Merge branch 'master' of github.com:mausding/misp-taxonomies

2016-09-22 14:47:35 +02:00 · 2016-09-22 14:47:35 +02:00 · 620ca15833
parent 1eee0633d8 ab94a8fb42
commit 620ca15833
8 changed files with 134 additions and 29 deletions
--- a/README.md
+++ b/README.md
@ -24,6 +24,7 @@ The following taxonomies are described:
 - [Europol Incident](./europol-incident) - Europol class of incident taxonomy
 - [Europol Events](./europol-events) - Europol type of events taxonomy
 - [FIRST CSIRT Case](./csirt_case_classification) classification
+- [FIRST Information Exchange Policy (IEP)](./iep) framework
 - [Information Security Indicators](./information-security-indicators) -  ETSI GS ISI 001-1 (V1.1.2): ISI Indicators 
 - [Information Security Marking Metadata](./dni-ism) from DNI (Director of National Intelligence - US)
 - [Malware](./malware) classification based on a SANS document
@ -91,6 +92,8 @@ EUROPOL type of events taxonomy

 FIRST CSIRT Case Classification.

+### [FIRST Information Exchange Policy (IEP)](./iep) framework
+
 ### [Information Security Indicators](./information-security-indicators) -  ETSI GS ISI 001-1 (V1.1.2): ISI Indicators 

 Information security indicators have been standardized by the [ETSI Industrial Specification Group (ISG) ISI](http://www.etsi.org/technologies-clusters/technologies/information-security-indicators). These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework).
@ -125,6 +128,12 @@ The Traffic Light Protocol - or short: TLP - was designed with the objective to

 Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/).

+# Reserved Taxonomy
+
+The following taxonomy namespaces are reserved and used internally to MISP.
+
+- [galaxy](./galaxy/) mapping taxonomy with cluster:element:"value".
+
 # How to contribute your taxonomy?

 It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like [Admiralty Scale](./admiralty-scale)), create a directory matching your name space, put your machinetag file in the directory and pull your request. That's it. Everyone can benefit from your taxonomy and can be automatically enabled in information sharing tools like [MISP](https://www.github.com/MISP/MISP).
@ -166,3 +175,7 @@ Once you are happy with your file go to MISP Web GUI taxonomies/index and update
        ...
 ~~~~

+# License
+
+The MISP taxonomies are licensed under [CC0 1.0 Universal (CC0 1.0)](https://creativecommons.org/publicdomain/zero/1.0/) -  Public Domain Dedication. If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested.
+
--- a/iep/machinetag.json
+++ b/iep/machinetag.json
@ -1,7 +1,7 @@
 {
  "namespace": "iep",
  "description": "Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework",
-  "version": 1,
+  "version": 2,
  "predicates": [
    {
      "value": "id",
@ -234,7 +234,7 @@
          "expanded": "Recipients MAY resell the information received."
        },
        {
-          "value": "MUST NO",
+          "value": "MUST NOT",
          "expanded": "Recipients MUST NOT resell the information received unmodified or in a semantically equivalent format."
        }
      ]
--- a/malware_classification/README.md
+++ b/malware_classification/README.md
@ -2,7 +2,7 @@

 ## Malware Categories

-All malware samples should be classified into one of the categories listed in the table below. 
+All malware samples should be classified into one of the categories listed in the table below.

 <dl>
 <dt>Virus</dt>
@ -29,11 +29,14 @@ All malware samples should be classified into one of the categories listed in th
 <dt>Spyware</dt>
 <dd><dd>

+<dt>Botnet</dt>
+<dd><dd>
+
 </dl>

 ## Obfuscation Classification

-All malware samples should be classified into one of the categories listed in the table below. 
+All malware samples should be classified into one of the categories listed in the table below.

 <dl>
 <dt>no-obfuscation</dt>
--- a/malware_classification/machinetag.json
+++ b/malware_classification/machinetag.json
@ -55,6 +55,10 @@
        {
          "value": "Spyware",
          "expanded": "Spyware"
+        },
+        {
+           "value": "Botnet",
+           "expanded": "Botnet"
        }
      ]
    },
--- a/misp/machinetag.json
+++ b/misp/machinetag.json
@ -26,6 +26,69 @@
          "value": "pgpfingerprint"
        }
     ]
+    },
+    {
+     "predicate": "confidence-level",
+     "entry": [
+        {
+          "expanded": "Completely confident",
+          "value": "completely-confident",
+          "numerical_value": 100
+        },
+        {
+          "expanded": "Usually confident",
+          "value": "usually-confident",
+          "numerical_value": 75
+        },
+        {
+          "expanded": "Fairly confident",
+          "value": "fairly-confident",
+          "numerical_value": 50
+        },
+        {
+          "expanded": "Rarely confident",
+          "value": "rarely-confident",
+          "numerical_value": 25
+        },
+        {
+          "expanded": "Unconfident",
+          "value": "unconfident",
+          "numerical_value": 0
+        },
+        {
+          "expanded": "Confidence cannot be evaluated",
+          "value": "confidence-cannot-be-evalued"
+        }
+     ]
+    },
+    {
+     "predicate": "threat-level",
+     "entry": [
+        {
+           "expanded": "No risk",
+           "value": "no-risk",
+           "numerical_value": 0,
+           "description": "Harmless information. (CEUS threat level)"
+        },
+        {
+           "expanded": "Low risk",
+           "value": "low-risk",
+           "numerical_value": 25,
+           "description": "Low risk which can include mass-malware. (CEUS threat level)"
+        },
+        {
+           "expanded": "Medium risk",
+           "value": "medium-risk",
+           "numerical_value": 50,
+           "description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)"
+        },
+        {
+           "expanded": "High risk",
+           "value": "high-risk",
+           "numerical_value": 100,
+           "description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)"
+        }
+     ]
    }
  ],
  "predicates": [
@ -40,10 +103,18 @@
    {
      "expanded": "Information related to the contributor.",
      "value": "contributor"
+    },
+    {
+      "expanded": "Confidence level",
+      "value": "confidence-level"
+    },
+    {
+      "expanded": "Cyberthreat Effect Universal Scale - MISP's internal threat level taxonomy",
+      "value": "threat-level"
    }
  ],
-  "version": 1,
-  "description": "MISP internal taxonomy to infer with MISP behavior or operation.",
+  "version": 2,
+  "description": "MISP taxonomy to infer with MISP behavior or operation.",
  "expanded": "MISP",
  "namespace": "misp"
 }
--- a/osint/machinetag.json
+++ b/osint/machinetag.json
@ -48,36 +48,43 @@
      "predicate": "certainty",
      "entry": [
        {
-          "value": "1",
+          "numerical_value": 100,
+          "value": "100",
          "expanded": "100% Certainty",
          "description": "100% Certainty"
        },
        {
-          "value": "0.93",
+          "numerical_value": 93,
+          "value": "93",
          "expanded": "93% Almost certain",
          "description": "93% Almost certain"
        },
        {
-          "value": "0.75",
+          "numerical_value": 75,
+          "value": "75",
          "expanded": "75% Probable",
          "description": "75% Probable"
        },
        {
-          "value": "0.5",
+          "numerical_value": 50,
+          "value": "50",
          "expanded": "50% Chances about even",
          "description": "50% Chances about even"
        },
        {
-          "value": "0.3",
+          "numerical_value": 30,
+          "value": "30",
          "expanded": "30% Probably not",
          "description": "30% Probably not"
        },
        {
-          "value": "0.07",
+          "numerical_value": 7,
+          "value": "7",
          "expanded": "7% Almost certainly not",
          "description": "7% Almost certainly not"
        },
        {
+          "numerical_value": 0,
          "value": "0",
          "expanded": "0% Impossibility",
          "description": "0% Impossibility"
@ -99,7 +106,7 @@
    },
    {
      "value": "certainty",
-      "expanded": "Certainty of the elements mentioned in this Open Source Intelligence - ref https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html"
+      "expanded": "Certainty of the elements mentioned in this Open Source Intelligence"
    }
  ]
 }
--- a/tlp/machinetag.json
+++ b/tlp/machinetag.json
@ -1,34 +1,41 @@
 {
-  "namespace": "tlp",
-  "expanded": "Traffic Light Protocol",
-  "description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.",
-  "version": 3,
+  "values": null,
  "predicates": [
    {
-      "value": "red",
+      "colour": "#CC0033",
+      "description": "Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.",
      "expanded": "(TLP:RED) Information exclusively and directly given to (a group of) individual recipients. Sharing outside is not legitimate.",
-      "colour": "#ff0000"
+      "value": "red"
    },
    {
-      "value": "amber",
+      "colour:": "#FFC000",
+      "description": "Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.",
      "expanded": "(TLP:AMBER) Information exclusively given to an organization; sharing limited within the organization to be effectively acted upon.",
-      "colour:": "#ffa800"
+      "value": "amber"
    },
    {
-      "value": "green",
+      "colour": "#339900",
+      "description": "Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.",
      "expanded": "(TLP:GREEN) Information given to a community or a group of organizations at large. The information cannot be publicly released.",
-      "colour": "#00ad1c"
+      "value": "green"
    },
    {
-      "value": "white",
+      "colour": "#ffffff",
+      "description": "Disclosure is not limited.  Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.",
      "expanded": "(TLP:WHITE) Information can be shared publicly in accordance with the law.",
-      "colour": "#ffffff"
+      "value": "white"
    },
    {
-      "value": "ex:chr",
+      "colour": "#d208f4",
      "expanded": "(TLP:EX:CHR) Information extended with a specific tag called Chatham House Rule (CHR). When this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed. This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR tag.",
-      "colour": "#d208f4"
+      "value": "ex:chr"
    }
  ],
-  "values": null
+  "refs": [
+    "https://www.first.org/tlp"
+  ],
+  "version": 4,
+  "description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.",
+  "expanded": "Traffic Light Protocol",
+  "namespace": "tlp"
 }
--- a/tools/machinetag.py
+++ b/tools/machinetag.py
@ -30,7 +30,7 @@ import json
 import os.path
 import argparse

-taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'iep', 'kill-chain', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'europol-events', 'europol-incident', 'nato', 'euci', 'osint', 'first_csirt_case_classification', 'malware', 'de-vs', 'fr-classification','eu-critical-sectors','dhs-ciip-sectors','estimative-language', 'ms-caro-malware', 'information-security-indicators', 'open-threat']
+taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'iep', 'kill-chain', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'europol-events', 'europol-incident', 'nato', 'euci', 'osint', 'csirt_case_classification', 'malware_classification', 'de-vs', 'fr-classif','eu-critical-sectors','dhs-ciip-sectors','estimative-language', 'ms-caro-malware', 'information-security-indicators', 'open-threat', 'misp']
 argParser = argparse.ArgumentParser(description='Dump Machine Tags (Triple Tags) from MISP taxonomies', epilog='Available taxonomies are {0}'.format(taxonomies))
 argParser.add_argument('-e', action='store_true', help='Include expanded tags')
 argParser.add_argument('-a', action='store_true', help='Generate asciidoctor document from MISP taxonomies')