MISP
/
misp-taxonomies
mirror of https://github.com/MISP/misp-taxonomies
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of github.com:MISP/misp-taxonomies

pull/61/head
Raphaël Vinot 2017-04-02 22:07:23 +02:00
parent 8930ad0a2e 0b02703c40
commit dbcc46cd0f
28 changed files with 1496 additions and 1121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.travis.yml
View File

@ -7,26 +7,22 @@ sudo: required
dist: trusty
python:
- "2.7"
- "3.3"
- "3.4"
- "3.5"
- "3.5-dev"
- "3.6"
- "3.6-dev"
- "nightly"
install:
- git clone https://github.com/stedolan/jq.git
- pushd jq
- autoreconf -i
- ./configure --disable-maintainer-mode
- make
- sudo make install
- popd
- sudo apt-get update -qq
- sudo apt-get install -y -qq jq moreutils
- pip install jsonschema
- git clone https://github.com/MISP/PyTaxonomies.git
- pushd PyTaxonomies
- pip install .
- popd
script:
- cat */*.json | jq .
- ./validate_all.sh
- pytaxonomies -l MANIFEST.json -a

20
MANIFEST.json
View File

@ -1,5 +1,5 @@
{
"version": "20170108",
"version": "20170129",
"license": "CC-0",
"description": "Manifest file of MISP taxonomies available.",
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
@ -35,12 +35,17 @@
"name": "dhs-ciip-sectors",
"version": 2
},
{
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.",
"name": "diamond-model",
"version": 1
},
{
"description": "ISM (Information Security Marking Metadata) V13 as described by DNI.gov (Director of National Intelligence - US).",
"name": "dni-ism",
"version": 3
},
{
{
"description": "Taxonomy to tag domain names used for cybercrime.",
"name": "domain-abuse",
"version": 1
@ -166,9 +171,14 @@
"version": 1
},
{
"description" : "Tags for RiskIQ's passivetotal service",
"name" : "passivetotal",
"version" : 1
"description": "AccessNow Taxonomy",
"name": "accessnow",
"version": 1
},
{
"description": "Tags for RiskIQ's passivetotal service",
"name": "passivetotal",
"version": 1
}
]
}

3
PAP/machinetag.json
View File

@ -24,6 +24,5 @@
"expanded": "(PAP:WHITE) No restrictions in using this information.",
"colour": "#ffffff"
}
],
"values": null
]
}

6
README.md
View File

@ -16,6 +16,7 @@ The following taxonomies are described:
- [Cyber Kill Chain](./kill-chain) from Lockheed Martin
- DE German (DE) [Government classification markings (VS)](./de-vs)
- [DHS CIIP Sectors](./dhs-ciip-sectors)
- [Diamond Model for Intrusion Analysis](./diamond-model)
- [Domain Name Abuse](./domain-abuse)
- [eCSIRT](./ecsirt) and IntelMQ incident classification
- [ENISA](./enisa) ENISA Threat Taxonomy
@ -64,6 +65,11 @@ Taxonomy for the handling of protectively marked information in MISP with German
DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.
### [Diamond Model for Intrusion Analysis](./diamond-model)
The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack
as described in [http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf](http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf).
### [Domain Name Abuse](./domain-abuse)
Taxonomy to tag domain names used for cybercrime.

117
accessnow/machinetag.json Normal file
View File

@ -0,0 +1,117 @@
{
"namespace": "accessnow",
"description": "Access Now",
"version": 1,
"predicates": [
{
"value": "anti-corruption-transparency",
"expanded": "Anti-Corruption and transparency",
"description": "The organization campaigns, or takes other actions against corruption and transparency."
},
{
"value": "anti-war-violence",
"expanded": "Anti-War / Anti-Violence",
"description": "The organization campaigns, or takes other actions against war"
},
{
"value": "culture",
"expanded": "Culture",
"description": "The organization campaigns or acts to promote cultural events Humanitarian Aid/Need Issues: relates to improving life for individuals in the developing world (right to shelter, right to education, right to food, right to water)"
},
{
"value": "economic-change",
"expanded": "Economic Change",
"description": "Issues of economic policy, wealth distribution, etc."
},
{
"value": "education",
"expanded": "Education",
"description": "The organization is concerned with some form of education"
},
{
"value": "election-monitoring",
"expanded": "Election Monitoring",
"description": "The organization is an election monitor, or involved in election monitoring"
},
{
"value": "environment",
"expanded": "Environment",
"description": "The organization campaigns or acts to protect the environment"
},
{
"value": "freedom-expression",
"expanded": "Freedom of Expression",
"description": "The organization is concerned with freedom of speech issues"
},
{
"value": "freedom-tool-development",
"expanded": "Freedom Tool Development",
"description": "The organization develops tools for use in defending or extending digital rights"
},
{
"value": "funding",
"expanded": "Funding",
"description": " The organization is a funder of organizations or projects working with at risk users"
},
{
"value": "health",
"expanded": "Health Issues",
"description": "The organization prevents epidemic illness or acts on curing them"
},
{
"value": "human-rights",
"expanded": "Human Rights Issues",
"description": "relating to the detection, recording, exposure, or challenging of abuses of human rights"
},
{
"value": "internet-telecom",
"expanded": "Internet and Telecoms",
"description": "Issues of digital rights in electronic communications"
},
{
"value": "lgbt-gender-sexuality",
"expanded": "LGBT / Gender / Sexuality",
"description": "Issues relating to the Lesbian, Gay, Bi, Transgender community"
},
{
"value": "policy",
"expanded": "Policy",
"description": "The organization is a policy think-tank, or policy advocate"
},
{
"value": "politics",
"expanded": "Politics",
"description": "The organization takes a strong political view or is a political entity"
},
{
"value": "privacy",
"expanded": "Privacy",
"description": "Issues relating to the individual's reasonable right to privacy"
},
{
"value": "rapid-response",
"expanded": "Rapid Response",
"description": "The organization provides rapid response type capability for civil society"
},
{
"value": "refugees",
"expanded": "Refugees",
"description": "Issues relating to displaced people"
},
{
"value": "security",
"expanded": "Security",
"description": "Issues relating to physical or information security"
},
{
"value": "womens-right",
"expanded": "Women's Rights",
"description": "Issues pertaining to inequality between men and women, or issues of particular relevance to women"
},
{
"value": "youth-rights",
"expanded": "Youth Rights",
"description": "Issues of particular relevance to youth"
}
]
}

16
adversary/machinetag.json
View File

@ -38,9 +38,9 @@
}
]
},
{
"predicate": "infrastructure-action",
"entry": [
{
"predicate": "infrastructure-action",
"entry": [
{
"value": "passive-only",
"expanded": "Only passive requests shall be performed to avoid detection by the adversary"
@ -57,11 +57,11 @@
"value": "pending-law-enforcement-request",
"expanded": "Law enforcement requests are ongoing on the adversary infrastructure"
}
]
},
]
},
{
"predicate": "infrastructure-state",
"entry": [
"predicate": "infrastructure-state",
"entry": [
{
"value": "unknown",
"expanded": "Infrastructure state is unknown or cannot be evaluated"
@ -74,7 +74,7 @@
"value": "down",
"expanded": "Infrastructure state is known to be down"
}
]
]
},
{
"predicate": "infrastructure-type",

1
csirt_case_classification/machinetag.json
View File

@ -102,4 +102,3 @@
}
]
}

43
ddos/machinetag.json Normal file
View File

@ -0,0 +1,43 @@
{
"namespace": "ddos",
"expanded": " Distributed Denial of Service",
"description": " Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too.",
"version": 1,
"refs": [
"https://en.wikipedia.org/wiki/Denial-of-service_attack"
],
"values": [
{
"predicate": "type",
"entry": [
{
"value": "amplification-attack",
"expanded": "Amplification attack"
},
{
"value": "reflected-spoofed-attack",
"expanded": "Reflected and Spoofed attack"
},
{
"value": "slow-read-attack",
"expanded": "Slow Read attack"
},
{
"value": "flooding-attack",
"expanded": "Flooding attack"
},
{
"value": "post-attack",
"expanded": "Large POST HTTP attack"
}
]
}
],
"predicates": [
{
"value": "type",
"expanded": "Type",
"description": "Types and techniques described the way that the attack is performed to launch the Denial of Service attacks. A combination of type values can be used to explain combined techniques and methods."
}
]
}

146
dhs-ciip-sectors/machinetag.json
View File

@ -1,64 +1,86 @@
{
"namespace": "dhs-ciip-sectors",
"description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors",
"version": 2,
"predicates": [{
"value": "DHS-critical-sectors",
"expanded": "DHS critical sectors"
}, {
"value": "sector",
"expanded": "Sector"
}],
"values": [{
"predicate": "DHS-critical-sectors",
"entry": [{
"value": "chemical",
"expanded": "Chemical"
}, {
"value": "commercial-facilities",
"expanded": "Commercial Facilities"
}, {
"value": "communications",
"expanded": "Communications"
}, {
"value": "critical-manufacturing",
"expanded": "Critical Manufacturing"
}, {
"value": "dams",
"expanded": "Dams"
}, {
"value": "dib",
"expanded": "Defense Industrial Base"
}, {
"value": "emergency-services",
"expanded": "Emergency services"
}, {
"value": "energy",
"expanded": "energy"
}, {
"value": "financial-services",
"expanded": "Financial Services"
}, {
"value": "food-agriculture",
"expanded": "Food and Agriculture"
}, {
"value": "government-facilities",
"expanded": "Government Facilities"
}, {
"value": "healthcare-public",
"expanded": "Healthcare and Public Health"
}, {
"value": "it",
"expanded": "Information Technology"
}, {
"value": "nuclear",
"expanded": "Nuclear"
}, {
"value": "transport",
"expanded": "Transportation Systems"
}, {
"value": "water",
"expanded": "Water and water systems"
}]
}]
"namespace": "dhs-ciip-sectors",
"description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors",
"version": 2,
"predicates": [
{
"value": "DHS-critical-sectors",
"expanded": "DHS critical sectors"
},
{
"value": "sector",
"expanded": "Sector"
}
],
"values": [
{
"predicate": "DHS-critical-sectors",
"entry": [
{
"value": "chemical",
"expanded": "Chemical"
},
{
"value": "commercial-facilities",
"expanded": "Commercial Facilities"
},
{
"value": "communications",
"expanded": "Communications"
},
{
"value": "critical-manufacturing",
"expanded": "Critical Manufacturing"
},
{
"value": "dams",
"expanded": "Dams"
},
{
"value": "dib",
"expanded": "Defense Industrial Base"
},
{
"value": "emergency-services",
"expanded": "Emergency services"
},
{
"value": "energy",
"expanded": "energy"
},
{
"value": "financial-services",
"expanded": "Financial Services"
},
{
"value": "food-agriculture",
"expanded": "Food and Agriculture"
},
{
"value": "government-facilities",
"expanded": "Government Facilities"
},
{
"value": "healthcare-public",
"expanded": "Healthcare and Public Health"
},
{
"value": "it",
"expanded": "Information Technology"
},
{
"value": "nuclear",
"expanded": "Nuclear"
},
{
"value": "transport",
"expanded": "Transportation Systems"
},
{
"value": "water",
"expanded": "Water and water systems"
}
]
}
]
}

7
diamond-model/machinetag.json
View File

@ -3,7 +3,9 @@
"expanded": "Diamond Model for Intrusion Analysis",
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.",
"version": 1,
"ref": ["http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf"],
"refs": [
"http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf"
],
"predicates": [
{
"value": "Adversary",
@ -21,6 +23,5 @@
"value": "Victim",
"expanded": "A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. A victim can be described in whichever way necessary and appropriate: organization, person, target email address, IP address, domain, etc. However, it is useful to define the victim persona and their assets separately as they serve different analytic functions. Victim personae are useful in non-technical analysis such as cyber-victimology and social-political centered approaches whereas victim assets are associated with common technical approaches such as vulnerability analysis.."
}
],
"values": null
]
}

22
domain-abuse/machinetag.json
View File

@ -22,9 +22,9 @@
{
"value": "active",
"expanded": "Registered & active",
"description": "Domain name is registered and DNS is delegated"
"description": "Domain name is registered and DNS is delegated"
},
{
{
"value": "inactive",
"expanded": "Registered & inactive",
"description": "Domain name is registered and DNS is not delegated"
@ -34,17 +34,17 @@
"expanded": "Registered & suspended",
"description": "Domain name is registered & DNS delegation is temporarily removed by the registry"
},
{
{
"value": "not-registered",
"expanded": "Not registered",
"description": "Domain name is not registered and open for registration"
},
{
{
"value": "not-registrable",
"expanded": "Not registrable",
"description": "Domain is not registered and cannot be registered"
},
{
{
"value": "grace-period",
"expanded": "Grace period",
"description": "Domain is deleted and still reserved for previous owner"
@ -57,24 +57,24 @@
{
"value": "criminal-registration",
"expanded": "Criminal registration",
"description": "Domain name is registered for criminal purposes"
"description": "Domain name is registered for criminal purposes"
},
{
"value": "compromised-webserver",
"expanded": "Compromised webserver",
"description": "Webserver is compromised for criminal purposes"
"description": "Webserver is compromised for criminal purposes"
},
{
"value": "compromised-dns",
"expanded": "Compromised DNS",
"description": "Compromised authoritative DNS or compromised delegation"
"description": "Compromised authoritative DNS or compromised delegation"
},
{
"value": "sinkhole",
"expanded": "Sinkhole",
"description": "Domain Name is sinkholed for research, detection, LE"
"description": "Domain Name is sinkholed for research, detection, LE"
}
]
]
}
]
}
}

1067
enisa/machinetag.json
View File

File diff suppressed because it is too large Load Diff

142
eu-marketop-and-publicadmin/machinetag.json
View File

@ -1,62 +1,84 @@
{
"namespace": "eu-marketop-and-publicadmin",
"description": "Market operators and public administrations that must comply to some notifications requirements under EU NIS directive",
"version": 1,
"predicates": [{
"value": "critical-infra-operators",
"expanded": "Critical Infrastructure Operators"
}, {
"value": "info-services",
"expanded": "Information Society services enablers"
}, {
"value": "public-admin",
"expanded": "Public administration"
}],
"values": [{
"predicate": "critical-infra-operators",
"entry": [{
"value": "transport",
"expanded": "Transport"
}, {
"value": "energy",
"expanded": "Energy"
}, {
"value": "health",
"expanded": "Health"
}, {
"value": "financial",
"expanded": "Financial market operators"
}, {
"value": "banking",
"expanded": "Banking"
}]
}, {
"predicate": "info-services",
"entry": [{
"value": "e-commerce",
"expanded": "e-commerce platforms"
}, {
"value": "internet-payment",
"expanded": "Internet payment"
}, {
"value": "cloud",
"expanded": "cloud computing"
}, {
"value": "search-engines",
"expanded": "search engines"
}, {
"value": "socnet",
"expanded": "social networks"
}, {
"value": "app-stores",
"expanded": "application stores"
}]
}, {
"predicate": "public-admin",
"entry": [{
"value": "public-admin",
"expanded": "Public Administrations"
}]
}]
"namespace": "eu-marketop-and-publicadmin",
"description": "Market operators and public administrations that must comply to some notifications requirements under EU NIS directive",
"version": 1,
"predicates": [
{
"value": "critical-infra-operators",
"expanded": "Critical Infrastructure Operators"
},
{
"value": "info-services",
"expanded": "Information Society services enablers"
},
{
"value": "public-admin",
"expanded": "Public administration"
}
],
"values": [
{
"predicate": "critical-infra-operators",
"entry": [
{
"value": "transport",
"expanded": "Transport"
},
{
"value": "energy",
"expanded": "Energy"
},
{
"value": "health",
"expanded": "Health"
},
{
"value": "financial",
"expanded": "Financial market operators"
},
{
"value": "banking",
"expanded": "Banking"
}
]
},
{
"predicate": "info-services",
"entry": [
{
"value": "e-commerce",
"expanded": "e-commerce platforms"
},
{
"value": "internet-payment",
"expanded": "Internet payment"
},
{
"value": "cloud",
"expanded": "cloud computing"
},
{
"value": "search-engines",
"expanded": "search engines"
},
{
"value": "socnet",
"expanded": "social networks"
},
{
"value": "app-stores",
"expanded": "application stores"
}
]
},
{
"predicate": "public-admin",
"entry": [
{
"value": "public-admin",
"expanded": "Public Administrations"
}
]
}
]
}

3
euci/machinetag.json
View File

@ -23,6 +23,5 @@
"expanded": "RESTREINT UE/EU RESTRICTED",
"description": "Information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States."
}
],
"values": null
]
}

3
europol-event/machinetag.json
View File

@ -234,6 +234,5 @@
"expanded": "Undetermined",
"description": "Field aimed at the classification of unprocessed events, which have remained undetermined from the beginning."
}
],
"values": null
]
}

362
europol-incident/machinetag.json
View File

@ -1,195 +1,195 @@
{
"version": 1,
"description": "This taxonomy was designed to describe the type of incidents by class.",
"expanded": "Europol class of incidents taxonomy",
"namespace": "europol-incident",
"predicates": [
"version": 1,
"description": "This taxonomy was designed to describe the type of incidents by class.",
"expanded": "Europol class of incidents taxonomy",
"namespace": "europol-incident",
"predicates": [
{
"value": "malware",
"expanded": "Malware"
},
{
"value": "availability",
"expanded": "Availability"
},
{
"value": "information-gathering",
"expanded": "Gathering of information"
},
{
"value": "intrusion-attempt",
"expanded": "Intrusion attempt"
},
{
"value": "intrusion",
"expanded": "Intrusion"
},
{
"value": "information-security",
"expanded": "Information security"
},
{
"value": "fraud",
"expanded": "Fraud"
},
{
"value": "abusive-content",
"expanded": "Abusive content"
},
{
"value": "other",
"expanded": "Other"
}
],
"values": [
{
"predicate": "malware",
"entry": [
{
"value": "malware",
"expanded": "Malware"
"value": "infection",
"expanded": "Infection",
"description": "Infecting one or various systems with a specific type of malware."
},
{
"value": "availability",
"expanded": "Availability"
"value": "distribution",
"expanded": "Distribution",
"description": "Infecting one or various systems with a specific type of malware."
},
{
"value": "information-gathering",
"expanded": "Gathering of information"
"value": "c&c",
"expanded": "C&C",
"description": "Infecting one or various systems with a specific type of malware."
},
{
"value": "intrusion-attempt",
"expanded": "Intrusion attempt"
},
{
"value": "intrusion",
"expanded": "Intrusion"
},
{
"value": "information-security",
"expanded": "Information security"
},
{
"value": "fraud",
"expanded": "Fraud"
},
{
"value": "abusive-content",
"expanded": "Abusive content"
},
{
"value": "other",
"expanded": "Other"
"value": "undetermined",
"expanded": "Undetermined"
}
],
"values": [
]
},
{
"predicate": "availability",
"entry": [
{
"predicate": "malware",
"entry": [
{
"value": "infection",
"expanded": "Infection",
"description": "Infecting one or various systems with a specific type of malware."
},
{
"value": "distribution",
"expanded": "Distribution",
"description": "Infecting one or various systems with a specific type of malware."
},
{
"value": "c&c",
"expanded": "C&C",
"description": "Infecting one or various systems with a specific type of malware."
},
{
"value": "undetermined",
"expanded": "Undetermined"
}
]
"value": "dos-ddos",
"expanded": "DoS/DDoS",
"description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative."
},
{
"predicate": "availability",
"entry": [
{
"value": "dos-ddos",
"expanded": "DoS/DDoS",
"description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative."
},
{
"value": "sabotage",
"expanded": "Sabotage",
"description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc."
}
]
},
{
"predicate": "information-gathering",
"entry": [
{
"value": "scanning",
"expanded": "Scanning",
"description": "Active and passive gathering of information on systems or networks."
},
{
"value": "sniffing",
"expanded": "Sniffing",
"description": "Unauthorised monitoring and reading of network traffic."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Attempt to gather information on a user or a system through phishing methods."
}
]
},
{
"predicate": "intrusion-attempt",
"entry": [
{
"value": "exploitation-vulnerability",
"expanded": "Exploitation of vulnerability",
"description": "Attempt to intrude by exploiting a vulnerability in a system, component or network."
},
{
"value": "login-attempt",
"expanded": "Login attempt",
"description": "Attempt to log in to services or authentication / access control mechanisms."
}
]
},
{
"predicate": "intrusion",
"entry": [
{
"value": "exploitation-vulnerability",
"expanded": "Exploitation of vulnerability",
"description": "Actual intrusion by exploiting a vulnerability in the system, component or network."
},
{
"value": "compromising-account",
"expanded": "Compromising an account",
"description": "Actual intrusion in a system, component or network by compromising a user or administrator account."
}
]
},
{
"predicate": "information-security",
"entry": [
{
"value": "unauthorized-access",
"expanded": "Unauthorised access",
"description": "Unauthorised access to a particular set of information"
},
{
"value": "unauthorized-modification",
"expanded": "Unauthorised modification/deletion",
"description": "Unauthorised change or elimination of a particular set of information"
}
]
},
{
"predicate": "fraud",
"entry": [
{
"value": "illegitimate-use-resources",
"expanded": "Misuse or unauthorised use of resources",
"description": "Use of institutional resources for purposes other than those intended."
},
{
"value": "illegitimate-use-name",
"expanded": "Illegitimate use of the name of a third party",
"description": "Use of the name of an institution without permission to do so."
}
]
},
{
"predicate": "abusive-content",
"entry": [
{
"value": "spam",
"expanded": "SPAM",
"description": " Sending SPAM messages."
},
{
"value": "copyright",
"expanded": "Copyright",
"description": "Distribution and sharing of copyright protected content."
},
{
"value": "content-forbidden-by-law",
"expanded": "Dissemination of content forbidden by law.",
"description": "Child pornography, racism and apology of violence."
}
]
},
{
"predicate": "other",
"entry": [
{
"value": "other",
"expanded": "Other",
"description": " Other type of unspecified incident"
}
]
"value": "sabotage",
"expanded": "Sabotage",
"description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc."
}
]
]
},
{
"predicate": "information-gathering",
"entry": [
{
"value": "scanning",
"expanded": "Scanning",
"description": "Active and passive gathering of information on systems or networks."
},
{
"value": "sniffing",
"expanded": "Sniffing",
"description": "Unauthorised monitoring and reading of network traffic."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Attempt to gather information on a user or a system through phishing methods."
}
]
},
{
"predicate": "intrusion-attempt",
"entry": [
{
"value": "exploitation-vulnerability",
"expanded": "Exploitation of vulnerability",
"description": "Attempt to intrude by exploiting a vulnerability in a system, component or network."
},
{
"value": "login-attempt",
"expanded": "Login attempt",
"description": "Attempt to log in to services or authentication / access control mechanisms."
}
]
},
{
"predicate": "intrusion",
"entry": [
{
"value": "exploitation-vulnerability",
"expanded": "Exploitation of vulnerability",
"description": "Actual intrusion by exploiting a vulnerability in the system, component or network."
},
{
"value": "compromising-account",
"expanded": "Compromising an account",
"description": "Actual intrusion in a system, component or network by compromising a user or administrator account."
}
]
},
{
"predicate": "information-security",
"entry": [
{
"value": "unauthorized-access",
"expanded": "Unauthorised access",
"description": "Unauthorised access to a particular set of information"
},
{
"value": "unauthorized-modification",
"expanded": "Unauthorised modification/deletion",
"description": "Unauthorised change or elimination of a particular set of information"
}
]
},
{
"predicate": "fraud",
"entry": [
{
"value": "illegitimate-use-resources",
"expanded": "Misuse or unauthorised use of resources",
"description": "Use of institutional resources for purposes other than those intended."
},
{
"value": "illegitimate-use-name",
"expanded": "Illegitimate use of the name of a third party",
"description": "Use of the name of an institution without permission to do so."
}
]
},
{
"predicate": "abusive-content",
"entry": [
{
"value": "spam",
"expanded": "SPAM",
"description": " Sending SPAM messages."
},
{
"value": "copyright",
"expanded": "Copyright",
"description": "Distribution and sharing of copyright protected content."
},
{
"value": "content-forbidden-by-law",
"expanded": "Dissemination of content forbidden by law.",
"description": "Child pornography, racism and apology of violence."
}
]
},
{
"predicate": "other",
"entry": [
{
"value": "other",
"expanded": "Other",
"description": " Other type of unspecified incident"
}
]
}
]
}

2
iep/machinetag.json
View File

@ -26,7 +26,7 @@
{
"value": "end-date",
"expanded": "POLICY END DATE",
"description": "States the UTC4 date that the IEP is effective until."
"description": "States the UTC date that the IEP is effective until."
},
{
"value": "reference",

31
information-security-indicators/machinetag.json
View File

@ -1,7 +1,7 @@
{
"namespace": "information-security-indicators",
"description": "A full set of operational indicators for organizations to use to benchmark their security posture.",
"version": "1",
"version": 1,
"predicates": [
{
"value": "IEX",
@ -139,7 +139,8 @@
"description": "This indicator measures illicit entrance of individuals into security perimeter."
}
]
},{
},
{
"predicate": "IMF",
"entry": [
{
@ -188,7 +189,8 @@
"description": "This indicator primarily relates to Personal Identifiable Information (PII) protected by privacy laws, to information falling under the PCI-DSS regulation, to information falling under European regulation in the area of breach notification (Telcos and ISPs to begin with), and to information about electronic exchanges between employees and the exterior (electronic messaging and Internet connection). This indicator does not include possible difficulties pertaining to proof forwarding from field operations to governance (state-of-the-art unavailable). This indicator is a sub-set of indicator IMF_LOG.1, but can be identical to this one in advanced organizations."
}
]
},{
},
{
"predicate": "IDB",
"entry": [
{
@ -247,7 +249,8 @@
"description": "This event is generally decided and deployed by an administrator in order to improve performance of the system under his/her responsibility (illicit voluntary stoppage). This indicator is a reduced subset of indicator IUS_RGH.5"
}
]
},{
},
{
"predicate": "IWH",
"entry": [
{
@ -281,7 +284,8 @@
"description": "This indicator measures security incidents tied to assets (on servers) non-inventoried and not managed by appointed teams. It is a key indicator insofar as a high percentage of incidents corresponds with this indicator on average in the profession (according to some public surveys)."
}
]
},{
},
{
"predicate": "VBH",
"entry": [
{
@ -400,7 +404,8 @@
"description": "This vulnerability applies to discussions through on-line media leading to leakage of personal identifiable information (PII) or various business details to be used later (notably for identity usurpation) "
}
]
},{
},
{
"predicate": "VSW",
"entry": [
{
@ -419,7 +424,8 @@
"description": "This indicators measures software vulnerabilities detected in Web browsers running on workstations."
}
]
},{
},
{
"predicate": "VCF",
"entry": [
{
@ -473,7 +479,8 @@
"description": "This indicator measures accounts inactive for at least 2 months that have not been disabled. These accounts are not used by their users due to prolonged but not definitive absence (long term illness, maternity, etc.), with the exclusion of messaging accounts (which should remain accessible to users from their home)."
}
]
},{
},
{
"predicate": "VTC",
"entry": [
{
@ -507,7 +514,8 @@
"description": "This indicator includes access to protected internal areas. The 1st cause is the lack of effective control of users at software level. The 2nd cause is hardware breakdown of a component in the chain."
}
]
},{
},
{
"predicate": "VOR",
"entry": [
{
@ -556,7 +564,8 @@
"description": "This indicator measures the launch of new IT projects of a standard type without identification of vulnerabilities and threats and of related security measures. For these IT projects, potential implementation of a simplified risk analysis method or of pre-defined security profiles can be applied."
}
]
},{
},
{
"predicate": "IMP",
"entry": [
{
@ -582,4 +591,4 @@
]
}
]
}
}

14
jq_all_the_things.sh Executable file
View File

@ -0,0 +1,14 @@
#!/bin/bash
set -e
set -x
# Seeds sponge, from moreutils
for dir in ./*/machinetag.json
do
cat ${dir} | jq . | sponge ${dir}
done
cat schema.json | jq . | sponge schema.json
cat MANIFEST.json | jq . | sponge MANIFEST.json

3
kill-chain/machinetag.json
View File

@ -32,6 +32,5 @@
"value": "Actions on Objectives",
"expanded": "Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network."
}
],
"values": null
]
}

11
malware_classification/machinetag.json
View File

@ -1,7 +1,7 @@
{
"namespace": "malware_classification",
"description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
"version": 1,
"version": 2,
"predicates": [
{
"value": "malware-category",
@ -57,8 +57,8 @@
"expanded": "Spyware"
},
{
"value": "Botnet",
"expanded": "Botnet"
"value": "Botnet",
"expanded": "Botnet"
}
]
},
@ -89,10 +89,6 @@
"value": "armouring",
"expanded": "armouring"
},
{
"value": "encryption",
"expanded": "encryption"
},
{
"value": "tunneling",
"expanded": "tunneling"
@ -163,4 +159,3 @@
}
]
}

66
misp/machinetag.json
View File

@ -19,17 +19,26 @@
"predicate": "api"
},
{
"predicate": "contributor",
"entry": [
"entry": [
{
"expanded": "block",
"value": "block"
}
],
"predicate": "expansion"
},
{
"predicate": "contributor",
"entry": [
{
"expanded": "OpenPGP Fingerprint",
"value": "pgpfingerprint"
}
]
]
},
{
"predicate": "confidence-level",
"entry": [
"predicate": "confidence-level",
"entry": [
{
"expanded": "Completely confident",
"value": "completely-confident",
@ -59,36 +68,36 @@
"expanded": "Confidence cannot be evaluated",
"value": "confidence-cannot-be-evalued"
}
]
]
},
{
"predicate": "threat-level",
"entry": [
"predicate": "threat-level",
"entry": [
{
"expanded": "No risk",
"value": "no-risk",
"numerical_value": 0,
"description": "Harmless information. (CEUS threat level)"
"expanded": "No risk",
"value": "no-risk",
"numerical_value": 0,
"description": "Harmless information. (CEUS threat level)"
},
{
"expanded": "Low risk",
"value": "low-risk",
"numerical_value": 25,
"description": "Low risk which can include mass-malware. (CEUS threat level)"
"expanded": "Low risk",
"value": "low-risk",
"numerical_value": 25,
"description": "Low risk which can include mass-malware. (CEUS threat level)"
},
{
"expanded": "Medium risk",
"value": "medium-risk",
"numerical_value": 50,
"description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)"
"expanded": "Medium risk",
"value": "medium-risk",
"numerical_value": 50,
"description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)"
},
{
"expanded": "High risk",
"value": "high-risk",
"numerical_value": 100,
"description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)"
"expanded": "High risk",
"value": "high-risk",
"numerical_value": 100,
"description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)"
}
]
]
}
],
"predicates": [
@ -116,9 +125,14 @@
"description": "Event with this tag should not be synced to other MISP instances",
"expanded": "Should not sync",
"value": "should-not-sync"
},
{
"description": "Expansion tag incluencing the MISP behavior using expansion modules",
"expanded": "Expansion",
"value": "expansion"
}
],
"version": 3,
"version": 4,
"description": "MISP taxonomy to infer with MISP behavior or operation.",
"expanded": "MISP",
"namespace": "misp"

154
passivetotal/machinetag.json
View File

@ -1,86 +1,86 @@
{
"namespace" : "passivetotal",
"expanded" : "PassiveTotal",
"description": "Tags from RiskIQ's PassiveTotal service",
"version" : 1,
"predicates": [
"namespace": "passivetotal",
"expanded": "PassiveTotal",
"description": "Tags from RiskIQ's PassiveTotal service",
"version": 1,
"predicates": [
{
"value": "sinkholed",
"expanded": "Sinkhole Status"
},
{
"value": "ever-comprimised",
"expanded": "Ever Comprimised?"
},
{
"value": "class",
"expanded": "Classification"
},
{
"value": "dynamic-dns",
"expanded": "Dynamic DNS"
}
],
"values": [
{
"predicate": "sinkholed",
"entry": [
{
"value" : "sinkholed",
"expanded": "Sinkhole Status"
"value": "yes",
"expanded": "Yes"
},
{
"value" : "ever-comprimised",
"expanded" : "Ever Comprimised?"
},
{
"value" : "class",
"expanded" : "Classification"
},
{
"value" : "dynamic-dns",
"expanded": "Dynamic DNS"
"value": "no",
"expanded": "No"
}
],
"values" : [
{
"predicate" : "sinkholed",
"entry" : [
{
"value" : "yes",
"expanded": "Yes"
},
{
"value" : "no",
"expanded" : "No"
}
]
]
},
{
"predicate": "ever-comprimised",
"entry": [
{
"value": "yes",
"expanded": "Yes"
},
{
"predicate" : "ever-comprimised",
"entry" : [
{
"value" : "yes",
"expanded": "Yes"
},
{
"value" : "no",
"expanded" : "No"
}
]
},
{
"predicate" : "dynamic-dns",
"entry" : [
{
"value" : "yes",
"expanded": "Yes"
},
{
"value" : "no",
"expanded" : "No"
}
]
},
{
"predicate" : "class",
"entry" : [
{
"value" : "malicious",
"expanded" : "Malicious"
},
{
"value" : "suspicious",
"expanded": "Malicious"
},
{
"value": "non-malicious",
"expanded": "Non Malicious"
},
{
"value" : "unknown",
"expanded" : "Unknown"
}
]
"value": "no",
"expanded": "No"
}
]
]
},
{
"predicate": "dynamic-dns",
"entry": [
{
"value": "yes",
"expanded": "Yes"
},
{
"value": "no",
"expanded": "No"
}
]
},
{
"predicate": "class",
"entry": [
{
"value": "malicious",
"expanded": "Malicious"
},
{
"value": "suspicious",
"expanded": "Malicious"
},
{
"value": "non-malicious",
"expanded": "Non Malicious"
},
{
"value": "unknown",
"expanded": "Unknown"
}
]
}
]
}

2
rt_event_status/machinetag.json
View File

@ -1,7 +1,7 @@
{
"namespace": "rt_event_status",
"description": "Status of events used in Request Tracker.",
"version": "1.0",
"version": 1,
"predicates": [
{
"value": "event-status",

113
schema.json Normal file
View File

@ -0,0 +1,113 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-taxonomies",
"id": "https://www.github.com/MISP/misp-taxonomies/schema.json",
"defs": {
"predicate": {
"type": "object",
"additionalProperties": false,
"properties": {
"value": {
"type": "string"
},
"colour": {
"type": "string"
},
"description": {
"type": "string"
},
"numerical_value": {
"type": "number"
},
"expanded": {
"type": "string"
}
},
"required": [
"value"
]
},
"entry": {
"type": "object",
"additionalProperties": false,
"properties": {
"predicate": {
"type": "string"
},
"entry": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"value": {
"type": "string"
},
"description": {
"type": "string"
},
"expanded": {
"type": "string"
},
"numerical_value": {
"type": "number"
}
},
"required": [
"value"
]
}
}
}
},
"required": [
"predicate"
]
},
"type": "object",
"additionalProperties": false,
"properties": {
"namespace": {
"type": "string"
},
"expanded": {
"type": "string"
},
"description": {
"type": "string"
},
"version": {
"type": "integer"
},
"predicates": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"$ref": "#/defs/predicate"
}
},
"values": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"$ref": "#/defs/entry"
}
},
"refs": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
},
"required": [
"namespace",
"description",
"version",
"predicates"
]
}

225
stix-ttp/machinetag.json
View File

@ -1,115 +1,114 @@
{
"namespace": "stix-ttp",
"expanded": "STIX TTP",
"version": 1,
"description": "TTPs are representations of the behavior or modus operandi of cyber adversaries.",
"refs": [
"http://stixproject.github.io/documentation/idioms/industry-sector/"
],
"predicates": [
{
"value": "victim-targeting",
"expanded": "Victim Targeting"
}
],
"values": [
{
"predicate": "victim-targeting",
"entry": [
{
"value": "business-professional-sector",
"expanded": "Business & Professional Services Sector"
},
{
"value": "retail-sector",
"expanded": "Retail Sector"
},
{
"value": "financial-sector",
"expanded": "Financial Services Sector"
},
{
"value": "media-entertainment-sector",
"expanded": "Media & Entertainment Sector"
},
{
"value": "construction-engineering-sector",
"expanded": "Construction & Engineering Sector"
},
{
"value": "government-international-organizations-sector",
"expanded": "Goverment & International Organizations"
},
{
"value": "legal-sector",
"expanded": "Legal Services"
},
{
"value": "hightech-it-sector",
"expanded": "High-Tech & IT Sector"
},
{
"value": "healthcare-sector",
"expanded": "Healthcare Sector"
},
{
"value": "transportation-sector",
"expanded": "Transportation Sector"
},
{
"value": "aerospace-defence-sector",
"expanded": "Aerospace & Defense Sector"
},
{
"value": "energy-sector",
"expanded": "Energy Sector"
},
{
"value": "food-sector",
"expanded": "Food Sector"
},
{
"value": "natural-resources-sector",
"expanded": "Natural Resources Sector"
},
{
"value": "other-sector",
"expanded": "Other Sector"
},
{
"value": "corporate-employee-information",
"expanded": "Corporate Employee Information"
},
{
"value": "customer-pii",
"expanded": "Customer PII"
},
{
"value": "email-lists-archives",
"expanded": "Email Lists/Archives"
},
{
"value": "financial-data",
"expanded": "Financial Data"
},
{
"value": "intellectual-property",
"expanded": "Intellectual Property"
},
{
"value": "mobile-phone-contacts",
"expanded": "Mobile Phone Contacts"
},
{
"value": "user-credentials",
"expanded": "User Credentials"
},
{
"value": "authentification-cookies",
"expanded": "Authentication Cookies"
}
]
}
]
"namespace": "stix-ttp",
"expanded": "STIX TTP",
"version": 1,
"description": "TTPs are representations of the behavior or modus operandi of cyber adversaries.",
"refs": [
"http://stixproject.github.io/documentation/idioms/industry-sector/"
],
"predicates": [
{
"value": "victim-targeting",
"expanded": "Victim Targeting"
}
],
"values": [
{
"predicate": "victim-targeting",
"entry": [
{
"value": "business-professional-sector",
"expanded": "Business & Professional Services Sector"
},
{
"value": "retail-sector",
"expanded": "Retail Sector"
},
{
"value": "financial-sector",
"expanded": "Financial Services Sector"
},
{
"value": "media-entertainment-sector",
"expanded": "Media & Entertainment Sector"
},
{
"value": "construction-engineering-sector",
"expanded": "Construction & Engineering Sector"
},
{
"value": "government-international-organizations-sector",
"expanded": "Goverment & International Organizations"
},
{
"value": "legal-sector",
"expanded": "Legal Services"
},
{
"value": "hightech-it-sector",
"expanded": "High-Tech & IT Sector"
},
{
"value": "healthcare-sector",
"expanded": "Healthcare Sector"
},
{
"value": "transportation-sector",
"expanded": "Transportation Sector"
},
{
"value": "aerospace-defence-sector",
"expanded": "Aerospace & Defense Sector"
},
{
"value": "energy-sector",
"expanded": "Energy Sector"
},
{
"value": "food-sector",
"expanded": "Food Sector"
},
{
"value": "natural-resources-sector",
"expanded": "Natural Resources Sector"
},
{
"value": "other-sector",
"expanded": "Other Sector"
},
{
"value": "corporate-employee-information",
"expanded": "Corporate Employee Information"
},
{
"value": "customer-pii",
"expanded": "Customer PII"
},
{
"value": "email-lists-archives",
"expanded": "Email Lists/Archives"
},
{
"value": "financial-data",
"expanded": "Financial Data"
},
{
"value": "intellectual-property",
"expanded": "Intellectual Property"
},
{
"value": "mobile-phone-contacts",
"expanded": "Mobile Phone Contacts"
},
{
"value": "user-credentials",
"expanded": "User Credentials"
},
{
"value": "authentification-cookies",
"expanded": "Authentication Cookies"
}
]
}
]
}

1
tlp/machinetag.json
View File

@ -1,5 +1,4 @@
{
"values": null,
"predicates": [
{
"colour": "#CC0033",

21
validate_all.sh Executable file
View File

@ -0,0 +1,21 @@
#!/bin/bash
set -e
set -x
./jq_all_the_things.sh
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 1 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
exit 1
fi
for dir in */machinetag.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema.json
echo ''
done