The VERIS Framework: From Risk to Response
What is VERIS
• It describes:
• Incident Tracking
• Victim Demographics
• Incident Description
• Discovery & Response
• Impact Assessment
• Indicators of Compromise
Damn Useful
Incident Description
• Actor (Who did it?)
• Action (What did they do?)
• Asset (What did they do it to?)
• Attributes (What did we lose?)
Incident Description Examples
• Actor: external.activist internal.helpdesk
• Action: malware.backdoor hacking.mitm environmental.meteorite
• Asset: server.file userdevice.mobilephone people.helpdesk
• Attributes: confidentiality.secrets integrity.fraudulenttransaction availability.loss
So what?
• VERIS lets us measure the types of security incidents we are experiencing
• We can then compare ourselves globally against the DBIR
• We can look for trends in the local threats we are experiencing.
• We can identify areas that need better protection
Use VERIS everywhere!
• The VERIS framework can help
VERIS can be very useful
Identify Risks with VERIS
You can use VERIS to classify risks:
• ‘An external attacker will brute force the main web server customer portal login to gain administrative access to the customer portal’
Maps to the VERIS framework:
• Actor: external (2nd level too specific so ignore)
• Action: hacking.brute_force
• Asset: server.web
• Attribute: integrity.modified_data
SIEM Use Cases with VERIS
You can use VERIS to develop SIEM Use Cases!
For each risk description:
• Identify systems and devices that are on the traffic path
• Identify which log events would be triggered by the attack happening, e.g. logs from the external firewall, NIDS, load balancer, the web server
• Develop a SIEM rule to alert incident response staff when that use case happens, e.g. external.hacking.brute_force.server.web
Respond with VERIS
You can use VERIS to respond to attacks!
When a SIEM rule alerts, you know that a particular risk is being realised.
For each SIEM rule you can create a matching IR pre-plan to identify:
• How to stop or contain the attack
• Who to call to help (make them have their own pre-plans too)
Respond with VERIS
e.g. 1 x SIEM rule: external.hacking.brute_force.server.web (Actor, Action, Asset)
Equals
An IR pre-plan, containing the steps to follow.
It can be one rule to many pre-plans.
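The risk, SIEM rule and IR pre-plan chain from the slides above, as an added example that is not part of the original deck: a brute-force rule over web server logs that labels each alert with its VERIS key and looks up the matching pre-plans. The log format, the /portal/login path, the internal address range, the threshold and the pre-plan text are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

USE_CASE = "external.hacking.brute_force.server.web"  # key from the slides
INTERNAL_NETS = [ip_network("10.0.0.0/8")]            # assumed internal range
THRESHOLD, WINDOW = 5, timedelta(minutes=1)           # assumed tuning values
# Hypothetical pre-plans; one rule key may map to several.
PREPLANS = {USE_CASE: ["contain: block source at external firewall",
                       "call: web platform on-call"]}

# Failed login = POST to the (hypothetical) portal login path answered with 401.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /portal/login [^"]*" 401 ')

def _line(ip, sec):
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            '"POST /portal/login HTTP/1.1" 401 512')

# Constructed sample web server log, not real data.
SAMPLE_LOG = ([_line("203.0.113.7", s) for s in range(0, 12, 2)]   # 6 external
              + [_line("198.51.100.9", s) for s in (5, 40)]        # 2 external
              + [_line("10.0.0.5", s) for s in range(20, 26)])     # 6 internal

def detect(lines):
    """Alert on sources with >= THRESHOLD failed logins inside WINDOW."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            failures[m.group(1)].append(ts)
    alerts = []
    for src, times in failures.items():
        times.sort()
        # Sliding window: THRESHOLD consecutive failures no more than WINDOW apart.
        hit = any(times[i + THRESHOLD - 1] - times[i] <= WINDOW
                  for i in range(len(times) - THRESHOLD + 1))
        if not hit:
            continue
        internal = any(ip_address(src) in net for net in INTERNAL_NETS)
        actor = "internal" if internal else "external"
        key = f"{actor}.hacking.brute_force.server.web"  # actor.action.asset
        alerts.append({"source": src, "veris": key,
                       "preplans": PREPLANS.get(key, [])})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The internal source triggers the same behaviour but a different VERIS key, and its empty pre-plan list shows a risk that has a rule but no response plan yet.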
Measure with VERIS
• Build VERIS classification into your ticketing systems
• Report on the VERIS data
• Use VERIS to highlight where your attacks are coming from
• Create your own DBIR!
• Highlight what you are seeing
Model with VERIS
You can use VERIS to improve your risk models!
• By tracking what attacks you see, you can begin to understand where you are most likely at risk
• Create a risk model which maps change in incidents to change in risk
• Compare yourself to the world using DBIR
• Find trends if possible to work out new threats that need to be included
Model with VERIS
Updating the risk model is your feedback loop!
Threats change over time and we need to adapt.
Using the same language (VERIS) makes it easy to use reality to update our theoretical risk models
Model with VERIS
BUT:
• Is biased to your detective capability!
• Many different types of risk model definitions, so no standard risk description language
• What the world sees is not always what we see here in NZ
• No good shared data for NZ (can the NZITF or APCERT help here?)
The VERIS value
• Classifies incidents
• We can use that incident data to work out where we are most under threat
• Target investment at the areas that need it most
• Track how much that investment helped
• Show management ROI