Deborah Servili 2019-04-05 11:14:40 +02:00
commit 5385a7fa75
13 changed files with 1946 additions and 15 deletions


@ -75,6 +75,11 @@
"name": "cssa",
"description": "The CSSA agreed sharing taxonomy."
},
{
"version": 1,
"name": "dcso-sharing",
"description": "DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide"
},
{
"version": 2,
"name": "ddos",
@ -110,6 +115,11 @@
"name": "domain-abuse",
"description": "Taxonomy to tag domain names used for cybercrime."
},
{
"version": 1,
"name": "drugs",
"description": "A taxonomy based on the superclass and class of drugs, based on https://www.drugbank.ca/releases/latest"
},
{
"version": 1,
"name": "ecsirt",
@ -301,7 +311,7 @@
"description": "Sectors and sub sectors as identified by the NIS Directive."
},
{
"version": 1,
"version": 2,
"name": "economical-impact",
"description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information."
},
@ -406,14 +416,39 @@
"description": "The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems."
},
{
"version": 2,
"version": 5,
"name": "exercise",
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise"
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise."
},
{
"version": 1,
"name": "data-classification",
"description": "Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book."
},
{
"version": 1,
"name": "type",
"description": "Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence."
},
{
"version": 1,
"name": "information-security-data-source",
"description": "Taxonomy to classify the information security data sources"
},
{
"version": 1,
"name": "cryptocurrency-threat",
"description": "Threats targetting cryptocurrency, based on CipherTrace report."
},
{
"version": 1,
"name": "flesch-reading-ease",
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid)."
}
],
"path": "machinetag.json",
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
"description": "Manifest file of MISP taxonomies available.",
"license": "CC-0",
"version": "20181127"
"version": "20190315"
}
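Review bot: passivetotal/machinetag.json is bumped to version 2 in this commit, but none of the four hunks in this manifest section touches the passivetotal entry, so its manifest version presumably stays at 1 unless it is changed outside the shown hunks; the two should agree, as they now do for exercise (5) and economical-impact (2). The new `type` entry's description is ungrammatical ("which can be described the origin of intelligence") and the same sentence is used in type/machinetag.json; one corrected wording such as `"description": "Taxonomy to describe the intelligence-gathering disciplines that characterise the origin of intelligence."` should go into both files. The `cryptocurrency-threat` entry reads "targetting" for targeting, and the `information-security-data-source` description here lacks the trailing period that information-security-data-source/machinetag.json carries, so the two strings will not compare equal for any tool that checks the manifest against the taxonomy files.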


@ -27,6 +27,7 @@ The following taxonomies are described:
- [Cyber Kill Chain](./kill-chain) from Lockheed Martin
- [The Cyber Threat Framework](./cyber-threat-framework) was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.
- DE German (DE) [Government classification markings (VS)](./de-vs)
- [DCSO Sharing Taxonomy](./dcso-sharing) - DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide
- [DHS CIIP Sectors](./dhs-ciip-sectors)
- [Diamond Model for Intrusion Analysis](./diamond-model)
- [Detection Maturity Level](./DML)


@ -46,5 +46,5 @@
],
"refs": [
"https://ciphertrace.com/wp-content/uploads/2019/01/crypto_aml_report_2018q4.pdf"
],
]
}
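Review bot: The trailing comma removed after the `refs` array made the whole taxonomy unparseable by RFC 8259 parsers, which is the kind of error a repository check would catch before merge rather than after publication. Consider validating every `*/machinetag.json` and MANIFEST.json with `python -m json.tool` (or `jq .`) in CI so a stray comma cannot ship again. The enclosing object starts outside the hunk.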


@ -0,0 +1,36 @@
{
"predicates": [
{
"description": "Data which is regulated under a specific regulation or law such as PII, SPD, PCI or PHI.",
"expanded": "Regulated data",
"value": "regulated-data"
},
{
"description": "Data which represents a specific commercial value and is confidential to an organisation such as trade secrets, customer accounts.",
"expanded": "Commercially confidential information (CCI)",
"value": "commercially-confidential-information"
},
{
"description": "Data which represents a specific financial value to an organisation such as payroll, investment information.",
"expanded": "Financially sensitive information (FSI)",
"value": "financially-sensitive-information"
},
{
"description": "Data which is sensitive to the valuation of an organisation such as inside information (as defined by a Financial Services Authority).",
"expanded": "Valuation sensitive information (VSI)",
"value": "valuation-sensitive-information"
},
{
"description": "Data which is sensitive such as email or letters.",
"expanded": "Sensitive information",
"value": "sensitive-information"
}
],
"refs": [
"https://www.wiley.com/en-be/Solving+Cyber+Risk:+Protecting+Your+Company+and+Society-p-9781119490920"
],
"version": 1,
"description": "Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.",
"expanded": "Data Classification",
"namespace": "data-classification"
}
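Review bot: The `regulated-data` description lists the acronyms PII, SPD, PCI and PHI without expansion; SPD in particular is not a widely used abbreviation, so a tagger cannot tell what it covers. Suggest spelling them out on first use, e.g. `"description": "Data regulated under a specific regulation or law, such as personally identifiable information (PII), payment card data (PCI) or protected health information (PHI)."`, keeping SPD only if its intended expansion is added. The five classes also overlap (payroll data is both financially sensitive and regulated), so a sentence stating whether several of these tags may be applied to one object, or the `exclusive` marker the MISP taxonomy format provides if single-choice is intended, would remove the ambiguity.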


@ -0,0 +1,42 @@
{
"namespace": "dcso-sharing",
"description": "Taxonomy defined in the DCSO MISP Event Guide. It provides guidance for the creation and consumption of MISP events in a way that minimises the extra effort for the sending party, while enhancing the usefulness for receiving parties.",
"version": 1,
"predicates": [
{
"value": "event-type"
}
],
"values": [
{
"predicate": "event-type",
"entry": [
{
"value": "Observation",
"expanded": "This event describes traits and indicators closely related to a single entity, like an email campaign or sighting of a reference sample on VirusTotal. Events of this type are typically created by CSOC staff and may be verified by analysts. Observed and verified indicators would be consumed by automated filtering systems in order to support near-time threat prevention. In retrospect, observations could be correlated with reports and analysis events in order to help understand the motivation for an attack and to reassess the associated risk.",
"colour": "#00233e"
},
{
"value": "Incident",
"expanded": "This event describes traits and indicators related to a security incident. As such, the event may refer to multiple entities like organizations, bank account numbers, files, and URLs. Events of this type contain first-hand information, that is, the reporting organization took part in the analysis of the incident. Use event type \"Report\" for second-hand information. Events of this type are typically created and consumed by analysts.",
"colour": "#005d81"
},
{
"value": "Report",
"expanded": "Traceability of indicators can be essential to document compliance of processes with legal obligations or company regulations. This event preserves a report to document the origin and context of indicators. Events of this type need to be checked by a human to ensure correct reproduction of indicators and context. Intended consumers are automated processes. Events may also serve as a basis for analysis reports or to justify preventive measures. If your organization is or was directly involved in an incident and you want to provide a first-hand account, then please use event type \"Incident\" instead.",
"colour": "#3f97b8"
},
{
"value": "Analysis",
"expanded": "This event builds on \"observation\", \"incident\", and \"report\" events; adds enrichments; and provides context. Events of this type will be created by analysts with support by automated tools. Analysts are also the main consumers.",
"colour": "#5a8915"
},
{
"value": "Collection",
"expanded": "This event collects unrelated IoCs. For example, an event could combine all network IoCs that were learned of during a day or a week from events of other types.",
"colour": "#94a850"
}
]
}
]
}
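Review bot: The five `expanded` strings in the `event-type` entries are full paragraphs, whereas every other taxonomy in this commit (flesch-reading-ease, information-security-data-source) uses `expanded` for a short human-readable label and `description` for the explanation; `expanded` is presumably what gets rendered as the tag's display text, so these paragraphs will appear wherever the tag label is shown. Suggest moving each paragraph to `"description"` and keeping a short label, e.g. `"value": "Observation", "expanded": "Observation", "description": "This event describes traits and indicators …"`. The values are also capitalised (`Observation`, `Incident`) while the rest of the repository uses lowercase hyphenated values such as `regulated-data`; machinetags are case-sensitive identifiers, so the convention should be settled now, because renaming later orphans tags already applied, as the passivetotal rename in this same commit illustrates.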

1384
drugs/machinetag.json Normal file



@ -1,8 +1,8 @@
{
"namespace": "economical-impact",
"expanded": " Economical Impact",
"description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information.",
"version": 1,
"description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information (e.g. data exfiltration loss, a positive gain for an adversary).",
"version": 2,
"refs": [
"https://www.misp-project.org/"
],
@ -28,7 +28,23 @@
},
{
"value": "less-than-1M-euro",
"expanded": "Less than EUR 1 000 000"
"expanded": "Less than 1 million EUR"
},
{
"value": "less-than-10M-euro",
"expanded": "Less than 10 million EUR"
},
{
"value": "less-than-100M-euro",
"expanded": "Less than 100 million EUR"
},
{
"value": "less-than-1B-euro",
"expanded": "Less than 1 billion EUR"
},
{
"value": "more-than-1B-euro",
"expanded": "More than 1 billion EUR"
}
]
},
@ -53,7 +69,23 @@
},
{
"value": "less-than-1M-euro",
"expanded": "Less than EUR 1 000 000"
"expanded": "Less than 1 million EUR"
},
{
"value": "less-than-10M-euro",
"expanded": "Less than 10 million EUR"
},
{
"value": "less-than-100M-euro",
"expanded": "Less than 100 million EUR"
},
{
"value": "less-than-1B-euro",
"expanded": "Less than 1 billion EUR"
},
{
"value": "more-than-1B-euro",
"expanded": "More than 1 billion EUR"
}
]
}
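Review bot: The new bands overlap as written: a loss of 500 000 EUR is "Less than 1 million EUR", "Less than 10 million EUR", "Less than 100 million EUR" and "Less than 1 billion EUR" at once, and nothing in the file tells a tagger to pick the smallest matching band. Suggest either making the labels disjoint, e.g. `"expanded": "Between 1 million and 10 million EUR"` for `less-than-10M-euro`, or stating in the predicate description that the lowest applicable band is meant, and marking the predicate with the MISP taxonomy format's `exclusive` flag if one band per object is the intent. The same five entries are duplicated verbatim in the second hunk (`@ -53,7 +69,23 @@`), so any fix must be applied to both predicates; a `numerical_value` per band, as flesch-reading-ease/machinetag.json uses, would also let consumers order them. The context line `"expanded": " Economical Impact"` carries a leading space that could be dropped while the file is being edited.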


@ -29,6 +29,11 @@
"description": "NATO-EU Parallel and Coordinated Exercise. PACE focuses on four key areas, namely situational awareness, effectiveness of our instruments to counter cyber threats at EU level, speed of reaction and appropriate reactivity of our crisis response mechanisms, as well as our capacity to communicate fast and in a coordinated way.",
"expanded": "PACE",
"value": "pace"
},
{
"description": "Cyber SOPEx (formerly known as EuroSOPEx) is the first step in a series of ENISA exercises focusing on training the participants on situational awareness, information sharing, understanding roles and responsibilities and utilising related tools, as agreed by the CSIRTs Network",
"expanded": "Cyber SOPEx",
"value": "cyber-sopex"
}
],
"values": [
@ -69,6 +74,11 @@
"value": "2018",
"expanded": "2018",
"description": "Locked Shields 2018"
},
{
"value": "2019",
"expanded": "2019",
"description": "Locked Shields 2019"
}
]
},
@ -110,9 +120,22 @@
"expanded": "2018"
}
]
},
{
"predicate": "cyber-sopex",
"entry": [
{
"value": "2019",
"expanded": "2019"
},
{
"value": "2018",
"expanded": "2018"
}
]
}
],
"version": 3,
"version": 5,
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
"expanded": "Exercise",
"namespace": "exercise"
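Review bot: The new `cyber-sopex` entries are listed 2019 before 2018, while the `locked-shields` entries in the earlier hunk of this file run ascending (2018, then the added 2019); keep one order across predicates, with `"value": "2018"` first. The added Cyber SOPEx predicate description is the only one in the file without a closing period. The version jumps from 3 to 5, presumably to catch up with the value MANIFEST.json already carried; a word in the commit message would stop the gap being read as a lost revision.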


@ -0,0 +1,60 @@
{
"namespace": "flesch-reading-ease",
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
"version": 1,
"predicates": [
{
"value": "score",
"expanded": "Score"
}
],
"values": [
{
"predicate": "score",
"entry": [
{
"value": "90-100",
"expanded": "Very Easy",
"description": "Very easy to read. Easily understood by an average 11-year-old student.",
"numerical_value": 100
},
{
"value": "80-89",
"expanded": "Easy",
"description": "Easy to read. Conversational English for consumers.",
"numerical_value": 89
},
{
"value": "70-79",
"expanded": "Fairly Easy",
"description": "Fairly easy to read.",
"numerical_value": 79
},
{
"value": "60-69",
"expanded": "Standard",
"description": "Plain English. Easily understood by 13- to 15-year-old students.",
"numerical_value": 69
},
{
"value": "50-59",
"expanded": "Fairly Difficult",
"description": "Fairly difficult to read.",
"numerical_value": 59
},
{
"value": "30-49",
"expanded": "Difficult",
"description": "Difficult to read.",
"numerical_value": 49
},
{
"value": "0-29",
"expanded": "Very Confusing",
"description": "Very difficult to read. Best understood by university graduates.",
"numerical_value": 29
}
]
}
]
}
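Review bot: The namespace description states that scores can reach 121.22 and be negative, yet the `score` bands only cover 0 to 100, so a text scoring 105 or -12 has no matching value. Suggest widening the edge bands without renaming the identifiers, e.g. `"expanded": "Very Easy (90 and above)"` for `90-100` and `"expanded": "Very Confusing (29 and below)"` for `0-29`, and stating where a non-integer score such as 89.5 falls, since the bands leave a gap between 89 and 90. The description also reads "flesh score" and "negative score are valid"; suggest `"… the Flesch score can have a maximum of 121.22 and there is no lower limit (negative scores are valid)."`, mirrored in MANIFEST.json, which repeats the sentence verbatim.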


@ -0,0 +1,258 @@
{
"namespace": "information-security-data-source",
"description": "Taxonomy to classify the information security data sources.",
"refs": [
"https://www.sciencedirect.com/science/article/pii/S0167404818304978"
],
"version": 1,
"predicates": [
{
"value": "type-of-information",
"expanded": "Type of information",
"description": "Type of provided information"
},
{
"value": "originality",
"expanded": "Originality",
"description": "Originality and novelty of the provided information"
},
{
"value": "timeliness-sharing-behavior",
"expanded": "Timeliness sharing behavior",
"description": "Timeliness of the provided information"
},
{
"value": "integrability-format",
"expanded": "Integrability format",
"description": "Level of integrability format for the provided information"
},
{
"value": "integrability-interface",
"expanded": "Integrability interface",
"description": "Level of integrability interface for the provided information"
},
{
"value": "trustworthiness-creditabilily",
"expanded": "Trustworthiness creditability",
"description": "Source of the creditability"
},
{
"value": "trustworthiness-traceability",
"expanded": "Trustworthiness traceability",
"description": "Traceability of the provided information"
},
{
"value": "trustworthiness-feedback-mechanism",
"expanded": "Trustworthiness feedback mechanism",
"description": "Feedback such as user ratings or comments regarding the usefulness of the provided information"
},
{
"value": "type-of-source",
"expanded": "Type of source",
"description": "Types of information security data source"
}
],
"values": [
{
"predicate": "type-of-information",
"entry": [
{
"value": "vulnerability",
"expanded": "Vulnerability",
"description": "Information regarding a weakness of an asset which might be exploited by a threat"
},
{
"value": "threat",
"expanded": "Threat",
"description": "Information regarding the potential cause on an unwanted incident"
},
{
"value": "countermeasure",
"expanded": "Countermeasure",
"description": "Information regarding any administrative, managerial, technical or legal control that is used to counteract an information security risk"
},
{
"value": "attack",
"expanded": "Attack",
"description": "Information regarding any unauthorized attempt to access, alter or destroy an asset"
},
{
"value": "risk",
"expanded": "Risk",
"description": "Information describing the consequences of a potential event, such as an attack"
},
{
"value": "asset",
"expanded": "Asset",
"description": "Information regarding any object or characteristic that has value to an organization"
}
]
},
{
"predicate": "originality",
"entry": [
{
"value": "original-source",
"expanded": "Original source",
"description": "Information originates from the data sources which publish their own information"
},
{
"value": "secondary-source",
"expanded": "Secondary source",
"description": "Information is integrated or copied from another information security data source"
}
]
},
{
"predicate": "timeliness-sharing-behavior",
"entry": [
{
"value": "routine-sharing",
"expanded": "Routine sharing",
"description": "Information is published at a specific point in time on a regular basis, such as daily, weakly or monthly reports"
},
{
"value": "incident-specific",
"expanded": "Incident specific",
"description": "Information is published whenever news are available or a new incident occurs"
}
]
},
{
"predicate": "integrability-format",
"entry": [
{
"value": "structured",
"expanded": "Structured",
"description": "The provided security information is available in an standardized and structured data format such as MISP core format"
},
{
"value": "unstructured",
"expanded": "Unstructured",
"description": "The provided security information is available in unstructured form without following a common data representation format"
}
]
},
{
"predicate": "integrability-interface",
"entry": [
{
"value": "no-interface",
"expanded": "No interface",
"description": "The information security data source doesnt provide any interface to access the information"
},
{
"value": "api",
"expanded": "API",
"description": "The information security data source provides an application programming interface (APIs) to obtain the provided information"
},
{
"value": "rss-feeds",
"expanded": "RSS Feeds",
"description": "The information security data source provides an RSS Feed to keep track of the provided information"
},
{
"value": "export",
"expanded": "Export",
"description": "The information security data source provides an interface to export contents as XML, JSON or plain text"
}
]
},
{
"predicate": "trustworthiness-creditabilily",
"entry": [
{
"value": "vendor",
"expanded": "Vendor",
"description": "The publisher of the information is a vendor"
},
{
"value": "government",
"expanded": "Government",
"description": "The publisher of the information is a government"
},
{
"value": "security-expert",
"expanded": "Security expert",
"description": "The publisher of the information is a security expert"
},
{
"value": "normal-user",
"expanded": "Normal user",
"description": "The publisher of the information is a normal user"
}
]
},
{
"predicate": "trustworthiness-traceability",
"entry": [
{
"value": "yes",
"expanded": "Yes",
"description": "The provided information is classified as traceable if it can be traced back, based on meta-data, to a specific publisher and a publishing date"
},
{
"value": "no",
"expanded": "No",
"description": "The provided information cannot be traced back (meta-data are not provided)"
}
]
},
{
"predicate": "trustworthiness-feedback-mechanism",
"entry": [
{
"value": "yes",
"expanded": "Yes",
"description": "The provided information is validated by including user rating, comments or additional analysis"
},
{
"value": "no",
"expanded": "No",
"description": "The provided information is not validated (a user rating, comments is not available)"
}
]
},
{
"predicate": "type-of-source",
"entry": [
{
"value": "news-website",
"expanded": "News website"
},
{
"value": "expert-blog",
"expanded": "Expert blog"
},
{
"value": "security-product-vendor-website",
"expanded": "(Security product) vendor website"
},
{
"value": "vulnerability-database",
"expanded": "Vulnerability database"
},
{
"value": "mailing-list-archive",
"expanded": "Mailing list archive"
},
{
"value": "social-network",
"expanded": "Social network"
},
{
"value": "streaming-portal",
"expanded": "Streaming portal"
},
{
"value": "forum",
"expanded": "Forum"
},
{
"value": "other",
"expanded": "Other"
}
]
}
]
}
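Review bot: The predicate value `trustworthiness-creditabilily` (defined in `predicates` and referenced in `values`) contains a typo that does not even match its own label "Trustworthiness creditability", and a machinetag value becomes a permanent identifier once instances start applying it; renaming later orphans existing tags, which is exactly what the passivetotal `ever-comprimised` rename in this same commit has to cope with. Fix it before release in both places, `"value": "trustworthiness-creditability"`, or "credibility" if that is the term the cited paper uses; verify against the reference. Smaller text issues in the new descriptions: "weakly" for weekly in `routine-sharing`, "an standardized" in `structured`, "doesnt" in `no-interface`, and "(APIs)" after the singular "an application programming interface" in `api`.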


@ -2,15 +2,15 @@
"namespace": "passivetotal",
"expanded": "PassiveTotal",
"description": "Tags from RiskIQ's PassiveTotal service",
"version": 1,
"version": 2,
"predicates": [
{
"value": "sinkholed",
"expanded": "Sinkhole Status"
},
{
"value": "ever-comprimised",
"expanded": "Ever Comprimised?"
"value": "ever-compromised",
"expanded": "Ever Compromised?"
},
{
"value": "dynamic-dns",
@ -36,7 +36,7 @@
]
},
{
"predicate": "ever-comprimised",
"predicate": "ever-compromised",
"entry": [
{
"value": "yes",
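Review bot: Renaming the predicate value `ever-comprimised` to `ever-compromised` changes the tag identifier, so any MISP instance that already carries `passivetotal:ever-comprimised="yes"` tags will keep them as orphans after the taxonomy update; the version bump alone does not migrate them. Unless the taxonomy format offers a deprecation marker, consider keeping the old predicate alongside the corrected one for a release, or at least calling the rename out in the commit message and README so operators know to re-tag. The `values` array in the second hunk continues outside the shown lines.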

9
tools/website-genlist.py Normal file

@ -0,0 +1,9 @@
import json
import os
import re
filename = os.path.join("../", "MANIFEST.json")
with open(filename) as fp:
t = json.load(fp)
for taxo in sorted(t['taxonomies'], key=lambda k: k['name']):
print ("[{}](https://github.com/MISP/misp-taxonomies/tree/master/{}):\n: {}[HTML](https://www.misp-project.org/taxonomies.html#_{})\n".format(taxo['name'], taxo['name'], taxo['description'], re.sub(r'-', '_',taxo['name'])))
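Review bot: `filename = os.path.join("../", "MANIFEST.json")` resolves against the current working directory, so the script only works when launched from inside `tools/`; anchor it to the script's own location instead: `filename = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..", "MANIFEST.json")`. The manifest descriptions may contain non-ASCII text, so open the file with an explicit encoding, `with open(filename, encoding="utf-8") as fp:`, rather than relying on the locale default. `re.sub(r'-', '_', taxo['name'])` is a plain `taxo['name'].replace('-', '_')`, which also makes the `re` import unnecessary, and `print (` should be `print(`. A one-line module docstring stating that the script prints the Markdown taxonomy list for the project website would tell readers what the output is for.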


@ -2,10 +2,61 @@
"predicates": [
{
"expanded": "Open Source Intelligence",
"description": "gathered from open sources",
"value": "OSINT"
},
{
"expanded": "Signal Intelligence",
"description": "gathered from interception of signals",
"value": "SIGINT"
},
{
"expanded": "Technical Intelligence",
"description": "gathered from analysis of weapons and equipment used by the armed forces of foreign nations, or environmental conditions",
"value": "TECHINT"
},
{
"expanded": "Cyberspace Intelligence",
"description": "gathered from active or passive exploitation (CNE) in the cyberspace",
"value": "CYBINT"
},
{
"expanded": "Digital Network Intelligence",
"description": "gathered from active or passive expoilation (CNE) in the digital network.",
"value": "DNINT"
},
{
"expanded": "Human Intelligence",
"description": "gathered from a person in the location in question",
"value": "HUMINT"
},
{
"expanded": "Medical Intelligence",
"description": "gathered from analysis of medical records and/or actual physiological examinations to determine health and/or particular ailments/allergetic conditions for consideration",
"value": "MEDINT"
},
{
"expanded": "Geospatial Intelligence",
"description": "gathered from satellite, aerial photography, mapping/terrain data",
"value": "GEOINT"
},
{
"expanded": "Imagery Intelligence",
"description": "gathered from satellite and aerial photography",
"value": "IMINT"
},
{
"expanded": "Measurement and signature intelligence",
"description": "gathered from electro-optical, nuclear survey, geophysical measurements, radar, materials analysis",
"value": "MASINT"
},
{
"expanded": "Financial Intelligence",
"description": "gathered from analysis of monetary or financial transactions",
"value": "FININT"
}
],
"version": 1,
"description": "Taxonomy to describe different types of data",
"description": "Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence.",
"namespace": "type"
}
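Review bot: Two typos in the new predicate descriptions: `DNINT` has "expoilation" for exploitation and `MEDINT` has "allergetic" for allergic. The `CYBINT` and `DNINT` descriptions are near-duplicates ("active or passive exploitation (CNE) in the cyberspace" versus "… in the digital network"), so a sentence distinguishing the two disciplines would help taggers choose between them. The `MASINT` label is the only one not in title case (`"Measurement and signature intelligence"` alongside `"Signal Intelligence"`, `"Human Intelligence"`); suggest `"expanded": "Measurement and Signature Intelligence"` for consistency.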