Move cfr-type-of-incident to meta

pull/621/head
Koen Van Impe 2021-01-28 12:25:39 +01:00
parent 23778666ba
commit 87b22f363c
2 changed files with 80 additions and 80 deletions


@ -7,12 +7,12 @@
"name": "rsit",
"source": "https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force",
"type": "rsit",
"uuid": "ed3f9269-8f08-4f78-8aee-ce0028f41b61",
"uuid": "9da6e48a-5475-4f1b-af54-f917ec72d995",
"values": [
{
"cfr-type-of-incident": "Spam",
"description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.",
"meta": {
"cfr-type-of-incident": "Spam",
"kill_chain": [
"RSIT:Abusive Content"
]
@ -26,24 +26,24 @@
"type": "similar"
}
],
"uuid": "b81d1a4a-c71d-457b-9e02-7ea885a56564",
"uuid": "bae9e253-9515-4f1f-b34f-e8fc6747c2e0",
"value": "Abusive Content:Spam"
},
{
"cfr-type-of-incident": "Harmful Speech",
"description": "Discretization or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.",
"meta": {
"cfr-type-of-incident": "Harmful Speech",
"kill_chain": [
"RSIT:Abusive Content"
]
},
"uuid": "a5fb0564-7bb6-4478-9713-9c23085df32e",
"uuid": "a54e52f9-0335-43da-8878-bb60a710d56c",
"value": "Abusive Content:Harmful Speech"
},
{
"cfr-type-of-incident": "(Child) Sexual Exploitation/Sexual/Violent Content",
"description": "Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.",
"meta": {
"cfr-type-of-incident": "(Child) Sexual Exploitation/Sexual/Violent Content",
"kill_chain": [
"RSIT:Abusive Content"
]
@ -57,24 +57,24 @@
"type": "similar"
}
],
"uuid": "abfbf4ae-a10a-43aa-9ef2-0dbbaac3c789",
"uuid": "15bd72f9-5ebc-4fef-8fbf-32c2d848f076",
"value": "Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content"
},
{
"cfr-type-of-incident": "Infected System",
"description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server",
"meta": {
"cfr-type-of-incident": "Infected System",
"kill_chain": [
"RSIT:Malicious Code"
]
},
"uuid": "e841c237-e39c-4804-a780-f6fc4a2e6371",
"uuid": "aa3e1167-566c-43c2-afc0-f62f557689c6",
"value": "Malicious Code:Infected System"
},
{
"cfr-type-of-incident": "C2 Server",
"description": "Command-and-control server contacted by malware on infected systems.",
"meta": {
"cfr-type-of-incident": "C2 Server",
"kill_chain": [
"RSIT:Malicious Code"
]
@ -88,35 +88,35 @@
"type": "similar"
}
],
"uuid": "9c1bbe1b-8f51-4edc-8974-eb049617d6d1",
"uuid": "85b1f79e-49e7-4501-9b5c-a39ffce47428",
"value": "Malicious Code:C2 Server"
},
{
"cfr-type-of-incident": "Malware Distribution",
"description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).",
"meta": {
"cfr-type-of-incident": "Malware Distribution",
"kill_chain": [
"RSIT:Malicious Code"
]
},
"uuid": "4eb23762-69e1-45fb-9e4a-700e0c183ac5",
"uuid": "dd1b8e11-cec5-48d0-aaf2-a3d099a96c42",
"value": "Malicious Code:Malware Distribution"
},
{
"cfr-type-of-incident": "Malware Configuration",
"description": "URI hosting a malware configuration file, e.g. web-injects for a banking trojan.",
"meta": {
"cfr-type-of-incident": "Malware Configuration",
"kill_chain": [
"RSIT:Malicious Code"
]
},
"uuid": "c6eb8e72-40cc-4fc6-b2ca-dc8ba88c8fa3",
"uuid": "0a6d604c-e78a-417e-b557-808c2ce260c3",
"value": "Malicious Code:Malware Configuration"
},
{
"cfr-type-of-incident": "Scanning",
"description": "Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.",
"meta": {
"cfr-type-of-incident": "Scanning",
"kill_chain": [
"RSIT:Information Gathering"
]
@ -144,13 +144,13 @@
"type": "similar"
}
],
"uuid": "1f09c97b-fee4-4376-b525-809bb61de579",
"uuid": "5c96ebd0-d77f-479c-bc8f-247038f901f0",
"value": "Information Gathering:Scanning"
},
{
"cfr-type-of-incident": "Sniffing",
"description": "Observing and recording of network traffic (wiretapping).",
"meta": {
"cfr-type-of-incident": "Sniffing",
"kill_chain": [
"RSIT:Information Gathering"
]
@ -171,24 +171,24 @@
"type": "similar"
}
],
"uuid": "4958bdb2-8d0d-4bc7-8762-5a967a92868b",
"uuid": "8fda8ab1-077e-43b4-9284-880921ea0b86",
"value": "Information Gathering:Sniffing"
},
{
"cfr-type-of-incident": "Social Engineering",
"description": "Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).",
"meta": {
"cfr-type-of-incident": "Social Engineering",
"kill_chain": [
"RSIT:Information Gathering"
]
},
"uuid": "a7d12859-b60f-4536-b356-fcaaf8234403",
"uuid": "33a950d3-cc97-4589-b8cf-db8ca6140ea2",
"value": "Information Gathering:Social Engineering"
},
{
"cfr-type-of-incident": "Exploitation of known Vulnerabilities",
"description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)",
"meta": {
"cfr-type-of-incident": "Exploitation of known Vulnerabilities",
"kill_chain": [
"RSIT:Intrusion Attempts"
]
@ -223,13 +223,13 @@
"type": "similar"
}
],
"uuid": "b0e536ba-dce3-430d-a7f6-bcf99ca6de44",
"uuid": "ae99314d-0810-4b46-8ee8-4af7cdb146d0",
"value": "Intrusion Attempts:Exploitation of known Vulnerabilities"
},
{
"cfr-type-of-incident": "Login attempts",
"description": "Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.",
"meta": {
"cfr-type-of-incident": "Login attempts",
"kill_chain": [
"RSIT:Intrusion Attempts"
]
@ -271,24 +271,24 @@
"type": "similar"
}
],
"uuid": "f4b8f7d6-bccb-49ef-b478-66a77e2c2238",
"uuid": "0cc1cf66-a838-4bdd-ace1-2da34a93520c",
"value": "Intrusion Attempts:Login attempts"
},
{
"cfr-type-of-incident": "New attack signature",
"description": "An attack using an unknown exploit.",
"meta": {
"cfr-type-of-incident": "New attack signature",
"kill_chain": [
"RSIT:Intrusion Attempts"
]
},
"uuid": "a2687bac-9a4f-4e90-a094-8b2f481ceaef",
"uuid": "8ae29dc9-a208-4d7e-b79b-2573790df212",
"value": "Intrusion Attempts:New attack signature"
},
{
"cfr-type-of-incident": "Privileged Account Compromise",
"description": "Compromise of a system where the attacker gained administrative privileges.",
"meta": {
"cfr-type-of-incident": "Privileged Account Compromise",
"kill_chain": [
"RSIT:Intrusions"
]
@ -302,13 +302,13 @@
"type": "similar"
}
],
"uuid": "68cf72aa-0125-445e-adf8-de0efe4a664c",
"uuid": "dea60439-7e04-4af8-aeab-2840893195f7",
"value": "Intrusions:Privileged Account Compromise"
},
{
"cfr-type-of-incident": "Unprivileged Account Compromise",
"description": "Compromise of a system using an unprivileged (user/service) account.",
"meta": {
"cfr-type-of-incident": "Unprivileged Account Compromise",
"kill_chain": [
"RSIT:Intrusions"
]
@ -322,13 +322,13 @@
"type": "similar"
}
],
"uuid": "bc82f61e-7a39-4d2f-bc86-4f8ec886af01",
"uuid": "f1b691cb-2824-4e3a-9d5b-76aea4a087db",
"value": "Intrusions:Unprivileged Account Compromise"
},
{
"cfr-type-of-incident": "Application Compromise",
"description": "Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.",
"meta": {
"cfr-type-of-incident": "Application Compromise",
"kill_chain": [
"RSIT:Intrusions"
]
@ -342,35 +342,35 @@
"type": "similar"
}
],
"uuid": "d12415bd-d965-4afe-94a3-e56e16c78004",
"uuid": "b0980068-8827-4bde-83c4-9ad70bc675e9",
"value": "Intrusions:Application Compromise"
},
{
"cfr-type-of-incident": "System Compromise",
"description": "Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems.",
"meta": {
"cfr-type-of-incident": "System Compromise",
"kill_chain": [
"RSIT:Intrusions"
]
},
"uuid": "995f7028-9b13-4519-80f1-1b22f36aefb4",
"uuid": "f380a50f-3cdf-4ceb-ab75-bb046f0c03cc",
"value": "Intrusions:System Compromise"
},
{
"cfr-type-of-incident": "Burglary",
"description": "Physical intrusion, e.g. into corporate building or data-centre.",
"meta": {
"cfr-type-of-incident": "Burglary",
"kill_chain": [
"RSIT:Intrusions"
]
},
"uuid": "2720eeb7-4611-4330-b3da-2d3c9c5e6667",
"uuid": "17c92ab0-831f-4fec-944d-1faeb8c55e7b",
"value": "Intrusions:Burglary"
},
{
"cfr-type-of-incident": "Denial of Service",
"description": "Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.",
"meta": {
"cfr-type-of-incident": "Denial of Service",
"kill_chain": [
"RSIT:Availability"
]
@ -384,13 +384,13 @@
"type": "similar"
}
],
"uuid": "28883628-32cc-4bc6-8142-c1fc2c01bd9e",
"uuid": "ccec8e6a-c316-485c-99f1-84e2ab0162e7",
"value": "Availability:Denial of Service"
},
{
"cfr-type-of-incident": "Distributed Denial of Service",
"description": "Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.",
"meta": {
"cfr-type-of-incident": "Distributed Denial of Service",
"kill_chain": [
"RSIT:Availability"
]
@ -404,57 +404,57 @@
"type": "similar"
}
],
"uuid": "ff14d9d0-c952-4995-9871-5aea332002c9",
"uuid": "bef4187f-1176-4551-83d8-8a1ba9987379",
"value": "Availability:Distributed Denial of Service"
},
{
"cfr-type-of-incident": "Misconfiguration",
"description": "Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.",
"meta": {
"cfr-type-of-incident": "Misconfiguration",
"kill_chain": [
"RSIT:Availability"
]
},
"uuid": "8e9f1fa4-e657-4311-a362-a80fdd0b7f33",
"uuid": "6e004e50-54b0-4ad0-aced-b790226a7de9",
"value": "Availability:Misconfiguration"
},
{
"cfr-type-of-incident": "Sabotage",
"description": "Physical sabotage, e.g cutting wires or malicious arson.",
"meta": {
"cfr-type-of-incident": "Sabotage",
"kill_chain": [
"RSIT:Availability"
]
},
"uuid": "c63fcb56-69bb-4b35-a1ea-13d8f3272ae0",
"uuid": "bd3d6608-0693-420f-a476-af460e3d0bf1",
"value": "Availability:Sabotage"
},
{
"cfr-type-of-incident": "Outage",
"description": "Outage caused e.g. by air condition failure or natural disaster.",
"meta": {
"cfr-type-of-incident": "Outage",
"kill_chain": [
"RSIT:Availability"
]
},
"uuid": "934a52bd-da26-4f62-9ec7-d21c01db2802",
"uuid": "599dd157-848b-4020-ba96-fa2b053be448",
"value": "Availability:Outage"
},
{
"cfr-type-of-incident": "Unauthorised access to information",
"description": "Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.",
"meta": {
"cfr-type-of-incident": "Unauthorised access to information",
"kill_chain": [
"RSIT:Information Content Security"
]
},
"uuid": "ddbaedeb-dc34-4f6b-a3b1-6337270cb175",
"uuid": "3c938a8d-0d0c-4b42-81dd-9c11011596c3",
"value": "Information Content Security:Unauthorised access to information"
},
{
"cfr-type-of-incident": "Unauthorised modification of information",
"description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.",
"meta": {
"cfr-type-of-incident": "Unauthorised modification of information",
"kill_chain": [
"RSIT:Information Content Security"
]
@ -468,68 +468,68 @@
"type": "similar"
}
],
"uuid": "b6f82050-4732-46b4-b110-d582c553ed0f",
"uuid": "02fb1edd-59a5-4a2f-a48c-5f1d66b2c6cf",
"value": "Information Content Security:Unauthorised modification of information"
},
{
"cfr-type-of-incident": "Data Loss",
"description": "Loss of data, e.g. caused by harddisk failure or physical theft.",
"meta": {
"cfr-type-of-incident": "Data Loss",
"kill_chain": [
"RSIT:Information Content Security"
]
},
"uuid": "d9c04af1-deb8-44a8-9085-7857d5a2015d",
"uuid": "b0d64016-8546-45a7-8853-6716a2f1f811",
"value": "Information Content Security:Data Loss"
},
{
"cfr-type-of-incident": "Leak of confidential information",
"description": "Leaked confidential information like credentials or personal data.",
"meta": {
"cfr-type-of-incident": "Leak of confidential information",
"kill_chain": [
"RSIT:Information Content Security"
]
},
"uuid": "a49fcb43-c94e-4a13-b39e-ed34bfbe2633",
"uuid": "d3b4c23d-3c4d-4d0a-bf9b-3b4d3b005c66",
"value": "Information Content Security:Leak of confidential information"
},
{
"cfr-type-of-incident": "Unauthorised use of resources",
"description": "Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.",
"meta": {
"cfr-type-of-incident": "Unauthorised use of resources",
"kill_chain": [
"RSIT:Fraud"
]
},
"uuid": "38f58cf2-e72c-4d8e-ac1f-9a5180aaad99",
"uuid": "6614e73f-dff9-49fb-9a9b-586862bd648f",
"value": "Fraud:Unauthorised use of resources"
},
{
"cfr-type-of-incident": "Copyright",
"description": "Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
"meta": {
"cfr-type-of-incident": "Copyright",
"kill_chain": [
"RSIT:Fraud"
]
},
"uuid": "99b749d8-f9c6-445b-82d5-3722f0d664dd",
"uuid": "0f297d48-b06d-47fe-8ab0-3652581c6ade",
"value": "Fraud:Copyright"
},
{
"cfr-type-of-incident": "Masquerade",
"description": "Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.",
"meta": {
"cfr-type-of-incident": "Masquerade",
"kill_chain": [
"RSIT:Fraud"
]
},
"uuid": "1057ec33-5932-4696-80b0-ad3ce26d6c23",
"uuid": "06f24b83-7a24-448c-9114-f1b3afcd0b3f",
"value": "Fraud:Masquerade"
},
{
"cfr-type-of-incident": "Phishing",
"description": "Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials.",
"meta": {
"cfr-type-of-incident": "Phishing",
"kill_chain": [
"RSIT:Fraud"
]
@ -543,24 +543,24 @@
"type": "similar"
}
],
"uuid": "9c16409a-2029-470e-8579-77d953b2c6d3",
"uuid": "d6ceeb8e-a17b-43b1-bad6-5a81192e2ebd",
"value": "Fraud:Phishing"
},
{
"cfr-type-of-incident": "Weak crypto",
"description": "Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.",
"meta": {
"cfr-type-of-incident": "Weak crypto",
"kill_chain": [
"RSIT:Vulnerable"
]
},
"uuid": "c8ca2965-f8df-4a74-92b3-4a473608ef90",
"uuid": "13fad3df-5134-49d3-8a1a-efc693f3599c",
"value": "Vulnerable:Weak crypto"
},
{
"cfr-type-of-incident": "DDoS amplifier",
"description": "Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.",
"meta": {
"cfr-type-of-incident": "DDoS amplifier",
"kill_chain": [
"RSIT:Vulnerable"
]
@ -574,73 +574,73 @@
"type": "similar"
}
],
"uuid": "41ee48e3-92e0-4f0c-b2f0-461325e149bc",
"uuid": "e476bbab-662a-4318-9b71-9d1862baf727",
"value": "Vulnerable:DDoS amplifier"
},
{
"cfr-type-of-incident": "Potentially unwanted accessible services",
"description": "Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.",
"meta": {
"cfr-type-of-incident": "Potentially unwanted accessible services",
"kill_chain": [
"RSIT:Vulnerable"
]
},
"uuid": "a2dbfb66-dc27-41e0-976f-4888dcab0cb3",
"uuid": "7934ae88-0a0a-4e1c-91b4-6d95182b4dbc",
"value": "Vulnerable:Potentially unwanted accessible services"
},
{
"cfr-type-of-incident": "Information disclosure",
"description": "Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.",
"meta": {
"cfr-type-of-incident": "Information disclosure",
"kill_chain": [
"RSIT:Vulnerable"
]
},
"uuid": "609449a3-5951-42b4-a4cd-196e09a3120f",
"uuid": "67686969-ad06-400b-bed3-1b0126599bd1",
"value": "Vulnerable:Information disclosure"
},
{
"cfr-type-of-incident": "Vulnerable system",
"description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc.",
"meta": {
"cfr-type-of-incident": "Vulnerable system",
"kill_chain": [
"RSIT:Vulnerable"
]
},
"uuid": "4d1c5a5e-1244-457b-9e33-c0b1695d5e51",
"uuid": "1a27c5d3-1920-4d49-89e2-644f8b130380",
"value": "Vulnerable:Vulnerable system"
},
{
"cfr-type-of-incident": "Uncategorised",
"description": "All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised.",
"meta": {
"cfr-type-of-incident": "Uncategorised",
"kill_chain": [
"RSIT:Other"
]
},
"uuid": "88e0d210-0b5a-405d-a979-5375f6cb2d01",
"uuid": "fc39b7d5-575c-4a16-8507-d8a1c1e1589c",
"value": "Other:Uncategorised"
},
{
"cfr-type-of-incident": "Undetermined",
"description": "The categorisation of the incident is unknown/undetermined.",
"meta": {
"cfr-type-of-incident": "Undetermined",
"kill_chain": [
"RSIT:Other"
]
},
"uuid": "6bdbec29-d198-4031-a15e-33e8973c5f05",
"uuid": "cf73ef8a-5c48-4341-811c-611c7ff1ec8c",
"value": "Other:Undetermined"
},
{
"cfr-type-of-incident": "Test",
"description": "Meant for testing.",
"meta": {
"cfr-type-of-incident": "Test",
"kill_chain": [
"RSIT:Test"
]
},
"uuid": "bdeb2700-cc42-4ccc-a3bc-950c6c495102",
"uuid": "10f3f13f-52df-4f38-9940-c879d332261b",
"value": "Test:Test"
}
],
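Review bot: Every `"uuid"` in this file is replaced with a different value, both the cluster-level one in the first hunk and one per entry from `Abusive Content:Spam` through `Test:Test`, although the commit title only covers moving `cfr-type-of-incident` into `meta`; the galaxy file's `"uuid"` in the second section changes the same way. These identifiers are presumably what other clusters' `related` entries and already-classified events refer to, so regenerating them would orphan those references and make synchronised instances treat the same RSIT classes as new objects. It looks as if the file was re-generated by a script that mints fresh UUIDs on every run, which is not visible here. I would keep the existing values and change only the field placement, e.g. retain `"uuid": "ed3f9269-8f08-4f78-8aee-ce0028f41b61",` for the cluster, assuming the first line of each printed pair is the pre-commit value. If the change of identifiers is intended, the commit message should say so; the cluster's own version field lies outside the hunks shown, so whether it was bumped cannot be told from here.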


@ -19,6 +19,6 @@
"name": "Reference Security Incident Classification Taxonomy",
"namespace": "RSIT",
"type": "rsit",
"uuid": "97eb5924-b784-437a-9110-6ed07d587fc4",
"uuid": "ddff602c-d2a3-431e-b9e2-2eb5a39a6473",
"version": 1
}