Let’s start with a story. In August of 2012 Toyota fired a programmer that worked on their part sourcing software but failed to revoke his access immediately. A few hours after the programmer was fired, he logged into Toyota systems and planted logic bombs that caused some functions of the application to fail. He also downloaded trade secrets presumably to take to the next company he went to work for. Toyota IT security said it would take days to figure out the extent of the damage from this programmers actions. Let’s tell another story. 2 months ago on the Verizon Security blog we put up a story about a man that outsourced his own job. How many people heard about that? A company decided to start proactively reviewing its log files and found weird VPN connections coming in from China using an employees credentials. The company used 2FA on VPN and the employee was in his cubicle. It turns out that this guy had hired a Chinese company to do his programming work for him, and he mailed his RSA token to them so they could log in. He just showed up and collected a check.Let’s talk about security incidents.
All of us have security incidents
And (almost) all of us are aware of that.
Large majority of us are trying to reduce the frequency and severity of security incidents by applying controls
But the majority of the majority is using ad-hoc processes and select controls based on gut instinct or blindly following checklists.
In fact, most organizations don’t document their security incidents either because they don’t know about them or because they lack the process maturity to do so.
Among organizations that do record security incidents, many times it is in the form of free form text. Most are not using a defined schema to capture consistent data.
85.3% of statistics are made up on the spot.
100% of the statistics I just shared are made up but …
Overall very few organizations are recording security incidents using a standard schema that is open to the public and suitable for performing data analysis and sharing anonymized incident information with other organizations.
That’s what we’re here to talk about. VERIS is an open framework which you can use to record information security incidents in a format suitable for data analysis and sharing.
In order to place controls, we need to make decisions. This is a representation of what we need to make security decisions. We need to have some model of how the world works, we need to have data, and we need to have a framework to support that data. Our model builds the framework, our framework fills the data, and the data helps us to re-evaluate our models.
The goal is to move ever closer to evidence-based risk management. Right now our models are based on gut instinct and so our controls are based on gut instinct. There’s nothing wrong with that to start with, but …
Few of us are gathering the data to re-evalute our model. The loop never gets closed up. The most common excuse that I hear for why we can’t move towards EBRM is that we don’t have the data to do so, and yet few of us are gathering data.
No data means that we’re uncertain. We don’t know how often bad things happen to us. We don’t know how bad those things hurt us. We don’t know if those bad things have anything in common.
But in addition to not having data, we also don’t have a framework to describe things. A framework that allows us to put information into buckets so that we can count it properly. A vocabulary that ensures that when I talk about an incident you understand what I mean.
VERIS is our attempt to solve the framework piece of the puzzle.
We use VERIS to collect data about security incidents that we investigate and we use that to produce the Verizon Data Breach Investigations Report
Our analysis of a sample - of information security incidents that resulted in a loss of control of non public data - significant enough to ask for outside professional assistance.This is a sample of facts, we investigate these incidents
For those who may not know what the DBIR is…Emphasize the large number of partners this year (was 5 last year), and that they span prublic-private and international boundaries. We do this to widen the perspective of the report, reduce bias, and make the dataset as representative as we can of “what’s really going on out there.” If you’re talking to an org that might make a good partner, offer them the opportunity. We can follow up with more info.
Talk about the four A’s here
Even our so-called “highly adaptive adversaries” exhibit very clear patterns in their motives and methods. This is extremely important to grasp and leverage for securing our organizations.
Wrapping some analysis and wording around those frequency-based patterns yields this. In many ways, Table 1 summarizes the 2013 DBIR. The rest of the report puts a lot more #s and %s around these points, but the basic actor-focused approach exhibited here is the way we decided to organize our findings this year. And that makes sense. In analyzing the complex dataset we received for this report, we noticed a very strong correlation among the motives, methods, etc of different groups of threat actors.
This gives a more detailed view of the most common threat actions. It’s quite interesting that physical tampering (mostly ATM skimming) is the most common. Highlight that some actions are mostly used in financial crimes, others in espionage, some fairly equal in both. Some differences in large v small orgs.
This pulls out just “hacking” actions – those used to gain unauthorized network/system access. Main point is to show the large percentage of attacks that tie back to weak or stolen credentials. 4 of 5 intrusions trace back to this.
This is very similar to previous years.
Similar to previous years, except that “unrelated party” is at the top. Suggest reading the report to understand what that’s about.
You can do this too, and you might be able to do it better than we can.Gasp! Let’s do that as an exerciseCustomizationSampling BiasNear Misses
Customization. You can answer your own questions that Verizon is not going to answer for you
This is an area that we do not have a lot of insight into right now. You probably have better data about this than we do.
Remember these three guys? Let’s VERISize this case.Is the actor Internal, External or Partner?What is the motivation of the actor? [espionage, fear, financial, fun, grudge, ideology]What is the role of the actor in this incident? [malicious, inappropriate, indirect, unintentional]
What actions were present in this incident [Malware, Hacking, Social, Misuse, Error, Physical, Environmental]
One common objection we hear about sharing incident data is that it is not real-time or tactical for defense. You won’t be able to use the information in VERIS to update your firewall black list. Some people feel then that the information is VERIS is less valuable. Tactical intel (what you can change right now) is surely part of the solution – BUT –It would be foolish to ignore or downplay the fact that we’re still having the same problems from 5, 10, 20 years ago and don’t seem to be learning our lesson. The DBIR tells us year after year “brute force attacks, social engineering, and malware.” Most orgs can’t answer “what are the top attacks against your organization in the last year” with any quantitative rigor. They fall back to anecdote and media regurgitation.
How to VERISize v2 - BSidesQuebec2013
Getting Started with VERIS
Risk and Intelligence Researcher,
Verizon RISK Team
Risk Management: Operating Model
“The difference between the
amount of information required to
perform the task and the amount
of information already possessed
by the organization.”
Galbraith, J. Organization Design, Addison-Wesley, Reading, MA, 1977.
The DBIR is an ongoing study that analyzes forensic evidence to uncover
how sensitive data is stolen from organizations, who’s doing it, why
they’re doing it, and what might be done to prevent it.
- 2013 DBIR 19 global contributors
47,000+ security incidents
621 confirmed data breaches
Methodology: Data Collection and
DBIR participants use the
Vocabulary for Event
Recording and Incident
Sharing (VERIS) framework
to collect and
Enables case data to be
shared anonymously to
RISK Team for analysis
VERIS is a (open and free) set of metrics designed to provide a common language
for describing security incidents (or threats) in a structured and repeatable
(i.e. you can do this too)
How VERIS works
“An external attacker sends a phishing email
that successfully lures an executive to open
an attachment. Once executed, malware is
installed on the exec’s laptop, creating a
backdoor. The attacker then accesses the
laptop via the backdoor, viewing email and
other sensitive data. The attacker then finds
and accesses a mapped file server that an
internal admin failed to properly secure
during the build/deployment process. This
results in intellectual property being stolen
from the server…”
VERIS takes this and…
• Company industry
• Company size
• Geographic location
• of business unit in incident
• Size of security
A4 event model
– What acts against us
– What the agent does to the
– What the agent acts against
– The result of the agent’s action
against the asset
A4 event model
The series of events (a4) creates an “attack model”
A security INCIDENT is a series of EVENTS that adversely affect the
information assets of an organization. Every event is comprised of the
Type: Organized criminal group
Type: SQL injection
Path: Web application
Platform: Acme Server 2008
Data: Payment card data
1> 2> 3> 4 > 5
Discovery & Mitigation
• Incident timeline
• Discovery method
• Evidence sources
• Control capability
• Corrective action
Most straightforward manner in which the incident
could be prevented
The cost of preventative controls
• Impact categorization
– Sources of Impact (direct, indirect)
– Similar to ISO 27005/FAIR
• Impact estimation
– Distribution for amount of impact
• Impact qualification
– Relative impact rating
Build your understanding
• Go to http://veriscommunity.net for full
details of the framework.
• While you’re at http://veriscommunity.net
join the VERIS mailing list.
• You can ask questions about the framework
and specific questions about how to
Build your collector
• People, this is just a survey!
– Use any of the millions of online survey websites
to make your collector.
– Build this thing in Sharepoint and add a workflow