Threat Actions
Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident has at least one, but most will comprise multiple actions (and often across multiple categories). VERIS uses 7 primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental.
Malware is any malicious software, script, or code run on a device that alters its state or function without the owner’s informed consent. Examples include viruses, worms, spyware, keyloggers, backdoors, etc.
VERIS version 1.3 defines the following variables for malware actions:
- variety (required)
- vector (required)
- cve
- name
- notes
Hacking is defined within VERIS as all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms. This includes brute force, SQL injection, cryptanalysis, denial of service attacks, etc.
VERIS classification note: There is an action category for Hacking and for Misuse. Both can utilize similar vectors and achieve similar results; in Misuse, the actor was granted access/privileges (and used them inappropriately), whereas with Hacking, access/privileges are obtained illegitimately.
VERIS version 1.3 defines the following variables for hacking actions:
- variety (required)
- vector (required)
- cve
- notes
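The two variable lists above (malware and hacking) can be turned into a simple structural check. The following is an added example and is not part of the VERIS project or its schema: it checks only that the required variables are present and that no variable outside the lists on this page is used. It assumes, as in the VERIS JSON schema, that `variety` and `vector` are lists of enumeration strings; the enumeration values themselves are not checked, and the sample incident values are constructed for illustration.

```python
"""Structural check for VERIS 1.3 Malware and Hacking action records.

Added illustration, not VERIS project code. It enforces only what the page
lists: variety and vector are required; cve, name (malware only) and notes
are optional. Enumeration values are not validated.
"""
from typing import Any

# Variables permitted per action category, taken from the lists on the page.
REQUIRED = {
    "malware": ("variety", "vector"),
    "hacking": ("variety", "vector"),
}
OPTIONAL = {
    "malware": ("cve", "name", "notes"),
    "hacking": ("cve", "notes"),
}


def validate_action(category: str, record: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the record is well-formed."""
    if category not in REQUIRED:
        return [f"unknown action category: {category}"]
    problems: list[str] = []
    for key in REQUIRED[category]:
        value = record.get(key)
        if not value:  # missing key or empty list
            problems.append(f"{category}.{key} is required")
        elif not isinstance(value, list):
            # Assumption: variety and vector are arrays of enumeration strings.
            problems.append(f"{category}.{key} must be a list of enumeration values")
    allowed = set(REQUIRED[category]) | set(OPTIONAL[category])
    for key in record:
        if key not in allowed:
            problems.append(f"{category}.{key} is not a VERIS 1.3 variable")
    return problems


def validate_incident(incident: dict[str, Any]) -> list[str]:
    """Check every action category on an incident; VERIS requires at least one action."""
    actions = incident.get("action", {})
    if not actions:
        return ["incident has no threat actions; VERIS requires at least one"]
    problems: list[str] = []
    for category, record in actions.items():
        problems.extend(validate_action(category, record))
    return problems


# Constructed sample incident: a malware action delivered by email and a
# hacking action against a web application. Values are illustrative only.
SAMPLE_INCIDENT = {
    "action": {
        "malware": {
            "variety": ["Backdoor"],
            "vector": ["Email attachment"],
            "name": "sample-loader (constructed)",
        },
        "hacking": {
            "variety": ["Use of stolen creds"],
            "vector": ["Web application"],
        },
    }
}

if __name__ == "__main__":
    print("sample incident problems:", validate_incident(SAMPLE_INCIDENT))
    print("missing variety:", validate_action("malware", {"vector": ["Email attachment"]}))
    print("stray field:", validate_action("hacking", {"variety": ["x"], "vector": ["y"], "name": "n"}))
```

Note that `name` is accepted for malware but rejected for hacking, matching the two lists on this page; a real VERIS validator would additionally check `variety` and `vector` against the published enumerations.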