How to VERISize v2 - BSidesQuebec2013


Page 1: How to VERISize v2 - BSidesQuebec2013

Getting Started with VERIS

Kevin Thompson
Twitter: @bfist
Risk and Intelligence Researcher, Verizon RISK Team


#ermascerity


VERIS - A Framework for Gathering Risk Management Information from Security Incidents

Vocabulary for Event Recording and Incident Sharing

Page 15: How to VERISize v2 - BSidesQuebec2013

Risk Management: Operating Model

(diagram: Framework + Models + Data)

Page 16: How to VERISize v2 - BSidesQuebec2013

Evidence-Based Risk Management

Page 17: How to VERISize v2 - BSidesQuebec2013

Risk Management: Operating Model

(diagram: Framework + Models + Data)

Page 18: How to VERISize v2 - BSidesQuebec2013

UNCERTAINTY = Data

“The difference between the amount of information required to perform the task and the amount of information already possessed by the organization.”
(Galbraith, J., Organization Design, Addison-Wesley, Reading, MA, 1977)

Page 19: How to VERISize v2 - BSidesQuebec2013

EQUIVOCALITY = Framework


VERIS Framework

Page 22: How to VERISize v2 - BSidesQuebec2013

VERIS Framework

Data


The DBIR is an ongoing study that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and what might be done to prevent it.

2013 DBIR: 19 global contributors, 47,000+ security incidents, 621 confirmed data breaches

Page 25: How to VERISize v2 - BSidesQuebec2013

Methodology: Data Collection and Analysis

• DBIR participants use the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to collect and share data.

• Enables case data to be shared anonymously with the RISK Team for analysis.

VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.

VERIS: https://veriscommunity.net/

(i.e., you can do this too)

Page 26: How to VERISize v2 - BSidesQuebec2013

Actor

External | Internal | Partner

State | Crime | Activist

Page 27: How to VERISize v2 - BSidesQuebec2013

Action

Hacking | Malware | Social | Misuse

SQLi | XSS | Brute

Page 28: How to VERISize v2 - BSidesQuebec2013

How VERIS works

INCIDENT REPORT

“An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…”

VERIS takes this and…

Page 29: How to VERISize v2 - BSidesQuebec2013

How VERIS works

…and translates it to this…


Understand the Framework

Build your contacts

Build your collector

Practice, Practice, Practice

Refine your process

Make it your own

Page 42: How to VERISize v2 - BSidesQuebec2013

Basic Sections

• Incident Tracking
• Victim Demographics
• Events
• Detection & Response
• Impact

Page 43: How to VERISize v2 - BSidesQuebec2013

Demographics

• Company industry
• Company size
• Geographic location of business unit in incident
• Size of security department

Page 44: How to VERISize v2 - BSidesQuebec2013

Incident Classification: A4 event model

• Agent – What acts against us
• Action – What the agent does to the asset
• Asset – What the agent acts against
• Attribute – The result of the agent’s action against the asset

(diagram: the values under each of the four elements)

agent: external, partner, internal
action: hacking, malware, social, physical, misuse, error, environmental
asset: type, function
attribute: confidentiality, availability, integrity, possession, utility, authenticity

Page 45: How to VERISize v2 - BSidesQuebec2013

Incident Classification: A4 event model

The series of events (A4) creates an “attack model”

1 > 2 > 3 > 4 > 5

Page 46: How to VERISize v2 - BSidesQuebec2013

A security INCIDENT is a series of EVENTS that adversely affect the information assets of an organization. Every event is comprised of the following ELEMENTS:

Agent – Source: External; Type: Organized criminal group
Action – Category: Hacking; Type: SQL injection; Path: Web application
Asset – Type: Database; Platform: Acme Server 2008
Attribute – Type: Confidentiality; Data: Payment card data

1 > 2 > 3 > 4 > 5
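The two slides above (the phishing incident report and the A4 event model) are what the "translates it to this" step actually does: each step of the narrative becomes one agent/action/asset/attribute event, and the ordered events form the attack model. The following is an added example, not code from the talk or from the VERIS project. The agent, action and attribute values are the ones listed on the A4 slide; the Event layout, the helper names and the per-event detail keys (variety, vector, data) are this example's own simplification, not the official VERIS JSON schema, and the attribute chosen for the admin's misconfiguration is a coding decision the slides do not settle.

```python
"""Encoding the phishing narrative as a chain of A4 events.

Added example for this deck; not code from the talk or from the VERIS
project. Enumerations are taken from the A4 model slide. The Event
layout, helper names and detail keys are this example's own
simplification of a VERIS-style record.
"""
from collections import Counter
from dataclasses import dataclass, field

# Enumerations exactly as listed on the A4 slide.
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"hacking", "malware", "social", "physical",
           "misuse", "error", "environmental"}
ATTRIBUTES = {"confidentiality", "possession", "integrity",
              "authenticity", "availability", "utility"}


class VocabularyError(ValueError):
    """Raised when an event uses a value outside the shared vocabulary."""


@dataclass
class Event:
    agent: str
    action: str
    asset: str                                   # what the agent acts against
    attribute: str                               # result of the action on the asset
    detail: dict = field(default_factory=dict)   # variety, vector, data, ...


def validate_event(ev: Event) -> None:
    """A record is only comparable to other organisations' records if
    every slot uses the agreed vocabulary; free text here breaks that."""
    checks = (("agent", ev.agent, AGENTS),
              ("action", ev.action, ACTIONS),
              ("attribute", ev.attribute, ATTRIBUTES))
    for name, value, allowed in checks:
        if value not in allowed:
            raise VocabularyError(f"{name}={value!r} not in {sorted(allowed)}")
    if not ev.asset.strip():
        raise VocabularyError("asset must name what was acted against")


def attack_model(events):
    """The ordered chain 1 > 2 > 3 > ... as (agent, action, asset, attribute)."""
    for ev in events:
        validate_event(ev)
    return [(ev.agent, ev.action, ev.asset, ev.attribute) for ev in events]


def summarize(events):
    """The counts a DBIR-style chart is built from, plus what was taken."""
    attack_model(events)  # validate before counting
    return {
        "agents": dict(Counter(ev.agent for ev in events)),
        "actions": dict(Counter(ev.action for ev in events)),
        "attributes": dict(Counter(ev.attribute for ev in events)),
        "data_stolen": sorted({ev.detail["data"] for ev in events
                               if ev.attribute == "confidentiality"
                               and "data" in ev.detail}),
    }


# The narrative from the "How VERIS works" slide, one event per step.
# Event 4's attribute is a coding decision the slides do not settle;
# integrity (the server's secure configuration) is used here.
PHISHING_INCIDENT = [
    Event("external", "social", "executive (person)", "integrity",
          {"variety": "phishing", "vector": "email"}),
    Event("external", "malware", "executive laptop", "integrity",
          {"variety": "backdoor", "vector": "email attachment"}),
    Event("external", "hacking", "executive laptop", "confidentiality",
          {"variety": "use of backdoor", "data": "email"}),
    Event("internal", "error", "mapped file server", "integrity",
          {"variety": "misconfiguration", "vector": "build/deployment"}),
    Event("external", "hacking", "mapped file server", "confidentiality",
          {"variety": "access via mapped drive", "data": "intellectual property"}),
]

if __name__ == "__main__":
    for n, step in enumerate(attack_model(PHISHING_INCIDENT), 1):
        print(n, " / ".join(step))
    print(summarize(PHISHING_INCIDENT))
```

The validator is the part that matters for sharing: an analyst who types "vendor" instead of "partner" or "phishing" instead of "social" produces a record that no longer rolls up with anyone else's, so the collector should refuse it at entry rather than letting it reach the shared data set.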


Discovery & Mitigation

• Incident timeline
• Discovery method
• Evidence sources
• Control capability
• Corrective action
  – Most straightforward manner in which the incident could be prevented
  – The cost of preventative controls

Page 50: How to VERISize v2 - BSidesQuebec2013

Impact Classification

• Impact categorization
  – Sources of impact (direct, indirect)
  – Similar to ISO 27005/FAIR
• Impact estimation
  – Distribution for amount of impact
• Impact qualification
  – Relative impact rating

Page 51: How to VERISize v2 - BSidesQuebec2013

Build your understanding

• Go to http://veriscommunity.net for full details of the framework.


Building Contacts

• While you’re at http://veriscommunity.net join the VERIS mailing list.

• You can ask questions about the framework and specific questions about how to categorize something.

Page 59: How to VERISize v2 - BSidesQuebec2013

Build your collector

• People, this is just a survey!
  – Use any of the millions of online survey websites to make your collector.
  – Build this thing in SharePoint and add a workflow to it.

Page 60: How to VERISize v2 - BSidesQuebec2013

Excel Spreadsheet

laptop_incident_cost(params['data_count'], params['data_variety'])[0]

Page 61: How to VERISize v2 - BSidesQuebec2013

Pro Tip – Minimize Data Entry

Page 62: How to VERISize v2 - BSidesQuebec2013

You want source code?

• Tweet

“Oui Kevin! @bfist #BSidesQuebec”

Page 63: How to VERISize v2 - BSidesQuebec2013

Don’t be afraid to customize!

Page 64: How to VERISize v2 - BSidesQuebec2013

Sharing is Caring

• Share your data, it makes us all better off.
  – XML
  – JSON

• Form partnerships with other organizations and compare incidents.
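Sharing JSON with partners or with the RISK Team only works if the export step is deliberate: the methodology slide says case data is shared anonymously, so the victim name, hostnames and analyst notes have to come out before the file leaves. The following is an added example, not code from the talk or the VERIS project. The record layout is a simplified stand-in for a VERIS-style JSON record, and the allow-list, the keyed incident-ID hash and the identifier scan are this example's own choices; the sample record is constructed.

```python
"""Redacting an incident record before sharing it.

Added example for the "Sharing is Caring" and "shared anonymously"
slides; not code from the talk or from the VERIS project. The record
layout, allow-list, keyed hash and leak scan are this example's own
choices, not the official VERIS schema.
"""
import hashlib
import hmac
import json
import re

# Constructed sample record. The victim-identifying fields and free
# text are what must NOT leave the organisation.
RECORD = {
    "incident_id": "IR-2013-0042",
    "victim": {"name": "Acme Corp", "industry": "Manufacturing",
               "employees": "1001 to 10000", "country": "CA"},
    "events": [
        {"agent": "external", "action": "social", "attribute": "integrity",
         "asset": {"variety": "person", "hostname": None}},
        {"agent": "external", "action": "hacking", "attribute": "confidentiality",
         "asset": {"variety": "file server", "hostname": "fs01.corp.acme.example"}},
    ],
    "discovery": {"method": "external party notification", "days_to_discovery": 120,
                  "analyst_notes": "Tip-off about exfil to 203.0.113.9; contact j.doe@acme.example"},
    "impact": {"rating": "moderate", "loss_usd": 42000},
    "summary": "Phishing of CFO led to IP theft from fs01.",
}

# What may be shared: an allow-list, not a block-list, so a field nobody
# thought about stays inside by default.
SHAREABLE = {
    "victim": {"industry", "employees", "country"},
    "discovery": {"method", "days_to_discovery"},
    "impact": {"rating"},
}
EVENT_FIELDS = {"agent", "action", "attribute"}
ASSET_FIELDS = {"variety"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def leak_check(obj, path="$"):
    """Return (path, match) for every IPv4 address or e-mail in any string."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            found += leak_check(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found += leak_check(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        for rx in (IPV4, EMAIL):
            found += [(path, m.group()) for m in rx.finditer(obj)]
    return found


def pseudonymize_id(incident_id, key):
    """Keyed hash: the contributor can map it back, recipients cannot."""
    return hmac.new(key, incident_id.encode(), hashlib.sha256).hexdigest()[:16]


def for_sharing(record, key):
    """Build the shareable copy; refuse to export if identifiers survive."""
    out = {"incident_id": pseudonymize_id(record["incident_id"], key)}
    for section, fields in SHAREABLE.items():
        out[section] = {f: record[section][f] for f in fields if f in record[section]}
    out["events"] = [
        {**{f: ev[f] for f in EVENT_FIELDS},
         "asset": {f: ev["asset"][f] for f in ASSET_FIELDS}}
        for ev in record["events"]
    ]
    leaks = leak_check(out)
    if leaks:
        raise ValueError(f"refusing to export, identifiers present: {leaks}")
    return out


if __name__ == "__main__":
    print(json.dumps(for_sharing(RECORD, b"contributor-secret"), indent=2))
```

The scan at the end is a backstop, not the control: the allow-list is what keeps free text out, and the regex only catches the two identifier types it knows about, so it should be extended with whatever your own notes tend to contain (hostnames, user names, ticket numbers).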


Kevin Thompson
[email protected]
Twitter: @bfist