new: CCCS taxonomies, first batch
parent
141bc6602b
commit
c63bc2e687
|
@ -5,6 +5,11 @@
|
|||
"name": "accessnow",
|
||||
"description": "Access Now"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "access-method",
|
||||
"description": "The access method used to remotely access a system."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "action-taken",
|
||||
|
@ -30,11 +35,21 @@
|
|||
"name": "analyst-assessment",
|
||||
"description": ""
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "approved-category-of-action",
|
||||
"description": "A pre-approved category of action for indicators being shared with partners (MIMIC)."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "binary-class",
|
||||
"description": ""
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "cccs",
|
||||
"description": "Internal taxonomy for CCCS."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "CERT-XLM",
|
||||
|
@ -150,6 +165,11 @@
|
|||
"name": "information-security-indicators",
|
||||
"description": "Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework). ETSI GS ISI 001-1 (V1.1.2): ISI Indicators"
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "interception-method",
|
||||
"description": "The interception method used to intercept traffic."
|
||||
},
|
||||
{
|
||||
"version": 1,
|
||||
"name": "kill-chain",
|
||||
|
|
|
@ -0,0 +1,48 @@
|
|||
{
|
||||
"namespace": "access-method",
|
||||
"description": "The access method used to remotely access a system.",
|
||||
"version": 1,
|
||||
"expanded": "Access method",
|
||||
"predicates": [
|
||||
{
|
||||
"value": "brute-force",
|
||||
"expanded": "Brute force",
|
||||
"description": "Access was gained through systematic trial of credentials in bulk."
|
||||
},
|
||||
{
|
||||
"value": "password-guessing",
|
||||
"expanded": "Password guessing",
|
||||
"description": "Access was gained through guessing passwords through trial and error."
|
||||
},
|
||||
{
|
||||
"value": "remote-desktop-application",
|
||||
"expanded": "Remote desktop application",
|
||||
"description": "Access was gained through an application designed for remote access."
|
||||
},
|
||||
{
|
||||
"value": "stolen-credentials",
|
||||
"expanded": "Stolen credentials",
|
||||
"description": "Access was gained with stolen credentials."
|
||||
},
|
||||
{
|
||||
"value": "pass-the-hash",
|
||||
"expanded": "Pass the hash",
|
||||
"description": "Access was gained through use of an existing known hash."
|
||||
},
|
||||
{
|
||||
"value": "default-credentials",
|
||||
"expanded": "Default credentials",
|
||||
"description": "Access was gained through use of the system's default credentials."
|
||||
},
|
||||
{
|
||||
"value": "shell",
|
||||
"expanded": "Shell",
|
||||
"description": "Access was gained through the use of a shell."
|
||||
},
|
||||
{
|
||||
"value": "other",
|
||||
"expanded": "Other",
|
||||
"description": "Access was gained through another method."
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"namespace": "approved-category-of-action",
|
||||
"description": "A pre-approved category of action for indicators being shared with partners (MIMIC).",
|
||||
"version": 1,
|
||||
"expanded": "Approved category of action",
|
||||
"predicates": [
|
||||
{
|
||||
"value": "cat1",
|
||||
"expanded": "Cat1",
|
||||
"description": "Minimal Exposure - Passive Collection: CAT 1 actions provide the least exposure of an indicator, either through adversary observation or disclosure. Usage of the indicator is restricted to passive monitoring on Government or Cleared Partner networks, or through a classified passive capability or Operation. CAT 1 actions do not interact with or affect malicious network traffic."
|
||||
},
|
||||
{
|
||||
"value": "cat2",
|
||||
"expanded": "Cat2",
|
||||
"description": "Moderate Exposure - Government or Cleared Partner Internal Active Collection: CAT 2 actions expose the usage of an indicator through non-disruptive collection techniques which require interactions with an adversary, within Government or Cleared Partner networks. While it is not the intent to disrupt the adversary it is possible that an adversary may discover they are subject to such techniques."
|
||||
},
|
||||
{
|
||||
"value": "cat3",
|
||||
"expanded": "Cat3",
|
||||
"description": "Moderate Exposure - Government or Cleared Partner Internal Countermeasures: CAT 3 actions expose the usage of an indicator through inward-facing countermeasures. Malicious network traffic is affected in some manner, however the results are not directly observable to the adversary or external parties and is, therefore, more difficult to attribute as a deliberate action. Usage of the indicator is restricted to Government and Cleared Partner networks, or a classified capability or Operation. This implies a lower likelihood for non-approved disclosures."
|
||||
},
|
||||
{
|
||||
"value": "cat4",
|
||||
"expanded": "Cat4",
|
||||
"description": "Moderate Exposure - Government Actions on External Networks: CAT 4 actions expose the usage of an indicator through actions which occur on internet accessible networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary and other, public parties and it is possible they may be attributed as Government sanctioned actions."
|
||||
},
|
||||
{
|
||||
"value": "cat5",
|
||||
"expanded": "Cat5",
|
||||
"description": "High Exposure - Public Actions Which Enable Internal Countermeasures: CAT 5 actions expose the usage of an indicator through the public release of information which enables internal actions on networks not owned and controlled by the Government (i.e. industry, commercial or foreign governments). These actions are official public releases and are attributable as Government sanctioned actions."
|
||||
},
|
||||
{
|
||||
"value": "cat6",
|
||||
"expanded": "Cat6",
|
||||
"description": "High Exposure - Actions on Adversary Infrastructure: CAT 6 actions expose the usage of an indicator through actions which occur on adversary owned networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary, and possibly other public parties, and it is possible they may deduce this as FVEY action."
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,235 @@
|
|||
{
|
||||
"namespace": "cccs",
|
||||
"description": "Internal taxonomy for CCCS.",
|
||||
"version": 1,
|
||||
"expanded": "CCCS",
|
||||
"predicates": [
|
||||
{
|
||||
"value": "event",
|
||||
"expanded": "Event type",
|
||||
"description": "Type of event associated to the internal reference"
|
||||
},
|
||||
{
|
||||
"value": "disclosure-type",
|
||||
"expanded": "Disclosure type",
|
||||
"description": "Type of information being disclosed."
|
||||
},
|
||||
{
|
||||
"value": "exploitation-technique",
|
||||
"expanded": "Exploitation technique",
|
||||
"description": "The technique used to remotely exploit a GoC system."
|
||||
},
|
||||
{
|
||||
"value": "origin",
|
||||
"expanded": "Origin",
|
||||
"description": "Where the request originated from."
|
||||
},
|
||||
{
|
||||
"value": "originating-organization",
|
||||
"expanded": "Originating organization",
|
||||
"description": "Origin of a signature."
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "event",
|
||||
"entry": [
|
||||
{
|
||||
"value": "beacon",
|
||||
"expanded": "Beacon",
|
||||
"description": "A host infected with malware is connecting to threat actor owned infrastructure."
|
||||
},
|
||||
{
|
||||
"value": "browser-based-exploitation",
|
||||
"expanded": "Browser based exploitation",
|
||||
"description": "A browser component is being exploited in order to infect a host."
|
||||
},
|
||||
{
|
||||
"value": "dos",
|
||||
"expanded": "Dos",
|
||||
"description": "An attack in which the goal is to disrupt access to a host or resource."
|
||||
},
|
||||
{
|
||||
"value": "email",
|
||||
"expanded": "Email",
|
||||
"description": "Malicious emails sent to a department (baiting, content delivery, phishing)."
|
||||
},
|
||||
{
|
||||
"value": "exfiltration",
|
||||
"expanded": "Exfiltration",
|
||||
"description": "Unauthorized transfer of data from a target's network to a location a threat actor controls."
|
||||
},
|
||||
{
|
||||
"value": "generic-event",
|
||||
"expanded": "Generic event",
|
||||
"description": "Represents a collection of virtually identical events within a range of time."
|
||||
},
|
||||
{
|
||||
"value": "improper-usage",
|
||||
"expanded": "Improper usage",
|
||||
"description": "Technology used in a way that compromises security or violates policy."
|
||||
},
|
||||
{
|
||||
"value": "malware-artifacts",
|
||||
"expanded": "Malware artifacts",
|
||||
"description": "Signs of the presence of malware observed on a host."
|
||||
},
|
||||
{
|
||||
"value": "malware-download",
|
||||
"expanded": "Malware download",
|
||||
"description": "Malware was transferred (downloaded/uploaded) to a host."
|
||||
},
|
||||
{
|
||||
"value": "phishing",
|
||||
"expanded": "Phishing",
|
||||
"description": "Information or credentials disclosed to a threat actor."
|
||||
},
|
||||
{
|
||||
"value": "remote-access",
|
||||
"expanded": "Remote access",
|
||||
"description": "A threat actor is attempting to or succeeding in remotely logging in to a host."
|
||||
},
|
||||
{
|
||||
"value": "remote-exploitation",
|
||||
"expanded": "Remote exploitation",
|
||||
"description": "A threat actor is attempting to exploit vulnerabilities remotely."
|
||||
},
|
||||
{
|
||||
"value": "scan",
|
||||
"expanded": "Scan",
|
||||
"description": "A threat actor is scanning the network."
|
||||
},
|
||||
{
|
||||
"value": "scraping",
|
||||
"expanded": "Scraping",
|
||||
"description": "Represents a collection of virtually identical scraping events within a range of time."
|
||||
},
|
||||
{
|
||||
"value": "traffic-interception",
|
||||
"expanded": "Traffic interception",
|
||||
"description": "Represents a collection of virtually identical traffic interception events within a range of time."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "disclosure-type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "goc-credential-disclosure",
|
||||
"expanded": "Goc credential disclosure",
|
||||
"description": "Credentials for a GoC system or user were disclosed."
|
||||
},
|
||||
{
|
||||
"value": "personal-credential-disclosure",
|
||||
"expanded": "Personal credential disclosure",
|
||||
"description": "Credentials not related to a GoC system or user were disclosed."
|
||||
},
|
||||
{
|
||||
"value": "personal-information-disclosure",
|
||||
"expanded": "Personal information disclosure",
|
||||
"description": "Information about a person or persons was disclosed."
|
||||
},
|
||||
{
|
||||
"value": "none",
|
||||
"expanded": "None",
|
||||
"description": "No information was disclosed."
|
||||
},
|
||||
{
|
||||
"value": "other",
|
||||
"expanded": "Other",
|
||||
"description": "Information other than credentials and personal information was disclosed."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "exploitation-technique",
|
||||
"entry": [
|
||||
{
|
||||
"value": "sql-injection",
|
||||
"expanded": "Sql injection",
|
||||
"description": "Exploitation occurred due to malicious SQL queries being executed against a database."
|
||||
},
|
||||
{
|
||||
"value": "directory-traversal",
|
||||
"expanded": "Directory traversal",
|
||||
"description": "Exploitation occurred through a directory traversal attack allowing access to a restricted directory."
|
||||
},
|
||||
{
|
||||
"value": "remote-file-inclusion",
|
||||
"expanded": "Remote file inclusion",
|
||||
"description": "Exploitation occurred due to vulnerabilities allowing malicious files to be sent."
|
||||
},
|
||||
{
|
||||
"value": "code-injection",
|
||||
"expanded": "Code injection",
|
||||
"description": "Exploitation occurred due to malicious code being injected."
|
||||
},
|
||||
{
|
||||
"value": "other",
|
||||
"expanded": "Other",
|
||||
"description": "Other."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "origin",
|
||||
"entry": [
|
||||
{
|
||||
"value": "subscriber",
|
||||
"expanded": "Subscriber",
|
||||
"description": "Subscriber."
|
||||
},
|
||||
{
|
||||
"value": "internet",
|
||||
"expanded": "Internet",
|
||||
"description": "Internet."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "originating-organization",
|
||||
"entry": [
|
||||
{
|
||||
"value": "cse",
|
||||
"expanded": "Cse",
|
||||
"description": "Communications Security Establishment."
|
||||
},
|
||||
{
|
||||
"value": "nsa",
|
||||
"expanded": "Nsa",
|
||||
"description": "National Security Agency."
|
||||
},
|
||||
{
|
||||
"value": "gchq",
|
||||
"expanded": "Gchq",
|
||||
"description": "Government Communications Headquarters."
|
||||
},
|
||||
{
|
||||
"value": "asd",
|
||||
"expanded": "Asd",
|
||||
"description": "Australian Signals Directorate."
|
||||
},
|
||||
{
|
||||
"value": "gcsb",
|
||||
"expanded": "Gcsb",
|
||||
"description": "Government Communications Security Bureau."
|
||||
},
|
||||
{
|
||||
"value": "open-source",
|
||||
"expanded": "Open source",
|
||||
"description": "Originated from publically available information."
|
||||
},
|
||||
{
|
||||
"value": "3rd-party",
|
||||
"expanded": "3rd party",
|
||||
"description": "Originated from a 3rd party organization."
|
||||
},
|
||||
{
|
||||
"value": "other",
|
||||
"expanded": "Other",
|
||||
"description": "Other."
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
{
|
||||
"namespace": "interception-method",
|
||||
"description": "The interception method used to intercept traffic.",
|
||||
"version": 1,
|
||||
"expanded": "Interception method",
|
||||
"predicates": [
|
||||
{
|
||||
"value": "man-in-the-middle",
|
||||
"expanded": "Man-in-the-middle",
|
||||
"description": "Interception where an attacker secretly relayed and possibly altered the communication between two parties."
|
||||
},
|
||||
{
|
||||
"value": "man-on-the-side",
|
||||
"expanded": "Man-on-the-side",
|
||||
"description": "Interception where an attacker could read and send messages between two parties but not alter messages."
|
||||
},
|
||||
{
|
||||
"value": "passive",
|
||||
"expanded": "Passive",
|
||||
"description": "Interception where an attacker could read messages between two parties."
|
||||
},
|
||||
{
|
||||
"value": "search-result-poisoning",
|
||||
"expanded": "Search result poisoning",
|
||||
"description": "Interception where an attacker creates malicious websites intended to show up in search engine queries."
|
||||
},
|
||||
{
|
||||
"value": "dns",
|
||||
"expanded": "Dns",
|
||||
"description": "Interception where domain name resolution is altered to re-direct traffic to a malicious IP address."
|
||||
},
|
||||
{
|
||||
"value": "host-file",
|
||||
"expanded": "Host file",
|
||||
"description": "Interception where the HOSTS file is modified to re-direct traffic to a malicious IP address."
|
||||
},
|
||||
{
|
||||
"value": "other",
|
||||
"expanded": "Other",
|
||||
"description": "Other."
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,137 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
from pathlib import Path
|
||||
import json
|
||||
from pytaxonomies import Taxonomy, Predicate, Entry
|
||||
|
||||
'''
|
||||
Taxonomies mapping:
|
||||
* disclosure-type, origin, originating-organization, exploitation-technique => part of cccs
|
||||
* dos-type ~~ ddos
|
||||
* report-state ~~ workflow
|
||||
* malware-category ~~ malware_classification - NOPE: malware_classification has a static source @ SANS
|
||||
|
||||
* access-method - ack
|
||||
* approved-category-of-action - ack
|
||||
* cccs - ack
|
||||
* interception method -> ack
|
||||
|
||||
* domain-category & ip-category - maybe?
|
||||
* email-type - malicious email types - maybe?
|
||||
* maliciousness -> maybe?
|
||||
* malware-category -> yes?
|
||||
* scan type: maybe?
|
||||
|
||||
* severity: atta&ck?
|
||||
* misusage-type -> attack?
|
||||
* mitigation type -> attack?
|
||||
|
||||
* threat-vector: languages/applications/protocols -> split
|
||||
|
||||
* ftp-type - request / response => object
|
||||
* record type: (query/response) => part of object
|
||||
|
||||
* host category -> server/workstation -> part of object : network device
|
||||
|
||||
* method match -> HTTP request type ?!
|
||||
'''
|
||||
|
||||
root_dir_taxonomies = Path('..')
|
||||
|
||||
ontology_path = Path('alfred-ontology.json')
|
||||
|
||||
with open(ontology_path) as f:
|
||||
ontology = json.load(f)['data']
|
||||
|
||||
# CCCS Taxonomy
|
||||
cccs = Taxonomy()
|
||||
cccs.name = "cccs"
|
||||
cccs.description = "Internal taxonomy for CCCS."
|
||||
cccs.version = 1
|
||||
cccs.expanded = "CCCS"
|
||||
cccs.predicates = {}
|
||||
|
||||
# Tags for internal reference
|
||||
predicate = Predicate()
|
||||
predicate.predicate = 'event'
|
||||
predicate.expanded = 'Event type'
|
||||
predicate.description = 'Type of event associated to the internal reference'
|
||||
predicate.entries = {}
|
||||
|
||||
for datatype in ontology['dataTypes']:
|
||||
if 'superType' not in datatype or datatype['superType'] != 'EVENT':
|
||||
continue
|
||||
entry = Entry()
|
||||
entry.value = datatype['name'].lower().replace('_', '-')
|
||||
entry.expanded = datatype['name'].lower().replace('_', ' ').capitalize()
|
||||
entry.description = datatype['description'].replace(' The value is the event ID.', '')
|
||||
predicate.entries[entry.value] = entry
|
||||
|
||||
cccs.predicates[predicate.predicate] = predicate
|
||||
|
||||
predicate_of_cccs = ['disclosure-type', 'origin', 'originating-organization', 'exploitation-technique']
|
||||
ignore = ['dos-type', 'report-state']
|
||||
skip_for_now = ['domain-category', 'email-type', 'ftp-type', 'host-category', 'ip-category',
|
||||
'maliciousness', 'malware-category', 'method-match', 'misusage-type',
|
||||
'mitigation-type', 'record-type', 'scan-type', 'severity', 'threat-vector']
|
||||
|
||||
for propertytype in ontology['propertyTypes']:
|
||||
if 'accepts' in propertytype and propertytype['accepts']['name'] != 'list':
|
||||
continue
|
||||
misp_name = propertytype['name'].lower().replace('_', '-').replace(' ', '-')
|
||||
if misp_name in ignore or misp_name in skip_for_now:
|
||||
continue
|
||||
if misp_name not in predicate_of_cccs:
|
||||
new_taxonomy = Taxonomy()
|
||||
new_taxonomy.name = misp_name
|
||||
new_taxonomy.description = propertytype['description']
|
||||
new_taxonomy.version = 1
|
||||
new_taxonomy.expanded = propertytype['name'].lower().replace('_', ' ').capitalize()
|
||||
new_taxonomy.predicates = {}
|
||||
for value in propertytype['accepts']['values']:
|
||||
predicate = Predicate()
|
||||
predicate.predicate = value['name'].lower().replace('_', '-').replace(' ', '-')
|
||||
predicate.expanded = value['name'].lower().replace('_', ' ').capitalize()
|
||||
predicate.description = value['description']
|
||||
new_taxonomy.predicates[predicate.predicate] = predicate
|
||||
else:
|
||||
predicate = Predicate()
|
||||
predicate.predicate = misp_name
|
||||
predicate.expanded = propertytype['name'].lower().replace('_', ' ').capitalize()
|
||||
predicate.description = propertytype['description']
|
||||
predicate.entries = {}
|
||||
for value in propertytype['accepts']['values']:
|
||||
entry = Entry()
|
||||
entry.value = value['name'].lower().replace('_', '-').replace(' ', '-')
|
||||
entry.expanded = value['name'].lower().replace('_', ' ').capitalize()
|
||||
entry.description = value['description']
|
||||
predicate.entries[entry.value] = entry
|
||||
cccs.predicates[predicate.predicate] = predicate
|
||||
|
||||
if not (root_dir_taxonomies / new_taxonomy.name).exists():
|
||||
(root_dir_taxonomies / new_taxonomy.name).mkdir()
|
||||
|
||||
if (root_dir_taxonomies / new_taxonomy.name / 'machinetag.json').exists():
|
||||
with open(root_dir_taxonomies / new_taxonomy.name / 'machinetag.json') as f:
|
||||
existing_taxonomy = json.load(f)
|
||||
if existing_taxonomy == new_taxonomy.to_dict():
|
||||
continue
|
||||
new_taxonomy.version = existing_taxonomy['version'] + 1
|
||||
with open(root_dir_taxonomies / new_taxonomy.name / 'machinetag.json', 'w') as f:
|
||||
json.dump(new_taxonomy.to_dict(), f, indent=2)
|
||||
|
||||
|
||||
# Dump generic CCCS taxonomy
|
||||
|
||||
if not (root_dir_taxonomies / cccs.name).exists():
|
||||
(root_dir_taxonomies / cccs.name).mkdir()
|
||||
|
||||
if (root_dir_taxonomies / cccs.name / 'machinetag.json').exists():
|
||||
with open(root_dir_taxonomies / cccs.name / 'machinetag.json') as f:
|
||||
existing_taxonomy = json.load(f)
|
||||
if existing_taxonomy != cccs.to_dict():
|
||||
cccs.version = existing_taxonomy['version'] + 1
|
||||
|
||||
with open(root_dir_taxonomies / cccs.name / 'machinetag.json', 'w') as f:
|
||||
json.dump(cccs.to_dict(), f, indent=2)
|
Loading…
Reference in New Issue