vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)
http://verisframework.org

Do we want to add something about deploying the payload into hacking instead of malware #450

Open swidup opened 1 year ago

swidup commented 1 year ago

Put in an issue in Veris wars to discuss whether we want to have a result of Execute for malware and put the deploy payload into hacking instead of malware. Issue 19010 was the GitHub case we were on when debating this.

gdbassett commented 1 year ago

This leads to a longer question about sequencing in VERIS. It wraps in 'what' the sequence is (action leads to what? asset/attributes/results). Veris has some issues with sequencing. We tend to treat sequences as the 4A's happening at each 'step', however the action clearly causes the attribute to happen against the asset resulting in the result (kind of a causal path within the step). (with the action taken by an actor.) This generally aligns with Attack Flow's action-(state change)->asset-(state requirement)-> structure as well. In more complex cases, an action may affect multiple assets or an asset may require multiple actions to cause the state change. This would not immediately be codable with the '4-part causal step' (action (done by actor)-(attribute)->asset-(result)->), though the complexities might be able to be broken down into multiple 4-part causal paths.

It also creates the question of how are results different from attributes. They're clearly different and both clearly valuable, but it's not clear what their relationship is.

gdbassett commented 1 year ago

Phil: a good framework for adjudicating this is how we will answer questions with it.

gdbassett commented 1 year ago

Result is meant to capture the 'direction' an attack took:

- in - infiltrate
- out - exfiltrate
- up (permissions) - elevate
- sideways - lateral movement
- stay-in-place - deploy payload

(We should also probably have establish persistence, though I don't know how much we'd get it.)
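A concrete sketch of the '4-part causal step' (actor does action -> attribute on asset -> result) and the result 'directions' discussed in this thread, as an added example that is not code from the vz-risk/veris repository or the VERIS schema. The `Step` fields, the `Result` labels, the consistency rules in `check_sequence`, and the two sample chains are all assumptions made for illustration; the asset strings only loosely echo VERIS asset names and are not validated against the real enumeration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class Result(Enum):
    """'Direction' of a step, named as in the comment above (labels are mine)."""
    INFILTRATE = "in"
    EXFILTRATE = "out"
    ELEVATE = "up"
    LATERAL_MOVEMENT = "sideways"
    DEPLOY_PAYLOAD = "stay-in-place"


@dataclass(frozen=True)
class Step:
    """One causal step: actor performs action -> attribute changes on asset -> result."""
    actor: str      # who performed the action
    action: str     # action category, e.g. "hacking", "malware", "social"
    variety: str    # free-text description of the specific technique
    attribute: str  # state change on the asset, e.g. "integrity"
    asset: str      # asset the state change applies to (illustrative names)
    result: Result  # direction the step moved the attack


def direction_trace(steps: List[Step]) -> List[str]:
    """Collapse a chain of steps to the sequence of directions it took."""
    return [s.result.value for s in steps]


def check_sequence(steps: List[Step]) -> List[str]:
    """Check a chain against hypothetical consistency rules; return the violations.

    Rules (my assumptions, not VERIS validation logic):
      1. the chain must begin by getting in (INFILTRATE)
      2. a LATERAL_MOVEMENT step must land on a different asset than the step before it
      3. a DEPLOY_PAYLOAD step stays in place: same asset as the step before it
      4. an EXFILTRATE step is a confidentiality state change
    """
    problems: List[str] = []
    if not steps:
        return ["empty chain"]
    if steps[0].result is not Result.INFILTRATE:
        problems.append(
            f"step 1: chain starts with {steps[0].result.value!r}, expected 'in'")
    for i, cur in enumerate(steps):
        n = i + 1
        if cur.result is Result.EXFILTRATE and cur.attribute != "confidentiality":
            problems.append(f"step {n}: exfiltrate recorded as {cur.attribute!r}")
        if i == 0:
            continue
        prev = steps[i - 1]
        if cur.result is Result.LATERAL_MOVEMENT and cur.asset == prev.asset:
            problems.append(f"step {n}: lateral movement but asset unchanged ({cur.asset})")
        if cur.result is Result.DEPLOY_PAYLOAD and cur.asset != prev.asset:
            problems.append(
                f"step {n}: deploy payload on {cur.asset} but previous step was on {prev.asset}")
    return problems


# Constructed sample chains (not real incident data).
GOOD_CHAIN = [
    Step("external", "social", "Phishing", "integrity", "U - Desktop", Result.INFILTRATE),
    Step("external", "hacking", "Use of stolen creds", "integrity", "U - Desktop", Result.ELEVATE),
    Step("external", "hacking", "Use of stolen creds", "integrity", "S - File", Result.LATERAL_MOVEMENT),
    Step("external", "malware", "Ransomware", "availability", "S - File", Result.DEPLOY_PAYLOAD),
    Step("external", "hacking", "Exfiltration", "confidentiality", "S - File", Result.EXFILTRATE),
]

BAD_CHAIN = [
    # starts by going out, then claims lateral movement without changing asset
    Step("external", "hacking", "Exfiltration", "confidentiality", "S - File", Result.EXFILTRATE),
    Step("external", "hacking", "Use of stolen creds", "integrity", "S - File", Result.LATERAL_MOVEMENT),
]


if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, direction_trace(chain))
        for p in check_sequence(chain):
            print("  problem:", p)
```

Encoding the step this way makes the question in the thread concrete: a malware step whose result is DEPLOY_PAYLOAD and a hacking step that delivers the same payload differ only in the `action` field, so any rule that keys off `result` alone cannot tell them apart, and whether that is a problem depends on the questions the data is meant to answer.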