MISP
/
misp-taxonomies
mirror of https://github.com/MISP/misp-taxonomies
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [state-responsibility] various clean-up

pull/226/head
Alexandre Dulaunoy 2022-01-22 18:15:41 +01:00
parent e6a4c4e117
commit 9e98745cba
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
4 changed files with 167 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
MANIFEST.json
View File

@ -573,6 +573,11 @@
"name": "smart-airports-threats",
"version": 1
},
{
"description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
"name": "state-responsibility",
"version": 1
},
{
"description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
"name": "stealth_malware",
@ -655,5 +660,5 @@
}
],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
"version": "20220106"
"version": "20220122"
}

7
README.md
View File

@ -530,7 +530,7 @@ Taxonomy to classify phishing attacks including techniques, collection mechanism
### political-spectrum
[political-spectrum](https://github.com/MISP/misp-taxonomies/tree/main/political-spectrum) :
political spectrum is a system to characterize and classify different political positions [Overview](https://www.misp-project.org/taxonomies.html#_political_spectrum)
A political spectrum is a system to characterize and classify different political positions in relation to one another. [Overview](https://www.misp-project.org/taxonomies.html#_political_spectrum)
### priority-level
@ -582,6 +582,11 @@ Sampling stations of the Scripps CO2 Program [Overview](https://www.misp-project
[smart-airports-threats](https://github.com/MISP/misp-taxonomies/tree/main/smart-airports-threats) :
Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports [Overview](https://www.misp-project.org/taxonomies.html#_smart_airports_threats)
### state-responsibility
[state-responsibility](https://github.com/MISP/misp-taxonomies/tree/main/state-responsibility) :
A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers. [Overview](https://www.misp-project.org/taxonomies.html#_state_responsibility)
### stealth_malware
[stealth_malware](https://github.com/MISP/misp-taxonomies/tree/main/stealth_malware) :

121
state-responsibility/machinetag.json
View File

@ -1,62 +1,61 @@
{
"predicates": [
{
"description": "The national government will help stop the third-party attack, which may originate from its territory or merely be transiting through its networks. This responsibility is the most passive on the scale: though the government is cooperating, it still has some small share of responsibility for the insecure systems involved in the attack. In reality, nations cannot ensure the proper behavior of the tens or hundreds of millions of computers in their borders at all times.",
"expanded": "State-prohibited.",
"value": "state-prohibited."
},
{
"description": "The national government is cooperative and would stop the third-party attack but is unable to do so. The country might lack the proper laws, procedures, technical tools, or political will to use them. Though the nation could itself be a victim, it bears some passive responsibility for the attack, both for being unable to stop it and for having insecure systems in the first place.",
"expanded": "State-prohibited-but-inadequate",
"value": "state-prohibited-but-inadequate."
},
{
"description": "The national government knows about the third-party attacks but, as a matter of policy, is unwilling to take any official action. A government may even agree with the goals and results of the attackers and tip them off to avoid being detected.",
"expanded": "State-ignored",
"value": "state-ignored"
},
{
"description": "Third parties control and conduct the attack, but the national government encourages them to continue as a matter of policy. This encouragement could include editorials in state-run press or leadership publicly agreeing with the goals of the attacks; members of government cyber offensive or intelligence organizations may be encouraged to undertake supportive recreational hacking while off duty. The nation is unlikely to be cooperative in any investigation and is likely to tip off the attackers",
"expanded": "State-encouraged",
"value": "state-encouraged"
},
{
"description": "Third parties control and conduct the attack, but the state provides some support, such as informal coordination between like-minded individuals in the government and the attacking group. To further their policy while retaining plausible deniability, the government may encourage members of their cyber forces to undertake 'recreational hacking' while off duty.",
"expanded": "State-shaped",
"value": "state-shaped"
},
{
"description": "The national government coordinates the third-party attackers—usually out of public view—by 'suggesting' targets, timing, or other operational details. The government may also provide technical or tactical assistance. Similar to state-shaped attacks, the government may encourage its cyber forces to engage in recreational hacking during off hours",
"expanded": "State-coordinated",
"value": "state-coordinated"
},
{
"description": "The national government, as a matter of policy, directs third-party proxies to conduct the attack on its behalf. This is as “state-sponsored” as an attack can be, without direct attack from government cyber forces. Any attackers that are under state control could be considered to be de facto agents of the state under international law.",
"expanded": "State-ordered",
"value": "state-ordered"
},
{
"description": "Elements of cyber forces of the national government conduct the attack. In this case, however, they carry out attacks without the knowledge, or approval, of the national leadership, which may act to stop the attacks should they learn of them. For example, local units or junior officers could be taking the initiative to counterattack out of the senior officers sight. More worrisome, this category could include sophisticated and persistent attacks from large bureaucracies conducting attacks that are at odds with the national leadership. Based on current precedence, a state could likely be held responsible by international courts for such rogue attacks.",
"expanded": "State-rogue-conducted.",
"value": "state-rogue-conducted"
},
{
"description": "The national government, as a matter of policy, directly controls and conducts the attack using its own cyber forces",
"expanded": "State-executed",
"value": "state-executed"
},
{
"description": "The national government integrates third-party attackers and government cyber forces, with common command and control. Orders and coordination may be formal or informal, but the government is in control of selecting targets, timing, and tempo. The attackers are de facto agents of the state",
"expanded": "State-integrated",
"value": "state-integrated"
}
],
"refs": [
"https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF"
],
"version": 1,
"description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
"expanded": "The Spectrum of State Responsibility",
"namespace": "state-responsibility"
}
"predicates": [
{
"description": "The national government will help stop the third-party attack, which may originate from its territory or merely be transiting through its networks. This responsibility is the most passive on the scale: though the government is cooperating, it still has some small share of responsibility for the insecure systems involved in the attack. In reality, nations cannot ensure the proper behavior of the tens or hundreds of millions of computers in their borders at all times.",
"expanded": "State-prohibited.",
"value": "state-prohibited."
},
{
"description": "The national government is cooperative and would stop the third-party attack but is unable to do so. The country might lack the proper laws, procedures, technical tools, or political will to use them. Though the nation could itself be a victim, it bears some passive responsibility for the attack, both for being unable to stop it and for having insecure systems in the first place.",
"expanded": "State-prohibited-but-inadequate",
"value": "state-prohibited-but-inadequate."
},
{
"description": "The national government knows about the third-party attacks but, as a matter of policy, is unwilling to take any official action. A government may even agree with the goals and results of the attackers and tip them off to avoid being detected.",
"expanded": "State-ignored",
"value": "state-ignored"
},
{
"description": "Third parties control and conduct the attack, but the national government encourages them to continue as a matter of policy. This encouragement could include editorials in state-run press or leadership publicly agreeing with the goals of the attacks; members of government cyber offensive or intelligence organizations may be encouraged to undertake supportive recreational hacking while off duty. The nation is unlikely to be cooperative in any investigation and is likely to tip off the attackers",
"expanded": "State-encouraged",
"value": "state-encouraged"
},
{
"description": "Third parties control and conduct the attack, but the state provides some support, such as informal coordination between like-minded individuals in the government and the attacking group. To further their policy while retaining plausible deniability, the government may encourage members of their cyber forces to undertake 'recreational hacking' while off duty.",
"expanded": "State-shaped",
"value": "state-shaped"
},
{
"description": "The national government coordinates the third-party attackers—usually out of public view—by 'suggesting' targets, timing, or other operational details. The government may also provide technical or tactical assistance. Similar to state-shaped attacks, the government may encourage its cyber forces to engage in recreational hacking during off hours",
"expanded": "State-coordinated",
"value": "state-coordinated"
},
{
"description": "The national government, as a matter of policy, directs third-party proxies to conduct the attack on its behalf. This is as “state-sponsored” as an attack can be, without direct attack from government cyber forces. Any attackers that are under state control could be considered to be de facto agents of the state under international law.",
"expanded": "State-ordered",
"value": "state-ordered"
},
{
"description": "Elements of cyber forces of the national government conduct the attack. In this case, however, they carry out attacks without the knowledge, or approval, of the national leadership, which may act to stop the attacks should they learn of them. For example, local units or junior officers could be taking the initiative to counterattack out of the senior officers sight. More worrisome, this category could include sophisticated and persistent attacks from large bureaucracies conducting attacks that are at odds with the national leadership. Based on current precedence, a state could likely be held responsible by international courts for such rogue attacks.",
"expanded": "State-rogue-conducted.",
"value": "state-rogue-conducted"
},
{
"description": "The national government, as a matter of policy, directly controls and conducts the attack using its own cyber forces",
"expanded": "State-executed",
"value": "state-executed"
},
{
"description": "The national government integrates third-party attackers and government cyber forces, with common command and control. Orders and coordination may be formal or informal, but the government is in control of selecting targets, timing, and tempo. The attackers are de facto agents of the state",
"expanded": "State-integrated",
"value": "state-integrated"
}
],
"refs": [
"https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF"
],
"version": 1,
"description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
"expanded": "The Spectrum of State Responsibility",
"namespace": "state-responsibility"
}

111
summary.md
View File

@ -1,5 +1,5 @@
# Taxonomies
- Generation date: 2021-04-13
- Generation date: 2022-01-22
- license: CC-0
- description: Manifest file of MISP taxonomies available.
@ -229,7 +229,7 @@
- level-1
### course-of-action
- description: A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.
- version: 1
- version: 2
- Predicates
- passive
- active
@ -317,7 +317,7 @@
- action
### dark-web
- description: Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project
- version: 3
- version: 4
- Predicates
- topic
- motivation
@ -347,6 +347,17 @@
- Predicates
- Einstufung
- Schutzwort
### deception
- description: Deception is an important component of information operations, valuable for both offense and defense.
- version: 1
- Predicates
- space
- time
- participant
- causality
- quality
- essence
- speech-act-theory
### dhs-ciip-sectors
- description: DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors
- version: 2
@ -375,8 +386,8 @@
- nonuscontrols
- dissem
### domain-abuse
- description: Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity
- version: 1
- description: Domain Name Abuse - taxonomy to tag domain names used for cybercrime.
- version: 2
- Predicates
- domain-status
- domain-access-method
@ -549,7 +560,7 @@
- event-class
### exercise
- description: Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.
- version: 8
- version: 10
- Predicates
- cyber-europe
- cyber-storm
@ -600,11 +611,11 @@
- anonymous-data
### fr-classif
- description: French gov information classification system
- version: 3
- version: 6
- Predicates
- classifiees-defense
- non-classifiees-defense
- classifiees
- non-classifiees
- special-france
### gdpr
- description: Taxonomy related to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- version: 0
@ -836,6 +847,35 @@
- VTC
- VOR
- IMP
### interactive-cyber-training-audience
- description: Describes the target of cyber training and education.
- version: 1
- Predicates
- sector
- purpose
- proficiency-level
- target-audience
### interactive-cyber-training-technical-setup
- description: The technical setup consists of environment structure, deployment, and orchestration.
- version: 1
- Predicates
- environment-structure
- deployment
- orchestration
### interactive-cyber-training-training-environment
- description: The training environment details the environment around the training, consisting of training type and scenario.
- version: 1
- Predicates
- training-type
- scenario
### interactive-cyber-training-training-setup
- description: The training setup further describes the training itself with the scoring, roles, the training mode as well as the customization level.
- version: 1
- Predicates
- scoring
- roles
- training-mode
- customization-level
### interception-method
- description: The interception method used to intercept traffic.
- version: 1
@ -929,8 +969,8 @@
- should-not-sync
- tool
- misp2yara
- ids
- event-type
- ids
### monarc-threat
- description: MONARC Threats Taxonomy
- version: 1
@ -1015,7 +1055,7 @@
- vulnerability
### phishing
- description: Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.
- version: 4
- version: 5
- Predicates
- techniques
- distribution
@ -1025,6 +1065,12 @@
- state
- psychological-acceptability
- principle-of-persuasion
### political-spectrum
- description: A political spectrum is a system to characterize and classify different political positions in relation to one another.
- version: 1
- Predicates
- ideology
- left-right-spectrum
### priority-level
- description: After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System.
- version: 2
@ -1065,7 +1111,7 @@
- 10y
### rsit
- description: Reference Security Incident Classification Taxonomy
- version: 1002
- version: 1003
- Predicates
- abusive-content
- malicious-code
@ -1143,6 +1189,20 @@
- natural-and-social-phenomena
- third-party-failures
- malicious-actions
### state-responsibility
- description: A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.
- version: 1
- Predicates
- state-prohibited.
- state-prohibited-but-inadequate.
- state-ignored
- state-encouraged
- state-shaped
- state-coordinated
- state-ordered
- state-rogue-conducted
- state-executed
- state-integrated
### stealth_malware
- description: Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
- version: 1
@ -1159,9 +1219,21 @@
- Predicates
- targeting-sophistication-base-value
- technical-sophistication-multiplier
### ThreatMatch
### thales_group
- description: Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.
- version: 2
- Predicates
- distribution
- to_block
- minarm
- acn
- sigpart
- ioc_confidence
- tlp:black
- Watcher
### threatmatch
- description: The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
- version: 1
- version: 3
- Predicates
- sector
- incident-type
@ -1210,6 +1282,13 @@
- IMINT
- MASINT
- FININT
### unified-kill-chain
- description: The Unified Kill Chain is a refinement to the Kill Chain.
- version: 1
- Predicates
- Initial Foothold
- Network Propagation
- Action on Objectives
### use-case-applicability
- description: The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems.
- version: 1
@ -1289,9 +1368,9 @@
- description: VMRay taxonomies to map VMRay Thread Identifier scores and artifacts.
- version: 1
- Predicates
- artifact
- verdict
- vti_analysis_score
- artifact
### vocabulaire-des-probabilites-estimatives
- description: Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité
- version: 3
@ -1299,7 +1378,7 @@
- degré-de-probabilité
### workflow
- description: Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.
- version: 10
- version: 11
- Predicates
- todo
- state