ETSI GS ISI 002 V1.2.1 (2015-11)

ETSI GS ISI 002 V1.2.1 (2015-11)






GROUP SPECIFICATION
Information Security Indicators (ISI);
Event Model
A security event classification model and taxonomy

---------------------- Page: 1 ----------------------
2 ETSI GS ISI 002 V1.2.1 (2015-11)



Reference
RGS/ISI-002ed2
Keywords
ICT, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2015.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI GS ISI 002 V1.2.1 (2015-11)
Contents
Intellectual Property Rights . 6
Foreword . 6
Modal verbs terminology . 7
Introduction . 7
1 Scope . 9
2 References . 9
2.1 Normative references . 9
2.2 Informative references . 9
3 Definitions and abbreviations . 10
3.1 Definitions . 10
3.2 Abbreviations . 14
4 Positioning of the proposed event classification model . 16
4.1 Relationship with the ISO 27004 standard . 16
4.2 The critical importance of positioning the model appropriately . 16
4.3 The necessity for the model to rest on a detailed taxonomy . 18
4.4 Description of the taxonomy . 18
4.5 Complex security incidents versus basic security incidents . 20
4.6 The key drivers underlying the representation proposed . 21
4.7 The general description of the representation . 21
4.8 Link between the event model representation and the list of indicators (and related families) . 22
5 Comparison with other event classification models . 22
5.0 Introduction . 22
5.1 Risk analysis methods classifications . 23
5.2 CAPEC classification . 23
5.3 FIRST classifications . 23
6 Detailed description of the proposed representation of the different categories and sub-categories . 24
6.0 Introduction . 24
6.1 Intrusions and external attacks (Category IEX). 24
6.2 Malfunctions (Category IMF) . 26
6.3 Deviant internal behaviours (Category IDB) . 28
6.4 Behavioural vulnerabilities (Category VBH) . 30
6.5 Software vulnerabilities (Category VSW) . 32
6.6 Configuration vulnerabilities (Category VCF) . 33
6.7 General security (technical & organizational) vulnerabilities (Category VTC and Category VOR) . 33
7 Practical uses of the event classification model . 35
7.0 Introduction . 35
7.1 The classification model pivotal role. 35
7.2 The objective shared with operational risks . 36
7.3 The link with existing studies on cybercrime motivation (threat intelligence) . 37
7.4 The link with incident exchange . 40
7.5 Other uses of the classification model . 42
Annex A (informative): Overview of the ISO 27004 standard measurement model . 44
Annex B (informative): Field dictionary for the taxonomy . 45
B.0 Introduction . 45
B.1 Incidents . 45
B.1.1 Who and/or Why . 45
B.1.1.1 Accident . 45
B.1.1.2 Unwitting or unintentional act (error) . 45
B.1.1.3 Unawareness or carelessness or irresponsibility . 46
B.1.1.4 Malicious act . 46
ETSI

---------------------- Page: 3 ----------------------
4 ETSI GS ISI 002 V1.2.1 (2015-11)
B.1.2 What . 47
B.1.2.1 Unauthorized access to a system and/or to information . 47
B.1.2.2 Unauthorized action on the information system and/or against the organization . 48
B.1.2.3 Installation of unauthorized software programs (malware) on a system (without the owner's consent) . 49
B.1.2.4 Information system remote disturbance . 49
B.1.2.5 Social engineering attacks . 49
B.1.2.6 Personal attack on organization's personnel or organization disturbance . 50
B.1.2.7 Physical intrusion or illicit action . 50
B.1.2.8 Illicit activity carried out on the public Internet (harming an organization) . 50
B.1.2.9 Various errors (administration, handling, programming, general use) . 51
B.1.2.10 Breakdown or malfunction . 52
B.1.2.11 Environmental events (unavailability caused by a natural disaster) . 52
B.1.3 How . 52
B.1.3.1 Unauthorized access to a system and/or to information . 52
B.1.3.2 Unauthorized action on the information system and/or against the organization . 53
B.1.3.3 Installation of unauthorized software programs (malware) on a system (without the owner's consent) . 54
B.1.3.4 Information system remote disturbance . 55
B.1.3.5 Social engineering attacks . 56
B.1.3.6 Personal attack on organization's personnel or organization disturbance . 56
B.1.3.7 Physical intrusion or illicit action . 56
B.1.3.8 Illicit activity carried out on the public Internet network (harming an organization) . 57
B.1.3.9 Various errors (administration, handling, programming, general use) . 57
B.1.3.10 Breakdown or malfunction . 57
B.1.3.11 Environmental events (unavailability caused by a natural disaster) . 57
B.1.4 Status . 57
B.1.4.1 Security event attempt (or occurrence) underway . 57
B.1.4.2 Succeeded (or performed) security event . 58
B.1.4.3 Failed security event . 58
B.1.5 With what vulnerability(ies) exploited (up to 3 combined kinds of vulnerabilities) . 58
B.1.5.1 Behavioural vulnerability . 58
B.1.5.2 Software vulnerability. 58
B.1.5.3 Configuration vulnerability . 58
B.1.5.4 General security vulnerability . 58
B.1.5.5 Conception vulnerability . 58
B.1.5.6 Material vulnerability . 58
B.1.6 On what kind of asset . 58
B.1.6.1 Data bases and applications . 58
B.1.6.2 Systems . 59
B.1.6.3 Networks and telecommunications . 61
B.1.6.4 Offline storage devices . 62
B.1.6.5 End-user devices . 62
B.1.6.6 People . 63
B.1.6.7 Facilities and environment . 63
B.1.7 With what CIA consequences . 64
B.1.7.1 Loss of confidentiality (with types of loss and with the amount of data as a possible complement) . 64
B.1.7.2 Loss of integrity (with types of loss) . 65
B.1.7.3 Loss of availability (with types of loss and with the duration as a possible complement) . 65
B.1.8 With what kind of impact . 66
B.1.8.1 Direct impact . 66
B.1.8.2 Indirect impact . 66
B.2 Vulnerabilities . 66
B.2.1 What . 66
B.2.1.1 Behavioural vulnerabilities . 66
B.2.1.2 Software vulnerabilities . 69
B.2.1.3 Configuration vulnerabilities . 69
B.2.1.4 General security (organizational) vulnerabilities . 70
B.2.1.5 Conception vulnerability . 72
B.2.1.6 Material vulnerability . 72
B.2.2 On what kind of assets . 73
B.2.3 Who (only for behavioural vulnerabilities) . 73
B.2.4 For what purpose (only for behavioural vulnerabilities) . 73
ETSI

---------------------- Page: 4 ----------------------
5 ETSI GS ISI 002 V1.2.1 (2015-11)
B.2.5 To what kind of possible exploitation . 74
Annex C (informative): Authors & contributors . 75
Annex D (informative): Bibliography . 76
History . 78

ETSI

---------------------- Page: 5 ----------------------
6 ETSI GS ISI 002 V1.2.1 (2015-11)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Information Security
Indicators (ISI).
The present document is included in a series of 6 ISI specifications. These 6 specifications are the following (see
figure 1 summarizing the various concepts involved in event detection and interactions between all parts):
• ETSI GS ISI 001-1 [i.3] addressing (together with its associated guide ETSI GS ISI 001-2 [i.4]) information
security indicators, meant to measure application and effectiveness of preventative measures.
• The present document (ETSI GS ISI 002) addressing the underlying event classification model and the
associated taxonomy.
• ETSI GS ISI 003 [i.11] addressing the key issue of assessing an organization's maturity level regarding overall
event detection (technology/process/ people) in order to evaluate event detection results.
• ETSI GS ISI 004 [i.12] addressing demonstration through examples how to produce indicators and how to
detect the related events with various means and methods (with a classification of the main categories of use
cases/symptoms).
• ETSI GS ISI 005 [i.13] addressing ways to produce security events and to test the effectiveness of existing
detection means within organizations (for major types of events), which is a more detailed and a more case by
case approach than in ETSI GS ISI 003 [i.11] and which can therefore complement it.
ETSI

---------------------- Page: 6 ----------------------
7 ETSI GS ISI 002 V1.2.1 (2015-11)
GS ISG ISI Series Summary Definition
Event
reaction
measures
Fake events
(Simulation)
Security Event
Real Detected
prevention detection
events events
measures
measures
Residual risk
(event model-
centric vision)

Figure 1: Positioning the 5 GS ISI against the 3 main security measures
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
A corporate Cyber Defence and SIEM approach implements continuously security improvements with the main goals
to:
• operationally and constantly reduce the residual risk incurred by their Information Systems (see figure 2,
which highlights the two associated types of events - incidents and vulnerabilities - and the joint area covered
by IT security policy through the concept of usage or implementation drift); and
• to assess the actual application and real effectiveness of their security policies (or of their ISMS, if they have
one), for the purpose of their constant improvement.
Such an approach, which to a large extent relies on using the traces available in the Information System's various
components, is organized around an "event-model centric" vision, and can also be tied up to the PDCA model that is
commonly used in quality and security areas. As such, this primarily involves implementing this model's PDCA
"Check" step on the basis of very detailed knowledge of threats and vulnerabilities.
ETSI

---------------------- Page: 7 ----------------------
8 ETSI GS ISI 002 V1.2.1 (2015-11)
The 3 kinds of residual risk
Area covered by
IT Security policy
Known Known
Unknown
Actually
residual residual
residual
covered
risk
risk
risk
risk
(accepted)
(suffered)
Incidents exploi-
Incidents exploiting Incidents not
ting unknown
known but uncovered possible
Incidents exploiting
vulnerabilities
or not tackled vulne- (vulnerabilities
known vulnerabilities
rabilities due to usage remediated by
or implementation drift operational or
not practices)

Figure 2: The 3 kinds of residual risks
Worldwide trends in ICT security show that significant progress can be accomplished within a few years with the
deployment of an organization-wide operational Cyber Defence and SIEM approach. A recent survey by a major
consulting firm of 15 major companies and organizations brings to light nine key success criteria. The two most
important criteria are:
• The reliance of the Cyber Defence and SIEM approach on a security event classification model that takes into
account both incidents and vulnerabilities, and that stresses particular attention to malicious and intentional
acts, the monitored events themselves being selected on the basis of main relevant CIA risks and associated
metrics (e.g. statistics).
• Training with this model for the relevant people using the Information System, with particular attention to the
presentation of concrete examples of disasters associated with inventoried security event main types.
As such, the present document's objective is to build a full taxonomy to thoroughly describe all IT security events (and
when appropriate and necessary non-IT security events) and, based on this, to present an original representation that
leverages the current international best practices and enables diversified and complex uses. The choice of a detailed
taxonomy, which describes security events through a set of attributes (different for incidents and vulnerabilities),
ensures that all possible situations can be taken into account with the required flexibility (especially thanks to the
provided open dictionary), while the representation chosen for the taxonomy, highlighting the main categories generally
accepted by industry consensus, makes the event classification model easier to understand and embrace for
stakeholders.
®
The present document is based on work carried out by the Club R2GS , a French association created in 2008,
specializing in Cyber Defence and Security Information and Event Management (SIEM), gathering large French
companies and organizations (mainly users). The present document (ETSI GS ISI 002), as well as the other GS of ISG
ISI, are therefore based on a strong experience, this community of users having adopted and used the event
classification model and the related reference framework for indicators for more than three years on a national and
world-wide scale.
ETSI

---------------------- Page: 8 ----------------------
9 ETSI GS ISI 002 V1.2.1 (2015-11)
1 Scope
The present document provides a comprehensive security event classification model and associated taxonomy (based on
existing results and hands-on user experience), covering both security incidents and vulnerabilities. The two latter ones
become nonconformities when they violate an organization's security policy. The present document mainly supports
operational security staff in their effort to qualify and categorize detected security events, and more generally all
stakeholders (especially CISOs and IT security managers) in their needs to establish a common language.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
Not applicable.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] NIST SP 800-126 Revision 2 (September 2011): "The Technical Specification for the Security
Content Automation Protocol (SCAP): SCAP Version 1.2".
[i.2] MITRE CCE List Version 5.20120314 (March 2012): "Common Configuration Enumeration".
[i.3] ETSI GS ISI 001-1: "Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of
operational indicators for organizatio
...