VERIS MAPPING METHODOLOGY

Mapping Overview

The Vocabulary for Event Recording and Incident Sharing (VERIS) provides a common language for describing security incidents in a structured and repeatable manner. The overall goal is to lay a foundation from which cyber analysts can constructively and cooperatively learn to better measure and manage risk.

VERIS employs a threat model with four primary axes, the "A4" model, to describe incidents. The four axes are Actor, Action, Asset, and Attributes.

Each axis has a categorized set of values, called an enumeration, associated with it. Incidents are classified with one or more of those enumeration values for each axis. Examples of incidents mapped to VERIS can be seen in the VERIS Community Database. One other axis outside the A4 model is the Value Chain, which represents pre-attack activities. These activities are essential to a successful campaign and are closely associated with an entire category of behavior.

In this document, VERIS enumeration values follow the form [Axis].[Category].[Subcategory].[Value]; for example, Action.Malware.Variety.C2 corresponds to the C2 value in the Action axis, Malware category, Variety subcategory.

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK focuses on how external adversaries compromise and operate within computer information networks. ATT&CK describes adversary behaviors using the following core components: tactics, techniques, and sub-techniques.

Adversary behaviors can be described by mapping them to the appropriate tactics, techniques, and sub-techniques in ATT&CK.

The 2021 mapping project took enumeration values in VERIS and mapped them to ATT&CK Enterprise Techniques. The resultant mappings could be used to either take a VERIS enumeration value and come up with a list of ATT&CK techniques and sub-techniques, or to take an ATT&CK technique or sub-technique and come up with a list of VERIS enumeration values.

The 2023 update to the mapping project continues the work of the original integration project by updating and expanding the mapping and translation layer between VERIS and ATT&CK to enhance the community's ability to pivot from VERIS to ATT&CK Techniques related to a particular incident. In addition, the documentation has been updated and expanded to provide updated use cases and new scenario examples that further demonstrate how the mappings can support describing and communicating information about security incidents.

Mapping Scope

Axis Scope

Note that some VERIS axes and enumeration values cannot be mapped cleanly to ATT&CK; therefore this project maps onto a subset of the axes and enumerations as detailed here.

| Axis | Description | In Scope | Comments |
|---|---|---|---|
| Actor | Whose actions affected the asset? | Yes | Aligns with ATT&CK groups of adversarial activity clusters tracked by common names in the security community. |
| Action | What actions affected the asset? | Yes | Describes adversary behaviors performed by hands-on-keyboard attackers or automated by software/malware. |
| Asset | Which assets were affected? | No | Does not describe adversary behavior. |
| Attributes | How was the asset affected? | Yes | Describes strategic and tactical impact. |
| Value Chain | Capabilities and investments an attacker must acquire prior to the actions on target. | Yes | Aligns with ATT&CK Tactic TA0042 Resource Development. |

Action Axis Scope

Within each of the axes that describe adversary behaviors, the scope is further narrowed based on whether the adversary behaviors for a particular enumeration category align to ATT&CK. For example, ATT&CK does not cover unintentional errors or natural disasters and therefore the Error and Environmental enumeration categories in the Action axis are not mapped.

| Category | Description | In Scope | Comments |
|---|---|---|---|
| Malware | Automated activity | Yes | Describes any malicious software, script, or code run on a device that alters state or function without informed consent. |
| Hacking | Hands-on-keyboard activity | Yes | Describes all attempts to intentionally access or harm information assets without (or exceeding) authorization. |
| Social | Exploitation of human element | Yes | Describes use of deception, manipulation, intimidation, etc., to exploit users of information assets. |
| Misuse | Unapproved use of access | Yes | Describes actor-focused categorizations, not behaviors. |
| Physical | Actions involving proximity | No | Describes physical attacks, which are out of scope for ATT&CK. |
| Error | Unintentional actions | No | Does not describe intentionally malicious behavior by an adversary, and therefore out of scope for ATT&CK. |
| Environmental | Natural disaster events | No | Describes physical accidents and not intentionally malicious actions. |

Attribute Axis Scope

| Category | Description | In Scope | Comments |
|---|---|---|---|
| Confidentiality/Possession | Data disclosure | Partial | Describes both tactical and strategic goals. Tactical goals are in scope and mapped to ATT&CK. |
| Integrity/Authenticity | State of system changed | Partial | Describes both tactical and strategic goals. Tactical goals are in scope and mapped to ATT&CK. |
| Availability/Utility | Availability of system(s) impacted | Partial | Describes both tactical and strategic goals. Tactical goals are in scope and mapped to ATT&CK. |

Value Chain Axis Scope

| Category | Description | In Scope | Comments |
|---|---|---|---|
| Development | Software that must be developed to accomplish the actions on target | Yes | Describes activities establishing capabilities and infrastructure. |
| Distribution | Services used to distribute actor content | Yes | Describes activities for establishing delivery mechanisms. |
| Non-Distribution Services | Services other than those used for distribution of actor content | Yes | Describes staging activities for engagement. |
| Targeting | Things that identify exploitable opportunities | Yes | Aligns with ATT&CK Tactic TA0042 Resource Development. |
| Cash-Out | Methods for converting something into currency | No | Describes activities after involvement with victim. |
| Money Laundering | Methods for concealing the origins of illegally obtained money | No | Describes activities after involvement with victim. |
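The enumeration format from the Mapping Overview, the bidirectional VERIS-to-ATT&CK lookup described for the 2021 mappings, and the scoping rules from the tables above, combined in one added example. This is illustrative code, not the mapping project's own tooling; the axis labels follow this document's tables rather than the VERIS schema's key names, and the sample mapping entries and technique IDs are constructed for illustration only.

```python
"""Illustrative VERIS <-> ATT&CK mapping index (added example, not project code)."""
from collections import defaultdict
from typing import NamedTuple

# Scope decisions taken from the Axis, Action and Value Chain tables above.
# Assumption: Actor and Attributes carry no category-level exclusions here.
IN_SCOPE_AXES = {"Actor", "Action", "Attributes", "Value Chain"}   # Asset excluded
OUT_OF_SCOPE_CATEGORIES = {
    "Action": {"Physical", "Error", "Environmental"},
    "Value Chain": {"Cash-Out", "Money Laundering"},
}

class VerisValue(NamedTuple):
    axis: str
    category: str
    subcategory: str
    value: str

def parse_veris(enum: str) -> VerisValue:
    """Split 'Action.Malware.Variety.C2' into Axis.Category.Subcategory.Value."""
    parts = enum.split(".")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"expected Axis.Category.Subcategory.Value, got {enum!r}")
    return VerisValue(*parts)

def in_scope(v: VerisValue) -> bool:
    """Apply the axis-level and category-level scoping rules."""
    return v.axis in IN_SCOPE_AXES and v.category not in OUT_OF_SCOPE_CATEGORIES.get(v.axis, set())

class MappingIndex:
    """Many-to-many index queryable from either side."""
    def __init__(self) -> None:
        self.veris_to_attack = defaultdict(set)
        self.attack_to_veris = defaultdict(set)

    def add(self, enum: str, technique_id: str) -> bool:
        """Record one mapping; returns False and skips it when out of scope."""
        v = parse_veris(enum)
        if not in_scope(v):
            return False
        self.veris_to_attack[enum].add(technique_id)
        self.attack_to_veris[technique_id].add(enum)
        return True

    def techniques_for(self, enum: str) -> list:
        return sorted(self.veris_to_attack.get(enum, ()))

    def veris_for(self, technique_id: str) -> list:
        return sorted(self.attack_to_veris.get(technique_id, ()))

# Constructed sample mappings for illustration; not the project's mapping data.
SAMPLE_MAPPINGS = [
    ("Action.Malware.Variety.C2", "T1071"),
    ("Action.Malware.Variety.C2", "T1095"),
    ("Action.Hacking.Variety.Brute force", "T1110"),
    ("Action.Error.Variety.Misconfiguration", "T1552"),        # Error: out of scope
    ("Value Chain.Cash-Out.Variety.Cryptocurrency", "T1496"),  # Cash-Out: out of scope
]

def build_sample_index() -> MappingIndex:
    idx = MappingIndex()
    for enum, tid in SAMPLE_MAPPINGS:
        idx.add(enum, tid)
    return idx
```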

Mapping Philosophy and Process

Based on those scoping decisions, the mappings were created by analyzing each in-scope ATT&CK technique/sub-technique and each in-scope VERIS enumeration value. VERIS and ATT&CK are at different levels of abstraction and cannot always perfectly describe the adversary behaviors that they are meant to represent. Some amount of analyst judgment is required, and whenever judgment is involved, there can be differences of opinion. These design decisions document our judgment and rationale.

Guiding Principles and Design Decisions

Mappings are many-to-many:

VERIS enumeration values are mapped to the most specific ATT&CK entity that applies:

ATT&CK techniques are considered in the context of their descriptions and adversary goals:

Any remaining [sub-]techniques are mapped to one of these:

Any techniques that have unspecified components of adversary behavior are mapped to one of these: