Table Of Contents

  • VOCABULARY FOR EVENT RECORDING AND INCIDENT SHARING (VERIS)
    • GENERAL
    • ACTOR
    • ACTION
    • ASSET
    • ATTRIBUTE
    • COURSE OF ACTION
  • KILL CHAIN MAPPING
    • GATHER DATA FOR MAPPING KILL CHAIN
  • PRIORITIZED DEFENDED ASSET LIST (PDAL)
    • GATHER DATA AND PRIORITIZE ASSETS TO DEFEND

VOCABULARY FOR EVENT RECORDING AND INCIDENT SHARING (VERIS)

GENERAL

  • incident_id
    • [BLANK]
  • security_incident
    • Confirmed, Suspected, False positive, Near miss, No
  • confidence
    • High, Medium, Low, None
  • victim.employee_count
    • [BLANK]
  • timeline.unit
    • Unknown, NA, Seconds, Minutes, Hours, Days, Weeks, Months, Years, Never
  • impact.overall_rating
    • Unknown, Insignificant, Distracting, Painful, Damaging, Catastrophic
  • impact.loss.variety
    • Asset and fraud, Brand damage, Business disruption, Operating costs, Legal and regulatory, Competitive advantage, Response and recovery
  • impact.loss.rating
    • Unknown, Major, Moderate, Minor, None
  • discovery_method
    • Unknown, Ext - actor disclosure, Ext - fraud detection, Ext - monitoring service, Ext - customer, Ext - unrelated party, Ext - audit, Ext - unknown, Int - antivirus, Int - incident response, Int - financial audit, Int - fraud detection, Int - HIDS, Int - IT audit, Int - log review, Int - NIDS, Ext - law enforcement, Int - security alarm, Int - reported by user, Int - unknown, Other
  • targeted
    • Unknown, Opportunistic, Targeted, NA
  • cost_corrective_action
    • Unknown, Simple and cheap, Difficult and expensive, Something in-between
  • country
    • Unknown, Two Letter, Other
  • iso_currency_code
    • AED, AFN, ALL, AMD, ANG, AOA, ARS, AUD, AWG, AZN, BAM, BBD, BDT, BGN, BHD, BIF, BMD, BND, BOB, BRL, BSD, BTN, BWP, BYR, BZD, CAD, CDF, CHF, CLP, CNY, COP, CRC, CUC, CUP, CVE, CZK, DJF, DKK, DOP, DZD, EGP, ERN, ETB, EUR, FJD, FKP, GBP, GEL, GGP, GHS, GIP, GMD, GNF, GTQ, GYD, HKD, HNL, HRK, HTG, HUF, IDR, ILS, IMP, INR, IQD, IRR, ISK, JEP, JMD, JOD, JPY, KES, KGS, KHR, KMF, KPW, KRW, KWD, KYD, KZT, LAK, LBP, LKR, LRD, LSL, LTL, LVL, LYD, MAD, MDL, MGA, MKD, MMK, MNT, MOP, MRO, MUR, MVR, MWK, MXN, MYR, MZN, NAD, NGN, NIO, NOK, NPR, NZD, OMR, PAB, PEN, PGK, PHP, PKR, PLN, PYG, QAR, RON, RSD, RUB, RWF, SAR, SBD, SCR, SDG, SEK, SGD, SHP, SLL, SOS, SPL, SRD, STD, SVC, SYP, SZL, THB, TJS, TMT, TND, TOP, TRY, TTD, TVD, TWD, TZS, UAH, UGX, USD, UYU, UZS, VEF, VND, VUV, WST, XAF, XCD, XDR, XOF, XPF, YER, ZAR, ZMK, ZWD

ACTOR

  • actor.x.motive
    • Unknown, NA, Espionage, Fear, Financial, Fun, Grudge, Ideology, Convenience, Other
  • actor.external.variety
    • Unknown, Activist, Auditor, Competitor, Customer, Force majeure, Former employee, Nation-state, Organized crime, Acquaintance, State-affiliated, Terrorist, Unaffiliated, Other
  • actor.internal.variety
    • Unknown, Auditor, Call center, Cashier, End-user, Executive, Finance, Helpdesk, Human resources, Maintenance, Manager, Guard, Developer, System admin, Other

ACTION

  • action.malware.variety
    • Unknown, Adware, Backdoor, Brute force, Capture app data, Capture stored data, Client-side attack, Click fraud, C2, Destroy data, Disable controls, DoS, Downloader, Exploit vuln, Export data, Packet sniffer, Password dumper, Ram scraper, Ransomware, Rootkit, Scan network, Spam, Spyware/Keylogger, SQL injection, Adminware, Worm, Other
  • action.malware.vector
    • Unknown, Direct install, Download by malware, Email autoexecute, Email link, Email attachment, Instant messaging, Network propagation, Remote injection, Removable media, Web drive-by, Web download, Other
  • action.hacking.variety
    • Unknown, Abuse of functionality, Brute force, Buffer overflow, Cache poisoning, Session prediction, CSRF, XSS, Cryptanalysis, DoS, Footprinting, Forced browsing, Format string attack, Fuzz testing, HTTP request smuggling, HTTP request splitting, HTTP response smuggling, HTTP Response Splitting, Integer overflows, LDAP injection, Mail command injection, MitM, Null byte injection, Offline cracking, OS commanding, Path traversal, RFI, Reverse engineering, Routing detour, Session fixation, Session replay, Soap array abuse, Special element injection, SQLi, SSI injection, URL redirector abuse, Use of backdoor or C2, Use of stolen creds, XML attribute blowup, XML entity expansion, XML external entities, XML injection, XPath injection, XQuery injection, Virtual machine escape, Other
  • action.hacking.vector
    • Unknown, 3rd party desktop, Backdoor or C2, Desktop sharing, Physical access, Command shell, Partner, VPN, Web application, Other
  • action.social.variety
    • Unknown, Baiting, Bribery, Elicitation, Extortion, Forgery, Influence, Scam, Phishing, Pretexting, Propaganda, Spam, Other
  • action.social.vector
    • Unknown, Documents, Email, In-person, IM, Phone, Removable media, SMS, Social media, Software, Website, Other
  • action.social.target
    • Unknown, Auditor, Call center, Cashier, Customer, End-user, Executive, Finance, Former employee, Helpdesk, Human resources, Maintenance, Manager, Partner, Guard, Developer, System admin, Other
  • action.misuse.variety
    • Unknown, Knowledge abuse, Privilege abuse, Embezzlement, Data mishandling, Email misuse, Net misuse, Illicit content, Unapproved workaround, Unapproved hardware, Unapproved software, Other
  • action.misuse.vector
    • Unknown, Physical access, LAN access, Remote access, Non-corporate, Other
  • action.physical.variety
    • Unknown, Assault, Sabotage, Snooping, Surveillance, Tampering, Theft, Wiretapping, Connection, Other
  • action.physical.location
    • Unknown, Partner facility, Partner vehicle, Personal residence, Personal vehicle, Public facility, Public vehicle, Victim secure area, Victim work area, Victim public area, Victim grounds, Other
  • action.physical.vector
    • Unknown, Privileged access, Visitor privileges, Bypassed controls, Disabled controls, Uncontrolled location, Other
  • action.error.variety
    • Unknown, Classification error, Data entry error, Disposal error, Gaffe, Loss, Maintenance error, Misconfiguration, Misdelivery, Misinformation, Omission, Physical accidents, Capacity shortage, Programming error, Publishing error, Malfunction, Other
  • action.error.vector
    • Unknown, Random error, Carelessness, Inadequate personnel, Inadequate processes, Inadequate technology, Other
  • action.environmental.variety
    • Unknown, Deterioration, Earthquake, EMI, ESD, Temperature, Fire, Flood, Hazmat, Humidity, Hurricane, Ice, Landslide, Lightning, Meteorite, Particulates, Pathogen, Power failure, Tornado, Tsunami, Vermin, Volcano, Leak, Wind, Other

ASSET

  • asset.variety
    • Unknown, S - Authentication, S - Backup, S - Database, S - DHCP, S - Directory, S - DCS, S - DNS, S - File, S - Log, S - Mail, S - Mainframe, S - Payment switch, S - POS controller, S - Print, S - Proxy, S - Remote access, S - SCADA, S - Web application, S - Code repository, S - VM host, S - Other, N - Access reader, N - Camera, N - Firewall, N - HSM, N - IDS, N - Broadband, N - PBX, N - Private WAN, N - PLC, N - Public WAN, N - RTU, N - Router or switch, N - SAN, N - Telephone, N - VoIP adapter, N - LAN, N - WLAN, N - Other, U - Auth token, U - Desktop, U - Laptop, U - Media, U - Mobile phone, U - Peripheral, U - POS terminal, U - Tablet, U - Telephone, U - VoIP phone, U - Other, T - ATM, T - PED pad, T - Gas terminal, T - Kiosk, T - Other, M - Tapes, M - Disk media, M - Documents, M - Flash drive, M - Disk drive, M - Smart card, M - Payment card, M - Other, P - System admin, P - Auditor, P - Call center, P - Cashier, P - Customer, P - Developer, P - End-user, P - Executive, P - Finance, P - Former employee, P - Guard, P - Helpdesk, P - Human resources, P - Maintenance, P - Manager, P - Partner, P - Other
  • asset.accessibility
    • Unknown, External, Internal, Isolated, NA
  • asset.ownership
    • Unknown, Victim, Employee, Partner, Customer, NA
  • asset.management
    • Unknown, Internal, External, NA
  • asset.hosting
    • Unknown, Internal, External shared, External dedicated, External, NA
  • asset.cloud
    • Unknown, Hypervisor, Partner application, Hosting governance, Customer attack, Hosting

ATTRIBUTE

  • attribute.confidentiality.data_disclosure
    • Unknown, Yes, Potentially, No
  • attribute.confidentiality.data.variety
    • Unknown, Credentials, Bank, Classified, Copyrighted, Medical, Payment, Personal, Internal, System, Secrets, Other
  • attribute.confidentiality.state
    • Unknown, Stored, Stored encrypted, Stored unencrypted, Transmitted, Transmitted encrypted, Transmitted unencrypted, Processed
  • attribute.integrity.variety
    • Unknown, Created account, Hardware tampering, Alter behavior, Fraudulent transaction, Log tampering, Misappropriation, Misrepresentation, Modify configuration, Modify privileges, Modify data, Software installation, Other
  • attribute.availability.variety
    • Unknown, Destruction, Loss, Interruption, Degradation, Acceleration, Obscuration, Other

COURSE OF ACTION

  • Structured Threat Information eXpression (STIX™) (Adapted)
  • Ref. https://stixproject.github.io
  • coa.type
    • Blocking, Redirecting, Hardening, Patching, Rebuilding, Monitoring, Other
  • coa.impact
    • Insignificant, Distracting, Painful, Damaging, Catastrophic, Unknown
  • coa.efficacy
    • Not Effective, Somewhat Effective, Mostly Effective, Completely Effective, NA
  • coa.stage
    • Prepare, Remedy, Response, Recovered
  • coa.hosting
    • Unknown, Internal, External shared, External dedicated, External, NA
  • coa.objective
    • Detect, Deny, Disrupt, Degrade, Deceive, Destroy

KILL CHAIN MAPPING

GATHER DATA FOR MAPPING KILL CHAIN

  • Active Reconnaissance
    • Identified evidence, artifact, info, or intel | [BLANK]
    • Course of Action | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
  • Weaponization and Customization
    • Identified evidence, artifact, info, or intel | [BLANK]
    • Course of Action | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
  • Delivery
    • Identified evidence, artifact, info, or intel | [BLANK]
    • Course of Action | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
  • Exploitation
    • Identified evidence, artifact, info, or intel | [BLANK]
    • Course of Action | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
  • Installation
    • Identified evidence, artifact, info, or intel | [BLANK]
    • Course of Action | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
  • Command & Control (C2)
    • Identified evidence, artifact, info, or intel | [BLANK]
    • Course of Action | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
  • Action on Objectives
    • Identified evidence, artifact, info, or intel | [BLANK]
    • Course of Action | Detect, Deny, Disrupt, Degrade, Deceive, Destroy

GATHER DATA AND PRIORITIZE ASSETS TO DEFEND

  • Asset: [BLANK]
    • Location: [BLANK]
    • Description: [BLANK]
    • Purpose: [BLANK]
    • Time Prioritized: [BLANK]
    • Criticality: [BLANK]
    • Vulnerability: [BLANK]
    • Recoverability: [BLANK]
    • Ranking: [BLANK]
    • Priority: I
  • Asset: [BLANK]
    • Location: [BLANK]
    • Description: [BLANK]
    • Purpose: [BLANK]
    • Time Prioritized: [BLANK]
    • Criticality: [BLANK]
    • Vulnerability: [BLANK]
    • Recoverability: [BLANK]
    • Ranking: [BLANK]
    • Priority: II
  • Asset: [BLANK]
    • Location: [BLANK]
    • Description: [BLANK]
    • Purpose: [BLANK]
    • Time Prioritized: [BLANK]
    • Criticality: [BLANK]
    • Vulnerability: [BLANK]
    • Recoverability: [BLANK]
    • Ranking: [BLANK]
    • Priority: III