Cyber Incidents tracker
This table displays publicly disclosed cyber incidents.
What does the Cyber Incidents page contain?
The cyber incidents tracker contains data collected from existing public repositories regarding disclosed cyber incidents of several types and severity. All data is open source.
Six different public databases are used:
- OT specific databases:
  - TI Safe Incident Hub
  - ICS STRIVE
- General IT/OT databases:
  - KonBriefing
  - CISSM Cyber Attacks Database
  - Hackmageddon
  - European Repository of Cyber Incidents (EuRepoC)
It's important to note that the incidents in the table may appear duplicated due to the aggregation of data from multiple databases. This approach, while efficient for initial analysis, does not involve a thorough deduplication process, which can lead to some redundancy.
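Because the tracker merges rows from several databases without deduplicating them, the same incident may surface under slightly different victim names and dates. The following is an added example (not part of the dashboard or the DICYME code) of the kind of check an analyst can run over the aggregated rows before counting incidents: it normalises victim names and groups rows that fall within a few days of each other. The records, the suffix list and the three-day window are constructed assumptions.

```python
import re
from datetime import date
from typing import Dict, List

# Constructed sample rows shaped like aggregated tracker entries (not real incidents).
RECORDS: List[dict] = [
    {"source": "Hackmageddon", "date": date(2024, 3, 12), "victim": "Acme Water Utility", "type": "Ransomware"},
    {"source": "KonBriefing", "date": date(2024, 3, 13), "victim": "ACME Water Utility Inc.", "type": "Ransomware"},
    {"source": "EuRepoC", "date": date(2024, 3, 12), "victim": "Acme Water Utility", "type": "Data breach"},
    {"source": "ICS STRIVE", "date": date(2024, 5, 2), "victim": "Northwind Manufacturing", "type": "Ransomware"},
]

# Corporate suffixes that different databases add or drop (assumed list).
SUFFIXES = {"inc", "ltd", "llc", "sa", "sl", "gmbh", "plc", "corp", "co"}


def normalise_name(name: str) -> str:
    """Lower-case, keep alphanumeric tokens only and drop corporate suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in SUFFIXES)


def group_probable_duplicates(records: List[dict], window_days: int = 3) -> List[dict]:
    """Group rows with the same normalised victim whose dates lie within window_days
    of the group's first row. Incident type is deliberately ignored: two sources may
    classify one event differently, which is exactly what an analyst should review."""
    groups: List[dict] = []
    for rec in sorted(records, key=lambda r: r["date"]):
        key = normalise_name(rec["victim"])
        for g in groups:
            if g["key"] == key and abs((rec["date"] - g["first_date"]).days) <= window_days:
                g["records"].append(rec)
                break
        else:
            groups.append({"key": key, "first_date": rec["date"], "records": [rec]})
    return groups


def duplicate_summary(records: List[dict], window_days: int = 3) -> Dict[str, List[str]]:
    """Map each probable duplicate (normalised victim) to the sources reporting it."""
    groups = group_probable_duplicates(records, window_days)
    return {
        g["key"]: sorted({r["source"] for r in g["records"]})
        for g in groups
        if len(g["records"]) > 1
    }


if __name__ == "__main__":
    for victim, sources in duplicate_summary(RECORDS).items():
        print(f"{victim}: reported by {', '.join(sources)}")
```

The grouping is intentionally conservative: it only flags candidates for review and never drops rows, so the redundancy the page warns about is made visible without silently discarding an incident that two sources classify differently.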
Victim profile dataset
This table displays the victim profile dataset with enriched data from incidents and non-incidents used for attractiveness.
What is the victim profile dataset?
This page displays different insights from the dataset built in the DICYME project for developing the Attractiveness concept. You can read about this indicator in Indicators > Attractiveness.
We have built a dataset that contains targeted entities that appear in public databases where confirmed cyber incident victims are reported. These databases are the European Repository of Cyber Incidents (EuRepoC), Hackmageddon, Jam Cyber, TI Safe Incident Hub, KonBriefing, CISSM Cyber Attacks Database, and ICS STRIVE. We complete the dataset with similar entities that have not reported incidents. Each incident falls into one of the following four categories:
- Data breach: a threat to confidentiality.
- Destruction: a threat to integrity.
- Denial of service: a threat to availability.
- Ransomware: a potential threat to confidentiality, integrity, and availability.
Which data makes up the dataset?
For each incident or non-incident, we have collected its date, the entity name and, where applicable, the incident type. We have also collected the following information about the entity, divided into three groups:
- Basal attractiveness: an entity may be more attractive to an adversary mainly because of its static features, also called firmographic data.
  - Country: headquarters location based on country.
  - Category: entity sector provided by the RocketReach tool.
  - Revenue: annual billing of the entity (USD).
  - Earnings: annual profit of the entity (USD).
  - Publicly traded: whether it is listed on a stock exchange (true/false).
  - Employees: size of the entity in number of employees.
  - Profitable: whether it is for-profit (true/false).
- Online reputation: an entity may be more attractive to an adversary because of its online reputation, defined as the result of what users, customers or employees write, communicate and share anywhere on the Internet, based on their perceptions and experiences at any moment of their direct or indirect relationship with the entity. The value of Online reputation is dynamic and comes from a formula that takes into account both the Interactions and the Reach of each mention of the entity in social media and social networks.
- Victimisation: an entity may be more attractive to an adversary if it is often mentioned in underground forums or on specific dark websites, or is perceived as an approachable victim. The entity may also become more attractive if it has suffered public data breaches. It is made up of two concepts:
  - Critic Info: number of direct mentions in dark web leaks.
  - Devices: number of visible devices connected to the Internet.
We hope to include references to scientific papers we have written developing this concept very soon!
Logarithmic transformation of data
Logarithmic transformation is an option inside the histogram card, located at the bottom left. You can choose whether or not to apply it for continuous numeric variables. This technique is particularly useful for interpreting data with large ranges, as it enhances pattern visibility and mitigates the influence of extreme values.
When logarithms are applied to the data, the function being used is:
$$ f(x) = \text{sign}(x) \cdot \log(|x|) $$
In particular, if \( x>0 \), this simplifies to:
$$ f(x) = \log(x) $$
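The signed logarithm above is what lets the histogram show negative earnings alongside large positive revenues on one compressed scale. The following is an added example (not the dashboard's own code) implementing that transformation and showing how it shrinks the range of a few constructed earnings figures. Two points are this example's own choices rather than the page's: the natural logarithm is used (the page does not state the base), and x = 0, where the formula is undefined, is mapped to 0 so that a zero-valued entity stays on the axis.

```python
import math
from typing import Iterable, List


def signed_log(x: float) -> float:
    """f(x) = sign(x) * log(|x|), as quoted on the page.

    The page's formula is undefined at x = 0; returning 0.0 there is this
    example's assumption, chosen so zero revenue or earnings keep a position
    on the transformed axis instead of raising an error.
    """
    if x == 0:
        return 0.0
    # copysign applies sign(x) to log(|x|); for x > 0 this is plain log(x).
    return math.copysign(math.log(abs(x)), x)


def transform(values: Iterable[float]) -> List[float]:
    """Apply the signed logarithm to every value of a continuous numeric variable."""
    return [signed_log(v) for v in values]


def value_range(values: Iterable[float]) -> float:
    """Spread of a variable (max - min), used here to compare raw and transformed data."""
    vals = list(values)
    return max(vals) - min(vals)


# Constructed annual earnings (USD) for four entities: a loss-making company,
# a small firm, a break-even result and a very large profit.
SAMPLE_EARNINGS: List[float] = [-2_000_000.0, 5_000.0, 0.0, 3_000_000_000.0]


if __name__ == "__main__":
    print("raw range:        ", value_range(SAMPLE_EARNINGS))
    print("transformed range:", round(value_range(transform(SAMPLE_EARNINGS)), 2))
    for raw, tr in zip(SAMPLE_EARNINGS, transform(SAMPLE_EARNINGS)):
        print(f"{raw:>18,.0f} -> {tr:8.3f}")
```

Note that values in (-1, 1) other than 0 still map to the open interval around zero with the sign flipped relative to their magnitude (for example 0.5 maps to a negative number), which is why the transformation is offered only for variables whose magnitudes are well above 1, such as revenue or employee counts.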
Intrusion Detection Systems
What does the Intrusion Detection Systems page contain?
This page contains data collected from Nozomi Networks Guardian, a manufacturer of Intrusion Detection Systems. The data shown is a set of indicator values; each indicator measures something different. Each indicator is associated with a facility. There are a total of 4 facilities. Each indicator also has an associated scope:
Indicator ID | Indicator name | Indicator scope |
---|---|---|
1 | Count of Cyber Assets in Scope | Per Site |
2 | Count of Cyber Assets in Scope | Per Network |
4 | Count of Cyber Assets discovered Passively by Datasource | Per Site |
5 | Count of Cyber Assets discovered Passively by Datasource | Per Network |
6 | Count of Cyber Assets known by Datasource | Per Site |
7 | Count of Cyber Assets known by Datasource | Per Network |
8 | Count of Cyber Assets that have Vulnerability Data | Per Site |
9 | Count of Cyber Assets that have been Assessed for Vulnerabilities | Per Site |
10 | Count of Cyber Assets that have been Assessed for Vulnerabilities | Per Network |
11 | Count of Vulnerabilities (last 365 days) | Per Cyber Asset |
12 | Count of Vulnerabilities (last 365 days) | By Severity (CVSS) |
15 | Count of Vulnerabilities (last 365 days) | Per Network |
16 | Count of Vulnerabilities (last 365 days) | Purdue Level |
17 | Count of Vulnerabilities (last 365 days) | Per Site |
18 | Count of Open Vulnerabilities (current) | Per Cyber Asset |
19 | Count of Open Vulnerabilities (current) | By Severity (CVSS) |
22 | Count of Open Vulnerabilities (current) | Per Site |
27 | % of Cyber Assets that have been Assessed for Vulnerabilities | Per Site |
28 | Mean Age of Open Vulnerabilities (by CVE Publish Date) | Per Cyber Asset |
29 | Mean Age of Open Vulnerabilities (by CVE Publish Date) | By Severity (CVSS) |
32 | Mean Age of Open Vulnerabilities (by CVE Publish Date) | Per Network |
33 | Mean Age of Open Vulnerabilities (by CVE Publish Date) | Purdue Level |
34 | Mean Age of Open Vulnerabilities (by CVE Publish Date) | Per Site |
35 | Count of Closed Vulnerabilities (last 365 days) | Per Cyber Asset |
36 | Count of Closed Vulnerabilities (last 365 days) | By Severity (CVSS) |
39 | Count of Closed Vulnerabilities (last 365 days) | Per Network |
40 | Count of Closed Vulnerabilities (last 365 days) | Purdue Level |
41 | Count of Closed Vulnerabilities (last 365 days) | Per Site |
42 | % of Vulnerabilities Closed (last 365 days) | Per Cyber Asset |
43 | % of Vulnerabilities Closed (last 365 days) | By Severity (CVSS) |
46 | % of Vulnerabilities Closed (last 365 days) | Per Network |
47 | % of Vulnerabilities Closed (last 365 days) | Purdue Level |
48 | % of Vulnerabilities Closed (last 365 days) | Per Site |
49 | Mean Time to Remediate Vulnerabilities (by CVE Publish Date) | Per Cyber Asset |
50 | Mean Time to Remediate Vulnerabilities (by CVE Publish Date) | By Severity (CVSS) |
53 | Mean Time to Remediate Vulnerabilities (by CVE Publish Date) | Per Network |
54 | Mean Time to Remediate Vulnerabilities (by CVE Publish Date) | Purdue Level |
55 | Mean Time to Remediate Vulnerabilities (by CVE Publish Date) | Per Site |
62 | Count of Cyber Assets in Scope | Purdue Level |
63 | Count of Cyber Assets discovered Passively by Datasource | Purdue Level |
64 | Count of Cyber Assets where Platform is Known | Per Site |
65 | Count of Cyber Assets where Platform is Known | Per Network |
66 | Count of Cyber Assets where Platform is Known | Purdue Level |
67 | Count of Cyber Assets that have been Assessed for Vulnerabilities | Purdue Level |
68 | Count of Cyber Assets known by Datasource | Purdue Level |
74 | % of Cyber Assets that have Vulnerability Data | Per Site |
75 | % of Cyber Assets that have Vulnerability Data | Per Network |
76 | % of Cyber Assets that have Vulnerability Data | Purdue Level |
77 | Count of Cyber Assets that have Vulnerability Data | Per Network |
78 | Count of Cyber Assets that have Vulnerability Data | Purdue Level |
124 | % of Cyber Assets that have been Assessed for Vulnerabilities | Purdue Level |
125 | % of Cyber Assets that have been Assessed for Vulnerabilities | Per Network |
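Most rows of the table are the same few measurements taken at different scopes (per site, per network, per Purdue level, per asset or by CVSS severity), and the percentage and mean-age rows are derived from the count rows. The following is an added example, written for this page and not taken from Nozomi Networks Guardian or the DICYME dashboard, that computes a handful of these indicators from a constructed asset inventory and vulnerability list. The inventory, the vulnerability identifiers (placeholders, not real CVE numbers), the reporting date and the reading of "by CVE Publish Date" as "age measured from the CVE's publication date" are all assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    site: str
    network: str
    purdue_level: int
    has_vuln_data: bool  # the data source holds vulnerability data for this asset
    assessed: bool       # the asset has been assessed for vulnerabilities


@dataclass(frozen=True)
class Vulnerability:
    asset_id: str
    cve_id: str                # placeholder identifiers, not real CVE numbers
    severity: str              # CVSS qualitative rating
    cve_published: date
    closed_on: Optional[date]  # None while the finding is still open


# Constructed inventory (not dashboard data): two sites, two networks, three Purdue levels.
ASSETS: List[Asset] = [
    Asset("plc-01", "Site A", "net-ctrl", 1, True, True),
    Asset("hmi-01", "Site A", "net-sup", 2, True, True),
    Asset("rtu-02", "Site B", "net-ctrl", 1, False, False),
    Asset("eng-ws", "Site B", "net-sup", 3, False, False),
]
VULNS: List[Vulnerability] = [
    Vulnerability("plc-01", "CVE-XXXX-0001", "High", date(2024, 1, 1), None),
    Vulnerability("plc-01", "CVE-XXXX-0002", "Critical", date(2024, 3, 1), date(2024, 6, 1)),
    Vulnerability("hmi-01", "CVE-XXXX-0003", "Medium", date(2024, 5, 1), None),
]
ASOF = date(2024, 7, 1)  # reporting date for the "current" indicators

# Scopes from the table, expressed as grouping keys. Asset scopes key on the asset;
# vulnerability scopes key on the vulnerability together with its asset.
ASSET_SCOPES: Dict[str, Callable[[Asset], object]] = {
    "Per Site": lambda a: a.site,
    "Per Network": lambda a: a.network,
    "Purdue Level": lambda a: a.purdue_level,
}
VULN_SCOPES: Dict[str, Callable[[Vulnerability, Asset], object]] = {
    "Per Cyber Asset": lambda v, a: a.asset_id,
    "By Severity (CVSS)": lambda v, a: v.severity,
    "Per Network": lambda v, a: a.network,
    "Purdue Level": lambda v, a: a.purdue_level,
    "Per Site": lambda v, a: a.site,
}


def count_assets(assets: List[Asset], scope: str,
                 predicate: Callable[[Asset], bool] = lambda a: True) -> Dict[object, int]:
    """Count-type asset indicators (IDs 1-10, 62-68, 77-78): assets matching predicate, per scope."""
    key = ASSET_SCOPES[scope]
    counts: Dict[object, int] = defaultdict(int)
    for a in assets:
        if predicate(a):
            counts[key(a)] += 1
    return dict(counts)


def pct_assets(assets: List[Asset], scope: str,
               predicate: Callable[[Asset], bool]) -> Dict[object, float]:
    """Percentage-type asset indicators (IDs 27, 74-76, 124-125). Only groups that
    contain at least one asset exist, so the division can never be by zero."""
    total = count_assets(assets, scope)
    part = count_assets(assets, scope, predicate)
    return {k: round(100.0 * part.get(k, 0) / n, 1) for k, n in total.items()}


def _grouped_mean_days(vulns: List[Vulnerability], assets: List[Asset], scope: str,
                       day_count: Callable[[Vulnerability], Optional[int]]) -> Dict[object, float]:
    key = VULN_SCOPES[scope]
    by_asset = {a.asset_id: a for a in assets}
    buckets: Dict[object, List[int]] = defaultdict(list)
    for v in vulns:
        a = by_asset.get(v.asset_id)
        if a is None:
            continue  # a finding for an asset outside the inventory is skipped, not guessed
        days = day_count(v)
        if days is not None:
            buckets[key(v, a)].append(days)
    return {k: sum(d) / len(d) for k, d in buckets.items()}


def mean_open_vuln_age(vulns: List[Vulnerability], assets: List[Asset],
                       scope: str, asof: date) -> Dict[object, float]:
    """IDs 28-34: mean age in days of open vulnerabilities, from the CVE publish date."""
    return _grouped_mean_days(
        vulns, assets, scope,
        lambda v: (asof - v.cve_published).days if v.closed_on is None else None)


def mean_time_to_remediate(vulns: List[Vulnerability], assets: List[Asset],
                           scope: str) -> Dict[object, float]:
    """IDs 49-55: mean days from CVE publish date to closure, over closed vulnerabilities."""
    return _grouped_mean_days(
        vulns, assets, scope,
        lambda v: (v.closed_on - v.cve_published).days if v.closed_on else None)


if __name__ == "__main__":
    print("ID 125-style:", pct_assets(ASSETS, "Per Network", lambda a: a.assessed))
    print("ID 34-style: ", mean_open_vuln_age(VULNS, ASSETS, "Per Site", ASOF))
    print("ID 50-style: ", mean_time_to_remediate(VULNS, ASSETS, "By Severity (CVSS)"))
```

Keeping the scope as a named grouping key, rather than writing one function per table row, is what makes the 60-odd indicator IDs manageable: a new scope is one more dictionary entry, and every count, percentage and mean is computed by the same code path.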
Threat Actors Indicator
Target industries (NAICS sectors):
- 11 Agriculture, Forestry, Fishing and Hunting
- 21 Mining
- 22 Utilities
- 23 Construction
- 31-33 Manufacturing
- 42 Wholesale Trade
- 44-45 Retail Trade
- 48-49 Transportation and Warehousing
- 51 Information
- 52 Finance and Insurance
- 53 Real Estate Rental and Leasing
- 54 Professional, Scientific, and Technical Services
- 55 Management of Companies and Enterprises
- 56 Administrative and Support and Waste Management and Remediation Services
- 61 Educational Services
- 62 Health Care and Social Assistance
- 71 Arts, Entertainment, and Recreation
- 72 Accommodation and Food Services
- 81 Other Services (except Public Administration)
- 92 Public Administration
What is the Threat Actors Indicator?
The Threat Actors Indicator is a metric that provides an overview of the threat actors relevant to a specific target country and industry. Using public data from the Electronic Transactions Development Agency (ETDA), we compute partial scores covering the activity of each actor, its capacity and its targets.
The Indicator is composed of three partial scores:
- Activity score: involves the `last_activity_date` field, and decreases as the last activity date gets farther away.
- Capacity score: takes into account the different possible values of the `objectives` field.
- Target score: involves the `target_countries`, `target_regions` and `target_industries` fields, and requires a target `facility_country`, `facility_region`, `facility_border_countries` and `facility_industry`.
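The page names the inputs of each partial score but not the formulas. The following is an added example, written for this page and not the DICYME implementation, of one way to turn those inputs into a score in [0, 1] per actor and facility: the activity score halves with every year since the last activity, the capacity score takes the weight of the most damaging declared objective, and the target score combines a geographic match (country, then bordering country, then region) with an industry match. Every weight, the half-life, the equal-weight average of the three partial scores and the sample actors are assumptions; the objective strings are constructed stand-ins for whatever values the ETDA `objectives` field holds.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ThreatActor:
    name: str
    last_activity_date: Optional[date]   # None when ETDA records no dated activity
    objectives: Set[str]
    target_countries: Set[str]
    target_regions: Set[str]
    target_industries: Set[str]


@dataclass(frozen=True)
class Facility:
    facility_country: str
    facility_region: str
    facility_border_countries: Set[str]
    facility_industry: str


# Assumed weight per objective value (constructed strings, not the ETDA vocabulary).
OBJECTIVE_WEIGHTS: Dict[str, float] = {
    "Sabotage and destruction": 1.0,
    "Financial gain": 0.8,
    "Information theft and espionage": 0.6,
}


def activity_score(actor: ThreatActor, asof: date, half_life_days: float = 365.0) -> float:
    """Decays by half every half_life_days since last_activity_date; 0 when unknown (assumption)."""
    if actor.last_activity_date is None:
        return 0.0
    days = max(0, (asof - actor.last_activity_date).days)
    return 0.5 ** (days / half_life_days)


def capacity_score(actor: ThreatActor) -> float:
    """Weight of the most damaging declared objective; unlisted objectives get a low default."""
    if not actor.objectives:
        return 0.0
    return max(OBJECTIVE_WEIGHTS.get(o, 0.3) for o in actor.objectives)


def target_score(actor: ThreatActor, facility: Facility) -> float:
    """Half geography, half industry. Geography: direct country match beats a bordering
    country match, which beats a region match (all weights assumed)."""
    geo = 0.0
    if facility.facility_country in actor.target_countries:
        geo = 1.0
    elif actor.target_countries & facility.facility_border_countries:
        geo = 0.6
    if facility.facility_region in actor.target_regions:
        geo = max(geo, 0.4)
    industry = 1.0 if facility.facility_industry in actor.target_industries else 0.0
    return 0.5 * geo + 0.5 * industry


def actor_indicator(actor: ThreatActor, facility: Facility, asof: date) -> float:
    """Equal-weight mean of the three partial scores (combination rule assumed)."""
    return (activity_score(actor, asof) + capacity_score(actor) + target_score(actor, facility)) / 3.0


def mean_actor_indicator(actors: List[ThreatActor], facility: Facility, asof: date) -> float:
    """Average indicator over a set of actors, e.g. all actors extracted on one date."""
    if not actors:
        return 0.0
    return sum(actor_indicator(a, facility, asof) for a in actors) / len(actors)


# Constructed sample: one facility and two fictional actors.
FACILITY = Facility("ES", "Europe", {"PT", "FR"}, "22 Utilities")
ACTOR_X = ThreatActor("Actor X (fictional)", date(2024, 1, 1),
                      {"Financial gain", "Information theft and espionage"},
                      {"FR", "DE"}, {"Europe"}, {"22 Utilities", "52 Finance and Insurance"})
ACTOR_Y = ThreatActor("Actor Y (fictional)", None,
                      {"Information theft and espionage"},
                      {"US"}, {"North America"}, {"92 Public Administration"})
ASOF = date(2024, 12, 31)


if __name__ == "__main__":
    for actor in (ACTOR_X, ACTOR_Y):
        print(f"{actor.name}: {actor_indicator(actor, FACILITY, ASOF):.3f}")
    print(f"mean: {mean_actor_indicator([ACTOR_X, ACTOR_Y], FACILITY, ASOF):.3f}")
```

Because the target score uses `facility_border_countries`, an actor that targets a neighbouring country still raises the indicator for a facility, which is the practical reason the page lists border countries as a required input rather than only the facility's own country.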
Attractiveness indicator
What is Attractiveness?
This page allows you to discover the Attractiveness concept and understand which elements it involves and how they affect the final indicator.
Attractiveness is the possession of features or the exhibition of behaviours in entities that raise interest for potential adversaries. Thus, the more significant the attractiveness value is, the greater the proneness of an entity to be attacked.
This attractiveness concept is decomposed into three main branches:
- Basal attractiveness: relevance of the entity in the world.
- Online reputation: the opinion of individuals and the reach of the entity.
- Victimisation: the interest that the entity arouses for potential attackers.
You can read about the dataset used for this concept in Data > Victim profile.
We hope to include references to scientific papers we have written developing this concept very soon!
Logarithmic transformation of data
Logarithmic transformation is an option inside the histograms card. You can choose whether or not to apply it for continuous numeric variables. This technique is particularly useful for interpreting data with large ranges, as it enhances pattern visibility and mitigates the influence of extreme values.
When logarithms are applied to the data, the function being used is:
$$ f(x) = \text{sign}(x) \cdot \log(|x|) $$
In particular, if \( x>0 \), this simplifies to:
$$ f(x) = \log(x) $$
CVE2TTPs model
What is CVE2TTPs?
CVE2TTPs is a Machine Learning model that relates Common Vulnerabilities and Exposures (CVE) to Tactics, Techniques and Procedures (TTPs) from the MITRE ATT&CK framework.
This is an important concept in cybersecurity, as it helps to understand the practical exploitation of vulnerabilities in a structured manner, linking specific software vulnerabilities (CVE entries) to known adversary behaviours (TTPs). This practice is crucial for threat intelligence, incident response and risk management, as it bridges the gap between vulnerabilities in software and how attackers might exploit them in real-world scenarios.
Cyber Risk Quantification Model
About DICYME
DICYME research project
Dynamic Industrial Cyber Risk Modelling based on Evidence (DICYME) research project (CPP2021-009025) addresses the automation of cyber risk and its management in OT cybersecurity environments.
The project examines how threats can differ based on the degree of vulnerability of the target’s infrastructure, the strength of its controls, and external factors such as the interest of the threat agent in conducting an attack.
It is a public-private collaboration project involving the Rey Juan Carlos University and DeNexus TECH SL.
The grant is part of the Spanish State Plan for Scientific, Technical and Innovation Research 2021-2023 and is awarded to public/private programs which seek to promote scientific and technical research. It is part of the wider Recovery, Transformation and Resilience Plan, financed by the European Union’s NextGenerationEU Plan, aimed at building a greener, more digital, and more resilient post-COVID-19 Europe.
DICYME dashboard
This dashboard is part of Activity 3: Visualization and decision-making system.
The goal of the dashboard is to provide a graphical interface that displays data gathered during the project, offering information and aid in decision-making.
Legal disclaimer
All data contained within this website has been acquired from publicly available sources, free of charge, without any restrictions or required credentials; additionally, no private, confidential, proprietary, or classified information (or documentation) from any leaked websites, current or newly discovered, is contained herein.