chg: [misp-taxonomy-format] JSON reference is now RFC 8259 - Comment from Carsten Bormann

pull/28/head
Alexandre Dulaunoy 2019-06-23 17:21:15 +02:00
parent 56ee9b01a5
commit d3d9f8a3c8
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 139 additions and 83 deletions


@ -82,7 +82,7 @@ to describe machine tag (aka triple tag) vocabularies.
## Overview ## Overview
The MISP taxonomy format uses the JSON [@!RFC4627] format. Each namespace is represented as a JSON object with meta information including the following fields: namespace, description, version, type. The MISP taxonomy format uses the JSON [@!RFC8259] format. Each namespace is represented as a JSON object with meta information including the following fields: namespace, description, version, type.
namespace defines the overall namespace of the machine tag. The namespace is represented as a string and **MUST** be present. The description is represented as a string and **MUST** be present. A version is represented as a unsigned integer **MUST** be present. A type defines where a specific taxonomy is applicable and a type can be applicable at event, user or org level. The type is represented as an array containing one or more type and **SHOULD** be present. If a type is not mentioned, by default, the taxonomy is applicable at event level only. An exclusive boolean property **MAY** be present and defines at namespace level if the predicates are mutually exclusive. namespace defines the overall namespace of the machine tag. The namespace is represented as a string and **MUST** be present. The description is represented as a string and **MUST** be present. A version is represented as a unsigned integer **MUST** be present. A type defines where a specific taxonomy is applicable and a type can be applicable at event, user or org level. The type is represented as an array containing one or more type and **SHOULD** be present. If a type is not mentioned, by default, the taxonomy is applicable at event level only. An exclusive boolean property **MAY** be present and defines at namespace level if the predicates are mutually exclusive.
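Review bot: the unchanged context line that follows the edited sentence still reads "represented as a unsigned integer **MUST** be present", which is missing both the article and the conjunction; since this markdown is the source for the rendered draft, fix it here as "represented as an unsigned integer and **MUST** be present" so the regenerated text picks it up. The reference swap itself is correct: RFC 8259 is the current JSON specification and obsoletes RFC 7159, which in turn obsoleted RFC 4627.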


@ -79,13 +79,13 @@ Table of Contents
4.1. Admiralty Scale Taxonomy . . . . . . . . . . . . . . . . 7 4.1. Admiralty Scale Taxonomy . . . . . . . . . . . . . . . . 7
4.2. Open Source Intelligence - Classification . . . . . . . . 9 4.2. Open Source Intelligence - Classification . . . . . . . . 9
4.3. Available taxonomies in the public directory . . . . . . 11 4.3. Available taxonomies in the public directory . . . . . . 11
5. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 19 5. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 20
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1. Normative References . . . . . . . . . . . . . . . . . . 22 7.1. Normative References . . . . . . . . . . . . . . . . . . 23
7.2. Informative References . . . . . . . . . . . . . . . . . 22 7.2. Informative References . . . . . . . . . . . . . . . . . 23
7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 23 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
@ -145,7 +145,7 @@ Internet-Draft MISP taxonomy format November 2017
2.1. Overview 2.1. Overview
The MISP taxonomy format uses the JSON [RFC4627] format. Each The MISP taxonomy format uses the JSON [RFC8259] format. Each
namespace is represented as a JSON object with meta information namespace is represented as a JSON object with meta information
including the following fields: namespace, description, version, including the following fields: namespace, description, version,
type. type.
@ -153,7 +153,7 @@ Internet-Draft MISP taxonomy format November 2017
namespace defines the overall namespace of the machine tag. The namespace defines the overall namespace of the machine tag. The
namespace is represented as a string and MUST be present. The namespace is represented as a string and MUST be present. The
description is represented as a string and MUST be present. A description is represented as a string and MUST be present. A
version is represented as a decimal and MUST be present. A type version is represented as a unsigned integer MUST be present. A type
defines where a specific taxonomy is applicable and a type can be defines where a specific taxonomy is applicable and a type can be
applicable at event, user or org level. The type is represented as applicable at event, user or org level. The type is represented as
an array containing one or more type and SHOULD be present. If a an array containing one or more type and SHOULD be present. If a
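Review bot: the replacement line "version is represented as a unsigned integer MUST be present" drops the "and" and should read "an unsigned integer and MUST be present". This hunk also changes the stated data type from "decimal" to "unsigned integer", which the commit message ("JSON reference is now RFC 8259") does not mention; confirm that the JSON Schema in section 5 constrains version the same way and call the type change out in the commit message.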
@ -683,11 +683,22 @@ Internet-Draft MISP taxonomy format November 2017
to support analysts to perform their analysis to get crowdsourced to support analysts to perform their analysis to get crowdsourced
support when using threat intelligence sharing platform like MISP. support when using threat intelligence sharing platform like MISP.
common-taxonomy:
The Common Taxonomy for Law Enforcement and The National Network
of CSIRTs bridges the gap between the CSIRTs and international Law
Enforcement communities by adding a legislative framework to
facilitate the harmonisation of incident reporting to competent
authorities, the development of useful statistics and sharing
information within the entire cybercrime ecosystem.
copine-scale: copine-scale:
The COPINE Scale is a rating system created in Ireland and used in The COPINE Scale is a rating system created in Ireland and used in
the United Kingdom to categorise the severity of images of child the United Kingdom to categorise the severity of images of child
sex abuse. sex abuse.
cryptocurrency-threat:
Threats targetting cryptocurrency, based on CipherTrace report.
csirt_case_classification: csirt_case_classification:
FIRST CSIRT Case Classification. FIRST CSIRT Case Classification.
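Review bot: "targetting" in the new cryptocurrency-threat description should be "targeting", and "based on CipherTrace report" reads better as "based on the CipherTrace report". The common-taxonomy entry is fine as written.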
@ -701,7 +712,24 @@ Internet-Draft MISP taxonomy format November 2017
of cyber adversaries. <https://www.dni.gov/index.php/cyber-threat- of cyber adversaries. <https://www.dni.gov/index.php/cyber-threat-
framework> framework>
data-classification:
Data classification for data potentially at risk of exfiltration
based on table 2.1 of Solving Cyber Risk book.
dcso-sharing:
DCSO Sharing Taxonomy to classify certain types of MISP events
using the DCSO Event Guide
ddos: ddos:
Dulaunoy & Iklody Expires June 2, 2018 [Page 13]
Internet-Draft MISP taxonomy format November 2017
Distributed Denial of Service - or short: DDoS - taxonomy supports Distributed Denial of Service - or short: DDoS - taxonomy supports
the description of Denial of Service attacks and especially the the description of Denial of Service attacks and especially the
types they belong too. types they belong too.
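Review bot: the new dcso-sharing description "using the DCSO Event Guide" lacks the terminating period that the surrounding entries have. The data-classification entry cites "table 2.1 of Solving Cyber Risk book" without author or edition, which makes the table hard to locate; add the authors (or a URL) to the description.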
@ -723,16 +751,13 @@ Internet-Draft MISP taxonomy format November 2017
ISM (Information Security Marking Metadata) V13 as described by ISM (Information Security Marking Metadata) V13 as described by
DNI.gov (Director of National Intelligence - US). DNI.gov (Director of National Intelligence - US).
Dulaunoy & Iklody Expires June 2, 2018 [Page 13]
Internet-Draft MISP taxonomy format November 2017
domain-abuse: domain-abuse:
Taxonomy to tag domain names used for cybercrime. Taxonomy to tag domain names used for cybercrime.
drugs:
A taxonomy based on the superclass and class of drugs, based on
<https://www.drugbank.ca/releases/latest>
economical-impact: economical-impact:
Economical impact is a taxonomy to describe the financial impact Economical impact is a taxonomy to describe the financial impact
as positive or negative gain to the tagged information. as positive or negative gain to the tagged information.
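Review bot: the new drugs description repeats "based on" ("A taxonomy based on the superclass and class of drugs, based on <https://www.drugbank.ca/releases/latest>"); suggest "A taxonomy of drug superclasses and classes derived from <https://www.drugbank.ca/releases/latest>." and end it with a period like the neighbouring entries.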
@ -753,6 +778,14 @@ Internet-Draft MISP taxonomy format November 2017
(6.2.(a)) and JP 2-0, Joint Intelligence. (6.2.(a)) and JP 2-0, Joint Intelligence.
eu-marketop-and-publicadmin: eu-marketop-and-publicadmin:
Dulaunoy & Iklody Expires June 2, 2018 [Page 14]
Internet-Draft MISP taxonomy format November 2017
Market operators and public administrations that must comply to Market operators and public administrations that must comply to
some notifications requirements under EU NIS directive. some notifications requirements under EU NIS directive.
@ -764,7 +797,9 @@ Internet-Draft MISP taxonomy format November 2017
designated by a EU security classification, the unauthorised designated by a EU security classification, the unauthorised
disclosure of which could cause varying degrees of prejudice to disclosure of which could cause varying degrees of prejudice to
the interests of the European Union or of one or more of the the interests of the European Union or of one or more of the
Member States as described in CELEX 32013D0488 Member States as described in COUNCIL DECISION of 23 September
2013 on the security rules for protecting EU classified
information
europol-event: europol-event:
EUROPOL type of events taxonomy. EUROPOL type of events taxonomy.
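Review bot: replacing "CELEX 32013D0488" with the spelled-out title loses the unambiguous citation key; keep both, e.g. "as described in the Council Decision of 23 September 2013 on the security rules for protecting EU classified information (CELEX 32013D0488)", and use normal capitalisation rather than "COUNCIL DECISION".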
@ -778,19 +813,11 @@ Internet-Draft MISP taxonomy format November 2017
uncertainty. uncertainty.
event-classification: event-classification:
Dulaunoy & Iklody Expires June 2, 2018 [Page 14]
Internet-Draft MISP taxonomy format November 2017
Event Classification. Event Classification.
exercise: exercise:
Exercise is a taxonomy to describe if the information is part of Exercise is a taxonomy to describe if the information is part of
one or more cyber or crisis exercise one or more cyber or crisis exercise.
false-positive: false-positive:
This taxonomy aims to ballpark the expected amount of false This taxonomy aims to ballpark the expected amount of false
@ -799,7 +826,22 @@ Internet-Draft MISP taxonomy format November 2017
file-type: file-type:
List of known file types. List of known file types.
flesch-reading-ease:
Flesch Reading Ease is a revised system for determining the
comprehension difficulty of written material. The scoring of the
flesh score can have a maximum of 121.22 and there is no limit on
how low a score can be (negative score are valid).
fpf: fpf:
Dulaunoy & Iklody Expires June 2, 2018 [Page 15]
Internet-Draft MISP taxonomy format November 2017
The Future of Privacy Forum (FPF) visual guide to practical de- The Future of Privacy Forum (FPF) visual guide to practical de-
identification [1] taxonomy is used to evaluate the degree of identification [1] taxonomy is used to evaluate the degree of
identifiability of personal data and the types of pseudonymous identifiability of personal data and the types of pseudonymous
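Review bot: in the new flesch-reading-ease description, "flesh score" should be "Flesch score" and "negative score are valid" should be "negative scores are valid". The sentence "The scoring of the flesh score can have a maximum of 121.22" also reads better as "The score has a maximum of 121.22".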
@ -833,15 +875,6 @@ Internet-Draft MISP taxonomy format November 2017
Christian Seifert, Ian Welch, Peter Komisarczuk, 'Taxonomy of Christian Seifert, Ian Welch, Peter Komisarczuk, 'Taxonomy of
Honeypots', Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF Honeypots', Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF
WELLINGTON, School of Mathematical and Computing Sciences, June WELLINGTON, School of Mathematical and Computing Sciences, June
Dulaunoy & Iklody Expires June 2, 2018 [Page 15]
Internet-Draft MISP taxonomy format November 2017
2006, <http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR- 2006, <http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-
06/CS-TR-06-12.pdf> 06/CS-TR-06-12.pdf>
@ -858,10 +891,20 @@ Internet-Draft MISP taxonomy format November 2017
taxonomy is inspired from NASA Incident Response and Management taxonomy is inspired from NASA Incident Response and Management
Handbook. Handbook.
Dulaunoy & Iklody Expires June 2, 2018 [Page 16]
Internet-Draft MISP taxonomy format November 2017
infoleak: infoleak:
A taxonomy describing information leaks and especially information A taxonomy describing information leaks and especially information
classified as being potentially leaked. classified as being potentially leaked.
information-security-data-source:
Taxonomy to classify the information security data sources
information-security-indicators: information-security-indicators:
Information security indicators have been standardized by the ETSI Information security indicators have been standardized by the ETSI
Industrial Specification Group (ISG) ISI. These indicators Industrial Specification Group (ISG) ISI. These indicators
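Review bot: the new information-security-data-source entry "Taxonomy to classify the information security data sources" has no terminating period, unlike its neighbours.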
@ -890,14 +933,6 @@ Internet-Draft MISP taxonomy format November 2017
Malware Capabilities based on MAEC 5.0 Malware Capabilities based on MAEC 5.0
maec-malware-obfuscation-methods: maec-malware-obfuscation-methods:
Dulaunoy & Iklody Expires June 2, 2018 [Page 16]
Internet-Draft MISP taxonomy format November 2017
Obfuscation methods used by malware based on MAEC 5.0 Obfuscation methods used by malware based on MAEC 5.0
malware_classification: malware_classification:
@ -910,6 +945,15 @@ Internet-Draft MISP taxonomy format November 2017
MONARC threat taxonomy. MONARC threat taxonomy.
ms-caro-malware: ms-caro-malware:
Dulaunoy & Iklody Expires June 2, 2018 [Page 17]
Internet-Draft MISP taxonomy format November 2017
Malware Type and Platform classification based on Microsoft's Malware Type and Platform classification based on Microsoft's
implementation of the Computer Antivirus Research Organization implementation of the Computer Antivirus Research Organization
(CARO) Naming Scheme and Malware Terminology. (CARO) Naming Scheme and Malware Terminology.
@ -946,14 +990,6 @@ Internet-Draft MISP taxonomy format November 2017
to help provide a common lexicon when discussing incidents. This to help provide a common lexicon when discussing incidents. This
priority assignment drives NCCIC urgency, pre-approved incident priority assignment drives NCCIC urgency, pre-approved incident
response offerings, reporting requirements, and recommendations response offerings, reporting requirements, and recommendations
Dulaunoy & Iklody Expires June 2, 2018 [Page 17]
Internet-Draft MISP taxonomy format November 2017
for leadership escalation. Generally, incident priority for leadership escalation. Generally, incident priority
distribution should follow a similar pattern to the graph below. distribution should follow a similar pattern to the graph below.
Based on <https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring- Based on <https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-
@ -966,6 +1002,14 @@ Internet-Draft MISP taxonomy format November 2017
Status of events used in Request Tracker. Status of events used in Request Tracker.
runtime-packer: runtime-packer:
Dulaunoy & Iklody Expires June 2, 2018 [Page 18]
Internet-Draft MISP taxonomy format November 2017
Runtime or software packer used to combine compressed data with Runtime or software packer used to combine compressed data with
the decompression code. The decompression code can add additional the decompression code. The decompression code can add additional
obfuscations mechanisms including polymorphic-packer or other obfuscations mechanisms including polymorphic-packer or other
@ -999,20 +1043,29 @@ Internet-Draft MISP taxonomy format November 2017
tor: tor:
Taxonomy to describe Tor network infrastructure Taxonomy to describe Tor network infrastructure
type:
Taxonomy to describe different types of intelligence gathering
discipline which can be described the origin of intelligence.
use-case-applicability:
The Use Case Applicability categories reflect standard resolution
categories, to clearly display alerting rule configuration
problems.
veris: veris:
Vocabulary for Event Recording and Incident Sharing (VERIS). Vocabulary for Event Recording and Incident Sharing (VERIS).
vocabulaire-des-probabilites-estimatives:
Vocabulaire des probabilites estimatives
Dulaunoy & Iklody Expires June 2, 2018 [Page 18]
Dulaunoy & Iklody Expires June 2, 2018 [Page 19]
Internet-Draft MISP taxonomy format November 2017 Internet-Draft MISP taxonomy format November 2017
vocabulaire-des-probabilites-estimatives:
Vocabulaire des probabilites estimatives
workflow: workflow:
Workflow support language is a common language to support Workflow support language is a common language to support
intelligence analysts to perform their analysis on data and intelligence analysts to perform their analysis on data and
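Review bot: the new type description "Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence" is ungrammatical; suggest "Taxonomy to describe the intelligence gathering disciplines, which indicate the origin of the intelligence." The vocabulaire-des-probabilites-estimatives entry is only moved across the page break, and the use-case-applicability addition reads fine.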
@ -1058,17 +1111,17 @@ Internet-Draft MISP taxonomy format November 2017
} }
} }
}, },
"values": {
"type": "array",
"uniqueItems": true,
Dulaunoy & Iklody Expires June 2, 2018 [Page 19] Dulaunoy & Iklody Expires June 2, 2018 [Page 20]
Internet-Draft MISP taxonomy format November 2017 Internet-Draft MISP taxonomy format November 2017
"values": {
"type": "array",
"uniqueItems": true,
"items": { "items": {
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
@ -1114,17 +1167,17 @@ Internet-Draft MISP taxonomy format November 2017
"value" "value"
] ]
} }
}
}
},
Dulaunoy & Iklody Expires June 2, 2018 [Page 20] Dulaunoy & Iklody Expires June 2, 2018 [Page 21]
Internet-Draft MISP taxonomy format November 2017 Internet-Draft MISP taxonomy format November 2017
}
}
},
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
"properties": { "properties": {
@ -1170,17 +1223,17 @@ Internet-Draft MISP taxonomy format November 2017
"$ref": "#/defs/values" "$ref": "#/defs/values"
} }
}, },
"required": [
"namespace",
"description",
Dulaunoy & Iklody Expires June 2, 2018 [Page 21] Dulaunoy & Iklody Expires June 2, 2018 [Page 22]
Internet-Draft MISP taxonomy format November 2017 Internet-Draft MISP taxonomy format November 2017
"required": [
"namespace",
"description",
"version", "version",
"predicates" "predicates"
] ]
@ -1200,10 +1253,10 @@ Internet-Draft MISP taxonomy format November 2017
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
JavaScript Object Notation (JSON)", RFC 4627, Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC4627, July 2006, DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc4627>. <https://www.rfc-editor.org/info/rfc8259>.
7.2. Informative References 7.2. Informative References
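Review bot: the new normative entry matches the RFC 8259 metadata (Bray, T., Ed., STD 90, December 2017), but the running header and footer of this rendering still say "November 2017" and "Expires June 2, 2018", so the draft now cites an RFC published after its own date; bump the draft date and version number when the text is regenerated.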
@ -1223,22 +1276,20 @@ Internet-Draft MISP taxonomy format November 2017
[MISP-T] MISP, "MISP Taxonomies - shared and common vocabularies of [MISP-T] MISP, "MISP Taxonomies - shared and common vocabularies of
tags", <https://github.com/MISP/misp-taxonomies>. tags", <https://github.com/MISP/misp-taxonomies>.
Dulaunoy & Iklody Expires June 2, 2018 [Page 22]
Internet-Draft MISP taxonomy format November 2017
7.3. URIs 7.3. URIs
[1] https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de- [1] https://fpf.org/2016/04/25/a-visual-guide-to-practical-data-de-
identification/ identification/
Dulaunoy & Iklody Expires June 2, 2018 [Page 23]
Internet-Draft MISP taxonomy format November 2017
Authors' Addresses Authors' Addresses
Alexandre Dulaunoy Alexandre Dulaunoy
@ -1285,4 +1336,9 @@ Authors' Addresses
Dulaunoy & Iklody Expires June 2, 2018 [Page 23]
Dulaunoy & Iklody Expires June 2, 2018 [Page 24]