Introduction
Accurate, structured incident data is essential for effective analysis, reporting, and response. VERIS (Vocabulary for Event Recording and Incident Sharing) provides a standardized approach to categorizing security incidents, improving insights and facilitating data sharing. Implemented in ServiceNow, VERIS gives organizations both strategic and tactical visibility into incidents, supporting better response and post-incident analysis.
Section 1: What is VERIS?
VERIS is a data-driven, structured vocabulary for recording and categorizing security incidents, originally developed to align with the Data Breach Investigations Report (DBIR). The schema helps organizations categorize incidents consistently, enabling clearer incident analysis and facilitating threat intelligence sharing.
Although VERIS includes many categories, this example focuses on five core components:
- Actors: Identifies the individuals or entities involved in an incident (e.g., external attackers, internal employees, partners).
- Actions: Describes activities performed during the incident, such as hacking, malware, or social engineering.
- Assets: Lists impacted resources, including servers, databases, networks, and other systems.
- Attributes: Defines the impact on confidentiality, integrity, and availability, providing an understanding of the incident’s effect.
- Incident Details: Captures the incident outcome, specifying whether it was a True Positive or False Positive and the final resolution status (e.g., mitigated, contained, remediated).
Section 2: Enhancing VERIS with Tactical Data Fields
By adding tactical data fields to VERIS, organizations can capture real-time details of each incident stage, offering visibility that supports response efforts as well as post-incident reporting. Below are suggested fields that add depth to VERIS:
- Attack Stage
  - Purpose: Captures the current phase of the attack.
  - Options: Initial Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives.
- Response Actions Taken
  - Purpose: Logs countermeasures deployed at each stage.
  - Examples: Isolate Affected System, Block IP/Domain, Deploy Patch, Reset Credentials.
- Attack Vectors Used
  - Purpose: Details how each phase of the attack was executed.
  - Options: Phishing (email, SMS), Drive-by Download, Remote Access Tool, Credential Theft.
- Lateral Movement Indicators
  - Purpose: Tracks techniques used to expand reach within the environment.
  - Examples: Credential Dumping, Network Scanning, Privilege Escalation.
- Detection Timing
  - Purpose: Logs when each phase of the attack was detected.
  - Options: Pre-Attack, During Attack, Post-Attack.
- Preventive Measures
  - Purpose: Identifies preventive controls in place or those that failed.
  - Examples: EDR, Multi-Factor Authentication, Email Filtering, IDS.
- Success/Failure of Attack Phase
  - Purpose: Indicates whether the attacker completed a particular phase.
  - Options: Success, Partial Success, Failure.
- Exfiltration Details
  - Purpose: Tracks details of data exfiltration, if applicable.
  - Examples: Method (e.g., FTP, direct download), Data Type (PII, financial), Volume of Data.
- Command and Control (C2) Indicators
  - Purpose: Logs known C2 indicators.
  - Examples: C2 Server IP, Domain, Communication Protocol (HTTP, HTTPS, DNS).
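The following is an added example, not code from the original article: a compact schema for the enhanced VERIS record described in Sections 1 and 2, plus a validator that rejects records missing a core component or using a value outside the closed option lists. The field names (actor, attack_stage, phase_outcome, and so on) and the sample record are assumptions constructed for illustration.

```javascript
// Added example (not from the original article): a compact schema for the enhanced
// VERIS record and a validator that checks the mandatory core fields and the closed
// option lists before a record is stored. Field names are assumptions.
const VERIS_OPTIONS = {
  attack_stage: ['Initial Reconnaissance', 'Weaponization', 'Delivery', 'Exploitation',
                 'Installation', 'Command and Control (C2)', 'Actions on Objectives'],
  detection_timing: ['Pre-Attack', 'During Attack', 'Post-Attack'],
  phase_outcome: ['Success', 'Partial Success', 'Failure'],
  incident_outcome: ['True Positive', 'False Positive'],
};

// Core VERIS components every record must carry (Section 1).
const REQUIRED = ['actor', 'action', 'asset', 'attribute', 'incident_outcome'];

// Returns a list of problems; an empty list means the record can be stored.
function validateVerisRecord(rec) {
  const errors = [];
  for (const f of REQUIRED) {
    if (rec[f] === undefined || rec[f] === '' || (Array.isArray(rec[f]) && rec[f].length === 0)) {
      errors.push(`missing required field: ${f}`);
    }
  }
  for (const [field, allowed] of Object.entries(VERIS_OPTIONS)) {
    if (rec[field] !== undefined && !allowed.includes(rec[field])) {
      errors.push(`${field}: '${rec[field]}' is not one of: ${allowed.join(', ')}`);
    }
  }
  // Exfiltration details only make sense when confidentiality was affected.
  if (rec.exfiltration && !(rec.attribute || []).includes('Confidentiality')) {
    errors.push('exfiltration recorded but Confidentiality attribute not set');
  }
  return errors;
}

// Constructed sample record: a phishing incident tagged with VERIS and tactical fields.
const SAMPLE_INCIDENT = {
  actor: 'External',
  action: 'Social',
  asset: ['User workstation'],
  attribute: ['Confidentiality'],
  incident_outcome: 'True Positive',
  attack_stage: 'Delivery',
  attack_vector: 'Phishing (email)',
  detection_timing: 'During Attack',
  phase_outcome: 'Partial Success',
  response_actions: ['Reset Credentials', 'Block IP/Domain'],
  exfiltration: { method: 'direct download', data_type: 'PII', volume: '2 records' },
};
```

In ServiceNow the same checks would belong in a data policy or a before-insert Business Rule, so that records arriving from integrations are held to the same vocabulary as records typed in by analysts.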
Section 3: Configuring Enhanced VERIS in ServiceNow
ServiceNow can be customized to incorporate both the standard and enhanced VERIS fields, allowing precise data capture and streamlined reporting. Below are steps to configure this setup:
- Create Custom Fields for VERIS Attributes:
  - Actors, Actions, Assets, Attributes, and Incident Details: Use dropdowns or multi-select fields to capture standard VERIS categories.
  - Enhanced Fields: Add fields for Attack Stage, Response Actions, Attack Vectors, and other tactical indicators.
- Develop Incident Templates:
  - Create templates with preconfigured VERIS and enhanced fields for common incident types (e.g., phishing, malware).
  - Use templates to streamline data entry and enforce consistency.
- Set Up Categorization Rules:
  - Use ServiceNow workflows to automate incident categorization based on characteristics and preset VERIS values.
  - Apply logic for Incident Details tagging, setting outcomes as True/False Positive based on resolution status.
- Create Dashboards for Enhanced VERIS Reporting:
  - Design dashboards displaying incidents by VERIS attributes and enhanced tactical data.
  - Include visualizations of True/False Positive ratios, Attack Stages, and Response Actions Taken to provide a real-time view of incident progression.
Section 4: Automating Data Entry in ServiceNow with Enhanced VERIS
Automation in ServiceNow improves data consistency and accelerates response times. Here’s how to automate VERIS and enhanced field entries:
- Workflow Setup:
  - Use Flow Designer to trigger workflows that auto-populate VERIS and enhanced fields based on incident characteristics.
  - Example: If an incident is flagged as “Phishing” and resolved, the workflow can set Attack Stage to “Delivery” and Incident Details to “True Positive – Contained.”
- Scripted Actions:
  - Use JavaScript in ServiceNow’s scripting environment to automate classification and set VERIS and tactical fields.
  - Example Script:

    // Assumed to run as a before-update Business Rule on the incident table, so the
    // values are saved with the record and no current.update() call is needed.
    // Compare the display value of state: the stored value of a choice field is
    // usually a code (for example a number) rather than the label "Resolved".
    if (current.getValue('u_incident_type') == 'Phishing' &&
        current.getDisplayValue('state') == 'Resolved') {
        current.u_veris_action = 'Social';      // VERIS Action category
        current.u_veris_actor = 'External';     // VERIS Actor category
        current.u_attack_stage = 'Delivery';    // enhanced tactical field
        current.u_incident_details = 'True Positive - Contained';
    }

- Data Validation:
  - Set mandatory fields for key VERIS and enhanced attributes to ensure accurate and comprehensive data capture.
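As an added example (not code from the original article or from ServiceNow), the single phishing rule above generalized into a rule table, so new incident types are added as data rather than as more if-statements. The u_* field names, rule conditions and the “Not an Incident” close code are assumptions; in ServiceNow the same function would be called from a Business Rule with `current`, while here it runs against a plain object.

```javascript
// Added example (not from the original article): a rule table that maps incident
// characteristics to VERIS and tactical fields. Field names and conditions are assumptions.
const CATEGORIZATION_RULES = [
  {
    name: 'phishing-resolved',
    when: (i) => i.u_incident_type === 'Phishing' && i.state === 'Resolved',
    set: { u_veris_action: 'Social', u_veris_actor: 'External',
           u_attack_stage: 'Delivery', u_incident_details: 'True Positive - Contained' },
  },
  {
    name: 'malware-resolved',
    when: (i) => i.u_incident_type === 'Malware' && i.state === 'Resolved',
    set: { u_veris_action: 'Malware', u_attack_stage: 'Installation',
           u_incident_details: 'True Positive - Remediated' },
  },
  {
    // Closed as benign: only the outcome is recorded; no attacker fields are guessed.
    name: 'false-positive',
    when: (i) => i.state === 'Closed' && i.close_code === 'Not an Incident',
    set: { u_incident_details: 'False Positive' },
  },
];

// Applies the first matching rule and returns its name (or null when none matched)
// so the decision can be written to the work notes for later audit.
function categorize(incident) {
  for (const rule of CATEGORIZATION_RULES) {
    if (!rule.when(incident)) continue;
    for (const [field, value] of Object.entries(rule.set)) {
      // Never overwrite a value an analyst has already entered by hand.
      if (!incident[field]) incident[field] = value;
    }
    return rule.name;
  }
  return null;
}

// Constructed sample: a resolved phishing ticket where the analyst already set the actor.
const SAMPLE_TICKET = { u_incident_type: 'Phishing', state: 'Resolved', u_veris_actor: 'Partner' };
```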
Section 5: Visualizing Enhanced VERIS Data in ServiceNow
Key visualizations for a VERIS driven dashboard include:
- Actor Breakdown: Pie chart displaying incidents by actor type (e.g., internal, external).
- Attack Stage Tracking: Bar chart showing the distribution of incidents across different attack stages.
- Response Effectiveness: Ratio of true positives vs. false positives, providing insight into detection accuracy.
- Common Attack Vectors: Visual representation of the most frequently used attack vectors (e.g., phishing, credential theft).
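The four dashboard series above computed from tagged records, as an added example that is not part of the original article. The records are constructed for illustration and the field names are assumptions; the Common Attack Vectors panel is extended here with a per-vector true-positive ratio, which shows which detections are noisy rather than only which are frequent.

```javascript
// Added example (not from the original article): computing the dashboard series
// from tagged records. Records are constructed; field names are assumptions.
const TAGGED_INCIDENTS = [
  { actor: 'External', attack_stage: 'Delivery', attack_vector: 'Phishing (email)', incident_outcome: 'True Positive' },
  { actor: 'External', attack_stage: 'Exploitation', attack_vector: 'Credential Theft', incident_outcome: 'True Positive' },
  { actor: 'Internal', attack_stage: 'Actions on Objectives', attack_vector: 'Credential Theft', incident_outcome: 'True Positive' },
  { actor: 'External', attack_stage: 'Delivery', attack_vector: 'Phishing (email)', incident_outcome: 'False Positive' },
  { actor: 'External', attack_stage: 'Delivery', attack_vector: 'Drive-by Download', incident_outcome: 'False Positive' },
];

// Counts records per distinct value of one field: { value: count }.
function countBy(records, field) {
  return records.reduce((acc, r) => {
    acc[r[field]] = (acc[r[field]] || 0) + 1;
    return acc;
  }, {});
}

// Detection accuracy as the article defines it: true positives over all incidents
// with a recorded outcome. Returns null rather than NaN when nothing is tagged.
function truePositiveRatio(records) {
  const c = countBy(records, 'incident_outcome');
  const tp = c['True Positive'] || 0, fp = c['False Positive'] || 0;
  return tp + fp === 0 ? null : tp / (tp + fp);
}

// The same ratio broken down by a field (e.g. attack vector); records without a
// recorded outcome are skipped so open incidents do not distort the picture.
function precisionBy(records, field) {
  const out = {};
  for (const r of records) {
    if (r.incident_outcome !== 'True Positive' && r.incident_outcome !== 'False Positive') continue;
    const row = out[r[field]] || (out[r[field]] = { tp: 0, fp: 0, precision: 0 });
    if (r.incident_outcome === 'True Positive') row.tp++; else row.fp++;
    row.precision = row.tp / (row.tp + row.fp);
  }
  return out;
}

// One object per dashboard panel, ready to feed a reporting widget.
function buildDashboard(records) {
  return {
    actorBreakdown: countBy(records, 'actor'),
    attackStageTracking: countBy(records, 'attack_stage'),
    responseEffectiveness: truePositiveRatio(records),
    commonAttackVectors: precisionBy(records, 'attack_vector'),
  };
}
```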
Section 6: Reporting and Sharing Enhanced VERIS Tagged Incidents
- Automated Reports: Schedule weekly or monthly reports summarizing True Positive / False Positive incidents, their stages, and resolutions.
- Threat Intelligence Sharing: Use structured data from VERIS to support threat intelligence initiatives, enabling collaboration with external partners.
- DBIR Alignment: With VERIS-tagged data, align reports with DBIR standards for consistent industry-wide categorization and benchmarking.
Conclusion
Implementing an enhanced VERIS framework in ServiceNow provides a structured, tactical approach to incident management. This comprehensive framework supports consistent incident handling, deeper insights, and better alignment with external reporting standards, offering organizations a robust foundation for modern security incident management.