The Vocabulary for Event Recording and Incident Sharing (VERIS) provides a common language for describing security incidents in a structured and repeatable manner. The overall goal is to lay a foundation from which cyber analysts can constructively and cooperatively learn to better measure and manage risk.
VERIS employs a threat model with four primary axes, the "A4" model, to describe incidents. The four axes are Actor, Action, Asset, and Attributes (see the axis table below).
Each axis has a categorized set of values, called an enumeration, associated with it. Incidents are classified with one or more of those enumeration values for each axis. Examples of incidents mapped to VERIS can be seen in the VERIS Community Database. One other axis outside the A4 model is the Value Chain, which represents pre-attack activities. These activities are essential to a successful campaign and are very closely associated with an entire category of behavior.
In this document, VERIS enumeration values follow the form [Axis].[Category].[Subcategory].[Value]; for example, Action.Malware.Variety.C2 corresponds to the C2 value in the Action axis, Malware category, Variety subcategory.
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK focuses on how external adversaries compromise and operate within computer information networks. ATT&CK describes adversary behaviors using the following core components: tactics, techniques, and sub-techniques.
Adversary behaviors can be described by mapping them to the appropriate tactics, techniques, and sub-techniques in ATT&CK.
The 2021 mapping project took enumeration values in VERIS and mapped them to ATT&CK Enterprise Techniques. The resultant mappings could be used to either take a VERIS enumeration value and come up with a list of ATT&CK techniques and sub-techniques, or to take an ATT&CK technique or sub-technique and come up with a list of VERIS enumeration values.
The 2023 update to the mapping project continues the work of the original integration project by updating and expanding the mapping and translation layer between VERIS and ATT&CK to enhance the community's ability to pivot from VERIS to ATT&CK Techniques related to a particular incident. In addition, the documentation has been updated and expanded to provide updated use cases and new scenario examples that further demonstrate how the mappings can support describing and communicating information about security incidents.
Note that some VERIS axes and enumeration values cannot be mapped cleanly to ATT&CK; therefore this project maps onto a subset of the axes and enumerations, as detailed in the tables below.
Axis | Description | In Scope | Comments |
---|---|---|---|
Actor | Whose actions affected the asset? | Yes | Aligns with ATT&CK groups of adversarial activity clusters tracked by common names in the security community. |
Action | What actions affected the asset? | Yes | Describes adversary behaviors performed by hands-on-keyboard attackers or automated by software/malware. |
Asset | Which assets were affected? | No | Does not describe adversary behavior. |
Attributes | How was the asset affected? | Yes | Describes strategic and tactical impact. |
Value Chain | Capabilities and investments an attacker must acquire prior to the actions on target. | Yes | Aligns with ATT&CK Tactic TA0042 Resource Development. |
Within each of the axes that describe adversary behaviors, the scope is further narrowed based on whether the adversary behaviors for a particular enumeration category align to ATT&CK. For example, ATT&CK does not cover unintentional errors or natural disasters and therefore the Error and Environmental enumeration categories in the Action axis are not mapped.
Category | Description | In Scope | Comments |
---|---|---|---|
Malware | Automated activity | Yes | Describes any malicious software, script, or code run on a device that alters state or function without informed consent. |
Hacking | Hands-on-keyboard activity | Yes | Describes all attempts to intentionally access or harm information assets without (or exceeding) authorization. |
Social | Exploitation of human element | Yes | Describes use of deception, manipulation, intimidation, etc., to exploit users of information assets. |
Misuse | Unapproved use of access | Yes | Describes actor-focused categorizations, not behaviors. |
Physical | Actions involving proximity | No | Describes physical attacks, which are out of scope for ATT&CK. |
Error | Unintentional actions | No | Does not describe intentionally malicious behavior by an adversary, and therefore out of scope for ATT&CK. |
Environmental | Natural disaster events | No | Describes physical accidents and not intentionally malicious actions. |
Category | Description | In Scope | Comments |
---|---|---|---|
Confidentiality/Possession | Data disclosure | Partial | Describes both tactical and strategic goals. Tactical goals are in-scope and mapped to ATT&CK. |
Integrity/Authenticity | State of system changed | Partial | Describes both tactical and strategic goals. Tactical goals are in-scope and mapped to ATT&CK. |
Availability/Utility | Availability of system(s) impacted | Partial | Describes both tactical and strategic goals. Tactical goals are in-scope and mapped to ATT&CK. |
Category | Description | In Scope | Comments |
---|---|---|---|
Development | Software that must be developed to accomplish the actions on target | Yes | Describes activities establishing capabilities and infrastructure. |
Distribution | Services used to distribute actor content | Yes | Describes activities for establishing delivery mechanisms. |
Non-Distribution Services | Services other than those used for distribution of actor content | Yes | Describes staging activities for engagement. |
Targeting | Things that identify exploitable opportunities | Yes | Aligns with ATT&CK Tactic TA0042 Resource Development. |
Cash-Out | Methods for converting something into currency | No | Describes activities after involvement with victim. |
Money Laundering | Methods for concealing the origins of illegally obtained money | No | Describes activities after involvement with victim. |
Based on those scoping decisions, the mappings were created by analyzing each in-scope ATT&CK technique/sub-technique and each in-scope VERIS enumeration value. VERIS and ATT&CK are at different levels of abstraction and cannot always perfectly describe the adversary behaviors that they are meant to represent. Some amount of analyst judgment is required, and whenever judgment is involved, there can be differences of opinion. The following design decisions document our judgment and rationale.
Mappings are many-to-many:
VERIS enumeration values are mapped to the most specific ATT&CK entity that applies:
ATT&CK techniques are considered in the context of their descriptions and adversary goals:
Any remaining [sub-]techniques are mapped to one of these:
Any techniques that have unspecified components of adversary behavior are mapped to one of these:
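As an added example (not code from the VERIS/ATT&CK mapping project), the following Python parses enumeration values in the [Axis].[Category].[Subcategory].[Value] form introduced earlier, applies the axis and category scoping rules from the tables above, and builds a many-to-many lookup in both directions. The sample VERIS/technique pairs at the end are constructed for illustration and are not the project's mappings.

```python
"""Added example (not the mapping project's code): parse VERIS values, apply the
scoping tables above, and build a many-to-many VERIS<->ATT&CK index."""
from collections import defaultdict

# Scope decisions transcribed from the axis and category tables above.
IN_SCOPE_AXES = {"actor", "action", "attribute", "value chain"}
PARTIAL_AXES = {"attribute"}  # only tactical goals are mapped
OUT_OF_SCOPE_CATEGORIES = {
    "action": {"physical", "error", "environmental"},
    "value chain": {"cash-out", "money laundering"},
}

def _norm(name):
    """Normalise spellings such as 'Value_Chain' or 'Attributes' for lookup."""
    name = name.lower().replace("_", " ").strip()
    return "attribute" if name == "attributes" else name

def parse_veris(text):
    """Split 'Action.Malware.Variety.C2' into (axis, category, subcategory, value)."""
    parts = text.split(".")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"expected Axis.Category.Subcategory.Value, got {text!r}")
    return tuple(parts)

def scope_of(text):
    """Return 'yes', 'partial' or 'no' for a VERIS value under the scoping tables."""
    axis, category, _, _ = parse_veris(text)
    axis, category = _norm(axis), _norm(category)
    if axis not in IN_SCOPE_AXES:
        return "no"  # e.g. the Asset axis describes no adversary behaviour
    if category in OUT_OF_SCOPE_CATEGORIES.get(axis, set()):
        return "no"  # e.g. Action.Error or Value Chain.Cash-Out
    return "partial" if axis in PARTIAL_AXES else "yes"

def build_index(pairs):
    """Build both directions of a many-to-many mapping from (veris, technique)
    pairs, rejecting any VERIS value the scoping tables place out of scope."""
    veris_to_attack, attack_to_veris = defaultdict(set), defaultdict(set)
    for veris, technique in pairs:
        if scope_of(veris) == "no":
            raise ValueError(f"{veris} is out of scope for the mapping")
        veris_to_attack[veris].add(technique)
        attack_to_veris[technique].add(veris)
    return dict(veris_to_attack), dict(attack_to_veris)

# Constructed sample pairs for illustration only, not the project's mappings;
# one VERIS value maps to two techniques and one technique to two values.
SAMPLE_PAIRS = [
    ("Action.Malware.Variety.C2", "T1071"),
    ("Action.Malware.Variety.C2", "T1105"),
    ("Action.Malware.Variety.Downloader", "T1105"),
]
```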