The Verizon Incident Sharing framework (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. It is the tool Verizon's IR team uses to collect the data presented in the Data Breach Investigations Reports. VERIS is now available to anyone wishing to collect and compare incident information for the purposes of better decision-making. The framework has 4 main sections: Demographics, Incident Classification, Discovery and Mitigation, and Impact Classification. The Incident Classification piece makes for a particularly interesting mind map (which is why we put it here). This section translates the incident narrative of "who did what to what (or whom) with what result" into a form more suitable for trending and analysis. To accomplish this, VERIS employs the A4 Threat Model developed by Verizon's Risk Intelligence team. In the A4 model, a threat scenario or actual security incident is viewed as a series of events that adversely affect the information assets of an organization. Every event is composed of the following elements (the 4 A's), which provide the top-level structure for the metrics in this section:

Agent: whose actions affected the asset
Action: what actions affected the asset
Asset: which assets were affected
Attribute: how the asset was affected

Describing the incident is a process of classifying all elements (and sub-elements) for all significant events. Hope you find the mind map interesting.
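To make the A4 model concrete, here is an added example (not part of the original post or of VERIS itself) that encodes an incident as an ordered chain of agent/action/asset/attribute events, validates each event against a small subset of the vocabulary from the mind map below, and rolls the chain up into tuples for trending. The action category names (Malware, Hacking, Social, ...) and the Confidentiality/Integrity/Availability attribute values are not printed on this page and are assumed here; the sample incident is constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Partial vocabulary transcribed from the mind map on this page, keyed by the VERIS
# action category each "Type" list belongs to (category names assumed, not on the page).
ACTION_TYPES = {
    "Malware": {"Keylogger / Spyware", "Send data to external site / entity"},
    "Hacking": {"Use of stolen login credentials", "SQL Injection"},
    "Social": {"Phishing (or any type of *ishing)", "Pretexting"},
    "Physical": {"Theft", "Tampering"},
    "Error": {"Misconfiguration", "Programming error"},
}
AGENTS = {"External", "Internal", "Partner"}  # VERIS agent categories (assumed)
ATTRIBUTES = {"Confidentiality", "Integrity", "Availability"}  # assumed attribute values

@dataclass(frozen=True)
class Event:
    """One A4 event: agent, action (category + type), asset, attribute."""
    agent: str
    action_category: str
    action_type: str
    asset: str
    attribute: str

    def validate(self) -> "Event":
        """Reject values outside the vocabulary so trending stays comparable."""
        if self.agent not in AGENTS:
            raise ValueError(f"unknown agent {self.agent!r}")
        if self.action_type not in ACTION_TYPES.get(self.action_category, ()):
            raise ValueError(f"{self.action_type!r} is not a {self.action_category} type")
        if self.attribute not in ATTRIBUTES:
            raise ValueError(f"unknown attribute {self.attribute!r}")
        return self

    def narrative(self) -> str:
        """Render the event as 'who did what to what with what result'."""
        return (f"{self.agent} agent used {self.action_category}/{self.action_type} "
                f"against {self.asset}, affecting {self.attribute}")

def summarize(incident: list) -> Counter:
    """Roll an ordered event chain up into A4 tuples suitable for trending."""
    return Counter((e.agent, e.action_category, e.asset, e.attribute) for e in incident)

# Constructed sample incident: phish -> keylogger -> stolen credentials -> exfiltration.
SAMPLE_INCIDENT = [Event(*a).validate() for a in [
    ("External", "Social", "Phishing (or any type of *ishing)", "Regular employee/end-user", "Integrity"),
    ("External", "Malware", "Keylogger / Spyware", "Desktop / Workstation", "Confidentiality"),
    ("External", "Hacking", "Use of stolen login credentials", "Database server", "Confidentiality"),
    ("External", "Malware", "Send data to external site / entity", "Database server", "Confidentiality"),
]]
```

Printing `e.narrative()` for each event in `SAMPLE_INCIDENT` gives the four-step story, while `summarize(SAMPLE_INCIDENT)` gives the counts you would aggregate across many incidents.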
Authentication server
Backup server
Chat/IM server
Data warehouse
Database server
DHCP server
Directory server
Distributed Control System
DNS server
Fax server
File server
FTP server
IDS/IPS server
Log server
Mail server
Mainframe
Media server
Middleware
Payment switch/gateway
POS server
Print server
Proxy server
Remote Access server
SCADA system
Software distribution server
Terminal services server
Web app/server
Private Branch Exchange (PBX)
Demarcation point/device
Wiring closet
LAN cabling/jack
Telephone network/line
Storage Area Network (SAN)
Wireless LAN
Private WAN link/line
Public WAN link/line
Mobile broadband network
Modem bank
Wireless Access Point
VoIP appliance
Router
Switch
Firewall
Hardware security module (HSM)
IDS/IPS sensor
Remote Terminal Unit (RTU)
Programmable Logic Controller (PLC)
Camera/video device
Physical security system
Desktop / Workstation
Laptop / Netbook / Tablet
Uncontrolled computer (non-corporate)
Media player / recorder
Mobile phone (includes smartphones/PDAs)
Uncontrolled computer
POS terminal
Self-service kiosk
Automated Teller Machine (ATM)
Pay at the Pump terminal
PIN entry device/Card reader (portable/detached)
Telephone
VoIP phone
Printer/copier/scanner/fax
Authentication token/device
Backup tapes
Disk media
Documents
Exported data (i.e., data taken and stored locally)
Flash drive/cards
Hard disk drive
Payment card
Smart card / chip card
Executive/Upper Management
Auditor
System/network administrator
Software developer
Maintenance staff
Janitorial staff
Security Staff
Human resources staff
Helpdesk staff
Finance/Accounting staff
Regular employee/end-user
Partner (B2B)
Customer (B2C)
Activist group
Another organization (not partner or competitor)
Auditor
Competitor
Customer (B2C)
External system(s) or site
Force majeure (nature & chance)
Former employee
Government
Maintenance/Construction crew
Organized criminal group
Relative or acquaintance or employee
Terrorist group
Unaffiliated person(s)
Auditor
Regular employee / end-user
Executive / Upper Management
Finance / Accounting staff
Helpdesk staff
Human resources staff
Internal system or site
System / network administrator
Janitorial staff
Maintenance staff
Security guard
Software developer
Auditor
Data Processing and Analysis
Data storage / archiving
Hardware vendor
Hosting provider
Information/Content provider
Janitorial services
Onsite IT management/support
Security guard services
Remote IT management/support
Shipping/logistics provider
Software as a Service provider
Software developer/vendor
Storage provider
Telecommunications provider
Type
  Adware
  Backdoor
  Brute-force or dictionary attack
  Capture data from an application / system process
  Capture data resident on system
  Keylogger / Spyware
  Packet sniffer
  RAM scraper
  Command and Control
  Destroy or corrupt data resident on system
  Dialer
  Disable or interfere with security controls
  DoS attack on other systems
  DoS attack on local system
  Encrypt or seize data resident on system
  Infect other systems via email propagation (email worm)
  Infect other systems via network propagation (nw worm)
  Infect removable media or devices
  Initiate client-side attack
  Download / install additional malware or updates
  Redirect to another site / address
  Scan or footprint network
  Send data to external site / entity
  Send spam
  System / network utilities (PsTools, Netcat)
Path
  Coded into existing program / script
  Email
  Installed by other malware
  Installed / injected by remote attacker
  Instant Messaging
  Network propagation
  P2P / File sharing
  Portable media and devices
  Web/Internet (auto-executed/"drive-by" infection)
  Web/Internet (user-executed or downloaded)
Type
  Authentication Attacks
    Brute Force and dictionary attacks
    Exploitation of default or guessable credentials
    Exploitation of insufficient authentication
    Use of stolen login credentials
  Authorization Attacks
    Credential / Session Prediction
    Cross-site Request Forgery
    Exploitation of insufficient authorization (weak or misconfigured access control)
    Session Fixation
    Session Replay
  Command Execution / Injection Attacks
    Buffer overflow
    Format String
    Integer Overflows
    LDAP Injection
    Mail Command Injection
    Null Byte Injection
    OS Commanding
    Remote File Inclusion
    Special Element Injection
    SQL Injection
    SSI Injection
    XML Injection
    XPath Injection
    XQuery Injection
  Abuse of Functionality Attacks
    Abuse of Functionality
    Cache Poisoning
  Resource Location Attacks
    Forced browsing (aka Predictable Resource Location)
    Path Traversal
  Denial of Service Attacks
    DoS at the application layer
    DoS at the network layer
    XML Attribute Blowup
    XML Entity Expansion
  Client-side Attacks
    Cross-site Scripting
    Man-in-the-middle Attack
    Routing Detour
  Encryption Attacks
    Cryptanalysis
    Encryption Brute Forcing
  Protocol Manipulation Attacks
    Cross Site Tracing
    HTTP Request Smuggling
    HTTP Request Splitting
    HTTP Response Smuggling
    HTTP Response Splitting
    XML External Entities
  Miscellaneous Attacks
    Exploitation of backdoor or command/control channel
    Footprinting and Fingerprinting
    Fuzz testing
    Reverse Engineering
    SOAP Array Abuse
Path
  Backdoor or control channel
  Network file / resource sharing service
  Physical access or connection
  Remote access and control services/software
  Web application
  Wireless network
Type
  Baiting (planting of physical bait)
  Solicitation / Bribery
  Propaganda / Disinformation
  Elicitation
  Extortion / Blackmail
  Hoax / Scam
  Phishing (or any type of *ishing)
  Pretexting
  Repudiation
  Spam
  Spoofing / Forgery
  Influence tactics
Path
  Customer (B2C)
  Documents
  Email
  In-person
  Instant messaging
  Partner (B2B)
  Peer to Peer network
  Phone
  Portable media
  SMS / Texting
  Social Networking site
  Software
  Web/Internet
Type
  Abuse of private knowledge
  Abuse of system access / privileges
  Embezzlement, skimming, and related fraud
  Handling of data in an unapproved format
  Handling of data on unapproved media / devices
  Storage/transfer of unapproved content
  Unapproved changes and workarounds
  Use of unapproved hardware/devices
  Use of unapproved software/services
  Violation of asset/data disposal policy
  Violation of data retention policy
  Violation of email/IM use policy
  Violation of web/Internet use policy
Type
  Arson
  Assault and Battery
  Local access (e.g., keyboard, network jack, etc.)
  Passive interception
  Sabotage
  Snooping
  Surveillance
  Tampering
  Theft
  Wiretapping
Path
  External location - Public area or building
  External location - Public vehicle
  External location - Hotel room
  External location - Private area or building
  External location - Private vehicle
  Victim location - Outdoor area
  Victim location - Disposal area
  Victim location - Indoor public/customer area
  Victim location - Indoor non-public area
  Victim location - Indoor high security area
Type
  Capacity overload
  Classification or labeling error
  Data entry error
  Disposal error
  Maintenance error (e.g., during hardware upgrade)
  Gaffe (inadvertent disclosure, "let something slip")
  General user error
  Loss or misplacement
  Misconfiguration
  Misaddress or misdelivery (e.g., mail sent to wrong recipient)
  Misinformation (accidentally giving false info)
  Omission (something overlooked or left undone)
  Physical accidents (e.g., backhoe through power cable)
  Programming error
  Publishing error (e.g., posting private info on public site)
  Technical / System malfunction
  Trips and spills
Path
  Insufficient technology resources
  Insufficient personnel resources
  Inadequate processes
  Lack of knowledge/skill
  Carelessness
  Random act
Type
  Infrastructure Hazards
    Electromagnetic interference (including RFI)
    Electrical/chemical fire
    Static electricity/ESD
    Power failures and fluctuations
    Water leaks and discharges
  Natural Hazards
    Deterioration and degradation
    Dust and dirt
    Earthquake
    Extreme temperatures
    Fire
    Flood
    Hazardous materials
    Humidity
    Hurricane
    Landslide
    Lightning
    Meteorites and asteroids
    Pathogen
    Snow and Ice
    Tornado
    Tsunamis
    Volcanic eruption
    Vermin
    Wind