diff --git a/MANIFEST.json b/MANIFEST.json
index da8a7fe..87e1de6 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -543,6 +543,11 @@
 "name": "tlp",
 "version": 5
 },
+ {
+ "description": "The Indicators of Trust provide insight on data about what can be trusted",
+ "name": "trust",
+ "version": 1
+ },
 {
 "description": "Taxonomy to describe Tor network infrastructure",
 "name": "tor",
diff --git a/README.md b/README.md
index a3077fd..a4de5a5 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ bfuscation techniques. This taxonomy lists all the known or official packer used
 - [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
 - [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer.](./targeted-threat-index)
 - [TLP - Traffic Light Protocol](./tlp)
+- [Trust - Indicators of Trust](./trust)
 - [Type](./type)
 - [Vocabulaire des probabilités estimatives](./vocabulaire-des-probabilites-estimatives)
 - Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
@@ -180,6 +181,10 @@ The Permissible Actions Protocol - or short: PAP - was designed to indicate how
 The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.
+### [Trust - Indicators of Trust](./trust)
+
+The Trust Taxonomy provides a way to use Indicators of Trust within MISP to get insight on data about what can be trusted. Similar to a whitelist but on steroids, leveraging MISP features one would use with Inidicators of Compromise, but to filter out what is known to be good.
+
 ### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
 Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/).
diff --git a/trust/machinetag.json b/trust/machinetag.json
new file mode 100644
index 0000000..69313ae
--- /dev/null
+++ b/trust/machinetag.json
@@ -0,0 +1,89 @@
+{
+ "version": 1,
+ "description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
+ "expanded": "Indicators of Trust",
+ "namespace": "trust",
+ "exclusive": true,
+ "predicates": [
+ {
+ "value": "trust",
+ "expanded": "How much trust the analyst has with this indicator."
+ },
+ {
+ "value": "frequency",
+ "expanded": "Recency/count of occurence at which the indicator occurs in data."
+ },
+ {
+ "value": "valid",
+ "expanded": "Whether this indicator was pushed as trusted but cannot be trusted (ie. MD5 cannot be valid because it is cryptographically broken)."
+ }
+ ],
+ "values": [
+ {
+ "predicate": "trust",
+ "entry": [
+ {
+ "value": "unknown",
+ "expanded": "Unknown Confidence State"
+ },
+ {
+ "value": "none",
+ "expanded": "Cannot Trust, no confidence"
+ },
+ {
+ "value": "partial",
+ "expanded": "Low confidence"
+ },
+ {
+ "value": "relationship",
+ "expanded": "Inherited Full Trust by a third party that we trust"
+ },
+ {
+ "value": "full",
+ "expanded": "We fully trust it"
+ }
+ ]
+ },
+ {
+ "predicate": "frequency",
+ "entry": [
+ {
+ "value": "hourly",
+ "expanded": "This attribute is likely to happen at an hourly interval"
+ },
+ {
+ "value": "daily",
+ "expanded": "This attribute is likely to happen at a daily interval"
+ },
+ {
+ "value": "weekly",
+ "expanded": "This attribute is likely to happen at a weekly interval"
+ },
+ {
+ "value": "monthly",
+ "expanded": "This attribute is likely to happen at a monthly interval"
+ },
+ {
+ "value": "yearly",
+ "expanded": "Thie attribute is likely to happen at a yearly interval"
+ }
+ ]
+ },
+ {
+ "predicate": "valid",
+ "entry": [
+ {
+ "value": "true",
+ "expanded": "This Trust is valid"
+ },
+ {
+ "value": "false",
+ "expanded": "This trust is invalid. Such as a MD5 Hash etc."
+ }
+ ]
+ }
+ ],
+ "refs": [
+ "https://trust.fyi/"
+ ]
+}
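Review bot: The top-level `"exclusive": true` covers the whole `trust` namespace, yet the three predicates (`trust`, `frequency`, `valid`) describe independent properties that an analyst would normally want to set together on one attribute. If MISP enforces namespace-level exclusivity the way I read the taxonomy format, an attribute could not carry both `trust:trust="full"` and `trust:valid="false"`, which hides exactly the case the `valid` predicate is there to flag. I would drop the namespace-level flag and set `"exclusive": true` on each of the three objects in `predicates` instead. Separately, the `expanded` text of the `valid` predicate describes the invalid case ("pushed as trusted but cannot be trusted") while `valid="true"` means the opposite. Because these tags are meant to filter data out of detection, an inverted reading is costly; wording such as `"Whether the trust assertion is technically sound (e.g. not based on a broken hash such as MD5)."` would remove the ambiguity.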