not the determination criterion of the evaluation business system is satisfied,
When it is determined that the evaluation criteria of the evaluation business system is satisfied, it is determined that an incident occurring in the first business system has an effect on the evaluation business system,
The analysis apparatus, wherein the measure application unit applies a measure corresponding to a countermeasure taken to eliminate the influence in the first business system to the evaluation business system. The analysis device according to claim 9, wherein
The incident data includes an attack scenario defined as a combination of a plurality of attacks on the first business system,
The analysis unit is
A verification attack scenario is generated by changing at least one of the plurality of attacks constituting the attack scenario,
An analyzer that reproduces an incident that has occurred in the first business system on the evaluation business system based on the verification attack scenario.

Images