Threat Actors

Entities that cause or contribute to an incident are referred to as threat actors.

There can be more than one actor involved in any particular incident, and their actions can be malicious or non-malicious, intentional or unintentional, causal or contributory. VERIS recognizes three primary categories of threat actors - External, Internal, and Partner.

VERIS classification note: If the actor’s role in the breach is limited to a contributory error, the actor would not be included here. For example, if an insider’s unintentional misconfiguration of an application left it vulnerable to attack, the insider would not be considered a threat actor if the application were successfully breached by another actor. An insider who deliberately steals data or whose inappropriate behavior (e.g., policy violations) facilitated the breach would be considered a threat actor in the breach.

External Actors

External threats originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees, and government entities. The category also includes God (as in “acts of”), “Mother Nature,” and random chance. Typically, no trust or privilege is implied for external entities.

Motive

Question Text: What motives drove the external actor(s) to act?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: actor.external.motive (string)

Purpose: Motive is a key component of understanding and defending against intelligent threat actors.

Developer notes: While this is common to all categories of actors, it is inherited and associated with each. In other words, if an incident involves both an external actor and an internal actor, different motives may be assigned for each.

Miscellaneous: Two threat action categories (Error and Environmental) will not have a motive associated with them. Not Applicable (NA) is the correct selection.

Variety

Question Text: What varieties of external actors were involved?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: actor.external.variety (string)

Purpose: Identifying the specific variety helps assess the resources, capabilities, and tendencies of the actor.

Developer notes: N/A

Miscellaneous: If the actor is a former employee, then make sure to select the External variety of “Former employee” instead of an insider. If the former employee uses their still-active account, that falls under Misuse.

Origin (country)

Question Text: What are the geographic origins of the external actor(s)?

User notes: Reserve this for the actual countries from which the actor is operating, rather than basing it solely on IP geolocation.

Question type: enumerated list (multi-select)

Variable name: actor.external.country (string)

Purpose: Identifies the geographic origin of the actor, which is useful on multiple investigatory, operational, and strategic levels.

Developer notes: VERIS uses the ISO 3166 codes for the country variable, which can be found here: http://www.iso.org/iso/country_codes.htm. We recommend creating a list in the interface rather than requiring users to enter the correct code.

Miscellaneous: Reserving this for the actor's origin and collecting IPs separately allows the best of both worlds. We can track both the origin (and national ties) of threat actors and the location of the assets they use for malicious purposes.

Notes

Question Text: Enter any additional details you deem noteworthy about the external actor(s).

User notes: Names or affiliations of threat groups involved would be particularly useful to record here.

Question type: text field

Variable name: actor.external.notes (string)

Purpose: Catch-alls are handy

Developer notes: While this is common to all categories of actors, it is inherited and associated with each. In other words, if an incident involves both an external actor and an internal actor, different notes may be recorded for each.

Miscellaneous: Names or affiliations of threat actors or groups involved would be particularly useful to record here.

Internal Actors

Internal threats are those originating from within the organization. This encompasses company full-time employees, independent contractors, interns, and other staff. Insiders are trusted and privileged (some more than others).

Motive

Question Text: What motives drove the internal actor(s) to act?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: actor.internal.motive (string)

Purpose: Motive is a key component of understanding and defending against intelligent threat actors.

Developer notes: While this is common to all categories of actors, it is inherited and associated with each. In other words, if an incident involves both an external actor and an internal actor, different motives may be assigned for each.

Miscellaneous: Two threat action categories (Error and Environmental) will not have a motive associated with them. Not Applicable (NA) is the correct selection.

Variety

Question Text: What varieties of internal actors were involved?

User notes: If the employee resigned or was let go before the incident, select “former employee” under External actors instead.

Question type: enumerated list (multi-select)

Variable name: actor.internal.variety (string)

Purpose: Identifying the specific variety helps assess the resources, capabilities, and tendencies of the actor.

Developer notes: N/A

Notes

Question Text: Enter any additional details you deem noteworthy about the internal actor(s).

User notes: Odd behaviors exhibited by the insider prior to or during the incident would be particularly useful to record here. Relevant job/role changes (e.g., fired) would be as well.

Question type: text field

Variable name: actor.internal.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Partner Actors

Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.

Motive

Question Text: What motives drove the partner(s) to act?

User notes: N/A

Question type: enumerated list (multi-select)

Variable name: actor.partner.motive (string)

Purpose: Motive is a key component of understanding and defending against intelligent threat actors.

Developer notes: While this is common to all categories of actors, it is inherited and associated with each. In other words, if an incident involves both an external actor and an internal actor, different motives may be assigned for each.

Miscellaneous: Two threat action categories (Error and Environmental) will not have a motive associated with them. Not Applicable (NA) is the correct selection.

Industry

Question Text: Which industry best describes the services provided by the partner(s)?

User notes: If multiple, choose the option most closely associated with the partner services involved in the incident. VERIS uses standard NAICS codes for this list of industries. If you would like to enter a more specific code (e.g., full 6 digits), select the “other” option, and enter the desired code. NAICS provides descriptions at http://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012.

Question type: text field or enumerated list (single-select)

Variable name: actor.partner.industry (string)

Purpose: Identifying the partner's industry (or the services provided) helps to assess and manage risk in dealing with 3rd parties.

Developer notes: We recommend making it as easy as possible for the user to locate and select the appropriate industry code (e.g., a picklist). If appropriate, auto-populate this field rather than prompting the user for it. The application should be configured to require at least 3 digits of the full 6 digit code in order to provide sufficient specificity.

Miscellaneous: N/A

Origin (country)

Question Text: What is the partner's country of operation?

User notes: If multinational, select the primary location of the business group involved in the incident.

Question type: enumerated list (multi-select)

Variable name: actor.partner.country (string)

Purpose: Identifies the geographic origin of the actor, which is useful on multiple investigatory, operational, and strategic levels.

Developer notes: VERIS uses the ISO 3166 codes for the country variable, which can be found here: http://www.iso.org/iso/country_codes.htm. We recommend creating a list in the interface rather than requiring users to enter the correct code.

Miscellaneous: N/A
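The classification rules spread across this page (Not Applicable motive for Error and Environmental actions, former employees recorded as External rather than Internal, ISO 3166 country codes, and at least 3 of the 6 NAICS digits for the partner industry) can be enforced by an interface before a record is saved. The checker below is an added example, not VERIS project code; it assumes the incident is a dict shaped like the VERIS variable names on this page, that country codes are in ISO 3166 alpha-2 form, and the sample enumeration values are constructed.

```python
import re

# Variable names follow this page: actor.<kind>.motive, .variety, .country,
# and actor.partner.industry. Action category names are assumed lowercase.
MOTIVE_NA_ACTIONS = {"error", "environmental"}   # no motive is applicable
ISO3166_RE = re.compile(r"^[A-Z]{2}$")           # assumed alpha-2 form, e.g. "US"
NAICS_RE = re.compile(r"^\d{3,6}$")              # at least 3 of the 6 NAICS digits


def check_actor_record(incident):
    """Return the list of actor-classification problems found in one incident dict."""
    problems = []
    actions = set(incident.get("action", {}))
    actor = incident.get("actor", {})
    for kind, fields in actor.items():
        motive = fields.get("motive", [])
        # Only Error/Environmental actions present: NA is the only valid motive
        if actions and actions <= MOTIVE_NA_ACTIONS and motive and motive != ["NA"]:
            problems.append(f"actor.{kind}.motive should be ['NA'] for {sorted(actions)} actions")
        for code in fields.get("country", []):
            if not ISO3166_RE.match(code):
                problems.append(f"actor.{kind}.country {code!r} is not an ISO 3166 alpha-2 code")
    # A former employee is an External variety, never an Internal one
    internal_variety = [v.lower() for v in actor.get("internal", {}).get("variety", [])]
    if "former employee" in internal_variety:
        problems.append("former employee belongs under actor.external.variety, not actor.internal")
    industry = actor.get("partner", {}).get("industry")
    if industry is not None and not NAICS_RE.match(str(industry)):
        problems.append(f"actor.partner.industry {industry!r} needs 3 to 6 NAICS digits")
    return problems


# Constructed sample record: an insider misfiled as "Former employee", a partner
# with a 2-digit industry code and an external actor with a bad country value.
SAMPLE_INCIDENT = {
    "action": {"hacking": {"variety": ["Use of stolen creds"]}},
    "actor": {
        "external": {"motive": ["Financial"], "variety": ["Organized crime"], "country": ["ZZZ"]},
        "internal": {"motive": ["Financial"], "variety": ["Former employee"]},
        "partner": {"motive": ["NA"], "industry": "54"},
    },
}

if __name__ == "__main__":
    for problem in check_actor_record(SAMPLE_INCIDENT):
        print("-", problem)
```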

Notes

Question Text: Enter any additional details you deem noteworthy about the partner(s).

User notes: N/A

Question type: text field

Variable name: actor.partner.notes (string)

Purpose: Catch-alls are handy

Developer notes: N/A

Miscellaneous: N/A