From f36edde0945ceea750b6ebca64f95b1d8acdb752 Mon Sep 17 00:00:00 2001
From: Sebastien Tricaud
Date: Mon, 13 Apr 2020 18:22:27 -0700
Subject: [PATCH 1/4] Adding the Taxonomy for Trust
---
 trust/machinetag.json | 89 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 trust/machinetag.json
diff --git a/trust/machinetag.json b/trust/machinetag.json
new file mode 100644
index 0000000..b5c7b4e
--- /dev/null
+++ b/trust/machinetag.json
@@ -0,0 +1,89 @@
+{
+ "version": 1,
+ "description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
+ "expanded": "Indicators of Trust",
+ "namespace": "trust",
+ "exclusive": true,
+ "predicates": [
+ {
+ "value": "trust",
+ "expanded": "How much trust the analyst has with this indicator."
+ },
+ {
+ "value": "frequency",
+ "expanded": "Recency/count of occurence at which the indicator occurs in data."
+ },
+ {
+ "value": "valid",
+ "expanded": "Whether this indicator was pushed as trusted but cannot be trusted (ie. MD5 cannot be valid because it is cryptographically broken)."
+ }
+ ],
+ "values": [
+ {
+ "predicate": "trust",
+ "entry": [
+ {
+ "value": "unknown",
+ "expanded": "Unknown Confidence State"
+ },
+ {
+ "value": "none",
+ "expanded": "Cannot Trust, no confidence"
+ },
+ {
+ "value": "partial",
+ "expanded": "Low confidence"
+ },
+ {
+ "value": "relationship",
+ "expanded": "Inherited Full Trust by a third party that we trust"
+ },
+ {
+ "value": "full",
+ "expanded": "We fully trust it"
+ }
+ ]
+ },
+ {
+ "predicate": "frequency",
+ "entry": [
+ {
+ "value": "hourly",
+ "expanded": "This attribute is likely to happen at an hourly interval"
+ },
+ {
+ "value": "daily",
+ "expanded": "This attribute is likely to happen at a daily interval"
+ },
+ {
+ "value": "weekly",
+ "expanded": "This attribute is likely to happen at a weekly interval"
+ },
+ {
+ "value": "monthly",
+ "expanded": "This attribute is likely to happen at a monthly interval"
+ },
+ {
+ "value": "yearly",
+ "expanded": "Thie attribute is likely to happen at a yearly interval"
+ }
+ ]
+ },
+ {
+ "predicate": "valid",
+ "entry": [
+ {
+ "value": "true",
+ "expanded": "This Trust is valid"
+ },
+ {
+ "value": "false",
+ "expanded": "This trust is invalid. Such as a MD5 Hash etc."
+ }
+ ]
+ }
+ ],
+ "refs": [
+ "https://trust.fyi/"
+ ]
+}
From d34502fad767896a1e19b9763b3353071e84c83d Mon Sep 17 00:00:00 2001
From: Sebastien Tricaud
Date: Mon, 13 Apr 2020 18:27:57 -0700
Subject: [PATCH 2/4] Change the README
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index a3077fd..a4de5a5 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ bfuscation techniques. This taxonomy lists all the known or official packer used - [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP) - [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer.](./targeted-threat-index) - [TLP - Traffic Light Protocol](./tlp) +- [Trust - Indicators of Trust](./trust) - [Type](./type) - [Vocabulaire des probabilités estimatives](./vocabulaire-des-probabilites-estimatives) - Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
@@ -180,6 +181,10 @@ The Permissible Actions Protocol - or short: PAP - was designed to indicate how The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. +### [Trust - Indicators of Trust](./trust) + +The Trust Taxonomy provides a way to use Indicators of Trust within MISP to get insight on data about what can be trusted. Similar to a whitelist but on steroids, leveraging MISP features one would use with Inidicators of Compromise, but to filter out what is known to be good. + ### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris) Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/).
From 3dd06b302e751949cc462a3588a7ba9eef262e42 Mon Sep 17 00:00:00 2001
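Review bot: In the new `trust/machinetag.json`, the `valid` predicate's `expanded` text reads inverted relative to its values: the predicate says "Whether this indicator was pushed as trusted but cannot be trusted", while `valid="true"` expands to "This Trust is valid", so an analyst who sees only the predicate text could take `true` to mean untrustworthy. Because this taxonomy is meant to filter known-good data out of what gets examined, that ambiguity can end up excluding the wrong entries; I would reword the predicate along the lines of `"expanded": "Whether the trust assertion can hold for this indicator type (e.g. it cannot for an MD5 hash, because MD5 is cryptographically broken)."`. Separately, `"exclusive": true` is set at namespace level, which as I read the MISP taxonomy format makes the three predicates mutually exclusive, so one attribute could not carry a trust level together with a frequency and a validity tag; it probably belongs on each predicate entry instead. The typos "occurence" and "Thie attribute" in the `frequency` strings should be fixed as well, and the same strings reappear unchanged in the re-indented hunk of PATCH 4/4.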
From: Sebastien Tricaud
Date: Mon, 13 Apr 2020 18:29:26 -0700
Subject: [PATCH 3/4] Adding the trust taxonomy to the MANIFEST
---
 MANIFEST.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/MANIFEST.json b/MANIFEST.json
index da8a7fe..87e1de6 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -543,6 +543,11 @@
 "name": "tlp",
 "version": 5
 },
+ {
+ "description": "The Indicators of Trust provide insight on data about what can be trusted",
+ "name": "trust",
+ "version": 1
+ },
 {
 "description": "Taxonomy to describe Tor network infrastructure",
 "name": "tor",
From 9dbd12eccb5c3d2b16fa60cba07143951c89e9b6 Mon Sep 17 00:00:00 2001
From: Sebastien Tricaud
Date: Mon, 13 Apr 2020 18:30:06 -0700
Subject: [PATCH 4/4] After running ./jq_all_the_things.sh
---
 trust/machinetag.json | 174 +++++++++++++++++++++---------------------
 1 file changed, 87 insertions(+), 87 deletions(-)
diff --git a/trust/machinetag.json b/trust/machinetag.json
index b5c7b4e..69313ae 100644
--- a/trust/machinetag.json
+++ b/trust/machinetag.json
@@ -1,89 +1,89 @@ { - "version": 1, - "description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.", - "expanded": "Indicators of Trust", - "namespace": "trust", - "exclusive": true, - "predicates": [ - { - "value": "trust", - "expanded": "How much trust the analyst has with this indicator." - }, - { - "value": "frequency", - "expanded": "Recency/count of occurence at which the indicator occurs in data." - }, - { - "value": "valid", - "expanded": "Whether this indicator was pushed as trusted but cannot be trusted (ie. MD5 cannot be valid because it is cryptographically broken)." - } - ], - "values": [ - { - "predicate": "trust", - "entry": [ - { - "value": "unknown", - "expanded": "Unknown Confidence State" - }, - { - "value": "none", - "expanded": "Cannot Trust, no confidence" - }, - { - "value": "partial", - "expanded": "Low confidence" - }, - { - "value": "relationship", - "expanded": "Inherited Full Trust by a third party that we trust" - }, - { - "value": "full", - "expanded": "We fully trust it" - } - ] - }, - { - "predicate": "frequency", - "entry": [ - { - "value": "hourly", - "expanded": "This attribute is likely to happen at an hourly interval" - }, - { - "value": "daily", - "expanded": "This attribute is likely to happen at a daily interval" - }, - { - "value": "weekly", - "expanded": "This attribute is likely to happen at a weekly interval" - }, - { - "value": "monthly", - "expanded": "This attribute is likely to happen at a monthly interval" - }, - { - "value": "yearly", - "expanded": "Thie attribute is likely to happen at a yearly interval" - } - ] - }, - { - "predicate": "valid", - "entry": [ - { - "value": "true", - "expanded": "This Trust is valid" - }, - { - "value": "false", - "expanded": "This trust is invalid. Such as a MD5 Hash etc." 
- } - ] - } - ], - "refs": [ - "https://trust.fyi/" - ] + "version": 1, + "description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.", + "expanded": "Indicators of Trust", + "namespace": "trust", + "exclusive": true, + "predicates": [ + { + "value": "trust", + "expanded": "How much trust the analyst has with this indicator." + }, + { + "value": "frequency", + "expanded": "Recency/count of occurence at which the indicator occurs in data." + }, + { + "value": "valid", + "expanded": "Whether this indicator was pushed as trusted but cannot be trusted (ie. MD5 cannot be valid because it is cryptographically broken)." + } + ], + "values": [ + { + "predicate": "trust", + "entry": [ + { + "value": "unknown", + "expanded": "Unknown Confidence State" + }, + { + "value": "none", + "expanded": "Cannot Trust, no confidence" + }, + { + "value": "partial", + "expanded": "Low confidence" + }, + { + "value": "relationship", + "expanded": "Inherited Full Trust by a third party that we trust" + }, + { + "value": "full", + "expanded": "We fully trust it" + } + ] + }, + { + "predicate": "frequency", + "entry": [ + { + "value": "hourly", + "expanded": "This attribute is likely to happen at an hourly interval" + }, + { + "value": "daily", + "expanded": "This attribute is likely to happen at a daily interval" + }, + { + "value": "weekly", + "expanded": "This attribute is likely to happen at a weekly interval" + }, + { + "value": "monthly", + "expanded": "This attribute is likely to happen at a monthly interval" + }, + { + "value": "yearly", + "expanded": "Thie attribute is likely to happen at a yearly interval" + } + ] + }, + { + "predicate": "valid", + "entry": [ + { + "value": "true", + "expanded": "This Trust is valid" + }, + { + "value": "false", + "expanded": "This trust is invalid. 
Such as a MD5 Hash etc." + } + ] + } + ], + "refs": [ + "https://trust.fyi/" + ] }