misp-taxonomies/README.md

126 lines
6.3 KiB
Markdown
Raw Normal View History

2015-11-21 17:04:18 +01:00
# MISP Taxonomies
2016-04-11 12:42:01 +02:00
[![Build Status](https://travis-ci.org/MISP/misp-taxonomies.svg?branch=master)](https://travis-ci.org/MISP/misp-taxonomies)
2015-11-24 09:57:35 +01:00
Taxonomies that can be used in [MISP](https://github.com/MISP/MISP) (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.
2015-11-21 17:04:18 +01:00
2016-01-10 17:53:04 +01:00
![Overview of the MISP taxonomies](tools/docs/images/taxonomy-explanation.png)
The following taxonomies can be used in MISP (as local or distributed tags) or in other tools willing to share common taxonomies among security information sharing tools.
2015-11-24 11:34:24 +01:00
The following taxonomies are described:
- [Admiralty Scale](./admiralty-scale)
2016-05-06 21:00:22 +02:00
- [adversary](./adversary) - description of an adversary infrastructure
2015-11-24 11:34:24 +01:00
- CIRCL [Taxonomy - Schemes of Classification in Incident Response and Detection](./circl)
- DE German (DE) [Government classification markings (VS)](./de-vs)
2016-05-06 20:57:39 +02:00
- [DHS CIIP Sectors](./dhs-ciip-sectors)
2015-11-25 16:18:39 +01:00
- [eCSIRT](./ecsirt) and IntelMQ incident classification
2016-05-06 21:00:22 +02:00
- [EU critical sectors](./eu-critical-sectors) - EU critical sectors
2015-12-01 17:42:19 +01:00
- [EUCI](./euci) - EU classified information marking
2016-02-09 07:44:49 +01:00
- [FIRST CSIRT Case](./first_csirt_case_classification) classification
2015-11-28 20:14:14 +01:00
- [Information Security Marking Metadata](./dni-ism) from DNI (Director of National Intelligence - US)
2016-02-09 07:44:49 +01:00
- [Malware](./malware) classification based on a SANS document
2016-01-10 17:59:09 +01:00
- [NATO Classification Marking](./nato)
2016-01-22 08:29:48 +01:00
- [OSINT Open Source Intelligence - Classification](./osint)
2015-11-24 11:34:24 +01:00
- [TLP - Traffic Light Protocol](./tlp)
- Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
### [Admiralty Scale](./admiralty-scale)
2015-11-21 17:04:18 +01:00
The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.
2016-05-06 20:55:20 +02:00
### [Adversary](./adversary)
An overview and description of the adversary infrastructure.
2015-11-24 11:34:24 +01:00
### CIRCL [Taxonomy - Schemes of Classification in Incident Response and Detection](./circl)
2015-11-22 10:04:13 +01:00
CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place.
### DE German (DE) [Government classification markings (VS)](./de-vs)
Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS).
2016-05-06 20:57:39 +02:00
### [DHS CIIP Sectors](./dhs-ciip-sectors)
DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.
2015-11-25 16:18:39 +01:00
### [eCSIRT](./ecsirt) and IntelMQ incident classification
eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.
2016-05-06 21:00:22 +02:00
### [EU Critical Sectors](./eu-critical-sectors)
Market operators and public administrations that must comply to some notifications requirements under EU NIS directive.
2015-12-01 17:27:29 +01:00
### [EUCI](./euci) classification
EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States [as described](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013D0488&from=EN).
### [FIRST CSIRT Case](./first_csirt_case_classification) classification
FIRST CSIRT Case Classification.
2015-11-28 20:14:14 +01:00
### [Information Security Marking Metadata](./dni-ism) DNI (Director of National Intelligence - US)
ISM (Information Security Marking Metadata) [V13](http://www.dni.gov/index.php/about/organization/chief-information-officer/information-security-marking-metadata) as described by DNI.gov.
2016-02-09 07:40:25 +01:00
### [Malware](./malware) classification
Malware classification based on a [SANS whitepaper about malware](https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848).
2016-01-10 17:59:09 +01:00
### [NATO Classification Marking](./nato)
Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.
2015-11-24 11:34:24 +01:00
### [TLP - Traffic Light Protocol](./tlp)
2015-11-22 08:22:01 +01:00
The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.
2015-11-24 11:34:24 +01:00
### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
2015-11-24 09:55:00 +01:00
Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/).
2015-11-24 11:32:13 +01:00
# How to contribute your taxonomy?
2016-02-09 07:44:49 +01:00
It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like [Admiralty Scale](./admiralty-scale)), create a directory matching your name space, put your machinetag file in the directory and pull your request. That's it. Everyone can benefit from your taxonomy and can be automatically enabled in information sharing tools like [MISP](https://www.github.com/MISP/MISP).
2015-11-24 11:32:13 +01:00
2016-05-05 23:40:33 +02:00
For more information, "[Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP](https://www.circl.lu/assets/files/misp-training/3.2-MISP-Taxonomy-Tagging.pdf)" presentation given to the last MISP training in Luxembourg.
2016-04-02 09:51:43 +02:00
2016-02-05 17:55:10 +01:00
# How to add your private taxonomy to MISP
~~~~shell
2016-02-13 20:06:12 +01:00
$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
2016-02-13 20:06:12 +01:00
$ vi machinetag.json
2016-02-05 17:55:10 +01:00
~~~~
Create a JSON file Create a JSON file describing your taxonomy as triple tags.
2016-02-13 20:06:12 +01:00
Once you are happy with your file go to MISP Web GUI taxonomies/index and update the taxonomies, the newly created taxonomy should be visible, now you need to activate the tags within your taxonomy.
2016-02-05 17:55:10 +01:00
2015-11-21 17:04:18 +01:00
# MISP Taxonomies - tools
[machinetag.py](./tools/machinetag.py) is a parsing tool to dump taxonomies expressed in Machine Tags (Triple Tags) and list all valid tags from a specific taxonomy.
~~~~shell
% cd tools
2016-04-11 12:42:01 +02:00
% python machinetag.py
admiralty-scale:source-reliability="a"
admiralty-scale:source-reliability="b"
admiralty-scale:source-reliability="c"
admiralty-scale:source-reliability="d"
admiralty-scale:source-reliability="e"
admiralty-scale:source-reliability="f"
admiralty-scale:information-credibility="1"
admiralty-scale:information-credibility="2"
admiralty-scale:information-credibility="3"
admiralty-scale:information-credibility="4"
admiralty-scale:information-credibility="5"
admiralty-scale:information-credibility="6"
...
2015-11-21 17:04:18 +01:00
~~~~