Schedule 8 - Management Information and KPIs CIE
- Madeleine Laband
- Jonathan Ellwood
- Sam Eastwood
Management Information
Revisions: |
|
|
Date: | Author: | Description: |
26/10/2023 | Jonathan Ellwood | First Version Published |
Assured Service Providers (ASPs) are required to report the following information to IASME on a calendar monthly basis in relation to Cyber Incident Exercising activities.
The requirement to provide this information applies to all actions carried out by the ASP in relation to Incident Exercising irrespective of whether the client was referred to the ASP in relation to the NSCS Level 2 scheme.
For the avoidance of doubt, the timely sharing of this information is a key part of the ASP role. ASPs who are unable or unwilling to share this information will not be able to be part of the scheme.
The Delivery Partner will provide instructions on how this information shall be shared. The expectation is via the use of an online platform, but there may be occasions when the information is requested to be sent using a different method.
ID | Metric | Column Header to be used to report metric | Values Required |
1 | Activity Type
| The type of exercise delivery.
| IR WORKSHOP TTX LIVEPLAY |
2 | NCSC involvement | Whether the NCSC was involved in the exercise delivery.
| Y N |
3 | NCSC Reference | Reference number provided by NCSC where there was NCSC involvement.
| Ref. No. (eg. CIM-9999) NONE |
4 | The Customer organisational type | Customer Type | Public Private Non-Profit |
5 | The Customer sector (using NCSC Sector Groups)
| Customer Sector | (Refer to Look up table for values) |
6 | The Customer size (using NCSC definitions)
Note: Use the guidelines below to determine organisation size:
Large enterprises: 250 employees or more Medium-sized enterprises: 50 to 249 employees. Small enterprises: 10 to 49 employees. Micro enterprise 1-9 employees. Sole Trader 1 employee
| Customer Organisation Size | Large Medium Small Micro Sole Trader
|
7 | Cyber Essentials certification | The level of Cyber Essentials certification held by the customer. | NONE CYBER ESSENTIALS CYBER ESSENTIALS+ |
Supplementary questions to be included where an incident occurred on a network or system covered by Cyber Essentials:
8 | Cyber Essentials review with the NCSC | Whether the Customer is prepared to engage with the NCSC to review the application of Cyber Essentials in relation to the incident | Y N N/A |
9 | Cyber Advisor usage | Whether the Customer used a Cyber Advisor in gaining Cyber Essentials | Y N N/A |
|
|
|
|
10 | The initial access method (https://attack.mitre.org/tactics/TA0001/ )
Note: there could be multiple entries per incident or exercise reported, so drop-down options not possible.
(Refer to the ATT&CK table and also include the additional options listed for unidentified access methods) | Initial access (TA001) | (Refer to the ATT&CK table. Data to be entered using TA001 values and not descriptors eg. T1200; separated by semi-colons where there is more than one value).
|
11 | Vulnerabilities exploited for initial access
| Vulnerabilities exploited | List any CVEs believed to have been exploited; separated by semi-colons where there is more than one value |
12 | Exfiltration (https://attack.mitre.org/tactics/TA0010/ )
Note: there could be multiple entries per incident or exercise reported, so drop-down options not possible.
Refer to the ATT&CK table and also include the additional options listed for unidentified exfiltration methods) | Exfiltration (TA0010) | (Refer to the ATT&K table. Data to be entered using TA010 values and not descriptors eg. T1030; separated by semi-colons where there is more than one value).
|
13 | The incident impact (https://attack.mitre.org/tactics/TA0040/ )
Note: there could be multiple entries per incident or exercise reported, so drop-down options not possible.
Refer to the ATT&CK table and also include the additional options listed for unidentified impact)
| Impact (TA0040) | (Refer to the ATT&CK table. Data to be entered using TA0040 values and not descriptors eg. T1565; separated by semi-colons where there is more than one value).
|
14 | Threat Actor Type (https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_tqbl8z36yoir - section 10.22)
| Threat Actor Type | (Refer to Look up tables for values) |
15 | Actor Sophistication (https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_tqbl8z36yoir - section 10.24)
| Actor Sophistication | (Refer to Look up tables for values |
The following lookup tables of values should be used in relation to the fields above where “refer to look up table for values” is specified:
Look-up tables for drop-down values
Customer Sector |
Customer Size | Customer Type | Actor Sophistication |
Academia | Sole Trader | Public | None |
Automotive | Micro | Private | Minimal |
Charity | Small | Non-Profit | Intermediate |
Chemicals | Medium |
| Advanced |
Civil Nuclear | Large |
| Expert |
Construction |
|
| Innovator |
Consultancy |
|
| Strategic |
Defence |
|
|
|
Diplomacy | Actor Type |
|
|
Emergency Services | Activist |
|
|
Energy – Electricity | Competitor |
|
|
Energy – Gas | Crime-Syndicate |
|
|
Energy – Oil | Criminal |
|
|
Engineering | Hacker |
|
|
Environmental | Insider-Accidental |
|
|
Finance | Insider-Disgruntled |
|
|
Food | Nation-State |
|
|
Health | Sensationalist |
|
|
HMG - Agencies and Public Bodies | Spy |
|
|
HMG - Devolved Administrations | Terrorist |
|
|
HMG - High Profile Groups | Unknown |
|
|
HMG - Local Government |
|
|
|
HMG - Ministerial Departments |
|
|
|
HMG - Non-Ministerial Departments |
|
|
|
HMG - Public Corporations |
|
|
|
IT |
|
|
|
Intelligence |
|
|
|
Law Enforcement |
|
|
|
Legal |
|
|
|
Leisure |
|
|
|
Managed Services |
|
|
|
Manufacturing |
|
|
|
Media |
|
|
|
Membership Organisations |
|
|
|
Mining |
|
|
|
Pharmaceuticals |
|
|
|
Political |
|
|
|
Postal Services |
|
|
|
Property |
|
|
|
R&D |
|
|
|
Retail |
|
|
|
Telecoms |
|
|
|
Transport – Aviation |
|
|
|
Transport – Maritime |
|
|
|
Transport – Rail |
|
|
|
Transport – Road |
|
|
|
Waste Management |
|
|
|
Water |
|
|
|
Other |
|
|
|
ATT&CK codes to be used for related drop-down values. Additional values to also be added to each related column.
TA0001 - Initial Access | ||
T1189 | Drive-by Compromise | |
T1190 | Exploit Public-Facing Application | |
T1133 | External Remote Services | |
T1200 | Hardware Additions | |
T1566 | Phishing | |
T1566 | 0.001 | Spearphishing Attachment |
T1566 | 0.002 | Spearphishing Link |
T1566 | 0.003 | Spearphishing via Service |
T1091 | Replication Through Removable Media | |
T1195 | Supply Chain Compromise | |
T1195 | 0.001 | Compromise Software Dependencies and Development Tools |
T1195 | 0.002 | Compromise Software Supply Chain |
T1195 | 0.003 | Compromise Hardware Supply Chain |
T1199 | Trusted Relationship | |
T1078 | Valid Accounts | |
T1078 | 0.001 | Default Accounts |
T1078 | 0.002 | Domain Accounts |
T1078 | 0.003 | Local Accounts |
T1078 | 0.004 | Cloud Accounts |
|
| |
|
| |
TA0010 - Exfiltration | ||
T1020 | Automated Exfiltration | |
T1020 | 0.001 | Traffic Duplication |
T1030 | Data Transfer Size Limits | |
T1048 | Exfiltration Over Alternative Protocol | |
T1048 | 0.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
T1048 | 0.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
T1048 | 0.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
T1041 | Exfiltration Over C2 Channel | |
T1011 | Exfiltration Over Other Network Medium | |
T1011 | 0.001 | Exfiltration Over Bluetooth |
T1052 | Exfiltration Over Physical Medium | |
T1052 | 0.001 | Exfiltration over USB |
T1567 | Exfiltration Over Web Service | |
T1567 | 0.001 | Exfiltration to Code Repository |
T1567 | 0.002 | Exfiltration to Cloud Storage |
T1029 | Scheduled Transfer | |
T1537 | Transfer Data to Cloud Account | |
|
| |
|
| |
TA0040 - Impact | ||
T1531 | Account Access Removal | |
T1485 | Data Destruction | |
T1486 | Data Encrypted for Impact | |
T1565 | Data Manipulation | |
T1565 | 0.001 | Stored Data Manipulation |
T1565 | 0.002 | Transmitted Data Manipulation |
T1565 | 0.003 | Runtime Data Manipulation |
T1491 | Defacement | |
T1491 | 0.001 | Internal Defacement |
T1491 | 0.002 | External Defacement |
T1561 | Disk Wipe | |
T1561 | 0.001 | Disk Content Wipe |
T1561 | 0.002 | Disk Structure Wipe |
T1499 | Endpoint Denial of Service | |
T1499 | 0.001 | OS Exhaustion Flood |
T1499 | 0.002 | Service Exhaustion Flood |
T1499 | 0.003 | Application Exhaustion Flood |
T1499 | 0.004 | Application or System Exploitation |
T1495 | Firmware Corruption | |
T1490 | Inhibit System Recovery | |
T1498 | Network Denial of Service | |
T1498 | 0.001 | Direct Network Flood |
T1498 | 0.002 | Reflection Amplification |
T1496 | Resource Hijacking | |
T1489 | Service Stop | |
T1529 | System Shutdown/Reboot | |
Additional drop-down values for unknown information (to be included as extra values for all 3 ATT&CK data requested)
Additional Options |
|
N0001 | No activity of this kind was identified |
N0002 | Unable to answer as required data doesn't exist anymore due to configuration of customer environment |
N0003 | Unable to answer as required data doesn't exist anymore due to actions taken by attacker |
N0004 | Customer didn't request this to be investigated |
N0005 | Other Reason |
© The IASME Consortium Ltd 2023 All rights reserved