fix: [threatmatch] various fixes

pull/207/head
Alexandre Dulaunoy 2021-04-13 11:04:37 +02:00
parent 1b303e30b3
commit d4fddb65e5
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
4 changed files with 316 additions and 323 deletions

View File

@ -560,7 +560,7 @@
}, },
{ {
"description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.", "description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
"name": "threatmatch", "name": "ThreatMatch",
"version": 1 "version": 1
}, },
{ {
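Review bot: the manifest `name` is what MISP uses to build both the tag namespace and the path `<name>/machinetag.json`, so changing `threatmatch` to `ThreatMatch` only works if the directory in the repository is also named `ThreatMatch` (the README hunk further down links `tree/main/ThreatMatch`, which is consistent). Every other name in the manifest and README is lowercase with hyphens (`access-method`, `threats-to-dns`, `targeted-threat-index`), so a mixed-case namespace is a deviation worth a sentence in the commit message, and any tags already applied under the old `threatmatch` namespace will no longer match the taxonomy.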
@ -615,5 +615,5 @@
} }
], ],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
"version": "20210325" "version": "20210413"
} }

View File

@ -10,7 +10,6 @@ Taxonomies that can be used in [MISP](https://github.com/MISP/MISP) (2.4) and ot
The following taxonomies can be used in MISP (as local or distributed tags) or in other tools and software willing to share common taxonomies among security information sharing tools. The following taxonomies can be used in MISP (as local or distributed tags) or in other tools and software willing to share common taxonomies among security information sharing tools.
### CERT-XLM ### CERT-XLM
[CERT-XLM](https://github.com/MISP/misp-taxonomies/tree/main/CERT-XLM) : [CERT-XLM](https://github.com/MISP/misp-taxonomies/tree/main/CERT-XLM) :
@ -31,6 +30,11 @@ The Detection Maturity Level (DML) model is a capability maturity model for refe
[PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) : [PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) :
The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. [Overview](https://www.misp-project.org/taxonomies.html#_PAP) The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. [Overview](https://www.misp-project.org/taxonomies.html#_PAP)
### ThreatMatch
[ThreatMatch](https://github.com/MISP/misp-taxonomies/tree/main/ThreatMatch) :
The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_ThreatMatch)
### access-method ### access-method
[access-method](https://github.com/MISP/misp-taxonomies/tree/main/access-method) : [access-method](https://github.com/MISP/misp-taxonomies/tree/main/access-method) :
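Review bot: the README is ordered case-sensitively, so `ThreatMatch` lands between `PAP` and `access-method` instead of next to the other `t*` taxonomies; if the README is regenerated from the manifest that is expected, otherwise a lowercase name would keep it in alphabetical position. Also check that the `[Overview](...#_ThreatMatch)` anchor resolves: every other overview anchor visible on this page is lowercase with underscores (`#_targeted_threat_index`, `#_threatmatch_sectors`), so the generated taxonomies page may well emit `#_threatmatch` rather than `#_ThreatMatch`.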
@ -566,26 +570,6 @@ TTPs are representations of the behavior or modus operandi of cyber adversaries.
[targeted-threat-index](https://github.com/MISP/misp-taxonomies/tree/main/targeted-threat-index) : [targeted-threat-index](https://github.com/MISP/misp-taxonomies/tree/main/targeted-threat-index) :
The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. [Overview](https://www.misp-project.org/taxonomies.html#_targeted_threat_index) The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. [Overview](https://www.misp-project.org/taxonomies.html#_targeted_threat_index)
### threatmatch-alert-types
[threatmatch-alert-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-alert-types) :
The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_alert_types)
### threatmatch-incident-types
[threatmatch-incident-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-incident-types) :
The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_incident_types)
### threatmatch-malware-types
[threatmatch-malware-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-malware-types) :
The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_malware_types)
### threatmatch-sectors
[threatmatch-sectors](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-sectors) :
The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_sectors)
### threats-to-dns ### threats-to-dns
[threats-to-dns](https://github.com/MISP/misp-taxonomies/tree/main/threats-to-dns) : [threats-to-dns](https://github.com/MISP/misp-taxonomies/tree/main/threats-to-dns) :
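Review bot: the four removed sections (`threatmatch-alert-types`, `threatmatch-incident-types`, `threatmatch-malware-types`, `threatmatch-sectors`) disappear from the README and summary, but the commit touches only four files and deletes no `machinetag.json` under those directories, so either those directories never existed and the docs were stale, or they are being left behind. Please confirm which; if they existed, say so in the commit message, because MISP tags carry the namespace (`threatmatch-sectors:sector="Banking & Capital Markets"` versus `ThreatMatch:sector="..."`) and events tagged under the old namespaces will not match the consolidated taxonomy.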

View File

@ -1,5 +1,5 @@
# Taxonomies # Taxonomies
- Generation date: 2021-03-24 - Generation date: 2021-04-13
- license: CC-0 - license: CC-0
- description: Manifest file of MISP taxonomies available. - description: Manifest file of MISP taxonomies available.
@ -180,7 +180,7 @@
- threat-vector - threat-vector
### circl ### circl
- description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection - description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
- version: 4 - version: 5
- Predicates - Predicates
- incident-classification - incident-classification
- topic - topic
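Review bot: the `circl` version bump from 4 to 5, and the new `cti`, `ioc` and `vmray` entries further down, are unrelated to the ThreatMatch fix named in the commit title; they show `summary.md` had not been regenerated since the 2021-03-24 run. Harmless, but the commit message should say the summary was regenerated so the unrelated diff is not mistaken for a manual edit.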
@ -280,6 +280,16 @@
- report - report
- origin - origin
- analyse - analyse
### cti
- description: Cyber Threat Intelligence cycle to control workflow state of your process.
- version: 1
- Predicates
- planning
- collection
- processing-and-analysis
- dissemination-done
- feedback-received
- feedback-pending
### current-event ### current-event
- description: Current events - Schemes of Classification in Incident Response and Detection - description: Current events - Schemes of Classification in Incident Response and Detection
- version: 1 - version: 1
@ -837,6 +847,11 @@
- dns - dns
- host-file - host-file
- other - other
### ioc
- description: An IOC classification to facilitate automation of malicious and non malicious artifacts
- version: 2
- Predicates
- artifact-state
### iot ### iot
- description: Internet of Things taxonomy, based on IOT UK report https://iotuk.org.uk/wp-content/uploads/2017/01/IOT-Taxonomy-Report.pdf - description: Internet of Things taxonomy, based on IOT UK report https://iotuk.org.uk/wp-content/uploads/2017/01/IOT-Taxonomy-Report.pdf
- version: 2 - version: 2
@ -1144,26 +1159,14 @@
- Predicates - Predicates
- targeting-sophistication-base-value - targeting-sophistication-base-value
- technical-sophistication-multiplier - technical-sophistication-multiplier
### threatmatch-alert-types ### ThreatMatch
- description: The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. - description: The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
- version: 1
- Predicates
- alert_type
### threatmatch-incident-types
- description: The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
- version: 1
- Predicates
- incident_type
### threatmatch-malware-types
- description: The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
- version: 1
- Predicates
- malware_type
### threatmatch-sectors
- description: The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
- version: 1 - version: 1
- Predicates - Predicates
- sector - sector
- incident-type
- malware-type
- alert-type
### threats-to-dns ### threats-to-dns
- description: An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 11. doi:10.1109/comst.2018.2849614 - description: An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 11. doi:10.1109/comst.2018.2849614
- version: 1 - version: 1
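Review bot: the predicate names listed here for `ThreatMatch` (`sector`, `incident-type`, `malware-type`, `alert-type`) do not match the `machinetag.json` hunks in this same commit, where the value blocks use `"predicate": "malware_type"` and `"predicate": "alert_type"` (underscores). Either the summary was generated from a different revision of the file, or the `predicates` array in `machinetag.json` uses hyphens while the `values` entries use underscores; the latter would leave the `malware_type` and `alert_type` entries orphaned, since every `values[].predicate` must equal a `predicates[].value` for MISP to expose those tags. Worth running the repository's JSON validation before merging.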
@ -1282,6 +1285,13 @@
- victim:revenue:iso_currency_code - victim:revenue:iso_currency_code
- attribute:availability:duration:unit - attribute:availability:duration:unit
- attribute:confidentiality:data:variety - attribute:confidentiality:data:variety
### vmray
- description: VMRay taxonomies to map VMRay Thread Identifier scores and artifacts.
- version: 1
- Predicates
- artifact
- verdict
- vti_analysis_score
### vocabulaire-des-probabilites-estimatives ### vocabulaire-des-probabilites-estimatives
- description: Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité - description: Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité
- version: 3 - version: 3

View File

@ -7,7 +7,7 @@
"https://www.secalliance.com/platform/", "https://www.secalliance.com/platform/",
"https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html" "https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html"
], ],
"predicates":[ "predicates": [
{ {
"value": "sector", "value": "sector",
"expanded": "Extensive list of sector definition tags" "expanded": "Extensive list of sector definition tags"
@ -29,150 +29,150 @@
{ {
"predicate": "sector", "predicate": "sector",
"entry": [ "entry": [
{ {
"value": "Banking & Capital Markets", "value": "Banking & Capital Markets",
"expanded": "Banking & capital markets" "expanded": "Banking & capital markets"
}, },
{ {
"value": "Financial Services", "value": "Financial Services",
"expanded": "Financial Services" "expanded": "Financial Services"
}, },
{ {
"value": "Insurance", "value": "Insurance",
"expanded": "Insurance" "expanded": "Insurance"
}, },
{ {
"value": "Pension", "value": "Pension",
"expanded": "Pension" "expanded": "Pension"
}, },
{ {
"value": "Government & Public Service", "value": "Government & Public Service",
"expanded": "Government & Public Service" "expanded": "Government & Public Service"
}, },
{ {
"value": "Diplomatic Services", "value": "Diplomatic Services",
"expanded": "Diplomatic Services" "expanded": "Diplomatic Services"
}, },
{ {
"value": "Energy, Utilities & Mining", "value": "Energy, Utilities & Mining",
"expanded": "Energy, Utilities & Mining" "expanded": "Energy, Utilities & Mining"
}, },
{ {
"value": "Telecommunications", "value": "Telecommunications",
"expanded": "Telecommunications" "expanded": "Telecommunications"
}, },
{ {
"value": "Technology", "value": "Technology",
"expanded": "Technology" "expanded": "Technology"
}, },
{ {
"value": "Academic/Research Institutes", "value": "Academic/Research Institutes",
"expanded": "Academic/Research Institutes" "expanded": "Academic/Research Institutes"
}, },
{ {
"value": "Aerospace, Defence & Security", "value": "Aerospace, Defence & Security",
"expanded": "Aerospace, Defence & Security" "expanded": "Aerospace, Defence & Security"
}, },
{ {
"value": "Agriculture", "value": "Agriculture",
"expanded": "Agriculture" "expanded": "Agriculture"
}, },
{ {
"value": "Asset & Wealth Management", "value": "Asset & Wealth Management",
"expanded": "Asset & Wealth Management" "expanded": "Asset & Wealth Management"
}, },
{ {
"value": "Automotive", "value": "Automotive",
"expanded": "Automotive" "expanded": "Automotive"
}, },
{ {
"value": "Business and Professional Services", "value": "Business and Professional Services",
"expanded": "Business and Professional Services" "expanded": "Business and Professional Services"
}, },
{ {
"value": "Capital Projects & Infrastructure", "value": "Capital Projects & Infrastructure",
"expanded": "Capital Projects & Infrastructure" "expanded": "Capital Projects & Infrastructure"
}, },
{ {
"value": "Charity/Not-for-Profit", "value": "Charity/Not-for-Profit",
"expanded": "Charity/Not-for-Profit" "expanded": "Charity/Not-for-Profit"
}, },
{ {
"value": "Chemicals", "value": "Chemicals",
"expanded": "Chemicals" "expanded": "Chemicals"
}, },
{ {
"value": "Commercial Aviation", "value": "Commercial Aviation",
"expanded": "Commercial Aviation" "expanded": "Commercial Aviation"
}, },
{ {
"value": "Commodities", "value": "Commodities",
"expanded": "Commodities" "expanded": "Commodities"
}, },
{ {
"value": "Education", "value": "Education",
"expanded": "Education" "expanded": "Education"
}, },
{ {
"value": "Engineering & Construction", "value": "Engineering & Construction",
"expanded": "Engineering & Construction" "expanded": "Engineering & Construction"
}, },
{ {
"value": "Entertainment & Media", "value": "Entertainment & Media",
"expanded": "Entertainment & Media" "expanded": "Entertainment & Media"
}, },
{ {
"value": "Forest, Paper & Packaging", "value": "Forest, Paper & Packaging",
"expanded": "Forest, Paper & Packaging" "expanded": "Forest, Paper & Packaging"
}, },
{ {
"value": "Healthcare", "value": "Healthcare",
"expanded": "Healthcare" "expanded": "Healthcare"
}, },
{ {
"value": "Hospitality & Leisure", "value": "Hospitality & Leisure",
"expanded": "Hospitality & Leisure" "expanded": "Hospitality & Leisure"
}, },
{ {
"value": "Industrial Manufacturing", "value": "Industrial Manufacturing",
"expanded": "Industrial Manufacturing" "expanded": "Industrial Manufacturing"
}, },
{ {
"value": "IT Industry", "value": "IT Industry",
"expanded": "IT Industry" "expanded": "IT Industry"
}, },
{ {
"value": "Legal", "value": "Legal",
"expanded": "Legal" "expanded": "Legal"
}, },
{ {
"value": "Metals", "value": "Metals",
"expanded": "Metals" "expanded": "Metals"
}, },
{ {
"value": "Pharmaceuticals & Life Sciences", "value": "Pharmaceuticals & Life Sciences",
"expanded": "Pharmaceuticals & Life Sciences" "expanded": "Pharmaceuticals & Life Sciences"
}, },
{ {
"value": "Private Equity", "value": "Private Equity",
"expanded": "Private Equity" "expanded": "Private Equity"
}, },
{ {
"value": "Retail & Consumer", "value": "Retail & Consumer",
"expanded": "Retail & Consumer" "expanded": "Retail & Consumer"
}, },
{ {
"value": "Semiconductors", "value": "Semiconductors",
"expanded": "Semiconductors" "expanded": "Semiconductors"
}, },
{ {
"value": "Sovereign Investment Funds", "value": "Sovereign Investment Funds",
"expanded": "Sovereign Investment Funds" "expanded": "Sovereign Investment Funds"
}, },
{ {
"value": "Transport & Logistics", "value": "Transport & Logistics",
"expanded": "Transport & Logistics" "expanded": "Transport & Logistics"
} }
] ]
}, },
{ {
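Review bot: this hunk is an indentation-only reindent (150 lines on each side, no value changes) and would be easier to review as a separate formatting commit. While the file is being reformatted, the first entry is the only one whose `expanded` differs from `value` in case (`Banking & Capital Markets` vs `Banking & capital markets`); every other entry repeats `value` verbatim, so that looks like an inconsistency to normalise.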
@ -332,184 +332,183 @@
} }
] ]
}, },
{ {
"predicate": "malware_type", "predicate": "malware_type",
"entry": [ "entry": [
{ {
"value": "Adware", "value": "Adware",
"expanded": "Adware" "expanded": "Adware"
}, },
{ {
"value": "Backdoor", "value": "Backdoor",
"expanded": "Backdoor" "expanded": "Backdoor"
}, },
{ {
"value": "Banking Trojan", "value": "Banking Trojan",
"expanded": "Banking Trojan" "expanded": "Banking Trojan"
}, },
{ {
"value": "Botnet", "value": "Botnet",
"expanded": "Botnet" "expanded": "Botnet"
}, },
{ {
"value": "Destructive", "value": "Destructive",
"expanded": "Destructive" "expanded": "Destructive"
}, },
{ {
"value": "Downloader", "value": "Downloader",
"expanded": "Downloader" "expanded": "Downloader"
}, },
{ {
"value": "Exploit Kit", "value": "Exploit Kit",
"expanded": "Exploit Kit" "expanded": "Exploit Kit"
}, },
{ {
"value": "Fileless Malware", "value": "Fileless Malware",
"expanded": "Fileless Malware" "expanded": "Fileless Malware"
}, },
{ {
"value": "Keylogger", "value": "Keylogger",
"expanded": "Keylogger" "expanded": "Keylogger"
}, },
{ {
"value": "Legitimate Tool", "value": "Legitimate Tool",
"expanded": "Legitimate Tool" "expanded": "Legitimate Tool"
}, },
{ {
"value": "Mobile Application", "value": "Mobile Application",
"expanded": "Mobile Application" "expanded": "Mobile Application"
}, },
{ {
"value": "Mobile Malware", "value": "Mobile Malware",
"expanded": "Mobile Malware" "expanded": "Mobile Malware"
}, },
{ {
"value": "Point-of-Sale (PoS)", "value": "Point-of-Sale (PoS)",
"expanded": "Point-of-Sale (PoS)" "expanded": "Point-of-Sale (PoS)"
}, },
{ {
"value": "Remote Access Trojan", "value": "Remote Access Trojan",
"expanded": "Remote Access Trojan" "expanded": "Remote Access Trojan"
}, },
{ {
"value": "Rootkit", "value": "Rootkit",
"expanded": "Rootkit" "expanded": "Rootkit"
}, },
{ {
"value": "Skimmer", "value": "Skimmer",
"expanded": "Skimmer" "expanded": "Skimmer"
}, },
{ {
"value": "Spyware", "value": "Spyware",
"expanded": "Spyware" "expanded": "Spyware"
}, },
{ {
"value": "Surveillance Tool", "value": "Surveillance Tool",
"expanded": "Surveillance Tool" "expanded": "Surveillance Tool"
}, },
{ {
"value": "Trojan", "value": "Trojan",
"expanded": "Trojan" "expanded": "Trojan"
}, },
{ {
"value": "Virus", "value": "Virus",
"expanded": "Virus " "expanded": "Virus "
}, },
{ {
"value": "Worm", "value": "Worm",
"expanded": "Worm" "expanded": "Worm"
}, },
{ {
"value": "Zero-day", "value": "Zero-day",
"expanded": "Zero-day" "expanded": "Zero-day"
}, },
{ {
"value": "Unknown", "value": "Unknown",
"expanded": "Unknown" "expanded": "Unknown"
} }
] ]
}, },
{ {
"predicate": "alert_type", "predicate": "alert_type",
"entry": [ "entry": [
{ {
"value": "Actor Campaigns", "value": "Actor Campaigns",
"expanded": "Actor Campaigns" "expanded": "Actor Campaigns"
}, },
{ {
"value": "Credential Breaches", "value": "Credential Breaches",
"expanded": "Credential Breaches" "expanded": "Credential Breaches"
}, },
{ {
"value": "DDoS", "value": "DDoS",
"expanded": "DDoS" "expanded": "DDoS"
}, },
{ {
"value": "Exploit Alert", "value": "Exploit Alert",
"expanded": "Exploit Alert" "expanded": "Exploit Alert"
}, },
{ {
"value": "General Notification", "value": "General Notification",
"expanded": "General Notification" "expanded": "General Notification"
}, },
{ {
"value": "High Impact Vulnerabilities", "value": "High Impact Vulnerabilities",
"expanded": "High Impact Vulnerabilities" "expanded": "High Impact Vulnerabilities"
}, },
{ {
"value": "Information Leakages", "value": "Information Leakages",
"expanded": "Information Leakages" "expanded": "Information Leakages"
}, },
{ {
"value": "Malware Analysis", "value": "Malware Analysis",
"expanded": "Malware Analysis" "expanded": "Malware Analysis"
}, },
{ {
"value": "Nefarious Domains", "value": "Nefarious Domains",
"expanded": "Nefarious Domains" "expanded": "Nefarious Domains"
}, },
{ {
"value": "Nefarious Forum Mention", "value": "Nefarious Forum Mention",
"expanded": "Nefarious Forum Mention" "expanded": "Nefarious Forum Mention"
}, },
{ {
"value": "Pastebin Dumps", "value": "Pastebin Dumps",
"expanded": "Pastebin Dumps" "expanded": "Pastebin Dumps"
}, },
{ {
"value": "Phishing Attempts", "value": "Phishing Attempts",
"expanded": "Phishing Attempts" "expanded": "Phishing Attempts"
}, },
{ {
"value": "PII Exposure", "value": "PII Exposure",
"expanded": "PII Exposure" "expanded": "PII Exposure"
}, },
{ {
"value": "Sensitive Information Disclosures", "value": "Sensitive Information Disclosures",
"expanded": "Sensitive Information Disclosures" "expanded": "Sensitive Information Disclosures"
}, },
{ {
"value": "Social Media Alerts", "value": "Social Media Alerts",
"expanded": "Social Media Alerts" "expanded": "Social Media Alerts"
}, },
{ {
"value": "Supply Chain Event", "value": "Supply Chain Event",
"expanded": "Supply Chain Event" "expanded": "Supply Chain Event"
}, },
{ {
"value": "Technical Exposure", "value": "Technical Exposure",
"expanded": "Technical Exposure" "expanded": "Technical Exposure"
}, },
{ {
"value": "Threat Actor Updates", "value": "Threat Actor Updates",
"expanded": "Threat Actor Updates" "expanded": "Threat Actor Updates"
}, },
{ {
"value": "Trigger Events", "value": "Trigger Events",
"expanded": "Trigger Events" "expanded": "Trigger Events"
} }
] ]
} }
] ]
} }
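Review bot: `"expanded": "Virus "` keeps a trailing space in both the old and new version; the reformat pass did not trim it, and it will surface as a visible trailing space in the tag expansion shown by MISP. Suggest `"expanded": "Virus"`. Same remark as on the previous hunk: the indentation-only change (184 lines to 183) would be clearer split out from the functional fix.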