vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)
http://verisframework.org

Inferred value_chain values #400

Closed gdbassett closed 2 years ago

gdbassett commented 2 years ago

Some of the value_chain values can be inferred for enrichment. Others should be recommended. Here are some options:

Enrich:
action.social.variety.Phishing -> value_chain.distribution.variety.Email
action.malware.variety.C2 -> value_chain.non-distribution services.variety.C2
action.malware.variety.Ransomware -> value_chain.cash-out.variety.Cryptocurrency
action.social.variety.Phishing -> value_chain.targeting.variety.Email addresses
action.social.variety.Pretexting -> value_chain.development.variety.Persona
action.social.vector.Email -> value_chain.distribution.variety.Email

Recommend:
action.Malware -> value_chain.development.variety.Unknown # may not apply for publicly available malware
action.malware.variety.Ransomware -> value_chain.development.variety.Ransomware
action.malware.variety.Trojan -> value_chain.development.variety.Trojan
action.hacking.variety.Use of stolen creds -> value_chain.targeting.variety.Lost or stolen credentials # only if used for initial access
action.hacking.variety.Exploit vuln -> value_chain.targeting.variety.Vulnerabilities
action.malware.variety.Downloader -> value_chain.distribution.variety.Loader
action.hacking.variety.Exploit misconfig -> value_chain.targeting.variety.Misconfigurations
action.hacking.variety.Exploit vuln -> value_chain.development.variety.Exploit
action.social.vector.Website -> value_chain.development.variety.Website
action.social.vector.Email -> value_chain.targeting.variety.Email addresses
action.malware.vector.Web application -> value_chain.development.variety.Website

gdbassett commented 2 years ago

(for enriched, add to note field the enrichment)

action.malware.vector.Web application -> value_chain.distribution.variety.Website?

(to be continued)

gdbassett commented 2 years ago

@planglois925 to review and add comment by Monday.

gdbassett commented 2 years ago

action.malware.vector.C2 -> value_chain.non-distribution services.variety.C2 (variety -> vector per issue/383)
action.social.variety.Pretexting -> value_chain.development.variety.Persona - move to recommended since often the persona is duplicated, not developed.
action.social.vector.Web application -> value_chain.development.variety.Website (Website -> Web application per issue/401)
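The rule set from this thread as a runnable enrichment pass over a VERIS-style incident dict (added example, not code from the veris repository). It applies the "Enrich" rules with the corrections from the last comment (C2 keyed on `action.malware.vector`, Pretexting -> Persona demoted to recommended), records each enrichment in the stage's note field as the second comment asks, and only surfaces "Recommend" rules to the analyst. Assumptions: each `value_chain.<stage>` object carries `variety` and `notes` keys, and the sample incident is constructed for the demo.

```python
import copy

# (source path, source value, value_chain stage, value_chain variety)
ENRICH_RULES = [
    (("action", "social", "variety"), "Phishing", "distribution", "Email"),
    (("action", "social", "variety"), "Phishing", "targeting", "Email addresses"),
    (("action", "social", "vector"), "Email", "distribution", "Email"),
    (("action", "malware", "vector"), "C2", "non-distribution services", "C2"),
    (("action", "malware", "variety"), "Ransomware", "cash-out", "Cryptocurrency"),
]
# Surfaced to the analyst only; never written into the incident automatically.
RECOMMEND_RULES = [
    (("action", "social", "variety"), "Pretexting", "development", "Persona"),
    (("action", "malware", "variety"), "Ransomware", "development", "Ransomware"),
    (("action", "malware", "variety"), "Trojan", "development", "Trojan"),
    (("action", "malware", "variety"), "Downloader", "distribution", "Loader"),
    (("action", "hacking", "variety"), "Exploit vuln", "targeting", "Vulnerabilities"),
    (("action", "hacking", "variety"), "Exploit vuln", "development", "Exploit"),
    (("action", "hacking", "variety"), "Exploit misconfig", "targeting", "Misconfigurations"),
    (("action", "hacking", "variety"), "Use of stolen creds", "targeting", "Lost or stolen credentials"),
    (("action", "social", "vector"), "Email", "targeting", "Email addresses"),
    (("action", "social", "vector"), "Web application", "development", "Website"),
]

def _has(incident, path, value):
    """True if the list at `path` exists and contains `value`."""
    node = incident
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return isinstance(node, list) and value in node

def enrich(incident):
    """Return (enriched copy of incident, list of recommended value_chain entries)."""
    out = copy.deepcopy(incident)          # never mutate the caller's record
    vc = out.setdefault("value_chain", {})
    for path, value, stage, variety in ENRICH_RULES:
        if not _has(out, path, value):
            continue
        entry = vc.setdefault(stage, {"variety": [], "notes": ""})  # assumed stage shape
        if variety not in entry.setdefault("variety", []):
            entry["variety"].append(variety)
            entry["notes"] = (entry.get("notes") or "") + f"enriched: {'.'.join(path)}.{value} -> {variety}; "
    recs = [f"{stage}.variety.{variety}" for path, value, stage, variety in RECOMMEND_RULES
            if _has(out, path, value)]
    return out, recs

SAMPLE = {  # constructed sample incident, not real data
    "action": {"social": {"variety": ["Phishing"], "vector": ["Email"]},
               "malware": {"variety": ["Ransomware", "Downloader"], "vector": ["C2"]}},
    "value_chain": {},
}
```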