DFS40083 - Chapter 5


Chapter 5: Security Monitoring

CCNA Cybersecurity Operations v1.1


5.1 Technologies and Protocols

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Monitoring Common Protocols
Syslog and NTP
▪ Syslog and Network Time Protocol (NTP) are essential to the work of the cybersecurity analyst.
• Syslog is used for logging event messages from network devices and endpoints.
• Syslog servers typically listen on UDP port 514.
• Syslog servers may be a target for threat actors.
• Hackers may block the transfer of data, tamper with log data, or tamper with software that
creates and transmits log messages.
• syslog-ng (next generation) provides enhancements to the original syslog.

Monitoring Common Protocols
NTP
▪ Syslog messages are usually timestamped
using the Network Time Protocol (NTP).
▪ NTP operates on UDP port 123.
▪ Timestamps are essential for detection of an
exploit.
▪ Threat actors may attempt to attack NTP to
corrupt time information used to correlate
logged network events.
▪ Threat actors use NTP systems to direct DDoS
attacks.

Monitoring Common Protocols
DNS
▪ DNS is used by many types of malware.
▪ Attackers encapsulate different network protocols within DNS to evade security devices.
▪ Some malware use DNS to communicate with command-and-control (CnC) servers and to
exfiltrate data in traffic disguised as normal DNS queries.
▪ Malware could encode stolen data as the subdomain portion of a DNS lookup for a domain
where the nameserver is under control of an attacker.
▪ DNS queries for randomly generated domain names, or extremely long random-appearing
subdomains, should be considered suspicious, especially if their occurrence spikes
dramatically on the network.
DNS Exfiltration
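As an added example (not part of the original slides), the heuristic below flags the pattern this slide describes, long random-looking subdomain labels repeated under one parent domain. The query-log format, the client addresses and the domain names are all constructed; the two-label parent approximation and the thresholds are assumptions a real deployment would tune.

```python
"""Heuristic flagging of DNS queries that look like the exfiltration pattern the
slide describes: very long, random-looking subdomain labels under one parent
domain, repeated many times. The query-log format and all names/addresses
below are constructed for this example (not Security Onion or Bro output).
"""
import math
from collections import defaultdict

# Constructed sample log: "<epoch> <client_ip> <query_name>" per line. The host
# 10.1.1.42 is sending hex-encoded data as labels under evil-ns.example.
SAMPLE_LOG = """\
1700000001 10.1.1.20 www.example.com
1700000002 10.1.1.20 mail.example.com
1700000003 10.1.1.21 cdn.images.example.net
1700000004 10.1.1.42 4a6f686e2044616f2070617373776f7264.x7f3k.evil-ns.example
1700000005 10.1.1.42 7365637265742d6b65792d3039383736.x7f3k.evil-ns.example
1700000006 10.1.1.42 9f8e7d6c5b4a39281706f5e4d3c2b1a0.x7f3k.evil-ns.example
1700000007 10.1.1.42 0a1b2c3d4e5f60718293a4b5c6d7e8f9.x7f3k.evil-ns.example
1700000008 10.1.1.20 time.example.org
"""

MAX_LABEL_LEN = 30       # human-chosen host names rarely exceed this (assumption)
MIN_ENTROPY_BITS = 3.0   # bits/char; hex-encoded text scores ~3.1, random hex 4.0
MIN_DISTINCT_SUBS = 3    # distinct subdomains one client asks for under one parent


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, parent) where parent is the last two labels.
    A real implementation would consult the Public Suffix List; the two-label
    approximation is an assumption kept for brevity."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def label_features(subdomain: str):
    """Per-query features: length of the longest label and its entropy."""
    if not subdomain:
        return 0, 0.0
    longest = max(subdomain.split("."), key=len)
    return len(longest), shannon_entropy(longest)


def find_suspicious(log_text: str):
    """Return {parent_domain: {client_ip: [qnames]}} for parents where a client
    sent long, high-entropy labels AND asked for many distinct subdomains."""
    per_parent = defaultdict(lambda: defaultdict(set))   # parent -> client -> subs
    flagged = defaultdict(lambda: defaultdict(list))     # parent -> client -> qnames
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        sub, parent = split_name(qname)
        per_parent[parent][client].add(sub)
        length, entropy = label_features(sub)
        if length > MAX_LABEL_LEN and entropy >= MIN_ENTROPY_BITS:
            flagged[parent][client].append(qname)
    result = {}
    for parent, clients in flagged.items():
        hits = {c: q for c, q in clients.items()
                if len(per_parent[parent][c]) >= MIN_DISTINCT_SUBS}
        if hits:
            result[parent] = hits
    return result
```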

Monitoring Common Protocols
HTTP and HTTPS
▪ All information carried in HTTP is transmitted in plaintext from the source computer
to the destination on the Internet.
▪ HTTP does not protect data from alteration or interception.
▪ Web-based threats consist of malware scripts that have been planted on
webservers that direct browsers to infected servers by loading iframes.
• In iFrame injection, a threat actor compromises a webserver and plants malicious code
which creates an invisible iFrame on a commonly visited webpage.
• When the iFrame loads, malware is downloaded.

HTTP iFrame Injection Exploit

Monitoring Common Protocols
HTTP and HTTPS (Cont.)
▪ HTTPS adds a layer of encryption to the HTTP protocol by using Secure Sockets Layer (SSL).
• SSL makes the HTTP data unreadable as it leaves the source computer until
it reaches the server.

Monitoring Common Protocols
HTTP and HTTPS (Cont.)
▪ Encrypted HTTPS traffic complicates network security monitoring.
▪ HTTPS adds complexity to packet captures.

Monitoring Common Protocols
Email protocols
▪ Email protocols such as SMTP, POP3, and IMAP can be used by threat actors to
spread malware, exfiltrate data, or provide channels to malware CnC servers.
• SMTP sends data from a host to a mail server and between mail servers and is not always
monitored.
• IMAP and POP3 are used to download email messages from a mail server to the host
computer and can be responsible for bringing malware to the host.
• Security monitoring can identify when a malware attachment entered the network and
which host it first infected.

Monitoring Common Protocols
ICMP
▪ ICMP can be used to craft a number of types of exploits.
• Can be used to identify hosts on a network, the structure of a network, and the
operating systems in use on the network.
• Can also be used as a vehicle for various types of DoS attacks.
• ICMP can also be used for data exfiltration through ICMP traffic from inside the
network.
• ICMP tunneling - Malware uses crafted ICMP packets to transfer files from infected hosts
to threat actors.

Security Technologies
ACLs
▪ ACLs may provide a false sense of security.
• Attackers can determine which IP addresses, protocols, and ports are allowed by
Access Control Lists (ACLs), by port scanning, penetration testing, or through
other forms of reconnaissance.
• Attackers can craft packets that use spoofed source IP addresses or applications
can establish connections on arbitrary ports.

Security Technologies
NAT and PAT
▪ NAT and PAT can complicate security monitoring.
• Multiple IP addresses are mapped to one or more public addresses that
are visible on the Internet.
• Hides the individual IP addresses that are inside the network.

Security Technologies
Encryption, Encapsulation, and Tunneling
▪ Encryption
• Makes traffic contents unreadable by cybersecurity analysts.
• Part of Virtual Private Network (VPN) and HTTPS.
▪ Virtual point-to-point connection between an internal host and threat actor
devices
• Malware can establish an encrypted tunnel that rides on a common and trusted
protocol, and use it to exfiltrate data from the network.

Security Technologies
Peer-to-Peer Networking and Tor
▪ Peer-to-Peer network activity
• Can circumvent firewall protections and is a common vector for the spread of malware.
• Three types of Peer-to-Peer applications exist: file sharing, processor sharing, and IM
• File-sharing P2P applications should not be allowed on corporate networks.
▪ Tor is a software platform and network of Peer-to-Peer hosts that function as Internet routers
on the Tor network.
• Allows users to browse the Internet anonymously using a special browser.
• Can be used to hide identity of threat actors and used by criminal organizations.

Tor P2P Operation

Security Technologies
Load Balancing
▪ Load balancing is the distribution of traffic between devices or network paths to
prevent overwhelming network resources.
• Some load balancing approaches use DNS to send traffic to resources that have the
same domain name but multiple IP addresses.
• This can result in a single Internet transaction being represented by multiple IP
addresses on the incoming packets.
• This may cause suspicious features to appear in packet captures.

5.2 Evaluating Alerts

Sources of Alerts
Security Onion
▪ Security Onion is an open-source suite of Network Security Monitoring (NSM) tools that
run on an Ubuntu Linux distribution.
▪ Some components of Security Onion are owned and maintained by corporations, such as
Cisco and Riverbend Technologies, but are made available as open source.

Sources of Alerts
Detection Tools for Collection
A Security Onion Architecture
▪ CapME provides the cybersecurity analyst with an easy-to-read means of viewing an
entire Layer 4 session.
▪ Snort uses rules and signatures to generate alerts.
▪ Bro uses policies, in the form of scripts, that determine what data to log and when to
issue alert notifications.
▪ OSSEC actively monitors host system operations, including conducting file integrity
monitoring, local log monitoring, system process monitoring, and rootkit detection.
▪ Suricata uses native multithreading, which allows the distribution of packet stream
processing across multiple processor cores.
Sources of Alerts
Analysis Tools
A Security Onion Architecture
▪ Sguil – This provides a high-level cybersecurity analysts’ console for investigating
security alerts from a wide variety of sources.
▪ ELSA – Logging sources such as HIDS, NIDS, firewalls, syslog clients and servers,
domain services, and others can be configured to make their logs available to ELSA
databases.
▪ Wireshark – This is a packet capture application that is integrated into the Security
Onion suite.

Sources of Alerts
Alert Generation
Sguil Window
▪ Alerts are generated in Security Onion by many sources including Snort, Bro, Suricata,
and OSSEC, among others.
▪ Sguil provides a console that integrates alerts from multiple sources into a timestamped
queue.
▪ Alerts will generally include the following five-tuple information:
• SrcIP - the source IP address for the event.
• SPort - the source (local) Layer 4 port for the
event.
• DstIP - the destination IP for the event.
• DPort - the destination Layer 4 port for the
event.
• Pr - the IP protocol number for the event.

Sources of Alerts
Rules and Alerts
▪ Alerts can come from a number of sources:
• NIDS - Snort, Bro and Suricata
• HIDS – OSSEC
• Asset management and monitoring - Passive Asset Detection System (PADS)
• HTTP, DNS, and TCP transactions - Recorded by Bro and pcaps
• Syslog messages - Multiple sources

Sources of Alerts
Snort Rule Structure
▪ Snort rules consist of the rule header and
rule options.
• Rule header contains the action, protocol,
addressing, and port information
• Rule options include the text message that identifies the alert and also metadata
about the alert.
▪ Snort rules come from a variety of
sources including Emerging Threats
(ET), SourceFire, and Cisco Talos.
▪ PulledPork is a Security Onion
component that can download new rules
automatically from snort.org.
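As an added example, not code from the slides or from Snort itself, the parser below splits a rule into the two parts named on this slide: the header (action, protocol, addressing, ports) and the options (msg, sid, rev, classtype and so on). The sample rule is constructed, uses a SID from the local range, and is not a published Emerging Threats, Sourcefire or Talos rule.

```python
"""Parse a Snort rule into its header (action, protocol, addresses, ports)
and its options (msg, sid, rev, classtype, ...), the two parts the slide
names. The sample rule below is constructed for this example and uses the
local SID range; it is not a published ET, Sourcefire or Talos rule.
"""
import re
from dataclasses import dataclass, field

# Constructed rule: plaintext syslog (UDP/514 per the chapter) arriving from outside.
SAMPLE_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 514 '
    '(msg:"EXAMPLE POLICY syslog; from outside"; content:"<"; depth:1; '
    'sid:1000001; rev:1; classtype:policy-violation;)'
)

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
REQUIRED_OPTIONS = ("msg", "sid", "rev")   # metadata every shareable rule should carry


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # ordered (keyword, value-or-None)

    def option(self, keyword):
        """Value of the first occurrence of keyword (None for bare flags or missing)."""
        for k, v in self.options:
            if k == keyword:
                return v
        return None

    def missing_metadata(self):
        """Required option keywords this rule lacks."""
        present = {k for k, _ in self.options}
        return [k for k in REQUIRED_OPTIONS if k not in present]


def split_options(opts: str):
    """Split 'k:v; flag; ...' on semicolons outside double quotes, honouring
    backslash escapes, so a ';' inside msg/content text is preserved."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf))
    options = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if ":" in part:
            keyword, value = part.split(":", 1)
            options.append((keyword.strip(), value.strip()))
        else:
            options.append((part, None))          # bare flag such as nocase
    return options


def parse_rule(text: str) -> SnortRule:
    """Split the header from the parenthesised options and build a SnortRule."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    return SnortRule(m["action"], m["proto"], m["src"], m["sport"],
                     m["direction"], m["dst"], m["dport"],
                     split_options(m["opts"]))
```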

Sources of Alerts
Lab – Snort and Firewall Rules

Overview of Alert Evaluation
The Need for Alert Evaluation
▪ Exploits will inevitably evade
protection measures, no matter how
sophisticated they may be.
▪ Detection rules should be overly
conservative.
▪ It is necessary to have skilled
cybersecurity analysts investigate
alerts to determine if an exploit has
actually occurred.
▪ Tier 1 cybersecurity analysts will work
through queues of alerts in a tool like
Sguil, pivoting to tools like Bro,
Wireshark, and ELSA.
Overview of Alert Evaluation
Evaluating Alerts
▪ Alerts can be classified as follows:
• True Positive: The alert has been verified to be an actual security incident.
• False Positive: The alert does not indicate an actual security incident.
• True Negative: No security incident has occurred.
• False Negative: An undetected incident has occurred.

5.3 Working with Network Security Data

A Common Data Platform
ELSA
▪ Enterprise Log Search and Archive
(ELSA) is an enterprise-level tool for
searching and archiving NSM data that
originates from multiple sources.
▪ ELSA is able to normalize log file entries
into a common schema that can then be
displayed in the ELSA web interface.
▪ ELSA receives logs over Syslog-NG,
stores logs in MySQL databases, and
indexes using Sphinx Search.

A Common Data Platform
Data Reduction
▪ Data reduction is the identification of
data that should be gathered and
stored to reduce the burden on
systems.
▪ By limiting the volume of data, tools
like ELSA will be far more useful.

A Common Data Platform
Data Normalization
▪ Data normalization is the process of combining data from a number of
sources into a common format for indexing and searching.
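As an added illustration of what normalization means in practice (example code, not ELSA's implementation), the snippet below takes a firewall message carried over syslog and a web server access-log line, two unrelated formats, and maps both onto one common set of field names so they can be indexed and searched together. The log lines, the schema field names and the year supplied for the syslog timestamp are all constructed assumptions.

```python
"""Normalise log lines from two different sources into one common schema, the
step the slide describes before indexing and searching. Both sample lines and
the common field names are constructed for this example.
"""
import re
from datetime import datetime, timezone

# Constructed: an iptables-style DROP message carried over syslog (RFC 3164 framing).
FW_LINE = ("<134>Jan 12 10:15:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 "
           "DST=192.0.2.10 PROTO=TCP SPT=51522 DPT=22")
# Constructed: a web server access-log entry in Common Log Format.
WEB_LINE = ('192.0.2.77 - - [12/Jan/2024:10:15:03 +0000] '
            '"GET /index.html HTTP/1.1" 200 512')

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
    r'[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')

# The common schema: every normalised record carries these keys (None if unknown).
COMMON_FIELDS = ("event_time", "source_type", "host", "src_ip", "dst_ip",
                 "dst_port", "proto", "action")


def parse_firewall_syslog(line: str, year: int = 2024) -> dict:
    """RFC 3164 timestamps carry no year, so the caller supplies it (assumption)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    kv = dict(KV_RE.findall(m.group("msg")))
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {
        "event_time": ts.replace(tzinfo=timezone.utc).isoformat(),
        "source_type": "firewall",
        "host": m.group("host"),
        "src_ip": kv.get("SRC"),
        "dst_ip": kv.get("DST"),
        "dst_port": int(kv["DPT"]) if "DPT" in kv else None,
        "proto": kv.get("PROTO", "").lower() or None,
        "action": m.group("msg").split()[0].lower(),   # drop / accept / ...
    }


def parse_web_clf(line: str) -> dict:
    """CLF has no server name or destination address; those stay None."""
    m = CLF_RE.match(line)
    if not m:
        raise ValueError("not a CLF line: %r" % line)
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "event_time": ts.isoformat(),
        "source_type": "web",
        "src_ip": m.group("ip"),
        "proto": "tcp",
        "action": m.group("method").lower(),
        "http_status": int(m.group("status")),    # source-specific extra field
        "path": m.group("path"),
    }


def normalize(line: str) -> dict:
    """Dispatch on the line shape and guarantee every common field is present."""
    rec = parse_firewall_syslog(line) if line.startswith("<") else parse_web_clf(line)
    for f in COMMON_FIELDS:
        rec.setdefault(f, None)
    return rec


def search(records, **criteria):
    """Filter normalised records by common-field values, across all sources."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]
```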

A Common Data Platform
Data Archiving
▪ Retaining NSM data indefinitely is not
feasible due to storage and access issues.
▪ Compliance frameworks may require
storage of data for a specified period of
time.
▪ ELSA can be configured to retain data for
a period of time. The default is 90 days.
▪ Sguil alert data is retained for 30 days by
default.

A Common Data Platform
Lab – Convert Data Into a Universal Format

Investigating Network Data
Working in Sguil
▪ In Security Onion, the first place that a
cybersecurity analyst will go to verify
alerts is Sguil.
▪ Sguil automatically correlates similar
alerts into a single line and provides a
way to view correlated events
represented by that line.
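As an added example serving this slide and the five-tuple slide above (not Sguil's own code or data), the snippet collapses individual alerts into correlated lines while keeping each event's SrcIP, SPort, DstIP, DPort and Pr so a line can be expanded back into its events. The grouping key (same signature, source IP and destination IP) and the sample alerts are constructed assumptions.

```python
"""Collapse individual NIDS alerts into the correlated single lines the slide
describes Sguil presenting, keeping the five-tuple (SrcIP, SPort, DstIP, DPort,
Pr) of every underlying event so the line can be expanded. The grouping key
(same signature, source IP and destination IP) and the sample alerts are
assumptions constructed for this example, not Sguil's own logic or data.
"""
from collections import OrderedDict
from dataclasses import dataclass

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA IP protocol numbers for Pr


@dataclass(frozen=True)
class Alert:
    ts: int          # epoch seconds the sensor saw the event
    signature: str   # rule msg text
    src_ip: str      # SrcIP
    sport: int       # SPort
    dst_ip: str      # DstIP
    dport: int       # DPort
    pr: int          # Pr: IP protocol number


# Constructed: one signature firing three times from the same host against three
# ports on one server, plus two alerts that must stay on their own lines.
SAMPLE_ALERTS = [
    Alert(1700000010, "EXAMPLE SCAN port sweep", "10.1.1.42", 40001, "192.0.2.10", 22, 6),
    Alert(1700000011, "EXAMPLE SCAN port sweep", "10.1.1.42", 40002, "192.0.2.10", 23, 6),
    Alert(1700000012, "EXAMPLE POLICY syslog from outside", "203.0.113.5", 5140,
          "192.0.2.20", 514, 17),
    Alert(1700000013, "EXAMPLE SCAN port sweep", "10.1.1.42", 40003, "192.0.2.10", 25, 6),
    Alert(1700000014, "EXAMPLE SCAN port sweep", "10.1.1.77", 51000, "192.0.2.10", 22, 6),
]


def correlate(alerts):
    """Return one line per (signature, SrcIP, DstIP), ordered by first occurrence,
    with CNT, first/last seen and the set of destination ports touched."""
    lines = OrderedDict()
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.src_ip, a.dst_ip)
        if key not in lines:
            lines[key] = {"signature": a.signature, "src_ip": a.src_ip,
                          "dst_ip": a.dst_ip, "pr": PROTO_NAMES.get(a.pr, str(a.pr)),
                          "cnt": 0, "first_seen": a.ts, "last_seen": a.ts,
                          "dports": set(), "events": []}
        line = lines[key]
        line["cnt"] += 1
        line["last_seen"] = a.ts
        line["dports"].add(a.dport)
        line["events"].append(a)
    return list(lines.values())


def expand(line):
    """The 'view correlated events' action: the five-tuple of each event behind a line."""
    return [(a.src_ip, a.sport, a.dst_ip, a.dport, a.pr) for a in line["events"]]


def render(lines):
    """Queue-style text, one correlated line each, for reading at the console."""
    return "\n".join(
        "%-4d %-36s %-12s -> %-12s %-4s ports=%s" % (
            l["cnt"], l["signature"], l["src_ip"], l["dst_ip"], l["pr"],
            sorted(l["dports"]))
        for l in lines)
```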

Investigating Network Data
Sguil Queries
▪ Queries can be constructed in Sguil using the Query Builder, which simplifies
constructing queries.
▪ The cybersecurity analyst must know the field names and some issues with field
values.

Investigating Network Data
Pivoting from Sguil
▪ Sguil provides the ability to “pivot” the investigation to other tools such as ELSA,
Wireshark, or Bro.
▪ Log files are available in ELSA, relevant packet captures can be displayed in
Wireshark, and transcripts of TCP sessions and Bro information are also available.

Investigating Network Data
Event Handling in Sguil
▪ Three tasks can be completed
in Sguil to manage alerts.
• Alerts that have been found to
be false positives can be
expired.
• An event can be escalated by
pressing the F9 key.
• An event can be categorized.

Investigating Network Data
Working in ELSA
▪ ELSA provides access to a large
number of log file entries.
▪ ELSA will only retrieve the first 100
records for the previous 48 hours.
▪ The easiest way to see information in
ELSA is to issue the built-in queries that
appear to the left of the ELSA window
and then adjust the dates and resubmit
the query using the Submit Query
button.

Investigating Network Data
Queries in ELSA
▪ ELSA provides field summary and value information for every field that is indexed in the
query results. This permits refining queries based on a wide range of values.
▪ Clicking an entry in the Value column will display the query with the value added to the
previous query. This process can be repeated to narrow down search results easily.
▪ Regular expressions are executed in ELSA using the grep function.

Investigating Network Data
Investigating Process or API Calls
▪ If malware can fool an OS kernel into
allowing it to make system calls, many
exploits are possible.
▪ OSSEC rules detect changes in host-
based parameters like the execution of
software processes, changes in user
privileges, and registry modifications,
among others.
▪ OSSEC rules will trigger an alert in Sguil.

▪ Choosing OSSEC as the source program in ELSA results in a view of the OSSEC
events that occurred on the host.
Investigating Network Data
Investigating File Details
▪ When ELSA is opened directly, a query short cut exists for Files.

▪ Opening the Files queries and selecting Mime Types in the menu displays a list of the
types of files that have been downloaded.
▪ MD5 and SHA-1 hashes for downloaded files are also available.

▪ File hash values can be submitted to online sites to determine if the file is known
malware.

Investigating Network Data
Lab – Regular Expression Tutorial

Investigating Network Data
Lab – Extract an Executable from a PCAP

Enhancing the Work of the Cybersecurity Analyst
Dashboards and Visualizations
▪ Dashboards provide an interactive combination of data and visualizations designed to
improve the value of large amounts of information.
▪ Allow analysts to focus on specific details and information

▪ ELSA capable of designing custom dashboards

▪ Squert provides a visual interface

▪ Cisco Talos provides an interactive dashboard

Enhancing the Work of the Cybersecurity Analyst
Workflow Management
▪ Network security monitoring requires workflows to be managed.
• Enhances efficiency of the cyberoperations team
• Increases the accountability of staff
• Ensures that all potential alerts are treated properly
• Each alert should be systematically assigned, processed, and documented
▪ Sguil provides basic workflow management but is not a good choice for large operations;
customizable third-party systems are available.
▪ Automated queries add efficiency to workflow
• Search for complex security incidents that may evade other tools
• ELSA query can be configured as an alert rule and run regularly
• Can be created in a scripting language such as Python

5.4 Incident Response Models

The Cyber Kill Chain
Steps of the Cyber Kill Chain®
▪ Developed by Lockheed Martin to
identify and prevent cyber intrusions.
• The steps of the Cyber Kill Chain
help analysts understand the
techniques, tools, and procedures of
threat actors.
• The threat actor gains more access
to the target as they progress
through the steps.
• The goal is to stop them as early as
possible to lessen the damage done.

The Cyber Kill Chain
Reconnaissance
▪ Reconnaissance is when the threat actor performs research,
gathers intelligence, and selects targets.
▪ Organizations may provide information on websites, public-
facing network devices, in news articles, conference
proceedings, and social media outlets.

The Cyber Kill Chain
Weaponization
▪ Weaponization uses the vulnerability information gathered in
the reconnaissance step to identify and develop a weapon
against specific targeted systems in the organization.

The Cyber Kill Chain
Delivery
▪ Delivery is when the threat actor delivers the developed
weapon using either a website, a removable USB media, or
an email attachment.

The Cyber Kill Chain
Exploitation
▪ Exploitation is when the threat actor triggers the
weapon and executes it to compromise the vulnerability
and gain control of the target.

The Cyber Kill Chain
Installation
▪ Installation is when the threat actor establishes a back
door into the system to allow for continued access to the
target.

The Cyber Kill Chain
Command and Control
▪ Command & Control (CnC or C2) is when an outside
server channel is used by the threat actor to manipulate a
target by issuing commands to the software that they
installed on the target.

The Cyber Kill Chain
Actions on Objectives
▪ Actions on Objectives is the final step of the kill chain and
is when the attacker achieves the attack objective.
• Can be used for data theft, performing a DDoS attack, or using
the compromised network to create and send spam.
• Threat actor is deeply rooted in the systems of the
organization and may be extremely difficult to remove from the
network.

The Diamond Model of Intrusion
Diamond Model Overview
▪ The Diamond Model identifies four parts involved in a security incident.
• Adversary – Parties responsible for the intrusion.
• Capability – Tool or technique used by the threat actor.
• Infrastructure – The network path(s) used by the threat actor to establish and
maintain command and control.
• Victim – The target of the attack. The victim could then be used as part of the
infrastructure to launch other attacks.
Meta-features expand the model to include important elements.
▪ The adversary uses capabilities over infrastructure to attack the victim.
• Each line in the model shows how each part reached the other.

The Diamond Model of Intrusion
Pivoting Across the Diamond Model
▪ The Diamond Model is ideal for illustrating how the adversary pivots from one event to the next.
For example:
1) An employee reports that his computer is acting abnormally and a scan indicates the
computer is infected with malware.
2) An analysis of the malware reveals that the malware contains a list of CnC domain names.
3) These domain names resolve to a list of IP addresses.
4) These IP addresses are used to investigate logs to determine if other victims in the
organization are using the CnC channel.
5) The IP addresses are also used to identify the adversary.
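The five-step pivot above, and the four Diamond vertices from the previous slide, carried out over constructed evidence as an added example (not part of the original slides). Every hostname, domain, IP address and registrant value is constructed; the shape of the passive-DNS, connection-log and registration data is an assumption.

```python
"""Pivot across the Diamond Model over constructed evidence, following the
five-step example on the slide: infected host -> CnC domains in the malware
-> resolved IP addresses -> log search for other victims -> adversary.
Every domain, IP, hostname and registrant here is constructed; each finding
is recorded as a Diamond event (adversary, capability, infrastructure, victim).
"""
PATIENT_ZERO = "WS-EMP-01"                     # step 1: the reporting employee's computer
MALWARE_CNC_DOMAINS = ["update-check.example", "cdn-sync.example"]   # step 2
DNS_RESOLUTIONS = {                            # step 3: passive-DNS style records
    "update-check.example": {"198.51.100.7"},
    "cdn-sync.example": {"198.51.100.7", "198.51.100.9"},
    "www.example.com": {"192.0.2.50"},
}
CONN_LOG = [                                   # step 4: (src_host, dst_ip, dst_port)
    ("WS-EMP-01", "198.51.100.7", 443),
    ("WS-EMP-01", "192.0.2.50", 443),
    ("WS-FIN-12", "198.51.100.9", 443),
    ("SRV-PRINT", "192.0.2.50", 80),
]
IP_INTEL = {                                   # step 5: registration data for the IPs
    "198.51.100.7": "badactor-mail@example.invalid",
    "198.51.100.9": "badactor-mail@example.invalid",
    "192.0.2.50": "hostmaster@example.com",
}


def resolve_cnc(domains, resolutions):
    """Step 3: union of the IPs the CnC domains have resolved to."""
    ips = set()
    for d in domains:
        ips |= resolutions.get(d, set())
    return ips


def hosts_using_cnc(cnc_ips, conn_log):
    """Step 4: every internal host seen talking to a CnC address."""
    return sorted({src for src, dst, _port in conn_log if dst in cnc_ips})


def adversary_handles(cnc_ips, intel):
    """Step 5: registrant identities shared by the CnC infrastructure."""
    return sorted({intel[ip] for ip in cnc_ips if ip in intel})


def diamond_events(malware_name="constructed-sample"):
    """One Diamond event per victim: the four vertices filled from the pivot."""
    cnc_ips = resolve_cnc(MALWARE_CNC_DOMAINS, DNS_RESOLUTIONS)
    adversary = adversary_handles(cnc_ips, IP_INTEL)
    events = []
    for victim in hosts_using_cnc(cnc_ips, CONN_LOG):
        infra = sorted({dst for src, dst, _p in CONN_LOG
                        if src == victim and dst in cnc_ips})
        events.append({"adversary": adversary, "capability": malware_name,
                       "infrastructure": infra, "victim": victim})
    return events


def other_victims(events):
    """Victims found through the pivot other than the host that started it."""
    return [e["victim"] for e in events if e["victim"] != PATIENT_ZERO]
```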

The Diamond Model of Intrusion
The Diamond Model and the Cyber Kill Chain
▪ The example illustrates the process used by an adversary as they traverse the Cyber Kill Chain.
Kill chain stages shown alongside the events in the figure: Reconnaissance, Weaponization,
Delivery, Exploitation, Installation, C2, Action on Objectives.
1) Adversary conducts a web search for victim company Gadgets, Inc. receiving as part of the
results their domain gadgets.com.
2) Adversary searches “network administrator gadget.com” and discovers the network
administrators’ email addresses.
3) Adversary sends phishing emails with a Trojan horse attached to the network administrators.
4) One network administrator (NA1) opens the malicious attachment which executes the
enclosed exploit.
5) NA1’s host registers with a CnC controller by sending an HTTP Post message and receiving
an HTTP Response in return.
6) Analysis of the malware identifies additional backup IP addresses.
7) Through a CnC HTTP response message sent to NA1’s host, the malware begins to act as a
proxy for new TCP connections.

The Diamond Model of Intrusion
The Diamond Model and the Cyber Kill Chain (Cont.)
▪ The example illustrates the process used by an adversary as they traverse the Cyber Kill Chain.
Kill chain stages shown alongside the events in the figure: Reconnaissance, Weaponization,
Delivery, Exploitation, Installation, C2, Action on Objectives.
8) Through the proxy established on NA1’s host, Adversary does a web search for “most
important research ever” and finds Victim 2, Interesting Research Inc.
9) Adversary checks NA1’s email contact list for any contacts from Interesting Research Inc.
and discovers the contact for the Interesting Research Inc. Chief Research Officer.
10) Chief Research Officer of Interesting Research Inc. receives a spear-phish email from
Gadget Inc.’s NA1’s email address sent from NA1’s host with the same payload as observed
in Event 3.
The adversary now has two compromised victims from which additional attacks can be launched.

The VERIS Schema
What is the VERIS Schema?
▪ Vocabulary for Event Recording and Incident Sharing (VERIS) schema is a set of metrics to
describe security incidents in a structured way.
VERIS schema
▪ In the VERIS schema, risk is defined as the intersection of four landscapes of Threat,
Asset, Impact, and Control.
▪ Information from each landscape helps to understand the level of risk to the organization.
▪ VERIS helps to determine these landscapes using real security incidents to help risk
management assessment.

The VERIS Schema
Create a VERIS Record
▪ When creating records to add to the database, start with the
basic facts about the incident and use the VERIS elements
outlined by the community.
• The only required fields in the record are those where the attribute
is present.
• As more is known about the incident, data can be added.

▪ Additional information can be recorded by adding VERIS labels to the existing record.

The VERIS Schema
Top-Level and Second-Level Elements
▪ The VERIS Schema identifies five top-level elements, providing a different aspect of the incident.
• Each top-level element contains several second-level elements for classifying collected incident data.

▪ Impact Assessment – All incidents have an impact, whether it is minor or widespread,
which can only be determined after an incident has occurred.
▪ Discovery and Response – Identifies the timeline of events, the method of incident
discovery, and what the response was to the incident, including how it was remediated.
▪ Incident Description – Describes an incident completely, using the A4 threat model
developed by Verizon.
▪ Victim Demographics – Describes the organization that has experienced the incident and
its characteristics.
▪ Incident Tracking – Records general information about the incident so organizations can
identify, store, and retrieve incidents over time.

The VERIS Schema
The VERIS Community Database
▪ The VERIS Community Database
(VCDB) is a very useful shared
database for organizations willing to
participate.
• Organizations can submit security
incident details to the VCDB for the
community to use.
• The larger and more robust the VCDB
becomes, the more useful it will be in
prevention, detection, and remediation
of security incidents.
• It will also become a very useful tool
for risk management, saving
organizations data, time, effort, and
money.

