Merge branch 'paulingega-sa-main' into main
commit
3c8db10777
|
@ -559,23 +559,8 @@
|
|||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"name": "threatmatch-alert-types",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"name": "threatmatch-incident-types",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"name": "threatmatch-malware-types",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"name": "threatmatch-sectors",
|
||||
"description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"name": "ThreatMatch",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
|
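Review bot: the new manifest entry's name "ThreatMatch" is the only capitalised taxonomy name in this list (its neighbours, e.g. "threatmatch-alert-types" and "threats-to-dns", are all lowercase-hyphenated), and the four removed entries get no deprecation pointer, so an instance that previously enabled threatmatch-alert-types, threatmatch-incident-types, threatmatch-malware-types or threatmatch-sectors has nothing telling it to migrate its tags. Suggest a lowercase namespace for consistency with the rest of the manifest, and a sentence in "description" naming the four taxonomies this one supersedes.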
@ -630,5 +615,5 @@
|
|||
}
|
||||
],
|
||||
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
|
||||
"version": "20210325"
|
||||
"version": "20210413"
|
||||
}
|
||||
|
|
26
README.md
|
@ -10,7 +10,6 @@ Taxonomies that can be used in [MISP](https://github.com/MISP/MISP) (2.4) and ot
|
|||
|
||||
The following taxonomies can be used in MISP (as local or distributed tags) or in other tools and software willing to share common taxonomies among security information sharing tools.
|
||||
|
||||
|
||||
### CERT-XLM
|
||||
|
||||
[CERT-XLM](https://github.com/MISP/misp-taxonomies/tree/main/CERT-XLM) :
|
||||
|
@ -31,6 +30,11 @@ The Detection Maturity Level (DML) model is a capability maturity model for refe
|
|||
[PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) :
|
||||
The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. [Overview](https://www.misp-project.org/taxonomies.html#_PAP)
|
||||
|
||||
### ThreatMatch
|
||||
|
||||
[ThreatMatch](https://github.com/MISP/misp-taxonomies/tree/main/ThreatMatch) :
|
||||
The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_ThreatMatch)
|
||||
|
||||
### access-method
|
||||
|
||||
[access-method](https://github.com/MISP/misp-taxonomies/tree/main/access-method) :
|
||||
|
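Review bot: the section lands between PAP and access-method, which matches the case-sensitive ordering the README already uses for PAP, but the description line only repeats the manifest wording and does not say that ThreatMatch replaces the four threatmatch-* sections removed further down in this file. If README.md is generated from the machinetag files like summary.md, the fix belongs in the taxonomy's "description" string, e.g. append "Supersedes threatmatch-alert-types, threatmatch-incident-types, threatmatch-malware-types and threatmatch-sectors."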
@ -566,26 +570,6 @@ TTPs are representations of the behavior or modus operandi of cyber adversaries.
|
|||
[targeted-threat-index](https://github.com/MISP/misp-taxonomies/tree/main/targeted-threat-index) :
|
||||
The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. [Overview](https://www.misp-project.org/taxonomies.html#_targeted_threat_index)
|
||||
|
||||
### threatmatch-alert-types
|
||||
|
||||
[threatmatch-alert-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-alert-types) :
|
||||
The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_alert_types)
|
||||
|
||||
### threatmatch-incident-types
|
||||
|
||||
[threatmatch-incident-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-incident-types) :
|
||||
The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_incident_types)
|
||||
|
||||
### threatmatch-malware-types
|
||||
|
||||
[threatmatch-malware-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-malware-types) :
|
||||
The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_malware_types)
|
||||
|
||||
### threatmatch-sectors
|
||||
|
||||
[threatmatch-sectors](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-sectors) :
|
||||
The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_sectors)
|
||||
|
||||
### threats-to-dns
|
||||
|
||||
[threats-to-dns](https://github.com/MISP/misp-taxonomies/tree/main/threats-to-dns) :
|
||||
|
|
48
summary.md
|
@ -1,5 +1,5 @@
|
|||
# Taxonomies
|
||||
- Generation date: 2021-03-24
|
||||
- Generation date: 2021-04-13
|
||||
- license: CC-0
|
||||
- description: Manifest file of MISP taxonomies available.
|
||||
|
||||
|
@ -180,7 +180,7 @@
|
|||
- threat-vector
|
||||
### circl
|
||||
- description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
|
||||
- version: 4
|
||||
- version: 5
|
||||
- Predicates
|
||||
- incident-classification
|
||||
- topic
|
||||
|
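Review bot: the circl version bump (4 to 5) here, and the cti, ioc and vmray sections added further down in summary.md, belong to taxonomies this change does not otherwise touch; that is expected if summary.md was regenerated against a newer main during the merge, but confirm the matching machinetag.json updates are already on main so the summary does not describe versions the manifest lacks.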
@ -280,6 +280,16 @@
|
|||
- report
|
||||
- origin
|
||||
- analyse
|
||||
### cti
|
||||
- description: Cyber Threat Intelligence cycle to control workflow state of your process.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- planning
|
||||
- collection
|
||||
- processing-and-analysis
|
||||
- dissemination-done
|
||||
- feedback-received
|
||||
- feedback-pending
|
||||
### current-event
|
||||
- description: Current events - Schemes of Classification in Incident Response and Detection
|
||||
- version: 1
|
||||
|
@ -837,6 +847,11 @@
|
|||
- dns
|
||||
- host-file
|
||||
- other
|
||||
### ioc
|
||||
- description: An IOC classification to facilitate automation of malicious and non malicious artifacts
|
||||
- version: 2
|
||||
- Predicates
|
||||
- artifact-state
|
||||
### iot
|
||||
- description: Internet of Things taxonomy, based on IOT UK report https://iotuk.org.uk/wp-content/uploads/2017/01/IOT-Taxonomy-Report.pdf
|
||||
- version: 2
|
||||
|
@ -1144,26 +1159,14 @@
|
|||
- Predicates
|
||||
- targeting-sophistication-base-value
|
||||
- technical-sophistication-multiplier
|
||||
### threatmatch-alert-types
|
||||
- description: The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- alert_type
|
||||
### threatmatch-incident-types
|
||||
- description: The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- incident_type
|
||||
### threatmatch-malware-types
|
||||
- description: The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- malware_type
|
||||
### threatmatch-sectors
|
||||
- description: The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
|
||||
### ThreatMatch
|
||||
- description: The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- sector
|
||||
- incident-type
|
||||
- malware-type
|
||||
- alert-type
|
||||
### threats-to-dns
|
||||
- description: An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614
|
||||
- version: 1
|
||||
|
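Review bot: the regenerated predicate list (sector, incident-type, malware-type, alert-type) uses hyphens where the replaced taxonomies used underscores (alert_type, incident_type, malware_type), so an existing tag such as threatmatch-alert-types:alert_type="DDoS" does not become ThreatMatch:alert-type="DDoS" by a namespace rename alone; state the old-to-new mapping in the taxonomy README so operators can rewrite existing tags deterministically.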
@ -1282,6 +1285,13 @@
|
|||
- victim:revenue:iso_currency_code
|
||||
- attribute:availability:duration:unit
|
||||
- attribute:confidentiality:data:variety
|
||||
### vmray
|
||||
- description: VMRay taxonomies to map VMRay Thread Identifier scores and artifacts.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- artifact
|
||||
- verdict
|
||||
- vti_analysis_score
|
||||
### vocabulaire-des-probabilites-estimatives
|
||||
- description: Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité
|
||||
- version: 3
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
## Alert types
|
||||
Alert tags are used by the ThreatMatch platform to categorise a relevant threat.
|
||||
Tags should be used for all CIISI and TIBER projects.
|
|
@ -1,99 +0,0 @@
|
|||
{
|
||||
"namespace": "threatmatch-alert-types",
|
||||
"expanded": "Alert Types for Sharing into ThreatMatch and MISP.",
|
||||
"version": 1,
|
||||
"description": "The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"refs": [
|
||||
"https://www.secalliance.com/platform/",
|
||||
"https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "alert_type",
|
||||
"expanded": "Alert type"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "alert_type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Actor Campaigns",
|
||||
"expanded": "Actor Campaigns"
|
||||
},
|
||||
{
|
||||
"value": "Credential Breaches",
|
||||
"expanded": "Credential Breaches"
|
||||
},
|
||||
{
|
||||
"value": "DDoS",
|
||||
"expanded": "DDoS"
|
||||
},
|
||||
{
|
||||
"value": "Exploit Alert",
|
||||
"expanded": "Exploit Alert"
|
||||
},
|
||||
{
|
||||
"value": "General Notification",
|
||||
"expanded": "General Notification"
|
||||
},
|
||||
{
|
||||
"value": "High Impact Vulnerabilities",
|
||||
"expanded": "High Impact Vulnerabilities"
|
||||
},
|
||||
{
|
||||
"value": "Information Leakages",
|
||||
"expanded": "Information Leakages"
|
||||
},
|
||||
{
|
||||
"value": "Malware Analysis",
|
||||
"expanded": "Malware Analysis"
|
||||
},
|
||||
{
|
||||
"value": "Nefarious Domains",
|
||||
"expanded": "Nefarious Domains"
|
||||
},
|
||||
{
|
||||
"value": "Nefarious Forum Mention",
|
||||
"expanded": "Nefarious Forum Mention"
|
||||
},
|
||||
{
|
||||
"value": "Pastebin Dumps",
|
||||
"expanded": "Pastebin Dumps"
|
||||
},
|
||||
{
|
||||
"value": "Phishing Attempts",
|
||||
"expanded": "Phishing Attempts"
|
||||
},
|
||||
{
|
||||
"value": "PII Exposure",
|
||||
"expanded": "PII Exposure"
|
||||
},
|
||||
{
|
||||
"value": "Sensitive Information Disclosures",
|
||||
"expanded": "Sensitive Information Disclosures"
|
||||
},
|
||||
{
|
||||
"value": "Social Media Alerts",
|
||||
"expanded": "Social Media Alerts"
|
||||
},
|
||||
{
|
||||
"value": "Supply Chain Event",
|
||||
"expanded": "Supply Chain Event"
|
||||
},
|
||||
{
|
||||
"value": "Technical Exposure",
|
||||
"expanded": "Technical Exposure"
|
||||
},
|
||||
{
|
||||
"value": "Threat Actor Updates",
|
||||
"expanded": "Threat Actor Updates"
|
||||
},
|
||||
{
|
||||
"value": "Trigger Events",
|
||||
"expanded": "Trigger Events"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
## Incident types
|
||||
Incident tags are used by the ThreatMatch platform to categorise a relevant incident event.
|
||||
Tags should be used for all CIISI and TIBER projects.
|
|
@ -1,175 +0,0 @@
|
|||
{
|
||||
"namespace": "threatmatch-incident-types",
|
||||
"expanded": "Incident Types for Sharing into ThreatMatch and MISP",
|
||||
"version": 1,
|
||||
"description": "The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"refs": [
|
||||
"https://www.secalliance.com/platform/",
|
||||
"https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "incident_type",
|
||||
"expanded": "Threat Match incident types"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "incident_type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "ATM Attacks",
|
||||
"expanded": "ATM Attacks"
|
||||
},
|
||||
{
|
||||
"value": "ATM Breach",
|
||||
"expanded": "ATM Breach"
|
||||
},
|
||||
{
|
||||
"value": "Attempted Exploitation",
|
||||
"expanded": "Attempted Exploitation"
|
||||
},
|
||||
{
|
||||
"value": "Botnet Activity",
|
||||
"expanded": "Botnet Activity"
|
||||
},
|
||||
{
|
||||
"value": "Business Email Compromise",
|
||||
"expanded": "Business Email Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Crypto Mining",
|
||||
"expanded": "Crypto Mining"
|
||||
},
|
||||
{
|
||||
"value": "Data Breach/Compromise",
|
||||
"expanded": "Data Breach/Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Data Dump",
|
||||
"expanded": "Data Dump"
|
||||
},
|
||||
{
|
||||
"value": "Data Leakage",
|
||||
"expanded": "Data Leakage"
|
||||
},
|
||||
{
|
||||
"value": "DDoS",
|
||||
"expanded": "DDoS"
|
||||
},
|
||||
{
|
||||
"value": "Defacement Activity",
|
||||
"expanded": "Defacement Activity"
|
||||
},
|
||||
{
|
||||
"value": "Denial of Service (DoS)",
|
||||
"expanded": "Denial of Service (DoS)"
|
||||
},
|
||||
{
|
||||
"value": "Disruption Activity",
|
||||
"expanded": "Disruption Activity"
|
||||
},
|
||||
{
|
||||
"value": "Espionage",
|
||||
"expanded": "Espionage"
|
||||
},
|
||||
{
|
||||
"value": "Espionage Activity",
|
||||
"expanded": "Espionage Activity"
|
||||
},
|
||||
{
|
||||
"value": "Exec Targeting ",
|
||||
"expanded": "Exec Targeting "
|
||||
},
|
||||
{
|
||||
"value": "Exposure of Data",
|
||||
"expanded": "Exposure of Data"
|
||||
},
|
||||
{
|
||||
"value": "Extortion Activity",
|
||||
"expanded": "Extortion Activity"
|
||||
},
|
||||
{
|
||||
"value": "Fraud Activity",
|
||||
"expanded": "Fraud Activity"
|
||||
},
|
||||
{
|
||||
"value": "General Notification",
|
||||
"expanded": "General Notification"
|
||||
},
|
||||
{
|
||||
"value": "Hacktivism Activity",
|
||||
"expanded": "Hacktivism Activity"
|
||||
},
|
||||
{
|
||||
"value": "Malicious Insider",
|
||||
"expanded": "Malicious Insider"
|
||||
},
|
||||
{
|
||||
"value": "Malware Infection",
|
||||
"expanded": "Malware Infection"
|
||||
},
|
||||
{
|
||||
"value": "Man in the Middle Attacks",
|
||||
"expanded": "Man in the Middle Attacks"
|
||||
},
|
||||
{
|
||||
"value": "MFA Attack",
|
||||
"expanded": "MFA Attack"
|
||||
},
|
||||
{
|
||||
"value": "Mobile Malware",
|
||||
"expanded": "Mobile Malware"
|
||||
},
|
||||
{
|
||||
"value": "Phishing Activity",
|
||||
"expanded": "Phishing Activity"
|
||||
},
|
||||
{
|
||||
"value": "Ransomware Activity",
|
||||
"expanded": "Ransomware Activity"
|
||||
},
|
||||
{
|
||||
"value": "Social Engineering Activity",
|
||||
"expanded": "Social Engineering Activity"
|
||||
},
|
||||
{
|
||||
"value": "Social Media Compromise",
|
||||
"expanded": "Social Media Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Spear-phishing Activity",
|
||||
"expanded": "Spear-phishing Activity"
|
||||
},
|
||||
{
|
||||
"value": "Spyware",
|
||||
"expanded": "Spyware"
|
||||
},
|
||||
{
|
||||
"value": "SQL Injection Activity",
|
||||
"expanded": "SQL Injection Activity"
|
||||
},
|
||||
{
|
||||
"value": "Supply Chain Compromise",
|
||||
"expanded": "Supply Chain Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Trojanised Software",
|
||||
"expanded": "Trojanised Software"
|
||||
},
|
||||
{
|
||||
"value": "Vishing",
|
||||
"expanded": "Vishing"
|
||||
},
|
||||
{
|
||||
"value": "Website Attack (Other)",
|
||||
"expanded": "Website Attack (Other)"
|
||||
},
|
||||
{
|
||||
"value": "Unknown",
|
||||
"expanded": "Unknown"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
## Malware types
|
||||
Malware tags are used by the ThreatMatch platform to categorise malware types.
|
||||
Tags should be used for all CIISI and TIBER projects.
|
|
@ -1,115 +0,0 @@
|
|||
{
|
||||
"namespace": "threatmatch-malware-types",
|
||||
"expanded": "Malware Types for Sharing into ThreatMatch and MISP",
|
||||
"version": 1,
|
||||
"description": "The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"refs": [
|
||||
"https://www.secalliance.com/platform/",
|
||||
"https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "malware_type",
|
||||
"expanded": "Malware type"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "malware_type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Adware",
|
||||
"expanded": "Adware"
|
||||
},
|
||||
{
|
||||
"value": "Backdoor",
|
||||
"expanded": "Backdoor"
|
||||
},
|
||||
{
|
||||
"value": "Banking Trojan",
|
||||
"expanded": "Banking Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Botnet",
|
||||
"expanded": "Botnet"
|
||||
},
|
||||
{
|
||||
"value": "Destructive",
|
||||
"expanded": "Destructive"
|
||||
},
|
||||
{
|
||||
"value": "Downloader",
|
||||
"expanded": "Downloader"
|
||||
},
|
||||
{
|
||||
"value": "Exploit Kit",
|
||||
"expanded": "Exploit Kit"
|
||||
},
|
||||
{
|
||||
"value": "Fileless Malware",
|
||||
"expanded": "Fileless Malware"
|
||||
},
|
||||
{
|
||||
"value": "Keylogger",
|
||||
"expanded": "Keylogger"
|
||||
},
|
||||
{
|
||||
"value": "Legitimate Tool",
|
||||
"expanded": "Legitimate Tool"
|
||||
},
|
||||
{
|
||||
"value": "Mobile Application",
|
||||
"expanded": "Mobile Application"
|
||||
},
|
||||
{
|
||||
"value": "Mobile Malware",
|
||||
"expanded": "Mobile Malware"
|
||||
},
|
||||
{
|
||||
"value": "Point-of-Sale (PoS)",
|
||||
"expanded": "Point-of-Sale (PoS)"
|
||||
},
|
||||
{
|
||||
"value": "Remote Access Trojan",
|
||||
"expanded": "Remote Access Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Rootkit",
|
||||
"expanded": "Rootkit"
|
||||
},
|
||||
{
|
||||
"value": "Skimmer",
|
||||
"expanded": "Skimmer"
|
||||
},
|
||||
{
|
||||
"value": "Spyware",
|
||||
"expanded": "Spyware"
|
||||
},
|
||||
{
|
||||
"value": "Surveillance Tool",
|
||||
"expanded": "Surveillance Tool"
|
||||
},
|
||||
{
|
||||
"value": "Trojan",
|
||||
"expanded": "Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Virus",
|
||||
"expanded": "Virus "
|
||||
},
|
||||
{
|
||||
"value": "Worm",
|
||||
"expanded": "Worm"
|
||||
},
|
||||
{
|
||||
"value": "Zero-day",
|
||||
"expanded": "Zero-day"
|
||||
},
|
||||
{
|
||||
"value": "Unknown",
|
||||
"expanded": "Unknown"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
## Sector types
|
||||
Extensive list of sector definition tags.
|
||||
Tags should be used for all CIISI and TIBER projects.
|
|
@ -1,167 +0,0 @@
|
|||
{
|
||||
"namespace": "threatmatch-sectors",
|
||||
"expanded": "Sector Types for Sharing into ThreatMatch and MISP",
|
||||
"version": 1,
|
||||
"description": "The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"refs": [
|
||||
"https://www.secalliance.com/platform/",
|
||||
"https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "sector",
|
||||
"expanded": "Threat Match sector definitions"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "sector",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Banking & Capital Markets",
|
||||
"expanded": "Banking & capital markets"
|
||||
},
|
||||
{
|
||||
"value": "Financial Services",
|
||||
"expanded": "Financial Services"
|
||||
},
|
||||
{
|
||||
"value": "Insurance",
|
||||
"expanded": "Insurance"
|
||||
},
|
||||
{
|
||||
"value": "Pension",
|
||||
"expanded": "Pension"
|
||||
},
|
||||
{
|
||||
"value": "Government & Public Service",
|
||||
"expanded": "Government & Public Service"
|
||||
},
|
||||
{
|
||||
"value": "Diplomatic Services",
|
||||
"expanded": "Diplomatic Services"
|
||||
},
|
||||
{
|
||||
"value": "Energy, Utilities & Mining",
|
||||
"expanded": "Energy, Utilities & Mining"
|
||||
},
|
||||
{
|
||||
"value": "Telecommunications",
|
||||
"expanded": "Telecommunications"
|
||||
},
|
||||
{
|
||||
"value": "Technology",
|
||||
"expanded": "Technology"
|
||||
},
|
||||
{
|
||||
"value": "Academic/Research Institutes",
|
||||
"expanded": "Academic/Research Institutes"
|
||||
},
|
||||
{
|
||||
"value": "Aerospace, Defence & Security",
|
||||
"expanded": "Aerospace, Defence & Security"
|
||||
},
|
||||
{
|
||||
"value": "Agriculture",
|
||||
"expanded": "Agriculture"
|
||||
},
|
||||
{
|
||||
"value": "Asset & Wealth Management",
|
||||
"expanded": "Asset & Wealth Management"
|
||||
},
|
||||
{
|
||||
"value": "Automotive",
|
||||
"expanded": "Automotive"
|
||||
},
|
||||
{
|
||||
"value": "Business and Professional Services",
|
||||
"expanded": "Business and Professional Services"
|
||||
},
|
||||
{
|
||||
"value": "Capital Projects & Infrastructure",
|
||||
"expanded": "Capital Projects & Infrastructure"
|
||||
},
|
||||
{
|
||||
"value": "Charity/Not-for-Profit",
|
||||
"expanded": "Charity/Not-for-Profit"
|
||||
},
|
||||
{
|
||||
"value": "Chemicals",
|
||||
"expanded": "Chemicals"
|
||||
},
|
||||
{
|
||||
"value": "Commercial Aviation",
|
||||
"expanded": "Commercial Aviation"
|
||||
},
|
||||
{
|
||||
"value": "Commodities",
|
||||
"expanded": "Commodities"
|
||||
},
|
||||
{
|
||||
"value": "Education",
|
||||
"expanded": "Education"
|
||||
},
|
||||
{
|
||||
"value": "Engineering & Construction",
|
||||
"expanded": "Engineering & Construction"
|
||||
},
|
||||
{
|
||||
"value": "Entertainment & Media",
|
||||
"expanded": "Entertainment & Media"
|
||||
},
|
||||
{
|
||||
"value": "Forest, Paper & Packaging",
|
||||
"expanded": "Forest, Paper & Packaging"
|
||||
},
|
||||
{
|
||||
"value": "Healthcare",
|
||||
"expanded": "Healthcare"
|
||||
},
|
||||
{
|
||||
"value": "Hospitality & Leisure",
|
||||
"expanded": "Hospitality & Leisure"
|
||||
},
|
||||
{
|
||||
"value": "Industrial Manufacturing",
|
||||
"expanded": "Industrial Manufacturing"
|
||||
},
|
||||
{
|
||||
"value": "IT Industry",
|
||||
"expanded": "IT Industry"
|
||||
},
|
||||
{
|
||||
"value": "Legal",
|
||||
"expanded": "Legal"
|
||||
},
|
||||
{
|
||||
"value": "Metals",
|
||||
"expanded": "Metals"
|
||||
},
|
||||
{
|
||||
"value": "Pharmaceuticals & Life Sciences",
|
||||
"expanded": "Pharmaceuticals & Life Sciences"
|
||||
},
|
||||
{
|
||||
"value": "Private Equity",
|
||||
"expanded": "Private Equity"
|
||||
},
|
||||
{
|
||||
"value": "Retail & Consumer",
|
||||
"expanded": "Retail & Consumer"
|
||||
},
|
||||
{
|
||||
"value": "Semiconductors",
|
||||
"expanded": "Semiconductors"
|
||||
},
|
||||
{
|
||||
"value": "Sovereign Investment Funds",
|
||||
"expanded": "Sovereign Investment Funds"
|
||||
},
|
||||
{
|
||||
"value": "Transport & Logistics",
|
||||
"expanded": "Transport & Logistics"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,2 @@
|
|||
## ThreatMatch
|
||||
Incident types, Alert types, Malware types and Sectors should be used for all CIISI and TIBER projects.
|
|
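Review bot: the new README drops the one-line explanation each of the four deleted READMEs carried (what alert, incident, malware and sector tags are used for). Those sentences survive only as the predicates' "expanded" strings in machinetag.json, so repeating them here costs nothing and keeps the README useful on its own.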
@ -0,0 +1,514 @@
|
|||
{
|
||||
"namespace": "ThreatMatch",
|
||||
"expanded": "ThreatMatch categories for sharing into ThreatMatch and MISP",
|
||||
"version": 1,
|
||||
"description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
"refs": [
|
||||
"https://www.secalliance.com/platform/",
|
||||
"https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "sector",
|
||||
"expanded": "Extensive list of sector definition tags"
|
||||
},
|
||||
{
|
||||
"value": "incident-type",
|
||||
"expanded": "Incident tags are used by the ThreatMatch platform to categorise a relevant incident event."
|
||||
},
|
||||
{
|
||||
"value": "malware-type",
|
||||
"expanded": "Malware tags are used by the ThreatMatch platform to categorise malware types."
|
||||
},
|
||||
{
|
||||
"value": "alert-type",
|
||||
"expanded": "Alert tags are used by the ThreatMatch platform to categorise a relevant threat."
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "sector",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Banking & Capital Markets",
|
||||
"expanded": "Banking & capital markets"
|
||||
},
|
||||
{
|
||||
"value": "Financial Services",
|
||||
"expanded": "Financial Services"
|
||||
},
|
||||
{
|
||||
"value": "Insurance",
|
||||
"expanded": "Insurance"
|
||||
},
|
||||
{
|
||||
"value": "Pension",
|
||||
"expanded": "Pension"
|
||||
},
|
||||
{
|
||||
"value": "Government & Public Service",
|
||||
"expanded": "Government & Public Service"
|
||||
},
|
||||
{
|
||||
"value": "Diplomatic Services",
|
||||
"expanded": "Diplomatic Services"
|
||||
},
|
||||
{
|
||||
"value": "Energy, Utilities & Mining",
|
||||
"expanded": "Energy, Utilities & Mining"
|
||||
},
|
||||
{
|
||||
"value": "Telecommunications",
|
||||
"expanded": "Telecommunications"
|
||||
},
|
||||
{
|
||||
"value": "Technology",
|
||||
"expanded": "Technology"
|
||||
},
|
||||
{
|
||||
"value": "Academic/Research Institutes",
|
||||
"expanded": "Academic/Research Institutes"
|
||||
},
|
||||
{
|
||||
"value": "Aerospace, Defence & Security",
|
||||
"expanded": "Aerospace, Defence & Security"
|
||||
},
|
||||
{
|
||||
"value": "Agriculture",
|
||||
"expanded": "Agriculture"
|
||||
},
|
||||
{
|
||||
"value": "Asset & Wealth Management",
|
||||
"expanded": "Asset & Wealth Management"
|
||||
},
|
||||
{
|
||||
"value": "Automotive",
|
||||
"expanded": "Automotive"
|
||||
},
|
||||
{
|
||||
"value": "Business and Professional Services",
|
||||
"expanded": "Business and Professional Services"
|
||||
},
|
||||
{
|
||||
"value": "Capital Projects & Infrastructure",
|
||||
"expanded": "Capital Projects & Infrastructure"
|
||||
},
|
||||
{
|
||||
"value": "Charity/Not-for-Profit",
|
||||
"expanded": "Charity/Not-for-Profit"
|
||||
},
|
||||
{
|
||||
"value": "Chemicals",
|
||||
"expanded": "Chemicals"
|
||||
},
|
||||
{
|
||||
"value": "Commercial Aviation",
|
||||
"expanded": "Commercial Aviation"
|
||||
},
|
||||
{
|
||||
"value": "Commodities",
|
||||
"expanded": "Commodities"
|
||||
},
|
||||
{
|
||||
"value": "Education",
|
||||
"expanded": "Education"
|
||||
},
|
||||
{
|
||||
"value": "Engineering & Construction",
|
||||
"expanded": "Engineering & Construction"
|
||||
},
|
||||
{
|
||||
"value": "Entertainment & Media",
|
||||
"expanded": "Entertainment & Media"
|
||||
},
|
||||
{
|
||||
"value": "Forest, Paper & Packaging",
|
||||
"expanded": "Forest, Paper & Packaging"
|
||||
},
|
||||
{
|
||||
"value": "Healthcare",
|
||||
"expanded": "Healthcare"
|
||||
},
|
||||
{
|
||||
"value": "Hospitality & Leisure",
|
||||
"expanded": "Hospitality & Leisure"
|
||||
},
|
||||
{
|
||||
"value": "Industrial Manufacturing",
|
||||
"expanded": "Industrial Manufacturing"
|
||||
},
|
||||
{
|
||||
"value": "IT Industry",
|
||||
"expanded": "IT Industry"
|
||||
},
|
||||
{
|
||||
"value": "Legal",
|
||||
"expanded": "Legal"
|
||||
},
|
||||
{
|
||||
"value": "Metals",
|
||||
"expanded": "Metals"
|
||||
},
|
||||
{
|
||||
"value": "Pharmaceuticals & Life Sciences",
|
||||
"expanded": "Pharmaceuticals & Life Sciences"
|
||||
},
|
||||
{
|
||||
"value": "Private Equity",
|
||||
"expanded": "Private Equity"
|
||||
},
|
||||
{
|
||||
"value": "Retail & Consumer",
|
||||
"expanded": "Retail & Consumer"
|
||||
},
|
||||
{
|
||||
"value": "Semiconductors",
|
||||
"expanded": "Semiconductors"
|
||||
},
|
||||
{
|
||||
"value": "Sovereign Investment Funds",
|
||||
"expanded": "Sovereign Investment Funds"
|
||||
},
|
||||
{
|
||||
"value": "Transport & Logistics",
|
||||
"expanded": "Transport & Logistics"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "incident_type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "ATM Attacks",
|
||||
"expanded": "ATM Attacks"
|
||||
},
|
||||
{
|
||||
"value": "ATM Breach",
|
||||
"expanded": "ATM Breach"
|
||||
},
|
||||
{
|
||||
"value": "Attempted Exploitation",
|
||||
"expanded": "Attempted Exploitation"
|
||||
},
|
||||
{
|
||||
"value": "Botnet Activity",
|
||||
"expanded": "Botnet Activity"
|
||||
},
|
||||
{
|
||||
"value": "Business Email Compromise",
|
||||
"expanded": "Business Email Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Crypto Mining",
|
||||
"expanded": "Crypto Mining"
|
||||
},
|
||||
{
|
||||
"value": "Data Breach/Compromise",
|
||||
"expanded": "Data Breach/Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Data Dump",
|
||||
"expanded": "Data Dump"
|
||||
},
|
||||
{
|
||||
"value": "Data Leakage",
|
||||
"expanded": "Data Leakage"
|
||||
},
|
||||
{
|
||||
"value": "DDoS",
|
||||
"expanded": "DDoS"
|
||||
},
|
||||
{
|
||||
"value": "Defacement Activity",
|
||||
"expanded": "Defacement Activity"
|
||||
},
|
||||
{
|
||||
"value": "Denial of Service (DoS)",
|
||||
"expanded": "Denial of Service (DoS)"
|
||||
},
|
||||
{
|
||||
"value": "Disruption Activity",
|
||||
"expanded": "Disruption Activity"
|
||||
},
|
||||
{
|
||||
"value": "Espionage",
|
||||
"expanded": "Espionage"
|
||||
},
|
||||
{
|
||||
"value": "Espionage Activity",
|
||||
"expanded": "Espionage Activity"
|
||||
},
|
||||
{
|
||||
"value": "Exec Targeting ",
|
||||
"expanded": "Exec Targeting "
|
||||
},
|
||||
{
|
||||
"value": "Exposure of Data",
|
||||
"expanded": "Exposure of Data"
|
||||
},
|
||||
{
|
||||
"value": "Extortion Activity",
|
||||
"expanded": "Extortion Activity"
|
||||
},
|
||||
{
|
||||
"value": "Fraud Activity",
|
||||
"expanded": "Fraud Activity"
|
||||
},
|
||||
{
|
||||
"value": "General Notification",
|
||||
"expanded": "General Notification"
|
||||
},
|
||||
{
|
||||
"value": "Hacktivism Activity",
|
||||
"expanded": "Hacktivism Activity"
|
||||
},
|
||||
{
|
||||
"value": "Malicious Insider",
|
||||
"expanded": "Malicious Insider"
|
||||
},
|
||||
{
|
||||
"value": "Malware Infection",
|
||||
"expanded": "Malware Infection"
|
||||
},
|
||||
{
|
||||
"value": "Man in the Middle Attacks",
|
||||
"expanded": "Man in the Middle Attacks"
|
||||
},
|
||||
{
|
||||
"value": "MFA Attack",
|
||||
"expanded": "MFA Attack"
|
||||
},
|
||||
{
|
||||
"value": "Mobile Malware",
|
||||
"expanded": "Mobile Malware"
|
||||
},
|
||||
{
|
||||
"value": "Phishing Activity",
|
||||
"expanded": "Phishing Activity"
|
||||
},
|
||||
{
|
||||
"value": "Ransomware Activity",
|
||||
"expanded": "Ransomware Activity"
|
||||
},
|
||||
{
|
||||
"value": "Social Engineering Activity",
|
||||
"expanded": "Social Engineering Activity"
|
||||
},
|
||||
{
|
||||
"value": "Social Media Compromise",
|
||||
"expanded": "Social Media Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Spear-phishing Activity",
|
||||
"expanded": "Spear-phishing Activity"
|
||||
},
|
||||
{
|
||||
"value": "Spyware",
|
||||
"expanded": "Spyware"
|
||||
},
|
||||
{
|
||||
"value": "SQL Injection Activity",
|
||||
"expanded": "SQL Injection Activity"
|
||||
},
|
||||
{
|
||||
"value": "Supply Chain Compromise",
|
||||
"expanded": "Supply Chain Compromise"
|
||||
},
|
||||
{
|
||||
"value": "Trojanised Software",
|
||||
"expanded": "Trojanised Software"
|
||||
},
|
||||
{
|
||||
"value": "Vishing",
|
||||
"expanded": "Vishing"
|
||||
},
|
||||
{
|
||||
"value": "Website Attack (Other)",
|
||||
"expanded": "Website Attack (Other)"
|
||||
},
|
||||
{
|
||||
"value": "Unknown",
|
||||
"expanded": "Unknown"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "malware_type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Adware",
|
||||
"expanded": "Adware"
|
||||
},
|
||||
{
|
||||
"value": "Backdoor",
|
||||
"expanded": "Backdoor"
|
||||
},
|
||||
{
|
||||
"value": "Banking Trojan",
|
||||
"expanded": "Banking Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Botnet",
|
||||
"expanded": "Botnet"
|
||||
},
|
||||
{
|
||||
"value": "Destructive",
|
||||
"expanded": "Destructive"
|
||||
},
|
||||
{
|
||||
"value": "Downloader",
|
||||
"expanded": "Downloader"
|
||||
},
|
||||
{
|
||||
"value": "Exploit Kit",
|
||||
"expanded": "Exploit Kit"
|
||||
},
|
||||
{
|
||||
"value": "Fileless Malware",
|
||||
"expanded": "Fileless Malware"
|
||||
},
|
||||
{
|
||||
"value": "Keylogger",
|
||||
"expanded": "Keylogger"
|
||||
},
|
||||
{
|
||||
"value": "Legitimate Tool",
|
||||
"expanded": "Legitimate Tool"
|
||||
},
|
||||
{
|
||||
"value": "Mobile Application",
|
||||
"expanded": "Mobile Application"
|
||||
},
|
||||
{
|
||||
"value": "Mobile Malware",
|
||||
"expanded": "Mobile Malware"
|
||||
},
|
||||
{
|
||||
"value": "Point-of-Sale (PoS)",
|
||||
"expanded": "Point-of-Sale (PoS)"
|
||||
},
|
||||
{
|
||||
"value": "Remote Access Trojan",
|
||||
"expanded": "Remote Access Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Rootkit",
|
||||
"expanded": "Rootkit"
|
||||
},
|
||||
{
|
||||
"value": "Skimmer",
|
||||
"expanded": "Skimmer"
|
||||
},
|
||||
{
|
||||
"value": "Spyware",
|
||||
"expanded": "Spyware"
|
||||
},
|
||||
{
|
||||
"value": "Surveillance Tool",
|
||||
"expanded": "Surveillance Tool"
|
||||
},
|
||||
{
|
||||
"value": "Trojan",
|
||||
"expanded": "Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Virus",
|
||||
"expanded": "Virus "
|
||||
},
|
||||
{
|
||||
"value": "Worm",
|
||||
"expanded": "Worm"
|
||||
},
|
||||
{
|
||||
"value": "Zero-day",
|
||||
"expanded": "Zero-day"
|
||||
},
|
||||
{
|
||||
"value": "Unknown",
|
||||
"expanded": "Unknown"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "alert_type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Actor Campaigns",
|
||||
"expanded": "Actor Campaigns"
|
||||
},
|
||||
{
|
||||
"value": "Credential Breaches",
|
||||
"expanded": "Credential Breaches"
|
||||
},
|
||||
{
|
||||
"value": "DDoS",
|
||||
"expanded": "DDoS"
|
||||
},
|
||||
{
|
||||
"value": "Exploit Alert",
|
||||
"expanded": "Exploit Alert"
|
||||
},
|
||||
{
|
||||
"value": "General Notification",
|
||||
"expanded": "General Notification"
|
||||
},
|
||||
{
|
||||
"value": "High Impact Vulnerabilities",
|
||||
"expanded": "High Impact Vulnerabilities"
|
||||
},
|
||||
{
|
||||
"value": "Information Leakages",
|
||||
"expanded": "Information Leakages"
|
||||
},
|
||||
{
|
||||
"value": "Malware Analysis",
|
||||
"expanded": "Malware Analysis"
|
||||
},
|
||||
{
|
||||
"value": "Nefarious Domains",
|
||||
"expanded": "Nefarious Domains"
|
||||
},
|
||||
{
|
||||
"value": "Nefarious Forum Mention",
|
||||
"expanded": "Nefarious Forum Mention"
|
||||
},
|
||||
{
|
||||
"value": "Pastebin Dumps",
|
||||
"expanded": "Pastebin Dumps"
|
||||
},
|
||||
{
|
||||
"value": "Phishing Attempts",
|
||||
"expanded": "Phishing Attempts"
|
||||
},
|
||||
{
|
||||
"value": "PII Exposure",
|
||||
"expanded": "PII Exposure"
|
||||
},
|
||||
{
|
||||
"value": "Sensitive Information Disclosures",
|
||||
"expanded": "Sensitive Information Disclosures"
|
||||
},
|
||||
{
|
||||
"value": "Social Media Alerts",
|
||||
"expanded": "Social Media Alerts"
|
||||
},
|
||||
{
|
||||
"value": "Supply Chain Event",
|
||||
"expanded": "Supply Chain Event"
|
||||
},
|
||||
{
|
||||
"value": "Technical Exposure",
|
||||
"expanded": "Technical Exposure"
|
||||
},
|
||||
{
|
||||
"value": "Threat Actor Updates",
|
||||
"expanded": "Threat Actor Updates"
|
||||
},
|
||||
{
|
||||
"value": "Trigger Events",
|
||||
"expanded": "Trigger Events"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
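Review bot: three of the four value groups reference predicates that are never declared: "predicates" declares "incident-type", "malware-type" and "alert-type" (hyphens), while the "values" blocks use "predicate": "incident_type", "predicate": "malware_type" and "predicate": "alert_type" (underscores, carried over verbatim from the deleted files), so only the sector entries attach to a declared predicate; rename the three "predicate" keys to the hyphenated names (or the declarations to the underscored ones) so the names agree. Two labels also inherit trailing whitespace from the old files, "Exec Targeting " (in both "value" and "expanded") and "Virus " (in "expanded"), which would yield a tag value ending in a space; trim them. Finally, the namespace "ThreatMatch" breaks the repository's lowercase namespace convention, and the "value" strings are free-text labels with spaces and ampersands ("Banking & Capital Markets") rather than the machine-friendly form the other taxonomies use, with the human label kept in "expanded".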