Jakub Onderka 2021-02-18 12:51:22 +01:00 committed by GitHub
parent 82fbe9b0a8
commit 37406214ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 21 deletions


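--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -3,18 +3,18 @@
 {
 "entry": [
 {
-"description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content.",
+"description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.",
 "expanded": "Spam",
 "value": "spam"
 },
 {
-"description": "Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.",
+"description": "Discretization or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.",
 "expanded": "Harmful Speech",
 "value": "harmful-speech"
 },
 {
-"description": "Child pornography, glorification of violence, etc.",
-"expanded": "Child Porn/Sexual/Violent Content",
+"description": "Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.",
+"expanded": "(Child) Sexual Exploitation/Sexual/Violent Content",
 "value": "violence"
 }
 ],
@@ -23,7 +23,7 @@
 {
 "entry": [
 {
-"description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit.",
+"description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server",
 "expanded": "Infected System",
 "value": "infected-system"
 },
@@ -33,12 +33,12 @@
 "value": "c2-server"
 },
 {
-"description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.",
+"description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).",
 "expanded": "Malware Distribution",
 "value": "malware-distribution"
 },
 {
-"description": "URI hosting a malware configuration file, e.g. webinjects for a banking trojan.",
+"description": "URI hosting a malware configuration file, e.g. web-injects for a banking trojan.",
 "expanded": "Malware Configuration",
 "value": "malware-configuration"
 }
@@ -73,7 +73,7 @@
 "value": "ids-alert"
 },
 {
-"description": "Multiple login attempts (Guessing / cracking of passwords, brute force).",
+"description": "Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.",
 "expanded": "Login attempts",
 "value": "brute-force"
 },
@@ -98,12 +98,17 @@
 "value": "unprivileged-account-compromise"
 },
 {
-"description": "Compromise of an application by exploiting (un)known software vulnerabilities, e.g. SQL injection.",
+"description": "Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.",
 "expanded": "Application Compromise",
 "value": "application-compromise"
 },
 {
-"description": "Physical intrusion, e.g. into corporate building or data center.",
+"description": "Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems.",
+"expanded": "System Compromise",
+"value": "system-compromise"
+},
+{
+"description": "Physical intrusion, e.g. into corporate building or data-centre.",
 "expanded": "Burglary",
 "value": "burglary"
 }
@@ -143,12 +148,12 @@
 {
 "entry": [
 {
-"description": "Unauthorized access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.",
+"description": "Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.",
 "expanded": "Unauthorised access to information",
 "value": "unauthorised-information-access"
 },
 {
-"description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.",
+"description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.",
 "expanded": "Unauthorised modification of information",
 "value": "unauthorised-information-modification"
 },
@@ -156,6 +161,11 @@
 "description": "Loss of data, e.g. caused by harddisk failure or physical theft.",
 "expanded": "Data Loss",
 "value": "data-loss"
+},
+{
+"description": "Leaked confidential information like credentials or personal data.",
+"expanded": "Leak of confidential information",
+"value": "data-leak"
 }
 ],
 "predicate": "information-content-security"
@@ -163,9 +173,9 @@
 {
 "entry": [
 {
-"description": "Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.",
-"expanded": "Unauthorized use of resources",
-"value": "unauthorized-use-of-resources"
+"description": "Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.",
+"expanded": "Unauthorised use of resources",
+"value": "unauthorised-use-of-resources"
 },
 {
 "description": "Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).",
@@ -178,7 +188,7 @@
 "value": "masquerade"
 },
 {
-"description": "Masquerading as another entity in order to persuade the user to reveal private credentials.",
+"description": "Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials.",
 "expanded": "Phishing",
 "value": "phishing"
 }
@@ -208,7 +218,7 @@
 "value": "information-disclosure"
 },
 {
-"description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.",
+"description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc.",
 "expanded": "Vulnerable system",
 "value": "vulnerable-system"
 }
@@ -218,9 +228,14 @@
 {
 "entry": [
 {
-"description": "All incidents which don't fit in one of the given categories should be put into this class.",
-"expanded": "Other",
+"description": "All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised.",
+"expanded": "Uncategorised",
 "value": "other"
+},
+{
+"description": "The categorisation of the incident is unknown/undetermined.",
+"expanded": "Undetermined",
+"value": "undetermined"
 }
 ],
 "predicate": "other"
@@ -258,7 +273,7 @@
 "value": "intrusion-attempts"
 },
 {
-"description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. Also includes being part of a botnet.",
+"description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorised local access. Also includes being part of a botnet.",
 "expanded": "Intrusions",
 "value": "intrusions"
 },
@@ -293,7 +308,7 @@
 "value": "test"
 }
 ],
-"version": 3,
+"version": 1002,
 "description": "Reference Security Incident Classification Taxonomy",
 "namespace": "rsit"
 }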
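Review bot: The change to `"value": "unauthorised-use-of-resources"` in the `-163,9 +173,9` hunk renames a machine-tag identifier rather than display text, so anything already tagged with the old `unauthorized-use-of-resources` value will no longer resolve against this taxonomy entry, whereas every other hunk only edits `description`/`expanded` strings and is safe to consume. Unless the taxonomy loader is known to map renamed values, keep the old `value` string and change only `expanded`, or state the rename and the migration path for existing tags in the commit description. Separately, the rewritten Harmful Speech description in the first hunk now begins `"Discretization or discrimination of somebody"`, which appears to be a misspelling of the old text's `Discreditation` and changes the meaning. The jump from `"version": 3` to `"version": 1002` in the last hunk is presumably intentional, but a word on the new versioning scheme in the commit description would help anyone comparing taxonomy versions.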