Taxonomies used in the MISP taxonomy system, which can also be used by other information sharing tools. https://www.circl.lu/doc/misp-taxonomies/
Raphaël Vinot a3f7cf8561 fix: Reorder predicates 1 day ago
CERT-XLM fix: Typos in predicate names (CERT-XLM & pentest). 2 years ago
DFRLab-dichotomies-of-disinformation fix: Reorder predicates 1 day ago
DML add DML taxonomy 2 years ago
PAP chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
access-method new: CCCS taxonomies, first batch 1 year ago
accessnow chg: description improved of the accessnow and action-taken taxonomies 1 year ago
action-taken chg: description improved of the accessnow and action-taken taxonomies 1 year ago
admiralty-scale chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
adversary Improve consistency when listing the predicates, remove duplicates 2 years ago
ais-marking chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
analyst-assessment chg: [numerical_value] Incremented version of taxonomies having num_val 3 months ago
approved-category-of-action new: CCCS taxonomies, first batch 1 year ago
binary-class chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
cccs new: Add all other relevant taxonomies 1 year ago
circl chg: [circl] sextortion added - #133 fixed 9 months ago
coa chg: [coa] typo fixed for deceive 3 months ago
collaborative-intelligence chg: [collaborative-intelligence] request malware config added 5 months ago
common-taxonomy chg: [common-taxonomy] version fixed 10 months ago
copine-scale chg: [numerical_value] Incremented version of taxonomies having num_val 3 months ago
course-of-action Added Course of Action A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability. 5 months ago
cryptocurrency-threat chg: [cryptocurrency-threat] fixing small typo 1 year ago
csirt-americas chg: minor text changes 7 months ago
csirt_case_classification JQ all the things 3 years ago
cssa fix: reorder predicates, make pytaxonomies happy 2 months ago
cyber-threat-framework chg: [numerical_value] Incremented version of taxonomies having num_val 3 months ago
dark-web add: [tags] crypto, contraband, etc. 6 months ago
data-classification add: [data-classification] Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book. 1 year ago
dcso-sharing chg: [dcso-sharing] fix the namespace name 11 months ago
ddos chg: [description] fixed 1 year ago
de-vs Update README.md 4 years ago
dhs-ciip-sectors JQ all the things 3 years ago
diamond-model Correct Diamond model taxonomy description 3 months ago
dni-ism Improve consistency when listing the predicates, remove duplicates 2 years ago
domain-abuse Improve consistency when listing the predicates, remove duplicates 2 years ago
drugs fix: Bad filename for the drugs taxonomy 10 months ago
economical-impact chg: [economical-impact] No need to bump version twice 3 months ago
ecsirt eCSIRT taxonomy updated to fully support version mkVI of 31 March 2015 and still support IntelMQ taxonomy-type mapping. 2 years ago
enisa Improve consistency when listing the predicates, remove duplicates 2 years ago
estimative-language chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
eu-marketop-and-publicadmin JQ all the things 3 years ago
eu-nis-sector-and-subsectors fix typo 1 year ago
euci chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
europol-event Add schema 3 years ago
europol-incident JQ all the things 3 years ago
event-assessment chg: [event-assessment] fixing typographic error 1 year ago
event-classification chg: [event-classification] event-classification renamed + description updated 1 year ago
exercise chg: [exercise] Cyber Coalition 2019 and more added 2 months ago
failure-mode-in-machine-learning fix: Reorder predicates 1 day ago
false-positive chg: [false-positive] missing expanded 3 months ago
file-type [fix] trim space content of value 1 year ago
flesch-reading-ease chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
fpf Add taxonomy to classify the degree of identifiability of personal data 1 year ago
fr-classif chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
gdpr Add taxonomy to classify special categories of personal data as defined in the GDPR 1 year ago
gea-nz-activities <comit> 3 months ago
gea-nz-entities <GEA-Manifest> 3 months ago
gea-nz-motivators fix: reorder predicates, make pytaxonomies happy 2 months ago
gsma-attack-category new: [gsma-attack-category] first version of Taxonomy used by GSMA for their information sharing program with telco describing the attack categories. 1 year ago
gsma-fraud fix: Typo, empty entries 1 year ago
gsma-network-technology fix: Typo, empty entries 1 year ago
honeypot-basic chg: [honeypot-basic] medium interaction added (based on various papers definition from EURECOM to Georg Wicherski paper) 1 year ago
ics chg: Reorder predicates in ICS 5 months ago
iep Improve consistency when listing the predicates, remove duplicates 2 years ago
iep2-policy chg: [iep2] MANIFEST updated, set version value to string (all are strings in taxonomies) 1 month ago
iep2-reference chg: [iep2] MANIFEST updated, set version value to string (all are strings in taxonomies) 1 month ago
ifx-vetting new: Added Manifest and Markdown generators 3 months ago
incident-disposition chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
infoleak chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
information-security-data-source fix: reorder predicates 1 year ago
information-security-indicators JQ all the things 3 years ago
interception-method new: CCCS taxonomies, first batch 1 year ago
iot chg: [IoT] put the exclusive flag on the "Data Sharing Level" 3 months ago
kill-chain Merge branch 'master' of github.com:MISP/misp-taxonomies 3 years ago
maec-delivery-vectors fix: make namespace consistent for MAEC 1 year ago
maec-malware-behavior fix: duplicate removed 1 year ago
maec-malware-capabilities chg: [maec-malware-capabilities] typo fixed - #149 fixed 8 months ago
maec-malware-obfuscation-methods fix: make namespace consistent for MAEC 1 year ago
malware_classification Update schema, fix taxonomies accordingly. 3 years ago
mapping chg: [mapping] updated to the latest version 9 months ago
misp fix: reorder predicates, make pytaxonomies happy 2 months ago
monarc-threat chg: [monarc] change the namespace to monarc-threat (more to come) 1 year ago
ms-caro-malware Remove jso file 3 years ago
ms-caro-malware-full Improve consistency when listing the predicates, remove duplicates 2 years ago
mwdb chg: [mwdb] added missing expanded predicate values 2 months ago
nato chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
nis Update README.md 1 year ago
open_threat Fix inconsistencies between MANIFEST, directory names and taxonomies 3 years ago
osint chg: [numerical_value] Incremented version of taxonomies having num_val 3 months ago
passivetotal chg: [passivetotal] typo fixed 1 year ago
pentest chg: [description] fixed 1 year ago
phishing chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
priority-level chg: [numerical_value] Incremented version of taxonomies having num_val 3 months ago
ransomware chg: [ransomware] jq all the things 9 months ago
retention chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
rsit fix: Typo in rsit, predicates order in misp 7 months ago
rt_event_status chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
runtime-packer Fixed 2 years ago
scrippsco2-fgc fix: Missing parenthesis. 7 months ago
scrippsco2-fgi fix: Missing parenthesis. 7 months ago
scrippsco2-sampling-stations new: Scripps CO2 taxonomies 7 months ago
smart-airports-threats chg: reorder predicates in smart-airports-threats 1 year ago
stealth_malware stealth_malware to match taxonomy namespace 3 years ago
stix-ttp JQ all the things 3 years ago
targeted-threat-index chg: [numerical_value] Incremented version of taxonomies having num_val 3 months ago
threats-to-dns new: [threats-to-dns] New taxonomy threats to DNS 8 months ago
tlp add: exclusive property added to express exclusivity at predicate or value level 2 years ago
tools chg: [tools] a quick-and-dirty script to dump missing expanded fields 2 months ago
tor New taxonomy to describe Tor network infrastructure added 2 years ago
type add: [type] Taxonomy to describe different types of intelligence gathering discipline which can describe the origin of intelligence. 1 year ago
use-case-applicability fix: Remove extra comma 1 year ago
veris chg: Saner veris taxonomy generation 1 year ago
vocabulaire-des-probabilites-estimatives chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
workflow chg: [exclusive] Set `exclusive` meta for relevant taxonomies 3 months ago
.travis.yml chg: [travis] Python 3.8 test added - removed the nightly build (3.9 is heavily broken) 1 month ago
LICENSE.md chg: [licensing] 2-clause BSD added in addition to CC0 1 year ago
MANIFEST.json chg: [DFRLab] fix namespace to match default directory 1 week ago
README.md chg: [doc] copyright statement updated 3 months ago
jq_all_the_things.sh fix jq_all_the_things script 1 year ago
schema.json fix: Force non-empty strings and arrays 1 year ago
schema_mapping.json Add schema for mapping 2 years ago
summary.md chg: [doc] summary updated 1 month ago
validate_all.sh Properly fix manifest. 2 years ago

README.md

MISP Taxonomies


MISP Taxonomies is a set of common classification libraries to tag, classify and organise information. A taxonomy allows a distributed set of users and organisations to express the same vocabulary.

These taxonomies can be used in MISP (2.4) and other information sharing tools and are expressed as Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tags because of this three-part format.

Overview of the MISP taxonomies

The following taxonomies can be used in MISP (as local or distributed tags) or in other tools and software willing to share common taxonomies among security information sharing tools.

The following taxonomies are described:

Admiralty Scale

The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of a piece of information.

Adversary

An overview and description of the adversary infrastructure.

CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection

CIRCL Taxonomy is a simple scheme for classifying an incident and the area or topic in which the incident took place.

Cyber Kill Chain from Lockheed Martin

Cyber Kill Chain from Lockheed Martin as described in Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.

Cyber Threat Framework from DNI.gov

The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.

German (DE) Government classification markings (VS)

Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS).

DHS CIIP Sectors

DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.

Diamond Model for Intrusion Analysis

The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack as described in http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.

Detection Maturity Level

The Detection Maturity Level (DML) model is a capability maturity model for referencing one's maturity in detecting cyber attacks. It is designed for organizations that perform intel-driven detection and response and that put an emphasis on having a mature detection program.

Domain Name Abuse

Taxonomy to tag domain names used for cybercrime. We suggest using europol-incident (./europol-incident) to tag the abuse activity itself.

eCSIRT and IntelMQ incident classification

eCSIRT incident classification, as defined in Appendix C of the eCSIRT EU project, including the IntelMQ updates.

ENISA Threat Taxonomy

ENISA Threat Taxonomy - A tool for structuring threat information as published

Estimative Language (ICD 203)

Estimative language - including likelihood or probability of event based on the Intelligence Community Directive 203 (ICD 203) (6.2.(a)).

EU NIS Critical Infrastructure Operators

Market operators and public administrations that must comply with certain notification requirements under the EU NIS directive.

EUCI classification

EU classified information (EUCI) means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described.

Europol Incident

EUROPOL class of incident taxonomy

Europol Events

EUROPOL type of events taxonomy

FIRST CSIRT Case classification

FIRST CSIRT Case Classification.

FIRST Information Exchange Policy (IEP) framework

Information Security Indicators - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators

Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security. Scope of measurements: external and internal threats (attempt and success), users' deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework).

Information Security Marking Metadata DNI (Director of National Intelligence - US)

ISM (Information Security Marking Metadata) V13 as described by DNI.gov.

Malware classification

Malware classification based on a SANS whitepaper about malware.

ms-caro-malware

Malware Type and Platform classification based on Microsoft’s implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.

NATO Classification Marking

Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.

Open Threat Taxonomy v1.1

Open Threat Taxonomy v1.1, based on the work of James Tarala of SANS (ref.).

STIX-TTP

STIX-TTP exposes a set of classification tools that represent the behavior or modus operandi of cyber adversaries as normalized in STIX. TTPs consist of the specific adversary behavior exhibited (attack patterns, malware, exploits), resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.

Targeted Threat Index

The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. More info about TTI.

PAP - Permissible Actions Protocol

The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. It’s a protocol/taxonomy similar to TLP informing the recipients of information what they can do with the received information.

TLP - Traffic Light Protocol

The Traffic Light Protocol - or short: TLP - was designed with the objective of creating a simple classification scheme for sharing sensitive information while at the same time keeping control over its distribution.

Vocabulary for Event Recording and Incident Sharing VERIS

Vocabulary for Event Recording and Incident Sharing is a format created by the VERIS community.

Reserved Taxonomy

The following taxonomy namespaces are reserved and used internally to MISP.

  • galaxy mapping taxonomy with cluster:element:“value”.

Documentation

A documentation of the taxonomies is generated automatically from the taxonomies description and available in PDF and HTML.

How to contribute your taxonomy?

It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like Admiralty Scale), create a directory matching your namespace, put your machinetag file in the directory and submit a pull request. That’s it. Everyone can benefit from your taxonomy, and it can be automatically enabled in information sharing tools like MISP.

For more information, see the “Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP” presentation given at the last MISP training in Luxembourg.

How to add your private taxonomy to MISP

$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
$ vi machinetag.json

Create a JSON file describing your taxonomy as triple tags.

Once you are happy with your file, go to the MISP web GUI (taxonomies/index) and update the taxonomies. The newly created taxonomy should be visible; now you need to activate the tags within your taxonomy.


Tools

machinetag.py is a parsing tool to dump taxonomies expressed in Machine Tags (Triple Tags) and list all valid tags from a specific taxonomy.

% cd tools
% python machinetag.py
        admiralty-scale:source-reliability="a"
        admiralty-scale:source-reliability="b"
        admiralty-scale:source-reliability="c"
        admiralty-scale:source-reliability="d"
        admiralty-scale:source-reliability="e"
        admiralty-scale:source-reliability="f"
        admiralty-scale:information-credibility="1"
        admiralty-scale:information-credibility="2"
        admiralty-scale:information-credibility="3"
        admiralty-scale:information-credibility="4"
        admiralty-scale:information-credibility="5"
        admiralty-scale:information-credibility="6"
        ...
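As an added example (not the repository's machinetag.py or PyTaxonomies), the block below enumerates the tags of a taxonomy from a constructed machinetag.json-style sample, parses triple tags back into namespace, predicate and value, and checks a set of tags applied together to one event, including the `exclusive` predicate flag that several commits above set. The sample taxonomy and the reading of `exclusive` as "one value per event" are assumptions made for the example.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample in the machinetag.json layout (a trimmed admiralty-scale), not the
# repository's file; a predicate's "exclusive" flag is read as "one value per event".
SAMPLE_TAXONOMY = json.loads("""{
  "namespace": "admiralty-scale", "version": "4",
  "predicates": [
    {"value": "source-reliability", "expanded": "Source Reliability", "exclusive": true},
    {"value": "information-credibility", "expanded": "Information Credibility", "exclusive": true}
  ],
  "values": [
    {"predicate": "source-reliability",
     "entry": [{"value": "a", "expanded": "Completely reliable"},
               {"value": "b", "expanded": "Usually reliable"}]},
    {"predicate": "information-credibility",
     "entry": [{"value": "1", "expanded": "Confirmed by other sources"},
               {"value": "2", "expanded": "Probably true"}]}
  ]}""")

# namespace:predicate or namespace:predicate="value" (the value part is optional)
TAG_RE = re.compile(r'^([^:\s]+):([^=\s"]+)(?:="([^"]*)")?$')

def expand_tags(tax: dict) -> List[str]:
    """List every valid machine tag of a taxonomy, as tools/machinetag.py dumps them."""
    ns = tax["namespace"]
    by_pred = {v["predicate"]: [e["value"] for e in v["entry"]] for v in tax.get("values", [])}
    tags = []
    for pred in tax["predicates"]:
        p = pred["value"]
        # predicates without entries yield a predicate-only tag, e.g. tlp:green
        vals = by_pred.get(p) or [None]
        tags += [f"{ns}:{p}" if v is None else f'{ns}:{p}="{v}"' for v in vals]
    return tags

def parse_tag(tag: str) -> Tuple[str, str, Optional[str]]:
    """Split a triple tag into (namespace, predicate, value or None)."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"malformed machine tag: {tag!r}")
    return m.group(1), m.group(2), m.group(3)

def validate_tags(tax: dict, tags: List[str]) -> List[str]:
    """Check tags applied together to one event; returns problems found (empty = OK)."""
    valid = set(expand_tags(tax))
    exclusive = [p["value"] for p in tax["predicates"] if p.get("exclusive")]
    problems, seen = [], {}
    for tag in tags:
        ns, pred, _ = parse_tag(tag)
        if ns != tax["namespace"]:
            continue  # belongs to another taxonomy; not checked here
        if tag not in valid:
            problems.append(f"unknown tag {tag}")
        seen[pred] = seen.get(pred, 0) + 1
    for pred in exclusive:
        if seen.get(pred, 0) > 1:
            problems.append(f"predicate {pred} is exclusive but used {seen[pred]} times")
    return problems
```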

Library

  • PyTaxonomies is a Python module for easily using the MISP Taxonomies.

License

The MISP taxonomies (JSON files) are dual-licensed under:

  • CC0 1.0 Universal (CC0 1.0) Public Domain Dedication

or

  • the 2-clause BSD license reproduced below:

Copyright © 2015-2019 Alexandre Dulaunoy - a@foo.be
Copyright © 2015-2019 CIRCL - Computer Incident Response Center Luxembourg
Copyright © 2015-2019 Andras Iklody
Copyright © 2015-2019 Raphael Vinot
Copyright © 2016-2019 Various contributors to MISP Project

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice,
   this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested.