Incident Tracking
with VERIS
Judy Nowak, GCIH, CISSP
Cyber Security Consultant, Scalar
About Me
Formerly
• Forensic investigator
• Forensic consultant
• Security analyst
Current
• I cannot be a hacker…
Opinions are my own!
Is there a tool for this?
(Me)
How does one implement the VERIS framework?
Application at an organizational level. Security incidents, not IT incidents.
Incident Tracking & VERIS
• Introduction
• Integration with IT ticketing tool
• Custom
• Manual
Why does incident tracking matter?
But before I can answer that question… currently:
Incident Response = FAIL
Why?
1. Lack of detection
2. Lack of structured response
Why does incident tracking matter?
• What happened?
• How can I make this better?
• What people, processes & tools do I need to improve?
Because…
• When used with classifications, it can aid detection & structured response.
• When implemented correctly, it helps guide the flow of incidents.
• It gives an audit trail of event(s) for breach notification or legal requirements.
• Its metrics help make better decisions.
Why does incident tracking matter? More specifically…
What is VERIS? Why use it?
What is VERIS?
• Vocabulary for Event Recording & Incident Sharing.
• Helps describe incidents.
• Open-source framework created by Verizon, published at http://veriscommunity.net/
• Developed to help share incidents anonymously & responsibly.
• Large data sets of breach data (VERIS Community Database – VCDB) are available.
Why use VERIS?
• Someone has done the hard work of figuring out incident handling specs.
• It can help you determine what to look for (detection).
• It can help with incident structure (handling).
• It can help with producing consistent & repeatable data.
VERIS – Vocabulary for Event Recording & Incident Sharing
Common language to help describe security incidents.
Risk, described by the four A's:
• Actor (Who)
• Action (What)
• Asset (Which)
• Attribute (How)
VERIS Taxonomy High-Level (simplified version)
Actor
• Actor.Variety: External, Internal, Partner
• Actor.Motive: Financial, Fear, Fun, Shame, Political Adv
Action
• Action.Variety: Social, Malware, Physical, Error, Hacking, Misuse, Environmental
Attribute
• Confidentiality, Availability, Integrity
Asset
• Asset.Variety: Server, Network, People, Media, Device
• Asset.Owner: Employee, Partner, Customer
• Asset.Mgmt: Internal, External
• Asset.Hosting: Internal, Ext shared
• Asset.Cloud: Hypervisor, Partner App
• Asset.Accessib: Internal, External, Isolated
VERIS can be used as a classification scheme for incidents
ACTION category and examples:
• Social: Phishing, scams
• Malware: Ransomware, rootkits
• Hacking: Use of stolen credentials, use of backdoor, DoS, XSS
• Misuse: Email misuse, privilege abuse
• Physical: Assault, tampering
• Error: Misconfiguration, unpatched systems
• Environmental: Floods, fire
How does VERIS classification work?
Example: Malware
• What type is it? Malware.Variety: Rootkit, RAM Scraper, Keylogger, Worm, Trojan, Backdoor, Adware, Downloader
• How did it get in? Malware.Vector: Direct Install, Download by malware, Email Link, Email Attachment, Instant Messaging, Network Propagation, Removable Media, Web Download
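As an added example (not part of the talk and not the VERIS project's own tooling), here is a phishing-plus-Trojan incident encoded as a nested actor/action/asset/attribute record and checked against a controlled vocabulary. The key layout is modelled on the VERIS JSON layout; the allowed values are the ones printed on the slides above, so spellings may differ from the published schema enumerations. The incident, its asset names and the `validate`/`a4_summary` helpers are constructed for illustration.

```python
"""Encode an incident as a VERIS-style record and validate its
classification against a controlled vocabulary.

Added example; not code from the talk or from the VERIS project. The
nested layout (actor / action / asset / attribute) is modelled on the
VERIS JSON schema, but the allowed values below are the ones printed on
the slides (simplified), so spellings may differ from the published
schema enumerations.
"""
from __future__ import annotations

# Controlled vocabulary taken from the slides (simplified version).
VOCAB: dict[str, set[str]] = {
    "actor.variety": {"External", "Internal", "Partner"},
    "actor.motive": {"Financial", "Fear", "Fun", "Shame", "Political Adv"},
    "action.variety": {"Social", "Malware", "Physical", "Error",
                       "Hacking", "Misuse", "Environmental"},
    "action.Malware.variety": {"Rootkit", "RAM Scraper", "Keylogger", "Worm",
                               "Trojan", "Backdoor", "Adware", "Downloader"},
    "action.Malware.vector": {"Direct Install", "Download by malware",
                              "Email Link", "Email Attachment",
                              "Instant Messaging", "Network Propagation",
                              "Removable Media", "Web Download"},
    "asset.variety": {"Server", "Network", "People", "Media", "Device"},
    "attribute": {"Confidentiality", "Integrity", "Availability"},
}


def _check(errors: list[str], field: str, values) -> None:
    """Append an error for every value not in the vocabulary for `field`."""
    allowed = VOCAB[field]
    for v in values:
        if v not in allowed:
            errors.append(f"{field}: {v!r} not in {sorted(allowed)}")


def validate(record: dict) -> list[str]:
    """Return vocabulary violations; an empty list means the record is
    consistently classified and safe to count in metrics."""
    errors: list[str] = []
    _check(errors, "actor.variety", record["actor"].get("variety", []))
    _check(errors, "actor.motive", record["actor"].get("motive", []))
    for category, detail in record["action"].items():
        _check(errors, "action.variety", [category])
        # Only Malware has an enumerated variety/vector on the slides;
        # other categories carry free text in `detail` and are not checked.
        for sub in ("variety", "vector"):
            key = f"action.{category}.{sub}"
            if key in VOCAB:
                _check(errors, key, detail.get(sub, []))
    _check(errors, "asset.variety",
           [a["variety"] for a in record["asset"]["assets"]])
    _check(errors, "attribute", record["attribute"].keys())
    return errors


def a4_summary(record: dict) -> str:
    """One-line 'who did what to which asset, affecting how' summary."""
    who = "/".join(record["actor"].get("variety", ["Unknown"]))
    what = ", ".join(record["action"])
    which = ", ".join(a["variety"] for a in record["asset"]["assets"])
    how = ", ".join(record["attribute"])
    return f"{who} actor | {what} | {which} | {how}"


# Constructed sample: a phishing email whose attachment installed a Trojan
# on a desktop. The asset name is invented, not a real host.
INCIDENT = {
    "incident_id": "INC-2016-0001",
    "summary": "Phishing email with attachment installed a Trojan on a desktop",
    "actor": {"variety": ["External"], "motive": ["Financial"]},
    "action": {
        "Social": {"variety": ["Phishing"], "vector": ["Email"]},
        "Malware": {"variety": ["Trojan"], "vector": ["Email Attachment"]},
    },
    "asset": {"assets": [{"variety": "Device", "name": "TOR-WS-042"},
                         {"variety": "People", "name": "end user"}]},
    "attribute": {"Integrity": {"note": "software installed"},
                  "Confidentiality": {"note": "credentials possibly captured"}},
}

# The same incident typed from free text: two spellings the vocabulary rejects.
SLOPPY = {
    **INCIDENT,
    "action": {"Malware": {"variety": ["Trojen"], "vector": ["E-mail attachment"]}},
}

if __name__ == "__main__":
    print(a4_summary(INCIDENT))
    print("clean record errors:", validate(INCIDENT))
    for e in validate(SLOPPY):
        print("sloppy record:", e)
```

The point of the vocabulary check is the "consistent & repeatable data" bullet above: a handler typing "Trojen" or "E-mail attachment" into a free-text ticket field silently fragments every later count, whereas a record that fails `validate` never makes it into the metrics.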
What other taxonomy is there?
VERIS
• Best for organizational level application
• Best for IT ticketing tool integration
• No commercial tools available
VERSUS (the compared taxonomy is not named in the slide text)
• Arose out of VERIS
• Applied at low-level technical end-point solutions only.
• Integrated into many commercial tools (e.g. Bromium, eCat, threat feeds).
Incident Tracking – IT Ticketing Tools
• They do not track security incidents!
• But who you gonna call if you get a weird email? The IT helpdesk!
Incident Tracking – IT incidents + Security Incidents in a Ticketing Tool?
Incident Tracking – Integration with IT Ticketing Tools?
• IT ticketing tools do not play nice with security incidents!
• Customization is painful, and/or requires programming/re-architecting of the application.
I have tried… (because free demos)…
Incident Tracking – Custom
Example: https://incident.veriscommunity.net/s3/example
Incident Tracking – Custom
1. Keep it simple. Ideally one page!
2. Things you need to have on there:
• Unique identifier
• Incident name/description
• Incident location
• Date of notification, actual date
• Name of handler (or IT person)
• Comments
3. Classify using VERIS!
ACTOR
* Who?
* Actor details
ACTION
* What? (malware, social, physical)
* Action details (adware, worm)
* Vector (email, attachment)
ATTRIBUTE
* What was compromised? (CIA)
* Details (maid with a candlestick?)
ASSET
* Which asset category? (server, people, user device)
* Which asset type? (email server)
* Which asset name? (TOR_EM_01)
* Who owns it?
* Who manages it?
* Who hosts it?
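To make the one-page form concrete, here is an added example (not from the talk, and not VERIS project code) of the form as a Python dataclass carrying the fields listed above, a sequential unique identifier, a JSON audit-trail record, and the two metrics the earlier slides call for: counts by action category and the lag between the actual date and the date of notification. The record contents, hostnames and handler names are constructed, and `Incident`, `next_id` and `metrics` are names chosen here, not VERIS ones.

```python
"""One-page incident tracking record with VERIS classification, plus the
metrics the talk says tracking should give you.

Added example; not code from the talk or from the VERIS project. Field
names follow the 'things you need to have on there' list on the slide;
the VERIS classification is kept as plain strings in this toy form.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import asdict, dataclass, field
from datetime import date
from statistics import median


@dataclass
class Incident:
    incident_id: str            # unique identifier
    name: str                   # incident name / description
    location: str               # incident location
    date_actual: date           # when it actually happened
    date_notified: date         # when the handler was notified
    handler: str                # name of handler (or IT person)
    # VERIS classification (the four A's)
    actor: str                  # who: External / Internal / Partner
    action: str                 # what: Social / Malware / Hacking / ...
    action_detail: str = ""     # e.g. Trojan, privilege abuse
    vector: str = ""            # e.g. Email Attachment
    attribute: str = ""         # Confidentiality / Integrity / Availability
    asset_category: str = ""    # Server / Network / People / Media / Device
    asset_type: str = ""        # e.g. email server
    asset_name: str = ""        # e.g. TOR_EM_01
    asset_owner: str = ""
    asset_manager: str = ""
    asset_host: str = ""
    comments: list[str] = field(default_factory=list)

    def detection_lag_days(self) -> int:
        """Days between the incident happening and someone being told."""
        return (self.date_notified - self.date_actual).days

    def to_json(self) -> str:
        """Audit-trail record; dates are serialised as ISO-8601 strings."""
        return json.dumps(asdict(self), default=str, sort_keys=True)


def next_id(existing: list[Incident], year: int) -> str:
    """Sequential unique identifier of the form INC-<year>-<nnnn>."""
    n = sum(1 for i in existing if i.incident_id.startswith(f"INC-{year}-"))
    return f"INC-{year}-{n + 1:04d}"


def metrics(incidents: list[Incident]) -> dict:
    """Counts by action and attribute plus the detection lag: the numbers
    that show whether detection or structured response is the weak point."""
    return {
        "by_action": dict(Counter(i.action for i in incidents)),
        "by_attribute": dict(Counter(i.attribute for i in incidents)),
        "median_lag_days": median(i.detection_lag_days() for i in incidents),
        "worst_lag": max(incidents, key=Incident.detection_lag_days).incident_id,
    }


# Constructed sample records (hostnames, people and dates are invented).
LOG: list[Incident] = []
LOG.append(Incident(next_id(LOG, 2016), "Phishing email with Trojan attachment",
                    "Toronto", date(2016, 5, 2), date(2016, 5, 2), "J. Handler",
                    actor="External", action="Social", action_detail="Phishing",
                    vector="Email Attachment", attribute="Integrity",
                    asset_category="People", asset_type="end user",
                    asset_name="user-1234"))
LOG.append(Incident(next_id(LOG, 2016), "Former contractor used old VPN account",
                    "Toronto", date(2016, 4, 20), date(2016, 5, 10), "J. Handler",
                    actor="Partner", action="Misuse", action_detail="privilege abuse",
                    vector="VPN", attribute="Confidentiality",
                    asset_category="Server", asset_type="file server",
                    asset_name="TOR_FS_03", asset_owner="Finance",
                    asset_manager="IT Ops", asset_host="internal"))
LOG.append(Incident(next_id(LOG, 2016), "Mail server outage from ransomware",
                    "Toronto", date(2016, 6, 1), date(2016, 6, 1), "A. Analyst",
                    actor="External", action="Malware", action_detail="Ransomware",
                    vector="Email Link", attribute="Availability",
                    asset_category="Server", asset_type="email server",
                    asset_name="TOR_EM_01"))

if __name__ == "__main__":
    for inc in LOG:
        print(inc.to_json())
    print(metrics(LOG))
```

Every field stays a string so the form really is one page, and the three constructed records are enough to show the kind of decision the metrics support: the lag is zero for the two incidents users reported, and twenty days for the misuse case nobody was watching for, which is a detection gap rather than a response gap.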
Incident Tracking - Manual
Conclusion
• Overall, VERIS implementation is not easy. No commercial tools are available.
• Manual implementation is possible, but not scalable.
• To track security incidents properly, integration with IT ticketing tools is required.
• Integration with IT tools requires programming & re-architecting of software, unless… you create a custom solution.
Q&A

BSidesTO 2016 - Incident Tracking
