
Use Case: Cyber Breach Analysis and Categorization

sbarnum edited this page Sep 10, 2015 · 1 revision

Cyber Breach Analysis and Categorization

Abstraction Level (High, Medium or Low): High

Related Use Cases:

  • Sub-use-case of Share Cyber Threat Information

Description: A tool consumes various event alerts and correlates them into an incident record. The correlated incident is converted to the VERIS framework, with a level of detail commensurate to the fidelity of the raw data. After initial conversion, the incident is assigned to a human analyst who adds further analysis. The final output for each incident is in a consumable, actionable format.

Example: A strategic planner receives a data set of multiple incidents and breaches. They split the data, apply filters and mutations, and combine the data to categorize applicable breaches and their attributes. Internal data sets may be combined or compared to additional shared, aggregated data sets. The historical study of threat actors, their motives, threat actions, assets targeted, the negative effects incurred, victim demographics, and discovery and timeline metrics in prior incidents is used for reporting and strategic planning of future cyber defenses. Incident data is reviewed on a recurring basis to look for trends and shifts in attacker tactics, techniques, and procedures.

Example: A retail organization analyzes its incident data set. It compares its company profile to the broader industry profile and identifies that, while attackers are selecting their victims opportunistically, they are strategically targeting web payment processing systems with the goal of stealing credit card numbers for financial gain.
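
The pipeline in the description, carried through the retail example above, as an added Python illustration (not tooling from this project): constructed sensor alerts are correlated into incident records, each incident is mapped onto a VERIS-style record only as far as the raw alerts support, and an aggregate profile is computed for comparison against an industry data set. The VERIS field names and enumeration values are used as recalled from the VERIS schema and should be checked against the official schema; the sensor names, alert signatures and addresses are invented.

```python
from collections import Counter

# Constructed alerts from hypothetical sensors (WAF, DLP, IDS); not real data.
ALERTS = [
    {"sensor": "waf", "host": "pay-web-01", "src": "198.51.100.7", "sig": "sql_injection", "ts": "2015-03-02T10:15:00Z"},
    {"sensor": "waf", "host": "pay-web-01", "src": "198.51.100.7", "sig": "sql_injection", "ts": "2015-03-02T10:16:00Z"},
    {"sensor": "dlp", "host": "pay-web-01", "src": "198.51.100.7", "sig": "card_numbers_outbound", "ts": "2015-03-02T10:40:00Z"},
    {"sensor": "ids", "host": "mail-01", "src": "203.0.113.9", "sig": "unknown_anomaly", "ts": "2015-03-04T08:00:00Z"},
]

def correlate(alerts):
    """Fold alerts that share a host and source address into one incident record."""
    incidents = {}
    for a in alerts:
        rec = incidents.setdefault((a["host"], a["src"]), {
            "host": a["host"], "src": a["src"], "first": a["ts"], "sigs": set(), "sensors": set()})
        rec["sigs"].add(a["sig"])
        rec["sensors"].add(a["sensor"])
    return list(incidents.values())

def to_veris(inc, victim_industry="44"):
    """Map a correlated incident onto a VERIS-style record, filling a field only when the raw alerts support it."""
    exfil = "card_numbers_outbound" in inc["sigs"]
    rec = {
        "incident_id": "constructed-" + inc["host"],
        "security_incident": "Confirmed" if exfil else "Suspected",
        "victim": {"industry": victim_industry},  # NAICS 44 = retail (assumed for the example)
        "actor": {"external": {"variety": ["Unknown"], "motive": ["Financial"] if exfil else ["Unknown"]}},
        "action": {},
        "asset": {"assets": [{"variety": "S - Web application" if "waf" in inc["sensors"] else "Unknown"}]},
        "attribute": {},
        "timeline": {"incident": {"year": int(inc["first"][:4]), "month": int(inc["first"][5:7])}},
    }
    if "sql_injection" in inc["sigs"]:
        rec["action"]["hacking"] = {"variety": ["SQLi"], "vector": ["Web application"]}
    if exfil:
        rec["attribute"]["confidentiality"] = {"data": [{"variety": "Payment"}], "data_disclosure": "Yes"}
    return rec

def profile(records):
    """Aggregate counts a strategic planner compares against the industry data set."""
    counts = Counter()
    for r in records:
        vectors = r["action"].get("hacking", {}).get("vector", [])
        data = [d["variety"] for d in r["attribute"].get("confidentiality", {}).get("data", [])]
        counts["web_app_hacking"] += "Web application" in vectors
        counts["payment_data_loss"] += "Payment" in data
        counts["confirmed"] += r["security_incident"] == "Confirmed"
    return dict(counts)
```

The low-fidelity IDS alert yields a record with an empty action and an "Unknown" asset, which is where the human analyst's follow-up analysis would fill in what the raw data could not.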

Stakeholders/Goals:

  • Data Providers: Group or organization that reports breach information
    • Goal: Collection of breach information and efficient conversion from raw data to a standardized format with minimal manual processes.
  • Security Analyst: Person(s) who receive individual breach reports and analyze the data
    • Goal: Receive data in a format that facilitates temporal, aggregate, and relational analysis using common statistical tools. The format should facilitate production of quality reporting and visualization.
  • Strategic Planner: Person(s) who consume the output of breach data analysis and incorporate it as a data point in the security decision-making process.
    • Goal: The format facilitates aggregate metrics that are useful in the decision-making process.
  • Data Sharing Community: Group of organizations that share incident data to identify trends in tactics, techniques, and procedures targeting their industry.
    • Goal: Community members provide and consume data from multiple sources to improve the overall incident data set.
    • Goal: Provide analysis on the overall incident set for community use.

Dependencies:

  1. Cyber Breach Analysis and Categorization

Main Success Scenario:

  1. Strategic planners use real-world breach data to improve the decision-making process.