diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md
index 2776028..7aab67c 100644
--- a/misp-galaxy-format/raw.md
+++ b/misp-galaxy-format/raw.md
@@ -153,7 +153,8 @@ Example use of the country, motive fields in the threat-actor galaxy:
 "refs": [
 "http://www.crowdstrike.com/blog/whois-anchor-panda/"
 ],
- "motive": "Espionage"
+ "motive": "Espionage",
+ "attribution-confidence": 50
 },
 "value": "Anchor Panda",
 "description": "PLA Navy",
@@ -219,7 +220,8 @@ Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-
 "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Private sector"
- ]
+ ],
+ "attribution-confidence": 50
 },
 "value": "APT 16",
 "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
diff --git a/misp-galaxy-format/raw.md.txt b/misp-galaxy-format/raw.md.txt
index 398c330..593a2c3 100755
--- a/misp-galaxy-format/raw.md.txt
+++ b/misp-galaxy-format/raw.md.txt
@@ -73,7 +73,7 @@ Table of Contents
 2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3
 2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4
 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 8
+ 3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 9
 3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 9
 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
@@ -256,6 +256,32 @@ Internet-Draft MISP galaxy format September 2018
 Example use of the country, motive fields in the threat-actor galaxy:
+ + + + + + + + + + + + + + + + + + + + +
+Dulaunoy, et al. Expires March 24, 2019 [Page 5]
+
+Internet-Draft MISP galaxy format September 2018
+ +
 {
 "meta": {
 "country": "CN",
@@ -268,20 +294,14 @@ Internet-Draft MISP galaxy format September 2018
 "refs": [
 "http://www.crowdstrike.com/blog/whois-anchor-panda/"
 ],
- "motive": "Espionage"
+ "motive": "Espionage",
+ "attribution-confidence": 50
 },
 "value": "Anchor Panda",
 "description": "PLA Navy",
 "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
 }
- -
-Dulaunoy, et al. Expires March 24, 2019 [Page 5]
-
-Internet-Draft MISP galaxy format September 2018
- -
 encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs MAY be used to give further information in ransomware galaxy. encryption is represented as a string and SHALL be
@@ -295,6 +315,29 @@ Internet-Draft MISP galaxy format September 2018
 Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:
+ + + + + + + + + + + + + + + + + +
+Dulaunoy, et al. Expires March 24, 2019 [Page 6]
+
+Internet-Draft MISP galaxy format September 2018
+ +
 {
 "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
 "meta": {
@@ -330,14 +373,6 @@ Internet-Draft MISP galaxy format September 2018
 "value": "menuPass (G0045) uses EvilGrab (S0152)"
 }
- - -
-Dulaunoy, et al. Expires March 24, 2019 [Page 6]
-
-Internet-Draft MISP galaxy format September 2018
- -
 cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of- incident and cfr-target-category MAY be used to report information gathered from CFR's (Council on Foreign Relations) [CFR] Cyber
@@ -352,6 +387,13 @@ Internet-Draft MISP galaxy format September 2018
 exhaustive list of possible values for cfr-target-category includes "Private sector", "Government", "Civil society", "Military".
+ +
+Dulaunoy, et al. Expires March 24, 2019 [Page 7]
+
+Internet-Draft MISP galaxy format September 2018
+ +
 Example use of the cfr-suspected-victims, cfr-suspected-state- sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy:
@@ -371,7 +413,8 @@ Internet-Draft MISP galaxy format September 2018
 "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Private sector"
- ]
+ ],
+ "attribution-confidence": 50
 },
 "value": "APT 16",
 "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
@@ -385,15 +428,6 @@ Internet-Draft MISP galaxy format September 2018
 "from probable, almost certain to certainty" and SHALL be present if country or cfr-suspected-state-sponsor are present.
- - - -
-Dulaunoy, et al. Expires March 24, 2019 [Page 7]
-
-Internet-Draft MISP galaxy format September 2018
- -
 Impossibility no information Certainty + |
@@ -406,40 +440,6 @@ Internet-Draft MISP galaxy format September 2018
 The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy formats. The main format is the MISP galaxy format used for the clusters.
-
-3.1. MISP galaxy format - galaxy
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@@ -450,6 +450,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 8]
 Internet-Draft MISP galaxy format September 2018
+3.1. MISP galaxy format - galaxy
+
 {
 "$schema": "http://json-schema.org/schema#",
 "title": "Validator for misp-galaxies - Galaxies",
@@ -496,8 +498,6 @@ Internet-Draft MISP galaxy format September 2018
 {
 "$schema": "http://json-schema.org/schema#",
 "title": "Validator for misp-galaxies - Clusters",
- "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
- "type": "object",
@@ -506,6 +506,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 9]
 Internet-Draft MISP galaxy format September 2018
+ "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
+ "type": "object",
 "additionalProperties": false,
 "properties": {
 "description": {
@@ -552,8 +554,6 @@ Internet-Draft MISP galaxy format September 2018
 "type": "object"
 },
 "properties": {
- "dest-uuid": {
- "type": "string"
@@ -562,6 +562,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 10]
 Internet-Draft MISP galaxy format September 2018
+ "dest-uuid": {
+ "type": "string"
 },
 "type": {
 "type": "string"
@@ -608,8 +610,6 @@ Internet-Draft MISP galaxy format September 2018
 "type": "string"
 },
 "refs": {
- "type": "array",
- "uniqueItems": true,
@@ -618,6 +618,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 11]
 Internet-Draft MISP galaxy format September 2018
+ "type": "array",
+ "uniqueItems": true,
 "items": {
 "type": "string"
 }
@@ -664,8 +666,6 @@ Internet-Draft MISP galaxy format September 2018
 "type": "array",
 "uniqueItems": true,
 "items": {
- "type": "string"
- }
@@ -674,6 +674,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 12]
 Internet-Draft MISP galaxy format September 2018
+ "type": "string"
+ }
 }
 },
 "required": [
@@ -723,8 +725,6 @@ Internet-Draft MISP galaxy format September 2018
- -
 Dulaunoy, et al. Expires March 24, 2019 [Page 13]
 Internet-Draft MISP galaxy format September 2018