vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)
http://verisframework.org

Add Sequencing to VERIS #127

Open gdbassett opened 8 years ago

gdbassett commented 8 years ago

VERIS does not currently capture the sequence in which actions happen and attributes are compromised. Add sequencing to VERIS to allow capturing the order of things happening.

gdbassett commented 8 years ago

This should be done in such a way that incidents can be coded without sequencing when the sequence isn't known.

This should also be done in such a way that it does not add significant complexity.

This should also allow people who don't want to use sequencing to keep using VERIS without sequencing.

gdbassett commented 8 years ago

We will implement this by adding a list to the incident in the schema. Inside the incident will be an object with the properties: action, actor, asset, attribute, confidence, control_failure, discovery_method, timeline (other than incident), victim.

The veris R object will then be a derivative of a data.frame but with a property which is a list of dataframes. The primary dataframe will look like the current, compressed, data. The list will have the data that is tied to a specific step.

By doing this, the verisr object will still be parsable as normal. However, anyone wishing to parse the steps will be able to do so.

In the standard Excel, a number representing the step will be appended to each step. If no number exists, it will be assumed to be in the first step. (If both a first step and no step column exist for the same enumeration, need to decide whether to combine them or throw an error. Probably combine but throw a warning.)

This will allow an existing standard Excel file to be imported, but if steps are desired, they will be importable as well.

Ultimately, this adds minimum complexity to the standard and tool chain while still providing the ability for people to capture sequencing in their incidents, breaches (and potentially pen tests).

gdbassett commented 8 years ago

(I would prefer to have an object which acts as an array for a data.frame where only 1 dimension is allowed to vary by 'type' and standard tools will see it as a dataframe (with other dimensions compressed) unless they are aware of the other dimensions; however, no such object exists and creating one is beyond my skill.)

gdbassett commented 8 years ago

Hadley suggested tibbles with lists as a storage structure: http://r4ds.had.co.nz/many-models.html#list-columns-1

gdbassett commented 7 years ago

schema updated in VERIS v2

gdbassett commented 4 years ago

Define sequence using parent-child relationships

Rather than try and build sequencing into VERIS, it may make sense to simply allow multiple rows per plus.master_id. We could then add a plus.Parents and/or plus.Children column(s) to hold a list of master_ids.

The benefit is this would allow sequencing between breaches where one breach leads to another. It would also allow non 1:1 relationships. Finally, it could potentially be used to have a breach lead to a value_chain transaction that leads to another breach.

This still requires getenumCI() (and any other analysis) to determine 'n' by counting unique plus.master_id's rather than number of rows.
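An added illustration of the parent-child proposal in the comment above (not part of the thread and not VERIS or verisr code): several rows share a `plus.master_id`, 'n' is counted from unique ids rather than rows, and the order of incidents is recovered from `plus.Parents`. The flat-dict row layout, the list-valued `plus.Parents`, the simplified `action` field and all sample values are assumptions constructed for the example.

```python
from graphlib import TopologicalSorter, CycleError  # Python 3.9+

# Constructed sample rows; the row layout and values are assumptions.
ROWS = [
    {"plus.master_id": "A", "action": "social", "plus.Parents": []},
    {"plus.master_id": "A", "action": "malware", "plus.Parents": []},
    {"plus.master_id": "B", "action": "hacking", "plus.Parents": ["A"]},
    {"plus.master_id": "C", "action": "misuse", "plus.Parents": ["A", "B"]},
]

def incident_count(rows):
    """'n' for analysis: unique plus.master_id values, not the row count."""
    return len({r["plus.master_id"] for r in rows})

def parent_graph(rows):
    """Map each master_id to the union of parents named on any of its rows."""
    graph = {}
    for r in rows:
        parents = r.get("plus.Parents") or []
        graph.setdefault(r["plus.master_id"], set()).update(parents)
    return graph

def dangling_parents(rows):
    """Parent ids that point at no row in the data set."""
    graph = parent_graph(rows)
    named = {p for parents in graph.values() for p in parents}
    return sorted(named - set(graph))

def sequence(rows):
    """Order master_ids so that every parent precedes its children."""
    missing = dangling_parents(rows)
    if missing:
        raise ValueError(f"plus.Parents names unknown master_ids: {missing}")
    try:
        return list(TopologicalSorter(parent_graph(rows)).static_order())
    except CycleError as exc:
        # A loop of parent links has no valid order; report the ids involved.
        raise ValueError(f"cyclic parent links: {exc.args[1]}") from exc

if __name__ == "__main__":
    print("rows:", len(ROWS), "incidents (n):", incident_count(ROWS))
    print("sequence:", " -> ".join(sequence(ROWS)))
```

Dangling and cyclic parent references are rejected here because either one would leave the sequence undefined.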

gdbassett commented 2 years ago

Waiting on attack flow.