whbaker edited this page May 1, 2015 · 25 revisions

This wiki supplements the main VERIS JSON schema by providing additional guidance to users and developers.

Over the years, there have been many initiatives to amass and share security incident data, but widespread participation and success have been elusive. While there are quite a few reasons for this, at least part of the problem is the lack of a commonly accepted taxonomy. Such efforts are either paralyzed due to equivocality around what to measure or lose traction when data that are collected offer little value because they are based upon incompatible or inadequate systems of classification.

The Vocabulary for Event Recording and Incident Sharing (VERIS) was designed specifically with this in mind. VERIS is a common language for describing security incidents in a structured and repeatable manner. It is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others. The overall goal is to lay a foundation from which we can constructively and cooperatively learn from our experiences to better measure and manage risk.

The data points defined within VERIS don't represent everything one might collect regarding a security incident. Instead, VERIS attempts to strike a balance between usefulness and completeness. If something is interesting from a research standpoint but does not directly provide security management with actionable information, it is likely not included. In certain sections, we identify additional metrics that, while not formally included, might be of interest should users desire to collect them. Done properly, VERIS can create not only a view of what happened in a specific incident, but allow the incident to be viewed in context with a broader body of knowledge.


VERIS can be organized into five major sections, each designed to capture a different aspect of the incident narrative. When viewed in aggregate, they give the business a tangible idea of cause and severity. The five sections are:

  • Incident Tracking
  • Victim Demographics
  • Incident Description
  • Discovery & Response
  • Impact Assessment

For each variable included in the schema, a repeating set of information is given here including suggested text questions, user and developer notes, why we think it's important, etc. VERIS also includes a free-for-all section where organizations can add variables that they want to collect that are not included in the framework.

Incident Tracking

View the main article on the [incident tracking](incident tracking) fields.

This section captures general information about the incident. The main purpose is to allow organizations to identify, store, and retrieve incidents over time.

Victim Demographics

View the main article on the victim fields.

The Victim Demographics section describes (but does not identify) the organization affected by the incident. The primary purpose is to aid comparisons between different types of organizations (across industries, sizes, regions, etc.) or between departments within a single organization. While any number of organizational characteristics could be tracked, those listed below provide an adequate basis for interesting and useful comparisons.

Actor

View the main article on the [actor](Threat Actors) fields.

Entities that cause or contribute to an incident are referred to as threat actors. There can be more than one actor involved in any particular incident, and their actions can be malicious or non-malicious, intentional or unintentional, causal or contributory. VERIS recognizes three primary categories of threat actors: External, Internal, and Partner. VERIS also has an Unknown actor for cases where the analyst is not able to determine a more appropriate choice.

Action

View the main article on the [action](Threat Actions) fields.

Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident has at least one action, but most will comprise multiple actions (often across multiple categories). VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental.

Asset

View the main article on the asset fields.

Assets are the organization's resources that were affected by the security incident; they can include technology, personally-owned devices, paper records, or even people. "Affected" refers to any loss of confidentiality/possession, integrity/authenticity, or availability/utility (the primary security attributes). Naturally, an incident can involve multiple assets and affect multiple attributes of those assets.

Attribute

View the main article on the attribute fields.

Attributes are the qualities, characteristics, and properties of the previously identified assets that were compromised during the incident. VERIS uses the six primary security attributes arranged as three pairs: confidentiality/possession, integrity/authenticity, and availability/utility. An extension of the "C-I-A Triad," they are commonly called the "Parkerian Hexad," after their originator, Donn Parker. Multiple attributes can be affected for any one asset, and each attribute contains different metrics.

Discovery & Response

View the main article on the response fields.

This section focuses on the timeline of the events, how the incident was discovered, and lessons learned during the response and remediation process. It provides useful insight into the detection and defensive capabilities of the organization and helps identify the corrective actions needed to detect and/or prevent similar incidents in the future.

Impact Assessment

View the main article on the impact fields.

One of the more important pieces of information about an incident is the impact it has on the organization. Unfortunately, the true scope and extent of the consequences can be difficult to measure, since a wide array of tangible and intangible costs can be involved. With this in mind, VERIS uses three perspectives of impact in order to provide an understanding and measure of the consequences associated with the incident. Together they seek to 1) categorize the varieties of losses experienced, 2) estimate their magnitude, and 3) capture a qualitative assessment of the overall effect on the organization.

Plus

View the main article on the plus fields.

Organizations may wish to record additional details about a security incident that are not included in the VERIS framework, or fields that they would not want to share with other organizations. The plus section of the VERIS framework is a catch-all where organizations can put whatever they want without fear of invalidating an incident.
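To show how the sections described above fit together, here is an added example (not part of this wiki or the VERIS schema itself): a constructed, simplified incident record and a checker for the structural rules this page states, namely that every incident has at least one action from the seven action categories, that actors come from External/Internal/Partner/Unknown, that attributes are the three Parkerian pairs, and that the plus section is unconstrained. The key names and nesting are assumptions chosen for illustration, not the real VERIS JSON field names.

```python
"""Constructed, simplified VERIS-style incident record and a structural
checker for the rules this page states. Not the real VERIS JSON schema:
the nesting and key names are assumptions chosen for illustration."""

ACTOR_CATEGORIES = {"external", "internal", "partner", "unknown"}
ACTION_CATEGORIES = {"malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental"}
# The Parkerian Hexad, stored as the three pairs VERIS uses for attributes.
ATTRIBUTE_PAIRS = {"confidentiality/possession", "integrity/authenticity",
                   "availability/utility"}
SECTIONS = ("incident_tracking", "victim", "actor", "action",
            "asset", "attribute", "discovery_response", "impact", "plus")

# Constructed sample: a phishing-led credential theft, recorded with the
# page's actor/action/asset/attribute grouping plus a free-form 'plus'.
SAMPLE_INCIDENT = {
    "incident_tracking": {"incident_id": "EXAMPLE-0001"},
    "victim": {"industry": "Finance", "employees": "1001 to 10000"},
    "actor": {"external": {"motive": "financial"}},
    "action": {"social": {"variety": "phishing"},
               "hacking": {"variety": "use of stolen credentials"}},
    "asset": [{"variety": "user device"}, {"variety": "web application"}],
    "attribute": {"confidentiality/possession": {"data": "credentials"}},
    "discovery_response": {"discovery_method": "user reported"},
    "impact": {"overall_rating": "moderate"},
    "plus": {"internal_ticket": "HD-4242", "anything": ["goes", "here"]},
}


def check_incident(incident: dict) -> list:
    """Return the list of rule violations (an empty list means it passes)."""
    problems = []
    for section in SECTIONS:
        if section not in incident:
            problems.append(f"missing section: {section}")
    actors = set(incident.get("actor", {}))
    if not actors:
        problems.append("at least one actor (or 'unknown') is required")
    problems += [f"unknown actor category: {a}" for a in actors - ACTOR_CATEGORIES]
    actions = set(incident.get("action", {}))
    if not actions:  # the page: every incident has at least one action
        problems.append("at least one action is required")
    problems += [f"unknown action category: {a}" for a in actions - ACTION_CATEGORIES]
    attrs = set(incident.get("attribute", {}))
    problems += [f"unknown attribute: {a}" for a in attrs - ATTRIBUTE_PAIRS]
    # 'plus' is deliberately left unchecked: it is the catch-all for local fields.
    return problems
```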
