Events are our method of communicating some activity taking place against a seed within your organisation.
We align to NIST SP 800-61, and assign every event a priority ranging from 1 (most important) to 5 (least important).
Specifically, we consider the following factors:
- Functional Impact: A measure of the actual, ongoing impact to the organization. In many cases (e.g., scans and probes or a successfully defended attack), little or no impact may be experienced due to the incident.
- Observed Activity: This considers what is known about threat actor activity on the network.
- Actor Characterization: Attribution of an incident to a particular actor set and understanding the skill levels and intentions of that actor.
- Potential Impact: The potential impact value is calculated from statistics about the seed in question, such as the sensitivity of its location and the degree of protection in place.
This priority assignment should be used to drive urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.
Priority 1 – Emergency
An Emergency priority event poses an imminent and critical threat.
Priority 2 – Severe
A Severe priority event is likely to result in a significant impact.
Priority 3 – High
A High priority event is likely to result in a demonstrable impact.
Priority 4 – Medium
A Medium priority event may lead to a degree of negative impact.
Priority 5 – Low
A Low priority event is unlikely to cause a negative impact.
A baseline priority event is highly unlikely to cause any negative impact.
The bulk of events will likely fall into the baseline priority level, with many of them being routine observations of benign activity.