MISP
/
misp-taxonomies
mirror of https://github.com/MISP/misp-taxonomies
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [clean-up] some clean-up, typo and JSON forms. 

Open question: what's the original reference of the document?

Is it this one
https://cynergia.mx/wp-content/uploads/2016/12/CCHS-ActiveDefenseReportFINAL.pdf
? Some elements are missing in the taxonomy.
th3r3d-patch-1
Alexandre Dulaunoy 2022-04-29 08:28:28 +02:00
parent 92d4d18c15
commit b62e125310
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 81 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
GrayZone/machinetag.json
View File

@ -2,7 +2,6 @@
"namespace": "GrayZone", "namespace": "GrayZone",
"description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.", "description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
"version": 2, "version": 2,
"predicates": [ "predicates": [
{ {
"value": "Adversary Emulation", "value": "Adversary Emulation",
@ -49,33 +48,36 @@
"expanded": "" "expanded": ""
} }
], ],
"values": [{ "values": [
{
"predicate": "Adversary Emulation", "predicate": "Adversary Emulation",
"entry": [{ "entry": [
{
"value": "Threat Modeling", "value": "Threat Modeling",
"expanded": "Arch threat modeling", "expanded": "Arch threat modeling",
"description": "Modeling threat in services or/and in applications" "description": "Modeling threat in services or/and in applications"
}, },
{ {
"value": "Purple Teaming", "value": "Purple Teaming",
"expanded": "Purple team colaboration", "expanded": "Purple team collaboration",
"description": "Colaboration between red and blue team" "description": "Collaboration between red and blue team"
}, },
{ {
"value": "Blue Team", "value": "Blue Team",
"expanded": "Blue Team activities", "expanded": "Blue Team activities",
"description": "Defenders team actins, TTPs etc." "description": "Defenders team actions, TTPs etc."
}, },
{ {
"value": "Red Team", "value": "Red Team",
"expanded": "Red Team activities", "expanded": "Red Team activities",
"description": "Actionns, TTPs etc.of Red Team" "description": "Actions, TTPs etc.of Red Team"
} }
] ]
}, },
{ {
"predicate": "Beacons", "predicate": "Beacons",
"entry": [{ "entry": [
{
"value": "Inform", "value": "Inform",
"expanded": "Information from beacon", "expanded": "Information from beacon",
"description": "Provide defender with informations about beacon user, intentional or not" "description": "Provide defender with informations about beacon user, intentional or not"
@ -89,7 +91,8 @@
}, },
{ {
"predicate": "Deterrence", "predicate": "Deterrence",
"entry": [{ "entry": [
{
"value": "by Retaliation", "value": "by Retaliation",
"expanded": "Retaliation risk", "expanded": "Retaliation risk",
"description": "Adversary is threatened by retaliation if it will continue in actions" "description": "Adversary is threatened by retaliation if it will continue in actions"
@ -97,7 +100,7 @@
{ {
"value": "by Denial", "value": "by Denial",
"expanded": "Risk of Denial", "expanded": "Risk of Denial",
"description": "Deny action ever happened - example: if the atribution is important for adversary" "description": "Deny action ever happened - example: if the attribution is important for adversary"
}, },
{ {
"value": "by Entanglement", "value": "by Entanglement",
@ -108,34 +111,36 @@
}, },
{ {
"predicate": "Deception", "predicate": "Deception",
"entry": [{ "entry": [
{
"value": "Deception", "value": "Deception",
"expanded": "Deceptive actions", "expanded": "Deceptive actions",
"description": "Confuse adversary by deception, can be either whole campaign or just simple word in internal manuals" "description": "Confuse adversary by deception, can be either whole campaign or just simple word in internal manuals"
}, },
{ {
"value": "Denial", "value": "Denial",
"expanded": "Supress anything", "expanded": "Suppress anything",
"description": "You can deny any part of infrastructure or whole including servers, personal computers, users, machine accounts etc." "description": "You can deny any part of infrastructure or whole including servers, personal computers, users, machine accounts etc."
}, },
{ {
"value": "CounterDeception", "value": "CounterDeception",
"expanded": "Answer to deception", "expanded": "Answer to deception",
"description": "Answer to deception from adversary is counterdeception, for example: answer to phish with shadow user account to uncover next adversary actions" "description": "Answer to deception from adversary is counter-deception, for example: answer to phish with shadow user account to uncover next adversary actions"
}, },
{ {
"value": "Counter-Deception", "value": "Counter-Deception",
"expanded": "Active counterdeception", "expanded": "Active counterdeception",
"description": "Answer to adversary ddeception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)" "description": "Answer to adversary deception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)"
} }
] ]
}, },
{ {
"predicate": "Tarpits, Sandboxes and Honeypots", "predicate": "Tarpits, Sandboxes and Honeypots",
"entry": [{ "entry": [
{
"value": "Honeypots", "value": "Honeypots",
"expanded": "Honeypots", "expanded": "Honeypots",
"description": "Emulating technical resources as services or whole meachines or identities" "description": "Emulating technical resources as services or whole machines or identities"
}, },
{ {
"value": "Sandboxes", "value": "Sandboxes",
@ -151,15 +156,16 @@
}, },
{ {
"predicate": "Threat Intelligence", "predicate": "Threat Intelligence",
"entry": [{ "entry": [
{
"value": "Passive - OSINT", "value": "Passive - OSINT",
"expanded": "OpenSourceINTelligence", "expanded": "OpenSourceINTelligence",
"description": "Use of OSINT for creating of Threat Intelligence" "description": "Use of OSINT for creating of Threat Intelligence"
}, },
{ {
"value": "Pasive - platforms", "value": "Passive - platforms",
"expanded": "Platforms for TI", "expanded": "Platforms for TI",
"description": "Save, share and colaborate on threat inelligence platforms" "description": "Save, share and collaborate on threat intelligence platforms"
}, },
{ {
"value": "Counter-Intelligence public", "value": "Counter-Intelligence public",
@ -175,54 +181,63 @@
}, },
{ {
"predicate": "Threat Hunting", "predicate": "Threat Hunting",
"entry": [{ "entry": [
{
"value": "Threat Hunting", "value": "Threat Hunting",
"expanded": "Threat Hunting", "expanded": "Threat Hunting",
"description": "Threat Hunting is actovoty of active search for possible signs of adversary in environment" "description": "Threat Hunting is the activity of active search for possible signs of adversary in environment"
}] }
]
}, },
{ {
"predicate": "Adversary Takedowns", "predicate": "Adversary Takedowns",
"entry": [{ "entry": [
{
"value": "Botnet Takedowns", "value": "Botnet Takedowns",
"expanded": "Botnet Takedowns", "expanded": "Botnet Takedowns",
"description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them" "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
}, },
{ {
"value": "Domain Takedowns", "value": "Domain Takedowns",
"expanded": "Domain Takedowns", "expanded": "Domain Takedowns",
"description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them" "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
}, },
{ {
"value": "Infrastructure Takedowns", "value": "Infrastructure Takedowns",
"expanded": "Whole environment takedowns", "expanded": "Whole environment takedowns",
"description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them" "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
} }
] ]
}, },
{ {
"predicate": "Ransomware", "predicate": "Ransomware",
"entry": [{ "entry": [
{
"value": "Ransomware", "value": "Ransomware",
"expanded": "Ransmware by defenders", "expanded": "Ransomware by defenders",
"description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them" "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
}] }
]
}, },
{ {
"predicate": "Rescue Missions", "predicate": "Rescue Missions",
"entry": [{ "entry": [
{
"value": "Rescue Missions", "value": "Rescue Missions",
"expanded": "Rescue Missions", "expanded": "Rescue Missions",
"description": "Activity with approval of legal gevernmental entities ie. courts to stop unwanted actions or prevent them" "description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
}] }
]
}, },
{ {
"predicate": "Sanctions, Indictments & Trade Remedies", "predicate": "Sanctions, Indictments & Trade Remedies",
"entry": [{ "entry": [
{
"value": "Sanctions, Indictments & Trade Remedies", "value": "Sanctions, Indictments & Trade Remedies",
"expanded": "Business and diplomatic actions and counteractions", "expanded": "Business and diplomatic actions and counteractions",
"description": "Activity with approval of legal gevernmental entities ie. courts, states, governments to stop unwanted actions or prevent them" "description": "Activity with approval of legal governmental entities ie. courts, states, governments to stop unwanted actions or prevent them"
}] }
]
} }
] ]
} }