misp-galaxy/README.md

# misp-galaxy

[![Build Status](https://travis-ci.org/MISP/misp-galaxy.svg?branch=master)](https://travis-ci.org/MISP/misp-galaxy)

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or
attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There
are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish.

Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied
to each cluster to permit a limited or broader distribution scheme.

Vocabularies are from existing standards (like STIX, Veris, MISP and so on) or custom ones.

The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded
to localized information (which is not shared) or additional information (that can be shared).

# Available clusters

- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.
- [clusters/preventive-measure.json](clusters/preventive-measure.json) - Preventive measures.
- [clusters/ransomware.json](clusters/ransomware.json) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
- [clusters/rat.json](clusters/rat.json) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
- [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries.
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.


# Available Vocabularies

A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) and generated from the JSON.


## Common

- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.

## Threat Actor

- [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.
- [vocabularies/threat-actor/sophistication.json](vocabularies/threat-actor/sophistication.json) - The ThreatActorSophisticationVocab enumeration is used to define the default STIX vocabulary for expressing the subjective level of sophistication of a threat actor.
- [vocabularies/threat-actor/type.json](vocabularies/threat-actor/type.json) - The ThreatActorTypeVocab enumeration is used to define the default STIX vocabulary for expressing the subjective type of a threat actor.

## MISP Integration

Starting from [MISP 2.4.56](http://www.misp-project.org/2016/12/07/MISP.2.4.56.released.html), galaxy is integrated within the MISP threat sharing platform and users can directly benefit from the available clusters to attach them to the MISP event.

![MISP Integration of the MISP galaxy](doc/images/screenshot.png)
## How to contribute?

In the world of threat intelligence, there are many different models or approaches to order, classify or describe threat actors, threats or activity groups. We welcome new ways of describing threat intelligence as the galaxy model allows to reuse the ones you use or trust for your organization or community.

Fork the project, update or create elements or clusters and make a pull-request.

We recommend to validate the JSON file using [jq](https://stedolan.github.io/jq/) before doing a pull-request.

## License

MISP galaxy is licensed under [CC0 1.0 Universal (CC0 1.0)](https://creativecommons.org/publicdomain/zero/1.0/) -  Public Domain Dedication.
First explanation 2016-02-28 09:24:57 +01:00			`# misp-galaxy`

Add Travis file (validate json files) 2016-04-11 12:49:57 +02:00			`[![Build Status](https://travis-ci.org/MISP/misp-galaxy.svg?branch=master)](https://travis-ci.org/MISP/misp-galaxy)`

First explanation 2016-02-28 09:24:57 +01:00			`MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or`
			`attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There`
README updated to reflect the new structure 2016-10-31 11:45:00 +01:00			`are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish.`
First explanation 2016-02-28 09:24:57 +01:00
README updated to reflect the new structure 2016-10-31 11:45:00 +01:00			`Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied`
fix small grammatical errors in README.md 2016-02-29 22:17:03 +01:00			`to each cluster to permit a limited or broader distribution scheme.`
First explanation 2016-02-28 09:24:57 +01:00
README updated to reflect the new structure 2016-10-31 11:45:00 +01:00			`Vocabularies are from existing standards (like STIX, Veris, MISP and so on) or custom ones.`
adversary tools added + some clarification 2016-03-17 07:47:39 +01:00
			`The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded`
			`to localized information (which is not shared) or additional information (that can be shared).`

First explanation 2016-02-28 09:24:57 +01:00			`# Available clusters`

fix: Preventive measures added. 2017-01-12 22:40:31 +01:00			`- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.`
			`- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.`
			`- [clusters/preventive-measure.json](clusters/preventive-measure.json) - Preventive measures.`
ransomware galaxy 2017-01-30 16:25:40 +01:00			`- [clusters/ransomware.json](clusters/ransomware.json) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml`
RAT added 2017-06-02 16:17:26 +02:00			`- [clusters/rat.json](clusters/rat.json) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.`
exploit-kit and TDS added 2017-01-05 20:50:08 +01:00			`- [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries.`
threat-actor fixed 2016-12-04 18:00:10 +01:00			`- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP`
fix: Preventive measures added. 2017-01-12 22:40:31 +01:00			`- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.`
First explanation 2016-02-28 09:24:57 +01:00
update readme 2016-12-22 14:24:23 +01:00
README updated to reflect the new structure 2016-10-31 11:45:00 +01:00			`# Available Vocabularies`
First explanation 2016-02-28 09:24:57 +01:00
PDF added 2017-05-11 23:11:56 +02:00			`A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) and generated from the JSON.`


README updated to reflect the new structure 2016-10-31 11:45:00 +01:00			`## Common`

			`- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.`

			`## Threat Actor`

			`- [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1`
			`- [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1`
			`- [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.`
			`- [vocabularies/threat-actor/sophistication.json](vocabularies/threat-actor/sophistication.json) - The ThreatActorSophisticationVocab enumeration is used to define the default STIX vocabulary for expressing the subjective level of sophistication of a threat actor.`
			`- [vocabularies/threat-actor/type.json](vocabularies/threat-actor/type.json) - The ThreatActorTypeVocab enumeration is used to define the default STIX vocabulary for expressing the subjective type of a threat actor.`
First explanation 2016-02-28 09:24:57 +01:00
MISP integration added 2016-12-17 10:45:27 +01:00			`## MISP Integration`

			`Starting from [MISP 2.4.56](http://www.misp-project.org/2016/12/07/MISP.2.4.56.released.html), galaxy is integrated within the MISP threat sharing platform and users can directly benefit from the available clusters to attach them to the MISP event.`

			`![MISP Integration of the MISP galaxy](doc/images/screenshot.png)`
First explanation 2016-02-28 09:24:57 +01:00			`## How to contribute?`

Clarification regarding the contribution and the different models 2017-01-04 11:54:35 +01:00			`In the world of threat intelligence, there are many different models or approaches to order, classify or describe threat actors, threats or activity groups. We welcome new ways of describing threat intelligence as the galaxy model allows to reuse the ones you use or trust for your organization or community.`

MISP distribution to be applied on cluster objects. 2016-02-28 09:28:13 +01:00			`Fork the project, update or create elements or clusters and make a pull-request.`
First explanation 2016-02-28 09:24:57 +01:00
Recommendation regarding the pull-request 2016-04-02 09:40:40 +02:00			`We recommend to validate the JSON file using [jq](https://stedolan.github.io/jq/) before doing a pull-request.`

License (PD) added 2016-09-06 11:30:03 +02:00			`## License`

			`MISP galaxy is licensed under [CC0 1.0 Universal (CC0 1.0)](https://creativecommons.org/publicdomain/zero/1.0/) - Public Domain Dedication.`