changelog (forked from vz-risk/veris)
Version 1.3
===========
Schema changes
--------------
* The schema has been documented using the IETF JSON Schema draft 4 specification: http://tools.ietf.org/html/draft-fge-json-schema-validation-00
* Add new actor.internal.job_change field (see enumerations below)
* Changes asset.country to an array so that we can model assets that exist in multiple countries.
* Changes victim.country to an array rather than a string.
* Adds a discovery_notes field to describe the discovery in greater detail.
* Removes asset.management, asset.hosting, asset.ownership, and asset.accessibility
* Added asset.governance. This is intended to capture interesting facts about the management of the asset but is not intended to be all-inclusive or to apply to all assets; e.g. there would be no selection if a person were the affected asset.
* Removes the existing physical.vector enumeration and renames physical.location to physical.vector. Some of the values from the old physical.vector are now in physical.variety.
* Adds new attribute.confidentiality.data_victim (see enumerations below)
* Adds six character region array to actor.external, actor.partner, and victim.
* Adds actor.external.name, an array of strings used to identify the actor such as 'Syrian Electronic Army' or 'Zero Cool'.
* Renames the related_incidents field to campaign_id
Enumeration changes
-------------------
* actor.motive: Added "Secondary"
* action.hacking.variety: Added "Pass-the-hash"
* attribute.integrity.variety: Added "Defacement"
* attribute.integrity.variety: Renamed "Misappropriation" to "Repurpose"
* attribute.confidentiality.data.variety: Added "Source code"
* attribute.confidentiality.data.variety: Added "Virtual currency"
* asset.assets.variety: Added "S - Unknown"
* attribute.confidentiality.data.variety: Added "Digital certificate"
* action.misuse.variety: Renamed "Embezzlement" to "Possession abuse"
* action.physical.variety: Renamed "Sabotage" to "Destruction"
* malware.vector: Added "Software update"
* discovery_method: Renamed "Int - reported by user" to "Int - reported by employee"
* discovery_method: Renamed "Int - IT audit" to "Int - IT review"
* action.physical.variety: Added "Skimmer"
* asset.accessibility: Removed all enumerations
* asset.hosting: Removed all enumerations
* asset.management: Removed all enumerations
* asset.ownership: Removed all enumerations
* action.physical.vector: Removed all enumerations
* action.physical.location: Renamed to action.physical.vector
* action.physical.vector: Added "Visitor privileges"
* action.physical.vector: Added "Uncontrolled location"
* action.physical.vector: Added "Privileged access"
* action.physical.variety: Added "Bypassed controls"
* action.physical.variety: Added "Disabled controls"
* attribute.confidentiality.data_victim: Added "Customer"
* attribute.confidentiality.data_victim: Added "Employee"
* attribute.confidentiality.data_victim: Added "Other"
* attribute.confidentiality.data_victim: Added "Partner"
* attribute.confidentiality.data_victim: Added "Patient"
* attribute.confidentiality.data_victim: Added "Student"
* attribute.confidentiality.data_victim: Added "Unknown"
* actor.internal.job_change: Added "Hired"
* actor.internal.job_change: Added "Promoted"
* actor.internal.job_change: Added "Lateral move"
* actor.internal.job_change: Added "Resigned"
* actor.internal.job_change: Added "Let go"
* actor.internal.job_change: Added "Demoted"
* actor.internal.job_change: Added "Passed over"
* actor.internal.job_change: Added "Unknown"
* actor.internal.job_change: Added "Other"
* actor.internal.job_change: Added "Reprimanded"
* actor.internal.job_change: Added "Job eval"
* actor.internal.job_change: Added "Personal issues"
* discovery_method: Removed "Ext - unrelated party"
* discovery_method: Added "Prt - monitoring service"
* discovery_method: Added "Prt - audit"
* discovery_method: Added "Prt - antivirus"
* discovery_method: Added "Prt - incident response"
* discovery_method: Added "Prt - Unknown"
* discovery_method: Added "Prt - Other"
* discovery_method: Added "Ext - incident response"
* discovery_method: Added "Ext - found documents"
* discovery_method: Added "Ext - suspicious traffic"
* discovery_method: Added "Ext - emergency response team"
* discovery_method: Added "Int - data loss prevention"
* discovery_method: Added "Int - infrastructure monitoring"
* asset.governance: Added "Personally owned"
* asset.governance: Added "3rd party owned"
* asset.governance: Added "3rd party managed"
* asset.governance: Added "3rd party hosted"
* asset.governance: Added "Internally isolated"
* asset.governance: Added "Unknown"
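Taken together, the Version 1.3 schema and enumeration changes above describe a record migration: both country fields become arrays, related_incidents becomes campaign_id, physical.location takes over the physical.vector name, four asset fields disappear, and several enumeration values are renamed. The Python below is an added example and not code from the veris project; it assumes the dotted paths in the changelog map onto nested JSON objects (as in a VERIS record) and applies only the renames the changelog states, dropping the removed asset fields because no mapping to asset.governance is given.

```python
import copy
# Enumeration value renames from "Version 1.3 / Enumeration changes" (dotted path -> map).
ENUM_RENAMES = {
    ("attribute", "integrity", "variety"): {"Misappropriation": "Repurpose"},
    ("action", "misuse", "variety"): {"Embezzlement": "Possession abuse"},
    ("action", "physical", "variety"): {"Sabotage": "Destruction"},
    ("discovery_method",): {"Int - reported by user": "Int - reported by employee",
                            "Int - IT audit": "Int - IT review"},
}
# asset sub-fields removed in 1.3; asset.governance replaces them but no value mapping is given.
REMOVED_ASSET_FIELDS = ("management", "hosting", "ownership", "accessibility")

def _parent(rec, path):
    # Walk all but the last key of a path; None when any level is missing.
    node = rec
    for key in path[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else None

def migrate_1_2_to_1_3(record):
    """Return a copy of a 1.2 record with the 1.3 renames and reshapes applied."""
    rec = copy.deepcopy(record)
    for section in ("asset", "victim"):  # country: single string -> array of strings
        sec = rec.get(section)
        if isinstance(sec, dict) and isinstance(sec.get("country"), str):
            sec["country"] = [sec["country"]]
    if "related_incidents" in rec:  # field rename
        rec["campaign_id"] = rec.pop("related_incidents")
    phys = _parent(rec, ("action", "physical", "vector"))
    if phys is not None:  # old vector enumeration removed, then location renamed to vector
        phys.pop("vector", None)
        if "location" in phys:
            phys["vector"] = phys.pop("location")
    for field in REMOVED_ASSET_FIELDS:
        rec.get("asset", {}).pop(field, None)
    for path, mapping in ENUM_RENAMES.items():  # values may be a string or an array
        parent = _parent(rec, path)
        if parent is not None and path[-1] in parent:
            value = parent[path[-1]]
            parent[path[-1]] = ([mapping.get(v, v) for v in value]
                                if isinstance(value, list) else mapping.get(value, value))
    return rec
SAMPLE_1_2 = {  # constructed 1.2-style record, not real incident data
    "victim": {"country": "US"},
    "asset": {"country": "US", "ownership": "Victim", "assets": [{"variety": "S - Web application"}]},
    "action": {"physical": {"location": ["Victim work area"], "variety": ["Sabotage"]},
               "misuse": {"variety": ["Embezzlement"]}},
    "attribute": {"integrity": {"variety": ["Misappropriation", "Defacement"]}},
    "discovery_method": "Int - IT audit", "related_incidents": "campaign-42",
}
```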
Version 1.2
===========
Schema changes
--------------
* Removed investigation date completely
* Added field for target section, called "targeted" (not required)
* Replaced "personal" boolean with "ownership" field for enumeration
listing
* Changed "management" boolean into enumeration listing
* Changed "hosting" boolean into enumeration listing
* Added field "accessibility" for enumeration listing, describing where the asset sits in the network (internal-facing, internet-facing, etc.); it is not associated on a per-asset basis.
* Changed "asset" to be required
* Make attribute section not required (near miss, false alarms, etc)
* Changed "security_compromise" to "security_incident" to make it clearer what this variable tracks. It essentially asks "Was this event a security incident?", defined as an event in which a security attribute (C/P, I/A, A/U) of an asset was compromised.
Enumeration changes
-------------------
* Removed "No" from 'security_incident' (formerly security_compromise) and added options of "False positive" and "Near miss" (*Need feedback)
* Added in enumeration for targeted with values of "Unknown", "NA",
"Opportunistic", "Targeted"
* Added "S - Code repository" to enum for asset.variety
* Integrity variety, changed instances of "Modified" to "Modify" to
match tense
* Actor motive, added "Convenience" (intentionally bypassing controls
for convenience)
* Discovery method, added "Int - Unknown" and "Ext - Unknown"
* Hacking variety: Added "Virtual machine escape"
* Ownership, created enumerations of "Victim", "Employee", "Partner",
"Customer", "Unknown", "NA"
* Management, created enumerations of "Internal", "External", "Unknown", "NA"
* Hosting, created enumerations of "Internal", "External - shared",
"External - dedicated", "External", "Unknown", "NA"
* Cloud, changed enumerations to be the component of cloud:
"Hypervisor", "Partner application", "Hosting governance",
"Customer attack", "Hosting error", "User breakout", "Unknown",
"Other"
* accessibility, created enumerations of "External", "Internal",
"Isolated", "Unknown", "NA"
* Malware variety, added "Click fraud" to represent
"Click Fraud/Bitcoin mining"
* Asset variety, changed "U - ATM" to "T - ATM" (kiosk/public facing
user device)
* Asset variety, changed "U - Gas terminal" to "T - Gas terminal"
(kiosk/public facing user device)
* Asset variety, changed "U - PED pad" to "T - PED pad" (kiosk/public
facing user device)
* Asset variety, changed "U - Kiosk" to "T - Kiosk" (kiosk/public
facing user device)
* Hacking vector: Added "Partner" to represent partner connection or
credential
* Converted the country enumeration to two-letter (alpha-2) codes from ISO 3166
* Removed the "role" of the actor; it appears to be highly correlated with motive and therefore redundant.
* Removing value of "S - Other Server" in the asset variety since
"S - Other" exists
Version 1.1 (from initial release)
==================================
Schema changes
--------------
* "security_compromise" field is now required
* Any field that is an enumeration whose enumeration includes an "Unknown" value is now required
* Malware CVE, Malware name and Hacking name are changed from an array
to a string
* Investigation date is no longer required
* Added support for a "plus" section and allowing it to be anything
(place for localized data collection and personalized extension of
the schema)
* Added in an optional "reference" field as a string, so other references
or sources could be listed
Enumeration changes
-------------------
* Removed "public_disclosure" from the enumerations (not used)
* Modified employee_count to include options for "Small" and "Large" when
more precise numbers are not known
* External variety, changed "State-sponsored" to "State-affiliated"
* Internal variety, changed "Administrator" to "System admin"
* Malware variety, changed "Client-side" to "Client-side attack"
* Malware variety, changed "Spyware" to "Spyware/keylogger"
* Malware variety, changed "Utility" to "Adminware"
* Hacking variety, changed "Backdoor or C2" to "Use of backdoor or C2"
* Hacking variety, changed "Stolen creds" to "Use of stolen creds"
* Hacking vector, changed "Shell" to "Command shell"
* Social target, changed "Administrator" to "System admin"
* Asset, added "S - Other"
* Asset, changed "P - Administrator" to "P - System admin"
* Fixed typo in South Korea, removed white space at the end of the name.
* Country, changed "Russian Federation" to "Russia"
* Country, changed "United States of America" to "United States"