Improve Security With VERIS Framework

When a security event is investigated, a narrative naturally emerges from the process. The investigator will typically try to answer the question, “Who did what to what (or whom) with what result?” That question presents a good core set of data points to collect. Therefore, as a starting point, you’ll want to focus on those four points—“Who (threat actor) did what (action) to what or whom (asset) with what result (attribute)?”. By understanding that informations, You can Improve Security With VERIS Framework. VERIS (Verizon Enterprise Risk and Incident Sharing) originally was created by the Verizon Business.it was used by their team in order to gathering the Report about the data breach investigation each year.

But that’s not all you may be interested in; you may also want to know how you discovered and responded to the incident and if possible the impact you experienced as a result. Finally, you’ll have some housekeeping items (an identifier, summary, workflow status, and so on) and if you aggregate breaches or share the information, you’ll want to record some victim demographics. When investigating, Veris Framework gather sections of data, such as

1. Incident Tracking, Metadata about the incident for management and tracking purposes
2. Threat Actor, One or more people who cause or contribute to an incident
3. Threat Actions, What the threat actor(s) did or used to cause or contribute to the incident
4. Information Assets, Information assets that were compromised or affected during the incident
5. Attributes, What happened to the asset during the incident
6. Discovery / Response, Timeline, discovery method, and lessons learned
7. Impact, What was the overall effect of the incident to the organization
8. Victim, Demographic information like industry and organizational size
9. Indicators, Optional indicators of compromise such as IP addresses, malware hashes, and so on
10. Plus, Optional section for extending VERIS

Although it’s tempting to dig into the data (and you will), it’s important to understand the significance of these fields so you don’t misapply them.

Seeing How VERIS Works

It’s always helpful to take some time before jumping into the analysis to look directly at the data. It helps set the context and may help shape your approach to the analysis. Since the average incident is about 100 lines of JSON, we don’t include the whole incident. Please take some time to surf around the VCDB repository and look at the data there for full records. As a good example, Listing below shows the actor and what is his/her action from an incident from VCDB.

"actor": { "external": { "country": [ "SY" ], "motive": [ "Ideology" ], "variety": [ "State-affiliated" ] } }, "action": { "hacking": { "variety": [ "Use of stolen creds" ], "vector": [ "Web application" ] }, "social": { "target": [ "End-user" ], "variety": [ "Phishing" ], "vector": [ "Email" ] } }

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

"actor": { "external": { "country": [ "SY" ], "motive": [ "Ideology" ], "variety": [ "State-affiliated" ] } }, "action": { "hacking": { "variety": [ "Use of stolen creds" ], "vector": [ "Web application" ] }, "social": { "target": [ "End-user" ], "variety": [ "Phishing" ], "vector": [ "Email" ] } }

If you have never seen JSON before, this is what it looks like. Rarely if ever would you want to edit the JSON by hand. It’s not that JSON is terribly difficult, but it is terribly easy to mistype something. You could forget a comma or quote or something would prevent the data from loading properly. If you do attempt to create or modify a JSON file by hand, be sure you have a way to check your work, validate the JSON, and if possible, validate the values and factors within the data.