Clusters and elements to attach to MISP events or attributes (like threat actors) https://www.misp-project.org/galaxy.html

Go to file

Alexandre Dulaunoy ba46bb6a0b chg: [threat-actor] fix #561 by using new meta to classify as a campaign only. Based on https://github.com/MISP/misp-galaxy/issues/469 There is an old and persistence issue in attribution world and basically no-one really agrees on this. So we decided to start a specific metadata `threat-actor-classification` on the threat-actor to define the various types per cluster entry: - _operation_: - _A military operation is the coordinated military actions of a state, or a non-state actor, in response to a developing situation. These actions are designed as a military plan to resolve the situation in the state or actor's favor. Operations may be of a combat or non-combat nature and may be referred to by a code name for the purpose of national security. Military operations are often known for their more generally accepted common usage names than their actual operational objectives._ from Wikipedia - In the context of MISP threat-actor name, it's a single specific operation. - _campaign_: - _The term military campaign applies to large scale, long duration, significant military strategy plans incorporating a series of inter-related military operations or battles forming a distinct part of a larger conflict often called a war. The term derives from the plain of Campania, a place of annual wartime operations by the armies of the Roman Republic._ from Wikipedia - In the context of MISP threat-actor-name, it's long-term activity which might be composed of one or more operations. - threat-actor - In the context of MISP threat-actor-name, it's an agreed name by a set of organisations. - activity group - In the context of MISP threat-actor-name, it's a group defined by its set of common techniques or activities. - unknown - In the context of MISP threat-actor-name, it's still not clear if it's an operation, campaign, threat-actor or activity group The meta field is an array to allow specific cluster of threat-actor to show the current disagreement between different organisations about the type (threat actor, activity group, campaign and operation).		2020-07-07 09:13:21 +02:00
clusters	chg: [threat-actor] fix #561 by using new meta to classify as a campaign only.	2020-07-07 09:13:21 +02:00
doc/images	MISP galaxy screenshot	2016-12-17 10:44:29 +01:00
galaxies	fix: small fixes to the bhadra framework	2020-05-19 16:45:40 +02:00
misp	Mapping triples/machine tags with galaxy, clusters and so on	2016-08-12 09:43:26 +02:00
tools	fix: [attack] fixes old MITRE relationships not being removed	2019-10-27 21:06:26 +01:00
vocabularies	Update cert-eu-motive.json	2019-02-20 22:08:24 +00:00
.gitignore	Add test for empty strings	2019-08-30 10:08:16 +02:00
.travis.yml	chg: Bump travis	2020-07-02 11:27:08 +02:00
CONTRIBUTE.md	add: [doc] contribution doc added	2018-12-01 11:06:49 +01:00
LICENSE.md	chg: [licensing] 2-clause BSD added in addition to CC0	2018-12-10 12:38:21 +01:00
README.md	add: [dark-pattern] updates the README	2019-12-04 09:44:39 +01:00
jq_all_the_things.sh	fix: automatically fix missing uuids	2018-10-12 10:55:24 +02:00
schema_clusters.json	fix-tentative	2019-12-05 10:52:22 +01:00
schema_galaxies.json	chg: [schema] optional kill_chain_order field added	2019-02-15 08:57:45 +01:00
schema_misp.json	Add validators for vocabularies and misp	2017-07-25 17:39:06 +02:00
schema_vocabularies.json	Add validators for vocabularies and misp	2017-07-25 17:39:06 +02:00
validate_all.sh	Add test for empty strings	2019-08-30 10:08:16 +02:00

README.md

misp-galaxy

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish.

Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.

Vocabularies are from existing standards (like STIX, Veris, MISP and so on) or custom ones.

The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared).

Available clusters

clusters/android.json - Android malware galaxy based on multiple open sources.
clusters/banker.json - A list of banker malware.
clusters/stealer.json - A list of malware stealer.
clusters/backdoor.json - A list of backdoor malware.
clusters/botnet.json - A list of known botnets.
clusters/branded_vulnerability.json - List of known vulnerabilities and exploits.
clusters/exploit-kit.json - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
clusters/microsoft-activity-group.json - Activity groups as described by Microsoft.
clusters/preventive-measure.json - Preventive measures.
clusters/ransomware.json - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
clusters/rat.json - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
clusters/tds.json - TDS is a list of Traffic Direction System used by adversaries.
clusters/threat-actor.json - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
clusters/tool.json - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
clusters/mitre-attack-pattern.json - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
clusters/mitre-course-of-action.json - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
clusters/mitre-intrusion-set.json - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
clusters/mitre-malware.json - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
clusters/mitre-tool.json - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
clusters/mitre-enterprise-attack-attack-pattern.json - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
clusters/mitre-enterprise-attack-course-of-action.json - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
clusters/mitre-enterprise-attack-intrusion-set.json - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
clusters/mitre-enterprise-attack-tool.json - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
clusters/mitre-mobile-attack-attack-pattern.json - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
clusters/mitre-mobile-attack-course-of-action.json - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
clusters/mitre-mobile-attack-intrusion-set.json - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
clusters/mitre-mobile-attack-malware.json - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
clusters/mitre-mobile-attack-tool.json - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
clusters/mitre-pre-attack-attack-pattern.json - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
clusters/mitre-pre-attack-intrusion-set.json - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
clusters/sectors.json - Activity sectors
clusters/cert-eu-govsector.json - Cert EU GovSector
clusters/social-dark-patterns.json - Social Engineering - Dark Patterns

Available Vocabularies

A readable PDF overview of the MISP galaxy is available or HTML and generated from the JSON.

Common

vocabularies/common/certainty-level.json - Certainty level of an associated element or cluster.
vocabularies/common/threat-actor-type.json - threat actor type vocab as defined by Cert EU.
vocabularies/common/ttp-category.json - ttp category vocab as defined by Cert EU.
vocabularies/common/ttp-type.json - ttp type vocab as defined by Cert EU.

Threat Actor

vocabularies/threat-actor/cert-eu-motive.json - Motive vocab as defined by Cert EU.
vocabularies/threat-actor/intended-effect-vocabulary.json - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
vocabularies/threat-actor/motivation-vocabulary.json - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
vocabularies/threat-actor/planning-and-operational-support-vocabulary.json - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.
vocabularies/threat-actor/sophistication.json - The ThreatActorSophisticationVocab enumeration is used to define the default STIX vocabulary for expressing the subjective level of sophistication of a threat actor.
vocabularies/threat-actor/type.json - The ThreatActorTypeVocab enumeration is used to define the default STIX vocabulary for expressing the subjective type of a threat actor.

MISP Integration

Starting from MISP 2.4.56, galaxy is integrated within the MISP threat sharing platform and users can directly benefit from the available clusters to attach them to the MISP event.

How to contribute?

Read the contribution document

License

The MISP galaxy (JSON files) are dual-licensed under:

CC0 1.0 Universal (CC0 1.0) - Public Domain Dedication.

 Copyright (c) 2015-2019 Alexandre Dulaunoy - a@foo.be
 Copyright (c) 2015-2019 CIRCL - Computer Incident Response Center Luxembourg
 Copyright (c) 2015-2019 Andras Iklody
 Copyright (c) 2015-2019 Raphael Vinot
 Copyright (c) 2015-2019 Deborah Servili
 Copyright (c) 2016-2019 Various contributors to MISP Project

 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright notice,
       this list of conditions and the following disclaimer in the documentation
       and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.