RU2824732C1 - Information security incident response system and method - Google Patents

Abstract

FIELD: computer engineering.

SUBSTANCE: information security incident response method includes steps of: obtaining information on the detected information security incident from the security component; generating a response scenario on the computer device according to the obtained information; executing the generated response script to eliminate the consequences of the detected information security incident; transmitting the result of the execution of the incident response scenario to the server for evaluation result of script execution; scenario of responding to an information security incident is changed according to the received instructions.

EFFECT: faster response to a new information security (IS) incident on a computer device.

15 cl, 4 dwg

Description

Field of technology

The invention relates to the field of information security, and more specifically to systems and methods for automatically responding to an information security incident.

State of the art

Modern organizations tend to automate production processes. Thus, processes controlled or executed by humans are replaced by modern computer technologies and systems. As a result, the number of cyber attacks in the production process increases, which can develop into physical threats. The following types of automation are used in the production area:

- information technology (IT);

- automated production (computer-aided manufacturing, CAM);

- equipment with numerical control (NC);

- robots;

- flexible manufacturing systems (FMS);

- computer-integrated manufacturing (CIM).

The devices implemented in different types of automated systems may include computer devices such as personal computers (PCs), mobile devices (smartphones, tablets), servers and other similar devices.

A cyber attack is an unauthorized attempt to use, steal, or damage confidential information, including an organization's asset. An organization's asset is a tangible or intangible entity (object, item) that is valuable to the organization or its owner. Cyber attacks are carried out in various ways through computer networks and systems, for example, by using malicious software (SW).

Examples of malware include computer viruses, Trojan horses, spyware, ransomware, and any other applications or code that are designed to harm or exploit either computer devices or an organization's assets. Malware poses a serious risk to computer devices, making them vulnerable to loss of data and confidential information, identity theft, and loss of performance or functionality. In addition, attackers are constantly using more and more sophisticated attack methods (cyber attacks), such as exploiting vulnerabilities in computer devices or phishing resources. Such attack methods provoke new information security (IS) incidents.

An information security incident is usually understood as at least one undesirable information security event that can damage an organization's assets or compromise its operations. At the same time, there is currently a sharp increase in the number of information security incidents associated with malicious programs and attempts to launch them, as well as the use of vulnerabilities in computer devices to increase the level of access to the resources of the organization's production process. As a result of an information security incident, an intruder can gain access to the user's personal data, confidential information of the organization, gain the ability to encrypt files (for example, using an encryption program) or make an unauthorized transfer of confidential information. Examples of the consequences of information security incidents are the destruction of the documentary base (files, registry entries, system logs, etc.) in order to destroy traces of penetration, which will complicate a comprehensive investigation of the information security incident, blocking access to the computer information system or one of its computer devices by an intruder, and failure of the local computer network.

Currently, the tasks of collecting and analyzing information about an information security incident, as well as providing the said information on demand to users (information security specialists), are solved in one form or another by SIEM systems (Security Information and Event Management). These systems are designed to collect and analyze information coming from various sources, at least such as DLP (Data Loss Prevention), IDS (Intrusion Detection System), antivirus programs, UTM devices (Unified Threat Managers), automated user workstations, servers, routers, firewalls. SIEM systems also detect deviations in the operation of various computer systems based on information coming from various sources. These deviations are detected when comparing incoming information with normal information according to some criteria. Examples of criteria include, in particular, user login, computer device speed with antivirus software running, USB devices connected to the computer device, unauthorized installation of third-party software, unauthorized remote connections, changes in the computer device's outgoing Internet traffic, and activation of third-party background processes. Deviation from the norm can be determined based on the calculation of a statistical outlier. A statistical outlier is an extreme value in the input data that is far beyond the limits of other observations. For example, a computer device was started at night, but before that, the computer device was started only during the day. As soon as the SIEM system detects a deviation, an incident report is generated.

One example of such a system is Kaspersky Unified Monitoring and Analysis Platform (KUMA). KUMA allows you to increase the transparency of the protected object, enhances the effectiveness of protection measures and helps build a long-term security strategy. KUMA carries out centralized collection and analysis of information security event logs, real-time correlation of information security events and timely notification of the SIEM system about incidents.

Quite often, the incident response process is delayed. First of all, this is due to the fact that the process of collecting and analyzing information occurs on different computer devices (servers). Thus, information is collected directly on the security server, and the analysis of the collected information is performed on the server with the SIEM system. Another reason for the delay is the need to provide incident results to users with knowledge of information security for analysis and wait for a response. For this reason, the provision of information about the incident that occurred occurs quite quickly, and the result of the analysis of the transferred information can take a long time, in particular, up to several days.

Thus, from the patent application US2015207709A1 a method is known related to intelligent processing of PC log messages and detection of information security incidents. In one embodiment, the method implemented on a computer includes analysis of log messages using a recording device to determine whether at least one of the messages indicates an error (information security incident). The operating principle of the method for processing log messages is the same as that of SIEM systems. The disadvantages of the method include the lack of collection of an evidence base (information about the information security incident) and the lack of further adaptive response to the information security incident on the end computer device.

Another approach is known from patent US8225407B1. It presents a method for determining priorities and providing recommendations for adaptive response to information security incidents. In particular, the possibility of managing information security incidents at an automatic level without human intervention is disclosed. The process of adaptive response to an information security incident is performed until either new information about the incident is received, or the consequences of the incident are eliminated. This approach is also implemented on the principle of a SIEM system, where event correlation rules are processed and certain assessments or recommendations are issued for adaptive response to information security incidents. One of the disadvantages of the proposed method is the lack of automatic measures to actively counter the results of an information security incident on the end computer device.

The approaches that exist in one form or another apply a response to an information security incident, in particular, this is the collection of information about an information security incident for investigation using SIEM systems, the implementation of response measures aimed at counteracting the consequences of an information security incident, or user training. However, the process from detection to a response to an information security incident can stretch up to several days, which is a significant drawback. In this regard, the attacker has time to implement the intended action plan, for example, to obtain the necessary data and delete all traces of his activity, which prevents an information security specialist from conducting an investigation and identifying possible security problems in a computer network or computer device.

Analysis of the prior art allows us to conclude that the current technologies are not effective enough in terms of responding to an information security incident. Therefore, a solution is proposed that allows us to increase the effectiveness of responding to an information security incident.

Disclosure of the essence of the invention

The present invention relates to solutions that make it possible to increase the level of security of a computer system in an information environment by applying measures to respond to an information security incident based on the formation and execution of a scenario for automatically responding to an information security incident on a computer device.

The first technical result consists in expanding the arsenal of tools for eliminating the consequences of an information security incident on a computer device by forming and using a scenario for responding to an information security incident.

The second technical result is the reduction of the response time to a new information security incident on a computer device by generating a response scenario on the computer device before transferring it to the server, which in turn leads to an increase in the security of the entire computer network.

According to the embodiment, a method for responding to an information security incident (hereinafter referred to as an IS incident) implemented on a computer device is used, wherein said method includes the following stages: receiving information about a detected IS incident from at least one security component; generating a response scenario on the computer device in accordance with the received information, wherein the response scenario contains at least: operations for collecting additional information about the detected IS incident; measures for responding to the detected IS incident that make it possible to at least eliminate the consequences of the IS incident; executing the generated response scenario to eliminate the consequences of the detected IS incident; transmitting the result of executing the response scenario to the IS incident to the server to evaluate the result of executing the scenario, wherein: receiving instructions for changing the scenario from said server when the consequences of the IS incident have not been eliminated; saving the scenario in the scenario database when the consequences of the IS incident have been eliminated; changing the response scenario to the IS incident in accordance with the received instructions.

According to one particular embodiment, information about a detected information security incident includes at least information about one undesirable event that occurred on a computer device during the information security incident, and information about the security component that detected the information security incident, the class of the detected information security incident, and the time of detection of the information security incident.

According to another particular embodiment, the class of the detected information security incident is determined based on the security component that detected the information security incident.

According to another particular implementation option, a scenario is formed by analyzing the received information about a detected information security incident using rules.

According to another particular implementation option, during the analysis of the received information about a detected incident, the information security systems select the most relevant and priority operations for collecting additional information.

According to another particular variant of implementation of the operation for collecting additional information and measures to respond to the detected information security incident, they are formed and executed both sequentially and in parallel.

According to another particular embodiment, the operations for collecting additional information include at least one of: taking a screenshot at the time of an event or a series of screenshots at a specified interval; recording data about the user session and his account; building a list of processes on the computing device; building a list of threads of a specified process; building a list of services in the operating system and their status; building a list of drivers; building a list of loaded libraries; removing a process memory dump; collecting general data about the operating system, installed software, autorun of applications of the computing device; collecting network information; collecting information about connected devices; collecting information about files in quarantine; collecting information from the security event registration log using the advanced audit setting of the operating system installed by the user, storing records of security events of the computing device.

According to another specific implementation option, the operation to collect additional information additionally includes checking the effectiveness of the developed response measures.

According to another particular implementation option, response measures to a detected information security incident include primary and secondary response measures.

According to another particular implementation option, the primary response measures to a detected information security incident are generated automatically immediately after the information security incident is identified based on known information, without waiting for the results of the analysis of additional information collected about the information security incident, and include at least one of the following actions: changing the settings of the antivirus application on the computer device; disconnecting the computer device from the Internet; breaking remote connections (Remote Desktop Protocol); disconnecting peripheral devices, in particular, electronic digital signature tokens; removing third-party software; blocking the attacker by IP address; emergency shutdown of the computer device.

According to another particular embodiment, secondary response measures to a detected information security incident are formed as a result of analyzing information about the detected information security incident in accordance with instructions for using secondary response measures, and include at least one of the following actions: changing the requirements of the object's policy related to the requirements for access passwords; forming a list of updates to the object's operating system; starting a scan of the operating system of the computer device, wherein the scanning rules can be pre-defined by the user; changing security policies for preventing information leaks on the computer device.

According to another particular embodiment, the primary or secondary response measures additionally include instructions aimed at training the user of the computing device.

According to another particular implementation option, instructions for changing the response scenario are formed based on the results of a previously executed scenario and information about the detected information security incident.

According to another particular embodiment, in the case of performing the stage of the method for changing the scenario for responding to an information security incident, according to the received instructions, the following steps are performed: executing the generated scenario for responding to eliminate the consequences of the detected information security incident; transmitting the result of executing the scenario for responding to an information security incident to the server to evaluate the result of executing the scenario, while: receiving instructions for changing the scenario from the said server when the consequences of the information security incident have not been eliminated; saving the scenario in the scenario database when the consequences of the information security incident have been eliminated; to eliminate the consequences of the detected information security incident.

According to the embodiment, an information security incident response system is used, containing at least one computer, including means that interact with each other: an information collection means, a scenario generation means, an information security incident information base, a scenario base, a scenario execution means, during the execution of which the system responds to an information security incident according to one of the above-mentioned methods.

Brief description of the drawings

Additional objects, features and advantages of the present invention will be apparent from reading the following description of the embodiment of the invention with reference to the accompanying drawings, in which:

Fig. 1 schematically shows an example of the implementation of an information security incident response system;

Fig. 2 is a block diagram illustrating a method for responding to an information security incident.

Fig. 3 shows an example of generating a scenario for responding to an information security incident in a tree representation.

Fig. 4 shows an example of a general-purpose computer system.

Implementation of the invention

The objects and features of the present invention, the methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to other embodiments disclosed below, it can be embodied in various forms. The substance given in the description is nothing more than specific details provided to help a person skilled in the art to fully understand the invention, and the present invention is defined within the scope of the appended claims.

An IS incident is defined based on at least one undesirable IS event, the occurrence of which indicates a possible threat to information security (hereinafter referred to as an IS threat) of both an individual network node and the entire computer network. An IS threat is a set of conditions and factors that create a risk of information security breach. An IS threat is, in particular, at least one of the following: malicious software (SW), a computer attack or anomaly.

An undesirable information security event indicates a certain state of a network node (e.g., a computer device, an element of a computer device, a server) or a computer network at a certain point in time and indicates a possible violation of the information security policy, the failure of any protective measure, or the occurrence of a situation that is related to information security.

At the same time, an undesirable information security event indicates that an information security incident has occurred or may occur, and also indicates a connection with other events that may be both the causes of the occurrence and the consequences of the occurrence of this event.

Fig. 1 shows an example of the implementation of an information security incident response system, which is implemented on at least one device 102. Device 102 is understood to mean a computer device, such as a personal computer (PC), a mobile device (smartphones, tablets), a server and a data terminal.

In one embodiment, device 102 is a computer system, such as that shown in Fig. 4.

The information security incident response system (hereinafter referred to as the response system) 105 includes an information collection tool 110 , a scenario generation tool 115 , an information security incident information database 120 , a scenario database 125 , and a scenario execution tool 130 .

In the general case, the response system 105 receives information about a detected information security incident from at least one protection component 101 of the device 102 , where the information contains information about at least one undesirable information security event. Then, the response system 105 generates a scenario for responding to an information security incident to eliminate the consequences of the detected information security incident on the device 102.

Depending on the implementation, the functionality of the response system 105 can be implemented solely by hardware, as well as in the form of a combination, where part of the functionality of the response system 105 is implemented by software, and part by hardware. In some embodiments, at least one element of the response system 105 is executed on the processor of a computer system, for example, which is shown in Fig. 4 .

Information gathering tool110receives protection from one or more components101, installed on the device102,information about an information security incident that occurred and was detected by one or more security components101. The specified information includes information about at least one unwanted information security event and information about at least one triggered protection component.101, the class of the detected information security incident and the time of detection of the information security incident. In a particular embodiment of the protection component101additionally transmits information about the information security incident via the network103to the SIEM system located on the server135. The SIEM system stores the received information about the information security incident in the incident database145.

In a particular embodiment, at least one of the protection components 101 notifies the response system 105 about an information security incident that has occurred, after which the information collection means 110 collects information about the information security incident from at least one protection component 101 .

The object of an information security incident is either an element of a device 102 , where an element can be a technical means, a software means, a software and hardware means, or some information resource (for example, a file, document, website).

It is worth noting that the class of the information security incident is determined based on the protection component 101 that detected the information security incident. The protection component 101 is at least one of the following components that ensure the information security of the device 102 : file Anti-Virus, mail Anti-Virus, web Anti-Virus, IM Anti-Virus, program control, program manager, web camera protection, firewall, network monitoring, activity monitoring, protection against network attacks, Anti-Spam, Anti-Phishing, Anti-Banner, protection against data collection, safe payments, data entry protection, safe program mode, parental control.

At least the following classes of information security incidents can be detected by protection components 101 :

- introduction of malware modules into an object;

- using an object to distribute malware to third-party objects;

- a computer attack of the denial of service (DoS) type, directed at an object;

- a distributed denial of service (DDoS) computer attack directed at an object;

- unauthorized disabling of an object, for example blocking access of a computer device to the Internet;

- unintentional (without malicious intent) shutdown of an object;

- successful exploitation of a vulnerability in an object;

- compromise of an account in the object;

- listening (intercepting) the object’s network traffic;

- social engineering aimed at compromising an object, such as phishing or phreaking;

- unauthorized disclosure of information processed in the facility;

- unauthorized modification of information processed in the object;

- sending spam messages from the facility;

- publication of information prohibited by law in the facility;

- abuse of the object, i.e. the fact of deliberate, illegal and selfish use of the object, as a result of which the performance of the object is reduced (could be reduced). For example, constant CPU load of 90% or more;

- publication of fraudulent information in the object.

The information collection tool 110 transmits the received information about the information security incident to the scenario execution tool 130 . The scenario execution tool 130 checks for the presence of a suitable generated scenario for responding to an information security incident in the scenario database 125 . If a suitable scenario is present in the scenario database 125 , the scenario execution tool 130 receives the specified scenario. The scenario execution tool 130 executes the generated scenario for responding to an information security incident, interacting with the information collection tool 110 . Otherwise, if there is no suitable scenario for responding to an information security incident in the scenario database 125 , the scenario execution tool 130 notifies the information collection tool 110 about the absence of a suitable scenario and the information collection tool 110 transmits the received information about the information security incident to the scenario generation tool 115 . It can be said that the transmission of information about an information security incident to the scenario generation tool 115 indicates the presence of a new information security incident. The specified tool 115 generates a scenario by analyzing the received information in accordance with the rules. The scenario includes at least two parts: a sequence of actions (hereinafter referred to as operations) to collect additional information about the information security incident and measures to respond to the information security incident, allowing at least to eliminate the consequences of the information security incident. In a particular implementation option, collecting additional information includes checking the effectiveness of the response measures formed.

The scenario generation tool 115 , analyzing the received information about the information security incident, applies one or more rules. The rules can be applied both in parallel and sequentially. The rules have the form of a logical expression with IF-THEN operators (hereinafter referred to as IF-THEN rules). In the process of analyzing the received information about the information security incident, according to the rules, the scenario generation tool 115 generates requests, in particular, for obtaining additional information and transmits them to the information collection tool 110 , which in turn collects additional information using the protection component 101 . The information collection tool 110 transmits the results of collecting additional information to the scenario generation tool 115 . The obtained results allow the scenario generation tool 115 to select both additional operations for collecting additional information and to select or adjust response measures to the information security incident in the process of analyzing information about the information security incident. The result of the analysis of information about an information security incident by the means of generating a scenario 115 is a generated scenario of response to an information security incident, which includes two parts: operations to collect additional information about an information security incident and measures to respond to an information security incident. Requests are generated based on the received information about an information security incident or additional information about an information security incident, obtained using operations to collect additional information or measures to counter an information security incident.

Let us consider an example of the operation of the scenario generation tool 115. The scenario generation tool 115 received the following information about the detected information security incident from the information collection tool 110 :

- unwanted event – unauthorized access to device 102 ;

- name of the triggered protection component 101 – protection against network attacks;

- class of the detected information security incident – eavesdropping (capture) of the object’s network traffic;

- time of detection of the information security incident – 03:17:17.

Based on the information received, scenario generation tool 115 applied the following rules:

1) IF “the class of the detected information security incident is eavesdropping (capturing) of the object’s network traffic”, THEN the “operation to collect additional information – building a list of processes on the computer device; building a list of threads of a given process” and “response measure – blocking the eavesdropper by IP address” are applied;

Based on the results of the additional information gathering operation (building a list of processes on the computing device), the script generation tool 115 applies the second rule:

2) IF "Untrusted programs are running in the list of processes", THEN "operation to collect additional information - compiling a list of loaded libraries".

Based on the results of the additional information gathering operation (compiling the list of loaded libraries), the script generation tool 115 applies the third rule:

3) IF "To device 102 , completely remote connection", THEN "collecting network information; collecting information about connected devices".

Based on the results of the additional information collection operation (network information collection, connected device information collection), the 115 scenario generator applies the fourth rule:

4) IF “Remote connection is active”, THEN “response measure – break RDP connections”.

The analysis of information about the information security incident according to the rules and the formation of a response scenario, including operations for collecting additional information about the information security incident and measures for responding to the information security incident, are further disclosed in the description of Fig. 3.

It is worth noting that collecting additional information about an information security incident includes at least one of the following operations:

- taking a screenshot at the time of an event or a series of screenshots at a specified interval;

- recording data about the user's session and account;

- building a list of processes on a computer device;

- building a list of threads of a given process;

- building a list of services in the operating system and their status;

- building a list of drivers;

- building a list of loaded libraries;

- removing a process memory dump;

- collection of general data about the operating system, installed software, and auto-launch of applications on the computer device;

- collecting information about the network;

- collecting information about connected devices;

- collecting information about files in quarantine;

- collecting security event log information (e.g. Windows Security Log) using the advanced audit setting of the operating system installed by the user, which stores records of device security events 102 .

During the analysis, the scenario generation tool 115 selects the most relevant and priority operations for collecting additional information depending on the information about the information security incident. In one embodiment, the relevance and priority of each operation for a particular information security incident is established at the beginning of the invention, for example, it can be determined and specified by a user with certain knowledge in information security. A user with certain knowledge in information security is an information security employee, specialist, operator, expert, analyst or security officer. In another particular embodiment, operations that are simpler, i.e. do not require a large amount of time and resources for execution, have the highest priority. Examples of such operations are taking screenshots, building a list of processes and services. Priority determines the order of operation execution during scenario execution. In the case when the operations have the same priority, either both or one selected randomly are used. The information collection tool 110 stores the obtained results of operations to collect additional information about the information security incident in the database with information about the information security incident 120 .

In one of the particular implementation options, some operations for collecting additional information about an information security incident, regardless of the priority level, have a strict sequence of execution. This sequence is observed due to the execution of the operation based on the results of at least one previously executed operation. For example, the operation "removing a process memory dump" and the operation "building a list of loaded libraries" will be executed after the operation "building a list of processes on a computer device".

Let's look at an example of collecting additional information about an information security incident. On the device102at 3:45 am protection component101discovered a utility file for removing process dumps and stealing passwords. Information gathering tool110receives information about the detected utility via the protection component101and in the absence of a suitable scenario for responding to an information security incident in the database125passes them on in the scenario generation tool115. Scenario generation tool115generates the first part of the scenario for responding to an information security incident, which includes the following operations for collecting additional information: collecting general data about the system, installed software, autorun of computer device applications, compiling a list of loaded libraries, building a list of services in the system and their status, removing a process memory dump. All of the listed operations for collecting additional information, except for collecting general data about the system, have a higher execution priority. Scenario generation tool115passes the first part to the script runner130. Script execution tool130When executing a script, it passes the task to the information gathering tool110to perform operations to collect additional information about an information security incident. Information collection tool110after collecting additional information, passes the information to the script executor130. After analyzing the additional information received, the script execution tool130determines what is on the device102The backup script that was launched based on the request received from the user was executed.

The measures to respond to an information security incident generated by the scenario generation tool 115 are intended to at least eliminate the consequences of the detected information security incident and may include both primary and secondary measures. As a rule, primary measures are generated automatically immediately after the information security incident is detected based on known information, without waiting for the results of the analysis of additional information collected about the information security incident. Examples of primary measures, in particular, include at least one of the following actions:

- changing the settings of the antivirus application on the device 102 ;

- disconnecting device 102 from the Internet;

- breaking remote connections to the desktop (Remote Desktop Protocol);

- disabling peripheral devices, in particular, electronic digital signature tokens;

- removal of third-party software;

- blocking the attacker by IP address;

- emergency shutdown of the device.

Secondary measures for responding to an information security incident are generated based on the results of the analysis of all additional information about the information security incident, carried out by the scenario generation tool 115. Secondary measures are generated locally on the device 102, as a result of the analysis of information about the information security incident by the scenario generation tool 115 and instructions for applying secondary measures received from the server (SIEM system) 135. Instructions for applying secondary measures are generated after transferring all collected information about the information security incident to the server (SIEM system) 135. An example of such instructions are measures for responding to an information security incident that cannot be performed automatically or require special permission for their execution. Examples of secondary measures, in particular, include at least one of the following actions:

- changing the requirements of the object's policy related to the requirements for access passwords;

- formation of a list of updates for the object’s operating system;

- launching a scan of the operating system of the computer device 102 , wherein the scanning rules can be pre-defined by the user;

- changing security policies (rules) to prevent information leaks on device 102 .

In a particular embodiment, the primary or secondary measures additionally include instructions aimed at training the user of the computing device. The instructions aimed at training contain at least one of:

- training content according to the identified information security incident;

- a list of requirements to prevent future information security incidents similar to the identified information security incident.

The training content can be provided to the user of the device 102 in various formats, in particular in the form of a video, presentation, article, interactive interaction, instruction or notification. The instructions are generated on the server 135 , in particular, by means of interaction with the user (IS specialist).

Let us consider an example of selecting response measures to eliminate the consequences of an information security incident related to the detection of installed malware. Information collection tool 110 receives the following information about the information security incident from protection components 101 :

- unwanted event – unauthorized installation of malware;

- name of the triggered protection components 101 – protection against data collection and network monitoring;

- class of the detected information security incident – use of an object for distributing malicious software;

- time of detection of the information security incident – 12:24:00.

The information collection tool 110 transmits the obtained information to the scenario generation tool 115 for generating an information security incident response scenario. The scenario generation tool 115 generates an information security incident response scenario using the IF-THEN rule analysis, based on which at least requests for collecting additional information are generated. The requests include at least one of the following operations for collecting additional information: building a list of services in the system and their status, building a list of loaded libraries, building a list of threads of a specified process. The information collection tool 110 saves the obtained results of the operations for collecting additional information about the information security incident in the database with information about the information security incident 120 . In parallel with the operations for collecting additional information, the scenario generation tool 115 generates the following primary response measures: disconnecting the device from the Internet, breaking remote connections. Based on the results of operations to collect additional information about the information security incident stored in the database 120 and the analysis according to the “IF – THEN” rule, the scenario generation tool 115 generates a secondary response measure: launching a full scan of the operating system of the computer device 102 with manual changes to the scanning settings.

In another embodiment, depending on the information security incident, the scenario generation tool 115 generates a scenario for responding to the information security incident, which simultaneously contains primary and secondary response measures, wherein the secondary measures will be generated without the results of collecting additional information. In addition, the scenario contains a requirement according to which the execution of the specified measures is carried out in parallel mode. For example, the scenario contains the following measures: changing the settings of the antivirus application on the device 102 , disconnecting the device 102 from the Internet, breaking remote connections to the desktop (Remote Desktop Protocol), changing security policies (rules) for preventing information leaks on the device 102 .

Let us consider an example of forming a response scenario to an information security incident. Information collection tool 110 received the following information from protection components 101 installed on device 102 :

- unwanted event – unauthorized copying of information contained on device 102 ;

- name of the triggered protection components 101 – mail Antivirus and protection from network attacks;

- class of the detected information security incident – introduction of malicious software modules into the object;

- time of detection of the information security incident – 04:13:21.

Information collection tool 110 transmits the received data to scenario generation tool 115 to generate a scenario for responding to an information security incident using the IF-THEN rule analysis. Based on the analysis results, scenario generation tool 115 generates a scenario. The scenario includes the following operations for collecting additional information about the information security incident:

- taking a screenshot and recording data about the user's session and account;

- collecting information about the user's session, including blocked ones;

- collecting information about the network;

- building a list of services in the system and their status;

- collection of general data about the system, installed software, and autostart of computer device applications.

The scenario also includes the following primary measures to respond to an information security incident: removing third-party software, blocking the attacker by IP address.

The scenario generation tool 115 transfers the generated response scenario to the scenario execution tool 130 . The scenario execution tool 130 can execute the scenario both sequentially and in parallel, while when selecting the appropriate execution mode, it is guided either by the requirements of the scenario itself or by the available technical capabilities for executing the scenario, such as optimization and intelligent parallelization (see the description of Fig. 3 ). During sequential execution, operations for collecting additional information about the information security incident are performed first. When executing the scenario, the scenario execution tool 130 transfers the task to the information collection tool 110 to execute operations for collecting additional information about the information security incident with subsequent storage of the results of collecting additional information in the information security incident information database 120 and transmission via network 103 to the SIEM system located on server 135 . Server 135 can be implemented as a cloud service or an on-premise service. Transfer of results to the SIEM system is necessary for backup of information and further investigation, assessment of the characteristics of the occurrence and activity of the information security incident by information security employees. Then, the scenario execution tool 130 transfers the task to at least one protection component 101 through the information collection tool 110 for the execution of measures to respond to the information security incident.

The scenario execution tool 130, after executing the generated scenario for responding to an information security incident, transmits the scenario execution result, which includes at least the results of executing the measures for responding to an information security incident, to the server 135 via the network 103 for evaluating the scenario execution result. The server 135 evaluates the scenario execution result. If the consequences of the information security incident were not eliminated by the executed measures for responding to an information security incident, then the server 135 sends instructions for changing the scenario to the scenario generation tool 115 . Otherwise, if the consequences of the information security incident were eliminated by the executed measures for responding to an information security incident, then the scenario is marked as successful and added to the scenario database 140 . The scenario database 140 stores successful scenarios for responding to an information security incident, collected from the devices 102 located in the network 103 . The server 135 transmits successful scenarios for responding to an information security incident from the scenario database 140 to the scenario database 125 located on the device 102 for the purpose of using a successful scenario for the detected information security incident. Instructions for changing the scenario are formed based on the results of a previously executed scenario and information about the information security incident, and they can be selected from previously generated instructions or generated using interaction with the user in real time. In one embodiment, the instruction contains changes that must be made to the scenario. In another embodiment, the instructions include a modified scenario containing response measures for eliminating the consequences of the information security incident, and operations for collecting additional information about the said information security incident. It is worth noting that the instructions can contain operations and/or response measures that previously could not be executed automatically or required permission to execute them, for example, installing a program that protects against information leakage, or starting an operating system scan with manual configuration (manual configuration is performed by the user). The scenario generation tool 115 modifies the information security incident response scenario taking into account the received instructions and transmits the modified scenario to the scenario execution tool 130 . Modifying the scenario taking into account the instructions consists either in introducing the received changes related to the operations for collecting additional information and response measures to eliminate the consequences of the information security incident, or in completely replacing the generated scenario with the scenario received as instructions. The scenario execution tool 130 applies the modified scenario to the information security incident and transmits to the server 135 the result of the scenario execution, which includes at least the results of the execution of the response measures to the information security incident . If the scenario for responding to the information security incident eliminated the consequences of the incident, then it is saved in the scenario database 140 , located in the SIEM system located on the server 135 , as successful. Otherwise, the scenario is saved in the scenario database 140 as requiring changes, and instructions for changing the scenario for responding to the information security incident are repeatedly received from the server 135 via the network 103 to the scenario generation tool 115 . In a particular embodiment, the server (SIEM system) 135, after successfully executing the scenario for responding to an information security incident, transmits information about the successful scenario to other devices 102, united by the network 103. The transmission of said information can be carried out both by general distribution, for example, through updating the databases, and at the request of each device 102 separately.

Fig. 2 shows a method for automatically responding to an information security incident. The presented method is implemented using the means of the response system 105 , presented in the description of Fig. 1

At step 210, using the information collection tool 110, information about the information security incident is received from at least one protection component 101. The information about the information security incident includes at least information about the undesirable event that occurred on the device 102 during the information security incident, and information about the protection component 101 that detected the information security incident, the class of the detected information security incident, and the time of detection of the information security incident. Then, using the information collection tool 110, the received information about the information security incident is transmitted to the scenario generation tool 115 for generating a scenario for responding to the information security incident.

In a particular embodiment , the information received about the information security incident is first transmitted from the protection component 101 to the scenario execution tool 130 using the information collection tool 110 to check for the presence of an existing response scenario. The presence of a suitable generated scenario for responding to an information security incident is checked in the scenario database 125 using the scenario execution tool 130. If a suitable scenario is present in the scenario database 125, the specified scenario is obtained using the scenario execution tool 130. The scenario execution tool 130 executes the generated scenario for responding to the information security incident, interacting with the information collection tool 110. Otherwise, if the scenario database 125 does not contain a suitable scenario for responding to an information security incident, the scenario execution tool 130 notifies the information collection tool 110 about this and the information collection tool 110 transmits the information received about the information security incident to the scenario generation tool 115. It should be noted that this information is the minimum information necessary for generating a scenario for responding to an information security incident.

At step 220, a scenario for responding to an information security incident is generated using the scenario generation tool 115. The scenario is generated by analyzing the received information about the information security incident using the "IF - THEN" rules. Examples of using the rules and generating a scenario are presented in the description of Fig. 1. The scenario for responding to an information security incident includes operations for collecting additional information about the information security incident and measures for responding to the information security incident. The scenario generation tool 115 transmits the generated scenario for responding to the scenario execution tool 130.

At the stage230using the script execution tool130perform the formed scenario for responding to an information security incident. The scenario execution tool130when executing the script, the task is transferred to the information gathering tool110to perform operations to collect additional information about an information security incident with subsequent storage of the results of collecting additional information in the information security incident information database120and transmission via the network103to the SIEM system located on the server135. Then, using the script execution tool130delegate the task to at least one security component101via information gathering tool110to implement measures to respond to an information security incident.

An example of executing a generated scenario for responding to an information security incident by means of executing a scenario 130 , containing the following information:

- unwanted event – unauthorized access and copying of confidential information located on device 102 ;

- name of the triggered protection component 101 – protection against network attacks;

- class of the detected information security incident – eavesdropping (capture) of the object’s network traffic;

- the time of detection of the information security incident is 12:35:01, and looks like the one presented below.

By interacting with at least one security component 101 via an information collection means 110 that receives requests from a script execution means 130 and provides responses:

1. take a screenshot and record data about the user's session and account.

2. In parallel, they collect information about connected devices and network information and terminate RDP (Remote Desktop Protocol) connections.

3. build a list of drivers and loaded libraries.

4. collect general data about the operating system, installed software, and startup.

5. Consistently remove third-party software and block the attacker by IP address.

In a particular embodiment, stages 220 and 230 are combined, and in this case the scenario is executed in the process of forming the scenario itself. With combined stages 220 and 230, the selection of operations for collecting additional information about the information security incident and measures to respond to the information security incident occurs, among other things, based on the results of the operations and measures executed in the process of forming the scenario.

At step 235, the result of executing the generated scenario for responding to an information security incident, including at least the results of executing measures for responding to an information security incident, is transmitted using the scenario execution tool 130 to the server 135 via the network 103 to evaluate the result of executing the scenario.

At the stage240with the help of servers135evaluate the result of the execution of the response scenario to an information security incident. If the consequences of the information security incident were not eliminated by the implemented measures to respond to the information security incident, then they are obtained using the scenario generation tool115instructions for changing the script from the server135. Otherwise, if the consequences of the information security incident were eliminated by the implemented measures to respond to the information security incident, then at the stage250the script is saved to the script database140.

If the consequences of an information security incident are not eliminated, then at the stage260 using the means scenario formation115change the scenario for responding to an information security incident according to the instructions received from the server135and return the modified script to the stage230.

In one implementation, the instruction contains changes that need to be made to the script.

In another implementation option, the instructions include a modified scenario containing response measures to eliminate the consequences of an information security incident and operations to collect additional information about the said information security incident. It is worth noting that the instructions may contain operations and/or response measures that previously could not be executed automatically or required permission to execute them, such as installing a program that protects against information leakage or running an operating system scan with manual configuration (manual configuration is performed by the user).

In a particular embodiment of the implementation at the stage260instructions are generated on the server135by interacting with the user. In this case, the user is provided with the results of a previously executed scenario and information about the information security incident using the tool scenario formation115and await a response. The response provided may contain either specific instructions or changes to the instructions generated by the script generator.115.

OnFig. 3An example of forming a response scenario for an information security incident is presented305means of forming a scenario115V tree-like form according to the "IF-THEN" rules. Information gathering tool110transmits the received information about the detected information security incident310in the scenario generation tool115. Formation of the scenario305includes operations to collect additional information about the information security incident and measures to respond to the information security incident. The scenario is a tree-like structure, at the stages of "IF»which an analysis is performed, on the basis of which a decision is made whether to record a particular collection operation or response measure in the scenario or not. In a particular implementation option, the formation of a scenario is possible without analyzing additional information, since the operations and measures will have a strict sequence. The formation of a scenario depends on the initial information about the detected information security incident, namely, information about at least one undesirable event, the name of the triggered protection components101, the class of the detected information security incident and the time of detection of the information security incident. When selecting each operation for collection and response measures at the stages"IF"it is taken into account whether its optimization and intelligent parallelization are admissible. Optimization of operations for collecting additional information and measures to respond to an information security incident consists of revising the sequence of "IF" stages in order to reduce the response time and increase the effectiveness of responding to an information security incident. Possible options:

- “optimization is prohibited” – the operation or measure is always executed, and can be added several times within the scenario, and must be executed without fail;

- “can be optimized” – operations and measures that can be optimized several times in a scenario, however, for operations and measures marked “can be optimized”, a register of their execution is maintained, as a result, after the first successful execution, subsequent similar calls are not executed;

- “optimization during generation” – similar operations marked “can be optimized” are not added;

- “optimization of execution time” – when two information security incidents are detected, it may turn out that the scenario for the first incident was launched after the second incident occurred, and some of the operations and measures that are relevant for the second incident and present in its response scenario have already been executed.

Intelligent parallelization is used to reduce the time of generating a response scenario for an information security incident. In the process of generating a response scenario for an information security incident, the scenario generation tool 115 groups operations and measures by the parallelization feature. Individual operations and measures in the scenario may have a parallelization feature, i.e. several options for parallel execution of the operation and measure. Among other things, the scenario generation tool 115 , when making decisions on parallelism, takes into account the resources of the device 102 , for example (the amount of available RAM, the degree of load on the hard or SSD disk). Examples of parallelization features are discussed below.

- "Parallel launch prohibited". This parallelization flag is important for operations to collect additional information and measures to respond to an information security incident, which must be executed in a strictly defined order. Example: the user's PC screen displays the content "You have reached a phishing page, how to protect yourself?", thus the training window is located on top of the browser window. In this case, "operation 1" to take a screenshot is not informative, since the training window is located on top of the phishing source. In another option, the user will see a notification about a phishing incident with an instruction to immediately close the browser. In this case, "operation 1" to take a screenshot is not informative, and the response system 105 will not receive data for research and screenshots. Thus, in this case, the measures to respond to an information security incident aimed at training cannot be launched in parallel with operations to collect additional information about the information security incident, they should be launched only after collecting additional information about the information security incident.

- "Parallel launch permitted within a group" - parallel operation of operations and measures is possible, but within a group of operations. For example, two or three operations within a group of operations to collect additional information about an information security incident, provided that they do not interfere with each other.

- "Parallel execution allowed". The flag indicates the possibility of performing operations to collect additional information or measures to respond to an information security incident in parallel. This flag is assigned to operations and measures provided that none of the measures or operations interfere with each other's execution

Below is an example of intelligent parallelization in an information security incident response scenario. The operation of collecting RDP operation logs and collecting data on connected devices has two parallel launch options: parallel launch is prohibited and parallel launch is allowed within a group. If, when forming a scenario, a group of more than two operations is formed that will not interfere with each other during execution, then this operation will be executed in parallel; if this does not happen, then parallel launch of the operation is prohibited.

When executing a generated scenario for responding to an information security incident by the scenario execution tool 130 , each operation and measure has a "completed" execution record mark. This allows implementing a number of functional capabilities, which are listed below.

- Restore the script operation in case of reboot of device 102. For example, on "operation Nm" of execution of the script of response to an information security incident, device 102 is rebooted. In this case, when device 102 is started, execution of the script will not start from the beginning, but will continue from the last operation marked "executed".

- Possibility to postpone operations and measures marked as "not executed" without interrupting the execution of the response scenario. Example: during "operation N" of taking a series of screenshots, the user of device 102 locks the device using the key combination "Win-L". In this case, the operation of taking a series of screenshots is not informative, therefore "operation N" is marked as "not executed", and "operation Nn" or "operation Nm" is executed.

- When 2 or more scenarios operate in parallel on device 102, information about the accounting of the execution of operations via network 103 is transferred to the incident database 145 , located in the SIEM system implemented on server 135. This functionality helps optimize the response to an information security incident, since most of the operations and measures overlap.

In a particular embodiment, when generating scenario 305, scenario generation tool 115 additionally generates conditions under which the scenario is executed. An example of such conditions are requirements for the presence of the initial state of the device, under which the information security incident was detected. A conditional launch mark is set to control the execution of the scenario on device 102. For example, user X, under his account and during his shift, followed a phishing link, after which he turned off device 102. Protection component 101 was triggered, information about the incident was then transferred to scenario generation tool 115. The next time device 102 was turned on, user Y came on shift and logged in under his account. Since the scenario contains a mark (a conditional launch mark) about which account was used to log in to the system at the time the information security incident was detected, the operation to take a screenshot on user Y's account is uninformative and will not be executed.

Among other things, the IS incident response scenario has a "lifetime" function. This function allows the scenario execution tool 130 to control the relevance of operations and measures. For example, on the device 102, the protection component 101 detected an IS incident, the information collection tool 110 received information about the IS incident and transferred it to the scenario generation tool 115. The scenario generation tool 115 generated a scenario, which it transferred for execution to the scenario execution tool 130. However, before executing the scenario, the device 102 was turned off for a long time. After turning on the device 102, according to the set "lifetime", the execution of most of the operations and measures of the IS incident response scenario became irrelevant. Accordingly, the scenario will not be executed.

Below is an example of formation by means of115IS incident response scenario305based on the IF-THEN rules, while the means115received the following information about the detected information security incident310:

- unwanted event – unauthorized access and copying of confidential information located on device 102 ;

- name of the triggered protection component 101 – protection against network attacks;

- class of the detected information security incident – eavesdropping (capture) of the object’s network traffic;

- time of detection of the information security incident – 12:35:01.

At step 321 " IF " the user session activity is analyzed. If it is active, "operation N" is written into the script - taking a screenshot and recording data about the user session and his account. If the user session is not active, "operation 1" is written into the script - collecting information about the user session, including the completed session.

At stage 322 "IF" an analysis of the presence of a remote connection to device 102 is performed. If there is no remote connection, then "operation 1.2" is written to the script - the recording of operations in the script is complete. If there is a remote connection, then "operation 1.1" is written to the script - collecting data on running processes, services, drivers.

At step 323 " IF ", the presence of a remote connection to device 102 is analyzed. If a remote connection is present, then "operation Nm" is written to the script - collecting RDP operation logs and collecting data on connected devices. If there is no remote connection, then "operation Nn" is written to the script - collecting information from the security event log (for example, Windows Security Log) using the advanced audit setting of the operating system installed by the user, storing records of security events of device 102 .

At step 331 “IF”, based on the results of “ operation 1.1 or Nm”, “measure 1” is written into the script – breaking RDP connections with the mark “parallel execution with “operation 1.1 or Nm””.

At stage 324 "IF" it is specified whether the device 102 is physical. If the device 102 is physical, then the "Nmp operation" is written into the script - building a list of drivers and compiling a list of loaded libraries. Then the "Nmpp operation" is written into the script - collecting information, collecting general data about the system, installed software, autorun, with the note "parallel execution with "Nmp operation".

At step 332 "IF" based on the results of "operation Nmp", if the protection component 101 detects a sniffer (software that analyzes incoming and outgoing traffic from a computer connected to the Internet), "measure 1.1" is written into the script - removal of third-party software, "measure 1.1.1" - blocking the attacker by IP address, with a note of parallel execution of "measure 1.1 and measure 1.1.1". Otherwise, "measure 1.2" is written into the script - disconnecting device 102 from the Internet.

The generated scenario is transferred for execution 340 . In a particular implementation option, the execution of the scenario for responding to an information security incident occurs in parallel with its generation.

Thus, the disclosed invention allows to reduce the response time to a new information security incident on a computer device by generating a response scenario on a computer device before transferring it to the server, which in turn leads to an increase in the security of the entire computer network. More specifically, by performing operations to collect additional information about an information security incident with parallel transfer of the results of collecting additional information to the SIEM system, as well as applying response measures aimed at eliminating the consequences of an information security incident.

Fig. 4 shows a computer system on which various embodiments of the systems and methods disclosed in this document can be implemented. The computer system 20 can be a system configured to implement the present invention and can be in the form of a single computing device or in the form of several computing devices, such as a desktop computer, a portable computer, a notebook, a mobile computing device, a smartphone, a tablet computer, a server, a mainframe, an embedded device, and other forms of computing devices.

As shown in Fig. 4 , the computer system 20 includes: a central processor 21 , a system memory 22 and a system bus 23 that connects various system components, including memory associated with the central processor 21 . The system bus 23 is implemented as any bus structure known in the art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus capable of interacting with any other bus architecture. Examples of buses are: PCI, ISA, PCI-Express, HyperTransport™, InfiniBand™, Serial ATA, I2C and other suitable connections between components of the computer system 20 . The central processor 21 contains one or more processors having one or more cores. The central processor 21 executes one or more sets of machine-readable instructions that implement the methods presented in this document. The system memory 22 may be any memory for storing data and/or computer programs executed by the central processor 21 . The system memory may contain both a read-only memory (ROM) 24 and a random access memory (RAM) 25 . The main input/output system (BIOS) 26 contains the main procedures that ensure the transfer of information between elements of the computer system 20 , for example, at the time of loading the operating system using the ROM 24 .

The computer system 20 includes one or more data storage devices, such as one or more removable storage devices 27 , one or more non-removable storage devices 28 , or combinations of removable and non-removable devices. One or more removable storage devices 27 and/or non-removable storage devices 28 are connected to the system bus 23 via the interface 32. In one embodiment, the removable storage devices 27 and the corresponding computer-readable storage media are non-volatile modules for storing computer instructions, data structures, program modules and other data of the computer system 20. The system memory 22 , the removable storage devices 27 and the non-removable storage devices 28 can use various computer-readable storage media. Examples of computer-readable storage media include computer memory such as cache memory, SRAM, DRAM, Z-RAM, T-RAM, eDRAM, EDO RAM, DDR RAM, EEPROM, NRAM, RRAM, SONOS, PRAM; flash memory or other memory technologies such as solid-state drives (SSD) or flash drives; magnetic cassettes, magnetic tapes, and magnetic disks such as hard disks or floppy disks; optical media such as compact discs (CD-ROM) or digital versatile discs (DVD); and any other media that can be used to store desired data and that can be accessed by a computer system 20 .

The system memory 22 , the removable storage devices 27 and the non-removable storage devices 28 contained in the computer system 20 are used to store the operating system 35 , applications 37 , other program modules 38 and program data 39. The computer system 20 includes a peripheral interface 46 for transmitting data from input devices 40 , such as a keyboard, mouse, stylus, game controller, voice input device, touch input device, or other peripheral devices, such as a printer or scanner through one or more input/output ports, such as a serial port, parallel port, universal serial bus (USB) or other peripheral interface. A display device 47 , such as one or more monitors, projectors or built-in displays, is also connected to the system bus 23 through an output interface 48 , such as a video adapter. In addition to the display devices 47 , the computer system 20 is equipped with other peripheral output devices (not shown in Fig. 4 ), such as speakers and other audiovisual devices.

The computer system 20 may operate in a network environment using a network connection with one or more remote computers 49. The remote computer (or computers) 49 is a working personal computer or a server that contains most or all of the components mentioned earlier in describing the essence of the computer system 20 shown in Fig. 4. Other devices may also be present in the network environment, such as routers, network stations or other network nodes. The computer system 20 may include one or more network interfaces 51 or network adapters for communicating with the remote computers 49 via one or more networks, such as a local area network (LAN) 50 , a wide area network (WAN), an intranet and the Internet. Examples of a network interface 51 are an Ethernet interface, a Frame Relay interface, a SONET interface and wireless interfaces.

Embodiments of the present invention may be a system, a method, or a computer-readable storage medium (or carrier).

A computer-readable storage medium is a tangible device that stores and stores program code in the form of computer-readable instructions or data structures that are accessible to the central processor 21 of the computer system 20. The computer-readable storage medium may be an electronic, magnetic, optical, electromagnetic, semiconductor memory device, or any suitable combination thereof. As an example, such a computer-readable storage medium may include random access memory (RAM), read-only memory (ROM), EEPROM, a portable compact disc with read-only memory (CD-ROM), a digital versatile disk (DVD), flash memory, a hard disk, a portable computer diskette, a memory card, a floppy disk, or even a mechanically encoded device such as punched cards or relief structures with instructions recorded thereon.

The system and method of the present invention can be considered in terms of means. The term "means" as used herein refers to an actual device, component or group of components implemented by hardware, such as an application-specific integrated circuit (ASIC) or FPGA, or by a combination of hardware and software, such as a microprocessor system and a set of machine-readable instructions for implementing the functionality of the means, which (when executed) transform the microprocessor system into a special-purpose device. The means can also be implemented as a combination of these two components, where some functions can be implemented only by hardware, and other functions - by a combination of hardware and software. In some embodiments, at least a part, and in some cases all of the means can be executed on the central processor 21 of the computer system 20. Accordingly, each means can be implemented in various suitable configurations and should not be limited to any particular embodiment given herein.

Finally, it should be noted that the information provided in the description is examples that do not limit the scope of the present invention defined by the claims. It will be clear to one skilled in the art that in developing any actual embodiment of the present invention, many decisions specific to a particular embodiment must be made in order to achieve specific goals, and these specific goals will be different for different embodiments. It is understood that such development efforts can be complex and time-consuming, but, nevertheless, they will be a routine engineering task for those of ordinary skill in the art, using the present disclosure.

Claims (48)

1. A method for responding to an information security incident (hereinafter referred to as an IS incident) implemented on a computer device, wherein the specified method includes the following stages: a) receive information about a detected information security incident from at least one security component; b) generate a response scenario on a computer device in accordance with the information received, wherein the response scenario contains at least: • operations to collect additional information about the detected information security incident; • measures to respond to a detected information security incident that allow at least the elimination of the consequences of the information security incident; c) execute the developed response scenario to eliminate the consequences of the detected information security incident; d) transmit the result of the execution of the scenario for responding to an information security incident to the server to evaluate the result of the scenario execution, while: • receive instructions to change the scenario from the said server when the consequences of the information security incident have not been eliminated; • save the scenario in the scenario database when the consequences of the information security incident have been eliminated; d) change the scenario for responding to an information security incident in accordance with the instructions received. 2. The method according to claim 1, wherein the information about the detected information security incident includes at least information about one undesirable event that occurred on the computer device during the information security incident, and information about the security component that detected the information security incident, the class of the detected information security incident, and the time of detection of the information security incident. 3. The method according to item 2, wherein the class of the detected information security incident is determined based on the security component that detected the information security incident. 4. The method according to paragraph 1, in which a scenario is formed by analyzing the received information about the detected information security incident using rules. 5. The method according to paragraph 4, in which, during the analysis of the received information about the detected information security incident, the most relevant and priority operations for collecting additional information are selected. 6. The method according to paragraph 1, in which the operations for collecting additional information and measures to respond to a detected information security incident are formed and executed both sequentially and in parallel. 7. The method according to claim 1, wherein the operations for collecting additional information include at least one of: • taking a screenshot at the time of an event or a series of screenshots at a specified interval; • recording data about the user's session and account; • building a list of processes on a computing device; • building a list of threads of a given process; • building a list of services in the operating system and their status; • building a list of drivers; • building a list of loaded libraries; • removing a process memory dump; • collection of general data about the operating system, installed software, and auto-launch of applications on the computer device; • collecting information about the network; • collecting information about connected devices; • collecting information about files in quarantine; • collecting security event log information using the advanced audit setting of the operating system installed by the user, which stores records of security events of the computing device. 8. The method according to paragraph 1, wherein the operations for collecting additional information additionally include checking the effectiveness of the generated response measures. 9. The method according to item 1, wherein the response measures to the detected information security incident include primary and secondary response measures. 10. The method according to paragraph 9, in which the primary measures to respond to a detected information security incident are generated automatically immediately after the information security incident is identified based on known information, without waiting for the results of the analysis of additional information collected about the information security incident, and include at least one of the following actions: • changing the settings of the antivirus application on the computer device; • disconnecting the computer device from the Internet; • breaking remote connections (Remote Desktop Protocol); • disabling peripheral devices, in particular digital signature tokens; • removal of third-party software; • blocking the attacker by IP address; • emergency shutdown of a computer device. 11. The method according to item 9, wherein secondary response measures to a detected information security incident are formed as a result of an analysis of information about the detected information security incident in accordance with instructions for applying secondary response measures, and include at least one of the following actions: • changing the requirements of the object's policy related to access password requirements; • formation of a list of updates to the object’s operating system; • launching a scan of the operating system of a computer device, while the scanning rules can be pre-defined by the user; • changing security policies to prevent information leaks on a computing device. 12. The method of claim 9, wherein the primary or secondary response measures further include instructions aimed at training a user of the computing device. 13. The method according to paragraph 1, wherein the instructions for changing the response scenario are generated based on the results of a previously executed scenario and information about the detected information security incident. 14. The method according to paragraph 1, wherein in the case of step d) being performed, steps c)–d) are performed to eliminate the consequences of the detected information security incident. 15. An information security incident response system comprising at least one computer including means that interact with each other: an information collection means, a scenario generation means, an information security incident information database, a scenario database, a scenario execution means, during the execution of which the system responds to an information security incident according to the method according to any of paragraphs 1-14.