From 4f55907c41be3816fe03c4feb9123c34604e3940 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 24 Dec 2023 13:42:16 +0100
Subject: [PATCH] chg: [misp-galaxy] updated to the latest version
---
 misp-galaxy-format/Makefile | 2 +-
 misp-galaxy-format/raw.md | 20 +-
 misp-galaxy-format/raw.md.txt | 342 +++++++++++++++++-----------------
 3 files changed, 185 insertions(+), 179 deletions(-)
diff --git a/misp-galaxy-format/Makefile b/misp-galaxy-format/Makefile
index 8a7138f..3c90d93 100644
--- a/misp-galaxy-format/Makefile
+++ b/misp-galaxy-format/Makefile
@@ -1,4 +1,4 @@
-MMARK:=mmark -xml2 -page
+MMARK:=mmark
 docs = $(wildcard *.md)
diff --git a/misp-galaxy-format/raw.md b/misp-galaxy-format/raw.md
index eef5c44..b8afe35 100644
--- a/misp-galaxy-format/raw.md
+++ b/misp-galaxy-format/raw.md
@@ -5,8 +5,14 @@ category = "info"
 docName = "draft-dulaunoy-misp-galaxy-format"
 ipr= "trust200902"
 area = "Security"
+submissiontype = "independent"
-date = 2019-10-04T00:00:00Z
+
+[seriesInfo]
+name = "Internet-Draft"
+value = "draft-08"
+stream = "independent"
+status = "informational"
 [[author]]
 initials="A."
@@ -18,9 +24,9 @@ organization = "Computer Incident Response Center Luxembourg"
 email = "alexandre.dulaunoy@circl.lu"
 phone = "+352 247 88444"
 [author.address.postal]
- street = "16, bd d'Avranches"
+ street = "122, rue Adolphe Fischer"
 city = "Luxembourg"
- code = "L-1611"
+ code = "L-1521"
 country = "Luxembourg"
 [[author]]
 initials="A."
@@ -32,9 +38,9 @@ organization = "Computer Incident Response Center Luxembourg"
 email = "andras.iklody@circl.lu"
 phone = "+352 247 88444"
 [author.address.postal]
- street = " 16, bd d'Avranches"
+ street = "122, rue Adolphe Fischer"
 city = "Luxembourg"
- code = "L-1611"
+ code = "L-1521"
 country = "Luxembourg"
 [[author]]
 initials="D."
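Review bot: `value = "draft-08"` under the new `[seriesInfo]` table drops the draft's name from the series identifier; the regenerated raw.md.txt in this same patch now prints `draft-08` on the title page where `draft-dulaunoy-misp-galaxy-format` stood before, which is not a usable Internet-Draft name. The value should carry the full name with the revision, `value = "draft-dulaunoy-misp-galaxy-format-08"`, so it agrees with `docName` three lines above. Removing `date = 2019-10-04T00:00:00Z` without a replacement seems to let the renderer stamp the build date (the rendered header reads 24 December 2023, the commit date), so the expiry date will move on every rebuild; if a fixed publication date is wanted, add `date = 2023-12-24T00:00:00Z` next to the new `submissiontype` key.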
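Review bot: `code = "L-1521"` renders with a doubled prefix: the regenerated raw.md.txt in this patch prints `L-L-1521 Luxembourg` in each author's address, whereas the previous toolchain printed `Luxembourg L-1611` from the old `L-1611` value, so the new renderer appears to add the country's `L-` prefix itself. Storing the bare number, `code = "1521"`, would presumably render as `L-1521`; confirm against the rendered text after the next build. The same correction applies to the other two `[author.address.postal]` hunks in this file (the A. Iklody and D. Servili entries).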
@@ -46,9 +52,9 @@ organization = "Computer Incident Response Center Luxembourg"
 email = "deborah.servili@circl.lu"
 phone = "+352 247 88444"
 [author.address.postal]
- street = " 16, bd d'Avranches"
+ street = "122, rue Adolphe Fischer"
 city = "Luxembourg"
- code = "L-1611"
+ code = "L-1521"
 country = "Luxembourg"
 %%%
diff --git a/misp-galaxy-format/raw.md.txt b/misp-galaxy-format/raw.md.txt
index 01b007d..6cf7c61 100755
--- a/misp-galaxy-format/raw.md.txt
+++ b/misp-galaxy-format/raw.md.txt
@@ -5,12 +5,12 @@ Network Working Group A. Dulaunoy Internet-Draft A. Iklody Intended status: Informational D. Servili -Expires: April 6, 2020 CIRCL - October 4, 2019 +Expires: 26 June 2024 CIRCL + 24 December 2023 MISP galaxy format - draft-dulaunoy-misp-galaxy-format + draft-08 Abstract
@@ -38,36 +38,31 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 6, 2020. + This Internet-Draft will expire on 26 June 2024. Copyright Notice - Copyright (c) 2019 IETF Trust and the persons identified as the + Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal - Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info) in effect on the date of - publication of this document. Please review these documents - carefully, as they describe your rights and restrictions with respect + Provisions Relating to IETF Documents (https://trustee.ietf.org/ + license-info) in effect on the date of publication of this document. + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. -Dulaunoy, et al. Expires April 6, 2020 [Page 1] +Dulaunoy, et al. Expires 26 June 2024 [Page 1] -Internet-Draft MISP galaxy format October 2019 +Internet-Draft MISP galaxy format December 2023 - to this document. Code Components extracted from this document must - include Simplified BSD License text as described in Section 4.e of - the Trust Legal Provisions and are provided without warranty as - described in the Simplified BSD License. - Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 - 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3 
@@ -76,9 +71,8 @@ Table of Contents 3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 9 3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 10 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 - 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 5.1. Normative References . . . . . . . . . . . . . . . . . . 14 - 5.2. Informative References . . . . . . . . . . . . . . . . . 14 + 5. Normative References . . . . . . . . . . . . . . . . . . . . 14 + 6. Informative References . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction @@ -105,15 +99,6 @@ Table of Contents "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. - - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 2] - -Internet-Draft MISP galaxy format October 2019 - - 2. Format A cluster is composed of a value (MUST), a description (OPTIONAL) and @@ -121,6 +106,14 @@ Internet-Draft MISP galaxy format October 2019 Clusters are represented as a JSON [RFC8259] dictionary. + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 2] + +Internet-Draft MISP galaxy format December 2023 + + 2.1. Overview The MISP galaxy format uses the JSON [RFC8259] format. Each galaxy @@ -162,14 +155,6 @@ Internet-Draft MISP galaxy format October 2019 Related contains a list of JSON key value pairs which describe the related values in this galaxy cluster or to other galaxy clusters. The JSON object contains three fields, dest-uuid, type and tags. The - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 3] - -Internet-Draft MISP galaxy format October 2019 - - dest-uuid represents the target UUID which encompasses a relation of some type. The dest-uuid is represented as a string and MUST be present. The type is represented as a string and MUST be present and 
@@ -177,6 +162,14 @@ Internet-Draft MISP galaxy format October 2019 objects [MISP-R]. The tags is a list of string which labels the related relationship such as the level of similarities, level of certainty, trust or confidence in the relationship, false-positive. + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 3] + +Internet-Draft MISP galaxy format December 2023 + + A tag is represented in machine tag format which is a string an SHOULD be present. @@ -190,15 +183,15 @@ Internet-Draft MISP galaxy format October 2019 Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, - country, possible_issues, colour, motive, impact, refs, synonyms, - status, date, encryption, extensions, ransomnotes, ransomnotes- - filenames, ransomnotes-refs, suspected-victims, suspected-state- - sponsor, type-of-incident, target-category, cfr-suspected-victims, - cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target- - category, suspected-victims, suspected-state-sponsor, attribution- - confidence, payment-method, price, spoken-language, official-refs - wherever applicable. Additional meta field MAY be added without the - need to be referenced or registered in advance. + country, external_id, possible_issues, colour, motive, impact, refs, + synonyms, status, date, encryption, extensions, ransomnotes, + ransomnotes-filenames, ransomnotes-refs, suspected-victims, + suspected-state-sponsor, type-of-incident, target-category, cfr- + suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, + cfr-target-category, suspected-victims, suspected-state-sponsor, + attribution-confidence, payment-method, price, spoken-language, + official-refs wherever applicable. Additional meta field MAY be + added without the need to be referenced or registered in advance. refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more 
@@ -218,14 +211,6 @@ Internet-Draft MISP galaxy format October 2019 field is described as an RGB colour fill in hexadecimal representation. - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 4] - -Internet-Draft MISP galaxy format October 2019 - - complexity, effectiveness, impact, possible_issues MAY be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and SHALL @@ -234,6 +219,13 @@ Internet-Draft MISP galaxy format October 2019 enumerated value from a fixed vocabulary and SHALL be present. possible_issues is represented as a string and SHOULD be present. + + +Dulaunoy, et al. Expires 26 June 2024 [Page 4] + +Internet-Draft MISP galaxy format December 2023 + + Example use of the complexity, effectiveness, impact, possible_issues fields in the preventive-measure galaxy: @@ -277,30 +269,38 @@ Internet-Draft MISP galaxy format October 2019 -Dulaunoy, et al. Expires April 6, 2020 [Page 5] + + + + + + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 5] -Internet-Draft MISP galaxy format October 2019 +Internet-Draft MISP galaxy format December 2023 - { - "meta": { - "country": "CN", - "synonyms": [ - "APT14", - "APT 14", - "QAZTeam", - "ALUMINUM" - ], - "refs": [ - "http://www.crowdstrike.com/blog/whois-anchor-panda/" - ], - "motive": "Espionage", - "attribution-confidence": 50 - }, - "value": "Anchor Panda", - "description": "PLA Navy", - "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104" - } + { + "meta": { + "country": "CN", + "synonyms": [ + "APT14", + "APT 14", + "QAZTeam", + "ALUMINUM" + ], + "refs": [ + "http://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "motive": "Espionage", + "attribution-confidence": 50 + }, + "value": "Anchor Panda", + "description": "PLA Navy", + "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104" + } encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, payment-method, price MAY be used to give further 
@@ -333,13 +333,13 @@ Internet-Draft MISP galaxy format October 2019 -Dulaunoy, et al. Expires April 6, 2020 [Page 6] +Dulaunoy, et al. Expires 26 June 2024 [Page 6] -Internet-Draft MISP galaxy format October 2019 +Internet-Draft MISP galaxy format December 2023 { - "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.", + "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.", "meta": { "ransomnotes-filenames": [ "RyukReadMe.txt" 
@@ -389,22 +389,22 @@ Internet-Draft MISP galaxy format October 2019 -Dulaunoy, et al. Expires April 6, 2020 [Page 7] +Dulaunoy, et al. Expires 26 June 2024 [Page 7] -Internet-Draft MISP galaxy format October 2019 +Internet-Draft MISP galaxy format December 2023 Example use of the source-uuid, target-uuid fields in the mitre- enterprise-attack-relationship galaxy: - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78" - }, - "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633", - "value": "menuPass (G0045) uses EvilGrab (S0152)" - } + { + "meta": { + "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", + "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78" + }, + "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633", + "value": "menuPass (G0045) uses EvilGrab (S0152)" + } cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of- incident and cfr-target-category MAY be used to report information @@ -445,9 +445,9 @@ Internet-Draft MISP galaxy format October 2019 -Dulaunoy, et al. Expires April 6, 2020 [Page 8] +Dulaunoy, et al. Expires 26 June 2024 [Page 8] -Internet-Draft MISP galaxy format October 2019 +Internet-Draft MISP galaxy format December 2023 { @@ -480,12 +480,12 @@ Internet-Draft MISP galaxy format October 2019 "from probable, almost certain to certainty" and SHALL be present if country or cfr-suspected-state-sponsor are present. - Impossibility no information Certainty - + - | - +-------------------+------------------> + Impossibility no information Certainty + + + | + +-------------------+------------------> - 0 50 100 + 0 50 100 3. JSON Schema @@ -501,9 +501,9 @@ Internet-Draft MISP galaxy format October 2019 -Dulaunoy, et al. Expires April 6, 2020 [Page 9] +Dulaunoy, et al. Expires 26 June 2024 [Page 9] -Internet-Draft MISP galaxy format October 2019 +Internet-Draft MISP galaxy format December 2023 { 
@@ -549,19 +549,24 @@ Internet-Draft MISP galaxy format October 2019 3.2. MISP galaxy format - clusters + + + + + + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 10] + +Internet-Draft MISP galaxy format December 2023 + + { "$schema": "http://json-schema.org/schema#", "title": "Validator for misp-galaxies - Clusters", "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json", "type": "object", - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 10] - -Internet-Draft MISP galaxy format October 2019 - - "additionalProperties": false, "properties": { "description": { @@ -605,19 +610,19 @@ Internet-Draft MISP galaxy format October 2019 "type": "array", "additionalProperties": false, "items": { + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 11] + +Internet-Draft MISP galaxy format December 2023 + + "type": "object" }, "properties": { "dest-uuid": { "type": "string" - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 11] - -Internet-Draft MISP galaxy format October 2019 - - }, "type": { "type": "string" @@ -661,19 +666,19 @@ Internet-Draft MISP galaxy format October 2019 "type": "string" }, "impact": { + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 12] + +Internet-Draft MISP galaxy format December 2023 + + "type": "string" }, "refs": { "type": "array", "uniqueItems": true, - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 12] - -Internet-Draft MISP galaxy format October 2019 - - "items": { "type": "string" } @@ -717,19 +722,19 @@ Internet-Draft MISP galaxy format October 2019 } }, "authors": { + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 13] + +Internet-Draft MISP galaxy format December 2023 + + "type": "array", "uniqueItems": true, "items": { "type": "string" } - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 13] - -Internet-Draft MISP galaxy format October 2019 - - } }, "required": [ 
@@ -750,9 +755,7 @@ Internet-Draft MISP galaxy format October 2019 The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing. -5. References - -5.1. Normative References +5. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, @@ -769,48 +772,45 @@ Internet-Draft MISP galaxy format October 2019 DOI 10.17487/RFC8259, December 2017, . -5.2. Informative References +6. Informative References - [CFR] CFR, "Cyber Operations Tracker - Council on Foreign - Relations", 2018, + [CFR] Relations, C. O. F., "Cyber Operations Tracker - Council + on Foreign Relations", 2018, . - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 14] +Dulaunoy, et al. Expires 26 June 2024 [Page 14] -Internet-Draft MISP galaxy format October 2019 +Internet-Draft MISP galaxy format December 2023 [JSON-SCHEMA] - "JSON Schema: A Media Type for Describing JSON Documents", - 2016, + Wright, A., "JSON Schema: A Media Type for Describing JSON + Documents", 2016, . - [MISP-G] MISP, "MISP Galaxy - Public Repository", + [MISP-G] Community, M., "MISP Galaxy - Public Repository", . [MISP-G-DOC] - MISP, "MISP Galaxy - Documentation of the Public + Community, M., "MISP Galaxy - Documentation of the Public Repository", . - [MISP-P] MISP, "MISP Project - Malware Information Sharing Platform - and Threat Sharing", . + [MISP-P] Community, M., "MISP Project - Malware Information Sharing + Platform and Threat Sharing", . - [MISP-R] MISP, "MISP Object Relationship Types - common vocabulary - of relationships", . + [MISP-R] Community, M., "MISP Object Relationship Types - common + vocabulary of relationships", . Authors' Addresses Alexandre Dulaunoy Computer Incident Response Center Luxembourg - 16, bd d'Avranches - Luxembourg L-1611 + 122, rue Adolphe Fischer + L-L-1521 Luxembourg Luxembourg Phone: +352 247 88444 
@@ -819,36 +819,29 @@ Authors' Addresses Andras Iklody Computer Incident Response Center Luxembourg - 16, bd d'Avranches - Luxembourg L-1611 + 122, rue Adolphe Fischer + L-L-1521 Luxembourg Luxembourg Phone: +352 247 88444 Email: andras.iklody@circl.lu - - - - - - - - - - -Dulaunoy, et al. Expires April 6, 2020 [Page 15] - -Internet-Draft MISP galaxy format October 2019 - - Deborah Servili Computer Incident Response Center Luxembourg - 16, bd d'Avranches - Luxembourg L-1611 + 122, rue Adolphe Fischer + L-L-1521 Luxembourg Luxembourg Phone: +352 247 88444 + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 15] + +Internet-Draft MISP galaxy format December 2023 + + Email: deborah.servili@circl.lu @@ -893,4 +886,11 @@ Internet-Draft MISP galaxy format October 2019 -Dulaunoy, et al. Expires April 6, 2020 [Page 16] + + + + + + + +Dulaunoy, et al. Expires 26 June 2024 [Page 16]