
# New Frontiers of Cybersecurity: The Cyber Taxonomy of ACN
In the increasingly complex landscape of cybersecurity, a fundamental aspect is the classification of incidents. In this regard, the Cyber Taxonomy of ACN (TC-ACN) aims to serve as a new Italian standard, officially adopted in July 2024. This tool provides a common platform for describing cybersecurity events and incidents, helping to overcome the terminological fragmentation that currently characterizes the sector.
## Objectives of the ACN Taxonomy
The primary aim of TC-ACN is to create a uniform language that facilitates communication and information exchange among the various entities involved in cybersecurity management. With a well-defined methodological structure, TC-ACN is designed to be a valuable support for sharing information related to cyber events, as well as for properly reporting incidents to CSIRT Italia.
This new standard stands out for its level of detail, which goes well beyond traditional incident classification models. While ENISA’s “Reference Incident Classification Taxonomy” is based on 11 classes and 32 types of incidents, TC-ACN offers a much more detailed perspective, with a total of 144 attributes and 22 predicates organized into four main macro-categories.
## The Four Macro-Categories of TC-ACN
The ACN taxonomy is divided into four macro-categories, each providing specific and detailed information about incidents:
1. **Baseline Characterization (BC)**: This category represents the starting point for incident analysis. It covers the initial (level-zero) stage of the investigation, which includes assessing the damages incurred, the nature of the attack, and its extent. Additionally, it helps define the geographic and organizational boundaries of the event, thus offering a comprehensive view of the situation.
2. **Threat Type (TT)**: This section delves into the technical aspects related to the incident, analyzing the vulnerabilities exploited and the attack techniques used (e.g., phishing, malware, system exploits, etc.). This level of detail is crucial for understanding attack methods and preventing future threats.
3. **Threat Actor (TA)**: Here, the origin and responsibility for the attack are highlighted. The actor who perpetrated the incident may be an individual, an organized criminal group, an insider, or even a state entity. Understanding the motivations and resources available to the actor allows for a more precise assessment of the risks associated with the incident and the adoption of appropriate countermeasures.
4. **Additional Context (AC)**: Finally, this category gathers additional details that may influence the understanding of the event and response strategies. It includes information on affected systems (servers, endpoints, specific networks), any correlations with previous events, security tools in use, and potential escalation scenarios.
## A Paradigm Shift
Unlike ENISA’s traditional taxonomy, which tends to categorize events into rigid classes (such as availability, fraud, information gathering, etc.), TC-ACN adopts a more expressive approach. It is inspired by vulnerability management according to the Common Vulnerability Scoring System (CVSS), providing descriptive vectors that more thoroughly outline the type of threat, its origin and motivation, impact, techniques, and systems involved.
For example, a TC-ACN vector such as “BC:IM-DE BC:RO-MA BC:SE-HI BC:VG-IT” would indicate an incident that led to the exposure of sensitive data on national territory, classified as severe, and caused by malicious acts. The ability to express this much information in a single vector allows incidents to be characterized from multiple perspectives, facilitating both threat mitigation and information sharing among all parties involved.
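As an added illustration (not code from the article or from ACN), the following small parser reads a vector in the notation described above, groups predicates by macro-category and reports malformed or duplicated tokens instead of dropping them silently. The token shape `<macro>:<predicate>-<attribute>` and the readings of the four example predicates are assumptions inferred from the article's own gloss of the vector, not the official TC-ACN attribute list.

```python
import re

# The four macro-categories the article lists.
MACRO_CATEGORIES = {"BC", "TT", "TA", "AC"}

# Token shape assumed from the page's example "BC:IM-DE":
# <macro>:<predicate>-<attribute>, tokens separated by spaces.
TOKEN_RE = re.compile(r"^([A-Z]{2}):([A-Z]{2})-([A-Z]{2})$")

# Readings of the page's example tokens, inferred from the article's own
# gloss of the vector (an assumption; not the official attribute list).
EXAMPLE_GLOSS = {
    ("BC", "IM", "DE"): "impact: exposure of sensitive data",
    ("BC", "RO", "MA"): "root cause: malicious act",
    ("BC", "SE", "HI"): "severity: high",
    ("BC", "VG", "IT"): "geography: Italian national territory",
}

def parse_tc_acn_vector(vector: str) -> dict:
    """Split a vector into predicates, grouped by macro-category.

    Returns {"predicates": [(macro, pred, attr), ...],
             "by_macro": {macro: {pred: attr}}, "errors": [...]}.
    A malformed token, an unknown macro-category, or a predicate that
    appears twice in the same macro-category is reported as an error.
    """
    result = {"predicates": [], "by_macro": {}, "errors": []}
    for token in vector.split():
        m = TOKEN_RE.match(token)
        if not m:
            result["errors"].append(f"malformed token: {token!r}")
            continue
        macro, pred, attr = m.groups()
        if macro not in MACRO_CATEGORIES:
            result["errors"].append(f"unknown macro-category in {token!r}")
            continue
        bucket = result["by_macro"].setdefault(macro, {})
        if pred in bucket:
            result["errors"].append(f"duplicate predicate {macro}:{pred}")
            continue
        bucket[pred] = attr
        result["predicates"].append((macro, pred, attr))
    return result

def describe(vector: str) -> list:
    """One human-readable line per predicate, plus one line per error."""
    parsed = parse_tc_acn_vector(vector)
    lines = [EXAMPLE_GLOSS.get(p, f"{p[0]}:{p[1]}-{p[2]} (no gloss available)")
             for p in parsed["predicates"]]
    return lines + [f"error: {e}" for e in parsed["errors"]]

if __name__ == "__main__":
    for line in describe("BC:IM-DE BC:RO-MA BC:SE-HI BC:VG-IT"):
        print(line)
```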
## Implementing the Cyber Taxonomy of ACN
Adopting TC-ACN presents challenges, as the…