MISP
/
misp-taxonomies
mirror of https://github.com/MISP/misp-taxonomies
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of github.com:MISP/misp-taxonomies

pull/125/head
Alexandre Dulaunoy 2018-10-25 06:57:51 +02:00
parent aaeac92c5f ecb29af298
commit b487ead425
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
6 changed files with 1095 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
MANIFEST.json
View File

@ -5,6 +5,11 @@
"name": "accessnow",
"description": "Access Now"
},
{
"version": 1,
"name": "access-method",
"description": "The access method used to remotely access a system."
},
{
"version": 1,
"name": "action-taken",
@ -30,11 +35,21 @@
"name": "analyst-assessment",
"description": ""
},
{
"version": 1,
"name": "approved-category-of-action",
"description": "A pre-approved category of action for indicators being shared with partners (MIMIC)."
},
{
"version": 1,
"name": "binary-class",
"description": ""
},
{
"version": 1,
"name": "cccs",
"description": "Internal taxonomy for CCCS."
},
{
"version": 1,
"name": "CERT-XLM",
@ -150,6 +165,11 @@
"name": "information-security-indicators",
"description": "Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework). ETSI GS ISI 001-1 (V1.1.2): ISI Indicators"
},
{
"version": 1,
"name": "interception-method",
"description": "The interception method used to intercept traffic."
},
{
"version": 1,
"name": "kill-chain",

48
access-method/machinetag.json Normal file
View File

@ -0,0 +1,48 @@
{
"namespace": "access-method",
"description": "The access method used to remotely access a system.",
"version": 1,
"expanded": "Access method",
"predicates": [
{
"value": "brute-force",
"expanded": "Brute force",
"description": "Access was gained through systematic trial of credentials in bulk."
},
{
"value": "password-guessing",
"expanded": "Password guessing",
"description": "Access was gained through guessing passwords through trial and error."
},
{
"value": "remote-desktop-application",
"expanded": "Remote desktop application",
"description": "Access was gained through an application designed for remote access."
},
{
"value": "stolen-credentials",
"expanded": "Stolen credentials",
"description": "Access was gained with stolen credentials."
},
{
"value": "pass-the-hash",
"expanded": "Pass the hash",
"description": "Access was gained through use of an existing known hash."
},
{
"value": "default-credentials",
"expanded": "Default credentials",
"description": "Access was gained through use of the system's default credentials."
},
{
"value": "shell",
"expanded": "Shell",
"description": "Access was gained through the use of a shell."
},
{
"value": "other",
"expanded": "Other",
"description": "Access was gained through another method."
}
]
}

38
approved-category-of-action/machinetag.json Normal file
View File

@ -0,0 +1,38 @@
{
"namespace": "approved-category-of-action",
"description": "A pre-approved category of action for indicators being shared with partners (MIMIC).",
"version": 1,
"expanded": "Approved category of action",
"predicates": [
{
"value": "cat1",
"expanded": "Cat1",
"description": "Minimal Exposure - Passive Collection: CAT 1 actions provide the least exposure of an indicator, either through adversary observation or disclosure. Usage of the indicator is restricted to passive monitoring on Government or Cleared Partner networks, or through a classified passive capability or Operation. CAT 1 actions do not interact with or affect malicious network traffic."
},
{
"value": "cat2",
"expanded": "Cat2",
"description": "Moderate Exposure - Government or Cleared Partner Internal Active Collection: CAT 2 actions expose the usage of an indicator through non-disruptive collection techniques which require interactions with an adversary, within Government or Cleared Partner networks. While it is not the intent to disrupt the adversary it is possible that an adversary may discover they are subject to such techniques."
},
{
"value": "cat3",
"expanded": "Cat3",
"description": "Moderate Exposure - Government or Cleared Partner Internal Countermeasures: CAT 3 actions expose the usage of an indicator through inward-facing countermeasures. Malicious network traffic is affected in some manner, however the results are not directly observable to the adversary or external parties and is, therefore, more difficult to attribute as a deliberate action. Usage of the indicator is restricted to Government and Cleared Partner networks, or a classified capability or Operation. This implies a lower likelihood for non-approved disclosures."
},
{
"value": "cat4",
"expanded": "Cat4",
"description": "Moderate Exposure - Government Actions on External Networks: CAT 4 actions expose the usage of an indicator through actions which occur on internet accessible networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary and other, public parties and it is possible they may be attributed as Government sanctioned actions."
},
{
"value": "cat5",
"expanded": "Cat5",
"description": "High Exposure - Public Actions Which Enable Internal Countermeasures: CAT 5 actions expose the usage of an indicator through the public release of information which enables internal actions on networks not owned and controlled by the Government (i.e. industry, commercial or foreign governments). These actions are official public releases and are attributable as Government sanctioned actions."
},
{
"value": "cat6",
"expanded": "Cat6",
"description": "High Exposure - Actions on Adversary Infrastructure: CAT 6 actions expose the usage of an indicator through actions which occur on adversary owned networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary, and possibly other public parties, and it is possible they may deduce this as FVEY action."
}
]
}

805
cccs/machinetag.json Normal file
View File

@ -0,0 +1,805 @@
{
"namespace": "cccs",
"description": "Internal taxonomy for CCCS.",
"version": 2,
"expanded": "CCCS",
"predicates": [
{
"value": "event",
"expanded": "Event type",
"description": "Type of event associated to the internal reference"
},
{
"value": "disclosure-type",
"expanded": "Disclosure type",
"description": "Type of information being disclosed."
},
{
"value": "domain-category",
"expanded": "Domain category",
"description": "The Domain Category."
},
{
"value": "email-type",
"expanded": "Email type",
"description": "Type of email event."
},
{
"value": "exploitation-technique",
"expanded": "Exploitation technique",
"description": "The technique used to remotely exploit a GoC system."
},
{
"value": "ip-category",
"expanded": "Ip category",
"description": "The IP Category."
},
{
"value": "maliciousness",
"expanded": "Maliciousness",
"description": "Level of maliciousness."
},
{
"value": "malware-category",
"expanded": "Malware category",
"description": "The Malware Category."
},
{
"value": "misusage-type",
"expanded": "Misusage type",
"description": "The type of misusage."
},
{
"value": "mitigation-type",
"expanded": "Mitigation type",
"description": "The type of mitigation."
},
{
"value": "origin",
"expanded": "Origin",
"description": "Where the request originated from."
},
{
"value": "originating-organization",
"expanded": "Originating organization",
"description": "Origin of a signature."
},
{
"value": "scan-type",
"expanded": "Scan type",
"description": "The type of scan event."
},
{
"value": "severity",
"expanded": "Severity",
"description": "Severity of the event."
},
{
"value": "threat-vector",
"expanded": "Threat vector",
"description": "Specifies how the threat actor gained or attempted to gain initial access to the target GoC host."
}
],
"values": [
{
"predicate": "event",
"entry": [
{
"value": "beacon",
"expanded": "Beacon",
"description": "A host infected with malware is connecting to threat actor owned infrastructure."
},
{
"value": "browser-based-exploitation",
"expanded": "Browser based exploitation",
"description": "A browser component is being exploited in order to infect a host."
},
{
"value": "dos",
"expanded": "Dos",
"description": "An attack in which the goal is to disrupt access to a host or resource."
},
{
"value": "email",
"expanded": "Email",
"description": "Malicious emails sent to a department (baiting, content delivery, phishing)."
},
{
"value": "exfiltration",
"expanded": "Exfiltration",
"description": "Unauthorized transfer of data from a target's network to a location a threat actor controls."
},
{
"value": "generic-event",
"expanded": "Generic event",
"description": "Represents a collection of virtually identical events within a range of time."
},
{
"value": "improper-usage",
"expanded": "Improper usage",
"description": "Technology used in a way that compromises security or violates policy."
},
{
"value": "malware-artifacts",
"expanded": "Malware artifacts",
"description": "Signs of the presence of malware observed on a host."
},
{
"value": "malware-download",
"expanded": "Malware download",
"description": "Malware was transferred (downloaded/uploaded) to a host."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Information or credentials disclosed to a threat actor."
},
{
"value": "remote-access",
"expanded": "Remote access",
"description": "A threat actor is attempting to or succeeding in remotely logging in to a host."
},
{
"value": "remote-exploitation",
"expanded": "Remote exploitation",
"description": "A threat actor is attempting to exploit vulnerabilities remotely."
},
{
"value": "scan",
"expanded": "Scan",
"description": "A threat actor is scanning the network."
},
{
"value": "scraping",
"expanded": "Scraping",
"description": "Represents a collection of virtually identical scraping events within a range of time."
},
{
"value": "traffic-interception",
"expanded": "Traffic interception",
"description": "Represents a collection of virtually identical traffic interception events within a range of time."
}
]
},
{
"predicate": "disclosure-type",
"entry": [
{
"value": "goc-credential-disclosure",
"expanded": "Goc credential disclosure",
"description": "Credentials for a GoC system or user were disclosed."
},
{
"value": "personal-credential-disclosure",
"expanded": "Personal credential disclosure",
"description": "Credentials not related to a GoC system or user were disclosed."
},
{
"value": "personal-information-disclosure",
"expanded": "Personal information disclosure",
"description": "Information about a person or persons was disclosed."
},
{
"value": "none",
"expanded": "None",
"description": "No information was disclosed."
},
{
"value": "other",
"expanded": "Other",
"description": "Information other than credentials and personal information was disclosed."
}
]
},
{
"predicate": "domain-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "Domain is being used as command-and-control infrastructure."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Domain is being used as a proxy."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "Domain has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "Domain is being used a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "Domain is hosted on cloud infrastructure."
},
{
"value": "name-server",
"expanded": "Name server",
"description": "Domain is a name server."
},
{
"value": "sinkholed",
"expanded": "Sinkholed",
"description": "Domain is being re-directed to a sinkhole."
}
]
},
{
"predicate": "email-type",
"entry": [
{
"value": "spam",
"expanded": "Spam",
"description": "Unsolicited or junk email named after a Monty Python sketch."
},
{
"value": "content\\-delivery\\-attack",
"expanded": "Content\\-delivery\\-attack",
"description": "Email contained malicious content or attachments."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "baiting",
"expanded": "Baiting",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Type of email was unknown."
}
]
},
{
"predicate": "exploitation-technique",
"entry": [
{
"value": "sql-injection",
"expanded": "Sql injection",
"description": "Exploitation occurred due to malicious SQL queries being executed against a database."
},
{
"value": "directory-traversal",
"expanded": "Directory traversal",
"description": "Exploitation occurred through a directory traversal attack allowing access to a restricted directory."
},
{
"value": "remote-file-inclusion",
"expanded": "Remote file inclusion",
"description": "Exploitation occurred due to vulnerabilities allowing malicious files to be sent."
},
{
"value": "code-injection",
"expanded": "Code injection",
"description": "Exploitation occurred due to malicious code being injected."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "ip-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "IP address is a command-and-control server."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "IP address is a proxy server."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "IP address has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "IP address is a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "IP address is part of cloud infrastructure."
},
{
"value": "network-gateway",
"expanded": "Network gateway",
"description": "IP address is a network gateway."
},
{
"value": "server",
"expanded": "Server",
"description": "IP address is a server of some type."
},
{
"value": "dns-server",
"expanded": "Dns server",
"description": "IP address is a DNS server."
},
{
"value": "smtp-server",
"expanded": "Smtp server",
"description": "IP address is a mail server."
},
{
"value": "web-server",
"expanded": "Web server",
"description": "IP address is a web server."
},
{
"value": "file-server",
"expanded": "File server",
"description": "IP address is a file server."
},
{
"value": "database-server",
"expanded": "Database server",
"description": "IP address is a database server."
},
{
"value": "security-appliance",
"expanded": "Security appliance",
"description": "IP address is a security appliance of some type."
},
{
"value": "tor-node",
"expanded": "Tor node",
"description": "IP address is a node of the TOR anonymization system."
},
{
"value": "sinkhole",
"expanded": "Sinkhole",
"description": "IP address is a sinkhole."
},
{
"value": "router",
"expanded": "Router",
"description": "IP address is a router device."
}
]
},
{
"predicate": "maliciousness",
"entry": [
{
"value": "non-malicious",
"expanded": "Non-malicious",
"description": "Non-malicious is not malicious or suspicious."
},
{
"value": "suspicious",
"expanded": "Suspicious",
"description": "Suspicious is not non-malicious and not malicious."
},
{
"value": "malicious",
"expanded": "Malicious",
"description": "Malicious is not non-malicious or suspicious."
}
]
},
{
"predicate": "malware-category",
"entry": [
{
"value": "exploit-kit",
"expanded": "Exploit kit",
"description": "Toolkit used to attack vulnerabilities in systems."
},
{
"value": "first-stage",
"expanded": "First stage",
"description": "Malware used in the initial phase of an attack and commonly used to retrieve a second stage."
},
{
"value": "second-stage",
"expanded": "Second stage",
"description": "Typical more complex malware retrieved by first stage malware."
},
{
"value": "scanner",
"expanded": "Scanner",
"description": "Malware used to look for common vulnerabilities or running software."
},
{
"value": "downloader",
"expanded": "Downloader",
"description": "Malware used to retrieve additional malware or tools."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Malware used to proxy traffic on an infected host."
},
{
"value": "reverse-proxy",
"expanded": "Reverse proxy",
"description": "If you choose this option please provide a description of what it is to the ALFRED PO."
},
{
"value": "webshell",
"expanded": "Webshell",
"description": "Malware uploaded to a web server allowing remote access to an attacker."
},
{
"value": "ransomware",
"expanded": "Ransomware",
"description": "Malware used to hold infected host's data hostage, typically through encryption until a payment is made to the attackers."
},
{
"value": "adware",
"expanded": "Adware",
"description": "Malware used to display ads to the infected host."
},
{
"value": "spyware",
"expanded": "Spyware",
"description": "Malware used to collect information from the infected host, such as credentials."
},
{
"value": "virus",
"expanded": "Virus",
"description": "Malware that propogates by inserting a copy of itself into another program."
},
{
"value": "worm",
"expanded": "Worm",
"description": "Standalone malware that propogates by copying itself.."
},
{
"value": "trojan",
"expanded": "Trojan",
"description": "Malware that looks like legitimate software but hides malicious code."
},
{
"value": "rootkit",
"expanded": "Rootkit",
"description": "Malware that can hide the existance of other malware by modifying operating system functions."
},
{
"value": "keylogger",
"expanded": "Keylogger",
"description": "Malware that runs in the background, capturing keystrokes from a user unknowingly for exfiltration."
},
{
"value": "browser-hijacker",
"expanded": "Browser hijacker",
"description": "Malware that re-directs or otherwise intercepts Internet browsing by the user."
}
]
},
{
"predicate": "misusage-type",
"entry": [
{
"value": "unauthorized-usage",
"expanded": "Unauthorized usage",
"description": "Usage of the system or resource was without appropriate permission or authorization."
},
{
"value": "misconfiguration",
"expanded": "Misconfiguration",
"description": "System or resource is misconfigured."
},
{
"value": "lack-of-encryption",
"expanded": "Lack of encryption",
"description": "System or resources has insufficient encryption or no encryption."
},
{
"value": "vulnerable-software",
"expanded": "Vulnerable software",
"description": "System or resource has software with known vulnerabilities."
},
{
"value": "privilege-escalation",
"expanded": "Privilege escalation",
"description": "System or resource was exploited to gain higher privilege level."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "mitigation-type",
"entry": [
{
"value": "anti-virus",
"expanded": "Anti-virus",
"description": "Anti-Virus"
},
{
"value": "content-filtering-system",
"expanded": "Content filtering system",
"description": "Content Filtering System"
},
{
"value": "dynamic-defense",
"expanded": "Dynamic defense",
"description": "Dynamic Defense"
},
{
"value": "insufficient-privileges",
"expanded": "Insufficient privileges",
"description": "Insufficient Privileges"
},
{
"value": "ids",
"expanded": "Ids",
"description": "Intrusion Detection System"
},
{
"value": "sink-hole-/-take-down-by-third-party",
"expanded": "Sink hole / take down by third party",
"description": "Sink Hole / Take Down by Third Party"
},
{
"value": "isp",
"expanded": "Isp",
"description": "Internet Service Provider"
},
{
"value": "invalid-credentials",
"expanded": "Invalid credentials",
"description": "Invalid Credentials"
},
{
"value": "not-vulnerable",
"expanded": "Not vulnerable",
"description": "No mitigation was required because the system was not vulnerable to the attack."
},
{
"value": "other",
"expanded": "Other",
"description": "Other"
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Unknown"
},
{
"value": "user",
"expanded": "User",
"description": "User"
}
]
},
{
"predicate": "origin",
"entry": [
{
"value": "subscriber",
"expanded": "Subscriber",
"description": "Subscriber."
},
{
"value": "internet",
"expanded": "Internet",
"description": "Internet."
}
]
},
{
"predicate": "originating-organization",
"entry": [
{
"value": "cse",
"expanded": "Cse",
"description": "Communications Security Establishment."
},
{
"value": "nsa",
"expanded": "Nsa",
"description": "National Security Agency."
},
{
"value": "gchq",
"expanded": "Gchq",
"description": "Government Communications Headquarters."
},
{
"value": "asd",
"expanded": "Asd",
"description": "Australian Signals Directorate."
},
{
"value": "gcsb",
"expanded": "Gcsb",
"description": "Government Communications Security Bureau."
},
{
"value": "open-source",
"expanded": "Open source",
"description": "Originated from publically available information."
},
{
"value": "3rd-party",
"expanded": "3rd party",
"description": "Originated from a 3rd party organization."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "scan-type",
"entry": [
{
"value": "open-port",
"expanded": "Open port",
"description": "Scan was looking for open ports corresponding to common applications or protocols."
},
{
"value": "icmp",
"expanded": "Icmp",
"description": "Scan was attempting to enumerate devices through the ICMP protocol."
},
{
"value": "os-fingerprinting",
"expanded": "Os fingerprinting",
"description": "Scan was looking for operating system information through unique characteristics in responses."
},
{
"value": "web",
"expanded": "Web",
"description": "Scan was enumerating or otherwise traversing web hosts."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "severity",
"entry": [
{
"value": "reconnaissance",
"expanded": "Reconnaissance",
"description": "An actor attempted or succeeded in gaining information that may be used to identify and/or compromise systems or data."
},
{
"value": "attempted-compromise",
"expanded": "Attempted compromise",
"description": "An actor attempted affecting the confidentiality, integrity or availability of a system."
},
{
"value": "exploited",
"expanded": "Exploited",
"description": "A vulnerability was successfully exploited."
}
]
},
{
"predicate": "threat-vector",
"entry": [
{
"value": "application:cms",
"expanded": "Application:cms",
"description": "Content Management System."
},
{
"value": "application:bash",
"expanded": "Application:bash",
"description": "BASH script."
},
{
"value": "application:acrobat-reader",
"expanded": "Application:acrobat reader",
"description": "Adobe Acrobat Reader."
},
{
"value": "application:ms-excel",
"expanded": "Application:ms excel",
"description": "Microsoft Excel."
},
{
"value": "application:other",
"expanded": "Application:other",
"description": "Other Application."
},
{
"value": "language:sql",
"expanded": "Language:sql",
"description": "Structured Query Language."
},
{
"value": "language:php",
"expanded": "Language:php",
"description": "PHP: Hypertext Preprocessor."
},
{
"value": "language:javascript",
"expanded": "Language:javascript",
"description": "JavaScript."
},
{
"value": "language:other",
"expanded": "Language:other",
"description": "Other Language."
},
{
"value": "protocol:dns",
"expanded": "Protocol:dns",
"description": "Domain Name System."
},
{
"value": "protocol:ftp",
"expanded": "Protocol:ftp",
"description": "File Transfer Protocol."
},
{
"value": "protocol:http",
"expanded": "Protocol:http",
"description": "Hyper Text Transfer Protocol."
},
{
"value": "protocol:icmp",
"expanded": "Protocol:icmp",
"description": "Internet Control Message Protocol."
},
{
"value": "protocol:ntp",
"expanded": "Protocol:ntp",
"description": "Network Time Protocol."
},
{
"value": "protocol:rdp",
"expanded": "Protocol:rdp",
"description": "Remote Desktop Protocol."
},
{
"value": "protocol:smb",
"expanded": "Protocol:smb",
"description": "Server Message Block."
},
{
"value": "protocol:snmp",
"expanded": "Protocol:snmp",
"description": "Simple Network Management Protocol."
},
{
"value": "protocol:ssl",
"expanded": "Protocol:ssl",
"description": "Secure Sockets Layer."
},
{
"value": "protocol:telnet",
"expanded": "Protocol:telnet",
"description": "Network Virtual Terminal Protocol."
},
{
"value": "protocol:sip",
"expanded": "Protocol:sip",
"description": "Session Initiation Protocol."
}
]
}
]
}

43
interception-method/machinetag.json Normal file
View File

@ -0,0 +1,43 @@
{
"namespace": "interception-method",
"description": "The interception method used to intercept traffic.",
"version": 1,
"expanded": "Interception method",
"predicates": [
{
"value": "man-in-the-middle",
"expanded": "Man-in-the-middle",
"description": "Interception where an attacker secretly relayed and possibly altered the communication between two parties."
},
{
"value": "man-on-the-side",
"expanded": "Man-on-the-side",
"description": "Interception where an attacker could read and send messages between two parties but not alter messages."
},
{
"value": "passive",
"expanded": "Passive",
"description": "Interception where an attacker could read messages between two parties."
},
{
"value": "search-result-poisoning",
"expanded": "Search result poisoning",
"description": "Interception where an attacker creates malicious websites intended to show up in search engine queries."
},
{
"value": "dns",
"expanded": "Dns",
"description": "Interception where domain name resolution is altered to re-direct traffic to a malicious IP address."
},
{
"value": "host-file",
"expanded": "Host file",
"description": "Interception where the HOSTS file is modified to re-direct traffic to a malicious IP address."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
}

141
tools/alfred_taxonomies.py Normal file
View File

@ -0,0 +1,141 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pathlib import Path
import json
from pytaxonomies import Taxonomy, Predicate, Entry
'''
Taxonomies mapping:
* disclosure-type, origin, originating-organization, exploitation-technique => part of cccs
* dos-type ~~ ddos
* report-state ~~ workflow
* malware-category ~~ malware_classification - NOPE: malware_classification has a static source @ SANS
* access-method - ack
* approved-category-of-action - ack
* cccs - ack
* interception method -> ack
* domain-category & ip-category - maybe?
* email-type - malicious email types - maybe?
* maliciousness -> maybe?
* malware-category -> yes?
* scan type: maybe?
* severity: atta&ck?
* misusage-type -> attack?
* mitigation type -> attack?
* threat-vector: languages/applications/protocols -> split
* ftp-type - request / response => object
* record type: (query/response) => part of object
* host category -> server/workstation -> part of object : network device
* method match -> HTTP request type ?!
'''
root_dir_taxonomies = Path('..')
ontology_path = Path('alfred-ontology.json')
with open(ontology_path) as f:
ontology = json.load(f)['data']
# CCCS Taxonomy
cccs = Taxonomy()
cccs.name = "cccs"
cccs.description = "Internal taxonomy for CCCS."
cccs.version = 1
cccs.expanded = "CCCS"
cccs.predicates = {}
# Tags for internal reference
predicate = Predicate()
predicate.predicate = 'event'
predicate.expanded = 'Event type'
predicate.description = 'Type of event associated to the internal reference'
predicate.entries = {}
for datatype in ontology['dataTypes']:
if 'superType' not in datatype or datatype['superType'] != 'EVENT':
continue
entry = Entry()
entry.value = datatype['name'].lower().replace('_', '-')
entry.expanded = datatype['name'].lower().replace('_', ' ').capitalize()
entry.description = datatype['description'].replace(' The value is the event ID.', '')
predicate.entries[entry.value] = entry
cccs.predicates[predicate.predicate] = predicate
predicate_of_cccs = ['disclosure-type', 'origin', 'originating-organization',
'exploitation-technique', 'domain-category', 'email-type',
'ip-category', 'maliciousness', 'malware-category', 'misusage-type',
'mitigation-type', 'scan-type', 'severity', 'threat-vector']
skip_for_now = []
ignore = ['dos-type', 'report-state', 'ftp-type', 'record-type', 'host-category',
'method-match']
for propertytype in ontology['propertyTypes']:
if 'accepts' in propertytype and propertytype['accepts']['name'] != 'list':
continue
misp_name = propertytype['name'].lower().replace('_', '-').replace(' ', '-')
if misp_name in ignore or misp_name in skip_for_now:
continue
if misp_name not in predicate_of_cccs:
new_taxonomy = Taxonomy()
new_taxonomy.name = misp_name
new_taxonomy.description = propertytype['description']
new_taxonomy.version = 1
new_taxonomy.expanded = propertytype['name'].lower().replace('_', ' ').capitalize()
new_taxonomy.predicates = {}
for value in propertytype['accepts']['values']:
predicate = Predicate()
predicate.predicate = value['name'].lower().replace('_', '-').replace(' ', '-')
predicate.expanded = value['name'].lower().replace('_', ' ').capitalize()
predicate.description = value['description']
new_taxonomy.predicates[predicate.predicate] = predicate
else:
predicate = Predicate()
predicate.predicate = misp_name
predicate.expanded = propertytype['name'].lower().replace('_', ' ').capitalize()
predicate.description = propertytype['description']
predicate.entries = {}
for value in propertytype['accepts']['values']:
entry = Entry()
entry.value = value['name'].lower().replace('_', '-').replace(' ', '-')
entry.expanded = value['name'].lower().replace('_', ' ').capitalize()
entry.description = value['description']
predicate.entries[entry.value] = entry
cccs.predicates[predicate.predicate] = predicate
if not (root_dir_taxonomies / new_taxonomy.name).exists():
(root_dir_taxonomies / new_taxonomy.name).mkdir()
if (root_dir_taxonomies / new_taxonomy.name / 'machinetag.json').exists():
with open(root_dir_taxonomies / new_taxonomy.name / 'machinetag.json') as f:
existing_taxonomy = json.load(f)
if existing_taxonomy == new_taxonomy.to_dict():
continue
new_taxonomy.version = existing_taxonomy['version'] + 1
with open(root_dir_taxonomies / new_taxonomy.name / 'machinetag.json', 'w') as f:
json.dump(new_taxonomy.to_dict(), f, indent=2)
# Dump generic CCCS taxonomy
if not (root_dir_taxonomies / cccs.name).exists():
(root_dir_taxonomies / cccs.name).mkdir()
if (root_dir_taxonomies / cccs.name / 'machinetag.json').exists():
with open(root_dir_taxonomies / cccs.name / 'machinetag.json') as f:
existing_taxonomy = json.load(f)
if existing_taxonomy != cccs.to_dict():
cccs.version = existing_taxonomy['version'] + 1
with open(root_dir_taxonomies / cccs.name / 'machinetag.json', 'w') as f:
json.dump(cccs.to_dict(), f, indent=2)