Breach Severity Levels

L0: Prebreach activities

Not a breach yet. Initial compromise: procuring credentials, emailing malware.


L1: Execution on one computer

The adversary is able to execute code on one computer (in most cases via automatically triggered malware).


L2: Command and Control

The adversary has established C&C and has manual shell access.


L3: Discovery (any network)

The adversary has access to the internal network (the ability to scan other computers on the network and to sniff traffic in promiscuous mode).


L4: Discovery (management network)

The adversary is able to reach the management UIs of other computers, appliances and network devices (for example HTTP(S) on TCP 443, Windows RDP on TCP 3389, Linux SSH on TCP 22).


L5: Network manipulation for sniffing

Confirmed traffic subversion (mostly through ARP poisoning) on the subnets that carry the management UIs of other computers, appliances and network devices.


L6: Credential compromise (network-scale privileged account)

Confirmed compromise (not yet the use) of a network-level privileged account, i.e. an administrative account used on multiple computers, such as an MS AD Domain Administrator or a Linux account with wheel group privileges.


L7: Lateral movement with successful execution on the other end

Confirmed lateral movement (pivoting) from one computer to another, with the ability to execute code on the new computer.


L8: Successful login with network-scale privileged account

Confirmed successful login into the UI of one of the central IT management systems, such as an AD Domain Controller or a centralized network/firewall policy solution (a solution from which the security posture of the entire infrastructure can be weakened).


L9: Confirmed network-scale change

Confirmed change made through the UI of one of the central IT management systems, such as an AD Domain Controller or a centralized network/firewall policy solution (a solution from which the security posture of the entire infrastructure can be weakened). Examples: creation of a new service account, AD domain administrator account or similar; issuing new SSL certificates.


L10: Collection

Confirmed access to sensitive data.


L11: Exfiltration

Data exfiltration. This is what is called “an incident”, the event for which all the “incident response” plans are written. In the media and the industry, it’s called “a data breach”.
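A triage helper that places confirmed audit events from a central IT system on the scale above, keeping L8 (a privileged login to a central system) apart from L9 (a change made through it). This is an added example, not part of the original page; the key=value log format, the host names, group names and privileged accounts, and the mapping rules are all assumptions, and the sample lines are constructed.

```python
"""Map confirmed audit events from central IT systems onto the breach
severity scale (L8 = privileged login to a central system, L9 = a change
made through it). Added example; log format, host/group/account names and
the rules below are assumptions, not part of the original page."""
import re

CENTRAL_HOSTS = {"DC01", "DC02"}                 # assumed domain controllers
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}
PRIV_USERS = {"DOMAIN\\Administrator"}           # assumed network-scale admin accounts


def parse(line):
    """Parse a 'key=value key="quoted value"' audit line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def level_of(ev):
    """Return (level, reason) for one event, or None if it is not on the scale."""
    host = ev.get("host")
    if host not in CENTRAL_HOSTS:        # only central systems count for L8/L9
        return None
    eid = ev.get("EventID")
    # 4624 (successful logon) by a network-scale privileged account => L8
    if eid == "4624" and ev.get("TargetUser") in PRIV_USERS:
        return 8, f"{ev['TargetUser']} logged on to {host} (LogonType {ev.get('LogonType')})"
    # 4720 (user account created) or 4728 (member added to a privileged
    # global group) on a central system is a confirmed network-scale change => L9
    if eid == "4720":
        return 9, f"account {ev.get('TargetUser')} created on {host}"
    if eid == "4728" and ev.get("Group") in PRIV_GROUPS:
        return 9, f"{ev.get('Member')} added to {ev['Group']} on {host}"
    return None


def assess(lines):
    """Highest level reached across all lines, plus the evidence supporting it.
    Returns (None, []) when no line maps onto the scale."""
    hits = [r for r in (level_of(parse(line)) for line in lines) if r]
    if not hits:
        return None, []
    top = max(lvl for lvl, _ in hits)
    return top, [why for lvl, why in hits if lvl == top]


# Constructed sample audit lines (not real logs).
SAMPLE_LOG = [
    'host=DC01 EventID=4624 TargetUser=DOMAIN\\Administrator LogonType=10 Source=10.0.5.23',
    'host=FS01 EventID=4624 TargetUser=DOMAIN\\jdoe LogonType=3 Source=10.0.5.23',
    'host=DC01 EventID=4720 TargetUser=DOMAIN\\svc_backup2 Subject=DOMAIN\\Administrator',
    'host=DC01 EventID=4728 Member=DOMAIN\\svc_backup2 Group="Domain Admins"',
]

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))   # (9, [...two L9 findings...])
```

Feed it only findings that have been confirmed; an unverified alert should not raise the level, which is the point the scale makes at every step.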