From 3099290e4c34feba97136f9ec026f79cbac2efe5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 13 Feb 2017 12:02:51 +0100 Subject: [PATCH] JQ all the things --- MANIFEST.json | 8 +- adversary/machinetag.json | 16 +- csirt_case_classification/machinetag.json | 1 - dhs-ciip-sectors/machinetag.json | 146 ++- diamond-model/machinetag.json | 4 +- domain-abuse/machinetag.json | 22 +- enisa/machinetag.json | 1067 ++++++++--------- eu-marketop-and-publicadmin/machinetag.json | 142 ++- europol-incident/machinetag.json | 362 +++--- .../machinetag.json | 27 +- jq_all_the_things.sh | 2 +- malware_classification/machinetag.json | 5 +- misp/machinetag.json | 50 +- passivetotal/machinetag.json | 154 +-- stix-ttp/machinetag.json | 225 ++-- 15 files changed, 1141 insertions(+), 1090 deletions(-) diff --git a/MANIFEST.json b/MANIFEST.json index 6f4b4c4..73001e5 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -40,7 +40,7 @@ "name": "dni-ism", "version": 3 }, - { + { "description": "Taxonomy to tag domain names used for cybercrime.", "name": "domain-abuse", "version": 1 @@ -166,9 +166,9 @@ "version": 1 }, { - "description" : "Tags for RiskIQ's passivetotal service", - "name" : "passivetotal", - "version" : 1 + "description": "Tags for RiskIQ's passivetotal service", + "name": "passivetotal", + "version": 1 } ] } diff --git a/adversary/machinetag.json b/adversary/machinetag.json index e73b765..75c0f80 100644 --- a/adversary/machinetag.json +++ b/adversary/machinetag.json @@ -38,9 +38,9 @@ } ] }, - { - "predicate": "infrastructure-action", - "entry": [ + { + "predicate": "infrastructure-action", + "entry": [ { "value": "passive-only", "expanded": "Only passive requests shall be performed to avoid detection by the adversary" 
@@ -57,11 +57,11 @@ "value": "pending-law-enforcement-request", "expanded": "Law enforcement requests are ongoing on the adversary infrastructure" } - ] - }, + ] + }, { - "predicate": "infrastructure-state", - "entry": [ + "predicate": "infrastructure-state", + "entry": [ { "value": "unknown", "expanded": "Infrastructure state is unknown or cannot be evaluated" @@ -74,7 +74,7 @@ "value": "down", "expanded": "Infrastructure state is known to be down" } - ] + ] }, { "predicate": "infrastructure-type", diff --git a/csirt_case_classification/machinetag.json b/csirt_case_classification/machinetag.json index 7a13c57..6f304ef 100644 --- a/csirt_case_classification/machinetag.json +++ b/csirt_case_classification/machinetag.json @@ -102,4 +102,3 @@ } ] } - diff --git a/dhs-ciip-sectors/machinetag.json b/dhs-ciip-sectors/machinetag.json index cca7a2f..9e965ff 100644 --- a/dhs-ciip-sectors/machinetag.json +++ b/dhs-ciip-sectors/machinetag.json 
@@ -1,64 +1,86 @@ { - "namespace": "dhs-ciip-sectors", - "description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors", - "version": 2, - "predicates": [{ - "value": "DHS-critical-sectors", - "expanded": "DHS critical sectors" - }, { - "value": "sector", - "expanded": "Sector" - }], - "values": [{ - "predicate": "DHS-critical-sectors", - "entry": [{ - "value": "chemical", - "expanded": "Chemical" - }, { - "value": "commercial-facilities", - "expanded": "Commercial Facilities" - }, { - "value": "communications", - "expanded": "Communications" - }, { - "value": "critical-manufacturing", - "expanded": "Critical Manufacturing" - }, { - "value": "dams", - "expanded": "Dams" - }, { - "value": "dib", - "expanded": "Defense Industrial Base" - }, { - "value": "emergency-services", - "expanded": "Emergency services" - }, { - "value": "energy", - "expanded": "energy" - }, { - "value": "financial-services", - "expanded": "Financial Services" - }, { - "value": "food-agriculture", - "expanded": "Food and Agriculture" - }, { - "value": "government-facilities", - "expanded": "Government Facilities" - }, { - "value": "healthcare-public", - "expanded": "Healthcare and Public Health" - }, { - "value": "it", - "expanded": "Information Technology" - }, { - "value": "nuclear", - "expanded": "Nuclear" - }, { - "value": "transport", - "expanded": "Transportation Systems" - }, { - "value": "water", - "expanded": "Water and water systems" - }] - }] + "namespace": "dhs-ciip-sectors", + "description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors", + "version": 2, + "predicates": [ + { + "value": "DHS-critical-sectors", + "expanded": "DHS critical sectors" + }, + { + "value": "sector", + "expanded": "Sector" + } + ], + "values": [ + { + "predicate": "DHS-critical-sectors", + "entry": [ + { + "value": "chemical", + "expanded": "Chemical" + }, + { + "value": "commercial-facilities", + "expanded": "Commercial Facilities" + }, + 
{ + "value": "communications", + "expanded": "Communications" + }, + { + "value": "critical-manufacturing", + "expanded": "Critical Manufacturing" + }, + { + "value": "dams", + "expanded": "Dams" + }, + { + "value": "dib", + "expanded": "Defense Industrial Base" + }, + { + "value": "emergency-services", + "expanded": "Emergency services" + }, + { + "value": "energy", + "expanded": "energy" + }, + { + "value": "financial-services", + "expanded": "Financial Services" + }, + { + "value": "food-agriculture", + "expanded": "Food and Agriculture" + }, + { + "value": "government-facilities", + "expanded": "Government Facilities" + }, + { + "value": "healthcare-public", + "expanded": "Healthcare and Public Health" + }, + { + "value": "it", + "expanded": "Information Technology" + }, + { + "value": "nuclear", + "expanded": "Nuclear" + }, + { + "value": "transport", + "expanded": "Transportation Systems" + }, + { + "value": "water", + "expanded": "Water and water systems" + } + ] + } + ] } diff --git a/diamond-model/machinetag.json b/diamond-model/machinetag.json index fc6882e..f8e8947 100644 --- a/diamond-model/machinetag.json +++ b/diamond-model/machinetag.json @@ -3,7 +3,9 @@ "expanded": "Diamond Model for Intrusion Analysis", "description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.", "version": 1, - "ref": ["http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf"], + "ref": [ + "http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf" + ], "predicates": [ { "value": "Adversary", diff --git a/domain-abuse/machinetag.json b/domain-abuse/machinetag.json index 1ec527d..8ea4da5 100644 --- a/domain-abuse/machinetag.json +++ b/domain-abuse/machinetag.json 
@@ -22,9 +22,9 @@ { "value": "active", "expanded": "Registered & active", - "description": "Domain name is registered and DNS is delegated" + "description": "Domain name is registered and DNS is delegated" }, - { + { "value": "inactive", "expanded": "Registered & inactive", "description": "Domain name is registered and DNS is not delegated" @@ -34,17 +34,17 @@ "expanded": "Registered & suspended", "description": "Domain name is registered & DNS delegation is temporarily removed by the registry" }, - { + { "value": "not-registered", "expanded": "Not registered", "description": "Domain name is not registered and open for registration" }, - { + { "value": "not-registrable", "expanded": "Not registrable", "description": "Domain is not registered and cannot be registered" }, - { + { "value": "grace-period", "expanded": "Grace period", "description": "Domain is deleted and still reserved for previous owner" @@ -57,24 +57,24 @@ { "value": "criminal-registration", "expanded": "Criminal registration", - "description": "Domain name is registered for criminal purposes" + "description": "Domain name is registered for criminal purposes" }, { "value": "compromised-webserver", "expanded": "Compromised webserver", - "description": "Webserver is compromised for criminal purposes" + "description": "Webserver is compromised for criminal purposes" }, { "value": "compromised-dns", "expanded": "Compromised DNS", - "description": "Compromised authoritative DNS or compromised delegation" + "description": "Compromised authoritative DNS or compromised delegation" }, { "value": "sinkhole", "expanded": "Sinkhole", - "description": "Domain Name is sinkholed for research, detection, LE" + "description": "Domain Name is sinkholed for research, detection, LE" } - ] + ] } ] -} \ No newline at end of file +} diff --git a/enisa/machinetag.json b/enisa/machinetag.json index 7517f39..318525c 100644 --- a/enisa/machinetag.json +++ b/enisa/machinetag.json 
@@ -264,7 +264,7 @@ "description": "Threat of disruption of work of IT systems due to high or low temperature." }, { - "value": "threats-from-space-or-electromagnetic-storm", + "value": "threats-from-space-or-electromagnetic-storm", "expanded": "Threats from space / Electromagnetic storm", "description": "Threats of the negative impact of solar radiation to satellites and radio wave communication systems - electromagnetic storm." }, 
@@ -273,617 +273,616 @@ "expanded": "Wildlife", "description": "Threat of destruction of IT assets caused by animals: mice, rats, birds." } - ] + ] }, { "predicate": "failures-malfunction", "entry": [ - { - "value": "failure-of-devices-or-systems", - "expanded": "Failure of devices or systems", - "description": "Threat of failure of IT hardware and/or software assets or its parts." - }, - { + { + "value": "failure-of-devices-or-systems", + "expanded": "Failure of devices or systems", + "description": "Threat of failure of IT hardware and/or software assets or its parts." + }, + { "value": "failure-of-data-media", "expanded": "Failure of data media", "description": "Threat of failure of data media." - }, - { + }, + { "value": "hardware-failure", "expanded": "Hardware failure", "description": "Threat of failure of IT hardware." - }, - { + }, + { "value": "failure-of-applications-and-services", "expanded": "Failure of applications and services", "description": "Threat of failure of software/applications or services." - }, - { + }, + { "value": "failure-of-parts-of-devices-connectors-plug-ins", "expanded": "Failure of parts of devices (connectors, plug-ins)", "description": "Threat of failure of IT equipment or its part." - }, - { + }, + { "value": "failure-or-disruption-of-communication-links-communication networks", "expanded": "Failure or disruption of communication links (communication networks)", "description": "Threat of failure or malfunction of communications links." - - }, - { + }, + { "value": "failure-of-cable-networks", "expanded": "Failure of cable networks", "description": "Threat of failure of communications links due to problems with cable network." - }, - { + }, + { "value": "failure-of-wireless-networks", "expanded": "Failure of wireless networks", "description": "Threat of failure of communications links due to problems with wireless networks." 
- }, - { + }, + { "value": "failure-of-mobile-networks", "expanded": "Failure of mobile networks", "description": "Threat of failure of communications links due to problems with mobile networks." - }, - { + }, + { "value": "failure-or-disruption-of-main-supply", "expanded": "Failure or disruption of main supply", "description": "Threat of failure or disruption of supply required for information systems." - }, - { + }, + { "value": "failure-or-disruption-of-power-supply", "expanded": "Failure or disruption of power supply", "description": "Threat of failure or malfunction of power supply." - }, - { + }, + { "value": "failure-of-cooling-infrastructure", "expanded": "Failure of cooling infrastructure", "description": "Threat of failure of IT assets due to improper work of cooling infrastructure." - }, - { + }, + { "value": "failure-or-disruption-of-service-providers-supply-chain", "expanded": "Failure or disruption of service providers (supply chain)", "description": "Threat of failure or disruption of third party services required for proper operation of information systems." - }, - { + }, + { "value": "malfunction-of-equipment-devices-or-systems", "expanded": "Malfunction of equipment (devices or systems)", "description": "Threat of malfunction of IT hardware and/or software assets or its parts (i.e. improper working parameters, jamming, rebooting)." - } - ] + } + ] }, { "predicate": "outages", "entry": [ - { + { "value": "absence-of-personnel", "expanded": "Absence of personnel", "description": "Unavailability of key personnel and their competences." - }, - { + }, + { "value": "strike", "expanded": "Strike", "description": "Unavailability of staff due to a strike (large scale absence of personnel)." - }, - { + }, + { "value": "loss-of-support-services", "expanded": "Loss of support services", "description": "Unavailability of support services required for proper operation of the information system." 
- }, - { + }, + { "value": "internet-outage", "expanded": "Internet outage", "description": "Unavailability of the Internet connection." - }, - { + }, + { "value": "network-outage", "expanded": "Network outage", "description": "Unavailability of communication links." - }, - { + }, + { "value": "outage-of-cable-networks", "expanded": "Outage of cable networks", "description": "Threat of lack of communications links due to problems with cable network." - }, - { + }, + { "value": "Outage-of-short-range-wireless-networks", "expanded": "Outage of short-range wireless networks", "description": "Threat of lack of communications links due to problems with wireless networks (802.11 networks, Bluetooth, NFC etc.)." - }, - { + }, + { "value": "outages-of-long-range-wireless-networks", "expanded": "Outages of long-range wireless networks", "description": "Threat of lack of communications links due to problems with mobile networks like cellular network (3G, LTE, GSM etc.) or satellite links." - } + } ] }, { - "predicate": "eavesdropping-interception-hijacking", - "entry": [ - { - "value": "war-driving", - "expanded": "War driving", - "description": "Threat of locating and possibly exploiting connection to the wireless network." - }, - { - "value": "intercepting-compromising-emissions", - "expanded": "Intercepting compromising emissions", - "description": "Threat of disclosure of transmitted information using interception and analysis of compromising emission." - }, - { - "value": "interception-of-information", - "expanded": "Interception of information", - "description": "Threat of interception of information which is improperly secured in transmission or by improper actions of staff." - }, - { - "value": "corporate-espionage", - "expanded": "Corporate espionage", - "description": "Threat of obtaining information secrets by dishonest means." 
- }, - { - "value": "nation-state-espionage", - "expanded": "Nation state espionage", - "description": "Threats of stealing information by nation state espionage (e.g. China based governmental espionage, NSA from USA)." - }, - { - "value": "information-leakage-due-to-unsecured-wi-fi-like-rogue-access-points", - "expanded": "Information leakage due to unsecured Wi-Fi, rogue access points", - "description": "Threat of obtaining important information by insecure network rogue access points etc." - }, - { - "value": "interfering-radiation", - "expanded": "Interfering radiation", - "description": "Threat of failure of IT hardware or transmission connection due to electromagnetic induction or electromagnetic radiation emitted by an outside source." - }, - { - "value": "replay-of-messages", - "expanded": "Replay of messages", - "description": "Threat in which valid data transmission is maliciously or fraudulently repeated or delayed." - }, - { - "value": "network-reconnaissance-network-traffic-manipulation-and-information-gathering", - "expanded": "Network Reconnaissance, Network traffic manipulation and Information gathering", - "description": "Threat of identifying information about a network to find security weaknesses." - }, - { - "value": "man-in-the-middle-session-hijacking", - "expanded": "Man in the middle/ Session hijacking", - "description": "Threats that relay or alter communication between two parties." - } - ] + "predicate": "eavesdropping-interception-hijacking", + "entry": [ + { + "value": "war-driving", + "expanded": "War driving", + "description": "Threat of locating and possibly exploiting connection to the wireless network." + }, + { + "value": "intercepting-compromising-emissions", + "expanded": "Intercepting compromising emissions", + "description": "Threat of disclosure of transmitted information using interception and analysis of compromising emission." 
+ }, + { + "value": "interception-of-information", + "expanded": "Interception of information", + "description": "Threat of interception of information which is improperly secured in transmission or by improper actions of staff." + }, + { + "value": "corporate-espionage", + "expanded": "Corporate espionage", + "description": "Threat of obtaining information secrets by dishonest means." + }, + { + "value": "nation-state-espionage", + "expanded": "Nation state espionage", + "description": "Threats of stealing information by nation state espionage (e.g. China based governmental espionage, NSA from USA)." + }, + { + "value": "information-leakage-due-to-unsecured-wi-fi-like-rogue-access-points", + "expanded": "Information leakage due to unsecured Wi-Fi, rogue access points", + "description": "Threat of obtaining important information by insecure network rogue access points etc." + }, + { + "value": "interfering-radiation", + "expanded": "Interfering radiation", + "description": "Threat of failure of IT hardware or transmission connection due to electromagnetic induction or electromagnetic radiation emitted by an outside source." + }, + { + "value": "replay-of-messages", + "expanded": "Replay of messages", + "description": "Threat in which valid data transmission is maliciously or fraudulently repeated or delayed." + }, + { + "value": "network-reconnaissance-network-traffic-manipulation-and-information-gathering", + "expanded": "Network Reconnaissance, Network traffic manipulation and Information gathering", + "description": "Threat of identifying information about a network to find security weaknesses." + }, + { + "value": "man-in-the-middle-session-hijacking", + "expanded": "Man in the middle/ Session hijacking", + "description": "Threats that relay or alter communication between two parties." 
+ } + ] }, { - "predicate": "legal", - "entry": [ - { - "value": "violation-of-rules-and-regulations-breach-of-legislation", - "expanded": "Violation of rules and regulations / Breach of legislation", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to violation of law or regulations." - }, - { - "value": "failure-to-meet-contractual-requirements", - "expanded": "Failure to meet contractual requirements", - "description": "Threat of financial penalty or loss of trust of customers and collaborators due to failure to meet contractual requirements." - }, - { - "value": "failure-to-meet-contractual-requirements-by-third-party", - "expanded": "Failure to meet contractual requirements by third party", - "description": "Threat of financial penalty or loss of trust of customers and collaborators due to a third party's failure to meet contractual requirements" - }, - { - "value": "unauthorized-use-of-IPR-protected-resources", - "expanded": "Unauthorized use of IPR protected resources", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of IPR protected material (IPR- Intellectual Property Rights." - }, - { - "value": "illegal-usage-of-file-sharing-services", - "expanded": "Illegal usage of File Sharing services", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of file sharing services." - }, - { - "value": "abuse-of-personal-data", - "expanded": "Abuse of personal data", - "description": "Threat of illegal use of personal data." - }, - { - "value": "judiciary-decisions-or-court-order", - "expanded": "Judiciary decisions/court order", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to judiciary decisions/court order." 
- } - ] + "predicate": "legal", + "entry": [ + { + "value": "violation-of-rules-and-regulations-breach-of-legislation", + "expanded": "Violation of rules and regulations / Breach of legislation", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to violation of law or regulations." + }, + { + "value": "failure-to-meet-contractual-requirements", + "expanded": "Failure to meet contractual requirements", + "description": "Threat of financial penalty or loss of trust of customers and collaborators due to failure to meet contractual requirements." + }, + { + "value": "failure-to-meet-contractual-requirements-by-third-party", + "expanded": "Failure to meet contractual requirements by third party", + "description": "Threat of financial penalty or loss of trust of customers and collaborators due to a third party's failure to meet contractual requirements" + }, + { + "value": "unauthorized-use-of-IPR-protected-resources", + "expanded": "Unauthorized use of IPR protected resources", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of IPR protected material (IPR- Intellectual Property Rights." + }, + { + "value": "illegal-usage-of-file-sharing-services", + "expanded": "Illegal usage of File Sharing services", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of file sharing services." + }, + { + "value": "abuse-of-personal-data", + "expanded": "Abuse of personal data", + "description": "Threat of illegal use of personal data." + }, + { + "value": "judiciary-decisions-or-court-order", + "expanded": "Judiciary decisions/court order", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to judiciary decisions/court order." 
+ } + ] }, { - "predicate": "nefarious-activity-abuse", - "entry": [ - { - "value": "identity-theft-identity-fraud-account)", - "expanded": "Identity theft (Identity Fraud/ Account)", - "description": "Threat of identity theft action." - }, - { - "value": "credentials-stealing-trojans", - "expanded": "Credentials-stealing trojans", - "description": "Threat of identity theft action by malware computer programs." - }, - { - "value": "receiving-unsolicited-e-mail", - "expanded": "Receiving unsolicited E-mail", - "description": "Threat of receiving unsolicited email which affects information security and efficiency." - }, - { - "value": "spam", - "expanded": "SPAM", - "description": "Threat of receiving unsolicited, undesired, or illegal email messages." - }, - { - "value": "unsolicited-infected-e-mails", - "expanded": "Unsolicited infected e-mails", - "description": "Threat emanating from unwanted emails that may contain infected attachments or links to malicious / infected web sites." - }, - { - "value": "denial-of-service", - "expanded": "Denial of service", - "description": "Threat of service unavailability due to massive requests for services." - }, - { - "value": "distributed-denial-of-network-service-network-layer-attack", - "expanded": "Distributed denial of network service (DDoS) (network layer attack i.e. Protocol exploitation / Malformed packets / Flooding / Spoofing)", - "description": "Threat of service unavailability due to a massive number of requests for access to network services from malicious clients." - }, - { - "value": "distributed-denial-of-network-service-application-layer-attack", - "expanded": "Distributed denial of application service (DDoS) (application layer attack i.e. Ping of Death / XDoS / WinNuke / HTTP Floods)", - "description": "Threat of service unavailability due to massive requests sent by multiple malicious clients." 
- }, - { - "value": "distributed-denial-of-network-service-amplification-reflection-attack", - "expanded": "Distributed DoS (DDoS) to both network and application services (amplification/reflection methods i.e. NTP/ DNS /.../ BitTorrent)", - "description": "Threat of creating a massive number of requests, using multiplication/amplification methods." - }, - { - "value": "malicious-code-software-activity", - "expanded": "Malicious code/ software/ activity" - }, - { - "value": "search-engine-poisoning", - "expanded": "Search Engine Poisoning", - "description": "Threat of deliberate manipulation of search engine indexes." - }, - { - "value": "exploitation-of-fake-trust-of-social-media", - "expanded": "Exploitation of fake trust of social media", - "description": "Threat of malicious activities making use of trusted social media." - }, - { - "value": "worms-trojans", - "expanded": "Worms/ Trojans", - "description": "Threat of malware computer programs (trojans/worms)." - }, - { - "value": "rootkits", - "expanded": "Rootkits", - "description": "Threat of stealthy types of malware software." - }, - { - "value": "mobile-malware", - "expanded": "Mobile malware", - "description": "Threat of mobile malware programs." - }, - { - "value": "infected-trusted-mobile-apps", - "expanded": "Infected trusted mobile apps", - "description": "Threat of using mobile malware software that is recognised as trusted one." - }, - { - "value": "elevation-of-privileges", - "expanded": "Elevation of privileges", - "description": "Threat of exploiting bugs, design flaws or configuration oversights in an operating system or software application to gain elevated access to resources." 
- }, - { - "value": "web-application-attacks-injection-attacks-code-injection-SQL-XSS", - "expanded": "Web application attacks / injection attacks (Code injection: SQL, XSS)", - "description": "Threat of utilizing custom web applications embedded within social media sites, which can lead to installation of malicious code onto computers to be used to gain unauthorized access." - }, - { - "value": "spyware-or-deceptive-adware", - "expanded": "Spyware or deceptive adware", - "description": "Threat of using software that aims to gather information about a person or organization without their knowledge." - }, - { - "value": "viruses", - "expanded": "Viruses", - "description": "Threat of infection by viruses." - }, - { - "value": "rogue-security-software-rogueware-scareware", - "expanded": "Rogue security software/ Rogueware / Scareware", - "description": "Threat of internet fraud or malicious software that mislead users into believing there is a virus on their computer, and manipulates them to pay money for fake removal tool." - }, - { - "value": "ransomware", - "expanded": "Ransomware", - "description": "Threat of infection of computer system or device by malware that restricts access to it and demands that the user pay a ransom to remove the restriction." - }, - { - "value": "exploits-exploit-kits", - "expanded": "Exploits/Exploit Kits", - "description": "Threat to IT assets due to the use of web available exploits or exploits software." - }, - { - "value": "social-engineering", - "expanded": "Social Engineering", - "description": "Threat of social engineering type attacks (target: manipulation of personnel behaviour)." - }, - { - "value": "phishing-attacks", - "expanded": "Phishing attacks", - "description": "Threat of an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites." 
- }, - { - "value": "spear-phishing-attacks", - "expanded": "Spear phishing attacks", - "description": "Spear-phishing is a targeted e-mail message that has been crafted to create fake trust and thus lure the victim to unveil some business or personal secrets that can be abused by the adversary." - }, - { - "value": "abuse-of-information-leakage", - "expanded": "Abuse of Information Leakage", - "description": "Threat of leaking important information." - }, - { - "value": "leakage-affecting-mobile-privacy-and-mobile-applications", - "expanded": "Leakage affecting mobile privacy and mobile applications", - "description": "Threat of leaking important information due to using malware mobile applications." - }, - { - "value": "leakage-affecting-web-privacy-and-web-applications", - "expanded": "Leakage affecting web privacy and web applications", - "description": "Threat of leakage important information due to using malware web applications." - }, - { - "value": "leakage-affecting-network-traffic", - "expanded": "Leakage affecting network traffic", - "description": "Threat of leaking important information in network traffic." - }, - { - "value": "leakage-affecting-cloud-computing", - "expanded": "Leakage affecting cloud computing", - "description": "Threat of leaking important information in cloud computing." - }, - { - "value": "generation-and-use-of-rogue-certificates", - "expanded": "Generation and use of rogue certificates", - "description": "Threat of use of rogue certificates." - }, - { - "value": "loss-of-integrity-of-sensitive-information", - "expanded": "Loss of (integrity of) sensitive information", - "description": "Threat of loss of sensitive information due to loss of integrity." - }, - { - "value": "man-in-the-middle-session-hijacking", - "expanded": "Man in the middle / Session hijacking", - "description": "Threat of attack consisting in the exploitation of the web session control mechanism, which is normally managed by a session token." 
- }, - { - "value": "social-engineering-via-signed-malware", - "expanded": "Social Engineering / signed malware", - "description": "Threat of install fake trust signed software (malware) e.g. fake OS updates." - }, - { - "value": "fake-SSL-certificates", - "expanded": "Fake SSL certificates", - "description": "Threat of attack due to malware application signed by a certificate that is typically inherently trusted by an endpoint." - }, - { - "value": "manipulation-of-hardware-and-software", - "expanded": "Manipulation of hardware and software", - "description": "Threat of unauthorised manipulation of hardware and software." - }, - { - "value": "anonymous-proxies", - "expanded": "Anonymous proxies", - "description": "Threat of unauthorised manipulation by anonymous proxies." - }, - { - "value": "abuse-of-computing-power-of-cloud-to-launch-attacks-cybercrime-as-a-service)", - "expanded": "Abuse of computing power of cloud to launch attacks (cybercrime as a service)", - "description": "Threat of using large computing powers to generate attacks on demand." - }, - { - "value": "abuse-of-vulnerabilities-0-day-vulnerabilities", - "expanded": "Abuse of vulnerabilities, 0-day vulnerabilities", - "description": "Threat of attacks using 0-day or known IT assets vulnerabilities." - }, - { - "value": "access-of-web-sites-through-chains-of-HTTP-Proxies-Obfuscation", - "expanded": "Access of web sites through chains of HTTP Proxies (Obfuscation)", - "description": "Threat of bypassing the security mechanism using HTTP proxies (bypassing the website blacklist)." - }, - { - "value": "access-to-device-software", - "expanded": "Access to device software", - "description": "Threat of unauthorised manipulation by access to device software." - }, - { - "value": "alternation-of-software", - "expanded": "Alternation of software", - "description": "Threat of unauthorized modifications to code or data, attacking its integrity." 
- }, - { - "value": "rogue-hardware", - "expanded": "Rogue hardware", - "description": "Threat of manipulation due to unauthorized access to hardware." - }, - { - "value": "manipulation-of-information", - "expanded": "Manipulation of information", - "description": "Threat of intentional data manipulation to mislead information systems or somebody or to cover other nefarious activities (loss of integrity of information)." - }, - { - "value": "repudiation-of-actions", - "expanded": "Repudiation of actions", - "description": "Threat of intentional data manipulation to repudiate action." - }, - { - "value": "address-space-hijacking-IP-prefixes", - "expanded": "Address space hijacking (IP prefixes)", - "description": "Threat of the illegitimate takeover of groups of IP addresses." - }, - { - "value": "routing-table-manipulation", - "expanded": "Routing table manipulation", - "description": "Threat of route packets of network to IP addresses other than that was intended via sender by unauthorised manipulation of routing table." - }, - { - "value": "DNS-poisoning-or-DNS-spoofing-or-DNS-Manipulations", - "expanded": "DNS poisoning / DNS spoofing / DNS Manipulations", - "description": "Threat of falsification of DNS information." - }, - { - "value": "falsification-of-record", - "expanded": "Falsification of record", - "description": "Threat of intentional data manipulation to falsify records." - }, - { - "value": "autonomous-system-hijacking", - "expanded": "Autonomous System hijacking", - "description": "Threat of overtaking by the attacker the ownership of a whole autonomous system and its prefixes despite origin validation." - }, - { - "value": "autonomous-system-manipulation", - "expanded": "Autonomous System manipulation", - "description": "Threat of manipulation by the attacker of a whole autonomous system in order to perform malicious actions." 
- }, - { - "value": "falsification-of-configurations", - "expanded": "Falsification of configurations", - "description": "Threat of intentional manipulation due to falsification of configurations." - }, - { - "value": "misuse-of-audit-tools", - "expanded": "Misuse of audit tools", - "description": "Threat of nefarious actions performed using audit tools (discovery of security weaknesses in information systems)" - }, - { - "value": "misuse-of-information-or-information systems-including-mobile-apps", - "expanded": "Misuse of information/ information systems (including mobile apps)", - "description": "Threat of nefarious action due to misuse of information / information systems." - }, - { - "value": "unauthorized-activities", - "expanded": "Unauthorized activities", - "description": "Threat of nefarious action due to unauthorised activities." - }, - { - "value": "Unauthorised-use-or-administration-of-devices-and-systems", - "expanded": "Unauthorised use or administration of devices and systems", - "description": "Threat of nefarious action due to unauthorised use of devices and systems." - }, - { - "value": "unauthorised-use-of-software", - "expanded": "Unauthorised use of software", - "description": "Threat of nefarious action due to unauthorised use of software." - }, - { - "value": "unauthorized-access-to-the-information-systems-or-networks-like-IMPI-Protocol-DNS-Registrar-Hijacking)", - "expanded": "Unauthorized access to the information systems-or-networks (IMPI Protocol / DNS Registrar Hijacking)", - "description": "Threat of unauthorised access to the information systems / network." - }, - { - "value": "network-intrusion", - "expanded": "Network Intrusion", - "description": "Threat of unauthorised access to network." - }, - { - "value": "unauthorized-changes-of-records", - "expanded": "Unauthorized changes of records", - "description": "Threat of unauthorised changes of information." 
- }, - { - "value": "unauthorized-installation-of-software", - "expanded": "Unauthorized installation of software", - "description": "Threat of unauthorised installation of software." - }, - { - "value": "Web-based-attacks-drive-by-download-or-malicious-URLs-or-browser-based-attacks", - "expanded": "Web based attacks (Drive-by download / malicious URLs / Browser based attacks)", - "description": "Threat of installation of unwanted malware software by misusing websites." - }, - { - "value": "compromising-confidential-information-like-data-breaches", - "expanded": "Compromising confidential information (data breaches)", - "description": "Threat of data breach." - }, - { - "value": "hoax", - "expanded": "Hoax", - "description": "Threat of loss of IT assets security due to cheating." - }, - { - "value": "false-rumour-and-or-fake-warning", - "expanded": "False rumour and/or fake warning", - "description": "Threat of disruption of work due to rumours and/or a fake warning." - }, - { - "value": "remote-activity-execution", - "expanded": "Remote activity (execution)", - "description": "Threat of nefarious action by attacker remote activity." - }, - { - "value": "remote-command-execution", - "expanded": "Remote Command Execution", - "description": "Threat of nefarious action due to remote command execution." - }, - { - "value": "remote-access-tool", - "expanded": "Remote Access Tool (RAT)", - "description": "Threat of infection of software that has a remote administration capabilities allowing an attacker to control the victim's computer." - }, - { - "value": "botnets-remote-activity", - "expanded": "Botnets / Remote activity", - "description": "Threat of penetration by software from malware distribution." - }, - { - "value": "targeted-attacks", - "expanded": "Targeted attacks (APTs etc.)", - "description": "Threat of sophisticated, targeted attack which combine many attack techniques." 
- }, - { - "value": "mobile-malware", - "expanded": "Mobile malware", - "description": "Threat of mobile software that aims to gather information about a person or organization without their knowledge." - }, - { - "value": "spear-phishing-attacks", - "expanded": "Spear phishing attacks", - "description": "Threat of attack focused on a single user or department within an organization, coming from someone within the company in a position of trust and requesting information such as login, IDs and passwords." - }, - { - "value": "installation-of-sophisticated-and-targeted-malware", - "expanded": "Installation of sophisticated and targeted malware", - "description": "Threat of malware delivered by sophisticated and targeted software." - }, - { - "value": "watering-hole-attacks", - "expanded": "Watering Hole attacks", - "description": "Threat of malware residing on the websites which a group often uses." - }, - { - "value": "failed-business-process", - "expanded": "Failed business process", - "description": "Threat of damage or loss of IT assets due to improperly executed business process." - }, - { - "value": "brute-force", - "expanded": "Brute force", - "description": "Threat of unauthorised access via systematically checking all possible keys or passwords until the correct one is found." - }, - { - "value": "abuse-of-authorizations", - "expanded": "Abuse of authorizations", - "description": "Threat of using authorised access to perform illegitimate actions." - } - ] + "predicate": "nefarious-activity-abuse", + "entry": [ + { + "value": "identity-theft-identity-fraud-account)", + "expanded": "Identity theft (Identity Fraud/ Account)", + "description": "Threat of identity theft action." + }, + { + "value": "credentials-stealing-trojans", + "expanded": "Credentials-stealing trojans", + "description": "Threat of identity theft action by malware computer programs." 
+ }, + { + "value": "receiving-unsolicited-e-mail", + "expanded": "Receiving unsolicited E-mail", + "description": "Threat of receiving unsolicited email which affects information security and efficiency." + }, + { + "value": "spam", + "expanded": "SPAM", + "description": "Threat of receiving unsolicited, undesired, or illegal email messages." + }, + { + "value": "unsolicited-infected-e-mails", + "expanded": "Unsolicited infected e-mails", + "description": "Threat emanating from unwanted emails that may contain infected attachments or links to malicious / infected web sites." + }, + { + "value": "denial-of-service", + "expanded": "Denial of service", + "description": "Threat of service unavailability due to massive requests for services." + }, + { + "value": "distributed-denial-of-network-service-network-layer-attack", + "expanded": "Distributed denial of network service (DDoS) (network layer attack i.e. Protocol exploitation / Malformed packets / Flooding / Spoofing)", + "description": "Threat of service unavailability due to a massive number of requests for access to network services from malicious clients." + }, + { + "value": "distributed-denial-of-network-service-application-layer-attack", + "expanded": "Distributed denial of application service (DDoS) (application layer attack i.e. Ping of Death / XDoS / WinNuke / HTTP Floods)", + "description": "Threat of service unavailability due to massive requests sent by multiple malicious clients." + }, + { + "value": "distributed-denial-of-network-service-amplification-reflection-attack", + "expanded": "Distributed DoS (DDoS) to both network and application services (amplification/reflection methods i.e. NTP/ DNS /.../ BitTorrent)", + "description": "Threat of creating a massive number of requests, using multiplication/amplification methods." 
+ }, + { + "value": "malicious-code-software-activity", + "expanded": "Malicious code/ software/ activity" + }, + { + "value": "search-engine-poisoning", + "expanded": "Search Engine Poisoning", + "description": "Threat of deliberate manipulation of search engine indexes." + }, + { + "value": "exploitation-of-fake-trust-of-social-media", + "expanded": "Exploitation of fake trust of social media", + "description": "Threat of malicious activities making use of trusted social media." + }, + { + "value": "worms-trojans", + "expanded": "Worms/ Trojans", + "description": "Threat of malware computer programs (trojans/worms)." + }, + { + "value": "rootkits", + "expanded": "Rootkits", + "description": "Threat of stealthy types of malware software." + }, + { + "value": "mobile-malware", + "expanded": "Mobile malware", + "description": "Threat of mobile malware programs." + }, + { + "value": "infected-trusted-mobile-apps", + "expanded": "Infected trusted mobile apps", + "description": "Threat of using mobile malware software that is recognised as trusted one." + }, + { + "value": "elevation-of-privileges", + "expanded": "Elevation of privileges", + "description": "Threat of exploiting bugs, design flaws or configuration oversights in an operating system or software application to gain elevated access to resources." + }, + { + "value": "web-application-attacks-injection-attacks-code-injection-SQL-XSS", + "expanded": "Web application attacks / injection attacks (Code injection: SQL, XSS)", + "description": "Threat of utilizing custom web applications embedded within social media sites, which can lead to installation of malicious code onto computers to be used to gain unauthorized access." + }, + { + "value": "spyware-or-deceptive-adware", + "expanded": "Spyware or deceptive adware", + "description": "Threat of using software that aims to gather information about a person or organization without their knowledge." 
+ }, + { + "value": "viruses", + "expanded": "Viruses", + "description": "Threat of infection by viruses." + }, + { + "value": "rogue-security-software-rogueware-scareware", + "expanded": "Rogue security software/ Rogueware / Scareware", + "description": "Threat of internet fraud or malicious software that mislead users into believing there is a virus on their computer, and manipulates them to pay money for fake removal tool." + }, + { + "value": "ransomware", + "expanded": "Ransomware", + "description": "Threat of infection of computer system or device by malware that restricts access to it and demands that the user pay a ransom to remove the restriction." + }, + { + "value": "exploits-exploit-kits", + "expanded": "Exploits/Exploit Kits", + "description": "Threat to IT assets due to the use of web available exploits or exploits software." + }, + { + "value": "social-engineering", + "expanded": "Social Engineering", + "description": "Threat of social engineering type attacks (target: manipulation of personnel behaviour)." + }, + { + "value": "phishing-attacks", + "expanded": "Phishing attacks", + "description": "Threat of an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites." + }, + { + "value": "spear-phishing-attacks", + "expanded": "Spear phishing attacks", + "description": "Spear-phishing is a targeted e-mail message that has been crafted to create fake trust and thus lure the victim to unveil some business or personal secrets that can be abused by the adversary." + }, + { + "value": "abuse-of-information-leakage", + "expanded": "Abuse of Information Leakage", + "description": "Threat of leaking important information." 
+ }, + { + "value": "leakage-affecting-mobile-privacy-and-mobile-applications", + "expanded": "Leakage affecting mobile privacy and mobile applications", + "description": "Threat of leaking important information due to using malware mobile applications." + }, + { + "value": "leakage-affecting-web-privacy-and-web-applications", + "expanded": "Leakage affecting web privacy and web applications", + "description": "Threat of leakage important information due to using malware web applications." + }, + { + "value": "leakage-affecting-network-traffic", + "expanded": "Leakage affecting network traffic", + "description": "Threat of leaking important information in network traffic." + }, + { + "value": "leakage-affecting-cloud-computing", + "expanded": "Leakage affecting cloud computing", + "description": "Threat of leaking important information in cloud computing." + }, + { + "value": "generation-and-use-of-rogue-certificates", + "expanded": "Generation and use of rogue certificates", + "description": "Threat of use of rogue certificates." + }, + { + "value": "loss-of-integrity-of-sensitive-information", + "expanded": "Loss of (integrity of) sensitive information", + "description": "Threat of loss of sensitive information due to loss of integrity." + }, + { + "value": "man-in-the-middle-session-hijacking", + "expanded": "Man in the middle / Session hijacking", + "description": "Threat of attack consisting in the exploitation of the web session control mechanism, which is normally managed by a session token." + }, + { + "value": "social-engineering-via-signed-malware", + "expanded": "Social Engineering / signed malware", + "description": "Threat of install fake trust signed software (malware) e.g. fake OS updates." + }, + { + "value": "fake-SSL-certificates", + "expanded": "Fake SSL certificates", + "description": "Threat of attack due to malware application signed by a certificate that is typically inherently trusted by an endpoint." 
+ }, + { + "value": "manipulation-of-hardware-and-software", + "expanded": "Manipulation of hardware and software", + "description": "Threat of unauthorised manipulation of hardware and software." + }, + { + "value": "anonymous-proxies", + "expanded": "Anonymous proxies", + "description": "Threat of unauthorised manipulation by anonymous proxies." + }, + { + "value": "abuse-of-computing-power-of-cloud-to-launch-attacks-cybercrime-as-a-service)", + "expanded": "Abuse of computing power of cloud to launch attacks (cybercrime as a service)", + "description": "Threat of using large computing powers to generate attacks on demand." + }, + { + "value": "abuse-of-vulnerabilities-0-day-vulnerabilities", + "expanded": "Abuse of vulnerabilities, 0-day vulnerabilities", + "description": "Threat of attacks using 0-day or known IT assets vulnerabilities." + }, + { + "value": "access-of-web-sites-through-chains-of-HTTP-Proxies-Obfuscation", + "expanded": "Access of web sites through chains of HTTP Proxies (Obfuscation)", + "description": "Threat of bypassing the security mechanism using HTTP proxies (bypassing the website blacklist)." + }, + { + "value": "access-to-device-software", + "expanded": "Access to device software", + "description": "Threat of unauthorised manipulation by access to device software." + }, + { + "value": "alternation-of-software", + "expanded": "Alternation of software", + "description": "Threat of unauthorized modifications to code or data, attacking its integrity." + }, + { + "value": "rogue-hardware", + "expanded": "Rogue hardware", + "description": "Threat of manipulation due to unauthorized access to hardware." + }, + { + "value": "manipulation-of-information", + "expanded": "Manipulation of information", + "description": "Threat of intentional data manipulation to mislead information systems or somebody or to cover other nefarious activities (loss of integrity of information)." 
+ }, + { + "value": "repudiation-of-actions", + "expanded": "Repudiation of actions", + "description": "Threat of intentional data manipulation to repudiate action." + }, + { + "value": "address-space-hijacking-IP-prefixes", + "expanded": "Address space hijacking (IP prefixes)", + "description": "Threat of the illegitimate takeover of groups of IP addresses." + }, + { + "value": "routing-table-manipulation", + "expanded": "Routing table manipulation", + "description": "Threat of route packets of network to IP addresses other than that was intended via sender by unauthorised manipulation of routing table." + }, + { + "value": "DNS-poisoning-or-DNS-spoofing-or-DNS-Manipulations", + "expanded": "DNS poisoning / DNS spoofing / DNS Manipulations", + "description": "Threat of falsification of DNS information." + }, + { + "value": "falsification-of-record", + "expanded": "Falsification of record", + "description": "Threat of intentional data manipulation to falsify records." + }, + { + "value": "autonomous-system-hijacking", + "expanded": "Autonomous System hijacking", + "description": "Threat of overtaking by the attacker the ownership of a whole autonomous system and its prefixes despite origin validation." + }, + { + "value": "autonomous-system-manipulation", + "expanded": "Autonomous System manipulation", + "description": "Threat of manipulation by the attacker of a whole autonomous system in order to perform malicious actions." + }, + { + "value": "falsification-of-configurations", + "expanded": "Falsification of configurations", + "description": "Threat of intentional manipulation due to falsification of configurations." 
+ }, + { + "value": "misuse-of-audit-tools", + "expanded": "Misuse of audit tools", + "description": "Threat of nefarious actions performed using audit tools (discovery of security weaknesses in information systems)" + }, + { + "value": "misuse-of-information-or-information systems-including-mobile-apps", + "expanded": "Misuse of information/ information systems (including mobile apps)", + "description": "Threat of nefarious action due to misuse of information / information systems." + }, + { + "value": "unauthorized-activities", + "expanded": "Unauthorized activities", + "description": "Threat of nefarious action due to unauthorised activities." + }, + { + "value": "Unauthorised-use-or-administration-of-devices-and-systems", + "expanded": "Unauthorised use or administration of devices and systems", + "description": "Threat of nefarious action due to unauthorised use of devices and systems." + }, + { + "value": "unauthorised-use-of-software", + "expanded": "Unauthorised use of software", + "description": "Threat of nefarious action due to unauthorised use of software." + }, + { + "value": "unauthorized-access-to-the-information-systems-or-networks-like-IMPI-Protocol-DNS-Registrar-Hijacking)", + "expanded": "Unauthorized access to the information systems-or-networks (IMPI Protocol / DNS Registrar Hijacking)", + "description": "Threat of unauthorised access to the information systems / network." + }, + { + "value": "network-intrusion", + "expanded": "Network Intrusion", + "description": "Threat of unauthorised access to network." + }, + { + "value": "unauthorized-changes-of-records", + "expanded": "Unauthorized changes of records", + "description": "Threat of unauthorised changes of information." + }, + { + "value": "unauthorized-installation-of-software", + "expanded": "Unauthorized installation of software", + "description": "Threat of unauthorised installation of software." 
+ }, + { + "value": "Web-based-attacks-drive-by-download-or-malicious-URLs-or-browser-based-attacks", + "expanded": "Web based attacks (Drive-by download / malicious URLs / Browser based attacks)", + "description": "Threat of installation of unwanted malware software by misusing websites." + }, + { + "value": "compromising-confidential-information-like-data-breaches", + "expanded": "Compromising confidential information (data breaches)", + "description": "Threat of data breach." + }, + { + "value": "hoax", + "expanded": "Hoax", + "description": "Threat of loss of IT assets security due to cheating." + }, + { + "value": "false-rumour-and-or-fake-warning", + "expanded": "False rumour and/or fake warning", + "description": "Threat of disruption of work due to rumours and/or a fake warning." + }, + { + "value": "remote-activity-execution", + "expanded": "Remote activity (execution)", + "description": "Threat of nefarious action by attacker remote activity." + }, + { + "value": "remote-command-execution", + "expanded": "Remote Command Execution", + "description": "Threat of nefarious action due to remote command execution." + }, + { + "value": "remote-access-tool", + "expanded": "Remote Access Tool (RAT)", + "description": "Threat of infection of software that has a remote administration capabilities allowing an attacker to control the victim's computer." + }, + { + "value": "botnets-remote-activity", + "expanded": "Botnets / Remote activity", + "description": "Threat of penetration by software from malware distribution." + }, + { + "value": "targeted-attacks", + "expanded": "Targeted attacks (APTs etc.)", + "description": "Threat of sophisticated, targeted attack which combine many attack techniques." + }, + { + "value": "mobile-malware", + "expanded": "Mobile malware", + "description": "Threat of mobile software that aims to gather information about a person or organization without their knowledge." 
+ }, + { + "value": "spear-phishing-attacks", + "expanded": "Spear phishing attacks", + "description": "Threat of attack focused on a single user or department within an organization, coming from someone within the company in a position of trust and requesting information such as login, IDs and passwords." + }, + { + "value": "installation-of-sophisticated-and-targeted-malware", + "expanded": "Installation of sophisticated and targeted malware", + "description": "Threat of malware delivered by sophisticated and targeted software." + }, + { + "value": "watering-hole-attacks", + "expanded": "Watering Hole attacks", + "description": "Threat of malware residing on the websites which a group often uses." + }, + { + "value": "failed-business-process", + "expanded": "Failed business process", + "description": "Threat of damage or loss of IT assets due to improperly executed business process." + }, + { + "value": "brute-force", + "expanded": "Brute force", + "description": "Threat of unauthorised access via systematically checking all possible keys or passwords until the correct one is found." + }, + { + "value": "abuse-of-authorizations", + "expanded": "Abuse of authorizations", + "description": "Threat of using authorised access to perform illegitimate actions." + } + ] } ], "predicates": [ diff --git a/eu-marketop-and-publicadmin/machinetag.json b/eu-marketop-and-publicadmin/machinetag.json index 22f0893..59c9d25 100644 --- a/eu-marketop-and-publicadmin/machinetag.json +++ b/eu-marketop-and-publicadmin/machinetag.json 
@@ -1,62 +1,84 @@ { - "namespace": "eu-marketop-and-publicadmin", - "description": "Market operators and public administrations that must comply to some notifications requirements under EU NIS directive", - "version": 1, - "predicates": [{ - "value": "critical-infra-operators", - "expanded": "Critical Infrastructure Operators" - }, { - "value": "info-services", - "expanded": "Information Society services enablers" - }, { - "value": "public-admin", - "expanded": "Public administration" - }], - "values": [{ - "predicate": "critical-infra-operators", - "entry": [{ - "value": "transport", - "expanded": "Transport" - }, { - "value": "energy", - "expanded": "Energy" - }, { - "value": "health", - "expanded": "Health" - }, { - "value": "financial", - "expanded": "Financial market operators" - }, { - "value": "banking", - "expanded": "Banking" - }] - }, { - "predicate": "info-services", - "entry": [{ - "value": "e-commerce", - "expanded": "e-commerce platforms" - }, { - "value": "internet-payment", - "expanded": "Internet payment" - }, { - "value": "cloud", - "expanded": "cloud computing" - }, { - "value": "search-engines", - "expanded": "search engines" - }, { - "value": "socnet", - "expanded": "social networks" - }, { - "value": "app-stores", - "expanded": "application stores" - }] - }, { - "predicate": "public-admin", - "entry": [{ - "value": "public-admin", - "expanded": "Public Administrations" - }] - }] + "namespace": "eu-marketop-and-publicadmin", + "description": "Market operators and public administrations that must comply to some notifications requirements under EU NIS directive", + "version": 1, + "predicates": [ + { + "value": "critical-infra-operators", + "expanded": "Critical Infrastructure Operators" + }, + { + "value": "info-services", + "expanded": "Information Society services enablers" + }, + { + "value": "public-admin", + "expanded": "Public administration" + } + ], + "values": [ + { + "predicate": "critical-infra-operators", + "entry": [ + { + "value": 
"transport", + "expanded": "Transport" + }, + { + "value": "energy", + "expanded": "Energy" + }, + { + "value": "health", + "expanded": "Health" + }, + { + "value": "financial", + "expanded": "Financial market operators" + }, + { + "value": "banking", + "expanded": "Banking" + } + ] + }, + { + "predicate": "info-services", + "entry": [ + { + "value": "e-commerce", + "expanded": "e-commerce platforms" + }, + { + "value": "internet-payment", + "expanded": "Internet payment" + }, + { + "value": "cloud", + "expanded": "cloud computing" + }, + { + "value": "search-engines", + "expanded": "search engines" + }, + { + "value": "socnet", + "expanded": "social networks" + }, + { + "value": "app-stores", + "expanded": "application stores" + } + ] + }, + { + "predicate": "public-admin", + "entry": [ + { + "value": "public-admin", + "expanded": "Public Administrations" + } + ] + } + ] } - diff --git a/europol-incident/machinetag.json b/europol-incident/machinetag.json index 12101f1..823c7e8 100644 --- a/europol-incident/machinetag.json +++ b/europol-incident/machinetag.json 
@@ -1,195 +1,195 @@ { - "version": 1, - "description": "This taxonomy was designed to describe the type of incidents by class.", - "expanded": "Europol class of incidents taxonomy", - "namespace": "europol-incident", - "predicates": [ + "version": 1, + "description": "This taxonomy was designed to describe the type of incidents by class.", + "expanded": "Europol class of incidents taxonomy", + "namespace": "europol-incident", + "predicates": [ + { + "value": "malware", + "expanded": "Malware" + }, + { + "value": "availability", + "expanded": "Availability" + }, + { + "value": "information-gathering", + "expanded": "Gathering of information" + }, + { + "value": "intrusion-attempt", + "expanded": "Intrusion attempt" + }, + { + "value": "intrusion", + "expanded": "Intrusion" + }, + { + "value": "information-security", + "expanded": "Information security" + }, + { + "value": "fraud", + "expanded": "Fraud" + }, + { + "value": "abusive-content", + "expanded": "Abusive content" + }, + { + "value": "other", + "expanded": "Other" + } + ], + "values": [ + { + "predicate": "malware", + "entry": [ { - "value": "malware", - "expanded": "Malware" + "value": "infection", + "expanded": "Infection", + "description": "Infecting one or various systems with a specific type of malware." }, { - "value": "availability", - "expanded": "Availability" + "value": "distribution", + "expanded": "Distribution", + "description": "Infecting one or various systems with a specific type of malware." }, { - "value": "information-gathering", - "expanded": "Gathering of information" + "value": "c&c", + "expanded": "C&C", + "description": "Infecting one or various systems with a specific type of malware." 
}, { - "value": "intrusion-attempt", - "expanded": "Intrusion attempt" - }, - { - "value": "intrusion", - "expanded": "Intrusion" - }, - { - "value": "information-security", - "expanded": "Information security" - }, - { - "value": "fraud", - "expanded": "Fraud" - }, - { - "value": "abusive-content", - "expanded": "Abusive content" - }, - { - "value": "other", - "expanded": "Other" + "value": "undetermined", + "expanded": "Undetermined" } - ], - "values": [ + ] + }, + { + "predicate": "availability", + "entry": [ { - "predicate": "malware", - "entry": [ - { - "value": "infection", - "expanded": "Infection", - "description": "Infecting one or various systems with a specific type of malware." - }, - { - "value": "distribution", - "expanded": "Distribution", - "description": "Infecting one or various systems with a specific type of malware." - }, - { - "value": "c&c", - "expanded": "C&C", - "description": "Infecting one or various systems with a specific type of malware." - }, - { - "value": "undetermined", - "expanded": "Undetermined" - } - ] + "value": "dos-ddos", + "expanded": "DoS/DDoS", + "description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative." }, { - "predicate": "availability", - "entry": [ - { - "value": "dos-ddos", - "expanded": "DoS/DDoS", - "description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative." - }, - { - "value": "sabotage", - "expanded": "Sabotage", - "description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc." - } - ] - }, - { - "predicate": "information-gathering", - "entry": [ - { - "value": "scanning", - "expanded": "Scanning", - "description": "Active and passive gathering of information on systems or networks." - }, - { - "value": "sniffing", - "expanded": "Sniffing", - "description": "Unauthorised monitoring and reading of network traffic." 
- }, - { - "value": "phishing", - "expanded": "Phishing", - "description": "Attempt to gather information on a user or a system through phishing methods." - } - ] - }, - { - "predicate": "intrusion-attempt", - "entry": [ - { - "value": "exploitation-vulnerability", - "expanded": "Exploitation of vulnerability", - "description": "Attempt to intrude by exploiting a vulnerability in a system, component or network." - }, - { - "value": "login-attempt", - "expanded": "Login attempt", - "description": "Attempt to log in to services or authentication / access control mechanisms." - } - ] - }, - { - "predicate": "intrusion", - "entry": [ - { - "value": "exploitation-vulnerability", - "expanded": "Exploitation of vulnerability", - "description": "Actual intrusion by exploiting a vulnerability in the system, component or network." - }, - { - "value": "compromising-account", - "expanded": "Compromising an account", - "description": "Actual intrusion in a system, component or network by compromising a user or administrator account." - } - ] - }, - { - "predicate": "information-security", - "entry": [ - { - "value": "unauthorized-access", - "expanded": "Unauthorised access", - "description": "Unauthorised access to a particular set of information" - }, - { - "value": "unauthorized-modification", - "expanded": "Unauthorised modification/deletion", - "description": "Unauthorised change or elimination of a particular set of information" - } - ] - }, - { - "predicate": "fraud", - "entry": [ - { - "value": "illegitimate-use-resources", - "expanded": "Misuse or unauthorised use of resources", - "description": "Use of institutional resources for purposes other than those intended." - }, - { - "value": "illegitimate-use-name", - "expanded": "Illegitimate use of the name of a third party", - "description": "Use of the name of an institution without permission to do so." 
- } - ] - }, - { - "predicate": "abusive-content", - "entry": [ - { - "value": "spam", - "expanded": "SPAM", - "description": " Sending SPAM messages." - }, - { - "value": "copyright", - "expanded": "Copyright", - "description": "Distribution and sharing of copyright protected content." - }, - { - "value": "content-forbidden-by-law", - "expanded": "Dissemination of content forbidden by law.", - "description": "Child pornography, racism and apology of violence." - } - ] - }, - { - "predicate": "other", - "entry": [ - { - "value": "other", - "expanded": "Other", - "description": " Other type of unspecified incident" - } - ] + "value": "sabotage", + "expanded": "Sabotage", + "description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc." } - ] + ] + }, + { + "predicate": "information-gathering", + "entry": [ + { + "value": "scanning", + "expanded": "Scanning", + "description": "Active and passive gathering of information on systems or networks." + }, + { + "value": "sniffing", + "expanded": "Sniffing", + "description": "Unauthorised monitoring and reading of network traffic." + }, + { + "value": "phishing", + "expanded": "Phishing", + "description": "Attempt to gather information on a user or a system through phishing methods." + } + ] + }, + { + "predicate": "intrusion-attempt", + "entry": [ + { + "value": "exploitation-vulnerability", + "expanded": "Exploitation of vulnerability", + "description": "Attempt to intrude by exploiting a vulnerability in a system, component or network." + }, + { + "value": "login-attempt", + "expanded": "Login attempt", + "description": "Attempt to log in to services or authentication / access control mechanisms." + } + ] + }, + { + "predicate": "intrusion", + "entry": [ + { + "value": "exploitation-vulnerability", + "expanded": "Exploitation of vulnerability", + "description": "Actual intrusion by exploiting a vulnerability in the system, component or network." 
+ }, + { + "value": "compromising-account", + "expanded": "Compromising an account", + "description": "Actual intrusion in a system, component or network by compromising a user or administrator account." + } + ] + }, + { + "predicate": "information-security", + "entry": [ + { + "value": "unauthorized-access", + "expanded": "Unauthorised access", + "description": "Unauthorised access to a particular set of information" + }, + { + "value": "unauthorized-modification", + "expanded": "Unauthorised modification/deletion", + "description": "Unauthorised change or elimination of a particular set of information" + } + ] + }, + { + "predicate": "fraud", + "entry": [ + { + "value": "illegitimate-use-resources", + "expanded": "Misuse or unauthorised use of resources", + "description": "Use of institutional resources for purposes other than those intended." + }, + { + "value": "illegitimate-use-name", + "expanded": "Illegitimate use of the name of a third party", + "description": "Use of the name of an institution without permission to do so." + } + ] + }, + { + "predicate": "abusive-content", + "entry": [ + { + "value": "spam", + "expanded": "SPAM", + "description": " Sending SPAM messages." + }, + { + "value": "copyright", + "expanded": "Copyright", + "description": "Distribution and sharing of copyright protected content." + }, + { + "value": "content-forbidden-by-law", + "expanded": "Dissemination of content forbidden by law.", + "description": "Child pornography, racism and apology of violence." + } + ] + }, + { + "predicate": "other", + "entry": [ + { + "value": "other", + "expanded": "Other", + "description": " Other type of unspecified incident" + } + ] + } + ] } diff --git a/information-security-indicators/machinetag.json b/information-security-indicators/machinetag.json index fa1c4f3..b3629b7 100644 --- a/information-security-indicators/machinetag.json +++ b/information-security-indicators/machinetag.json 
@@ -139,7 +139,8 @@ "description": "This indicator measures illicit entrance of individuals into security perimeter." } ] - },{ + }, + { "predicate": "IMF", "entry": [ { @@ -188,7 +189,8 @@ "description": "This indicator primarily relates to Personal Identifiable Information (PII) protected by privacy laws, to information falling under the PCI-DSS regulation, to information falling under European regulation in the area of breach notification (Telcos and ISPs to begin with), and to information about electronic exchanges between employees and the exterior (electronic messaging and Internet connection). This indicator does not include possible difficulties pertaining to proof forwarding from field operations to governance (state-of-the-art unavailable). This indicator is a sub-set of indicator IMF_LOG.1, but can be identical to this one in advanced organizations." } ] - },{ + }, + { "predicate": "IDB", "entry": [ { @@ -247,7 +249,8 @@ "description": "This event is generally decided and deployed by an administrator in order to improve performance of the system under his/her responsibility (illicit voluntary stoppage). This indicator is a reduced subset of indicator IUS_RGH.5" } ] - },{ + }, + { "predicate": "IWH", "entry": [ { @@ -281,7 +284,8 @@ "description": "This indicator measures security incidents tied to assets (on servers) non-inventoried and not managed by appointed teams. It is a key indicator insofar as a high percentage of incidents corresponds with this indicator on average in the profession (according to some public surveys)." } ] - },{ + }, + { "predicate": "VBH", "entry": [ { @@ -400,7 +404,8 @@ "description": "This vulnerability applies to discussions through on-line media leading to leakage of personal identifiable information (PII) or various business details to be used later (notably for identity usurpation) " } ] - },{ + }, + { "predicate": "VSW", "entry": [ { 
@@ -419,7 +424,8 @@ "description": "This indicators measures software vulnerabilities detected in Web browsers running on workstations." } ] - },{ + }, + { "predicate": "VCF", "entry": [ { @@ -473,7 +479,8 @@ "description": "This indicator measures accounts inactive for at least 2 months that have not been disabled. These accounts are not used by their users due to prolonged but not definitive absence (long term illness, maternity, etc.), with the exclusion of messaging accounts (which should remain accessible to users from their home)." } ] - },{ + }, + { "predicate": "VTC", "entry": [ { @@ -507,7 +514,8 @@ "description": "This indicator includes access to protected internal areas. The 1st cause is the lack of effective control of users at software level. The 2nd cause is hardware breakdown of a component in the chain." } ] - },{ + }, + { "predicate": "VOR", "entry": [ { @@ -556,7 +564,8 @@ "description": "This indicator measures the launch of new IT projects of a standard type without identification of vulnerabilities and threats and of related security measures. For these IT projects, potential implementation of a simplified risk analysis method or of pre-defined security profiles can be applied." } ] - },{ + }, + { "predicate": "IMP", "entry": [ { diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh index 617456d..56c816b 100755 --- a/jq_all_the_things.sh +++ b/jq_all_the_things.sh @@ -5,7 +5,7 @@ set -x # Seeds sponge, from moreutils -for dir in ./*/list.json +for dir in ./*/machinetag.json do cat ${dir} | jq . | sponge ${dir} done diff --git a/malware_classification/machinetag.json b/malware_classification/machinetag.json index e7b5151..edaf09e 100644 --- a/malware_classification/machinetag.json +++ b/malware_classification/machinetag.json @@ -57,8 +57,8 @@ "expanded": "Spyware" }, { - "value": "Botnet", - "expanded": "Botnet" + "value": "Botnet", + "expanded": "Botnet" } ] }, @@ -163,4 +163,3 @@ } ] } - 
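Review bot: The loop body `cat ${dir} | jq . | sponge ${dir}` (context lines here, only the glob on the `for` line changed) will clobber a taxonomy file whenever jq fails to parse it, because sponge writes whatever it soaked up — possibly nothing — back to `${dir}` regardless of jq's exit status, so one stray comma turns a machinetag.json into a truncated or empty file. Writing to a temporary file and moving it into place only on success avoids that: `jq . "${dir}" > "${dir}.tmp" && mv "${dir}.tmp" "${dir}"`, which also drops the needless cat and quotes the path. Whether the script sets `-e` or `pipefail` is not visible in this hunk, but neither would stop sponge from writing the partial output.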
diff --git a/misp/machinetag.json b/misp/machinetag.json index f078acf..1788c17 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -19,17 +19,17 @@ "predicate": "api" }, { - "predicate": "contributor", - "entry": [ + "predicate": "contributor", + "entry": [ { "expanded": "OpenPGP Fingerprint", "value": "pgpfingerprint" } - ] + ] }, { - "predicate": "confidence-level", - "entry": [ + "predicate": "confidence-level", + "entry": [ { "expanded": "Completely confident", "value": "completely-confident", 
@@ -59,36 +59,36 @@ "expanded": "Confidence cannot be evaluated", "value": "confidence-cannot-be-evalued" } - ] + ] }, { - "predicate": "threat-level", - "entry": [ + "predicate": "threat-level", + "entry": [ { - "expanded": "No risk", - "value": "no-risk", - "numerical_value": 0, - "description": "Harmless information. (CEUS threat level)" + "expanded": "No risk", + "value": "no-risk", + "numerical_value": 0, + "description": "Harmless information. (CEUS threat level)" }, { - "expanded": "Low risk", - "value": "low-risk", - "numerical_value": 25, - "description": "Low risk which can include mass-malware. (CEUS threat level)" + "expanded": "Low risk", + "value": "low-risk", + "numerical_value": 25, + "description": "Low risk which can include mass-malware. (CEUS threat level)" }, { - "expanded": "Medium risk", - "value": "medium-risk", - "numerical_value": 50, - "description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)" + "expanded": "Medium risk", + "value": "medium-risk", + "numerical_value": 50, + "description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)" }, { - "expanded": "High risk", - "value": "high-risk", - "numerical_value": 100, - "description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)" + "expanded": "High risk", + "value": "high-risk", + "numerical_value": 100, + "description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)" } - ] + ] } ], "predicates": [ diff --git a/passivetotal/machinetag.json b/passivetotal/machinetag.json index a718f0d..fd90fc3 100644 --- a/passivetotal/machinetag.json +++ b/passivetotal/machinetag.json 
@@ -1,86 +1,86 @@ { - "namespace" : "passivetotal", - "expanded" : "PassiveTotal", - "description": "Tags from RiskIQ's PassiveTotal service", - "version" : 1, - "predicates": [ + "namespace": "passivetotal", + "expanded": "PassiveTotal", + "description": "Tags from RiskIQ's PassiveTotal service", + "version": 1, + "predicates": [ + { + "value": "sinkholed", + "expanded": "Sinkhole Status" + }, + { + "value": "ever-comprimised", + "expanded": "Ever Comprimised?" + }, + { + "value": "class", + "expanded": "Classification" + }, + { + "value": "dynamic-dns", + "expanded": "Dynamic DNS" + } + ], + "values": [ + { + "predicate": "sinkholed", + "entry": [ { - "value" : "sinkholed", - "expanded": "Sinkhole Status" + "value": "yes", + "expanded": "Yes" }, { - "value" : "ever-comprimised", - "expanded" : "Ever Comprimised?" - }, - { - "value" : "class", - "expanded" : "Classification" - }, - { - "value" : "dynamic-dns", - "expanded": "Dynamic DNS" + "value": "no", + "expanded": "No" } - ], - "values" : [ - { - "predicate" : "sinkholed", - "entry" : [ - { - "value" : "yes", - "expanded": "Yes" - }, - { - "value" : "no", - "expanded" : "No" - } - ] + ] + }, + { + "predicate": "ever-comprimised", + "entry": [ + { + "value": "yes", + "expanded": "Yes" }, { - "predicate" : "ever-comprimised", - "entry" : [ - { - "value" : "yes", - "expanded": "Yes" - }, - { - "value" : "no", - "expanded" : "No" - } - ] - }, - { - "predicate" : "dynamic-dns", - "entry" : [ - { - "value" : "yes", - "expanded": "Yes" - }, - { - "value" : "no", - "expanded" : "No" - } - ] - }, - { - "predicate" : "class", - "entry" : [ - { - "value" : "malicious", - "expanded" : "Malicious" - }, - { - "value" : "suspicious", - "expanded": "Malicious" - }, - { - "value": "non-malicious", - "expanded": "Non Malicious" - }, - { - "value" : "unknown", - "expanded" : "Unknown" - } - ] + "value": "no", + "expanded": "No" } - ] + ] + }, + { + "predicate": "dynamic-dns", + "entry": [ + { + "value": "yes", + "expanded": 
"Yes" + }, + { + "value": "no", + "expanded": "No" + } + ] + }, + { + "predicate": "class", + "entry": [ + { + "value": "malicious", + "expanded": "Malicious" + }, + { + "value": "suspicious", + "expanded": "Malicious" + }, + { + "value": "non-malicious", + "expanded": "Non Malicious" + }, + { + "value": "unknown", + "expanded": "Unknown" + } + ] + } + ] } diff --git a/stix-ttp/machinetag.json b/stix-ttp/machinetag.json index 26fc525..3327e92 100644 --- a/stix-ttp/machinetag.json +++ b/stix-ttp/machinetag.json 
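Review bot: In the `class` predicate the `suspicious` entry expands to `"Malicious"`, the same label as the `malicious` entry, so any consumer that displays expanded names shows two indistinguishable classifications for what are different verdicts; it should read `"expanded": "Suspicious"`. The mistake is carried over from the old side rather than introduced here, but since the hunk rewrites every line of the file this is the natural place to correct it. The predicate `ever-comprimised` and its label `Ever Comprimised?` are misspelled as well; the label can safely become `"expanded": "Ever Compromised?"`, whereas the value is a machinetag identifier that existing tags may depend on, so renaming it is a compatibility decision rather than a typo fix.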
@@ -1,115 +1,114 @@ { - "namespace": "stix-ttp", - "expanded": "STIX TTP", - "version": 1, - "description": "TTPs are representations of the behavior or modus operandi of cyber adversaries.", - "refs": [ - "http://stixproject.github.io/documentation/idioms/industry-sector/" - ], - "predicates": [ - { - "value": "victim-targeting", - "expanded": "Victim Targeting" - } - ], - "values": [ - { - "predicate": "victim-targeting", - "entry": [ - { - "value": "business-professional-sector", - "expanded": "Business & Professional Services Sector" - }, - { - "value": "retail-sector", - "expanded": "Retail Sector" - }, - { - "value": "financial-sector", - "expanded": "Financial Services Sector" - }, - { - "value": "media-entertainment-sector", - "expanded": "Media & Entertainment Sector" - }, - { - "value": "construction-engineering-sector", - "expanded": "Construction & Engineering Sector" - }, - { - "value": "government-international-organizations-sector", - "expanded": "Goverment & International Organizations" - }, - { - "value": "legal-sector", - "expanded": "Legal Services" - }, - { - "value": "hightech-it-sector", - "expanded": "High-Tech & IT Sector" - }, - { - "value": "healthcare-sector", - "expanded": "Healthcare Sector" - }, - { - "value": "transportation-sector", - "expanded": "Transportation Sector" - }, - { - "value": "aerospace-defence-sector", - "expanded": "Aerospace & Defense Sector" - }, - { - "value": "energy-sector", - "expanded": "Energy Sector" - }, - { - "value": "food-sector", - "expanded": "Food Sector" - }, - { - "value": "natural-resources-sector", - "expanded": "Natural Resources Sector" - }, - { - "value": "other-sector", - "expanded": "Other Sector" - }, - - { - "value": "corporate-employee-information", - "expanded": "Corporate Employee Information" - }, - { - "value": "customer-pii", - "expanded": "Customer PII" - }, - { - "value": "email-lists-archives", - "expanded": "Email Lists/Archives" - }, - { - "value": "financial-data", - "expanded": 
"Financial Data" - }, - { - "value": "intellectual-property", - "expanded": "Intellectual Property" - }, - { - "value": "mobile-phone-contacts", - "expanded": "Mobile Phone Contacts" - }, - { - "value": "user-credentials", - "expanded": "User Credentials" - }, - { - "value": "authentification-cookies", - "expanded": "Authentication Cookies" - } - ] - } - ] + "namespace": "stix-ttp", + "expanded": "STIX TTP", + "version": 1, + "description": "TTPs are representations of the behavior or modus operandi of cyber adversaries.", + "refs": [ + "http://stixproject.github.io/documentation/idioms/industry-sector/" + ], + "predicates": [ + { + "value": "victim-targeting", + "expanded": "Victim Targeting" + } + ], + "values": [ + { + "predicate": "victim-targeting", + "entry": [ + { + "value": "business-professional-sector", + "expanded": "Business & Professional Services Sector" + }, + { + "value": "retail-sector", + "expanded": "Retail Sector" + }, + { + "value": "financial-sector", + "expanded": "Financial Services Sector" + }, + { + "value": "media-entertainment-sector", + "expanded": "Media & Entertainment Sector" + }, + { + "value": "construction-engineering-sector", + "expanded": "Construction & Engineering Sector" + }, + { + "value": "government-international-organizations-sector", + "expanded": "Goverment & International Organizations" + }, + { + "value": "legal-sector", + "expanded": "Legal Services" + }, + { + "value": "hightech-it-sector", + "expanded": "High-Tech & IT Sector" + }, + { + "value": "healthcare-sector", + "expanded": "Healthcare Sector" + }, + { + "value": "transportation-sector", + "expanded": "Transportation Sector" + }, + { + "value": "aerospace-defence-sector", + "expanded": "Aerospace & Defense Sector" + }, + { + "value": "energy-sector", + "expanded": "Energy Sector" + }, + { + "value": "food-sector", + "expanded": "Food Sector" + }, + { + "value": "natural-resources-sector", + "expanded": "Natural Resources Sector" + }, + { + "value": 
"other-sector", + "expanded": "Other Sector" + }, + { + "value": "corporate-employee-information", + "expanded": "Corporate Employee Information" + }, + { + "value": "customer-pii", + "expanded": "Customer PII" + }, + { + "value": "email-lists-archives", + "expanded": "Email Lists/Archives" + }, + { + "value": "financial-data", + "expanded": "Financial Data" + }, + { + "value": "intellectual-property", + "expanded": "Intellectual Property" + }, + { + "value": "mobile-phone-contacts", + "expanded": "Mobile Phone Contacts" + }, + { + "value": "user-credentials", + "expanded": "User Credentials" + }, + { + "value": "authentification-cookies", + "expanded": "Authentication Cookies" + } + ] + } + ] }
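Review bot: The `government-international-organizations-sector` entry carries a misspelled display label, `"expanded": "Goverment & International Organizations"`; since `expanded` is the human-readable string shown to analysts it should be `"expanded": "Government & International Organizations"`. The value `authentification-cookies` is likewise misspelled next to its correctly spelled label, but as a machinetag identifier that existing tags may reference it should only be renamed as a deliberate compatibility change, not as part of a reformat. Both are pre-existing; the hunk itself only reindents the file and drops a blank line.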