Menu
Browse

CODEBOOK

CIA Posture
Cyber security involves safeguarding the Confidentiality, Integrity, and Availability (CIA) of information systems. These three principles form the foundation of effective cyber security:

  • Confidentiality: Ensures that sensitive information is accessed only by authorised individuals, preventing data breaches and unauthorised disclosures.
  • Integrity: Protects the accuracy and reliability of data by preventing unauthorised modifications or tampering, ensuring that the information remains trustworthy.
  • Availability: Ensures that information systems and data are accessible when needed by authorised users, minimising downtime caused by cyber attacks or system failures.
By adhering to the CIA triad, organisations can better protect their digital assets from evolving cyber threats.
STIX Motives

Below is the list of potential motives or motivations for cyber incidents, based on STIX 2.1. Reference:
STIX Attack Motivation Vocabulary

Motive Description
Accidental A non-hostile actor whose benevolent or harmless intent inadvertently causes harm.

For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.
Coercion Being forced to act on someone else's behalf.

Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.
Dominance A desire to assert superiority over someone or something else.

Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks.
Ideology A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts.

Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty.

For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.
Notoriety Seeking prestige or to become well known through some activity.

Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience.
Organizational Gain Seeking advantage over a competing organization, including a military organization.

Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.
Personal Gain The desire to improve one’s own financial status.

Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft.

While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.
Personal Satisfaction A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc.

Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.
Revenge A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization.

A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.
Unpredictable Acting without identifiable reason or purpose and creating unpredictable events.

Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims.
STIX Industry Sectors

Below is the list of STIX Industry Sectors, based on STIX 2.1. Reference:
STIX Industry Sector Vocabulary

Type Description
Agriculture The production of food, crops, and livestock for human consumption.
Aerospace The design, development, and manufacturing of aircraft and spacecraft.
Automotive Manufacturing and design of vehicles for personal and commercial use.
Chemical Production and distribution of chemicals, from industrial to consumer products.
Commercial Retail, trade, and business sectors focused on selling goods and services.
Communications Industries responsible for telephone, broadcasting, and internet communications.
Construction Building infrastructure including roads, bridges, and buildings.
Defense Government and military sectors involved in national security and defense technology.
Education Institutions focused on academic learning and research.
Energy The generation and distribution of power, including oil, gas, and renewable energy.
Entertainment Industries related to media, film, music, and other forms of entertainment.
Financial Services Institutions like banks, investment firms, and payment processors.
Government Emergency Services Services related to law enforcement, fire departments, and emergency medical response.
Government Local Local government agencies and services at the municipal or county level.
Government National National-level government bodies and agencies.
Government Public Services Public-facing government services including social services and welfare programs.
Government Regional Regional or state-level government agencies and services.
Healthcare Organizations and professionals involved in medical care and public health.
Hospitality & Leisure Hotels, restaurants, and tourism-related services.
Infrastructure - Dams Management and operation of dam systems for water control and power generation.
Infrastructure - Nuclear Industries focused on the development and management of nuclear power plants.
Infrastructure - Water Management of water systems for consumption and sanitation purposes.
Insurance Companies providing risk management through insurance policies.
Manufacturing Industries involved in the production of goods and materials.
Mining Extraction of minerals, metals, and other natural resources.
Non-Profit Organizations that provide services and operate without a profit motive.
Pharmaceuticals Development, production, and marketing of drugs and medical treatments.
Retail Businesses involved in the sale of goods directly to consumers.
Technology Companies focused on software, hardware, and technology development.
Telecommunications Industries involved in providing communication services, including mobile and internet.
Transportation Industries focused on moving people and goods via air, land, and sea.
Utilities Provision of essential services such as electricity, gas, and water.
STIX Threat Actor Types

Below is the list of STIX Threat Actor Types, based on STIX 2.1. Reference:
STIX Threat Actor Type Vocabulary

Type Description
Activist Highly motivated supporter of a social or political cause, aiming to disrupt an organization’s business model or damage its image. This category includes anarchists, cyber vandals, and hacktivists.
Competitor An organization aiming to gain an advantage over a rival by stealing intellectual property, trade secrets, or business data.
Crime Syndicate An enterprise organized to conduct large-scale criminal activity for profit, often associated with organized crime.
Criminal Individuals or small groups committing crimes, often for personal financial gain. Common activities include intellectual property theft and extortion.
Hacker Individuals who break into networks for the thrill or challenge, using either advanced skills or pre-made attack scripts.
Insider-Accidental Non-hostile insiders who unintentionally expose the organization to harm through human error or lack of training.
Insider-Disgruntled Current or former insiders seeking revenge, potentially leveraging extensive internal knowledge to harm the organization.
Nation-State Actors working for or on behalf of a government, often with sophisticated tools, resources, and training to conduct espionage or political attacks.
Sensationalist Individuals or small groups seeking fame by exposing sensitive information to cause public relations crises, without political goals.
Spy Actors collecting sensitive information for use, dissemination, or sale, typically part of a well-resourced intelligence organization.
Terrorist Individuals or groups using violence or cyber techniques to promote political or ideological goals, often raising funds through criminal activity.
Unknown Actors whose motivations or identities cannot yet be determined due to insufficient information.
Tactics, Techniques & Procedures (TTPS)

Below is a list of tactics, techniques, and procedures (TTPs) definitions, aligned with those used in the CISSM Events database:

Name Description
Message Manipulation Interfering with the target's ability to communicate accurately. Examples: Hijacking social media accounts, defacing websites with political messages.
External Denial of Service Attacks from outside the network to disrupt communication. Examples: DDoS attacks like ICMP flood, SYN flood, BGP hijack.
Internal Denial of Service Disruption from within the network. Examples: Resetting routers, installing disruptive malware on file servers.
Data Attack Manipulation, destruction, or encryption of data. Examples: Wiper viruses, ransomware, altering data with stolen credentials.
Physical Attack Using IT components to damage physical systems. Examples: Manipulating PLCs to cause grid shutdowns, overheating a blast furnace.
Exfiltration from Sensors Theft of data from peripheral devices. Example: Compromising PoS devices to steal credit card data.
Exfiltration from End Host Theft of data from user devices. Examples: Malicious links, using compromised credentials.
Exfiltration from Network Infrastructure Theft via networking equipment. Example: VPNFilter malware compromising routers.
Exfiltration from Application Server Exploiting server vulnerabilities to steal data. Examples: SQL injection, direct access to email servers.
Exfiltration from Data in Transit Intercepting data in transit. Example: Unencrypted data stolen from PoS devices or unsecured Wi-Fi.