SQLite forensic's notes
Start your own Cyber Threat Intelligence based on Data Breaches
But how can we decide the priorities? Cyber attackers often look backward more than forward, so it is sufficient to analyze what has happened so far and act accordingly. Sounds easy, but what has happened so far?
We all know the so-called Cyber Threat Intelligence (CTI) Reports: we all read our yearly set of documents – full of statistics, charts, trends and comments – and none of us has any idea about the underlying, often proprietary, data. But when we read those documents, we can note at least the following:
Until now generic CTI reports have helped to identify the most obvious critical issues; now it's time to go further, and we need details about actors, victims, and vectors. Maintaining a list of incidents and statistics is useful, but to make the data usable they must be normalized and include technical, industrial, and social aspects. Many lists and databases exist with data describing actors, victims, impacted assets, and other aspects of an attack, but normally they just describe what happened or categorize only a minimal amount of information.
For specific tasks in the risk management process, it is useful to have solid data and not just perceptions. A good dataset should answer questions like: what is the role of flash drives in incidents? How are flash drives involved in attacks on companies like mine?
To craft our own report, we need raw, high-quality data; we can then observe them from our perspective and extract the facets we need. It is not enough to have columns such as Financial or Malware and a couple of others to highlight – even with limited data – the patterns used in common attacks; we need to know more precisely who the actors are, who the victims are, and what is being manipulated.
The VERIS Database is the most structured and complete database of incidents we have seen; incidents are analyzed, and data – where known – are normalized and verified, so that consistency is maintained. Each incident is described with four elements (the VERIS "A4" model): Actor, Action, Asset, and Attribute.
Furthermore, the victim is assigned to an industrial sector using the NAICS standard (conversion to SIC/ISIC and other classifications is possible); this is fundamental to obtaining data about the companies in our own sector.
As an example, in Manufacturing we have Petroleum and Coal Products Manufacturing and Chemical Manufacturing; although similar, there can be many differences between them, especially in IT standards. Taking a quick look at the data, we can spot the patterns used in attacks and the differences, and adjust our risk matrix:
Pivoting data from the Sector perspective:
| Sector | Asset Variety | Action Variety | Actor |
|---|---|---|---|
| 3240 – Petroleum and Coal Products Manufacturing | S – Database | Misconfiguration | Internal |
| 3250 – Chemical Manufacturing | U – Laptop | Theft | External |
| 3250 – Chemical Manufacturing | M – Payment card | Possession abuse | Internal |
Pivoting data from the Asset perspective:
| Asset Variety | Actor | Action Variety | C-I-A Impact |
|---|---|---|---|
| S – Database | External | Knowledge abuse | CIA |
| S – Database | Internal | Misconfiguration | -IA |
| S – Database | Internal | Abuse of functionality | -IA |
Although they may seem obvious, these are facts! They differ from perceptions and have high value as a starting point or as input to a risk management framework.
The VERIS Database is available as JSON files, very easy to parse with R, Python/pandas/Jupyter, or other tools. For our risk analysis, we prefer to flatten the JSON into CSV, extract the parameters we are interested in, and pivot the data with worksheets.
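The flatten-and-pivot step described above, as an added example that is not part of the original post or of the VERIS project: a standard-library Python script that reads VERIS-shaped incident records, produces one CSV row per (sector, asset, action, actor) combination with the C-I-A impact rendered as in the tables above, and then pivots the rows by whichever columns you choose. The three incidents embedded in the script are constructed, not real; the field names (`victim.industry`, `actor.<kind>`, `action.<category>.variety`, `asset.assets[].variety`, `attribute.<confidentiality|integrity|availability>`) follow the public VERIS schema as the author of this example understands it, and the NAICS label lookup is a local assumption.

```python
"""Flatten VERIS-style incident JSON into CSV rows and pivot them."""
import csv
import io
import json
from collections import Counter

# Constructed sample incidents in the shape of VERIS JSON (assumption: field
# names follow the public VERIS schema). These are NOT real incidents.
SAMPLE_VERIS_JSON = json.dumps([
    {
        "incident_id": "sample-001",
        "victim": {"industry": "3240"},
        "actor": {"internal": {"variety": ["System admin"]}},
        "action": {"error": {"variety": ["Misconfiguration"]}},
        "asset": {"assets": [{"variety": "S - Database"}]},
        "attribute": {"integrity": {}, "availability": {}},
    },
    {
        "incident_id": "sample-002",
        "victim": {"industry": "3250"},
        "actor": {"external": {"variety": ["Unaffiliated"]}},
        "action": {"physical": {"variety": ["Theft"]}},
        "asset": {"assets": [{"variety": "U - Laptop"}]},
        "attribute": {"confidentiality": {}},
    },
    {
        "incident_id": "sample-003",
        "victim": {"industry": "3250"},
        "actor": {"internal": {"variety": ["End-user"]}},
        "action": {"misuse": {"variety": ["Possession abuse"]}},
        "asset": {"assets": [{"variety": "M - Payment card"}]},
        "attribute": {"confidentiality": {}},
    },
])

# NAICS labels used in the tables above (assumption: maintained locally).
NAICS_LABELS = {
    "3240": "Petroleum and Coal Products Manufacturing",
    "3250": "Chemical Manufacturing",
}

FIELDS = ["incident_id", "sector", "asset_variety", "action_variety", "actor", "cia_impact"]


def cia_impact(attribute):
    """Render the attribute keys as a C-I-A string, '-' where an attribute is absent."""
    letters = (("C", "confidentiality"), ("I", "integrity"), ("A", "availability"))
    return "".join(letter if key in attribute else "-" for letter, key in letters)


def flatten(incidents):
    """Turn nested VERIS records into flat rows, one per (asset, action, actor)."""
    rows = []
    for inc in incidents:
        code = inc.get("victim", {}).get("industry", "")
        sector = f"{code} - {NAICS_LABELS.get(code, 'Unknown')}"
        actors = [kind.capitalize() for kind in inc.get("actor", {})]
        actions = [v for cat in inc.get("action", {}).values() for v in cat.get("variety", [])]
        assets = [a.get("variety", "Unknown") for a in inc.get("asset", {}).get("assets", [])]
        impact = cia_impact(inc.get("attribute", {}))
        # Expanding combinations keeps every pivot a plain count over rows.
        for asset in assets or ["Unknown"]:
            for action in actions or ["Unknown"]:
                for actor in actors or ["Unknown"]:
                    rows.append({
                        "incident_id": inc.get("incident_id", ""),
                        "sector": sector,
                        "asset_variety": asset,
                        "action_variety": action,
                        "actor": actor,
                        "cia_impact": impact,
                    })
    return rows


def to_csv(rows):
    """Serialize the flat rows as CSV text ready for a worksheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def pivot(rows, *fields):
    """Count rows by the requested columns, like a worksheet pivot table."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


if __name__ == "__main__":
    flat = flatten(json.loads(SAMPLE_VERIS_JSON))
    print(to_csv(flat))
    # Sector perspective, as in the first table above.
    for key, n in sorted(pivot(flat, "sector", "asset_variety", "action_variety", "actor").items()):
        print(n, *key, sep=" | ")
    # Asset perspective, as in the second table above.
    for key, n in sorted(pivot(flat, "asset_variety", "actor", "action_variety", "cia_impact").items()):
        print(n, *key, sep=" | ")
```

Replace `SAMPLE_VERIS_JSON` with the contents of real VERIS incident files and the same `flatten`/`pivot` calls answer questions such as the flash-drive one above (pivot on `asset_variety` and filter rows whose asset is a removable medium). Each combination is expanded into its own row on purpose: an incident with two assets and two actions contributes four rows, so counts are "asset/action/actor involvements", not incident counts, and a per-incident figure needs a `len({r["incident_id"] for r in rows})` over the filtered rows instead.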
As mentioned before, the VERIS Database is not the only data source on the net. Here are some incident databases:
Here are some other CTI resources:
When doing intelligence work, we look for models that take multiple variables into account; intuition is a good thing, but concrete facts are needed to support decisions on how much to invest and where to allocate resources. It is not an easy job, mostly because, even with incidents happening continuously, there are not enough public data, and what exists is not analyzed and organized in an effective manner. Several initiatives have been undertaken in recent years to at least be able to share data, but we still have a long way ahead.