Open gdbassett opened 8 years ago
This should be done in such a way as incidents can be coded without sequencing when the sequence isn't known.
This should also be done in such a way that it does not add significant complexity.
This should also allow people who don't want to use sequencing to keep using VERIS without sequencing.
We will implement this by adding a list to the incident in the schema. Inside the incident will be an object with the properties: action, actor, asset, attribute, confidence, control_failure, discovery_method, timeline (other than incident), victim.
The veris R object will then be a derivative of a data.frame but with a property which is a list of dataframes. The primary dataframe will look like the current, compressed, data. The list will have the data that is tied to a specific step.
By doing this, the verisr object will still be parsable as normal. However, anyone wishing to parse the steps, will be able to do so.
In the standard Excel, a number representing the step will be appended to each step. If no number exists, it will be assumed to be in the first step. (If both a first step and no step column exist for the same enumeration, need to decide whether to combine them or throw an error. Probably combine but throw a warning.)
This will allow an existing standard Excel file to be imported, but if steps are desired, they will be importable as well.
Ultimately, this adds minimum complexity to the standard and tool chain while still providing the ability for people to capture sequencing in their incidents, breaches (and potentially pen tests).
(I would prefer to have an object which acts as an array for a data.frame where only 1 dimension is allowed to vary by 'type' and standard tools will see it as a dataframe (with other dimensions compressed) unless they are aware of the other dimensions, however no such object exists and creating one is beyond my skill.)
Hadley suggested tibbles with lists as a storage structure: http://r4ds.had.co.nz/many-models.html#list-columns-1
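An added example (not VERIS or verisr code) of the import rule proposed above, written in Python rather than R: flattened columns carry an appended step number, unnumbered columns default to step 1, a bare column and an explicit step-1 column for the same enumeration are combined with a warning, and the compressed (step-unaware) view is kept alongside a `sequence` list of per-step objects. The `.N` suffix layout, the `sequence` key and the sample row are assumptions for illustration.

```python
import re
import warnings
from collections import defaultdict

# Properties the proposal scopes to a step; everything else (incident_id,
# plus.*, timeline.incident, ...) stays at incident level.
STEP_PROPS = ("action", "actor", "asset", "attribute", "confidence",
              "control_failure", "discovery_method", "timeline", "victim")
# Assumed layout: the step number is appended to the flattened column name as ".N".
STEP_SUFFIX = re.compile(r"^(?P<base>.+?)\.(?P<step>\d+)$")

def is_step_scoped(base):
    prop = base.split(".")[0]
    return prop in STEP_PROPS and not base.startswith("timeline.incident")

def split_step(column):
    """Return (base_column, step); a column with no number is step 1."""
    m = STEP_SUFFIX.match(column)
    if m and is_step_scoped(m.group("base")):
        return m.group("base"), int(m.group("step"))
    return column, 1

def build_incident(row):
    """Convert one flattened Excel/CSV row into an incident dict that keeps the
    usual compressed columns and adds a `sequence` list of per-step objects."""
    incident, steps = {}, defaultdict(dict)
    for column, value in row.items():
        base, step = split_step(column)
        if not is_step_scoped(base):
            incident[base] = value
            continue
        if base in steps[step]:
            # Bare column and explicit step-1 column for the same enumeration:
            # combine (logical OR for booleans) but warn, as the proposal suggests.
            warnings.warn(f"{base}: unnumbered column and step {step} both set; combining")
            value = steps[step][base] or value
        steps[step][base] = value
        # Compressed view is the union over all steps, so step-unaware tools still work.
        incident[base] = incident.get(base, False) or value
    incident["sequence"] = [{"step": n, **steps[n]} for n in sorted(steps)]
    return incident

# Constructed sample row: phishing in step 1 leads to a database compromise in step 2.
SAMPLE_ROW = {
    "incident_id": "example-0001",
    "timeline.incident.year": 2016,
    "action.social.variety.Phishing": True,
    "actor.external.variety.Organized crime": True,
    "asset.assets.variety.P - End-user": True,
    "action.hacking.variety.Use of stolen creds.2": True,
    "asset.assets.variety.S - Database.2": True,
    "attribute.confidentiality.data.variety.Personal.2": True,
    "action.social.variety.Phishing.1": True,  # duplicates the bare column: warn and combine
}
```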
Schema updated in VERIS v2.
Define sequence using parent-child relationships
Rather than try and build sequencing into VERIS, it may make sense to simply allow multiple rows per plus.master_id. We could then add a plus.Parents and/or plus.Children column(s) to hold a list of master_ids.
The benefit is this would allow sequencing between breaches where one breach leads to another. It would also allow non-1:1 relationships. Finally, it could potentially be used to have a breach lead to a value_chain transaction that leads to another breach.
This still requires getenumCI() (and any other analysis) to determine 'n' by counting unique plus.master_id's rather than number of rows.
Waiting on attack flow.
VERIS does not currently capture the sequence in which actions happen and attributes are compromised. Add sequencing to VERIS to allow capturing the order of things happening.