forked from vz-risk/veris
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathchangelog
225 lines (206 loc) · 11.2 KB
/
changelog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
Version 1.3.4
=============
129-10-31
* Added assets desktop/laptop hierarchy per issues #263
* Removed country requirement per issues #262
* structured credit monitoring fields per issues #260
* structured partner data fields per issues #259
* Added validation for 'other' value 000001 in victim/actor country per issues #252
* Updated 'customer' definition in data_victim to include member per issues #248
* Better defined misrepresentation per issues #244
* Updated description of secondary.victim_id to include naics per issues #238
* made asset.cloud manditory per issues #236 and issues #225
* added email and associated hierarchy to malware.vector per issues #232
* updated 'executive' definition per issues #224
* improved naics validation per issues #223
* added RAT and malware.variety.trojan per issues #215
* added 'escrow' to value_chain per issues #214
* added 'insecure deserialization' per issues #213
* updated 'asset and fraud' definition per issues #212
* added parent-child relationships to descriptions per issues #205
* added 'role' (it/ot) to asset per issues #201
* split 'end-user' and 'employee' in action.social.target but not actor.internal.variety per issues #150
* added physical.variety.snap a picture per issues #93
Version 1.3.3
=============
18-11-29
VERIS has been updated to version 1.3.3. This mostly contains enumeration additions, but has some which affect parsing.
For example, 'discovery_method' was previously a flat list. It is now an object of the form discovery_method.<internal/external/partner>.variety.<enum>. Additionally, several implicit hierarchies have bene formalized in rules.py.
Additionally some under-used fields have been merged with others or removed. See the conversion script for exactly what's happening.
Additionally, almost all tooling has been updated for python3. This may cause issues as python2 limportlib does not work the same as post python3.6 importlib. mergeschema.py must still be run as python2 currently as python3 is not able to serialize the ordereddict (used to keep the schema files in a certain order).
Version 1.3
===========
Schema changes
--------------
* Schema has been documented using ietf.org draft 4 specifications: http://tools.ietf.org/html/draft-fge-json-schema-validation-00
* Add new actor.internal.job_change field (see enumerations below)
* Changes asset.country to an array so that we can model assets that exist in multiple countries.
* Changes victim.country to an array rather than a string.
* Adds a discovery_notes field to describe the discovery in greater detail.
* Removes asset.management, asset.hosting, asset.ownership, and asset.accessibility
* Added asset.governance. This is intended to capture interesting facts about the management of the asset but is not intended to be all-inclusive or apply to all assets. E.g. there would be no selection if a person was the affected asset.
* Removes the existing physical.vector enumeration and renames physical.location to physical.vector. Some of the values from the old physical.vector are now in physical.variety.
* Adds new attribute.confidentiality.data_victim (see enumerations below)
* Adds six character region array to actor.external, actor.partner, and victim.
* Adds actor.external.name, an array of strings used to identify the actor such as 'Syrian Electronic Army' or 'Zero Cool'.
* Renames the related_incidents field to campaign_id
Enumeration changes
-------------------
* actor.motive: Added "Secondary"
* action.hacking.variety: Added "Pass-the-hash"
* attribute.integrity.variety: Added "Defacement"
* attribute.integrity.variety: Renamed "Misappropriation" to "Repurpose"
* attribute.confidentiality.data.variety: Added "Source code"
* attribute.confidentiality.data.variety: Added "Vitual Currency"
* asset.assets.variety: Added "S - Unknown"
* attribute.confidentiality.data.variety: Added "Digital certificate"
* action.misuse.variety: Renamed "Embezzlement" to "Possession abuse"
* action.physical.variety: Renamed "Sabotage" to "Destruction"
* malware.vector: Added "Software update"
* discovery_method: Renamed "Int - reported by user" to "Int - reported by employee"
* discovery_method: Renamed "Int - IT audit" to "Int - IT review"
* action.physical.variety: Added "Skimmer"
* asset.accessibility: Removed all enumerations
* asset.hosting: Removed all enumerations
* asset.management: Removed all enumerations
* asset.ownership: Removed all enumerations
* action.phyiscal.vector: Removed all enumerations
* action.physical.location: Renamed to action.physical.vector
* action.physical.vector: Added "Visitor privileges"
* action.physical.vector: Added "Uncontrolled location"
* action.physical.vector: Added "Privileged access"
* action.physical.variety: Added "Bypassed controls"
* action.physical.variety: Added "Disabled controls""
* attribute.confidentiality.data_victim: Added "Customer"
* attribute.confidentiality.data_victim: Added "Employee"
* attribute.confidentiality.data_victim: Added "Other"
* attribute.confidentiality.data_victim: Added "Partner"
* attribute.confidentiality.data_victim: Added "Patient"
* attribute.confidentiality.data_victim: Added "Student"
* attribute.confidentiality.data_victim: Added "Unknown"
* actor.internal.job_change: Added "Hired"
* actor.internal.job_change: Added "Promoted"
* actor.internal.job_change: Added "Lateral move"
* actor.internal.job_change: Added "Resigned"
* actor.internal.job_change: Added "Let go"
* actor.internal.job_change: Added "Demoted"
* actor.internal.job_change: Added "Passed over"
* actor.internal.job_change: Added "Unknown"
* actor.internal.job_change: Added "Other"
* actor.internal.job_change: Added "Reprimanded"
* actor.internal.job_change: Added "Job eval"
* actor.internal.job_change: Added "Personal issues"
* discovery_method: Removed "Ext - unrelated party"
* discovery_method: Added "Prt - monitoring service"
* discovery_method: Added "Prt - audit"
* discovery_method: Added "Prt - antivirus"
* discovery_method: Added "Prt - incident response"
* discovery_method: Added "Prt - Unknown"
* discovery_method: Added "Prt - Other"
* discovery_method: Added "Ext - incident response"
* discovery_method: Added "Ext - found documents"
* discovery_method: Added "Ext - suspicious traffic"
* discovery_method: Added "Ext - emergency response team"
* discovery_method: Added "Int - data loss prevention"
* discovery_method: Added "Int - infrastructure monitoring"
* asset.governance: Added "Personally owned"
* asset.governance: Added "3rd party owned"
* asset.governance: Added "3rd party managed"
* asset.governance: Added "3rd party hosted"
* asset.governance: Added "Internally isolated"
* asset.governance: Added "Unknown"
Version 1.2
===========
Schema changes
--------------
* Removed investigation date completely
* Added field for target section, called "targeted" (not required)
* Replaced "personal" boolean with "ownership" field for enumeration
listing
* Changed "management" boolean into enumeration listing
* Changed "hosting" boolean into enumeration listing
* Added field "accessibility" for enumeration listing, for where the
asset is in the network (internal facing or internet facing, etc),
will not be associated on a per asset basis.
* Changed "asset" to be required
* Make attribute section not required (near miss, false alarms, etc)
* Change "security_compromise" to "security_incident" to make it more
clear what this variable tracks. This essentially asks "Was this
event a security incident (defined as an event in which a security
attribute (C/P, I/A, A/U) of an asset was compromised).
Enumeration changes
-------------------
* Removed "No" from 'security_incident' (formerly security_compromise),
and add options of "False positive" and "Near miss" *Need feedback
* Added in enumeration for targeted with values of "Unknown", "NA",
"Opportunistic", "Targeted"
* Added "S - Code repository" to enum for asset.variety
* Integrity variety, changed instances of "Modified" to "Modify" to
match tense
* Actor motive, added "Convenience" (intentionally bypassing controls
for convenience)
* Discovery method, added "Int - Unknown" and "Ext - Unknown"
* Hacking variety: Added "Virtual machine escape"
* Ownership, created enumerations of "Victim", "Employee", "Partner",
"Customer", "Unknown", "NA"
* Management, created enumerations of "Internal", "External",
"Unknown","NA"
* Hosting, created enumerations of "Internal", "External - shared",
"External - dedicated", "External", "Unknown", "NA"
* Cloud, changed enumerations to be the component of cloud:
"Hypervisor", "Partner application", "Hosting governance",
"Customer attack", "Hosting error", "User breakout", "Unknown",
"Other"
* accessibility, created enumerations of "External", "Internal",
"Isolated", "Unknown", "NA"
* Malware variety, added "Click fraud" to represent
"Click Fraud/Bitcoin mining"
* Asset variety, changed "U - ATM" to "T - ATM" (kiosk/public facing
user device)
* Asset variety, changed "U - Gas terminal" to "T - Gas terminal"
(kiosk/public facing user device)
* Asset variety, changed "U - PED pad" to "T - PED pad" (kiosk/public
facing user device)
* Asset variety, changed "U - Kiosk" to "T - Kiosk" (kiosk/public
facing user device)
* Hacking vector: Added "Partner" to represent partner connection or
credential
* Convert the country enumeration to be 2-digit codes from ISO 3166
* Removing the "role" of the actor, it appears to be highly correlated
to motive and redundant.
* Removing value of "S - Other Server" in the asset variety since
"S - Other" exists
Version 1.1 (from initial release)
==================================
Schema changes
--------------
* "security_compromise" field is now required
* Any field that is an enumeration, and that enumerations has an
"Unknown" value is now required
* Malware CVE, Malware name and Hacking name are changed from an array
to a string
* Investigation date is no longer required
* Added support for a "plus" section and allowing it to be anything
(place for localized data collection and personalized extension of
the schema)
* Added in an optional "reference" field as a string, so other references
or sources could be listed
Enumeration changes
-------------------
* Removed "public_disclosure" from the enumerations, not used
* Modified employee_count to include options for "Small" and "Large" when
more precise numbers are not known
* External variety, changed "State-sponsored" to "State-affiliated"
* Internal variety, changed "Administrator" to "System admin"
* Malware variety, changed "Client-side" to "Client-side attack"
* Malware variety, changed "Spyware" to "Spyware/keylogger"
* Malware variety, changed "Utility" to "Adminware"
* Hacking variety, changed "Backdoor or C2" to "Use of backdoor or C2"
* Hacking variety, changed "Stolen creds" to "Use of stolen creds"
* Hacking vector, changed "Shell" to "Command shell"
* Social target, changed "Administrator" to "System admin"
* Asset, added "S - Other"
* Asset, changed "P - Administrator" to "P - System admin"
* Fixed typo in South Korea, removed white space at the end of the name.
* Country, changed "Russian Federation" to "Russia"
* Country, changed "United States of America" to "United States"