Incident Types and Taxonomies Used in Cybersec Community


In the face of this complex and multi-faceted landscape of threat actors and IoCs, security experts can benefit greatly from a shared knowledge base of information to draw from. Using commonly understood incident types and taxonomies that help to identify, describe, and map threats and incidents with their correlated behaviors, we can start developing formalized processes for more effective incident response.

It also makes it easier for cybersecurity professionals from different industries, regions, or disciplines to share information, advice, and recommendations. Being aware of, and incorporating, some of the latest and most widely used taxonomies can help you adopt a more proactive security posture.




Important Cybersec Taxonomies and Frameworks

NIST SP 800-30

Created by the National Institute of Standards and Technology (NIST), SP 800-30 is also known as the “Guide for Conducting a Risk Assessment.” The main goal of this document is to help organizations carry out formalized risk assessment procedures to better respond to security threats according to their unique risk profile.

The document lays out a comprehensive risk assessment across a number of steps:

  1. Preparing for an assessment
  2. Conducting an assessment
  3. Communicating results
  4. Maintaining the assessment


However, as part of helping security operatives with threat modelling, SP 800-30 also comes with a set of taxonomies to describe threat sources and incidents (Tables D-1 and D-2):

Taxonomy of Threat Sources

In combination with their other taxonomies and tables, this taxonomy can be used to map out incidents, their markers, effects as well as preventative and response measures. SP 800-30 uses standardized taxonomies, rating scales, and categorizations so that the impact of security-related decisions can be clearly communicated, even to those who are not security experts.

MITRE Shield and ATT&CK

As a federally funded organization and self-described security problem-solving authority, MITRE heads think tanks and public-private partnerships to help solve security challenges related to national security and infrastructure. The ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that lets security professionals use behavior-based threat models to build, test, and refine behavior-based detection capabilities over time.

The knowledge base consists of matrices that map out the common tactics, techniques, and procedures (TTPs) of cybercriminals using common taxonomies.

For example, some of the main attack categories include:

  • Detection
  • Lateral Movement
  • Exfiltration

Under “Detection,” you’ll find sub-categories, such as:

  • Abuse Elevation Control Mechanism
  • Access Token Manipulation
  • BITS Jobs, etc.

The ultimate idea is to create a comprehensive database that correlates common symptoms, behaviors, and techniques of various threats and attacks and to link these to proposed countermeasures.

Once an IoC has been observed, the ATT&CK framework can help answer questions like:

  • How did they get in?
  • How did they move through the network?
  • How did they evade detection?
  • What was their objective?
  • What specific methods did they use?

This could help speed up incident response and forensic analysis, and support the detection and prevention of future incidents.
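The sketch below works through those post-incident questions by tagging observed activity with ATT&CK technique IDs and grouping it by tactic. It is an added example, not code from MITRE or from the original article; the technique IDs and tactic names are from the public ATT&CK Enterprise matrix, while the alert lines, host names, and the question-to-tactic mapping are constructed assumptions.

```python
from collections import defaultdict

# Excerpt of the ATT&CK Enterprise technique -> tactic mapping (small subset for this example).
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1548": ("Abuse Elevation Control Mechanism", ["Privilege Escalation", "Defense Evasion"]),
    "T1197": ("BITS Jobs", ["Defense Evasion", "Persistence"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Post-incident questions, each tied to the tactic(s) whose evidence answers it (assumed mapping).
QUESTIONS = {
    "How did they get in?": ["Initial Access"],
    "How did they move through the network?": ["Lateral Movement"],
    "How did they evade detection?": ["Defense Evasion"],
    "What was their objective?": ["Collection", "Exfiltration", "Impact"],
}

# Constructed alert lines: "<UTC timestamp> <host> <technique id>"
SAMPLE_ALERTS = """\
2024-03-02T11:47:12Z fs-02 T1021
2024-03-02T09:14:07Z ws-041 T1566
2024-03-02T09:20:31Z ws-041 T1548
2024-03-02T10:02:55Z ws-041 T1197
2024-03-02T12:30:40Z fs-02 T1041
2024-03-02T12:31:02Z fs-02 T9999
"""

def parse_alerts(text):
    """Return (timestamp, host, technique_id) tuples in time order; drop malformed lines."""
    rows = (tuple(line.split()) for line in text.splitlines())
    return sorted(r for r in rows if len(r) == 3)

def answer_questions(alerts):
    """Group observed techniques by tactic, then answer each question or flag a gap."""
    by_tactic, unmapped = defaultdict(list), []
    for ts, host, tid in alerts:
        if tid not in TECHNIQUES:
            unmapped.append(tid)  # unknown ID: leave for analyst review
            continue
        name, tactics = TECHNIQUES[tid]
        for tactic in tactics:
            by_tactic[tactic].append(f"{tid} {name} on {host} at {ts}")
    answers = {}
    for question, tactics in QUESTIONS.items():
        hits = [h for t in tactics for h in by_tactic.get(t, [])]
        answers[question] = hits or ["no mapped evidence (visibility gap)"]
    return answers, unmapped
```

A question that comes back with "no mapped evidence" points to a tactic where the organization had no telemetry for this incident, which is where new detections are most needed.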

ENISA – European Union Agency for Network and Information Security

ENISA describes itself as a centre of network and information security expertise for the EU, its member states, the private sector and EU citizens. Its goal is to work towards developing advice and security recommendations as well as promoting good practice when dealing with security-related incidents.

A recently established task force was charged with developing an incident classification taxonomy that can be used by all. Previously, two separate taxonomies were used, namely “Common Taxonomy for Law Enforcement and CSIRTs”, and “ mkVI”.

The new system was based on the latest version of the taxonomy, mkVI:

As you can see, this is one of the most accessible taxonomies to get familiar with. You can find the entire incident taxonomy here. It uses everyday language to categorize and describe cybersecurity incidents almost everyone is aware of.


While there are more incident types and taxonomies out there, these are some of the most widely accepted and used articles you should be aware of. These documents usually come with guidance on how to incorporate and use these taxonomies within your own security operations and are well worth your time to get acquainted with.