| Incident Classification | Incident examples | Description |
|---|---|---|
| Abusive content | Spam | Spam – unsolicited bulk email – means that the recipient did not give permission to receive it and the message is part of a larger set of messages with identical content. This category also includes emails or websites containing discriminatory or defamatory content, pornography, promotion of violence, and similar material. |
| Malicious Code | Virus | Software that is intentionally included or inserted into a system with malicious intent. Activation of the code usually requires user interaction. |
| Information Gathering | Scanning | Scanning refers to sending requests to a system to identify weaknesses. This includes testing processes used to gather information about devices, services, and accounts, such as fingerd, DNS queries, ICMP, SMTP (EXPN, RCPT, …), etc. Sniffing involves monitoring and recording network traffic for this purpose. Social engineering refers to obtaining information from people using non-technical methods (deception, tricks, threats). |
| Intrusion Attempts | Exploiting known vulnerabilities | An attempt to compromise a system or disrupt a service by exploiting a vulnerability with a standardized identifier (e.g., CVE), such as buffer overflow, backdoor, XSS (cross-site scripting), etc. This category also includes repeated unsuccessful login attempts (guessing, brute-force attacks) as well as attempts using previously unknown methods. |
| Intrusions | Privileged account compromise | Successful compromise of a system or application (service). This may occur remotely by exploiting known or new vulnerabilities, or through unauthorized local access. |
| Availability | DoS | In this type of attack, a system is overwhelmed with such a volume of packets that operations are delayed or the system crashes. Examples of remote DoS attacks include SYN flooding, ping flooding, email bombing (DDoS: TFN, Trinity, …). Availability may also be affected by local actions (destruction, power outage, etc.), force majeure, spontaneous failures, or human error, without malicious intent or gross negligence. |
| Information Content Security | Unauthorised access to information | In addition to local misuse of data and systems, information security may be compromised through successful account or application compromise. Attacks may also intercept and access information during transmission (wiretapping, spoofing or hijacking). Causes may also include human, configuration, or software errors. |
| Fraud | Unauthorized use of resources | This includes the use of resources for unauthorized purposes, including financial gain (e.g., participation in illegal chain emails or pyramid schemes). It also includes the sale and installation of unlicensed copies of commercial software or other copyrighted materials. Furthermore, it includes attacks where one entity illegitimately impersonates another for benefit, as well as phishing (pretending to be another entity to trick users into revealing private credentials). |
| Vulnerable | Software/service vulnerabilities, configuration errors, unpatched systems | Open resolvers, printers accessible to the public, vulnerabilities identified by tools such as Nessus, outdated antivirus signatures, etc. |
| Other | | All incidents which do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised. |
| Test Event | Any activity intended to test the above-mentioned incident types | Any activity intended to test the above-mentioned incident types. |
https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy