Attribution is a process in which an (authorised) actor ascribes responsibility for a cyber incident to another actor.
- Average Attribution Time Period: Average attribution time period indicates the average time between the starting year of an incident and its attribution.
- Technical Attribution: Technical attribution determines who performed a cyber incident based on IT forensic evidence and technical traces left behind. Thus, technical attribution can be restricted to the execution of the ways and means of an incident and its characteristics, without identifying the actual implementing or responsible party, e.g., in the case of hacking-for-hire schemes.
- Political Attribution: Political attribution refers to the public identification of an actor that policymakers (or authorised personnel) hold responsible for a cyber incident. Policymakers regularly consider how the severity of the cyber incident relates to the potential consequences of this public ascription of political and/or legal responsibility.
- Legal Attribution: Legal attribution refers to the ascription of legal responsibility of an actor for violating international and/or national law, e.g., through criminal prosecution or indictment of an actor for carrying out a cyber incident. Legal attribution may pursue the following goals: establishing legal accountability of the responsible actors, deterring similar future incidents, establishing primary legal rules for acceptable behaviour in cyberspace, and standards of proof for legal attribution.
CIA Triad of Information Security
The CIA Triad is a heuristic model that organisations use to evaluate and thus ensure the security of their information. The acronym stands for Confidentiality, Integrity, and Availability of (private) information. Organisations should review every decision that has significance for their information security against these three essential components.
- Confidentiality: Confidentiality determines the limits of access rights of users to information. Only a person authorised to do so should have the right to access, keep (know), and, if necessary, change the information. If an unauthorised person obtains access without respective rights, the confidentiality of the information is violated.
- Integrity: Integrity refers to the state of protection of information from unauthorised alteration. If a piece of information has been tampered with by an unauthorised user, then the integrity of that information is violated. Thus, integrity measures ensure that information accessed by the user is trustworthy.
- Availability: Availability refers to the accessibility of information. It must be ensured that a piece of information is accessible by an authorised user in a timely and uninterrupted way. If information is not accessible to an authorised user, then availability is violated.
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is an open industry standard for determining the severity of security vulnerabilities along three categories of metrics. The base category rates a vulnerability along metrics that remain the same over time. The temporal category evaluates a vulnerability along metrics that change over time. The environmental category evaluates a vulnerability along metrics relevant to a particular computer system. A numerical score from 0 to 10 is then assigned in each category. Depending on the final score, the severity of the vulnerability is classified as Low, Medium, High, or Critical. The purpose of the CVSS is to establish a measurement system that is comparable between organisations and, in particular, to prioritise severe vulnerabilities and their remediation.
- User Interaction: User interaction is a metric in the base category of the Common Vulnerability Scoring System. It captures whether an action by a user other than the initiator is necessary to exploit a vulnerability successfully. The severity of a vulnerability is higher if no such user action is necessary, i.e., exploitation depends only on the initiator, and lower if a user's action is required, so that exploitation does not depend only on the initiator.
A cyber attack is defined as the use of computational technology in cyberspace for disruptive or destructive purposes. Common goals of cyber attacks are disrupting information availability or causing physically devastating effects, e.g., if the targeted networks are connected to critical infrastructure. They are also called "Cyber Network Attacks" (CNA), in contrast to "Cyber Network Exploitation" (CNE), which does not result in disruptive effects.
A cyber campaign involves a series of interrelated cyber operations over time. The interrelated cyber incidents may differ in their technical and operational execution, but they all share an overarching strategic objective. As a result, a cyber campaign develops a cumulative advantage for the attacker over other cyber actors.
A cyber incident refers to the singular successful technical breach of information security to the detriment of the targeted computer system, its information system, network, and/or the included information. In theory, a cyber incident can also be caused by technical failures or human errors.
A cyber operation refers to the singular or multiple uses of information technology against a computer system to achieve operational goals, e.g., in military contexts. Cyber attacks and cyber espionage can usually pursue these operational goals. Thus, cyber operations can be CNAs and CNEs.
A cyber proxy is an actor causing a cyber incident on behalf of a beneficiary. Both the cyber proxy and the beneficiary can be state or non-state actors, although the beneficiary is usually a state. The dependency relationship between cyber proxy and beneficiary may vary, ranging from state-integrated to state-ignored cyber proxies. The beneficiary uses cyber proxies to obfuscate or plausibly deny political and/or legal responsibility for a cyber incident, as well as to compensate for the lack of state resources in the cyber domain.
Data corruption refers to the loss of integrity of information. This means that the information is not in its expected condition, which can negatively impact the functioning of affected programmes and systems. Data corruption occurs unintentionally due to programme errors, or intentionally as part of cyber incidents by malicious cyber actors.
Data exfiltration refers to the unauthorised transfer of information from a computer or computer system to an unauthorised system. Data exfiltration is a breach of confidentiality in information security. The most common cause is cyber incidents by malicious cyber actors, but it can also be enabled by analogue means, e.g., through the theft of USB sticks.
Data theft is a type of cyber incident that is initiated in order to gather information from a targeted computer or computer system. Although the data or information is not "lost" for the target, which still possesses it, the data is no longer confidential. Data theft can be motivated by political, financial, economic and personal interests. If state actors are involved, it is regularly called "Cyber Espionage."
Doxxing refers to the disclosure of information without the permission of the originator. The term doxxing originally referred to personal information. In the context of cyber incidents, the subsequently-published information is usually stolen first via hacking activities. This combination is often referred to as “hack-and-leak.”
Disruption is a type of cyber incident with the goal of taking an information technology process/service out of service. A disruption violates the availability of information security. The disruption can cause a temporary or permanent effect. Typical examples of disruptions are (Distributed) Denials of Service, website defacements, or wipers.
A denial of service is a disruptive cyber attack and refers to the targeted overload of data traffic in order to interrupt a webserver. A denial of service (DoS) occurs between a computer system and a targeted computer system. A distributed denial of service (DDoS) occurs between a large number of infected computer systems, a so-called botnet, and a targeted computer system. DDoS attacks mainly impact the availability of targeted systems.
A website defacement is a disruptive cyber attack and refers to the unauthorised modification of website content, often combined with a DDoS. However, it usually causes no severe and lasting damages to the targeted systems.
An exploit is a programme that utilises vulnerabilities in software and/or hardware. An exploit can be used first to find a vulnerability and then to alter the execution sequence of the originally written code so that the manipulated code is activated. In the context of cyber incidents, exploits are mainly used to enable unauthorised access to a computer or computer system.
Hijacking is a type of cyber incident with the goal of gaining control of a computer or computer system. Hijacking includes intrusion and privilege escalation within the controlled network(s). Technical characteristics are, among others, the use of command-and-control servers and invasive malware, such as wiper malware. Hijacking enables an attacker to cause potentially devastating damage not only to the affected networks, but also to connected physical systems.
- Hijacking without misuse: Hijacking without misuse refers to a cyber incident in which a cyber actor has successfully penetrated a computer or computer system and escalated its privileges without performing subsequent malicious actions. Cyber actors penetrate computers or computer systems without abusing the escalated privileges because they want to gain strategic access for potential future cyber operations, via the creation of so-called “beachheads.”
- Hijacking with misuse: Hijacking with misuse refers to a cyber incident in which a cyber actor has successfully penetrated a computer or computer system, escalated its privileges, and performed subsequent malicious acts. Hijacking is a prerequisite for data theft and disruption in many cyber incidents. However, there can also be other forms of misuse, such as the unauthorised rerouting of bank transfers, enabled via hacking.
An incident type categorises coded cyber incidents with regard to the observed effect/impact, e.g., whether data has been stolen (data theft) or a website has been disrupted (disruption). Hijacking with or without misuse is a more technically oriented supplementary category, indicating whether the attackers gained deeper access to the targeted networks, thereby allowing for more sophisticated attacks. In addition, EuRepoC also differentiates between data theft and data theft & doxxing. Since 2022, EuRepoC also codes the incident type "ransomware."
Malware is a collective term for all types of harmful software programmes. The goal of malware is to perform unwanted or harmful functions in a targeted computer or computer system. From a technical perspective, almost any software can be transformed into malware via malicious abuse.
MITRE ATT&CK is a publicly available framework for the technical description and classification of cyber incidents. The framework consists of 14 categories (tactics), each of which contains techniques and sub-techniques.
- Initial access: Initial access is a category under the MITRE ATT&CK framework and includes nine techniques that use different attack vectors to gain an initial foothold in a computer or computer system.
- Impact: Impact is a category under the MITRE ATT&CK framework and contains 13 techniques that cyber actors use to violate the availability or integrity of information.
The payload is the part of transmitted data that carries the actual message, as opposed to the headers and metadata needed to deliver it. In the context of cyber incidents, the payload is the part of the data in which a cyber actor hides malware disguised as a harmless message.
Phishing is a technique in which a malicious cyber actor obtains information by posing as a trustworthy person. In the context of cyber incidents, cyber actors typically use phishing to gain initial access to a computer or computer system by sending malicious information in the name of a trustworthy person, usually via email to a targeted individual (spear-phishing). The malicious email may contain either an attachment or a link that leads to the computer being infected with malicious software.
Sinkholing describes a technique used to neutralise malicious attacks by directing internet activity to a different part of a network or server so that the targeted part remains secure.