


Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                     CIRCL
Expires: 24 August 2024                                 21 February 2024


                          MISP taxonomy format
                                draft-08

Abstract

   This document describes the MISP taxonomy format, a simple JSON
   format used to represent machine tag (also known as triple tag)
   vocabularies.  A public directory, known as MISP taxonomies, is
   available and uses the MISP taxonomy format.  These taxonomies are
   employed to classify cybersecurity events, threats, suspicious
   events, or indicators.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 August 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.



Dulaunoy & Iklody        Expires 24 August 2024                 [Page 1]

Internet-Draft             MISP taxonomy format            February 2024


Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  predicates
     2.3.  values
     2.4.  optional fields
       2.4.1.  colour
       2.4.2.  description
       2.4.3.  numerical_value
   3.  Directory
     3.1.  Sample Manifest
   4.  Sample Taxonomy in MISP taxonomy format
     4.1.  Admiralty Scale Taxonomy
     4.2.  Open Source Intelligence - Classification
     4.3.  Available taxonomies in the public directory
   5.  JSON Schema
   6.  Acknowledgements
   7.  Normative References
   8.  Informative References
   Authors' Addresses

1. Introduction

   Sharing threat information has become a fundamental requirement in
   the Internet security and intelligence community at large.  This
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators, or even detailed information
   about a threat actor.  Classification plays a crucial role when
   sharing such indicators or information, ensuring adequate
   distribution, understanding, validation, or action regarding the
   shared information.  The MISP taxonomies are a public repository of
   known vocabularies that can be used in threat information sharing.

   Machine tags were introduced in 2007 [machine-tags] to allow users to
   be more precise when tagging their pictures with geolocation.  A
   machine tag is therefore a tag which uses a special syntax to provide
   more information to users and machines.  Machine tags are also known
   as triple tags due to their format.

   In the MISP taxonomy context, machine tags help analysts to classify
   their cybersecurity events, indicators or threats.  MISP taxonomies
   can be used for classification, filtering, triggering actions or
   visualisation depending on their use in threat intelligence platforms
   such as MISP [MISP-P].

1.1. Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2. Format

   A machine tag is composed of a namespace (MUST), a predicate (MUST)
   and an optional value (OPTIONAL).

   Machine tags are represented as a string.  Listed below are a set of
   sample machine tags for different namespaces such as tlp,
   admiralty-scale and osint.

   tlp:amber
   admiralty-scale:information-credibility="1"
   osint:source-type="blog-post"

   The MISP taxonomy format describes how to define a machine tag
   namespace in a parseable format.  The objective is to provide a
   simple format to describe machine tag (aka triple tag) vocabularies.

2.1. Overview

   The MISP taxonomy format uses the JSON [RFC8259] format.  Each
   namespace is represented as a JSON object with meta information
   including the following fields: namespace, description, version,
   type.

   namespace defines the overall namespace of the machine tag.  The
   namespace is represented as a string and MUST be present.  The
   description is represented as a string and MUST be present.  A
   version is represented as an unsigned integer and MUST be present.  A
   type defines where a specific taxonomy is applicable and a type can
   be applicable at event, user or org level.  The type is represented
   as an array containing one or more types and SHOULD be present.  If a
   type is not mentioned, by default, the taxonomy is applicable at
   event level only.  An exclusive boolean property MAY be present and
   defines at namespace level if the predicates are mutually exclusive.

   predicates defines all the predicates available in the namespace
   defined.  predicates is represented as an array of JSON objects.
   predicates MUST be present and MUST contain at least one element.

   values defines all the values for each predicate in the namespace
   defined.  values SHOULD be present.

2.2. predicates

   The predicates array contains one or more JSON objects which list
   all the possible predicates.  The JSON object contains two fields:
   value and expanded.  value MUST be present.  expanded SHOULD be
   present.  value is represented as a string and describes the
   predicate value.  The predicate value MUST NOT contain spaces or
   colons.  expanded is represented as a string and describes the
   human-readable version of the predicate value.  An exclusive boolean
   property MAY be present in a predicate object and defines, at
   predicate level, if the values of that predicate are mutually
   exclusive.

2.3. values

   The values array contains one or more JSON objects which list all the
   possible values of a predicate.  The JSON object contains two fields:
   predicate and entry.  predicate is represented as a string and
   describes the predicate value.  entry is an array with one or more
   JSON objects.  The JSON object contains two fields: value and
   expanded.  value MUST be present.  expanded SHOULD be present.  value
   is represented as a string and describes the machine parsable value.
   expanded is represented as a string and describes the human-readable
   version of the value.

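   The following is an added example, not code from this draft or from
   the MISP project.  It loads a taxonomy object in the format of
   Sections 2.1 to 2.3, checks the MUST rules stated there (namespace,
   description, unsigned integer version, non-empty predicates, no
   spaces or colons in predicate values), expands the object into the
   full list of machine tags it defines, and checks a set of tags
   against the optional exclusive flags of Sections 2.1 and 2.2.  The
   input is the admiralty-scale taxonomy of Section 4.1 with shortened
   entry lists plus two constructed additions ("exclusive" on one
   predicate, "colour" on the other); the namespace no-colon rule and
   the "#RRGGBB" colour form are assumptions of this example, taken from
   the tag syntax and the TLP sample rather than stated as rules.

```python
"""Parse, validate and expand a MISP taxonomy object (added example)."""
import json
import re

# Constructed input: admiralty-scale as in the draft, entry lists shortened,
# "exclusive" and "colour" added here to exercise the optional fields.
SAMPLE_TAXONOMY = json.loads(r'''
{
  "namespace": "admiralty-scale",
  "description": "The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.",
  "version": 1,
  "predicates": [
    {"value": "source-reliability", "expanded": "Source Reliability", "colour": "#CC0033"},
    {"value": "information-credibility", "expanded": "Information Credibility", "exclusive": true}
  ],
  "values": [
    {"predicate": "source-reliability",
     "entry": [{"value": "a", "expanded": "Completely reliable"},
               {"value": "b", "expanded": "Usually reliable"},
               {"value": "f", "expanded": "Reliability cannot be judged"}]},
    {"predicate": "information-credibility",
     "entry": [{"value": "1", "expanded": "Confirmed by other sources"},
               {"value": "6", "expanded": "Truth cannot be judged"}]}
  ]
}
''')

# Section 2.2: a predicate value MUST NOT contain spaces or colons.  Applied
# to the namespace too (assumption: ':' is the separator in a machine tag).
_TOKEN_RE = re.compile(r"^[^\s:]+$")
# Colour form used by the draft's TLP sample (assumption, not a stated rule).
_COLOUR_RE = re.compile(r"^#[0-9A-Fa-f]{6}$")


def validate_taxonomy(tax):
    """Return the list of violated Section 2 rules; an empty list means valid."""
    errors = []
    for key in ("namespace", "description"):
        if not isinstance(tax.get(key), str) or not tax[key]:
            errors.append(f"{key} MUST be a non-empty string")
    version = tax.get("version")
    if isinstance(version, bool) or not isinstance(version, int) or version < 0:
        errors.append("version MUST be an unsigned integer")
    if isinstance(tax.get("namespace"), str) and not _TOKEN_RE.match(tax["namespace"]):
        errors.append("namespace must not contain spaces or colons")
    predicates = tax.get("predicates")
    if not isinstance(predicates, list) or not predicates:
        errors.append("predicates MUST be a non-empty array")
        return errors
    declared = set()
    for pred in predicates:
        value = pred.get("value")
        if not isinstance(value, str) or not _TOKEN_RE.match(value):
            errors.append(f"predicate value {value!r} MUST NOT contain spaces or colons")
            continue
        declared.add(value)
        if "colour" in pred and not _COLOUR_RE.match(str(pred["colour"])):
            errors.append(f"colour {pred['colour']!r} on {value!r} is not #RRGGBB")
    # values SHOULD be present; every block must point at a declared predicate.
    for block in tax.get("values", []):
        pred = block.get("predicate")
        if pred not in declared:
            errors.append(f"values block references undeclared predicate {pred!r}")
        for entry in block.get("entry", []):
            if not isinstance(entry.get("value"), str):
                errors.append(f"entry under {pred!r} has no string value")
    return errors


def expand_machine_tags(tax):
    """Every machine tag the taxonomy defines, as namespace:predicate="value".

    A predicate without a values block yields the bare namespace:predicate
    form, because the value part of a machine tag is OPTIONAL (Section 2).
    """
    ns = tax["namespace"]
    entries = {b["predicate"]: b.get("entry", []) for b in tax.get("values", [])}
    tags = []
    for pred in tax["predicates"]:
        p = pred["value"]
        if not entries.get(p):
            tags.append(f"{ns}:{p}")
            continue
        tags.extend(f'{ns}:{p}="{e["value"]}"' for e in entries[p])
    return tags


def exclusive_violations(tax, tags):
    """Exclusive predicates (or the namespace) applied more than once in tags.

    Predicate-level exclusive (Section 2.2) forbids two values of that
    predicate on one object; namespace-level exclusive (Section 2.1) forbids
    two different predicates of the namespace on one object.
    """
    ns = tax["namespace"]
    exclusive_preds = {p["value"] for p in tax["predicates"] if p.get("exclusive")}
    counts = {}
    for tag in tags:
        if not tag.startswith(ns + ":"):
            continue  # tag from another namespace; not checked here
        pred = tag[len(ns) + 1:].split("=", 1)[0]
        counts[pred] = counts.get(pred, 0) + 1
    violations = sorted(p for p, n in counts.items() if n > 1 and p in exclusive_preds)
    if tax.get("exclusive") and len(counts) > 1:
        violations.append(ns)
    return violations
```

   validate_taxonomy returns an empty list for the sample and, for a
   deliberately broken object, one message per violated rule rather
   than raising on the first, which is what a directory-wide lint wants.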
2.4. optional fields
2.4.1. colour

   colour fields MAY be used at predicates or values level to set a
   specific colour that MAY be used by the implementation.  The colour
   field is described as an RGB colour fill in hexadecimal
   representation.

   Example use of the colour field in the Traffic Light Protocol (TLP):

   "predicates": [
     {
       "colour": "#CC0033",
       "expanded": "(TLP:RED) Information exclusively and directly
                    given to (a group of) individual recipients.
                    Sharing outside is not legitimate.",
       "value": "red"
     },
     {
       "colour": "#FFC000",
       "expanded": "(TLP:AMBER) Information exclusively given
                    to an organization; sharing limited within
                    the organization to be effectively acted upon.",
       "value": "amber"
     }...]

2.4.2. description

   description fields MAY be used at predicates or values level to add
   descriptive, human-readable information about the specific predicate
   or value.  The field is represented as a string.  Implementations MAY
   use the description field to provide more contextual information.
   The description at the namespace level is a MUST as described above.

2.4.3. numerical_value

   numerical_value fields MAY be used at a predicate or value level to
   add a machine-readable numeric value to a specific predicate or
   value.  The field is represented as a JSON number.  Implementations
   SHOULD use the decimal value provided to support scoring or
   filtering.

   The decimal range for numerical_value SHOULD use a range from 0 up to
   100.  The range is recommended to support common mathematical
   properties among taxonomies.

   Example use of the numerical_value in the MISP confidence level:

   {
     "predicate": "confidence-level",
     "entry": [
       {
         "expanded": "Completely confident",
         "value": "completely-confident",
         "numerical_value": 100
       },
       {
         "expanded": "Usually confident",
         "value": "usually-confident",
         "numerical_value": 75
       },
       {
         "expanded": "Fairly confident",
         "value": "fairly-confident",
         "numerical_value": 50
       },
       {
         "expanded": "Rarely confident",
         "value": "rarely-confident",
         "numerical_value": 25
       },
       {
         "expanded": "Unconfident",
         "value": "unconfident",
         "numerical_value": 0
       },
       {
         "expanded": "Confidence cannot be evaluated",
         "value": "confidence-cannot-be-evalued"
       }
     ]
   }

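   The following is an added example, not code from this draft or from
   MISP, showing the scoring and filtering use that Section 2.4.3 has in
   mind.  It splits a machine tag into its triple, resolves the tag to
   the numerical_value of its entry (or of its predicate, when the
   number is set at predicate level), and keeps only the events whose
   score reaches a threshold.  The entry list is the confidence-level
   predicate shown above, wrapped in a minimal namespace object with a
   constructed description; the tagged events are constructed.  The
   last entry, "confidence-cannot-be-evalued", carries no
   numerical_value and is the edge case: it resolves to None and is
   excluded from the filter rather than being treated as 0 or as 100.

```python
"""Resolve machine tags to numerical_value and filter by score (added example)."""
import re

# Constructed wrapper around the confidence-level entries shown in the draft.
CONFIDENCE_TAXONOMY = {
    "namespace": "misp",
    "description": "Constructed wrapper for the confidence-level predicate.",
    "version": 1,
    "predicates": [{"value": "confidence-level", "expanded": "Confidence level"}],
    "values": [{
        "predicate": "confidence-level",
        "entry": [
            {"value": "completely-confident", "expanded": "Completely confident", "numerical_value": 100},
            {"value": "usually-confident", "expanded": "Usually confident", "numerical_value": 75},
            {"value": "fairly-confident", "expanded": "Fairly confident", "numerical_value": 50},
            {"value": "rarely-confident", "expanded": "Rarely confident", "numerical_value": 25},
            {"value": "unconfident", "expanded": "Unconfident", "numerical_value": 0},
            {"value": "confidence-cannot-be-evalued", "expanded": "Confidence cannot be evaluated"},
        ],
    }],
}

# Constructed events: id plus the machine tags attached to each.
EVENTS = [
    {"id": 1, "tags": ['misp:confidence-level="completely-confident"', "tlp:amber"]},
    {"id": 2, "tags": ['misp:confidence-level="fairly-confident"']},
    {"id": 3, "tags": ['misp:confidence-level="confidence-cannot-be-evalued"']},
    {"id": 4, "tags": ["tlp:green"]},
    {"id": 5, "tags": ['misp:confidence-level="unconfident"']},
]

# namespace:predicate with an optional ="value" part (Section 2).
_TAG_RE = re.compile(r'^(?P<ns>[^:\s]+):(?P<pred>[^=:\s]+)(?:="(?P<val>[^"]*)")?$')


def parse_machine_tag(tag):
    """Split a machine tag into (namespace, predicate, value); value is None if absent."""
    m = _TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return m.group("ns"), m.group("pred"), m.group("val")


def build_score_index(tax):
    """Map (predicate, value) -> numerical_value; entries without one are left out.

    A numerical_value set on the predicate object itself is stored under
    (predicate, None), which is what a bare namespace:predicate tag resolves to.
    """
    index = {}
    for block in tax.get("values", []):
        for entry in block.get("entry", []):
            if "numerical_value" in entry:
                index[(block["predicate"], entry["value"])] = entry["numerical_value"]
    for pred in tax.get("predicates", []):
        if "numerical_value" in pred:
            index[(pred["value"], None)] = pred["numerical_value"]
    return index


def score_of(tax, index, tag):
    """numerical_value for a tag of this namespace, or None when it carries none."""
    ns, pred, val = parse_machine_tag(tag)
    if ns != tax["namespace"]:
        return None
    return index.get((pred, val))


def filter_events(tax, events, predicate, minimum):
    """Ids of events whose best score for `predicate` is known and >= minimum.

    Events tagged only with a value that has no numerical_value, or not tagged
    with the predicate at all, are dropped: "unknown" is never scored as 0 or 100.
    """
    index = build_score_index(tax)
    kept = []
    for event in events:
        scores = [score_of(tax, index, t) for t in event["tags"]
                  if parse_machine_tag(t)[1] == predicate]
        scores = [s for s in scores if s is not None]
        if scores and max(scores) >= minimum:
            kept.append(event["id"])
    return kept
```

   With the constructed events, a threshold of 50 keeps events 1 and 2;
   a threshold of 0 also keeps event 5 (scored 0) but still drops event
   3, whose tag has no numerical_value, and event 4, which carries no
   confidence-level tag at all.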
3. Directory

   The MISP taxonomies directory is publicly available [MISP-T] in a git
   repository.  The repository contains a directory per namespace, each
   holding a file machinetag.json which contains the taxonomy as
   described in the format above.  In the root of the repository, a
   MANIFEST.json exists containing a list of all the taxonomies.

   The MANIFEST.json file is composed of a JSON object with metadata
   like version, license, description, url and path.  A taxonomies
   array describes each available taxonomy with its description, name
   and version fields.

3.1. Sample Manifest

   {
     "version": "20161009",
     "license": "CC-0",
     "description": "Manifest file of MISP taxonomies available.",
     "url":
       "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
     "path": "machinetag.json",
     "taxonomies": [
       {
         "description": "The Admiralty Scale (also called the NATO System)
                         is used to rank the reliability of a source and
                         the credibility of an information.",
         "name": "admiralty-scale",
         "version": 1
       },
       {
         "description": "Open Source Intelligence - Classification.",
         "name": "osint",
         "version": 2
       }]
   }

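   The following is an added example, not code from this draft or from
   the misp-taxonomies repository.  It resolves each manifest entry to
   the URL of its machinetag.json (url + name + "/" + path, as Section 3
   lays the repository out) and then compares the manifest against the
   taxonomy objects that a consumer has fetched: an entry with no file,
   a file whose namespace differs from its directory name, and version
   drift between the manifest and the taxonomy.  Fetching is replaced
   by an in-memory dict so the example runs offline; the two taxonomy
   headers in it are those of Sections 4.1 and 4.2, which is enough to
   surface a real discrepancy in this document's samples: the manifest
   lists osint at version 2 while the osint taxonomy in Section 4.2
   declares version 3.

```python
"""Resolve MANIFEST.json entries and check them against fetched taxonomies
(added example)."""
from urllib.parse import urljoin

# Manifest as shown in Section 3.1 of the draft.
MANIFEST = {
    "version": "20161009",
    "license": "CC-0",
    "description": "Manifest file of MISP taxonomies available.",
    "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
    "path": "machinetag.json",
    "taxonomies": [
        {"description": "The Admiralty Scale (also called the NATO System) "
                        "is used to rank the reliability of a source and "
                        "the credibility of an information.",
         "name": "admiralty-scale", "version": 1},
        {"description": "Open Source Intelligence - Classification.",
         "name": "osint", "version": 2},
    ],
}

# Constructed stand-in for the fetched files: only the namespace headers of
# the taxonomies in Sections 4.1 and 4.2 (predicates and values omitted).
FETCHED = {
    "admiralty-scale": {"namespace": "admiralty-scale", "version": 1},
    "osint": {"namespace": "osint", "version": 3},
}


def taxonomy_urls(manifest):
    """Return {name: url} for every manifest entry: url + name + '/' + path."""
    base = manifest["url"]
    if not base.endswith("/"):
        base += "/"
    return {t["name"]: urljoin(base, f'{t["name"]}/{manifest["path"]}')
            for t in manifest["taxonomies"]}


def check_manifest(manifest, fetched):
    """Compare manifest entries with the fetched taxonomy objects.

    Returns (name, problem) tuples for entries with no fetched file, files
    whose namespace differs from their directory name, version drift between
    manifest and taxonomy, and fetched taxonomies the manifest does not list.
    An empty list means the directory and its manifest agree.
    """
    problems = []
    listed = {t["name"] for t in manifest["taxonomies"]}
    for entry in manifest["taxonomies"]:
        name = entry["name"]
        tax = fetched.get(name)
        if tax is None:
            problems.append((name, "listed in manifest but not fetched"))
            continue
        if tax.get("namespace") != name:
            problems.append((name, f"namespace {tax.get('namespace')!r} differs from directory name"))
        if tax.get("version") != entry["version"]:
            problems.append((name, f"manifest version {entry['version']} != taxonomy version {tax.get('version')}"))
    for name in fetched:
        if name not in listed:
            problems.append((name, "present in directory but missing from manifest"))
    return problems
```

   A consumer that caches taxonomies by manifest version would keep
   serving the stale osint copy until the manifest is regenerated; the
   version comparison is the check that catches that.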
4. Sample Taxonomy in MISP taxonomy format
4.1. Admiralty Scale Taxonomy

   {
     "namespace": "admiralty-scale",
     "description": "The Admiralty Scale (also called the NATO System)
                     is used to rank the reliability of a source and
                     the credibility of an information.",
     "version": 1,
     "predicates": [
       {
         "value": "source-reliability",
         "expanded": "Source Reliability"
       },
       {
         "value": "information-credibility",
         "expanded": "Information Credibility"
       }
     ],
     "values": [
       {
         "predicate": "source-reliability",
         "entry": [
           {
             "value": "a",
             "expanded": "Completely reliable"
           },
           {
             "value": "b",
             "expanded": "Usually reliable"
           },
           {
             "value": "c",
             "expanded": "Fairly reliable"
           },
           {
             "value": "d",
             "expanded": "Not usually reliable"
           },
           {
             "value": "e",
             "expanded": "Unreliable"
           },
           {
             "value": "f",
             "expanded": "Reliability cannot be judged"
           }
         ]
       },
       {
         "predicate": "information-credibility",
         "entry": [
           {
             "value": "1",
             "expanded": "Confirmed by other sources"
           },
           {
             "value": "2",
             "expanded": "Probably true"
           },
           {
             "value": "3",
             "expanded": "Possibly true"
           },
           {
             "value": "4",
             "expanded": "Doubtful"
           },
           {
             "value": "5",
             "expanded": "Improbable"
           },
           {
             "value": "6",
             "expanded": "Truth cannot be judged"
           }
         ]
       }
     ]
   }

4.2. Open Source Intelligence - Classification

   {
     "values": [
       {
         "entry": [
           {
             "expanded": "Blog post",
             "value": "blog-post"
           },
           {
             "expanded": "Technical or analysis report",
             "value": "technical-report"
           },
           {
             "expanded": "News report",
             "value": "news-report"
           },
           {
             "expanded": "Pastie-like website",
             "value": "pastie-website"
           },
           {
             "expanded": "Electronic forum",
             "value": "electronic-forum"
           },
           {
             "expanded": "Mailing-list",
             "value": "mailing-list"
           },
           {
             "expanded": "Block or Filter List",
             "value": "block-or-filter-list"
           },
           {
             "expanded": "Expansion",
             "value": "expansion"
           }
         ],
         "predicate": "source-type"
       },
       {
         "predicate": "lifetime",
         "entry": [
           {
             "value": "perpetual",
             "expanded": "Perpetual",
             "description": "Information available publicly on long-term"
           },
           {
             "value": "ephemeral",
             "expanded": "Ephemeral",
             "description": "Information available publicly on short-term"
           }
         ]
       },
       {
         "predicate": "certainty",
         "entry": [
           {
             "numerical_value": 100,
             "value": "100",
             "expanded": "100% Certainty",
             "description": "100% Certainty"
           },
           {
             "numerical_value": 93,
             "value": "93",
             "expanded": "93% Almost certain",
             "description": "93% Almost certain"
           },
           {
             "numerical_value": 75,
             "value": "75",
             "expanded": "75% Probable",
             "description": "75% Probable"
           },
           {
             "numerical_value": 50,
             "value": "50",
             "expanded": "50% Chances about even",
             "description": "50% Chances about even"
           },
           {
             "numerical_value": 30,
             "value": "30",
             "expanded": "30% Probably not",
             "description": "30% Probably not"
           },
           {
             "numerical_value": 7,
             "value": "7",
             "expanded": "7% Almost certainly not",
             "description": "7% Almost certainly not"
           },
           {
             "numerical_value": 0,
             "value": "0",
             "expanded": "0% Impossibility",
             "description": "0% Impossibility"
           }
         ]
       }
     ],
     "namespace": "osint",
     "description": "Open Source Intelligence - Classification",
     "version": 3,
     "predicates": [
       {
         "value": "source-type",
         "expanded": "Source Type"
       },
       {
         "value": "lifetime",
         "expanded": "Lifetime of the information
                      as Open Source Intelligence"
       },
       {
         "value": "certainty",
         "expanded": "Certainty of the elements mentioned
                      in this Open Source Intelligence"
       }
     ]
   }

4.3. Available taxonomies in the public directory
|
|
|
|
|
|
|
|
|
|
The public directory of MISP taxonomies [MISP-T] contains a variety
|
|
|
|
|
of taxonomy in various fields such as:
|
|
|
|
|
|
2023-12-24 14:07:40 +01:00
|
|
|
|
CERT-XLM: CERT-XLM Security Incident Classification.
|
|
|
|
|
DFRLab-dichotomies-of-disinformation: DFRLab Dichotomies of
|
|
|
|
|
Disinformation.
|
|
|
|
|
DML: The Detection Maturity Level (DML) model is a capability
|
2018-11-30 08:05:04 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Dulaunoy & Iklody Expires 24 August 2024 [Page 11]
|
2018-11-30 08:05:04 +01:00
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Internet-Draft MISP taxonomy format February 2024
|
2023-12-24 14:07:40 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
maturity model for referencing ones maturity in detecting cyber
|
|
|
|
|
attacks. It's designed for organizations who perform intel-driven
|
|
|
|
|
detection and response and who put an emphasis on having a mature
|
|
|
|
|
detection program.
|
|
|
|
|
GrayZone: Gray Zone of Active defense includes all elements which
|
|
|
|
|
lay between reactive defense elements and offensive operations.
|
|
|
|
|
It does fill the gray spot between them. Taxo may be used for
|
|
|
|
|
active defense planning or modeling.
|
|
|
|
|
PAP: The Permissible Actions Protocol - or short: PAP - was designed
|
|
|
|
|
to indicate how the received information can be used.
|
|
|
|
|
access-method: The access method used to remotely access a system.
|
|
|
|
|
accessnow: Access Now classification to classify an issue (such as
|
|
|
|
|
security, human rights, youth rights).
|
|
|
|
|
action-taken: Action taken in the case of a security incident (CSIRT
|
2018-11-30 08:05:04 +01:00
|
|
|
|
perspective).
|
2023-12-24 14:07:40 +01:00
|
|
|
|
admiralty-scale: The Admiralty Scale or Ranking (also called the
|
|
|
|
|
NATO System) is used to rank the reliability of a source and the
|
|
|
|
|
credibility of an information. Reference based on FM 2-22.3 (FM
|
|
|
|
|
34-52) HUMAN INTELLIGENCE COLLECTOR OPERATIONS and NATO documents.
|
|
|
|
|
adversary: An overview and description of the adversary
|
|
|
|
|
infrastructure
|
|
|
|
|
ais-marking: The AIS Marking Schema implementation is maintained by
|
|
|
|
|
the National Cybersecurity and Communication Integration Center
|
|
|
|
|
(NCCIC) of the U.S. Department of Homeland Security (DHS)
|
|
|
|
|
analyst-assessment: A series of assessment predicates describing the
|
|
|
|
|
analyst capabilities to perform analysis. These assessment can be
|
2018-11-30 08:05:04 +01:00
|
|
|
|
assigned by the analyst him/herself or by another party evaluating
|
|
|
|
|
the analyst.
|
2023-12-24 14:07:40 +01:00
|
|
|
|
approved-category-of-action: A pre-approved category of action for
|
|
|
|
|
indicators being shared with partners (MIMIC).
|
|
|
|
|
artificial-satellites: This taxonomy was designed to describe
|
|
|
|
|
artificial satellites
|
|
|
|
|
aviation: A taxonomy describing security threats or incidents
|
|
|
|
|
against the aviation sector.
|
|
|
|
|
binary-class: Custom taxonomy for types of binary file.
|
|
|
|
|
cccs: Internal taxonomy for CCCS.
|
|
|
|
|
circl: CIRCL Taxonomy - Schemes of Classification in Incident
|
|
|
|
|
Response and Detection.
|
|
|
|
|
cnsd: La presente taxonomia es la primera versión disponible
|
|
|
|
|
para el Centro Nacional de Seguridad Digital del Perú.
|
|
|
|
|
coa: Course of action taken within organization to discover, detect,
|
|
|
|
|
deny, disrupt, degrade, deceive and/or destroy an attack.
|
|
|
|
|
collaborative-intelligence: Collaborative intelligence support
|
|
|
|
|
language is a common language to support analysts to perform their
|
|
|
|
|
analysis to get crowdsourced support when using threat
|
|
|
|
|
intelligence sharing platform like MISP. The objective of this
|
|
|
|
|
language is to advance collaborative analysis and to share earlier
|
|
|
|
|
than later.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Dulaunoy & Iklody Expires 24 August 2024 [Page 12]
|
2018-11-30 08:05:04 +01:00
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Internet-Draft MISP taxonomy format February 2024
|
2023-12-24 14:07:40 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
common-taxonomy: Common Taxonomy for Law enforcement and CSIRTs
|
|
|
|
|
copine-scale: The COPINE Scale is a rating system created in Ireland
|
|
|
|
|
and used in the United Kingdom to categorise the severity of
|
|
|
|
|
images of child sex abuse. The scale was developed by staff at
|
|
|
|
|
the COPINE (Combating Paedophile Information Networks in Europe)
|
|
|
|
|
project. The COPINE Project was founded in 1997, and is based in
|
|
|
|
|
the Department of Applied Psychology, University College Cork,
|
|
|
|
|
Ireland.
|
|
|
|
|
course-of-action: A Course Of Action analysis considers six
|
|
|
|
|
potential courses of action for the development of a cyber
|
|
|
|
|
security capability.
|
|
|
|
|
crowdsec: Crowdsec IP address classifications and behaviors
|
|
|
|
|
taxonomy.
|
|
|
|
|
cryptocurrency-threat: Threats targetting cryptocurrency, based on
|
|
|
|
|
CipherTrace report.
|
|
|
|
|
csirt-americas: Taxonomía CSIRT Américas.
|
|
|
|
|
csirt_case_classification: It is critical that the CSIRT provide
|
|
|
|
|
consistent and timely response to the customer, and that sensitive
|
|
|
|
|
information is handled appropriately. This document provides the
|
|
|
|
|
guidelines needed for CSIRT Incident Managers (IM) to classify the
|
|
|
|
|
case category, criticality level, and sensitivity level for each
|
|
|
|
|
CSIRT case. This information will be entered into the Incident
|
|
|
|
|
Tracking System (ITS) when a case is created. Consistent case
|
|
|
|
|
classification is required for the CSIRT to provide accurate
|
|
|
|
|
reporting to management on a regular basis. In addition, the
|
|
|
|
|
classifications will provide CSIRT IM's with proper case handling
|
|
|
|
|
procedures and will form the basis of SLA's between the CSIRT and
|
|
|
|
|
other Company departments.
|
|
|
|
|
cssa: The CSSA agreed sharing taxonomy.
|
|
|
|
|
cti: Cyber Threat Intelligence cycle to control workflow state of
|
|
|
|
|
your process.
|
|
|
|
|
current-event: Current events - Schemes of Classification in
|
|
|
|
|
Incident Response and Detection
|
|
|
|
|
cyber-threat-framework: Cyber Threat Framework was developed by the
|
|
|
|
|
US Government to enable consistent characterization and
|
|
|
|
|
categorization of cyber threat events, and to identify trends or
|
|
|
|
|
changes in the activities of cyber adversaries.
|
|
|
|
|
https://www.dni.gov/index.php/cyber-threat-framework
|
|
|
|
|
(https://www.dni.gov/index.php/cyber-threat-framework)
|
|
|
|
|
cycat: Taxonomy used by CyCAT, the Universal Cybersecurity Resource
|
|
|
|
|
Catalogue, to categorize the namespaces it supports and uses.
|
|
|
|
|
cytomic-orion: Taxonomy to describe desired actions for Cytomic
|
|
|
|
|
Orion
|
|
|
|
|
dark-web: Criminal motivation and content detection the dark web: A
|
|
|
|
|
categorisation model for law enforcement. ref: Janis Dalins,
|
|
|
|
|
Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project
|
|
|
|
|
and extended by the JRC (Joint Research Centre) of the European
|
|
|
|
|
Commission.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Dulaunoy & Iklody Expires 24 August 2024 [Page 13]
|
2019-06-23 17:21:15 +02:00
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Internet-Draft MISP taxonomy format February 2024
|
2023-12-24 14:07:40 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|

   data-classification: Data classification for data potentially at
      risk of exfiltration, based on table 2.1 of the book Solving Cyber
      Risk.

   dcso-sharing: Taxonomy defined in the DCSO MISP Event Guide.  It
      provides guidance for the creation and consumption of MISP events
      in a way that minimises the extra effort for the sending party,
      while enhancing the usefulness for receiving parties.

   ddos: The Distributed Denial of Service (DDoS) taxonomy supports the
      description of Denial of Service attacks and especially the types
      they belong to.

   de-vs: German (DE) Government classification markings (VS).

   death-possibilities: Taxonomy of Death Possibilities.

   deception: Deception is an important component of information
      operations, valuable for both offense and defense.

   dga: A taxonomy to describe domain-generation algorithms, often
      called DGA.  Ref: "A Comprehensive Measurement Study of Domain
      Generating Malware" by Daniel Plohmann and others.

   dhs-ciip-sectors: DHS critical sectors as in
      https://www.dhs.gov/critical-infrastructure-sectors

   diamond-model: The Diamond Model for Intrusion Analysis establishes
      the basic atomic element of any intrusion activity, the event,
      composed of four core features: adversary, infrastructure,
      capability, and victim.

   diamond-model-for-influence-operations: The diamond model for
      influence operations analysis is a framework that leads analysts
      and researchers toward a comprehensive understanding of a malign
      influence campaign by addressing the socio-political, technical,
      and psychological aspects of the campaign.  The diamond model for
      influence operations analysis consists of 5 components: 4 corners
      and a core element.  The 4 corners are divided into 2 axes:
      influencer and audience on the socio-political axis, capabilities
      and infrastructure on the technical axis.  Narrative makes up the
      core of the diamond.

   dni-ism: A subset of Information Security Marking Metadata (ISM) as
      required by Executive Order (EO) 13526.  As described by DNI.gov
      as Data Encoding Specifications for Information Security Marking
      Metadata in Controlled Vocabulary Enumeration Values for ISM.

   domain-abuse: Domain Name Abuse - taxonomy to tag domain names used
      for cybercrime.

   doping-substances: This taxonomy aims to list doping substances.

   drugs: A taxonomy based on the superclass and class of drugs.  Based
      on https://www.drugbank.ca/releases/latest

   economical-impact: Economical impact is a taxonomy to describe the
      financial impact as positive or negative gain to the tagged
      information (e.g. data exfiltration loss, a positive gain for an
      adversary).

   ecsirt: Incident Classification by the ecsirt.net version mkVI of 31
      March 2015, enriched with the IntelMQ taxonomy-type mapping.

   enisa: The present threat taxonomy is an initial version that has
      been developed on the basis of available ENISA material.  This
      material has been used as an ENISA-internal structuring aid for
      information collection and threat consolidation purposes.  It
      emerged in the time period 2012-2015.

   estimative-language: Estimative language to describe the quality and
      credibility of underlying sources, data, and methodologies, based
      on Intelligence Community Directive 203 (ICD 203) and JP 2-0,
      Joint Intelligence.

   eu-marketop-and-publicadmin: Market operators and public
      administrations that must comply with certain notification
      requirements under the EU NIS Directive.

   eu-nis-sector-and-subsectors: Sectors, subsectors, and digital
      services as identified by the NIS Directive.

   euci: EU classified information (EUCI) means any information or
      material designated by an EU security classification, the
      unauthorised disclosure of which could cause varying degrees of
      prejudice to the interests of the European Union or of one or more
      of the Member States.

   europol-event: This taxonomy was designed to describe the type of
      events.

   europol-incident: This taxonomy was designed to describe the type of
      incidents by class.

   event-assessment: A series of assessment predicates describing the
      event assessment performed to make judgement(s) under a certain
      level of uncertainty.

   event-classification: Classification of events as seen in tools such
      as RT/IR, MISP and others.

   exercise: Exercise is a taxonomy to describe whether the information
      is part of one or more cyber or crisis exercises.

   extended-event: Reasons why an event has been extended.  This
      taxonomy must be used on the extended event.  The competitive
      analysis aspect is from Psychology of Intelligence Analysis by
      Richard J. Heuer, Jr.  Ref:
      http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf

   failure-mode-in-machine-learning: The purpose of this taxonomy is to
      jointly tabulate both of these failure modes in a single place.
      Intentional failures, wherein the failure is caused by an active
      adversary attempting to subvert the system to attain her goals:
      either to misclassify the result, infer private training data, or
      to steal the underlying algorithm.  Unintentional failures,
      wherein the failure is because an ML system produces a formally
      correct but completely unsafe outcome.

   false-positive: This taxonomy aims to ballpark the expected amount of
      false positives.

   file-type: List of known file types.

   financial: Financial taxonomy to describe financial services,
      infrastructure and financial scope.

   flesch-reading-ease: Flesch Reading Ease is a revised system for
      determining the comprehension difficulty of written material.  The
      Flesch score can have a maximum of 121.22 and there is no limit on
      how low a score can be (negative scores are valid).

   fpf: The Future of Privacy Forum (FPF) visual guide to practical
      de-identification
      (https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-identification/)
      taxonomy is used to evaluate the degree of identifiability of
      personal data and the types of pseudonymous data, de-identified
      data and anonymous data.  The work of FPF is licensed under a
      Creative Commons Attribution 4.0 International license.

   fr-classif: French government information classification system.

   gdpr: Taxonomy related to the REGULATION (EU) 2016/679 OF THE
      EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of
      natural persons with regard to the processing of personal data and
      on the free movement of such data, and repealing Directive
      95/46/EC (General Data Protection Regulation).

   gea-nz-activities: Information needed to track or monitor moments,
      periods or events that occur over time.  This type of information
      is focused on occurrences that must be tracked for business
      reasons or represent a specific point in the evolution of 'The
      Business'.

   gea-nz-entities: Information relating to instances of entities or
      things.

   gea-nz-motivators: Information relating to authority or governance.

   gsma-attack-category: Taxonomy used by GSMA for their information
      sharing program with telcos, describing the attack categories.

   gsma-fraud: Taxonomy used by GSMA for their information sharing
      program with telcos, describing the various aspects of fraud.

   gsma-network-technology: Taxonomy used by GSMA for their information
      sharing program with telcos, describing the types of
      infrastructure.  Work in progress.

   honeypot-basic: Updated (CIRCL, Seamus Dowling and EURECOM) from
      Christian Seifert, Ian Welch, Peter Komisarczuk, 'Taxonomy of
      Honeypots', Technical Report CS-TR-06/12, Victoria University of
      Wellington, School of Mathematical and Computing Sciences, June
      2006,
      http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf

   ics: FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution
      (IOC) Project.

   iep: Forum of Incident Response and Security Teams (FIRST)
      Information Exchange Policy (IEP) framework.

   iep2-policy: Forum of Incident Response and Security Teams (FIRST)
      Information Exchange Policy (IEP) v2.0 Policy.

   iep2-reference: Forum of Incident Response and Security Teams
      (FIRST) Information Exchange Policy (IEP) v2.0 Reference.

   ifx-vetting: The IFX taxonomy is used to categorise information
      (MISP events and attributes) to aid in the intelligence vetting
      process.

   incident-disposition: How an incident is classified in its process
      to be resolved.  The taxonomy is inspired by the NASA Incident
      Response and Management Handbook.
      https://www.nasa.gov/pdf/589502main_ITS-HBK-2810.09-02%20%5bNASA%20Information%20Security%20Incident%20Management%5d.pdf#page=9

   infoleak: A taxonomy describing information leaks and especially
      information classified as being potentially leaked.  The taxonomy
      is based on the work by CIRCL on the AIL framework.  The taxonomy
      aims to be used at large to improve the classification of leaked
      information.

   information-origin: Taxonomy for tagging information by its origin:
      human-generated or AI-generated.

   information-security-data-source: Taxonomy to classify the
      information security data sources.

   information-security-indicators: A full set of operational
      indicators for organizations to use to benchmark their security
      posture.

   interactive-cyber-training-audience: Describes the target of cyber
      training and education.

   interactive-cyber-training-technical-setup: The technical setup
      consists of environment structure, deployment, and orchestration.

   interactive-cyber-training-training-environment: The training
      environment details the environment around the training,
      consisting of training type and scenario.

   interactive-cyber-training-training-setup: The training setup
      further describes the training itself with the scoring, roles, the
      training mode as well as the customization level.

   interception-method: The interception method used to intercept
      traffic.

   ioc: An IOC classification to facilitate automation of malicious and
      non-malicious artifacts.

   iot: Internet of Things taxonomy, based on the IoT UK report
      https://iotuk.org.uk/wp-content/uploads/2017/01/IOT-Taxonomy-Report.pdf

   kill-chain: The Cyber Kill Chain, a phase-based model developed by
      Lockheed Martin, aims to help categorise and identify the stage of
      an attack.

   maec-delivery-vectors: Vectors used to deliver malware, based on
      MAEC 5.0.

   maec-malware-behavior: Malware behaviours based on MAEC 5.0.

   maec-malware-capabilities: Malware capabilities based on MAEC 5.0.

   maec-malware-obfuscation-methods: Obfuscation methods used by
      malware, based on MAEC 5.0.

   malware_classification: Classification based on different
      categories.  Based on
      https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848

   misinformation-website-label: Classification for the identification
      of the type of misinformation among websites.  Source: False,
      Misleading, Clickbait-y, and/or Satirical News Sources by Melissa
      Zimdars, 2019.

   misp: MISP taxonomy used to influence MISP behaviour or operation.

   misp-workflow: MISP workflow taxonomy to support the result of
      workflow execution.

   monarc-threat: MONARC Threats Taxonomy.

   ms-caro-malware: Malware Type and Platform classification based on
      Microsoft's implementation of the Computer Antivirus Research
      Organization (CARO) Naming Scheme and Malware Terminology.  Based
      on
      https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx,
      https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx,
      https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx,
      and http://www.caro.org/definitions/index.html.  Malware families
      are extracted from Microsoft SIRs since 2008 based on
      https://www.microsoft.com/security/sir/archive/default.aspx and
      https://www.microsoft.com/en-us/security/portal/threat/threats.aspx.
      Note that SIRs do NOT include all Microsoft malware families.

   ms-caro-malware-full: Malware Type and Platform classification based
      on Microsoft's implementation of the Computer Antivirus Research
      Organization (CARO) Naming Scheme and Malware Terminology.  Based
      on
      https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx,
      https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx,
      https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx,
      and http://www.caro.org/definitions/index.html.  Malware families
      are extracted from Microsoft SIRs since 2008 based on
      https://www.microsoft.com/security/sir/archive/default.aspx and
      https://www.microsoft.com/en-us/security/portal/threat/threats.aspx.
      Note that SIRs do NOT include all Microsoft malware families.

   mwdb: Malware Database (mwdb) Taxonomy - tags used across the
      platform.

   nato: NATO classification markings.

   nis: The taxonomy is meant for large scale cybersecurity incidents,
      as mentioned in the Commission Recommendation of 13 September
      2017, also known as the blueprint.  It has two core parts: the
      nature of the incident, i.e. the underlying cause that triggered
      the incident, and the impact of the incident, i.e. the impact on
      services, in which sector(s) of economy and society.

   nis2: The taxonomy is meant for large scale cybersecurity incidents,
      as mentioned in the Commission Recommendation of 13 May 2022, also
      known as the provisional agreement.  It has two core parts: the
      nature of the incident, i.e. the underlying cause that triggered
      the incident, and the impact of the incident, i.e. the impact on
      services, in which sector(s) of economy and society.

   open_threat: Open Threat Taxonomy v1.1, based on the work of James
      Tarala of SANS:
      http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf,
      https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Using-Open-Tools-to-Convert-Threat-Intelligence-into-Practical-Defenses-James-Tarala-SANS-Institute.pdf,
      https://www.youtube.com/watch?v=5rdGOOFC_yE, and
      https://www.rsaconference.com/writable/presentations/file_upload/str-r04_using-an-open-source-threat-model-for-prioritized-defense-final.pdf

   osint: Open Source Intelligence - Classification (MISP taxonomies).

   pandemic: Pandemic.

   passivetotal: Tags from RiskIQ's PassiveTotal service.

   pentest: Penetration test (pentest) classification.

   phishing: Taxonomy to classify phishing attacks, including
      techniques, collection mechanisms and analysis status.

   poison-taxonomy: Non-exhaustive taxonomy of natural poisons.

   political-spectrum: A political spectrum is a system to characterize
      and classify different political positions in relation to one
      another.

   priority-level: After an incident is scored, it is assigned a
      priority level.  The six levels are aligned with NCCIC, DHS, and
      the CISS to help provide a common lexicon when discussing
      incidents.  This priority assignment drives NCCIC urgency,
      pre-approved incident response offerings, reporting requirements,
      and recommendations for leadership escalation.  Generally,
      incident priority distribution should follow a pattern similar to
      the graph in the referenced scoring system.  Based on
      https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System

   pyoti: PyOTI automated enrichment schemes for point-in-time
      classification of indicators.

   ransomware: Ransomware is used to define ransomware types and the
      elements that compose them.

   ransomware-roles: The seven roles seen in most ransomware incidents.

   retention: Add a retention time to events to automatically remove
      the IDS flag on ip-dst or ip-src attributes.  The elapsed time is
      calculated from the date of the event.  Supported time units are:
      d(ays), w(eeks), m(onths), y(ears).  The numerical_value is only
      used for sorting in the web interface and plays no part in the
      calculation.

   rsit: Reference Security Incident Classification Taxonomy.

   rt_event_status: Status of events used in Request Tracker.

   runtime-packer: Runtime or software packer used to combine
      compressed or encrypted data with the decompression or decryption
      code.  This code can add additional obfuscation mechanisms,
      including polymorphic packers or other obfuscation techniques.
      This taxonomy lists all the known or official packers used for
      legitimate purposes or for packing malicious binaries.

   scrippsco2-fgc: Flags describing the sample.

   scrippsco2-fgi: Flags describing the sample for isotopic data (C14,
      O18).

   scrippsco2-sampling-stations: Sampling stations of the Scripps CO2
      Program.

   sentinel-threattype: Sentinel indicator threat types.

   smart-airports-threats: Threat taxonomy in the scope of securing
      smart airports by ENISA.
      https://www.enisa.europa.eu/publications/securing-smart-airports

   social-engineering-attack-vectors: Attack vectors used in social
      engineering as described in 'A Taxonomy of Social Engineering
      Defense Mechanisms' by Dalal Alharthi and others.

   srbcert: SRB-CERT Taxonomy - Schemes of Classification in Incident
      Response and Detection.

   state-responsibility: A spectrum of state responsibility to more
      directly tie the goals of attribution to the needs of
      policymakers.

   stealth_malware: Classification based on malware stealth techniques.
      Described in
      https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf

   stix-ttp: TTPs are representations of the behavior or modus operandi
      of cyber adversaries.

   targeted-threat-index: The Targeted Threat Index is a metric for
      assigning an overall threat ranking score to email messages that
      deliver malware to a victim's computer.  The TTI metric was first
      introduced at SecTor 2013 by Seth Hardy as part of the talk
      "RATastrophe: Monitoring a Malware Menagerie" along with Katie
      Kleemola and Greg Wiseman.

   thales_group: Thales Group Taxonomy - designed with the aim of
      enabling desired sharing and preventing unwanted sharing between
      Thales Group security communities.

   threatmatch: The ThreatMatch Sectors, Incident types, Malware types
      and Alert types are applicable to any ThreatMatch instance and
      should be used for all CIISI and TIBER projects.

   threats-to-dns: An overview of some of the known attacks related to
      DNS as described by Torabi, S., Boukhtouta, A., Assi, C., &
      Debbabi, M. (2018) in "Detecting Internet Abuse by Analyzing
      Passive DNS Traffic: A Survey of Implemented Systems", IEEE
      Communications Surveys & Tutorials, doi:10.1109/comst.2018.2849614

   tlp: The Traffic Light Protocol (TLP) (v2.0) was created to
      facilitate greater sharing of potentially sensitive information
      and more effective collaboration.  Information sharing happens
      from an information source towards one or more recipients.  TLP is
      a set of four standard labels (a fifth label is included in amber
      to limit the diffusion) used to indicate the sharing boundaries to
      be applied by the recipients.  Only labels listed in this standard
      are considered valid by FIRST.  This taxonomy includes additional
      labels for backward compatibility which are no longer validated by
      the FIRST SIG.

   tor: Taxonomy to describe Tor network infrastructure.

   trust: The Indicator of Trust provides insight about data on what
      can be trusted and known as a good actor.  Similar to a whitelist
      but on steroids, reusing features one would use with Indicators of
      Compromise, but to filter out what is known to be good.

   type: Taxonomy to describe the different intelligence gathering
      disciplines, which describe the origin of intelligence.

   unified-kill-chain: The Unified Kill Chain is a refinement of the
      Kill Chain.

   use-case-applicability: The Use Case Applicability categories
      reflect standard resolution categories, to clearly display
      alerting rule configuration problems.

   veris: Vocabulary for Event Recording and Incident Sharing (VERIS).

   vmray: VMRay taxonomies to map VMRay Threat Identifier scores and
      artifacts.

   vocabulaire-des-probabilites-estimatives: This vocabulary assigns
      percentage values to certain probability statements.

   workflow: Workflow support language is a common language to support
      intelligence analysts in performing their analysis on data and
      information.

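   The expiry logic that the retention entry above describes, as an
   added example that is not MISP's own implementation.  It assumes the
   tag is written retention:<N><unit> with the predicate being the
   duration literal (for instance retention:2w), approximates months and
   years as 30 and 365 days, and uses MISP's JSON field names date,
   Tag[].name, Attribute[].type and Attribute[].to_ids; the sample event
   is constructed for the example.

```python
import re
from datetime import date, timedelta

# Tag form assumed by this example: retention:<N><unit>, the predicate
# being the duration literal, with the units named in the taxonomy text.
RETENTION_TAG = re.compile(r"^retention:(\d+)([dwmy])$")

# Month and year lengths are this example's approximation; the taxonomy
# text names the units but not the calendar arithmetic.
UNIT_DAYS = {"d": 1, "w": 7, "m": 30, "y": 365}


def parse_retention(tag):
    """Return the retention period as a timedelta, or None when the tag
    is not a retention tag."""
    m = RETENTION_TAG.match(tag)
    if not m:
        return None
    return timedelta(days=int(m.group(1)) * UNIT_DAYS[m.group(2)])


def shortest_retention(tags):
    """Several retention tags on one event: the strictest one wins."""
    periods = [p for p in map(parse_retention, tags) if p is not None]
    return min(periods) if periods else None


def is_expired(event_date, tags, today):
    """True once today reaches event date plus the retention period.
    Events without a retention tag never expire."""
    period = shortest_retention(tags)
    if period is None:
        return False
    return today >= date.fromisoformat(event_date) + period


def apply_retention(event, today):
    """Return a copy of the event with to_ids cleared on ip-src/ip-dst
    attributes when the retention period has elapsed; other attribute
    types and unexpired events are returned untouched."""
    names = [t["name"] for t in event.get("Tag", [])]
    if not is_expired(event["date"], names, today):
        return event
    out = dict(event)
    out["Attribute"] = [
        {**a, "to_ids": False} if a["type"] in ("ip-src", "ip-dst") else a
        for a in event.get("Attribute", [])
    ]
    return out


# Constructed sample event in MISP's JSON field layout, not real data.
SAMPLE_EVENT = {
    "date": "2024-01-10",
    "Tag": [{"name": "tlp:green"}, {"name": "retention:2w"}],
    "Attribute": [
        {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
        {"type": "domain", "value": "example.test", "to_ids": True},
    ],
}

if __name__ == "__main__":
    for day in (date(2024, 1, 23), date(2024, 1, 24)):
        ev = apply_retention(SAMPLE_EVENT, day)
        print(day, [(a["type"], a["to_ids"]) for a in ev["Attribute"]])
```

   Run on the sample event, the ip-dst attribute keeps its IDS flag on
   2024-01-23 and loses it on 2024-01-24, two weeks after the event
   date; the domain attribute is never touched, matching the entry's
   restriction to ip-src and ip-dst.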

5. JSON Schema

   The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP
   taxonomy document as described above.  The JSON Schema is used to
   validate a MISP taxonomy.  Validation is a MUST if the taxonomy is
   included in the MISP taxonomies directory.

{
|
|
|
|
|
"$schema": "http://json-schema.org/schema#",
|
|
|
|
|
"title": "Validator for misp-taxonomies",
|
|
|
|
|
"id": "https://www.github.com/MISP/misp-taxonomies/schema.json",
|
|
|
|
|
"defs": {
|
|
|
|
|
"entry": {
|
|
|
|
|
"type": "array",
|
|
|
|
|
"uniqueItems": true,
|
|
|
|
|
"items": {
|
|
|
|
|
"type": "object",
|
|
|
|
|
"additionalProperties": false,
|
|
|
|
|
"properties": {
|
|
|
|
|
"numerical_value": {
|
|
|
|
|
"type": "number"
|
|
|
|
|
},
|
|
|
|
|
"expanded": {
|
|
|
|
|
"type": "string"
|
|
|
|
|
},
|
|
|
|
|
"description": {
|
|
|
|
|
"type": "string"
|
|
|
|
|
},
|
|
|
|
|
"colour": {
|
|
|
|
|
"type": "string"
|
|
|
|
|
},
|
|
|
|
|
"value": {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Dulaunoy & Iklody Expires 24 August 2024 [Page 22]
|
2018-11-30 08:05:04 +01:00
|
|
|
|
|
2024-02-22 08:05:30 +01:00
|
|
|
|
Internet-Draft MISP taxonomy format February 2024
|
2018-11-30 08:05:04 +01:00
|
|
|
|
|
|
|
|
|
|
2023-12-24 14:07:40 +01:00
|
|
|
|
"type": "string"
|
|
|
|
|
},
|
|
|
|
|
"required": [
|
|
|
|
|
"value"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"values": {
|
|
|
|
|
"type": "array",
|
|
|
|
|
"uniqueItems": true,
|
|
|
|
|
"items": {
|
|
|
|
|
"type": "object",
|
|
|
|
|
"additionalProperties": false,
|
|
|
|
|
"properties": {
|
|
|
|
|
"entry": {
|
|
|
|
|
"$ref": "#/defs/entry"
|
|
|
|
|
},
|
|
|
|
|
"predicate": {
|
|
|
|
|
"type": "string"
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"required": [
|
|
|
|
|
"predicate"
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"predicates": {
|
|
|
|
|
"type": "array",
|
|
|
|
|
"uniqueItems": true,
|
|
|
|
|
"items": {
|
|
|
|
|
"type": "object",
|
|
|
|
|
"additionalProperties": false,
|
|
|
|
|
"properties": {
|
|
|
|
|
"numerical_value": {
|
|
|
|
|
"type": "number"
|
|
|
|
|
},
|
|
               "colour": {
                 "type": "string"
               },
               "description": {
                 "type": "string"
               },
               "expanded": {
                 "type": "string"
               },
               "value": {
                 "type": "string"

Dulaunoy & Iklody Expires 24 August 2024 [Page 23]

Internet-Draft MISP taxonomy format February 2024

               },
               "exclusive": {
                 "type": "boolean"
               }
             },
             "required": [
               "value"
             ]
           }
         }
       }
     },
     "type": "object",
     "additionalProperties": false,
     "properties": {
       "version": {
         "type": "integer"
       },
       "description": {
         "type": "string"
       },
       "expanded": {
         "type": "string"
       },
       "namespace": {
         "type": "string"
       },
       "exclusive": {
         "type": "boolean"
       },
       "type": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "string",
           "enum": [
             "org",
             "user",
             "attribute",
             "event"
           ]
         }
       },
       "refs": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "string"
         }
       },
       "predicates": {
         "$ref": "#/defs/predicates"
       },
       "values": {
         "$ref": "#/defs/values"
       }
     },
     "required": [
       "namespace",
       "description",
       "version",
       "predicates"
     ]
   }
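   The schema above states what a taxonomy document may contain, but
   not how a file is checked before it is loaded into a sharing
   platform, nor which machine tags it yields once accepted. The
   following Python is an added example, not code from this draft or
   from the MISP project: it re-implements the constraints visible in
   the schema fragment with the standard library only (no external
   JSON Schema validator), then expands a validated document into the
   namespace:predicate="value" machine tags it defines. The shape of
   "values" (objects carrying a "predicate" string and an "entry"
   array of entries) is assumed from the defs/values definition that
   the fragment references but does not reproduce; the
   "example-handling" taxonomy and its refs URL are constructed for
   the example.

```python
"""Stdlib-only validation of a MISP taxonomy document against the constraints
of the schema fragment above, plus machine-tag expansion (added example)."""
import copy
import json

# Key -> JSON type for each level; unknown keys violate additionalProperties.
TOP_TYPES = {"version": int, "description": str, "expanded": str, "namespace": str,
             "exclusive": bool, "type": list, "refs": list, "predicates": list,
             "values": list}
TOP_REQUIRED = ("namespace", "description", "version", "predicates")
ENTRY_TYPES = {"colour": str, "description": str, "expanded": str,
               "value": str, "exclusive": bool}
TYPE_ENUM = {"org", "user", "attribute", "event"}


def _check_typed(obj, types, where, errors):
    """Reject unknown keys and wrongly typed values (a bool is not an integer)."""
    if not isinstance(obj, dict):
        errors.append(f"{where}: must be an object")
        return False
    errors.extend(f"{where}: unexpected key {k!r}" for k in obj.keys() - types.keys())
    for k, t in types.items():
        if k in obj and (not isinstance(obj[k], t)
                         or (t is int and isinstance(obj[k], bool))):
            errors.append(f"{where}.{k}: must be {t.__name__}")
    return True


def _check_entry(entry, where, errors):
    """Items of 'predicates' and of 'values[].entry': only 'value' is required."""
    if _check_typed(entry, ENTRY_TYPES, where, errors) and "value" not in entry:
        errors.append(f"{where}: missing required key 'value'")


def _check_string_array(arr, where, errors, allowed=None):
    """'type' and 'refs': unique strings; 'type' is also bound to the enum."""
    if len(set(map(repr, arr))) != len(arr):
        errors.append(f"{where}: items must be unique")
    for i, item in enumerate(arr):
        if not isinstance(item, str):
            errors.append(f"{where}[{i}]: must be str")
        elif allowed is not None and item not in allowed:
            errors.append(f"{where}[{i}]: {item!r} not in {sorted(allowed)}")


def validate_taxonomy(doc):
    """Return the list of violations; an empty list means the document passes."""
    errors = []
    if not _check_typed(doc, TOP_TYPES, "$", errors):
        return errors
    errors += [f"$: missing required key {k!r}" for k in TOP_REQUIRED if k not in doc]
    for k, allowed in (("type", TYPE_ENUM), ("refs", None)):
        if isinstance(doc.get(k), list):
            _check_string_array(doc[k], f"$.{k}", errors, allowed)
    preds = doc.get("predicates") if isinstance(doc.get("predicates"), list) else []
    for i, p in enumerate(preds):
        _check_entry(p, f"$.predicates[{i}]", errors)
    declared = {p.get("value") for p in preds if isinstance(p, dict)}
    # 'values' is defs/values, not reproduced in the fragment above; its assumed
    # shape is objects with a 'predicate' string and an 'entry' array of entries.
    values = doc.get("values") if isinstance(doc.get("values"), list) else []
    for i, v in enumerate(values):
        where = f"$.values[{i}]"
        if not isinstance(v, dict) or not isinstance(v.get("predicate"), str):
            errors.append(f"{where}: needs a string 'predicate'")
            continue
        if v["predicate"] not in declared:
            errors.append(f"{where}: predicate {v['predicate']!r} is not declared")
        for j, e in enumerate(v.get("entry", [])):
            _check_entry(e, f"{where}.entry[{j}]", errors)
    return errors


def expand_tags(doc):
    """Machine tags a valid taxonomy defines: namespace:predicate for a bare
    predicate, namespace:predicate="value" for each value entry."""
    ns = doc["namespace"]
    by_pred = {v["predicate"]: v.get("entry", []) for v in doc.get("values", [])}
    tags = []
    for p in doc["predicates"]:
        entries = by_pred.get(p["value"])
        tags += ([f'{ns}:{p["value"]}="{e["value"]}"' for e in entries]
                 if entries else [f'{ns}:{p["value"]}'])
    return tags


# Constructed sample taxonomy (not one of the published MISP taxonomies).
SAMPLE = json.loads("""{
  "namespace": "example-handling", "version": 1, "exclusive": false,
  "description": "Constructed sample for the validator above",
  "type": ["event", "attribute"], "refs": ["https://example.invalid/handling"],
  "predicates": [{"value": "sensitivity", "expanded": "Sensitivity", "exclusive": true},
                 {"value": "reviewed", "expanded": "Reviewed by an analyst"}],
  "values": [{"predicate": "sensitivity", "entry": [
    {"value": "low", "colour": "#33cc33"}, {"value": "high", "colour": "#cc0000"}]}]
}""")

# The same document with three violations the schema would reject.
BROKEN = copy.deepcopy(SAMPLE)
BROKEN["version"] = "1"                       # integer required
BROKEN["type"].append("galaxy")               # not in the 'type' enum
del BROKEN["values"][0]["entry"][0]["value"]  # 'value' is required
```

   To check a taxonomy file before importing it, pass the parsed
   document to validate_taxonomy() and refuse the import unless the
   returned list is empty; expand_tags() then lists every tag the
   taxonomy can produce, which is useful for reviewing a new vocabulary
   or for matching incoming tags against the vocabularies a platform
   actually knows. The bool-versus-integer check exists because Python
   treats True as an int, so a naive isinstance() would accept
   "version": true even though the schema requires an integer.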

6. Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

7. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

8. Informative References

   [JSON-SCHEMA]
              Wright, A., "JSON Schema: A Media Type for Describing JSON
              Documents", 2016,
              <https://tools.ietf.org/html/draft-wright-json-schema>.

   [MISP-P]   Community, M., "MISP Project - Open Source Threat
              Intelligence Platform and Open Standards For Threat
              Information Sharing", <https://github.com/MISP>.

   [MISP-T]   Community, M., "MISP Taxonomies - shared and common
              vocabularies of tags",
              <https://github.com/MISP/misp-taxonomies>.

   [machine-tags]
              Cope, A. S., "Machine tags", 2007,
              <https://www.flickr.com/groups/51035612836@N01/
              discuss/72157594497877875/>.

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   122, rue Adolphe Fischer
   L-1521 Luxembourg
   Luxembourg
   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu


   Andras Iklody
   Computer Incident Response Center Luxembourg
   122, rue Adolphe Fischer
   L-1521 Luxembourg
   Luxembourg
   Phone: +352 247 88444
   Email: andras.iklody@circl.lu