Documentation
--
+Table of Content
+ ++
Layout and features
+Main page:
+The main page lists the events stored in the +CyDefSIG site. See data structure section for further details.
+The site PGP public key and log-out +button are at the bottom of the page and will be accessible in +any page of the site.
+Left Menu
+The left menu allows the user navigating to the different features/pages of the site:
+-
+
- New Event:
+
Allow user to create a new event. See How to share a malware signatures in CyDefSIG + section for further details.
+ - List Events:
+
List all events and allows users to
+-
+
- display the details of the events +
- contact the publishing party of an even by clicking Contact Reporter button in the Event page. +
- Modify or delete an event and attributes you have imported. +
+ - List Attributes:
+
Lists all attributes cross events.
+ - Search Attribute:
+
You can search for attributes based on key words + and apply a filtering based on the category and or attribute type.
+ - Export:
+
Different format are supported: XML (all or per + event), text (all or per attribute type), and IDS format. Note that + only the attributes that have been selected to be in the part of IDS + will be included in this latter.
+ - News:
+
Provide the latest news regarding the site like last changes.
+ - My Profile:
+
Allows to setup the user profile:
+-
+
- email address to which new events will be sent, +
- the AuthKey used to automate the export of events/attributes from the application + (see Export), +
- NIDS starting SID, +
- PGP public key used to encrypt the events sent by email +
+ - Member List
+
Provide statstics about the site.
+
How to share a malware/attack attributes in CyDefSIG
+Data structure
+The following diagram depicts the data structure to store malware signatures.
+
-
+
- An Event is a containers that hosts + one or more attributes of a malware. This is the main data + structure that host the signatures of a malware. An event is + identified by a unique id number automatically assigned by the + system. +
An Attribute is a characteristic of + malware that can be used as a descriptor. Attributes are categorised + and always linked to an Event via the Event id.
+
Note that it may happen that different events are +related to a same malware or variants as the data may be imported by +different groups. The application creates automatically links between +events with same attributes.
+ +Sharing malware/attack information steps by steps
+
+Mandatory fields are marked with *
+-
+
- Click on New Event (left menu) +
- Fill-in the form:
+
-
+
- Date*: date of the malware was discovered +
- Risk*: estimated risk level related to the malware.
+ Guideline for risk level: +-
+
- Undefined (default) +
- Low - TBD +
- Med - Advanced Persistent Threat +
- High - Very sophisticated APT (e.g. including 0-day) +
+ - Private*: is the event sharable with other CyDefSIG servers. (only in sync-mode) +
- Info*: High level information that can help to understand the malware/attack,
+ like title and high level behavior.
+ This field should remain as short as possible (recommended max 50 words). + The full description of the malware behavior and its artifacts must + be defined as an attribute (other).
+
+ - Click Submit
+
+ Note that at this stage, the information is + shared on the site but no notification is sent to the other parties + yet.
+ - Click Add Attribute or Add Attachment + + +
- Fill-in the form:
+ For Attribute: +
+ -
+
- Category*: see Category section below +
- Type*: see Type section below +
- Private*: prevent upload of this specific Attribute to other CyDefSIG servers. (only in sync-mode) +
- IDS Signature?: Check this box if you want + the attribute to be part of the IDS signature generated by the site. + Make sure that the information in value is usable in an IDS + signature, do not check if it is free text, Vulnerability. +
- Value: enter the attribute value. Note + that the value format will be validated for some types like hash and + IP addresses. +
- Batch Import: check this box to import + data in batch. Enter an attribute value per line, each entry will be + assigned the selected Category and Type. +
- Click Submit +
- For Attachment:
+
+ -
+
- Category: see Category section below +
- Select the file to upload +
- Malware: Check this box if the file to upload is
+ harmful. The system will then encrypt with zip before storing the
+ file with the default password, "infected". This will protect
+ other systems against accidental infection.
+ Note that a hash will be automatically computed + and added to the event as an attribute.
+ - Click Upload +
- Redo steps 5-6 as many time as attributes you need to upload. +
- Click Publish Event once all attributes are uploaded.
+The application will then send the event with all uploaded information + to all users of the site.
+
+ In sync-mode the event will also be uploaded to other CyDefSIG servers users have configured in their profile.You can modify, delete or add new attributes after publishing. In that case, any + change will be accessible by other users via the GUI and only + released by email to all users once you re-Publish the event.
+
+
Export and Import
CyDefSIG has full support for automated data export and import.
IDS and script export
diff --git a/app/View/Users/terms.ctp b/app/View/Users/terms.ctp index 27fea5c12..2602f8928 100644 --- a/app/View/Users/terms.ctp +++ b/app/View/Users/terms.ctp @@ -1,15 +1,16 @@CyDefSIG Terms and Conditions
+Form->create('User'); + echo $this->Form->hidden('termsaccepted', array('default'=> '1')); + echo $this->Form->end(__('Accept Terms', true)); +} +?>CyDefSIG is a platform for a trusted official service to share Malware signatures with the Belgian Defence ADIV/SGRS.
As a member of CyDefSIG you accept all the following:
-
-
- Members accept their commitment to share signature information (about new/unknown malware and attacks they have detected) into the CyDefSIG system. -
- The Belgian Defense can't be held liable or responsible in any way for
-
-
-
- the quality of information published in the CyDefSIG system or for the (in)proper functioning of the CyDefSIG system -
- accidental or fraudulent misuse of CyDefSIG -
- All systems that handle information from CyDefSIG must be properly secured using the best practices. +
- Members accept their intention to share signature information (about new/unknown malware and attacks they have detected) into the CyDefSIG system.
- All information from CyDefSIG must be treated as Unclassified or Restricted only releasable to the CyDefSIG registered parties (comparable to TLP amber), and should thus never be further distributed without prior approval by the publishing party.
- Members are required to report any known security issue or vulnerability with the CyDefSIG system to the Belgian Defence ADIV/SGRS.
- CyDefSIG may be terminated by either Party by giving the other Party a seven (7) days notice. Shared information can never be reclaimed. @@ -17,27 +18,27 @@
Disclaimer of Warranty.
-- There is no warranty for the system, to the extent permitted by applicable law.
+
- There is no warranty for the system, to the extent permitted by applicable law. The Belgian Defence and services provide the system "as is" without warranty of any kind, - either expressed or implied, including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose. The entire risk as to the quality - and performance of the system is with you (any user of the system). - Should the system prove defective, you any user of the system, assume all your resulting + either expressed or implied, including, but not limited to, the implied warranties of + merchantability and fitness for a particular purpose. The entire risk as to the quality + and performance of the system is with you (any user of the system). + Should the system prove defective, you any user of the system, assume all your resulting costs and consequences.
Limitation of liability.
-
-
- No Party or its affiliates, agents or representatives shall be liable to the other Party -or its affiliates agents or representatives for any indirect, incidental, consequential, -exemplary, punitive or special damages in connection with anything that is undertaken by the -parties under the use of this system, or anything arising out of this use. This Section -applies to the maximum extent permitted by applicable law and regardless of whether the liability +
- No Party or its affiliates, agents or representatives shall be liable to the other Party +or its affiliates agents or representatives for any indirect, incidental, consequential, +exemplary, punitive or special damages in connection with anything that is undertaken by the +parties under the use of this system, or anything arising out of this use. This Section +applies to the maximum extent permitted by applicable law and regardless of whether the liability is based on breach of these terms, tort, or any other legal theory -
- In no event will the Belgian Defence, or any other party providing the system, be liable -to you (any user of the system) for damages, including any general, special, incidental or -consequential damages arising out of the use or inability to use the system (including but -not limited to loss of data or data being rendered inaccurate or losses sustained by you or -third parties or a failure of the system to operate with any other systems), even if such +
- In no event will the Belgian Defence, or any other party providing the system, be liable +to you (any user of the system) for damages, including any general, special, incidental or +consequential damages arising out of the use or inability to use the system (including but +not limited to loss of data or data being rendered inaccurate or losses sustained by you or +third parties or a failure of the system to operate with any other systems), even if such holder or other party has been advised of the possibility of such damages.