Response

This section focuses on the timeline of the events, how the incident was discovered, and lessons learned during the response and remediation process. It provides useful insight into the detection and defensive capabilities of the organization and helps identify the corrective actions needed to detect and/or prevent similar incidents in the future.

VERIS classification note: If the actor’s role in the breach is limited to a contributory error, the actor would not be included here. For example, if an insider’s unintentional misconfiguration of an application left it vulnerable to attack, the insider would not be considered a threat actor if the application were successfully breached by another actor. An insider who deliberately steals data or whose inappropriate behavior (e.g., policy violations) facilitated the breach would be considered a threat actor in the breach.

Incident Timeline

The timeline of events leading up to and following an incident varies greatly depending on a multitude of factors. VERIS tracks the following incident milestones, not all of which are applicable to every incident:

  1. First malicious action: Beginning of the threat actor's malicious actions against the victim. Port scans, initiating a brute-force attack, and even physical recon, are a few examples. This is only relevant to intentional and malicious actions.
  2. Initial compromise: First point at which a security attribute (C/P, I/A, A/U) of an information asset was compromised.
  3. Data exfiltration: First point at which non-public data was taken from the victim environment. Only applicable to data compromise events.
  4. Incident discovery: When the organization first learned the incident had occurred.
  5. Containment/restoration: Point at which the incident is contained (e.g., the "bleeding is stopped") or restored (e.g., fully functional).

Time framing the incident yields extremely useful metrics about threat actors and their actions, security readiness, resiliency, and response of victims, and a host of other factors. Note that the method of tracking timeline information has changed a few times since we published the VERIS framework. Most recently, we changed from collecting a timestamp for each phase to a timespan between phases (which is how it was originally).

Incident date

Question Text: When did the incident occur?

User notes: The first point at which a security attribute (C/P, I/A, A/U) of an information asset was compromised. Record time in hh:mm:ss UTC offset format (e.g. 15:18:27 -0500).

Question type: Date and time field

Variable name: timeline.incident (comprised of the year (integer), month (integer), day (integer), and time (string) variables)

Purpose: Contributes to the construction of a timeline for the incident, which is useful for reporting, trending, and analysis.

Developer notes: Rather than using a single date field, we separated day, month, and year. We did this because it may not be desirable to use the exact date of the incident in certain situations where the information is to be shared anonymously with other organizations. As such, only the year is required; day, month, and time are optional. We recommend that organizations record the exact date and time when using VERIS for internal incident tracking. When sharing with others, such organizations can omit time/day/month as desired. You may wish to display this in the 'Incident Tracking' section in the application, as it fits well there from a user perspective.

Miscellaneous: There are many different approaches to dating incidents among organizations. We suggest that the point of initial compromise is the most appropriate option to use as the primary date for time-based analysis and trending of incidents (e.g., creating stats for all 2012 incidents). It is usually not the culmination of the incident (i.e., it could be the first evidence of availability loss during a DDoS attack or the initial intrusion into the network before any subsequent actions).
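As an added worked example (this is not code from the VERIS project), the following Python builds the timeline block described above from the milestone timestamps an incident handler would have: it splits the initial-compromise date into the year/month/day/time variables in the hh:mm:ss UTC-offset format, measures the compromise span from the first malicious action and the exfiltration, discovery and containment spans from initial compromise, omits exfiltration when it does not apply, and strips everything but the required year before anonymous sharing. The milestone timestamps are constructed, and the unit spellings ("Minutes", "Hours", "Days") are assumed, since this page does not list the unit enumeration.

```python
from datetime import datetime, timedelta, timezone

# Constructed milestone timestamps for a hypothetical incident (not a real
# VERIS record). All times carry a -05:00 UTC offset.
EST = timezone(timedelta(hours=-5))
MILESTONES = {
    "first_action": datetime(2012, 3, 1, 9, 30, 0, tzinfo=EST),    # scanning / recon begins
    "compromise":   datetime(2012, 3, 2, 15, 18, 27, tzinfo=EST),  # first attribute compromised
    "exfiltration": datetime(2012, 3, 5, 2, 0, 0, tzinfo=EST),     # first non-public data leaves
    "discovery":    datetime(2012, 5, 20, 11, 0, 0, tzinfo=EST),   # victim learns of the incident
    "containment":  datetime(2012, 5, 22, 17, 45, 0, tzinfo=EST),  # bleeding stopped
}


def span_from_seconds(seconds):
    """Express a non-negative number of seconds as a VERIS unit/value pair.

    Sub-hour spans are reported in minutes, sub-day spans in hours, and
    everything longer in days: the user notes prefer a day count over
    weeks/months/years because it carries more precision. Unit spellings
    are assumed; the page does not list the enumeration.
    """
    if seconds < 0:
        raise ValueError("milestone ordering violated: a later milestone precedes an earlier one")
    if seconds < 3600:
        return {"unit": "Minutes", "value": round(seconds / 60, 2)}
    if seconds < 86400:
        return {"unit": "Hours", "value": round(seconds / 3600, 2)}
    return {"unit": "Days", "value": round(seconds / 86400, 2)}


def to_span(delta):
    """Same as span_from_seconds, taking a datetime difference."""
    return span_from_seconds(delta.total_seconds())


def build_timeline(m):
    """Build the timeline block from a dict of milestone datetimes.

    Keys mirror the variable names on this page: timeline.incident holds the
    date of initial compromise split into year/month/day/time; the span
    fields are measured from initial compromise, except compromise itself,
    which runs from the first malicious action. Exfiltration is only
    applicable to data compromise events and is omitted when absent.
    """
    c = m["compromise"]
    tl = {
        "incident": {
            "year": c.year, "month": c.month, "day": c.day,
            "time": c.strftime("%H:%M:%S %z"),   # hh:mm:ss followed by the UTC offset
        },
        "compromise":  to_span(c - m["first_action"]),
        "discovery":   to_span(m["discovery"] - c),
        "containment": to_span(m["containment"] - c),
    }
    if m.get("exfiltration") is not None:
        tl["exfiltration"] = to_span(m["exfiltration"] - c)
    return tl


def for_sharing(timeline):
    """Copy of the timeline keeping only the required year in timeline.incident,
    for anonymous sharing with other organizations (spans are retained)."""
    shared = dict(timeline)
    shared["incident"] = {"year": timeline["incident"]["year"]}
    return shared


if __name__ == "__main__":
    import json
    tl = build_timeline(MILESTONES)
    print(json.dumps(tl, indent=2))               # full internal record
    print(json.dumps(for_sharing(tl), indent=2))  # year-only variant for sharing
```

The ValueError on a negative span is deliberate: a containment or discovery timestamp earlier than initial compromise almost always means the wrong milestone was recorded, and it is better to catch that at entry time than to explain a negative "time to discovery" in a later report.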

Time to compromise

Question Text: First malicious action TO initial compromise:

User notes: Select an appropriate unit of time (e.g., minutes or days) and then specify a value (i.e., the exact number of minutes or days). While we offer options for weeks, months, and years, consider specifying the number of days instead to increase precision (i.e., 79 days is more precise than 2 or 3 months).

Question type: enumerated list (single-select) for unit and text field for value

Variable name: timeline.compromise (comprised of the unit (string; enumeration) and value (number) variables)

Purpose: Contributes to the construction of a timeline for the incident, which is useful for reporting, trending, and analysis.

Developer notes: N/A

Miscellaneous: N/A

Time to exfiltration

Question Text: Initial compromise TO data exfiltration:

User notes: Select an appropriate unit of time (e.g., minutes or days) and then specify a value (i.e., the exact number of minutes or days). While we offer options for weeks, months, and years, consider specifying the number of days instead to increase precision (i.e., 79 days is more precise than 2 or 3 months).

Question type: enumerated list (single-select) for unit and text field for value

Variable name: timeline.exfiltration (comprised of the unit (string; enumeration) and value (number) variables)

Purpose: Contributes to the construction of a timeline for the incident, which is useful for reporting, trending, and analysis.

Developer notes: N/A

Miscellaneous: N/A

Time to discovery

Question Text: Initial compromise TO incident discovery:

User notes: Select an appropriate unit of time (e.g., minutes or days) and then specify a value (i.e., the exact number of minutes or days). While we offer options for weeks, months, and years, consider specifying the number of days instead to increase precision (i.e., 79 days is more precise than 2 or 3 months).

Question type: enumerated list (single-select) for unit and text field for value

Variable name: timeline.discovery (comprised of the unit (string; enumeration) and value (number) variables)

Purpose: Contributes to the construction of a timeline for the incident, which is useful for reporting, trending, and analysis.

Developer notes: N/A

Miscellaneous: N/A

Time to containment

Question Text: Initial compromise TO containment/restoration:

User notes: Select an appropriate unit of time (e.g., minutes or days) and then specify a value (i.e., the exact number of minutes or days). While we offer options for weeks, months, and years, consider specifying the number of days instead to increase precision (i.e., 79 days is more precise than 2 or 3 months).

Question type: enumerated list (single-select) for unit and text field for value

Variable name: timeline.containment (comprised of the unit (string; enumeration) and value (number) variables)

Purpose: Contributes to the construction of a timeline for the incident, which is useful for reporting, trending, and analysis.

Developer notes: N/A

Miscellaneous: N/A

Discovery Method

Question Text: How was the incident discovered?

User notes: If more than one discovery method was involved, select the primary (or first) means of discovery (what tipped them off?).

Question type: enumerated list (single-select)

Variable name: discovery_method (string)

Purpose: Identifies how the incident was discovered, which says a great deal about the detective capabilities and readiness of the organization.

Developer notes: N/A

Miscellaneous: N/A

Root Causes

Question Text: What were the root control failures or weaknesses that allowed this incident to occur?

User notes: Obviously, there may be a multitude of factors that could be listed here. Include as many as you want, but we do recommend focusing on the issues most pertinent to the incident at hand.

Question type: text field

Variable name: control_failure (string)

Purpose: Understanding what went wrong is an essential first step toward making it right.

Developer notes: N/A

Miscellaneous: N/A

Corrective Actions

Question Text: What corrective action(s) are planned (or recommended) to prevent and/or detect similar incidents in the future?

User notes: This can include general recommendations, specific changes to policy, procedures, personnel, and technology, short-term and long-term strategies, etc. We recommend that you don't take an "everything but the kitchen sink" approach here; focus on things that are practical and achievable given your circumstances.

Question type: text field

Variable name: corrective_action (string)

Purpose: Identifies what is to be (or what should be) done to prevent such an incident from recurring in the future. This is obviously important to addressing the root issues contributing to the incident, but it's also useful to analyzing the nature and extent of corrective actions themselves (i.e., simple/cheap vs difficult/expensive or process fix vs technology fix).

Developer notes: N/A

Miscellaneous: N/A

Targeted vs Opportunistic

Question Text: Was this a targeted or opportunistic attack?

User notes: N/A

Question type: enumerated list (single-select)

Variable name: targeted (string)

Purpose: Enables comparative analysis of incidents along this distinction.

Developer notes: N/A

Miscellaneous: Only relevant to deliberate, malicious actions. There is some degree of subjectivity in answering this, but it's still a useful characteristic to associate with incidents.

Additional Guidance

When recording a timespan, use "10.25 months" instead of "312 days." The two are equivalent lengths of time, but VERIS stores the 'unit' ("days") separately from the 'value' ("312") and does not convert between them, and supporting free mixing of units in analysis is non-trivial. If we ran stats on incidents where the unit was "months or years," an incident recorded as "312 days" would not be included, because VERIS would treat it simply as a "days" record. In other words, for now we need to choose the correct unit and do the arithmetic to get the corresponding value (312 / 365 × 12 ≈ 10.25 months). Hopefully we can build in more flexibility at some point.
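To make the unit problem concrete, here is an added Python example (not VERIS project code) run over a handful of constructed records: a query that filters on the stored unit string misses the incident recorded as 312 days when asking for "months or years" dwell times, whereas normalizing every span to days before filtering or computing a median catches it. The records and the unit spellings are assumptions for illustration; the month and year factors use the same 365-day year as the conversion above.

```python
from statistics import median

# Days per VERIS timespan unit. Unit spellings are assumed (the page does
# not list the enumeration); "Months" and "Years" use a 365-day year, so
# 312 days -> 312 / 365 * 12 months, matching the guidance above.
DAYS_PER_UNIT = {
    "Seconds": 1 / 86400, "Minutes": 1 / 1440, "Hours": 1 / 24,
    "Days": 1.0, "Weeks": 7.0, "Months": 365 / 12, "Years": 365.0,
}

# Constructed sample records (not from any real VERIS data set). Records
# "a" and "b" describe the same dwell time in different units; "e" has no
# usable value and "f" has no discovery span at all.
RECORDS = [
    {"id": "a", "timeline": {"discovery": {"unit": "Days",    "value": 312}}},
    {"id": "b", "timeline": {"discovery": {"unit": "Months",  "value": 10.25}}},
    {"id": "c", "timeline": {"discovery": {"unit": "Minutes", "value": 45}}},
    {"id": "d", "timeline": {"discovery": {"unit": "Years",   "value": 2}}},
    {"id": "e", "timeline": {"discovery": {"unit": "Unknown"}}},
    {"id": "f", "timeline": {}},
]


def span_days(span):
    """Normalize a {unit, value} span to days; None if it cannot be converted."""
    if not span or "value" not in span:
        return None
    factor = DAYS_PER_UNIT.get(span.get("unit"))
    return None if factor is None else span["value"] * factor


def convert(span, unit):
    """Re-express a span in another unit (e.g. 312 days as months)."""
    days = span_days(span)
    if days is None:
        raise ValueError(f"span {span!r} has no convertible value")
    return {"unit": unit, "value": days / DAYS_PER_UNIT[unit]}


def ids_by_unit(records, phase, units):
    """The naive query: records whose stored unit string is in `units`.
    Anything recorded in another unit is silently dropped."""
    return [r["id"] for r in records
            if r["timeline"].get(phase, {}).get("unit") in units]


def ids_with_min_days(records, phase, min_days):
    """The unit-safe query: normalize every span to days, then compare."""
    out = []
    for r in records:
        d = span_days(r["timeline"].get(phase))
        if d is not None and d >= min_days:
            out.append(r["id"])
    return out


def median_days(records, phase):
    """Median of a phase, in days, over records with a convertible value."""
    vals = [span_days(r["timeline"].get(phase)) for r in records]
    vals = [v for v in vals if v is not None]
    return median(vals) if vals else None


if __name__ == "__main__":
    print("unit filter :", ids_by_unit(RECORDS, "discovery", {"Months", "Years"}))
    print("normalized  :", ids_with_min_days(RECORDS, "discovery", 300))
    print("312 days    :", convert({"unit": "Days", "value": 312}, "Months"))
    print("median days :", median_days(RECORDS, "discovery"))
```

Records without a numeric value ("Unknown", or no span at all) are excluded from the normalized results rather than treated as zero; counting them as zero would pull every median toward "discovered instantly," which is the opposite of what an unknown dwell time usually means.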