Version 1.4.0
=============
24-12-23
• https://github.com/vz-risk/veris/issues/481 - Change Action.Malware.MitM to Action.Malware.AitM
• https://github.com/vz-risk/veris/issues/480 - Change Action.Hacking.MitM to Action.Hacking.AitM
• https://github.com/vz-risk/veris/issues/478 - Add a description to Error.vector.carelessness
• https://github.com/vz-risk/veris/issues/477 - Add additional data varieties for "Session keys" and "API keys" for pairing with "Use of stolen credentials"
• https://github.com/vz-risk/veris/issues/476 - Add to Misuse - Password or Session Sharing
• https://github.com/vz-risk/veris/issues/474 - Stop using Social.Extortion for Ransomware - transfer 2023/2024 caseload over
Version 1.3.7
=============
22-11-17
• https://github.com/vz-risk/veris/issues/449 - Updated the definition of baiting to also include SEO websites
• https://github.com/vz-risk/veris/issues/437 - Added the new enumeration of "Sensitive Personal" as a Data variety
• https://github.com/vz-risk/veris/issues/424 - Removed "recently resigned" from definition of Resigned
• https://github.com/vz-risk/veris/issues/423 - Added "default credentials" to definition of "Use of stolen creds"
• https://github.com/vz-risk/veris/issues/420 - Added additional fields to the pci section to better capture existing PCI controls criteria (fields in_place, full_assessed, breach_cause and breach_contribute)
• https://github.com/vz-risk/veris/issues/419 - Changed description of discovery.internal to actually reflect it was indeed discovered by an internal individual
• https://github.com/vz-risk/veris/issues/417 - Added Persist to Results enumeration
• https://github.com/vz-risk/veris/issues/415 - Provided guidance on what we mean by source_id
• https://github.com/vz-risk/veris/issues/452 - Added enumeration action.social.variety.Prompt bombing
• https://github.com/vz-risk/veris/issues/452 - Added enumeration action.hacking.variety.Hijacking
• https://github.com/vz-risk/veris/issues/452 - Added enumeration "Multi-factor credential" to attribute.confidentiality.data_variety
• https://github.com/vz-risk/veris/issues/452 - Added enumeration "M - SIM card" to asset.assets.variety
• https://github.com/vz-risk/veris/issues/451 - Removed the action.error.variety.Omission enumeration and moved values over to "Other"
• https://github.com/vz-risk/veris/issues/429 - Added rule to checkValidity to suggest Interruption with Defacement
Version 1.3.6
=============
21-10-26
• https://github.com/vz-risk/veris/issues/403 - change 'aquire' to 'acquire' in value_chain definition
• https://github.com/vz-risk/veris/issues/406 - Added schema_name field.
• https://github.com/vz-risk/veris/issues/402 - Updated Programming error definition
• https://github.com/vz-risk/veris/issues/385 - Added 'Evasion' enumeration in 'Hacking' and 'Malware'
• https://github.com/vz-risk/veris/issues/376 - Improved Phishing & Pretexting definitions.
• https://github.com/vz-risk/veris/issues/374 - Add 'Other network service' hacking vector
• https://github.com/vz-risk/veris/issues/373 - Add 'Offboarding' to internal discovery variety.
• https://github.com/vz-risk/veris/issues/369 - Attempted to fix typos. May require editing the webapp.
• https://github.com/vz-risk/veris/issues/310 - Updated actor definitions.
• https://github.com/vz-risk/veris/issues/280 - Updated physical in value_chain
• https://github.com/vz-risk/veris/issues/180 - Updated checkValidity to check victim.region
• https://github.com/vz-risk/veris/issues/271 - if action.malware.variety.DoS -> actor.*.motive.Secondary
• https://github.com/vz-risk/veris/issues/383 - Clarify Backdoor and C2. In general, hacking can provide a backdoor. Malware can provide a backdoor or C2. Malware can _use_ C2 and hacking can _use_ a backdoor.
• https://github.com/vz-risk/veris/issues/386 - action.hacking.variety.HTTP Response Splitting -> action.hacking.variety.HTTP response splitting
• https://github.com/vz-risk/veris/issues/401 - action.social.vector.Website -> action.social.vector.Web application (consistent with other actions)
• https://github.com/vz-risk/veris/issues/405 - plus.analysis_status.Needs review -> plus.analysis_status.Ready for review (VCDB & convert_1.3.5_to_1.3.6.py)
• https://github.com/vz-risk/veris/issues/407 - Added update, rules.py, and validation rule to throw an error if victim.secondary.victim_id is populated but not victim.secondary.amount
• https://github.com/vz-risk/veris/issues/404 - Noted that victim.secondary, action.hacking.vector.Secondary, and value_chain.distribution.variety.Secondary indicate a supply chain breach
• https://github.com/vz-risk/veris/issues/315 - Updated hacking and malware varieties to be consistent
• https://github.com/vz-risk/veris/issues/400 - Infer value chain values.
Version 1.3.5
=============
20-12-01
VERIS updates:
• Result description improved
• Included “credential stuffing” in definition of “use of stolen credentials”
• Added value_chain.NA for when no value_chain exists
• Added “partner” to value_chain.targeting and value_chain.distribution to capture ‘supply chain’ breaches.
• Added “In-memory” (only) to malware varieties.
• Added government levels to victim and made it mandatory. (Use “NA” if industry is not NAICS 92)
• Added cryptocurrencies to iso_currency_code fields.
• Fixed “malware.variety.Ram scraper” to “malware.variety.RAM scraper”
• Added “Web application” as vector for all possible actions.
• Renamed “action.social.vector.Website” to “action.social.vector.Web application”
• Renamed “action.malware.vector.Web download” and “action.malware.vector.Web drive-by” to “action.malware.vector.Web application - download” and “action.malware.vector.Web application - drive-by” and set both as children of new parent vector “action.malware.vector.Web application”
• Added “C2” to value_chain.development and “Direct” to value_chain.distribution
• Added “NA”, “Unknown”, “Other”, “Lateral-movement”, and “Deploy payload” to action result fields. Removed “Infiltrate” from misuse result field.
• Updated definition of cloud NA to make it clear not to use it just because an asset is a user device.
• Updated value_chain.targeting to make it clear how to handle ‘targeted’ breaches.
• Corrected code for 142034 from southeast asia to south asia in region field definitions
• Added description to plus.master_id
• Made summary required. PLEASE FILL IN AT LEAST A SENTENCE OR TWO!
• Removed “discovery_method.external.variety.Monitoring service” and changed all data to “discovery_method.partner.variety.Monitoring service”. External.variety.Monitoring Service are consistently miscoded
• Added “XK” for Kosovo in country lists.
• Corrected typo in “data state” enum descriptions
• Updated Action, Actor, Asset, Attribute
• Clarified “actor.external.variety.Organized crime” (it’s a criminal that’s organized, not like crime families)
• Updated “asset.cloud.On-premise assets” description to clarify it includes colo hosting.
• Updated “value_chain.money laundering.NA” description
• Updated “action.misuse.variety.Net misuse” to clarify it includes cloud services
• Data variety definitions (and other definitions in objects in lists) now populate in the webapp
• Webapp version no longer has dashes in place of dots in schema_version
• Lists (plus.event_chain, asset.assets, attribute.confidentiality.data) can now be reordered. Mostly useful for plus.event_chain
• All webapp libraries updated
• Updated “discovery_method.external.variety.Other” definition to include “related 3rd parties”
• checkValidity.py now checks that an internal actor exists if a misuse action exists
VCDB updates:
• “Not applicable” and “Not Applicable” changed to “NA” except for in PCI
• “plus.analysis_status” value “Finalized” changed to “Reviewed” to match DBIR process
• Description updated for “attribute.confidentiality.data_abuse”
verisr updates:
• Value_chain.X now enumerable
• Victim.orgsize.Unknown now added with victim.orgsize.Small/Large
• Character ‘pattern’ column removed
• Improved json2veris error when no input found
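The 1.3.5, 1.3.6 and 1.3.7 entries above each add a consistency rule to checkValidity/rules.py (misuse needs an internal actor; secondary victim_id needs an amount; malware DoS implies a Secondary motive; Defacement suggests Interruption). The block below is an added example of how such rules are implemented over a VERIS-style incident dict; it is not the project's own checkValidity.py, and it assumes the fields nest exactly as the dotted paths in the changelog read. The two sample records are constructed for the example, not VCDB data.

```python
"""Consistency checks in the spirit of VERIS checkValidity.py / rules.py.

Added example, not the VERIS project's own code. It re-implements, over a plain
incident dict, four rules named in this changelog:
  * 1.3.5: a misuse action requires an internal actor
  * 1.3.6: victim.secondary.victim_id without victim.secondary.amount is an error
  * 1.3.6: action.malware.variety.DoS implies actor.*.motive.Secondary
  * 1.3.7: attribute.integrity.variety.Defacement suggests availability.Interruption
Assumption: fields nest exactly as the dotted changelog paths read; check the
real schema's JSON layout before running this over VCDB data.
"""
from typing import Any, Callable, Dict, List, Tuple

Incident = Dict[str, Any]
Finding = Tuple[str, str]  # (severity, message); severity is "error" or "suggestion"


def _get(incident: Incident, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'victim.secondary.amount' through nested dicts."""
    node: Any = incident
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def misuse_requires_internal_actor(incident: Incident) -> List[Finding]:
    if "misuse" in _get(incident, "action", {}) and "internal" not in _get(incident, "actor", {}):
        return [("error", "action.misuse present but no actor.internal")]
    return []


def secondary_victim_needs_amount(incident: Incident) -> List[Finding]:
    secondary = _get(incident, "victim.secondary", {})
    if secondary.get("victim_id") and "amount" not in secondary:
        return [("error", "victim.secondary.victim_id populated but victim.secondary.amount missing")]
    return []


def dos_implies_secondary_motive(incident: Incident) -> List[Finding]:
    if "DoS" not in _get(incident, "action.malware.variety", []):
        return []
    motives = set()
    for actor in _get(incident, "actor", {}).values():  # actor.* : internal/external/partner
        if isinstance(actor, dict):
            motives.update(actor.get("motive", []))
    if "Secondary" not in motives:
        return [("error", "action.malware.variety.DoS without actor.*.motive.Secondary")]
    return []


def defacement_suggests_interruption(incident: Incident) -> List[Finding]:
    defaced = "Defacement" in _get(incident, "attribute.integrity.variety", [])
    interrupted = "Interruption" in _get(incident, "attribute.availability.variety", [])
    if defaced and not interrupted:
        return [("suggestion", "attribute.integrity.variety.Defacement usually pairs with "
                               "attribute.availability.variety.Interruption")]
    return []


RULES: List[Callable[[Incident], List[Finding]]] = [
    misuse_requires_internal_actor,
    secondary_victim_needs_amount,
    dos_implies_secondary_motive,
    defacement_suggests_interruption,
]


def check_validity(incident: Incident) -> List[Finding]:
    """Run every rule and collect findings; an empty list means the record is consistent."""
    findings: List[Finding] = []
    for rule in RULES:
        findings.extend(rule(incident))
    return findings


# Constructed sample records (not real VCDB data). The first violates all four rules.
BAD_INCIDENT: Incident = {
    "schema_version": "1.3.7",
    "action": {"misuse": {"variety": ["Privilege abuse"]},
               "malware": {"variety": ["DoS"]}},
    "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
    "victim": {"secondary": {"victim_id": ["Example Corp"]}},
    "attribute": {"integrity": {"variety": ["Defacement"]}},
}

GOOD_INCIDENT: Incident = {
    "schema_version": "1.3.7",
    "action": {"misuse": {"variety": ["Privilege abuse"]},
               "malware": {"variety": ["DoS"]}},
    "actor": {"internal": {"variety": ["System admin"], "motive": ["Financial"]},
              "external": {"variety": ["Organized crime"], "motive": ["Secondary"]}},
    "victim": {"secondary": {"victim_id": ["Example Corp"], "amount": 1}},
    "attribute": {"integrity": {"variety": ["Defacement"]},
                  "availability": {"variety": ["Interruption"]}},
}

if __name__ == "__main__":
    for severity, message in check_validity(BAD_INCIDENT):
        print(f"{severity}: {message}")
```

Errors and suggestions are kept apart on purpose: the Defacement/Interruption rule is phrased in the changelog as a suggestion, so a batch validator should report it without rejecting the record.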
Version 1.3.4
=============
19-10-31
* Added assets desktop/laptop hierarchy per issues #263
* Removed country requirement per issues #262
* structured credit monitoring fields per issues #260
* structured partner data fields per issues #259
* Added validation for 'other' value 000001 in victim/actor country per issues #252
* Updated 'customer' definition in data_victim to include member per issues #248
* Better defined misrepresentation per issues #244
* Updated description of secondary.victim_id to include naics per issues #238
* made asset.cloud mandatory per issues #236 and issues #225
* added email and associated hierarchy to malware.vector per issues #232
* updated 'executive' definition per issues #224
* improved naics validation per issues #223
* added RAT and malware.variety.trojan per issues #215
* added 'escrow' to value_chain per issues #214
* added 'insecure deserialization' per issues #213
* updated 'asset and fraud' definition per issues #212
* added parent-child relationships to descriptions per issues #205
* added 'role' (it/ot) to asset per issues #201
* split 'end-user' and 'employee' in action.social.target but not actor.internal.variety per issues #150
* added physical.variety.snap a picture per issues #93
Version 1.3.3
=============
18-11-29
VERIS has been updated to version 1.3.3. This mostly contains enumeration additions, but has some which affect parsing.
For example, 'discovery_method' was previously a flat list. It is now an object of the form discovery_method.<internal/external/partner>.variety.<enum>. Additionally, several implicit hierarchies have been formalized in rules.py.
Additionally some under-used fields have been merged with others or removed. See the conversion script for exactly what's happening.
Additionally, almost all tooling has been updated for python3. This may cause issues as python2 importlib does not work the same as importlib in python3.6 and later. mergeschema.py must still be run as python2 currently as python3 is not able to serialize the OrderedDict (used to keep the schema files in a certain order).
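The 1.3.3 note above (discovery_method moving from a flat prefixed value to discovery_method.<internal/external/partner>.variety.<enum>) and the 1.4.0 entries (action.hacking.variety and action.malware.variety MitM renamed to AitM) are both the kind of change the conversion scripts carry out. The block below is an added example of those two conversions, not the project's convert_*.py. It assumes the Int/Ext/Prt prefixes listed under Version 1.3, assumes the nested enum names start capitalised, and parks anything it cannot map under the free-form plus section, a choice made here rather than one the changelog prescribes. The sample record is constructed.

```python
"""Minimal conversion helpers of the kind the VERIS conversion scripts perform.

Added example, not the project's convert_*.py. Two changes from this changelog
are shown:
  * 1.3.3: discovery_method moves from a flat prefixed value such as
    'Int - reported by employee' to discovery_method.<internal|external|partner>
    .variety.<enum>. The prefixes Int/Ext/Prt are those used in the 1.3
    enumeration list; the capitalisation of the nested enum names is assumed.
  * 1.4.0: a plain enum rename, e.g. action.hacking.variety MitM -> AitM.
Values that cannot be mapped are parked under the free-form 'plus' section
(chosen here; not something the changelog prescribes).
"""
import copy
import re
from typing import Any, Dict, List, Tuple, Union

Incident = Dict[str, Any]

PREFIX_TO_SECTION = {"Int": "internal", "Ext": "external", "Prt": "partner"}
_FLAT_VALUE = re.compile(r"^(Int|Ext|Prt)\s*-\s*(.+)$")


def convert_discovery_method(flat: Union[str, List[str], None]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (nested discovery_method, values that did not match the prefix form)."""
    values = [flat] if isinstance(flat, str) else list(flat or [])
    nested: Dict[str, Any] = {}
    unconverted: List[str] = []
    for value in values:
        match = _FLAT_VALUE.match(value.strip())
        if not match:
            unconverted.append(value)  # e.g. bare "Unknown": left for a human to place
            continue
        section = PREFIX_TO_SECTION[match.group(1)]
        enum = match.group(2).strip()
        enum = enum[0].upper() + enum[1:]  # assumed: nested enum names start capitalised
        varieties = nested.setdefault(section, {}).setdefault("variety", [])
        if enum not in varieties:
            varieties.append(enum)
    return nested, unconverted


def rename_enum(incident: Incident, path: str, old: str, new: str) -> Incident:
    """Return a copy where `old` is replaced by `new` in the enum array at dotted `path`."""
    out = copy.deepcopy(incident)
    keys = path.split(".")
    parent: Any = out
    for key in keys[:-1]:
        if not isinstance(parent, dict) or key not in parent:
            return out  # path absent: nothing to rename
        parent = parent[key]
    values = parent.get(keys[-1]) if isinstance(parent, dict) else None
    if isinstance(values, list):
        parent[keys[-1]] = [new if v == old else v for v in values]
    return out


def upgrade_incident(incident: Incident) -> Incident:
    """Apply the discovery_method restructure and the two 1.4.0 MitM -> AitM renames."""
    out = copy.deepcopy(incident)
    if "discovery_method" in out:
        nested, leftover = convert_discovery_method(out["discovery_method"])
        out["discovery_method"] = nested
        if leftover:
            out.setdefault("plus", {})["unconverted_discovery_method"] = leftover
    out = rename_enum(out, "action.hacking.variety", "MitM", "AitM")
    out = rename_enum(out, "action.malware.variety", "MitM", "AitM")
    return out


# Constructed pre-1.3.3-style record (not real VCDB data).
OLD_INCIDENT: Incident = {
    "schema_version": "1.3",
    "discovery_method": "Ext - suspicious traffic",
    "action": {"hacking": {"variety": ["MitM", "Use of stolen creds"]}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(upgrade_incident(OLD_INCIDENT), indent=2))
```

Both helpers copy the record rather than mutate it, so a conversion that fails part-way leaves the source file untouched; unmapped values are kept rather than dropped so that nothing silently disappears from the dataset during an upgrade.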
Version 1.3
===========
Schema changes
--------------
* Schema has been documented using ietf.org draft 4 specifications: http://tools.ietf.org/html/draft-fge-json-schema-validation-00
* Add new actor.internal.job_change field (see enumerations below)
* Changes asset.country to an array so that we can model assets that exist in multiple countries.
* Changes victim.country to an array rather than a string.
* Adds a discovery_notes field to describe the discovery in greater detail.
* Removes asset.management, asset.hosting, asset.ownership, and asset.accessibility
* Added asset.governance. This is intended to capture interesting facts about the management of the asset but is not intended to be all-inclusive or apply to all assets. E.g. there would be no selection if a person was the affected asset.
* Removes the existing physical.vector enumeration and renames physical.location to physical.vector. Some of the values from the old physical.vector are now in physical.variety.
* Adds new attribute.confidentiality.data_victim (see enumerations below)
* Adds six character region array to actor.external, actor.partner, and victim.
* Adds actor.external.name, an array of strings used to identify the actor such as 'Syrian Electronic Army' or 'Zero Cool'.
* Renames the related_incidents field to campaign_id
Enumeration changes
-------------------
* actor.motive: Added "Secondary"
* action.hacking.variety: Added "Pass-the-hash"
* attribute.integrity.variety: Added "Defacement"
* attribute.integrity.variety: Renamed "Misappropriation" to "Repurpose"
* attribute.confidentiality.data.variety: Added "Source code"
* attribute.confidentiality.data.variety: Added "Virtual Currency"
* asset.assets.variety: Added "S - Unknown"
* attribute.confidentiality.data.variety: Added "Digital certificate"
* action.misuse.variety: Renamed "Embezzlement" to "Possession abuse"
* action.physical.variety: Renamed "Sabotage" to "Destruction"
* malware.vector: Added "Software update"
* discovery_method: Renamed "Int - reported by user" to "Int - reported by employee"
* discovery_method: Renamed "Int - IT audit" to "Int - IT review"
* action.physical.variety: Added "Skimmer"
* asset.accessibility: Removed all enumerations
* asset.hosting: Removed all enumerations
* asset.management: Removed all enumerations
* asset.ownership: Removed all enumerations
* action.physical.vector: Removed all enumerations
* action.physical.location: Renamed to action.physical.vector
* action.physical.vector: Added "Visitor privileges"
* action.physical.vector: Added "Uncontrolled location"
* action.physical.vector: Added "Privileged access"
* action.physical.variety: Added "Bypassed controls"
* action.physical.variety: Added "Disabled controls"
* attribute.confidentiality.data_victim: Added "Customer"
* attribute.confidentiality.data_victim: Added "Employee"
* attribute.confidentiality.data_victim: Added "Other"
* attribute.confidentiality.data_victim: Added "Partner"
* attribute.confidentiality.data_victim: Added "Patient"
* attribute.confidentiality.data_victim: Added "Student"
* attribute.confidentiality.data_victim: Added "Unknown"
* actor.internal.job_change: Added "Hired"
* actor.internal.job_change: Added "Promoted"
* actor.internal.job_change: Added "Lateral move"
* actor.internal.job_change: Added "Resigned"
* actor.internal.job_change: Added "Let go"
* actor.internal.job_change: Added "Demoted"
* actor.internal.job_change: Added "Passed over"
* actor.internal.job_change: Added "Unknown"
* actor.internal.job_change: Added "Other"
* actor.internal.job_change: Added "Reprimanded"
* actor.internal.job_change: Added "Job eval"
* actor.internal.job_change: Added "Personal issues"
* discovery_method: Removed "Ext - unrelated party"
* discovery_method: Added "Prt - monitoring service"
* discovery_method: Added "Prt - audit"
* discovery_method: Added "Prt - antivirus"
* discovery_method: Added "Prt - incident response"
* discovery_method: Added "Prt - Unknown"
* discovery_method: Added "Prt - Other"
* discovery_method: Added "Ext - incident response"
* discovery_method: Added "Ext - found documents"
* discovery_method: Added "Ext - suspicious traffic"
* discovery_method: Added "Ext - emergency response team"
* discovery_method: Added "Int - data loss prevention"
* discovery_method: Added "Int - infrastructure monitoring"
* asset.governance: Added "Personally owned"
* asset.governance: Added "3rd party owned"
* asset.governance: Added "3rd party managed"
* asset.governance: Added "3rd party hosted"
* asset.governance: Added "Internally isolated"
* asset.governance: Added "Unknown"
Version 1.2
===========
Schema changes
--------------
* Removed investigation date completely
* Added field for target section, called "targeted" (not required)
* Replaced "personal" boolean with "ownership" field for enumeration
listing
* Changed "management" boolean into enumeration listing
* Changed "hosting" boolean into enumeration listing
* Added field "accessibility" for enumeration listing, for where the
asset is in the network (internal facing or internet facing, etc),
will not be associated on a per asset basis.
* Changed "asset" to be required
* Make attribute section not required (near miss, false alarms, etc)
* Change "security_compromise" to "security_incident" to make it more
clear what this variable tracks. This essentially asks "Was this
event a security incident (defined as an event in which a security
attribute (C/P, I/A, A/U) of an asset was compromised).
Enumeration changes
-------------------
* Removed "No" from 'security_incident' (formerly security_compromise),
and add options of "False positive" and "Near miss" *Need feedback
* Added in enumeration for targeted with values of "Unknown", "NA",
"Opportunistic", "Targeted"
* Added "S - Code repository" to enum for asset.variety
* Integrity variety, changed instances of "Modified" to "Modify" to
match tense
* Actor motive, added "Convenience" (intentionally bypassing controls
for convenience)
* Discovery method, added "Int - Unknown" and "Ext - Unknown"
* Hacking variety: Added "Virtual machine escape"
* Ownership, created enumerations of "Victim", "Employee", "Partner",
"Customer", "Unknown", "NA"
* Management, created enumerations of "Internal", "External",
"Unknown","NA"
* Hosting, created enumerations of "Internal", "External - shared",
"External - dedicated", "External", "Unknown", "NA"
* Cloud, changed enumerations to be the component of cloud:
"Hypervisor", "Partner application", "Hosting governance",
"Customer attack", "Hosting error", "User breakout", "Unknown",
"Other"
* accessibility, created enumerations of "External", "Internal",
"Isolated", "Unknown", "NA"
* Malware variety, added "Click fraud" to represent
"Click Fraud/Bitcoin mining"
* Asset variety, changed "U - ATM" to "T - ATM" (kiosk/public facing
user device)
* Asset variety, changed "U - Gas terminal" to "T - Gas terminal"
(kiosk/public facing user device)
* Asset variety, changed "U - PED pad" to "T - PED pad" (kiosk/public
facing user device)
* Asset variety, changed "U - Kiosk" to "T - Kiosk" (kiosk/public
facing user device)
* Hacking vector: Added "Partner" to represent partner connection or
credential
* Convert the country enumeration to be 2-digit codes from ISO 3166
* Removing the "role" of the actor, it appears to be highly correlated
to motive and redundant.
* Removing value of "S - Other Server" in the asset variety since
"S - Other" exists
Version 1.1 (from initial release)
==================================
Schema changes
--------------
* "security_compromise" field is now required
* Any field that is an enumeration, and that enumerations has an
"Unknown" value is now required
* Malware CVE, Malware name and Hacking name are changed from an array
to a string
* Investigation date is no longer required
* Added support for a "plus" section and allowing it to be anything
(place for localized data collection and personalized extension of
the schema)
* Added in an optional "reference" field as a string, so other references
or sources could be listed
Enumeration changes
-------------------
* Removed "public_disclosure" from the enumerations, not used
* Modified employee_count to include options for "Small" and "Large" when
more precise numbers are not known
* External variety, changed "State-sponsored" to "State-affiliated"
* Internal variety, changed "Administrator" to "System admin"
* Malware variety, changed "Client-side" to "Client-side attack"
* Malware variety, changed "Spyware" to "Spyware/keylogger"
* Malware variety, changed "Utility" to "Adminware"
* Hacking variety, changed "Backdoor or C2" to "Use of backdoor or C2"
* Hacking variety, changed "Stolen creds" to "Use of stolen creds"
* Hacking vector, changed "Shell" to "Command shell"
* Social target, changed "Administrator" to "System admin"
* Asset, added "S - Other"
* Asset, changed "P - Administrator" to "P - System admin"
* Fixed typo in South Korea, removed white space at the end of the name.
* Country, changed "Russian Federation" to "Russia"
* Country, changed "United States of America" to "United States"