
How to Identify the Type of Incident

Each incident class below is listed with its incident examples and a description (the table columns are Incident Classification, Incident examples and Description).

Abusive content
Incident examples: Spam; Harmful Speech; Child/Sexual/Violence; ...
Description: Spam – unsolicited bulk email – means that the recipient did not give permission to receive it and the message is part of a larger set of messages with identical content. This category also includes emails or websites containing discriminatory or defamatory content, pornography, promotion of violence, and similar material.

Malicious Code
Incident examples: Virus; Worm; Trojan; Spyware; Dialler; Rootkit
Description: Software that is intentionally included or inserted into a system with malicious intent. Activation of the code usually requires user interaction.

Information Gathering
Incident examples: Scanning; Sniffing; Social engineering
Description: Scanning refers to sending requests to a system to identify weaknesses. This includes testing processes used to gather information about devices, services, and accounts, such as fingerd, DNS queries, ICMP, SMTP (EXPN, RCPT, …), etc. Sniffing involves monitoring and recording network traffic for this purpose. Social engineering refers to obtaining information from people using non-technical methods (deception, tricks, threats).

Intrusion Attempts
Incident examples: Exploiting known vulnerabilities; Login attempts; New attack signature
Description: An attempt to compromise a system or disrupt a service by exploiting a vulnerability with a standardized identifier (e.g., CVE), such as buffer overflow, backdoor, XSS (cross-site scripting), etc. This category also includes repeated unsuccessful login attempts (guessing, brute-force attacks) as well as attempts using previously unknown methods.

Intrusions
Incident examples: Privileged account compromise; Unprivileged account compromise; Application compromise; Bot
Description: Successful compromise of a system or application (service). This may occur remotely by exploiting known or new vulnerabilities, or through unauthorized local access.

Availability
Incident examples: DoS; DDoS; Sabotage; Outage (no malice)
Description: In this type of attack, a system is overwhelmed with such a volume of packets that operations are delayed or the system crashes. Examples of remote DoS attacks include SYN flooding, ping flooding, email bombing (DDoS: TFN, Trinity, …). Availability may also be affected by local actions (destruction, power outage, etc.), force majeure, spontaneous failures, or human error, without malicious intent or gross negligence.

Information Content Security
Incident examples: Unauthorised access to information; Unauthorised modification of information
Description: In addition to local misuse of data and systems, information security may be compromised through successful account or application compromise. Attacks may also intercept and access information during transmission (wiretapping, spoofing or hijacking). Causes may also include human, configuration, or software errors.

Fraud
Incident examples: Unauthorized use of resources; Copyright; Masquerade; Phishing
Description: This includes the use of resources for unauthorized purposes, including financial gain (e.g., participation in illegal chain emails or pyramid schemes). It also includes the sale and installation of unlicensed copies of commercial software or other copyrighted materials. Furthermore, it includes attacks where one entity illegitimately impersonates another for benefit, as well as phishing (pretending to be another entity to trick users into revealing private credentials).

Vulnerable
Incident examples: Software/service vulnerabilities; configuration errors; unpatched systems
Description: Open resolvers, printers accessible to the public, vulnerabilities identified by tools such as Nessus, outdated antivirus signatures, etc.

Other
Incident examples: All incidents which do not fit in one of the given categories should be put into this class.
Description: If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.

Test Event
Incident examples: Any activity intended to test the above-mentioned incident types.
Description: Any activity intended to test the above-mentioned incident types.

https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy