Threat Actions

Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident involves at least one action, and most involve several, often spanning multiple categories. VERIS uses 7 primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental.

Malware

Malware is any malicious software, script, or code run on a device that alters its state or function without the owner’s informed consent. Examples include viruses, worms, spyware, keyloggers, backdoors, etc.

Variety

Question Text: What varieties or functions of malware were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.malware.variety (string)

Purpose: In the short term, variety is necessary to adequately describe the incident and its ramifications. In the long term, it gives insight into the evolving nature of malware and how criminals use it.

Developer notes: N/A

Miscellaneous: N/A

Vector

Question Text: What were the vectors or paths of infection?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.malware.vector (string)

Purpose: Understanding how malware was introduced into the network or system is essential to assessing control weaknesses/vulnerabilities and identifying mitigation strategies.

Developer notes: N/A

Miscellaneous: N/A

Vulnerabilities

Question Text: Enter any CVEs exploited by this malware.

User notes: If it was a zero day with no CVE, note that and provide any details you can.

Question type: text field

Variable name: action.malware.cve (string)

Purpose: Identifying the specific vulnerability exploited is useful on many levels. It enables one to determine the percentage of malware that exploits vulnerabilities, and which vulnerabilities are exploited. The vulnerability ID also allows for useful secondary metrics like how long the vulnerability was publicly known, whether a patch existed (and for how long), etc.

Developer notes: N/A

Miscellaneous: N/A

Common Name

Question Text: Common name or strain:

User notes: E.g., name given by AV vendor.

Question type: text field

Variable name: action.malware.name (string)

Purpose: Collecting (and hopefully sharing) attributes like these can aid more effective detection and response.

Developer notes: N/A

Miscellaneous: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about malware in this incident.

User notes: Hashes and other IOCs can be supplied in a later section.

Question type: text field

Variable name: action.malware.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A

Hacking

Hacking is defined within VERIS as all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms. Includes brute force, SQL injection, cryptanalysis, denial of service attacks, etc.

VERIS classification note: There is an action category for Hacking and for Misuse. Both can utilize similar vectors and achieve similar results; in Misuse, the actor was granted access/privileges (and used them inappropriately), whereas with Hacking, access/privileges are obtained illegitimately.

Variety

Question Text: What varieties or methods of hacking were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.hacking.variety (string)

Purpose: The specific variety involved is essential to adequately describing the incident, assessing control weaknesses/vulnerabilities, and identifying mitigation strategies.

Developer notes: The list of hacking varieties is quite long. You may wish to organize them into categories (e.g., “Authentication Attacks”) to aid users. The categories themselves should not be selectable.

Miscellaneous: VERIS uses WASC's Threat Classification as a baseline for this list; descriptions of these attacks can be found there. We have considered incorporating or allowing other attack classifications (e.g., CAPEC), and would appreciate feedback from the community on this.

Vector

Question Text: What was the vector or path of attack?

User notes: This refers to intermediate assets or services exploited rather than the terminal point or target asset of the attack.

Question type: enumerated list (multi-select)

Variable name: action.hacking.vector (string)

Purpose: The vector of attack supplements information regarding the type selected above. In some cases, the same type of action conducted through different vectors requires very different defenses.

Developer notes: N/A

Miscellaneous: While certainly not exhaustive, we have found this simple list to be useful in the majority of cases and specific enough for the intended purpose. An alternative might be to use a path/vector aligned with layers in the OSI model. This enumerated list could certainly be broadened and improved by the community.

Vulnerabilities

Question Text: Enter any CVEs exploited through hacking.

User notes: If it was a zero day with no CVE, note that and provide any details you can.

Question type: text field

Variable name: action.hacking.cve (string)

Purpose: Identifying the specific vulnerability exploited is useful on many levels. It enables one to determine the percentage of attacks that exploit vulnerabilities and which ones are exploited. The CVE also allows for useful secondary metrics like how long the vulnerability was publicly known, whether a patch existed (and for how long), etc.

Developer notes: N/A

Miscellaneous: N/A
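The secondary metrics named in the Purpose of this field and of action.malware.cve above (how long the vulnerability was publicly known, whether a patch existed and for how long, what share of actions exploit a vulnerability at all) can be derived directly from the free-text value. The following is an added example, not VERIS project code: it extracts CVE identifiers from the text field, records whether the analyst noted a zero day, and computes the metrics against a vulnerability catalog. The catalog, the CVE-2099-* identifiers and the dates are constructed placeholders rather than real NVD data, and the incident date is supplied as an ISO-8601 string.

```python
"""Secondary metrics from a VERIS action.*.cve text field (added example)."""
import re
from datetime import date

# A CVE id is CVE-<4-digit year>-<4 or more digits>; analysts often type it in lower case.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# The user notes ask for a zero day with no CVE to be recorded in the same field.
ZERO_DAY_RE = re.compile(r"\b(?:zero[- ]?day|0[- ]?day)\b", re.IGNORECASE)

# Constructed catalog: CVE id -> (public disclosure date, patch release date or None).
# CVE-2099-* ids and these dates are placeholders, not real vulnerability data.
CATALOG = {
    "CVE-2099-0001": (date(2024, 1, 10), date(2024, 1, 12)),
    "CVE-2099-0002": (date(2024, 3, 1), None),  # disclosed, no patch yet
}


def extract_cves(field):
    """Return the distinct CVE ids in a cve text field, upper-cased, in first-seen order."""
    seen = []
    for match in CVE_RE.findall(field or ""):
        cid = match.upper()
        if cid not in seen:
            seen.append(cid)
    return seen


def cve_metrics(field, incident_date, catalog=CATALOG):
    """Per-CVE exposure metrics for one action's cve field.

    incident_date is an ISO string (e.g. "2024-04-01") or a datetime.date.
    A negative days_public_before_incident means the CVE was exploited before
    public disclosure, i.e. the incident predates the catalog's disclosure date.
    """
    if isinstance(incident_date, str):
        incident_date = date.fromisoformat(incident_date)
    report = {
        "zero_day_noted": bool(ZERO_DAY_RE.search(field or "")),
        "cves": {},
    }
    for cid in extract_cves(field):
        if cid not in catalog:
            report["cves"][cid] = {"in_catalog": False}
            continue
        published, patched = catalog[cid]
        days_public = (incident_date - published).days
        patch_out = patched is not None and patched <= incident_date
        report["cves"][cid] = {
            "in_catalog": True,
            "days_public_before_incident": days_public,
            "exploited_before_disclosure": days_public < 0,
            "patch_available": patch_out,
            "days_patch_available": (incident_date - patched).days if patch_out else 0,
        }
    return report


def share_exploiting_vulns(cve_fields):
    """Fraction of actions whose cve field names a CVE or records a zero day."""
    if not cve_fields:
        return 0.0
    hits = sum(1 for f in cve_fields if extract_cves(f) or ZERO_DAY_RE.search(f or ""))
    return hits / len(cve_fields)


if __name__ == "__main__":
    # Constructed field value in the shape an analyst would enter it.
    field = "Exploited CVE-2099-0001 and cve-2099-0002; the second was a zero day."
    for cid, metrics in cve_metrics(field, "2024-04-01")["cves"].items():
        print(cid, metrics)
    print("share exploiting a vuln:", share_exploiting_vulns([field, "", None]))
```

The patch metric is computed relative to the incident date, not today, so an action recorded long after the fact still reflects what a defender could have known at the time.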

Notes

Question Text: Enter any additional details you deem noteworthy about hacking in this incident.

User notes: For example, the variety and peak bandwidth would be useful to record for a DoS attack.

Question type: text field

Variable name: action.hacking.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A

Social

Social tactics employ deception, manipulation, intimidation, etc., to exploit the human element (the users) of information assets. Includes pretexting, phishing, blackmail, threats, scams, etc.

Variety

Question Text: What varieties of social tactics were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.social.variety (string)

Purpose: The specific variety involved is essential to adequately describing the incident, assessing control weaknesses/vulnerabilities, and identifying mitigation strategies.

Developer notes: N/A

Miscellaneous: N/A

Vector

Question Text: What vectors or communication channels were used?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.social.vector (string)

Purpose: Because the same social tactic can be conducted through different vectors (e.g., pretexting over the phone or in person), recording the vector helps to establish policies and procedures and to educate employees to recognize and resist social tactics.

Developer notes: N/A

Miscellaneous: N/A

Target

Question Text: Who was the target of these social tactics?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.social.target (string)

Purpose: Knowing who is targeted helps to focus policies and procedures and better educate appropriate employees to recognize and resist social attacks.

Developer notes: N/A

Miscellaneous: Technically speaking, the human targets of a social attack should be represented as an Asset (People category) in the A4 model. We ask specifically for it here because many forget to include them in the assets section. Please indulge us and pardon the redundancy.

Notes

Question Text: Enter any additional details you deem noteworthy about social tactics in this incident.

User notes: For instance, provide a bit more context for a particularly clever social engineering ploy. Also, if they misrepresented their identity, who did they purport to be?

Question type: text field

Variable name: action.social.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A

Misuse

Misuse is defined as the use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended. Includes administrative abuse, use policy violations, use of non-approved assets, etc. These actions can be malicious or non-malicious in nature. Misuse is exclusive to parties that enjoy a degree of trust from the organization, such as insiders and partners.

VERIS classification note: There is an action category for Hacking and for Misuse. Both can utilize similar vectors and achieve similar results; in Misuse, the actor was granted access/privileges (and used them inappropriately), whereas with Hacking, access/privileges are obtained illegitimately.

Variety

Question Text: What varieties of misuse were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.misuse.variety (string)

Purpose: The specific variety involved is essential to adequately describing the incident, assessing control weaknesses/vulnerabilities, and identifying mitigation strategies.

Developer notes: N/A

Miscellaneous: N/A

Vector

Question Text: What vectors or access methods were misused?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.misuse.vector (string)

Purpose: Identifying the vector helps to further establish policies and procedures to deter, prevent, and detect misuse.

Developer notes: N/A

Miscellaneous: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about misuse in this incident.

User notes: For instance, strange behaviors that precipitated the actions described above.

Question type: text field

Variable name: action.misuse.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A

Physical

Physical actions encompass deliberate threats that involve proximity, possession, or force. Includes theft, tampering, snooping, sabotage, local device access, assault, etc.

VERIS classification note: Natural hazards and power failures are often classified under physical threats. We include such events in the Environmental category and restrict the Physical category to intentional actions perpetrated by a human actor. This is done for several reasons, including the assessment of threat frequency and the alignment of controls.

Variety

Question Text: What varieties of physical attacks were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.physical.variety (string)

Purpose: The specific variety involved is essential to adequately describing the incident, assessing control weaknesses/vulnerabilities, and identifying mitigation strategies.

Developer notes: N/A

Miscellaneous: N/A

Vector

Question Text: How was access gained to the location(s)?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.physical.vector (string)

Purpose: The way in which physical access was obtained has a direct bearing on which controls can effectively prevent it.

Developer notes: N/A

Miscellaneous: N/A

Location

Question Text: Where did these physical attacks occur?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.physical.location (string)

Purpose: Further informs mitigation strategies. Depending on the location, whole groups of controls may not apply (e.g., biometric access to corporate facilities does not protect a laptop left in a car).

Developer notes: N/A

Miscellaneous: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about physical attacks in this incident.

User notes: N/A

Question type: text field

Variable name: action.physical.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A

Error

Error broadly encompasses anything done (or left undone) incorrectly or inadvertently. Includes omissions, misconfigurations, programming errors, trips and spills, malfunctions, etc. It does NOT include something done (or left undone) intentionally or by default that later proves to be unwise or inadequate.

Variety

Question Text: What varieties of errors were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.error.variety (string)

Purpose: The specific variety involved is essential to adequately describing the incident, assessing control weaknesses/vulnerabilities, and identifying mitigation strategies.

Developer notes: N/A

Miscellaneous: N/A

Vector

Question Text: Why did these errors occur?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.error.vector (string)

Purpose: Helps establish policies and procedures and educate employees on how errors can be avoided.

Developer notes: N/A

Miscellaneous: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about errors in this incident.

User notes: N/A

Question type: text field

Variable name: action.error.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A

Environmental

The Environmental category not only includes natural events such as earthquakes and floods, but also hazards associated with the immediate environment or infrastructure in which assets are located. The latter encompasses power failures, electrical interference, pipe leaks, and atmospheric conditions.

Variety

Question Text: What varieties of environmental events were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: action.environmental.variety (string)

Purpose: Helps establish strategies to avoid or recover from environmental events.

Developer notes: N/A

Miscellaneous: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about environmental events in this incident.

User notes: N/A

Question type: text field

Variable name: action.environmental.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A
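The classification rules stated through this section can be checked mechanically on a VERIS JSON record: every incident records at least one action; variety, vector, target and location are multi-select fields; Misuse is exclusive to parties the organization trusts (the Hacking/Misuse note); Physical is restricted to intentional actions by a human actor, with natural hazards and power failures belonging under Environmental; and the human targets of a Social action should also appear as People assets (the Social target note). The following is an added example, not VERIS project code. The field names per category are the ones defined on this page; the actor categories (internal, partner, external), the "P - " prefix of People asset varieties and the enumeration values in the sample record are assumed from the public VERIS schema, which this page does not list; the incident itself is constructed.

```python
"""Consistency checks for the action block of a VERIS incident (added example)."""

# Fields this page defines for each of the 7 action categories.
ACTION_FIELDS = {
    "malware": {"variety", "vector", "cve", "name", "notes"},
    "hacking": {"variety", "vector", "cve", "notes"},
    "social": {"variety", "vector", "target", "notes"},
    "misuse": {"variety", "vector", "notes"},
    "physical": {"variety", "vector", "location", "notes"},
    "error": {"variety", "vector", "notes"},
    "environmental": {"variety", "notes"},
}
# "enumerated list (multi-select)" fields; everything else is a text field.
MULTI_SELECT = {"variety", "vector", "target", "location"}
# Actor categories that enjoy a degree of trust (assumed from the VERIS schema).
TRUSTED_ACTORS = {"internal", "partner"}


def validate_actions(incident):
    """Return a list of problems; an empty list means the action block is consistent."""
    problems = []
    action = incident.get("action") or {}
    actor = incident.get("actor") or {}

    if not action:
        problems.append("no threat action recorded; every incident has at least one")

    for category, fields in action.items():
        allowed = ACTION_FIELDS.get(category)
        if allowed is None:
            problems.append(f"action.{category}: not one of the 7 VERIS action categories")
            continue
        if not isinstance(fields, dict):
            problems.append(f"action.{category}: must be an object of fields")
            continue
        for name, value in fields.items():
            if name not in allowed:
                problems.append(f"action.{category}.{name}: field not defined for this category")
            elif name in MULTI_SELECT and not (isinstance(value, list) and value):
                problems.append(f"action.{category}.{name}: multi-select field must be a non-empty list")
            elif name not in MULTI_SELECT and not isinstance(value, str):
                problems.append(f"action.{category}.{name}: text field must be a string")

    # Misuse requires an actor who was granted the access; otherwise it is Hacking.
    if "misuse" in action and not (TRUSTED_ACTORS & set(actor)):
        problems.append("action.misuse present but no internal or partner actor; "
                        "access obtained illegitimately is Hacking, not Misuse")

    # Physical is restricted to intentional human action; hazards go under Environmental.
    if "physical" in action and not actor:
        problems.append("action.physical present but no actor recorded; natural hazards "
                        "and power failures belong under action.environmental")

    # Social targets should also be recorded as People assets in the A4 model.
    assets = (incident.get("asset") or {}).get("assets", [])
    people_assets = {a.get("variety", "") for a in assets if a.get("variety", "").startswith("P - ")}
    targets = (action.get("social") or {}).get("target", [])
    for target in targets if isinstance(targets, list) else []:
        if target not in ("Other", "Unknown") and f"P - {target}" not in people_assets:
            problems.append(f"action.social.target '{target}' has no matching "
                            f"'P - {target}' entry in asset.assets")
    return problems


# Constructed incident: phishing email carrying a backdoor, then stolen credentials
# used against a web application. Enumeration values assumed from the VERIS schema.
SAMPLE_INCIDENT = {
    "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
    "action": {
        "social": {"variety": ["Phishing"], "vector": ["Email"], "target": ["Finance"],
                   "notes": "Sender purported to be the CFO."},
        "malware": {"variety": ["Backdoor", "C2"], "vector": ["Email attachment"],
                    "cve": "", "name": "constructed-sample"},
        "hacking": {"variety": ["Use of stolen creds"], "vector": ["Web application"]},
    },
    "asset": {"assets": [{"variety": "P - Finance"}, {"variety": "U - Desktop"},
                         {"variety": "S - Web application"}]},
}

if __name__ == "__main__":
    print("sample:", validate_actions(SAMPLE_INCIDENT) or "consistent")
    misfiled = {"actor": {"external": {}},
                "action": {"misuse": {"variety": ["Privilege abuse"], "vector": ["LAN access"]}}}
    for problem in validate_actions(misfiled):
        print("misfiled:", problem)
```

The checks are deliberately conservative: a Social target of Other or Unknown is not required to have a People asset, and an empty cve string is accepted because the field is a free-text catch-all rather than an enumeration.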