new: CCCS taxonomies, first batch

pull/124/head
Raphaël Vinot 2018-10-24 15:30:30 -04:00
parent 141bc6602b
commit c63bc2e687
6 changed files with 521 additions and 0 deletions


@ -5,6 +5,11 @@
"name": "accessnow",
"description": "Access Now"
},
{
"version": 1,
"name": "access-method",
"description": "The access method used to remotely access a system."
},
{
"version": 1,
"name": "action-taken",
@ -30,11 +35,21 @@
"name": "analyst-assessment",
"description": ""
},
{
"version": 1,
"name": "approved-category-of-action",
"description": "A pre-approved category of action for indicators being shared with partners (MIMIC)."
},
{
"version": 1,
"name": "binary-class",
"description": ""
},
{
"version": 1,
"name": "cccs",
"description": "Internal taxonomy for CCCS."
},
{
"version": 1,
"name": "CERT-XLM",
@ -150,6 +165,11 @@
"name": "information-security-indicators",
"description": "Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework). ETSI GS ISI 001-1 (V1.1.2): ISI Indicators"
},
{
"version": 1,
"name": "interception-method",
"description": "The interception method used to intercept traffic."
},
{
"version": 1,
"name": "kill-chain",


@ -0,0 +1,48 @@
{
"namespace": "access-method",
"description": "The access method used to remotely access a system.",
"version": 1,
"expanded": "Access method",
"predicates": [
{
"value": "brute-force",
"expanded": "Brute force",
"description": "Access was gained through systematic trial of credentials in bulk."
},
{
"value": "password-guessing",
"expanded": "Password guessing",
"description": "Access was gained through guessing passwords through trial and error."
},
{
"value": "remote-desktop-application",
"expanded": "Remote desktop application",
"description": "Access was gained through an application designed for remote access."
},
{
"value": "stolen-credentials",
"expanded": "Stolen credentials",
"description": "Access was gained with stolen credentials."
},
{
"value": "pass-the-hash",
"expanded": "Pass the hash",
"description": "Access was gained through use of an existing known hash."
},
{
"value": "default-credentials",
"expanded": "Default credentials",
"description": "Access was gained through use of the system's default credentials."
},
{
"value": "shell",
"expanded": "Shell",
"description": "Access was gained through the use of a shell."
},
{
"value": "other",
"expanded": "Other",
"description": "Access was gained through another method."
}
]
}


@ -0,0 +1,38 @@
{
"namespace": "approved-category-of-action",
"description": "A pre-approved category of action for indicators being shared with partners (MIMIC).",
"version": 1,
"expanded": "Approved category of action",
"predicates": [
{
"value": "cat1",
"expanded": "Cat1",
"description": "Minimal Exposure - Passive Collection: CAT 1 actions provide the least exposure of an indicator, either through adversary observation or disclosure. Usage of the indicator is restricted to passive monitoring on Government or Cleared Partner networks, or through a classified passive capability or Operation. CAT 1 actions do not interact with or affect malicious network traffic."
},
{
"value": "cat2",
"expanded": "Cat2",
"description": "Moderate Exposure - Government or Cleared Partner Internal Active Collection: CAT 2 actions expose the usage of an indicator through non-disruptive collection techniques which require interactions with an adversary, within Government or Cleared Partner networks. While it is not the intent to disrupt the adversary it is possible that an adversary may discover they are subject to such techniques."
},
{
"value": "cat3",
"expanded": "Cat3",
"description": "Moderate Exposure - Government or Cleared Partner Internal Countermeasures: CAT 3 actions expose the usage of an indicator through inward-facing countermeasures. Malicious network traffic is affected in some manner, however the results are not directly observable to the adversary or external parties and is, therefore, more difficult to attribute as a deliberate action. Usage of the indicator is restricted to Government and Cleared Partner networks, or a classified capability or Operation. This implies a lower likelihood for non-approved disclosures."
},
{
"value": "cat4",
"expanded": "Cat4",
"description": "Moderate Exposure - Government Actions on External Networks: CAT 4 actions expose the usage of an indicator through actions which occur on internet accessible networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary and other, public parties and it is possible they may be attributed as Government sanctioned actions."
},
{
"value": "cat5",
"expanded": "Cat5",
"description": "High Exposure - Public Actions Which Enable Internal Countermeasures: CAT 5 actions expose the usage of an indicator through the public release of information which enables internal actions on networks not owned and controlled by the Government (i.e. industry, commercial or foreign governments). These actions are official public releases and are attributable as Government sanctioned actions."
},
{
"value": "cat6",
"expanded": "Cat6",
"description": "High Exposure - Actions on Adversary Infrastructure: CAT 6 actions expose the usage of an indicator through actions which occur on adversary owned networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary, and possibly other public parties, and it is possible they may deduce this as FVEY action."
}
]
}

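--- /dev/null
+++ b/cccs/machinetag.json
@@ -0,0 +1,235 @@
+{
+"namespace": "cccs",
+"description": "Internal taxonomy for CCCS.",
+"version": 1,
+"expanded": "CCCS",
+"predicates": [
+{
+"value": "event",
+"expanded": "Event type",
+"description": "Type of event associated to the internal reference"
+},
+{
+"value": "disclosure-type",
+"expanded": "Disclosure type",
+"description": "Type of information being disclosed."
+},
+{
+"value": "exploitation-technique",
+"expanded": "Exploitation technique",
+"description": "The technique used to remotely exploit a GoC system."
+},
+{
+"value": "origin",
+"expanded": "Origin",
+"description": "Where the request originated from."
+},
+{
+"value": "originating-organization",
+"expanded": "Originating organization",
+"description": "Origin of a signature."
+}
+],
+"values": [
+{
+"predicate": "event",
+"entry": [
+{
+"value": "beacon",
+"expanded": "Beacon",
+"description": "A host infected with malware is connecting to threat actor owned infrastructure."
+},
+{
+"value": "browser-based-exploitation",
+"expanded": "Browser based exploitation",
+"description": "A browser component is being exploited in order to infect a host."
+},
+{
+"value": "dos",
+"expanded": "Dos",
+"description": "An attack in which the goal is to disrupt access to a host or resource."
+},
+{
+"value": "email",
+"expanded": "Email",
+"description": "Malicious emails sent to a department (baiting, content delivery, phishing)."
+},
+{
+"value": "exfiltration",
+"expanded": "Exfiltration",
+"description": "Unauthorized transfer of data from a target's network to a location a threat actor controls."
+},
+{
+"value": "generic-event",
+"expanded": "Generic event",
+"description": "Represents a collection of virtually identical events within a range of time."
+},
+{
+"value": "improper-usage",
+"expanded": "Improper usage",
+"description": "Technology used in a way that compromises security or violates policy."
+},
+{
+"value": "malware-artifacts",
+"expanded": "Malware artifacts",
+"description": "Signs of the presence of malware observed on a host."
+},
+{
+"value": "malware-download",
+"expanded": "Malware download",
+"description": "Malware was transferred (downloaded/uploaded) to a host."
+},
+{
+"value": "phishing",
+"expanded": "Phishing",
+"description": "Information or credentials disclosed to a threat actor."
+},
+{
+"value": "remote-access",
+"expanded": "Remote access",
+"description": "A threat actor is attempting to or succeeding in remotely logging in to a host."
+},
+{
+"value": "remote-exploitation",
+"expanded": "Remote exploitation",
+"description": "A threat actor is attempting to exploit vulnerabilities remotely."
+},
+{
+"value": "scan",
+"expanded": "Scan",
+"description": "A threat actor is scanning the network."
+},
+{
+"value": "scraping",
+"expanded": "Scraping",
+"description": "Represents a collection of virtually identical scraping events within a range of time."
+},
+{
+"value": "traffic-interception",
+"expanded": "Traffic interception",
+"description": "Represents a collection of virtually identical traffic interception events within a range of time."
+}
+]
+},
+{
+"predicate": "disclosure-type",
+"entry": [
+{
+"value": "goc-credential-disclosure",
+"expanded": "Goc credential disclosure",
+"description": "Credentials for a GoC system or user were disclosed."
+},
+{
+"value": "personal-credential-disclosure",
+"expanded": "Personal credential disclosure",
+"description": "Credentials not related to a GoC system or user were disclosed."
+},
+{
+"value": "personal-information-disclosure",
+"expanded": "Personal information disclosure",
+"description": "Information about a person or persons was disclosed."
+},
+{
+"value": "none",
+"expanded": "None",
+"description": "No information was disclosed."
+},
+{
+"value": "other",
+"expanded": "Other",
+"description": "Information other than credentials and personal information was disclosed."
+}
+]
+},
+{
+"predicate": "exploitation-technique",
+"entry": [
+{
+"value": "sql-injection",
+"expanded": "Sql injection",
+"description": "Exploitation occurred due to malicious SQL queries being executed against a database."
+},
+{
+"value": "directory-traversal",
+"expanded": "Directory traversal",
+"description": "Exploitation occurred through a directory traversal attack allowing access to a restricted directory."
+},
+{
+"value": "remote-file-inclusion",
+"expanded": "Remote file inclusion",
+"description": "Exploitation occurred due to vulnerabilities allowing malicious files to be sent."
+},
+{
+"value": "code-injection",
+"expanded": "Code injection",
+"description": "Exploitation occurred due to malicious code being injected."
+},
+{
+"value": "other",
+"expanded": "Other",
+"description": "Other."
+}
+]
+},
+{
+"predicate": "origin",
+"entry": [
+{
+"value": "subscriber",
+"expanded": "Subscriber",
+"description": "Subscriber."
+},
+{
+"value": "internet",
+"expanded": "Internet",
+"description": "Internet."
+}
+]
+},
+{
+"predicate": "originating-organization",
+"entry": [
+{
+"value": "cse",
+"expanded": "Cse",
+"description": "Communications Security Establishment."
+},
+{
+"value": "nsa",
+"expanded": "Nsa",
+"description": "National Security Agency."
+},
+{
+"value": "gchq",
+"expanded": "Gchq",
+"description": "Government Communications Headquarters."
+},
+{
+"value": "asd",
+"expanded": "Asd",
+"description": "Australian Signals Directorate."
+},
+{
+"value": "gcsb",
+"expanded": "Gcsb",
+"description": "Government Communications Security Bureau."
+},
+{
+"value": "open-source",
+"expanded": "Open source",
+"description": "Originated from publically available information."
+},
+{
+"value": "3rd-party",
+"expanded": "3rd party",
+"description": "Originated from a 3rd party organization."
+},
+{
+"value": "other",
+"expanded": "Other",
+"description": "Other."
+}
+]
+}
+]
+}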
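Review bot: Several `expanded` labels in this file lowercase acronyms because the generator applies `str.capitalize()` to the raw name — `"expanded": "Dos"`, `"Sql injection"`, `"Goc credential disclosure"`, `"Cse"`, `"Nsa"`, `"Gchq"`, `"Asd"`, `"Gcsb"` — and the interception-method file has the same problem with `"Dns"`. These labels are what analysts see in the UI, so the reader-facing forms should be `DoS`, `SQL injection`, `GoC credential disclosure`, `CSE`, `NSA`, `GCHQ`, `ASD`, `GCSB`, `DNS`, either by correcting the generated files by hand or by teaching tools/alfred_taxonomies.py a small acronym map before it calls `capitalize()`. Separately, the `origin` entries carry descriptions that only repeat the value (`"description": "Subscriber."`, `"description": "Internet."`) and the `other` entries under `exploitation-technique` and `originating-organization` read `"description": "Other."`; a description should state what distinguishes the entry so the tag is applied consistently, and an empty or repeated one is better left out than shipped as-is.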


@ -0,0 +1,43 @@
{
"namespace": "interception-method",
"description": "The interception method used to intercept traffic.",
"version": 1,
"expanded": "Interception method",
"predicates": [
{
"value": "man-in-the-middle",
"expanded": "Man-in-the-middle",
"description": "Interception where an attacker secretly relayed and possibly altered the communication between two parties."
},
{
"value": "man-on-the-side",
"expanded": "Man-on-the-side",
"description": "Interception where an attacker could read and send messages between two parties but not alter messages."
},
{
"value": "passive",
"expanded": "Passive",
"description": "Interception where an attacker could read messages between two parties."
},
{
"value": "search-result-poisoning",
"expanded": "Search result poisoning",
"description": "Interception where an attacker creates malicious websites intended to show up in search engine queries."
},
{
"value": "dns",
"expanded": "Dns",
"description": "Interception where domain name resolution is altered to re-direct traffic to a malicious IP address."
},
{
"value": "host-file",
"expanded": "Host file",
"description": "Interception where the HOSTS file is modified to re-direct traffic to a malicious IP address."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
}

137
tools/alfred_taxonomies.py Normal file

@ -0,0 +1,137 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pathlib import Path
import json
from pytaxonomies import Taxonomy, Predicate, Entry
'''
Taxonomies mapping:
* disclosure-type, origin, originating-organization, exploitation-technique => part of cccs
* dos-type ~~ ddos
* report-state ~~ workflow
* malware-category ~~ malware_classification - NOPE: malware_classification has a static source @ SANS
* access-method - ack
* approved-category-of-action - ack
* cccs - ack
* interception method -> ack
* domain-category & ip-category - maybe?
* email-type - malicious email types - maybe?
* maliciousness -> maybe?
* malware-category -> yes?
* scan type: maybe?
* severity: atta&ck?
* misusage-type -> attack?
* mitigation type -> attack?
* threat-vector: languages/applications/protocols -> split
* ftp-type - request / response => object
* record type: (query/response) => part of object
* host category -> server/workstation -> part of object : network device
* method match -> HTTP request type ?!
'''
root_dir_taxonomies = Path('..')
ontology_path = Path('alfred-ontology.json')
with open(ontology_path) as f:
ontology = json.load(f)['data']
# CCCS Taxonomy
cccs = Taxonomy()
cccs.name = "cccs"
cccs.description = "Internal taxonomy for CCCS."
cccs.version = 1
cccs.expanded = "CCCS"
cccs.predicates = {}
# Tags for internal reference
predicate = Predicate()
predicate.predicate = 'event'
predicate.expanded = 'Event type'
predicate.description = 'Type of event associated to the internal reference'
predicate.entries = {}
for datatype in ontology['dataTypes']:
if 'superType' not in datatype or datatype['superType'] != 'EVENT':
continue
entry = Entry()
entry.value = datatype['name'].lower().replace('_', '-')
entry.expanded = datatype['name'].lower().replace('_', ' ').capitalize()
entry.description = datatype['description'].replace(' The value is the event ID.', '')
predicate.entries[entry.value] = entry
cccs.predicates[predicate.predicate] = predicate
predicate_of_cccs = ['disclosure-type', 'origin', 'originating-organization', 'exploitation-technique']
ignore = ['dos-type', 'report-state']
skip_for_now = ['domain-category', 'email-type', 'ftp-type', 'host-category', 'ip-category',
'maliciousness', 'malware-category', 'method-match', 'misusage-type',
'mitigation-type', 'record-type', 'scan-type', 'severity', 'threat-vector']
for propertytype in ontology['propertyTypes']:
if 'accepts' in propertytype and propertytype['accepts']['name'] != 'list':
continue
misp_name = propertytype['name'].lower().replace('_', '-').replace(' ', '-')
if misp_name in ignore or misp_name in skip_for_now:
continue
if misp_name not in predicate_of_cccs:
new_taxonomy = Taxonomy()
new_taxonomy.name = misp_name
new_taxonomy.description = propertytype['description']
new_taxonomy.version = 1
new_taxonomy.expanded = propertytype['name'].lower().replace('_', ' ').capitalize()
new_taxonomy.predicates = {}
for value in propertytype['accepts']['values']:
predicate = Predicate()
predicate.predicate = value['name'].lower().replace('_', '-').replace(' ', '-')
predicate.expanded = value['name'].lower().replace('_', ' ').capitalize()
predicate.description = value['description']
new_taxonomy.predicates[predicate.predicate] = predicate
else:
predicate = Predicate()
predicate.predicate = misp_name
predicate.expanded = propertytype['name'].lower().replace('_', ' ').capitalize()
predicate.description = propertytype['description']
predicate.entries = {}
for value in propertytype['accepts']['values']:
entry = Entry()
entry.value = value['name'].lower().replace('_', '-').replace(' ', '-')
entry.expanded = value['name'].lower().replace('_', ' ').capitalize()
entry.description = value['description']
predicate.entries[entry.value] = entry
cccs.predicates[predicate.predicate] = predicate
if not (root_dir_taxonomies / new_taxonomy.name).exists():
(root_dir_taxonomies / new_taxonomy.name).mkdir()
if (root_dir_taxonomies / new_taxonomy.name / 'machinetag.json').exists():
with open(root_dir_taxonomies / new_taxonomy.name / 'machinetag.json') as f:
existing_taxonomy = json.load(f)
if existing_taxonomy == new_taxonomy.to_dict():
continue
new_taxonomy.version = existing_taxonomy['version'] + 1
with open(root_dir_taxonomies / new_taxonomy.name / 'machinetag.json', 'w') as f:
json.dump(new_taxonomy.to_dict(), f, indent=2)
# Dump generic CCCS taxonomy
if not (root_dir_taxonomies / cccs.name).exists():
(root_dir_taxonomies / cccs.name).mkdir()
if (root_dir_taxonomies / cccs.name / 'machinetag.json').exists():
with open(root_dir_taxonomies / cccs.name / 'machinetag.json') as f:
existing_taxonomy = json.load(f)
if existing_taxonomy != cccs.to_dict():
cccs.version = existing_taxonomy['version'] + 1
with open(root_dir_taxonomies / cccs.name / 'machinetag.json', 'w') as f:
json.dump(cccs.to_dict(), f, indent=2)
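Review bot: The comparison `if existing_taxonomy == new_taxonomy.to_dict():` can never match once a taxonomy has been bumped past version 1, because `new_taxonomy.version = 1` is set unconditionally a few lines earlier and `to_dict()` includes the version field (the dumped files carry `"version": 1`), so every later run sees a difference and bumps the version again; the trailing `cccs` block with `if existing_taxonomy != cccs.to_dict():` has the same flaw. Copying the stored version onto the object before comparing, and incrementing only when the content still differs, fixes both. The guard `if 'accepts' in propertytype and propertytype['accepts']['name'] != 'list': continue` also lets a property type with no `accepts` key fall through to `propertytype['accepts']['values']`, which raises KeyError; it should read `if 'accepts' not in propertytype or propertytype['accepts']['name'] != 'list':`. The rendered page has lost indentation, so I cannot tell whether the directory/version/dump block starting at `if not (root_dir_taxonomies / new_taxonomy.name).exists():` sits inside the `if misp_name not in predicate_of_cccs:` branch; if it sits at loop level instead, the `else` branch reuses `new_taxonomy` from an earlier iteration (or raises NameError on the first), which is worth confirming against the committed file.
```python
for propertytype in ontology['propertyTypes']:
    # Only closed value lists become taxonomies; this also covers a missing 'accepts'.
    if 'accepts' not in propertytype or propertytype['accepts']['name'] != 'list':
        continue
    # … unchanged: misp_name, ignore/skip_for_now filtering, taxonomy/predicate construction, mkdir …
    taxonomy_file = root_dir_taxonomies / new_taxonomy.name / 'machinetag.json'
    if taxonomy_file.exists():
        with open(taxonomy_file) as f:
            existing_taxonomy = json.load(f)
        # Compare at the stored version so an unchanged taxonomy is not re-bumped on every run.
        new_taxonomy.version = existing_taxonomy['version']
        if existing_taxonomy == new_taxonomy.to_dict():
            continue
        new_taxonomy.version += 1
    # … unchanged: json.dump of new_taxonomy …

# Dump generic CCCS taxonomy
# … unchanged: mkdir of the cccs directory …
cccs_file = root_dir_taxonomies / cccs.name / 'machinetag.json'
if cccs_file.exists():
    with open(cccs_file) as f:
        existing_taxonomy = json.load(f)
    cccs.version = existing_taxonomy['version']
    if existing_taxonomy != cccs.to_dict():
        cccs.version += 1
# … unchanged: json.dump of cccs …
```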