diff --git a/MANIFEST.json b/MANIFEST.json
index 86ea506..750caea 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -246,7 +246,12 @@
 {
 "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
 "name": "exercise",
- "version": 7
+ "version": 8
+ },
+ {
+ "description": "Reasons why an event has been extended. ",
+ "name": "extended-event",
+ "version": 1
 },
 {
 "description": "The purpose of this taxonomy is to jointly tabulate both the of these failure modes in a single place. Intentional failures wherein the failure is caused by an active adversary attempting to subvert the system to attain her goals – either to misclassify the result, infer private training data, or to steal the underlying algorithm. Unintentional failures wherein the failure is because an ML system produces a formally correct but completely unsafe outcome.",
@@ -451,7 +456,7 @@
 {
 "description": "Pandemic",
 "name": "pandemic",
- "version": 2
+ "version": 4
 },
 {
 "description": "Tags from RiskIQ's PassiveTotal service",
@@ -548,6 +553,11 @@
 "name": "tor",
 "version": 1
 },
+ {
+ "description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
+ "name": "trust",
+ "version": 1
+ },
 {
 "description": "Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence.",
 "name": "type",
@@ -580,5 +590,5 @@
 }
 ],
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
- "version": "20200401"
+ "version": "20200526"
 }
diff --git a/README.md b/README.md
index 2b3dad3..a4de5a5 100644
--- a/README.md
+++ b/README.md
@@ -183,7 +183,7 @@ The Traffic Light Protocol - or short: TLP - was designed with the objective to
 ### [Trust - Indicators of Trust](./trust)
-Indicators of Trust provide insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.
+The Trust Taxonomy provides a way to use Indicators of Trust within MISP to get insight on data about what can be trusted. Similar to a whitelist but on steroids, leveraging MISP features one would use with Inidicators of Compromise, but to filter out what is known to be good.
 ### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
diff --git a/exercise/machinetag.json b/exercise/machinetag.json
index 68210aa..43b52d5 100644
--- a/exercise/machinetag.json
+++ b/exercise/machinetag.json
@@ -34,6 +34,11 @@
 "description": "Cyber SOPEx (formerly known as EuroSOPEx) is the first step in a series of ENISA exercises focusing on training the participants on situational awareness, information sharing, understanding roles and responsibilities and utilising related tools, as agreed by the CSIRTs Network",
 "expanded": "Cyber SOPEx",
 "value": "cyber-sopex"
+ },
+ {
+ "value": "generic",
+ "expanded": "Generic",
+ "description": "Generic exercise which are not named."
 }
 ],
 "values": [
@@ -166,9 +171,19 @@
 "expanded": "2021"
 }
 ]
+ },
+ {
+ "predicate": "generic",
+ "entry": [
+ {
+ "value": "comcheck",
+ "expanded": "Communication check",
+ "description": "A communication check exercise which can include digital or non-digital communication."
+ }
+ ]
 }
 ],
- "version": 7,
+ "version": 8,
 "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
 "expanded": "Exercise",
 "namespace": "exercise"
diff --git a/extended-event/machinetag.json b/extended-event/machinetag.json
new file mode 100644
index 0000000..45e05c4
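Review bot: The new `generic` predicate in the first exercise hunk orders its keys value/expanded/description, whereas the neighbouring predicates in this file (see `cyber-sopex` directly above it) use description/expanded/value; parsers do not care about key order, but matching the file's existing order keeps future diffs and hand edits tidy. Its description also has a number mismatch — `"description": "Generic exercises which are not named."` reads better. The predicate receives its first value (`comcheck`) only in the second hunk of this file, so the two hunks belong together when judging the change.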
--- /dev/null
+++ b/extended-event/machinetag.json
@@ -0,0 +1,92 @@
+{
+ "namespace": "extended-event",
+ "description": "Reasons why an event has been extended. ",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "competitive-analysis",
+ "expanded": "Competitive analysis"
+ },
+ {
+ "value": "extended-analysis",
+ "expanded": "Extended analysis"
+ },
+ {
+ "value": "human-readable",
+ "expanded": "Human readable",
+ "description": "This extended event makes a human readable output of a machine or technical report."
+ },
+ {
+ "value": "chunked-event",
+ "expanded": "Chunked Event",
+ "description": "This extended event is a part of a large event."
+ },
+ {
+ "value": "update",
+ "expanded": "Update",
+ "description": "Original event is deprecated"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "competitive-analysis",
+ "entry": [
+ {
+ "value": "devil-advocate",
+ "expanded": "Devil's advocate",
+ "description": "Is a competitive analysis of devil's advocate type."
+ },
+ {
+ "value": "absurd-reasoning",
+ "expanded": "Absurd reasoning",
+ "description": "Is a competitive analysis of absurd reasoning type"
+ },
+ {
+ "value": "role-playing",
+ "expanded": "Role playing",
+ "description": "Is a competitive analysis of role playing type"
+ },
+ {
+ "value": "crystal-ball",
+ "expanded": "Crystal ball",
+ "description": "Is a competitive analysis of crystal ball type"
+ }
+ ]
+ },
+ {
+ "predicate": "extended-analysis",
+ "entry": [
+ {
+ "value": "automatic-expansion",
+ "expanded": "Automatic expansion",
+ "description": "This extended event is composed of elements derived from automatic expanxions services"
+ },
+ {
+ "value": "aggressive-pivoting",
+ "expanded": "Aggressive pivoting",
+ "description": "This extended event is composed of elements resulting of a careless pivoting"
+ },
+ {
+ "value": "complementary-analysis",
+ "expanded": "Complementary analysis",
+ "description": "This extended event is composed of elements gathered by a different analyst than the original one"
+ }
+ ]
+ },
+ {
+ "predicate": "chunked-event",
+ "entry": [
+ {
+ "value": "time-based",
+ "expanded": "Time based",
+ "description": "is an element of a serie of extended events, split by matter of time"
+ },
+ {
+ "value": "counter-based",
+ "expanded": "Counter based",
+ "description": "is an element of a serie of extended events, split by number of elements"
+ }
+ ]
+ }
+ ]
+}
diff --git a/pandemic/machinetag.json b/pandemic/machinetag.json
index f2d8678..aa864a9 100644
--- a/pandemic/machinetag.json
+++ b/pandemic/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "pandemic",
 "description": "Pandemic",
- "version": 2,
+ "version": 4,
 "predicates": [
 {
 "value": "covid-19",
@@ -21,6 +21,16 @@
 "value": "cyber",
 "expanded": "Cyber",
 "description": "Information tagged about COVID-19 and related to cybersecurity"
+ },
+ {
+ "value": "disinformation",
+ "expanded": "Disinformation",
+ "description": "Information tagged about COVID-19 and related to disinformation"
+ },
+ {
+ "value": "geostrategy",
+ "expanded": "Geostrategy",
+ "description": "Information tagged about COVID-19 and related to geostrategy or geopolitics"
 }
 ]
 }
diff --git a/phishing/machinetag.json b/phishing/machinetag.json
index 526439f..84e1d50 100644
--- a/phishing/machinetag.json
+++ b/phishing/machinetag.json
@@ -94,6 +94,11 @@
 "value": "bulk-phishing",
 "expanded": "Bulk phishing",
 "description": "Adversary attempts to target a large group of potential targets without specific knowledge of the victims."
+ },
+ {
+ "value": "whaling",
+ "expanded": "Whaling phishing",
+ "description": "Adversary attempts to target executives and high-level employees (like public spokespersons)."
 }
 ]
 },
diff --git a/trust/machinetag.json b/trust/machinetag.json
index b6e1dbf..69313ae 100644
--- a/trust/machinetag.json
+++ b/trust/machinetag.json
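Review bot: The namespace `description` of the new extended-event taxonomy ends with a stray space, `"Reasons why an event has been extended. "`, and the same string is copied verbatim into the new MANIFEST.json entry in this commit; if MANIFEST.json is generated from the machinetag files, fix it here as `"description": "Reasons why an event has been extended.",` and regenerate rather than patching both. Several value descriptions carry spelling slips that will show up in every MISP tag tooltip — `expanxions` → `expansions` under `automatic-expansion`, and `serie` → `series` in both `time-based` and `counter-based`. Style-wise the predicates are uneven: `competitive-analysis` and `extended-analysis` have no `description` while the other three do, and `update`'s `Original event is deprecated` is the only description without a closing period.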
@@ -1,74 +1,51 @@
 {
+ "version": 1,
+ "description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
+ "expanded": "Indicators of Trust",
+ "namespace": "trust",
+ "exclusive": true,
 "predicates": [
 {
- "colour": "#2657ff",
- "description": "This domain is known to be good",
- "expanded": "A domain, the human name given to a host can be trusted",
- "value": "domain"
+ "value": "trust",
+ "expanded": "How much trust the analyst has with this indicator."
 },
 {
- "colour": "#e8c90e",
- "description": "This IP is known to be good",
- "expanded": "This IP address can be trusted",
- "value": "ip"
+ "value": "frequency",
+ "expanded": "Recency/count of occurence at which the indicator occurs in data."
 },
 {
- "colour": "#0E40E8",
- "description": "This SHA256 Hash can be trusted",
- "expanded": "This SHA256 Hash can be trusted",
- "value": "sha256"
- },
- {
- "colour": "#0E40E8",
- "description": "This SHA384 Hash can be trusted",
- "expanded": "This SHA384 Hash can be trusted",
- "value": "sha384"
- },
- {
- "colour": "#0E40E8",
- "description": "This SHA512 Hash can be trusted",
- "expanded": "This SHA512 Hash can be trusted",
- "value": "sha512"
- },
- {
- "colour": "#00BD25",
- "description": "This URI can be trusted",
- "expanded": "This URI can be trusted",
- "value": "uri"
- },
- {
- "colour": "#00BD25",
- "description": "This URL can be trusted",
- "expanded": "This URL can be trusted",
- "value": "url"
- },
- {
- "colour": "#9D9D9D",
- "description": "This email is trusted",
- "expanded": "This email can be trusted",
- "value": "email"
+ "value": "valid",
+ "expanded": "Whether this indicator was pushed as trusted but cannot be trusted (ie. MD5 cannot be valid because it is cryptographically broken)."
 }
 ],
 "values": [
 {
- "predicate": "confidence",
+ "predicate": "trust",
 "entry": [
 {
- "value": "High",
- "expanded": "High confidence"
+ "value": "unknown",
+ "expanded": "Unknown Confidence State"
 },
 {
- "value": "Low",
+ "value": "none",
+ "expanded": "Cannot Trust, no confidence"
+ },
+ {
+ "value": "partial",
 "expanded": "Low confidence"
 },
 {
- "value": "Medium",
- "expanded": "Medium confidence"
+ "value": "relationship",
+ "expanded": "Inherited Full Trust by a third party that we trust"
+ },
+ {
+ "value": "full",
+ "expanded": "We fully trust it"
 }
 ]
 },
 {
- "predicate": "periodicity",
+ "predicate": "frequency",
 "entry": [
 {
 "value": "hourly",
@@ -88,38 +65,25 @@
 },
 {
 "value": "yearly",
- "expanded": "This attribute is likely to happen at a yearly interval"
+ "expanded": "Thie attribute is likely to happen at a yearly interval"
 }
 ]
 },
 {
- "predicate": "change-likelihood",
+ "predicate": "valid",
 "entry": [
 {
- "value": "low",
- "expanded": "Low change probability"
+ "value": "true",
+ "expanded": "This Trust is valid"
 },
 {
- "value": "medium",
- "expanded": "Medium change probability"
- },
- {
- "value": "high",
- "expanded": "High change probability"
- },
- {
- "value": "unknown",
- "expanded": "Unknown change probability"
+ "value": "false",
+ "expanded": "This trust is invalid. Such as a MD5 Hash etc."
 }
 ]
 }
 ],
 "refs": [
 "https://trust.fyi/"
- ],
- "version": 1,
- "description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
- "expanded": "Indicators of Trust",
- "namespace": "trust",
- "exclusive": true
+ ]
 }
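Review bot: `"version": 1,` is carried over unchanged at the top of the first trust hunk although the hunk replaces the predicates `confidence`, `periodicity` and `change-likelihood` with `trust`, `frequency` and `valid` and rewrites their value sets; a MISP instance that already imported the old schema only refreshes a taxonomy when its version increases, so it would keep the old predicates and any existing `trust:confidence=...` tags would lose their definition on instances that do update. If the previous file was never distributed (this commit is also what adds `trust` to MANIFEST.json), keeping 1 is defensible; otherwise use `"version": 2,`. The retained `"exclusive": true` also deserves a second look now that the three predicates describe independent dimensions (how much, how often, whether valid) — if namespace-level exclusivity means one tag per namespace, an object could not carry both `trust:trust="full"` and `trust:valid="true"` at once. Minor: `occurence` → `occurrence` in the `frequency` expansion, and the sentence-length `expanded` of `valid` would fit better in a `description` field, as the other taxonomies in this commit do.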
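Review bot: The rewritten `yearly` expansion in the second trust hunk introduces a typo — the removed text `This attribute is likely to happen at a yearly interval` was correct and the added line reads `Thie attribute`; restore `"expanded": "This attribute is likely to happen at a yearly interval"`. The first lines of this hunk continue the `frequency` entry list that starts in the previous hunk, so the other interval values are not visible here.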