You may not be aware of the fact that the #spiffy Verizon Biz folk have some VERIS open source components, one of which is the XML schema for the “Vocabulary for Event Recording and Incident Sharing”.
While most Java-backends will readily slurp up and spit back archaic XML data, the modern web is a JSON world and I wanted to take a stab at encoding the sample incident in JSON format since I’m pretty convinced this type of data is definitely a NoSQL candidate and that JSON is the future.
I didn’t run this past the VZB folk prior to the post, but I think I got it right (well, it validates, at least :-) :
{
"VERIS_community": {
"incident": {
"incident_uid": "String",
"handler_id": "String",
"security_compromise": "String",
"related_incidents": { "related_incident_id": "String" },
"summary": "String",
"notes": "String",
"victim": {
"victim_id": "String",
"industry": "000",
"employee_count": "25,001 to 50,000",
"location": {
"country": "String",
"region": "String"
},
"revenue": {
"amount": "0",
"iso_currency_code": "USD"
},
"security_budget": {
"amount": "0",
"iso_currency_code": "USD"
},
"notes": "String"
},
"agent": [
{
"motive": "String",
"role": "String",
"notes": "String"
},
{
"type": "External",
"motive": "String",
"role": "String",
"notes": "String",
"external_variety": "String",
"origins": {
"origin": {
"country": "String",
"region": "String"
}
},
"ips": { "ip": "String" }
},
{
"type": "Internal",
"motive": "String",
"role": "String",
"notes": "String",
"internal_variety": "String"
},
{
"type": "Partner",
"motive": "String",
"role": "String",
"notes": "String",
"industry": "0000",
"origins": {
"origin": {
"country": "String",
"region": "String"
}
}
}
],
"action": [
{ "notes": "Some notes about a generic action." },
{
"type": "Malware",
"notes": "String",
"malware_function": "String",
"malware_vector": "String",
"cves": { "cve": "String" },
"names": { "name": "String" },
"filenames": { "filename": "String" },
"hash_values": { "hash_value": "String" },
"outbound_IPs": { "outbound_IP": "String" },
"outbound_URLs": { "outbound_URL": "String" }
},
{
"type": "Hacking",
"notes": "String",
"hacking_method": "String",
"hacking_vector": "String",
"cves": { "cve": "String" }
},
{
"type": "Social",
"notes": "String",
"social_tactic": "String",
"social_channel": "String",
"email": {
"addresses": { "address": "String" },
"subject_lines": { "subject_line": "String" },
"urls": { "url": "String" }
}
},
{
"type": "Misuse",
"notes": "Notes for a misuse action.",
"misuse_variety": "String",
"misuse_venue": "String"
},
{
"type": "Physical",
"notes": "Notes for a physical action.",
"physical_variety": "String",
"physical_location": "String",
"physical_access": "String"
},
{
"type": "Error",
"notes": "Notes for a Error action.",
"error_variety": "String",
"error_reason": "String"
},
{
"type": "Environmental",
"notes": "Notes for a environmental action.",
"environmental_variety": "String"
}
],
"assets": {
"asset_variety": "String",
"asset_ownership": "String",
"asset_hosting": "String",
"asset_management": "String",
"os": "String",
"notes": "String"
},
"attribute": [
{ "notes": "String" },
{
"type": "ConfidentialityPossession",
"notes": "String",
"data_disclosure": "String",
"data": {
"data_variety": "String",
"amount": "0"
},
"data_state": "String"
},
{
"type": "AvailabilityUtility",
"notes": "String",
"availability_utility_variety": "String",
"availability_utility_duration": "String"
}
],
"timeline": {
"timestamp_first_known_action": {
"year": "2001",
"month": "--12",
"day": "---17",
"time": "14:20:00.0Z"
},
"timestamp_data_exfiltration": {
"year": "2001",
"month": "--12",
"day": "---17",
"time": "14:20:00.0Z"
},
"timestamp_incident_discovery": {
"year": "2001",
"month": "--12",
"day": "---17",
"time": "14:20:00.0Z"
},
"timestamp_containment": {
"year": "2001",
"month": "--12",
"day": "---17",
"time": "14:20:00.0Z"
},
"timestamp_initial_compromise": {
"year": "2001",
"month": "--12",
"day": "---17",
"time": "14:20:00.0Z"
},
"timestamp_investigation": {
"year": "2001",
"month": "--12",
"day": "---17",
"time": "14:20:00.0Z"
}
},
"discovery_method": "String",
"control_failure": "String",
"corrective_action": "String",
"loss": {
"loss_variety": "String",
"loss_amount": {
"amount": "0",
"iso_currency_code": "USD"
}
},
"impact_rating": "String",
"impact_estimate": {
"amount": "0",
"iso_currency_code": "USD"
},
"certainty": "String"
}
}
}
I believe I’d advocate for the “timestamps” to be more timestamp-y in the JSON version (the dashes do not make much sense to me even in the XML version) and any fields with min/max range values to be separated to actual min & max fields. I’m going try to find some cycles to mock up a MongoDB / Node.js sample to show how this JSON format would work. At a minimum, even a rough conversion from XML to JSON when requested by a browser would make it easier for client-side data rendering/manipulation.
If you’re not thinking about using VERIS for documenting incidents or hounding your vendors to enable easier support for it, you should be. If you’re skittish about recording incidents anonymously into the VERIS Community, you should get over it (barring capacity constraints).
2 Comments
DO WANT.
Seriously, everything our developers write now handles JSON.
hrbrmstr,
Are you building an internal incident reporting app? Very cool!
I wonder if folks would be more willing to share with the VERIS community if they could filter and export incidents in a local app, then upload to public?