VERIS Incident Classification Mindmap

Wade Baker
March 23rd, 2010

As many of you know, we released the Verizon Incident Sharing (VERIS) framework a couple of weeks ago. The framework has four main sections: Demographics, Incident Classification, Discovery and Mitigation, and Impact Classification. The Incident Classification piece makes for a particularly interesting mind map, which you can view and play around with if you like.

I have included a little background on the Incident Classification section below (This is all in the main framework document, so if you’ve read that, you’ve read the following).

This section translates the incident narrative of “who did what to what (or whom) with what result” into a form more suitable for trending and analysis. To accomplish this, VERIS employs the A4 Threat Model developed by Verizon’s Risk Intelligence team. In the A4 model, a security incident (or threat scenario) is viewed as a series of events that adversely affect the information assets of an organization. Every event comprises the following four elements (the 4 A’s), which provide the top-level structure for the metrics in this section.

  • Agent: Whose actions affected the asset
  • Action: What actions affected the asset
  • Asset: Which assets were affected
  • Attribute: How the asset was affected

Describing the incident is a process of classifying all elements (and sub-elements) for all significant events. Thus, a single-event incident involving an external attacker using SQL injection to pull records from a database would be described in the manner depicted below. More complex incidents are handled similarly but utilize sequential sets of A’s corresponding to each event to form the attack chain. Those familiar with the Data Breach Investigations Reports may recognize the basic structure.

Agent

  • Source: External
  • Type: Organized criminal group
  • Origin: Romania

Action

  • Category: Hacking
  • Type: SQL injection
  • Path: Web application

Asset

  • System: Database server
  • Data: Personal information

Attribute

  • Type: Confidentiality

It is our position that the 4 A’s represent the minimum information necessary to adequately describe any incident or threat scenario. Furthermore, this structure provides an optimal framework within which to measure frequency, associate controls, link impact, and many other concepts required for risk management.
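To make the structure above concrete, here is a small Python example (added for this page; it is not VERIS tooling or the framework's schema) that encodes the single-event SQL injection incident as one event with its four A's, chains events into a multi-event incident, checks that every event carries all four A's, and counts one sub-element across incidents for trending. The sub-element names (source, type, origin, category, path, system, data) are taken from the post's example; the two-event incident, its action and data values, and the incomplete incident are constructed for illustration and are not from the framework document.

```python
from collections import Counter
from dataclasses import dataclass, field

# The four A's of an event, in the order the post lists them.
A4 = ("agent", "action", "asset", "attribute")


@dataclass
class Event:
    """One event: who did what to what, with what result.

    Each A is a dict of sub-elements (e.g. source/type/origin for the agent).
    Sub-element names follow the post's example, not the full VERIS enumerations.
    """
    agent: dict
    action: dict
    asset: dict
    attribute: dict

    def missing(self):
        """Return the A's that were left empty; the post calls all four the minimum."""
        return [a for a in A4 if not getattr(self, a)]


@dataclass
class Incident:
    name: str
    events: list = field(default_factory=list)  # sequential events form the attack chain

    def validate(self):
        """Every event in the chain must carry all four A's."""
        return [f"event {i}: missing {a}"
                for i, ev in enumerate(self.events, 1)
                for a in ev.missing()]

    def chain(self):
        """Summarise the attack chain as one line per event."""
        return [
            f"{ev.agent.get('source', '?')} agent -> {ev.action.get('type', '?')} "
            f"-> {ev.asset.get('system', '?')} -> {ev.attribute.get('type', '?')}"
            for ev in self.events
        ]


# The post's single-event example, encoded as one Event.
SQLI_EVENT = Event(
    agent={"source": "External", "type": "Organized criminal group", "origin": "Romania"},
    action={"category": "Hacking", "type": "SQL injection", "path": "Web application"},
    asset={"system": "Database server", "data": "Personal information"},
    attribute={"type": "Confidentiality"},
)
SQLI_INCIDENT = Incident("sqli-records", [SQLI_EVENT])

# Constructed (hypothetical) two-event incident: the same SQL injection first
# pulls credentials, then those credentials are used to reach the database
# server directly. Values are illustrative, not framework enumerations.
CHAINED_INCIDENT = Incident("sqli-then-creds", [
    Event(
        agent={"source": "External", "type": "Organized criminal group", "origin": "Romania"},
        action={"category": "Hacking", "type": "SQL injection", "path": "Web application"},
        asset={"system": "Database server", "data": "Credentials"},
        attribute={"type": "Confidentiality"},
    ),
    Event(
        agent={"source": "External", "type": "Organized criminal group", "origin": "Romania"},
        action={"category": "Hacking", "type": "Use of stolen credentials", "path": "Remote access"},
        asset={"system": "Database server", "data": "Personal information"},
        attribute={"type": "Confidentiality"},
    ),
])

# Constructed incomplete incident: the analyst never recorded the attribute.
INCOMPLETE_INCIDENT = Incident("no-attribute", [
    Event(agent={"source": "External"}, action={"category": "Hacking"},
          asset={"system": "Database server"}, attribute={}),
])


def frequency(incidents, a, sub):
    """Count the values of one sub-element (e.g. action/type) across all events.

    This is the 'measure frequency' use the post mentions: once every event is
    classified the same way, trending is a matter of counting.
    """
    return Counter(getattr(ev, a).get(sub, "unknown")
                   for inc in incidents for ev in inc.events)


if __name__ == "__main__":
    for inc in (SQLI_INCIDENT, CHAINED_INCIDENT, INCOMPLETE_INCIDENT):
        print(inc.name, inc.validate() or "ok")
        for line in inc.chain():
            print("  ", line)
    print(frequency([SQLI_INCIDENT, CHAINED_INCIDENT], "action", "type"))
```

Running it prints one chain line per event for each incident, flags the incomplete one with "event 1: missing attribute", and shows SQL injection counted twice across the two complete incidents; the same counter can be pointed at any A and sub-element to trend agents, assets, or attributes instead.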

