diff --git a/README.md b/README.md
index bca2ff1..31d51e7 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,8 @@ The following taxonomies are described:
 - [eCSIRT](./ecsirt) and IntelMQ incident classification
 - [EU critical sectors](./eu-critical-sectors) - EU critical sectors
 - [EUCI](./euci) - EU classified information marking
+- [Europol Incident](./europol-incident) - Europol class of incident taxonomy
+- [Europol Events](./europol-events) - Europol type of events taxonomy
 - [FIRST CSIRT Case](./first_csirt_case_classification) classification
 - [Information Security Marking Metadata](./dni-ism) from DNI (Director of National Intelligence - US)
 - [Malware](./malware) classification based on a SANS document
diff --git a/europol-events/machinetag.json b/europol-events/machinetag.json
new file mode 100644
index 0000000..fb285a1
--- /dev/null
+++ b/europol-events/machinetag.json
@@ -0,0 +1,239 @@
+{
+ "namespace": "europol-event",
+ "expanded": "Europol type of events taxonomy",
+ "description": "This taxonomy was designed to describe the type of events",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "infected-by-known-malware",
+ "expanded": "System(s) infected by known malware",
+ "description": "The presence of any of the types of malware was detected in a system."
+ },
+ {
+ "value": "dissemination-malware-email",
+ "expanded": "Dissemination of malware by email",
+ "description": "Malware attached to a message or email message containing link to malicious URL."
+ },
+ {
+ "value": "hosting-malware-webpage",
+ "expanded": "Hosting of malware on web page",
+ "description": " Web page disseminating one or various types of malware."
+ },
+ {
+ "value": "c&c-server-hosting",
+ "expanded": "Hosting of malware on web page",
+ "description": "Web page disseminating one or various types of malware."
+ },
+ {
+ "value": "worm-spreading",
+ "expanded": "Replication and spreading of a worm",
+ "description": "System infected by a worm trying to infect other systems."
+ },
+ {
+ "value": "connection-malware-port",
+ "expanded": "Connection to (a) suspicious port(s) linked to specific malware",
+ "description": "System attempting to gain access to a port normally linked to a specific type of malware."
+ },
+ {
+ "value": "connection-malware-system",
+ "expanded": "Connection to (a) suspicious system(s) linked to specific malware",
+ "description": "System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet."
+ },
+ {
+ "value": "flood",
+ "expanded": "Flood of requests",
+ "description": "Mass mailing of requests (network packets, emails, etc...) from one single source to a specific service, aimed at affecting its normal functioning."
+ },
+ {
+ "value": "exploit-tool-exhausting-resources",
+ "expanded": "Exploit or tool aimed at exhausting resources (network, processing capacity, sessions, etc...)",
+ "description": "One single source using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability."
+ },
+ {
+ "value": "packet-flood",
+ "expanded": "Packet flooding",
+ "description": "Mass mailing of requests (network packets, emails, etc...) from various sources to a specific service, aimed at affecting its normal functioning."
+ },
+ {
+ "value": "exploit-framework-exhausting-resources",
+ "expanded": "Exploit or tool distribution aimed at exhausting resources",
+ "description": "Various sources using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability."
+ },
+ {
+ "value": "vandalism",
+ "expanded": "Vandalism",
+ "description": "Logical and physical activities which – although they are not aimed at causing damage to information or at preventing its transmission among systems – have this effect."
+ },
+ {
+ "value": "disruption-data-transmission",
+ "expanded": "Intentional disruption of data transmission and processing mechanisms",
+ "description": "Logical and physical activities aimed at causing damage to information or at preventing its transmission among systems."
+ },
+ {
+ "value": "system-probe",
+ "expanded": "System probe",
+ "description": "Single system scan searching for open ports or services using these ports for responding."
+ },
+ {
+ "value": "network-scanning",
+ "expanded": "Network scanning",
+ "description": "Scanning a network aimed at identifying systems which are active in the same network."
+ },
+ {
+ "value": "dns-zone-transfer",
+ "expanded": "DNS zone transfer",
+ "description": "Transfer of a specific DNS zone."
+ },
+ {
+ "value": "wiretapping",
+ "expanded": "Wiretapping",
+ "description": "Logical or physical interception of communications."
+ },
+ {
+ "value": "dissemination-phishing-emails",
+ "expanded": "Dissemination of phishing emails",
+ "description": "Mass emailing aimed at collecting data for phishing purposes with regard to the victims."
+ },
+ {
+ "value": "hosting-phishing-sites",
+ "expanded": "Hosting phishing sites",
+ "description": "Hosting web sites for phishing purposes."
+ },
+ {
+ "value": "aggregation-information-phishing-schemes",
+ "expanded": "Aggregation of information gathered through phishing schemes",
+ "description": "Collecting data obtained through phishing attacks on web pages, email accounts, etc..."
+ },
+ {
+ "value": "exploit-attempt",
+ "expanded": "Exploit attempt",
+ "description": "Unsuccessful use of a tool exploiting a specific vulnerability of the system."
+ },
+ {
+ "value": "sql-injection-attempt",
+ "expanded": "SQL injection attempt",
+ "description": "Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique."
+ },
+ {
+ "value": "xss-attempt",
+ "expanded": "XSS attempt",
+ "description": "Unsuccessful attempts to perform attacks by using cross-site scripting techniques."
+ },
+ {
+ "value": "file-inclusion-attempt",
+ "expanded": "File inclusion attempt",
+ "description": "Unsuccessful attempt to include files in the system under attack by using file inclusion techniques."
+ },
+ {
+ "value": "brute-force-attempt",
+ "expanded": "Brute force attempt",
+ "description": "Unsuccessful login attempt by using sequential credentials for gaining access to the system."
+ },
+ {
+ "value": "password-cracking-attempt",
+ "expanded": "Password cracking attempt",
+ "description": "Attempt to acquire access credentials by breaking the protective cryptographic keys."
+ },
+ {
+ "value": "dictionary-attack-attempt",
+ "expanded": "Dictionary attack attempt",
+ "description": "Unsuccessful login attempt by using system access credentials previously loaded into a dictionary."
+ },
+ {
+ "value": "exploit",
+ "expanded": "Use of a local or remote exploit",
+ "description": "Successful use of a tool exploiting a specific vulnerability of the system."
+ },
+ {
+ "value": "sql-injection",
+ "expanded": "SQL injection",
+ "description": "Manipulation or reading of information contained in a database by using the SQL injection technique."
+ },
+ {
+ "value": "xss",
+ "expanded": "XSS",
+ "description": "Attacks performed with the use of cross-site scripting techniques."
+ },
+ {
+ "value": "file-inclusion",
+ "expanded": "File inclusion",
+ "description": "Inclusion of files into a system under attack with the use of file inclusion techniques."
+ },
+ {
+ "value": "control-system-bypass",
+ "expanded": "Control system bypass",
+ "description": "Unauthorised access to a system or component by bypassing an access control system in place."
+ },
+ {
+ "value": "theft-access-credentials",
+ "expanded": "Theft of access credentials",
+ "description": "Unauthorised access to a system or component by using stolen access credentials."
+ },
+ {
+ "value": "unauthorized-access-system",
+ "expanded": "Unauthorised access to a system",
+ "description": "Unauthorised access to a system or component."
+ },
+ {
+ "value": "unauthorized-access-information",
+ "expanded": "Unauthorised access to information",
+ "description": "Unauthorised access to a set of information."
+ },
+ {
+ "value": "data-exfiltration",
+ "expanded": "Data exfiltration",
+ "description": "Unauthorised access to and sharing of a specific set of information."
+ },
+ {
+ "value": "modification-information",
+ "expanded": "Modification of information",
+ "description": "Unauthorised changes to a specific set of information."
+ },
+ {
+ "value": "deletion-information",
+ "expanded": "Deletion of information",
+ "description": "Unauthorised deleting of a specific set of information."
+ },
+ {
+ "value": "illegitimate-use-resources",
+ "expanded": "Misuse or unauthorised use of resources",
+ "description": "Use of institutional resources for purposes other than those intended."
+ },
+ {
+ "value": "illegitimate-use-name",
+ "expanded": "Illegitimate use of the name of an institution or third party",
+ "description": "Using the name of an institution without permission to do so."
+ },
+ {
+ "value": "email-flooding",
+ "expanded": "Email flooding",
+ "description": "Sending an unusually large quantity of email messages."
+ },
+ {
+ "value": "spam",
+ "expanded": "Sending an unsolicited message",
+ "description": "Sending an email message that was unsolicited or unwanted by the recipient."
+ },
+ {
+ "value": "copyrighted-content",
+ "expanded": "Distribution or sharing of copyright protected content",
+ "description": "Distribution or sharing of content protected by copyright and related rights."
+ },
+ {
+ "value": "content-forbidden-by-law",
+ "expanded": "Dissemination of content forbidden by law (publicly prosecuted offences)",
+ "description": "Distribution or sharing of illegal content such as child pornography, racism, xenophobia, etc..."
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Other unspecified event",
+ "description": "Other unlisted events."
+ },
+ {
+ "value": "undetermined",
+ "expanded": "Undetermined",
+ "description": "Field aimed at the classification of unprocessed events, which have remained undetermined from the beginning."
+ }
+ ],
+ "values": null
+}
diff --git a/europol-incident/machinetag.json b/europol-incident/machinetag.json
new file mode 100644
index 0000000..12101f1
--- /dev/null
+++ b/europol-incident/machinetag.json
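Review bot: The `c&c-server-hosting` predicate near the top of this hunk carries the `expanded` and `description` copied verbatim from `hosting-malware-webpage` ("Hosting of malware on web page" / "Web page disseminating one or various types of malware."), so the one tag meant for command-and-control infrastructure is documented as ordinary malware hosting and an analyst choosing between the two gets no guidance. Something like `"expanded": "Hosting of a C&C server"` and `"description": "System hosting a command-and-control server used to steer infected machines."` would separate them. The `&` in that value also ends up in the machine tag `europol-event:c&c-server-hosting`; tags of this kind are commonly passed through URLs and HTML, where an unescaped ampersand may be split or mangled, so it is worth confirming every consumer encodes it or picking a plain spelling such as `cc-server-hosting`. Separately, the `hosting-malware-webpage` description starts with a stray leading space, and the file declares `"namespace": "europol-event"` while the directory and README entry say `europol-events` — presumably intentional, but the two spellings will confuse anyone typing the tag prefix.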
@@ -0,0 +1,195 @@
+{
+ "version": 1,
+ "description": "This taxonomy was designed to describe the type of incidents by class.",
+ "expanded": "Europol class of incidents taxonomy",
+ "namespace": "europol-incident",
+ "predicates": [
+ {
+ "value": "malware",
+ "expanded": "Malware"
+ },
+ {
+ "value": "availability",
+ "expanded": "Availability"
+ },
+ {
+ "value": "information-gathering",
+ "expanded": "Gathering of information"
+ },
+ {
+ "value": "intrusion-attempt",
+ "expanded": "Intrusion attempt"
+ },
+ {
+ "value": "intrusion",
+ "expanded": "Intrusion"
+ },
+ {
+ "value": "information-security",
+ "expanded": "Information security"
+ },
+ {
+ "value": "fraud",
+ "expanded": "Fraud"
+ },
+ {
+ "value": "abusive-content",
+ "expanded": "Abusive content"
+ },
+ {
+ "value": "other",
+ "expanded": "Other"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "malware",
+ "entry": [
+ {
+ "value": "infection",
+ "expanded": "Infection",
+ "description": "Infecting one or various systems with a specific type of malware."
+ },
+ {
+ "value": "distribution",
+ "expanded": "Distribution",
+ "description": "Infecting one or various systems with a specific type of malware."
+ },
+ {
+ "value": "c&c",
+ "expanded": "C&C",
+ "description": "Infecting one or various systems with a specific type of malware."
+ },
+ {
+ "value": "undetermined",
+ "expanded": "Undetermined"
+ }
+ ]
+ },
+ {
+ "predicate": "availability",
+ "entry": [
+ {
+ "value": "dos-ddos",
+ "expanded": "DoS/DDoS",
+ "description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative."
+ },
+ {
+ "value": "sabotage",
+ "expanded": "Sabotage",
+ "description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc."
+ }
+ ]
+ },
+ {
+ "predicate": "information-gathering",
+ "entry": [
+ {
+ "value": "scanning",
+ "expanded": "Scanning",
+ "description": "Active and passive gathering of information on systems or networks."
+ },
+ {
+ "value": "sniffing",
+ "expanded": "Sniffing",
+ "description": "Unauthorised monitoring and reading of network traffic."
+ },
+ {
+ "value": "phishing",
+ "expanded": "Phishing",
+ "description": "Attempt to gather information on a user or a system through phishing methods."
+ }
+ ]
+ },
+ {
+ "predicate": "intrusion-attempt",
+ "entry": [
+ {
+ "value": "exploitation-vulnerability",
+ "expanded": "Exploitation of vulnerability",
+ "description": "Attempt to intrude by exploiting a vulnerability in a system, component or network."
+ },
+ {
+ "value": "login-attempt",
+ "expanded": "Login attempt",
+ "description": "Attempt to log in to services or authentication / access control mechanisms."
+ }
+ ]
+ },
+ {
+ "predicate": "intrusion",
+ "entry": [
+ {
+ "value": "exploitation-vulnerability",
+ "expanded": "Exploitation of vulnerability",
+ "description": "Actual intrusion by exploiting a vulnerability in the system, component or network."
+ },
+ {
+ "value": "compromising-account",
+ "expanded": "Compromising an account",
+ "description": "Actual intrusion in a system, component or network by compromising a user or administrator account."
+ }
+ ]
+ },
+ {
+ "predicate": "information-security",
+ "entry": [
+ {
+ "value": "unauthorized-access",
+ "expanded": "Unauthorised access",
+ "description": "Unauthorised access to a particular set of information"
+ },
+ {
+ "value": "unauthorized-modification",
+ "expanded": "Unauthorised modification/deletion",
+ "description": "Unauthorised change or elimination of a particular set of information"
+ }
+ ]
+ },
+ {
+ "predicate": "fraud",
+ "entry": [
+ {
+ "value": "illegitimate-use-resources",
+ "expanded": "Misuse or unauthorised use of resources",
+ "description": "Use of institutional resources for purposes other than those intended."
+ },
+ {
+ "value": "illegitimate-use-name",
+ "expanded": "Illegitimate use of the name of a third party",
+ "description": "Use of the name of an institution without permission to do so."
+ }
+ ]
+ },
+ {
+ "predicate": "abusive-content",
+ "entry": [
+ {
+ "value": "spam",
+ "expanded": "SPAM",
+ "description": " Sending SPAM messages."
+ },
+ {
+ "value": "copyright",
+ "expanded": "Copyright",
+ "description": "Distribution and sharing of copyright protected content."
+ },
+ {
+ "value": "content-forbidden-by-law",
+ "expanded": "Dissemination of content forbidden by law.",
+ "description": "Child pornography, racism and apology of violence."
+ }
+ ]
+ },
+ {
+ "predicate": "other",
+ "entry": [
+ {
+ "value": "other",
+ "expanded": "Other",
+ "description": " Other type of unspecified incident"
+ }
+ ]
+ }
+ ]
+}
diff --git a/tools/machinetag.py b/tools/machinetag.py
index 9b85ea1..3b2f26d 100755
--- a/tools/machinetag.py
+++ b/tools/machinetag.py
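Review bot: Under the `malware` predicate, the `distribution` and `c&c` entries reuse the `infection` description word for word ("Infecting one or various systems with a specific type of malware."), so three tags that are supposed to distinguish an infected host, a malware distribution point and a command-and-control server all read as the same thing. Descriptions along the lines of `"Serving or spreading malware to other systems."` for `distribution` and `"Operating a command-and-control server for infected systems."` for `c&c` would let an analyst pick the right one without guessing. The `c&c` value also puts a bare `&` into the tag `europol-incident:malware="c&c"`, which is awkward anywhere the tag is URL- or HTML-encoded downstream; confirm consumers handle it or use a plain spelling such as `cc`. Minor: `undetermined` exists only under `malware` and not under the other predicates, and two descriptions (`spam`, `other`) begin with a leading space.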
@@ -30,7 +30,7 @@ import json
 import os.path
 import argparse
-taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'nato', 'euci', 'osint', 'first_csirt_case_classification', 'malware', 'de-vs', 'fr-classification','eu-critical-sectors','dhs-ciip-sectors']
+taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'europol-events', 'europol-incident', 'nato', 'euci', 'osint', 'first_csirt_case_classification', 'malware', 'de-vs', 'fr-classification','eu-critical-sectors','dhs-ciip-sectors']
 argParser = argparse.ArgumentParser(description='Dump Machine Tags (Triple Tags) from MISP taxonomies', epilog='Available taxonomies are {0}'.format(taxonomies))
 argParser.add_argument('-e', action='store_true', help='Include expanded tags')
 argParser.add_argument('-a', action='store_true', help='Generate asciidoctor document from MISP taxonomies')
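Review bot: The new list entry `'europol-events'` does not match the `"namespace": "europol-event"` declared in `europol-events/machinetag.json` elsewhere in this commit, so if the tool resolves the directory from this list and emits tags from the namespace (the loading code is outside this hunk, so I cannot confirm), the name a user passes on the command line and the prefix that appears in the generated tags will differ; either rename the directory to `europol-event` or set the namespace to `europol-events` so the two agree. Also worth noting that this hard-coded list is the only thing keeping `tools/machinetag.py` in sync with the repository; deriving it once, e.g. `taxonomies = sorted(os.path.dirname(p) for p in glob.glob('*/machinetag.json'))`, would avoid the next taxonomy being silently unavailable when someone forgets this line.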