cablelabs / ddos-info-sharing

The repository for the CRITS based DDoS Information Sharing platform
https://cablelabs.github.io/ddos-info-sharing/

Standardize attack type strings (with Rich C) #11

Open craigpratt opened 2 years ago

craigpratt commented 2 years ago

After discussions with BofA, realized that we're currently using attack type IDs defined by NetScout.

As BofA doesn't use NetScout, this presents an issue: what attack type definitions do we use that are vendor neutral?

Rich had a list based on observational data. And I started a table. But this work needs to be completed. And we need to decide if we go with more informal string names or identify attack types using ordinals.

One thing that I think is critical is that attacks can be put under multiple categories. Many attacks will fit both a generic name (e.g. "amplification") and a more specific name (e.g. "DNS amplification using ...").
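One way to represent the multi-category point above in code, as an added example that is not part of the ddos-info-sharing project: a small vendor-neutral taxonomy in which each specific type carries both a stable ordinal and a string name and inherits every generic category above it, plus an alias table that maps vendor-specific labels onto the neutral names. All type names, ordinals and vendor labels here are constructed placeholders, not NetScout's or anyone else's real identifiers.

```python
"""Vendor-neutral DDoS attack-type taxonomy sketch.

Added example, not code from the ddos-info-sharing project. Every attack
type name, ordinal and vendor label below is a constructed placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackType:
    """One vendor-neutral attack type.

    ordinal: stable numeric id, so records can be exchanged without relying
             on exact string spelling.
    name:    human-readable canonical string.
    parents: generic categories this type also belongs to, by name.
    """
    ordinal: int
    name: str
    parents: tuple = ()


# Constructed taxonomy; ordinals and names are placeholders for illustration.
TAXONOMY = {
    t.name: t
    for t in (
        AttackType(1, "volumetric"),
        AttackType(2, "amplification", parents=("volumetric",)),
        AttackType(3, "dns-amplification", parents=("amplification",)),
        AttackType(4, "ntp-amplification", parents=("amplification",)),
        AttackType(5, "tcp-state-exhaustion"),
        AttackType(6, "syn-flood", parents=("tcp-state-exhaustion",)),
    )
}
BY_ORDINAL = {t.ordinal: t for t in TAXONOMY.values()}

# Hypothetical vendor-specific labels mapped onto the neutral taxonomy.
# Keys are constructed; they are not real NetScout identifiers.
VENDOR_ALIASES = {
    "vendorA:DNS_AMP": "dns-amplification",
    "vendorB:dns amplification": "dns-amplification",
    "vendorA:TCP_SYN": "syn-flood",
}


def normalize(label: str) -> str:
    """Map a raw label (canonical name, ordinal or vendor alias) to the
    canonical attack type name. Raises KeyError for unknown labels so that
    unrecognised input is never silently filed under a wrong category."""
    text = label.strip()
    if text.isdigit():
        return BY_ORDINAL[int(text)].name
    lowered = text.lower().replace("_", "-").replace(" ", "-")
    if lowered in TAXONOMY:
        return lowered
    return VENDOR_ALIASES[text]


def categories(label: str) -> list:
    """Return the attack type and every generic category it falls under,
    most specific first, so 'dns-amplification' is also retrievable as
    'amplification' and 'volumetric'."""
    name = normalize(label)
    out = []
    queue = [name]
    while queue:
        current = queue.pop(0)
        if current in out:
            continue
        out.append(current)
        queue.extend(TAXONOMY[current].parents)
    return out


def matches(label: str, category: str) -> bool:
    """True when a reported attack falls under `category` at any level,
    whichever spelling or vendor label the report used."""
    return normalize(category) in categories(label)


if __name__ == "__main__":
    for raw in ("3", "DNS Amplification", "vendorA:DNS_AMP", "6"):
        print(raw, "->", categories(raw))
```

The design choice worth noting: the ordinal is what gets exchanged between parties, and the string name is what humans read, so both questions raised in the issue (strings versus ordinals, single versus multiple categories) are answered by one record rather than forcing a choice. Rejecting unknown labels with an exception, rather than guessing, keeps a mislabelled vendor string from quietly polluting shared statistics.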