This table displays publicly disclosed cyber incidents.

What does the Cyber Incidents page contain?

The cyber incidents tracker contains data collected from existing public repositories regarding disclosed cyber incidents of several types and severity. All data is open source.

Six different public databases are used:

1. OT specific databases:

   • TI Safe Incident Hub
   • ICS STRIVE

2. General IT/OT databases:

   • KonBriefing
   • CISSM Cyber Attacks Database
   • Hackmageddon
   • European Repository of Cyber Incidents (EuRepoC)

It's important to note that the incidents in the table may appear duplicated due to the aggregation of data from multiple databases. This approach, while efficient for initial analysis, does not involve a thorough deduplication process, which can lead to some redundancy.

This table displays the victim profile dataset with enriched data from incidents and non-incidents used for attractiveness.

What is the victim profile dataset?

This page displays different insights from the dataset built in the DICYME project for developing the Attractiveness concept. You can read about this indicator in Indicators > Attractiveness.

We have built a dataset that contains targeted entities that appear in public databases where confirmed cyber incident victims are reported. These databases are the European Repository of Cyber Incidents (EuRepoC), Hackmageddon, Jam Cyber, TI Safe Incident Hub, KonBriefing, CISSM Cyber Attacks Database, and ICS STRIVE. We complete the dataset with similar entities that have not reported incidents. For the incidents, they can be one of the following four categories:

1. Data breach: a threat to confidentiality.
2. Destruction: a threat to integrity.
3. Denial of service: a threat to availability.
4. Ransomware: a potential threat to confidentiality, integrity, and availability.

Which data makes up the dataset?

For each incident or non-incident, we have collected its date, the entity name and the incident type, if so. We have also collected the following information about the entity, divided in three groups:

1. Basal attractiveness: an entity may more attractive to an adversary mainly based on its static features, also called firmographic data.

   • Country: headquarters location based on country.
   • Category: entity sector provided by RocketReach tool.
   • Revenue: annual billing of the entity (USD).
   • Earnings: annual profit of the entity (USD).
   • Publicly traded: whether it is listed on the stock exchange (true/false).
   • Employees: size of the entity regarding the number of employees.
   • Profitable: whether it is for-profit (true/false).

2. Online reputation: an entity may be more attractive to an adversary based on its online reputation, defined as the result of what users, customers, or employees write, communicate, and share anywhere on the Internet based on their perceptions and experiences at any moment of their relationship, direct or indirect, with the entity.

   The value of Online reputation is dynamic and comes from a formula that takes into account both the Interactions and Reach of each mention of the entity in social media and social networks.

3. Victimisation: an entity may be more attractive to an adversary if it is often mentioned in underground forums or specific dark websites, or perceived as an approachable victim. Additionally, the entity may become more attractive if there are public data breaches. It's made up of two different concepts:

   • Critic Info: number of direct mentions in dark web leaks.
   • Devices: number of visible devices connected to the Internet.

We hope to include references to scientific papers we have written developing this concept very soon!

What is the Threat Actors Indicator?

The Threat Actors Indicator is a metric that provides an overview of the threat actor regarding a specific target country and industry. Considering public data from the Electronic Transactions Development Agency (ETDA), we compute different partial scores regarding the activity of the actor, its capacity and the target.

The Indicator is composed of three partial scores:

1. Activity score: involves the last_activity_date field, and decreases as the last activity date gets farther away.
2. Capacity score: takes into account the different possible values of objectives field.
3. Target score: this score involves the target_countries, target_regions and target_industries, and requires a target facility_country, facility_region, facility_border_countries and facility_industry.

What is Attractiveness?

This page allows you to discover the Attractiveness concept and understand which elements does it involve and how do they affect to the final indicator.

Attractiveness is the possession of features or the exhibition of behaviours in entities that raise interest for potential adversaries. Thus, the more significant the attractiveness value is, the greater the proneness of an entity to be attacked.

This attractiveness concept is decomposed into three main branches:

1. Basal attractiveness: relevance of the entity in the world.
2. Online reputation: the opinion of individuals and the reach of the entity.
3. Victimisation: the interest that the entity arouses for potential attackers.

You can read about the dataset used for this concept in Data > Victim profile.

We hope to include references to scientific papers we have written developing this concept very soon!

What is CVE2TTPs?

CVE2TTPs is a Machine Learning model that relates Common Vulnerabilities and Exposures (CVE) to Tactics, Techniques and Procedures (TTPs) from the MITRE ATT&CK framework.

This is an important concept in cybersecurity, as it helps to understand the practical exploitation of vulnerabilities in a structured manner, linking specific software vulnerabilities (CVE entries) to known adversary behaviors TTPs. This practice is crucial for threat intelligence, incident response, and risk management, as it bridges the gap between vulnerabilities in software and how attackers might exploit them in real-world scenarios.