Rules

Introduction to INSCT’s Rule-Based National Significant Identification System

INSCT has built a rule-based system to identify cyber incidents of national significance. Our system has two parts:

  1. The first part is a data schema to describe incidents.
  2. The second part is a set of rules to determine nationally significant incidents from the stored data …

Scoring Rules: NIST NVD vs. INSCT CyberINS

NIST’s National Vulnerability Database distinguishes between levels of vulnerability according to a generalized notion of significant impact.

However, NIST offers no criteria or standards explaining why the Common Vulnerability Scoring System (CVSS) scale is divided this way. NVD simply links its “Vulnerability Severity Ratings” of “low,” “medium,” and “high” to the numeric CVSS scores.

Thus, NIST vulnerabilities are labeled:

  • “Low” severity if they have a CVSS base score of 0.0-3.9.
  • “Medium” severity if they have a CVSS base score of 4.0-6.9.
  • “High” severity if they have a CVSS base score of 7.0-10.0.

INSCT, however, has analyzed this US-CERT NVD-based data using a new concept of factors and rules that measure national cybersecurity risks. The CyberINS tool scoring rules build on six critical event attributes:

  1. Victim
  2. Attacker/Motive
  3. Action
  4. Asset
  5. Corrective action
  6. Impact

These factors differ from both the NVD-reported scores (based on the CVSS v2 system) and the US-CERT scores (based on NVD data), and they are used to generate gross scores that identify incidents of national significance. In general, each analytical process is calculated using six or more basic metrics.

Cyber Incident Scoring Components by Database

| INSCT INS | NVD CVSS | US-CERT (CVSS score) | |
| --- | --- | --- | --- |
| Victim | Access Vector | Access Vector | Primary Vendor/Product |
| Attacker/Motive | Access Complexity | Access Complexity | Vulnerability Description |
| Action | Authentication | Authentication | Report Date |
| Asset | Confidentiality Impact | Confidentiality Impact | Source/Patch Info |
| Corrective Action | Integrity Impact | Integrity Impact | Severity Rating |
| Impact | Availability Impact | Availability | |

In INSCT’s data schema, the six cyber event attributes (e.g., victim, attacker/motive) are defined according to identifying characteristics. For instance, the “victim” attribute is categorized according to the victim’s industry and revenue, and these sub-attributes are further sorted by various descriptors, such as healthcare, government, finance, or education for industry, and US$100-200 million, US$200-500 million, etc. for revenue.

Using this taxonomy, the CyberINS web application allocates a point value to each of the six attributes to produce a final score of the incident’s national significance. INSCT’s scoring rules (and the other two analytics) use an ascending 10-point scale, with higher scores reflecting more severe cyber events.

Whereas NVD scores are determined by the affected vendor, INSCT’s CyberINS tool determines scores based on the nature of the event. Each attribute characteristic is scored along three lines:

  • Neutral characteristics receive a point value of “0” because they are not seen as determining an incident’s national significance.
  • More critical characteristics receive a point value of “1” because they contribute to an incident’s determination as “nationally significant.”
  • Extremely critical characteristics, such as particularly sensitive industries (e.g., the defense industry), are automatically assigned a point value of “10” to immediately identify an “incident of national significance.”
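The sketch below is an added example, not INSCT's code: it applies the 0/1/10 point rules to an incident described by the six attributes and, for comparison, maps a CVSS base score to the NVD severity bands listed earlier. The rule table entries (apart from the defense industry scoring 10), the attribute key names, the sample incidents, and the aggregation (sum of points capped at 10) are assumptions.

```python
ATTRIBUTES = ("victim", "attacker_motive", "action", "asset",
              "corrective_action", "impact")

# Hypothetical rule table: (attribute, characteristic) -> 0, 1 or 10 points.
# Only "defense industry -> 10" comes from the page; other rows are constructed.
RULES = {
    ("victim", "defense"): 10, ("victim", "finance"): 1,
    ("victim", "education"): 0,
    ("attacker_motive", "espionage"): 1, ("attacker_motive", "unknown"): 0,
    ("action", "malware"): 1,
    ("asset", "database"): 1, ("asset", "workstation"): 0,
    ("corrective_action", "none"): 1, ("corrective_action", "patched"): 0,
    ("impact", "data_loss"): 1, ("impact", "none"): 0,
}

def nvd_severity(base_score):
    """NVD severity label for a CVSS base score, using the bands above."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be within 0.0-10.0")
    if base_score < 4.0:
        return "low"
    return "medium" if base_score < 7.0 else "high"

def score_incident(incident):
    """Return (score, auto_flagged) for a dict keyed by ATTRIBUTES."""
    missing = [a for a in ATTRIBUTES if a not in incident]
    if missing:
        raise ValueError(f"incident lacks attributes: {missing}")
    points = []
    for attr in ATTRIBUTES:
        key = (attr, incident[attr])
        if key not in RULES:
            # Refuse to guess: an unclassified characteristic needs a rule.
            raise KeyError(f"no rule for {key}")
        points.append(RULES[key])
    auto_flagged = 10 in points  # one extremely critical trait decides
    # Assumption: final score is the sum of points, capped at the scale's 10.
    return min(10, sum(points)), auto_flagged

# Constructed sample incidents.
BANK = {"victim": "finance", "attacker_motive": "espionage",
        "action": "malware", "asset": "database",
        "corrective_action": "none", "impact": "data_loss"}
DEFENSE = {"victim": "defense", "attacker_motive": "unknown",
           "action": "malware", "asset": "workstation",
           "corrective_action": "patched", "impact": "none"}

if __name__ == "__main__":
    print(score_incident(BANK), score_incident(DEFENSE), nvd_severity(6.9))
```
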

INSCT’s CyberINS rules were developed following a review of existing incident databases and industry metrics, including the DHS/US-CERT Federal Incident Reporting Guidelines, the Center for Internet Security (CIS) Security Metrics v1.1.0, and Verizon’s Vocabulary for Enterprise Risk and Incident Sharing (VERIS) for documenting data breaches.

Examples: CyberINS Taxonomy & Scoring Rule Scale

This visualization of INSCT’s CyberINS tool taxonomy uses an example that categorizes a hypothetical cyber event affecting a large commercial bank, using the “Victim” and “Attacker” attributes.

[Figure: CyberINS_Taxonomy_Fig1]
[Figure: CyberINS_Taxonomy_Fig2]

The following chart provides an example of the CyberINS tool scoring rules on a low-to-high-scale:

[Figure: CyberINS_Taxonomy_Fig3]