This framework ain't big enough for the both of us.
Published: Jul 21, 2017
Author: Marc Spitler
We have modeled many, many cases into the VERIS framework and early on in our own adoption we realized that a seemingly simple question isn't always so simple. One such question is "Who is THE victim?". There are several common cases in which the complete event chain would encompass devices owned and/or managed by several different participants in a B2C or B2B relationship. While it is in our nature to want to provide a beginning-to-end explanation of all the steps and details in an incident, to do so in a single record can actually be a disservice. A simple example would be an organization (let's just say a dental office) that is infected with malware designed to capture user input, specifically banking credentials. Those credentials are then used to access a banking application and ultimately wire 51,201 USD from the company account to Romania. From a modeling standpoint this is a bit tricky. The entire point of VERIS and incident data collection is to derive a list of controls that can reduce the risk of similar incidents having the same effect in the future. It would be incorrect to align a control of two-factor authentication to medical offices based on this incident as the web application is under the management of the bank. It would be equally wrong to recommend malware defenses (based only on this incident) to the banking organization as they did not experience a malware infection. If we identify two victims it becomes infeasible to associate the specific threat Actions and Assets with the correct victim. So for each VERIS record there can only be one primary victim. For organizations who are using VERIS to track their own incidents it's not difficult, you model from your standpoint as the victim. For researchers, we will split the incident up into 2 individual, but linked, entries in our database. This allows the proper focus on malware prevention/detection for Victim A and multi-factor authentication as a control for Victim B. 
Going back to organizations using VERIS to track their own incidents: first, congrats! Second, you don't necessarily have to exclude the second part of the incident either. By utilizing the asset.ownership enumeration you can include partner or customer assets in the event chain. The Hacking Action includes "Partner connection or credential" as a possible vector as well. This allows the full story to be told and can help identify a need to better vet potential business partners or review existing third-party agreements. Use the framework in a manner that collects the information you need and makes sense. The VERIS framework is like a strike zone: it can be interpreted differently, which is OK to a certain extent as long as you call it consistently.
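The two-record split from the first paragraph and the single-record, own-standpoint variant from this paragraph, written out as VERIS-style JSON in Python. This is an added illustration, not code from the blog or from the VERIS project: field names follow the public VERIS schema as I understand it (action, asset, attribute, impact, victim), but the `related_incidents` linking, the NAICS codes, the incident identifiers and the control mapping are assumptions constructed for this example.

```python
"""Constructed VERIS-style records for the dental-office / bank example.

Shows why one record gets one primary victim: controls are derived from the
Actions recorded against THAT victim, so mixing both victims into a single
record would recommend malware defenses to a bank and MFA to a dentist.
"""
import copy

# Assumed linking value shared by the two records (not a real VERIS id).
LINK_ID = "EXAMPLE-CAMPAIGN-0001"

# Victim A: the dental office. Malware captured banking credentials.
VICTIM_A = {
    "incident_id": "EXAMPLE-A",  # constructed
    "victim": {"victim_id": "Dental office (constructed)",
               "industry": "621210"},  # assumed NAICS: offices of dentists
    "actor": {"external": {"variety": ["Organized crime"], "country": ["RO"]}},
    "action": {"malware": {"variety": ["Spyware/Keylogger", "Capture stored data"],
                           "vector": ["Unknown"]}},
    "asset": {"assets": [{"variety": "U - Desktop"}], "ownership": "Victim"},
    "attribute": {"confidentiality": {"data": [{"variety": "Credentials"}]}},
    # The debited account belongs to the dental office, so the loss sits here.
    "impact": {"iso_currency_code": "USD",
               "loss": [{"variety": "Asset and fraud", "amount": 51201}]},
    "related_incidents": [LINK_ID],  # assumed field used only to tie A to B
}

# Victim B: the bank. Stolen credentials were used against its web application.
VICTIM_B = {
    "incident_id": "EXAMPLE-B",  # constructed
    "victim": {"victim_id": "Bank (constructed)",
               "industry": "522110"},  # assumed NAICS: commercial banking
    "actor": {"external": {"variety": ["Organized crime"], "country": ["RO"]}},
    "action": {"hacking": {"variety": ["Use of stolen creds"],
                           "vector": ["Web application"]}},
    "asset": {"assets": [{"variety": "S - Web application"}], "ownership": "Victim"},
    "attribute": {"integrity": {"variety": ["Fraudulent transaction"]}},
    "related_incidents": [LINK_ID],
}

# Example-only mapping from Action category to the control the post discusses.
CONTROL_MAP = {
    "malware": "Malware prevention/detection on endpoints",
    "hacking": "Multi-factor authentication on the web application",
}


def single_primary_victim(record):
    """True when the record names exactly one victim object (the VERIS rule)."""
    victim = record.get("victim")
    return isinstance(victim, dict) and bool(victim.get("victim_id"))


def recommend_controls(record):
    """Derive controls only from the Actions recorded against this record's victim."""
    return [CONTROL_MAP[a] for a in sorted(record["action"]) if a in CONTROL_MAP]


def linked(rec_a, rec_b):
    """Two records belong to the same incident chain if they share a link id."""
    return bool(set(rec_a.get("related_incidents", ())) &
                set(rec_b.get("related_incidents", ())))


def dental_office_self_report():
    """One record told entirely from the dental office's standpoint.

    The bank's application stays in the event chain via asset.ownership =
    "Partner" and the "Partner connection or credential" hacking vector, so the
    office can see it depends on a third party for the second half of the story.
    (How asset.ownership is applied to a mixed chain is an assumption here.)
    """
    rec = copy.deepcopy(VICTIM_A)
    rec["incident_id"] = "EXAMPLE-A-FULL"  # constructed
    rec["action"]["hacking"] = {"variety": ["Use of stolen creds"],
                                "vector": ["Partner connection or credential"]}
    rec["asset"]["assets"].append({"variety": "S - Web application"})
    rec["asset"]["ownership"] = "Partner"
    rec["attribute"]["integrity"] = {"variety": ["Fraudulent transaction"]}
    rec.pop("related_incidents")  # a single record needs no link
    return rec


if __name__ == "__main__":
    for rec in (VICTIM_A, VICTIM_B, dental_office_self_report()):
        print(rec["incident_id"], "->", recommend_controls(rec))
```

Run as a script it prints the controls each record yields; the research split gives each organization only the control it can actually act on, while the self-report variant lists both because the dental office, as the sole victim of its own record, owns the full event chain.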