whbaker edited this page May 1, 2015 · 9 revisions

VERIS is made up of sub-sections for capturing metadata about a security incident and free form text fields for capturing information that doesn't fit well in the other fields. The VERIS framework consists of high-level fields from the A4 Model (an Actor takes an Action against an Asset's Attributes). Additionally, the framework collects information about the victim organization, the timeline of the event, impact, discovery, and incident tracking. VERIS also includes a free-for-all section where organizations can add variables that they want to collect that are not included in the framework.

Actor

View the main article on the [actor](Threat Actors) fields.

Entities that cause or contribute to an incident are referred to as threat actors. There can be more than one actor involved in any particular incident, and their actions can be malicious or non-malicious, intentional or unintentional, causal or contributory. VERIS recognizes three primary categories of threat actors: External, Internal, and Partner. VERIS also has an Unknown actor for cases where the analyst is not able to determine a more appropriate choice.

Action

View the main article on the [action](Threat Actions) fields.

Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident has at least one, but most will comprise multiple actions (and often across multiple categories). VERIS uses 7 primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental.

Asset

View the main article on the asset fields.

Assets are the organization's resources that were affected by the security incident and can include technology, personally-owned devices, paper records, or even people. “Affected” refers to any loss of confidentiality/possession, integrity/authenticity, or availability/utility (the primary security attributes). Naturally, an incident can involve multiple assets and affect multiple attributes of those assets.

Attribute

View the main article on the attribute fields.

Attributes are the qualities, characteristics, and properties of the previously-identified assets that were compromised during the incident. VERIS uses a paired version of the six primary security attributes: confidentiality/possession, integrity/authenticity, and availability/utility. An extension of the “C-I-A Triad,” they are commonly called the “Parkerian Hexad,” after their originator, Donn Parker. Multiple attributes can be affected for any one asset, and each attribute contains different metrics.

Incident Tracking

View the main article on the [incident tracking](incident tracking) fields.

This section captures general information about the incident. The main purpose is to allow organizations to identify, store, and retrieve incidents over time.

Victim Demographics

View the main article on the victim fields.

The Victim Demographics section describes (but does not identify) the organization affected by the incident. The primary purpose is to aid comparisons between different types of organizations (across industries, sizes, regions, etc.) or departments within a single organization. While any number of organizational characteristics could be tracked, those listed below provide an adequate basis for interesting and useful comparisons.

Organizations using VERIS to track incidents internally may (depending on circumstances) want to pre-populate some or all of the demographic variables rather than prompting the user for them upon each submission.

Discovery & Response

View the main article on the response fields.

This section focuses on the timeline of the events, how the incident was discovered, and lessons learned during the response and remediation process. It provides useful insight into the detection and defensive capabilities of the organization and helps identify corrective actions needed to detect and/or prevent similar incidents in the future.

Impact Assessment

View the main article on the impact fields.

One of the more important pieces of information about an incident is the impact it has on the organization. Unfortunately, the true scope and extent of consequences can be difficult to measure since a wide array of tangible and intangible costs can be involved. With this in mind, VERIS leverages three perspectives of impact in order to provide an understanding and measure of consequence associated with the incident. Together they seek to 1) categorize the varieties of losses experienced, 2) estimate their magnitude, and 3) capture a qualitative assessment of the overall effect on the organization.

Plus

View the main article on the plus fields.

Organizations may wish to record additional details about a security incident that are not included in the VERIS framework, or fields that they would not want to share with other organizations. The plus section of the VERIS framework is a catch-all where organizations can put whatever they want without fear of invalidating an incident.
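
The category rules from the Actor, Action, Attribute, and Plus sections above can be checked mechanically before an incident is stored. The following is an added example, not code from the VERIS project; the section and category key names are assumed to be the lowercased names used on this page, and both sample records are constructed.

```python
# Added example (not VERIS project code). Section and category key names are
# assumed to be the lowercased names used on this page.
A4_CATEGORIES = {
    "actor": {"external", "internal", "partner", "unknown"},
    "action": {"malware", "hacking", "social", "misuse",
               "physical", "error", "environmental"},
    "attribute": {"confidentiality", "integrity", "availability"},
}


def check_incident(record):
    """Return a list of problems found in the A4 sections of one record."""
    problems = []
    for section, allowed in A4_CATEGORIES.items():
        present = set(record.get(section, {}))
        extra = sorted(present - allowed)
        if extra:
            problems.append(f"{section}: unrecognized category {extra}")
        # Per the page, every incident has at least one action.
        if section == "action" and not present & allowed:
            problems.append("action: at least one category is required")
    # The "plus" section is never inspected, so it cannot invalidate a record.
    return problems


def a4_summary(record):
    """Sorted category names per A4 section, for comparing incidents."""
    return {s: sorted(set(record.get(s, {})) & allowed)
            for s, allowed in A4_CATEGORIES.items()}


# Constructed sample records.
GOOD = {
    "actor": {"external": {}},
    "action": {"social": {}, "malware": {}},
    "asset": {},
    "attribute": {"confidentiality": {}, "integrity": {}},
    "plus": {"ticket": "HELPDESK-0000", "anything": ["goes", "here"]},
}
BAD = {
    "actor": {"insider": {}},   # not one of the four actor categories
    "action": {},               # no action recorded
    "plus": {"free_text": 42},
}

if __name__ == "__main__":
    print(check_incident(GOOD), a4_summary(GOOD))
    print(check_incident(BAD))
```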
