This field would record if an internal actor has recently been hired, fired, promoted, or demoted. Passed over for a promotion might be good to have in that enumeration as well. @whbaker is going to dig up a previous enumeration that had similar variables for us to look at.

Right now we have a fair number of incidents in the VERIS Community Database that have a notes field present but nothing in the notes field. Generally I don't like to include a field unless it has some information in it. So I would like to update the schema so that when a notes field is present the minimum length of the string is one. That way any empty notes fields will be caught and we can fix them.

Any objection to doing that?

The plus object in the json schema does not have any type defined, which causes issues on schema validation. I believe type: ["object", "any"] is the appropriate way of defining this branch.

Right now when source code is stolen we code that up as Trade Secrets. After discussing the matter it seems like source code is worth calling out because it happens frequently enough that it might warrant it's own value in the enumeration, it may be distorting the view of other trade secret theft, and because source code is a type of data asset which has the ability to further an attack in a different way.

In the 1.2.1 schema it is difficult to model an incident where an actor attacks a site and gain access only for the purpose of furthering an attack on a different target. A real-world example would be any of the strategic web compromises that FireEye has put on it's blog in 2013. http://www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html

Right now we are proposing adding a field to the schema with a name like "secondary objective" which would hold an enumeration of sub-reasons why this site was hit.

At first we were thinking of just adding an actor motive of "furthering another attack" but we worry that doing that would blur the lines and make it harder to identify that this was an espionage attack, it just wasn't the primary target. We also considered having a boolean field that would just be a yes/no about whether this attack was being done to further a different attack.

Currently the convert1_3.py script will replace the source json file. It'd be nice to allow a different destination location so the original 1.2.1 files are not overwritten during conversion. This isn't a huge priority as it's a one shot deal and easily worked around.

VCDB now has it's own repo

This is a change more to the validation scripts, rather than a change to the schema since the schema already allows for strings in the victim.industry field.

We sometimes run into incidents where we know the victim was manufacturing but we don't know any more detail than that. So should the naics code be 31, 32, or 33? We will now allow putting in "31-33" if the victim is an unknown manufacturer, "44-45" for retail unspecified, and "48-49" for transportation unspecified.

Pass-the-hash or Pass the hash?

I cloned the repository on my laptop running 10.8.2, installed simplejson using pip and tried to execute json2csv.py but received an error:

$ python json2csv.py
../vcdb/hhs_osint00001.json
    running with label:
    trying to parse impact
    running with label: impact
    trying to parse impact.overall_rating
        simply assigning: impact.overall_rating to Unknown
    trying to parse incident_id
        simply assigning: incident_id to hhs_osint00001
    trying to parse attribute
    running with label: attribute
    trying to parse attribute.confidentiality
    running with label: attribute.confidentiality
    trying to parse attribute.confidentiality.data
    trying to parse attribute.confidentiality.data
    running with label: attribute.confidentiality.data
    trying to parse attribute.confidentiality.data.amount
        simply assigning: attribute.confidentiality.data.amount to 506 (int)
    trying to parse attribute.confidentiality.data.variety
        simply assigning: attribute.confidentiality.data.variety to Medical
    trying to parse attribute.confidentiality.data_total
        simply assigning: attribute.confidentiality.data_total to 506 (int)
    trying to parse attribute.confidentiality.data_disclosure
        simply assigning: attribute.confidentiality.data_disclosure to Yes
    trying to parse discovery_method
        simply assigning: discovery_method to Unknown
    trying to parse schema_version
        simply assigning: schema_version to 1.2
    trying to parse action
    running with label: action
    trying to parse action.hacking
    running with label: action.hacking
    trying to parse action.hacking.vector
    trying to parse action.hacking.vector
        simply assigning: action.hacking.vector to Unknown
    trying to parse action.hacking.variety
    trying to parse action.hacking.variety
        simply assigning: action.hacking.variety to Unknown
    trying to parse security_incident
        simply assigning: security_incident to Confirmed
    trying to parse plus
    running with label: plus
    trying to parse plus.master_id
        simply assigning: plus.master_id to hhs_osint00001
    trying to parse actor
    running with label: actor
    trying to parse actor.external
    running with label: actor.external
    trying to parse actor.external.motive
    trying to parse actor.external.motive
        simply assigning: actor.external.motive to Unknown
    trying to parse actor.external.country
    trying to parse actor.external.country
        simply assigning: actor.external.country to Unknown
    trying to parse actor.external.variety
    trying to parse actor.external.variety
        simply assigning: actor.external.variety to Unknown
    trying to parse victim
    trying to parse victim
    running with label: victim
    trying to parse victim.victim_id
        simply assigning: victim.victim_id to Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan
    trying to parse victim.industry
        simply assigning: victim.industry to 525120
    trying to parse victim.country
        simply assigning: victim.country to US
    trying to parse victim.employee_count
        simply assigning: victim.employee_count to 1 to 10
    trying to parse victim.state
        simply assigning: victim.state to In
    trying to parse timeline
    running with label: timeline
    trying to parse timeline.incident
    running with label: timeline.incident
    trying to parse timeline.incident.year
        simply assigning: timeline.incident.year to 2011 (int)
    trying to parse timeline.incident.day
        simply assigning: timeline.incident.day to 9 (int)
    trying to parse timeline.incident.month
        simply assigning: timeline.incident.month to 8 (int)
    trying to parse timeline.discovery
    running with label: timeline.discovery
    trying to parse timeline.discovery.unit
        simply assigning: timeline.discovery.unit to Unknown
    trying to parse source_id
        simply assigning: source_id to hhs
    trying to parse asset
    running with label: asset
    trying to parse asset.assets
    trying to parse asset.assets
    running with label: asset.assets
    trying to parse asset.assets.variety
        simply assigning: asset.assets.variety to S - Other
    output returned has 29 items
{'victim.industry': '525120', 'attribute': 'Confidentiality', 'attribute.confidentiality.data_disclosure': 'Yes', 'timeline.incident.month': 8, 'schema_version': '1.2', 'victim.victim_id': 'Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan', 'victim.state': 'In', 'impact.overall_rating': 'Unknown', 'discovery_method': 'Unknown', 'timeline.incident.year': 2011, 'actor': 'External', 'actor.external.variety': 'Unknown', 'plus.master_id': 'hhs_osint00001', 'action.hacking.vector': 'Unknown', 'actor.external.country': 'Unknown', 'attribute.confidentiality.data_total': 506, 'timeline.discovery.unit': 'Unknown', 'actor.external.motive': 'Unknown', 'source_id': 'hhs', 'attribute.confidentiality.data.variety': 'Medical', 'asset.assets.variety': 'S - Other', 'action.hacking.variety': 'Unknown', 'victim.employee_count': '1 to 10', 'incident_id': 'hhs_osint00001', 'timeline.incident.day': 9, 'security_incident': 'Confirmed', 'action': 'Hacking', 'victim.country': 'US', 'attribute.confidentiality.data.amount': 506}
        0 combinations: 1
    -> not length of localnames, dumping as is
Traceback (most recent call last):
  File "json2csv.py", line 142, in <module>
    recursive(output, keylist)
  File "json2csv.py", line 85, in recursive
    writer.writerow(alldata)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/csv.py", line 148, in writerow
    return self.writer.writerow(self._dict_to_list(rowdict))
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/csv.py", line 144, in _dict_to_list
    ", ".join(wrong_fields))
ValueError: dict contains fields not in fieldnames: victim.industry, attribute, attribute.confidentiality.data_disclosure, timeline.incident.month, schema_version, victim.victim_id, victim.state, impact.overall_rating, discovery_method, timeline.incident.year, actor, actor.external.variety, plus.master_id, action.hacking.vector, actor.external.country, attribute.confidentiality.data_total, timeline.discovery.unit, actor.external.motive, source_id, attribute.confidentiality.data.variety, asset.assets.variety, action.hacking.variety, victim.employee_count, incident_id, timeline.incident.day, security_incident, action, victim.country, attribute.confidentiality.data.amount

Need to decide on a proper name, but we want to have a way to model that malware was installed on a machine through the use of a software update server. In other words, an actor gained access to something like Microsoft System Center or Lumenion's product and used it to push malware to the endpoints. A real-world example is Operation Troy from March of 2013. https://blogs.mcafee.com/mcafee-labs/dissecting-operation-troy-cyberespionage-in-south-korea

Because sabotage is a loaded word that implies insider even though that isn't always accurate.

Oh my God, it's a mirage! I'm telling y'all it's sabotage!

I have seen a couple incidents where this might still be the best choice for discovery method.

For example, there was an incident where an insider was taking photographs of credit cards for ID theft purposes. The incident was reported to the victim company by the manager at the photo development place to which she took the photos for printing.

Another incident involved documents that were published to the website that had sensitive information in them. A concerned member of the community reported the publishing error to the victim organization.

We have so many website defacements and right now we model that by indicating an integrity loss variety of "modify data." We think that we can model a defacement more clearly by giving defacement it's own variable in the enumeration.

The current wording can be a bit confusing because we don't like to think of IT people as users. This makes it clear that it was reported by an employee that saw something odd.

We will add an array to the schema for strings that are used to identify the actor. Sometimes multiple actor names are given so we wanted to have an array rather than a string here. e.g. actor.name = ['Angry Dragon','DragonBall','Bob McCracken']

RENAME physical.location to physical.vector and remove what is currently
physical.vector. Then we should add some enumerations to physical.variety
to reflect what is currently in vector.

When finished there will be one fewer subfields in the physical action

Campaign_id will hold a guid or some unique identifier to indicate that several incidents were part of the same campaign. @whbaker was going to find some definition of a campaign that he saw somewhere and share it with us.

We use Misappropriation to indicate that an attacker made use of an asset for something that it wasn't intended for. For example, installing malware on a machine to participate in a Distributed Denial of Service attack. However, to many people the word misappropriation means that money was stolen. To make the intended purpose more clear, we are going to rename Misappropriation to Repurpose to indicate than an asset has been repurposed by an attacker.

Specifically, the schema should have a $shema property to indicate if it has been written to conform with Draft3 or Draft4.

Also, every array in the schema should have minItems set to 1 so that a validator will not allow empty arrays.

Finally, every array should have unique set to true so that an array may not contain more than one of the same value

Digital certificates

The word embezzlement is another loaded term that people often think only has to do with money and so it doesn't always get marked when it should. It follows that we also get incidents where money was stolen and so embezzlement gets selected even though that might not be appropriate to describe the computer security incident.

To make things more clear, we want to rename attribute.integrity.Embezzlement to "Possession abuse"

We decided in our meeting that we wanted to add some enumerations to reflect when an organization learns about a breach from a partner rather than an external party.

Prt - monitoring service
Prt - audit
Prt - antivirus
Prt - incident response
Prt - Unknown
Prt - Other
Ext - incident response
Ext - found documents
Ext - suspicious traffic
Ext - emergency response team
Int - data loss prevention

The key point in deciding whether the notification came from a partner versus an external party is whether or not there was some business arrangement with the group doing the notification. So if a customer of Verizon's Managed Security Service was notified by Verizon of malware activity that would be Prt - Monitoring service. However, if Verizon were investigating a case and discovered some other victim that had no business relationship with Verizon then the notification would be Ext - Unrelated.

That way we can properly model when the affected assets are in multiple countries

From veriscommunity.net:

VERIS uses WASC's Threat Classification as a baseline for this list; descriptions of these attacks can be found there. We have considered incorporating or allowing other attack classifications (e.g., CAPEC), and would appreciate feedback from the community on this.

I agree that we should consider importing the CAPEC dictionary for use here. It allows for better alignment with the STIX/TAXII stack and is far more comprehensive, at the cost of a much larger set here (perhaps we could avoid some child nodes below a certain depth).

Alternately, it might be worth mapping our (and WASC's) enumerations to that standard.

Right now, we have several "characteristics" that add context around assets: accessibility, ownership, management, hosting, and cloud. While these things can be determined when there's a forensics investigation, most users/use cases of VERIS don't use these fields. Given that, and since we'd like to simplify VERIS where possible, I propose an approach that simplifies and combines some of these into one field.

To me, the real research questions driving us to collect all those (or try) is that we (and others) are concerned that 3rd parties place our assets at risk in various ways. Furthermore, we care less about the simple fact of whether an asset was externally or internally hosted as much as we care whether that fact contributed to the incident.

How about one "asset.governance" field that includes appropriate enums from these separate field?

Suggested enum (array) for "asset.governance" combining accessibility, ownership, management, hosting:

Personally owned
Externally owned
Externally managed
Externally hosted
Internally isolated
Unknown
Not collected

Question: is "externally" the right descriptor here? Would "3rd party" be better?
I'm not sure we can fit the cloud options in here, but someone feel free to suggest that.

We already have a malware vector for software update where a compromised server that is trusted by a workstation sends malware. However, we might also need an asset variety to cover the compromised server. I would like to propose adding "S - Configuration management" to the asset enumeration to cover incidents like this one: http://classic.slashdot.org/story/14/05/17/051214

So we can model that some of the data was stored encrypted and some of it was stored unencrypted.

Should we add a value of Not collected to all of our enumerations so we can differentiate between stuff that we don't know and stuff that we didn't even try to collect.

Right now there is no field to explain the discovery classification.

Right now we have some variables that we collect in the plus section such as plus.attribute.confidentiality.. We have found some instances where these variables were set even though the incident did not have a confidentiality attribute affected.

Script should check if incident.plus.attribute.confidentiality is present. Then check if incident.attribute.confidentiality is present. Raise error if not present

We talked about having an enumeration for when someone uses a hand-held skimming device vs. when they actually tamper with a machine like in ATM skimming.

Remember, we added "Possession abuse" as a misuse variety, so I think that using "Posession abuse" and "Tampering"

The schema indicates that asset.country should be a list but does not indicate a list of what. That needs to be changed so that asset.country is a list of strings. Thanks to @davidski for pointing that out.

Sometimes we know that a victim was in Asia but we do not know the specific country. We wanted to add a field that would allow us to capture what we do know. The proposal is to create a six digit string which combines the United Nations region codes (http://unstats.un.org/unsd/methods/m49/m49regin.htm). So, for example, If we knew that an incident happened in Africa, the code would be 002000. If we knew that it was North Africa then the code would be 002015.

One big advantage to doing it this way is that the UN has already created a list of countries and which region and subregion codes they belong to. If we were to create our own list we would have to do that work ourselves. Yuck.

I think we might have discussed and dismissed this, but we should reconsider. We have quite a few instances when company A is hacked and data from company B is compromised. Since 3rd party risk is an important issue and many are interested, this supports an important research question - How often do incidents compromise partner data stored on the victim's systems?

Right now we're using S - Other whenever we know that a server was compromised but we don't know what kind of sever. It would be better to use S - Unknown for this situation and use S - Other when we know what kind of server it was and it is something that we don't have a variable for in the enumeration.

The enumeration will still be hacking.vector.partner but we will change the label to indicate that we use this for when a partner's credentials are stolen and used to attack the victim.

The word audit implies that a formal inspection of controls and log files was being done. Often times something much less formal is done which results in discovery.

convert-1.2.py uses country_to_code.json to convert country names to the correct two letter codes. The script converts pre-1.2 VERIS files containing "United States of America" to "United States" before doing the lookup, but the country-to-code.json file contains "United States of America" and not "United States". This causes all conversion for US entries to fail

Swapping those values around in convert-1.2.py allows the run to complete.

Example is a skimmer discovered by routine checkup of ATM. Applies to systems/apps as well.

We would make the label "Virtual currency, including crypto currencies." This is to help us model incidents where bitcoins are stolen or even in-game currency that can be used to purchase virtual stuff.

Maybe we just leave it blank instead, but there is no obvious option to select when info belonging to the compromised org was stolen (eg, internal documents).

See https://gist.github.com/blackfist/9672061

So we can model when a victim has assets that are affected in multiple countries.

Right now the checkValidity script does not do any checking of the plus section because that is the area where organizations are invited to put whatever they want. However, and organization may want to validate what they put into the plus section.

The checkValidity script should be updated so that you can specify a file that contains a json schema for the plus section which will be validated along with the rest of the incident.