Merge branch 'master' into master

pull/169/head
Nedfire23 2019-10-24 13:30:59 +02:00 committed by GitHub
commit a2ba83430d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
37 changed files with 4438 additions and 160 deletions


@ -61,7 +61,12 @@
"description": "CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place."
},
{
"version": 2,
"version": 1,
"name": "coa",
"description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack."
},
{
"version": 3,
"name": "collaborative-intelligence",
"description": "Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP."
},
@ -75,6 +80,11 @@
"name": "cssa",
"description": "The CSSA agreed sharing taxonomy."
},
{
"version": 1,
"name": "dcso-sharing",
"description": "DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide"
},
{
"version": 2,
"name": "ddos",
@ -110,6 +120,11 @@
"name": "domain-abuse",
"description": "Taxonomy to tag domain names used for cybercrime."
},
{
"version": 1,
"name": "drugs",
"description": "A taxonomy based on the superclass and class of drugs, based on https://www.drugbank.ca/releases/latest"
},
{
"version": 1,
"name": "ecsirt",
@ -128,7 +143,7 @@
{
"version": 1,
"name": "euci",
"description": "EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013D0488&from=EN"
"description": "EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in COUNCIL DECISION of 23 September 2013 on the security rules for protecting EU classified information"
},
{
"version": 2,
@ -181,7 +196,7 @@
"description": "Malware classification based on a SANS whitepaper about malware."
},
{
"version": 5,
"version": 9,
"name": "misp",
"description": "Internal MISP taxonomy."
},
@ -241,7 +256,7 @@
"description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
},
{
"version": 1,
"version": 2,
"name": "targeted-threat-index",
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
},
@ -261,7 +276,7 @@
"description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
},
{
"version": 1,
"version": 2,
"name": "vocabulaire-des-probabilites-estimatives",
"description": "Vocabulaire des probabilités estimatives"
},
@ -301,7 +316,7 @@
"description": "Sectors and sub sectors as identified by the NIS Directive."
},
{
"version": 2,
"version": 3,
"name": "economical-impact",
"description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information."
},
@ -351,7 +366,7 @@
"version": 1
},
{
"version": 1,
"version": 3,
"name": "false-positive",
"description": "This taxonomy aims to ballpark the expected amount of false positives."
},
@ -406,7 +421,7 @@
"description": "The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems."
},
{
"version": 2,
"version": 5,
"name": "exercise",
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise."
},
@ -424,7 +439,7 @@
"version": 1,
"name": "information-security-data-source",
"description": "Taxonomy to classify the information security data sources"
}, //
},
{
"version": 1,
"name": "gea-nz-entities",
@ -439,11 +454,81 @@
"version": 2,
"name": "gea-nz-motivators",
"description": "Information relating to authority or governance."
},
{
"version": 1,
"name": "cryptocurrency-threat",
"description": "Threats targetting cryptocurrency, based on CipherTrace report."
},
{
"version": 1,
"name": "flesch-reading-ease",
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid)."
},
{
"version": 3,
"name": "common-taxonomy",
"description": "The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem."
},
{
"version": 1,
"name": "ransomware",
"description": "Ransomware is used to define ransomware types and the elements that compose them."
},
{
"version": 3,
"name": "dark-web",
"description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project."
},
{
"version": 2,
"name": "retention",
"description": "Retention taxonomy to describe the retention period of the tagged information."
},
{
"version": 1,
"name": "threats-to-dns",
"description": "An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 11. doi:10.1109/comst.2018.2849614"
},
{
"version": 1,
"name": "csirt-americas",
"description": "Taxonomy from CSIRTAmericas.org."
},
{
"version": 1,
"name": "scrippsco2-fgc",
"description": "Flags describing the sample"
},
{
"version": 1,
"name": "scrippsco2-fgi",
"description": "Flags describing the sample for isotopic data (C14, O18)"
},
{
"version": 1,
"name": "scrippsco2-sampling-stations",
"description": "Sampling stations of the Scripps CO2 Program"
},
{
"version": 4,
"name": "phishing",
"description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status."
},
{
"description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project",
"version": 1,
"name": "ics"
},
{
"name": "course-of-action",
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
"version": 2
}
],
"path": "machinetag.json",
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
"description": "Manifest file of MISP taxonomies available.",
"license": "CC-0",
"version": "20190106"
"version": "20191023"
}
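Review bot: The versions this manifest registers do not all match the taxonomy files added in the same commit: `course-of-action` is listed with `"version": 2` while course-of-action/machinetag.json declares `"version": 1`, and the `coa` entry keeps `"version": 1` if the printed order is old-then-new, whereas coa/machinetag.json declares `"version": 2`; if a consumer compares these numbers to decide whether to refresh a taxonomy, a lagging entry means the update is silently skipped, so they should be reconciled before merge. The last three entries of the long hunk also use a different key order (`ics` puts `description` first, `course-of-action` puts `version` last) than every other entry's `version`/`name`/`description` layout; key order means nothing to a parser, but a hand-edited manifest is easier to diff when it is uniform. `targetting` in the cryptocurrency-threat description should read `targeting` (the README carries the same string). Related, since this manifest registers it: the last visible line of course-of-action/machinetag.json (cut off at the end of this view) spells the entry value `decieve` while the predicate text in that file uses `deceive`, and a tag value is hard to rename once it is in use.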


@ -12,7 +12,7 @@ The following taxonomies can be used in MISP (as local or distributed tags) or i
The following taxonomies are described:
- [Access-now](./accessnow)
- [access-method](./access-method)
- [action-taken](./action-taken)
- [Admiralty Scale](./admiralty-scale)
- [adversary](./adversary) - description of an adversary infrastructure
@ -23,9 +23,11 @@ The following taxonomies are described:
- CIRCL [Taxonomy - Schemes of Classification in Incident Response and Detection](./circl)
- [The CSSA agreed sharing taxonomy](./cssa)
- [Collaborative intelligence](./collaborative-intelligence) - Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP. The objective of this language is to advance collaborative analysis and to share earlier than later.
- [Cryptocurrency Threat](./cryptocurrency-threat) - Threats targetting cryptocurrency, based on CipherTrace report.
- [Cyber Kill Chain](./kill-chain) from Lockheed Martin
- [The Cyber Threat Framework](./cyber-threat-framework) was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.
- DE German (DE) [Government classification markings (VS)](./de-vs)
- [DCSO Sharing Taxonomy](./dcso-sharing) - DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide
- [DHS CIIP Sectors](./dhs-ciip-sectors)
- [Diamond Model for Intrusion Analysis](./diamond-model)
- [Detection Maturity Level](./DML)
@ -46,6 +48,7 @@ The following taxonomies are described:
- [NATO Classification Marking](./nato)
- [Open Threat Taxonomy v1.1 (SANS)](./open_threat)
- [OSINT Open Source Intelligence - Classification](./osint)
- [Ransomware](./ransomware)
- [runtime-packer](./runtime-packer) - Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other o
bfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
- [STIX-TTP](./stix-ttp) - Represents the behavior or modus operandi of cyber adversaries as normalized in STIX


@ -5,27 +5,27 @@
{
"expanded": "Less than 1 year",
"value": "less-than-1-year",
"numerical_value": 1
"numerical_value": 20
},
{
"expanded": "Between 1 and 5 years",
"value": "between-1-and-5-years",
"numerical_value": 2
"numerical_value": 40
},
{
"expanded": "Between 5 and 10 years",
"value": "between-5-and-10-years",
"numerical_value": 3
"numerical_value": 60
},
{
"expanded": "Between 10 and 20 years",
"value": "between-10-and-20-years",
"numerical_value": 4
"numerical_value": 80
},
{
"expanded": "More than 20 years",
"value": "more-than-20-years",
"numerical_value": 5
"numerical_value": 100
}
],
"predicate": "experience"
@ -56,27 +56,27 @@
{
"expanded": "Less than 1 year",
"value": "less-than-1-year",
"numerical_value": 1
"numerical_value": 20
},
{
"expanded": "Between 1 and 5 years",
"value": "between-1-and-5-years",
"numerical_value": 2
"numerical_value": 40
},
{
"expanded": "Between 5 and 10 years",
"value": "between-5-and-10-years",
"numerical_value": 3
"numerical_value": 60
},
{
"expanded": "Between 10 and 20 years",
"value": "between-10-and-20-years",
"numerical_value": 4
"numerical_value": 80
},
{
"expanded": "More than 20 years",
"value": "more-than-20-years",
"numerical_value": 5
"numerical_value": 100
}
],
"predicate": "binary-reversing-experience"
@ -132,27 +132,27 @@
{
"expanded": "Less than 1 year",
"value": "less-than-1-year",
"numerical_value": 1
"numerical_value": 20
},
{
"expanded": "Between 1 and 5 years",
"value": "between-1-and-5-years",
"numerical_value": 2
"numerical_value": 40
},
{
"expanded": "Between 5 and 10 years",
"value": "between-5-and-10-years",
"numerical_value": 3
"numerical_value": 60
},
{
"expanded": "Between 10 and 20 years",
"value": "between-10-and-20-years",
"numerical_value": 4
"numerical_value": 80
},
{
"expanded": "More than 20 years",
"value": "more-than-20-years",
"numerical_value": 5
"numerical_value": 100
}
],
"predicate": "web-experience"
@ -162,27 +162,27 @@
{
"expanded": "Less than 1 year",
"value": "less-than-1-year",
"numerical_value": 1
"numerical_value": 20
},
{
"expanded": "Between 1 and 5 years",
"value": "between-1-and-5-years",
"numerical_value": 2
"numerical_value": 40
},
{
"expanded": "Between 5 and 10 years",
"value": "between-5-and-10-years",
"numerical_value": 3
"numerical_value": 60
},
{
"expanded": "Between 10 and 20 years",
"value": "between-10-and-20-years",
"numerical_value": 4
"numerical_value": 80
},
{
"expanded": "More than 20 years",
"value": "more-than-20-years",
"numerical_value": 5
"numerical_value": 100
}
],
"predicate": "crypto-experience"
@ -229,7 +229,7 @@
"org",
"user"
],
"version": 2,
"version": 3,
"description": "A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst.",
"expanded": "Analyst (Self) Assessment",
"namespace": "analyst-assessment"


@ -1,7 +1,7 @@
{
"namespace": "circl",
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
"version": 2,
"version": 3,
"predicates": [
{
"value": "incident-classification",
@ -83,6 +83,10 @@
{
"value": "wiper",
"expanded": "Wiper"
},
{
"value": "sextortion",
"expanded": "sextortion"
}
]
},
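Review bot: The new `sextortion` entry's `expanded` text is lowercase while the neighbouring entries capitalise theirs (`"Wiper"` directly above), so the rendered label will look inconsistent; use `"expanded": "Sextortion"`. The enclosing entry array starts before this hunk.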

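--- /dev/null
+++ b/coa/machinetag.json
@@ -0,0 +1,377 @@
+{
+"namespace": "coa",
+"description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.",
+"version": 2,
+"predicates": [
+{
+"value": "discover",
+"expanded": "Search historical data for an indicator."
+},
+{
+"value": "detect",
+"expanded": "Set up a detection rule for an indicator for future alerting."
+},
+{
+"value": "deny",
+"expanded": "Prevent an event from taking place."
+},
+{
+"value": "disrupt",
+"expanded": "Make an event fail when it is taking place."
+},
+{
+"value": "degrade",
+"expanded": "Slow down attacker activity; reduce attacker efficiency."
+},
+{
+"value": "deceive",
+"expanded": "Pretend only that an action was successful or provide misinformation to the attacker."
+},
+{
+"value": "destroy",
+"expanded": "Offensive action against the attacker."
+}
+],
+"values": [
+{
+"predicate": "discover",
+"entry": [
+{
+"value": "proxy",
+"expanded": "Searched historical proxy logs.",
+"colour": "#005065"
+},
+{
+"value": "ids",
+"expanded": "Searched historical IDS logs.",
+"colour": "#00586f"
+},
+{
+"value": "firewall",
+"expanded": "Searched historical firewall logs.",
+"colour": "#005f78"
+},
+{
+"value": "pcap",
+"expanded": "Discovered in packet-capture logs",
+"colour": "#006681"
+},
+{
+"value": "remote-access",
+"expanded": "Searched historical remote access logs.",
+"colour": "#006e8b"
+},
+{
+"value": "authentication",
+"expanded": "Searched historical authentication logs.",
+"colour": "#007594"
+},
+{
+"value": "honeypot",
+"expanded": "Searched historical honeypot data.",
+"colour": "#007c9d"
+},
+{
+"value": "syslog",
+"expanded": "Searched historical system logs.",
+"colour": "#0084a6"
+},
+{
+"value": "web",
+"expanded": "Searched historical WAF and web application logs.",
+"colour": "#008bb0"
+},
+{
+"value": "database",
+"expanded": "Searched historcial database logs.",
+"colour": "#0092b9"
+},
+{
+"value": "mail",
+"expanded": "Searched historical mail logs.",
+"colour": "#009ac2"
+},
+{
+"value": "antivirus",
+"expanded": "Searched historical antivirus alerts.",
+"colour": "#00a1cb"
+},
+{
+"value": "malware-collection",
+"expanded": "Retro hunted in a malware collection.",
+"colour": "#00a8d5"
+},
+{
+"value": "other",
+"expanded": "Searched other historical data.",
+"colour": "#00b0de"
+},
+{
+"value": "unspecified",
+"expanded": "Unspecified information.",
+"colour": "#00b7e7"
+}
+]
+},
+{
+"predicate": "detect",
+"entry": [
+{
+"value": "proxy",
+"expanded": "Detect by Proxy infrastructure",
+"colour": "#0abdeb"
+},
+{
+"value": "nids",
+"expanded": "Detect by Network Intrusion detection system.",
+"colour": "#13c5f4"
+},
+{
+"value": "hids",
+"expanded": "Detect by Host Intrusion detection system.",
+"colour": "#24c9f5"
+},
+{
+"value": "other",
+"expanded": "Detect by other tools.",
+"colour": "#35cef5"
+},
+{
+"value": "syslog",
+"expanded": "Detect in system logs.",
+"colour": "#45d2f6"
+},
+{
+"value": "firewall",
+"expanded": "Detect by firewall.",
+"colour": "#56d6f7"
+},
+{
+"value": "email",
+"expanded": "Detect by MTA.",
+"colour": "#67daf8"
+},
+{
+"value": "web",
+"expanded": "Detect by web infrastructure including WAF.",
+"colour": "#78def8"
+},
+{
+"value": "database",
+"expanded": "Detect in database.",
+"colour": "#89e2f9"
+},
+{
+"value": "remote-access",
+"expanded": "Detect in remote-access logs.",
+"colour": "#9ae6fa"
+},
+{
+"value": "malware-collection",
+"expanded": "Detect in malware-collection.",
+"colour": "#aaeafb"
+},
+{
+"value": "antivirus",
+"expanded": "Detect with antivirus.",
+"colour": "#bbeefb"
+},
+{
+"value": "unspecified",
+"expanded": "Unspecified information.",
+"colour": "#ccf2fc"
+}
+]
+},
+{
+"predicate": "deny",
+"entry": [
+{
+"value": "proxy",
+"expanded": "Implemented a proxy filter.",
+"colour": "#f09105"
+},
+{
+"value": "firewall",
+"expanded": "Implemented a block rule on a firewall.",
+"colour": "#f99a0e"
+},
+{
+"value": "waf",
+"expanded": "Implemented a block rule on a web application firewall.",
+"colour": "#f9a11f"
+},
+{
+"value": "email",
+"expanded": "Implemented a filter on a mail transfer agent.",
+"colour": "#faa830"
+},
+{
+"value": "chroot",
+"expanded": "Implemented a chroot jail.",
+"colour": "#faaf41"
+},
+{
+"value": "remote-access",
+"expanded": "Blocked an account for remote access.",
+"colour": "#fbb653"
+},
+{
+"value": "other",
+"expanded": "Denied an action by other means.",
+"colour": "#fbbe64"
+},
+{
+"value": "unspecified",
+"expanded": "Unspecified information.",
+"colour": "#fbc575"
+}
+]
+},
+{
+"predicate": "disrupt",
+"entry": [
+{
+"value": "nips",
+"expanded": "Implemented a rule on a network IPS.",
+"colour": "#660389"
+},
+{
+"value": "hips",
+"expanded": "Implemented a rule on a host-based IPS.",
+"colour": "#73039a"
+},
+{
+"value": "other",
+"expanded": "Disrupted an action by other means.",
+"colour": "#8003ab"
+},
+{
+"value": "email",
+"expanded": "Quarantined an email.",
+"colour": "#8d04bd"
+},
+{
+"value": "memory-protection",
+"expanded": "Implemented memory protection like DEP and/or ASLR.",
+"colour": "#9a04ce"
+},
+{
+"value": "sandboxing",
+"expanded": "Exploded in a sandbox.",
+"colour": "#a605df"
+},
+{
+"value": "antivirus",
+"expanded": "Activated an antivirus signature.",
+"colour": "#b305f0"
+},
+{
+"value": "unspecified",
+"expanded": "Unspecified information.",
+"colour": "#bc0ef9"
+}
+]
+},
+{
+"predicate": "degrade",
+"entry": [
+{
+"value": "bandwidth",
+"expanded": "Throttled the bandwidth.",
+"colour": "#0421ce"
+},
+{
+"value": "tarpit",
+"expanded": "Implement a network tarpit.",
+"colour": "#0523df"
+},
+{
+"value": "other",
+"expanded": "Degraded an action by other means.",
+"colour": "#0526f0"
+},
+{
+"value": "email",
+"expanded": "Queued an email.",
+"colour": "#0e2ff9"
+},
+{
+"value": "unspecified",
+"expanded": "Unspecified information.",
+"colour": "#1f3ef9"
+}
+]
+},
+{
+"predicate": "deceive",
+"entry": [
+{
+"value": "honeypot",
+"expanded": "Implemented an interactive honeypot.",
+"colour": "#0eb274"
+},
+{
+"value": "DNS",
+"expanded": "Implemented DNS redirects, e.g. a response policy zone.",
+"colour": "#10c37f"
+},
+{
+"value": "other",
+"expanded": "Deceived the attacker with other technology.",
+"colour": "#11d389"
+},
+{
+"value": "email",
+"expanded": "Implemented email redirection.",
+"colour": "#12e394"
+},
+{
+"value": "unspecified",
+"expanded": "Unspecified information.",
+"colour": "#1bec9d"
+}
+]
+},
+{
+"predicate": "destroy",
+"entry": [
+{
+"value": "arrest",
+"expanded": "Arrested the threat actor.",
+"colour": "#c33210"
+},
+{
+"value": "seize",
+"expanded": "Seized attacker infrastructure.",
+"colour": "#d33611"
+},
+{
+"value": "physical",
+"expanded": "Physically destroyed attacker hardware.",
+"colour": "#e33b12"
+},
+{
+"value": "dos",
+"expanded": "Performed a denial-of-service attack against attacker infrastructure.",
+"colour": "#ec441b"
+},
+{
+"value": "hack-back",
+"expanded": "Hack back against the threat actor.",
+"colour": "#ed512b"
+},
+{
+"value": "other",
+"expanded": "Carried out other offensive actions against the attacker.",
+"colour": "#ee5e3b"
+},
+{
+"value": "unspecified",
+"expanded": "Unspecified information.",
+"colour": "#f06c4c"
+}
+]
+}
+]
+}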
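Review bot: `"expanded": "Searched historcial database logs."` under the `discover` predicate has a typo and should read `"Searched historical database logs."`. The `deceive` predicate uses the value `DNS` in upper case while every other value in this file is lowercase (`nids`, `hids`, `waf`, `pcap`); since the value becomes part of the tag string, `"value": "dns"` keeps tag names uniform and avoids a near-duplicate if someone later adds the lowercase form. The `expanded` strings also alternate between complete past-tense sentences with a full stop (`"Searched historical proxy logs."`) and fragments without one (`"Discovered in packet-capture logs"`, `"Detect by Proxy infrastructure"`), which is worth settling on one form before the file is published, as these strings are what users see in the tag picker.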


@ -2,7 +2,7 @@
"namespace": "collaborative-intelligence",
"expanded": "collaborative intelligence support language",
"description": "Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP. The objective of this language is to advance collaborative analysis and to share earlier than later.",
"version": 2,
"version": 3,
"predicates": [
{
"value": "request",
@ -18,6 +18,11 @@
"value": "sample",
"expanded": "Request a binary sample"
},
{
"value": "extracted-malware-config",
"expanded": "Extracted malware config",
"description": "Request of the malware configuration extracted from the malware sample tagged."
},
{
"value": "deobfuscated-sample",
"expanded": "Request a deobfuscated sample of the shared sample"
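Review bot: The new `extracted-malware-config` entry's `expanded` text (`"Extracted malware config"`) does not read as a request like its siblings under the `request` predicate (`"Request a binary sample"`, `"Request a deobfuscated sample of the shared sample"`), so the rendered tag states a fact where the others ask for something; `"expanded": "Request the extracted malware configuration"` would match them, with the added `description` kept as is. The entry array starts before this hunk and continues past it.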


@ -0,0 +1,213 @@
{
"values": [
{
"entry": [
{
"description": "Malware detected in a system.",
"expanded": "Infection",
"value": "infection"
},
{
"description": "Malware attached to a message or email message containing link to malicious URL or IP.",
"expanded": "Distribution",
"value": "distribution"
},
{
"description": "System used as a command-and-control point by a botnet. Also included in this field are systems serving as a point for gathering information stolen by botnets.",
"expanded": "Command & Control (C&C)",
"value": "command-and-control"
},
{
"description": "System attempting to gain access to a port normally linked to a specific type of malware / System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet.",
"expanded": "Malicious connection",
"value": "malicious-connection"
}
],
"predicate": "malware"
},
{
"entry": [
{
"description": "Single source using specially designed software to affect the normal functioning of a specific service, by exploiting vulnerability / Mass mailing of requests (network packets, emails, etc.) from one single source to a specific service, aimed at affecting its normal functioning.",
"expanded": "Denial of Service (DoS) / Distributed Denial of Service (DDoS)",
"value": "dos-ddos"
},
{
"description": "Logical and physical activities which although they are not aimed at causing damage to information or at preventing its transmission among systems have this effect.",
"expanded": "Sabotage",
"value": "sabotage"
}
],
"predicate": "availability"
},
{
"entry": [
{
"description": "Single system scan searching for open ports or services using these ports for responding / Scanning a network aimed at identifying systems which are active in the same network / Transfer of a specific DNS zone.",
"expanded": "Scanning",
"value": "scanning"
},
{
"description": "Logical or physical interception of communications.",
"expanded": "Sniffing",
"value": "sniffing"
},
{
"description": "Mass emailing aimed at collecting data for phishing purposes with regard to the victims / Hosting web sites for phishing purposes.",
"expanded": "Phishing",
"value": "phishing"
}
],
"predicate": "information-gathering"
},
{
"entry": [
{
"description": "Unsuccessful use of a tool exploiting a specific vulnerability of the system / Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique / Unsuccessful attempts to perform attacks by using cross-site scripting techniques / Unsuccessful attempt to include files in the system under attack by using file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.",
"expanded": "Exploitation of vulnerability attempt",
"value": "vulnerability-exploitation-attempt"
},
{
"description": "Unsuccessful login by using sequential credentials for gaining access to the system / Unsuccessful acquisition of access credentials by breaking the protective cryptographic keys / Unsuccessful login by using system access credentials previously loaded into a dictionary.",
"expanded": "Login attempt",
"value": "login-attempt"
}
],
"predicate": "intrusion-attempt"
},
{
"entry": [
{
"description": "Unauthorised use of a tool exploiting a specific vulnerability of the system / Unauthorised manipulation or reading of information contained in a database by using the SQL injection technique / Attack performed with the use of cross-site scripting techniques / Unauthorised inclusion of files into a system under attack with the use of file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.",
"expanded": "(Successful) Exploitation of vulnerability",
"value": "vulnerability-exploitation"
},
{
"description": "Unauthorised access to a system or component by using stolen access credentials.",
"expanded": "Compromising an account",
"value": "account-compromise"
}
],
"predicate": "intrusion"
},
{
"entry": [
{
"description": "Unauthorised access to a system or component / Unauthorised access to a set of information / Unauthorised access to and sharing of a specific set of information.",
"expanded": "Unauthorised access",
"value": "unauthorised-access"
},
{
"description": "Unauthorised changes to a specific set of information / Unauthorised deleting of a specific set of information.",
"expanded": "Unauthorised modification / deletion",
"value": "unauthorised-modification-or-deletion"
}
],
"predicate": "information-security"
},
{
"entry": [
{
"description": "Use of institutional resources for purposes other than those intended.",
"expanded": "Misuse or unauthorised use of resources",
"value": "resources-misuse"
},
{
"description": "Unauthorised use of the name of an institution.",
"expanded": "False representation",
"value": "false-representation"
}
],
"predicate": "fraud"
},
{
"entry": [
{
"description": "Sending an unusually large quantity of email messages / Unsolicited or unwanted email message sent to the recipient.",
"expanded": "SPAM",
"value": "spam"
},
{
"description": "Unauthorised distribution or sharing of content protected by Copyright and related rights.",
"expanded": "Copyright",
"value": "copyright"
},
{
"description": "Distribution or sharing of illegal content such as child sexual exploitation material, racism, xenophobia, etc.",
"expanded": "Child Sexual Exploitation, racism or incitement to violence",
"value": "cse-racism-violence-incitement"
}
],
"predicate": "abusive-content"
},
{
"entry": [
{
"description": "Incidents which do not fit the existing classification, acting as an indicator for the classifications update.",
"expanded": "Unclassified incident",
"value": "unclassified-incident"
},
{
"description": "Unprocessed incidents which have remained undetermined from the beginning.",
"expanded": "Undetermined incident",
"value": "undetermined-incident"
}
],
"predicate": "other"
}
],
"predicates": [
{
"description": "Infection of one or various systems with a specific type of malware / Connection performed by/from/to (a) suspicious system(s)",
"expanded": "Malicious software/code",
"value": "malware"
},
{
"description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative / Premeditated action to damage a system, interrupt a process, change or delete information, etc.",
"expanded": "Availability",
"value": "availability"
},
{
"description": "Active and passive gathering of information on systems or networks / Unauthorised monitoring and reading of network traffic / Attempt to gather information on a user or a system through phishing methods.",
"expanded": "Information Gathering",
"value": "information-gathering"
},
{
"description": "Attempt to intrude by exploiting vulnerability in a system, component or network / Attempt to log in to services or authentication/access control mechanisms.",
"expanded": "Intrusion Attempt",
"value": "intrusion-attempt"
},
{
"description": "Actual intrusion by exploiting vulnerability in the system, component or network / Actual intrusion in a system, component or network by compromising a user or administrator account.",
"expanded": "Intrusion",
"value": "intrusion"
},
{
"description": "Unauthorised access to a particular set of information / Unauthorised change or elimination of a particular set of information.",
"expanded": "Information Security",
"value": "information-security"
},
{
"description": "Loss of property caused with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.",
"expanded": "Fraud",
"value": "fraud"
},
{
"description": "Sending SPAM messages / Distribution and sharing of copyright protected content / Dissemination of content forbidden by law.",
"expanded": "Abusive Content",
"value": "abusive-content"
},
{
"description": "Incidents not classified in the existing classification.",
"expanded": "Other",
"value": "other"
}
],
"version": 3,
"description": "Common Taxonomy for Law enforcement and CSIRTs",
"refs": [
"https://www.europol.europa.eu/publications-documents/common-taxonomy-for-law-enforcement-and-csirts",
"https://www.enisa.europa.eu/publications/tools-and-methodologies-to-support-cooperation-between-csirts-and-law-enforcement"
],
"namespace": "common-taxonomy"
}
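Review bot: The top-level keys of this new file are ordered `values`, `predicates`, `version`, `description`, `refs`, `namespace`, the reverse of the `namespace`/`description`/`version`/`predicates`/`values` layout the other taxonomy files in this commit use (coa/machinetag.json, for example), which makes side-by-side review harder and reads like a dict dump rather than a hand-written file; reordering is harmless to any parser and would put the identifying fields at the top where a reviewer looks first. The file also carries no top-level `expanded`, which some of the other files in this commit provide (`"expanded": "Courses of Action"`, `"expanded": "COPINE Scale"`); if the schema treats it as optional this is fine, otherwise `"expanded": "Common Taxonomy for Law Enforcement and CSIRTs"` would fill it.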


@ -2,50 +2,60 @@
"predicates": [
{
"expanded": "Sadistic/bestiality: (a) Pictures showing a child being tied, bound, beaten, whipped, or otherwise subjected to something that implies pain; (b) Pictures where an animal is involved in some form of sexual behavior with a child",
"value": "level-10"
"value": "level-10",
"numerical_value": 100
},
{
"expanded": "Gross assault: Grossly obscene pictures of sexual assault, involving penetrative sex, masturbation, or oral sex involving an adult",
"value": "level-9"
"value": "level-9",
"numerical_value": 90
},
{
"expanded": "Assault: Pictures of children being subjected to a sexual assault, involving digital touching, involving an adult",
"value": "level-8"
"value": "level-8",
"numerical_value": 80
},
{
"expanded": "Explicit sexual activity: Involves touching, mutual and self-masturbation, oral sex, and intercourse by child, not involving an adult",
"value": "level-7"
"value": "level-7",
"numerical_value": 70
},
{
"expanded": "Explicit erotic posing: Emphasizing genital areas where the child is posing either naked, partially clothed, or fully clothed",
"value": "level-6"
"value": "level-6",
"numerical_value": 60
},
{
"expanded": "Erotic posing: Deliberately posed pictures of fully or partially clothed or naked children in sexualized or provocative poses",
"value": "level-5"
"value": "level-5",
"numerical_value": 50
},
{
"expanded": "Posing: Deliberately posed pictures of children fully or partially clothed or naked (where the amount, context, and organization suggests sexual interest)",
"value": "level-4"
"value": "level-4",
"numerical_value": 40
},
{
"expanded": "Erotica: Surreptitiously taken photographs of children in play areas or other safe environments showing either underwear or varying degrees of nakedness",
"value": "level-3"
"value": "level-3",
"numerical_value": 30
},
{
"expanded": "Nudist: Pictures of naked or seminaked children in appropriate nudist settings, and from legitimate sources",
"value": "level-2"
"value": "level-2",
"numerical_value": 20
},
{
"expanded": "Indicative: Nonerotic and nonsexualized pictures showing children in their underwear, swimming costumes, and so on, from either commercial sources or family albums; pictures of children playing in normal settings, in which the context or organization of pictures by the collector indicates inappropriateness",
"value": "level-1"
"value": "level-1",
"numerical_value": 10
}
],
"refs": [
"https://en.wikipedia.org/wiki/COPINE_scale",
"http://journals.sagepub.com/doi/pdf/10.1177/1079063217724768"
],
"version": 1,
"version": 2,
"description": "The COPINE Scale is a rating system created in Ireland and used in the United Kingdom to categorise the severity of images of child sex abuse. The scale was developed by staff at the COPINE (Combating Paedophile Information Networks in Europe) project. The COPINE Project was founded in 1997, and is based in the Department of Applied Psychology, University College Cork, Ireland.",
"expanded": "COPINE Scale",
"namespace": "copine-scale",


@ -0,0 +1,56 @@
{
"namespace": "course-of-action",
"expanded": "Courses of Action",
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
"version": 1,
"predicates": [
{
"value": "passive",
"expanded": "Passive actions have no influence of the adversarys doing."
},
{
"value": "active",
"expanded": "Active actions can impact the adversary doing."
}
],
"values": [
{
"predicate": "passive",
"entry": [
{
"value": "discover",
"expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past."
},
{
"value": "detect",
"expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered."
}
]
},
{
"predicate": "active",
"entry": [
{
"value": "deny",
"expanded": "The deny action prevents the event from taking place. Common examples include a firewall block or a proxy filter."
},
{
"value": "disrupt",
"expanded": "Disruption makes the event fail as it is occurring. Examples include quarantining or memory protection measures."
},
{
"value": "degrade",
"expanded": "Degrading will not immediately fail an event, but it will slow down the further actions of the attacker. This tactic allows you to catch up during an incident response process, but you have to consider that the attackers may eventually succeed in achieving their objectives. Throttling bandwidth is one way to degrade an intrusion."
},
{
"value": "decieve",
"expanded": "Deception allows you to learn more about the intentions of the attacker by making them think the action was successful. One way to do this is to put a honeypot in place and redirect the traffic, based on an indicator, towards the honeypot."
},
{
"value": "destroy",
"expanded": "The destroy action is rarely for 'usual' defenders, as this is an offensive action against the attacker. These actions, including physical destructive actions and arresting the attackers, are usually left to law enforcement agencies."
}
]
}
]
}
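Review bot: The value of the deception entry is misspelled as `decieve`, and because the value is the literal tag string (`course-of-action:active="decieve"`) the typo freezes into every tag applied before it is corrected, so it should read `"value": "deceive",` before this first version ships. The same class of defect is in the new dark-web file, whose topic entry `counteir-feit-materials` should be `counterfeit-materials`. Separately, the description at the top says the analysis considers six courses of action while the file defines seven (discover, detect, deny, disrupt, degrade, deceive, destroy), and the detect entry's text opens with "The passive action" where "The detect action" is meant. The passive predicate text would also read better as `"expanded": "Passive actions have no influence on the adversary's doing."`.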


@ -0,0 +1,50 @@
{
"namespace": "cryptocurrency-threat",
"description": "Threats targetting cryptocurrency, based on CipherTrace report.",
"version": 1,
"predicates": [
{
"value": "SIM Swapping",
"expanded": "An identity theft technique that takes over a victim's mobile device to steal credentials and break into wallets or exchange accounts to steal cryptocurrency."
},
{
"value": "Crypto Dusting",
"expanded": "A new form of blockchain spam that erodes the recipient's reputation by sending cryptocurrency from known money mixers."
},
{
"value": "Sanction Evasion",
"expanded": "Nation states using cryptocurrencies has been promoted by the Iranian and Venezuelan governments."
},
{
"value": "Next-Generation Crypto Mixers",
"expanded": "Money laundering services that promise to exchange tainted tokens for freshly mined crypto, but in reality, cleanse cryptocurrency through exchanges."
},
{
"value": "Shadow Money Service Businesses",
"expanded": "Unlicensed Money Service Businesses (MSBs) banking cryptocurrency without the knowledge of host financial institutions, and thus exposing banks to unknown risk."
},
{
"value": "Datacenter-Scale Crypto Jacking: ",
"expanded": "Takeover attacks that mine for cryptocurrency at a massive scale have been discovered in datacenters, including AWS."
},
{
"value": "Lightning Network Transactions",
"expanded": "Enable anonymous bitcoin transactions by going \"off-chain,\" and cannow scale to $2,150,000."
},
{
"value": "Decentralized Stable Coins",
"expanded": "Stabilized tokens that can be designed for use as private coins."
},
{
"value": "Email Extortion and Bomb Threats",
"expanded": "Cyber-extortionists stepped up mass-customized phishing emails campaigns using old passwords and spouse names in 2018. Bomb threat extortion scams demanding bitcoin spiked in December."
},
{
"value": "Crypto Robbing Ransomware",
"expanded": "Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals private keys while holding user data hostage."
}
],
"refs": [
"https://ciphertrace.com/wp-content/uploads/2019/01/crypto_aml_report_2018q4.pdf"
]
}
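Review bot: The predicate value `Datacenter-Scale Crypto Jacking: ` at the sixth entry carries a trailing colon and space, which will be embedded verbatim in the tag and leaves a value that differs from a clean one only by invisible trailing characters; it should read `"value": "Datacenter-Scale Crypto Jacking",`. On style, the other taxonomies in this commit (csirt-americas, dark-web, course-of-action) use lowercase hyphenated values and put the human-readable form in `expanded`, whereas these values are Title Case with spaces; `"value": "sim-swapping"` with `"expanded": "SIM Swapping"` would follow that convention. The description has `targetting` for `targeting`, and the Lightning Network entry has `cannow` for `can now`.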


@ -0,0 +1,63 @@
{
"namespace": "csirt-americas",
"description": "Taxonomía CSIRT Américas.",
"version": 1,
"predicates": [
{
"value": "defacement",
"expanded": "Defacement"
},
{
"value": "malware",
"expanded": "Malware"
},
{
"value": "ddos",
"expanded": "DDoS"
},
{
"value": "phishing",
"expanded": "Phishing"
},
{
"value": "spam",
"expanded": "Spam"
},
{
"value": "botnet",
"expanded": "Botnet"
},
{
"value": "fastflux",
"expanded": "Fastflux"
},
{
"value": "cryptojacking",
"expanded": "Cryptojacking"
},
{
"value": "xss",
"expanded": "XSS"
},
{
"value": "sqli",
"expanded": "SQL Injection"
},
{
"value": "vulnerability",
"expanded": "Vulnerability"
},
{
"value": "infoleak",
"expanded": "Information leak"
},
{
"value": "compromise",
"expanded": "System compromise"
},
{
"value": "other",
"expanded": "Other"
}
]
}


@ -1,7 +1,7 @@
{
"namespace": "cssa",
"description": "The CSSA agreed sharing taxonomy.",
"version": 4,
"version": 6,
"predicates": [
{
"value": "sharing-class",
@ -11,6 +11,10 @@
"value": "origin",
"expanded": "Origin"
},
{
"value": "report",
"expanded": "Report"
},
{
"value": "analyse",
"expanded": "Please analyse sample",
@ -24,17 +28,40 @@
{
"value": "high_profile",
"expanded": "Generated within the company during incident/case related investigations or forensic analysis or via malware reversing, validated by humans and highly contextualized.",
"colour": "#007695"
"colour": "#007695",
"numerical_value": 95
},
{
"value": "vetted",
"expanded": "Generated within the company, validated by a human prior to sharing, data points have been contextualized (to a degree) e.g. IPs are related to C2 or drop site.",
"colour": "#008aaf"
"colour": "#008aaf",
"numerical_value": 50
},
{
"value": "unvetted",
"expanded": "Generated within the company by automated means without human interaction e.g., by malware sandbox, honeypots, IDS, etc.",
"colour": "#00b3e2"
"colour": "#00b3e2",
"numerical_value": 10
}
]
},
{
"predicate": "report",
"entry": [
{
"value": "details",
"expanded": "Description of the incidence.",
"colour": "#fbc166"
},
{
"value": "link",
"expanded": "Link to the original report location.",
"colour": "#fbcb7f"
},
{
"value": "attached",
"expanded": "Attached report.",
"colour": "#fcd597"
}
]
},
@ -59,13 +86,18 @@
{
"value": "email",
"expanded": "Information coming out of email infrastructure.",
"colour": "#3cb08a"
"colour": "#3db08a"
},
{
"value": "3rd-party",
"expanded": "Information from outside the company.",
"colour": "#46c098"
},
{
"value": "report",
"expanded": "Information coming from a report.",
"colour": "#22644e"
},
{
"value": "other",
"expanded": "If none of the other origins applies.",
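Review bot: The new report predicate's `details` entry reads `"expanded": "Description of the incidence."`, where `incident` is meant, and this text is the human-readable form shown for the tag; change it to `"expanded": "Description of the incident.",`. The three report entries also carry no `numerical_value` while the sharing-class entries in the same commit gain 95/50/10; that is fine if they are not meant to be scored, but a `description` on the predicate stating that they are purely descriptive would make the intent clear. The enclosing values array continues outside the last hunk.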

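--- /dev/null
+++ b/dark-web/machinetag.json
@@ -0,0 +1,355 @@
+{
+"namespace": "dark-web",
+"expanded": "Dark Web",
+"description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project",
+"version": 3,
+"predicates": [
+{
+"value": "topic",
+"description": "Topic associated with the materials tagged",
+"expanded": "Topic"
+},
+{
+"value": "motivation",
+"description": "Motivation with the materials tagged",
+"expanded": "Motivation"
+},
+{
+"value": "structure",
+"description": "Structure of the materials tagged",
+"expanded": "Structure"
+}
+],
+"values": [
+{
+"predicate": "topic",
+"entry": [
+{
+"value": "drugs-narcotics",
+"expanded": "Drugs/Narcotics",
+"description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)."
+},
+{
+"value": "electronics",
+"expanded": "Electronics",
+"description": "Electronics and high tech materials, described or to sell for example."
+},
+{
+"value": "finance",
+"expanded": "Finance",
+"description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc."
+},
+{
+"value": "finance-crypto",
+"expanded": "CryptoFinance",
+"description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc."
+},
+{
+"value": "credit-card",
+"expanded": "Credit-Card",
+"description": "Credit cards and payments materials"
+},
+{
+"value": "cash-in",
+"expanded": "Cash-in",
+"description": "Buying parts of assets, conversion from liquid assets, currency, etc."
+},
+{
+"value": "cash-out",
+"expanded": "Cash-out",
+"description": "Selling parts of assets, conversion to liquid assets, currency, etc."
+},
+{
+"value": "escrow",
+"expanded": "Escrow",
+"description": "Third party keeping assets in behalf of two other parties making a transactions."
+},
+{
+"value": "hacking",
+"expanded": "Hacking",
+"description": "Materials relating to the illegal access to or alteration of data and/or electronic services."
+},
+{
+"value": "identification-credentials",
+"expanded": "Identification/Credentials",
+"description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials."
+},
+{
+"value": "intellectual-property-copyright-materials",
+"expanded": "Intellectual Property/Copyright Materials",
+"description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders."
+},
+{
+"value": "pornography-adult",
+"expanded": "Pornography - Adult",
+"description": "Lawful, ethical pornography (i.e. involving only consenting adults)."
+},
+{
+"value": "pornography-child-exploitation",
+"expanded": "Pornography - Child (Child Exploitation)",
+"description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities"
+},
+{
+"value": "pornography-illicit-or-illegal",
+"expanded": "Pornography - Illicit or Illegal",
+"description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc."
+},
+{
+"value": "search-engine-index",
+"expanded": "Search Engine/Index",
+"description": "Site providing links/references to other sites/services. Referred to as a nexus by (Moore and Rid, 2016)"
+},
+{
+"value": "unclear",
+"expanded": "Unclear",
+"description": "Unable to completely establish topic of material."
+},
+{
+"value": "extremism",
+"expanded": "Extremism",
+"description": "Illegal or of concern levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes."
+},
+{
+"value": "violence",
+"expanded": "Violence",
+"description": "Materials relating to violence against persons or property."
+},
+{
+"value": "weapons",
+"expanded": "Weapons",
+"description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients."
+},
+{
+"value": "softwares",
+"expanded": "Softwares",
+"description": "Illegal or armful software distribution"
+},
+{
+"value": "counteir-feit-materials",
+"expanded": "Counter-feit materials",
+"description": "Fake identification papers."
+},
+{
+"value": "gambling",
+"expanded": "Gambling",
+"description": "Games involving money"
+},
+{
+"value": "library",
+"expanded": "Library",
+"description": "Library or list of books"
+},
+{
+"value": "other-not-illegal",
+"expanded": "Other not illegal",
+"description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors."
+},
+{
+"value": "legitimate",
+"expanded": "Legitimate",
+"description": "Legitimate websites"
+},
+{
+"value": "chat",
+"expanded": "Chats platforms",
+"description": "Chats space or equivalent, which are not forums"
+},
+{
+"value": "mixer",
+"expanded": "Mixer",
+"description": "Anonymization tools for crypto-currencies transactions"
+},
+{
+"value": "mystery-box",
+"expanded": "Mystery-Box",
+"description": "Mystery Box seller"
+},
+{
+"value": "anonymizer",
+"expanded": "Anonymizer",
+"description": "Anonymization tools"
+},
+{
+"value": "vpn-provider",
+"expanded": "VPN-Provider",
+"description": "Provides VPN services and related"
+},
+{
+"value": "email-provider",
+"expanded": "EMail-Provider",
+"description": "Provides e-mail services and related"
+},
+{
+"value": "ponies",
+"expanded": "Ponies",
+"description": "self-explanatory. It's ponies"
+},
+{
+"value": "games",
+"expanded": "Games",
+"description": "Flash or online games"
+},
+{
+"value": "parody",
+"expanded": "Parody or Joke",
+"description": "Meme, Parody, Jokes, Trolling, ..."
+},
+{
+"value": "whistleblower",
+"expanded": "Whistleblower",
+"description": "Exposition and sharing of confidential information with protection of the witness in mind"
+}
+]
+},
+{
+"predicate": "motivation",
+"entry": [
+{
+"value": "education-training",
+"expanded": "Education & Training",
+"description": "Materials providing instruction - e.g. how to guides"
+},
+{
+"value": "wiki",
+"expanded": "Wiki",
+"description": "Wiki pages, documentation and information display"
+},
+{
+"value": "forum",
+"expanded": "Forum",
+"description": "Sites specifically designed for multiple users to communicate as peers"
+},
+{
+"value": "file-sharing",
+"expanded": "File Sharing",
+"description": "General file sharing, typically (but not limited to) movie/image sharing"
+},
+{
+"value": "hosting",
+"expanded": "Hosting",
+"description": "Hosting providers, e-mails, websites, file-storage etc."
+},
+{
+"value": "ddos-services",
+"expanded": "DDoS-Services",
+"description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc."
+},
+{
+"value": "general",
+"expanded": "General",
+"description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites."
+},
+{
+"value": "information-sharing-reportage",
+"expanded": "Information Sharing/Reportage",
+"description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy."
+},
+{
+"value": "scam",
+"expanded": "Scam",
+"description": "Intentional confidence trick to fraud people or group of people"
+},
+{
+"value": "political-speech",
+"expanded": "Political-Speech",
+"description": "Political, activism, without extremism."
+},
+{
+"value": "conspirationist",
+"expanded": "Conspirationist",
+"description": "Conspirationist content, fake news, etc."
+},
+{
+"value": "hate-speech",
+"expanded": "Hate-Speech",
+"description": "Racism, violent, hate... speech."
+},
+{
+"value": "religious",
+"expanded": "Religious",
+"description": "Religious, faith, doctrinal related content."
+},
+{
+"value": "marketplace-for-sale",
+"expanded": "Marketplace/For Sale",
+"description": "Services/goods for sale, regardless of means of payment."
+},
+{
+"value": "smuggling",
+"expanded": "Smuggling",
+"description": "Information or trading of wild animals, prohibited goods, ... "
+},
+{
+"value": "recruitment-advocacy",
+"expanded": "Recruitment/Advocacy",
+"description": "Propaganda"
+},
+{
+"value": "system-placeholder",
+"expanded": "System/Placeholder",
+"description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2"
+},
+{
+"value": "unclear",
+"expanded": "Unclear",
+"description": "Unable to completely establish motivation of material."
+}
+]
+},
+{
+"predicate": "structure",
+"entry": [
+{
+"value": "incomplete",
+"expanded": "Incomplete websites or information",
+"description": "Websites and pages that are unable to load completely properly"
+},
+{
+"value": "captcha",
+"expanded": "Captcha and Solvers",
+"description": "Captchas and solvers elements"
+},
+{
+"value": "login-forms",
+"expanded": "Logins forms and gates",
+"description": "Authentication pages, login page, login forms that block access to an internal part of a website."
+},
+{
+"value": "contact-forms",
+"expanded": "Contact forms and gates",
+"description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..."
+},
+{
+"value": "encryption-keys",
+"expanded": "Encryption and decryption keys",
+"description": "e.g. PGP Keys, passwords, ..."
+},
+{
+"value": "police-notice",
+"expanded": "Police Notice",
+"description": "Closed websites, with police-equivalent banners"
+},
+{
+"value": "legal-statement",
+"expanded": "Legal-Statement",
+"description": "RGPD statement, Privacy-policy, guidelines of a websites or forum..."
+},
+{
+"value": "test",
+"expanded": "Test",
+"description": "Test websites without any real consequences or effects"
+},
+{
+"value": "videos",
+"expanded": "Videos",
+"description": "Videos and streaming"
+},
+{
+"value": "unclear",
+"expanded": "Unclear",
+"description": "Unable to completely establish structure of material."
+}
+]
+}
+]
+}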
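Review bot: The softwares entry in the topic predicate has `"description": "Illegal or armful software distribution"`, which should be `"Illegal or harmful software distribution"`, and its expanded form `Softwares` is non-standard where `Software` would do. The file is added as a new file yet opens at `"version": 3`; if it was carried over from an earlier location that is fine, otherwise a new taxonomy normally starts at 1 so later bumps remain meaningful. The `encryption-keys` structure entry lists passwords alongside PGP keys, which blurs a distinction analysts may want to keep; wording such as `"description": "e.g. PGP keys or other cryptographic key material"` with passwords moved to a separate entry would be clearer.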


@ -0,0 +1,42 @@
{
"namespace": "dcso-sharing",
"description": "Taxonomy defined in the DCSO MISP Event Guide. It provides guidance for the creation and consumption of MISP events in a way that minimises the extra effort for the sending party, while enhancing the usefulness for receiving parties.",
"version": 1,
"predicates": [
{
"value": "event-type"
}
],
"values": [
{
"predicate": "event-type",
"entry": [
{
"value": "Observation",
"expanded": "This event describes traits and indicators closely related to a single entity, like an email campaign or sighting of a reference sample on VirusTotal. Events of this type are typically created by CSOC staff and may be verified by analysts. Observed and verified indicators would be consumed by automated filtering systems in order to support near-time threat prevention. In retrospect, observations could be correlated with reports and analysis events in order to help understand the motivation for an attack and to reassess the associated risk.",
"colour": "#00233e"
},
{
"value": "Incident",
"expanded": "This event describes traits and indicators related to a security incident. As such, the event may refer to multiple entities like organizations, bank account numbers, files, and URLs. Events of this type contain first-hand information, that is, the reporting organization took part in the analysis of the incident. Use event type \"Report\" for second-hand information. Events of this type are typically created and consumed by analysts.",
"colour": "#005d81"
},
{
"value": "Report",
"expanded": "Traceability of indicators can be essential to document compliance of processes with legal obligations or company regulations. This event preserves a report to document the origin and context of indicators. Events of this type need to be checked by a human to ensure correct reproduction of indicators and context. Intended consumers are automated processes. Events may also serve as a basis for analysis reports or to justify preventive measures. If your organization is or was directly involved in an incident and you want to provide a first-hand account, then please use event type \"Incident\" instead.",
"colour": "#3f97b8"
},
{
"value": "Analysis",
"expanded": "This event builds on \"observation\", \"incident\", and \"report\" events; adds enrichments; and provides context. Events of this type will be created by analysts with support by automated tools. Analysts are also the main consumers.",
"colour": "#5a8915"
},
{
"value": "Collection",
"expanded": "This event collects unrelated IoCs. For example, an event could combine all network IoCs that were learned of during a day or a week from events of other types.",
"colour": "#94a850"
}
]
}
]
}
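Review bot: The entry values are Title Case (`Observation`, `Incident`, `Report`, `Analysis`, `Collection`) while the Analysis entry's own text refers to them as `"observation", "incident", and "report"` and the Incident and Report entries cross-reference `"Report"` and `"Incident"`, so the file disagrees with itself about the tag spelling; since the value is the literal tag string, pick one form, and lowercase values with the Title Case form in `expanded` would match the other taxonomies in this commit. The `event-type` predicate also lacks the `expanded` key that every entry carries; `"expanded": "Event type"` would give it a display name.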

1384
drugs/machinetag.json Normal file



@ -2,7 +2,7 @@
"namespace": "economical-impact",
"expanded": " Economical Impact",
"description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information (e.g. data exfiltration loss, a positive gain for an adversary).",
"version": 2,
"version": 3,
"refs": [
"https://www.misp-project.org/"
],
@ -12,39 +12,48 @@
"entry": [
{
"value": "none",
"expanded": "No loss"
"expanded": "No loss",
"numerical_value": 0
},
{
"value": "less-than-25k-eur",
"expanded": "Less than 25K EUR"
"expanded": "Less than 25K EUR",
"numerical_value": 10
},
{
"value": "less-than-50k-euro",
"expanded": "Less than 50K EUR"
"expanded": "Less than 50K EUR",
"numerical_value": 20
},
{
"value": "less-than-100k-euro",
"expanded": "Less than 100K EUR"
"expanded": "Less than 100K EUR",
"numerical_value": 30
},
{
"value": "less-than-1M-euro",
"expanded": "Less than 1 million EUR"
"expanded": "Less than 1 million EUR",
"numerical_value": 40
},
{
"value": "less-than-10M-euro",
"expanded": "Less than 10 million EUR"
"expanded": "Less than 10 million EUR",
"numerical_value": 50
},
{
"value": "less-than-100M-euro",
"expanded": "Less than 100 million EUR"
"expanded": "Less than 100 million EUR",
"numerical_value": 60
},
{
"value": "less-than-1B-euro",
"expanded": "Less than 1 billion EUR"
"expanded": "Less than 1 billion EUR",
"numerical_value": 70
},
{
"value": "more-than-1B-euro",
"expanded": "More than 1 billion EUR"
"expanded": "More than 1 billion EUR",
"numerical_value": 80
}
]
},
@ -53,39 +62,48 @@
"entry": [
{
"value": "none",
"expanded": "No gain"
"expanded": "No gain",
"numerical_value": 0
},
{
"value": "less-than-25k-eur",
"expanded": "Less than 25K EUR"
"expanded": "Less than 25K EUR",
"numerical_value": 10
},
{
"value": "less-than-50k-euro",
"expanded": "Less than 50K EUR"
"expanded": "Less than 50K EUR",
"numerical_value": 20
},
{
"value": "less-than-100k-euro",
"expanded": "Less than 100K EUR"
"expanded": "Less than 100K EUR",
"numerical_value": 30
},
{
"value": "less-than-1M-euro",
"expanded": "Less than 1 million EUR"
"expanded": "Less than 1 million EUR",
"numerical_value": 40
},
{
"value": "less-than-10M-euro",
"expanded": "Less than 10 million EUR"
"expanded": "Less than 10 million EUR",
"numerical_value": 50
},
{
"value": "less-than-100M-euro",
"expanded": "Less than 100 million EUR"
"expanded": "Less than 100 million EUR",
"numerical_value": 60
},
{
"value": "less-than-1B-euro",
"expanded": "Less than 1 billion EUR"
"expanded": "Less than 1 billion EUR",
"numerical_value": 70
},
{
"value": "more-than-1B-euro",
"expanded": "More than 1 billion EUR"
"expanded": "More than 1 billion EUR",
"numerical_value": 80
}
]
}


@ -2,7 +2,7 @@
"namespace": "estimative-language",
"expanded": "Estimative languages",
"description": "Estimative language to describe quality and credibility of underlying sources, data, and methodologies based Intelligence Community Directive 203 (ICD 203) and JP 2-0, Joint Intelligence",
"version": 3,
"version": 4,
"predicates": [
{
"value": "likelihood-probability",
@ -62,17 +62,20 @@
{
"value": "low",
"expanded": "Low",
"description": "Uncorroborated information from good or marginal sources. Many assumptions. Mostly weak logical inferences, minimal methods application. Glaring intelligence gaps exist. Terms or expressions used: 'Possible', 'Could, may, might', 'Cannot judge, unclear.'"
"description": "Uncorroborated information from good or marginal sources. Many assumptions. Mostly weak logical inferences, minimal methods application. Glaring intelligence gaps exist. Terms or expressions used: 'Possible', 'Could, may, might', 'Cannot judge, unclear.'",
"numerical_value": 0
},
{
"value": "moderate",
"expanded": "Moderate",
"description": "Partially corroborated information from good sources. Several assumptions. Mix of strong and weak inferences and methods. Minimum intelligence gaps exist. Terms or expressions used: 'Likely, unlikely', 'Probable, improbable' 'Anticipate, appear'."
"description": "Partially corroborated information from good sources. Several assumptions. Mix of strong and weak inferences and methods. Minimum intelligence gaps exist. Terms or expressions used: 'Likely, unlikely', 'Probable, improbable' 'Anticipate, appear'.",
"numerical_value": 55
},
{
"value": "high",
"expanded": "High",
"description": "Well-corroborated information from proven sources. Minimal assumptions. Strong logical inferences and methods. No or minor intelligence gaps exist. Terms or expressions used: 'Will, will not', 'Almost certainly, remote', 'Highly likely, highly unlikely', 'Expect, assert, affirm'."
"description": "Well-corroborated information from proven sources. Minimal assumptions. Strong logical inferences and methods. No or minor intelligence gaps exist. Terms or expressions used: 'Will, will not', 'Almost certainly, remote', 'Highly likely, highly unlikely', 'Expect, assert, affirm'.",
"numerical_value": 95
}
]
}
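Review bot: The three entries get `numerical_value` 0, 55 and 95, and a score of 0 for `low` makes low confidence indistinguishable from no score at all for any consumer that multiplies or thresholds on the field; the cssa sharing-class scale added in the same commit keeps 10 as its lowest rung. Unless 0 is deliberate, `"numerical_value": 10` for `low` would keep the ordering while staying distinguishable. The predicate these entries belong to starts outside the hunk.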


@ -29,6 +29,11 @@
"description": "NATO-EU Parallel and Coordinated Exercise. PACE focuses on four key areas, namely situational awareness, effectiveness of our instruments to counter cyber threats at EU level, speed of reaction and appropriate reactivity of our crisis response mechanisms, as well as our capacity to communicate fast and in a coordinated way.",
"expanded": "PACE",
"value": "pace"
},
{
"description": "Cyber SOPEx (formerly known as EuroSOPEx) is the first step in a series of ENISA exercises focusing on training the participants on situational awareness, information sharing, understanding roles and responsibilities and utilising related tools, as agreed by the CSIRTs Network",
"expanded": "Cyber SOPEx",
"value": "cyber-sopex"
}
],
"values": [
@ -69,6 +74,11 @@
"value": "2018",
"expanded": "2018",
"description": "Locked Shields 2018"
},
{
"value": "2019",
"expanded": "2019",
"description": "Locked Shields 2019"
}
]
},
@ -110,9 +120,22 @@
"expanded": "2018"
}
]
},
{
"predicate": "cyber-sopex",
"entry": [
{
"value": "2019",
"expanded": "2019"
},
{
"value": "2018",
"expanded": "2018"
}
]
}
],
"version": 3,
"version": 5,
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
"expanded": "Exercise",
"namespace": "exercise"
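Review bot: The new cyber-sopex entries are listed 2019 then 2018 whereas the locked-shields entries added in the same file run ascending (2018 then 2019), and they carry no `description` while the locked-shields years do (`"description": "Locked Shields 2019"`); reorder them ascending and add e.g. `"description": "Cyber SOPEx 2019"` for consistency. The version also jumps from 3 to 5 in one change; if 4 was never published that is harmless, otherwise it is worth confirming that an intermediate bump was not lost in the merge.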


@ -1,13 +1,18 @@
{
"namespace": "false-positive",
"description": "This taxonomy aims to ballpark the expected amount of false positives.",
"version": 1,
"version": 3,
"expanded": "False positive",
"predicates": [
{
"value": "risk",
"expanded": "Risk",
"description": "Risk of having false positives in the tagged value."
},
{
"value": "confirmed",
"expanded": "Confirmed",
"description": "Confirmed false positives in the tagged value."
}
],
"values": [
@ -18,7 +23,7 @@
"value": "low",
"expanded": "Low",
"description": "The risk of having false positives in the tagged value is low.",
"numerical_value": 25
"numerical_value": 75
},
{
"value": "medium",
@ -30,7 +35,7 @@
"value": "high",
"expanded": "High",
"description": "The risk of having false positives in the tagged value is high.",
"numerical_value": 75
"numerical_value": 25
}
]
}
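Review bot: The `numerical_value` of `low` and `high` are swapped (25 to 75 and 75 to 25), so a higher score now means a lower false-positive risk, which inverts the meaning of the field for anything that already scores or sorts on it, and nothing in the file records the new convention. The taxonomy description should state it, e.g. `"description": "This taxonomy aims to ballpark the expected amount of false positives. A higher numerical_value means a lower false-positive risk.",`. The `medium` entry sits outside the hunks, so whether its value still lies between the two cannot be checked here, and the new `confirmed` predicate has no entries in the visible hunks, which is valid for a bare tag but worth confirming is intended.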


@ -0,0 +1,60 @@
{
"namespace": "flesch-reading-ease",
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
"version": 1,
"predicates": [
{
"value": "score",
"expanded": "Score"
}
],
"values": [
{
"predicate": "score",
"entry": [
{
"value": "90-100",
"expanded": "Very Easy",
"description": "Very easy to read. Easily understood by an average 11-year-old student.",
"numerical_value": 100
},
{
"value": "80-89",
"expanded": "Easy",
"description": "Easy to read. Conversational English for consumers.",
"numerical_value": 89
},
{
"value": "70-79",
"expanded": "Fairly Easy",
"description": "Fairly easy to read.",
"numerical_value": 79
},
{
"value": "60-69",
"expanded": "Standard",
"description": "Plain English. Easily understood by 13- to 15-year-old students.",
"numerical_value": 69
},
{
"value": "50-59",
"expanded": "Fairly Difficult",
"description": "Fairly difficult to read.",
"numerical_value": 59
},
{
"value": "30-49",
"expanded": "Difficult",
"description": "Difficult to read.",
"numerical_value": 49
},
{
"value": "0-29",
"expanded": "Very Confusing",
"description": "Very difficult to read. Best understood by university graduates.",
"numerical_value": 29
}
]
}
]
}
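Review bot: The description states scores reach 121.22 and may be negative, but the buckets run only from `0-29` to `90-100`, so a score above 100 or below 0 falls in no entry; widen the extremes, e.g. `"value": "90-plus"` for the top rung and `"value": "below-30"` for the bottom, or state in the description that out-of-range scores are clamped. The `30-49` bucket is twice the width of its neighbours, which matches the commonly published Flesch table but deserves a `description` noting it is intentional. In the description, `flesh score` should be `Flesch score` and `negative score are valid` should be `negative scores are valid`.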

567
ics/machinetag.json Normal file

@ -0,0 +1,567 @@
{
"predicates": [
{
"value": "ot-security-issues",
"expanded": "OT IR Security Issues"
},
{
"expanded": "OT Network/Data Transmission Protocols in Automobile / Vehicle / Aviation",
"value": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation"
},
{
"expanded": "OT Network/Data Transmission Protocols in Automatic Meter Reading",
"value": "ot-network-data-transmission-protocols-automatic-meter-reading"
},
{
"expanded": "OT Network/Data Transmission Protocols in Industrial Control System",
"value": "ot-network-data-transmission-protocols-industrial-control-system"
},
{
"expanded": "OT Network/Data Transmission Protocols in Building Automation",
"value": "ot-network-data-transmission-protocols-building-automation"
},
{
"expanded": "OT Network/Data Transmission Protocols in Power System Automation",
"value": "ot-network-data-transmission-protocols-power-system-automation"
},
{
"expanded": "OT Network/Data Transmission Protocols in Process Automation",
"value": "ot-network-data-transmission-protocols-process-automation"
},
{
"expanded": "OT IR Communication Interface",
"value": "ot-communication-interface"
},
{
"expanded": "OT Operating Systems",
"value": "ot-operating-systems"
},
{
"expanded": "OT Components Category",
"value": "ot-components-category"
}
],
"values": [
{
"predicate": "ot-security-issues",
"entry": [
{
"value": "Message Authentication",
"expanded": "Message Authentication",
"description": "Auth in used protocols is attacked and falsification command can be sent"
},
{
"value": "Message Integrity Checking",
"expanded": "Message Integrity Checking",
"description": "Message poart of the sent protocol is maliciously tampered"
},
{
"value": "Message Encryption",
"expanded": "Message Encryption",
"description": "Self explanatory, i.e. Weak encryption is attacked"
},
{
"value": "Command Injection",
"expanded": "Command Injection",
"description": "Either Remote Command Injection or Local. On local can be timer triggered under tampered firmware"
},
{
"value": "Replay Attack",
"expanded": "Replay Attack",
"description": "Self explanatory"
},
{
"value": "Man in the middle (MITM) Attack",
"expanded": "Man in the middle (MITM) Attack",
"description": "Self explanatory"
},
{
"value": "Undocumented instructions",
"expanded": "Undocumented instructions",
"description": "Vendor's left several instruction used for development or trouble shooting that is finally leaked and used to performed malicious activities on the devices."
},
{
"value": "Vendor proprietary protocols",
"expanded": "Vendor proprietary protocols",
"description": "Internal vendor protocols used for development or trouble shooting, that is being maliciously for an attack."
}
]
},
{
"predicate": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation",
"entry": [
{
"value": "ARINC 429",
"expanded": "ARINC 429"
},
{
"value": "CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)",
"expanded": "CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)"
},
{
"value": "Factory Instrumentation Protocol",
"expanded": "Factory Instrumentation Protocol"
},
{
"value": "FlexRay",
"expanded": "FlexRay"
},
{
"value": "IEBus",
"expanded": "IEBus"
},
{
"value": "J1587",
"expanded": "J1587"
},
{
"value": "J1708",
"expanded": "J1708"
},
{
"value": "Keyword Protocol 2000",
"expanded": "Keyword Protocol 2000"
},
{
"value": "Unified Diagnostic Services",
"expanded": "Unified Diagnostic Services"
},
{
"value": "LIN",
"expanded": "LIN"
},
{
"value": "MOST",
"expanded": "MOST"
},
{
"value": "VAN",
"expanded": "VAN"
}
]
},
{
"predicate": "ot-network-data-transmission-protocols-automatic-meter-reading",
"entry": [
{
"value": "ANSI C12.18",
"expanded": "ANSI C12.18"
},
{
"value": "IEC 61107",
"expanded": "IEC 61107"
},
{
"value": "DLMS/IEC 62056",
"expanded": "DLMS/IEC 62056"
},
{
"value": "M-Bus",
"expanded": "M-Bus"
},
{
"value": "Modbus",
"expanded": "Modbus"
},
{
"value": "ZigBee",
"expanded": "ZigBee"
}
]
},
{
"predicate": "ot-network-data-transmission-protocols-industrial-control-system",
"entry": [
{
"value": "MTConnect",
"expanded": "MTConnect"
},
{
"value": "OPC",
"expanded": "OPC"
},
{
"value": "DA",
"expanded": "DA"
},
{
"value": "HDA",
"expanded": "HDA"
},
{
"value": "UA",
"expanded": "UA"
}
]
},
{
"predicate": "ot-network-data-transmission-protocols-building-automation",
"entry": [
{
"value": "1-Wire",
"expanded": "1-Wire"
},
{
"value": "BACnet",
"expanded": "BACnet"
},
{
"value": "C-Bus",
"expanded": "C-Bus"
},
{
"value": "CEBus",
"expanded": "CEBus"
},
{
"value": "DALI",
"expanded": "DALI"
},
{
"value": "DSI",
"expanded": "DSI"
},
{
"value": "DyNet",
"expanded": "DyNet"
},
{
"value": "Factory Instrumentation Protocol",
"expanded": "Factory Instrumentation Protocol"
},
{
"value": "KNX",
"expanded": "KNX"
},
{
"value": "LonTalk",
"expanded": "LonTalk"
},
{
"value": "Modbus",
"expanded": "Modbus"
},
{
"value": "oBIX",
"expanded": "oBIX"
},
{
"value": "VSCP",
"expanded": "VSCP"
},
{
"value": "X10",
"expanded": "X10"
},
{
"value": "xAP",
"expanded": "xAP"
},
{
"value": "xPL",
"expanded": "xPL"
},
{
"value": "ZigBee",
"expanded": "ZigBee"
}
]
},
{
"predicate": "ot-network-data-transmission-protocols-power-system-automation",
"entry": [
{
"value": "IEC 60870",
"expanded": "IEC 60870"
},
{
"value": "DNP3",
"expanded": "DNP3"
},
{
"value": "Factory Instrumentation Protocol",
"expanded": "Factory Instrumentation Protocol"
},
{
"value": "IEC 61850",
"expanded": "IEC 61850"
},
{
"value": "IEC 62351",
"expanded": "IEC 62351"
},
{
"value": "Modbus",
"expanded": "Modbus"
},
{
"value": "Profibus",
"expanded": "Profibus"
}
]
},
{
"predicate": "ot-network-data-transmission-protocols-process-automation",
"entry": [
{
"value": "AS-i",
"expanded": "AS-i"
},
{
"value": "BSAP",
"expanded": "BSAP"
},
{
"value": "CC-Link Industrial Networks",
"expanded": "CC-Link Industrial Networks"
},
{
"value": "CIP",
"expanded": "CIP"
},
{
"value": "CAN bus",
"expanded": "CAN bus"
},
{
"value": "ControlNet",
"expanded": "ControlNet"
},
{
"value": "DF-1",
"expanded": "DF-1"
},
{
"value": "DirectNET",
"expanded": "DirectNET"
},
{
"value": "EtherCAT",
"expanded": "EtherCAT"
},
{
"value": "Ethernet Global Data (EGD)",
"expanded": "Ethernet Global Data (EGD)"
},
{
"value": "Ethernet Powerlink",
"expanded": "Ethernet Powerlink"
},
{
"value": "EtherNet/IP",
"expanded": "EtherNet/IP"
},
{
"value": "Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)",
"expanded": "Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)"
},
{
"value": "Factory Instrumentation Protocol",
"expanded": "Factory Instrumentation Protocol"
},
{
"value": "FINS",
"expanded": "FINS"
},
{
"value": "FOUNDATION fieldbus (H1 HSE)",
"expanded": "FOUNDATION fieldbus (H1 HSE)"
},
{
"value": "GE SRTP",
"expanded": "GE SRTP"
},
{
"value": "HART Protocol",
"expanded": "HART Protocol"
},
{
"value": "Honeywell SDS",
"expanded": "Honeywell SDS"
},
{
"value": "HostLink",
"expanded": "HostLink"
},
{
"value": "INTERBUS",
"expanded": "INTERBUS"
},
{
"value": "IO-Link",
"expanded": "IO-Link"
},
{
"value": "MECHATROLINK",
"expanded": "MECHATROLINK"
},
{
"value": "MelsecNet",
"expanded": "MelsecNet"
},
{
"value": "Modbus",
"expanded": "Modbus"
},
{
"value": "Optomu",
"expanded": "Optomu"
},
{
"value": "PieP",
"expanded": "PieP"
},
{
"value": "Profibus",
"expanded": "Profibus"
},
{
"value": "PROFINET IO",
"expanded": "PROFINET IO"
},
{
"value": "RAPIEnet",
"expanded": "RAPIEnet"
},
{
"value": "SERCOS interface",
"expanded": "SERCOS interface"
},
{
"value": "SERCOS III",
"expanded": "SERCOS III"
},
{
"value": "Sinec H1",
"expanded": "Sinec H1"
},
{
"value": "SynqNet",
"expanded": "SynqNet"
},
{
"value": "TTEthernet",
"expanded": "TTEthernet"
},
{
"value": "TCP/IP",
"expanded": "TCP/IP"
}
]
},
{
"predicate": "ot-communication-interface",
"entry": [
{
"value": "rs-232",
"expanded": "RS-232 (comm port)",
"description": "Serial communication with an implementation comprises 2 data lines, 6 control lines and one ground."
},
{
"value": "rs-422, rs-423 or rs-485",
"expanded": "RS-422, RS-423 or RS-485",
"description": "RS-422 is compatible to RS-232, used in situations where long distances are required, it can drive up to 1200m at 100kbit/s, and up to 1Mbit/s over short distances. RS-422 uses a differential driver, uses a four-conductor cable, and up to ten receivers can be on a multi-dropped network or bus. RS-485 is like RS-422 but RS-422 allows just one driver with multiple receivers whereas RS-485 supports multiple drivers and receivers RS-485 also allows up to thirty two (32) multi-dropped receivers or transmitters on a multi-dropped network or bus. At 90 kbit/s, the maximum cable length is 1250 m, and at 10 Mbit/s it is 15 m. The devices are half-duplex (i.e. send or receive, but not both at the same time). For more nodes or long distances, you can use repeaters that regenerate the signals and begin a new RS-485 line. "
},
{
"value": "ieee-488-gpib",
"expanded": "IEEE-488 (GPIB)",
"description": "Known as Hewlett-Packard HP-IB but was renamed as GPIB (General Purpose Interface Bus) by the IEEE-488 (1975). IEEE-488 interface comprises 8 data lines, 8 control lines and 8 ground lines. Up to 15 devices can be interconnected on one bus. Each device is assigned a unique primary address, ranging from 4-30, by setting the address switches on the device. Devices are linked in either a daisy-chain or star (or some combination) configuration with up to 20 m of shielded 24-conductor cable. A maximum separation of 4 m is specified between any two devices, and an average of 2m over the entire bus. The data transfer rate can be up to 1 Mbyte/s. Three types of devices can be connected to an IEEE-488 bus (Listeners, Talkers, and Controllers)"
},
{
"value": "ieee-1394-firewire",
"expanded": "IEEE-1394 (FireWire)",
"description": "The IEEE-1394 defines a serial serial interface that can use the bus cable to power devices. Firewire transmits data in packets and incurs some overhead as a result. Firewire frames are 125 msec long which means that despite a 'headline' transfer speed of 400 Mbit/s Firewire can be substantially slower in responding to instruments' service requests. Firewire uses a peer-peer protocol, similar to IEEE-488. Using standard cable, the maximum length bus comprises 16 hops of 4.5m each. Each hop connects two devices, but each physical device can contain four logical nodes. A Firewire cable contains two twisted-pairs (signals and clock) and two untwisted conductors (power and ground)."
},
{
"value": "usb-universal-serial-bus",
"expanded": "USB (Universal Serial Bus)",
"description": "USB is the bus topology, and host-target protocol, mean that giving existing PC-based instruments a USB port not as trivial as it could be, but instruments with USB ports are coming onto the ICS market increasing numbers. USB 1.1 has many features as serial data transmission, device powering, data sent in 1 ms packets. USB offers 1.5- and 12-Mbit/s speeds. Individual devices can use the bus for a maximum of 50% of the time. In practice, the maximum rate is not more than 0.6 Mbyte/s. USB 2.0 specification was released in 2000. In addition to increasing the signaling rate from 12 MHz to 480 MHz, the specification describes a more advanced feature set and uses bandwidth more efficiently than 'Classic' USB. Version 2 of USB seems likely to prevent IEEE 1394 becoming widely adopted in instrument systems."
},
{
"value": "ethernet",
"expanded": "Ethernet",
"description": "Instruments with ethernet interfaces have the great advantage that they can be accessed and controlled from a desktop anywhere in the world. A web-enabled ICS device behaves can be operated with standard browser. Systems with comm based on these interface can make use of existing Ethernet networks and connecting an instrument directly into the internet makes sharing of data easy. Fast data transfer is possible. However, when connected to the public internet it is difficult to secure or maintain its security and a full evaluation of the risks involved for this interface usage is very essential."
},
{
"value": "others",
"expanded": "Others",
"description": "Other communication interface not listed."
}
]
},
{
"predicate": "ot-operating-systems",
"entry": [
{
"value": "rtos",
"expanded": "RTOS",
"description": "Please see the URL reference, there are a lot of it to be listed in here. These OS are also referred as Firmware. https://en.wikipedia.org/wiki/Comparison_of_real-time_operating_systems"
},
{
"value": "linux-embedded-base-os",
"expanded": "Linux Embedded Base OS",
"description": "Yocto\\nBuildroot\\nOpenWRT\\nB & R Linux\\n Scientific Linux\\nRaspbian\\nAndroid"
},
{
"value": "bsd",
"expanded": "BSD",
"description": "NetBSD (NetBSD Embedded Systems)\\nFreeBSD (Modified. i.e.: Orbis OS)"
},
{
"value": "microsoft",
"expanded": "Microsoft",
"description": "Windows 10 IoT Enterprise\\n Windows Embedded 8.1 Industry Professional\\n Windows 7 Professional/Ultimate\\n Windows Embedded Standard 7\\n Windows Embedded Standard 2009\\n Windows CE 6.0\\n"
}
]
},
{
"predicate": "ot-components-category",
"entry": [
{
"value": "programmable-logic-controller",
"expanded": "Programmable Logic Controller (PLC)",
"description": "1. Computing device with user-programmable memory to storing instructions to operate a physical process.\\n\\n 2.Various PLC types for different processses"
},
{
"value": "remote-terminal-unit",
"expanded": "Remote Terminal Unit (RTU)",
"description": "1. Data aquisitionand control unit designedto support field sites and remote stations.\\n\\n2. Wired and wireless communication capabilities.\\n\\n3. No stored program logic."
},
{
"value": "human-machine-interface",
"expanded": "Human-Machine Interface (HMI)",
"description": "1. Hardware/software that operators used to interact with control system.\\n\\n2. From physical control panels to a complete computer systems"
},
{
"value": "sensors",
"expanded": "Sensors",
"description": "Pressure, Temperature, Flow, Voltage, Optical, Proximity"
},
{
"value": "actuators",
"expanded": "Actuators",
"description": "Variable Frequency Drive, Servo Drive, Valve, Circuit Breaker"
},
{
"value": "communications",
"expanded": "Communications",
"description": "Modems, Routers, Serial - Ethernet Converters, Swtiches"
},
{
"value": "supervisory-level-devices",
"expanded": "Supervisory Level Devices",
"description": "1. Control Server (Supervisory systems that hosts control software to manage lower level control devices like PLC).\\n\\n2. Data Historian (Centralized database for information about process, control activity and status record).\\n\\n3. Engineering workstations (Creating and revising control systems anbd programs, incl. project files)."
}
]
}
],
"refs": [
"https://www.first.org/global/sigs/cti/",
"https://www.isa.org/isa99/",
"https://www.isa.org/intech/201810standards/"
],
"version": 1,
"description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project",
"expanded": "Industrial Control System (ICS)",
"namespace": "ics"
}
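Review bot: Several descriptions under `ot-operating-systems` and `ot-components-category` contain `\\n`; if the file really holds a doubled backslash as shown here, JSON decodes it to a literal backslash followed by `n`, so MISP will display `Yocto\nBuildroot\nOpenWRT` as one run of text rather than one item per line — the escape should be a single `\n`, or better, each OS should be its own entry so it can be tagged individually. The machine values are also inconsistent within the file: `ot-communication-interface`, `ot-operating-systems` and `ot-components-category` use lowercase hyphenated values (`rs-232`, `programmable-logic-controller`) while the security-issue and protocol predicates use free text with spaces, slashes and parentheses (`Man in the middle (MITM) Attack`, `DLMS/IEC 62056`), which yields tags such as `ics:ot-security-issues="Man in the middle (MITM) Attack"` that are awkward to type, search and match; normalise `value` (`man-in-the-middle`, `dlms-iec-62056`) and keep the readable form in `expanded`. Under the industrial-control-system predicate `DA`, `HDA` and `UA` appear as standalone values next to `OPC`, so on their own they do not identify anything; `opc-da`, `opc-hda` and `opc-ua` would. Typos to fix while here: `poart`, `aquisitionand`, `designedto`, `processses`, `Swtiches`, `anbd`.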


@ -33,7 +33,7 @@
"expanded": "Test"
}
],
"version": 3,
"version": 5,
"description": "A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information.",
"namespace": "infoleak",
"values": [
@ -52,6 +52,10 @@
"value": "iban",
"expanded": "IBAN"
},
{
"value": "ip",
"expanded": "IP address"
},
{
"value": "mail",
"expanded": "Mail"
@ -96,6 +100,14 @@
"value": "pgp-message",
"expanded": "PGP message"
},
{
"value": "pgp-public-key-block",
"expanded": "PGP public key block"
},
{
"value": "pgp-signature",
"expanded": "PGP signature"
},
{
"value": "pgp-private-key",
"expanded": "PGP private key"
@ -165,6 +177,10 @@
"value": "iban",
"expanded": "IBAN"
},
{
"value": "ip",
"expanded": "IP address"
},
{
"value": "mail",
"expanded": "Mail"
@ -209,6 +225,14 @@
"value": "pgp-message",
"expanded": "PGP message"
},
{
"value": "pgp-public-key-block",
"expanded": "PGP public key block"
},
{
"value": "pgp-signature",
"expanded": "PGP signature"
},
{
"value": "pgp-private-key",
"expanded": "PGP private key"


@ -1,5 +1,17 @@
#!/bin/bash
# Seeds sponge, from moreutils
#Validate all Jsons first
for dir in `find . -name "*.json"`
do
echo validating ${dir}
# python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
done
set -e
set -x
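Review bot: The validation loop can pass a file it never parsed: ``for dir in `find . -name "*.json"` `` and the unquoted `cat ${dir}` word-split on whitespace, and because `rc=$?` reads the status of `jq`, the last command in the pipeline, a failing `cat` is ignored while `jq .` on empty stdin exits 0, so a path with a space (or an unreadable file) silently "validates". Feed a NUL-delimited `find … -print0` to `read -d ''`, quote the path, and run `jq empty` directly on the file so jq's exit status is the one propagated; the variable is also named `dir` while holding a file path. Note that `jq` (like `json.load`) accepts duplicate object keys silently, so this pass catches syntax errors only, not a duplicated `"value"` key in a taxonomy. The remainder of the script after `set -x` is outside this view.

```shell
# Validate every JSON file first; stop on the first parse error.
# NUL-delimited find + read keeps paths containing whitespace intact.
while IFS= read -r -d '' json_file; do
  echo "validating ${json_file}"
  jq empty "${json_file}" || exit $?
done < <(find . -name '*.json' -print0)
# … unchanged: set -e / set -x …
```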


@ -1,7 +1,7 @@
{
"namespace": "maec-malware-capabilities",
"description": "Malware Capabilities based on MAEC 5.0",
"version": 1,
"version": 2,
"predicates": [
{
"value": "maec-malware-capability",
@ -66,7 +66,7 @@
},
{
"value": "integrity-violation",
"expanded": "integrity-violationk"
"expanded": "integrity-violation"
},
{
"value": "machine-access-control",
@ -130,7 +130,7 @@
},
{
"value": "communicate-with-c2-server",
"expanded": "communicate-with-c2-servern"
"expanded": "communicate-with-c2-server"
},
{
"value": "compromise-data-availability",


@ -1,6 +1,9 @@
{
"DDoS": {
"values": [
"rsit:availability=\"dos\"",
"rsit:availability=\"ddos\"",
"rsit:vulnerable=\"ddos-amplifier\"",
"ecsirt:availability=\"ddos\"",
"europol-incident:availability=\"dos-ddos\"",
"ms-caro-malware:malware-type=\"DDoS\"",
@ -26,6 +29,7 @@
},
"exploit": {
"values": [
"rsit:intrusion-attempts=\"exploit\"",
"veris:action:malware:variety=\"Exploit vuln\"",
"ecsirt:intrusion-attempts=\"exploit\"",
"europol-event:exploit",
@ -35,6 +39,8 @@
},
"malware": {
"values": [
"rsit:malicious-code=\"malware-distribution\"",
"rsit:malicious-code=\"malware-configuration\"",
"ecsirt:malicious-code=\"malware\"",
"circl:incident-classification=\"malware\""
]
@ -57,6 +63,7 @@
},
"spam": {
"values": [
"rsit:abusive-content=\"spam\"",
"circl:incident-classification=\"spam\"",
"ecsirt:abusive-content=\"spam\"",
"enisa:nefarious-activity-abuse=\"spam\"",
@ -68,6 +75,7 @@
},
"scan": {
"values": [
"rsit:information-gathering=\"scanner\"",
"circl:incident-classification=\"scan\"",
"ecsirt:information-gathering=\"scanner\"",
"europol-incident:information-gathering=\"scanning\""
@ -87,6 +95,7 @@
},
"phishing": {
"values": [
"rsit:fraud=\"phishing\"",
"circl:incident-classification=\"phishing\"",
"ecsirt:fraud=\"phishing\"",
"veris:action:social:variety=\"Phishing\"",
@ -96,6 +105,7 @@
},
"brute force": {
"values": [
"rsit:intrusion-attempts=\"brute-force\"",
"ecsirt:intrusion-attempts=\"brute-force\"",
"veris:action:malware:variety=\"Brute force\"",
"europol-event:brute-force-attempt",
@ -111,6 +121,7 @@
},
"c&c": {
"values": [
"rsit:malicious-code=\"c2-server\"",
"ecsirt:malicious-code=\"c&c\"",
"europol-incident:malware=\"c&c\"",
"europol-event:c&c-server-hosting",
@ -168,6 +179,24 @@
"ecsirt:malicious-code=\"worm\""
]
},
"content": {
"values": [
"rsit:abusive-content=\"harmful-speech\"",
"rsit:abusive-content=\"violence\"",
"rsit:fraud=\"copyright\"",
"rsit:fraud=\"masquerade\""
]
},
"other": {
"values": [
"rsit:other=\"other\""
]
},
"test": {
"values": [
"rsit:test=\"test\""
]
},
"tlp-white": {
"values": [
"tlp:white",


@ -66,7 +66,8 @@
},
{
"expanded": "Confidence cannot be evaluated",
"value": "confidence-cannot-be-evalued"
"value": "confidence-cannot-be-evalued",
"numerical_value": 50
}
]
},
@ -105,7 +106,7 @@
{
"expanded": "Generated automatically without human verification",
"value": "unsupervised",
"numerical_value": 100
"numerical_value": 0
},
{
"expanded": "Generated automatically but verified by a human",
@ -115,7 +116,7 @@
{
"expanded": "Output of human analysis",
"value": "manual",
"numerical_value": 0
"numerical_value": 100
}
]
},
@ -125,6 +126,31 @@
{
"expanded": "misp2stix",
"value": "misp2stix"
},
{
"expanded": "misp2yara",
"value": "misp2yara"
}
]
},
{
"predicate": "misp2yara",
"entry": [
{
"expanded": "generated",
"value": "generated"
},
{
"expanded": "as-is",
"value": "as-is"
},
{
"expanded": "valid",
"value": "valid"
},
{
"expanded": "invalid",
"value": "invalid"
}
]
}
@ -169,9 +195,13 @@
"description": "Tool associated with the information taggged",
"expanded": "Tool",
"value": "tool"
},
{
"expanded": "misp2yara export tool",
"value": "misp2yara"
}
],
"version": 7,
"version": 9,
"description": "MISP taxonomy to infer with MISP behavior or operation.",
"expanded": "MISP",
"namespace": "misp"

228
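--- /dev/null
+++ b/phishing/machinetag.json
@@ -0,0 +1,228 @@
+{
+  "namespace": "phishing",
+  "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.",
+  "version": 3,
+  "predicates": [
+    {
+      "value": "techniques",
+      "expanded": "Techniques",
+      "description": "Phishing techniques used."
+    },
+    {
+      "value": "distribution",
+      "expanded": "Distribution",
+      "description": "How the phishing is distributed."
+    },
+    {
+      "value": "report-type",
+      "expanded": "Report type",
+      "description": "How the phishing information was reported."
+    },
+    {
+      "value": "report-origin",
+      "expanded": "Report origin",
+      "description": "Origin or source of the phishing information such as tools or services."
+    },
+    {
+      "value": "action",
+      "expanded": "Action",
+      "description": "Action(s) taken related to the phishing tagged with this taxonomy."
+    },
+    {
+      "value": "state",
+      "expanded": "State",
+      "description": "State of the phishing."
+    },
+    {
+      "value": "psychological-acceptability",
+      "expanded": "Psychological acceptability",
+      "description": "Quality of the phishing by its level of acceptance by the target."
+    },
+    {
+      "value": "principle-of-persuasion",
+      "expanded": "Principle of Persuasion",
+      "description": "The principle of persuasion used during the attack to higher psychological acceptability."
+    }
+  ],
+  "values": [
+    {
+      "predicate": "techniques",
+      "entry": [
+        {
+          "value": "fake-website",
+          "expanded": "Social engineering fake website",
+          "description": "Adversary controls a fake website to phish for credentials or information."
+        },
+        {
+          "value": "email-spoofing",
+          "expanded": "Social engineering email spoofing",
+          "description": "Adversary sends email with domains related to target. Adversary controls the domains used."
+        },
+        {
+          "value": "clone-phishing",
+          "expanded": "Clone phishing",
+          "description": "Adversary clones an email to target potential victims with duplicated content."
+        },
+        {
+          "value": "voice-phishing",
+          "expanded": "Voice phishing",
+          "description": "Adversary uses voice-based techniques to trick a potential victim to give credentials or sensitive information. This is also known as vishing."
+        },
+        {
+          "value": "search-engines-abuse",
+          "expanded": "Social engineering search engines abuse",
+          "description": "Adversary controls the search engine result to get an advantage"
+        },
+        {
+          "value": "sms-phishing",
+          "expanded": "SMS phishing",
+          "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing technique at a later stage."
+        }
+      ]
+    },
+    {
+      "predicate": "distribution",
+      "entry": [
+        {
+          "value": "spear-phishing",
+          "expanded": "Spear phishing",
+          "description": "Adversary attempts targeted phishing to a user or a specific group of users based on knowledge known by the adversary."
+        },
+        {
+          "value": "bulk-phishing",
+          "expanded": "Bulk phishing",
+          "description": "Adversary attempts to target a large group of potential targets without specific knowledge of the victims."
+        }
+      ]
+    },
+    {
+      "predicate": "report-type",
+      "entry": [
+        {
+          "value": "manual-reporting",
+          "expanded": "Manual reporting",
+          "description": "Phishing reported by a human (e.g. tickets, manual reporting)."
+        },
+        {
+          "value": "automatic-reporting",
+          "expanded": "Automatic reporting",
+          "description": "Phishing collected by automatic reporting (e.g. phishing report tool, API)."
+        }
+      ]
+    },
+    {
+      "predicate": "report-origin",
+      "entry": [
+        {
+          "value": "url-abuse",
+          "expanded": "url-abuse",
+          "description": "CIRCL url-abuse service."
+        },
+        {
+          "value": "lookyloo",
+          "expanded": "lookyloo",
+          "description": "CIRCL lookyloo service."
+        },
+        {
+          "value": "phishtank",
+          "expanded": "Phishtank",
+          "description": "Phishtank service."
+        },
+        {
+          "value": "spambee",
+          "expanded": "Spambee",
+          "description": "C-3 Spambee service."
+        }
+      ]
+    },
+    {
+      "predicate": "action",
+      "entry": [
+        {
+          "value": "take-down",
+          "expanded": "Take down",
+          "description": "Take down notification sent to the operator where the phishing infrastructure is hosted."
+        },
+        {
+          "value": "pending-law-enforcement-request",
+          "expanded": "Pending law enforcement request",
+          "description": "Law enforcement requests are ongoing on the phishing infrastructure."
+        },
+        {
+          "value": "pending-dispute-resolution",
+          "expanded": "Pending dispute resolution",
+          "description": "Dispute resolution sent to competent authorities (e.g. domain authority, trademark dispute)."
+        }
+      ]
+    },
+    {
+      "predicate": "state",
+      "entry": [
+        {
+          "value": "unknown",
+          "expanded": "Phishing state is unknown or cannot be evaluated",
+          "numerical_value": 50
+        },
+        {
+          "value": "active",
+          "expanded": "Phishing state is active and actively used by the adversary",
+          "numerical_value": 100
+        },
+        {
+          "value": "down",
+          "expanded": "Phishing state is known to be down",
+          "numerical_value": 0
+        }
+      ]
+    },
+    {
+      "predicate": "psychological-acceptability",
+      "entry": [
+        {
+          "value": "unknown",
+          "expanded": "Phishing acceptance rate is unknown."
+        },
+        {
+          "value": "low",
+          "expanded": "Phishing acceptance rate is low.",
+          "numerical_value": 25
+        },
+        {
+          "value": "medium",
+          "expanded": "Phishing acceptance rate is medium.",
+          "numerical_value": 50
+        },
+        {
+          "value": "high",
+          "expanded": "Phishing acceptance rate is high.",
+          "numerical_value": 75
+        }
+      ]
+    },
+    {
+      "predicate": "principle-of-persuasion",
+      "entry": [
+        {
+          "value": "authority",
+          "expanded": "Society trains people not to question authority so they are conditioned to respond to it. People usually follow an expert or pretense of authority and do a great deal for someone they think is an authority."
+        },
+        {
+          "value": "social-proof",
+          "expanded": "People tend to mimic what the majority of people do or seem to be doing. People let their guard and suspicion down when everyone else appears to share the same behaviours and risks. In this way, they will not be held solely responsible for their actions."
+        },
+        {
+          "value": "liking-similarity-deception",
+          "expanded": "People prefer to abide to whom (they think) they know or like, or to whom they are similar to or familiar with, as well as attracted to."
+        },
+        {
+          "value": "commitment-reciprocation-consistency",
+          "expanded": "People feel more confident in their decision once they commit (publically) to a specific action and need to follow it through until the end. This is true whether in the workplace, or in a situation when their action is illegal. People have tendency to believe what others say and need, and they want to appear consistent in what they do, for instance, when they owe a favour. There is an automatic response of repaying a favour."
+        },
+        {
+          "value": "distraction",
+          "expanded": "People focus on one thing and ignore other things that may happen without them noticing; they focus attention on what they can gain, what they need, what they can lose or miss out on, or if that thing will soon be unavailable, has been censored, restricted or will be more expensive later. These distractions can heighten peoples emotional state and make them forget other logical facts to consider when making decisions."
+        }
+      ]
+    }
+  ]
+}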
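Review bot: The `email-spoofing` description (`Adversary sends email with domains related to target. Adversary controls the domains used.`) describes lookalike or typosquatted sender domains, not spoofing: in email spoofing the adversary forges the sender address of a domain it does *not* control, which is what SPF/DKIM/DMARC exist to catch, and the two cases are triaged differently. I would reword it to `"description": "Adversary forges the sender address (envelope or From header) of a domain the target trusts and the adversary does not control."` and, if lookalike domains are wanted, add a separate `lookalike-domain` technique for the case actually described. Under `principle-of-persuasion` the full explanatory paragraph is placed in `expanded`, whereas every other entry in this file keeps `expanded` as a short label and puts the explanation in `description`; since `expanded` is the display name of the tag, those five entries need a short label (`Authority`, `Social proof`, …) with the paragraph moved to `description`. The `unknown` entry of `psychological-acceptability` is also the only one in its predicate without a `numerical_value`, unlike `state`, where `unknown` is given 50.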

191
ransomware/machinetag.json Normal file

@ -0,0 +1,191 @@
{
"namespace": "ransomware",
"expanded": "ransomware types and elements",
"description": "Ransomware is used to define ransomware types and the elements that compose them.",
"version": 4,
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf",
"https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf",
"https://bartblaze.blogspot.com/p/the-purpose-of-ransomware.html"
],
"predicates": [
{
"value": "type",
"expanded": "Type",
"description": "Type is used to describe the type of a ransomware and how it works."
},
{
"value": "element",
"expanded": "Element",
"description": "Elements that composed or are linked to a ransomware and its execution."
},
{
"value": "complexity-level",
"expanded": "Complexity level",
"description": "Level of complexity of the ransomware."
},
{
"value": "purpose",
"expanded": "Purpose",
"description": "Purpose of the ransomware."
}
],
"values": [
{
"predicate": "type",
"entry": [
{
"value": "scareware",
"expanded": "Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software."
},
{
"value": "locker-ransomware",
"expanded": "Locker ransomware, also called screen locker, denies access to the browser, computer or device."
},
{
"value": "crypto-ransomware",
"expanded": "Crypto ransomware, also called data locker or cryptoware, prevents access to files or data. Crypto ransomware doesnt necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does."
}
]
},
{
"predicate": "element",
"entry": [
{
"value": "ransomnote",
"expanded": "A ransomnote is the message left by the attacker to threaten their victim and ask for a ransom. It is usually seen as a text or HTML file, or a picture set as background."
},
{
"value": "ransomware-appended-extension",
"expanded": "This is the extension added by the ransomware to the files."
},
{
"value": "ransomware-encrypted-extensions",
"expanded": "This is the list of extensions that will be encrypted by the ransomware. Beware to keep the order."
},
{
"value": "ransomware-excluded-extensions",
"expanded": "This is the list of extensions that will not be encrypted by the ransomware. Beware to keep the order."
},
{
"value": "dropper",
"expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks, often by containing the malware inside of itself."
},
{
"value": "downloader",
"expanded": "A downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of containing it."
}
]
},
{
"predicate": "complexity-level",
"entry": [
{
"value": "no-actual-encryption-scareware",
"expanded": "No actual encryption (scareware). Infection merely poses as a ransomware by displaying a ransom note or message while not actually encrypting user files."
},
{
"value": "display-ransomnote-before-encrypting",
"expanded": "Displaying the ransom note before the encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption."
},
{
"value": "decryption-essentials-extracted-from-binary",
"expanded": "Decryption essentials can be reverse engineered from ransomware code or the user's system. For example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware analysts to extract the key by reverse engineering the ransomware binary. "
},
{
"value": "derived-encryption-key-predicted ",
"expanded": "Another possibility of reverse engineering the key is demonstrated in the case of Linux.Encoder, a type of ransomware where a timestamp on the system was used to create keys for encryption resulting in easy decryption provided that the timestamp is still accessible."
},
{
"value": "same-key used-for-each-infection",
"expanded": "Ransomware uses the same key for every victim. If the same key is used to encrypt all victims during a campaign, then one victim can share the secret key with others."
},
{
"value": "encryption-circumvented",
"expanded": "Decryption possible without key - files can be decrypted without the need for a key due to poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known plaintext attacks and known ciphertext attacks due to key reuse and hence this is a poor implementation of an encryption algorithm."
},
{
"value": "file-restoration-possible-using-shadow-volume-copies",
"expanded": "Files can be restored using Shadow Volume Copies (“Previous Versions”) on the New Technology File System (NTFS), that were neglected to be deleted by the ransomware."
},
{
"value": "file-restoration-possible-using-backups",
"expanded": "Files can be restored using a System State backup, System Image backup or other means of backup mechanisms (such as third-party backup software) that will render the ransomware's extortion attempt unsuccessful."
},
{
"value": "key-recovered-from-file-system-or-memory",
"expanded": "Decryption key can be retrieved from the host machines file structure or memory by an average user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely delete keys from the host machine. The user can examine the right file or folder to discover the decryption key."
},
{
"value": "due-diligence-prevented-ransomware-from-acquiring-key",
"expanded": "User can prevent ransomware from acquiring the encryption key. Ransomware belongs in this category if its encryption procedure can be interrupted or blocked by due diligence on part of the user. For example, CryptoLocker discussed above cannot commence operation until it receives a key from the C&C server. A host or border firewall can block a list of known C&C servers hence rendering ransomware ineffective."
},
{
"value": "click-and-run-decryptor-exists",
"expanded": "Easy “Click-and-run” solutions such as a decryptor has been created by the security community such that a user can simply run the program to decrypt all files."
},
{
"value": "kill-switch-exists-outside-of-attacker-s-control",
"expanded": "There exists a kill switch outside of an attackers control that renders the cryptoviral infection ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a domain name. The ransomware reached out to this domain before commencing encryption and if the domain existed, the ransomware aborted execution. This kill switch was outside the attackers control as anyone could register it and neutralize the ransomware outbreak."
},
{
"value": "decryption-key-recovered-from-a-C&C-server-or-network-communications",
"expanded": "Key can be retrieved from a central location such as a C&C server on a compromised host or gleaned with some difficulty from communication between ransomware on the host and the C&C server. For instance, in the case of CryptoLocker, authorities were able to seize a network of compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around 500,000 victims."
},
{
"value": "custom-encryption-algorithm-used",
"expanded": "Ransomware uses custom encryption techniques and violates the fundamental rule of cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one cannot break themselves, however it will likely not withstand the scrutiny of professional cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a solution to decrypt files without paying the ransom. An example of this is an early variant of the GPCode ransomware that emerged in 2005 with weak custom encryption."
},
{
"value": "decryption-key-recovered-under-specialized-lab-setting",
"expanded": "Key can only be retrieved under rare, specialized laboratory settings. For example, in the case of WannaCry, a vulnerability in a cryptographic API on an unpatched Windows XP system allowed users to acquire from RAM the prime numbers used to compute private keys and hence retrieve the decryption key. However, the victim had to have been running a specific version of Windows XP and be fortunate enough that the related address space in memory has not been reallocated to another process. In another example, it is theoretically possible to reverse WannaCry encryption by exploiting a flaw in the pseudo-random-number-generator (PRNG) in an unpatched Windows XP system that reveals keys generated in the past. Naturally, these specialized conditions are not true for most victims."
},
{
"value": "small-subset-of-files-left-unencrypted",
"expanded": "A small subset of files left unencrypted by the ransomware for any number of reasons. Certain ransomware are known to only encrypt a file if its size exceeds a predetermined value. In addition, ransomware might decrypt a few files for free to prove decryption is possible. In such cases, a small number of victims may be lucky enough to only need these unencrypted files and can tolerate loss of the rest."
},
{
"value": "encryption-model-is-seemingly-flawless",
"expanded": "Encryption model is resistant to cryptographic attacks and has been implemented seemingly flawlessly such that there are no known vulnerabilities in its execution. Simply put, there is no proven way yet to decrypt the files without paying the ransom."
}
]
},
{
"predicate": "purpose",
"entry": [
{
"value": "deployed-as-ransomware-extortion",
"expanded": "This has been the traditional approach - ransomware is installed on the victim's machine, and its only purpose is to create income for the cybercriminal(s). In fact, ransomware is simple extortion, but via digital means."
},
{
"value": "deployed-to-showcase-skills-for-fun-or-for-testing-purposes",
"expanded": "Some cybercriminals like to show off, and as such create the side-business of ransomware, or, more particularly to showcase their coding skills.\nAnother example may be to send ransomware 'as a joke' or for fun to your friends, and giving them a bad time.\nSome cybercriminals may be testing the waters by deploying ransomware in an organisation, to stress-test the defenses, or to test their own programming skills, or the lack thereof."
},
{
"value": "deployed-as-smokescreen",
"expanded": "A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything else, in theory, everything is a possible scenario... except for the ransomware itself."
},
{
"value": "deployed-to-cause-frustration",
"expanded": "Another possible angle that goes hand in hand with the classic extortion scheme - deploying ransomware with intent of frustrating the victim. Basically, cyber bullying. While there may be a request for a monetary amount, it is not the purpose."
},
{
"value": "deployed-out-of-frustration",
"expanded": "Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company."
},
{
"value": "deployed-as-a-cover-up",
"expanded": "This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation. The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.\nAnother possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.\nAgain, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'."
},
{
"value": "deployed-as-a-penetration-test-or-user-awareness-training",
"expanded": "Ransomware is very effective in the sense that most people know what its purpose is, and the dangers it may cause. As such, it is an excellent tool that can be used for demonstration purposes, such as a user awareness training. Another possibility is an external pentest, with same purpose."
},
{
"value": "deployed-as-a-means-of-disruption-destruction",
"expanded": "Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.\nAgain, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale."
}
]
}
]
}

66
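--- a/retention/machinetag.json
+++ b/retention/machinetag.json
@@ -0,0 +1,66 @@
+{
+"namespace": "retention",
+"expanded": "retention",
+"description": "Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.",
+"version": 2,
+"refs": [
+"https://en.wikipedia.org/wiki/Retention_period"
+],
+"predicates": [
+{
+"value": "expired",
+"expanded": "Set when the retention period has expired",
+"numerical_value": 0
+},
+{
+"value": "1d",
+"expanded": "1 day",
+"numerical_value": 1
+},
+{
+"value": "2d",
+"expanded": "2 days",
+"numerical_value": 2
+},
+{
+"value": "7d",
+"expanded": "7 days",
+"numerical_value": 7
+},
+{
+"value": "2w",
+"expanded": "2 weeks",
+"numerical_value": 14
+},
+{
+"value": "1m",
+"expanded": "1 month",
+"numerical_value": 30
+},
+{
+"value": "2m",
+"expanded": "2 months",
+"numerical_value": 60
+},
+{
+"value": "3m",
+"expanded": "3 months",
+"numerical_value": 90
+},
+{
+"value": "6m",
+"expanded": "6 months",
+"numerical_value": 180
+},
+{
+"value": "1y",
+"expanded": "1 year",
+"numerical_value": 365
+},
+{
+"value": "10y",
+"expanded": "10 year",
+"numerical_value": 3650
+}
+]
+}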
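Review bot: The `description` misspells the very thing it explains (`retenion` should be `retention`), and the last predicate's `expanded` reads `10 year` where its siblings use the plural (`2 days`, `2 months`); `"expanded": "10 years"` matches them. The description also says that expiry is computed from the value string's unit (`d`/`w`/`m`/`y`) and that `numerical_value` is only for sorting, yet the `1m`/`2m`/`3m`/`6m` entries carry 30-day numbers that a calendar-month calculation will not reproduce; one sentence stating that `numerical_value` is an approximate day count for ordering only, never the expiry, would stop a consumer from reading it as the retention period.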


@ -4,17 +4,17 @@
"entry": [
{
"description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content.",
"expanded": "spam",
"expanded": "Spam",
"value": "spam"
},
{
"description": "Discreditation or discrimination of somebody e.g. cyber stalking, racism and threats against one or more individuals).",
"description": "Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.",
"expanded": "Harmful Speech",
"value": "harmful-speech"
},
{
"description": "Child Pornography, glorification of violence, ...",
"expanded": "Child/Sexual/Violence/...",
"description": "Child pornography, glorification of violence, etc.",
"expanded": "Child Porn/Sexual/Violent Content",
"value": "violence"
}
],
@ -23,34 +23,24 @@
{
"entry": [
{
"description": "Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.",
"expanded": "Virus",
"value": "virus"
"description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit.",
"expanded": "Infected System",
"value": "infected-system"
},
{
"description": "see 'virus'",
"expanded": "Worm",
"value": "worm"
"description": "Command-and-control server contacted by malware on infected systems.",
"expanded": "C2 Server",
"value": "c2-server"
},
{
"description": "see 'virus'",
"expanded": "Trojan",
"value": "trojan"
"description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.",
"expanded": "Malware Distribution",
"value": "malware-distribution"
},
{
"description": "see 'virus'",
"expanded": "Spyware",
"value": "spyware"
},
{
"description": "see 'virus'",
"expanded": "Dialer",
"value": "dialer"
},
{
"description": "see 'virus'",
"expanded": "Rootkit",
"value": "rootkit"
"description": "URI hosting a malware configuration file, e.g. webinjects for a banking trojan.",
"expanded": "Malware Configuration",
"value": "malware-configuration"
}
],
"predicate": "malicious-code"
@ -58,7 +48,7 @@
{
"entry": [
{
"description": "Attacks that send requests to a system to discover weak points. This includes also some kind of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.",
"description": "Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.",
"expanded": "Scanning",
"value": "scanner"
},
@ -78,8 +68,8 @@
{
"entry": [
{
"description": "An attempt to compromise a system or to disrupt any service by exploiting vunerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)",
"expanded": "Exploiting of known Vulnerabilities",
"description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)",
"expanded": "Exploitation of known Vulnerabilities",
"value": "ids-alert"
},
{
@ -88,7 +78,7 @@
"value": "brute-force"
},
{
"description": "An attempt using an unknown exploit.",
"description": "An attack using an unknown exploit.",
"expanded": "New attack signature",
"value": "exploit"
}
@ -98,24 +88,24 @@
{
"entry": [
{
"description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. Also includes being part of a botnet.",
"description": "Compromise of a system where the attacker gained administrative privileges.",
"expanded": "Privileged Account Compromise",
"value": "privileged-account-compromise"
},
{
"description": "see 'Privileged Account Compromise'",
"description": "Compromise of a system using an unprivileged (user/service) account.",
"expanded": "Unprivileged Account Compromise",
"value": "unprivileged-account-compromise"
},
{
"description": "see 'Privileged Account Compromise'",
"description": "Compromise of an application by exploiting (un)known software vulnerabilities, e.g. SQL injection.",
"expanded": "Application Compromise",
"value": "application-compromise"
},
{
"description": "see 'Privileged Account Compromise'",
"expanded": "Bot",
"value": "bot"
"description": "Physical intrusion, e.g. into corporate building or data center.",
"expanded": "Burglary",
"value": "burglary"
}
],
"predicate": "intrusions"
@ -123,23 +113,28 @@
{
"entry": [
{
"description": "Denial of Service.",
"expanded": "DoS",
"description": "Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.",
"expanded": "Denial of Service",
"value": "dos"
},
{
"description": "Distributed Denial of Service.",
"expanded": "DDoS",
"description": "Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.",
"expanded": "Distributed Denial of Service",
"value": "ddos"
},
{
"description": "Sabotage.",
"description": "Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.",
"expanded": "Misconfiguration",
"value": "misconfiguration"
},
{
"description": "Physical sabotage, e.g cutting wires or malicious arson.",
"expanded": "Sabotage",
"value": "sabotage"
},
{
"description": "Outage (no malice).",
"expanded": "Outage (no malice)",
"description": "Outage caused e.g. by air condition failure or natural disaster.",
"expanded": "Outage",
"value": "outage"
}
],
@ -148,14 +143,19 @@
{
"entry": [
{
"description": "Besides local abuse of data and systems, the security of information can be endangered by successful compromise of an account or application. In addition, attacks that intercept and access information during transmission (wiretapping, spoofing or hijacking) are possible. Human/configuration/software error can also be the cause.",
"description": "Unauthorized access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.",
"expanded": "Unauthorised access to information",
"value": "Unauthorised-information-access"
"value": "unauthorised-information-access"
},
{
"description": "see 'Unauthorised access to information'",
"description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.",
"expanded": "Unauthorised modification of information",
"value": "Unauthorised-information-modification"
"value": "unauthorised-information-modification"
},
{
"description": "Loss of data, e.g. caused by harddisk failure or physical theft.",
"expanded": "Data Loss",
"value": "data-loss"
}
],
"predicate": "information-content-security"
@ -163,7 +163,7 @@
{
"entry": [
{
"description": "Using resources for unauthorized purposes including profit-making ventures (E.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes).",
"description": "Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.",
"expanded": "Unauthorized use of resources",
"value": "unauthorized-use-of-resources"
},
@ -173,12 +173,12 @@
"value": "copyright"
},
{
"description": "Type of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it.",
"description": "Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.",
"expanded": "Masquerade",
"value": "masquerade"
},
{
"description": "Masquerading as another entity in order to persuade the user to reveal a private credential.",
"description": "Masquerading as another entity in order to persuade the user to reveal private credentials.",
"expanded": "Phishing",
"value": "phishing"
}
@ -188,9 +188,29 @@
{
"entry": [
{
"description": "Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc.",
"expanded": "Open for abuse",
"value": "vulnerable-service"
"description": "Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.",
"expanded": "Weak crypto",
"value": "weak-crypto"
},
{
"description": "Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.",
"expanded": "DDoS amplifier",
"value": "ddos-amplifier"
},
{
"description": "Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.",
"expanded": "Potentially unwanted accessible services",
"value": "potentially-unwanted-accessible"
},
{
"description": "Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.",
"expanded": "Information disclosure",
"value": "information-disclosure"
},
{
"description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.",
"expanded": "Vulnerable system",
"value": "vulnerable-system"
}
],
"predicate": "vulnerable"
@ -199,7 +219,7 @@
"entry": [
{
"description": "All incidents which don't fit in one of the given categories should be put into this class.",
"expanded": "other",
"expanded": "Other",
"value": "other"
}
],
@ -273,7 +293,7 @@
"value": "test"
}
],
"version": 1,
"version": 3,
"description": "Reference Security Incident Classification Taxonomy",
"namespace": "rsit"
}
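Review bot: The hunk rewriting the `malicious-code` entries drops the existing tag values `virus`, `worm`, `trojan`, `spyware`, `dialer` and `rootkit`, later hunks drop `bot` and `vulnerable-service`, and the `information-content-security` hunk changes `Unauthorised-information-access`/`Unauthorised-information-modification` to lower case; any event already tagged with those `rsit:` values presumably stops resolving against the taxonomy, and the version bump to 3 carries no old-to-new mapping. Adding the mapping to the namespace `description` (or keeping the removed values with a note that they are superseded) would let existing data be migrated deterministically. Separately, in the `vulnerable` hunk the new value `potentially-unwanted-accessible` drops the noun its siblings keep (`vulnerable-system`, `ddos-amplifier`, `information-disclosure`); `"value": "potentially-unwanted-accessible-services"` would match its own `expanded` text.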


@ -0,0 +1,67 @@
{
"predicates": [
{
"description": "Potentially Suspect Data Accepted",
"expanded": "accepted-suspect",
"value": "-3"
},
{
"description": "Accepted value from continuous analyzer replacing flask data",
"expanded": "accepted-continuous-analyzer",
"value": "-2"
},
{
"description": "Acepted Value retained although individual measurements deviated by more than selected tolerance",
"expanded": "accepted-deviated-tolerance",
"value": "-1"
},
{
"description": "Accepted Value",
"expanded": "accepted",
"value": "0"
},
{
"description": "Rejected during analysis",
"expanded": "rejected-during-analysis",
"value": "1"
},
{
"description": "Rejected unacceptably large flask-analyzer differences associated with night sampling (used only at MLO between Dec 1962 and Sep 1968)",
"expanded": "rejected-legacy-difference-night-mlo",
"value": "2"
},
{
"description": "Rejected flask measurement; used continuous data instead",
"expanded": "rejected-continuous-data",
"value": "3"
},
{
"description": "Rejected Replicates do not agree to selected tolerance or single flask",
"expanded": "rejected-tolerance-single-flask",
"value": "4"
},
{
"description": "Rejected Daily average deviates from fit by more than 3 standard deviations",
"expanded": "rejected-derivation",
"value": "5"
},
{
"description": "Rejected to improve local distribution of data such as too many data of generally poor quality (used only at two stations: KUM Aug 1979 - Jun 1980 and LJO Apr 1979 - Sep 1985)",
"expanded": "rejected-legacy-poor-quality-kum-ljo",
"value": "6"
},
{
"description": "Rejected Unsteady air at site (La Jolla only)",
"expanded": "rejected-unsteady-ljo",
"value": "7"
},
{
"description": "Rejected manually (see input/flag_flasks.csv)",
"expanded": "rejected-manual",
"value": "8"
}
],
"version": 1,
"description": "Flags describing the sample",
"namespace": "scrippsco2-fgc"
}
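Review bot: In the entry for value `"5"` the slug `rejected-derivation` does not match its description (`Daily average deviates from fit`); `"expanded": "rejected-deviation"` would. `Acepted` in the `"-1"` entry's description is a typo. More broadly, this file and the `scrippsco2-fgi` file that follows put the human-readable text in `description` and a slug in `expanded`, the reverse of how the other taxonomies in this commit use the two keys (`retention` has `"expanded": "1 day"`), so wherever the interface shows `expanded` these flags will appear as slugs. The `(see input/flag_flasks.csv)` reference in the `"8"` entry points at a file of the upstream Scripps dataset rather than this repository, which the description should say.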


@ -0,0 +1,42 @@
{
"predicates": [
{
"description": "Suspect but accepted isotopic measurement",
"expanded": "accepted-suspect",
"value": "-3"
},
{
"description": "Accepted isotopic measurement",
"expanded": "accepted",
"value": "0"
},
{
"description": "Rejected",
"expanded": "rejected",
"value": "3"
},
{
"description": "Outlier from fit",
"expanded": "outlier",
"value": "5"
},
{
"description": "Other rejected, older data",
"expanded": "rejected-old-data",
"value": "6"
},
{
"description": "Flask extracted but not analyzed yet",
"expanded": "extracted-not-analyzed",
"value": "8"
},
{
"description": "Flask not extracted",
"expanded": "not-extracted",
"value": "9"
}
],
"version": 1,
"description": "Flags describing the sample for isotopic data (C14, O18)",
"namespace": "scrippsco2-fgi"
}


@ -0,0 +1,59 @@
{
"predicates": [
{
"expanded": "Alert, NWT, Canada",
"value": "ALT"
},
{
"expanded": "Point Barrow, Alaska",
"value": "PTB"
},
{
"expanded": "Station P",
"value": "STP"
},
{
"expanded": "La Jolla Pier, California",
"value": "LJO"
},
{
"expanded": "Baja California Sur, Mexico",
"value": "BCS"
},
{
"expanded": "Mauna Loa Observatory, Hawaii",
"value": "MLO"
},
{
"expanded": "Cape Kumukahi, Hawaii ",
"value": "KUM"
},
{
"expanded": "Christmas Island, Fanning Island",
"value": "CHR"
},
{
"expanded": "American Samoa",
"value": "SAM"
},
{
"expanded": "Kermadec Islands, Raoul Island",
"value": "KER"
},
{
"expanded": "Baring Head, New Zealand",
"value": "NZD"
},
{
"expanded": "Palmer Station, Antarctica",
"value": "PSA"
},
{
"expanded": "South Pole",
"value": "SPO"
}
],
"version": 1,
"description": "Sampling stations of the Scripps CO2 Program",
"namespace": "scrippsco2-sampling-stations"
}
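Review bot: The `expanded` text for `KUM` carries a trailing space (`"Cape Kumukahi, Hawaii "`), which survives into any label derived from it; trim it to `"Cape Kumukahi, Hawaii"`. Unlike the two sibling `scrippsco2-*` files in this commit, these predicates have no `description` key, and the values are upper-case station codes while every other taxonomy here uses lower-case slugs — either convention works, but it should be the same across the three scrippsco2 files.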


@ -5,32 +5,32 @@
{
"expanded": "Not targeted, e.g. spam or financially motivated malware.",
"value": "not-targeted",
"numerical_value": 0
"numerical_value": 1
},
{
"expanded": "Targeted but not customized. Sent with a message that is obviously false with little to no validation required.",
"value": "targeted-but-not-customized",
"numerical_value": 1
"numerical_value": 25
},
{
"expanded": "Targeted and poorly customized. Content is generally relevant to the target. May look questionable.",
"value": "targeted-and-poorly-customized",
"numerical_value": 2
"numerical_value": 50
},
{
"expanded": "Targeted and customized. May use a real person/organization or content to convince the target the message is legitimate. Content is specifically relevant to the target and looks legitimate.",
"value": "targeted-and-customized",
"numerical_value": 3
"numerical_value": 65
},
{
"expanded": "Targeted and well-customized. Uses a real person/organization and content to convince the target the message is legitimate. Probably directly addressing the recipient. Content is specifically relevant to the target, looks legitimate, and can be externally referenced (e.g. by a website). May be sent from a hacked account.",
"value": "targeted-and-well-customized",
"numerical_value": 4
"numerical_value": 85
},
{
"expanded": "Targeted and highly customized using sensitive data. Individually targeted and customized, likely using inside/sensitive information that is directly relevant to the target.",
"value": "targeted-and-highly-customized-using-sensitive-data",
"numerical_value": 5
"numerical_value": 100
}
],
"predicate": "targeting-sophistication-base-value"
@ -45,22 +45,22 @@
{
"expanded": "The sample contains a simple method of protection, such as one of the following: code protection using publicly available tools where the reverse method is available, such as UPX packing; simple anti-reversing techniques such as not using import tables, or a call to IsDebuggerPresent(); self-disabling in the presence of AV software.",
"value": "the-sample-contains-a-simple-method-of-protection",
"numerical_value": 1.25
"numerical_value": 25
},
{
"expanded": "The sample contains multiple minor code protection techniques (anti-reversing tricks, packing, VM / reversing tools detection) that require some low-level knowledge. This level includes malware where code that contains the core functionality of the program is decrypted only in memory.",
"value": "the-sample-contains-multiple-minor-code-protection-techniques",
"numerical_value": 1.5
"numerical_value": 50
},
{
"expanded": "The sample contains minor code protection techniques along with at least one advanced protection method such as rootkit functionality or a custom virtualized packer.",
"value": "the-sample-contains-minor-code-protection-techniques-plus-one-advanced",
"numerical_value": 1.75
"numerical_value": 75
},
{
"expanded": "The sample contains multiple advanced protection techniques, e.g. rootkit capability, virtualized packer, multiple anti-reversing techniques, and is clearly designed by a professional software engineering team.",
"value": "the-sample-contains-multiple-advanced-protection-techniques",
"numerical_value": 2
"numerical_value": 100
}
],
"predicate": "technical-sophistication-multiplier"
@ -78,9 +78,10 @@
"value": "technical-sophistication-multiplier"
}
],
"version": 1,
"version": 2,
"refs": [
"https://citizenlab.org/2013/10/targeted-threat-index/"
"https://citizenlab.org/2013/10/targeted-threat-index/",
"https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf"
],
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman.",
"namespace": "targeted-threat-index"
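Review bot: The rescaled `numerical_value` fields change what the numbers mean without the `description` saying so: the removed values carried the cited index's own scale (a 0–5 base and, as the predicate name says, a 1.25–2 multiplier that presumably multiplies it), while the new values put both predicates on a 1–100 / 25–100 scale on which a product is meaningless and `not-targeted` is no longer zero. If the intent is a normalised rating for sorting rather than the paper's score, state it, e.g. append to `description`: `numerical_value is a normalised 0-100 rating used for ordering; it is not the TTI base value or multiplier and must not be multiplied to obtain a TTI score.` The context line in the same hunk reads `victims computer`; `victim's computer` is meant.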


@ -0,0 +1,129 @@
{
"namespace": "threats-to-dns",
"expanded": "Threats to DNS",
"description": "An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 11. doi:10.1109/comst.2018.2849614",
"version": 1,
"predicates": [
{
"value": "dns-protocol-attacks",
"description": "DNS protocol attacks",
"expanded": "DNS protocol attacks"
},
{
"value": "dns-server-attacks",
"description": "DNS server attacks",
"expanded": "DNS server attacks"
},
{
"value": "dns-abuse-or-misuse",
"description": "DNS abuse/misuse"
}
],
"values": [
{
"predicate": "dns-protocol-attacks",
"entry": [
{
"value": "man-in-the-middle-attack",
"expanded": "Man-in-the-middle attack",
"description": "Man-in-the-middle attack"
},
{
"value": "dns-spoofing",
"expanded": "DNS spoofing",
"description": "DNS spoofing"
},
{
"value": "dns-rebinding",
"expanded": "DNS rebinding",
"description": "DNS rebinding"
}
]
},
{
"predicate": "dns-server-attacks",
"entry": [
{
"value": "server-dos-and-ddos",
"expanded": "Server DoS & DDoS",
"description": "Server DoS & DDoS"
},
{
"value": "server-hijacking",
"expanded": "Server hijacking",
"description": "Server hijacking"
},
{
"value": "cache-poisoning",
"expanded": "Cache poisoning",
"description": "Cache poisoning"
}
]
},
{
"predicate": "dns-abuse-or-misuse",
"entry": [
{
"value": "domain-name-registration-abuse-cybersquatting",
"expanded": "Domain name registration abuse such as cybersquatting",
"description": "Domain name registration abuse such as cybersquatting"
},
{
"value": "domain-name-registration-abuse-typosquatting",
"expanded": "Domain name registration abuse such as typosquatting",
"description": "Domain name registration abuse such as typosquatting"
},
{
"value": "domain-name-registration-abuse-domain-reputation-and-re-registration",
"expanded": "Domain name registration abuse as domain reputation and re-registration",
"description": "Domain name registration abuse as domain reputation and re-gistration"
},
{
"value": "dns-reflection-dns-amplification",
"expanded": "DNS reflection - DNS amplification",
"description": "DNS reflection - DNS amplification"
},
{
"value": "malicious-or-compromised-domains-ips-malicious-botnets-c2",
"expanded": "Malicious or compromised domains/IPs - Malicious botnets (C&C servers)",
"description": "Malicious or compromised domains/IPs - Malicious botnets (C&C servers)"
},
{
"value": "malicious-or-compromised-domains-ips-fast-flux-domains",
"expanded": "Malicious or compromised domains/IPs - Malicious fast-flux domain & networks",
"description": "Malicious or compromised domains/IPs - Malicious fast-flux domain & networks"
},
{
"value": "malicious-or-compromised-domains-ips-malicious-dgas",
"expanded": "Malicious or compromised domains/IPs - Malicious DGAs",
"description": "Malicious or compromised domains/IPs - Malicious DGAs"
},
{
"value": "covert-channels-malicious-dns-tunneling",
"expanded": "Covert channels - Malicious DNS tunneling",
"description": "Covert channels - Malicious DNS tunneling"
},
{
"value": "covert-channels-malicious-payload-distribution",
"expanded": "Covert channels - Malicious DNS tunneling",
"description": "Covert channels - Malicious DNS tunneling"
},
{
"value": "benign-services-applications-malicious-dns-resolvers",
"expanded": "Benign services and applications - Malicious DNS resolvers",
"description": "Benign services and applications - Malicious DNS resolvers"
},
{
"value": "benign-services-applications-malicious-scanners",
"expanded": "Benign services and applications - Malicious scanners",
"description": "Benign services and applications - Malicious scanners"
},
{
"value": "benign-services-applications-url-shorteners",
"expanded": "Benign services and applications - URL shorteners",
"description": "Benign services and applications - URL shorteners"
}
]
}
]
}
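Review bot: The `covert-channels-malicious-payload-distribution` entry copies its `expanded` and `description` from the tunneling entry directly above it (`Covert channels - Malicious DNS tunneling`), so two distinct values display identically; both fields should read `Covert channels - Malicious payload distribution`. In the `domain-reputation-and-re-registration` entry the description says `re-gistration`, and both of its fields drop the `such as` wording their two siblings use. The `dns-abuse-or-misuse` predicate is the only one of the three without an `expanded` key. Every entry's `description` merely repeats its `expanded`; a one-line definition per entry, in the survey's terms, would let the taxonomy be applied without having the paper open.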


@ -4,23 +4,28 @@
"entry": [
{
"expanded": "Presque aucune chance - Quasi impossible Presque impossible Minces chances Très douteux Très peu probable Très improbable Improbable Peu de chances - 7 % (marge derreur denviron 5 %)",
"value": "presque-aucune-chance"
"value": "presque-aucune-chance",
"numerical_value": 7
},
{
"expanded": "Probablement pas - Invraisemblable Peu probable - 30 % (marge derreur denviron 10 %)",
"value": "probablement-pas"
"value": "probablement-pas",
"numerical_value": 30
},
{
"expanded": "Chances à peu près égales - une chance sur deux - 50% (marge derreur denviron 10 %)",
"value": "chances-à-peu-près-egales"
"value": "chances-à-peu-près-egales",
"numerical_value": 50
},
{
"expanded": "Probable - Vraisemblable Probable - 75 % (marge derreur denviron 12 %)",
"value": "probable"
"value": "probable",
"numerical_value": 75
},
{
"expanded": "Quasi certaine - Certain Presque certain Très probable - 93% (marge derreur denviron 6 %)",
"value": "quasi-certaine"
"value": "quasi-certaine",
"numerical_value": 93
}
],
"predicate": "degré-de-probabilité"
@ -33,7 +38,7 @@
"value": "degré-de-probabilité"
}
],
"version": 1,
"version": 2,
"description": "Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité",
"expanded": "Vocabulaire des probabilités estimatives",
"namespace": "vocabulaire-des-probabilites-estimatives",
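Review bot: The new-side value lines keep a tag name with mixed accent handling: `"value": "chances-à-peu-près-egales"` retains `à` and `è` but drops the accent in `égales`, and the predicate `degré-de-probabilité` is non-ASCII as well. If these strings are used the way MISP taxonomy values usually are (the machine-readable part of the tag, not the display text), non-ASCII and inconsistent normalisation make them fragile for URL-encoding, accent-insensitive matching and hand-typed searches. Because the values are already deployed, renaming them now would orphan tags attached to existing events, so the practical fix is to state one transliteration rule in the file and apply it to every new entry rather than rename here. The added `numerical_value` fields themselves match the percentages already spelled out in the corresponding `expanded` strings, but keep in mind that the two now have to be kept in sync by hand.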


@ -1,8 +1,8 @@
{
"namespace": "workflow",
"expanded": "workflow to support analysis",
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information. ",
"version": 8,
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
"version": 9,
"predicates": [
{
"value": "todo",
@ -55,10 +55,18 @@
"value": "create-missing-misp-galaxy-cluster",
"expanded": "Create missing MISP galaxy cluster about the information tagged"
},
{
"value": "create-missing-misp-galaxy-cluster-relationship",
"expanded": "create missing MISP galaxy cluster relationships (e.g. relationships between MISP clusters)"
},
{
"value": "create-missing-misp-galaxy",
"expanded": "Create missing MISP galaxy at large about the information tagged (e.g. a new category of malware or activity)"
},
{
"value": "create-missing-relationship",
"expanded": "Create missing relationship about the information tagged (e.g. create new relationship between MISP objects)"
},
{
"value": "add-context",
"expanded": "Add contextual information about the information tagged"
@ -90,6 +98,14 @@
{
"value": "additional-task",
"expanded": "Used to point an additional task that can not be describe by the rest of the taxonomy and need to be done"
},
{
"value": "create-event",
"expanded": "A new MISP event need to be created from the tag reference"
},
{
"value": "preserve-evidence",
"expanded": "Preseve evidence mentioned in the information tagged"
}
]
},
@ -107,6 +123,10 @@
{
"value": "draft",
"expanded": "Draft means the information tagged can be released as a preliminary version or outline"
},
{
"value": "ongoing",
"expanded": "Analyst is currently working on this analysis. To remove when there is no more work to be done by the analyst."
}
]
}
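Review bot: The new `preserve-evidence` entry has a typo in its display text: `"expanded": "Preseve evidence mentioned in the information tagged"` should read `"expanded": "Preserve evidence mentioned in the information tagged"`, and since `expanded` is what analysts see on every tag the typo will be visible everywhere it is used. Two other new entries need a wording fix: the `create-event` text should be `"expanded": "A new MISP event needs to be created from the tag reference"`, and the `create-missing-misp-galaxy-cluster-relationship` text should start with a capital like its siblings, `"expanded": "Create missing MISP galaxy cluster relationships (e.g. relationships between MISP clusters)"`. For an incident-handling workflow, `preserve-evidence` would also benefit from saying what preservation implies (keep original artefacts unmodified, record hashes and who handled them) so that analysts apply it consistently; the current one-liner leaves that open. The enclosing `values` array and the root object close outside the visible hunk.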