From 92d4d18c1594ac95d86e79183d42fe57e3143d80 Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Tue, 12 Apr 2022 16:12:02 +0200
Subject: [PATCH 1/5] Add machinetag.json GrayZone of Active Defense, originaly published by Washington University, v2 created and updated by DCG420
---
 GrayZone/machinetag.json | 228 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 228 insertions(+)
 create mode 100644 GrayZone/machinetag.json
diff --git a/GrayZone/machinetag.json b/GrayZone/machinetag.json
new file mode 100644
index 0000000..acc0274
--- /dev/null
+++ b/GrayZone/machinetag.json
@@ -0,0 +1,228 @@
+{
+ "namespace": "GrayZone",
+ "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
+ "version": 2,
+
+ "predicates":[
+ {
+ "value": "Adversary Emulation",
+ "expanded": ""
+ },
+ {
+ "value": "Beacons",
+ "expanded": ""
+ },
+ {
+ "value": "Deterrence",
+ "expanded": ""
+ },
+ {
+ "value": "Deception",
+ "expanded": ""
+ },
+ {
+ "value": "Tarpits, Sandboxes and Honeypots",
+ "expanded": ""
+ },
+ {
+ "value": "Threat Intelligence",
+ "expanded": ""
+ },
+ {
+ "value": "Threat Hunting",
+ "expanded": ""
+ },
+ {
+ "value": "Adversary Takedowns",
+ "expanded": ""
+ },
+ {
+ "value": "Ransomware",
+ "expanded": ""
+ },
+ {
+ "value": "Rescue Missions",
+ "expanded": ""
+ },
+ {
+ "value": "Sanctions, Indictments & Trade Remedies",
+ "expanded": ""
+ }
+ ],
+ "values": [{
+ "predicate": "Adversary Emulation",
+ "entry": [{
+ "value": "Threat Modeling",
+ "expanded": "Arch threat modeling",
+ "description": "Modeling threat in services or/and in applications"
+ },
+ {
+ "value": "Purple Teaming",
+ "expanded": "Purple team colaboration",
+ "description": "Colaboration between red and blue team"
+ },
+ {
+ "value": "Blue Team",
+ "expanded": "Blue Team activities",
+ "description": "Defenders team actins, TTPs etc."
+ },
+ {
+ "value": "Red Team",
+ "expanded": "Red Team activities",
+ "description": "Actionns, TTPs etc.of Red Team"
+ }
+ ]
+ },
+ {
+ "predicate": "Beacons",
+ "entry": [{
+ "value": "Inform",
+ "expanded": "Information from beacon",
+ "description": "Provide defender with informations about beacon user, intentional or not"
+ },
+ {
+ "value": "Notify",
+ "expanded": "Notification from beacon",
+ "description": "Beacon will just send alert, that has been accessed"
+ }
+ ]
+ },
+ {
+ "predicate": "Deterrence",
+ "entry": [{
+ "value": "by Retaliation",
+ "expanded": "Retaliation risk",
+ "description": "Adversary is threatened by retaliation if it will continue in actions"
+ },
+ {
+ "value": "by Denial",
+ "expanded": "Risk of Denial",
+ "description": "Deny action ever happened - example: if the atribution is important for adversary"
+ },
+ {
+ "value": "by Entanglement",
+ "expanded": "Risk of reputation loss",
+ "description": "By continuing in action adversary may be exhibited to punishment from defenders ally"
+ }
+ ]
+ },
+ {
+ "predicate": "Deception",
+ "entry": [{
+ "value": "Deception",
+ "expanded": "Deceptive actions",
+ "description": "Confuse adversary by deception, can be either whole campaign or just simple word in internal manuals"
+ },
+ {
+ "value": "Denial",
+ "expanded": "Supress anything",
+ "description": "You can deny any part of infrastructure or whole including servers, personal computers, users, machine accounts etc."
+ },
+ {
+ "value": "CounterDeception",
+ "expanded": "Answer to deception",
+ "description": "Answer to deception from adversary is counterdeception, for example: answer to phish with shadow user account to uncover next adversary actions"
+ },
+ {
+ "value": "Counter-Deception",
+ "expanded": "Active counterdeception",
+ "description": "Answer to adversary ddeception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)"
+ }
+ ]
+ },
+ {
+ "predicate": "Tarpits, Sandboxes and Honeypots",
+ "entry": [{
+ "value": "Honeypots",
+ "expanded": "Honeypots",
+ "description": "Emulating technical resources as services or whole meachines or identities"
+ },
+ {
+ "value": "Sandboxes",
+ "expanded": "Sandboxes",
+ "description": "Place for secure detonation of anything"
+ },
+ {
+ "value": "Tarpits",
+ "expanded": "Slow Downs",
+ "description": "You can slow adversary from action for example by sending slow responses to request"
+ }
+ ]
+ },
+ {
+ "predicate": "Threat Intelligence",
+ "entry": [{
+ "value": "Passive - OSINT",
+ "expanded": "OpenSourceINTelligence",
+ "description": "Use of OSINT for creating of Threat Intelligence"
+ },
+ {
+ "value": "Pasive - platforms",
+ "expanded": "Platforms for TI",
+ "description": "Save, share and colaborate on threat inelligence platforms"
+ },
+ {
+ "value": "Counter-Intelligence public",
+ "expanded": "Counter Intelligence",
+ "description": "Active retrieval of Threat Intelligence for purpose of defense collected with available public resources - example: active monitoring of web services to uncover action before happen (forum hacktivist group)"
+ },
+ {
+ "value": "Counter-Intelligence government",
+ "expanded": "Counter Intelligence",
+ "description": "Active retrieval of Threat Intelligence for purpose of defense collected with non-public resources - example: cooperation between secret services in EU"
+ }
+ ]
+ },
+ {
+ "predicate": "Threat Hunting",
+ "entry": [{
+ "value": "Threat Hunting",
+ "expanded": "Threat Hunting",
+ "description": "Threat Hunting is actovoty of active search for possible signs of adversary in environment"
+ }]
+ },
+ {
+ "predicate": "Adversary Takedowns",
+ "entry": [{
+ "value": "Botnet Takedowns",
+ "expanded": "Botnet Takedowns",
+ "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ },
+ {
+ "value": "Domain Takedowns",
+ "expanded": "Domain Takedowns",
+ "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ },
+ {
+ "value": "Infrastructure Takedowns",
+ "expanded": "Whole environment takedowns",
+ "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ }
+ ]
+ },
+ {
+ "predicate": "Ransomware",
+ "entry": [{
+ "value": "Ransomware",
+ "expanded": "Ransmware by defenders",
+ "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ }]
+ },
+ {
+ "predicate": "Rescue Missions",
+ "entry": [{
+ "value": "Rescue Missions",
+ "expanded": "Rescue Missions",
+ "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ }]
+ },
+ {
+ "predicate": "Sanctions, Indictments & Trade Remedies",
+ "entry": [{
+ "value": "Sanctions, Indictments & Trade Remedies",
+ "expanded": "Business and diplomatic actions and counteractions",
+ "description": "Activity with approval of legal gevernmental entities ie. courts, states, governments to stop unwanted actions or prevent them"
+ }]
+ }
+ ]
+}
From b62e125310d74a8e94994928918ab734d635b37d Mon Sep 17 00:00:00 2001
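Review bot: Under the `Deception` predicate the new file defines both `CounterDeception` and `Counter-Deception` as separate values, differing only by a hyphen while both descriptions describe answering adversary deception, so the resulting tags `GrayZone:Deception="CounterDeception"` and `GrayZone:Deception="Counter-Deception"` will be confused with each other when applied or searched. Either merge them or rename one to carry the distinction the descriptions hint at (reactive versus active), e.g. `"value": "Active Counter-Deception"`; patch 2 of this series rewrites both descriptions without resolving this. Likewise `Counter-Intelligence public` and `Counter-Intelligence government` share the identical `expanded` label `"Counter Intelligence"`, and the five entries from `Botnet Takedowns` through `Rescue Missions` repeat one generic description verbatim, so the `Ransomware` entry never states what "Ransmware by defenders" is meant to cover. The typos and the empty predicate-level `expanded` strings are addressed by later patches in this series, so I am not repeating those here.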
From: Alexandre Dulaunoy
Date: Fri, 29 Apr 2022 08:28:28 +0200
Subject: [PATCH 2/5] chg: [clean-up] some clean-up, typo and JSON forms. Open question: what's the original reference of the document? Is it this one https://cynergia.mx/wp-content/uploads/2016/12/CCHS-ActiveDefenseReportFINAL.pdf ? Some elements are missing in the taxonomy.
---
 GrayZone/machinetag.json | 147 +++++++++++++++++++++------------
 1 file changed, 81 insertions(+), 66 deletions(-)
diff --git a/GrayZone/machinetag.json b/GrayZone/machinetag.json
index acc0274..4071b64 100644
--- a/GrayZone/machinetag.json
+++ b/GrayZone/machinetag.json
@@ -2,80 +2,82 @@
 "namespace": "GrayZone",
 "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
 "version": 2,
-
- "predicates":[
+ "predicates": [
 {
- "value": "Adversary Emulation",
- "expanded": ""
+ "value": "Adversary Emulation",
+ "expanded": ""
 },
 {
- "value": "Beacons",
- "expanded": ""
+ "value": "Beacons",
+ "expanded": ""
 },
 {
- "value": "Deterrence",
- "expanded": ""
+ "value": "Deterrence",
+ "expanded": ""
 },
 {
- "value": "Deception",
- "expanded": ""
+ "value": "Deception",
+ "expanded": ""
 },
 {
- "value": "Tarpits, Sandboxes and Honeypots",
- "expanded": ""
+ "value": "Tarpits, Sandboxes and Honeypots",
+ "expanded": ""
 },
 {
- "value": "Threat Intelligence",
- "expanded": ""
+ "value": "Threat Intelligence",
+ "expanded": ""
 },
 {
- "value": "Threat Hunting",
- "expanded": ""
+ "value": "Threat Hunting",
+ "expanded": ""
 },
 {
- "value": "Adversary Takedowns",
- "expanded": ""
+ "value": "Adversary Takedowns",
+ "expanded": ""
 },
 {
- "value": "Ransomware",
- "expanded": ""
+ "value": "Ransomware",
+ "expanded": ""
 },
 {
- "value": "Rescue Missions",
- "expanded": ""
+ "value": "Rescue Missions",
+ "expanded": ""
 },
 {
- "value": "Sanctions, Indictments & Trade Remedies",
- "expanded": ""
+ "value": "Sanctions, Indictments & Trade Remedies",
+ "expanded": ""
 }
 ],
- "values": [{
+ "values": [
+ {
 "predicate": "Adversary Emulation",
- "entry": [{
+ "entry": [
+ {
 "value": "Threat Modeling",
 "expanded": "Arch threat modeling",
 "description": "Modeling threat in services or/and in applications"
 },
 {
 "value": "Purple Teaming",
- "expanded": "Purple team colaboration",
- "description": "Colaboration between red and blue team"
+ "expanded": "Purple team collaboration",
+ "description": "Collaboration between red and blue team"
 },
 {
 "value": "Blue Team",
 "expanded": "Blue Team activities",
- "description": "Defenders team actins, TTPs etc."
+ "description": "Defenders team actions, TTPs etc."
 },
 {
 "value": "Red Team",
 "expanded": "Red Team activities",
- "description": "Actionns, TTPs etc.of Red Team"
+ "description": "Actions, TTPs etc.of Red Team"
 }
 ]
 },
 {
 "predicate": "Beacons",
- "entry": [{
+ "entry": [
+ {
 "value": "Inform",
 "expanded": "Information from beacon",
 "description": "Provide defender with informations about beacon user, intentional or not"
@@ -89,7 +91,8 @@
 },
 {
 "predicate": "Deterrence",
- "entry": [{
+ "entry": [
+ {
 "value": "by Retaliation",
 "expanded": "Retaliation risk",
 "description": "Adversary is threatened by retaliation if it will continue in actions"
@@ -97,7 +100,7 @@
 {
 "value": "by Denial",
 "expanded": "Risk of Denial",
- "description": "Deny action ever happened - example: if the atribution is important for adversary"
+ "description": "Deny action ever happened - example: if the attribution is important for adversary"
 },
 {
 "value": "by Entanglement",
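Review bot: The rewritten Red Team line in the first hunk still carries the missing space in `etc.of`, so the typo pass leaves `"description": "Actions, TTPs etc.of Red Team"` half fixed; it should read `"description": "Actions, TTPs etc. of Red Team"`. The unchanged context line for the `Inform` beacon entry also has `informations`, which could be folded into the same clean-up. The first hunk ends inside the `Beacons` entry array, so that array's closing lines are outside the hunk.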
@@ -108,34 +111,36 @@
 },
 {
 "predicate": "Deception",
- "entry": [{
+ "entry": [
+ {
 "value": "Deception",
 "expanded": "Deceptive actions",
 "description": "Confuse adversary by deception, can be either whole campaign or just simple word in internal manuals"
 },
 {
 "value": "Denial",
- "expanded": "Supress anything",
+ "expanded": "Suppress anything",
 "description": "You can deny any part of infrastructure or whole including servers, personal computers, users, machine accounts etc."
 },
 {
 "value": "CounterDeception",
 "expanded": "Answer to deception",
- "description": "Answer to deception from adversary is counterdeception, for example: answer to phish with shadow user account to uncover next adversary actions"
+ "description": "Answer to deception from adversary is counter-deception, for example: answer to phish with shadow user account to uncover next adversary actions"
 },
 {
 "value": "Counter-Deception",
 "expanded": "Active counterdeception",
- "description": "Answer to adversary ddeception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)"
+ "description": "Answer to adversary deception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)"
 }
 ]
 },
 {
 "predicate": "Tarpits, Sandboxes and Honeypots",
- "entry": [{
+ "entry": [
+ {
 "value": "Honeypots",
 "expanded": "Honeypots",
- "description": "Emulating technical resources as services or whole meachines or identities"
+ "description": "Emulating technical resources as services or whole machines or identities"
 },
 {
 "value": "Sandboxes",
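Review bot: The rewritten `Counter-Deception` description keeps `goal(extraction)` without a space and the capitalised `You` that the other descriptions do not use, so the clean-up is incomplete on that line; `if you know the adversary goal (extraction) you can plant documents` would match the rest of the file. The same hunk still leaves `CounterDeception` and `Counter-Deception` as two values told apart only by a hyphen, which this pass over their descriptions would have been the natural place to resolve.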
@@ -151,15 +156,16 @@
 },
 {
 "predicate": "Threat Intelligence",
- "entry": [{
+ "entry": [
+ {
 "value": "Passive - OSINT",
 "expanded": "OpenSourceINTelligence",
 "description": "Use of OSINT for creating of Threat Intelligence"
 },
 {
- "value": "Pasive - platforms",
+ "value": "Passive - platforms",
 "expanded": "Platforms for TI",
- "description": "Save, share and colaborate on threat inelligence platforms"
+ "description": "Save, share and collaborate on threat intelligence platforms"
 },
 {
 "value": "Counter-Intelligence public",
@@ -175,54 +181,63 @@
 },
 {
 "predicate": "Threat Hunting",
- "entry": [{
- "value": "Threat Hunting",
- "expanded": "Threat Hunting",
- "description": "Threat Hunting is actovoty of active search for possible signs of adversary in environment"
- }]
+ "entry": [
+ {
+ "value": "Threat Hunting",
+ "expanded": "Threat Hunting",
+ "description": "Threat Hunting is the activity of active search for possible signs of adversary in environment"
+ }
+ ]
 },
 {
 "predicate": "Adversary Takedowns",
- "entry": [{
+ "entry": [
+ {
 "value": "Botnet Takedowns",
 "expanded": "Botnet Takedowns",
- "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
 },
 {
 "value": "Domain Takedowns",
 "expanded": "Domain Takedowns",
- "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
 },
 {
 "value": "Infrastructure Takedowns",
 "expanded": "Whole environment takedowns",
- "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
+ "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
 }
 ]
 },
 {
 "predicate": "Ransomware",
- "entry": [{
- "value": "Ransomware",
- "expanded": "Ransmware by defenders",
- "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
- }]
+ "entry": [
+ {
+ "value": "Ransomware",
+ "expanded": "Ransomware by defenders",
+ "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
+ }
+ ]
 },
 {
 "predicate": "Rescue Missions",
- "entry": [{
- "value": "Rescue Missions",
- "expanded": "Rescue Missions",
- "description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them"
- }]
+ "entry": [
+ {
+ "value": "Rescue Missions",
+ "expanded": "Rescue Missions",
+ "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
+ }
+ ]
 },
 {
 "predicate": "Sanctions, Indictments & Trade Remedies",
- "entry": [{
- "value": "Sanctions, Indictments & Trade Remedies",
- "expanded": "Business and diplomatic actions and counteractions",
- "description": "Activity with approval of legal gevernmental entities ie. courts, states, governments to stop unwanted actions or prevent them"
- }]
+ "entry": [
+ {
+ "value": "Sanctions, Indictments & Trade Remedies",
+ "expanded": "Business and diplomatic actions and counteractions",
+ "description": "Activity with approval of legal governmental entities ie. courts, states, governments to stop unwanted actions or prevent them"
+ }
+ ]
 }
 ]
 }
From 7b47d136c2817c616dffdabfabe538e6cb9bc882 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 29 Apr 2022 08:35:26 +0200
Subject: [PATCH 3/5] chg: [manifest] updated
---
 MANIFEST.json | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index ce6fb38..bb05178 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
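Review bot: The rewritten description lines in this hunk fix `governmental` but keep `ie.` where `i.e.` is meant, and the same sentence is repeated verbatim on the new side for `Botnet Takedowns`, `Domain Takedowns`, `Infrastructure Takedowns`, `Ransomware` and `Rescue Missions`, so none of those entries actually describes its own value. The `Ransomware` entry, now expanded as `"Ransomware by defenders"`, is the one most in need of its own wording, since a reader cannot tell from the copied takedown text what defender-side activity the tag is supposed to mark. Because these descriptions are the only documentation the tags carry, one sentence per entry saying what sets it apart from its siblings is worth adding while the lines are already being rewritten.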
@@ -18,6 +18,11 @@
 "name": "DML",
 "version": 1
 },
+ {
+ "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
+ "name": "GrayZone",
+ "version": 2
+ },
 {
 "description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",
 "name": "PAP",
@@ -269,9 +274,9 @@
 "version": 10
 },
 {
- "description": "Reasons why an event has been extended. ",
+ "description": "Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf",
 "name": "extended-event",
- "version": 1
+ "version": 2
 },
 {
 "description": "The purpose of this taxonomy is to jointly tabulate both the of these failure modes in a single place. Intentional failures wherein the failure is caused by an active adversary attempting to subvert the system to attain her goals – either to misclassify the result, infer private training data, or to steal the underlying algorithm. Unintentional failures wherein the failure is because an ML system produces a formally correct but completely unsafe outcome.",
@@ -680,5 +685,5 @@
 }
 ],
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
- "version": "20220314"
+ "version": "20220429"
 }
From a29b08ef77a94b51db64743fbff22c926b65884c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 29 Apr 2022 08:40:47 +0200
Subject: [PATCH 4/5] chg: [GrayZone] fixes
---
 GrayZone/machinetag.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/GrayZone/machinetag.json b/GrayZone/machinetag.json
index 4071b64..7fc0c56 100644
--- a/GrayZone/machinetag.json
+++ b/GrayZone/machinetag.json
@@ -1,51 +1,51 @@
 {
 "namespace": "GrayZone",
 "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
- "version": 2,
+ "version": 3,
 "predicates": [
 {
 "value": "Adversary Emulation",
- "expanded": ""
+ "expanded": "Adversary Emulation"
 },
 {
 "value": "Beacons",
- "expanded": ""
+ "expanded": "Beacons"
 },
 {
 "value": "Deterrence",
- "expanded": ""
+ "expanded": "Deterrence"
 },
 {
 "value": "Deception",
- "expanded": ""
+ "expanded": "Deception"
 },
 {
 "value": "Tarpits, Sandboxes and Honeypots",
- "expanded": ""
+ "expanded": "Tarpits, Sandboxes and Honeypots"
 },
 {
 "value": "Threat Intelligence",
- "expanded": ""
+ "expanded": "Threat Intelligence"
 },
 {
 "value": "Threat Hunting",
- "expanded": ""
+ "expanded": "Threat Hunting"
 },
 {
 "value": "Adversary Takedowns",
- "expanded": ""
+ "expanded": "Adversary Takedowns"
 },
 {
 "value": "Ransomware",
- "expanded": ""
+ "expanded": "Ransomware"
 },
 {
 "value": "Rescue Missions",
- "expanded": ""
+ "expanded": "Rescue Missions"
 },
 {
 "value": "Sanctions, Indictments & Trade Remedies",
- "expanded": ""
+ "expanded": "Sanctions, Indictments & Trade Remedies"
 }
 ],
 "values": [
From d22887f55e28c48b58b981fa011a6d6222de5dc7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 29 Apr 2022 08:41:32 +0200
Subject: [PATCH 5/5] chg: [manifest] updated
---
 MANIFEST.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index bb05178..cd6883f 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
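Review bot: Filling every predicate's `expanded` with a copy of its `value` gives the displayed label no more information than the tag already carries, so the predicates stay undocumented while each entry beneath them has a description. If the intent is only to avoid empty strings this is fine, but otherwise a predicate-level `description` (a key other taxonomies in this repository use next to `value` and `expanded`) is the place to state what e.g. `Deterrence` or `Rescue Missions` covers. This hunk also bumps `version` to 3 while the matching MANIFEST.json entry is raised to 3 only in the following commit, so the two files disagree between these two commits; squashing them would keep the history consistent.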
@@ -21,7 +21,7 @@
 {
 "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
 "name": "GrayZone",
- "version": 2
+ "version": 3
 },
 {
 "description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",