SYSTEMOLOGICAL APPROACH TO THE INVESTIGATION OF CYBER INCIDENTS IN THE REGULATORY AND LEGAL FIELD OF UKRAINE AND INTERNATIONAL INFORMATION SECURITY STANDARDS

DOI:

https://doi.org/10.31891/2219-9365-2025-84-30

Keywords:

regulatory and legal regulation, information security, digital forensics, cyber incident investigation

Abstract

This research provides a systemological analysis of the organizational, methodological, and technological dimensions of Digital Forensics and Incident Response (DFIR) implementation within governmental information systems and critical national infrastructure facilities, an operational domain currently under extreme pressure from intense and sustained hybrid threats. The paper substantiates that DFIR is not a purely technical or reactive function but fulfils a strategic role, becoming a robust, cyclical mechanism essential for guaranteeing national cyber resilience and state stability. This transformation is examined through the lens of recognized international standards, notably the four-phase model of NIST SP 800-61 Rev. 2 and the requirements of ISO/IEC 27035:2023 on incident management and the legally verifiable preservation of digital evidence. Key technical imperatives for an effective national response capability are defined: ubiquitous and consistent deployment of Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA) systems, and mandatory integration with specialized Threat Intelligence (TI) exchange platforms such as the Malware Information Sharing Platform (MISP), identified as a necessary condition for real-time threat synchronization and coordinated containment actions. A critical review of existing national practice in Ukraine revealed pervasive systemic deficiencies: a critically low level of monitoring automation, institutional fragmentation in the protocols for exchanging Indicators of Compromise (IoC), and a significant shortage of highly qualified digital forensics specialists.
In response to these systemic shortcomings, an integrated cyber incident investigation methodology is proposed. It combines automated analytical tools (SIEM, MISP, and advanced forensic suites) with formalized, standardized, and legally binding response and reporting procedures.

Published

2025-12-11

How to Cite

MELNYK M., CHESHUN V., OLEKSIUK D., & CHESHUN D. (2025). SYSTEMOLOGICAL APPROACH TO THE INVESTIGATION OF CYBER INCIDENTS IN THE REGULATORY AND LEGAL FIELD OF UKRAINE AND INTERNATIONAL INFORMATION SECURITY STANDARDS. MEASURING AND COMPUTING DEVICES IN TECHNOLOGICAL PROCESSES, 84(4), 267–276. https://doi.org/10.31891/2219-9365-2025-84-30