Vocabulary for event recording and incident sharing framework overview

Document type: Guideline
Version: v1.0.0
Status: Current, Non-mandated
Owner: Cyber Security Unit, QGCDG
Effective: September 2024–current
Security classification: OFFICIAL-Public

Overview

The Vocabulary for Event Recording and Incident Sharing (VERIS) framework is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. The Queensland Government information security incident reporting standard incorporates elements of the VERIS framework to more thoroughly capture, structure, and share incident data.

This enables better analysis and tracking of trends in security incidents impacting Queensland Government, and also integrates with multiple intelligence frameworks.

Incident type

A confirmed incident refers to any incident where the confidentiality, integrity or availability of an information asset in any form was compromised or negatively impacted.

Incidents remain suspected when the QGCSU is unable to determine otherwise from the information available.

Confirmed or suspected incidents may be resolved as false positives when a response was triggered, but further investigation determines there was no incident.

Attributes

In alignment with IS18 and the Queensland Government information security classification framework, attributes describe which security attributes (of the previously identified assets) were compromised during the incident.

Multiple attributes can be affected for any one asset.

  • Confidentiality refers to limited observation and disclosure of an asset (or data). A loss of confidentiality implies that data was observed by or disclosed to an unauthorised actor.
  • Integrity refers to an asset (or data) being complete and unchanged from the original or authorised state, content, and function. Losses to integrity include unauthorised insertion, modification, manipulation, etc.
  • Availability refers to an asset (or data) being present, accessible, and ready for use when needed. Losses to availability include destruction, deletion, movement, performance impact (delay or acceleration), and interruption.

If agencies are unsure of what attributes to apply when assessing incident impact, detailed enumeration advice can be found within the VERIS framework.

Actors

Actors are entities that cause or contribute to an incident. There can be more than one actor involved in any incident, and their actions can be malicious or non-malicious, intentional or unintentional, causal or contributory.

There are three categories of threat actors:

  • External threats originate from sources outside of the organisation and its network of partners. Examples include criminal groups, lone hackers, former employees, and government entities. Typically, no trust or privilege is implied for external entities.
  • Internal threats are those originating from within the organisation. This encompasses full-time employees, independent contractors, and other staff. Insiders are trusted and privileged.
  • Partners include any third party sharing a business relationship with the organisation. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.

If agencies are unsure of what category/categories may apply, detailed enumeration advice can be found within the VERIS framework.

Assets

Describe the information assets that were subject to an attempted, actual or suspected compromise of confidentiality, integrity and/or availability during the incident. An incident can involve multiple assets and affect multiple attributes of those assets.

The seven categories of assets include:

  • Server: A computer or system that provides resources, data, services, or programs to other clients (computers), over a network
  • Network device: Physical devices that allow hardware on a computer network to communicate and interact with one another (e.g. gateway/router/switch/modem/hub)
  • User device: Broad. Can include desktop and laptop PCs, printers, document scanners, bar code scanners, smart phones, tablet devices
  • Terminal device: A device, combining keyboard and display screen, that communicates with a computer
  • Media: Digital Assets. Includes videos, audio, graphic design resources, source code, websites, and other data stored digitally
  • Person: The users of information assets. Often the weakest element in cybersecurity!
  • Other: Impacted asset that doesn’t clearly fit the above criteria
  • Unknown: Impacted assets are unclear/not yet known.

If agencies are unsure of what category/categories an asset may fall under, detailed enumeration advice can be found within the VERIS framework.

Actions

Threat actions describe what the actor(s) did to cause or contribute to the incident. An incident often involves multiple actions and categories. There are seven categories of threat actions:

  • Malware: Any malicious software, script, or code run on a device that alters its state or function without the owner’s informed consent
  • Hacking: All attempts to intentionally access or harm information assets without (or exceeding) authorisation by circumventing or thwarting logical security mechanisms
  • Social: Social tactics employ deception, manipulation, intimidation, etc. to exploit the human element, or users, of information assets
  • Misuse: The use of entrusted organisational resources or privileges for any purpose or manner contrary to that which was intended. These actions can be malicious or non-malicious in nature. Misuse is exclusive to parties that enjoy a degree of trust from the organisation, such as insiders and partners
  • Physical: Deliberate threats by a human actor that involve proximity, possession, or force such as theft, tampering, sabotage, local device access, assault, etc
  • Error: Broadly encompasses anything done (or left undone) incorrectly or inadvertently such as misconfigurations, programming errors, trips and spills, malfunctions, etc
  • Environmental: Natural events such as earthquakes and floods, and hazards such as power failures and pipe leaks, associated with the immediate environment or infrastructure in which assets are located.

If agencies are unsure of what category/categories may apply, detailed enumeration advice can be found within the VERIS framework.
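As an added example (not part of this guideline or of the VERIS project), the Python below validates an incident record against the incident types, attributes, actor, asset and action categories described in the sections above, including the rule that Misuse presupposes an insider or partner actor, and tallies action categories across confirmed incidents as input for trend tracking. The dict field names and the sample records are this example's own constructions, not the official VERIS JSON schema.

```python
from collections import Counter

# Enumerations from the guideline sections above; the dict layout used here is
# this example's own simplification, not the official VERIS JSON schema.
INCIDENT_TYPES = {"Confirmed", "Suspected", "False positive"}
ATTRIBUTES = {"Confidentiality", "Integrity", "Availability"}
ACTORS = {"External", "Internal", "Partner"}
ASSETS = {"Server", "Network device", "User device", "Terminal device",
          "Media", "Person", "Other", "Unknown"}
ACTIONS = {"Malware", "Hacking", "Social", "Misuse", "Physical", "Error",
           "Environmental"}

def validate(record):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if record.get("incident_type") not in INCIDENT_TYPES:
        problems.append("incident_type must be Confirmed, Suspected or False positive")
    actors = set(record.get("actors", []))
    actions = set(record.get("actions", []))
    problems += [f"unknown actor category: {a}" for a in sorted(actors - ACTORS)]
    problems += [f"unknown action category: {a}" for a in sorted(actions - ACTIONS)]
    # Misuse is abuse of entrusted resources, so it needs an insider or partner.
    if "Misuse" in actions and not actors & {"Internal", "Partner"}:
        problems.append("Misuse recorded without an Internal or Partner actor")
    for asset in record.get("assets", []):
        if asset.get("category") not in ASSETS:
            problems.append(f"unknown asset category: {asset.get('category')}")
        for attr in sorted(set(asset.get("attributes", [])) - ATTRIBUTES):
            problems.append(f"unknown attribute: {attr}")
    return problems

def action_trend(records):
    """Count action categories over valid, confirmed incidents (trend input)."""
    counter = Counter()
    for rec in records:
        if rec.get("incident_type") == "Confirmed" and not validate(rec):
            counter.update(set(rec["actions"]))
    return dict(counter)

# Constructed sample records (not real incidents); the third is inconsistent.
SAMPLES = [
    {"incident_type": "Confirmed", "actors": ["External"], "actions": ["Social", "Hacking"],
     "assets": [{"category": "Person", "attributes": ["Integrity"]},
                {"category": "Server", "attributes": ["Confidentiality"]}]},
    {"incident_type": "Confirmed", "actors": ["Partner"], "actions": ["Misuse"],
     "assets": [{"category": "Media", "attributes": ["Confidentiality"]}]},
    {"incident_type": "Suspected", "actors": ["External"], "actions": ["Misuse"],
     "assets": [{"category": "Unknown", "attributes": []}]},
]
```

Running `validate` over each sample flags only the third record, and `action_trend(SAMPLES)` counts one Social, one Hacking and one Misuse action from the two confirmed incidents.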

Indicators of compromise (IOCs)

IOCs are artifacts related to an incident that indicate assets may be compromised. Examples include IPs, URLs, malware hashes, etc. IOCs are useful for a range of tactical and operational purposes (e.g., blacklisting IPs associated with malicious activity).

Data breach

While not a VERIS definition, a data breach happens when personal and/or agency information is accessed or disclosed without authorisation or is lost. Agencies are required to notify affected individuals and other applicable parties when a data breach is likely to result in serious harm.

Licence


This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International licence. To view the terms of this licence, visit https://creativecommons.org/licenses/by-sa/4.0/. For permissions beyond the scope of this licence, contact qgea@qld.gov.au.

The Queensland Government Cyber Security Unit attributes the use of the VERIS Framework to VerisFramework.org which is licensed under CC BY SA 4.0. Unendorsed changes were made when applying the VERIS framework to this document to contextualise it for Queensland Government use.

To attribute this material, cite the Queensland Government Customer and Digital Group, Department of Transport and Main Roads.

The licence does not apply to any branding or images.