
ENISA Threat Taxonomy

A tool for structuring threat information

INITIAL VERSION
1.0
JANUARY 2016

www.enisa.europa.eu European Union Agency For Network And Information Security


ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

About ENISA

The European Union Agency for Network and Information Security (ENISA) is a centre of network and
information security expertise for the EU, its member states, the private sector and Europe’s citizens.
ENISA works with these groups to develop advice and recommendations on good practice in information
security. It assists EU member states in implementing relevant EU legislation and works to improve the
resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing
expertise in EU member states by supporting the development of cross-border communities committed to
improving network and information security throughout the EU. More information about ENISA and its
work can be found at www.enisa.europa.eu.

Author
Louis Marinos, ENISA.

Contact
For contacting the authors please use [email protected]
For media enquiries about this paper, please use [email protected].

Acknowledgements
ENISA would like to thank Jakub Radziulis, iTTi, for his support in the consolidation of the threat taxonomy
on the basis of available ENISA material. We would also like to thank the members of the ENISA ETL
Stakeholder Group for reviewing this material: Paolo Passeri, Consulting, UK, Pierluigi Paganini, Chief
Security Information Officer, IT, Paul Samwel, Banking, NL, Tom Koehler, Consulting, DE, Stavros Lingris,
CERT, EU, Jart Armin, Worldwide coalitions/Initiatives, International, Thomas Häberlen, Member State, DE,
Neil Thacker, Consulting, UK, Margrete Raaum, CERT, NO, Shin Adachi, Security Analyst, US, R. Jane Ginn,
Consulting, US, Lance James, Consulting, US, Polo Bais, Member State, NL.

Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and
editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or
the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not
necessarily represent the state-of-the-art and ENISA may update it from time to time.

Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.

This publication is intended for information purposes only. It must be accessible free of charge. Neither
ENISA nor any person acting on its behalf is responsible for the use that might be made of the
information contained in this publication.

Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2015
Reproduction is authorised provided the source is acknowledged.


Table of Contents

1. Introduction/Method/Sources 4
2. Purpose of threat taxonomy 7
State-of-play and next steps 9
3. ENISA Threat Taxonomy 10


1. Introduction/Method/Sources

The present threat taxonomy is an initial version that has been developed on the basis of available ENISA
material. This material has been used as an ENISA-internal structuring aid for information collection and
threat consolidation purposes. It emerged in the time period 2012-2015. The consolidated threat
taxonomy is an initial version: in 2016, ENISA plans to update and expand it with additional details, such as
definitions of the various threats mentioned.

For the presented threat taxonomy, Cyber Threats should be understood as threats applying to assets
related to information and communication technology. Such threats are materialized mostly in cyberspace,
while some threats included are materialized in the physical world but affect information and cyber-assets.

Besides the ENISA material, the following available threat taxonomies were analysed and, when relevant,
integrated in the current version of the ENISA taxonomy:

- All previous ENISA documents in the area of threat landscape.
- forward-whitebook [1]
- Threat_Taxonomy_Luiijf_Nieuwenhuijs_v5 [2]
- New Data Harmonization - abusehelper Collab [3]
- sp800_150_draft [4]
- Threat Classification Taxonomy Cross Reference View [5]
- Taxonomy of DDoS Attack and DDoS Defense Mechanisms [6]
- Taxonomy Model for Cyber Threat Intelligence Information Exchange Technologies [7]
- Two taxonomies of deception for attacks on information systems [8]
- Basic Concepts and Taxonomy of Dependable and Secure Computing [9]
- 1997_019_001_52455 taxonomy [10]
- sp800_30_r1 threat events [11]
- Threats catalogue IT Grundschutz [12]

[1] http://www.ict-forward.eu/whitebook/, accessed December 2015.
[2] http://www.researchgate.net/profile/Eric_Luiijf/publication/220592994_Extensible_threat_taxonomy_for_critical_infrastructures/links/0a85e53603c15d292b000000.pdf, accessed December 2015.
[3] https://github.com/certtools/intelmq/wiki/Data-Harmonization, accessed December 2015.
[4] http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf, accessed December 2015.
[5] http://projects.webappsec.org/w/page/13246977/Threat%20Classification%20Views, accessed December 2015.
[6] http://www.eecis.udel.edu/~sunshine/publications/ccr.pdf, accessed December 2015.
[7] https://s2erc.georgetown.edu/sites/s2erc/files/CyberISE%20Taxonomy.pdf, accessed December 2015.
[8] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.457.5398&rep=rep1&type=pdf, accessed December 2015.
[9] http://www.nasa.gov/pdf/636745main_day_3-algirdas_avizienis.pdf, accessed December 2015.
[10] http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=52454, accessed December 2015.
[11] http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, accessed December 2015.
[12] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/download/threats_catalogue.html;jsessionid=A72092E049CA62A0A1B8521261DA8381.2_cid368, accessed December 2015.


- INSPIRE-D2.2 str. 23 [13]
- OCTAVE Threat Profiles [14]
- OWASP Application-threat-modeling-24-728 [15]
- eCSIRT.net [16, 17]
- Howard/Longstaff [18]
- Longstaff NCSC 2010 [19]
- CIF API Feed Types v1 [20]
- CIF Taxonomy Assessment v1 [21]
- FICORA [22]
- Andrew Cormack [23]
- SURFcert [24]
- HP Tipping Point Event Taxonomy V 2.2 [25]
- CESNET CERTS [26]
- Warden 2 [27]
- Mentat [28]
- 7-steps-to-threat-modeling-6-638 [29]
- 711_owasp_cats_colored [30]
- A Taxonomy of Operational Cyber Security Risks [31]

The following projects were analysed:

- FORWARD project [32]

[13] http://cordis.europa.eu/project/rcn/87757_en.html, accessed December 2015.
[14] http://www85.homepage.villanova.edu/timothy.ay/MIS2040/OCTAVEthreatProfiles%5B1%5D.pdf, accessed December 2015.
[15] https://www.owasp.org/index.php/Application_Threat_Modeling, accessed December 2015.
[16] http://www.ecsirt.net/cec/service/documents/wp4-clearinghouse-policy-v12.html#HEAD6, accessed December 2015.
[17] http://www.terena.org/activities/tf-csirt/meeting39/20130523-DV1.pdf, accessed December 2015.
[18] http://infoserve.sandia.gov/sand_doc/1998/988667.pdf, accessed December 2015.
[19] https://www.ncsc.nl/conference/conference-2011/speakers/tom-longstaff.html, accessed December 2015.
[20] https://code.google.com/p/collective-intelligence-framework/wiki/API_FeedTypes_v1, accessed December 2015.
[21] https://code.google.com/p/collective-intelligence-framework/wiki/TaxonomyAssessment_v1, accessed
[22] http://personal.inet.fi/koti/erka/Studies/DI/DI_Erka_Koivunen.pdf, accessed December 2015.
[23] http://www.terena.org/activities/tf-csirt/pre-meeting3/TLversion0_2.html, accessed December 2015.
[24] http://www.terena.org/activities/tf-csirt/meeting39/20130523-DV1.pdf, accessed December 2015.
[25] http://h10032.www1.hp.com/ctg/Manual/c03964615, accessed December 2015.
[26] http://archiv.cesnet.cz/doc/techzpravy/2010/otrs-csirt-workflow/, accessed December 2015.
[27] ftp://homeproj.cesnet.cz/tar/warden/warden-client-2.1.tar.gz, accessed December 2015.
[28] https://csirt.cesnet.cz/en/services/mentat, accessed December 2015.
[29] http://www.slideshare.net/chinwhei/7-steps-to-threat-modeling, accessed December 2015.
[30] https://cwe.mitre.org/data/pdf/711_owasp_cats_colored.pdf, accessed December 2015.
[31] http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=9395, accessed December 2015.
[32] http://www.ict-forward.eu/, accessed December 2015.


- VITA project [33]
- NI2S3 project [34]
- IMCOSEC project [35]
- INTERSECTION project [36]
- INSPIRE project [37]
- THREVI2 [38]
- ESCORTS [39]

The developed threat taxonomy consists of the following fields:

- High level threats: this is the top level threat category, used mainly to discriminate families of
threats.
- Threats: this field indicates the various threats within a category.
- Threat details: in this field, details of a specific threat are described. Threat details are based on a
specific attack type/method or on targeting a specific IT asset.

Additional fields can be added depending on the use case of this table (see also next section). In the
information collection, for example, we use some additional fields indicating affected assets, threat agents,
related sources/URLs, etc.
It should be noted that the ENISA threat taxonomy is a living document: during its use within ENISA,
additional threats, references, definitions, etc. can be added. ENISA will publish the threat taxonomy every
time new content has been created and consolidated. Interested individuals may visit the corresponding
location and check the availability of the ENISA threat taxonomy [40].

[33] http://www.researchgate.net/publication/220592994_Extensible_threat_taxonomy_for_critical_infrastructures, accessed December 2015.
[34] http://cordis.europa.eu/result/rcn/58659_en.html, accessed December 2015.
[35] http://cordis.europa.eu/result/rcn/55741_en.html, accessed December 2015.
[36] http://cordis.europa.eu/project/rcn/85347_en.html, accessed December 2015.
[37] http://cordis.europa.eu/project/rcn/87757_en.html, accessed December 2015.
[38] http://www.threvi2.eu/, accessed December 2015.
[39] http://cordis.europa.eu/result/rcn/55021_en.html, accessed December 2015.
[40] https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape#b_start=0, accessed December 2015.


2. Purpose of threat taxonomy

A threat taxonomy is a classification of threat types and threats at various levels of detail. The purpose of
such a taxonomy is to establish a point of reference for threats encountered, while providing a possibility
to shuffle, arrange, amend and detail threat definitions. To this extent, a threat taxonomy is a living
structure that is used to maintain a consistent view on threats on the basis of collected information.
The current version of the ENISA threat taxonomy has been developed over the past years as an internal tool
used in the collection and consolidation of threat information. When collecting information on various
threats, it is very convenient to store similar things together; to this end, a threat taxonomy has been
generated. It is worth mentioning that the initial structure has been updated and consolidated with various
sources of threat information. Most of the threat information included came from existing threat catalogues
in the area of information security, and in particular risk management. Besides the references mentioned in
the introduction section, an overview of further threat catalogues can be found at [41]. Hence, besides
cyber-threats, the ENISA threat taxonomy also contains physical threats that can cause harm to information
technology assets. Yet, due to the focus of ENISA's work on cyber-space, the threat taxonomy presented has a
better maturity in the field of cyber-threats.
As until now the threat taxonomy has been used for the collection and consolidation of cyber-threat
information, only the cyber-threat part of the taxonomy has been maintained and developed further.
Although all information security threat areas are part of the threat taxonomy, those that are not related
to cyber have not evolved over time.
In 2015, ENISA created a consolidated version of these threats, added short descriptions to them and
decided to make this material publicly available as a table by means of this document. The figure below
shows this taxonomy in the form of a mind map, together with some symbols indicating its possible use-cases
(see Figure 1).

[41] http://opensecurityarchitecture.org/cms/images/OSA_images/TC_Comparison.pdf, accessed November 2015.


[Figure 1: mind map, not reproduced in this extraction. Central node "Threats" with the top-level branches Physical attacks; Unintentional damages (accidental); Disasters (natural disasters, environmental disasters); Failures/Malfunctions; Outages; Eavesdropping/Interception/Hijacking; Nefarious Activity/Abuse; Legal; Damage/Loss (IT Assets). Use-case symbols shown on the map: Collecting, Sorting, Consolidating, Asset exposure, Vulnerability exploitation.]

Figure 1: ENISA Threat Taxonomy and its use-cases

In short, the indicated use-cases for the threat taxonomy are:

- Collection: When information is being collected, findings can be grouped around a certain cyber-threat,
although this is often not clearly mentioned in the source text. In the collection phase, the taxonomy serves
as a place to associate various findings under a common threat, thus putting information in context.
- Sorting/Consolidation: When sufficient information has been collected about a cyber-threat, a
consolidated view of the state-of-play may be generated. This information might include trends,
statistics and references. It is then subject to further grouping and prioritisation (i.e. in the form of one
of the top 15 cyber-threats, possibly containing a number of detailed threats).
- Asset exposure: The threats of the taxonomy may be assigned to assets, in order to express the exposure
of an asset to threats. Usually, threats exploit weaknesses/vulnerabilities of assets in order to materialise.
Hence, vulnerabilities/weaknesses may also be assigned to the threats exploiting them, either directly or
indirectly through the assets.
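As an added illustration that is not part of the ENISA document, the three taxonomy fields described in the introduction and the three use-cases above modelled in Python. The rows are a subset of the table in section 3; their parent links (which row is a detail of which threat) are inferred from the row names, and the findings, assets and vulnerabilities are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """One row of the taxonomy table: its line number, its name and the line
    number of its parent row, which places it in the high level threat /
    threat / threat detail hierarchy (None marks a high level threat)."""
    line: int
    name: str
    parent: Optional[int]


# Constructed subset of the rows in section 3; the parent links are inferred
# from the row names and are an assumption of this example, not stated by ENISA.
ROWS = [
    Threat(1, "Physical attack (deliberate/intentional)", None),
    Threat(6, "Theft (of devices, storage media and documents)", 1),
    Threat(7, "Theft of mobile devices (smartphones/tablets)", 6),
    Threat(8, "Theft of fixed hardware", 6),
    Threat(10, "Theft of backups", 6),
    Threat(16, "Unintentional damage / loss of information or IT assets", None),
    Threat(17, "Information leak/sharing due to human error", 16),
    Threat(18, "Accidental leaks/sharing of data by employees", 17),
]

LEVELS = ("high level threat", "threat", "threat detail")


class ThreatTaxonomy:
    def __init__(self, rows):
        self.rows = {r.line: r for r in rows}
        self.findings = defaultdict(list)      # threat line -> collected findings
        self.asset_threats = defaultdict(set)  # asset -> threat lines assigned to it
        self.vuln_threats = defaultdict(set)   # threat line -> vulnerabilities it exploits

    def path(self, line):
        """Line numbers from the high level threat down to `line`."""
        chain = []
        while line is not None:
            if line not in self.rows:
                raise KeyError(f"line {line} is not in the taxonomy")
            chain.append(line)
            line = self.rows[line].parent
        return chain[::-1]

    def level(self, line):
        """Which of the three taxonomy fields a row belongs to."""
        return LEVELS[len(self.path(line)) - 1]

    # Use-case 1, collection: a finding is filed under the most specific threat it
    # matches, which puts it in the context of its threat family automatically.
    def collect(self, finding, line):
        self.path(line)  # rejects line numbers that are not in the taxonomy
        self.findings[line].append(finding)

    # Use-case 2, sorting/consolidation: findings roll up to every ancestor, so the
    # same collection yields counts per threat detail, per threat and per family.
    def consolidate(self):
        counts = Counter()
        for line, items in self.findings.items():
            for ancestor in self.path(line):
                counts[ancestor] += len(items)
        return counts

    # Use-case 3, asset exposure: threats are assigned to assets, and vulnerabilities
    # to the threats exploiting them, directly or indirectly through an exposed asset.
    def expose(self, asset, line):
        self.path(line)
        self.asset_threats[asset].add(line)

    def link_vulnerability(self, vuln, line=None, asset=None):
        """Attach a vulnerability to one threat (direct) or to every threat an
        asset is exposed to (indirect). Returns the threat lines it was attached to."""
        targets = {line} if line is not None else set(self.asset_threats[asset])
        for target in targets:
            self.vuln_threats[target].add(vuln)
        return targets

    def exposure(self, asset):
        """Names of all threats an asset is exposed to, including the ancestors of
        each assigned threat, so a detail-level assignment also reports its family."""
        names = set()
        for line in self.asset_threats[asset]:
            names.update(self.rows[ancestor].name for ancestor in self.path(line))
        return names
```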


The current version of the ENISA threat taxonomy is an initial document whose development will be continued
in 2016. In addition to this document, the ENISA threat taxonomy is going to be published in the form of an
Excel table. Please note that the Excel table contains the fields used in the ENISA collection work, including
additional fields and some examples of the content of these fields.
In its current version, the ENISA threat taxonomy has been reviewed by the ENISA Threat Landscape
Stakeholder Group.

State-of-play and next steps

As indicated in this document, the current version is considered to be “initial”. In 2016, ENISA is going to
invest some effort in amending the threat taxonomy with definitions of the threats and eventually
additional information. In addition, examples are going to be given as they can be found in various reports.
In addition to the tabular form presented in this document, additional formats of the threat taxonomy are
going to be produced and adapted to the various use cases (e.g. Excel sheet, mind maps, etc.). Finally,
feedback received from experts/users of the current version of the taxonomy is going to be included in the
upcoming versions.


3. ENISA Threat Taxonomy

Line
High Level Threats Threats Threat details Comments
number

Physical attack (deliberate/


1 Threats of intentional, hostile human actions.
intentional)

2 Fraud Fraud committed by humans.

Fraud committed by employees or others that are in relation with


3 Fraud committed by employees
entities, who have access to entities' information and IT assets.

Intentional actions (non-fulfilment or defective fulfilment of


4 Sabotage
personal duties) aimed to cause disruption or damage to IT assets.

5 Vandalism Act of physically damaging IT assets.

Theft (of devices, storage media and


6 Stealing information or IT assets. Robbery.
documents)

Theft of mobile devices (smartphones/ Taking away another person's property in the form of mobile
7
tablets) devices, for example smartphones, tablets.

Taking away another person's hardware property (except mobile


8 Theft of fixed hardware
devices), which often contains business-sensitive data.

Stealing documents from private/company archives, often for the


9 Theft of documents
purpose of re-sale or to achieve personal benefits.

Stealing media devices, on which copies of essential information


10 Theft of backups
are kept.

Sharing information with unauthorised entities. Loss of information


confidentiality due to intentional human actions (e.g., information
11 Information leak /sharing
leak may occur due to loss of paper copies of confidential
information).

10
ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

Unauthorized physical access /


12 Unapproved access to facility.
Unauthorised entry to premises

13 Coercion, extortion or corruption Actions following acts of coercion, extortion or corruption.

14 Damage from the warfare Threats of direct impact of warfare activities.

15 Terrorist attack Threats from terrorists.

Unintentional damage / loss


16 Threats of unintentional human actions or errors.
of information or IT assets

Information leak /sharing due to human Information leak / sharing caused by humans, due to their
17
error mistakes.

Accidental leaks/sharing of data by Unintentional distribution of private or sensitive data to an


18
employees unauthorized entity by a staff member.

Threat of leaking private data (a result of using applications for


19 Leaks of data via mobile applications
mobile devices).

20 Leaks of data via Web applications Threat of leaking important information using web applications.

21 Leaks of information transferred by network Threat of eavesdropping of unsecured network traffic.

Information leak / sharing / damage caused by misuse of IT assets


Erroneous use or administration of devices
22 (lack of awareness of application features) or wrong / improper IT
and systems
assets configuration or management.

Loss of information due to maintenance Threat of loss of information by incorrectly performed maintenance
23
errors / operators' errors of devices or systems or other operator activities.

Loss of information due to configuration/ Threat of loss of information due to errors in installation or system
24
installation error configuration.

Threat of unavailability of information due to errors in the use of


25 Increasing recovery time
backup media and increasing information recovery time.

11
ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

Threat of unavailability of information or damage to IT assets


26 Loss of information due to user errors caused by user errors (using IT infrastructure) or IT software
recovery time.

Using information from an unreliable Bad decisions based on unreliable sources of information or
27
source unchecked information.

Unintentional change of data in an Loss of information integrity due to human error (information
28
information system system user mistake).

Threats caused by improper IT assets or business processes design


Inadequate design and planning or
29 (inadequate specifications of IT products, inadequate usability,
improper adaptation
insecure interfaces, policy/procedure flows, design errors).

30 Damage caused by a third party Threats of damage to IT assets caused by third party.

Threats of damage to IT assets caused by breach of security


31 Security failure caused by third party
regulations by third party.

Damages resulting from penetration Threats to information systems caused by conducting IT


32
testing penetration tests inappropriately.

33 Loss of information in the cloud Threats of losing information or data stored in the cloud.

Threats of losing information or data, or changing information


34 Loss of (integrity of) sensitive information
classified as sensitive.

Threat of losing integrity of certificates used for authorisation


35 Loss of integrity of certificates
services.

Loss of devices, storage media and


36 Threats of unavailability (losing) of IT assets and documents.
documents

37 Loss of devices/ mobile devices Threat of losing mobile devices.

38 Loss of storage media Threat of losing data-storage media.

39 Loss of documentation of IT Infrastructure Threat of losing important documentation.

12
ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

Threats of unavailability (destruction) of data and records


40 Destruction of records
(information) stored in devices and storage media.

Threat of loss of important data due to using removable media,


41 Infection of removable media
web or mail infection.

Threat of loss of records by improper /unauthorised use of storage


42 Abuse of storage
devices.

Disaster (natural, Threats of damage to information assets caused by natural or


43
environmental) environmental factors.

Disaster (natural earthquakes, floods,


44 landslides, tsunamis, heavy rains, heavy Large scale natural disasters.
snowfalls, heavy winds)

45 Fire Threat of fire.

Threat of disruption of work of IT systems (hardware) due to


46 Pollution, dust, corrosion
pollution, dust or corrosion (arising from the air).

Threat of damage to IT hardware caused by thunder strike


47 Thunderstrike
(overvoltage).

48 Water Threat of damage to IT hardware caused by water.

49 Explosion Threat of damage to IT hardware caused by explosion.

50 Dangerous radiation leak Threat of damage to IT hardware caused by radiation leak.

Threat of disruption of work of IT systems due to climatic


51 Unfavourable climatic conditions
conditions that have a negative effect on hardware.

Loss of data or accessibility of IT


52 infrastructure as a result of heightened Threat of disruption of work of IT systems due to high humidity.
humidity

Lost of data or accessibility of IT


Threat of disruption of work of IT systems due to high or low
53 infrastructure as a result of very high
temperature.
temperature

13
ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

Threats from space / Electromagnetic Threats of the negative impact of solar radiation to satellites and
54
storm radio wave communication systems - electromagnetic storm.

Threat of destruction of IT assets caused by animals: mice, rats,


55 Wildlife
birds.

Threat of failure/malfunction of IT supporting infrastructure (i.e.


degradation of quality, improper working parameters, jamming).
56 Failures/ Malfunction
The cause of a failure is mostly an internal issue (e.g.. overload of
the power grid in a building).

57 Failure of devices or systems Threat of failure of IT hardware and/or software assets or its parts.

58 Failure of data media Threat of failure of data media.

59 Hardware failure Threat of failure of IT hardware.

60 Failure of applications and services Threat of failure of software/applications or services.

Failure of parts of devices (connectors, plug-


61 Threat of failure of IT equipment or its part.
ins)

Failure or disruption of communication


62 Threat of failure or malfunction of communications links.
links (communication networks)

Threat of failure of communications links due to problems with


63 Failure of cable networks
cable network.

Threat of failure of communications links due to problems with


64 Failure of wireless networks
wireless networks.

Threat of failure of communications links due to problems with


65 Failure of mobile networks
mobile networks.

Threat of failure or disruption of supply required for information


66 Failure or disruption of main supply
systems.

67 Failure or disruption of power supply Threat of failure or malfunction of power supply.

14
ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

Threat of failure of IT assets due to improper work of cooling


68 Failure of cooling infrastructure
infrastructure.

Failure or disruption of service providers Threat of failure or disruption of third party services required for
69
(supply chain) proper operation of information systems.

Malfunction of equipment (devices or Threat of malfunction of IT hardware and/or software assets or its
70
systems) parts (i.e. improper working parameters, jamming, rebooting).

Threat of complete lack or loss of resources necessary for IT


71 Outages infrastructure. The cause of an outage is mostly an external issue
(i.e electricity blackout in the whole city).

72 Absence of personnel Unavailability of key personnel and their competences.

Unavailability of staff due to a strike (large scale absence of


73 Strike
personnel).

Unavailability of support services required for proper operation of


74 Loss of support services
the information system.

75 Internet outage Unavailability of the Internet connection.

76 Network outage Unavailability of communication links.

Threat of lack of communications links due to problems with cable


77 Outage of cable networks
network.

Threat of lack of communications links due to problems with


78 Outage of short-range wireless networks
wireless networks (802.11 networks, Bluetooth, NFC etc.).

Threat of lack of communications links due to problems with


79 Outages of long-range wireless networks mobile networks like cellular network (3G, LTE, GSM etc.) or
satellite links.

Threats that alter communication between two parties. These


Eavesdropping/ Interception/
80 attacks do not have to install additional tools/software on a
Hijacking
victim's site.

15
ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

Threat of locating and possibly exploiting connection to the


81 War driving
wireless network.

Threat of disclosure of transmitted information using interception


82 Intercepting compromising emissions
and analysis of compromising emission.

Threat of interception of information which is improperly secured


83 Interception of information
in transmission or by improper actions of staff.

84 Corporate espionage Threat of obtaining information secrets by dishonest means.

Threats of stealing information by nation state espionage (e.g.


85 Nation state espionage
China based governmental espionage, NSA from USA).

Information leakage due to unsecured Wi-Fi, Threat of obtaining important information by insecure network
86
rogue access points rogue access points etc.

Threat of failure of IT hardware or transmission connection due to


87 Interfering radiation electromagnetic induction or electromagnetic radiation emitted by
an outside source.

Threat in which valid data transmission is maliciously or


88 Replay of messages
fraudulently repeated or delayed.

Network Reconnaissance, Network traffic Threat of identifying information about a network to find security
89
manipulation and Information gathering weaknesses.

90 Man in the middle/ Session hijacking Threats that relay or alter communication between two parties.

Threats of nefarious activities that require use of tools by the


attacker. These attacks require installation of additional
91 Nefarious Activity/ Abuse
tools/software or performing additional steps on the victim's IT
infrastructure/software.

92 Identity theft (Identity Fraud/ Account) Threat of identity theft action.

93 Credentials-stealing trojans Threat of identity theft action by malware computer programs.

Threat of receiving unsolicited email which affects information


94 Receiving unsolicited E-mail
security and efficiency.

16
ENISA Threat Taxonomy
Initial Version | 1.0 | January 2016

95 | SPAM | Threat of receiving unsolicited, undesired, or illegal email messages.
96 | Unsolicited infected e-mails | Threat emanating from unwanted emails that may contain infected attachments or links to malicious / infected web sites.
97 | Denial of service | Threat of service unavailability due to massive requests for services.
98 | Distributed denial of network service (DDoS) (network layer attack i.e. Protocol exploitation / Malformed packets / Flooding / Spoofing) | Threat of service unavailability due to a massive number of requests for access to network services from malicious clients.
99 | Distributed denial of application service (DDoS) (application layer attack i.e. Ping of Death / XDoS / WinNuke / HTTP Floods) | Threat of service unavailability due to massive requests sent by multiple malicious clients.
100 | Distributed DoS (DDoS) to both network and application services (amplification/reflection methods i.e. NTP/ DNS /…/ BitTorrent) | Threat of creating a massive number of requests, using multiplication/amplification methods.
101 | Malicious code/ software/ activity | Threat of malicious code or software execution.
102 | Search Engine Poisoning | Threat of deliberate manipulation of search engine indexes.
103 | Exploitation of fake trust of social media | Threat of malicious activities making use of trusted social media.
104 | Worms/ Trojans | Threat of malware computer programs (trojans/worms).
105 | Rootkits | Threat of stealthy types of malware software.
106 | Mobile malware | Threat of mobile malware programs.
107 | Infected trusted mobile apps | Threat of using mobile malware software that is recognised as trusted.
108 | Elevation of privileges | Threat of exploiting bugs, design flaws or configuration oversights in an operating system or software application to gain elevated access to resources.
109 | Web application attacks / injection attacks (Code injection: SQL, XSS) | Threat of utilizing custom web applications embedded within social media sites, which can lead to installation of malicious code onto computers to be used to gain unauthorized access.
110 | Spyware or deceptive adware | Threat of using software that aims to gather information about a person or organization without their knowledge.
111 | Viruses | Threat of infection by viruses.
112 | Rogue security software/ Rogueware / Scareware | Threat of internet fraud or malicious software that misleads users into believing there is a virus on their computer, and manipulates them into paying money for a fake removal tool.
113 | Ransomware | Threat of infection of a computer system or device by malware that restricts access to it and demands that the user pay a ransom to remove the restriction.
114 | Exploits/Exploit Kits | Threat to IT assets due to the use of web-available exploits or exploit software.
115 | Social Engineering | Threat of social engineering type attacks (target: manipulation of personnel behaviour).
116 | Phishing attacks | Threat of an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites.
117 | Spear phishing attacks | Spear-phishing is a targeted e-mail message that has been crafted to create fake trust and thus lure the victim to unveil some business or personal secrets that can be abused by the adversary.
118 | Abuse of Information Leakage | Threat of leaking important information.
119 | Leakage affecting mobile privacy and mobile applications | Threat of leaking important information due to using malware mobile applications.
120 | Leakage affecting web privacy and web applications | Threat of leaking important information due to using malware web applications.
121 | Leakage affecting network traffic | Threat of leaking important information in network traffic.
122 | Leakage affecting cloud computing | Threat of leaking important information in cloud computing.
123 | Generation and use of rogue certificates | Threat of use of rogue certificates.
124 | Loss of (integrity of) sensitive information | Threat of loss of sensitive information due to loss of integrity.
125 | Man in the middle/ Session hijacking | Threat of attack consisting in the exploitation of the web session control mechanism, which is normally managed by a session token.
126 | Social Engineering / signed malware | Threat of installing fake trust-signed software (malware), e.g. fake OS updates.
127 | Fake SSL certificates | Threat of attack due to a malware application signed by a certificate that is typically inherently trusted by an endpoint.
128 | Manipulation of hardware and software | Threat of unauthorised manipulation of hardware and software.
129 | Anonymous proxies | Threat of unauthorised manipulation by anonymous proxies.
130 | Abuse of computing power of cloud to launch attacks (cybercrime as a service) | Threat of using large computing power to generate attacks on demand.
131 | Abuse of vulnerabilities, 0-day vulnerabilities | Threat of attacks using 0-day or known IT asset vulnerabilities.
132 | Access of web sites through chains of HTTP Proxies (Obfuscation) | Threat of bypassing the security mechanism using HTTP proxies (bypassing the website blacklist).
133 | Access to device software | Threat of unauthorised manipulation by access to device software.
134 | Alteration of software | Threat of unauthorized modifications to code or data, attacking its integrity.
135 | Rogue hardware | Threat of manipulation due to unauthorized access to hardware.
136 | Manipulation of information | Threat of intentional data manipulation to mislead information systems or somebody, or to cover other nefarious activities (loss of integrity of information).
137 | Repudiation of actions | Threat of intentional data manipulation to repudiate an action.
138 | Address space hijacking (IP prefixes) | Threat of the illegitimate takeover of groups of IP addresses.
139 | Routing table manipulation | Threat of routing network packets to IP addresses other than those intended by the sender, via unauthorised manipulation of the routing table.
140 | DNS poisoning / DNS spoofing / DNS Manipulations | Threat of falsification of DNS information.
141 | Falsification of record | Threat of intentional data manipulation to falsify records.
142 | Autonomous System hijacking | Threat of the attacker taking over ownership of a whole autonomous system and its prefixes despite origin validation.
143 | Autonomous System manipulation | Threat of manipulation by the attacker of a whole autonomous system in order to perform malicious actions.
144 | Falsification of configurations | Threat of intentional manipulation due to falsification of configurations.
145 | Misuse of audit tools | Threat of nefarious actions performed using audit tools (discovery of security weaknesses in information systems).
146 | Misuse of information/ information systems (including mobile apps) | Threat of nefarious action due to misuse of information / information systems.
147 | Unauthorized activities | Threat of nefarious action due to unauthorised activities.
148 | Unauthorised use or administration of devices and systems | Threat of nefarious action due to unauthorised use of devices and systems.
149 | Unauthorised use of software | Threat of nefarious action due to unauthorised use of software.
150 | Unauthorized access to the information systems / networks (IMPI Protocol / DNS Registrar Hijacking) | Threat of unauthorised access to the information systems / network.
151 | Network Intrusion | Threat of unauthorised access to a network.
152 | Unauthorized changes of records | Threat of unauthorised changes of information.
153 | Unauthorized installation of software | Threat of unauthorised installation of software.
154 | Web based attacks (Drive-by download / malicious URLs / Browser based attacks) | Threat of installation of unwanted malware software by misusing websites.
155 | Compromising confidential information (data breaches) | Threat of data breach.
156 | Hoax | Threat of loss of IT assets security due to cheating.
157 | False rumour and/or fake warning | Threat of disruption of work due to rumours and/or a fake warning.
158 | Remote activity (execution) | Threat of nefarious action by attacker remote activity.
159 | Remote Command Execution | Threat of nefarious action due to remote command execution.
160 | Remote Access Tool (RAT) | Threat of infection by software that has remote administration capabilities allowing an attacker to control the victim's computer.
161 | Botnets / Remote activity | Threat of penetration by software from malware distribution.
162 | Targeted attacks (APTs etc.) | Threat of sophisticated, targeted attacks which combine many attack techniques.
163 | Mobile malware | Threat of mobile software that aims to gather information about a person or organization without their knowledge.
164 | Spear phishing attacks | Threat of attack focused on a single user or department within an organization, coming from someone within the company in a position of trust and requesting information such as logins, IDs and passwords.
165 | Installation of sophisticated and targeted malware | Threat of malware delivered by sophisticated and targeted software.
166 | Watering Hole attacks | Threat of malware residing on the websites which a group often uses.
167 | Failed business process | Threat of damage or loss of IT assets due to an improperly executed business process.
168 | Brute force | Threat of unauthorised access via systematically checking all possible keys or passwords until the correct one is found.
169 | Abuse of authorizations | Threat of using authorised access to perform illegitimate actions.
170 | Legal | Threat of financial or legal penalty or loss of trust of customers and collaborators due to legislation.
171 | Violation of rules and regulations / Breach of legislation | Threat of financial or legal penalty or loss of trust of customers and collaborators due to violation of law or regulations.
172 | Failure to meet contractual requirements | Threat of financial penalty or loss of trust of customers and collaborators due to failure to meet contractual requirements.
173 | Failure to meet contractual requirements by third party | Threat of financial penalty or loss of trust of customers and collaborators due to a third party's failure to meet contractual requirements.
174 | Unauthorized use of IPR protected resources | Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of IPR protected material (IPR: Intellectual Property Rights).
175 | Illegal usage of File Sharing services | Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of file sharing services.
176 | Abuse of personal data | Threat of illegal use of personal data.
177 | Judiciary decisions/court order | Threat of financial or legal penalty or loss of trust of customers and collaborators due to judiciary decisions/court order.

ENISA
European Union Agency for Network
and Information Security
Science and Technology Park of Crete (ITE)
Vassilika Vouton, 700 13, Heraklion, Greece

Athens Office
1 Vass. Sofias & Meg. Alexandrou
Marousi 151 24, Athens, Greece

PO Box 1309, 710 01 Heraklion, Greece


Tel: +30 28 14 40 9710
[email protected]
www.enisa.europa.eu
