commit
031f69080d
|
@ -3,18 +3,18 @@
|
||||||
{
|
{
|
||||||
"entry": [
|
"entry": [
|
||||||
{
|
{
|
||||||
"description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content.",
|
"description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.",
|
||||||
"expanded": "Spam",
|
"expanded": "Spam",
|
||||||
"value": "spam"
|
"value": "spam"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.",
|
"description": "Discretization or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.",
|
||||||
"expanded": "Harmful Speech",
|
"expanded": "Harmful Speech",
|
||||||
"value": "harmful-speech"
|
"value": "harmful-speech"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Child pornography, glorification of violence, etc.",
|
"description": "Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.",
|
||||||
"expanded": "Child Porn/Sexual/Violent Content",
|
"expanded": "(Child) Sexual Exploitation/Sexual/Violent Content",
|
||||||
"value": "violence"
|
"value": "violence"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
|
@ -23,7 +23,7 @@
|
||||||
{
|
{
|
||||||
"entry": [
|
"entry": [
|
||||||
{
|
{
|
||||||
"description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit.",
|
"description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server",
|
||||||
"expanded": "Infected System",
|
"expanded": "Infected System",
|
||||||
"value": "infected-system"
|
"value": "infected-system"
|
||||||
},
|
},
|
||||||
|
@ -33,12 +33,12 @@
|
||||||
"value": "c2-server"
|
"value": "c2-server"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.",
|
"description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).",
|
||||||
"expanded": "Malware Distribution",
|
"expanded": "Malware Distribution",
|
||||||
"value": "malware-distribution"
|
"value": "malware-distribution"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "URI hosting a malware configuration file, e.g. webinjects for a banking trojan.",
|
"description": "URI hosting a malware configuration file, e.g. web-injects for a banking trojan.",
|
||||||
"expanded": "Malware Configuration",
|
"expanded": "Malware Configuration",
|
||||||
"value": "malware-configuration"
|
"value": "malware-configuration"
|
||||||
}
|
}
|
||||||
|
@ -73,7 +73,7 @@
|
||||||
"value": "ids-alert"
|
"value": "ids-alert"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Multiple login attempts (Guessing / cracking of passwords, brute force).",
|
"description": "Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.",
|
||||||
"expanded": "Login attempts",
|
"expanded": "Login attempts",
|
||||||
"value": "brute-force"
|
"value": "brute-force"
|
||||||
},
|
},
|
||||||
|
@ -98,12 +98,17 @@
|
||||||
"value": "unprivileged-account-compromise"
|
"value": "unprivileged-account-compromise"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Compromise of an application by exploiting (un)known software vulnerabilities, e.g. SQL injection.",
|
"description": "Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.",
|
||||||
"expanded": "Application Compromise",
|
"expanded": "Application Compromise",
|
||||||
"value": "application-compromise"
|
"value": "application-compromise"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Physical intrusion, e.g. into corporate building or data center.",
|
"description": "Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems.",
|
||||||
|
"expanded": "System Compromise",
|
||||||
|
"value": "system-compromise"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Physical intrusion, e.g. into corporate building or data-centre.",
|
||||||
"expanded": "Burglary",
|
"expanded": "Burglary",
|
||||||
"value": "burglary"
|
"value": "burglary"
|
||||||
}
|
}
|
||||||
|
@ -143,12 +148,12 @@
|
||||||
{
|
{
|
||||||
"entry": [
|
"entry": [
|
||||||
{
|
{
|
||||||
"description": "Unauthorized access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.",
|
"description": "Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.",
|
||||||
"expanded": "Unauthorised access to information",
|
"expanded": "Unauthorised access to information",
|
||||||
"value": "unauthorised-information-access"
|
"value": "unauthorised-information-access"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.",
|
"description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.",
|
||||||
"expanded": "Unauthorised modification of information",
|
"expanded": "Unauthorised modification of information",
|
||||||
"value": "unauthorised-information-modification"
|
"value": "unauthorised-information-modification"
|
||||||
},
|
},
|
||||||
|
@ -156,6 +161,11 @@
|
||||||
"description": "Loss of data, e.g. caused by harddisk failure or physical theft.",
|
"description": "Loss of data, e.g. caused by harddisk failure or physical theft.",
|
||||||
"expanded": "Data Loss",
|
"expanded": "Data Loss",
|
||||||
"value": "data-loss"
|
"value": "data-loss"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Leaked confidential information like credentials or personal data.",
|
||||||
|
"expanded": "Leak of confidential information",
|
||||||
|
"value": "data-leak"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"predicate": "information-content-security"
|
"predicate": "information-content-security"
|
||||||
|
@ -163,9 +173,9 @@
|
||||||
{
|
{
|
||||||
"entry": [
|
"entry": [
|
||||||
{
|
{
|
||||||
"description": "Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.",
|
"description": "Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.",
|
||||||
"expanded": "Unauthorized use of resources",
|
"expanded": "Unauthorised use of resources",
|
||||||
"value": "unauthorized-use-of-resources"
|
"value": "unauthorised-use-of-resources"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
|
"description": "Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
|
||||||
|
@ -178,7 +188,7 @@
|
||||||
"value": "masquerade"
|
"value": "masquerade"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Masquerading as another entity in order to persuade the user to reveal private credentials.",
|
"description": "Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials.",
|
||||||
"expanded": "Phishing",
|
"expanded": "Phishing",
|
||||||
"value": "phishing"
|
"value": "phishing"
|
||||||
}
|
}
|
||||||
|
@ -208,7 +218,7 @@
|
||||||
"value": "information-disclosure"
|
"value": "information-disclosure"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.",
|
"description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc.",
|
||||||
"expanded": "Vulnerable system",
|
"expanded": "Vulnerable system",
|
||||||
"value": "vulnerable-system"
|
"value": "vulnerable-system"
|
||||||
}
|
}
|
||||||
|
@ -218,9 +228,14 @@
|
||||||
{
|
{
|
||||||
"entry": [
|
"entry": [
|
||||||
{
|
{
|
||||||
"description": "All incidents which don't fit in one of the given categories should be put into this class.",
|
"description": "All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised.",
|
||||||
"expanded": "Other",
|
"expanded": "Uncategorised",
|
||||||
"value": "other"
|
"value": "other"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "The categorisation of the incident is unknown/undetermined.",
|
||||||
|
"expanded": "Undetermined",
|
||||||
|
"value": "undetermined"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"predicate": "other"
|
"predicate": "other"
|
||||||
|
@ -258,7 +273,7 @@
|
||||||
"value": "intrusion-attempts"
|
"value": "intrusion-attempts"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. Also includes being part of a botnet.",
|
"description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorised local access. Also includes being part of a botnet.",
|
||||||
"expanded": "Intrusions",
|
"expanded": "Intrusions",
|
||||||
"value": "intrusions"
|
"value": "intrusions"
|
||||||
},
|
},
|
||||||
|
@ -293,7 +308,7 @@
|
||||||
"value": "test"
|
"value": "test"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 3,
|
"version": 1002,
|
||||||
"description": "Reference Security Incident Classification Taxonomy",
|
"description": "Reference Security Incident Classification Taxonomy",
|
||||||
"namespace": "rsit"
|
"namespace": "rsit"
|
||||||
}
|
}
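Review bot: The `value` of the unauthorised-use entry changes from `"unauthorized-use-of-resources"` to `"unauthorised-use-of-resources"`, and since `value` is the machine-tag identifier rather than display text like `expanded`, any event or rule already tagged with the old value stops matching this taxonomy after the update. Spelling normalisation is harmless in `description` and `expanded`, but the `value` should remain `"unauthorized-use-of-resources"`, or the rename must be called out as a breaking change next to the `version` bump so consumers can migrate existing tags. Separately, the new wording `"Discretization or discrimination of somebody, ..."` replaces "Discreditation" with an unrelated word; the old side's `Discreditation` appears to be the intended term and should be restored in that description.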
|
||||||