Attack surface model for complex systems based on microservice architecture

Purpose of research. Increasing the level of security of information processed in information systems based on microservice architecture; by creating an effective protection system designed on the basis of knowledge obtained as a result of creating an attack surface model.

Methods. During the analysis, types of information systems (IS) were considered, among them complex IS created on the basis of microservice architecture were highlighted. Russian and foreign technologies, software allowing to automate the process of information processing were considered. A set-theoretic model of constructing an attack surface for information systems built on the basis of microservice architecture was proposed.

Results. An original approach to the description of the attack vector and surface is proposed, including a list of frequently encountered vulnerabilities, methods and tools for implementing an attack, as well as a list of possible objects of influence. A set-theoretic model for constructing an attack surface for information systems built on the basis of a microservice architecture is developed.

Results. Conducting research and developing an attack surface model for complex information systems built on a microservice architecture will improve the level of knowledge in the field of information security (IS) and ensure the security of processed data by building an effective information security system that takes into account current threats and methods of influencing the information system.

1. What is Threat Intelligence and how to use it? (In Russ.). Available at: http://www.sberbank.ru/ru/person/kibrary/articles/chto_takoe_threat_intelligence (accessed 10.11.2024).

2. Targeted attacks: stages, tools, methods. (In Russ.). Available at: http://www.sberbank.ru/ru/person/kibrary/articles/celevye-ataki-ehtapy-instrumenty-metody (accessed 10.11.2024).

3. Stages of cyber attacks methods. (In Russ.). Available at: https://vasexperts.ru/blog/bezopasnost/etapy-provedeniya-kiberatak/ (accessed 10.11.2024).

4. Linked by one chain: Kill Chain stages of cyber attacks and how to prevent them. (In Russ.). Available at: https://securitymedia.org/info/svyazannye-odnoy-tsepyu-kill-chainetapy-kiberataki-kak-ikh-predotvratit.html (accessed 10.11.2024).

5. Approaches to assessing the attack surface and fuzzing web browsers. (In Russ.). Available at: https://cyberleninka.ru/article/n/podhody-k-otsenke-poverhnosti-ataki-ifazzingu-veb-brauzerov (accessed 10.11.2024).

6. Attack vector. (In Russ.). Available at: https://encyclopedia.kaspersky.ru/glossary/attack-vector/ (accessed 10.11.2024).

7. MITRE ATT&CK. Available at: https://attack.mitre.org/ (accessed 10.11.2024).

8. CVE. Available at: https://cve.mitre.org/ (accessed 10.11.2024).

9. Adaptation of the S.T.R.I.D.E. approach for threat modeling. (In Russ.). Available at: https://osday.ru/2022/presentations/Moiseev.pdf (accessed 11/10/2024).

10. PASTA Threat Modeling. Available at: https://threat-modeling.com/pasta-threatmodeling/ (accessed 10.11.2024).

11. Major cyberattacks and leaks in the first half of 2024 in Russia. (In Russ.). Available at: https://blog.cortel.cloud/2024/05/23/krupnye-kiberataki-i-utechki-pervoj-poloviny-2024goda-v-rossii/ (accessed 15.10.2024).

12. Ostapenko G. A., Kulikov S. S., Konoplin A. V., Ostapenko A. A. Development of cyber polygon architecture to improve the quality and effectiveness of the educational process in the study of attacks on information systems and networks. Informatsiya i bezopasnost = Information and security. 2023; 26(1): 101-108. (In Russ.). https://doi.org/10.36622/VSTU.2023.26.1.012.

13. Demyanov A. Testing the cybersecurity of embedded systems using their digital counterpart. Elektronika: nauka, tekhnologiya, bezopasnost' = Electronics: science, technology, safety. 2021; (7): 126-29. (In Russ.).

14. Ulyanov A.N., Stolyarov M.G., Stelmakh I.V. Quality plus visibility the use of virtualization technologies for computing resources in the information and educational environment. BBO. 2021; (6). (In Russ.).

15. Monakhov M.Yu., Telny A.V., Mishin D.V. On the possibilities of using cyber polygons as assessment tools for determining the level of competence formation. Informatsionnoe protivodeistvie ugrozam terrorizma = Information counteraction to terrorist threats. 2015; 1(25): 269-277 (In Russ).

16. NCC: There is a threat of cyber attacks on Russian information resources. An online information security portal on the web. 2022 (In Russ). Available at: https://safesurf.ru/specialists/news/675925 / (accessed: 10/15/2024).

17. Kaspersky Lab: the number of cyber incidents in Russian companies has increased 4 times. Kaspersky Lab: [website]. 2022. (In Russ). Available at: https://www.kaspersky.ru/about/press-releases/2022_laboratoriya-kasperskogokolichestvo-kiberincidentov-v-rossijskihkompaniyah-uvelichilos-v-4raza (accessed: 10/15/2024).

18. Monakhov M.Yu., Telny A.V., Mishin D.V. On the possibilities of using cyber ranges as assessment tools for determining the level of competence development. Informatsionnoe protivodeistvie ugrozam terrorizma = Information counteraction to terrorist threats. 2015; 1(25): 269-277 (In Russ).

19. Arkhangelsky O.D., Syutov D.V., Kuznetsov A.V. Practical approaches to creating the infrastructure of an industrial cyberpolygon. Avtomatizatsiya v promyshlennosti = Automation in industry. 2020; (1): 52-57. (In Russ.).