MISP
/
misp-taxonomies
mirror of https://github.com/MISP/misp-taxonomies
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'main' of https://github.com/syloktools/misp-taxonomies

pull/255/head
Robert Nixon 2022-09-21 11:50:32 +02:00
parent 4e96197001 5a5716bf39
commit ab2255b8f0
3 changed files with 216 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
MANIFEST.json
View File

@ -306,13 +306,18 @@
{
"description": "This taxonomy aims to ballpark the expected amount of false positives.",
"name": "false-positive",
"version": 5
"version": 7
},
{
"description": "List of known file types.",
"name": "file-type",
"version": 1
},
{
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"name": "financial",
"version": 3
},
{
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
"name": "flesch-reading-ease",
@ -664,9 +669,9 @@
"version": 1
},
{
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four labels used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST.",
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
"name": "tlp",
"version": 6
"version": 7
},
{
"description": "Taxonomy to describe Tor network infrastructure",
@ -715,5 +720,5 @@
}
],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
"version": "20220803"
"version": "20220918"
}

64
README.md
View File

@ -27,6 +27,11 @@ DFRLab Dichotomies of Disinformation. [Overview](https://www.misp-project.org/ta
[DML](https://github.com/MISP/misp-taxonomies/tree/main/DML) :
The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. [Overview](https://www.misp-project.org/taxonomies.html#_dml)
### GrayZone
[GrayZone](https://github.com/MISP/misp-taxonomies/tree/main/GrayZone) :
Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling. [Overview](https://www.misp-project.org/taxonomies.html#_grayzone)
### PAP
[PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) :
@ -72,6 +77,11 @@ A series of assessment predicates describing the analyst capabilities to perform
[approved-category-of-action](https://github.com/MISP/misp-taxonomies/tree/main/approved-category-of-action) :
A pre-approved category of action for indicators being shared with partners (MIMIC). [Overview](https://www.misp-project.org/taxonomies.html#_approved_category_of_action)
### artificial-satellites
[artificial-satellites](https://github.com/MISP/misp-taxonomies/tree/main/artificial-satellites) :
This taxonomy was designed to describe artificial satellites [Overview](https://www.misp-project.org/taxonomies.html#_artificial_satellites)
### binary-class
[binary-class](https://github.com/MISP/misp-taxonomies/tree/main/binary-class) :
@ -87,6 +97,11 @@ Internal taxonomy for CCCS. [Overview](https://www.misp-project.org/taxonomies.h
[circl](https://github.com/MISP/misp-taxonomies/tree/main/circl) :
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_circl)
### cnsd
[cnsd](https://github.com/MISP/misp-taxonomies/tree/main/cnsd) :
La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú. [Overview](https://www.misp-project.org/taxonomies.html#_cnsd)
### coa
[coa](https://github.com/MISP/misp-taxonomies/tree/main/coa) :
@ -182,11 +197,21 @@ Distributed Denial of Service - or short: DDoS - taxonomy supports the descripti
[de-vs](https://github.com/MISP/misp-taxonomies/tree/main/de-vs) :
German (DE) Government classification markings (VS). [Overview](https://www.misp-project.org/taxonomies.html#_de_vs)
### death-possibilities
[death-possibilities](https://github.com/MISP/misp-taxonomies/tree/main/death-possibilities) :
Taxonomy of Death Possibilities [Overview](https://www.misp-project.org/taxonomies.html#_death_possibilities)
### deception
[deception](https://github.com/MISP/misp-taxonomies/tree/main/deception) :
Deception is an important component of information operations, valuable for both offense and defense. [Overview](https://www.misp-project.org/taxonomies.html#_deception)
### dga
[dga](https://github.com/MISP/misp-taxonomies/tree/main/dga) :
A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others. [Overview](https://www.misp-project.org/taxonomies.html#_dga)
### dhs-ciip-sectors
[dhs-ciip-sectors](https://github.com/MISP/misp-taxonomies/tree/main/dhs-ciip-sectors) :
@ -197,6 +222,11 @@ DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors [
[diamond-model](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model) :
The Diamond Model for Intrusion Analysis establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model)
### diamond-model-for-influence-operations
[diamond-model-for-influence-operations](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model-for-influence-operations) :
The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model_for_influence_operations)
### dni-ism
[dni-ism](https://github.com/MISP/misp-taxonomies/tree/main/dni-ism) :
@ -275,7 +305,7 @@ Exercise is a taxonomy to describe if the information is part of one or more cyb
### extended-event
[extended-event](https://github.com/MISP/misp-taxonomies/tree/main/extended-event) :
Reasons why an event has been extended. [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
### failure-mode-in-machine-learning
@ -292,6 +322,11 @@ This taxonomy aims to ballpark the expected amount of false positives. [Overview
[file-type](https://github.com/MISP/misp-taxonomies/tree/main/file-type) :
List of known file types. [Overview](https://www.misp-project.org/taxonomies.html#_file_type)
### financial
[financial](https://github.com/MISP/misp-taxonomies/tree/main/financial) :
Financial taxonomy to describe financial services, infrastructure and financial scope. [Overview](https://www.misp-project.org/taxonomies.html#_financial)
### flesch-reading-ease
[flesch-reading-ease](https://github.com/MISP/misp-taxonomies/tree/main/flesch-reading-ease) :
@ -497,6 +532,11 @@ NATO classification markings. [Overview](https://www.misp-project.org/taxonomies
[nis](https://github.com/MISP/misp-taxonomies/tree/main/nis) :
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 September 2017, also known as the blueprint. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis)
### nis2
[nis2](https://github.com/MISP/misp-taxonomies/tree/main/nis2) :
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis2)
### open_threat
[open_threat](https://github.com/MISP/misp-taxonomies/tree/main/open_threat) :
@ -527,6 +567,11 @@ Penetration test (pentest) classification. [Overview](https://www.misp-project.o
[phishing](https://github.com/MISP/misp-taxonomies/tree/main/phishing) :
Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status. [Overview](https://www.misp-project.org/taxonomies.html#_phishing)
### poison-taxonomy
[poison-taxonomy](https://github.com/MISP/misp-taxonomies/tree/main/poison-taxonomy) :
Non-exhaustive taxonomy of natural poison [Overview](https://www.misp-project.org/taxonomies.html#_poison_taxonomy)
### political-spectrum
[political-spectrum](https://github.com/MISP/misp-taxonomies/tree/main/political-spectrum) :
@ -537,11 +582,21 @@ A political spectrum is a system to characterize and classify different politica
[priority-level](https://github.com/MISP/misp-taxonomies/tree/main/priority-level) :
After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System. [Overview](https://www.misp-project.org/taxonomies.html#_priority_level)
### pyoti
[pyoti](https://github.com/MISP/misp-taxonomies/tree/main/pyoti) :
PyOTI automated enrichment schemes for point in time classification of indicators. [Overview](https://www.misp-project.org/taxonomies.html#_pyoti)
### ransomware
[ransomware](https://github.com/MISP/misp-taxonomies/tree/main/ransomware) :
Ransomware is used to define ransomware types and the elements that compose them. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware)
### ransomware-roles
[ransomware-roles](https://github.com/MISP/misp-taxonomies/tree/main/ransomware-roles) :
The seven roles seen in most ransomware incidents. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware_roles)
### retention
[retention](https://github.com/MISP/misp-taxonomies/tree/main/retention) :
@ -625,7 +680,7 @@ An overview of some of the known attacks related to DNS as described by Torabi,
### tlp
[tlp](https://github.com/MISP/misp-taxonomies/tree/main/tlp) :
The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
### tor
@ -672,11 +727,6 @@ Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de prob
[workflow](https://github.com/MISP/misp-taxonomies/tree/main/workflow) :
Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information. [Overview](https://www.misp-project.org/taxonomies.html#_workflow)
### workflow
[workflow](https://github.com/MISP/misp-taxonomies/tree/main/workflow) :
Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information. [Overview](https://www.misp-project.org/taxonomies.html#_workflow)
# Reserved Taxonomy
The following taxonomy namespaces are reserved and used internally to MISP.

150
financial/machinetag.json Normal file
View File

@ -0,0 +1,150 @@
{
"predicates": [
{
"description": "Categories and types of services in the financial scope. An entity can be tag with one or more categories or types of services.",
"expanded": "Categories and types of services",
"value": "categories-and-types-of-services"
},
{
"description": "Geographical footprint of the financial entity.",
"expanded": "Geographical footprint",
"value": "geographical-footprint"
},
{
"description": "Online presence of the financial entity.",
"expanded": "Online presence",
"value": "online-presence"
},
{
"description": "Physical presence of the financial entity.",
"expanded": "Physical presence",
"value": "physical-presence"
}
],
"values": [
{
"predicate": "categories-and-types-of-services",
"entry": [
{
"value": "banking",
"expanded": "Banking",
"description": "Financial entity described or/and regulated as banking."
},
{
"value": "private",
"expanded": "Private",
"description": "Financial entity engaged in private banking."
},
{
"value": "retail",
"expanded": "Retail",
"description": "Financial entity engaged in retail banking."
},
{
"value": "custodian-banking",
"expanded": "Custodian banking",
"description": "Financial entity having physical possessions of clients financial assets or instruments."
},
{
"value": "stock-exchange",
"expanded": "Stock exchange",
"description": "Financial entity having a stock exchange where securities are exchanged."
},
{
"value": "fund-management",
"expanded": "Fund management",
"description": "Financial entity managing financial assets on behalf of others."
},
{
"value": "it-provider",
"expanded": "IT provider",
"description": "IT provider supporting financial entities and regulated in the financial legal framework (such as support PFS in Luxembourg)."
},
{
"value": "e-money-and-payment",
"expanded": "e-money and payment",
"description": "Financial entity managing electronic money as alternative to cash payment. (EU directive - Directive 2009/110/EC)"
},
{
"value": "other",
"expanded": "Other",
"description": "Other entity classified as financial entity with other activities not defined in this taxonomy."
}
]
},
{
"predicate": "geographical-footprint",
"entry": [
{
"value": "client-coverage-local",
"expanded": "Client coverage is local",
"description": "Client and customer coverage is local to the financial entity (such as a country)."
},
{
"value": "client-coverage-eu",
"expanded": "Client coverage in EU",
"description": "Client and customer coverage is limited to the European Union."
},
{
"value": "client-coverage-worldwide",
"expanded": "Client coverage is worldwide",
"description": "Client and customer coverage is worldwide."
},
{
"value": "corporate-structure-local",
"expanded": "Corporate structure is local",
"description": "Corporate structure is local to the financial entity (such as a country)."
},
{
"value": "corporate-structure-eu",
"expanded": "Corporate structure in EU",
"description": "Corporate structure is located in the European Union."
},
{
"value": "corporate-structure-worldwide",
"expanded": "Corporate structure is worldwide",
"description": "Corporate structure is located worldwide."
}
]
},
{
"predicate": "online-presence",
"entry": [
{
"value": "limited",
"expanded": "Limited",
"description": "Online presence of the financial entity is limited such as just a public web server and/or email services."
},
{
"value": "extended",
"expanded": "Extended",
"description": "Online presence of the financial entity is extended with online services for the clients and customers but still with a physical presence."
},
{
"value": "crucial",
"expanded": "Crucial",
"description": "Online presence of the financial entity is crucial and only includes online services without physical presence."
}
]
},
{
"predicate": "physical-presence",
"entry": [
{
"value": "atm",
"expanded": "Automated teller machines",
"description": "The financial entity owns and/or operates automated teller machines (ATM)."
},
{
"value": "pos",
"expanded": "Point of sale terminals",
"description": "The financial entity owns and/or operates point of sale terminals (POS)."
}
]
}
],
"version": 4,
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"expanded": "Financial",
"namespace": "financial"
}