Kevin Thompson edited this page Jun 3, 2014 · 15 revisions

Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident has at least one, but most will comprise multiple actions (and often across multiple categories). VERIS uses 7 primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental.

Malware

Malware is any malicious software, script, or code run on a device that alters its state or function without the owner’s informed consent. Examples include viruses, worms, spyware, keyloggers, backdoors, etc.

VERIS version 1.3 defines the following variables for malware actions:

Hacking

Hacking is defined within VERIS as all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms. Includes brute force, SQL injection, cryptanalysis, denial of service attacks, etc.

VERIS classification note: There is an action category for Hacking and for Misuse. Both can utilize similar vectors and achieve similar results; in Misuse, the actor was granted access/privileges (and used them inappropriately), whereas with Hacking, access/privileges are obtained illegitimately.

VERIS version 1.3 defines the following variables for hacking actions:

Social

Social tactics employ deception, manipulation, intimidation, etc. to exploit the human element, or users, of information assets. Includes pretexting, phishing, blackmail, threats, scams, etc.

VERIS version 1.3 defines the following variables for social actions:

Misuse

Misuse is defined as the use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended. Includes administrative abuse, use policy violations, use of non-approved assets, etc. These actions can be malicious or non-malicious in nature. Misuse is exclusive to parties that enjoy a degree of trust from the organization, such as insiders and partners.

VERIS classification note: There is an action category for Hacking and for Misuse. Both can utilize similar vectors and achieve similar results; in Misuse, the actor was granted access/privileges (and used them inappropriately), whereas with Hacking, access/privileges are obtained illegitimately.

VERIS version 1.3 defines the following variables for misuse actions:

Physical

Physical actions encompass deliberate threats that involve proximity, possession, or force. Includes theft, tampering, snooping, sabotage, local device access, assault, etc.

VERIS classification note: Natural hazards and power failures are often classified under physical threats. We include such events in the Environmental category and restrict the Physical category to intentional actions perpetrated by a human actor. This is done for several reasons, including the assessment of threat frequency and the alignment of controls.

VERIS version 1.3 defines the following variables for physical actions:

Error

Error broadly encompasses anything done (or left undone) incorrectly or inadvertently. Includes omissions, misconfigurations, programming errors, trips and spills, malfunctions, etc. It does NOT include something done (or left undone) intentionally or by default that later proves to be unwise or inadequate.

VERIS version 1.3 defines the following variables for error actions:

Environmental

The Environmental category not only includes natural events such as earthquakes and floods, but also hazards associated with the immediate environment or infrastructure in which assets are located. The latter encompasses power failures, electrical interference, pipe leaks, and atmospheric conditions.

VERIS classification note: Every incident needs to have an Actor. For incidents that involve an environmental action, the Actor should be recorded as an external actor with a motive of "Force majeure". Country and motive are set to NA.
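The classification notes on this page can be checked mechanically when incidents are coded. The following is an added example, not part of the VERIS project's own code: it lints simplified incident records for a missing action or actor, Misuse recorded without a trusted actor, and an Environmental action without an external actor whose country is NA. The record layout, the `lint_incident` name and the sample records are assumptions made for illustration.

```python
# Added example. The record layout (top-level "actor" and "action" dicts keyed
# by category) is a simplifying assumption, not the full VERIS schema.

ACTION_CATEGORIES = {"malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental"}
TRUSTED_ACTORS = {"internal", "partner"}  # "insiders and partners"


def lint_incident(incident):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    actions = incident.get("action") or {}
    actors = incident.get("actor") or {}

    if not set(actions) & ACTION_CATEGORIES:
        findings.append("incident has no threat action")
    if not actors:
        findings.append("incident has no actor")

    # Misuse requires granted access, so a trusted party must be recorded.
    if "misuse" in actions and not set(actors) & TRUSTED_ACTORS:
        findings.append("misuse without internal or partner actor; "
                        "consider hacking if access was obtained illegitimately")

    # Environmental actions are recorded against an external actor, country NA.
    if "environmental" in actions:
        external = actors.get("external")
        if external is None:
            findings.append("environmental action without external actor")
        elif external.get("country") != "NA":
            findings.append("environmental action: actor country should be NA")
    return findings


# Constructed sample records (not real incidents).
SAMPLES = {
    "flood": {"actor": {"external": {"country": "NA"}},
              "action": {"environmental": {}}},
    "admin_abuse": {"actor": {"external": {"country": "NA"}},
                    "action": {"misuse": {}}},
    "multi": {"actor": {"external": {"country": "US"}},
              "action": {"social": {}, "malware": {}, "hacking": {}}},
    "empty": {"actor": {}, "action": {}},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, lint_incident(record) or "ok")
```
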

VERIS version 1.3 defines the following variables for environmental actions: