Uploaded by: terrymacdonald
Powerpoint TemplatesPage 1
The VERIS Framework: From Risk to Response
What is VERIS?
• It describes:
  • Incident Tracking
  • Victim Demographics
  • Incident Description
  • Discovery & Response
  • Impact Assessment
  • Indicators of Compromise
Damn Useful
Incident Description
• Actor (Who did it?)
• Action (What did they do?)
• Asset (What did they do it to?)
• Attributes (What did we lose?)
Incident Description Examples
• Actor: external.activist, internal.helpdesk
• Action: malware.backdoor, hacking.mitm, environmental.meteorite
• Asset: server.file, userdevice.mobilephone, people.helpdesk
• Attributes: confidentiality.secrets, integrity.fraudulenttransaction, availability.loss
So what?
• VERIS lets us measure the types of security incidents we are experiencing
• We can then compare ourselves globally against the DBIR
• We can look for trends in the local threats we are experiencing.
• We can identify areas that need better protection
Use VERIS everywhere!
• The VERIS framework can help
• VERIS can be very useful
Identify Risks with VERIS
You can use VERIS to classify risks:
• ‘An external attacker will brute force the main web server customer portal login to gain administrative access to the customer portal’
This maps to the VERIS framework as:
• Actor: external (2nd level too specific, so ignore)
• Action: hacking.brute_force
• Asset: server.web
• Attribute: integrity.modified_data
SIEM Use Cases with VERIS
You can use VERIS to develop SIEM Use Cases!
For each risk description:
• Identify systems and devices that are on the traffic path
• Identify which log events would be triggered by the attack happening, e.g. logs from the external firewall, NIDS, load balancer, the web server
• Develop a SIEM rule to alert incident response staff when that use case happens, e.g. external.hacking.brute_force.server.web
Respond with VERIS
You can use VERIS to respond to attacks!
When a SIEM rule alerts, you know that a particular risk is being realised.
For each SIEM rule you can create a matching IR pre-plan to identify:
• How to stop or contain the attack
• Who to call to help (make them have their own pre-plans too)
Respond with VERIS
e.g. 1 x SIEM rule, named external.hacking.brute_force.server.web (Actor.Action.Asset), equals an IR pre-plan containing the steps to follow.
It can be one rule to many pre-plans.
Measure with VERIS
• Build VERIS classification into your ticketing systems
• Report on the VERIS data
• Use VERIS to highlight where your attacks are coming from
• Create your own DBIR!
• Highlight what you are seeing
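The chain the slides describe (risk mapped to the VERIS A4s, an actor.action.asset SIEM rule name, one rule fanning out to several IR pre-plans, and ticket data tallied for your own DBIR-style report) as an added example in Python; this is not code from the slides, and the `VerisA4` class, `PREPLANS` catalogue and sample tickets are constructed for illustration.

```python
"""Added example (not from the slides): VERIS-style classification of risks,
SIEM rule naming, one-rule-to-many IR pre-plan lookup and ticket tallying."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VerisA4:
    """The four VERIS A4 categories the slides enumerate (hypothetical class)."""
    actor: str       # e.g. "external" (drop the 2nd level when it is too specific)
    action: str      # e.g. "hacking.brute_force"
    asset: str       # e.g. "server.web"
    attribute: str   # e.g. "integrity.modified_data"

    def rule_name(self) -> str:
        """SIEM use-case name in the slides' actor.action.asset form."""
        return f"{self.actor}.{self.action}.{self.asset}"


# Constructed catalogue: one SIEM rule name maps to many IR pre-plans.
PREPLANS = {
    "external.hacking.brute_force.server.web": [
        "contain: block the source at the external firewall / load balancer",
        "call: helpdesk pre-plan to lock and reset affected portal accounts",
    ],
}


def preplans_for(alert_rule: str) -> list[str]:
    """Pre-plans to follow when a SIEM rule fires (empty list if none is defined)."""
    return PREPLANS.get(alert_rule, [])


def tally(tickets: list[VerisA4]) -> dict[str, Counter]:
    """Count classified tickets per actor, top-level action and asset for reporting."""
    out = {"actor": Counter(), "action": Counter(), "asset": Counter()}
    for t in tickets:
        out["actor"][t.actor] += 1
        out["action"][t.action.split(".")[0]] += 1   # e.g. "hacking" from "hacking.brute_force"
        out["asset"][t.asset] += 1
    return out


# Constructed sample tickets using the slides' example values.
TICKETS = [
    VerisA4("external", "hacking.brute_force", "server.web", "integrity.modified_data"),
    VerisA4("external", "malware.backdoor", "userdevice.mobilephone", "confidentiality.secrets"),
    VerisA4("internal", "hacking.brute_force", "server.web", "confidentiality.secrets"),
    VerisA4("external", "environmental.meteorite", "server.file", "availability.loss"),
]

if __name__ == "__main__":
    risk = TICKETS[0]
    print(risk.rule_name(), "->", preplans_for(risk.rule_name()))
    print(tally(TICKETS))
```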
Model with VERIS
You can use VERIS to improve your risk models!
• By tracking what attacks you see, you can begin to understand where you are most likely at risk
• Create a risk model which maps change in incidents to change in risk
• Compare yourself to the world using the DBIR
• Find trends if possible, to work out new threats that need to be included
Model with VERIS
Updating the risk model is your feedback loop!
Threats change over time and we need to adapt.
Using the same language (VERIS) makes it easy to use reality to update our theoretical risk models
Model with VERIS
BUT:
• It is biased to your detective capability!
• There are many different types of risk model definitions, so no standard risk description language
• What the world sees is not always what we see here in NZ
• No good shared data for NZ (can the NZITF or APCERT help here?)
The VERIS value
• Classifies incidents
• We can use that incident data to work out where we are most under threat
• Target investment at the areas that need it most
• Track how much that investment helped
• Show management ROI