Kevin Thompson edited this page May 30, 2014 · 1 revision

Entities that cause or contribute to an incident are referred to as threat actors. There can be more than one actor involved in any particular incident, and their actions can be malicious or non-malicious, intentional or unintentional, causal or contributory. VERIS recognizes three primary categories of threat actors - External, Internal, and Partner.

VERIS classification note: If the actor’s role in the breach is limited to a contributory error, the actor would not be included here. For example, if an insider’s unintentional misconfiguration of an application left it vulnerable to attack, the insider would not be considered a threat actor if the application were successfully breached by another actor. An insider who deliberately steals data or whose inappropriate behavior (e.g., policy violations) facilitated the breach would be considered a threat actor in the breach.

External Actors

External threats originate from sources outside of the organization and its network of partners. Examples include criminal groups, lone hackers, former employees, and government entities. This category also includes God (as in “acts of”), “Mother Nature,” and random chance. Typically, no trust or privilege is implied for external entities.

VERIS version 1.3 defines the following variables for external actors:

Internal Actors

Internal threats are those originating from within the organization. This encompasses company full-time employees, independent contractors, interns, and other staff. Insiders are trusted and privileged (some more than others).

VERIS version 1.3 defines the following variables for internal actors:

Partner Actors

Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.

VERIS version 1.3 defines the following variables for partner actors:

Unknown Actors

Actor is a required field in VERIS; however, in some cases the analyst has no idea whether the threat actor was internal, external, or partner. In these cases, the analyst should put Unknown as the actor. The Unknown actor has no subfields and is represented by an empty object when the incident is converted to JSON.

"actor" : { "unknown" : {} }
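The actor rules on this page (required field, one or more categories, Unknown as an empty object) can be checked mechanically before records are loaded for analysis. The following is an added example, not code from the VERIS project: `check_actor` is a hypothetical helper, the lowercase keys `external`, `internal` and `partner` are assumed to follow the same convention as the page's `unknown` key, and the sample incidents are constructed. It checks the category level only and does not validate subfields.

```python
import json

# Actor categories from this page, lowercased as in its JSON example.
ACTOR_CATEGORIES = ("external", "internal", "partner", "unknown")

def check_actor(incident):
    """Return (categories, problems) for one incident's actor field."""
    actor = incident.get("actor")
    if not isinstance(actor, dict) or not actor:
        # Actor is required; an unidentified actor is recorded, not omitted.
        return [], ['actor is required; use {"unknown": {}} if not known']
    categories, problems = [], []
    for key, value in actor.items():
        if key not in ACTOR_CATEGORIES:
            problems.append(f"unrecognized actor category: {key}")
        elif not isinstance(value, dict):
            problems.append(f"actor.{key} must be a JSON object")
        elif key == "unknown" and value:
            problems.append("actor.unknown has no subfields; expected {}")
        else:
            categories.append(key)
    # More than one actor per incident is allowed, so return all of them.
    return sorted(categories), problems

# Constructed sample incidents; subfield contents are illustrative and unchecked.
SAMPLES = json.loads("""
[
  {"incident_id": "sample-1", "actor": {"unknown": {}}},
  {"incident_id": "sample-2", "actor": {"external": {"variety": ["Organized crime"]},
                                        "internal": {"variety": ["End-user"]}}},
  {"incident_id": "sample-3", "actor": {"unknown": {"variety": ["Other"]}}},
  {"incident_id": "sample-4", "actor": {}},
  {"incident_id": "sample-5"}
]
""")

if __name__ == "__main__":
    for incident in SAMPLES:
        print(incident["incident_id"], check_actor(incident))
```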