Use Case: Cyber Incident Breach Reporting - STIXProject/use-cases GitHub Wiki


Cyber Incident/Breach Reporting

Abstraction Level (High, Medium or Low): High

Related Use Cases:

Description: A tool consumes various event alerts and correlates them into an incident record. The correlated incident is converted to the VERIS framework, at a level of detail commensurate with the fidelity of the raw data. After the initial conversion, the incident is assigned to a human analyst who adds further analysis. The final output for each incident is in a consumable, actionable format.

Example: A retail organization gathers incident and breach metrics on all correlated events handled in its SIEM. The same organization records details of internal investigations. Events output by tools and details recorded by incident responders are correlated and recorded as a single security incident. The incident is aggregated with other internal events, analysis is performed for internal consumption, and the information is provided to a data sharing community to uncover industry threat landscape trends.
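As an added illustration of the pipeline described above (example code, not part of the original use case): constructed SIEM alerts are correlated per host into incidents and mapped onto a partial VERIS-style record. The alert fields, the 24-hour window and the rule-to-action mapping are assumptions; only fields the raw alerts can support are filled, leaving the rest for the human analyst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SIEM alerts (not from the page); field names are assumed.
ALERTS = [
    {"ts": "2023-05-01T10:02:00", "host": "pos-07", "rule": "malware_detected"},
    {"ts": "2023-05-01T10:05:00", "host": "pos-07", "rule": "c2_beacon"},
    {"ts": "2023-05-01T10:20:00", "host": "pos-07", "rule": "data_exfil"},
    {"ts": "2023-05-02T08:00:00", "host": "hr-01", "rule": "failed_login_burst"},
    {"ts": "2023-05-04T09:00:00", "host": "hr-01", "rule": "failed_login_burst"},
]

# Assumed mapping from SIEM rule names to VERIS action category and variety.
RULE_TO_ACTION = {
    "malware_detected": ("malware", "Unknown"),
    "c2_beacon": ("malware", "C2"),
    "data_exfil": ("malware", "Export data"),
    "failed_login_burst": ("hacking", "Brute force"),
}

def correlate(alerts, window_hours=24):
    """Group alerts per host; a new incident starts when an alert falls outside
    the window that began with the current incident's first alert."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        current, start = [], None
        for a in items:
            t = datetime.fromisoformat(a["ts"])
            if start is not None and t - start > timedelta(hours=window_hours):
                incidents.append({"host": host, "alerts": current})
                current, start = [], None
            start = start or t
            current.append(a)
        incidents.append({"host": host, "alerts": current})
    return incidents

def to_veris(incident, incident_id):
    """Build a partial VERIS-style record; fields the alerts cannot support
    (victim, impact, discovery) are deliberately left for the analyst."""
    first = datetime.fromisoformat(incident["alerts"][0]["ts"])
    record = {"incident_id": incident_id, "security_incident": "Confirmed",
              "timeline": {"incident": {"year": first.year, "month": first.month}},
              "action": {}, "summary": ""}  # summary: analyst fills in
    for a in incident["alerts"]:
        cat, variety = RULE_TO_ACTION.get(a["rule"], ("unknown", "Unknown"))
        varieties = record["action"].setdefault(cat, {"variety": []})["variety"]
        if variety not in varieties:
            varieties.append(variety)
    return record
```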

Stakeholders/Goals:

  • Data Providers: Group or organization that reports breach information
  • Goal: Collection of breach information and efficient conversion from raw data to a standardized format with minimal manual processes.
  • Security Analyst: Person(s) who receive individual breach reports and analyze the data
  • Goal: Receive data in a format that facilitates temporal, aggregate, and relational analysis using common statistical tools. The format should facilitate production of quality reporting and visualization.
  • Strategic Planner: Consumes the output of breach data analysis and incorporates it as a data point in the security decision-making process.
  • Goal: Format facilitates aggregate metrics that are useful in the decision-making process.
  • Data Sharing Community: Group of organizations that share incident data to identify trends in tactics, techniques, and procedures targeting their industry.
  • Goal: Community members provide and consume data from multiple sources to improve the overall incident data set.
  • Goal: Provide analysis of the overall incident set for community use.

Dependencies:

  1. Cyber Breach Analysis and Categorization

Main Success Scenario:

  1. Strategic planners use real-world breach data to improve the decision-making process.