From 932356b41b1788da0f7db54d63f6f4d933096cd0 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 28 Jan 2019 16:10:11 +0100
Subject: [PATCH 001/113] fix jq_all_the_things script
---
jq_all_the_things.sh | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh
index f558cb3..9a43255 100755
--- a/jq_all_the_things.sh
+++ b/jq_all_the_things.sh
@@ -1,5 +1,17 @@
 #!/bin/bash
+# Seeds sponge, from moreutils
+
+#Validate all Jsons first
+for dir in `find . -name "*.json"`
+do
+ echo validating ${dir}
+ # python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
+ cat ${dir} | jq . >/dev/null
+ rc=$?
+ if [[ $rc != 0 ]]; then exit $rc; fi
+done
+
 set -e
 set -x
From 99843c03e690458b74827f701e260fc33c76e1a5 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 31 Jan 2019 16:35:55 +0100
Subject: [PATCH 002/113] add cryptocurrency threat taxonomy, based on CipherTrace report
---
README.md | 1 +
cryptocurrency-threat/machinetag.json | 50 +++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 cryptocurrency-threat/machinetag.json
diff --git a/README.md b/README.md
index ad70d01..2ac1bba 100644
--- a/README.md
+++ b/README.md
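Review bot: The validation loop iterates over the unquoted output of `find` in backticks and passes `${dir}` unquoted to `cat`, so a `.json` path containing whitespace is word-split, `cat` fails, and `jq .` then reads empty input and returns 0; because `rc=$?` only captures jq's status (no `pipefail`), such a file is silently reported as valid instead of being checked. A minimal fix is to let jq open the file itself and fail the loop on its status, `jq . "${dir}" >/dev/null || exit $?`, replacing the three `cat`/`rc`/`if` lines; for full whitespace safety the loop header can become `find . -name '*.json' -print0 | while IFS= read -r -d '' dir; do` with the failure check placed after `done`, since `exit` inside a piped `while` only leaves the subshell. The comment `# Seeds sponge, from moreutils` presumably means `# Needs sponge, from moreutils`.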
@@ -23,6 +23,7 @@ The following taxonomies are described:
 - CIRCL [Taxonomy - Schemes of Classification in Incident Response and Detection](./circl)
 - [The CSSA agreed sharing taxonomy](./cssa)
 - [Collaborative intelligence](./collaborative-intelligence) - Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP. The objective of this language is to advance collaborative analysis and to share earlier than later.
+- [Cryptocurrency Threat](./cryptocurrency-threat) - Threats targetting cryptocurrency, based on CipherTrace report.
 - [Cyber Kill Chain](./kill-chain) from Lockheed Martin
 - [The Cyber Threat Framework](./cyber-threat-framework) was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.
 - DE German (DE) [Government classification markings (VS)](./de-vs)
diff --git a/cryptocurrency-threat/machinetag.json b/cryptocurrency-threat/machinetag.json
new file mode 100644
index 0000000..10ade27
--- /dev/null
+++ b/cryptocurrency-threat/machinetag.json
@@ -0,0 +1,50 @@
+{
+ "namespace": "cryptocurrency-threat",
+ "description": "Threats targetting cryptocurrency, based on CipherTrace report.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "SIM Swapping",
+ "expanded": "An identity theft technique that takes over a victim's mobile device to steal credentials and break into wallets or exchange accounts to steal cryptocurrency."
+ },
+ {
+ "value": "Crypto Dusting",
+ "expanded": "A new form of blockchain spam that erodes the recipient's reputation by sending cryptocurrency from known money mixers."
+ },
+ {
+ "value": "Sanction Evasion",
+ "expanded": "Nation states using cryptocurrencies has been promoted by the Iranian and Venezuelan governments."
+ },
+ {
+ "value": "Next-Generation Crypto Mixers",
+ "expanded": "Money laundering services that promise to exchange tainted tokens for freshly mined crypto, but in reality, cleanse cryptocurrency through exchanges."
+ },
+ {
+ "value": "Shadow Money Service Businesses",
+ "expanded": "Unlicensed Money Service Businesses (MSBs) banking cryptocurrency without the knowledge of host financial institutions, and thus exposing banks to unknown risk."
+ },
+ {
+ "value": "Datacenter-Scale Crypto Jacking: ",
+ "expanded": "Takeover attacks that mine for cryptocurrency at a massive scale have been discovered in datacenters, including AWS."
+ },
+ {
+ "value": "Lightning Network Transactions",
+ "expanded": "Enable anonymous bitcoin transactions by going \"off-chain,\" and cannow scale to $2,150,000."
+ },
+ {
+ "value": "Decentralized Stable Coins",
+ "expanded": "Stabilized tokens that can be designed for use as private coins."
+ },
+ {
+ "value": "Email Extortion and Bomb Threats",
+ "expanded": "Cyber-extortionists stepped up mass-customized phishing emails campaigns using old passwords and spouse names in 2018. Bomb threat extortion scams demanding bitcoin spiked in December."
+ },
+ {
+ "value": "Crypto Robbing Ransomware",
+ "expanded": "Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals private keys while holding user data hostage."
+ }
+ ],
+ "refs": [
+ "https://ciphertrace.com/wp-content/uploads/2019/01/crypto_aml_report_2018q4.pdf"
+ ],
+}
From 1b781ec4859a0d336a9c9658b6c42898d9aac799 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 1 Feb 2019 18:41:04 +0100
Subject: [PATCH 003/113] chg: [cryptocurrency-threat] fixing small typo
---
cryptocurrency-threat/machinetag.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cryptocurrency-threat/machinetag.json b/cryptocurrency-threat/machinetag.json
index 10ade27..8bba8fa 100644
--- a/cryptocurrency-threat/machinetag.json
+++ b/cryptocurrency-threat/machinetag.json
@@ -46,5 +46,5 @@
 ],
 "refs": [
 "https://ciphertrace.com/wp-content/uploads/2019/01/crypto_aml_report_2018q4.pdf"
- ],
+ ]
 }
From 4c995a260c73373daeddd7304e248e8fea900e75 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 1 Feb 2019 18:44:15 +0100
Subject: [PATCH 004/113] chg: [MANIFEST] fixed
---
MANIFEST.json | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 8bc5b49..47c050e 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -424,11 +424,16 @@
 "version": 1,
 "name": "information-security-data-source",
 "description": "Taxonomy to classify the information security data sources"
+ },
+ {
+ "version": 1,
+ "name": "cryptocurrency-threat",
+ "description": "Threats targetting cryptocurrency, based on CipherTrace report."
 }
 ],
 "path": "machinetag.json",
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190106"
+ "version": "20190201"
 }
From cf1e2fe02b960c68e1b5a8b384fdb48ef1f3b11b Mon Sep 17 00:00:00 2001
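Review bot: The predicate `"Datacenter-Scale Crypto Jacking: "` carries a trailing colon and space inside the value, which becomes part of the machine tag and matches no other value in the list; it should read `"value": "Datacenter-Scale Crypto Jacking",`. More generally these predicate values are capitalised phrases with spaces, while the other taxonomies on this page use kebab-case values with the human label in `expanded` (`"value": "cyber-sopex"`, `"value": "event-type"`), and the paragraphs placed in `expanded` here would conventionally sit in `description` as the exercise and flesch-reading-ease files do; dcso-sharing/machinetag.json in PATCH 010 shows the same `expanded`-as-paragraph layout. The trailing comma after the `refs` array (`+ ],` before the closing brace) makes the file invalid for strict JSON parsers, which is what PATCH 003 later removes, and `targetting` and `cannow` in the strings are typos for `targeting` and `can now`.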
From: Alexandre Dulaunoy
Date: Mon, 25 Feb 2019 16:39:34 +0100
Subject: [PATCH 005/113] chg: [exercise] Cyber SOPEx added
---
exercise/machinetag.json | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/exercise/machinetag.json b/exercise/machinetag.json
index be5ec65..0c73a0a 100644
--- a/exercise/machinetag.json
+++ b/exercise/machinetag.json
@@ -29,6 +29,11 @@
 "description": "NATO-EU Parallel and Coordinated Exercise. PACE focuses on four key areas, namely situational awareness, effectiveness of our instruments to counter cyber threats at EU level, speed of reaction and appropriate reactivity of our crisis response mechanisms, as well as our capacity to communicate fast and in a coordinated way.",
 "expanded": "PACE",
 "value": "pace"
+ },
+ {
+ "description": "Cyber SOPEx (formerly known as EuroSOPEx) is the first step in a series of ENISA exercises focusing on training the participants on situational awareness, information sharing, understanding roles and responsibilities and utilising related tools, as agreed by the CSIRTs Network",
+ "expanded": "Cyber SOPEx",
+ "value": "cyber-sopex"
 }
 ],
 "values": [
@@ -110,9 +115,22 @@
 "expanded": "2018"
 }
 ]
+ },
+ {
+ "predicate": "cyber-sopex",
+ "entry": [
+ {
+ "value": "2019",
+ "expanded": "2019"
+ },
+ {
+ "value": "2018",
+ "expanded": "2018"
+ }
+ ]
 }
 ],
- "version": 3,
+ "version": 4,
 "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
 "expanded": "Exercise",
 "namespace": "exercise"
From 8b57a1bf144e6cfb9a65d7c15cba3ff1eccbc103 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 25 Feb 2019 16:40:30 +0100
Subject: [PATCH 006/113] chg: [MANIFEST] updated for the exercise taxonomy
---
MANIFEST.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 47c050e..2d36db1 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
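Review bot: The new `cyber-sopex` predicate description ends without a full stop, unlike the neighbouring `pace` entry in the same hunk, so the predicate list reads inconsistently; end it with `… as agreed by the CSIRTs Network.",`. A related observation on the MANIFEST.json hunk of PATCH 006 that follows: it bumps the `exercise` entry from 2 to 4 while this file goes from 3 to 4, so version 3 was never reflected in the manifest. Regenerating MANIFEST.json from the taxonomy files instead of editing it by hand would stop the two from drifting.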
@@ -406,7 +406,7 @@
 "description": "The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems."
 },
 {
- "version": 2,
+ "version": 4,
 "name": "exercise",
 "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise."
 },
@@ -435,5 +435,5 @@
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190201"
+ "version": "20190225"
 }
From d1ff21cf1be15396207d7c05ffc289ffe7e123f2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 27 Feb 2019 07:30:14 +0100
Subject: [PATCH 007/113] chg: [exercise] locked shields 2019 added
---
exercise/machinetag.json | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/exercise/machinetag.json b/exercise/machinetag.json
index 0c73a0a..bb40057 100644
--- a/exercise/machinetag.json
+++ b/exercise/machinetag.json
@@ -74,6 +74,11 @@
 "value": "2018",
 "expanded": "2018",
 "description": "Locked Shields 2018"
+ },
+ {
+ "value": "2019",
+ "expanded": "2019",
+ "description": "Locked Shields 2019"
 }
 ]
 },
@@ -130,7 +135,7 @@
 ]
 }
 ],
- "version": 4,
+ "version": 5,
 "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
 "expanded": "Exercise",
 "namespace": "exercise"
From bb9cf757ed648786e424b9e2624905a7d0372aa5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 27 Feb 2019 07:31:06 +0100
Subject: [PATCH 008/113] chg: [MANIFEST] updated to the latest version
---
MANIFEST.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 2d36db1..0465a03 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -406,7 +406,7 @@
 "description": "The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems."
 },
 {
- "version": 4,
+ "version": 5,
 "name": "exercise",
 "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise."
 },
@@ -435,5 +435,5 @@
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190225"
+ "version": "20190226"
 }
From 78b15772a071b621f1658a07be320827d3970561 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 16 Mar 2019 10:28:27 +0100
Subject: [PATCH 009/113] new: [flesch-reading-ease] Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).
---
MANIFEST.json | 7 +++-
flesch-reading-ease/machinetag.json | 60 +++++++++++++++++++++++++++++
2 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 flesch-reading-ease/machinetag.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 0465a03..2bc7b0a 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -429,11 +429,16 @@
 "version": 1,
 "name": "cryptocurrency-threat",
 "description": "Threats targetting cryptocurrency, based on CipherTrace report."
+ },
+ {
+ "version": 1,
+ "name": "flesch-reading-ease",
+ "description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid)."
 }
 ],
 "path": "machinetag.json",
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190226"
+ "version": "20190315"
 }
diff --git a/flesch-reading-ease/machinetag.json b/flesch-reading-ease/machinetag.json
new file mode 100644
index 0000000..b91afb9
--- /dev/null
+++ b/flesch-reading-ease/machinetag.json
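Review bot: The added `flesch-reading-ease` description contains two wording errors, `the flesh score` (should be `the Flesch score`) and `negative score are valid` (should be `negative scores are valid`); the identical string is the `description` of flesch-reading-ease/machinetag.json in the next hunk and should be corrected there too, since the other manifest entries on this page carry their taxonomy's description verbatim. Proposed line for both files: `"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the Flesch score can have a maximum of 121.22 and there is no limit on how low a score can be (negative scores are valid)."`.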
@@ -0,0 +1,60 @@
+{
+ "namespace": "flesch-reading-ease",
+ "description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "score",
+ "expanded": "Score"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "score",
+ "entry": [
+ {
+ "value": "90-100",
+ "expanded": "Very Easy",
+ "description": "Very easy to read. Easily understood by an average 11-year-old student.",
+ "numerical_value": 100
+ },
+ {
+ "value": "80-89",
+ "expanded": "Easy",
+ "description": "Easy to read. Conversational English for consumers.",
+ "numerical_value": 89
+ },
+ {
+ "value": "70-79",
+ "expanded": "Fairly Easy",
+ "description": "Fairly easy to read.",
+ "numerical_value": 79
+ },
+ {
+ "value": "60-69",
+ "expanded": "Standard",
+ "description": "Plain English. Easily understood by 13- to 15-year-old students.",
+ "numerical_value": 69
+ },
+ {
+ "value": "50-59",
+ "expanded": "Fairly Difficult",
+ "description": "Fairly difficult to read.",
+ "numerical_value": 59
+ },
+ {
+ "value": "30-49",
+ "expanded": "Difficult",
+ "description": "Difficult to read.",
+ "numerical_value": 49
+ },
+ {
+ "value": "0-29",
+ "expanded": "Very Confusing",
+ "description": "Very difficult to read. Best understood by university graduates.",
+ "numerical_value": 29
+ }
+ ]
+ }
+ ]
+}
From 9704a7fced8d4c8ad0303d0856f079f0db984d4d Mon Sep 17 00:00:00 2001
From: Mezz
Date: Mon, 25 Mar 2019 13:22:56 +0100
Subject: [PATCH 010/113] DCSO Sharing Taxonomy added
---
MANIFEST.json | 5 +++++
README.md | 1 +
dcso-sharing/machinetag.json | 43 ++++++++++++++++++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 dcso-sharing/machinetag.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 2bc7b0a..0646d25 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
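Review bot: The `score` entries only cover 0 to 100 (`"0-29"` up to `"90-100"`), yet the file's own description says the score can reach 121.22 and can be negative, so a text scoring 105 or -3 has no tag in this taxonomy and the `numerical_value` ladder stops at 100. Either the boundary buckets should be documented as open-ended, e.g. `"description": "Very easy to read. Easily understood by an average 11-year-old student. Also covers scores above 100.",` with a matching note on the `"0-29"` entry, or explicit entries for scores above 100 and below 0 should be added. Whichever option is chosen, the boundary semantics belong in `description` rather than in the `value`, since values such as `"90-100"` are opaque tag strings to consumers.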
@@ -75,6 +75,11 @@
 "name": "cssa",
 "description": "The CSSA agreed sharing taxonomy."
 },
+ {
+ "version": 1,
+ "name": "DCSO-Sharing",
+ "description": "DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide"
+ },
 {
 "version": 2,
 "name": "ddos",
diff --git a/README.md b/README.md
index 2ac1bba..996b5ce 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@ The following taxonomies are described:
 - [Cyber Kill Chain](./kill-chain) from Lockheed Martin
 - [The Cyber Threat Framework](./cyber-threat-framework) was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.
 - DE German (DE) [Government classification markings (VS)](./de-vs)
+- [DCSO Sharing Taxonomy](./dcso-sharing) - DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide
 - [DHS CIIP Sectors](./dhs-ciip-sectors)
 - [Diamond Model for Intrusion Analysis](./diamond-model)
 - [Detection Maturity Level](./DML)
diff --git a/dcso-sharing/machinetag.json b/dcso-sharing/machinetag.json
new file mode 100644
index 0000000..c835d95
--- /dev/null
+++ b/dcso-sharing/machinetag.json
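Review bot: The `description` added for the DCSO entry in MANIFEST.json (`DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide`) is not the description that dcso-sharing/machinetag.json declares in the next hunk (`Taxonomy defined in the DCSO MISP Event Guide. It provides guidance …`), whereas the other entries on this page carry the taxonomy file's description verbatim (compare the `cryptocurrency-threat` and `flesch-reading-ease` entries); the manifest text also lacks a terminating full stop. Copying the machinetag description into the manifest, or generating the manifest from the files, would keep the two from drifting. The mixed-case `"name": "DCSO-Sharing"` against the `dcso-sharing` directory is what PATCH 011 later corrects.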
@@ -0,0 +1,43 @@
+{
+ "namespace": "DCSO-Sharing",
+ "description": "Taxonomy defined in the DCSO MISP Event Guide. It provides guidance for the creation and consumption of MISP events in a way that minimises the extra effort for the sending party, while enhancing the usefulness for receiving parties.",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "event-type"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "event-type",
+ "entry": [
+ {
+ "value": "Observation",
+ "expanded": "This event describes traits and indicators closely related to a single entity, like an email campaign or sighting of a reference sample on VirusTotal. Events of this type are typically created by CSOC staff and may be verified by analysts. Observed and verified indicators would be consumed by automated filtering systems in order to support near-time threat prevention. In retrospect, observations could be correlated with reports and analysis events in order to help understand the motivation for an attack and to reassess the associated risk.",
+ "colour": "#00233e"
+ },
+ {
+ "value": "Incident",
+ "expanded": "This event describes traits and indicators related to a security incident. As such, the event may refer to multiple entities like organizations, bank account numbers, files, and URLs. Events of this type contain first-hand information, that is, the reporting organization took part in the analysis of the incident. Use event type \"Report\" for second-hand information. Events of this type are typically created and consumed by analysts.",
+ "colour": "#005d81"
+ },
+ {
+ "value": "Report",
+ "expanded": "Traceability of indicators can be essential to document compliance of processes with legal obligations or company regulations. This event preserves a report to document the origin and context of indicators. Events of this type need to be checked by a human to ensure correct reproduction of indicators and context. Intended consumers are automated processes. 
Events may also serve as a basis for analysis reports or to justify preventive measures. If your organization is or was directly involved in an incident and you want to provide a first-hand account, then please use event type \"Incident\" instead.",
+ "colour": "#3f97b8"
+ },
+ {
+ "value": "Analysis",
+ "expanded": "This event builds on \"observation\", \"incident\", and \"report\" events; adds enrichments; and provides context. Events of this type will be created by analysts with support by automated tools. Analysts are also the main consumers.",
+ "colour": "#5a8915"
+ },
+ {
+ "value": "Collection",
+ "expanded": "This event collects unrelated IoCs. For example, an event could combine all network IoCs that were learned of during a day or a week from events of other types.",
+ "colour": "#94a850"
+ }
+ ]
+ }
+ ]
+ }
+ 
\ No newline at end of file
From 6798f9580e8dcf9672607c0833bb39eeca14f8a2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 25 Mar 2019 20:30:18 +0100
Subject: [PATCH 011/113] chg: [dcso-sharing] fixing the path
---
MANIFEST.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 0646d25..59704dd 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -77,7 +77,7 @@
 },
 {
 "version": 1,
- "name": "DCSO-Sharing",
+ "name": "dcso-sharing",
 "description": "DCSO Sharing Taxonomy to classify certain types of MISP events using the DCSO Event Guide"
 },
 {
From 20bdf7255e8c829c0f587171c2892e07065bec81 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 25 Mar 2019 20:30:45 +0100
Subject: [PATCH 012/113] chg: [dcso-sharing] jq all the things
---
dcso-sharing/machinetag.json | 83 ++++++++++++++++++------------------
1 file changed, 41 insertions(+), 42 deletions(-)
diff --git a/dcso-sharing/machinetag.json b/dcso-sharing/machinetag.json
index c835d95..51bef47 100644
--- a/dcso-sharing/machinetag.json
+++ b/dcso-sharing/machinetag.json
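Review bot: The single predicate `event-type` is declared with only a `value` and no `expanded` label, and each entry's `value` is a capitalised word (`Observation`, `Incident`, `Report`, `Analysis`, `Collection`) while the predicate uses lower-case kebab-case, so the resulting tags mix styles (`DCSO-Sharing:event-type="Observation"`) and are case-sensitive for every consumer that matches on them. Suggest `{ "value": "event-type", "expanded": "Event type" }` for the predicate, and lower-case entry values with the label moved to `expanded`, e.g. `"value": "observation", "expanded": "Observation",`, keeping the current paragraph under `description` as the exercise and flesch-reading-ease files on this page do. The whitespace-only final line and the missing newline at end of file in this hunk are what PATCH 012 later cleans up.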
@@ -1,43 +1,42 @@ { - "namespace": "DCSO-Sharing", - "description": "Taxonomy defined in the DCSO MISP Event Guide. It provides guidance for the creation and consumption of MISP events in a way that minimises the extra effort for the sending party, while enhancing the usefulness for receiving parties.", - "version": 1, - "predicates": [ - { - "value": "event-type" - } - ], - "values": [ - { - "predicate": "event-type", - "entry": [ - { - "value": "Observation", - "expanded": "This event describes traits and indicators closely related to a single entity, like an email campaign or sighting of a reference sample on VirusTotal. Events of this type are typically created by CSOC staff and may be verified by analysts. Observed and verified indicators would be consumed by automated filtering systems in order to support near-time threat prevention. In retrospect, observations could be correlated with reports and analysis events in order to help understand the motivation for an attack and to reassess the associated risk.", - "colour": "#00233e" - }, - { - "value": "Incident", - "expanded": "This event describes traits and indicators related to a security incident. As such, the event may refer to multiple entities like organizations, bank account numbers, files, and URLs. Events of this type contain first-hand information, that is, the reporting organization took part in the analysis of the incident. Use event type \"Report\" for second-hand information. Events of this type are typically created and consumed by analysts.", - "colour": "#005d81" - }, - { - "value": "Report", - "expanded": "Traceability of indicators can be essential to document compliance of processes with legal obligations or company regulations. This event preserves a report to document the origin and context of indicators. Events of this type need to be checked by a human to ensure correct reproduction of indicators and context. Intended consumers are automated processes. 
Events may also serve as a basis for analysis reports or to justify preventive measures. If your organization is or was directly involved in an incident and you want to provide a first-hand account, then please use event type \"Incident\" instead.", - "colour": "#3f97b8" - }, - { - "value": "Analysis", - "expanded": "This event builds on \"observation\", \"incident\", and \"report\" events; adds enrichments; and provides context. Events of this type will be created by analysts with support by automated tools. Analysts are also the main consumers.", - "colour": "#5a8915" - }, - { - "value": "Collection", - "expanded": "This event collects unrelated IoCs. For example, an event could combine all network IoCs that were learned of during a day or a week from events of other types.", - "colour": "#94a850" - } - ] - } - ] - } - \ No newline at end of file + "namespace": "DCSO-Sharing", + "description": "Taxonomy defined in the DCSO MISP Event Guide. It provides guidance for the creation and consumption of MISP events in a way that minimises the extra effort for the sending party, while enhancing the usefulness for receiving parties.", + "version": 1, + "predicates": [ + { + "value": "event-type" + } + ], + "values": [ + { + "predicate": "event-type", + "entry": [ + { + "value": "Observation", + "expanded": "This event describes traits and indicators closely related to a single entity, like an email campaign or sighting of a reference sample on VirusTotal. Events of this type are typically created by CSOC staff and may be verified by analysts. Observed and verified indicators would be consumed by automated filtering systems in order to support near-time threat prevention. 
In retrospect, observations could be correlated with reports and analysis events in order to help understand the motivation for an attack and to reassess the associated risk.", + "colour": "#00233e" + }, + { + "value": "Incident", + "expanded": "This event describes traits and indicators related to a security incident. As such, the event may refer to multiple entities like organizations, bank account numbers, files, and URLs. Events of this type contain first-hand information, that is, the reporting organization took part in the analysis of the incident. Use event type \"Report\" for second-hand information. Events of this type are typically created and consumed by analysts.", + "colour": "#005d81" + }, + { + "value": "Report", + "expanded": "Traceability of indicators can be essential to document compliance of processes with legal obligations or company regulations. This event preserves a report to document the origin and context of indicators. Events of this type need to be checked by a human to ensure correct reproduction of indicators and context. Intended consumers are automated processes. Events may also serve as a basis for analysis reports or to justify preventive measures. If your organization is or was directly involved in an incident and you want to provide a first-hand account, then please use event type \"Incident\" instead.", + "colour": "#3f97b8" + }, + { + "value": "Analysis", + "expanded": "This event builds on \"observation\", \"incident\", and \"report\" events; adds enrichments; and provides context. Events of this type will be created by analysts with support by automated tools. Analysts are also the main consumers.", + "colour": "#5a8915" + }, + { + "value": "Collection", + "expanded": "This event collects unrelated IoCs. For example, an event could combine all network IoCs that were learned of during a day or a week from events of other types.", + "colour": "#94a850" + } + ] + } + ] +} 
From 08152ad07debd1cf78972efe8431966a7012ce6b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 25 Mar 2019 20:37:38 +0100
Subject: [PATCH 013/113] chg: [dcso-sharing] fix the namespace name
---
dcso-sharing/machinetag.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dcso-sharing/machinetag.json b/dcso-sharing/machinetag.json
index 51bef47..49a9c8c 100644
--- a/dcso-sharing/machinetag.json
+++ b/dcso-sharing/machinetag.json
@@ -1,5 +1,5 @@
 {
- "namespace": "DCSO-Sharing",
+ "namespace": "dcso-sharing",
 "description": "Taxonomy defined in the DCSO MISP Event Guide. It provides guidance for the creation and consumption of MISP events in a way that minimises the extra effort for the sending party, while enhancing the usefulness for receiving parties.",
 "version": 1,
 "predicates": [
From df1519a4b580b2e188a56ec8b9b78d3b4df6f91a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 1 Apr 2019 13:16:03 +0200
Subject: [PATCH 014/113] Add drugs taxonomy. Initial source: https://github.com/HTasselli/taxonomy_drugs
---
MANIFEST.json | 5 +
drugs/drugs.json | 1384 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 1389 insertions(+)
create mode 100644 drugs/drugs.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 2bc7b0a..ec6f35d 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -110,6 +110,11 @@
 "name": "domain-abuse",
 "description": "Taxonomy to tag domain names used for cybercrime."
 },
+ {
+ "version": 1,
+ "name": "drugs",
+ "description": "A taxonomy based on the superclass and class of drugs, based on https://www.drugbank.ca/releases/latest"
+ },
 {
 "version": 1,
 "name": "ecsirt",
diff --git a/drugs/drugs.json b/drugs/drugs.json
new file mode 100644
index 0000000..543005a
--- /dev/null
+++ b/drugs/drugs.json
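Review bot: The manifest entry added here names the taxonomy `drugs`, but the new file is committed as drugs/drugs.json rather than drugs/machinetag.json, and the manifest's `"path": "machinetag.json"` (visible in the PATCH 004 and PATCH 009 hunks) is presumably joined with each entry's `name` to locate the taxonomy file, so this entry would point at a file that does not exist. The file's own `"namespace": "taxonomy_drugs"` also differs from the manifest `"name": "drugs"`, unlike every other name/namespace pair on this page, which match; renaming the file to `drugs/machinetag.json` and setting `"namespace": "drugs",` would align it with the other taxonomies. The drugs/drugs.json hunk itself runs past the end of this excerpt.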
@@ -0,0 +1,1384 @@ +{ + "namespace": "taxonomy_drugs", + "description": "A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest", + "version": 1, + "predicates": [ + { + "value": "alkaloids-and-derivatives", + "expanded": "Alkaloids and derivatives" + }, + { + "value": "benzenoids", + "expanded": "Benzenoids" + }, + { + "value": "homogeneous-metal-compounds", + "expanded": "Homogeneous metal compounds" + }, + { + "value": "homogeneous-non-metal-compounds", + "expanded": "Homogeneous non-metal compounds" + }, + { + "value": "hydrocarbons", + "expanded": "Hydrocarbons" + }, + { + "value": "hydrocarbon-derivatives", + "expanded": "Hydrocarbon derivatives" + }, + { + "value": "lignans,-neolignans-and-related-compounds", + "expanded": "Lignans, neolignans and related compounds" + }, + { + "value": "lipids-and-lipid-like-molecules", + "expanded": "Lipids and lipid-like molecules" + }, + { + "value": "mixed-metal/non-metal-compounds", + "expanded": "Mixed metal/non-metal compounds" + }, + { + "value": "nucleosides,-nucleotides,-and-analogues", + "expanded": "Nucleosides, nucleotides, and analogues" + }, + { + "value": "organic-1,3-dipolar-compounds", + "expanded": "Organic 1,3-dipolar compounds" + }, + { + "value": "organic-acids-and-derivatives", + "expanded": "Organic acids and derivatives" + }, + { + "value": "organic-acids", + "expanded": "Organic Acids" + }, + { + "value": "organic-nitrogen-compounds", + "expanded": "Organic nitrogen compounds" + }, + { + "value": "organic-oxygen-compounds", + "expanded": "Organic oxygen compounds" + }, + { + "value": "organic-polymers", + "expanded": "Organic Polymers" + }, + { + "value": "organic-salts", + "expanded": "Organic salts" + }, + { + "value": "organohalogen-compounds", + "expanded": "Organohalogen compounds" + }, + { + "value": "organoheterocyclic-compounds", + "expanded": "Organoheterocyclic compounds" + }, + { + "value": "organometallic-compounds", + "expanded": 
"Organometallic compounds" + }, + { + "value": "organophosphorus-compounds", + "expanded": "Organophosphorus compounds" + }, + { + "value": "organosulfur-compounds", + "expanded": "Organosulfur compounds" + }, + { + "value": "phenylpropanoids-and-polyketides", + "expanded": "Phenylpropanoids and polyketides" + } + ], + "values": [ + { + "predicate": "alkaloids-and-derivatives", + "entry": [ + { + "value": "ajmaline-sarpagine-alkaloids", + "expanded": "Ajmaline-sarpagine alkaloids" + }, + { + "value": " allocolchicine-alkaloids", + "expanded": " Allocolchicine alkaloids" + }, + { + "value": " Amaryllidaceae alkaloids", + "expanded": " Amaryllidaceae alkaloids" + }, + { + "value": "aporphines", + "expanded": "Aporphines" + }, + { + "value": "camptothecins", + "expanded": "Camptothecins" + }, + { + "value": "cephalotaxus-alkaloids", + "expanded": "Cephalotaxus alkaloids" + }, + { + "value": "cinchona-alkaloids", + "expanded": "Cinchona alkaloids" + }, + { + "value": "eburnan-type-alkaloids", + "expanded": "Eburnan-type alkaloids" + }, + { + "value": "epibatidine-analogues", + "expanded": "Epibatidine analogues" + }, + { + "value": "ergoline-and-derivatives", + "expanded": "Ergoline and derivatives" + }, + { + "value": "harmala-alkaloids", + "expanded": "Harmala alkaloids" + }, + { + "value": "ibogan-type-alkaloids", + "expanded": "Ibogan-type alkaloids" + }, + { + "value": "lupin-alkaloids", + "expanded": "Lupin alkaloids" + }, + { + "value": "morphinans", + "expanded": "Morphinans" + }, + { + "value": "phthalide-isoquinolines", + "expanded": "Phthalide isoquinolines" + }, + { + "value": "protoberberine-alkaloids-and-derivatives", + "expanded": "Protoberberine alkaloids and derivatives" + }, + { + "value": "tropane-alkaloids", + "expanded": "Tropane alkaloids" + }, + { + "value": "vinca-alkaloids", + "expanded": "Vinca alkaloids" + }, + { + "value": "yohimbine-alkaloids", + "expanded": "Yohimbine alkaloids" + } + ] + }, + { + "predicate": "benzenoids", + "entry": [ + 
{ + "value": "anthracenes", + "expanded": "Anthracenes" + }, + { + "value": "benzene-and-substituted-derivatives", + "expanded": "Benzene and substituted derivatives" + }, + { + "value": "dibenzocycloheptenes", + "expanded": "Dibenzocycloheptenes" + }, + { + "value": "fluorenes", + "expanded": "Fluorenes" + }, + { + "value": "indanes", + "expanded": "Indanes" + }, + { + "value": "indenes-and-isoindenes", + "expanded": "Indenes and isoindenes" + }, + { + "value": "naphthacenes", + "expanded": "Naphthacenes" + }, + { + "value": "phenanthrenes-and-derivatives", + "expanded": "Phenanthrenes and derivatives" + }, + { + "value": "phenol-esters", + "expanded": "Phenol esters" + }, + { + "value": "phenol-ethers", + "expanded": "Phenol ethers" + }, + { + "value": "phenols", + "expanded": "Phenols" + }, + { + "value": "pyrenes", + "expanded": "Pyrenes" + }, + { + "value": "tetralins", + "expanded": "Tetralins" + }, + { + "value": "triphenyl-compounds", + "expanded": "Triphenyl compounds" + } + ] + }, + { + "predicate": "homogeneous-metal-compounds", + "entry": [ + { + "value": "homogeneous-actinide-compounds", + "expanded": "Homogeneous actinide compounds" + }, + { + "value": "homogeneous-alkali-metal-compounds", + "expanded": "Homogeneous alkali metal compounds" + }, + { + "value": "homogeneous-alkaline-earth-metal-compounds", + "expanded": "Homogeneous alkaline earth metal compounds" + }, + { + "value": "homogeneous-lanthanide-compounds", + "expanded": "Homogeneous lanthanide compounds" + }, + { + "value": "homogeneous-metalloid-compounds", + "expanded": "Homogeneous metalloid compounds" + }, + { + "value": "homogeneous-post-transition-metal-compounds", + "expanded": "Homogeneous post-transition metal compounds" + }, + { + "value": "homogeneous-transition-metal-compounds", + "expanded": "Homogeneous transition metal compounds" + } + ] + }, + { + "predicate": "homogeneous-non-metal-compounds", + "entry": [ + { + "value": "halogen-organides", + "expanded": "Halogen 
organides" + }, + { + "value": "homogeneous-halogens", + "expanded": "Homogeneous halogens" + }, + { + "value": "homogeneous-noble-gases", + "expanded": "Homogeneous noble gases" + }, + { + "value": "homogeneous-other-non-metal-compounds", + "expanded": "Homogeneous other non-metal compounds" + }, + { + "value": "non-metal-oxoanionic-compounds", + "expanded": "Non-metal oxoanionic compounds" + }, + { + "value": "other-non-metal-halides", + "expanded": "Other non-metal halides" + }, + { + "value": "other-non-metal-organides", + "expanded": "Other non-metal organides" + } + ] + }, + { + "predicate": "hydrocarbons", + "entry": [ + { + "value": "polycyclic-hydrocarbons", + "expanded": "Polycyclic hydrocarbons" + } + ] + }, + { + "predicate": "hydrocarbon-derivatives", + "entry": [ + { + "value": "tropones", + "expanded": "Tropones" + } + ] + }, + { + "predicate": "lignans,-neolignans-and-related-compounds", + "entry": [ + { + "value": "aryltetralin-lignans", + "expanded": "Aryltetralin lignans" + }, + { + "value": "dibenzylbutane-lignans", + "expanded": "Dibenzylbutane lignans" + }, + { + "value": "flavonolignans", + "expanded": "Flavonolignans" + }, + { + "value": "furanoid-lignans", + "expanded": "Furanoid lignans" + }, + { + "value": "lignan-lactones", + "expanded": "Lignan lactones" + } + ] + }, + { + "predicate": "lipids-and-lipid-like-molecules", + "entry": [ + { + "value": "fatty-acyls", + "expanded": "Fatty Acyls" + }, + { + "value": "glycero-3-dithiophosphocholines", + "expanded": "Glycero-3-dithiophosphocholines" + }, + { + "value": "glycerolipids", + "expanded": "Glycerolipids" + }, + { + "value": "glycerophospholipids", + "expanded": "Glycerophospholipids" + }, + { + "value": "prenol-lipids", + "expanded": "Prenol lipids" + }, + { + "value": "saccharolipids", + "expanded": "Saccharolipids" + }, + { + "value": "s-alkyl-coas", + "expanded": "S-alkyl-CoAs" + }, + { + "value": "sphingolipids", + "expanded": "Sphingolipids" + }, + { + "value": 
"steroids-and-steroid-derivatives", + "expanded": "Steroids and steroid derivatives" + } + ] + }, + { + "predicate": "mixed-metal/non-metal-compounds", + "entry": [ + { + "value": "alkali-metal-organides", + "expanded": "Alkali metal organides" + }, + { + "value": "alkali-metal-oxoanionic-compounds", + "expanded": "Alkali metal oxoanionic compounds" + }, + { + "value": "alkali-metal-salts", + "expanded": "Alkali metal salts" + }, + { + "value": "alkaline-earth-metal-organides", + "expanded": "Alkaline earth metal organides" + }, + { + "value": "alkaline-earth-metal-oxoanionic-compounds", + "expanded": "Alkaline earth metal oxoanionic compounds" + }, + { + "value": "alkaline-earth-metal-salts", + "expanded": "Alkaline earth metal salts" + }, + { + "value": "metalloid-organides", + "expanded": "Metalloid organides" + }, + { + "value": "metalloid-oxoanionic-compounds", + "expanded": "Metalloid oxoanionic compounds" + }, + { + "value": "miscellaneous-mixed-metal/non-metals", + "expanded": "Miscellaneous mixed metal/non-metals" + }, + { + "value": "other-mixed-metal/non-metal-oxoanionic-compounds", + "expanded": "Other mixed metal/non-metal oxoanionic compounds" + }, + { + "value": "post-transition-metal-organides", + "expanded": "Post-transition metal organides" + }, + { + "value": "post-transition-metal-oxoanionic-compounds", + "expanded": "Post-transition metal oxoanionic compounds" + }, + { + "value": "post-transition-metal-salts", + "expanded": "Post-transition metal salts" + }, + { + "value": "transition-metal-organides", + "expanded": "Transition metal organides" + }, + { + "value": "transition-metal-oxoanionic-compounds", + "expanded": "Transition metal oxoanionic compounds" + }, + { + "value": "transition-metal-salts", + "expanded": "Transition metal salts" + } + ] + }, + { + "predicate": "nucleosides,-nucleotides,-and-analogues", + "entry": [ + { + "value": "2',3'-dideoxy-3'-thionucleoside-monophosphates", + "expanded": "2',3'-dideoxy-3'-thionucleoside 
monophosphates" + }, + { + "value": "2',5'-dideoxyribonucleosides", + "expanded": "2',5'-dideoxyribonucleosides" + }, + { + "value": "(3'->5')-dinucleotides-and-analogues", + "expanded": "(3'->5')-dinucleotides and analogues" + }, + { + "value": "5'-deoxyribonucleosides", + "expanded": "5'-deoxyribonucleosides" + }, + { + "value": "(5'->5')-dinucleotides", + "expanded": "(5'->5')-dinucleotides" + }, + { + "value": "benzimidazole-ribonucleosides-and-ribonucleotides", + "expanded": "Benzimidazole ribonucleosides and ribonucleotides" + }, + { + "value": "flavin-nucleotides", + "expanded": "Flavin nucleotides" + }, + { + "value": "glycinamide-ribonucleotides", + "expanded": "Glycinamide ribonucleotides" + }, + { + "value": "imidazole[4,5-c]pyridine-ribonucleosides-and-ribonucleotides", + "expanded": "Imidazole[4,5-c]pyridine ribonucleosides and ribonucleotides" + }, + { + "value": "imidazole-ribonucleosides-and-ribonucleotides", + "expanded": "Imidazole ribonucleosides and ribonucleotides" + }, + { + "value": "molybdopterin-dinucleotides", + "expanded": "Molybdopterin dinucleotides" + }, + { + "value": "nucleoside-and-nucleotide-analogues", + "expanded": "Nucleoside and nucleotide analogues" + }, + { + "value": "purine-nucleosides", + "expanded": "Purine nucleosides" + }, + { + "value": "pyrazolo[3,4-d]pyrimidine-glycosides", + "expanded": "Pyrazolo[3,4-d]pyrimidine glycosides" + }, + { + "value": "pyridine-nucleotides", + "expanded": "Pyridine nucleotides" + }, + { + "value": "pyrimidine-nucleosides", + "expanded": "Pyrimidine nucleosides" + }, + { + "value": "pyrimidine-nucleotides", + "expanded": "Pyrimidine nucleotides" + }, + { + "value": "pyrrolopyrimidine-nucleosides-and-nucleotides", + "expanded": "Pyrrolopyrimidine nucleosides and nucleotides" + }, + { + "value": "ribonucleoside-3'-phosphates", + "expanded": "Ribonucleoside 3'-phosphates" + }, + { + "value": "triazole-ribonucleosides-and-ribonucleotides", + "expanded": "Triazole ribonucleosides and 
ribonucleotides" + } + ] + }, + { + "predicate": "organic-1,3-dipolar-compounds", + "entry": [ + { + "value": "allyl-type-1,3-dipolar-organic-compounds", + "expanded": "Allyl-type 1,3-dipolar organic compounds" + } + ] + }, + { + "predicate": "organic-acids-and-derivatives", + "entry": [ + { + "value": "boronic-acid-derivatives", + "expanded": "Boronic acid derivatives" + }, + { + "value": "carboximidic-acids-and-derivatives", + "expanded": "Carboximidic acids and derivatives" + }, + { + "value": "carboxylic-acids-and-derivatives", + "expanded": "Carboxylic acids and derivatives" + }, + { + "value": "hydroxy-acids-and-derivatives", + "expanded": "Hydroxy acids and derivatives" + }, + { + "value": "keto-acids-and-derivatives", + "expanded": "Keto acids and derivatives" + }, + { + "value": "organic-carbonic-acids-and-derivatives", + "expanded": "Organic carbonic acids and derivatives" + }, + { + "value": "organic-phosphonic-acids-and-derivatives", + "expanded": "Organic phosphonic acids and derivatives" + }, + { + "value": "organic-phosphoric-acids-and-derivatives", + "expanded": "Organic phosphoric acids and derivatives" + }, + { + "value": "organic-sulfonic-acids-and-derivatives", + "expanded": "Organic sulfonic acids and derivatives" + }, + { + "value": "organic-sulfuric-acids-and-derivatives", + "expanded": "Organic sulfuric acids and derivatives" + }, + { + "value": "organic-thiophosphoric-acids-and-derivatives", + "expanded": "Organic thiophosphoric acids and derivatives" + }, + { + "value": "orthocarboxylic-acid-derivatives", + "expanded": "Orthocarboxylic acid derivatives" + }, + { + "value": "peptidomimetics", + "expanded": "Peptidomimetics" + }, + { + "value": "thiosulfinic-acid-esters", + "expanded": "Thiosulfinic acid esters" + } + ] + }, + { + "predicate": "organic-acids", + "entry": [ + { + "value": "carboxylic-acids-and-derivatives", + "expanded": "Carboxylic Acids and Derivatives" + } + ] + }, + { + "predicate": "organic-nitrogen-compounds", + 
"entry": [ + { + "value": "organonitrogen-compounds", + "expanded": "Organonitrogen compounds" + } + ] + }, + { + "predicate": "organic-oxygen-compounds", + "entry": [ + { + "value": "organic-oxides", + "expanded": "Organic oxides" + }, + { + "value": "organic-oxoanionic-compounds", + "expanded": "Organic oxoanionic compounds" + }, + { + "value": "organooxygen-compounds", + "expanded": "Organooxygen compounds" + } + ] + }, + { + "predicate": "organic-polymers", + "entry": [ + { + "value": "phosphorothioate-polynucleotides", + "expanded": "Phosphorothioate polynucleotides" + }, + { + "value": "polypeptides", + "expanded": "Polypeptides" + }, + { + "value": "polysaccharides", + "expanded": "Polysaccharides" + } + ] + }, + { + "predicate": "organic-salts", + "entry": [ + { + "value": "organic-metal-salts", + "expanded": "Organic metal salts" + } + ] + }, + { + "predicate": "organohalogen-compounds", + "entry": [ + { + "value": "acyl-halides", + "expanded": "Acyl halides" + }, + { + "value": "alkyl-halides", + "expanded": "Alkyl halides" + }, + { + "value": "aryl-halides", + "expanded": "Aryl halides" + }, + { + "value": "halohydrins", + "expanded": "Halohydrins" + }, + { + "value": "organochlorides", + "expanded": "Organochlorides" + }, + { + "value": "organofluorides", + "expanded": "Organofluorides" + }, + { + "value": "sulfonyl-halides", + "expanded": "Sulfonyl halides" + }, + { + "value": "vinyl-halides", + "expanded": "Vinyl halides" + } + ] + }, + { + "predicate": "organoheterocyclic-compounds", + "entry": [ + { + "value": "azaspirodecane-derivatives", + "expanded": "Azaspirodecane derivatives" + }, + { + "value": "azepanes", + "expanded": "Azepanes" + }, + { + "value": "azobenzenes", + "expanded": "Azobenzenes" + }, + { + "value": "azoles", + "expanded": "Azoles" + }, + { + "value": "azolidines", + "expanded": "Azolidines" + }, + { + "value": "azolines", + "expanded": "Azolines" + }, + { + "value": "benzazepines", + "expanded": "Benzazepines" + }, + { + 
"value": "benzimidazoles", + "expanded": "Benzimidazoles" + }, + { + "value": "benzisoxazoles", + "expanded": "Benzisoxazoles" + }, + { + "value": "benzocycloheptapyridines", + "expanded": "Benzocycloheptapyridines" + }, + { + "value": "benzodiazepines", + "expanded": "Benzodiazepines" + }, + { + "value": "benzodioxanes", + "expanded": "Benzodioxanes" + }, + { + "value": "benzodioxoles", + "expanded": "Benzodioxoles" + }, + { + "value": "benzofurans", + "expanded": "Benzofurans" + }, + { + "value": "benzopyrans", + "expanded": "Benzopyrans" + }, + { + "value": "benzopyrazoles", + "expanded": "Benzopyrazoles" + }, + { + "value": "benzothiadiazoles", + "expanded": "Benzothiadiazoles" + }, + { + "value": "benzothiazepines", + "expanded": "Benzothiazepines" + }, + { + "value": "benzothiazines", + "expanded": "Benzothiazines" + }, + { + "value": "benzothiazoles", + "expanded": "Benzothiazoles" + }, + { + "value": "benzothiepins", + "expanded": "Benzothiepins" + }, + { + "value": "benzothiophenes", + "expanded": "Benzothiophenes" + }, + { + "value": "benzothiopyrans", + "expanded": "Benzothiopyrans" + }, + { + "value": "benzotriazoles", + "expanded": "Benzotriazoles" + }, + { + "value": "benzoxadiazoles", + "expanded": "Benzoxadiazoles" + }, + { + "value": "benzoxazepines", + "expanded": "Benzoxazepines" + }, + { + "value": "benzoxazines", + "expanded": "Benzoxazines" + }, + { + "value": "benzoxazoles", + "expanded": "Benzoxazoles" + }, + { + "value": "benzoxepines", + "expanded": "Benzoxepines" + }, + { + "value": "bi--and-oligothiophenes", + "expanded": "Bi- and oligothiophenes" + }, + { + "value": "biotin-and-derivatives", + "expanded": "Biotin and derivatives" + }, + { + "value": "coumarans", + "expanded": "Coumarans" + }, + { + "value": "cycloheptapyrans", + "expanded": "Cycloheptapyrans" + }, + { + "value": "cycloheptathiophenes", + "expanded": "Cycloheptathiophenes" + }, + { + "value": "diazanaphthalenes", + "expanded": "Diazanaphthalenes" + }, + { + "value": 
"diazepanes", + "expanded": "Diazepanes" + }, + { + "value": "diazinanes", + "expanded": "Diazinanes" + }, + { + "value": "diazines", + "expanded": "Diazines" + }, + { + "value": "dihydrofurans", + "expanded": "Dihydrofurans" + }, + { + "value": "dihydroisoquinolines", + "expanded": "Dihydroisoquinolines" + }, + { + "value": "dihydrothiophenes", + "expanded": "Dihydrothiophenes" + }, + { + "value": "dioxaborolanes", + "expanded": "Dioxaborolanes" + }, + { + "value": "dioxanes", + "expanded": "Dioxanes" + }, + { + "value": "dioxolopyrans", + "expanded": "Dioxolopyrans" + }, + { + "value": "dithianes", + "expanded": "Dithianes" + }, + { + "value": "dithiolanes", + "expanded": "Dithiolanes" + }, + { + "value": "epoxides", + "expanded": "Epoxides" + }, + { + "value": "furans", + "expanded": "Furans" + }, + { + "value": "furofurans", + "expanded": "Furofurans" + }, + { + "value": "furopyrans", + "expanded": "Furopyrans" + }, + { + "value": "furopyridines", + "expanded": "Furopyridines" + }, + { + "value": "furopyrroles", + "expanded": "Furopyrroles" + }, + { + "value": "heteroaromatic-compounds", + "expanded": "Heteroaromatic compounds" + }, + { + "value": "imidazo[1,5-a]pyrazines", + "expanded": "Imidazo[1,5-a]pyrazines" + }, + { + "value": "imidazodiazepines", + "expanded": "Imidazodiazepines" + }, + { + "value": "imidazopyrazines", + "expanded": "Imidazopyrazines" + }, + { + "value": "imidazopyridines", + "expanded": "Imidazopyridines" + }, + { + "value": "imidazopyrimidines", + "expanded": "Imidazopyrimidines" + }, + { + "value": "imidazotetrazines", + "expanded": "Imidazotetrazines" + }, + { + "value": "imidazothiazoles", + "expanded": "Imidazothiazoles" + }, + { + "value": "indoles-and-derivatives", + "expanded": "Indoles and derivatives" + }, + { + "value": "indolizidines", + "expanded": "Indolizidines" + }, + { + "value": "isocoumarans", + "expanded": "Isocoumarans" + }, + { + "value": "isoindoles-and-derivatives", + "expanded": "Isoindoles and derivatives" + }, 
+ { + "value": "isoquinolines-and-derivatives", + "expanded": "Isoquinolines and derivatives" + }, + { + "value": "isoxazolopyridines", + "expanded": "Isoxazolopyridines" + }, + { + "value": "lactams", + "expanded": "Lactams" + }, + { + "value": "lactones", + "expanded": "Lactones" + }, + { + "value": "metalloheterocyclic-compounds", + "expanded": "Metalloheterocyclic compounds" + }, + { + "value": "naphthofurans", + "expanded": "Naphthofurans" + }, + { + "value": "naphthopyrans", + "expanded": "Naphthopyrans" + }, + { + "value": "oxanes", + "expanded": "Oxanes" + }, + { + "value": "oxazaphosphinanes", + "expanded": "Oxazaphosphinanes" + }, + { + "value": "oxazinanes", + "expanded": "Oxazinanes" + }, + { + "value": "oxepanes", + "expanded": "Oxepanes" + }, + { + "value": "phenanthrolines", + "expanded": "Phenanthrolines" + }, + { + "value": "piperazinoazepines", + "expanded": "Piperazinoazepines" + }, + { + "value": "piperidines", + "expanded": "Piperidines" + }, + { + "value": "pteridines-and-derivatives", + "expanded": "Pteridines and derivatives" + }, + { + "value": "pyranodioxins", + "expanded": "Pyranodioxins" + }, + { + "value": "pyranopyridines", + "expanded": "Pyranopyridines" + }, + { + "value": "pyranopyrimidines", + "expanded": "Pyranopyrimidines" + }, + { + "value": "pyrans", + "expanded": "Pyrans" + }, + { + "value": "pyrazolopyridines", + "expanded": "Pyrazolopyridines" + }, + { + "value": "pyrazolopyrimidines", + "expanded": "Pyrazolopyrimidines" + }, + { + "value": "pyrazolotriazines", + "expanded": "Pyrazolotriazines" + }, + { + "value": "pyridines-and-derivatives", + "expanded": "Pyridines and derivatives" + }, + { + "value": "pyridopyrimidines", + "expanded": "Pyridopyrimidines" + }, + { + "value": "pyrroles", + "expanded": "Pyrroles" + }, + { + "value": "pyrrolidines", + "expanded": "Pyrrolidines" + }, + { + "value": "pyrrolines", + "expanded": "Pyrrolines" + }, + { + "value": "pyrrolizines", + "expanded": "Pyrrolizines" + }, + { + "value": 
"pyrroloazepines", + "expanded": "Pyrroloazepines" + }, + { + "value": "pyrrolopyrazines", + "expanded": "Pyrrolopyrazines" + }, + { + "value": "pyrrolopyrazoles", + "expanded": "Pyrrolopyrazoles" + }, + { + "value": "pyrrolopyridines", + "expanded": "Pyrrolopyridines" + }, + { + "value": "pyrrolopyrimidines", + "expanded": "Pyrrolopyrimidines" + }, + { + "value": "pyrrolotriazines", + "expanded": "Pyrrolotriazines" + }, + { + "value": "quinolines-and-derivatives", + "expanded": "Quinolines and derivatives" + }, + { + "value": "quinuclidines", + "expanded": "Quinuclidines" + }, + { + "value": "selenazoles", + "expanded": "Selenazoles" + }, + { + "value": "tetrahydrofurans", + "expanded": "Tetrahydrofurans" + }, + { + "value": "tetrahydroisoquinolines", + "expanded": "Tetrahydroisoquinolines" + }, + { + "value": "tetrapyrroles-and-derivatives", + "expanded": "Tetrapyrroles and derivatives" + }, + { + "value": "thiadiazinanes", + "expanded": "Thiadiazinanes" + }, + { + "value": "thiadiazines", + "expanded": "Thiadiazines" + }, + { + "value": "thianes", + "expanded": "Thianes" + }, + { + "value": "thiazepines", + "expanded": "Thiazepines" + }, + { + "value": "thiazinanes", + "expanded": "Thiazinanes" + }, + { + "value": "thiazines", + "expanded": "Thiazines" + }, + { + "value": "thienodiazepines", + "expanded": "Thienodiazepines" + }, + { + "value": "thienoimidazolidines", + "expanded": "Thienoimidazolidines" + }, + { + "value": "thienopyridines", + "expanded": "Thienopyridines" + }, + { + "value": "thienopyrimidines", + "expanded": "Thienopyrimidines" + }, + { + "value": "thienopyrroles", + "expanded": "Thienopyrroles" + }, + { + "value": "thienothiazines", + "expanded": "Thienothiazines" + }, + { + "value": "thiochromanes", + "expanded": "Thiochromanes" + }, + { + "value": "thiochromenes", + "expanded": "Thiochromenes" + }, + { + "value": "thiolanes", + "expanded": "Thiolanes" + }, + { + "value": "thiophenes", + "expanded": "Thiophenes" + }, + { + "value": 
"triazinanes", + "expanded": "Triazinanes" + }, + { + "value": "triazines", + "expanded": "Triazines" + }, + { + "value": "triazolopyrazines", + "expanded": "Triazolopyrazines" + }, + { + "value": "triazolopyridines", + "expanded": "Triazolopyridines" + }, + { + "value": "triazolopyrimidines", + "expanded": "Triazolopyrimidines" + }, + { + "value": "trioxanes", + "expanded": "Trioxanes" + } + ] + }, + { + "predicate": "organometallic-compounds", + "entry": [ + { + "value": "organometalloid-compounds", + "expanded": "Organometalloid compounds" + }, + { + "value": "organo-post-transition-metal-compounds", + "expanded": "Organo-post-transition metal compounds" + } + ] + }, + { + "predicate": "organophosphorus-compounds", + "entry": [ + { + "value": "organic-phosphines-and-derivatives", + "expanded": "Organic phosphines and derivatives" + }, + { + "value": "organophosphinic-acids-and-derivatives", + "expanded": "Organophosphinic acids and derivatives" + }, + { + "value": "organothiophosphorus-compounds", + "expanded": "Organothiophosphorus compounds" + } + ] + }, + { + "predicate": "organosulfur-compounds", + "entry": [ + { + "value": "isothioureas", + "expanded": "Isothioureas" + }, + { + "value": "organic-disulfides", + "expanded": "Organic disulfides" + }, + { + "value": "sulfonyls", + "expanded": "Sulfonyls" + }, + { + "value": "sulfoxides", + "expanded": "Sulfoxides" + }, + { + "value": "thiocarbonyl-compounds", + "expanded": "Thiocarbonyl compounds" + }, + { + "value": "thioethers", + "expanded": "Thioethers" + }, + { + "value": "thiols", + "expanded": "Thiols" + }, + { + "value": "thioureas", + "expanded": "Thioureas" + } + ] + }, + { + "predicate": "phenylpropanoids-and-polyketides", + "entry": [ + { + "value": "2-arylbenzofuran-flavonoids", + "expanded": "2-arylbenzofuran flavonoids" + }, + { + "value": "anthracyclines", + "expanded": "Anthracyclines" + }, + { + "value": "aurone-flavonoids", + "expanded": "Aurone flavonoids" + }, + { + "value": 
"cinnamic-acids-and-derivatives", + "expanded": "Cinnamic acids and derivatives" + }, + { + "value": "cinnamyl-alcohols", + "expanded": "Cinnamyl alcohols" + }, + { + "value": "coumarins-and-derivatives", + "expanded": "Coumarins and derivatives" + }, + { + "value": "depsides-and-depsidones", + "expanded": "Depsides and depsidones" + }, + { + "value": "diarylheptanoids", + "expanded": "Diarylheptanoids" + }, + { + "value": "flavonoids", + "expanded": "Flavonoids" + }, + { + "value": "isochromanequinones", + "expanded": "Isochromanequinones" + }, + { + "value": "isocoumarins-and-derivatives", + "expanded": "Isocoumarins and derivatives" + }, + { + "value": "isoflavonoids", + "expanded": "Isoflavonoids" + }, + { + "value": "linear-1,3-diarylpropanoids", + "expanded": "Linear 1,3-diarylpropanoids" + }, + { + "value": "macrolactams", + "expanded": "Macrolactams" + }, + { + "value": "macrolide-lactams", + "expanded": "Macrolide lactams" + }, + { + "value": "macrolides-and-analogues", + "expanded": "Macrolides and analogues" + }, + { + "value": "neoflavonoids", + "expanded": "Neoflavonoids" + }, + { + "value": "phenylpropanoic-acids", + "expanded": "Phenylpropanoic acids" + }, + { + "value": "saxitoxins,-gonyautoxins,-and-derivatives", + "expanded": "Saxitoxins, gonyautoxins, and derivatives" + }, + { + "value": "stilbenes", + "expanded": "Stilbenes" + }, + { + "value": "tannins", + "expanded": "Tannins" + }, + { + "value": "tetracyclines", + "expanded": "Tetracyclines" + } + ] + } + ] +} From 5ac97e5b417e0b566cd08ccd9366e89fdb2b79ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 1 Apr 2019 13:44:09 +0200 Subject: [PATCH 015/113] fix: Wrong namespace --- drugs/drugs.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drugs/drugs.json b/drugs/drugs.json index 543005a..ca85436 100644 --- a/drugs/drugs.json +++ b/drugs/drugs.json 
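Review bot: Under the `alkaloids-and-derivatives` predicate, the values `" allocolchicine-alkaloids"` and `" Amaryllidaceae alkaloids"` (and their `expanded` strings) carry a leading space, and the second keeps capitals and inner spaces, while every other value in the file is a lowercase hyphenated slug. Because `value` becomes the machine-readable part of the tag, that stray whitespace produces a tag that is hard to type and will never match a normalised `allocolchicine-alkaloids`; I would write `"value": "allocolchicine-alkaloids"` / `"expanded": "Allocolchicine alkaloids"` and `"value": "amaryllidaceae-alkaloids"` / `"expanded": "Amaryllidaceae alkaloids"`. Separately, `carboxylic-acids-and-derivatives` appears both under `organic-acids-and-derivatives` and as the sole entry of the `organic-acids` predicate (expanded `Organic Acids`), which looks like a duplicated superclass carried over from the source data rather than a distinct class; if both are intentional the description should say so, otherwise the single-entry predicate should be dropped. Predicates such as `lignans,-neolignans-and-related-compounds` and `mixed-metal/non-metal-compounds` also contain `,` and `/`, which may not survive tag parsers that treat the predicate as an unquoted token — worth confirming before merge.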
@@ -1,7 +1,7 @@
 {
- "namespace": "taxonomy_drugs",
+ "namespace": "drugs",
 "description": "A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest",
- "version": 1,
+ "version": 2,
 "predicates": [
 {
 "value": "alkaloids-and-derivatives",
From c53f505b8ea6d45668c5b3987c7bb7376491e044 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 1 Apr 2019 13:47:04 +0200
Subject: [PATCH 016/113] fix: Bad filename for the drugs taxonomy
---
 drugs/{drugs.json => machinetag.json} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename drugs/{drugs.json => machinetag.json} (100%)
diff --git a/drugs/drugs.json b/drugs/machinetag.json
similarity index 100%
rename from drugs/drugs.json
rename to drugs/machinetag.json
From c15464aca021e4c10fa37e597945bc7aa452c842 Mon Sep 17 00:00:00 2001
From: Alvaro <49281622+agent334@users.noreply.github.com>
Date: Thu, 4 Apr 2019 17:45:33 +0200
Subject: [PATCH 017/113] Common Taxonomy for LE and CSIRTs (Cybercrime)
The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem.
---
 common-taxonomy/machinetag.json | 213 ++++++++++++++++++++++++++++++++
 1 file changed, 213 insertions(+)
 create mode 100644 common-taxonomy/machinetag.json
diff --git a/common-taxonomy/machinetag.json b/common-taxonomy/machinetag.json
new file mode 100644
index 0000000..0123e82
--- /dev/null
+++ b/common-taxonomy/machinetag.json
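Review bot: The version bump to `2` is made only in `drugs/drugs.json`; the diffstat shows a single file changed, so the `MANIFEST.json` entry that PATCH 014 on this page added still reads `"version": 1` for `drugs`. A consumer that decides from the manifest whether to refresh a taxonomy will therefore not pick up the renamed namespace, so `"version": 2,` should be applied to that manifest entry in the same commit. Whether the manifest is regenerated by a script or edited by hand is not visible here; either way the two files must agree. The `predicates` array continues outside the hunk.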
@@ -0,0 +1,213 @@ +{ + "values": [ + { + "entry": [ + { + "description": "Malware detected in a system.", + "expanded": "Infection", + "value": "infection" + }, + { + "description": "Malware attached to a message or email message containing link to malicious URL or IP.", + "expanded": "Distribution", + "value": "distribution" + }, + { + "description": "System used as a command-and-control point by a botnet. Also included in this field are systems serving as a point for gathering information stolen by botnets.", + "expanded": "Command & Control (C&C)", + "value": "command-and-control" + }, + { + "description": "System attempting to gain access to a port normally linked to a specific type of malware / System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet.", + "expanded": "Malicious connection", + "value": "malicious-connection" + } + ], + "predicate": "malware" + }, + { + "entry": [ + { + "description": "Single source using specially designed software to affect the normal functioning of a specific service, by exploiting vulnerability / Mass mailing of requests (network packets, emails, etc.) 
from one single source to a specific service, aimed at affecting its normal functioning.", + "expanded": "Denial of Service (DoS) / Distributed Denial of Service (DDoS)", + "value": "dos-ddos" + }, + { + "description": "Logical and physical activities which – although they are not aimed at causing damage to information or at preventing its transmission among systems – have this effect.", + "expanded": "Sabotage", + "value": "sabotage" + } + ], + "predicate": "availability" + }, + { + "entry": [ + { + "description": "Single system scan searching for open ports or services using these ports for responding / Scanning a network aimed at identifying systems which are active in the same network / Transfer of a specific DNS zone.", + "expanded": "Scanning", + "value": "scanning" + }, + { + "description": "Logical or physical interception of communications.", + "expanded": "Sniffing", + "value": "sniffing" + }, + { + "description": "Mass emailing aimed at collecting data for phishing purposes with regard to the victims / Hosting web sites for phishing purposes.", + "expanded": "Phishing", + "value": "phishing" + } + ], + "predicate": "information-gathering" + }, + { + "entry": [ + { + "description": "Unsuccessful use of a tool exploiting a specific vulnerability of the system / Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique / Unsuccessful attempts to perform attacks by using cross-site scripting techniques / Unsuccessful attempt to include files in the system under attack by using file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.", + "expanded": "Exploitation of vulnerability attempt", + "value": "vulnerability-exploitation-attempt" + }, + { + "description": "Unsuccessful login by using sequential credentials for gaining access to the system / Unsuccessful acquisition of access credentials by breaking the protective cryptographic keys / 
Unsuccessful login by using system access credentials previously loaded into a dictionary.", + "expanded": "Login attempt", + "value": "login-attempt" + } + ], + "predicate": "intrusion-attempt" + }, + { + "entry": [ + { + "description": "Unauthorised use of a tool exploiting a specific vulnerability of the system / Unauthorised manipulation or reading of information contained in a database by using the SQL injection technique / Attack performed with the use of cross-site scripting techniques / Unauthorised inclusion of files into a system under attack with the use of file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.", + "expanded": "(Successful) Exploitation of vulnerability", + "value": "vulnerability-exploitation" + }, + { + "description": "Unauthorised access to a system or component by using stolen access credentials.", + "expanded": "Compromising an account", + "value": "account-compromise" + } + ], + "predicate": "intrusion" + }, + { + "entry": [ + { + "description": "Unauthorised access to a system or component / Unauthorised access to a set of information / Unauthorised access to and sharing of a specific set of information.", + "expanded": "Unauthorised access", + "value": "unauthorised-access" + }, + { + "description": "Unauthorised changes to a specific set of information / Unauthorised deleting of a specific set of information.", + "expanded": "Unauthorised modification / deletion", + "value": "unauthorised-modification-or-deletion" + } + ], + "predicate": "information-security" + }, + { + "entry": [ + { + "description": "Use of institutional resources for purposes other than those intended.", + "expanded": "Misuse or unauthorised use of resources", + "value": "resources-misuse" + }, + { + "description": "Unauthorised use of the name of an institution.", + "expanded": "False representation", + "value": "false-representation" + } + ], + "predicate": "fraud" + }, + { + "entry": [ + { 
+ "description": "Sending an unusually large quantity of email messages / Unsolicited or unwanted email message sent to the recipient.", + "expanded": "SPAM", + "value": "spam" + }, + { + "description": "Unauthorised distribution or sharing of content protected by Copyright and related rights.", + "expanded": "Copyright", + "value": "copyright" + }, + { + "description": "Distribution or sharing of illegal content such as child sexual exploitation material, racism, xenophobia, etc.", + "expanded": "Child Sexual Exploitation, racism or incitement to violence", + "value": "cse-racism-violence-incitement" + } + ], + "predicate": "abusive-content" + }, + { + "entry": [ + { + "description": "Incidents which do not fit the existing classification, acting as an indicator for the classification’s update.", + "expanded": "Unclassified incident", + "value": "unclassified-incident" + }, + { + "description": "Unprocessed incidents which have remained undetermined from the beginning.", + "expanded": "Undetermined incident", + "value": "undetermined-incident" + } + ], + "predicate": "other" + } + ], + "predicates": [ + { + "description": "Infection of one or various systems with a specific type of malware / Connection performed by/from/to (a) suspicious system(s)", + "expanded": "Malicious software/code", + "value": "malware" + }, + { + "description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative / Premeditated action to damage a system, interrupt a process, change or delete information, etc.", + "expanded": "Availability", + "value": "availability" + }, + { + "description": "Active and passive gathering of information on systems or networks / Unauthorised monitoring and reading of network traffic / Attempt to gather information on a user or a system through phishing methods.", + "expanded": "Information Gathering", + "value": "information-gathering" + }, + { + "description": "Attempt to intrude by exploiting 
vulnerability in a system, component or network / Attempt to log in to services or authentication/access control mechanisms.", + "expanded": "Intrusion Attempt", + "value": "intrusion-attempt" + }, + { + "description": "Actual intrusion by exploiting vulnerability in the system, component or network / Actual intrusion in a system, component or network by compromising a user or administrator account.", + "expanded": "Intrusion", + "value": "intrusion" + }, + { + "description": "Unauthorised access to a particular set of information / Unauthorised change or elimination of a particular set of information.", + "expanded": "Information Security", + "value": "information-security" + }, + { + "description": "Loss of property caused with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.", + "expanded": "Fraud", + "value": "fraud" + }, + { + "description": "Sending SPAM messages / Distribution and sharing of copyright protected content / Dissemination of content forbidden by law.", + "expanded": "Abusive Content", + "value": "abusive-content" + }, + { + "description": "Incidents not classified in the existing classification.", + "expanded": "Other", + "value": "other" + } + ], + "version": 1.3, + "description": "Common Taxonomy for Law enforcement and CSIRTs", + "refs": [ + "https://www.europol.europa.eu/publications-documents/common-taxonomy-for-law-enforcement-and-csirts", + "https://www.enisa.europa.eu/publications/tools-and-methodologies-to-support-cooperation-between-csirts-and-law-enforcement" + ], + "namespace": "common-taxonomy" +} From 00fd09ac7763682985bcb9abac3024dd468f13e0 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 10:50:01 +0200 Subject: [PATCH 018/113] fix space --- workflow/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workflow/machinetag.json b/workflow/machinetag.json index 49dd42c..bc1c7ae 100644 --- a/workflow/machinetag.json 
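Review bot: The `vulnerability-exploitation-attempt` entry under `intrusion-attempt` ends with `Unauthorised access to a system or component by bypassing an access control system in place.`, the very same clause that closes the successful `vulnerability-exploitation` entry under `intrusion`, so a completed access-control bypass can legitimately be tagged as either an attempt or an intrusion and the attempt/intrusion statistics this taxonomy exists to harmonise will blur. Suggest wording it as an attempt, e.g. `Unsuccessful attempt to bypass an access control system in place.`, or dropping the clause from the attempt entry altogether. Separately, `"version": 1.3` is a non-integer version while the other taxonomy files in this series use integers (`"version": 2`, `"version": 8`); a consumer comparing versions as integers may not treat 1.3 as newer than 1, so an integer such as `"version": 2` is safer.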
+++ b/workflow/machinetag.json @@ -1,7 +1,7 @@ { "namespace": "workflow", "expanded": "workflow to support analysis", - "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information. ", + "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.", "version": 8, "predicates": [ { From a39e0375efa2fedb6305a20de7000554460994ff Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 11:12:43 +0200 Subject: [PATCH 019/113] update readme --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ac1bba..d685ab7 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ The following taxonomies can be used in MISP (as local or distributed tags) or i The following taxonomies are described: -- [Access-now](./accessnow) +- [access-method](./access-method) - [action-taken](./action-taken) - [Admiralty Scale](./admiralty-scale) - [adversary](./adversary) - description of an adversary infrastructure @@ -47,6 +47,7 @@ The following taxonomies are described: - [NATO Classification Marking](./nato) - [Open Threat Taxonomy v1.1 (SANS)](./open_threat) - [OSINT Open Source Intelligence - Classification](./osint) +- [Ransomware](./ransomware) - [runtime-packer](./runtime-packer) - Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other o bfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries. - [STIX-TTP](./stix-ttp) - Represents the behavior or modus operandi of cyber adversaries as normalized in STIX From 1a08f2c9b8a330f9ade996ef2c82d292a5bdcd71 Mon Sep 17 00:00:00 2001 
From: Deborah Servili Date: Fri, 5 Apr 2019 11:13:21 +0200 Subject: [PATCH 020/113] add ransomware taxonomy WIP --- ransomware/machinetag.json | 58 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 ransomware/machinetag.json diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json new file mode 100644 index 0000000..83f18b1 --- /dev/null +++ b/ransomware/machinetag.json @@ -0,0 +1,58 @@ +{ + "namespace": "ransomware", + "expanded": "ransomware types and elements", + "description": "Ransomware is used to define ransomware types and the elements that compose them.", + "version": 1, + "predicates": [ + { + "value": "type", + "expanded": "Type", + "description": "Type is used to describe the type of a ransomware and how it works." + }, + { + "value": "element", + "expanded": "Element", + "description": "Elements that composed or are linked to a ransomware and its execution." + } + ], + "values": [ + { + "predicate": "type", + "entry": [ + { + "value": "scareware", + "expanded": "" + }, + { + "value": "locker", + "expanded": "" + }, + { + "value": "cryptolocker", + "expanded": "" + } + ], + }, + { + "predicate": "type", + "entry": [ + { + "value": "ransomnote", + "expanded": "" + }, + { + "value": "decoy", + "expanded": "" + }, + { + "value": "crypter", + "expanded": "" + }, + { + "value": "downloader", + "expanded": "" + } + ] + } + ] +} From 01894fd118ca991c706e563be14fe83683003bb3 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 11:26:29 +0200 Subject: [PATCH 021/113] ransomware taxonomy : decribe some types --- ransomware/machinetag.json | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 83f18b1..55f0b9c 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json 
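Review bot: The new file is not valid JSON: the first `values` entry closes with `],` followed by `},`, and that trailing comma after `]` is rejected by strict JSON parsers such as `jq`, so the file cannot be loaded as-is. Both value groups also declare `"predicate": "type"`, so the ransomnote/decoy/crypter/downloader entries attach to the wrong predicate and `element` is left with no values; the second group should read `"predicate": "element"`. The `"expanded": ""` fields are presumably WIP placeholders, but an empty expansion would likely show as blank wherever the tag is rendered, so either fill them in or omit the key until text exists.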
@@ -3,6 +3,9 @@ "expanded": "ransomware types and elements", "description": "Ransomware is used to define ransomware types and the elements that compose them.", "version": 1, + "refs": [ + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf" + ], "predicates": [ { "value": "type", @@ -21,15 +24,15 @@ "entry": [ { "value": "scareware", - "expanded": "" + "expanded": "Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software." }, { - "value": "locker", - "expanded": "" + "value": "locker-ransomware", + "expanded": "Locker eansomware, also called computer locker, denies access to the computer or device " }, { - "value": "cryptolocker", - "expanded": "" + "value": "crypto-ransomware", + "expanded": "Crypto ransomware, also called data locker prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does." } ], }, From 17c65b3d1834f96020b32b5606c5201a4b35f9bc Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 12:06:07 +0200 Subject: [PATCH 022/113] ransomware taxonomy : decribe some elements --- ransomware/machinetag.json | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 55f0b9c..2971b07 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json 
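Review bot: Typo in the new `locker-ransomware` expansion: `Locker eansomware, also called computer locker, denies access to the computer or device ` should read `Locker ransomware, also called computer locker, denies access to the computer or device.` — the string also ends in a trailing space and lacks a full stop, unlike its two siblings. The trailing comma after `]` (`], },`) is still present in this hunk's context, so the file remains unparsable by strict JSON parsers even after these edits; it is worth fixing in the same change rather than leaving the taxonomy unloadable between commits.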
@@ -41,19 +41,15 @@ "entry": [ { "value": "ransomnote", - "expanded": "" + "expanded": "A ransomnote is the message left by the attacker to threaten his victim and ask for ransom. It is usually seen as a text file or a picture set as background." }, { - "value": "decoy", - "expanded": "" - }, - { - "value": "crypter", - "expanded": "" + "value": "dropper", + "expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks by carring the malware inside of itself." }, { "value": "downloader", - "expanded": "" + "expanded": "a downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of carring it." } ] } From e2e0414f4b3c49b3920e1e66d744c4b82184e6be Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 12:06:54 +0200 Subject: [PATCH 023/113] ransomware taxonomy : decribe some elements --- ransomware/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 2971b07..7153160 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -37,7 +37,7 @@ ], }, { - "predicate": "type", + "predicate": "element", "entry": [ { "value": "ransomnote", From b5026a101be17f4e44406a71d115ae78f05d3bae Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 12:10:27 +0200 Subject: [PATCH 024/113] ##COMMA## --- ransomware/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 7153160..e76406d 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -34,7 +34,7 @@ "value": "crypto-ransomware", "expanded": "Crypto ransomware, also called data locker prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does." } - ], + ] }, { "predicate": "element", 
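Review bot: The new `dropper` and `downloader` expansions both assert that the component works `while bypassing the security checks`, which is not a defining property of either technique and overstates what the tag conveys: a dropper carries the payload embedded in its own body, a downloader fetches it at runtime, and evasion of security controls is a separate matter. Suggest `A dropper delivers malware embedded in its own body and writes it to the victim machine.` and `A downloader retrieves the malware from a remote location at runtime instead of carrying it.`. Also fix the typo `carring` → `carrying` (it appears in both entries) and capitalise `a downloader` to match the other expansions.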
From 97df10ab9eb22352fa6edd62e3e0947805138a35 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 5 Apr 2019 16:16:03 +0200 Subject: [PATCH 025/113] add complexity level [WIP - DO NOT MERGE] --- ransomware/machinetag.json | 47 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index e76406d..fc2bb94 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -16,6 +16,11 @@ "value": "element", "expanded": "Element", "description": "Elements that composed or are linked to a ransomware and its execution." + }, + { + "value": "complexity-level", + "expanded": "Complexity level", + "description": "Level of complexity of the ransomware." } ], "values": [ @@ -52,6 +57,48 @@ "expanded": "a downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of carring it." } ] + }, + { + "predicate": "complexity-level", + "entry": [ + { + "value": "no-actual-encryption-fake-scareware", + "expanded": "No actual encryption (fake scareware). infection merely poses as a ransomware by displaying a ransom note while not actually encrypting user files" + }, + { + "value": "display-ransomnote-before-encrypting", + "expanded": "Displaying the ransom note before encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + { + "value": "", + "expanded": "" + }, + + ] } ] } 
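Review bot: The new `complexity-level` block leaves the file syntactically invalid JSON: there is a trailing comma after the last `{ "value": "", "expanded": "" },` before the closing `]`, which strict parsers reject. Seven placeholder entries also share the empty value `""`, so even once it parses the taxonomy would contain seven duplicate `ransomware:complexity-level=""` tags; since the commit is already marked DO NOT MERGE, the placeholders are better removed from the committed JSON and added one by one as they are named. The two filled entries describe operational weaknesses in the ransomware's encryption scheme rather than a "complexity" as such, so the predicate description `Level of complexity of the ransomware.` could say what the scale actually ranks, e.g. `How robust the ransomware's encryption scheme is, from fake or trivially recoverable to no known recovery.`.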
From 4106e8591e90ccabe95b38ae9e14f3f3c7a20ae6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Apr 2019 21:22:18 +0200 Subject: [PATCH 026/113] chg: [MANIFEST] common-taxonomy added --- MANIFEST.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MANIFEST.json b/MANIFEST.json index c161894..5d284ee 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -444,11 +444,16 @@ "version": 1, "name": "flesch-reading-ease", "description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid)." + }, + { + "version": 1, + "name": "common-taxonomy", + "description": "The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem." } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190315" + "version": "20190407" } From 7697111df5285a537a217bcc205d614355dc2127 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Apr 2019 21:31:45 +0200 Subject: [PATCH 027/113] chg: [common-taxonomy] version fixed --- MANIFEST.json | 2 +- common-taxonomy/machinetag.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/MANIFEST.json b/MANIFEST.json index 5d284ee..22cf84b 100644 --- a/MANIFEST.json +++ b/MANIFEST.json 
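Review bot: The manifest entry records `"version": 1` for `common-taxonomy`, but `common-taxonomy/machinetag.json` added earlier in this series declares `"version": 1.3`, so the two files disagree on the taxonomy's version. If the consuming client decides whether to refresh a taxonomy by comparing the manifest version against the installed one (which is how this manifest appears to be used), a mismatch can leave the taxonomy stale or trigger repeated reloads. Keep the two in sync and use an integer in both, e.g. `"version": 2` in the manifest and in the taxonomy file.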
@@ -446,7 +446,7 @@
 "description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid)."
 },
 {
- "version": 1,
+ "version": 3,
 "name": "common-taxonomy",
 "description": "The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem."
 }
diff --git a/common-taxonomy/machinetag.json b/common-taxonomy/machinetag.json
index 0123e82..ed9f324 100644
--- a/common-taxonomy/machinetag.json
+++ b/common-taxonomy/machinetag.json
@@ -203,7 +203,7 @@
 "value": "other"
 }
 ],
- "version": 1.3,
+ "version": 3,
 "description": "Common Taxonomy for Law enforcement and CSIRTs",
 "refs": [
 "https://www.europol.europa.eu/publications-documents/common-taxonomy-for-law-enforcement-and-csirts",
From 61a9b812cee5542fee2b3dda240bf6d970cfe46b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 8 Apr 2019 10:29:52 +0200
Subject: [PATCH 028/113] chg: [MANIFEST] fix the EUCI description

---
 MANIFEST.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/MANIFEST.json b/MANIFEST.json
index 22cf84b..f8b065c 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -138,7 +138,7 @@ { "version": 1, "name": "euci", - "description": "EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013D0488&from=EN" + "description": "EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in COUNCIL DECISION of 23 September 2013 on the security rules for protecting EU classified information" }, { "version": 2, @@ -455,5 +455,5 @@ "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190407" + "version": "20190408" } From c8e1b364f90a6d7bb608c07123e5f4b4897311b6 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 8 Apr 2019 16:35:58 +0200 Subject: [PATCH 029/113] ransomware taxonomy [WIP] --- ransomware/machinetag.json | 43 +++++++++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index fc2bb94..e25156a 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json 
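Review bot: The rewritten EUCI description drops the only precise reference: the old text pointed at the EUR-Lex document `CELEX:32013D0488`, while the new text names the act only as `COUNCIL DECISION of 23 September 2013 on the security rules for protecting EU classified information`, which is harder to look up and could be confused with other decisions of the same date. Keeping the official number preserves traceability without a URL, e.g. `... as described in Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information` (2013/488/EU appears to be the decision the CELEX identifier denotes). If a link is unwanted in the manifest, a `refs` entry in the euci taxonomy file itself would be the natural place for it.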
@@ -70,34 +70,61 @@ "expanded": "Displaying the ransom note before encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." }, { - "value": "", + "value": "decryption-essentials-extracted-from-binary", + "expanded": "Decryption essentials can be reverse engineered from ransomware code or the user system. For example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware analysts to extract the key by disassembling the ransomware binary. " + }, + { + "value": "derived-encryption-key-predicted ", + "expanded": "Another possibility of reverse engineering the key is demonstrated in the case of the Linux.Encoder. Aransomware where a timestamp on the system was used to create keys for encryption resulting in easy decryption provided that the timestamp is still accessible." + }, + { + "value": "same-key used-for-each-infection", + "expanded": "Ransomware uses the same key for every victim. If the same key is used to encrypt all victims during a campaign, then one victim can share the secret key with others." + }, + { + "value": "encryption-circumvented", + "expanded": "decryption possible without key - Files can be decrypted without the need for a key due to poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known plaintext attacks and known-ciphertext attacks due to the keyreuse vulnerability and hence this is a poor implementation of the encryption algorithm." + }, + { + "value": "file-restoration-possible-using-shadow-volume-copies", + "expanded": "Files can be restored using system backups, e.g. 
Shadow Volume Copies on the New Technology File System (NTFS), that were neglected by the ransomware." + }, + { + "value": "key-recovered-from-file-system-or-memory", "expanded": "" }, { - "value": "", + "value": "due-diligence-prevented-ransomware-from-acquiring-key", "expanded": "" }, { - "value": "", + "value": "click-and-run-decryptor-exists", "expanded": "" }, { - "value": "", + "value": "kill-switch-exists-outside-of-attacker-s-control", "expanded": "" }, { - "value": "", + "value": "decryption-key-recovered-from-a-C&C-server-or-network-communications", "expanded": "" }, { - "value": "", + "value": "custom-encryption-algorithm-used", "expanded": "" }, { - "value": "", + "value": "decryption-key-recovered-under-specialized-lab-setting", "expanded": "" }, - + { + "value": "small-subset-of-files-left-unencrypted", + "expanded": "" + }, + { + "value": "encryption-model-is-seemingly-flawless", + "expanded": "" + } ] } ] From 7095e737f5f846152e10e029d1e79163b5b50bd2 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 9 Apr 2019 11:41:24 +0200 Subject: [PATCH 030/113] ransomware taxonomy - complexity level --- ransomware/machinetag.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index e25156a..61d7a8d 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json 
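Review bot: Several of the new `value` strings will not form clean, stable machinetags: `derived-encryption-key-predicted ` carries a trailing space, `same-key used-for-each-infection` has an embedded space, and `decryption-key-recovered-from-a-C&C-server-or-network-communications` contains `&` and capitals, whereas every other value in this file is lowercase kebab-case; tags are presumably matched as exact strings, so these are easy to mistype and hard to search for. Suggest `derived-encryption-key-predicted`, `same-key-used-for-each-infection` and `decryption-key-recovered-from-a-c2-server-or-network-communications`. In the `derived-encryption-key-predicted` expansion, `Linux.Encoder. Aransomware` should read `Linux.Encoder.A ransomware`, and in `encryption-circumvented` `keyreuse` should be `key reuse`.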
@@ -91,39 +91,39 @@ }, { "value": "key-recovered-from-file-system-or-memory", - "expanded": "" + "expanded": "Decryption key can be retrieved from the host machine’s file structure or memory by an average user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely delete keys from the host machine. The user can look in the right folder to discover the decryption key." }, { "value": "due-diligence-prevented-ransomware-from-acquiring-key", - "expanded": "" + "expanded": "User can prevent ransomware from acquiring the encryption key. Ransomware belongs in this category if its encryption procedure can be interrupted or blocked by due diligence on part of the user. For example, CryptoLocker discussed above cannot commence operation until it receives a key from the C&C server. A host or border firewall can block a list of known C&C servers hence rendering ransomware ineffective." }, { "value": "click-and-run-decryptor-exists", - "expanded": "" + "expanded": "Easy ‘Click-and-run’ solution such as a decryptor has been created by the security community such that a user can simply run the program to decrypt all files." }, { "value": "kill-switch-exists-outside-of-attacker-s-control", - "expanded": "" + "expanded": "There exists a kill switch outside of attacker’s control that renders the cryptoviral infection ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a domain name. The ransomware reached out to this domain before commencing encryption and if the domain existed, the ransomware aborted execution. This kill switch was outside the attacker’s control as anyone could register it and neutralize the ransomware outbreak." 
}, { "value": "decryption-key-recovered-from-a-C&C-server-or-network-communications", - "expanded": "" + "expanded": "Key can be retrieved from a central location such as a C&C server on a compromised host or gleaned with some difficulty from communication between ransomware on the host and the C&C server. For instance, in the case of CryptoLocker, authorities were able to seize a network of compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around 500, 000 victims." }, { "value": "custom-encryption-algorithm-used", - "expanded": "" + "expanded": "Ransomware uses custom encryption techniques and violates the fundamental rule of cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one cannot break themselves, however it will likely not withstand the scrutiny of professional cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a solution to decrypt files without paying the ransom. An example of this is an early variant of the GPCoder ransomware that emerged in 2005 with weak custom encryption." }, { "value": "decryption-key-recovered-under-specialized-lab-setting", - "expanded": "" + "expanded": "Key can only be retrieved under rare, specialized laboratory settings. For example, in the case of WannaCry, a vulnerability in a cryptographic API on an unpatched Windows XP system allowed users to acquire from RAM the prime numbers used to compute private keys and hence retrieve the decryption key. However, the victim had to have been running a specific version of Windows XP and be fortunate enough that the related address space in memory has not been reallocated to another process. In another example, it is theoretically possible to reverse WannaCry encryption by exploiting a flaw in the pseudo-random-number-generator (PRNG) in an unpatched Windows XP system that reveals keys generated in the past. 
Naturally, these specialized conditions are not true for most victims." }, { "value": "small-subset-of-files-left-unencrypted", - "expanded": "" + "expanded": "A small subset of files left unencrypted by the ransomware for any number of reasons. Certain ransomware are known to only encrypt a file if its size exceeds a predetermined value. In addition, ransomware might decrypt a few files for free to prove decryption is possible. In such cases, a small number of victims may be lucky enough to only need these unencrypted files and can tolerate loss of the rest." }, { "value": "encryption-model-is-seemingly-flawless", - "expanded": "" + "expanded": "Encryption model is resistant to cryptographic attacks and has been implemented seemingly flawlessly such that there are no known vulnerabilities in its execution. Simply put, there is no proven way yet to decrypt the files without paying the ransom." } ] } From 68b3490d8b4a13e3ee60478c3859fc1f71828813 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 9 Apr 2019 14:25:49 +0200 Subject: [PATCH 031/113] ransomware taxonomy - purpose --- ransomware/machinetag.json | 46 +++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 61d7a8d..99a05e0 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -4,7 +4,9 @@ "description": "Ransomware is used to define ransomware types and the elements that compose them.", "version": 1, "refs": [ - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf" + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf", + "https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf", + "https://bartblaze.blogspot.com/p/the-purpose-of-ransomware.html" ], "predicates": [ { 
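Review bot: In the `decryption-key-recovered-from-a-C&C-server-or-network-communications` expansion, `around 500, 000 victims` has a stray space and should read `around 500,000 victims`. The `kill-switch-exists-outside-of-attacker-s-control` expansion says the ransomware aborted `if the domain existed`; the check was whether a request to the domain succeeded, so `if the domain resolved and responded` states the condition more accurately and explains why registering (sinkholing) it neutralised the outbreak. The `click-and-run-decryptor-exists` text could also name who publishes such decryptors only if a reference is added, otherwise `by the security community` is fine as written.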
@@ -21,6 +23,11 @@ "value": "complexity-level", "expanded": "Complexity level", "description": "Level of complexity of the ransomware." + }, + { + "value": "purpose", + "expanded": "Purpose", + "description": "Purpose of the ransomware." } ], "values": [ 
@@ -126,6 +133,43 @@ "expanded": "Encryption model is resistant to cryptographic attacks and has been implemented seemingly flawlessly such that there are no known vulnerabilities in its execution. Simply put, there is no proven way yet to decrypt the files without paying the ransom." } ] + }, + { + "predicate": "purpose", + "entry": [ + { + "value": "deployed-as-ransomware-extortion", + "expanded": "This has been the traditional approach - ransomware is installed on the victim's machine, and its only purpose is to create income for the cybercriminal(s). In fact, ransomware is simple extortion, but via digital means." + }, + { + "value": "deployed-to-showcase-skills-for-fun-or-for-testing-purposes", + "expanded": "Some cybercriminals like to show off, and as such create the side-business of ransomware, or, more particularly to showcase their coding skills.\nAnother example may be to send ransomware 'as a joke' or for fun to your friends, and giving them a bad time.\nSome cybercriminals may be testing the waters by deploying ransomware in an organisation, to stress-test the defenses, or to test their own programming skills, or the lack thereof." + }, + { + "value": "deployed-as-smokescreen", + "expanded": "A very interesting occurrence indeed: ransomware is installed to hide the real purpose of whatever the cybercriminal or attacker is doing. This may be data exfiltration, lateral movement, or anything else, in theory, everything is a possible scenario... except for the ransomware itself." + }, + { + "value": "deployed-to-cause-frustration", + "expanded": "Another possible angle that goes hand in hand with the classic extortion scheme - deploying ransomware with intent of frustrating the victim. Basically, cyber bullying. While there may be a request for a monetary amount, it is not the purpose." 
+ }, + { + "value": "deployed-out-of-frustration", + "expanded": " Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company." + }, + { + "value": "deployed-as-a-cover-up", + "expanded": " This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation. The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.\nAnother possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.\nAgain, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'." + }, + { + "value": "deployed-as-a-penetration-test-or-user-awareness-training", + "expanded": "Ransomware is very effective in the sense that most people know what its purpose is, and the dangers it may cause. As such, it is an excellent tool that can be used for demonstration purposes, such as a user awareness training. Another possibility is an external pentest, with same purpose." 
+ }, + { + "value": "deployed-as-a-means-of-disruption-destruction", + "expanded": " Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.\nAgain, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale." + } + ] } ] } From 4092752c2ef60eba1df4a8bfdd55dbc68db10b73 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 10 Apr 2019 12:59:38 +0200 Subject: [PATCH 032/113] chg: [MANIFEST] ransonware added in the manifest --- MANIFEST.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MANIFEST.json b/MANIFEST.json index f8b065c..b2185a7 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -449,11 +449,16 @@ "version": 3, "name": "common-taxonomy", "description": "The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem." + }, + { + "version": 1, + "name": "ransomware", + "description": "Ransomware is used to define ransomware types and the elements that compose them." } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190408" + "version": "20190410" } From 186bf75aaa26952aacea49931000ea0c274a4dfa Mon Sep 17 00:00:00 2001 
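Review bot: The eight new `purpose` entries put multi-sentence prose, including embedded `\n`, into `expanded`, whereas the other taxonomies in this repository (the rsit entries later in this series, for instance) keep `expanded` as a short label and put the explanation in `description`; as far as I know MISP renders `expanded` as the tag's display text, so these tags will be unreadable in the tag picker. Suggest a short label plus a description for each, e.g. `"expanded": "Deployed as smokescreen", "description": "Ransomware is installed to hide the real purpose of whatever the attacker is doing, e.g. data exfiltration or lateral movement."`. Several values also mix the extortion motive with a monetary demand ("While there may be a request for a monetary amount, it is not the purpose"), which is worth a one-line note on the predicate saying the purpose is the analyst's assessment, not something observable from the sample.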
From: Alexandre Dulaunoy Date: Thu, 11 Apr 2019 06:55:39 +0200 Subject: [PATCH 033/113] chg: [ransomware] spaces removed --- ransomware/machinetag.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 99a05e0..4298d3c 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -2,7 +2,7 @@ "namespace": "ransomware", "expanded": "ransomware types and elements", "description": "Ransomware is used to define ransomware types and the elements that compose them.", - "version": 1, + "version": 2, "refs": [ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf", "https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf", 
@@ -155,11 +155,11 @@ }, { "value": "deployed-out-of-frustration", - "expanded": " Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company." + "expanded": "Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company." }, { "value": "deployed-as-a-cover-up", - "expanded": " This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation. 
The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.\nAnother possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.\nAgain, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'." + "expanded": "This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation. The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.\nAnother possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.\nAgain, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'." }, { "value": "deployed-as-a-penetration-test-or-user-awareness-training", @@ -167,7 +167,7 @@ }, { "value": "deployed-as-a-means-of-disruption-destruction", - "expanded": " Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.\nAgain, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale." + "expanded": "Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.\nAgain, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale." } ] } 
From ac6b8127fb40fd23029f59f28c804e0d8974e15e Mon Sep 17 00:00:00 2001 From: SwitHak Date: Thu, 11 Apr 2019 23:11:49 +0200 Subject: [PATCH 034/113] Update Ransomware galaxy Date: 2019-04-11 Author: SwitHak Purpose: Add 3 meta tags to specify how the ransomware uses file extensions: - ransomware-appended-extension -> This is the extension added by the ransomware to the files. - ransomware-encrypted-extensions -> This is the list of extensions that will be encrypted by the ransomware. Beware to keep the order. - ransomware-excluded-extensions -> This is the list of extensions that will not be encrypted by the ransomware. Beware to keep the order. If I missed something, tell me through the PR or via Twitter: @SwitHak --- ransomware/machinetag.json | 16 ++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 4298d3c..7a05fbb 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -2,7 +2,7 @@ "namespace": "ransomware", "expanded": "ransomware types and elements", "description": "Ransomware is used to define ransomware types and the elements that compose them.", - "version": 2, + "version": 2.1, "refs": [ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf", "https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf", @@ -40,7 +40,7 @@ }, { "value": "locker-ransomware", - "expanded": "Locker eansomware, also called computer locker, denies access to the computer or device " + "expanded": "Locker ransomware, also called computer locker, denies access to the computer or device " }, { "value": "crypto-ransomware", 
@@ -55,6 +55,18 @@ "value": "ransomnote", "expanded": "A ransomnote is the message left by the attacker to threaten his victim and ask for ransom. It is usually seen as a text file or a picture set as background." }, + { + "value": "ransomware-appended-extension", + "expanded": "This is the extension added by the ransomware to the files." + }, + { + "value": "ransomware-encrypted-extensions", + "expanded": "This is the list of extensions that will be encrypted by the ransomware. Beware to keep the order." + }, + { + "value": "ransomware-excluded-extensions", + "expanded": "This is the list of extensions that will not be encrypted by the ransomware. Beware to keep the order." + }, { "value": "dropper", "expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks by carring the malware inside of itself." From 4ac6b5c4b0d6a0618c65540a597a802ca1bf65f6 Mon Sep 17 00:00:00 2001 From: SwitHak Date: Thu, 11 Apr 2019 23:27:16 +0200 Subject: [PATCH 035/113] Update Ransomware taxonomy Integer value (sic) --- ransomware/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 7a05fbb..52f5a30 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -2,7 +2,7 @@ "namespace": "ransomware", "expanded": "ransomware types and elements", "description": "Ransomware is used to define ransomware types and the elements that compose them.", - "version": 2.1, + "version": 3, "refs": [ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf", "https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf", From 420322f31271ca1de8cd1423a4b2f31cb6a2e7c0 Mon Sep 17 00:00:00 2001 
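Review bot: The three new entries are tag labels, yet their `expanded` text reads as if the tag itself carried data (`This is the list of extensions ... Beware to keep the order.`); a machinetag is a fixed string of the form `ransomware:<predicate>="ransomware-encrypted-extensions"`, so there is nowhere for a list or an ordering to live, and a reader of the tag will not know what "keep the order" refers to. Reword them to describe the attribute the tag is meant to be attached to, e.g. `"expanded": "Extensions targeted for encryption (attach to the attribute holding the ordered list)"`, and similarly for the excluded list and the appended extension. The predicate these entries land in is outside this hunk, so I cannot confirm they sit under the element predicate alongside `ransomnote` and `dropper`.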
From: Alexandre Dulaunoy Date: Thu, 25 Apr 2019 15:28:11 +0200 Subject: [PATCH 036/113] chg: [misp] misp2yara related tags added --- misp/machinetag.json | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/misp/machinetag.json b/misp/machinetag.json index e3e5f43..d476d88 100755 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -125,6 +125,31 @@ { "expanded": "misp2stix", "value": "misp2stix" + }, + { + "expanded": "misp2yara", + "value": "misp2yara" + } + ] + }, + { + "predicate": "misp2yara", + "entry": [ + { + "expanded": "generated", + "value": "generated" + }, + { + "expanded": "as-is", + "value": "as-is" + }, + { + "expanded": "valid", + "value": "valid" + }, + { + "expanded": "invalid", + "value": "invalid" } ] } @@ -138,6 +163,10 @@ "expanded": "API related tag influencing the MISP behavior of the API.", "value": "api" }, + { + "expanded": "misp2yara export tool", + "value": "misp2yara" + }, { "description": "Expansion tag incluencing the MISP behavior using expansion modules", "expanded": "Expansion", @@ -171,7 +200,7 @@ "value": "tool" } ], - "version": 7, + "version": 8, "description": "MISP taxonomy to infer with MISP behavior or operation.", "expanded": "MISP", "namespace": "misp" From 3d2b8b1fcf26d9a3b36bb42aec42b093713a88b2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 27 Apr 2019 07:16:10 +0200 Subject: [PATCH 037/113] chg: [circl] sextortion added - #133 fixed --- circl/machinetag.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/circl/machinetag.json b/circl/machinetag.json index 291ae4d..caeb3ef 100644 --- a/circl/machinetag.json +++ b/circl/machinetag.json @@ -1,7 +1,7 @@ { "namespace": "circl", "description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection", - "version": 2, + "version": 3, "predicates": [ { "value": "incident-classification", 
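Review bot: The four values added under the new `misp2yara` predicate (`generated`, `as-is`, `valid`, `invalid`) have `expanded` identical to `value` and no `description`, so a consumer cannot tell what `valid`/`invalid` assert — that the exported rule compiles, that it was reviewed, or that it produced matches — nor whether `as-is` means the rule was exported without modification. Since these tags will presumably decide whether an exported YARA rule is fed to a scanner, pin the meaning with a `description` on each entry, e.g. `"description": "YARA rule produced by misp2yara compiles (syntactic validity only, not reviewed)"` if that is the intent. The `misp2yara export tool` predicate entry would also benefit from a `description` like its `Expansion` neighbour.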
@@ -83,6 +83,10 @@ { "value": "wiper", "expanded": "Wiper" + }, + { + "value": "sextortion", + "expanded": "sextortion" } ] }, From edaaaa5ccc6bc998a31284c89527e1c456b30d45 Mon Sep 17 00:00:00 2001 From: Michael Hamm Date: Tue, 14 May 2019 13:32:40 +0200 Subject: [PATCH 038/113] RSIT taxonomie added --- mapping/mapping.json | 48 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/mapping/mapping.json b/mapping/mapping.json index b589879..4d4b435 100644 --- a/mapping/mapping.json +++ b/mapping/mapping.json @@ -1,6 +1,12 @@ { "DDoS": { "values": [ + "rsit:availability=\"dos\"", + "rsit:availability=\"ddos\"", + "rsit:availability=\"misconfiguration\"", + "rsit:availability=\"sabotage\"", + "rsit:availability=\"outage\"", + "rsit:vulnerable=\"ddos-amplifier\"", "ecsirt:availability=\"ddos\"", "europol-incident:availability=\"dos-ddos\"", "ms-caro-malware:malware-type=\"DDoS\"", @@ -26,6 +32,13 @@ }, "exploit": { "values": [ + "rsit:intrusion-attempts=\"ids-alert\"", + "rsit:intrusion-attempts=\"exploit\"", + "rsit:intrusions=\"application-compromise\"", + "rsit:intrusions=\"burglary\"", + "rsit:vulnerable=\"weak-crypto\"", + "rsit:vulnerable=\"information-disclosure\"", + "rsit:vulnerable=\"vulnerable-system\"", "veris:action:malware:variety=\"Exploit vuln\"", "ecsirt:intrusion-attempts=\"exploit\"", "europol-event:exploit", 
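Review bot: `rsit:vulnerable="ddos-amplifier"` describes a victim-side exposure (an open resolver or monlist-enabled NTP server that could be abused), not a DDoS incident, so mapping it into the `DDoS` bucket will make a vulnerability notification count as an attack in any statistics or correlation built on this file; the neighbouring `ecsirt`/`europol-incident` mappings list only the ddos values. Likewise `rsit:availability="dos"` is single-source denial of service, which RSIT deliberately separates from `ddos`. I would keep `"rsit:availability=\"ddos\""` here and give `ddos-amplifier` its own bucket (or map it alongside the other `rsit:vulnerable` values) rather than conflating exposure with attack.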
@@ -35,12 +48,19 @@ }, "malware": { "values": [ + "rsit:malicious-code=\"infected-system\"", + "rsit:malicious-code=\"malware-distribution\"", + "rsit:malicious-code=\"malware-configuration\"", "ecsirt:malicious-code=\"malware\"", "circl:incident-classification=\"malware\"" ] }, "Remote Access Tool": { "values": [ + "rsit:information-content-security=\"unauthorised-information-access\"", + "rsit:information-content-security=\"unauthorised-information-modification\"", + "rsit:information-content-security=\"data-loss\"", + "rsit:vulnerable=\"potentially-unwanted-accessible\"", "enisa:nefarious-activity-abuse=\"remote-access-tool\"", "ms-caro-malware:malware-type=\"RemoteAccess\"" ] @@ -57,6 +77,7 @@ }, "spam": { "values": [ + "rsit:abusive-content=\"spam\"", "circl:incident-classification=\"spam\"", "ecsirt:abusive-content=\"spam\"", "enisa:nefarious-activity-abuse=\"spam\"", @@ -68,6 +89,7 @@ }, "scan": { "values": [ + "rsit:information-gathering=\"scanner\"", "circl:incident-classification=\"scan\"", "ecsirt:information-gathering=\"scanner\"", "europol-incident:information-gathering=\"scanning\"" @@ -75,6 +97,7 @@ }, "scan network": { "values": [ + "rsit:information-gathering=\"sniffing\"", "veris:action:malware:variety=\"Scan network\"", "europol-event:network-scanning" ] @@ -87,6 +110,8 @@ }, "phishing": { "values": [ + "rsit:fraud=\"phishing\"", + "rsit:information-gathering=\"social-engineering\"", "circl:incident-classification=\"phishing\"", "ecsirt:fraud=\"phishing\"", "veris:action:social:variety=\"Phishing\"", @@ -96,6 +121,7 @@ }, "brute force": { "values": [ + "rsit:intrusion-attempts=\"brute-force\"", "ecsirt:intrusion-attempts=\"brute-force\"", "veris:action:malware:variety=\"Brute force\"", "europol-event:brute-force-attempt", 
@@ -104,6 +130,8 @@ }, "backdoor": { "values": [ + "rsit:intrusions=\"privileged-account-compromise\"", + "rsit:intrusions=\"unprivileged-account-compromise\"", "ecsirt:intrusions=\"backdoor\"", "veris:action:malware:variety=\"Backdoor\"", "ms-caro-malware:malware-type=\"Backdoor\"" @@ -111,6 +139,7 @@ }, "c&c": { "values": [ + "rsit:malicious-code=\"c2-server\"", "ecsirt:malicious-code=\"c&c\"", "europol-incident:malware=\"c&c\"", "europol-event:c&c-server-hosting", @@ -127,6 +156,7 @@ }, "Adware": { "values": [ + "rsit:fraud=\"unauthorized-use-of-resources\"", "veris:action:malware:variety=\"Adware\"", "malware_classification:malware-category=\"Adware\"", "ms-caro-malware:malware-type=\"Adware\"" @@ -168,6 +198,24 @@ "ecsirt:malicious-code=\"worm\"" ] }, + "Content": { + "values": [ + "rsit:abusive-content=\"harmful-speech\"", + "rsit:abusive-content=\"violence\"", + "rsit:fraud=\"copyright\"", + "rsit:fraud=\"masquerade\"" + ] + }, + "other": { + "values": [ + "rsit:other=\"other\"" + ] + }, + "test": { + "values": [ + "rsit:test=\"test\"" + ] + }, "tlp-white": { "values": [ "tlp:white", From da608c6cb76b7e9b2f7cd8f2a73c2a12af7570d0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 14 May 2019 14:21:40 +0200 Subject: [PATCH 039/113] chg: [mapping] updated to the latest version --- mapping/mapping.json | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) diff --git a/mapping/mapping.json b/mapping/mapping.json index 4d4b435..ecf673c 100644 --- a/mapping/mapping.json +++ b/mapping/mapping.json @@ -3,9 +3,6 @@ "values": [ "rsit:availability=\"dos\"", "rsit:availability=\"ddos\"", - "rsit:availability=\"misconfiguration\"", - "rsit:availability=\"sabotage\"", - "rsit:availability=\"outage\"", "rsit:vulnerable=\"ddos-amplifier\"", "ecsirt:availability=\"ddos\"", "europol-incident:availability=\"dos-ddos\"", 
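Review bot: The new `Content` bucket places `rsit:fraud="masquerade"` next to the `abusive-content` values, but in the rsit taxonomy masquerade is one entity impersonating another for benefit — an identity-fraud incident and the parent notion of phishing — not hosted or posted content, so anyone filtering on this bucket will pull in impersonation cases and miss them in a fraud view. `rsit:fraud="copyright"` is borderline but defensible as content. Suggest moving masquerade out, e.g. next to `"rsit:fraud=\"phishing\""` in the `phishing` bucket or into a new `fraud` key.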
@@ -32,13 +29,7 @@ }, "exploit": { "values": [ - "rsit:intrusion-attempts=\"ids-alert\"", "rsit:intrusion-attempts=\"exploit\"", - "rsit:intrusions=\"application-compromise\"", - "rsit:intrusions=\"burglary\"", - "rsit:vulnerable=\"weak-crypto\"", - "rsit:vulnerable=\"information-disclosure\"", - "rsit:vulnerable=\"vulnerable-system\"", "veris:action:malware:variety=\"Exploit vuln\"", "ecsirt:intrusion-attempts=\"exploit\"", "europol-event:exploit", @@ -48,7 +39,6 @@ }, "malware": { "values": [ - "rsit:malicious-code=\"infected-system\"", "rsit:malicious-code=\"malware-distribution\"", "rsit:malicious-code=\"malware-configuration\"", "ecsirt:malicious-code=\"malware\"", @@ -57,10 +47,6 @@ }, "Remote Access Tool": { "values": [ - "rsit:information-content-security=\"unauthorised-information-access\"", - "rsit:information-content-security=\"unauthorised-information-modification\"", - "rsit:information-content-security=\"data-loss\"", - "rsit:vulnerable=\"potentially-unwanted-accessible\"", "enisa:nefarious-activity-abuse=\"remote-access-tool\"", "ms-caro-malware:malware-type=\"RemoteAccess\"" ] @@ -97,7 +83,6 @@ }, "scan network": { "values": [ - "rsit:information-gathering=\"sniffing\"", "veris:action:malware:variety=\"Scan network\"", "europol-event:network-scanning" ] @@ -111,7 +96,6 @@ "phishing": { "values": [ "rsit:fraud=\"phishing\"", - "rsit:information-gathering=\"social-engineering\"", "circl:incident-classification=\"phishing\"", "ecsirt:fraud=\"phishing\"", "veris:action:social:variety=\"Phishing\"", @@ -130,8 +114,6 @@ }, "backdoor": { "values": [ - "rsit:intrusions=\"privileged-account-compromise\"", - "rsit:intrusions=\"unprivileged-account-compromise\"", "ecsirt:intrusions=\"backdoor\"", "veris:action:malware:variety=\"Backdoor\"", "ms-caro-malware:malware-type=\"Backdoor\"" 
@@ -156,7 +138,6 @@ }, "Adware": { "values": [ - "rsit:fraud=\"unauthorized-use-of-resources\"", "veris:action:malware:variety=\"Adware\"", "malware_classification:malware-category=\"Adware\"", "ms-caro-malware:malware-type=\"Adware\"" @@ -198,7 +179,7 @@ "ecsirt:malicious-code=\"worm\"" ] }, - "Content": { + "content": { "values": [ "rsit:abusive-content=\"harmful-speech\"", "rsit:abusive-content=\"violence\"", From 112005898d81ac22005215b308b0a11a71e75ac9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 14 May 2019 16:09:26 +0200 Subject: [PATCH 040/113] chg: [rsit] updated to the latest version --- rsit/machinetag.json | 135 +++++++++++++++++++++++++------------------ 1 file changed, 80 insertions(+), 55 deletions(-) diff --git a/rsit/machinetag.json b/rsit/machinetag.json index 75e4d10..d7b212e 100644 --- a/rsit/machinetag.json +++ b/rsit/machinetag.json @@ -4,17 +4,17 @@ "entry": [ { "description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content.", - "expanded": "spam", + "expanded": "Spam", "value": "spam" }, { - "description": "Discreditation or discrimination of somebody e.g. cyber stalking, racism and threats against one or more individuals).", + "description": "Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.", "expanded": "Harmful Speech", "value": "harmful-speech" }, { - "description": "Child Pornography, glorification of violence, ...", - "expanded": "Child/Sexual/Violence/...", + "description": "Child pornography, glorification of violence, etc.", + "expanded": "Child Porn/Sexual/Violent Content", "value": "violence" } ], 
@@ -23,34 +23,24 @@ { "entry": [ { - "description": "Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.", - "expanded": "Virus", - "value": "virus" + "description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit.", + "expanded": "Infected System", + "value": "infected-system" }, { - "description": "see 'virus'", - "expanded": "Worm", - "value": "worm" + "description": "Command-and-control server contacted by malware on infected systems.", + "expanded": "C2 Server", + "value": "c2-server" }, { - "description": "see 'virus'", - "expanded": "Trojan", - "value": "trojan" + "description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.", + "expanded": "Malware Distribution", + "value": "malware-distribution" }, { - "description": "see 'virus'", - "expanded": "Spyware", - "value": "spyware" - }, - { - "description": "see 'virus'", - "expanded": "Dialer", - "value": "dialer" - }, - { - "description": "see 'virus'", - "expanded": "Rootkit", - "value": "rootkit" + "description": "URI hosting a malware configuration file, e.g. webinjects for a banking trojan.", + "expanded": "Malware Configuration", + "value": "malware-configuration" } ], "predicate": "malicious-code" @@ -58,7 +48,7 @@ { "entry": [ { - "description": "Attacks that send requests to a system to discover weak points. This includes also some kind of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.", + "description": "Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.", "expanded": "Scanning", "value": "scanner" }, 
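Review bot: This hunk deletes six values (`virus`, `worm`, `trojan`, `spyware`, `dialer`, `rootkit`) and introduces four unrelated ones, so any event already tagged e.g. `rsit:malicious-code="trojan"` now carries a tag that no longer exists in the taxonomy; bumping `version` does not migrate or remap those tags. If upstream RSIT really dropped them, a README/CHANGELOG note listing the removed values and their nearest replacements (e.g. `trojan`/`rootkit` → `infected-system`) would help operators, or the old entries could be kept for a deprecation period. Note also that the `worm` bucket in `mapping/mapping.json` (updated two commits earlier) has no rsit counterpart after this change.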
@@ -78,8 +68,8 @@ { "entry": [ { - "description": "An attempt to compromise a system or to disrupt any service by exploiting vunerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)", - "expanded": "Exploiting of known Vulnerabilities", + "description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)", + "expanded": "Exploitation of known Vulnerabilities", "value": "ids-alert" }, { @@ -88,7 +78,7 @@ "value": "brute-force" }, { - "description": "An attempt using an unknown exploit.", + "description": "An attack using an unknown exploit.", "expanded": "New attack signature", "value": "exploit" } 
@@ -98,24 +88,24 @@ { "entry": [ { - "description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. Also includes being part of a botnet.", + "description": "Compromise of a system where the attacker gained administrative privileges.", "expanded": "Privileged Account Compromise", "value": "privileged-account-compromise" }, { - "description": "see 'Privileged Account Compromise'", + "description": "Compromise of a system using an unprivileged (user/service) account.", "expanded": "Unprivileged Account Compromise", "value": "unprivileged-account-compromise" }, { - "description": "see 'Privileged Account Compromise'", + "description": "Compromise of an application by exploiting (un)known software vulnerabilities, e.g. SQL injection.", "expanded": "Application Compromise", "value": "application-compromise" }, { - "description": "see 'Privileged Account Compromise'", - "expanded": "Bot", - "value": "bot" + "description": "Physical intrusion, e.g. into corporate building or data center.", + "expanded": "Burglary", + "value": "burglary" } ], "predicate": "intrusions" 
@@ -123,23 +113,28 @@ { "entry": [ { - "description": "Denial of Service.", - "expanded": "DoS", + "description": "Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.", + "expanded": "Denial of Service", "value": "dos" }, { - "description": "Distributed Denial of Service.", - "expanded": "DDoS", + "description": "Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.", + "expanded": "Distributed Denial of Service", "value": "ddos" }, { - "description": "Sabotage.", + "description": "Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.", + "expanded": "Misconfiguration", + "value": "misconfiguration" + }, + { + "description": "Physical sabotage, e.g cutting wires or malicious arson.", "expanded": "Sabotage", "value": "sabotage" }, { - "description": "Outage (no malice).", - "expanded": "Outage (no malice)", + "description": "Outage caused e.g. by air condition failure or natural disaster.", + "expanded": "Outage", "value": "outage" } ], 
@@ -148,14 +143,19 @@ { "entry": [ { - "description": "Besides local abuse of data and systems, the security of information can be endangered by successful compromise of an account or application. In addition, attacks that intercept and access information during transmission (wiretapping, spoofing or hijacking) are possible. Human/configuration/software error can also be the cause.", + "description": "Unauthorized access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.", "expanded": "Unauthorised access to information", - "value": "Unauthorised-information-access" + "value": "unauthorised-information-access" }, { - "description": "see 'Unauthorised access to information'", + "description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.", "expanded": "Unauthorised modification of information", - "value": "Unauthorised-information-modification" + "value": "unauthorised-information-modification" + }, + { + "description": "Loss of data, e.g. caused by harddisk failure or physical theft.", + "expanded": "Data Loss", + "value": "data-loss" } ], "predicate": "information-content-security" @@ -163,7 +163,7 @@ { "entry": [ { - "description": "Using resources for unauthorized purposes including profit-making ventures (E.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes).", + "description": "Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.", "expanded": "Unauthorized use of resources", "value": "unauthorized-use-of-resources" }, 
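Review bot: Lower-casing `Unauthorised-information-access` and `Unauthorised-information-modification` is a rename of the tag string, not just a cosmetic fix: existing tags using the capitalised form will no longer resolve against the taxonomy, and a case-sensitive tag lookup will treat them as unknown. The new descriptions are a clear improvement, so keep the change, but call out the rename in the commit message or changelog so instances can re-tag. `data-loss` is a sensible addition; its description ("harddisk failure or physical theft") might mention that it is the non-malicious counterpart of the two unauthorised-* entries.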
@@ -173,12 +173,12 @@ "value": "copyright" }, { - "description": "Type of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it.", + "description": "Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.", "expanded": "Masquerade", "value": "masquerade" }, { - "description": "Masquerading as another entity in order to persuade the user to reveal a private credential.", + "description": "Masquerading as another entity in order to persuade the user to reveal private credentials.", "expanded": "Phishing", "value": "phishing" } 
@@ -188,9 +188,34 @@ { "entry": [ { - "description": "Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc.", - "expanded": "Open for abuse", - "value": "vulnerable-service" + "description": "Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.", + "expanded": "Weak crypto", + "value": "weak-crypto" + }, + { + "description": "Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.", + "expanded": "DDoS amplifier", + "value": "ddos-amplifier" + }, + { + "description": "Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.", + "expanded": "Potentially unwanted accessible services", + "value": "potentially-unwanted-accessible" + }, + { + "description": "Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.", + "expanded": "Information disclosure", + "value": "information-disclosure" + } + ], + "predicate": "vulnerable" + }, + { + "entry": [ + { + "description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.", + "expanded": "Vulnerable system", + "value": "vulnerable-system" } ], "predicate": "vulnerable" @@ -199,7 +224,7 @@ "entry": [ { "description": "All incidents which don't fit in one of the given categories should be put into this class.", - "expanded": "other", + "expanded": "Other", "value": "other" } ], @@ -273,7 +298,7 @@ "value": "test" } ], - "version": 1, + "version": 2, "description": "Reference Security Incident Classification Taxonomy", "namespace": "rsit" } From 46b8c68cda231cd746281d97749232c4a50d0d35 Mon Sep 17 00:00:00 2001 
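Review bot: The added lines close the `vulnerable` block (`+ ], + "predicate": "vulnerable" + }, + { + "entry": [`) and then reopen a second block that ends with the pre-existing context line `"predicate": "vulnerable"`, so `values` now holds two objects for the same predicate. `vulnerable-system` belongs in the same `entry` array as the four entries above it: drop the five added structural lines `],` / `"predicate": "vulnerable"` / `},` / `{` / `"entry": [` and turn the preceding `}` into `},`. The hunk also removes the `vulnerable-service` value without a same-named successor, so existing tags using it no longer resolve to anything; if the split into five entries is intended, the removal is worth calling out in the commit message. Finally, `potentially-unwanted-accessible` drops the noun of its own expanded name `Potentially unwanted accessible services`; `potentially-unwanted-accessible-service` matches the wording.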
From: Alexandre Dulaunoy Date: Fri, 17 May 2019 16:33:22 +0200 Subject: [PATCH 041/113] add: [dark-web] Criminal motivation on the dark web: A categorisation model for law enforcement Ref: Criminal motivation on the dark web: A categorisation model for law enforcement Janis Dalins, Campbell Wilson, Mark Carman --- MANIFEST.json | 7 +- dark-web/machinetag.json | 140 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 dark-web/machinetag.json diff --git a/MANIFEST.json b/MANIFEST.json index b2185a7..05408de 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -454,11 +454,16 @@ "version": 1, "name": "ransomware", "description": "Ransomware is used to define ransomware types and the elements that compose them." + }, + { + "version": 1, + "name": "dark-web", + "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project." } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190410" + "version": "20190517" } diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json new file mode 100644 index 0000000..6a9ab48 --- /dev/null +++ b/dark-web/machinetag.json 
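Review bot: The `dark-web` entry duplicates the taxonomy's description verbatim from dark-web/machinetag.json, and the two copies already differ — this one ends with `MISP Project.`, the new file's with `MISP Project` and no period — which is how the strings drift apart over time. The manifest `version` for the taxonomy is likewise a hand-maintained copy of the machinetag's `version`; if the manifest stays hand-edited rather than generated from the taxonomy files, every bump of the file needs a matching bump here, and a reviewer should check the pair together.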
@@ -0,0 +1,140 @@ +{ + "namespace": "dark-web", + "expanded": "Dark Web", + "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project", + "version": 1, + "predicates": [ + { + "value": "topic", + "description": "Topic associated with the materials tagged", + "expanded": "Topic" + }, + { + "value": "motivation", + "description": "Motivation with the materials tagged", + "expanded": "Motivation" + } + ], + "values": [ + { + "predicate": "topic", + "entry": [ + { + "value": "drugs-narcotics", + "expanded": "Drugs/Narcotics", + "description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)." + }, + { + "value": "extremism", + "expanded": "Extremism", + "description": "Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes." + }, + { + "value": "finance", + "expanded": "Finance", + "description": "Any monetary/currency/exchangeable materials. Includes carding, Bitcoin, Litecoin etc." + }, + { + "value": "hacking", + "expanded": "Hacking", + "description": "Materials relating to the illegal access to or alteration of data and/or electronic services." + }, + { + "value": "identification-credentials", + "expanded": "Identification/Credentials", + "description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials." 
+ }, + { + "value": "intellectual-property-copyright-materials", + "expanded": "Intellectual Property/Copyright Materials", + "description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders." + }, + { + "value": "pornography-adult", + "expanded": "Pornography - Adult", + "description": "Lawful, ethical pornography (i.e. involving only consenting adults)." + }, + { + "value": "pornography-child-exploitation", + "expanded": "Pornography - Child (Child Exploitation)", + "description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities" + }, + { + "value": "pornography-illicit-or-illegal", + "expanded": "Pornography - Illicit or Illegal", + "description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc." + }, + { + "value": "search-engine-index", + "expanded": "Search Engine/Index", + "description": "Site providing links/references to other sites/services. Referred to as a ‘nexus’ by (Moore and Rid, 2016)" + }, + { + "value": "unclear", + "expanded": "Unclear", + "description": "Unable to completely establish topic of material." + }, + { + "value": "violence", + "expanded": "Violence", + "description": "Materials relating to violence against persons or property." + }, + { + "value": "weapons", + "expanded": "Weapons", + "description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients." + }, + { + "value": "other-not-illegal", + "expanded": "Other not illegal", + "description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors." 
+ } + ] + }, + { + "predicate": "motivation", + "entry": [ + { + "value": "education-training", + "expanded": "Education & Training", + "description": "Materials providing instruction - e.g. ‘how to’ guides" + }, + { + "value": "file-sharing", + "expanded": "File Sharing", + "description": "General file sharing, typically (but not limited to) movie/image sharing" + }, + { + "value": "forum", + "expanded": "Forum", + "description": "Sites specifically designed for multiple users to communicate as peers" + }, + { + "value": "general", + "expanded": "General", + "description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites." + }, + { + "value": "information-sharing-reportage", + "expanded": "Information Sharing/Reportage", + "description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy." + }, + { + "value": "marketplace-for-sale", + "expanded": "Marketplace/For Sale", + "description": "Services/goods for sale, regardless of means of payment." + }, + { + "value": "recruitment-advocacy", + "expanded": "Recruitment/Advocacy", + "description": "Propaganda" + }, + { + "value": "system-placeholder", + "expanded": "System/Placeholder", + "description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2" + } + ] + } + ] +} From e0cd87bdc37910dcb079275347fe371309de0bb3 Mon Sep 17 00:00:00 2001 From: Terrtia Date: Mon, 20 May 2019 10:06:30 +0200 Subject: [PATCH 042/113] chg: [infoleak] add pgp-public-key-block, pgp-signature --- infoleak/machinetag.json | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/infoleak/machinetag.json b/infoleak/machinetag.json index d1b70f5..1c1a6ce 100644 --- a/infoleak/machinetag.json +++ b/infoleak/machinetag.json 
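Review bot: The `motivation` predicate's description `Motivation with the materials tagged` does not say what relationship to the material is meant; `"description": "Motivation behind the materials tagged",` states it. Quotation marks inside descriptions are inconsistent — `‘of concern’`, `‘how to’`, `‘nexus’` and `“It Works”` use typographic quotes while `'fantasy'` uses ASCII ones — and several descriptions (`search-engine-index`, `education-training`, `file-sharing`, `forum` among them) lack the terminating period the others have. Uniform quoting and punctuation across the entries is a small pass worth making before the file is published, since the strings are what users see on the tag.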
@@ -33,7 +33,7 @@ "expanded": "Test" } ], - "version": 3, + "version": 4, "description": "A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information.", "namespace": "infoleak", "values": [ @@ -96,6 +96,14 @@ "value": "pgp-message", "expanded": "PGP message" }, + { + "value": "pgp-public-key-block", + "expanded": "PGP public key block" + }, + { + "value": "pgp-signature", + "expanded": "PGP signature" + }, { "value": "pgp-private-key", "expanded": "PGP private key" @@ -209,6 +217,14 @@ "value": "pgp-message", "expanded": "PGP message" }, + { + "value": "pgp-public-key-block", + "expanded": "PGP public key block" + }, + { + "value": "pgp-signature", + "expanded": "PGP signature" + }, { "value": "pgp-private-key", "expanded": "PGP private key" From 8f2f8d696e0361c4c56a2b18edea9fcb5dc89021 Mon Sep 17 00:00:00 2001 From: Bart Date: Mon, 20 May 2019 20:09:27 +0100 Subject: [PATCH 043/113] Update machinetag.json Made several edits and additions. --- ransomware/machinetag.json | 40 +++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 52f5a30..09bb06e 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -2,7 +2,7 @@ "namespace": "ransomware", "expanded": "ransomware types and elements", "description": "Ransomware is used to define ransomware types and the elements that compose them.", - "version": 3, + "version": 4, "refs": [ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf", "https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf", 
@@ -40,11 +40,11 @@ }, { "value": "locker-ransomware", - "expanded": "Locker ransomware, also called computer locker, denies access to the computer or device " + "expanded": "Locker ransomware, also called screen locker, denies access to the browser, computer or device." }, { "value": "crypto-ransomware", - "expanded": "Crypto ransomware, also called data locker prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does." + "expanded": "Crypto ransomware, also called data locker or cryptoware, prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does." } ] }, @@ -53,7 +53,7 @@ "entry": [ { "value": "ransomnote", - "expanded": "A ransomnote is the message left by the attacker to threaten his victim and ask for ransom. It is usually seen as a text file or a picture set as background." + "expanded": "A ransomnote is the message left by the attacker to threaten their victim and ask for a ransom. It is usually seen as a text or HTML file, or a picture set as background." }, { "value": "ransomware-appended-extension", @@ -69,11 +69,11 @@ }, { "value": "dropper", - "expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks by carring the malware inside of itself." + "expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks, often by containing the malware inside of itself." }, { "value": "downloader", - "expanded": "a downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of carring it." + "expanded": "A downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of containing it." } ] }, 
@@ -81,20 +81,20 @@ "predicate": "complexity-level", "entry": [ { - "value": "no-actual-encryption-fake-scareware", - "expanded": "No actual encryption (fake scareware). infection merely poses as a ransomware by displaying a ransom note while not actually encrypting user files" + "value": "no-actual-encryption-scareware", + "expanded": "No actual encryption (scareware). Infection merely poses as a ransomware by displaying a ransom note or message while not actually encrypting user files." }, { "value": "display-ransomnote-before-encrypting", - "expanded": "Displaying the ransom note before encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." + "expanded": "Displaying the ransom note before the encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." }, { "value": "decryption-essentials-extracted-from-binary", - "expanded": "Decryption essentials can be reverse engineered from ransomware code or the user system. For example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware analysts to extract the key by disassembling the ransomware binary. " + "expanded": "Decryption essentials can be reverse engineered from ransomware code or the user's system. For example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware analysts to extract the key by reverse engineering the ransomware binary. 
" }, { "value": "derived-encryption-key-predicted ", - "expanded": "Another possibility of reverse engineering the key is demonstrated in the case of the Linux.Encoder. Aransomware where a timestamp on the system was used to create keys for encryption resulting in easy decryption provided that the timestamp is still accessible." + "expanded": "Another possibility of reverse engineering the key is demonstrated in the case of Linux.Encoder, a type of ransomware where a timestamp on the system was used to create keys for encryption resulting in easy decryption provided that the timestamp is still accessible." }, { "value": "same-key used-for-each-infection", 
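Review bot: Renaming the value `no-actual-encryption-fake-scareware` to `no-actual-encryption-scareware` changes the tag string itself, so existing tags carrying the old value no longer resolve to this entry; the version bump in the file's first hunk does not migrate them, and the commit message ("Made several edits and additions") does not mention a rename. Two pre-existing value defects are visible in this hunk's context lines and left as they are: `"value": "derived-encryption-key-predicted "` has a trailing space and `"value": "same-key used-for-each-infection"` has an embedded space, both of which become part of the tag. The rewritten `decryption-essentials-extracted-from-binary` text also appears to end with a space before its closing quote (`binary. "`); the line is split in this rendering, so that is inferred from the fragment.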
@@ -102,15 +102,19 @@ }, { "value": "encryption-circumvented", - "expanded": "decryption possible without key - Files can be decrypted without the need for a key due to poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known plaintext attacks and known-ciphertext attacks due to the keyreuse vulnerability and hence this is a poor implementation of the encryption algorithm." + "expanded": "Decryption possible without key - files can be decrypted without the need for a key due to poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known plaintext attacks and known ciphertext attacks due to key reuse and hence this is a poor implementation of an encryption algorithm." }, { "value": "file-restoration-possible-using-shadow-volume-copies", - "expanded": "Files can be restored using system backups, e.g. Shadow Volume Copies on the New Technology File System (NTFS), that were neglected by the ransomware." + "expanded": "Files can be restored using Shadow Volume Copies (“Previous Versions”) on the New Technology File System (NTFS), that were neglected to be deleted by the ransomware." + }, + { + "value": "file-restoration-possible-using-backups", + "expanded": "Files can be restored using a System State backup, System Image backup or other means of backup mechanisms (such as third-party backup software) that will render the ransomware's extortion attempt unsuccessful." }, { "value": "key-recovered-from-file-system-or-memory", - "expanded": "Decryption key can be retrieved from the host machine’s file structure or memory by an average user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely delete keys from the host machine. 
The user can look in the right folder to discover the decryption key." + "expanded": "Decryption key can be retrieved from the host machine’s file structure or memory by an average user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely delete keys from the host machine. The user can examine the right file or folder to discover the decryption key." }, { "value": "due-diligence-prevented-ransomware-from-acquiring-key", 
@@ -118,19 +122,19 @@ }, { "value": "click-and-run-decryptor-exists", - "expanded": "Easy ‘Click-and-run’ solution such as a decryptor has been created by the security community such that a user can simply run the program to decrypt all files." + "expanded": "Easy “Click-and-run” solutions such as a decryptor has been created by the security community such that a user can simply run the program to decrypt all files." }, { "value": "kill-switch-exists-outside-of-attacker-s-control", - "expanded": "There exists a kill switch outside of attacker’s control that renders the cryptoviral infection ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a domain name. The ransomware reached out to this domain before commencing encryption and if the domain existed, the ransomware aborted execution. This kill switch was outside the attacker’s control as anyone could register it and neutralize the ransomware outbreak." + "expanded": "There exists a kill switch outside of an attacker’s control that renders the cryptoviral infection ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a domain name. The ransomware reached out to this domain before commencing encryption and if the domain existed, the ransomware aborted execution. This kill switch was outside the attacker’s control as anyone could register it and neutralize the ransomware outbreak." }, { "value": "decryption-key-recovered-from-a-C&C-server-or-network-communications", - "expanded": "Key can be retrieved from a central location such as a C&C server on a compromised host or gleaned with some difficulty from communication between ransomware on the host and the C&C server. For instance, in the case of CryptoLocker, authorities were able to seize a network of compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around 500, 000 victims." 
+ "expanded": "Key can be retrieved from a central location such as a C&C server on a compromised host or gleaned with some difficulty from communication between ransomware on the host and the C&C server. For instance, in the case of CryptoLocker, authorities were able to seize a network of compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around 500,000 victims." }, { "value": "custom-encryption-algorithm-used", - "expanded": "Ransomware uses custom encryption techniques and violates the fundamental rule of cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one cannot break themselves, however it will likely not withstand the scrutiny of professional cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a solution to decrypt files without paying the ransom. An example of this is an early variant of the GPCoder ransomware that emerged in 2005 with weak custom encryption." + "expanded": "Ransomware uses custom encryption techniques and violates the fundamental rule of cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one cannot break themselves, however it will likely not withstand the scrutiny of professional cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a solution to decrypt files without paying the ransom. An example of this is an early variant of the GPCode ransomware that emerged in 2005 with weak custom encryption." }, { "value": "decryption-key-recovered-under-specialized-lab-setting", From 80e44b1b7d0cfa271fd0d2648064666317636e23 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 21 May 2019 10:05:09 +0200 Subject: [PATCH 044/113] chg: [ransomware] jq all the things --- ransomware/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
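Review bot: The rewritten `click-and-run-decryptor-exists` text introduces a number disagreement — `Easy “Click-and-run” solutions such as a decryptor has been created` — so either keep the original singular (`solution … has been created`) or make it `solutions … have been created`. The same hunk changes the malware name `GPCoder` to `GPCode` inside the `custom-encryption-algorithm-used` description; that is a factual correction rather than an editorial one, and the commit message does not call it out, so a reference for the name would help the next reader.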
diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 09bb06e..0ac0b1b 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -108,7 +108,7 @@ "value": "file-restoration-possible-using-shadow-volume-copies", "expanded": "Files can be restored using Shadow Volume Copies (“Previous Versions”) on the New Technology File System (NTFS), that were neglected to be deleted by the ransomware." }, - { + { "value": "file-restoration-possible-using-backups", "expanded": "Files can be restored using a System State backup, System Image backup or other means of backup mechanisms (such as third-party backup software) that will render the ransomware's extortion attempt unsuccessful." }, From 7be9709062915d6d5cbf7f9d2740f3c974559685 Mon Sep 17 00:00:00 2001 From: Jop van der Lelie Date: Tue, 21 May 2019 10:31:00 +0200 Subject: [PATCH 045/113] Add retention taxonomy --- retention/machinetag.json | 62 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 retention/machinetag.json diff --git a/retention/machinetag.json b/retention/machinetag.json new file mode 100644 index 0000000..5c83f0e --- /dev/null +++ b/retention/machinetag.json 
@@ -0,0 +1,62 @@ +{ + "namespace": "retention", + "expanded": "retention", + "description": "Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.", + "version": 1, + "refs": [ + "https://en.wikipedia.org/wiki/Retention_period" + ], + "predicates": [ + { + "value": "expired", + "expanded": "Set when the retention period has expired", + "numerical_value": 0, + "hide_tag": true + }, + { + "value": "1d", + "expanded": "1 day", + "numerical_value": 1 + }, + { + "value": "2d", + "expanded": "2 days", + "numerical_value": 2 + }, + { + "value": "7d", + "expanded": "7 days", + "numerical_value": 7 + }, + { + "value": "2w", + "expanded": "2 weeks", + "numerical_value": 14 + }, + { + "value": "1m", + "expanded": "1 month", + "numerical_value": 30 + }, + { + "value": "2m", + "expanded": "2 months", + "numerical_value": 60 + }, + { + "value": "3m", + "expanded": "3 months", + "numerical_value": 90 + }, + { + "value": "6m", + "expanded": "6 months", + "numerical_value": 180 + }, + { + "value": "1y", + "expanded": "1 year", + "numerical_value": 365 + } + ] +} From 7675d98902e378a641eb91b79800b9768caa9176 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 21 May 2019 13:34:46 +0200 Subject: [PATCH 046/113] chg: [MANIFEST] retention taxonomy added --- MANIFEST.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MANIFEST.json b/MANIFEST.json index 05408de..fb9c43b 100644 --- a/MANIFEST.json +++ b/MANIFEST.json 
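Review bot: The top-level `description` contains a typo in a string that is shown to users: `Add a retenion time to events` should be `Add a retention time to events`. The same sentence lists `m(onths)` as a unit; since `m` is commonly read as minutes in duration syntax and the `1m`/`2m`/`3m`/`6m` predicates map to 30-day months via `numerical_value` (30, 60, 90, 180), stating that explicitly — e.g. `m = months, counted as 30 days for sorting` — removes the ambiguity. `hide_tag` on the `expired` predicate is a key no other entry uses; whether the taxonomy schema accepts it is not visible from this file alone and should be checked against the validator.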
@@ -459,11 +459,16 @@ "version": 1, "name": "dark-web", "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project." + }, + { + "version": 1, + "name": "retention", + "description": "Retention taxonomy to describe the retention period of the tagged information." } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190517" + "version": "20190521" } From b82ab8bfd5e3b8e29b7b147053935cfc2d5868bc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 21 May 2019 13:42:57 +0200 Subject: [PATCH 047/113] chg: [retention] hide_tag removed to validate current schema Maybe we could improve the format to include it by default to taxonomy format to trigger the MISP hide tag functionality directly. {'value': 'expired', 'expanded': 'Set when the retention period has expired', 'numerical_value': 0, 'hide_tag': True}: Additional properties are not allowed ('hide_tag' was unexpected) --- retention/machinetag.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/retention/machinetag.json b/retention/machinetag.json index 5c83f0e..80ebb7f 100644 --- a/retention/machinetag.json +++ b/retention/machinetag.json @@ -10,8 +10,7 @@ { "value": "expired", "expanded": "Set when the retention period has expired", - "numerical_value": 0, - "hide_tag": true + "numerical_value": 0 }, { "value": "1d", From 6effdc3cd2d8b4bfe7c02657febb0fea2555210e Mon Sep 17 00:00:00 2001 From: Vincent-CIRCL Date: Fri, 14 Jun 2019 15:13:15 +0200 Subject: [PATCH 048/113] add: [core] darkweb structures and fixing previous motivations and topics --- dark-web/machinetag.json | 95 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 92 insertions(+), 3 deletions(-) 
diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index 6a9ab48..9813e0c 100644 --- a/dark-web/machinetag.json +++ b/dark-web/machinetag.json @@ -2,7 +2,7 @@ "namespace": "dark-web", "expanded": "Dark Web", "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project", - "version": 1, + "version": 1.1, "predicates": [ { "value": "topic", @@ -13,6 +13,11 @@ "value": "motivation", "description": "Motivation with the materials tagged", "expanded": "Motivation" + }, + { + "value": "structure", + "description": "Structure of the materials tagged", + "expanded": "Structure" } ], "values": [ @@ -34,6 +39,16 @@ "expanded": "Finance", "description": "Any monetary/currency/exchangeable materials. Includes carding, Bitcoin, Litecoin etc." }, + { + "value": "cash-in", + "expanded": "Cash-in", + "description": "_" + }, + { + "value": "cash-out", + "expanded": "Cash-out", + "description": "_" + }, { "value": "hacking", "expanded": "Hacking", 
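Review bot: `+ "version": 1.1,` is the only non-integer taxonomy version in this series — `infoleak`, `ransomware` and `rsit` all step by whole numbers, and MANIFEST.json records this taxonomy's version as the integer `1` — so a consumer comparing versions as integers may treat 1.1 as unchanged from 1 or reject the value outright. Bump to `"version": 2,` and update the MANIFEST entry in the same commit; the manifest is not touched here, so the two copies of the version diverge as of this patch.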
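Review bot: The new `cash-in` and `cash-out` entries in the `@@ -34,6 +39,16 @@` hunk ship with `"description": "_"`, and the `mixer` entry in the `@@ -84,10 +99,45 @@` hunk has `_` for both `expanded` and `description`. `expanded` and `description` are the human-readable text of a tag, so the underscore is what users will see; either write the text now or leave the entries out until it exists rather than publishing placeholders in a versioned taxonomy.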
@@ -84,10 +99,45 @@ "expanded": "Weapons", "description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients." }, + { + "value": "credit-card", + "expanded": "Credit-Card", + "description": "Credit cards and payments materials" + }, + { + "value": "counteir-feit-materials", + "expanded": "Counter-feit materials", + "description": "Fake identification papers." + }, + { + "value": "gambling", + "expanded": "Gambling", + "description": "Games involving money" + }, + { + "value": "library", + "expanded": "Library", + "description": "Library or list of books" + }, { "value": "other-not-illegal", "expanded": "Other not illegal", "description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors." + }, + { + "value": "legitimate", + "expanded": "Legitimate", + "description": "Legitimate websites" + }, + { + "value": "chat", + "expanded": "Chats platforms", + "description": "Chats space or equivalent, which are not forums" + }, + { + "value": "mixer", + "expanded": "_", + "description": "_" } ] }, @@ -109,6 +159,16 @@ "expanded": "Forum", "description": "Sites specifically designed for multiple users to communicate as peers" }, + { + "value": "wiki", + "expanded": "Wiki", + "description": "Wiki pages and information display" + }, + { + "value": "hosting", + "expanded": "Hosting", + "description": "Hosting providers" + }, { "value": "general", "expanded": "General", 
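Review bot: `"value": "counteir-feit-materials"` is misspelled, and because `value` is the tag string itself a later fix is a breaking rename, so `counterfeit-materials` (with `"expanded": "Counterfeit materials"`) should go in now. Its description `Fake identification papers.` overlaps the existing `identification-credentials` topic (passports, driver licenses), so the intended distinction between the two is worth stating in the description. Also `"expanded": "Chats platforms"` and `"description": "Chats space or equivalent, which are not forums"` read better as `Chat platforms` / `Chat spaces or equivalent that are not forums`.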
@@ -135,6 +195,35 @@ "description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2" } ] + }, + { + "predicate": "structure", + "entry": [ + { + "value": "incomplete", + "expanded": "Imcomplete websites or information", + "description": "Websites and pages that are unable to load completely properly" + }, + { + "value": "captcha", + "expanded": "Captcha and Solvers", + "description": "Captchas and solvers elements" + }, + { + "value": "LoginForms", + "expanded": "Logins forms and gates", + "description": "Authentification pages, login page, login forms that block access to an internal part of a website." + }, + { + "value": "police-notice", + "expanded": "Police Notice", + "description": "Closed websites, with police-equivalent banners" + }, + { + "value": "test", + "expanded": "Test", + "description": "Test websites without any real consequences or effects" + } + ] } - ] -} + } \ No newline at end of file From 08d0094ceaf027f0798b992d2542d376b3ce051e Mon Sep 17 00:00:00 2001 From: Vincent-CIRCL Date: Fri, 14 Jun 2019 15:20:31 +0200 Subject: [PATCH 049/113] add: [core] darkweb structures and fixing previous motivations and topics --- dark-web/machinetag.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index 9813e0c..f8826f4 100644 --- a/dark-web/machinetag.json +++ b/dark-web/machinetag.json @@ -226,4 +226,5 @@ } ] } - } \ No newline at end of file + ] +} \ No newline at end of file From 0f77d07a0c50e8781d128a3b0c3a0263b68e18c9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 14 Jun 2019 20:33:58 +0200 Subject: [PATCH 050/113] chg: [dark-web] json fixed --- dark-web/machinetag.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index f8826f4..943f486 100644 --- a/dark-web/machinetag.json 
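Review bot: The closing lines of this hunk replace `]` and `}` with a single `}` (and drop the final newline), so the `values` array is never closed and the file no longer parses as JSON. Inside the new `structure` block, `"value": "LoginForms"` is the only CamelCase value in the file — every other value is lowercase kebab-case, e.g. `police-notice` in the same block — so `login-forms` keeps the tag namespace consistent. The texts `Imcomplete websites or information` and `Authentification pages` also have typos (`Incomplete`, `Authentication`); both are runtime strings shown on the tag, so they are worth fixing before the version is published.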
+++ b/dark-web/machinetag.json
@@ -226,5 +226,5 @@
 }
 ]
 }
- ]
-}
\ No newline at end of file
+ ]
+}
From ee8a67f1114b539eaa2e263cf49685af9458ce41 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 14 Jun 2019 20:37:40 +0200
Subject: [PATCH 051/113] chg: [darkweb] updated to the latest version
---
 MANIFEST.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index fb9c43b..480195b 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -456,7 +456,7 @@
 "description": "Ransomware is used to define ransomware types and the elements that compose them."
 },
 {
- "version": 1,
+ "version": 2,
 "name": "dark-web",
 "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project."
 },
@@ -470,5 +470,5 @@
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190521"
+ "version": "20190614"
 }
From d87aed1ded8ce61dfba74efdf58e54a185d25232 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 14 Jun 2019 20:39:52 +0200
Subject: [PATCH 052/113] chg: [darkweb] version updated
---
 dark-web/machinetag.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json
index 943f486..5178274 100644
--- a/dark-web/machinetag.json
+++ b/dark-web/machinetag.json
@@ -2,7 +2,7 @@
 "namespace": "dark-web",
 "expanded": "Dark Web",
 "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project",
- "version": 1.1,
+ "version": 2,
 "predicates": [
 {
 "value": "topic",
From ffcf7be20b8ddfe9a589f8a47692fe60d72b9d02 Mon Sep 17 00:00:00 2001
From: Vincent-CIRCL Date: Mon, 17 Jun 2019 08:20:35 +0200 Subject: [PATCH 053/113] add: [core] darkweb improvement : scame, softwares, escrow, ... --- dark-web/machinetag.json | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index f8826f4..4123706 100644 --- a/dark-web/machinetag.json +++ b/dark-web/machinetag.json @@ -42,12 +42,17 @@ { "value": "cash-in", "expanded": "Cash-in", - "description": "_" + "description": "Buying parts of assets, conversion from liquid assets, currency, etc." }, { "value": "cash-out", "expanded": "Cash-out", - "description": "_" + "description": "Selling parts of assets, conversion to liquid assets, currency, etc." + }, + { + "value": "escrow", + "expanded": "Escrow", + "description": "Third party keeping assets in behalf of two other parties making a transactions." }, { "value": "hacking", @@ -99,6 +104,11 @@ "expanded": "Weapons", "description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients." }, + { + "value": "softwares", + "expanded": "Softwares", + "description": "Illegal or armful software distribution" + }, { "value": "credit-card", "expanded": "Credit-Card", @@ -136,8 +146,8 @@ }, { "value": "mixer", - "expanded": "_", - "description": "_" + "expanded": "Mixer", + "description": "Anonymization tools for crypto-currencies transactions" } ] }, @@ -162,12 +172,12 @@ { "value": "wiki", "expanded": "Wiki", - "description": "Wiki pages and information display" + "description": "Wiki pages, documentation and information display" }, { "value": "hosting", "expanded": "Hosting", - "description": "Hosting providers" + "description": "Hosting providers, e-mails, websites, file-storage etc." }, { "value": "general", 
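Review bot: Several of the new description strings have grammar or spelling slips: `Third party keeping assets in behalf of two other parties making a transactions.` should be `Third party keeping assets on behalf of two other parties making a transaction.`; `Illegal or armful software distribution` should read `harmful`; `Anonymization tools for crypto-currencies transactions` reads better as `cryptocurrency transactions`; and the `scam` entry in the next hunk has `to fraud people or group of people` where `to defraud a person or group of people` is meant. The new `softwares` value is also a non-standard plural that becomes the tag string itself — `software` (expanded `Software`) avoids a later breaking rename. No `version` bump accompanies the new `escrow`, `softwares` and `scam` entries in this patch, so consumers cannot tell from the version field that the taxonomy changed.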
@@ -179,6 +189,11 @@ "expanded": "Information Sharing/Reportage", "description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy." }, + { + "value": "scam", + "expanded": "Scam", + "description": "Intentional confidence trick to fraud people or group of people" + }, { "value": "marketplace-for-sale", "expanded": "Marketplace/For Sale", From 8650ff0c05882d992355c0d0193375441836a6cf Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Jun 2019 09:09:43 +0200 Subject: [PATCH 054/113] chg: [dark-web] taxonomy version updated --- MANIFEST.json | 4 ++-- dark-web/machinetag.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/MANIFEST.json b/MANIFEST.json index 480195b..e72457e 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -456,7 +456,7 @@ "description": "Ransomware is used to define ransomware types and the elements that compose them." }, { - "version": 2, + "version": 3, "name": "dark-web", "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project." }, @@ -470,5 +470,5 @@ "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190614" + "version": "20190617" } diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index a81d3fb..3ef75be 100644 --- a/dark-web/machinetag.json +++ b/dark-web/machinetag.json @@ -2,7 +2,7 @@ "namespace": "dark-web", "expanded": "Dark Web", "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project", - "version": 2, + "version": 3, "predicates": [ { "value": "topic", From 00c06dc0de76f003008680768ea34350e6ceb281 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Fri, 21 Jun 2019 08:58:14 +0200 Subject: [PATCH 055/113] new: [threats-to-dns] New taxonomy threats to DNS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614 As seen during FIRSTCON19 --- MANIFEST.json | 7 +- threats-to-dns/machinetag.json | 129 +++++++++++++++++++++++++++++++++ 2 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 threats-to-dns/machinetag.json diff --git a/MANIFEST.json b/MANIFEST.json index e72457e..6a652f1 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -464,11 +464,16 @@ "version": 1, "name": "retention", "description": "Retention taxonomy to describe the retention period of the tagged information." + }, + { + "version": 1, + "name": "threats-to-dns", + "description": "An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614" } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190617" + "version": "20190621" } diff --git a/threats-to-dns/machinetag.json b/threats-to-dns/machinetag.json new file mode 100644 index 0000000..85f9ce3 --- /dev/null +++ b/threats-to-dns/machinetag.json 
@@ -0,0 +1,129 @@
+{
+ "namespace": "threats-to-dns",
+ "expanded": "Threats to DNS",
+ "description": "An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "dns-protocol-attacks",
+ "description": "DNS protocol attacks",
+ "expanded": "DNS protocol attacks"
+ },
+ {
+ "value": "dns-server-attacks",
+ "description": "DNS server attacks",
+ "expanded": "DNS server attacks"
+ },
+ {
+ "value": "dns-abuse-or-misuse",
+ "description": "DNS abuse/misuse"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "dns-protocol-attacks",
+ "entry": [
+ {
+ "value": "man-in-the-middle-attack",
+ "expanded": "Man-in-the-middle attack",
+ "description": "Man-in-the-middle attack"
+ },
+ {
+ "value": "dns-spoofing",
+ "expanded": "DNS spoofing",
+ "description": "DNS spoofing"
+ },
+ {
+ "value": "dns-rebinding",
+ "expanded": "DNS rebinding",
+ "description": "DNS rebinding"
+ }
+ ]
+ },
+ {
+ "predicate": "dns-server-attacks",
+ "entry": [
+ {
+ "value": "server-dos-and-ddos",
+ "expanded": "Server DoS & DDoS",
+ "description": "Server DoS & DDoS"
+ },
+ {
+ "value": "server-hijacking",
+ "expanded": "Server hijacking",
+ "description": "Server hijacking"
+ },
+ {
+ "value": "cache-poisoning",
+ "expanded": "Cache poisoning",
+ "description": "Cache poisoning"
+ }
+ ]
+ },
+ {
+ "predicate": "dns-abuse-or-misuse",
+ "entry": [
+ {
+ "value": "domain-name-registration-abuse-cybersquatting",
+ "expanded": "Domain name registration abuse such as cybersquatting",
+ "description": "Domain name registration abuse such as cybersquatting"
+ },
+ {
+ "value": "domain-name-registration-abuse-typosquatting",
+ "expanded": "Domain name registration abuse such as typosquatting",
+ "description": "Domain name registration abuse such as typosquatting"
+ },
+ {
+ "value": "domain-name-registration-abuse-domain-reputation-and-re-registration",
+ "expanded": "Domain name registration abuse as domain reputation and re-registration",
+ "description": "Domain name registration abuse as domain reputation and re-gistration"
+ },
+ {
+ "value": "dns-reflection-dns-amplification",
+ "expanded": "DNS reflection - DNS amplification",
+ "description": "DNS reflection - DNS amplification"
+ },
+ {
+ "value": "malicious-or-compromised-domains-ips-malicious-botnets-c2",
+ "expanded": "Malicious or compromised domains/IPs - Malicious botnets (C&C servers)",
+ "description": "Malicious or compromised domains/IPs - Malicious botnets (C&C servers)"
+ },
+ {
+ "value": "malicious-or-compromised-domains-ips-fast-flux-domains",
+ "expanded": "Malicious or compromised domains/IPs - Malicious fast-flux domain & networks",
+ "description": "Malicious or compromised domains/IPs - Malicious fast-flux domain & networks"
+ },
+ {
+ "value": "malicious-or-compromised-domains-ips-malicious-dgas",
+ "expanded": "Malicious or compromised domains/IPs - Malicious DGAs",
+ "description": "Malicious or compromised domains/IPs - Malicious DGAs"
+ },
+ {
+ "value": "covert-channels-malicious-dns-tunneling",
+ "expanded": "Covert channels - Malicious DNS tunneling",
+ "description": "Covert channels - Malicious DNS tunneling"
+ },
+ {
+ "value": "covert-channels-malicious-payload-distribution",
+ "expanded": "Covert channels - Malicious DNS tunneling",
+ "description": "Covert channels - Malicious DNS tunneling"
+ },
+ {
+ "value": "benign-services-applications-malicious-dns-resolvers",
+ "expanded": "Benign services and applications - Malicious DNS resolvers",
+ "description": "Benign services and applications - Malicious DNS resolvers"
+ },
+ {
+ "value": "benign-services-applications-malicious-scanners",
+ "expanded": "Benign services and applications - Malicious scanners",
+ "description": "Benign services and applications - Malicious scanners"
+ },
+ {
+ "value": "benign-services-applications-url-shorteners",
+ "expanded": "Benign services and applications - URL shorteners",
+ "description": "Benign services and applications - URL shorteners"
+ }
+ ]
+ }
+ ]
+}
From 788371461432499007d558fc7acb4477c3d9a898 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Jun 2019 09:34:02 +0200
Subject: [PATCH 056/113] chg: [maec-malware-capabilities] typo fixed - #149 fixed
---
 maec-malware-capabilities/machinetag.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/maec-malware-capabilities/machinetag.json b/maec-malware-capabilities/machinetag.json
index e61ba2f..6848883 100644
--- a/maec-malware-capabilities/machinetag.json
+++ b/maec-malware-capabilities/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "maec-malware-capabilities",
 "description": "Malware Capabilities based on MAEC 5.0",
- "version": 1,
+ "version": 2,
 "predicates": [
 {
 "value": "maec-malware-capability",
@@ -66,7 +66,7 @@
 },
 {
 "value": "integrity-violation",
- "expanded": "integrity-violationk"
+ "expanded": "integrity-violation"
 },
 {
 "value": "machine-access-control",
@@ -130,7 +130,7 @@
 },
 {
 "value": "communicate-with-c2-server",
- "expanded": "communicate-with-c2-servern"
+ "expanded": "communicate-with-c2-server"
 },
 {
 "value": "compromise-data-availability",
From 35cae49d0c2ab0daf1c40315ffbb5f38fab4795c Mon Sep 17 00:00:00 2001
From: Vincent-CIRCL
Date: Tue, 25 Jun 2019 11:55:18 +0200
Subject: [PATCH 057/113] add: [darkweb] tags for mailprovider, mysterybox, vpn provider, conspirationist, ...
---
 dark-web/machinetag.json | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json
index 3ef75be..fce1451 100644
--- a/dark-web/machinetag.json
+++ b/dark-web/machinetag.json
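Review bot: The `covert-channels-malicious-payload-distribution` entry reuses the tunneling entry's text, so two distinct tags display with the same label `"Covert channels - Malicious DNS tunneling"`; it should carry `"expanded": "Covert channels - Malicious payload distribution"` with a matching `description`. The `dns-abuse-or-misuse` predicate is also the only one of the three without an `"expanded"` key, and the re-registration entry's description says `re-gistration` where its own `expanded` says `re-registration`. Since `expanded` and `description` are identical for every entry, a one-line description that actually explains each attack category would make the taxonomy more useful to an analyst than a repeated label.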
@@ -148,6 +148,26 @@ "value": "mixer", "expanded": "Mixer", "description": "Anonymization tools for crypto-currencies transactions" + }, + { + "value": "mystery-box", + "expanded": "Mystery-Box", + "description": "Mystery Box seller" + }, + { + "value": "anonymizer", + "expanded": "Anonymizer", + "description": "Anonymization tools" + }, + { + "value": "vpn-provider", + "expanded": "VPN-Provider", + "description": "Provides VPN services and related" + }, + { + "value": "email-provider", + "expanded": "EMail-Provider", + "description": "Provides e-mail services and related" } ] }, @@ -194,6 +214,11 @@ "expanded": "Scam", "description": "Intentional confidence trick to fraud people or group of people" }, + { + "value": "conspirationist", + "expanded": "Conspirationist", + "description": "Conspirationist content, fake news, etc." + }, { "value": "marketplace-for-sale", "expanded": "Marketplace/For Sale", From 02f8456192a147ede104017ac4adca7a0dad0ae0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 25 Jun 2019 12:18:27 +0200 Subject: [PATCH 058/113] chg: [misp-taxonomies] make numerical values consistent based on Sami feedback --- misp/machinetag.json | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/misp/machinetag.json b/misp/machinetag.json index d476d88..e95c60f 100755 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -66,7 +66,8 @@ }, { "expanded": "Confidence cannot be evaluated", - "value": "confidence-cannot-be-evalued" + "value": "confidence-cannot-be-evalued", + "numerical_value": 50 } ] }, @@ -105,7 +106,7 @@ { "expanded": "Generated automatically without human verification", "value": "unsupervised", - "numerical_value": 100 + "numerical_value": 0 }, { "expanded": "Generated automatically but verified by a human", @@ -115,7 +116,7 @@ { "expanded": "Output of human analysis", "value": "manual", - "numerical_value": 0 + "numerical_value": 100 } ] }, 
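Review bot: In the `@@ -66,7 +66,8 @@` hunk of misp/machinetag.json, `"numerical_value": 50` for `confidence-cannot-be-evalued` makes an absent confidence assessment numerically indistinguishable from a genuine mid-range rating once consumers score on `numerical_value`. If the intent is "unknown", omitting the key for this entry, or stating in the taxonomy description that 50 denotes an unassessed confidence, would keep scoring from silently treating it as medium confidence. The `value` string itself is a pre-existing misspelling of "evaluated"; renaming it would break existing tags, so keeping it is presumably deliberate.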
@@ -200,7 +201,7 @@ "value": "tool" } ], - "version": 8, + "version": 9, "description": "MISP taxonomy to infer with MISP behavior or operation.", "expanded": "MISP", "namespace": "misp" From 94ec6b6bfa06e2413d909b6dfbbede72707e39b8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 25 Jun 2019 12:38:47 +0200 Subject: [PATCH 059/113] chg: [all] Sami request to have "numerical values" for the decaying indicators project --- MANIFEST.json | 8 +-- economical-impact/machinetag.json | 56 ++++++++++++------- estimative-language/machinetag.json | 11 ++-- .../machinetag.json | 17 ++++-- 4 files changed, 59 insertions(+), 33 deletions(-) diff --git a/MANIFEST.json b/MANIFEST.json index 6a652f1..067f298 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -191,7 +191,7 @@ "description": "Malware classification based on a SANS whitepaper about malware." }, { - "version": 5, + "version": 9, "name": "misp", "description": "Internal MISP taxonomy." }, @@ -271,7 +271,7 @@ "description": "Vocabulary for Event Recording and Incident Sharing (VERIS)." }, { - "version": 1, + "version": 2, "name": "vocabulaire-des-probabilites-estimatives", "description": "Vocabulaire des probabilités estimatives" }, @@ -311,7 +311,7 @@ "description": "Sectors and sub sectors as identified by the NIS Directive." }, { - "version": 2, + "version": 3, "name": "economical-impact", "description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information." }, @@ -475,5 +475,5 @@ "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190621" + "version": "20190625" } diff --git a/economical-impact/machinetag.json b/economical-impact/machinetag.json index 2150dc8..3acbc1f 100644 --- a/economical-impact/machinetag.json +++ b/economical-impact/machinetag.json 
@@ -2,7 +2,7 @@ "namespace": "economical-impact", "expanded": " Economical Impact", "description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information (e.g. data exfiltration loss, a positive gain for an adversary).", - "version": 2, + "version": 3, "refs": [ "https://www.misp-project.org/" ], @@ -12,39 +12,48 @@ "entry": [ { "value": "none", - "expanded": "No loss" + "expanded": "No loss", + "numerical_value": 0 }, { "value": "less-than-25k-eur", - "expanded": "Less than 25K EUR" + "expanded": "Less than 25K EUR", + "numerical_value": 10 }, { "value": "less-than-50k-euro", - "expanded": "Less than 50K EUR" + "expanded": "Less than 50K EUR", + "numerical_value": 20 }, { "value": "less-than-100k-euro", - "expanded": "Less than 100K EUR" + "expanded": "Less than 100K EUR", + "numerical_value": 30 }, { "value": "less-than-1M-euro", - "expanded": "Less than 1 million EUR" + "expanded": "Less than 1 million EUR", + "numerical_value": 40 }, { "value": "less-than-10M-euro", - "expanded": "Less than 10 million EUR" + "expanded": "Less than 10 million EUR", + "numerical_value": 50 }, { "value": "less-than-100M-euro", - "expanded": "Less than 100 million EUR" + "expanded": "Less than 100 million EUR", + "numerical_value": 60 }, { "value": "less-than-1B-euro", - "expanded": "Less than 1 billion EUR" + "expanded": "Less than 1 billion EUR", + "numerical_value": 70 }, { "value": "more-than-1B-euro", - "expanded": "More than 1 billion EUR" + "expanded": "More than 1 billion EUR", + "numerical_value": 80 } ] }, 
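Review bot: The loss scale added in the `@@ -12,39 +12,48 @@` hunk runs 0–80 in steps of 10 with `more-than-1B-euro` at 80, while the other taxonomies given `numerical_value` in this series (misp, estimative-language, vocabulaire-des-probabilites-estimatives) top out at or near 100; a consumer that normalises to 100 will read the largest loss bucket as 80%. Either end the scale at 100 or state in the taxonomy `description` which scale the values use. The same applies to the gain scale in the `@@ -53,39 +62,48 @@` hunk on the next line. The context line `"expanded": " Economical Impact"` also carries a leading space that predates this change.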
@@ -53,39 +62,48 @@ "entry": [ { "value": "none", - "expanded": "No gain" + "expanded": "No gain", + "numerical_value": 0 }, { "value": "less-than-25k-eur", - "expanded": "Less than 25K EUR" + "expanded": "Less than 25K EUR", + "numerical_value": 10 }, { "value": "less-than-50k-euro", - "expanded": "Less than 50K EUR" + "expanded": "Less than 50K EUR", + "numerical_value": 20 }, { "value": "less-than-100k-euro", - "expanded": "Less than 100K EUR" + "expanded": "Less than 100K EUR", + "numerical_value": 30 }, { "value": "less-than-1M-euro", - "expanded": "Less than 1 million EUR" + "expanded": "Less than 1 million EUR", + "numerical_value": 40 }, { "value": "less-than-10M-euro", - "expanded": "Less than 10 million EUR" + "expanded": "Less than 10 million EUR", + "numerical_value": 50 }, { "value": "less-than-100M-euro", - "expanded": "Less than 100 million EUR" + "expanded": "Less than 100 million EUR", + "numerical_value": 60 }, { "value": "less-than-1B-euro", - "expanded": "Less than 1 billion EUR" + "expanded": "Less than 1 billion EUR", + "numerical_value": 70 }, { "value": "more-than-1B-euro", - "expanded": "More than 1 billion EUR" + "expanded": "More than 1 billion EUR", + "numerical_value": 80 } ] } diff --git a/estimative-language/machinetag.json b/estimative-language/machinetag.json index 16445ac..8a65673 100644 --- a/estimative-language/machinetag.json +++ b/estimative-language/machinetag.json @@ -2,7 +2,7 @@ "namespace": "estimative-language", "expanded": "Estimative languages", "description": "Estimative language to describe quality and credibility of underlying sources, data, and methodologies based Intelligence Community Directive 203 (ICD 203) and JP 2-0, Joint Intelligence", - "version": 3, + "version": 4, "predicates": [ { "value": "likelihood-probability", 
@@ -62,17 +62,20 @@ { "value": "low", "expanded": "Low", - "description": "Uncorroborated information from good or marginal sources. Many assumptions. Mostly weak logical inferences, minimal methods application. Glaring intelligence gaps exist. Terms or expressions used: 'Possible', 'Could, may, might', 'Cannot judge, unclear.'" + "description": "Uncorroborated information from good or marginal sources. Many assumptions. Mostly weak logical inferences, minimal methods application. Glaring intelligence gaps exist. Terms or expressions used: 'Possible', 'Could, may, might', 'Cannot judge, unclear.'", + "numerical_value": 0 }, { "value": "moderate", "expanded": "Moderate", - "description": "Partially corroborated information from good sources. Several assumptions. Mix of strong and weak inferences and methods. Minimum intelligence gaps exist. Terms or expressions used: 'Likely, unlikely', 'Probable, improbable' 'Anticipate, appear'." + "description": "Partially corroborated information from good sources. Several assumptions. Mix of strong and weak inferences and methods. Minimum intelligence gaps exist. Terms or expressions used: 'Likely, unlikely', 'Probable, improbable' 'Anticipate, appear'.", + "numerical_value": 55 }, { "value": "high", "expanded": "High", - "description": "Well-corroborated information from proven sources. Minimal assumptions. Strong logical inferences and methods. No or minor intelligence gaps exist. Terms or expressions used: 'Will, will not', 'Almost certainly, remote', 'Highly likely, highly unlikely', 'Expect, assert, affirm'." + "description": "Well-corroborated information from proven sources. Minimal assumptions. Strong logical inferences and methods. No or minor intelligence gaps exist. Terms or expressions used: 'Will, will not', 'Almost certainly, remote', 'Highly likely, highly unlikely', 'Expect, assert, affirm'.", + "numerical_value": 95 } ] } 
diff --git a/vocabulaire-des-probabilites-estimatives/machinetag.json b/vocabulaire-des-probabilites-estimatives/machinetag.json index 81b4e03..87086b9 100644 --- a/vocabulaire-des-probabilites-estimatives/machinetag.json +++ b/vocabulaire-des-probabilites-estimatives/machinetag.json @@ -4,23 +4,28 @@ "entry": [ { "expanded": "Presque aucune chance - Quasi impossible Presque impossible Minces chances Très douteux Très peu probable Très improbable Improbable Peu de chances - 7 % (marge d’erreur d’environ 5 %)", - "value": "presque-aucune-chance" + "value": "presque-aucune-chance", + "numerical_value": 7 }, { "expanded": "Probablement pas - Invraisemblable Peu probable - 30 % (marge d’erreur d’environ 10 %)", - "value": "probablement-pas" + "value": "probablement-pas", + "numerical_value": 30 }, { "expanded": "Chances à peu près égales - une chance sur deux - 50% (marge d’erreur d’environ 10 %)", - "value": "chances-à-peu-près-egales" + "value": "chances-à-peu-près-egales", + "numerical_value": 50 }, { "expanded": "Probable - Vraisemblable Probable - 75 % (marge d’erreur d’environ 12 %)", - "value": "probable" + "value": "probable", + "numerical_value": 75 }, { "expanded": "Quasi certaine - Certain Presque certain Très probable - 93% (marge d’erreur d’environ 6 %)", - "value": "quasi-certaine" + "value": "quasi-certaine", + "numerical_value": 93 } ], "predicate": "degré-de-probabilité" @@ -33,7 +38,7 @@ "value": "degré-de-probabilité" } ], - "version": 1, + "version": 2, "description": "Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité", "expanded": "Vocabulaire des probabilités estimatives", "namespace": "vocabulaire-des-probabilites-estimatives", From 7221d62bc3e8c5cd9faa1b5b0c3a76fae540c102 Mon Sep 17 00:00:00 2001 
From: Vincent-CIRCL Date: Tue, 25 Jun 2019 14:19:29 +0200 Subject: [PATCH 060/113] add: [darkweb] tags for hate-speech, religious, privacypolicy --- dark-web/machinetag.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index fce1451..41bf880 100644 --- a/dark-web/machinetag.json +++ b/dark-web/machinetag.json @@ -219,6 +219,16 @@ "expanded": "Conspirationist", "description": "Conspirationist content, fake news, etc." }, + { + "value": "hate-speech", + "expanded": "Hate-Speech", + "description": "Racism, violent, hate... speech." + }, + { + "value": "religious", + "expanded": "Religious", + "description": "Religious, faith, doctrinal related content." + }, { "value": "marketplace-for-sale", "expanded": "Marketplace/For Sale", @@ -259,6 +269,11 @@ "expanded": "Police Notice", "description": "Closed websites, with police-equivalent banners" }, + { + "value": "legal-statement", + "expanded": "Legal-Statement", + "description": "RGPD statement, Privacy-policy, ..." + }, { "value": "test", "expanded": "Test", From 5698b5cf77da058a72d01c6de2e4ac738228919e Mon Sep 17 00:00:00 2001 From: Vincent-CIRCL Date: Tue, 25 Jun 2019 15:40:24 +0200 Subject: [PATCH 061/113] fix [darkweb] videos and ponies --- dark-web/machinetag.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index 41bf880..cb77b61 100644 --- a/dark-web/machinetag.json +++ b/dark-web/machinetag.json @@ -168,6 +168,11 @@ "value": "email-provider", "expanded": "EMail-Provider", "description": "Provides e-mail services and related" + }, + { + "value": "ponies", + "expanded": "Ponies", + "description": "self-explanatory. It's ponies" } ] }, @@ -278,6 +283,11 @@ "value": "test", "expanded": "Test", "description": "Test websites without any real consequences or effects" + }, + { + "value": "videos", + "expanded": "Videos", + "description": "Videos and streaming" } ] } 
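Review bot: `"description": "self-explanatory. It's ponies"` on the new `ponies` entry gives an analyst no definition of what content the tag covers; if this is a real category in the source categorisation model it needs a one-line description of the content, otherwise it reads as a placeholder that should not ship in a taxonomy the file itself describes as a model for law enforcement. In the `@@ -259,6 +269,11 @@` hunk of the preceding patch, `"RGPD statement, Privacy-policy, ..."` uses the French acronym; `"GDPR statement, privacy policy, ..."` matches the English wording used by the rest of the file.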
From 22d0ec9a4c3136d12daab45c70702dde6df978bf Mon Sep 17 00:00:00 2001 From: Vincent-CIRCL Date: Fri, 28 Jun 2019 10:43:24 +0200 Subject: [PATCH 062/113] add: [darkweb] ddos services, politics, whistleblower, ... --- dark-web/machinetag.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json index cb77b61..87fa861 100644 --- a/dark-web/machinetag.json +++ b/dark-web/machinetag.json @@ -173,6 +173,11 @@ "value": "ponies", "expanded": "Ponies", "description": "self-explanatory. It's ponies" + }, + { + "value": "whistleblower", + "expanded": "Whistleblower", + "description": "Exposition and sharing of confidential information with protection of the witness in mind" } ] }, @@ -204,6 +209,11 @@ "expanded": "Hosting", "description": "Hosting providers, e-mails, websites, file-storage etc." }, + { + "value": "ddos-services", + "expanded": "DDoS-Services", + "description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc." + }, { "value": "general", "expanded": "General", @@ -229,6 +239,11 @@ "expanded": "Hate-Speech", "description": "Racism, violent, hate... speech." }, + { + "value": "political-speech", + "expanded": "Political-Speech", + "description": "Political, activism, without extremism." + }, { "value": "religious", "expanded": "Religious", From 5e85f462caf442bb03c6c447d3161b4a94d74f2b Mon Sep 17 00:00:00 2001 From: itAtcsirtamericasDotOrg Date: Thu, 4 Jul 2019 13:17:13 -0700 Subject: [PATCH 063/113] Adding first version of CSIRTAmericas.org Taxonomy --- CSIRTAmericas.org/machinetag.json | 63 +++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 CSIRTAmericas.org/machinetag.json diff --git a/CSIRTAmericas.org/machinetag.json b/CSIRTAmericas.org/machinetag.json new file mode 100644 index 0000000..677276d --- /dev/null +++ b/CSIRTAmericas.org/machinetag.json 
@@ -0,0 +1,63 @@ +{ + "namespace": "csirt-americas", + "description": "Taxonomia CSIRT Americas.", + "version": 1, + "predicates": [ + { + "value": "defacement", + "expanded": "Defacement" + }, + { + "value": "malware", + "expanded": "Malware" + }, + { + "value": "ddos", + "expanded": "DDoS" + }, + { + "value": "phishing", + "expanded": "Phishing" + }, + { + "value": "spam", + "expanded": "Spam" + }, + { + "value": "botnet", + "expanded": "Botnet" + }, + { + "value": "fastflux", + "expanded": "Fastflux" + }, + { + "value": "cryptojacking", + "expanded": "Cryptojacking" + }, + { + "value": "xss", + "expanded": "XSS" + }, + { + "value": "sqli", + "expanded": "SQL Injection" + }, + { + "value": "vulnerability", + "expanded": "Vulnerability" + }, + { + "value": "infoleak", + "expanded": "Information leak" + }, + { + "value": "compromise", + "expanded": "System compromise" + }, + { + "value": "other", + "expanded": "Other" + } + ] +} From 7bb05bbe203e035ab65ce029c24b496dc1452db1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jul 2019 07:17:42 +0200 Subject: [PATCH 064/113] chg: [CSIRTamericas] updated --- CSIRTAmericas.org/machinetag.json | 56 +++++++++++++++---------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/CSIRTAmericas.org/machinetag.json b/CSIRTAmericas.org/machinetag.json index 677276d..3f1faa9 100644 --- a/CSIRTAmericas.org/machinetag.json +++ b/CSIRTAmericas.org/machinetag.json 
@@ -4,60 +4,60 @@ "version": 1, "predicates": [ { - "value": "defacement", - "expanded": "Defacement" + "value": "defacement", + "expanded": "Defacement" }, { - "value": "malware", - "expanded": "Malware" + "value": "malware", + "expanded": "Malware" }, { - "value": "ddos", - "expanded": "DDoS" + "value": "ddos", + "expanded": "DDoS" }, { - "value": "phishing", - "expanded": "Phishing" + "value": "phishing", + "expanded": "Phishing" }, { - "value": "spam", - "expanded": "Spam" + "value": "spam", + "expanded": "Spam" }, { - "value": "botnet", - "expanded": "Botnet" + "value": "botnet", + "expanded": "Botnet" }, { - "value": "fastflux", - "expanded": "Fastflux" + "value": "fastflux", + "expanded": "Fastflux" }, { - "value": "cryptojacking", - "expanded": "Cryptojacking" + "value": "cryptojacking", + "expanded": "Cryptojacking" }, { - "value": "xss", - "expanded": "XSS" + "value": "xss", + "expanded": "XSS" }, { - "value": "sqli", - "expanded": "SQL Injection" + "value": "sqli", + "expanded": "SQL Injection" }, { - "value": "vulnerability", - "expanded": "Vulnerability" + "value": "vulnerability", + "expanded": "Vulnerability" }, { - "value": "infoleak", - "expanded": "Information leak" + "value": "infoleak", + "expanded": "Information leak" }, { - "value": "compromise", - "expanded": "System compromise" + "value": "compromise", + "expanded": "System compromise" }, { - "value": "other", - "expanded": "Other" + "value": "other", + "expanded": "Other" } ] } From a943ac3e936b34dc7a62be0cb78a6baf3c5b4690 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jul 2019 07:24:20 +0200 Subject: [PATCH 065/113] chg: [csirt-americas] updated directory --- csirt-americas/machinetag.json | 63 ++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 csirt-americas/machinetag.json diff --git a/csirt-americas/machinetag.json b/csirt-americas/machinetag.json new file mode 100644 index 0000000..3f1faa9 --- /dev/null 
+++ b/csirt-americas/machinetag.json @@ -0,0 +1,63 @@ +{ + "namespace": "csirt-americas", + "description": "Taxonomia CSIRT Americas.", + "version": 1, + "predicates": [ + { + "value": "defacement", + "expanded": "Defacement" + }, + { + "value": "malware", + "expanded": "Malware" + }, + { + "value": "ddos", + "expanded": "DDoS" + }, + { + "value": "phishing", + "expanded": "Phishing" + }, + { + "value": "spam", + "expanded": "Spam" + }, + { + "value": "botnet", + "expanded": "Botnet" + }, + { + "value": "fastflux", + "expanded": "Fastflux" + }, + { + "value": "cryptojacking", + "expanded": "Cryptojacking" + }, + { + "value": "xss", + "expanded": "XSS" + }, + { + "value": "sqli", + "expanded": "SQL Injection" + }, + { + "value": "vulnerability", + "expanded": "Vulnerability" + }, + { + "value": "infoleak", + "expanded": "Information leak" + }, + { + "value": "compromise", + "expanded": "System compromise" + }, + { + "value": "other", + "expanded": "Other" + } + ] +} From 1da9c71de12488a1ce4fbd1dcf1fc3053b2b8335 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jul 2019 07:26:02 +0200 Subject: [PATCH 066/113] new: [csirt-americas] taxonomy updated --- MANIFEST.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MANIFEST.json b/MANIFEST.json index 067f298..da915b6 100644 --- a/MANIFEST.json +++ b/MANIFEST.json 
@@ -469,11 +469,16 @@ "version": 1, "name": "threats-to-dns", "description": "An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614" + }, + { + "version": 1, + "name": "csirt-americas", + "description": "Taxonomy from CSIRTAmericas.org." } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190625" + "version": "20190705" } From dfc3a694e8fd361887bc657175341a449dd201ec Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jul 2019 07:31:22 +0200 Subject: [PATCH 067/113] chg: [remove] old directory --- CSIRTAmericas.org/machinetag.json | 63 ------------------------------- 1 file changed, 63 deletions(-) delete mode 100644 CSIRTAmericas.org/machinetag.json diff --git a/CSIRTAmericas.org/machinetag.json b/CSIRTAmericas.org/machinetag.json deleted file mode 100644 index 3f1faa9..0000000 --- a/CSIRTAmericas.org/machinetag.json +++ /dev/null 
@@ -1,63 +0,0 @@
-{
- "namespace": "csirt-americas",
- "description": "Taxonomia CSIRT Americas.",
- "version": 1,
- "predicates": [
- {
- "value": "defacement",
- "expanded": "Defacement"
- },
- {
- "value": "malware",
- "expanded": "Malware"
- },
- {
- "value": "ddos",
- "expanded": "DDoS"
- },
- {
- "value": "phishing",
- "expanded": "Phishing"
- },
- {
- "value": "spam",
- "expanded": "Spam"
- },
- {
- "value": "botnet",
- "expanded": "Botnet"
- },
- {
- "value": "fastflux",
- "expanded": "Fastflux"
- },
- {
- "value": "cryptojacking",
- "expanded": "Cryptojacking"
- },
- {
- "value": "xss",
- "expanded": "XSS"
- },
- {
- "value": "sqli",
- "expanded": "SQL Injection"
- },
- {
- "value": "vulnerability",
- "expanded": "Vulnerability"
- },
- {
- "value": "infoleak",
- "expanded": "Information leak"
- },
- {
- "value": "compromise",
- "expanded": "System compromise"
- },
- {
- "value": "other",
- "expanded": "Other"
- }
- ]
-}
From 1cf8901196a5b4c0e71c196a5c38ac5e2bfeb92e Mon Sep 17 00:00:00 2001
From: itAtcsirtamericasDotOrg
Date: Mon, 8 Jul 2019 13:47:22 -0700
Subject: [PATCH 068/113] chg:minor text changes
---
 csirt-americas/machinetag.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/csirt-americas/machinetag.json b/csirt-americas/machinetag.json
index 3f1faa9..995a234 100644
--- a/csirt-americas/machinetag.json
+++ b/csirt-americas/machinetag.json
@@ -1,6 +1,6 @@
 {
 "namespace": "csirt-americas",
- "description": "Taxonomia CSIRT Americas.",
+ "description": "Taxonomía CSIRT Américas.",
 "version": 1,
 "predicates": [
 {
From fb574ff35bec27dffab7b4facc984a71e5ad4bea Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 18 Jul 2019 10:49:48 +0200
Subject: [PATCH 069/113] chg: [workflow] updated to the new OSINT acquisition process
---
 workflow/machinetag.json | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/workflow/machinetag.json b/workflow/machinetag.json
index bc1c7ae..6c9f503 100644
--- a/workflow/machinetag.json
+++ b/workflow/machinetag.json
@@ -2,7 +2,7 @@
 "namespace": "workflow",
 "expanded": "workflow to support analysis",
 "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
- "version": 8,
+ "version": 9,
 "predicates": [
 {
 "value": "todo",
@@ -55,10 +55,18 @@
 "value": "create-missing-misp-galaxy-cluster",
 "expanded": "Create missing MISP galaxy cluster about the information tagged"
 },
+ {
+ "value": "create-missing-misp-galaxy-cluster-relationship",
+ "expanded": "create missing MISP galaxy cluster relationships (e.g. relationships between MISP clusters)"
+ },
 {
 "value": "create-missing-misp-galaxy",
 "expanded": "Create missing MISP galaxy at large about the information tagged (e.g. a new category of malware or activity)"
 },
+ {
+ "value": "create-missing-relationship",
+ "exapanded": "Create missing relationship about the information tagged (e.g. create new relationship between MISP objects)"
+ },
 {
 "value": "add-context",
 "expanded": "Add contextual information about the information tagged"
@@ -90,6 +98,14 @@
 {
 "value": "additional-task",
 "expanded": "Used to point an additional task that can not be describe by the rest of the taxonomy and need to be done"
+ },
+ {
+ "value": "create-event",
+ "expanded": "A new MISP event need to be created from the tag reference"
+ },
+ {
+ "value": "preserve-evidence",
+ "expanded": "Preseve evidence mentioned in the information tagged"
 }
 ]
 },
@@ -107,6 +123,10 @@
 {
 "value": "draft",
 "expanded": "Draft means the information tagged can be released as a preliminary version or outline"
+ },
+ {
+ "value": "ongoing",
+ "expanded": "Analyst is currently working on this analysis. To remove when there is no more work to be done by the analyst."
 }
 ]
 }
From a3ef5ddc9945b2e5ffa5a813c9d62f98269b07f1 Mon Sep 17 00:00:00 2001
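Review bot: The new `preserve-evidence` entry misspells its own label: `"expanded": "Preseve evidence mentioned in the information tagged"` should read `"Preserve evidence mentioned in the information tagged"`, and this is the text MISP will display on the tag. In the same hunk `create-event` reads `"A new MISP event need to be created from the tag reference"` — `needs`. The `create-missing-misp-galaxy-cluster-relationship` expansion in the earlier hunk starts lower-case (`create missing …`) while every sibling entry starts with a capital; align it. The enclosing `values` blocks these entries belong to begin before the hunks, so the predicate each one lands in cannot be confirmed from here.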
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 18 Jul 2019 14:07:52 +0200
Subject: [PATCH 070/113] fix: Typo in last commit
---
 workflow/machinetag.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/machinetag.json b/workflow/machinetag.json
index 6c9f503..a4c8c3b 100644
--- a/workflow/machinetag.json
+++ b/workflow/machinetag.json
@@ -65,7 +65,7 @@
 },
 {
 "value": "create-missing-relationship",
- "exapanded": "Create missing relationship about the information tagged (e.g. create new relationship between MISP objects)"
+ "expanded": "Create missing relationship about the information tagged (e.g. create new relationship between MISP objects)"
 },
 {
 "value": "add-context",
From 51aa26ca384d96088df58e7f7d08c5a03c21ffad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 18 Jul 2019 14:31:49 +0200
Subject: [PATCH 071/113] fix: Typo in rsit, predicates order in misp
---
 misp/machinetag.json | 8 ++++----
 rsit/machinetag.json | 9 ++-------
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/misp/machinetag.json b/misp/machinetag.json
index e95c60f..5a61033 100755
--- a/misp/machinetag.json
+++ b/misp/machinetag.json
@@ -164,10 +164,6 @@
 "expanded": "API related tag influencing the MISP behavior of the API.",
 "value": "api"
 },
- {
- "expanded": "misp2yara export tool",
- "value": "misp2yara"
- },
 {
 "description": "Expansion tag incluencing the MISP behavior using expansion modules",
 "expanded": "Expansion",
@@ -199,6 +195,10 @@
 "description": "Tool associated with the information taggged",
 "expanded": "Tool",
 "value": "tool"
+ },
+ {
+ "expanded": "misp2yara export tool",
+ "value": "misp2yara"
 }
 ],
 "version": 9,
diff --git a/rsit/machinetag.json b/rsit/machinetag.json
index d7b212e..c74d3fc 100644
--- a/rsit/machinetag.json
+++ b/rsit/machinetag.json
@@ -206,12 +206,7 @@
 "description": "Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.",
 "expanded": "Information disclosure",
 "value": "information-disclosure"
- }
- ],
- "predicate": "vulnerable"
- },
- {
- "entry": [
+ },
 {
 "description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.",
 "expanded": "Vulnerable system",
@@ -298,7 +293,7 @@
 "value": "test"
 }
 ],
- "version": 2,
+ "version": 3,
 "description": "Reference Security Incident Classification Taxonomy",
 "namespace": "rsit"
 }
From 24719cabd0665fafc2fd7fc2803489dcdf986b63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Sun, 21 Jul 2019 23:00:14 +0200
Subject: [PATCH 072/113] new: Flags used by scrippsco2
Source: http://scrippsco2.ucsd.edu/data/atmospheric_co2/sampling_stations
---
 scrippsco2-flags/machinetag.json | 56 ++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 scrippsco2-flags/machinetag.json
diff --git a/scrippsco2-flags/machinetag.json b/scrippsco2-flags/machinetag.json
new file mode 100644
index 0000000..821dabf
--- /dev/null
+++ b/scrippsco2-flags/machinetag.json
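Review bot: Collapsing the two `entry` lists into one relies on the second block's `predicate` line — which lies below this hunk — also being `"vulnerable"`; if it is anything else, `information-disclosure` and the entries above it silently move to a different predicate and every existing `rsit:vulnerable="information-disclosure"` tag stops resolving. Please confirm the merged block still ends in `"predicate": "vulnerable"`. Syntactic JSON validation does not catch two `values` blocks declaring the same predicate, which is presumably how the duplicate arose; a small consistency check over `.values[].predicate` for repeated names would prevent a recurrence. The `version` bump to 3 is correct for a structural change like this.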
@@ -0,0 +1,56 @@ +{ + "predicates": [ + { + "description": "Potentially Suspect Data Accepted", + "expanded": "accepted-suspect", + "value": "-3" + }, + "description": "Accepted value from continuous analyzer replacing flask data", + "expanded": "accepted-continuous-analyzer", + "value": "-2" + }, + "description": "Acepted Value retained although individual measurements deviated by more than selected tolerance", + "expanded": "accepted-deviated-tolerance", + "value": "-1" + }, + "description": "Accepted Value", + "expanded": "accepted", + "value": "0" + }, + "description": "Rejected during analysis", + "expanded": "rejected-during-analysis", + "value": "1" + }, + "description": "Rejected unacceptably large flask-analyzer differences associated with night sampling (used only at MLO between Dec 1962 and Sep 1968)", + "expanded": "rejected-legacy-difference-night-mlo", + "value": "2" + }, + "description": "Rejected flask measurement; used continuous data instead", + "expanded": "rejected-continuous-data", + "value": "3" + }, + "description": "Rejected Replicates do not agree to selected tolerance or single flask", + "expanded": "rejected-tolerance-single-flask", + "value": "4" + }, + "description": "Rejected Daily average deviates from fit by more than 3 standard deviations", + "expanded": "rejected-derivation", + "value": "5" + }, + "description": "Rejected to improve local distribution of data such as too many data of generally poor quality (used only at two stations: KUM Aug 1979 - Jun 1980 and LJO Apr 1979 - Sep 1985)", + "expanded": "rejected-legacy-poor-quality-kum-ljo", + "value": "6" + }, + "description": "Rejected Unsteady air at site (La Jolla only)", + "expanded": "rejected-unsteady-ljo", + "value": "7" + }, + "description": "Rejected manually (see input/flag_flasks.csv)", + "expanded": "rejected-manual", + "value": "8" + } + ], + "version": 1, + "description": "Flags describing the sample", + "namespace": "scrippsco2-flags" +} 
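Review bot: Every predicate after the first is missing its opening `{` — each `+ "description": …` line follows a bare `},` — so the new file is not valid JSON and any strict parser (and MISP's taxonomy loader) will reject it; insert `+ {` before each of those eleven `description` lines. Separately, `expanded` holds a slug (`"expanded": "accepted-suspect"`) while `value` holds the raw flag code, which inverts the convention used by the other taxonomies in this series where `expanded` is the human-readable label (`"value": "defacement", "expanded": "Defacement"`); consider `"value": "-3", "expanded": "Potentially suspect data accepted"` and keep the longer explanation in `description`. `"Acepted Value retained…"` should read `Accepted`.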
From 6c646cb25f952cf1fd295311411d75c7cc9ab10f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 23 Jul 2019 16:40:56 +0200 Subject: [PATCH 073/113] new: Scripps CO2 taxonomies --- .../machinetag.json | 2 +- scrippsco2-fgi/machinetag.json | 36 +++++++++++ scrippsco2-sampling-stations/machinetag.json | 59 +++++++++++++++++++ 3 files changed, 96 insertions(+), 1 deletion(-) rename {scrippsco2-flags => scrippsco2-fgc}/machinetag.json (98%) create mode 100644 scrippsco2-fgi/machinetag.json create mode 100644 scrippsco2-sampling-stations/machinetag.json diff --git a/scrippsco2-flags/machinetag.json b/scrippsco2-fgc/machinetag.json similarity index 98% rename from scrippsco2-flags/machinetag.json rename to scrippsco2-fgc/machinetag.json index 821dabf..6f543a9 100644 --- a/scrippsco2-flags/machinetag.json +++ b/scrippsco2-fgc/machinetag.json @@ -52,5 +52,5 @@ ], "version": 1, "description": "Flags describing the sample", - "namespace": "scrippsco2-flags" + "namespace": "scrippsco2-fgc" } diff --git a/scrippsco2-fgi/machinetag.json b/scrippsco2-fgi/machinetag.json new file mode 100644 index 0000000..e2e3535 --- /dev/null +++ b/scrippsco2-fgi/machinetag.json 
@@ -0,0 +1,36 @@ +{ + "predicates": [ + { + "description": "Suspect but accepted isotopic measurement", + "expanded": "accepted-suspect", + "value": "-3" + }, + "description": "Accepted isotopic measurement", + "expanded": "accepted", + "value": "0" + }, + "description": "Rejected", + "expanded": "rejected", + "value": "3" + }, + "description": "Outlier from fit", + "expanded": "outlier", + "value": "5" + }, + "description": "Other rejected, older data", + "expanded": "rejected-old-data", + "value": "6" + }, + "description": "Flask extracted but not analyzed yet", + "expanded": "extracted-not-analyzed", + "value": "8" + }, + "description": "Flask not extracted", + "expanded": "not-extracted", + "value": "9" + } + ], + "version": 1, + "description": "Flags describing the sample for isotopic data (C14, O18)", + "namespace": "scrippsco2-fgi" +} diff --git a/scrippsco2-sampling-stations/machinetag.json b/scrippsco2-sampling-stations/machinetag.json new file mode 100644 index 0000000..c50c65b --- /dev/null +++ b/scrippsco2-sampling-stations/machinetag.json 
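Review bot: Same structural defect as the `scrippsco2-flags` file in the previous commit: the six entries after `accepted-suspect` have no opening `{`, so this is not parseable JSON; add `+ {` ahead of each `+ "description"` line. Here too `expanded` carries a slug (`"rejected-old-data"`) rather than a readable label, e.g. `"expanded": "Other rejected, older data"`, with the slug better suited to `value` if the numeric flag codes are not required as tag values.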
@@ -0,0 +1,59 @@
+{
+ "predicates": [
+ {
+ "expanded": "Alert, NWT, Canada",
+ "value": "ALT"
+ },
+ {
+ "expanded": "Point Barrow, Alaska",
+ "value": "PTB"
+ },
+ {
+ "expanded": "Station P",
+ "value": "STP"
+ },
+ {
+ "expanded": "La Jolla Pier, California",
+ "value": "LJO"
+ },
+ {
+ "expanded": "Baja California Sur, Mexico",
+ "value": "BCS"
+ },
+ {
+ "expanded": "Mauna Loa Observatory, Hawaii",
+ "value": "MLO"
+ },
+ {
+ "expanded": "Cape Kumukahi, Hawaii ",
+ "value": "KUM"
+ },
+ {
+ "expanded": "Christmas Island, Fanning Island",
+ "value": "CHR"
+ },
+ {
+ "expanded": "American Samoa",
+ "value": "SAM"
+ },
+ {
+ "expanded": "Kermadec Islands, Raoul Island",
+ "value": "KER"
+ },
+ {
+ "expanded": "Baring Head, New Zealand",
+ "value": "NZD"
+ },
+ {
+ "expanded": "Palmer Station, Antarctica",
+ "value": "PSA"
+ },
+ {
+ "expanded": "South Pole",
+ "value": "SPO"
+ }
+ ],
+ "version": 1,
+ "description": "Sampling stations of the Scripps CO2 Program",
+ "namespace": "scrippsco2-sampling-stations"
+}
From 1a5ef3aa345931f0671699c38bf08aedba779206 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 23 Jul 2019 16:43:53 +0200
Subject: [PATCH 074/113] fix: Missing patenthesis.
---
 scrippsco2-fgc/machinetag.json | 11 +++++++++++
 scrippsco2-fgi/machinetag.json | 6 ++++++
 2 files changed, 17 insertions(+)
diff --git a/scrippsco2-fgc/machinetag.json b/scrippsco2-fgc/machinetag.json
index 6f543a9..e212c93 100644
--- a/scrippsco2-fgc/machinetag.json
+++ b/scrippsco2-fgc/machinetag.json
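Review bot: `"expanded": "Cape Kumukahi, Hawaii "` carries a trailing space inside the string, which will appear in the rendered tag label and defeat exact-match comparisons; trim it to `"Cape Kumukahi, Hawaii"`. The station `value`s are upper-case codes (`ALT`, `MLO`, `SPO`) whereas the other taxonomies in this series use lower-case slugs; if the codes intentionally mirror the upstream dataset's identifiers, say so in the taxonomy `description`, e.g. `"Sampling stations of the Scripps CO2 Program (values are the Scripps station codes)"`, so consumers do not "normalize" them.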
@@ -5,46 +5,57 @@ "expanded": "accepted-suspect", "value": "-3" }, + { "description": "Accepted value from continuous analyzer replacing flask data", "expanded": "accepted-continuous-analyzer", "value": "-2" }, + { "description": "Acepted Value retained although individual measurements deviated by more than selected tolerance", "expanded": "accepted-deviated-tolerance", "value": "-1" }, + { "description": "Accepted Value", "expanded": "accepted", "value": "0" }, + { "description": "Rejected during analysis", "expanded": "rejected-during-analysis", "value": "1" }, + { "description": "Rejected unacceptably large flask-analyzer differences associated with night sampling (used only at MLO between Dec 1962 and Sep 1968)", "expanded": "rejected-legacy-difference-night-mlo", "value": "2" }, + { "description": "Rejected flask measurement; used continuous data instead", "expanded": "rejected-continuous-data", "value": "3" }, + { "description": "Rejected Replicates do not agree to selected tolerance or single flask", "expanded": "rejected-tolerance-single-flask", "value": "4" }, + { "description": "Rejected Daily average deviates from fit by more than 3 standard deviations", "expanded": "rejected-derivation", "value": "5" }, + { "description": "Rejected to improve local distribution of data such as too many data of generally poor quality (used only at two stations: KUM Aug 1979 - Jun 1980 and LJO Apr 1979 - Sep 1985)", "expanded": "rejected-legacy-poor-quality-kum-ljo", "value": "6" }, + { "description": "Rejected Unsteady air at site (La Jolla only)", "expanded": "rejected-unsteady-ljo", "value": "7" }, + { "description": "Rejected manually (see input/flag_flasks.csv)", "expanded": "rejected-manual", "value": "8" diff --git a/scrippsco2-fgi/machinetag.json b/scrippsco2-fgi/machinetag.json index e2e3535..cc4b6b4 100644 --- a/scrippsco2-fgi/machinetag.json +++ b/scrippsco2-fgi/machinetag.json 
@@ -5,26 +5,32 @@ "expanded": "accepted-suspect", "value": "-3" }, + { "description": "Accepted isotopic measurement", "expanded": "accepted", "value": "0" }, + { "description": "Rejected", "expanded": "rejected", "value": "3" }, + { "description": "Outlier from fit", "expanded": "outlier", "value": "5" }, + { "description": "Other rejected, older data", "expanded": "rejected-old-data", "value": "6" }, + { "description": "Flask extracted but not analyzed yet", "expanded": "extracted-not-analyzed", "value": "8" }, + { "description": "Flask not extracted", "expanded": "not-extracted", "value": "9" From 9e1059eb451f061f2fa3e531a23dd8962941c276 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 23 Jul 2019 18:30:35 +0200 Subject: [PATCH 075/113] chg: Bump Manifest --- MANIFEST.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/MANIFEST.json b/MANIFEST.json index da915b6..63b745b 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -474,7 +474,23 @@ "version": 1, "name": "csirt-americas", "description": "Taxonomy from CSIRTAmericas.org." + }, + { + "version": 1, + "name": "scrippsco2-fgc", + "description": "Flags describing the sample" + }, + { + "version": 1, + "name": "scrippsco2-fgi", + "description": "Flags describing the sample for isotopic data (C14, O18)" + }, + { + "version": 1, + "name": "scrippsco2-sampling-stations", + "description": "Sampling stations of the Scripps CO2 Program" } + ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", From 86e83ecab5a2942173092f7af8d03f9a8774b4cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 23 Jul 2019 18:33:25 +0200 Subject: [PATCH 076/113] fix: Broken json --- MANIFEST.json | 1 - 1 file changed, 1 deletion(-) diff --git a/MANIFEST.json b/MANIFEST.json index 63b745b..43fbb38 100644 --- a/MANIFEST.json +++ b/MANIFEST.json 
@@ -490,7 +490,6 @@
 "name": "scrippsco2-sampling-stations",
 "description": "Sampling stations of the Scripps CO2 Program"
 }
-
 ],
 "path": "machinetag.json",
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
From bcb539988d35c548b2e469c6465cc3d0ef81ff62 Mon Sep 17 00:00:00 2001
From: Vincent-CIRCL
Date: Mon, 29 Jul 2019 09:59:31 +0200
Subject: [PATCH 077/113] add: [tags] crypto, contreband, etc.
---
 dark-web/machinetag.json | 93 +++++++++++++++++++++++++++++-----------
 1 file changed, 69 insertions(+), 24 deletions(-)
diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json
index 87fa861..a13404e 100644
--- a/dark-web/machinetag.json
+++ b/dark-web/machinetag.json
@@ -30,14 +30,24 @@ "description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)." }, { - "value": "extremism", - "expanded": "Extremism", - "description": "Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes." + "value": "electronics", + "expanded": "Electronics", + "description": "Electronics and high tech materials, described or to sell for example." }, { "value": "finance", "expanded": "Finance", - "description": "Any monetary/currency/exchangeable materials. Includes carding, Bitcoin, Litecoin etc." + "description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc." + }, + { + "value": "finance-crypto", + "expanded": "CryptoFinance", + "description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc." + }, + { + "value": "credit-card", + "expanded": "Credit-Card", + "description": "Credit cards and payments materials" }, { "value": "cash-in", @@ -94,6 +104,11 @@ "expanded": "Unclear", "description": "Unable to completely establish topic of material." }, + { + "value": "extremism", + "expanded": "Extremism", + "description": "Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes." + }, { "value": "violence", "expanded": "Violence", 
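Review bot: `finance`, `finance-crypto` and `credit-card` now overlap with no rule for choosing between them: `finance` keeps `"Includes carding, Paypal etc."` while the new `credit-card` entry is `"Credit cards and payments materials"`, and carding *is* credit-card fraud, so the same page will be tagged differently by different analysts. Make the three descriptions disjoint, e.g. for `finance`: `"description": "Traditional monetary/currency/exchangeable materials (e.g. PayPal, bank transfers). Card data and carding go under credit-card, cryptocurrencies under finance-crypto."`, or state explicitly that several topic tags are expected. The new `electronics` text `"Electronics and high tech materials, described or to sell for example."` is hard to parse; `"Electronics and high-tech goods, whether described or offered for sale."` says the same thing.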
@@ -109,11 +124,6 @@ "expanded": "Softwares", "description": "Illegal or armful software distribution" }, - { - "value": "credit-card", - "expanded": "Credit-Card", - "description": "Credit cards and payments materials" - }, { "value": "counteir-feit-materials", "expanded": "Counter-feit materials", @@ -174,6 +184,16 @@ "expanded": "Ponies", "description": "self-explanatory. It's ponies" }, + { + "value": "games", + "expanded": "Games", + "description": "Flash or online games" + }, + { + "value": "parody", + "expanded": "Parody or Joke", + "description": "Meme, Parody, Jokes, Trolling, ..." + }, { "value": "whistleblower", "expanded": "Whistleblower", @@ -190,9 +210,9 @@ "description": "Materials providing instruction - e.g. ‘how to’ guides" }, { - "value": "file-sharing", - "expanded": "File Sharing", - "description": "General file sharing, typically (but not limited to) movie/image sharing" + "value": "wiki", + "expanded": "Wiki", + "description": "Wiki pages, documentation and information display" }, { "value": "forum", @@ -200,9 +220,9 @@ "description": "Sites specifically designed for multiple users to communicate as peers" }, { - "value": "wiki", - "expanded": "Wiki", - "description": "Wiki pages, documentation and information display" + "value": "file-sharing", + "expanded": "File Sharing", + "description": "General file sharing, typically (but not limited to) movie/image sharing" }, { "value": "hosting", @@ -229,6 +249,11 @@ "expanded": "Scam", "description": "Intentional confidence trick to fraud people or group of people" }, + { + "value": "political-speech", + "expanded": "Political-Speech", + "description": "Political, activism, without extremism." + }, { "value": "conspirationist", "expanded": "Conspirationist", 
@@ -239,11 +264,6 @@ "expanded": "Hate-Speech", "description": "Racism, violent, hate... speech." }, - { - "value": "political-speech", - "expanded": "Political-Speech", - "description": "Political, activism, without extremism." - }, { "value": "religious", "expanded": "Religious", @@ -254,6 +274,11 @@ "expanded": "Marketplace/For Sale", "description": "Services/goods for sale, regardless of means of payment." }, + { + "value": "smuggling", + "expanded": "Smuggling", + "description": "Information or trading of wild animals, prohibited goods, ... " + }, { "value": "recruitment-advocacy", "expanded": "Recruitment/Advocacy", @@ -263,6 +288,11 @@ "value": "system-placeholder", "expanded": "System/Placeholder", "description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2" + }, + { + "value": "unclear", + "expanded": "Unclear", + "description": "Unable to completely establish motivation of material." } ] }, @@ -271,7 +301,7 @@ "entry": [ { "value": "incomplete", - "expanded": "Imcomplete websites or information", + "expanded": "Incomplete websites or information", "description": "Websites and pages that are unable to load completely properly" }, { 
@@ -280,9 +310,19 @@ "description": "Captchas and solvers elements" }, { - "value": "LoginForms", + "value": "login-forms", "expanded": "Logins forms and gates", - "description": "Authentification pages, login page, login forms that block access to an internal part of a website." + "description": "Authentication pages, login page, login forms that block access to an internal part of a website." + }, + { + "value": "contact-forms", + "expanded": "Contact forms and gates", + "description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..." + }, + { + "value": "encryption-keys", + "expanded": "Encryption and decryption keys", + "description": "e.g. PGP Keys, passwords, ..." }, { "value": "police-notice", @@ -292,7 +332,7 @@ { "value": "legal-statement", "expanded": "Legal-Statement", - "description": "RGPD statement, Privacy-policy, ..." + "description": "RGPD statement, Privacy-policy, guidelines of a websites or forum..." }, { "value": "test", @@ -303,6 +343,11 @@ "value": "videos", "expanded": "Videos", "description": "Videos and streaming" + }, + { + "value": "unclear", + "expanded": "Unclear", + "description": "Unable to completely establish structure of material." } ] } From 39f5ed87cedac344ccf77b4733d6e8485c08386f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 20 Aug 2019 15:40:11 +0200 Subject: [PATCH 078/113] new: [phishing] Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status. --- phishing/machinetag.json | 152 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 phishing/machinetag.json diff --git a/phishing/machinetag.json b/phishing/machinetag.json new file mode 100644 index 0000000..4e4ec3d --- /dev/null +++ b/phishing/machinetag.json 
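Review bot: Renaming the structure value `LoginForms` to `login-forms` changes the machine tag itself (`dark-web:structure="LoginForms"` becomes `dark-web:structure="login-forms"`), so tags already applied to events stop matching this taxonomy and nothing migrates them; if the rename is intended it needs to be called out in the commit message and paired with a taxonomy `version` bump, which none of the visible hunks contain (the `version` field may sit beyond them — please confirm). The new `encryption-keys` entry is described as `"e.g. PGP Keys, passwords, ..."`, lumping credentials in with key material; either narrow it to `"e.g. PGP/GPG public keys, SSH keys, ..."` or rename the entry to something like `credentials-and-keys`. `RGPD` in the updated `legal-statement` description is the French acronym; `GDPR` matches the English used everywhere else in these descriptions.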
@@ -0,0 +1,152 @@ +{ + "namespace": "phishing", + "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.", + "version": 1, + "predicates": [ + { + "value": "techniques", + "expanded": "Techniques", + "description": "Phishing techniques used." + }, + { + "value": "reported", + "expanded": "Reported", + "description": "How the phishing information was reported." + }, + { + "value": "origin", + "expanded": "Origin", + "description": "Origin or source of the phishing information such as tools or services." + }, + { + "value": "action", + "expanded": "Action", + "description": "Action(s) taken related to the phishing tagged with this taxonomy." + }, + { + "value": "state", + "expanded": "State", + "description": "State of the phishing." + } + ], + "values": [ + { + "predicate": "techniques", + "entry": [ + { + "value": "fake-website", + "expanded": "Social engineering fake website", + "description": "Adversary controls a fake website to phish for credentials or information." + }, + { + "value": "email-spoofing", + "expanded": "Social engineering email spoofing", + "description": "Adversary sends email with domains related to target. Adversary controls the domains used." + }, + { + "value": "clone-phishing", + "expanded": "Clone phishing", + "description": "Adversary clones an email to target potential victims with duplicated content." + }, + { + "value": "voice-phishing", + "expanded": "Voice phishing", + "description": "Adversary use voice-based techniques to trick a potential victim to give credentials or sensitive information. This is also named as vishing." 
+ }, + { + "value": "search-engines-abuse", + "expanded": "Social engineering search engines abuse", + "description": "Adversary controls the search engine result to get an advantage" + }, + { + "value": "spear-phishing", + "expanded": "Spear phishing", + "description": "Adversary attempts targeted phishing to a user or a specific group of users based on knowledge known by the adversary." + }, + { + "value": "bulk-phishing", + "expanded": "Bulk phishing", + "description": "Adversary attempts to target a large group of potential targets without specific knowledge of the victims." + }, + { + "value": "sms-phishing", + "expanded": "SMS phishing", + "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing techniques at a later stage." + } + ] + }, + { + "predicate": "reported", + "entry": [ + { + "value": "manual-reporting", + "expanded": "Manual reporting", + "description": "Phishing reported by a human (e.g. tickets, manual reporting)." + }, + { + "value": "automatic-reporting", + "expanded": "Automatic reporting", + "description": "Phishing collected by automatic reporting (e.g. phishing report tool, API)." + } + ] + }, + { + "predicate": "origin", + "entry": [ + { + "value": "url-abuse", + "expanded": "url-abuse", + "description": "CIRCL url-abuse service." + }, + { + "value": "lookyloo", + "expanded": "lookyloo", + "description": "CIRCL lookyloo service." + }, + { + "value": "phishtank", + "expanded": "Phishtank", + "description": "Phishtank service." + }, + { + "value": "spambee", + "expanded": "Spambee", + "description": "C-3 Spambee service." + } + ] + }, + { + "predicate": "action", + "entry": [ + { + "value": "take-down", + "description": "Take down notification sent to the operator where the phishing infrastructure is hosted." + }, + { + "value": "pending-law-enforcement-request", + "description": "Law enforcement requests are ongoing on the phishing infrastructure." 
+ } + ] + }, + { + "predicate": "state", + "entry": [ + { + "value": "unknown", + "expanded": "Phishing state is unknown or cannot be evaluated", + "numerical_value": 50 + }, + { + "value": "active", + "expanded": "Phishing state is active and actively used by the adversary", + "numerical_value": 100 + }, + { + "value": "down", + "expanded": "Phishing state is known to be down", + "numerical_value": 0 + } + ] + } + ] +} From 59a5e4610badd9993ec403fae315b1dd5123be56 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 20 Aug 2019 15:41:10 +0200 Subject: [PATCH 079/113] chg: [MANIFEST] phishing taxonomy added --- MANIFEST.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MANIFEST.json b/MANIFEST.json index 43fbb38..df497b8 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -489,11 +489,16 @@ "version": 1, "name": "scrippsco2-sampling-stations", "description": "Sampling stations of the Scripps CO2 Program" + }, + { + "version": 1, + "name": "phishing", + "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status." } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190705" + "version": "20190820" } From 51db2dc10213f39ac8b2d9f2bfe8d992bd0b2251 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 20 Aug 2019 15:46:03 +0200 Subject: [PATCH 080/113] chg: [phishing] dispute resolution added --- phishing/machinetag.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/phishing/machinetag.json b/phishing/machinetag.json index 4e4ec3d..e2ded82 100644 --- a/phishing/machinetag.json +++ b/phishing/machinetag.json 
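Review bot: The `email-spoofing` description — `"Adversary sends email with domains related to target. Adversary controls the domains used."` — actually describes look-alike or typosquatted domains registered by the adversary, not spoofing, which is forging the sender of a domain the adversary does *not* control (the case SPF/DKIM/DMARC exist for); the two call for different responses (domain take-down vs. DMARC enforcement at the target), so conflating them in the taxonomy loses exactly the distinction a responder needs. Either retitle the entry or split it: `"description": "Adversary forges the sender address of a domain it does not control (header/envelope spoofing)."` for `email-spoofing`, plus a new `lookalike-domain` entry for adversary-registered domains resembling the target. Minor grammar in the same hunk: `Adversary use voice-based techniques` → `uses`, `sends an SMS to a potential victims` → `to potential victims`, `use another phishing techniques` → `technique`.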
@@ -125,6 +125,10 @@
 {
 "value": "pending-law-enforcement-request",
 "description": "Law enforcement requests are ongoing on the phishing infrastructure."
+ },
+ {
+ "value": "pending-dispute-resolution",
+ "description": "Dispute resolution sent to competent authorities (e.g. domain authority, trademark dispute)."
 }
 ]
 },
From e1db95845ce17531b05490cc903ea690ca73391c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 20 Aug 2019 19:03:27 +0200
Subject: [PATCH 081/113] chg: [phishing] fix the missing expanded
---
 phishing/machinetag.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/phishing/machinetag.json b/phishing/machinetag.json
index e2ded82..90fbf98 100644
--- a/phishing/machinetag.json
+++ b/phishing/machinetag.json
@@ -120,14 +120,17 @@
 "entry": [
 {
 "value": "take-down",
+ "expanded": "Take down",
 "description": "Take down notification sent to the operator where the phishing infrastructure is hosted."
 },
 {
 "value": "pending-law-enforcement-request",
+ "expanded": "Pending law enforcement request",
 "description": "Law enforcement requests are ongoing on the phishing infrastructure."
 },
 {
 "value": "pending-dispute-resolution",
+ "expanded": "Pending dispute resolution",
 "description": "Dispute resolution sent to competent authorities (e.g. domain authority, trademark dispute)."
 }
 ]
From 736f6e2a8d36e25a79a31d1d800905bdd30e2e01 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 21 Aug 2019 16:04:32 +0200
Subject: [PATCH 082/113] chg: [copine] numerical values added
---
 copine-scale/machinetag.json | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/copine-scale/machinetag.json b/copine-scale/machinetag.json
index b339587..840df7c 100644
--- a/copine-scale/machinetag.json
+++ b/copine-scale/machinetag.json
@@ -2,50 +2,60 @@ "predicates": [ { "expanded": "Sadistic/bestiality: (a) Pictures showing a child being tied, bound, beaten, whipped, or otherwise subjected to something that implies pain; (b) Pictures where an animal is involved in some form of sexual behavior with a child", - "value": "level-10" + "value": "level-10", + "numerical_value": 100 }, { "expanded": "Gross assault: Grossly obscene pictures of sexual assault, involving penetrative sex, masturbation, or oral sex involving an adult", - "value": "level-9" + "value": "level-9", + "numerical_value": 90 }, { "expanded": "Assault: Pictures of children being subjected to a sexual assault, involving digital touching, involving an adult", - "value": "level-8" + "value": "level-8", + "numerical_value": 80 }, { "expanded": "Explicit sexual activity: Involves touching, mutual and self-masturbation, oral sex, and intercourse by child, not involving an adult", - "value": "level-7" + "value": "level-7", + "numerical_value": 70 }, { "expanded": "Explicit erotic posing: Emphasizing genital areas where the child is posing either naked, partially clothed, or fully clothed", - "value": "level-6" + "value": "level-6", + "numerical_value": 60 }, { "expanded": "Erotic posing: Deliberately posed pictures of fully or partially clothed or naked children in sexualized or provocative poses", - "value": "level-5" + "value": "level-5", + "numerical_value": 50 }, { "expanded": "Posing: Deliberately posed pictures of children fully or partially clothed or naked (where the amount, context, and organization suggests sexual interest)", - "value": "level-4" + "value": "level-4", + "numerical_value": 40 }, { "expanded": "Erotica: Surreptitiously taken photographs of children in play areas or other safe environments showing either underwear or varying degrees of nakedness", - "value": "level-3" + "value": "level-3", + "numerical_value": 30 }, { "expanded": "Nudist: Pictures of naked or seminaked children in appropriate nudist settings, and 
from legitimate sources", - "value": "level-2" + "value": "level-2", + "numerical_value": 20 }, { "expanded": "Indicative: Nonerotic and nonsexualized pictures showing children in their underwear, swimming costumes, and so on, from either commercial sources or family albums; pictures of children playing in normal settings, in which the context or organization of pictures by the collector indicates inappropriateness", - "value": "level-1" + "value": "level-1", + "numerical_value": 10 } ], "refs": [ "https://en.wikipedia.org/wiki/COPINE_scale", "http://journals.sagepub.com/doi/pdf/10.1177/1079063217724768" ], - "version": 1, + "version": 2, "description": "The COPINE Scale is a rating system created in Ireland and used in the United Kingdom to categorise the severity of images of child sex abuse. The scale was developed by staff at the COPINE (Combating Paedophile Information Networks in Europe) project. The COPINE Project was founded in 1997, and is based in the Department of Applied Psychology, University College Cork, Ireland.", "expanded": "COPINE Scale", "namespace": "copine-scale", From b9c8106353c755f58ec2f5fa171a00ea184301b2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 21 Aug 2019 16:14:44 +0200 Subject: [PATCH 083/113] chg: [analyst-assessment] numerical_value fixed to match new model --- analyst-assessment/machinetag.json | 42 +++++++++++++++--------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/analyst-assessment/machinetag.json b/analyst-assessment/machinetag.json index 0371a9f..7a4573b 100644 --- a/analyst-assessment/machinetag.json +++ b/analyst-assessment/machinetag.json 
@@ -5,27 +5,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "experience"
@@ -56,27 +56,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "binary-reversing-experience"
@@ -132,27 +132,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "web-experience"
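Review bot: The identical five-step experience scale is rescaled separately in `@@ -5`, `@@ -56`, `@@ -132` and, on the next line, `@@ -162` for the `experience`, `binary-reversing-experience`, `web-experience` and `crypto-experience` predicates, so every future adjustment has to be replayed in four places and nothing in the file marks them as one scale. JSON offers no way to reference a shared list, so the practical mitigation is a sentence in the taxonomy `description` (touched by the `@@ -229` hunk on the next line) stating that all four experience predicates share the same 20–100 scale, plus a validation-time check that the four `entry` arrays stay equal. The diffstat (`1 file changed`) also shows MANIFEST.json is not bumped alongside the `version` 2 → 3 change.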
@@ -162,27 +162,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "crypto-experience"
@@ -229,7 +229,7 @@
 "org",
 "user"
 ],
- "version": 2,
+ "version": 3,
 "description": "A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst.",
 "expanded": "Analyst (Self) Assessment",
 "namespace": "analyst-assessment"
From fe5f95c3844ea3e8ac0a9e7e58d7fea916cffc48 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 21 Aug 2019 16:29:56 +0200
Subject: [PATCH 084/113] chg: numerical values added
---
 cssa/machinetag.json | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/cssa/machinetag.json b/cssa/machinetag.json
index eb1a425..78bbabe 100644
--- a/cssa/machinetag.json
+++ b/cssa/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "cssa",
 "description": "The CSSA agreed sharing taxonomy.",
- "version": 4,
+ "version": 6,
 "predicates": [
 {
 "value": "sharing-class",
@@ -24,17 +24,20 @@
 {
 "value": "high_profile",
 "expanded": "Generated within the company during incident/case related investigations or forensic analysis or via malware reversing, validated by humans and highly contextualized.",
- "colour": "#007695"
+ "colour": "#007695",
+ "numerical_value": 95
 },
 {
 "value": "vetted",
 "expanded": "Generated within the company, validated by a human prior to sharing, data points have been contextualized (to a degree) e.g. IPs are related to C2 or drop site.",
- "colour": "#008aaf"
+ "colour": "#008aaf",
+ "numerical_value": 50
 },
 {
 "value": "unvetted",
 "expanded": "Generated within the company by automated means without human interaction e.g., by malware sandbox, honeypots, IDS, etc.",
- "colour": "#00b3e2"
+ "colour": "#00b3e2",
+ "numerical_value": 10
 }
 ]
 },
From 4de846cb600a34983aa17a34776f2abac4325115 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 22 Aug 2019 14:36:30 +0200
Subject: [PATCH 085/113] chg: [phishing] various updates and clarification - psychological-acceptability predicate added to define the social acceptance of a phishing attack - report-type and report-origin replaced ambiguous type/report - distribution predicate added to move distribution out of techniques Thanks to Bertrand Lathoud and Sascha Rommelfangen for the feedback :sparkles:
---
 phishing/machinetag.json | 63 ++++++++++++++++++++++++++++++++--------
 1 file changed, 51 insertions(+), 12 deletions(-)
diff --git a/phishing/machinetag.json b/phishing/machinetag.json
index 90fbf98..979fbc8 100644
--- a/phishing/machinetag.json
+++ b/phishing/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "phishing",
 "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.",
- "version": 1,
+ "version": 2,
 "predicates": [
 {
 "value": "techniques",
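Review bot: `version` goes from 4 straight to 6 in the `@@ -1,7 +1,7 @@` hunk on the previous line while the diffstat lists only cssa/machinetag.json, so version 5 never existed in this file and MANIFEST.json still advertises the old number; `"version": 5,` plus the manifest entry, as PATCH 088 and 093 do for other taxonomies, keeps the two in step, and PATCH 082 and 083 in this series have the same manifest gap. The new `numerical_value`s (95/50/10) rank `sharing-class` entries from most to least vetted, but only the `expanded` prose implies that ordering; a `"description"` on the `sharing-class` predicate saying that a higher value means more human validation would make it explicit for consumers.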
@@ -9,13 +9,18 @@ "description": "Phishing techniques used." }, { - "value": "reported", - "expanded": "Reported", + "value": "distribution", + "expanded": "Distribution", + "description": "How the phishing is distributed." + }, + { + "value": "report-type", + "expanded": "Report type", "description": "How the phishing information was reported." }, { - "value": "origin", - "expanded": "Origin", + "value": "report-origin", + "expanded": "Report origin", "description": "Origin or source of the phishing information such as tools or services." }, { @@ -27,6 +32,11 @@ "value": "state", "expanded": "State", "description": "State of the phishing." + }, + { + "value": "psychological-acceptability", + "expanded": "Psychological acceptability", + "description": "Quality of the phishing by its level of acceptance by the target." } ], "values": [ @@ -58,6 +68,16 @@ "expanded": "Social engineering search engines abuse", "description": "Adversary controls the search engine result to get an advantage" }, + { + "value": "sms-phishing", + "expanded": "SMS phishing", + "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing techniques at a later stage." + } + ] + }, + { + "predicate": "distribution", + "entry": [ { "value": "spear-phishing", "expanded": "Spear phishing", @@ -67,16 +87,11 @@ "value": "bulk-phishing", "expanded": "Bulk phishing", "description": "Adversary attempts to target a large group of potential targets without specific knowledge of the victims." - }, - { - "value": "sms-phishing", - "expanded": "SMS phishing", - "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing techniques at a later stage." } ] }, { - "predicate": "reported", + "predicate": "report-type", "entry": [ { "value": "manual-reporting", @@ -91,7 +106,7 @@ ] }, { - "predicate": "origin", + "predicate": "report-origin", "entry": [ { "value": "url-abuse", 
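Review bot: Renaming the predicates `reported` → `report-type` and `origin` → `report-origin`, and moving `spear-phishing`/`bulk-phishing` out of `techniques` into the new `distribution` predicate, orphans tags already applied under version 1 such as `phishing:reported="manual-reporting"` or `phishing:techniques="spear-phishing"`: tags are plain strings, nothing migrates them, and existing events keep tags the taxonomy no longer defines. Keeping the old predicate and entry names for one more version with a `"description": "Deprecated, use report-type."` style note, or documenting the required tag migration in the commit message, avoids the silent break. `"description": "How the phishing is distributed."` for `distribution` is also vaguer than its two entries; `"How the phishing message is delivered to its targets (spear or bulk)."` says what the predicate distinguishes.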
@@ -154,6 +169,30 @@ "numerical_value": 0 } ] + }, + { + "predicate": "psychological-acceptability", + "entry": [ + { + "value": "unknown", + "expanded": "Phishing acceptance rate is unknown." + }, + { + "value": "low", + "expanded": "Phishing acceptance rate is low.", + "numerical_value": 25 + }, + { + "value": "medium", + "expanded": "Phishing acceptance rate is medium.", + "numerical_value": 50 + }, + { + "value": "high", + "expanded": "Phishing acceptance rate is high.", + "numerical_value": 75 + } + ] } ] } From ef4b0fc30e537e1c93be96b10079a1d0d0ec74a2 Mon Sep 17 00:00:00 2001 From: Jean-Louis Huynen Date: Thu, 22 Aug 2019 15:38:06 +0200 Subject: [PATCH 086/113] chg: [phishing] add principles of persuasions - based on: - Cialdini's principal of influence, - Graggs's psychological triggers, - Stajano's principles of scams, - see associated paper: Ferreira & al. DOI: 10.1007/978-3-319-20376-8_4 --- phishing/machinetag.json | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/phishing/machinetag.json b/phishing/machinetag.json index 979fbc8..658b68b 100644 --- a/phishing/machinetag.json +++ b/phishing/machinetag.json @@ -37,6 +37,11 @@ "value": "psychological-acceptability", "expanded": "Psychological acceptability", "description": "Quality of the phishing by its level of acceptance by the target." + }, + { + "value": "principle-of-persuasion", + "expanded": "Principle of Persuasion", + "description": "The principle of persuasion used durin the attack to higher psychological acceptability." } ], "values": [ 
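Review bot: The `psychological-acceptability` entries in `@@ -154,6 +169,30 @@` put the whole sentence in `expanded` and carry no `description`, whereas every other entry in this file uses `expanded` as the short label and `description` for the sentence (e.g. `"expanded": "SMS phishing"` in the previous hunk); if `expanded` is what is shown as the tag label, as the other entries suggest, these four will render as sentences. `"expanded": "Low", "description": "Phishing acceptance rate is low."` (likewise for unknown, medium and high) restores the convention. `unknown` deliberately has no `numerical_value`; stating in the predicate's `description` that unknown does not take part in scoring would record that for consumers.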
@@ -193,6 +198,31 @@ "numerical_value": 75 } ] + }, + { + "predicate": "principle-of-persuasion", + "entry": [ + { + "value": "authority", + "expanded": "Society trains people not to question authority so they are conditioned to respond to it. People usually follow an expert or pretense of authority and do a great deal for someone they think is an authority." + }, + { + "value": "social-proof", + "expanded": "People tend to mimic what the majority of people do or seem to be doing. People let their guard and suspicion down when everyone else appears to share the same behaviours and risks. In this way, they will not be held solely responsible for their actions." + }, + { + "value": "liking-similarity-deception", + "expanded": "People prefer to abide to whom (they think) they know or like, or to whom they are similar to or familiar with, as well as attracted to." + }, + { + "value": "commitment-reciprocation-consistency", + "expanded": "People feel more confident in their decision once they commit (publically) to a specific action and need to follow it through until the end. This is true whether in the workplace, or in a situation when their action is illegal. People have tendency to believe what others say and need, and they want to appear consistent in what they do, for instance, when they owe a favour. There is an automatic response of repaying a favour." + }, + { + "value": "distraction", + "expanded": "People focus on one thing and ignore other things that may happen without them noticing; they focus attention on what they can gain, what they need, what they can lose or miss out on, or if that thing will soon be unavailable, has been censored, restricted or will be more expensive later. These distractions can heighten people’s emotional state and make them forget other logical facts to consider when making decisions." + } + ] } ] } From cbdcd6e1367d829e57d0d2b2d7ec2cd55996a599 Mon Sep 17 00:00:00 2001 
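Review bot: The five `principle-of-persuasion` entries carry a full paragraph in `expanded` and no short label or `description`, so the label shown for each tag will presumably be the paragraph; `"expanded": "Authority"`, `"Social proof"`, `"Liking, similarity and deception"`, `"Commitment, reciprocation and consistency"`, `"Distraction"` with the explanations moved into `description` matches the rest of the file. Two wording fixes in the same hunk: `publically` → `publicly` in the commitment entry and `abide to whom` → `abide by whom` in the liking entry. The commit message attributes the text to Ferreira et al. (DOI 10.1007/978-3-319-20376-8_4); adding that URL to a `refs` array, as copine-scale and ics have, keeps the attribution with the data rather than only in git history.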
From: Alexandre Dulaunoy
Date: Thu, 22 Aug 2019 15:50:58 +0200
Subject: [PATCH 087/113] chg: [phishing] Fix #157
---
 phishing/machinetag.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/phishing/machinetag.json b/phishing/machinetag.json
index 658b68b..8a29780 100644
--- a/phishing/machinetag.json
+++ b/phishing/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "phishing",
 "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.",
- "version": 2,
+ "version": 3,
 "predicates": [
 {
 "value": "techniques",
@@ -66,7 +66,7 @@
 {
 "value": "voice-phishing",
 "expanded": "Voice phishing",
- "description": "Adversary use voice-based techniques to trick a potential victim to give credentials or sensitive information. This is also named as vishing."
+ "description": "Adversary uses voice-based techniques to trick a potential victim to give credentials or sensitive information. This is also known as vishing."
 },
 {
 "value": "search-engines-abuse",
@@ -76,7 +76,7 @@
 {
 "value": "sms-phishing",
 "expanded": "SMS phishing",
- "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing techniques at a later stage."
+ "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing technique at a later stage."
 }
 ]
 },
From f9d4fa09d3746aa022e9049756d0679db88b41b6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 22 Aug 2019 15:54:39 +0200
Subject: [PATCH 088/113] chg: [MANIFEST] phishing taxonomy updated
---
 MANIFEST.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index df497b8..472ef34 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
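Review bot: The sms-phishing rewrite in `@@ -76,7 +76,7 @@` changes `techniques` → `technique` but leaves `to a potential victims` in the same string; `"description": "Adversary sends an SMS to a potential victim to gather sensitive information or use another phishing technique at a later stage."` completes the fix. The voice-phishing rewording and the `version` 2 → 3 bump in `@@ -1,7 +1,7 @@` look right.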
@@ -491,7 +491,7 @@
 "description": "Sampling stations of the Scripps CO2 Program"
 },
 {
- "version": 1,
+ "version": 4,
 "name": "phishing",
 "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status."
 }
@@ -500,5 +500,5 @@
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190820"
+ "version": "20190822"
 }
From 30204266a0ae9d7a9556853cd8f02096396818a0 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Fri, 23 Aug 2019 08:41:36 +0200
Subject: [PATCH 089/113] Typo
---
 phishing/machinetag.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phishing/machinetag.json b/phishing/machinetag.json
index 8a29780..a9d6df6 100644
--- a/phishing/machinetag.json
+++ b/phishing/machinetag.json
@@ -41,7 +41,7 @@
 {
 "value": "principle-of-persuasion",
 "expanded": "Principle of Persuasion",
- "description": "The principle of persuasion used durin the attack to higher psychological acceptability."
+ "description": "The principle of persuasion used during the attack to higher psychological acceptability."
 }
 ],
 "values": [
From b722672554eaa8ddd0d5d16c275ae1a13ba644b7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Aug 2019 14:50:09 +0200
Subject: [PATCH 090/113] new: [ics] FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project (WiP)
---
 MANIFEST.json | 7 +++++-
 ics/machinetag.json | 58 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 ics/machinetag.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 472ef34..425d1cf 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
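Review bot: MANIFEST.json now advertises phishing at `"version": 4,` but phishing/machinetag.json is at `"version": 3,` after PATCH 087 (`@@ -1,7 +1,7 @@` on the previous line), and neither PATCH 086 (30 insertions, no version hunk) nor PATCH 089 (the typo fix on this line) bumps it, so the manifest and the file disagree; a client that refreshes when the manifest is newer will refetch a file that still says 3. Either bump the taxonomy file to `"version": 4,` in the same commit or write `"version": 3,` here.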
@@ -494,11 +494,16 @@
 "version": 4,
 "name": "phishing",
 "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status."
+ },
+ {
+ "description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project",
+ "version": 1,
+ "name": "ics"
 }
 ],
 "path": "machinetag.json",
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190822"
+ "version": "20190826"
 }
diff --git a/ics/machinetag.json b/ics/machinetag.json
new file mode 100644
index 0000000..507950d
--- /dev/null
+++ b/ics/machinetag.json
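Review bot: The new ics manifest entry orders its keys `description`, `version`, `name` while the phishing entry just above it uses `version`, `name`, `description`; key order carries no meaning, but a hand-maintained manifest is easier to review and diff when every entry follows one order, so `"version": 1,` / `"name": "ics",` / `"description": ...` would be consistent. The manifest date bump to `"20190826"` in the same hunk matches the commit date.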
@@ -0,0 +1,58 @@ +{ + "predicates": [ + { + "colour": "#d208f4", + "expanded": "OT Components Category", + "value": "ot-components-category" + } + ], + "values": [ + { + "predicate": "ot-components-category", + "entry": [ + { + "value": "programmable-logic-controller", + "expanded": "Programmable Logic Controller (PLC)", + "description": "1. Computing device with user-programmable memory to storing instructions to operate a physical process.\\n\\n 2.Various PLC types for different processses" + }, + { + "value": "remote-terminal-unit", + "expanded": "Remote Terminal Unit (RTU)", + "description": "1. Data aquisitionand control unit designedto support field sites and remote stations.\\n\\n2. Wired and wireless communication capabilities.\\n\\n3. No stored program logic." + }, + { + "value": "human-machine-interface", + "expanded": "Human-Machine Interface (HMI)", + "description": "1. Hardware/software that operators used to interact with control system.\\n\\n2. From physical control panels to a complete computer systems" + }, + { + "value": "sensors", + "expanded": "Sensors", + "description": "Pressure, Temperature, Flow, Voltage, Optical, Proximity" + }, + { + "value": "actuators", + "expanded": "Actuators", + "description": "Variable Frequency Drive, Servo Drive, Valve, Circuit Breaker" + }, + { + "value": "communications", + "expanded": "Communications", + "description": "Modems, Routers, Serial - Ethernet Converters, Swtiches" + }, + { + "value": "supervisory-level-devices", + "expanded": "Supervisory Level Devices", + "description": "1. Control Server (Supervisory systems that hosts control software to manage lower level control devices like PLC).\\n\\n2. Data Historian (Centralized database for information about process, control activity and status record).\\n\\n3. Engineering workstations (Creating and revising control systems anbd programs, incl. project files)." 
+ } + ] + } + ], + "refs": [ + "https://www.first.org/global/sigs/cti/" + ], + "version": 1, + "description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project", + "expanded": "Industrial Control System (ICS)", + "namespace": "ics" +} From d6432287ef321d33a1acb8c4d7526d8d03dbf399 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 26 Aug 2019 16:49:52 +0200 Subject: [PATCH 091/113] chg: [ics] new RTOS added --- ics/machinetag.json | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/ics/machinetag.json b/ics/machinetag.json index 507950d..91fc313 100644 --- a/ics/machinetag.json +++ b/ics/machinetag.json @@ -1,12 +1,40 @@ { "predicates": [ { - "colour": "#d208f4", "expanded": "OT Components Category", "value": "ot-components-category" + }, + { + "expanded": "OT Operating Systems", + "value": "ot-operating-systems" } ], "values": [ + { + "predicate": "ot-operating-systems", + "entry": [ + { + "value": "rtos", + "expanded": "RTOS", + "description": "Please see the URL reference, there are a lot of it to be listed in here. These OS are also referred as Firmware. https://en.wikipedia.org/wiki/Comparison_of_real-time_operating_systems" + }, + { + "value": "linux-embedded-base-os", + "expanded": "Linux Embedded Base OS", + "description": "Yocto\\nBuildroot\\nOpenWRT\\nB & R Linux\\n Scientific Linux\\nRaspbian\\nAndroid" + }, + { + "value": "bsd", + "expanded": "BSD", + "description": "NetBSD (NetBSD Embedded Systems)\\nFreeBSD (Modified. i.e.: Orbis OS)" + }, + { + "value": "microsoft", + "expanded": "Microsoft", + "description": "Windows 10 IoT Enterprise\\n Windows Embedded 8.1 Industry Professional\\n Windows 7 Professional/Ultimate\\n Windows Embedded Standard 7\\n Windows Embedded Standard 2009\\n Windows CE 6.0\\n" + } + ] + }, { "predicate": "ot-components-category", "entry": [ From dd7e6e09425bc4acf823cdfdf085ab47e868443b Mon Sep 17 00:00:00 2001 
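Review bot: The `description` strings in the new ics/machinetag.json are written with `\\n\\n` (PLC, RTU, HMI and supervisory-level-devices entries in `@@ -0,0 +1,58 @@`, and the `Yocto\\nBuildroot\\n…`, BSD and Microsoft lists in the `@@ -1,12 +1,40 @@` hunk), which JSON decodes to a literal backslash followed by `n` rather than a line break, so a UI will show `\n` verbatim; if a line break is intended the escape is a single `\n`. The numbered items and OS lists are structured data inside strings; sub-types (PLC variants, embedded Linux distributions) would be more usable as entries of their own, or at least as plain comma-separated text. Several typos remain: `processses`, `aquisitionand`, `designedto`, `Swtiches`, `anbd`. The `rtos` entry puts its Wikipedia URL inside `description`; it belongs in the `refs` array beside the FIRST.org link.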
From: Alexandre Dulaunoy Date: Tue, 27 Aug 2019 08:15:40 +0200 Subject: [PATCH 092/113] chg: [targeted-threat-index] set MISP numerical_value range TODO: Improve taxonomy format to add original_numerical_value to get the original value of the taxonomy author --- targeted-threat-index/machinetag.json | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/targeted-threat-index/machinetag.json b/targeted-threat-index/machinetag.json index ad172c6..7139263 100644 --- a/targeted-threat-index/machinetag.json +++ b/targeted-threat-index/machinetag.json 
@@ -5,32 +5,32 @@
 {
 "expanded": "Not targeted, e.g. spam or financially motivated malware.",
 "value": "not-targeted",
- "numerical_value": 0
+ "numerical_value": 1
 },
 {
 "expanded": "Targeted but not customized. Sent with a message that is obviously false with little to no validation required.",
 "value": "targeted-but-not-customized",
- "numerical_value": 1
+ "numerical_value": 25
 },
 {
 "expanded": "Targeted and poorly customized. Content is generally relevant to the target. May look questionable.",
 "value": "targeted-and-poorly-customized",
- "numerical_value": 2
+ "numerical_value": 50
 },
 {
 "expanded": "Targeted and customized. May use a real person/organization or content to convince the target the message is legitimate. Content is specifically relevant to the target and looks legitimate.",
 "value": "targeted-and-customized",
- "numerical_value": 3
+ "numerical_value": 65
 },
 {
 "expanded": "Targeted and well-customized. Uses a real person/organization and content to convince the target the message is legitimate. Probably directly addressing the recipient. Content is specifically relevant to the target, looks legitimate, and can be externally referenced (e.g. by a website). May be sent from a hacked account.",
 "value": "targeted-and-well-customized",
- "numerical_value": 4
+ "numerical_value": 85
 },
 {
 "expanded": "Targeted and highly customized using sensitive data. Individually targeted and customized, likely using inside/sensitive information that is directly relevant to the target.",
 "value": "targeted-and-highly-customized-using-sensitive-data",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "targeting-sophistication-base-value"
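Review bot: Rescaling `numerical_value` to the 0–100 range discards the published Targeted Threat Index numbers: the base values 0–5 here and, in the `@@ -45,22 +45,22 @@` hunk on the next line, the multipliers 1.25/1.5/1.75/2, so the score the taxonomy describes (base value × multiplier) can no longer be computed from the tags; the commit message acknowledges this with the `original_numerical_value` TODO. Until the format carries that field, appending the original number to each `expanded` text (e.g. `"… (TTI base value 3)"`, `"… (TTI multiplier 1.25)"`) keeps the source values recoverable from the tag itself. In this hunk `not-targeted` also maps to `1` while the other steps are 25/50/65/85/100; if `0` was avoided because the decaying model treats it as unset, that reason belongs in the predicate's `description`, otherwise `0` preserves the published value.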
@@ -45,22 +45,22 @@
 {
 "expanded": "The sample contains a simple method of protection, such as one of the following: code protection using publicly available tools where the reverse method is available, such as UPX packing; simple anti-reversing techniques such as not using import tables, or a call to IsDebuggerPresent(); self-disabling in the presence of AV software.",
 "value": "the-sample-contains-a-simple-method-of-protection",
- "numerical_value": 1.25
+ "numerical_value": 25
 },
 {
 "expanded": "The sample contains multiple minor code protection techniques (anti-reversing tricks, packing, VM / reversing tools detection) that require some low-level knowledge. This level includes malware where code that contains the core functionality of the program is decrypted only in memory.",
 "value": "the-sample-contains-multiple-minor-code-protection-techniques",
- "numerical_value": 1.5
+ "numerical_value": 50
 },
 {
 "expanded": "The sample contains minor code protection techniques along with at least one advanced protection method such as rootkit functionality or a custom virtualized packer.",
 "value": "the-sample-contains-minor-code-protection-techniques-plus-one-advanced",
- "numerical_value": 1.75
+ "numerical_value": 75
 },
 {
 "expanded": "The sample contains multiple advanced protection techniques, e.g. rootkit capability, virtualized packer, multiple anti-reversing techniques, and is clearly designed by a professional software engineering team.",
 "value": "the-sample-contains-multiple-advanced-protection-techniques",
- "numerical_value": 2
+ "numerical_value": 100
 }
 ],
 "predicate": "technical-sophistication-multiplier"
@@ -78,9 +78,10 @@
 "value": "technical-sophistication-multiplier"
 }
 ],
- "version": 1,
+ "version": 2,
 "refs": [
- "https://citizenlab.org/2013/10/targeted-threat-index/"
+ "https://citizenlab.org/2013/10/targeted-threat-index/",
+ "https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf"
 ],
 "description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman.",
 "namespace": "targeted-threat-index"
From 022562ec89f0a69be753ebb830d7cac22c7edeae Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Aug 2019 08:16:55 +0200
Subject: [PATCH 093/113] chg: [MANIFEST] updated targeted-threat-index
---
 MANIFEST.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 425d1cf..4b4e525 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -251,7 +251,7 @@
 "description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
 },
 {
- "version": 1,
+ "version": 2,
 "name": "targeted-threat-index",
 "description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
 },
@@ -505,5 +505,5 @@
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190826"
+ "version": "20190827"
 }
From 306a22836bff64d18b4656d9e22e343619f5c57e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Aug 2019 08:18:48 +0200
Subject: [PATCH 094/113] chg: [false-positive] reorder the logic behind the numerical_value (to be consistent with the decaying model)
---
 MANIFEST.json | 2 +-
 false-positive/machinetag.json | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 4b4e525..d2f6c2b 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -361,7 +361,7 @@
 "version": 1
 },
 {
- "version": 1,
+ "version": 2,
 "name": "false-positive",
 "description": "This taxonomy aims to ballpark the expected amount of false positives."
 },
diff --git a/false-positive/machinetag.json b/false-positive/machinetag.json
index 3e15d4a..6a2b153 100644
--- a/false-positive/machinetag.json
+++ b/false-positive/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "false-positive",
 "description": "This taxonomy aims to ballpark the expected amount of false positives.",
- "version": 1,
+ "version": 2,
 "expanded": "False positive",
 "predicates": [
 {
@@ -18,7 +18,7 @@
 "value": "low",
 "expanded": "Low",
 "description": "The risk of having false positives in the tagged value is low.",
- "numerical_value": 25
+ "numerical_value": 75
 },
 {
 "value": "medium",
@@ -30,7 +30,7 @@
 "value": "high",
 "expanded": "High",
 "description": "The risk of having false positives in the tagged value is high.",
- "numerical_value": 75
+ "numerical_value": 25
 }
 ]
 }
From 95951b32d941da02e83e69ee1d0d62ee4ea200d5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Aug 2019 10:40:26 +0200
Subject: [PATCH 095/113] chg: [ics] OT IR Communication Interface added
---
 ics/machinetag.json | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/ics/machinetag.json b/ics/machinetag.json
index 91fc313..3240d98 100644
--- a/ics/machinetag.json
+++ b/ics/machinetag.json
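Review bot: After the swap in `@@ -18,7 +18,7 @@` and `@@ -30,7 +30,7 @@`, `low` risk of false positives scores `75` and `high` scores `25`, so `numerical_value` now runs opposite to the predicate's own wording (`"The risk of having false positives in the tagged value is high."` → 25), and a consumer that thresholded on the version-1 orientation gets the reverse ordering with nothing but the version bump as a hint. The taxonomy `description` in the `@@ -1,7 +1,7 @@` hunk should state the new meaning, e.g. `"This taxonomy aims to ballpark the expected amount of false positives. numerical_value expresses confidence that the tagged value is a true positive (higher is better) to fit the MISP decaying model."`. The manifest entry is bumped in the same commit here, which is the pattern the earlier taxonomy changes in this series lacked.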
@@ -7,9 +7,53 @@ { "expanded": "OT Operating Systems", "value": "ot-operating-systems" + }, + { + "expanded": "OT IR Communication Interface", + "value": "ot-communication-interface" } ], "values": [ + { + "predicate": "ot-communication-interface", + "entry": [ + { + "value": "rs-232", + "expanded": "RS-232 (comm port)", + "description": "Serial communication with an implementation comprises 2 data lines, 6 control lines and one ground." + }, + { + "value": "rs-422, rs-423 or rs-485", + "expanded": "RS-422, RS-423 or RS-485", + "description": "RS-422 is compatible to RS-232, used in situations where long distances are required, it can drive up to 1200m at 100kbit/s, and up to 1Mbit/s over short distances. RS-422 uses a differential driver, uses a four-conductor cable, and up to ten receivers can be on a multi-dropped network or bus. RS-485 is like RS-422 but RS-422 allows just one driver with multiple receivers whereas RS-485 supports multiple drivers and receivers RS-485 also allows up to thirty two (32) multi-dropped receivers or transmitters on a multi-dropped network or bus. At 90 kbit/s, the maximum cable length is 1250 m, and at 10 Mbit/s it is 15 m. The devices are half-duplex (i.e. send or receive, but not both at the same time). For more nodes or long distances, you can use repeaters that regenerate the signals and begin a new RS-485 line. " + }, + { + "value": "ieee-488-gpib", + "expanded": "IEEE-488 (GPIB)", + "description": "Known as Hewlett-Packard HP-IB but was renamed as GPIB (General Purpose Interface Bus) by the IEEE-488 (1975). IEEE-488 interface comprises 8 data lines, 8 control lines and 8 ground lines. Up to 15 devices can be interconnected on one bus. Each device is assigned a unique primary address, ranging from 4-30, by setting the address switches on the device. Devices are linked in either a daisy-chain or star (or some combination) configuration with up to 20 m of shielded 24-conductor cable. 
A maximum separation of 4 m is specified between any two devices, and an average of 2m over the entire bus. The data transfer rate can be up to 1 Mbyte/s. Three types of devices can be connected to an IEEE-488 bus (Listeners, Talkers, and Controllers)" + }, + { + "value": "ieee-1394-firewire", + "expanded": "IEEE-1394 (FireWire)", + "description": "The IEEE-1394 defines a serial serial interface that can use the bus cable to power devices. Firewire transmits data in packets and incurs some overhead as a result. Firewire frames are 125 msec long which means that despite a 'headline' transfer speed of 400 Mbit/s Firewire can be substantially slower in responding to instruments' service requests. Firewire uses a peer-peer protocol, similar to IEEE-488. Using standard cable, the maximum length bus comprises 16 hops of 4.5m each. Each hop connects two devices, but each physical device can contain four logical nodes. A Firewire cable contains two twisted-pairs (signals and clock) and two untwisted conductors (power and ground)." + }, + { + "value": "usb-universal-serial-bus", + "expanded": "USB (Universal Serial Bus)", + "description": "USB is the bus topology, and host-target protocol, mean that giving existing PC-based instruments a USB port not as trivial as it could be, but instruments with USB ports are coming onto the ICS market increasing numbers. USB 1.1 has many features as serial data transmission, device powering, data sent in 1 ms packets. USB offers 1.5- and 12-Mbit/s speeds. Individual devices can use the bus for a maximum of 50% of the time. In practice, the maximum rate is not more than 0.6 Mbyte/s. USB 2.0 specification was released in 2000. In addition to increasing the signaling rate from 12 MHz to 480 MHz, the specification describes a more advanced feature set and uses bandwidth more efficiently than 'Classic' USB. Version 2 of USB seems likely to prevent IEEE 1394 becoming widely adopted in instrument systems." 
+ }, + { + "value": "ethernet", + "expanded": "Ethernet", + "description": "Instruments with ethernet interfaces have the great advantage that they can be accessed and controlled from a desktop anywhere in the world. A web-enabled ICS device behaves can be operated with standard browser. Systems with comm based on these interface can make use of existing Ethernet networks and connecting an instrument directly into the internet makes sharing of data easy. Fast data transfer is possible. However, when connected to the public internet it is difficult to secure or maintain its security and a full evaluation of the risks involved for this interface usage is very essential." + }, + { + "value": "others", + "expanded": "Others", + "description": "Other communication interface not listed." + } + ] + }, { "predicate": "ot-operating-systems", "entry": [ From 4dfd8a66f23a7a91a437e402a151fc6c096735f4 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 27 Aug 2019 13:52:51 +0200 Subject: [PATCH 096/113] chg: [ics] more data transmission protocols --- ics/machinetag.json | 398 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 398 insertions(+) diff --git a/ics/machinetag.json b/ics/machinetag.json index 3240d98..c8bd8e0 100644 --- a/ics/machinetag.json +++ b/ics/machinetag.json 
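Review bot: `"value": "rs-422, rs-423 or rs-485"` contains spaces and commas, unlike every other value in the file (`rs-232`, `ieee-488-gpib`, `usb-universal-serial-bus`); the value is used verbatim inside the tag string, so a comma there is a hazard for any tooling that splits tag lists on commas, and it will not survive round-trips that expect a single token. `"value": "rs-422-rs-423-rs-485"` with the readable form left in `expanded` follows the file's convention; the `ARINC 429` and `CAN bus (...)` values in the next hunk have the same problem. The predicate's `"expanded": "OT IR Communication Interface"` carries an `IR` that its value `ot-communication-interface` does not explain; either spell it out or drop it.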
@@ -11,9 +11,407 @@ { "expanded": "OT IR Communication Interface", "value": "ot-communication-interface" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Process Automation", + "value": "ot-network-data-transmission-protocols-process-automation" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Power System Automation", + "value": "ot-network-data-transmission-protocols-power-system-automation" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Building Automation", + "value": "ot-network-data-transmission-protocols-building-automation" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Industrial Control System", + "value": "ot-network-data-transmission-protocols-industrial-control-system" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Automatic Meter Reading", + "value": "ot-network-data-transmission-protocols-automatic-meter-reading" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Automobile / Vehicle / Aviation", + "value": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation" } ], "values": [ + { + "predicate": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation", + "entry": [ + { + "value": "ARINC 429", + "expanded": "ARINC 429" + }, + { + "value": "CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)", + "expanded": "CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": "Factory Instrumentation Protocol" + }, + { + "value": "FlexRay", + "expanded": "FlexRay" + }, + { + "value": "IEBus", + "expanded": "IEBus" + }, + { + "value": "J1587", + "expanded": "J1587" + }, + { + "value": "J1708", + "expanded": "J1708" + }, + { + "value": "Keyword Protocol 2000", + "expanded": "Keyword Protocol 2000" + }, + { + "value": "Unified Diagnostic Services", + "expanded": "Unified Diagnostic Services" + }, + { + "value": "LIN", + "expanded": "LIN" + }, + { + "value": "MOST", + 
"expanded": "MOST" + }, + { + "value": "VAN", + "expanded": "VAN" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-automatic-meter-reading", + "entry": [ + { + "value": "ANSI C12.18", + "expanded": "ANSI C12.18" + }, + { + "value": "IEC 61107", + "expanded": "IEC 61107" + }, + { + "value": "DLMS/IEC 62056", + "expanded": "DLMS/IEC 62056" + }, + { + "value": "M-Bus", + "expanded": "M-Bus" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "ZigBee", + "expanded": "ZigBee" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-industrial-control-system", + "entry": [ + { + "value": "MTConnect", + "expanded": "MTConnect" + }, + { + "value": "OPC", + "expanded": "OPC" + }, + { + "value": "DA", + "expanded": "DA" + }, + { + "value": "OPC", + "expanded": "OPC" + }, + { + "value": "HDA", + "expanded": "HDA" + }, + { + "value": "OPC", + "expanded": "OPC" + }, + { + "value": "UA", + "expanded": "UA" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-building-automation", + "entry": [ + { + "value": "1-Wire", + "expanded": "1-Wire" + }, + { + "value": "BACnet", + "expanded": "BACnet" + }, + { + "value": "C-Bus", + "expanded": "C-Bus" + }, + { + "value": "CEBus", + "expanded": "CEBus" + }, + { + "value": "DALI", + "expanded": "DALI" + }, + { + "value": "DSI", + "expanded": "DSI" + }, + { + "value": "DyNet", + "expanded": "DyNet" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": "Factory Instrumentation Protocol" + }, + { + "value": "KNX", + "expanded": "KNX" + }, + { + "value": "LonTalk", + "expanded": "LonTalk" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "oBIX", + "expanded": "oBIX" + }, + { + "value": "VSCP", + "expanded": "VSCP" + }, + { + "value": "X10", + "expanded": "X10" + }, + { + "value": "xAP", + "expanded": "xAP" + }, + { + "value": "xPL", + "expanded": "xPL" + }, + { + "value": "ZigBee", + "expanded": "ZigBee" + } + ] + }, + { + 
"predicate": "ot-network-data-transmission-protocols-power-system-automation", + "entry": [ + { + "value": "IEC 60870", + "expanded": "IEC 60870" + }, + { + "value": "DNP3", + "expanded": "DNP3" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": "Factory Instrumentation Protocol" + }, + { + "value": "IEC 61850", + "expanded": "IEC 61850" + }, + { + "value": "IEC 62351", + "expanded": "IEC 62351" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "Profibus", + "expanded": "Profibus" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-process-automation", + "entry": [ + { + "value": "AS-i", + "expanded": "AS-i" + }, + { + "value": "BSAP", + "expanded": "BSAP" + }, + { + "value": "CC-Link Industrial Networks", + "expanded": "CC-Link Industrial Networks" + }, + { + "value": "CIP", + "expanded": "CIP" + }, + { + "value": "CAN bus", + "expanded": "CAN bus" + }, + { + "value": "ControlNet", + "expanded": "ControlNet" + }, + { + "value": "DF-1", + "expanded": "DF-1" + }, + { + "value": "DirectNET", + "expanded": "DirectNET" + }, + { + "value": "EtherCAT", + "expanded": "EtherCAT" + }, + { + "value": "Ethernet Global Data (EGD)", + "expanded": "Ethernet Global Data (EGD)" + }, + { + "value": "Ethernet Powerlink", + "expanded": "Ethernet Powerlink" + }, + { + "value": "EtherNet/IP", + "expanded": "EtherNet/IP" + }, + { + "value": "Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)", + "expanded": "Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": "Factory Instrumentation Protocol" + }, + { + "value": "FINS", + "expanded": "FINS" + }, + { + "value": "FOUNDATION fieldbus (H1 HSE)", + "expanded": "FOUNDATION fieldbus (H1 HSE)" + }, + { + "value": "GE SRTP", + "expanded": "GE SRTP" + }, + { + "value": "HART Protocol", + "expanded": "HART 
Protocol" + }, + { + "value": "Honeywell SDS", + "expanded": "Honeywell SDS" + }, + { + "value": "HostLink", + "expanded": "HostLink" + }, + { + "value": "INTERBUS", + "expanded": "INTERBUS" + }, + { + "value": "IO-Link", + "expanded": "IO-Link" + }, + { + "value": "MECHATROLINK", + "expanded": "MECHATROLINK" + }, + { + "value": "MelsecNet", + "expanded": "MelsecNet" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "Optomu", + "expanded": "Optomu" + }, + { + "value": "PieP", + "expanded": "PieP" + }, + { + "value": "Ethernet Powerlink", + "expanded": "Ethernet Powerlink" + }, + { + "value": "Profibus", + "expanded": "Profibus" + }, + { + "value": "PROFINET IO", + "expanded": "PROFINET IO" + }, + { + "value": "RAPIEnet", + "expanded": "RAPIEnet" + }, + { + "value": "SERCOS interface", + "expanded": "SERCOS interface" + }, + { + "value": "SERCOS III", + "expanded": "SERCOS III" + }, + { + "value": "Sinec H1", + "expanded": "Sinec H1" + }, + { + "value": "SynqNet", + "expanded": "SynqNet" + }, + { + "value": "TTEthernet", + "expanded": "TTEthernet" + }, + { + "value": "TCP/IP", + "expanded": "TCP/IP" + } + ] + }, { "predicate": "ot-communication-interface", "entry": [ From b6be976eeda72929e1c89010eaffb24d301ea1d8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 27 Aug 2019 14:31:55 +0200 Subject: [PATCH 097/113] chg: [ics] OT IR Security Issues added --- ics/machinetag.json | 49 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/ics/machinetag.json b/ics/machinetag.json index c8bd8e0..a36a4c9 100644 --- a/ics/machinetag.json +++ b/ics/machinetag.json 
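Review bot: The `value` strings in all six new protocol lists repeat the human-readable label instead of the lowercase kebab-case identifiers the existing `ot-communication-interface` entries use (`ieee-1394-firewire`, `usb-universal-serial-bus`), so tags will carry spaces, slashes and parentheses such as `CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)` and `EtherNet/IP`; keeping a stable identifier in `value` and the label in `expanded` would match the rest of the file. Under `ot-network-data-transmission-protocols-industrial-control-system` the sequence `OPC`, `DA`, `OPC`, `HDA`, `OPC`, `UA` looks like `OPC DA`, `OPC HDA` and `OPC UA` split on whitespace; the later "remove duplicate value entries" commit on this page drops the repeated `OPC` rows but leaves `DA`, `HDA` and `UA` standing alone, so the three should be merged back, e.g. `{ "value": "opc-da", "expanded": "OPC DA" }`. The predicate value `ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation` carries a stray `automatic-` segment that its `expanded` text does not have and that appears copied from the meter-reading predicate; since tags are keyed on this string it is cheapest to correct before anything is tagged with it. The `Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)` value embeds an example command in the identifier; the example belongs in a `description`.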
@@ -35,9 +35,58 @@
 {
 "expanded": "OT Network/Data Transmission Protocols in Automobile / Vehicle / Aviation",
 "value": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation"
+ },
+ {
+ "value": "ot-security-issues",
+ "expanded": "OT IR Security Issues"
 }
 ],
 "values": [
+ {
+ "predicate": "ot-security-issues",
+ "entry": [
+ {
+ "value": "Message Authentication",
+ "expanded": "Message Authentication",
+ "description": "Auth in used protocols is attacked and falsification command can be sent"
+ },
+ {
+ "value": "Message Integrity Checking",
+ "expanded": "Message Integrity Checking",
+ "description": "Message poart of the sent protocol is maliciously tampered"
+ },
+ {
+ "value": "Message Encryption",
+ "expanded": "Message Encryption",
+ "description": "Self explanatory, i.e. Weak encryption is attacked"
+ },
+ {
+ "value": "Command Injection",
+ "expanded": "Command Injection",
+ "description": "Either Remote Command Injection or Local. On local can be timer triggered under tampered firmware"
+ },
+ {
+ "value": "Replay Attack",
+ "expanded": "Replay Attack",
+ "description": "Self explanatory"
+ },
+ {
+ "value": "Man in the middle (MITM) Attack",
+ "expanded": "Man in the middle (MITM) Attack",
+ "description": "Self explanatory"
+ },
+ {
+ "value": "Undocumented instructions",
+ "expanded": "Undocumented instructions",
+ "description": "Vendor's left several instruction used for development or trouble shooting that is finally leaked and used to performed malicious activities on the devices."
+ },
+ {
+ "value": "Vendor proprietary protocols",
+ "expanded": "Vendor proprietary protocols",
+ "description": "Internal vendor protocols used for development or trouble shooting, that is being maliciously for an attack."
+ }
+ ]
+ },
 {
 "predicate": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation",
 "entry": [
From faf1c6fc850b35aa9e67fb490d08944434e9fa88 Mon Sep 17 00:00:00 2001
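Review bot: Three of the eight new `ot-security-issues` entries carry `"description": "Self explanatory"` (or a variant of it), which adds nothing to `expanded` and is the kind of placeholder that survives for years; either drop the key on those entries or state what the category covers, e.g. for `Replay Attack` `"description": "Previously captured legitimate protocol traffic is re-sent to trigger the same action again"`. The remaining descriptions need copy-editing: `poart` should be `part` in `Message Integrity Checking`, and the `Undocumented instructions` and `Vendor proprietary protocols` texts are fragments (`that is being maliciously for an attack`). The entry names `Message Authentication`, `Message Integrity Checking` and `Message Encryption` name a security control while the descriptions describe its absence or defeat, so a tag such as `ics:ot-security-issues="Message Encryption"` reads as the opposite of what it records; naming the weakness (`weak-message-encryption`) would make the tag self-describing. Values also use capitalised words with spaces rather than the lowercase kebab-case used by the existing `ot-communication-interface` entries.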
From: Alexandre Dulaunoy
Date: Tue, 27 Aug 2019 14:53:06 +0200
Subject: [PATCH 098/113] chg: [ics] references added
---
 ics/machinetag.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ics/machinetag.json b/ics/machinetag.json
index a36a4c9..035d237 100644
--- a/ics/machinetag.json
+++ b/ics/machinetag.json
@@ -568,7 +568,9 @@
 }
 ],
 "refs": [
- "https://www.first.org/global/sigs/cti/"
+ "https://www.first.org/global/sigs/cti/",
+ "https://www.isa.org/isa99/",
+ "https://www.isa.org/intech/201810standards/"
 ],
 "version": 1,
 "description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project",
From 69a8ce29165b9e55e137379b2ef7aa42fb598a0c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Aug 2019 15:07:22 +0200
Subject: [PATCH 099/113] chg: [ics] remove duplicate value entries
---
 ics/machinetag.json | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/ics/machinetag.json b/ics/machinetag.json
index 035d237..ee918d3 100644
--- a/ics/machinetag.json
+++ b/ics/machinetag.json
@@ -184,18 +184,10 @@
 "value": "DA",
 "expanded": "DA"
 },
- {
- "value": "OPC",
- "expanded": "OPC"
- },
 {
 "value": "HDA",
 "expanded": "HDA"
 },
- {
- "value": "OPC",
- "expanded": "OPC"
- },
 {
 "value": "UA",
 "expanded": "UA"
@@ -419,10 +411,6 @@
 "value": "PieP",
 "expanded": "PieP"
 },
- {
- "value": "Ethernet Powerlink",
- "expanded": "Ethernet Powerlink"
- },
 {
 "value": "Profibus",
 "expanded": "Profibus"
From e726c1a8c0ad67799ec0619e99544fa83815ccc6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 3 Sep 2019 15:53:04 +0200
Subject: [PATCH 100/113] chg: [collaborative-intelligence] request malware config added
Following feedback during a workshop session at a bank.
---
 MANIFEST.json | 2 +-
 collaborative-intelligence/machinetag.json | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index d2f6c2b..862b361 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -61,7 +61,7 @@ "description": "CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place." }, { - "version": 2, + "version": 3, "name": "collaborative-intelligence", "description": "Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP." }, diff --git a/collaborative-intelligence/machinetag.json b/collaborative-intelligence/machinetag.json index d33aa22..b67abd8 100644 --- a/collaborative-intelligence/machinetag.json +++ b/collaborative-intelligence/machinetag.json @@ -2,7 +2,7 @@ "namespace": "collaborative-intelligence", "expanded": "collaborative intelligence support language", "description": "Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP. The objective of this language is to advance collaborative analysis and to share earlier than later.", - "version": 2, + "version": 3, "predicates": [ { "value": "request", @@ -18,6 +18,11 @@ "value": "sample", "expanded": "Request a binary sample" }, + { + "value": "extracted-malware-config", + "expanded": "Extracted malware config", + "description": "Request of the malware configuration extracted from the malware sample tagged." + }, { "value": "deobfuscated-sample", "expanded": "Request a deobfuscated sample of the shared sample" From 5e52a0aee3924ad714ec0593a4103a6df9edc609 Mon Sep 17 00:00:00 2001 From: Dennis Rand Date: Thu, 5 Sep 2019 20:38:24 +0200 Subject: [PATCH 101/113] Added Course of Action A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability. --- MANIFEST.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MANIFEST.json b/MANIFEST.json index 862b361..61c5428 100644 
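Review bot: The new `extracted-malware-config` entry under the `request` predicate breaks the phrasing of its visible siblings (`Request a binary sample`, `Request a deobfuscated sample of the shared sample`), whose `expanded` strings read as the request itself, and it is the only one carrying a separate `description`. `"expanded": "Request the configuration extracted from the malware sample"` keeps the list uniform and makes the added `description` (whose `Request of the malware configuration` is also awkward) unnecessary. The version bump from 2 to 3 is applied consistently in both `MANIFEST.json` and the taxonomy file.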
--- a/MANIFEST.json +++ b/MANIFEST.json @@ -499,11 +499,16 @@ "description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project", "version": 1, "name": "ics" + }, + { + "name": "course-of-action", + "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.", + "version": 1 } ], "path": "machinetag.json", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190827" + "version": "20190905" } From 5a1bf6e9be040b5a67451a6af3b4bfa72bf686fa Mon Sep 17 00:00:00 2001 From: Dennis Rand Date: Thu, 5 Sep 2019 20:39:56 +0200 Subject: [PATCH 102/113] Added Course of Action A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability. --- course-of-action/machinetag.json | 56 ++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 course-of-action/machinetag.json diff --git a/course-of-action/machinetag.json b/course-of-action/machinetag.json new file mode 100644 index 0000000..0f62b8d --- /dev/null +++ b/course-of-action/machinetag.json 
@@ -0,0 +1,56 @@ +{ + "namespace": "course-of-action", + "expanded": "Courses of Action", + "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.", + "version": 1, + "predicates": [ + { + "value": "passive", + "expanded": "Passive actions have no influence of the adversarys doing." + }, + { + "value": "active", + "expanded": "Active actions can impact the adversary doing." + } + ], + "values": [ + { + "predicate": "passive", + "entry": [ + { + "value": "discover", + "expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past." + }, + { + "value": "detect", + "expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered." + } + ] + }, + { + "predicate": "active", + "entry": [ + { + "value": "deny", + "expanded": "The deny action prevents the event from taking place. Common examples include a firewall block or a proxy filter." + }, + { + "value": "disrupt", + "expanded": "Disruption makes the event fail as it is occurring. Examples include quarantining or memory protection measures." + }, + { + "value": "degrade", + "expanded": "Degrading will not immediately fail an event, but it will slow down the further actions of the attacker. 
This tactic allows you to catch up during an incident response process, but you have to consider that the attackers may eventually succeed in achieving their objectives. Throttling bandwidth is one way to degrade an intrusion." + }, + { + "value": "decieve", + "expanded": "Deception allows you to learn more about the intentions of the attacker by making them think the action was successful. One way to do this is to put a honeypot in place and redirect the traffic, based on an indicator, towards the honeypot." + }, + { + "value": "destroy", + "expanded": "The destroy action is rarely for 'usual' defenders, as this is an offensive action against the attacker. These actions, including physical destructive actions and arresting the attackers, are usually left to law enforcement agencies." + } + ] + } + ] +} From 206c70ddf9a1141cc30835322e27eeaa5e1bb3b0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 9 Sep 2019 09:49:52 +0200 Subject: [PATCH 103/113] chg: [false-positive] confirmed predicate added --- false-positive/machinetag.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/false-positive/machinetag.json b/false-positive/machinetag.json index 6a2b153..23420dc 100644 --- a/false-positive/machinetag.json +++ b/false-positive/machinetag.json @@ -1,13 +1,18 @@ { "namespace": "false-positive", "description": "This taxonomy aims to ballpark the expected amount of false positives.", - "version": 2, + "version": 3, "expanded": "False positive", "predicates": [ { "value": "risk", "expanded": "Risk", "description": "Risk of having false positives in the tagged value." + }, + { + "value": "confirmed", + "expanded": "Confirmed", + "description": "Confirmed false positives in the tagged value." } ], "values": [ From 025497be515494703f008bc4aec8cbde742c12a3 Mon Sep 17 00:00:00 2001 
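Review bot: The namespace `description` says the analysis considers six courses of action, but the file defines seven (`discover`, `detect`, `deny`, `disrupt`, `degrade`, `decieve`, `destroy`), and this description is what users see in the taxonomy picker, so either the count or the list is wrong. The value `decieve` is misspelled and, being the tag string itself, is expensive to rename once events carry it; `"value": "deceive"` should be fixed before the taxonomy is published (the later commit on this page that corrects `deceive` touches `coa/machinetag.json`, not this file). The `detect` entry opens with `The passive action is setting up detection rules`, naming the predicate rather than the action; `The detect action sets up detection rules` is what is meant. In the `passive` predicate, `no influence of the adversarys doing` should read `no influence on the adversary's actions`.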
From: Alexandre Dulaunoy Date: Mon, 9 Sep 2019 09:52:29 +0200 Subject: [PATCH 104/113] chg: [MANIFEST] updated to the latest version --- MANIFEST.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MANIFEST.json b/MANIFEST.json index 862b361..ee7f5b0 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -361,7 +361,7 @@ "version": 1 }, { - "version": 2, + "version": 3, "name": "false-positive", "description": "This taxonomy aims to ballpark the expected amount of false positives." }, @@ -505,5 +505,5 @@ "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190827" + "version": "20190909" } From 633d640c9f819490a8fd9206aa082801ad520251 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 17 Sep 2019 22:27:28 +0200 Subject: [PATCH 105/113] chg: Reorder predicates in ICS --- ics/machinetag.json | 64 ++++++++++++++++++++++----------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/ics/machinetag.json b/ics/machinetag.json index ee918d3..54d60b2 100644 --- a/ics/machinetag.json +++ b/ics/machinetag.json 
@@ -1,44 +1,44 @@ { "predicates": [ { - "expanded": "OT Components Category", - "value": "ot-components-category" - }, - { - "expanded": "OT Operating Systems", - "value": "ot-operating-systems" - }, - { - "expanded": "OT IR Communication Interface", - "value": "ot-communication-interface" - }, - { - "expanded": "OT Network/Data Transmission Protocols in Process Automation", - "value": "ot-network-data-transmission-protocols-process-automation" - }, - { - "expanded": "OT Network/Data Transmission Protocols in Power System Automation", - "value": "ot-network-data-transmission-protocols-power-system-automation" - }, - { - "expanded": "OT Network/Data Transmission Protocols in Building Automation", - "value": "ot-network-data-transmission-protocols-building-automation" - }, - { - "expanded": "OT Network/Data Transmission Protocols in Industrial Control System", - "value": "ot-network-data-transmission-protocols-industrial-control-system" - }, - { - "expanded": "OT Network/Data Transmission Protocols in Automatic Meter Reading", - "value": "ot-network-data-transmission-protocols-automatic-meter-reading" + "value": "ot-security-issues", + "expanded": "OT IR Security Issues" }, { "expanded": "OT Network/Data Transmission Protocols in Automobile / Vehicle / Aviation", "value": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation" }, { - "value": "ot-security-issues", - "expanded": "OT IR Security Issues" + "expanded": "OT Network/Data Transmission Protocols in Automatic Meter Reading", + "value": "ot-network-data-transmission-protocols-automatic-meter-reading" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Industrial Control System", + "value": "ot-network-data-transmission-protocols-industrial-control-system" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Building Automation", + "value": "ot-network-data-transmission-protocols-building-automation" + }, + { + "expanded": "OT Network/Data Transmission Protocols 
in Power System Automation", + "value": "ot-network-data-transmission-protocols-power-system-automation" + }, + { + "expanded": "OT Network/Data Transmission Protocols in Process Automation", + "value": "ot-network-data-transmission-protocols-process-automation" + }, + { + "expanded": "OT IR Communication Interface", + "value": "ot-communication-interface" + }, + { + "expanded": "OT Operating Systems", + "value": "ot-operating-systems" + }, + { + "expanded": "OT Components Category", + "value": "ot-components-category" } ], "values": [ From 4edc8fa63d11e2a5b6d92b85f0c1d4992402ccd3 Mon Sep 17 00:00:00 2001 From: mokaddem Date: Mon, 23 Sep 2019 15:19:21 +0200 Subject: [PATCH 106/113] chg: [infoleak] Added IP address tag value --- infoleak/machinetag.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/infoleak/machinetag.json b/infoleak/machinetag.json index 1c1a6ce..c86ace2 100644 --- a/infoleak/machinetag.json +++ b/infoleak/machinetag.json @@ -33,7 +33,7 @@ "expanded": "Test" } ], - "version": 4, + "version": 5, "description": "A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information.", "namespace": "infoleak", "values": [ @@ -52,6 +52,10 @@ "value": "iban", "expanded": "IBAN" }, + { + "value": "ip", + "expanded": "IP address" + }, { "value": "mail", "expanded": "Mail" @@ -173,6 +177,10 @@ "value": "iban", "expanded": "IBAN" }, + { + "value": "ip", + "expanded": "IP address" + }, { "value": "mail", "expanded": "Mail" From c6390b57719a5498349f6bc38e9f214c44a3326c Mon Sep 17 00:00:00 2001 From: yannw Date: Tue, 1 Oct 2019 16:22:04 +0200 Subject: [PATCH 107/113] add report --- cssa/machinetag.json | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) 
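Review bot: The new `ip` entry in the infoleak taxonomy has no `description`, and unlike `iban` or `mail` the label `IP address` leaves open whether IPv6 addresses and private (RFC 1918) ranges are in scope, which is the distinction an analyst classifying a leak needs; `"description": "IPv4 or IPv6 address found in the leaked data"`, or the narrower scope if that is intended, would settle it. The two hunks add the same entry under what appear to be two different predicates, so whatever wording is chosen should be identical in both; the enclosing predicate of each hunk starts outside the hunk.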
diff --git a/cssa/machinetag.json b/cssa/machinetag.json index 78bbabe..1c8b2b9 100644 --- a/cssa/machinetag.json +++ b/cssa/machinetag.json @@ -11,6 +11,10 @@ "value": "origin", "expanded": "Origin" }, + { + "value": "report", + "expanded": "Report" + }, { "value": "analyse", "expanded": "Please analyse sample", @@ -41,6 +45,26 @@ } ] }, + { + "predicate": "report", + "entry": [ + { + "value": "details", + "expanded": "Description of the incidence.", + "colour": "#fbc166" + }, + { + "value": "link", + "expanded": "Link to the original report location.", + "colour": "#fbcb7f" + }, + { + "value": "attached", + "expanded": "Attached report.", + "colour": "#fcd597" + } + ] + }, { "predicate": "origin", "entry": [ @@ -62,13 +86,18 @@ { "value": "email", "expanded": "Information coming out of email infrastructure.", - "colour": "#3cb08a" + "colour": "#3db08a" }, { "value": "3rd-party", "expanded": "Information from outside the company.", "colour": "#46c098" }, + { + "value": "report", + "expanded": "Information coming from a report.", + "colour": "#22644e" + }, { "value": "other", "expanded": "If none of the other origins applies.", From df75c655c4a7542e11b1ef4eeed6c34c8d1e1cc9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 18 Oct 2019 14:37:02 +0200 Subject: [PATCH 108/113] chg: [expiration] 10 years expiration --- retention/machinetag.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/retention/machinetag.json b/retention/machinetag.json index 80ebb7f..1f2bfea 100644 --- a/retention/machinetag.json +++ b/retention/machinetag.json 
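Review bot: The third hunk changes the `email` origin colour from `#3cb08a` to `#3db08a`, a one-character edit unrelated to the `report` additions and not mentioned in the commit title `add report`; if it is intentional it deserves a line in the message, otherwise it looks like a stray keystroke and should be reverted. In the new `report` predicate, `"expanded": "Description of the incidence."` should read `Description of the incident.`. The `report` predicate and the `origin:report` value share a name with different meanings (the report contents versus the report as a source of information), which is fine but worth a `description` on the predicate so the two are not confused when tags are read side by side.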
@@ -2,7 +2,7 @@ "namespace": "retention", "expanded": "retention", "description": "Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.", - "version": 1, + "version": 2, "refs": [ "https://en.wikipedia.org/wiki/Retention_period" ], @@ -56,6 +56,11 @@ "value": "1y", "expanded": "1 year", "numerical_value": 365 + }, + { + "value": "10y", + "expanded": "10 year", + "numerical_value": 3650 } ] } From 9a205bbf41f802f6a8d2bcc8b91531876bb0fd1f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 18 Oct 2019 14:38:33 +0200 Subject: [PATCH 109/113] chg: [MANIFEST] updated to the latest version --- MANIFEST.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MANIFEST.json b/MANIFEST.json index bd1d8eb..d4019b2 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -461,7 +461,7 @@ "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project." }, { - "version": 1, + "version": 2, "name": "retention", "description": "Retention taxonomy to describe the retention period of the tagged information." }, @@ -510,5 +510,5 @@ "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", "description": "Manifest file of MISP taxonomies available.", "license": "CC-0", - "version": "20190909" + "version": "20191018" } From 44ba78a0adf00182d3993f48f8051ae9694bba7c Mon Sep 17 00:00:00 2001 From: yannw Date: Tue, 22 Oct 2019 02:46:06 +0200 Subject: [PATCH 110/113] coa taxonomie to describe aktion taken --- coa/machinetag.json | 377 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 377 insertions(+) create mode 100644 coa/machinetag.json 
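Review bot: The new retention entry's `expanded` reads `10 year` while its visible sibling reads `1 year`; for ten the plural `"expanded": "10 years"` is the correct form. The `numerical_value` of 3650 follows the 365-per-year scale of the `1y` entry, and the namespace description states the field is used only for sorting, so the leap-day difference is immaterial here.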
diff --git a/coa/machinetag.json b/coa/machinetag.json
new file mode 100644
index 0000000..0a10cc9
--- /dev/null
+++ b/coa/machinetag.json
@@ -0,0 +1,377 @@ +{ + "namespace": "coa", + "description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.", + "version": 1, + "predicates": [ + { + "value": "discover", + "expanded": "Search historical data for an indicator." + }, + { + "value": "detect", + "expanded": "Set up a detection rule for an indicator for future alerting." + }, + { + "value": "deny", + "expanded": "Prevent an event from taking place." + }, + { + "value": "disrupt", + "expanded": "Make an event fail when it is taking place." + }, + { + "value": "degrade", + "expanded": "Slow down attacker activity; reduce attacker efficiency." + }, + { + "value": "deceive", + "expanded": "Pretend only that an action was successful or provide misinformation to the attacker." + }, + { + "value": "destroy", + "expanded": "Offensive action against the attacker." + } + ], + "values": [ + { + "predicate": "discover", + "entry": [ + { + "value": "proxy", + "expanded": "Searched historical proxy logs.", + "colour": "#005065" + }, + { + "value": "ids", + "expanded": "Searched historical IDS logs.", + "colour": "#00586f" + }, + { + "value": "firewall", + "expanded": "Searched historical firewall logs.", + "colour": "#005f78" + }, + { + "value": "pcap", + "expanded": "Discovered in packet-capture logs", + "colour": "#006681" + }, + { + "value": "remote-access", + "expanded": "Searched historical remote access logs.", + "colour": "#006e8b" + }, + { + "value": "authentication", + "expanded": "Searched historical authentication logs.", + "colour": "#007594" + }, + { + "value": "honeypot", + "expanded": "Searched historical honeypot data.", + "colour": "#007c9d" + }, + { + "value": "syslog", + "expanded": "Searched historical system logs.", + "colour": "#0084a6" + }, + { + "value": "web", + "expanded": "Searched historical WAF and web application logs.", + "colour": "#008bb0" + }, + { + "value": "database", + "expanded": "Searched historcial 
database logs.",
+ "colour": "#0092b9"
+ },
+ {
+ "value": "mail",
+ "expanded": "Searched historical mail logs.",
+ "colour": "#009ac2"
+ },
+ {
+ "value": "antivirus",
+ "expanded": "Searched historical antivirus alerts.",
+ "colour": "#00a1cb"
+ },
+ {
+ "value": "malware-collection",
+ "expanded": "Retro hunted in a malware collection.",
+ "colour": "#00a8d5"
+ },
+ {
+ "value": "other",
+ "expanded": "Searched other historical data.",
+ "colour": "#00b0de"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#00b7e7"
+ }
+ ]
+ },
+ {
+ "predicate": "detect",
+ "entry": [
+ {
+ "value": "proxy",
+ "expanded": "Detect by Proxy infrastructure",
+ "colour": "#0abdeb"
+ },
+ {
+ "value": "nids",
+ "expanded": "Detect by Network Intrusion detection system.",
+ "colour": "#13c5f4"
+ },
+ {
+ "value": "hids",
+ "expanded": "Detect by Host Intrusion detection system.",
+ "colour": "#24c9f5"
+ },
+ {
+ "value": "other",
+ "expanded": "Detect by other tools.",
+ "colour": "#35cef5"
+ },
+ {
+ "value": "syslog",
+ "expanded": "Detect in system logs.",
+ "colour": "#45d2f6"
+ },
+ {
+ "value": "firewall",
+ "expanded": "Detect by firewall.",
+ "colour": "#56d6f7"
+ },
+ {
+ "value": "email",
+ "expanded": "Detect by MTA.",
+ "colour": "#67daf8"
+ },
+ {
+ "value": "web",
+ "expanded": "Detect by web infrastructure including WAF.",
+ "colour": "#78def8"
+ },
+ {
+ "value": "database",
+ "expanded": "Detect in database.",
+ "colour": "#89e2f9"
+ },
+ {
+ "value": "remote-access",
+ "expanded": "Detect in remote-access logs.",
+ "colour": "#9ae6fa"
+ },
+ {
+ "value": "malware-collection",
+ "expanded": "Detect in malware-collection.",
+ "colour": "#aaeafb"
+ },
+ {
+ "value": "antivirus",
+ "expanded": "Detect with antivirus.",
+ "colour": "#bbeefb"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#ccf2fc"
+ }
+ ]
+ },
+ {
+ "predicate": "deny",
+ "entry": [
+ {
+ "value": "proxy",
+ "expanded": "Implemented a proxy filter.",
+ "colour": "#f09105"
+ },
+ {
+ "value": "firewall",
+ "expanded": "Implemented a block rule on a firewall.",
+ "colour": "#f99a0e"
+ },
+ {
+ "value": "waf",
+ "expanded": "Implemented a block rule on a web application firewall.",
+ "colour": "#f9a11f"
+ },
+ {
+ "value": "email",
+ "expanded": "Implemented a filter on a mail transfer agent.",
+ "colour": "#faa830"
+ },
+ {
+ "value": "chroot",
+ "expanded": "Implemented a chroot jail.",
+ "colour": "#faaf41"
+ },
+ {
+ "value": "remote-access",
+ "expanded": "Blocked an account for remote access.",
+ "colour": "#fbb653"
+ },
+ {
+ "value": "other",
+ "expanded": "Denied an action by other means.",
+ "colour": "#fbbe64"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#fbc575"
+ }
+ ]
+ },
+ {
+ "predicate": "disrupt",
+ "entry": [
+ {
+ "value": "nips",
+ "expanded": "Implemented a rule on a network IPS.",
+ "colour": "#660389"
+ },
+ {
+ "value": "hips",
+ "expanded": "Implemented a rule on a host-based IPS.",
+ "colour": "#73039a"
+ },
+ {
+ "value": "other",
+ "expanded": "Disrupted an action by other means.",
+ "colour": "#8003ab"
+ },
+ {
+ "value": "email",
+ "expanded": "Quarantined an email.",
+ "colour": "#8d04bd"
+ },
+ {
+ "value": "memory-protection",
+ "expanded": "Implemented memory protection like DEP and/or ASLR.",
+ "colour": "#9a04ce"
+ },
+ {
+ "value": "sandboxing",
+ "expanded": "Exploded in a sandbox.",
+ "colour": "#a605df"
+ },
+ {
+ "value": "antivirus",
+ "expanded": "Activated an antivirus signature.",
+ "colour": "#b305f0"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#bc0ef9"
+ }
+ ]
+ },
+ {
+ "predicate": "degrade",
+ "entry": [
+ {
+ "value": "bandwidth",
+ "expanded": "Throttled the bandwidth.",
+ "colour": "#0421ce"
+ },
+ {
+ "value": "tarpit",
+ "expanded": "Implement a network tarpit.",
+ "colour": "#0523df"
+ },
+ {
+ "value": "other",
+ "expanded": "Degraded an action by other means.",
+ "colour": "#0526f0"
+ },
+ {
+ "value": "email",
+ "expanded": "Queued an email.",
+ "colour": "#0e2ff9"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#1f3ef9"
+ }
+ ]
+ },
+ {
+ "predicate": "decieve",
+ "entry": [
+ {
+ "value": "honeypot",
+ "expanded": "Implemented an interactive honeypot.",
+ "colour": "#0eb274"
+ },
+ {
+ "value": "DNS",
+ "expanded": "Implemented DNS redirects, e.g. a response policy zone.",
+ "colour": "#10c37f"
+ },
+ {
+ "value": "other",
+ "expanded": "Deceived the attacker with other technology.",
+ "colour": "#11d389"
+ },
+ {
+ "value": "email",
+ "expanded": "Implemented email redirection.",
+ "colour": "#12e394"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#1bec9d"
+ }
+ ]
+ },
+ {
+ "predicate": "destroy",
+ "entry": [
+ {
+ "value": "arrest",
+ "expanded": "Arrested the threat actor.",
+ "colour": "#c33210"
+ },
+ {
+ "value": "seize",
+ "expanded": "Seized attacker infrastructure.",
+ "colour": "#d33611"
+ },
+ {
+ "value": "physical",
+ "expanded": "Physically destroyed attacker hardware.",
+ "colour": "#e33b12"
+ },
+ {
+ "value": "dos",
+ "expanded": "Performed a denial-of-service attack against attacker infrastructure.",
+ "colour": "#ec441b"
+ },
+ {
+ "value": "hack-back",
+ "expanded": "Hack back against the threat actor.",
+ "colour": "#ed512b"
+ },
+ {
+ "value": "other",
+ "expanded": "Carried out other offensive actions against the attacker.",
+ "colour": "#ee5e3b"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#f06c4c"
+ }
+ ]
+ }
+ ]
+}
From 6714b04f011c18e33bcfc0f1e129f7ad951cfb4a Mon Sep 17 00:00:00 2001 From: yannw Date: Tue, 22 Oct 2019 03:13:08 +0200 Subject: [PATCH 111/113] Update MANIFEST.json
---
MANIFEST.json | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/MANIFEST.json b/MANIFEST.json
index bd1d8eb..4672424 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -60,6 +60,11 @@
"name": "circl",
"description": "CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place."
},
+ {
+ "version": 1,
+ "name": "coa",
+ "description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack."
+ },
{
"version": 3,
"name": "collaborative-intelligence",
From 81179ad7c30c8db31d363575f51b90106b17b7f1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 23 Oct 2019 11:18:57 +0200 Subject: [PATCH 112/113] chg: [MANIFEST] jq all the things
---
MANIFEST.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 862a198..ce44525 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -63,7 +63,7 @@
{
"version": 1,
"name": "coa",
- "description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack."
+ "description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack."
},
{
"version": 3,
From 47a4080c14bb0100e00ccd45d564505f06c5ac20 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 23 Oct 2019 11:43:35 +0200 Subject: [PATCH 113/113] chg: [coa] typo fixed for deceive
---
MANIFEST.json | 4 ++-- coa/machinetag.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index ce44525..ba0624a 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
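Review bot: The new `coa` entry makes this the second course-of-action taxonomy in the manifest — a `course-of-action` entry ("A Course Of Action analysis considers six potential courses of action…") is visible further down in the later MANIFEST.json hunk on this page — and neither description tells a consumer which namespace applies to which use. Since MISP tooling selects a taxonomy by `name`, two near-identical names invite confusion, so the description line in the `@@ -60,6 +60,11 @@` hunk should state the distinction, e.g. `"description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack (per-incident tagging; not the course-of-action capability-analysis taxonomy)."`. The follow-up commit on this page rewrites the same description line with no visible textual change, which presumably means whitespace or formatting differed; running jq_all_the_things.sh before committing would avoid that second commit.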
@@ -508,12 +508,12 @@
{
"name": "course-of-action",
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
- "version": 1
+ "version": 2
}
],
"path": "machinetag.json",
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
"description": "Manifest file of MISP taxonomies available.",
"license": "CC-0",
- "version": "20191018"
+ "version": "20191023"
}
diff --git a/coa/machinetag.json b/coa/machinetag.json
index 0a10cc9..8ac2e39 100644
--- a/coa/machinetag.json
+++ b/coa/machinetag.json
@@ -1,7 +1,7 @@
{
"namespace": "coa",
"description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.",
- "version": 1,
+ "version": 2,
"predicates": [
{
"value": "discover",
@@ -304,7 +304,7 @@
]
},
{
- "predicate": "decieve",
+ "predicate": "deceive",
"entry": [
{
"value": "honeypot",
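Review bot: The version bump in the `@@ -508,12 +508,12 @@` hunk lands on the wrong manifest entry: the commit raises `coa/machinetag.json` to `"version": 2` (the next hunk on this page), but the MANIFEST.json line changed here belongs to `"name": "course-of-action"`, while the `coa` entry at line 63 (visible in the earlier hunks) stays at `"version": 1`. A consumer that compares manifest versions against the taxonomy files will therefore never pick up the `deceive` fix for `coa`, and will see a spurious update for `course-of-action` whose machinetag.json this commit does not touch. The `- "version": 1` / `+ "version": 2` pair should move to the `coa` entry, leaving the `course-of-action` entry untouched; the manifest-level `"version": "20191023"` date bump is fine as is.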