The document discusses the need for organizations to have an incident response (IR) framework to adequately prepare for security incidents. It introduces the VERIS framework, which can help lay the foundation for an IR program by describing attacks. VERIS provides a common vocabulary for recording and sharing information about security incidents and helps organizations understand the variety of actions, actors, assets, and attributes involved in incidents to improve detection and response capabilities. The document advocates that understanding details about incidents through frameworks like VERIS is important because organizations cannot detect or respond to what they do not understand or know about attacks and attackers.

1. Cyber Readiness
with VERIS
Judy Nowak, GCIH, CISSP
Cyber Security Consultant, Scalar

2. About Me
Formerly
• Forensic investigator
• Forensic consultant
• Security analyst
Current
• Penetration tester (Risk Advisory Services)

3. Disclaimer:
Everything you learn here you do so at
your own risk.
My opinions are my own.

4. Incident or
Breach
Readiness
Incident or
Breach
Response
Proactive Reactive

5. To adequately prepare for security
incidents you need an IR framework
that can lay the foundation for your
IR program and describe attacks.
Agenda
Pave the structure
& describe attacks
(VERIS)
Complexity
Many components
Q&A

6. Part I: Background

7. IR Definition
Event Incident
Disaster
or Crisis
Symptom Illness Serious Medical
Emergency
Escalation of an incident
Incident Response: an organized approach to addressing and managing the
aftermath of a security breach or attack.
End goal: remediation.

8. How Does it all Fit Together?
8
Forensics
IT or Security
Events
IR

9. IT incidents != Security incidents
9
!=

10. IT Incidents vs Security Incidents
10
IT Incidents Security Incidents
Definition Reduction or disruption of a
service.
Reduction of security or safety
to data, networks, or persons.
Purpose Restore IT services. Not
malicious.
Resolution of an attack, often
malicious.
Scope IT services only. Entire organization: HR,
facilities, legal, partners, etc.
Skills IT technology. Offensive knowledge, forensic
knowledge, etc.

11. © 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 11
How Does Forensics Fit in? What is Forensic Science?
Physiological Sciences
(Body)
Forensic Criminalistics
(Crime)
Social Sciences
(Mental)
Digital Forensics
(Electronic)
Branches of
Forensic Sciences
Forensic pathology
Forensic biology
DNA profiling
Forensic chemistry
Ballistic fingerprinting
Body identification
Forensic Toxicology
Fingerprint analysis
Forensic accounting
Forensic psychology Forensic psychiatry
Computer forensics
Mobile forensics
Database forensics
Network forensics
Social media forensics
Cloud forensics
Forensic Malware Analysis
Forensic Data Analytics
Forensic Audio/Video
Forensics: applying science to law. End goal: prepare information for legislative requirements.

12. © 2016 Scalar Decisions Inc. Not for distribution outside of intended audience. 12
Main Areas of Forensics Today
eDiscovery or
Electronic Discovery
Corporate Investigations Cyber Forensics
Description Discovery in litigation.
Exchange of information in
legal format. Data is identified
as potentially relevant by
attorneys and placed on legal
hold.
Corporate investigations for
internal non-compliance.
Extracting and
processing information
that could serve as legal
evidence in the
investigation of breaches.
Examples Pyramid schemes,
bankruptcies, lawsuits,
Threats, harassment, theft,
inappropriate usage of
company property.
Large breaches, data
leakage, corporate
espionage.
Digital Forensics: applying IT to law. End goal: prepare information for legislative requirements.

13. Forensic Trigger Checklist
 Is it criminal or illegal?
 Does it potentially require litigation?
 Is it a legislative requirement?
13
Examples of forensic cases:
Child pornography
Fraud
Death threats
Harassment
Intellectual property theft
Leakage of personal information
Discrimination
Violation of privacy
Industrial espionage
Disputed dismissals
Breach of contract
Blackmail
Destruction of data
Identity theft

14. Where Does IR & Forensics Exactly Fit Into a Cyber Breach?
14
Forensics
Incident Response
Forensic documentation
Know legal obligations
Search authority
Collection of evidence Court preparation
IR plan, procedures
Retainers
Cyber insurance
IR drills
Understand attacks
IR tools
Understand crime or
wrongdoing
Use tools to eradicate Lessons learned

15. Adding to the Complexity – Many Different Skillsets Required
15
Investigation
DefenderAttacker
Forensics
IT teamsSimulation teams
Threat Intelligence Attackers & Motives Business Environment

16. Handling a Cyber Breach – IR Capability Levels
16
Lean
• IR plan
• Procedures
• Retainers
• Basic training
Medium Advanced
• IR plan
• Procedures
• Retainers
• Staff fully trained
• Red/blue team
• IR tools installed
• SIEM/SOC or
• managed services
• Regular compromise
assessment
• IR plan
• Procedures
• Retainers
• Moderate training
• IR drills/simulations
• Some IR tools:
• SIEM, advanced
malware detection
Note: omitting many other details

17. Another Perspective – ISACA Responding to Cyber Attacks
17

18. IR Readiness Components
18
IR planning/strategy
IR teams IR drills
IR retainers
Forensic retainersDocumentation
Crisis management retainers
Cyber insurance
NDA contracts
Procedures
Threat intelligence
Risk assessment
Training Remediation
IR tools
Legal obligations
PoliciesThreat Modelling

19. Part II: VERIS
19

20. IR Frameworks
20
1. NIST 800-61: Computer Security Incident Handling Guide - 2012
2. ISACA: Responding to Targeted Cyber attacks – 2013
3. RFC 2350: Expectations for Computer Security Incident Response - 1998
4. CERT: Handbook for Computer Security Incident Response Teams (CSIRTs) - 1998
5. ENISA: CSIRT Setting up Guide – 2006
6. ISO/IEC 27035:2011: Information Security Incident Management - 2011
SANS Top 20 Critical Security Controls
Strategies to mitigate cyber intrusions – Top 35
NIST Cybersecurity framework

21. VERIS – Vocabulary for Event Recording and Incident Sharing
Framework open for anyone to use:
http://veriscommunity.net/
21

22. So What is VERIS?
22
Action
(What)
Asset
(Which)
Attribute
(How)
Actor
(Who)
Risk

23. VERIS High-Level Overview
23

24. What Actions Where Taken?
24
Social tactics employ deception, manipulation, intimidation, to exploit the
human element, or users, of information assets.
Malicious software or code, script that alters state without consent.
All attempts to harm or access information assets.
Use of entrusted organizational resources or privileges for any purpose or
manner contrary to what was intended.
Physical actions encompass deliberate threats that involve proximity,
possession, or force.
Anything done (or left undone) incorrectly or inadvertently.
Natural events and hazards.
Social
Malware
Hacking
Misuse
Physical
Error
Environmental

25. VERIS – Variety Subcategories
25
Actor Actions Asset Attribute
Category External
Internal
Partner
Social
Malware
Hacking
Misuse
Physical
Environmental
People
Offline Data
User Devices
Networks
Servers
Confidentiality
Integrity
Availability
Variety
Subcategory
External: cyber
criminal, state actor,
hacktivist.
Internal: employee,
contractor
Partner: company A,
company B, etc
Social: phishing, scam, spam
Malware: Rootkit, ransomware,
etc
Hacking: SQL injection, XSS,
brute-force
Misuse: Knowledge abuse,
privilege abuse, data
mishandling
Physical: assault, theft,
sabotage
Environmental: flood, fire,
earthquake
People: client employee,
vendor, other.
Offline Data: tapes, flash drive,
hard-drive
User Devices: desktop,
notebook, mobile
Network: firewall, PBX, LAN,
WLAN, POS.
Servers: DNS, email, print,
web, remote access, etc.
Keep it simple.

26. Use your Classification as your Foundation for Procedures
26
Phishing, scams
Ransomeware, rootkits
Use of stolen credentials, use of backdoor, DoS, XSS
Email misuse, privilege abuse
Assault, tampering
Misconfiguration, unpatched systems
Floods, Fire
Social
Malware
Hacking
Misuse
Physical
Error
Environmental

27. How would you break into this house?
27

28. VERIS – Paths of Infection (Malware Attack Vector)
28

29. VERIS Example – Malware Vector
29
ACTION.MALWARE.VECTOR
 Direct install: Directly installed or inserted by threat agent (after system access)
 Download by malware: Downloaded and installed by local malware
 Email autoexecute: Email via automatic execution
 Email link: Email via embedded link
 Email attachment : Email via user-executed attachment
 Instant messaging: Instant Messaging
 Network propagation: Network propagation
 Remote injection: Remotely injected by agent; exploits vulnerability in software (i.e. via SQLi)
 Removable media: Removable storage media or devices
 Web drive-by: Web via auto-executed or “drive-by” infection
 Web download: Web via user-executed or downloaded content
 Unknown: Unknown
 Other: Other

30. Why Does Knowing Incident Details Matter?
30
We cannot detect to what we don’t know.
We cannot respond to what we cannot detect.
We need to understand attacks, attackers and
their motivations.

31. Summary
 Complexity & components
 The need for better detection
 The need for a framework with an emphasis on describing attackers,
attacks and their motivations.
 VERIS can help provide a foundation for describing attacks better.
31

32. Q&A