The document discusses the need for organizations to have an incident response (IR) framework to adequately prepare for security incidents. It introduces the VERIS framework, which can help lay the foundation for an IR program by describing attacks. VERIS provides a common vocabulary for recording and sharing information about security incidents and helps organizations understand the variety of actions, actors, assets, and attributes involved in incidents to improve detection and response capabilities. The document advocates that understanding details about incidents through frameworks like VERIS is important because organizations cannot detect or respond to what they do not understand or know about attacks and attackers.
5. To adequately prepare for security incidents you need an IR framework that can lay the foundation for your IR program and describe attacks.
Agenda
• Pave the structure & describe attacks (VERIS)
• Complexity
• Many components
• Q&A
7. IR Definition
Escalation of an incident: Event → Incident → Disaster or Crisis (by analogy: Symptom → Illness → Serious Medical Emergency).
Incident Response: an organized approach to addressing and managing the aftermath of a security breach or attack.
End goal: remediation.
8. How Does it all Fit Together?
Components of the picture: IT or Security Events → IR → Forensics.
10. IT Incidents vs Security Incidents
Definition: IT incident = reduction or disruption of a service; security incident = reduction of security or safety to data, networks, or persons.
Purpose: IT incident = restore IT services (not malicious); security incident = resolution of an attack, often malicious.
Scope: IT incident = IT services only; security incident = entire organization: HR, facilities, legal, partners, etc.
Skills: IT incident = IT technology; security incident = offensive knowledge, forensic knowledge, etc.
13. Forensic Trigger Checklist
Is it criminal or illegal?
Does it potentially require litigation?
Is it a legislative requirement?
Examples of forensic cases:
Child pornography
Fraud
Death threats
Harassment
Intellectual property theft
Leakage of personal information
Discrimination
Violation of privacy
Industrial espionage
Disputed dismissals
Breach of contract
Blackmail
Destruction of data
Identity theft
14. Where Does IR & Forensics Exactly Fit Into a Cyber Breach?
Forensics: forensic documentation, know legal obligations, search authority, collection of evidence, court preparation, understand crime or wrongdoing.
Incident Response: IR plan and procedures, retainers, cyber insurance, IR drills, understand attacks, IR tools, use tools to eradicate, lessons learned.
15. Adding to the Complexity – Many Different Skillsets Required
Investigation, Defender, Attacker, Forensics, IT teams, Simulation teams, Threat Intelligence, Attackers & Motives, Business Environment.
16. Handling a Cyber Breach – IR Capability Levels
Lean:
• IR plan
• Procedures
• Retainers
• Basic training
Medium:
• IR plan
• Procedures
• Retainers
• Moderate training
• IR drills/simulations
• Some IR tools: SIEM, advanced malware detection
Advanced:
• IR plan
• Procedures
• Retainers
• Staff fully trained
• Red/blue team
• IR tools installed
• SIEM/SOC or managed services
• Regular compromise assessment
Note: omitting many other details
18. IR Readiness Components
IR planning/strategy, IR teams, IR drills, IR retainers, forensic retainers, documentation, crisis management retainers, cyber insurance, NDA contracts, procedures, threat intelligence, risk assessment, training, remediation, IR tools, legal obligations, policies, threat modelling.
24. What Actions Were Taken?
Social: social tactics employ deception, manipulation, or intimidation to exploit the human element, or users, of information assets.
Malware: malicious software, code, or script that alters state without consent.
Hacking: all attempts to harm or access information assets.
Misuse: use of entrusted organizational resources or privileges for any purpose or manner contrary to what was intended.
Physical: physical actions encompass deliberate threats that involve proximity, possession, or force.
Error: anything done (or left undone) incorrectly or inadvertently.
Environmental: natural events and hazards.
25. VERIS – Variety Subcategories
Actor
  Category: External, Internal, Partner
  Variety/subcategory: External: cyber criminal, state actor, hacktivist. Internal: employee, contractor. Partner: company A, company B, etc.
Actions
  Category: Social, Malware, Hacking, Misuse, Physical, Environmental
  Variety/subcategory: Social: phishing, scam, spam. Malware: rootkit, ransomware, etc. Hacking: SQL injection, XSS, brute-force. Misuse: knowledge abuse, privilege abuse, data mishandling. Physical: assault, theft, sabotage. Environmental: flood, fire, earthquake.
Asset
  Category: People, Offline Data, User Devices, Networks, Servers
  Variety/subcategory: People: client employee, vendor, other. Offline Data: tapes, flash drive, hard-drive. User Devices: desktop, notebook, mobile. Network: firewall, PBX, LAN, WLAN, POS. Servers: DNS, email, print, web, remote access, etc.
Attribute
  Category: Confidentiality, Integrity, Availability
Keep it simple.
26. Use your Classification as your Foundation for Procedures
Social: phishing, scams
Malware: ransomware, rootkits
Hacking: use of stolen credentials, use of backdoor, DoS, XSS
Misuse: email misuse, privilege abuse
Physical: assault, tampering
Error: misconfiguration, unpatched systems
Environmental: floods, fire
28. VERIS – Paths of Infection (Malware Attack Vector)
29. VERIS Example – Malware Vector
ACTION.MALWARE.VECTOR
Direct install: Directly installed or inserted by threat agent (after system access)
Download by malware: Downloaded and installed by local malware
Email autoexecute: Email via automatic execution
Email link: Email via embedded link
Email attachment: Email via user-executed attachment
Instant messaging: Instant Messaging
Network propagation: Network propagation
Remote injection: Remotely injected by agent; exploits vulnerability in software (e.g. via SQLi)
Removable media: Removable storage media or devices
Web drive-by: Web via auto-executed or “drive-by” infection
Web download: Web via user-executed or downloaded content
Unknown: Unknown
Other: Other
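The classification slide (26) and the vector list above only help procedures if every recorded incident actually uses them. The added example below (not from the slides or from the VERIS project) validates incident records against the enumerations this deck shows and tallies malware vectors across valid records, so recurring paths of infection can drive detection priorities; the nested-dict record layout is an assumption modelled on the ACTION.MALWARE.VECTOR path, not the official VERIS JSON schema.

```python
# Added example: VERIS-style record validation using only the enumerations shown
# in this deck. The record layout (actor / action / asset / attribute as nested
# dicts) is an assumption, not the official VERIS JSON schema.
from collections import Counter

ACTORS = {"External", "Internal", "Partner"}
ACTIONS = {"Social", "Malware", "Hacking", "Misuse", "Physical", "Error", "Environmental"}
ASSETS = {"People", "Offline Data", "User Devices", "Networks", "Servers"}
ATTRIBUTES = {"Confidentiality", "Integrity", "Availability"}
MALWARE_VECTORS = {
    "Direct install", "Download by malware", "Email autoexecute", "Email link", "Email attachment",
    "Instant messaging", "Network propagation", "Remote injection", "Removable media",
    "Web drive-by", "Web download", "Unknown", "Other",
}

def validate(record):
    """Return a list of problems; an empty list means the record is A4-complete."""
    problems = []
    if record.get("actor") not in ACTORS:
        problems.append(f"actor {record.get('actor')!r} is not an enumerated actor category")
    actions = record.get("action", {})
    if not actions or not set(actions) <= ACTIONS:
        problems.append("action must be a non-empty subset of the action categories")
    # Every Malware action must say how the malware arrived (the slide's vector list).
    if "Malware" in actions and actions["Malware"].get("vector") not in MALWARE_VECTORS:
        problems.append("action.malware.vector is missing or not an enumerated value")
    if not record.get("asset") or not set(record["asset"]) <= ASSETS:
        problems.append("asset must be a non-empty subset of the asset categories")
    if not record.get("attribute") or not set(record["attribute"]) <= ATTRIBUTES:
        problems.append("attribute must name at least one of Confidentiality/Integrity/Availability")
    return problems

def vector_tally(records):
    """Count malware vectors over valid records only; recurring vectors show where to invest first."""
    counts = Counter()
    for r in records:
        if not validate(r) and "Malware" in r["action"]:
            counts[r["action"]["Malware"]["vector"]] += 1
    return counts

INCIDENTS = [  # constructed sample records, not real incident data; the last one is deliberately invalid
    {"actor": "External", "action": {"Social": {"variety": "phishing"}, "Malware": {"vector": "Email attachment"}},
     "asset": ["User Devices"], "attribute": ["Integrity"]},
    {"actor": "External", "action": {"Malware": {"vector": "Email link"}}, "asset": ["User Devices", "Servers"],
     "attribute": ["Confidentiality", "Integrity"]},
    {"actor": "Internal", "action": {"Misuse": {"variety": "privilege abuse"}}, "asset": ["Servers"],
     "attribute": ["Confidentiality"]},
    {"actor": "Vendor", "action": {"Malware": {"vector": "USB"}}, "asset": ["User Devices"],
     "attribute": ["Availability"]},
]
```

Running `vector_tally(INCIDENTS)` counts only the two valid malware records; the fourth record is rejected for both its actor and its vector, which is exactly the kind of free-text drift a shared vocabulary is meant to stop.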
30. Why Does Knowing Incident Details Matter?
We cannot detect what we don’t know.
We cannot respond to what we cannot detect.
We need to understand attacks, attackers and their motivations.
31. Summary
Complexity & components
The need for better detection
The need for a framework with an emphasis on describing attackers, attacks and their motivations.
VERIS can help provide a foundation for describing attacks better.