Actor Variables

Kevin Thompson edited this page Jun 2, 2014 · 10 revisions

These are the enumerations and free-text fields defined in VERIS version 1.3 for subfields in Internal Actor, External Actor, and Partner Actor.

Motive

Applies to External, Internal, and Partner
Question Text: What motives drove the actor(s) to act?
Purpose: Motive is a key component of understanding and defending against intelligent threat actors.
Developer notes: While this is common to all categories of actors, it is inherited and associated with each. In other words, if an incident involves both an external actor and an internal actor, different motives may be assigned for each.

Values

Multi-select: choose all that apply

  • NA : Not Applicable (unintentional action)
  • Espionage : Espionage or competitive advantage
  • Fear : Fear or duress
  • Financial : Financial or personal gain
  • Fun : Fun, curiosity, or pride
  • Grudge : Grudge or personal offense
  • Ideology : Ideology or protest
  • Convenience : Convenience or expediency
  • Secondary : Aid in a different attack
  • Unknown : Unknown
  • Other : Other

Actor.external.variety

Applies to external actors
Question text: What varieties of external actors were involved?
Purpose: Identifying the specific variety helps assess the resources, capabilities, and tendencies of the actor.

If the actor is a former employee, then make sure to select the External variety of “Former employee” instead of an insider. If the former employee uses their still-active account, that falls under Misuse.

Values

Multi-select: choose all that apply

  • Acquaintance : Relative or acquaintance of employee
  • Activist : Activist group
  • Auditor : Auditor
  • Competitor : Competitor
  • Customer : Customer (B2C)
  • Force majeure : Force majeure (nature and chance)
  • Former employee : Former employee (no longer had access)
  • Nation-state : Nation-state
  • Organized crime : Organized or professional criminal group
  • State-affiliated : State-sponsored or affiliated group
  • Terrorist : Terrorist group
  • Unaffiliated : Unaffiliated person(s)
  • Unknown : Unknown
  • Other : Other

Actor.external.name

Applies to external actors
Question text: What are the names of the external actors involved?
Purpose: Names can be used to track a threat actor over time or to link threat actors described to different intelligence groups.

Name is an array of strings. Each string should be a unique name given to the threat actor. The name can be the actual name of a person, a code name given by an intelligence group, or a handle used by the actor.

Actor.internal.job_change

Applies to internal actors
Question text: Were there any recent job actions involving the internal actor?
Purpose: Used to track how job actions may influence an internal actor to take action.

Values

Multi-select: choose all that apply

  • Hired : Recently hired
  • Promoted : Recently promoted
  • Lateral move : Lateral move
  • Resigned : Recently resigned
  • Let go : Fired, laid off, or let go
  • Demoted : Recently demoted or hours reduced
  • Passed over : Recently passed over for promotion
  • Unknown : Unknown
  • Other : Other
  • Reprimanded : Recently reprimanded
  • Job eval : Recent poor job evaluation
  • Personal issues : Personal issues

Actor.internal.variety

Question text: What varieties of internal actors were involved?
User notes: If the employee resigned or was let go before the incident, select “former employee” under External actors instead.
Purpose: Identifying the specific variety helps assess the resources, capabilities, and tendencies of the actor.

Values

Multi-select: choose all that apply

  • Auditor : Auditor
  • Call center : Call center staff
  • Cashier : Cashier, teller, or waiter
  • End-user : End-user or regular employee
  • Executive : Executive or upper management
  • Finance : Finance or accounting staff
  • Helpdesk : Helpdesk staff
  • Human resources : Human resources staff
  • Maintenance : Maintenance or janitorial staff
  • Manager : Manager or supervisor
  • Guard : Security guard
  • Developer : Software developer
  • System admin : System or network administrator
  • Unknown : Unknown
  • Other : Other

Notes

This is just a free-text field where the analyst can record any relevant information that was not adequately described by the other variables or which explains the choices the analyst made in coding the incident.
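
A validator for the actor section of a coded incident, built from the value lists on this page. It is an added example, not code from the VERIS project. It assumes the dotted names map to nested lower-case JSON keys, that notes sits under each actor category, and that partner carries only the fields this page lists; `validate_actor`, `SCHEMA` and `SAMPLE` are names chosen for the example.

```python
# Enumerations copied from the value lists on this page (VERIS 1.3).
MOTIVE = {"NA", "Espionage", "Fear", "Financial", "Fun", "Grudge", "Ideology",
          "Convenience", "Secondary", "Unknown", "Other"}
EXTERNAL_VARIETY = {"Acquaintance", "Activist", "Auditor", "Competitor", "Customer",
                    "Force majeure", "Former employee", "Nation-state", "Organized crime",
                    "State-affiliated", "Terrorist", "Unaffiliated", "Unknown", "Other"}
INTERNAL_VARIETY = {"Auditor", "Call center", "Cashier", "End-user", "Executive",
                    "Finance", "Helpdesk", "Human resources", "Maintenance",
                    "Manager", "Guard", "Developer", "System admin", "Unknown", "Other"}
JOB_CHANGE = {"Hired", "Promoted", "Lateral move", "Resigned", "Let go", "Demoted",
              "Passed over", "Unknown", "Other", "Reprimanded", "Job eval", "Personal issues"}
# Fields per category (None = free text). Assumption: nested lower-case keys.
SCHEMA = {"external": {"motive": MOTIVE, "variety": EXTERNAL_VARIETY, "name": None, "notes": None},
          "internal": {"motive": MOTIVE, "variety": INTERNAL_VARIETY,
                       "job_change": JOB_CHANGE, "notes": None},
          "partner": {"motive": MOTIVE, "notes": None}}

def validate_actor(actor):
    """Return a list of problems in the 'actor' section of one coded incident."""
    problems = []
    for category, fields in actor.items():
        if category not in SCHEMA or not isinstance(fields, dict):
            problems.append(f"actor.{category}: unknown category or not an object")
            continue
        for field, value in fields.items():
            path, allowed = f"actor.{category}.{field}", SCHEMA[category].get(field)
            if field not in SCHEMA[category]:
                problems.append(f"{path}: field not defined for this category")
            elif field == "notes":
                if not isinstance(value, str):
                    problems.append(f"{path}: must be a free-text string")
            elif not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
                problems.append(f"{path}: must be an array of strings")
            elif len(set(value)) != len(value):
                problems.append(f"{path}: duplicate entries")
            elif allowed is not None and set(value) - allowed:
                problems.append(f"{path}: not in enumeration: {sorted(set(value) - allowed)}")
    # Page rule: someone who resigned or was let go before the incident is coded as
    # external "Former employee". Timing is not in the record, so flag for review.
    internal = actor.get("internal")
    changes = internal.get("job_change") if isinstance(internal, dict) else None
    if isinstance(changes, list) and any(c in ("Resigned", "Let go") for c in changes):
        problems.append("actor.internal: review: if employment ended before the "
                        "incident, code as actor.external.variety 'Former employee'")
    return problems

# Constructed sample record (not real incident data); "Hacker" is deliberately invalid.
SAMPLE = {"external": {"variety": ["Former employee", "Hacker"], "motive": ["Grudge"]},
          "internal": {"variety": ["System admin"], "job_change": ["Let go"]}}
```

The review entry is a prompt for the analyst rather than an error, since "Resigned" and "Let go" are valid job_change values for an actor who was still internal at the time of the incident.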
