chg: [galaxy] attribution-confidence added to the examples

pull/23/head
Alexandre Dulaunoy 2019-03-11 20:35:44 +01:00
parent 7327d0deab
commit 091eadabeb
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 75 additions and 73 deletions

@ -153,7 +153,8 @@ Example use of the country, motive fields in the threat-actor galaxy:
"refs": [ "refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/" "http://www.crowdstrike.com/blog/whois-anchor-panda/"
], ],
"motive": "Espionage" "motive": "Espionage",
"attribution-confidence": 50
}, },
"value": "Anchor Panda", "value": "Anchor Panda",
"description": "PLA Navy", "description": "PLA Navy",
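Review bot: the value 50 added to the Anchor Panda example sits at the "no information" midpoint of the attribution-confidence scale drawn later in the draft (Impossibility / no information / Certainty), which reads oddly for an example that already asserts "country": "CN" and "PLA Navy"; either choose a value that reflects an actual assessment or say in the surrounding text that 50 is the neutral default. The caption in the hunk header still reads "Example use of the country, motive fields", so attribution-confidence should be named there as well.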
@ -219,7 +220,8 @@ Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"cfr-target-category": [ "cfr-target-category": [
"Private sector" "Private sector"
] ],
"attribution-confidence": 50
}, },
"value": "APT 16", "value": "APT 16",
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf" "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
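Review bot: the caption in the hunk header ("Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-...") does not mention attribution-confidence, so a reader has no cue for why the field appears in this example; extend the caption to name it. The added trailing comma on "]" is the only structural change and keeps the JSON valid.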

@ -73,7 +73,7 @@ Table of Contents
2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 8 3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 9
3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 9 3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 9
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
@ -256,6 +256,32 @@ Internet-Draft MISP galaxy format September 2018
Example use of the country, motive fields in the threat-actor galaxy: Example use of the country, motive fields in the threat-actor galaxy:
Dulaunoy, et al. Expires March 24, 2019 [Page 5]
Internet-Draft MISP galaxy format September 2018
{ {
"meta": { "meta": {
"country": "CN", "country": "CN",
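Review bot: after repagination the "[Page 5]" footer and the running "Internet-Draft MISP galaxy format" header now fall between the caption "Example use of the country, motive fields in the threat-actor galaxy:" and the opening "{", leaving the caption orphaned at the bottom of the previous page; if this .txt is generated from the source, a page-break hint before the caption would keep the caption and its example together.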
@ -268,20 +294,14 @@ Internet-Draft MISP galaxy format September 2018
"refs": [ "refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/" "http://www.crowdstrike.com/blog/whois-anchor-panda/"
], ],
"motive": "Espionage" "motive": "Espionage",
"attribution-confidence": 50
}, },
"value": "Anchor Panda", "value": "Anchor Panda",
"description": "PLA Navy", "description": "PLA Navy",
"uuid": "c82c904f-b3b4-40a2-bf0d-008912953104" "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
} }
Dulaunoy, et al. Expires March 24, 2019 [Page 5]
Internet-Draft MISP galaxy format September 2018
encryption, extensions, ransomnotes, ransomnotes-filenames, encryption, extensions, ransomnotes, ransomnotes-filenames,
ransomnotes-refs MAY be used to give further information in ransomnotes-refs MAY be used to give further information in
ransomware galaxy. encryption is represented as a string and SHALL be ransomware galaxy. encryption is represented as a string and SHALL be
@ -295,6 +315,29 @@ Internet-Draft MISP galaxy format September 2018
Example use of the encryption, extensions, ransomnotes fields in the Example use of the encryption, extensions, ransomnotes fields in the
ransomware galaxy: ransomware galaxy:
Dulaunoy, et al. Expires March 24, 2019 [Page 6]
Internet-Draft MISP galaxy format September 2018
{ {
"description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.", "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
"meta": { "meta": {
@ -330,14 +373,6 @@ Internet-Draft MISP galaxy format September 2018
"value": "menuPass (G0045) uses EvilGrab (S0152)" "value": "menuPass (G0045) uses EvilGrab (S0152)"
} }
Dulaunoy, et al. Expires March 24, 2019 [Page 6]
Internet-Draft MISP galaxy format September 2018
cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of- cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-
incident and cfr-target-category MAY be used to report information incident and cfr-target-category MAY be used to report information
gathered from CFR's (Council on Foreign Relations) [CFR] Cyber gathered from CFR's (Council on Foreign Relations) [CFR] Cyber
@ -352,6 +387,13 @@ Internet-Draft MISP galaxy format September 2018
exhaustive list of possible values for cfr-target-category includes exhaustive list of possible values for cfr-target-category includes
"Private sector", "Government", "Civil society", "Military". "Private sector", "Government", "Civil society", "Military".
Dulaunoy, et al. Expires March 24, 2019 [Page 7]
Internet-Draft MISP galaxy format September 2018
Example use of the cfr-suspected-victims, cfr-suspected-state- Example use of the cfr-suspected-victims, cfr-suspected-state-
sponsor, cfr-type-of-incident, cfr-target-category fields in the sponsor, cfr-type-of-incident, cfr-target-category fields in the
threat-actor galaxy: threat-actor galaxy:
@ -371,7 +413,8 @@ Internet-Draft MISP galaxy format September 2018
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"cfr-target-category": [ "cfr-target-category": [
"Private sector" "Private sector"
] ],
"attribution-confidence": 50
}, },
"value": "APT 16", "value": "APT 16",
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf" "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
@ -385,15 +428,6 @@ Internet-Draft MISP galaxy format September 2018
"from probable, almost certain to certainty" and SHALL be present if "from probable, almost certain to certainty" and SHALL be present if
country or cfr-suspected-state-sponsor are present. country or cfr-suspected-state-sponsor are present.
Dulaunoy, et al. Expires March 24, 2019 [Page 7]
Internet-Draft MISP galaxy format September 2018
Impossibility no information Certainty Impossibility no information Certainty
+ +
| |
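Review bot: the rule that attribution-confidence SHALL be present whenever country or cfr-suspected-state-sponsor is present is stated only in prose here; none of the schema hunks in this commit add a matching constraint (they only move page breaks), so either add a JSON Schema "dependencies" entry for the meta object or state explicitly that this requirement is not enforced by the schema.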
@ -406,40 +440,6 @@ Internet-Draft MISP galaxy format September 2018
The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy
formats. The main format is the MISP galaxy format used for the formats. The main format is the MISP galaxy format used for the
clusters. clusters.
3.1. MISP galaxy format - galaxy
@ -450,6 +450,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 8]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
3.1. MISP galaxy format - galaxy
{ {
"$schema": "http://json-schema.org/schema#", "$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Galaxies", "title": "Validator for misp-galaxies - Galaxies",
@ -496,8 +498,6 @@ Internet-Draft MISP galaxy format September 2018
{ {
"$schema": "http://json-schema.org/schema#", "$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Clusters", "title": "Validator for misp-galaxies - Clusters",
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
@ -506,6 +506,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 9]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
"additionalProperties": false, "additionalProperties": false,
"properties": { "properties": {
"description": { "description": {
@ -552,8 +554,6 @@ Internet-Draft MISP galaxy format September 2018
"type": "object" "type": "object"
}, },
"properties": { "properties": {
"dest-uuid": {
"type": "string"
@ -562,6 +562,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 10]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"dest-uuid": {
"type": "string"
}, },
"type": { "type": {
"type": "string" "type": "string"
@ -608,8 +610,6 @@ Internet-Draft MISP galaxy format September 2018
"type": "string" "type": "string"
}, },
"refs": { "refs": {
"type": "array",
"uniqueItems": true,
@ -618,6 +618,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 11]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"type": "array",
"uniqueItems": true,
"items": { "items": {
"type": "string" "type": "string"
} }
@ -664,8 +666,6 @@ Internet-Draft MISP galaxy format September 2018
"type": "array", "type": "array",
"uniqueItems": true, "uniqueItems": true,
"items": { "items": {
"type": "string"
}
@ -674,6 +674,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 12]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"type": "string"
}
} }
}, },
"required": [ "required": [
@ -723,8 +725,6 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 13] Dulaunoy, et al. Expires March 24, 2019 [Page 13]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018