Specifications used in the MISP project including MISP core format

  1. Network Working Group A. Dulaunoy
  2. Internet-Draft A. Iklody
  3. Intended status: Informational D. Servili
  4. Expires: April 6, 2020 CIRCL
  5. October 4, 2019
  6. MISP galaxy format
  7. draft-dulaunoy-misp-galaxy-format
  8. Abstract
  9. This document describes the MISP galaxy format which describes a
  10. simple JSON format to represent galaxies and clusters that can be
  11. attached to MISP events or attributes. A public directory of MISP
  12. galaxies is available and relies on the MISP galaxy format. MISP
  13. galaxies are used to add further information on a MISP event. MISP
  14. galaxy is a public repository [MISP-G] [MISP-G-DOC] of known malware,
  15. threat actors and various other collections of data that can be used
  16. to mark, classify or label data in threat information sharing.
  17. Status of This Memo
  18. This Internet-Draft is submitted in full conformance with the
  19. provisions of BCP 78 and BCP 79.
  20. Internet-Drafts are working documents of the Internet Engineering
  21. Task Force (IETF). Note that other groups may also distribute
  22. working documents as Internet-Drafts. The list of current Internet-
  23. Drafts is at https://datatracker.ietf.org/drafts/current/.
  24. Internet-Drafts are draft documents valid for a maximum of six months
  25. and may be updated, replaced, or obsoleted by other documents at any
  26. time. It is inappropriate to use Internet-Drafts as reference
  27. material or to cite them other than as "work in progress."
  28. This Internet-Draft will expire on April 6, 2020.
  29. Copyright Notice
  30. Copyright (c) 2019 IETF Trust and the persons identified as the
  31. document authors. All rights reserved.
  32. This document is subject to BCP 78 and the IETF Trust's Legal
  33. Provisions Relating to IETF Documents
  34. (https://trustee.ietf.org/license-info) in effect on the date of
  35. publication of this document. Please review these documents
  36. carefully, as they describe your rights and restrictions with respect
  37. Dulaunoy, et al. Expires April 6, 2020 [Page 1]
  38. Internet-Draft MISP galaxy format October 2019
  39. to this document. Code Components extracted from this document must
  40. include Simplified BSD License text as described in Section 4.e of
  41. the Trust Legal Provisions and are provided without warranty as
  42. described in the Simplified BSD License.
  43. Table of Contents
  44. 1. Introduction
  45.   1.1. Conventions and Terminology
  46. 2. Format
  47.   2.1. Overview
  48.   2.2. values
  49.   2.3. related
  50.   2.4. meta
  51. 3. JSON Schema
  52.   3.1. MISP galaxy format - galaxy
  53.   3.2. MISP galaxy format - clusters
  54. 4. Acknowledgements
  55. 5. References
  56.   5.1. Normative References
  57.   5.2. Informative References
  58. Authors' Addresses
  59. 1. Introduction
  60. Sharing threat information has become a fundamental requirement in
  61. the Internet, security and intelligence community at large. Threat
  62. information can include indicators of compromise, malicious file
  63. indicators, financial fraud indicators or even detailed information
  64. about a threat actor. Some of this information, such as malware or
  65. threat actors, is common to several security events. MISP galaxy is
  66. a public repository [MISP-G] of known malware, threat actors and
  67. various other collections of data that can be used to mark, classify
  68. or label data in threat information sharing.
  69. In the MISP galaxy context, clusters help analysts to give more
  70. information about their cybersecurity events, indicators or threats.
  71. MISP galaxies can be used for classification, filtering, triggering
  72. actions or visualisation depending on their use in threat
  73. intelligence platforms such as MISP [MISP-P].
  74. 1.1. Conventions and Terminology
  75. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  76. "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
  77. document are to be interpreted as described in RFC 2119 [RFC2119].
  80. 2. Format
  81. A cluster is composed of a value (MUST), a description (OPTIONAL) and
  82. metadata (OPTIONAL).
  83. Clusters are represented as a JSON [RFC8259] dictionary.
  84. 2.1. Overview
  85. The MISP galaxy format uses the JSON [RFC8259] format. Each galaxy
  86. is represented as a JSON object with meta information including the
  87. following fields: name, uuid, description, version, type, authors,
  88. source, values, category.
  89. name defines the name of the galaxy. The name is represented as a
  90. string and MUST be present. The uuid represents the Universally
  91. Unique IDentifier (UUID) [RFC4122] of the object reference. The uuid
  92. MUST be preserved for any updates or transfer of the same object
  93. reference. UUID version 4 is RECOMMENDED when assigning it to a new
  94. object reference and MUST be present. The description is represented
  95. as a string and MUST be present. The uuid is represented as a string
  96. and MUST be present. The version is represented as a decimal and
  97. MUST be present. The type is represented as a string and MUST be
  98. present and MUST match the name of the galaxy file. The source is
  99. represented as a string and MUST be present. Authors are represented
  100. as an array containing one or more authors and MUST be present. The
  101. category is represented as a string and MUST be present and describes
  102. the overall category of the galaxy such as tool or actor.
  103. Values are represented as an array containing one or more values and
  104. MUST be present. Values defines all values available in the galaxy.
  105. 2.2. values
  106. The values array contains one or more JSON objects which represent
  107. all the possible values in the galaxy. The JSON object contains four
  108. fields: value, description, uuid and meta. The value is represented
  109. as a string and MUST be present. The description is represented as a
  110. string and SHOULD be present. The meta or metadata is represented as
  111. a JSON list and SHOULD be present. The uuid represents the
  112. Universally Unique IDentifier (UUID) [RFC4122] of the value
  113. reference. The uuid SHOULD be present and MUST be preserved.
  114. 2.3. related
  115. Related contains a list of JSON key value pairs which describe the
  116. related values in this galaxy cluster or to other galaxy clusters.
  117. The JSON object contains three fields, dest-uuid, type and tags. The
  120. dest-uuid represents the target UUID which encompasses a relation of
  121. some type. The dest-uuid is represented as a string and MUST be
  122. present. The type is represented as a string and MUST be present and
  123. SHOULD be selected from the relationship types available in MISP
  124. objects [MISP-R]. The tags field is a list of strings which label the
  125. relationship, such as the level of similarity, level of
  126. certainty, trust or confidence in the relationship, false-positive.
  127. A tag is represented in machine tag format which is a string and
  128. SHOULD be present.
  129. "related": [ {
  130. "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
  131. "type": "similar",
  132. "tags": ["estimative-language:likelihood-probability=\"very-likely\""]
  133. } ]
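An added example (not part of the draft or of MISP's own code) of how a consumer might check `related` entries before ingesting a cluster: it verifies the MUST fields, parses each tag as a machine tag, and reports dest-uuid values that do not resolve to a known cluster. The function names, the machine-tag regular expression and every sample entry other than the draft's own one are assumptions.

```python
import re
import uuid

# Assumed machine tag form: namespace:predicate="value" or
# namespace:predicate=value, with the value part optional.
MACHINE_TAG = re.compile(
    r'(?P<namespace>[^:="]+):(?P<predicate>[^:="]+)'
    r'(?:=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^"]+)))?'
)


def parse_machine_tag(tag):
    """Return (namespace, predicate, value) or None if the tag is malformed."""
    m = MACHINE_TAG.fullmatch(tag)
    if not m:
        return None
    value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return m.group("namespace"), m.group("predicate"), value


def is_uuid(text):
    """True when text is a UUID in canonical hyphenated form."""
    try:
        return str(uuid.UUID(text)) == text.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def check_related(cluster_value, known_uuids):
    """Return a list of (index, problem) for the entries of 'related'."""
    problems = []
    for i, rel in enumerate(cluster_value.get("related", [])):
        dest = rel.get("dest-uuid")
        if not isinstance(dest, str) or not is_uuid(dest):
            problems.append((i, "dest-uuid missing or not a UUID"))
        elif dest not in known_uuids:
            # A dangling reference: the relation points at nothing we hold.
            problems.append((i, "dest-uuid does not resolve: " + dest))
        if not isinstance(rel.get("type"), str) or not rel["type"]:
            problems.append((i, "type missing"))
        for tag in rel.get("tags", []):
            if not isinstance(tag, str) or parse_machine_tag(tag) is None:
                problems.append((i, "tag is not a machine tag: %r" % (tag,)))
    return problems


# Constructed sample: the first entry is the draft's own example, the
# other two are made up to show the failure cases.
SAMPLE_VALUE = {
    "value": "constructed cluster",
    "related": [
        {"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
         "type": "similar",
         "tags": ['estimative-language:likelihood-probability="very-likely"']},
        {"dest-uuid": "00000000-0000-4000-8000-000000000001",
         "type": "similar"},
        {"dest-uuid": "not-a-uuid", "tags": ["very likely"]},
    ],
}
KNOWN_UUIDS = {"f873db71-3d53-41d5-b141-530675ade27a"}

if __name__ == "__main__":
    for index, problem in check_related(SAMPLE_VALUE, KNOWN_UUIDS):
        print("related[%d]: %s" % (index, problem))
```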
  134. 2.4. meta
  135. Meta contains a list of custom defined JSON key value pairs. Users
  136. SHOULD reuse commonly used keys such as complexity, effectiveness,
  137. country, possible_issues, colour, motive, impact, refs, synonyms,
  138. status, date, encryption, extensions, ransomnotes, ransomnotes-
  139. filenames, ransomnotes-refs, suspected-victims, suspected-state-
  140. sponsor, type-of-incident, target-category, cfr-suspected-victims,
  141. cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
  142. category, suspected-victims, suspected-state-sponsor, attribution-
  143. confidence, payment-method, price, spoken-language, official-refs
  144. wherever applicable. Additional meta fields MAY be added without the
  145. need to be referenced or registered in advance.
  146. refs, synonyms, official-refs SHALL be used to give further
  147. information. refs is represented as an array containing one or more
  148. strings and SHALL be present. synonyms is represented as an array
  149. containing one or more strings and SHALL be present. official-refs is
  150. represented as an array containing one or more strings and SHALL be
  151. present.
  152. date, status MAY be used to give time information about a cluster.
  153. date is represented as a string describing a time or period and SHALL
  154. be present. status is represented as a string describing the current
  155. status of the clusters. It MAY also describe a time or period and
  156. SHALL be present.
  157. colour fields MAY be used at predicates or values level to set a
  158. specific colour that MAY be used by the implementation. The colour
  159. field is described as an RGB colour fill in hexadecimal
  160. representation.
  163. complexity, effectiveness, impact, possible_issues MAY be used to
  164. give further information in the preventive-measure galaxy. complexity is
  165. represented by an enumerated value from a fixed vocabulary and SHALL
  166. be present. effectiveness is represented by an enumerated value from
  167. a fixed vocabulary and SHALL be present. impact is represented by an
  168. enumerated value from a fixed vocabulary and SHALL be present.
  169. possible_issues is represented as a string and SHOULD be present.
  170. Example use of the complexity, effectiveness, impact, possible_issues
  171. fields in the preventive-measure galaxy:
  172. {
  173. "meta": {
  174. "refs": [
  175. "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
  176. ],
  177. "complexity": "Low",
  178. "effectiveness": "Medium",
  179. "impact": "Medium",
  180. "type": [
  181. "GPO"
  182. ],
  183. "possible_issues": "Administrative VBS scripts on Workstations"
  184. },
  185. "value": "Disable WSH",
  186. "description": "Disable Windows Script Host",
  187. "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
  188. }
  189. country, motive, spoken-language MAY be used to give further
  190. information in the threat-actor galaxy. country is represented as a
  191. string and SHOULD be present. motive is represented as a string and
  192. SHOULD be present. spoken-language is represented as an array
  193. containing one or more strings describing a language using ISO 639-2
  194. code and SHALL be present.
  195. Example use of the country, motive fields in the threat-actor galaxy:
  198. {
  199. "meta": {
  200. "country": "CN",
  201. "synonyms": [
  202. "APT14",
  203. "APT 14",
  204. "QAZTeam",
  205. "ALUMINUM"
  206. ],
  207. "refs": [
  208. "http://www.crowdstrike.com/blog/whois-anchor-panda/"
  209. ],
  210. "motive": "Espionage",
  211. "attribution-confidence": 50
  212. },
  213. "value": "Anchor Panda",
  214. "description": "PLA Navy",
  215. "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
  216. }
  217. encryption, extensions, ransomnotes, ransomnotes-filenames,
  218. ransomnotes-refs, payment-method, price MAY be used to give further
  219. information in the ransomware galaxy. encryption is represented as a
  220. string and SHALL be present. extensions is represented as an array
  221. containing one or more strings and SHALL be present. ransomnotes is
  222. represented as an array containing one or more strings and SHALL be
  223. present. ransomnotes-filenames is represented as an array containing
  224. one or more strings and SHALL be present. ransomnotes-refs is
  225. represented as an array containing one or more strings and SHALL be
  226. present. payment-method is represented as a string and SHALL be
  227. present. price is represented as a string and SHALL be present.
  228. Example use of the encryption, extensions, ransomnotes fields in the
  229. ransomware galaxy:
  232. {
  233. "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
  234. "meta": {
  235. "ransomnotes-filenames": [
  236. "RyukReadMe.txt"
  237. ],
  238. "ransomnotes-refs": [
  239. "https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig3.png",
  240. "https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig4.png"
  241. ],
  242. "refs": [
  243. "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
  244. ]
  245. },
  246. "uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
  247. "value": "Ryuk ransomware"
  248. }
  249. Example use of the payment-method, price fields in the ransomware
  250. galaxy:
  251. {
  252. "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
  253. "meta": {
  254. "date": "March 2017",
  255. "encryption": "AES-128",
  256. "extensions": [
  257. ".enc"
  258. ],
  259. "payment-method": "Bitcoin",
  260. "price": "0.1",
  261. "ransomnotes": [
  262. "Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites."
  263. ],
  264. "refs": [
  265. "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html"
  266. ]
  267. },
  268. "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b",
  269. "value": "CryptoMeister Ransomware"
  270. }
  271. source-uuid, target-uuid SHALL be used to describe relationships.
  272. source-uuid and target-uuid represent the Universally Unique
  273. IDentifier (UUID) [RFC4122] of the value reference. source-uuid and
  274. target-uuid MUST be preserved.
  277. Example use of the source-uuid, target-uuid fields in the mitre-
  278. enterprise-attack-relationship galaxy:
  279. {
  280. "meta": {
  281. "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
  282. "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
  283. },
  284. "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
  285. "value": "menuPass (G0045) uses EvilGrab (S0152)"
  286. }
  287. cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-
  288. incident and cfr-target-category MAY be used to report information
  289. gathered from CFR's (Council on Foreign Relations) [CFR] Cyber
  290. Operations Tracker. cfr-suspected-victims is represented as an array
  291. containing one or more strings and SHALL be present. cfr-suspected-
  292. state-sponsor is represented as a string and SHALL be present. cfr-
  293. type-of-incident is represented as a string or an array and SHALL be
  294. present. A RECOMMENDED but not exhaustive list of possible values for
  295. cfr-type-of-incident includes "Espionage", "Denial of service",
  296. "Sabotage". cfr-target-category is represented as an array containing
  297. one or more strings and SHALL be present. A RECOMMENDED but not
  298. exhaustive list of possible values for cfr-target-category includes
  299. "Private sector", "Government", "Civil society", "Military".
  300. Example use of the cfr-suspected-victims, cfr-suspected-state-
  301. sponsor, cfr-type-of-incident, cfr-target-category fields in the
  302. threat-actor galaxy:
  305. {
  306. "meta": {
  307. "country": "CN",
  308. "refs": [
  309. "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
  310. "https://www.cfr.org/interactive/cyber-operations/apt-16"
  311. ],
  312. "cfr-suspected-victims": [
  313. "Japan",
  314. "Taiwan"
  315. ],
  316. "cfr-suspected-state-sponsor": "China",
  317. "cfr-type-of-incident": "Espionage",
  318. "cfr-target-category": [
  319. "Private sector"
  320. ],
  321. "attribution-confidence": 50
  322. },
  323. "value": "APT 16",
  324. "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
  325. }
  326. attribution-confidence MAY be used to indicate the confidence about
  327. an attribution given by country or cfr-suspected-state-sponsor.
  328. attribution-confidence is represented on a scale from 0 to 100, where
  329. 50 means "no information", the values under 50 mean "probably not,
  330. almost certainly not to impossibility", the values above 50 mean
  331. "from probable, almost certain to certainty" and SHALL be present if
  332. country or cfr-suspected-state-sponsor are present.
  333.   Impossibility      no information       Certainty
  334.                             +
  335.                             |
  336.         +-------------------+------------------>
  337.         0                  50                100
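An added example (not from the draft or from MISP's code) that checks a cluster's meta object against the rules of section 2.4 which the JSON Schema in section 3 leaves open, in particular that attribution-confidence is present and on the 0 to 100 scale whenever country or cfr-suspected-state-sponsor is set. The function names, the optional "#" in the colour pattern, the tolerance for a quoted number and the failing sample are assumptions.

```python
import re

# meta keys the draft describes as arrays of one or more strings
STRING_ARRAYS = ("refs", "synonyms", "official-refs", "spoken-language",
                 "extensions", "ransomnotes", "ransomnotes-filenames",
                 "ransomnotes-refs", "cfr-suspected-victims",
                 "cfr-target-category")
# keys whose presence makes attribution-confidence mandatory
ATTRIBUTION_KEYS = ("country", "cfr-suspected-state-sponsor")
# Assumption: six hex digits, leading "#" optional
RGB_HEX = re.compile(r"#?[0-9A-Fa-f]{6}")


def parse_confidence(raw):
    """Return an int in 0..100, or None when raw is not on the scale."""
    # Tolerance chosen for this example: a quoted number such as "50".
    if isinstance(raw, str) and re.fullmatch(r"[0-9]{1,3}", raw):
        raw = int(raw)
    if isinstance(raw, int) and not isinstance(raw, bool) and 0 <= raw <= 100:
        return raw
    return None


def confidence_label(score):
    """Map a 0..100 score to the wording of the draft's scale."""
    if score == 50:
        return "no information"
    if score < 50:
        return "probably not .. impossibility"
    return "probable .. certainty"


def check_meta(meta):
    """Return a list of problems found in one cluster's meta object."""
    problems = []
    for key in STRING_ARRAYS:
        if key in meta:
            val = meta[key]
            if (not isinstance(val, list) or not val
                    or not all(isinstance(s, str) for s in val)):
                problems.append(key + " must be a non-empty array of strings")
    incident = meta.get("cfr-type-of-incident")
    if incident is not None and not isinstance(incident, (str, list)):
        problems.append("cfr-type-of-incident must be a string or an array")
    colour = meta.get("colour")
    if colour is not None and not (isinstance(colour, str)
                                   and RGB_HEX.fullmatch(colour)):
        problems.append("colour must be an RGB value in hexadecimal")
    needs_confidence = [k for k in ATTRIBUTION_KEYS if k in meta]
    if "attribution-confidence" in meta:
        if parse_confidence(meta["attribution-confidence"]) is None:
            problems.append("attribution-confidence must be 0..100")
    elif needs_confidence:
        problems.append("attribution-confidence required because of "
                        + ", ".join(needs_confidence))
    return problems


# The meta object of the draft's Anchor Panda example.
GOOD_META = {
    "country": "CN",
    "synonyms": ["APT14", "APT 14", "QAZTeam", "ALUMINUM"],
    "refs": ["http://www.crowdstrike.com/blog/whois-anchor-panda/"],
    "motive": "Espionage",
    "attribution-confidence": 50,
}
# Constructed failing sample: refs is a bare string, colour is a name,
# and country is given without attribution-confidence.
BAD_META = {"country": "CN", "refs": "http://example.org/report",
            "colour": "red"}

if __name__ == "__main__":
    print(check_meta(GOOD_META))
    print(check_meta(BAD_META))
    print(confidence_label(parse_confidence(GOOD_META["attribution-confidence"])))
```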
  338. 3. JSON Schema
  339. The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy
  340. formats. The main format is the MISP galaxy format used for the
  341. clusters.
  342. 3.1. MISP galaxy format - galaxy
  345. {
  346. "$schema": "http://json-schema.org/schema#",
  347. "title": "Validator for misp-galaxies - Galaxies",
  348. "id": "https://www.github.com/MISP/misp-galaxies/schema_galaxies.json",
  349. "type": "object",
  350. "additionalProperties": false,
  351. "properties": {
  352. "description": {
  353. "type": "string"
  354. },
  355. "type": {
  356. "type": "string"
  357. },
  358. "version": {
  359. "type": "integer"
  360. },
  361. "name": {
  362. "type": "string"
  363. },
  364. "icon": {
  365. "type": "string"
  366. },
  367. "uuid": {
  368. "type": "string"
  369. },
  370. "namespace": {
  371. "type": "string"
  372. },
  373. "kill_chain_order": {
  374. "type": "object"
  375. }
  376. },
  377. "required": [
  378. "description",
  379. "type",
  380. "version",
  381. "name",
  382. "uuid"
  383. ]
  384. }
  385. 3.2. MISP galaxy format - clusters
  386. {
  387. "$schema": "http://json-schema.org/schema#",
  388. "title": "Validator for misp-galaxies - Clusters",
  389. "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
  390. "type": "object",
  393. "additionalProperties": false,
  394. "properties": {
  395. "description": {
  396. "type": "string"
  397. },
  398. "type": {
  399. "type": "string"
  400. },
  401. "version": {
  402. "type": "integer"
  403. },
  404. "name": {
  405. "type": "string"
  406. },
  407. "uuid": {
  408. "type": "string"
  409. },
  410. "source": {
  411. "type": "string"
  412. },
  413. "category": {
  414. "type": "string"
  415. },
  416. "values": {
  417. "type": "array",
  418. "uniqueItems": true,
  419. "items": {
  420. "type": "object",
  421. "additionalProperties": false,
  422. "properties": {
  423. "description": {
  424. "type": "string"
  425. },
  426. "value": {
  427. "type": "string"
  428. },
  429. "uuid": {
  430. "type": "string"
  431. },
  432. "related": {
  433. "type": "array",
  434. "additionalProperties": false,
  435. "items": {
  436. "type": "object"
  437. },
  438. "properties": {
  439. "dest-uuid": {
  440. "type": "string"
  443. },
  444. "type": {
  445. "type": "string"
  446. },
  447. "tags": {
  448. "type": "array",
  449. "uniqueItems": true,
  450. "items": {
  451. "type": "string"
  452. }
  453. }
  454. }
  455. },
  456. "meta": {
  457. "type": "object",
  458. "additionalProperties": true,
  459. "properties": {
  460. "type": {
  461. "type": "array",
  462. "uniqueItems": true,
  463. "items": {
  464. "type": "string"
  465. }
  466. },
  467. "complexity": {
  468. "type": "string"
  469. },
  470. "effectiveness": {
  471. "type": "string"
  472. },
  473. "country": {
  474. "type": "string"
  475. },
  476. "possible_issues": {
  477. "type": "string"
  478. },
  479. "colour": {
  480. "type": "string"
  481. },
  482. "motive": {
  483. "type": "string"
  484. },
  485. "impact": {
  486. "type": "string"
  487. },
  488. "refs": {
  489. "type": "array",
  490. "uniqueItems": true,
  493. "items": {
  494. "type": "string"
  495. }
  496. },
  497. "synonyms": {
  498. "type": "array",
  499. "uniqueItems": true,
  500. "items": {
  501. "type": "string"
  502. }
  503. },
  504. "status": {
  505. "type": "string"
  506. },
  507. "date": {
  508. "type": "string"
  509. },
  510. "encryption": {
  511. "type": "string"
  512. },
  513. "extensions": {
  514. "type": "array",
  515. "uniqueItems": true,
  516. "items": {
  517. "type": "string"
  518. }
  519. },
  520. "ransomnotes": {
  521. "type": "array",
  522. "uniqueItems": true,
  523. "items": {
  524. "type": "string"
  525. }
  526. }
  527. }
  528. }
  529. },
  530. "required": [
  531. "value"
  532. ]
  533. }
  534. },
  535. "authors": {
  536. "type": "array",
  537. "uniqueItems": true,
  538. "items": {
  539. "type": "string"
  540. }
  543. }
  544. },
  545. "required": [
  546. "description",
  547. "type",
  548. "version",
  549. "name",
  550. "uuid",
  551. "values",
  552. "authors",
  553. "source",
  554. "category"
  555. ]
  556. }
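An added example (not the draft's or the MISP project's code) of checks on a cluster file that the schema above cannot express because it types uuid and type only as strings: the type must match the file name, a uuid must not be reused inside values, and a uuid must be preserved when the file is updated. It assumes the document already validated against the schema; the function names, the file paths and the third sample value are constructed.

```python
import os


def check_cluster_file(path, doc):
    """Checks from section 2.1 that go beyond the JSON Schema."""
    problems = []
    stem = os.path.splitext(os.path.basename(path))[0]
    if doc.get("type") != stem:
        problems.append("type %r does not match file name %r"
                        % (doc.get("type"), stem))
    values = doc.get("values")
    if not isinstance(values, list) or not values:
        problems.append("values must contain one or more values")
        return problems
    seen = {}
    for i, entry in enumerate(values):
        if not isinstance(entry.get("value"), str):
            problems.append("values[%d] has no value string" % i)
        uid = entry.get("uuid")
        if uid is not None:
            if uid in seen:
                problems.append("values[%d] reuses the uuid of values[%d]"
                                % (i, seen[uid]))
            else:
                seen[uid] = i
    return problems


def uuid_changes(old_doc, new_doc):
    """Return (value, old_uuid, new_uuid) where an update changed a uuid."""
    old = {v["value"]: v.get("uuid") for v in old_doc.get("values", [])}
    changes = []
    for v in new_doc.get("values", []):
        before = old.get(v["value"])
        if before is not None and v.get("uuid") != before:
            changes.append((v["value"], before, v.get("uuid")))
    return changes


def dropped_uuids(old_doc, new_doc):
    """Return uuids present before the update and absent after it.

    Anything that referenced them (a related dest-uuid, an attached
    cluster) no longer resolves.
    """
    before = {v.get("uuid") for v in old_doc.get("values", [])}
    after = {v.get("uuid") for v in new_doc.get("values", [])}
    return sorted(u for u in before - after if u is not None)


# Two values taken from the draft's threat-actor examples.
OLD_DOC = {"type": "threat-actor", "values": [
    {"value": "APT 16", "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"},
    {"value": "Anchor Panda", "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"},
]}
# Constructed update: APT 16 gets a new uuid and a made-up third value
# reuses Anchor Panda's uuid.
NEW_DOC = {"type": "threat-actor", "values": [
    {"value": "APT 16", "uuid": "00000000-0000-4000-8000-000000000001"},
    {"value": "Anchor Panda", "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"},
    {"value": "Constructed Actor",
     "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"},
]}

if __name__ == "__main__":
    # The path is a constructed one used only for the file-name check.
    print(check_cluster_file("clusters/threat-actor.json", NEW_DOC))
    print(uuid_changes(OLD_DOC, NEW_DOC))
    print(dropped_uuids(OLD_DOC, NEW_DOC))
```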
  557. 4. Acknowledgements
  558. The authors wish to thank all the MISP community who are supporting
  559. the creation of open standards in threat intelligence sharing.
  560. 5. References
  561. 5.1. Normative References
  562. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
  563. Requirement Levels", BCP 14, RFC 2119,
  564. DOI 10.17487/RFC2119, March 1997,
  565. <https://www.rfc-editor.org/info/rfc2119>.
  566. [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
  567. Unique IDentifier (UUID) URN Namespace", RFC 4122,
  568. DOI 10.17487/RFC4122, July 2005,
  569. <https://www.rfc-editor.org/info/rfc4122>.
  570. [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
  571. Interchange Format", STD 90, RFC 8259,
  572. DOI 10.17487/RFC8259, December 2017,
  573. <https://www.rfc-editor.org/info/rfc8259>.
  574. 5.2. Informative References
  575. [CFR] CFR, "Cyber Operations Tracker - Council on Foreign
  576. Relations", 2018,
  577. <https://www.cfr.org/interactive/cyber-operations>.
  580. [JSON-SCHEMA]
  581. "JSON Schema: A Media Type for Describing JSON Documents",
  582. 2016,
  583. <https://tools.ietf.org/html/draft-wright-json-schema>.
  584. [MISP-G] MISP, "MISP Galaxy - Public Repository",
  585. <https://github.com/MISP/misp-galaxy>.
  586. [MISP-G-DOC]
  587. MISP, "MISP Galaxy - Documentation of the Public
  588. Repository", <https://www.misp-project.org/galaxy.html>.
  589. [MISP-P] MISP, "MISP Project - Malware Information Sharing Platform
  590. and Threat Sharing", <https://github.com/MISP>.
  591. [MISP-R] MISP, "MISP Object Relationship Types - common vocabulary
  592. of relationships", <https://github.com/MISP/misp-
  593. objects/tree/master/relationships>.
  594. Authors' Addresses
  595. Alexandre Dulaunoy
  596. Computer Incident Response Center Luxembourg
  597. 16, bd d'Avranches
  598. Luxembourg L-1611
  599. Luxembourg
  600. Phone: +352 247 88444
  601. Email: alexandre.dulaunoy@circl.lu
  602. Andras Iklody
  603. Computer Incident Response Center Luxembourg
  604. 16, bd d'Avranches
  605. Luxembourg L-1611
  606. Luxembourg
  607. Phone: +352 247 88444
  608. Email: andras.iklody@circl.lu
  611. Deborah Servili
  612. Computer Incident Response Center Luxembourg
  613. 16, bd d'Avranches
  614. Luxembourg L-1611
  615. Luxembourg
  616. Phone: +352 247 88444
  617. Email: deborah.servili@circl.lu