From 0c53aa893a725b8c81a3fbee8dabd27dbf94ee26 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Sep 2022 10:22:25 +0200
Subject: [PATCH 1/5] new: [financial] a new financial taxonomy to better
financial entity in MISP
---
MANIFEST.json | 13 +++++---
financial/machinetag.json | 65 +++++++++++++++++++++++++++++++++++++++
2 files changed, 74 insertions(+), 4 deletions(-)
create mode 100644 financial/machinetag.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 99a1447..66e46bf 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -306,13 +306,18 @@
{
"description": "This taxonomy aims to ballpark the expected amount of false positives.",
"name": "false-positive",
- "version": 5
+ "version": 7
},
{
"description": "List of known file types.",
"name": "file-type",
"version": 1
},
+ {
+ "description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
+ "name": "financial",
+ "version": 1
+ },
{
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
"name": "flesch-reading-ease",
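Review bot: The version bumps for false-positive (5 to 7) in this hunk and tlp (6 to 7) in the next one are unrelated to the financial taxonomy the subject announces, and the false-positive entry skips a version without any matching machinetag.json change in this series. If MANIFEST.json was regenerated from the per-taxonomy files, saying so in the commit message would explain the extra entries; otherwise they belong in their own commits. The new tlp description also keeps the phrase `no more validated by FIRST SIG`, which reads better as `no longer validated by FIRST SIG`.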
@@ -664,9 +669,9 @@
"version": 1
},
{
- "description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four labels used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST.",
+ "description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
"name": "tlp",
- "version": 6
+ "version": 7
},
{
"description": "Taxonomy to describe Tor network infrastructure",
@@ -715,5 +720,5 @@
}
],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
- "version": "20220803"
+ "version": "20220918"
}
diff --git a/financial/machinetag.json b/financial/machinetag.json
new file mode 100644
index 0000000..7e3043d
--- /dev/null
+++ b/financial/machinetag.json
@@ -0,0 +1,65 @@
+{
+ "predicates": [
+ {
+ "description": "Categories and types of services in the financial scope. An entity can be tag with one or more categories or types of services.",
+ "expanded": "Categories and types of services",
+ "value": "categories-and-types-of-services"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "categories-and-types-of-services",
+ "entry": [
+ {
+ "value": "banking",
+ "expanded": "Bamking",
+ "description": "Financial entity described or/and regulated as banking."
+ },
+ {
+ "value": "private",
+ "expanded": "Private",
+ "description": "Financial entity engaged in private banking."
+ },
+ {
+ "value": "retail",
+ "expanded": "Retail",
+ "description": "Financial entity engaged in retail banking."
+ },
+ {
+ "value": "custodian-banking",
+ "expanded": "Custodian banking",
+ "description": "Financial entity having physical possessions of clients financial assets or instruments."
+ },
+ {
+ "value": "stock-exchange",
+ "expanded": "Stock exchange",
+ "description": "Financial entity having a stock exchange where securities are exchanged."
+ },
+ {
+ "value": "fund-management",
+ "expanded": "Fund management",
+ "description": "Financial entity managing financial assets on behalf of others."
+ },
+ {
+ "value": "it-provider",
+ "expanded": "IT provider",
+ "description": "IT provider supporting financial entities and regulated in the financial legal framework (such as support PFS in Luxembourg)."
+ },
+ {
+ "value": "e-money-and-payment",
+ "expanded": "e-money and payment",
+ "description": "Financial entity managing electronic money as alternative to cash payment. (EU directive - Directive 2009/110/EC)"
+ },
+ {
+ "value": "other",
+ "expanded": "Other",
+ "description": "Other entity classified as financial entity with other activities not defined in this taxonomy."
+ }
+ ]
+ }
+ ],
+ "version": 1,
+ "description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
+ "expanded": "Financial",
+ "namespace": "financial"
+}
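Review bot: The entry values under categories-and-types-of-services are named inconsistently: `private` and `retail` are described as private and retail banking while their sibling is `custodian-banking`, so `private-banking` and `retail-banking` would read unambiguously as tags. Two descriptions also need wording fixes: `"description": "Categories and types of services in the financial scope. An entity can be tagged with one or more categories or types of services."` and `"description": "Financial entity having physical possession of clients' financial assets or instruments."`. Since this is the initial version, renaming the values now avoids a breaking tag change once the taxonomy is in use.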
From f82547e72bdab4ffb1fbef3c41889e38a9def41d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Sep 2022 11:16:22 +0200
Subject: [PATCH 2/5] chg: [financial] improved financial taxonomy
---
financial/machinetag.json | 67 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 66 insertions(+), 1 deletion(-)
diff --git a/financial/machinetag.json b/financial/machinetag.json
index 7e3043d..8774735 100644
--- a/financial/machinetag.json
+++ b/financial/machinetag.json
@@ -4,6 +4,16 @@
"description": "Categories and types of services in the financial scope. An entity can be tag with one or more categories or types of services.",
"expanded": "Categories and types of services",
"value": "categories-and-types-of-services"
+ },
+ {
+ "description": "Geographical footprint of the financial entity.",
+ "expanded": "Geographical footprint",
+ "value": "geographical-footprint"
+ },
+ {
+ "description": "Online presence of the financial entity.",
+ "expanded": "Online presence",
+ "value": "online-presence"
}
],
"values": [
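Review bot: The new online-presence predicate has graded levels (limited, extended, crucial in the second hunk) that cannot sensibly coexist on one entity, yet the predicate object carries no `"exclusive": true`, so all three tags can be applied at once. Adding `"exclusive": true` to the online-presence predicate object would enforce the single-level intent; geographical-footprint cannot take the same flag as written, because it mixes client-coverage and corporate-structure values in one predicate.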
@@ -56,9 +66,64 @@
"description": "Other entity classified as financial entity with other activities not defined in this taxonomy."
}
]
+ },
+ {
+ "predicate": "geographical-footprint",
+ "entry": [
+ {
+ "value": "client-coverage-local",
+ "expanded": "Client coverage is local",
+ "description": "Client and customer coverage is local to the financial entity (such as a country)."
+ },
+ {
+ "value": "client-coverage-eu",
+ "expanded": "Client coverage in EU",
+ "description": "Client and customer coverage is limited to the European Union."
+ },
+ {
+ "value": "client-coverage-worldwide",
+ "expanded": "Client coverage is worldwide",
+ "description": "Client and customer coverage is worldwide."
+ },
+ {
+ "value": "corporate-structure-local",
+ "expanded": "Corporate structure is local",
+ "description": "Corporate structure is local to the financial entity (such as a country)."
+ },
+ {
+ "value": "corporate-structure-eu",
+ "expanded": "Corporate structure in EU",
+ "description": "Corporate structure is located in the European Union."
+ },
+ {
+ "value": "corporate-structure-worlwide",
+ "expanded": "Corporate structure is worldwide",
+ "description": "Corporate structure is located worldwide."
+ }
+ ]
+ },
+ {
+ "predicate": "online-presence",
+ "entry": [
+ {
+ "value": "limited",
+ "expanded": "Limited",
+ "description": "Online presence of the financial entity is limited such as just a public web server and/or email services."
+ },
+ {
+ "value": "extended",
+ "expanded": "Extended",
+ "description": "Online presence of the financial entity is extended with online services for the clients and customers but still with a physical presence."
+ },
+ {
+ "value": "crucial",
+ "expanded": "Crucial",
+ "description": "Online presence of the financial entity is crucial and only includes online serices without physical presence."
+ }
+ ]
}
],
- "version": 1,
+ "version": 2,
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"expanded": "Financial",
"namespace": "financial"
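Review bot: The geographical-footprint predicate folds two independent dimensions, client coverage and corporate structure, into one value list, so an entity needs two tags from the same predicate and the values repeat the dimension as a prefix (`client-coverage-local`, `corporate-structure-local`). Two predicates, say `client-coverage` and `corporate-structure`, each with values `local`, `eu` and `worldwide`, would give shorter tags and allow each to be marked exclusive. The descriptions for the EU values also differ in wording ("limited to" versus "located in") where the same phrasing would help.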
From eb6e250b8c3c3f2df3d4bddd3f895ee4147bbafb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Sep 2022 11:26:17 +0200
Subject: [PATCH 3/5] chg: [financial] updated with physical presence
---
financial/machinetag.json | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/financial/machinetag.json b/financial/machinetag.json
index 8774735..17a3168 100644
--- a/financial/machinetag.json
+++ b/financial/machinetag.json
@@ -14,6 +14,11 @@
"description": "Online presence of the financial entity.",
"expanded": "Online presence",
"value": "online-presence"
+ },
+ {
+ "description": "Physical presence of the financial entity.",
+ "expanded": "Physical presence",
+ "value": "physical-presence"
}
],
"values": [
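Review bot: The physical-presence predicate description, `"Physical presence of the financial entity."`, suggests branch or office presence, while the values added in the second hunk are only owned or operated ATM and POS terminals; this clashes with the online-presence descriptions, which already use "physical presence" to mean the opposite of online-only. A description such as `"description": "Physical infrastructure, such as ATM or POS terminals, owned or operated by the financial entity."` would match the values, or a branch value could be added if that meaning is intended.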
@@ -121,9 +126,24 @@
"description": "Online presence of the financial entity is crucial and only includes online serices without physical presence."
}
]
+ },
+ {
+ "predicate": "physical-presence",
+ "entry": [
+ {
+ "value": "atm",
+ "expanded": "Automated teller machines",
+ "description": "The financial entity owns and/or operates automated teller machines (ATM)."
+ },
+ {
+ "value": "pos",
+ "expanded": "Point of sale terminals",
+ "description": "The financial entity owns and/or operates point of sale terminals (POS)."
+ }
+ ]
}
],
- "version": 2,
+ "version": 3,
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"expanded": "Financial",
"namespace": "financial"
From f771941734727773327cb648f8d300c45cc01431 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Sep 2022 11:26:33 +0200
Subject: [PATCH 4/5] chg: [doc] index updated
---
MANIFEST.json | 2 +-
README.md | 64 +++++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 58 insertions(+), 8 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 66e46bf..b76f9a3 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -316,7 +316,7 @@
{
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"name": "financial",
- "version": 1
+ "version": 3
},
{
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
diff --git a/README.md b/README.md
index d48452d..f490975 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,11 @@ DFRLab Dichotomies of Disinformation. [Overview](https://www.misp-project.org/ta
[DML](https://github.com/MISP/misp-taxonomies/tree/main/DML) :
The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. [Overview](https://www.misp-project.org/taxonomies.html#_dml)
+### GrayZone
+
+[GrayZone](https://github.com/MISP/misp-taxonomies/tree/main/GrayZone) :
+Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling. [Overview](https://www.misp-project.org/taxonomies.html#_grayzone)
+
### PAP
[PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) :
@@ -72,6 +77,11 @@ A series of assessment predicates describing the analyst capabilities to perform
[approved-category-of-action](https://github.com/MISP/misp-taxonomies/tree/main/approved-category-of-action) :
A pre-approved category of action for indicators being shared with partners (MIMIC). [Overview](https://www.misp-project.org/taxonomies.html#_approved_category_of_action)
+### artificial-satellites
+
+[artificial-satellites](https://github.com/MISP/misp-taxonomies/tree/main/artificial-satellites) :
+This taxonomy was designed to describe artificial satellites [Overview](https://www.misp-project.org/taxonomies.html#_artificial_satellites)
+
### binary-class
[binary-class](https://github.com/MISP/misp-taxonomies/tree/main/binary-class) :
@@ -87,6 +97,11 @@ Internal taxonomy for CCCS. [Overview](https://www.misp-project.org/taxonomies.h
[circl](https://github.com/MISP/misp-taxonomies/tree/main/circl) :
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_circl)
+### cnsd
+
+[cnsd](https://github.com/MISP/misp-taxonomies/tree/main/cnsd) :
+La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú. [Overview](https://www.misp-project.org/taxonomies.html#_cnsd)
+
### coa
[coa](https://github.com/MISP/misp-taxonomies/tree/main/coa) :
@@ -182,11 +197,21 @@ Distributed Denial of Service - or short: DDoS - taxonomy supports the descripti
[de-vs](https://github.com/MISP/misp-taxonomies/tree/main/de-vs) :
German (DE) Government classification markings (VS). [Overview](https://www.misp-project.org/taxonomies.html#_de_vs)
+### death-possibilities
+
+[death-possibilities](https://github.com/MISP/misp-taxonomies/tree/main/death-possibilities) :
+Taxonomy of Death Possibilities [Overview](https://www.misp-project.org/taxonomies.html#_death_possibilities)
+
### deception
[deception](https://github.com/MISP/misp-taxonomies/tree/main/deception) :
Deception is an important component of information operations, valuable for both offense and defense. [Overview](https://www.misp-project.org/taxonomies.html#_deception)
+### dga
+
+[dga](https://github.com/MISP/misp-taxonomies/tree/main/dga) :
+A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others. [Overview](https://www.misp-project.org/taxonomies.html#_dga)
+
### dhs-ciip-sectors
[dhs-ciip-sectors](https://github.com/MISP/misp-taxonomies/tree/main/dhs-ciip-sectors) :
@@ -197,6 +222,11 @@ DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors [
[diamond-model](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model) :
The Diamond Model for Intrusion Analysis establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model)
+### diamond-model-for-influence-operations
+
+[diamond-model-for-influence-operations](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model-for-influence-operations) :
+The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model_for_influence_operations)
+
### dni-ism
[dni-ism](https://github.com/MISP/misp-taxonomies/tree/main/dni-ism) :
@@ -275,7 +305,7 @@ Exercise is a taxonomy to describe if the information is part of one or more cyb
### extended-event
[extended-event](https://github.com/MISP/misp-taxonomies/tree/main/extended-event) :
-Reasons why an event has been extended. [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
+Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
### failure-mode-in-machine-learning
@@ -292,6 +322,11 @@ This taxonomy aims to ballpark the expected amount of false positives. [Overview
[file-type](https://github.com/MISP/misp-taxonomies/tree/main/file-type) :
List of known file types. [Overview](https://www.misp-project.org/taxonomies.html#_file_type)
+### financial
+
+[financial](https://github.com/MISP/misp-taxonomies/tree/main/financial) :
+Financial taxonomy to describe financial services, infrastructure and financial scope. [Overview](https://www.misp-project.org/taxonomies.html#_financial)
+
### flesch-reading-ease
[flesch-reading-ease](https://github.com/MISP/misp-taxonomies/tree/main/flesch-reading-ease) :
@@ -497,6 +532,11 @@ NATO classification markings. [Overview](https://www.misp-project.org/taxonomies
[nis](https://github.com/MISP/misp-taxonomies/tree/main/nis) :
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 September 2017, also known as the blueprint. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis)
+### nis2
+
+[nis2](https://github.com/MISP/misp-taxonomies/tree/main/nis2) :
+The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis2)
+
### open_threat
[open_threat](https://github.com/MISP/misp-taxonomies/tree/main/open_threat) :
@@ -527,6 +567,11 @@ Penetration test (pentest) classification. [Overview](https://www.misp-project.o
[phishing](https://github.com/MISP/misp-taxonomies/tree/main/phishing) :
Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status. [Overview](https://www.misp-project.org/taxonomies.html#_phishing)
+### poison-taxonomy
+
+[poison-taxonomy](https://github.com/MISP/misp-taxonomies/tree/main/poison-taxonomy) :
+Non-exhaustive taxonomy of natural poison [Overview](https://www.misp-project.org/taxonomies.html#_poison_taxonomy)
+
### political-spectrum
[political-spectrum](https://github.com/MISP/misp-taxonomies/tree/main/political-spectrum) :
@@ -537,11 +582,21 @@ A political spectrum is a system to characterize and classify different politica
[priority-level](https://github.com/MISP/misp-taxonomies/tree/main/priority-level) :
After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System. [Overview](https://www.misp-project.org/taxonomies.html#_priority_level)
+### pyoti
+
+[pyoti](https://github.com/MISP/misp-taxonomies/tree/main/pyoti) :
+PyOTI automated enrichment schemes for point in time classification of indicators. [Overview](https://www.misp-project.org/taxonomies.html#_pyoti)
+
### ransomware
[ransomware](https://github.com/MISP/misp-taxonomies/tree/main/ransomware) :
Ransomware is used to define ransomware types and the elements that compose them. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware)
+### ransomware-roles
+
+[ransomware-roles](https://github.com/MISP/misp-taxonomies/tree/main/ransomware-roles) :
+The seven roles seen in most ransomware incidents. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware_roles)
+
### retention
[retention](https://github.com/MISP/misp-taxonomies/tree/main/retention) :
@@ -625,7 +680,7 @@ An overview of some of the known attacks related to DNS as described by Torabi,
### tlp
[tlp](https://github.com/MISP/misp-taxonomies/tree/main/tlp) :
-The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
+The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
### tor
@@ -672,11 +727,6 @@ Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de prob
[workflow](https://github.com/MISP/misp-taxonomies/tree/main/workflow) :
Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information. [Overview](https://www.misp-project.org/taxonomies.html#_workflow)
-### workflow
-
-[workflow](https://github.com/MISP/misp-taxonomies/tree/main/workflow) :
-Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information. [Overview](https://www.misp-project.org/taxonomies.html#_workflow)
-
# Reserved Taxonomy
The following taxonomy namespaces are reserved and used internally to MISP.
From 4d42d7d619a83f51a211d2f080fe2a77df20896b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Sep 2022 16:21:28 +0200
Subject: [PATCH 5/5] fix: [financial] typo fixed
---
financial/machinetag.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/financial/machinetag.json b/financial/machinetag.json
index 17a3168..6ff782f 100644
--- a/financial/machinetag.json
+++ b/financial/machinetag.json
@@ -27,7 +27,7 @@
"entry": [
{
"value": "banking",
- "expanded": "Bamking",
+ "expanded": "Banking",
"description": "Financial entity described or/and regulated as banking."
},
{
@@ -101,7 +101,7 @@
"description": "Corporate structure is located in the European Union."
},
{
- "value": "corporate-structure-worlwide",
+ "value": "corporate-structure-worldwide",
"expanded": "Corporate structure is worldwide",
"description": "Corporate structure is located worldwide."
}
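Review bot: Changing `"value": "corporate-structure-worlwide"` to `"corporate-structure-worldwide"` alters the machine tag string itself, unlike the other three fixes in this patch, which touch only display text, so anything already tagged `financial:geographical-footprint="corporate-structure-worlwide"` no longer resolves to a taxonomy entry. Since the taxonomy was introduced earlier in this same series the practical impact is presumably small, but the commit message should name the renamed value rather than file it under "typo fixed".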
@@ -123,7 +123,7 @@
{
"value": "crucial",
"expanded": "Crucial",
- "description": "Online presence of the financial entity is crucial and only includes online serices without physical presence."
+ "description": "Online presence of the financial entity is crucial and only includes online services without physical presence."
}
]
},
@@ -143,7 +143,7 @@
]
}
],
- "version": 3,
+ "version": 4,
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"expanded": "Financial",
"namespace": "financial"
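Review bot: The taxonomy version moves to 4 here, but MANIFEST.json, which patch 4 left at `"version": 3` for the financial entry, is not touched by this patch (its diffstat lists only financial/machinetag.json), so the index and the taxonomy file now disagree. The manifest entry should be bumped in the same commit, `"version": 4`, as the first patch in the series did when it added the entry.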