diff --git a/.travis.yml b/.travis.yml index 4ae87b0..96bf29f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,26 +7,22 @@ sudo: required dist: trusty python: - - "2.7" - - "3.3" - "3.4" - "3.5" - "3.5-dev" + - "3.6" + - "3.6-dev" - "nightly" install: - - git clone https://github.com/stedolan/jq.git - - pushd jq - - autoreconf -i - - ./configure --disable-maintainer-mode - - make - - sudo make install - - popd + - sudo apt-get update -qq + - sudo apt-get install -y -qq jq moreutils + - pip install jsonschema - git clone https://github.com/MISP/PyTaxonomies.git - pushd PyTaxonomies - pip install . - popd script: - - cat */*.json | jq . + - ./validate_all.sh - pytaxonomies -l MANIFEST.json -a diff --git a/MANIFEST.json b/MANIFEST.json index 3715d85..d11ac64 100644 --- a/MANIFEST.json +++ b/MANIFEST.json @@ -1,5 +1,5 @@ { - "version": "20170108", + "version": "20170129", "license": "CC-0", "description": "Manifest file of MISP taxonomies available.", "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/", @@ -35,12 +35,17 @@ "name": "dhs-ciip-sectors", "version": 2 }, + { + "description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.", + "name": "diamond-model", + "version": 1 + }, { "description": "ISM (Information Security Marking Metadata) V13 as described by DNI.gov (Director of National Intelligence - US).", "name": "dni-ism", "version": 3 }, - { + { "description": "Taxonomy to tag domain names used for cybercrime.", "name": "domain-abuse", "version": 1 @@ -166,9 +171,14 @@ "version": 1 }, { - "description" : "Tags for RiskIQ's passivetotal service", - "name" : "passivetotal", - "version" : 1 + "description": "AccessNow Taxonomy", + "name": "accessnow", + "version": 1 + }, + { + "description": "Tags for RiskIQ's passivetotal service", + "name": "passivetotal", + "version": 1 } ] } 
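Review bot: The new `pip install jsonschema` line in the install list is unpinned, so every CI run picks up whatever jsonschema version PyPI serves that day, which makes the build non-reproducible and widens the supply-chain exposure; prefer `- pip install jsonschema==<version you tested with>` (the exact version is not visible here). Moving jq from an unpinned `git clone` of master to the distro package is an improvement for the same reason, but the PyTaxonomies clone in the context lines is still fetched at master with no tag or commit pin. The script step now calls `./validate_all.sh`, which does not appear anywhere in this diff; if it is not added (and marked executable) in the same commit, the job fails at that step. `moreutils` is installed but nothing visible here uses it — presumably validate_all.sh does; a one-line comment naming the consumer would help, e.g. `# moreutils provides sponge, used by validate_all.sh`.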
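Review bot: The added diamond-model description calls it "a phase-based model developed by Lockheed Martin" that identifies "the stage of an attack", which is the kill-chain wording rather than a description of the referenced paper: the diamond.pdf cited from activeresponse.org is the Caltagirone/Pendergast/Betz Diamond Model, which describes an intrusion event through its four core features (Adversary … Victim are visible as the predicates of diamond-model/machinetag.json in this same diff), not a phased sequence. The same sentence is reused in README.md in this commit and already sits in diamond-model/machinetag.json, so all three copies should be corrected together, e.g. `"description": "The Diamond Model for Intrusion Analysis (Caltagirone, Pendergast, Betz) describes an intrusion event by its four core features: adversary, infrastructure, capability and victim."`.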
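Review bot: This commit adds a new `ddos/machinetag.json`, but no `ddos` entry is added to MANIFEST.json in any of these hunks; unless it already exists in a part of the file not shown, the CI step `pytaxonomies -l MANIFEST.json -a` will presumably never load the new taxonomy and it will not be distributed, so an entry such as `{ "description": "Distributed Denial of Service taxonomy", "name": "ddos", "version": 1 }` is needed. The new accessnow entry describes itself as `"AccessNow Taxonomy"` while accessnow/machinetag.json says `"description": "Access Now"`; keeping the two strings identical avoids drift between manifest and taxonomy. The entry is also inserted just before passivetotal rather than in the alphabetical position the rest of the manifest appears to follow (dhs-ciip-sectors, diamond-model, dni-ism, domain-abuse).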
diff --git a/PAP/machinetag.json b/PAP/machinetag.json index 2da266f..febab6a 100644 --- a/PAP/machinetag.json +++ b/PAP/machinetag.json @@ -24,6 +24,5 @@ "expanded": "(PAP:WHITE) No restrictions in using this information.", "colour": "#ffffff" } - ], - "values": null + ] } diff --git a/README.md b/README.md index 1aed8d6..c7f23e9 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ The following taxonomies are described: - [Cyber Kill Chain](./kill-chain) from Lockheed Martin - DE German (DE) [Government classification markings (VS)](./de-vs) - [DHS CIIP Sectors](./dhs-ciip-sectors) +- [Diamond Model for Intrusion Analysis](./diamond-model) - [Domain Name Abuse](./domain-abuse) - [eCSIRT](./ecsirt) and IntelMQ incident classification - [ENISA](./enisa) ENISA Threat Taxonomy @@ -64,6 +65,11 @@ Taxonomy for the handling of protectively marked information in MISP with German DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors. +### [Diamond Model for Intrusion Analysis](./diamond-model) + +The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack +as described in [http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf](http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf). + ### [Domain Name Abuse](./domain-abuse) Taxonomy to tag domain names used for cybercrime. diff --git a/accessnow/machinetag.json b/accessnow/machinetag.json new file mode 100644 index 0000000..28f34d6 --- /dev/null +++ b/accessnow/machinetag.json 
@@ -0,0 +1,117 @@ +{ + "namespace": "accessnow", + "description": "Access Now", + "version": 1, + "predicates": [ + { + "value": "anti-corruption-transparency", + "expanded": "Anti-Corruption and transparency", + "description": "The organization campaigns, or takes other actions against corruption and transparency." + }, + { + "value": "anti-war-violence", + "expanded": "Anti-War / Anti-Violence", + "description": "The organization campaigns, or takes other actions against war" + }, + { + "value": "culture", + "expanded": "Culture", + "description": "The organization campaigns or acts to promote cultural events Humanitarian Aid/Need Issues: relates to improving life for individuals in the developing world (right to shelter, right to education, right to food, right to water)" + }, + { + "value": "economic-change", + "expanded": "Economic Change", + "description": "Issues of economic policy, wealth distribution, etc." + }, + { + "value": "education", + "expanded": "Education", + "description": "The organization is concerned with some form of education" + }, + { + "value": "election-monitoring", + "expanded": "Election Monitoring", + "description": "The organization is an election monitor, or involved in election monitoring" + }, + { + "value": "environment", + "expanded": "Environment", + "description": "The organization campaigns or acts to protect the environment" + }, + { + "value": "freedom-expression", + "expanded": "Freedom of Expression", + "description": "The organization is concerned with freedom of speech issues" + }, + { + "value": "freedom-tool-development", + "expanded": "Freedom Tool Development", + "description": "The organization develops tools for use in defending or extending digital rights" + }, + { + "value": "funding", + "expanded": "Funding", + "description": " The organization is a funder of organizations or projects working with at risk users" + }, + { + "value": "health", + "expanded": "Health Issues", + "description": "The organization 
prevents epidemic illness or acts on curing them" + }, + { + "value": "human-rights", + "expanded": "Human Rights Issues", + "description": "relating to the detection, recording, exposure, or challenging of abuses of human rights" + }, + { + "value": "internet-telecom", + "expanded": "Internet and Telecoms", + "description": "Issues of digital rights in electronic communications" + }, + { + "value": "lgbt-gender-sexuality", + "expanded": "LGBT / Gender / Sexuality", + "description": "Issues relating to the Lesbian, Gay, Bi, Transgender community" + }, + { + "value": "policy", + "expanded": "Policy", + "description": "The organization is a policy think-tank, or policy advocate" + }, + { + "value": "politics", + "expanded": "Politics", + "description": "The organization takes a strong political view or is a political entity" + }, + { + "value": "privacy", + "expanded": "Privacy", + "description": "Issues relating to the individual's reasonable right to privacy" + }, + { + "value": "rapid-response", + "expanded": "Rapid Response", + "description": "The organization provides rapid response type capability for civil society" + }, + { + "value": "refugees", + "expanded": "Refugees", + "description": "Issues relating to displaced people" + }, + { + "value": "security", + "expanded": "Security", + "description": "Issues relating to physical or information security" + }, + { + "value": "womens-right", + "expanded": "Women's Rights", + "description": "Issues pertaining to inequality between men and women, or issues of particular relevance to women" + }, + { + "value": "youth-rights", + "expanded": "Youth Rights", + "description": "Issues of particular relevance to youth" + } + ] +} diff --git a/adversary/machinetag.json b/adversary/machinetag.json index e73b765..75c0f80 100644 --- a/adversary/machinetag.json +++ b/adversary/machinetag.json 
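Review bot: The `culture` predicate's description runs two unrelated items together — "…to promote cultural events Humanitarian Aid/Need Issues: relates to improving life for individuals in the developing world (…)" — which reads as a copy-paste merge of two source entries; the humanitarian part should become its own predicate, e.g. `{ "value": "humanitarian-aid", "expanded": "Humanitarian Aid/Need Issues", "description": "Relates to improving life for individuals in the developing world (right to shelter, right to education, right to food, right to water)" }`, and the culture description should end at "cultural events". The `anti-corruption-transparency` description says the organization acts "against corruption and transparency", which inverts the intent; `"…against corruption and for transparency."` is presumably what was meant. The `funding` description starts with a stray leading space. The file has no `refs` entry pointing at the Access Now source the categories were taken from, unlike the other new taxonomy in this commit.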
@@ -38,9 +38,9 @@ } ] }, - { - "predicate": "infrastructure-action", - "entry": [ + { + "predicate": "infrastructure-action", + "entry": [ { "value": "passive-only", "expanded": "Only passive requests shall be performed to avoid detection by the adversary" @@ -57,11 +57,11 @@ "value": "pending-law-enforcement-request", "expanded": "Law enforcement requests are ongoing on the adversary infrastructure" } - ] - }, + ] + }, { - "predicate": "infrastructure-state", - "entry": [ + "predicate": "infrastructure-state", + "entry": [ { "value": "unknown", "expanded": "Infrastructure state is unknown or cannot be evaluated" @@ -74,7 +74,7 @@ "value": "down", "expanded": "Infrastructure state is known to be down" } - ] + ] }, { "predicate": "infrastructure-type", diff --git a/csirt_case_classification/machinetag.json b/csirt_case_classification/machinetag.json index 7a13c57..6f304ef 100644 --- a/csirt_case_classification/machinetag.json +++ b/csirt_case_classification/machinetag.json @@ -102,4 +102,3 @@ } ] } - diff --git a/ddos/machinetag.json b/ddos/machinetag.json new file mode 100644 index 0000000..fef741c --- /dev/null +++ b/ddos/machinetag.json 
@@ -0,0 +1,43 @@ +{ + "namespace": "ddos", + "expanded": " Distributed Denial of Service", + "description": " Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too.", + "version": 1, + "refs": [ + "https://en.wikipedia.org/wiki/Denial-of-service_attack" + ], + "values": [ + { + "predicate": "type", + "entry": [ + { + "value": "amplification-attack", + "expanded": "Amplification attack" + }, + { + "value": "reflected-spoofed-attack", + "expanded": "Reflected and Spoofed attack" + }, + { + "value": "slow-read-attack", + "expanded": "Slow Read attack" + }, + { + "value": "flooding-attack", + "expanded": "Flooding attack" + }, + { + "value": "post-attack", + "expanded": "Large POST HTTP attack" + } + ] + } + ], + "predicates": [ + { + "value": "type", + "expanded": "Type", + "description": "Types and techniques described the way that the attack is performed to launch the Denial of Service attacks. A combination of type values can be used to explain combined techniques and methods." + } + ] +} diff --git a/dhs-ciip-sectors/machinetag.json b/dhs-ciip-sectors/machinetag.json index cca7a2f..9e965ff 100644 --- a/dhs-ciip-sectors/machinetag.json +++ b/dhs-ciip-sectors/machinetag.json 
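Review bot: The value `post-attack` for "Large POST HTTP attack" will surface as the tag `ddos:type="post-attack"`, which reads as "after the attack" rather than an HTTP POST flood; since this is a new taxonomy at version 1, rename it before it is published, e.g. `"value": "large-post-http-attack"`. Both `"expanded": " Distributed Denial of Service"` and the top-level description start with a leading space, and the description and predicate text have typos: "the types they belong too" → "belong to", "Types and techniques described the way" → "describe the way". None of the five entries carries a `description`, so tag consumers have nothing distinguishing e.g. `amplification-attack` from `reflected-spoofed-attack`; a one-line description per entry, as the enisa and domain-abuse taxonomies do, would make the tags self-explanatory.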
@@ -1,64 +1,86 @@ { - "namespace": "dhs-ciip-sectors", - "description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors", - "version": 2, - "predicates": [{ - "value": "DHS-critical-sectors", - "expanded": "DHS critical sectors" - }, { - "value": "sector", - "expanded": "Sector" - }], - "values": [{ - "predicate": "DHS-critical-sectors", - "entry": [{ - "value": "chemical", - "expanded": "Chemical" - }, { - "value": "commercial-facilities", - "expanded": "Commercial Facilities" - }, { - "value": "communications", - "expanded": "Communications" - }, { - "value": "critical-manufacturing", - "expanded": "Critical Manufacturing" - }, { - "value": "dams", - "expanded": "Dams" - }, { - "value": "dib", - "expanded": "Defense Industrial Base" - }, { - "value": "emergency-services", - "expanded": "Emergency services" - }, { - "value": "energy", - "expanded": "energy" - }, { - "value": "financial-services", - "expanded": "Financial Services" - }, { - "value": "food-agriculture", - "expanded": "Food and Agriculture" - }, { - "value": "government-facilities", - "expanded": "Government Facilities" - }, { - "value": "healthcare-public", - "expanded": "Healthcare and Public Health" - }, { - "value": "it", - "expanded": "Information Technology" - }, { - "value": "nuclear", - "expanded": "Nuclear" - }, { - "value": "transport", - "expanded": "Transportation Systems" - }, { - "value": "water", - "expanded": "Water and water systems" - }] - }] + "namespace": "dhs-ciip-sectors", + "description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors", + "version": 2, + "predicates": [ + { + "value": "DHS-critical-sectors", + "expanded": "DHS critical sectors" + }, + { + "value": "sector", + "expanded": "Sector" + } + ], + "values": [ + { + "predicate": "DHS-critical-sectors", + "entry": [ + { + "value": "chemical", + "expanded": "Chemical" + }, + { + "value": "commercial-facilities", + "expanded": "Commercial Facilities" + }, + 
{ + "value": "communications", + "expanded": "Communications" + }, + { + "value": "critical-manufacturing", + "expanded": "Critical Manufacturing" + }, + { + "value": "dams", + "expanded": "Dams" + }, + { + "value": "dib", + "expanded": "Defense Industrial Base" + }, + { + "value": "emergency-services", + "expanded": "Emergency services" + }, + { + "value": "energy", + "expanded": "energy" + }, + { + "value": "financial-services", + "expanded": "Financial Services" + }, + { + "value": "food-agriculture", + "expanded": "Food and Agriculture" + }, + { + "value": "government-facilities", + "expanded": "Government Facilities" + }, + { + "value": "healthcare-public", + "expanded": "Healthcare and Public Health" + }, + { + "value": "it", + "expanded": "Information Technology" + }, + { + "value": "nuclear", + "expanded": "Nuclear" + }, + { + "value": "transport", + "expanded": "Transportation Systems" + }, + { + "value": "water", + "expanded": "Water and water systems" + } + ] + } + ] } diff --git a/diamond-model/machinetag.json b/diamond-model/machinetag.json index beeec6c..de0e9ee 100644 --- a/diamond-model/machinetag.json +++ b/diamond-model/machinetag.json @@ -3,7 +3,9 @@ "expanded": "Diamond Model for Intrusion Analysis", "description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.", "version": 1, - "ref": ["http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf"], + "refs": [ + "http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf" + ], "predicates": [ { "value": "Adversary", 
@@ -21,6 +23,5 @@ "value": "Victim", "expanded": "A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. A victim can be described in whichever way necessary and appropriate: organization, person, target email address, IP address, domain, etc. However, it is useful to define the victim persona and their assets separately as they serve different analytic functions. Victim personae are useful in non-technical analysis such as cyber-victimology and social-political centered approaches whereas victim assets are associated with common technical approaches such as vulnerability analysis.." } - ], - "values": null + ] } diff --git a/domain-abuse/machinetag.json b/domain-abuse/machinetag.json index 1ec527d..8ea4da5 100644 --- a/domain-abuse/machinetag.json +++ b/domain-abuse/machinetag.json @@ -22,9 +22,9 @@ { "value": "active", "expanded": "Registered & active", - "description": "Domain name is registered and DNS is delegated" + "description": "Domain name is registered and DNS is delegated" }, - { + { "value": "inactive", "expanded": "Registered & inactive", "description": "Domain name is registered and DNS is not delegated" @@ -34,17 +34,17 @@ "expanded": "Registered & suspended", "description": "Domain name is registered & DNS delegation is temporarily removed by the registry" }, - { + { "value": "not-registered", "expanded": "Not registered", "description": "Domain name is not registered and open for registration" }, - { + { "value": "not-registrable", "expanded": "Not registrable", "description": "Domain is not registered and cannot be registered" }, - { + { "value": "grace-period", "expanded": "Grace period", "description": "Domain is deleted and still reserved for previous owner" 
@@ -57,24 +57,24 @@ { "value": "criminal-registration", "expanded": "Criminal registration", - "description": "Domain name is registered for criminal purposes" + "description": "Domain name is registered for criminal purposes" }, { "value": "compromised-webserver", "expanded": "Compromised webserver", - "description": "Webserver is compromised for criminal purposes" + "description": "Webserver is compromised for criminal purposes" }, { "value": "compromised-dns", "expanded": "Compromised DNS", - "description": "Compromised authoritative DNS or compromised delegation" + "description": "Compromised authoritative DNS or compromised delegation" }, { "value": "sinkhole", "expanded": "Sinkhole", - "description": "Domain Name is sinkholed for research, detection, LE" + "description": "Domain Name is sinkholed for research, detection, LE" } - ] + ] } ] -} \ No newline at end of file +} diff --git a/enisa/machinetag.json b/enisa/machinetag.json index 7517f39..318525c 100644 --- a/enisa/machinetag.json +++ b/enisa/machinetag.json @@ -264,7 +264,7 @@ "description": "Threat of disruption of work of IT systems due to high or low temperature." }, { - "value": "threats-from-space-or-electromagnetic-storm", + "value": "threats-from-space-or-electromagnetic-storm", "expanded": "Threats from space / Electromagnetic storm", "description": "Threats of the negative impact of solar radiation to satellites and radio wave communication systems - electromagnetic storm." }, 
@@ -273,617 +273,616 @@ "expanded": "Wildlife", "description": "Threat of destruction of IT assets caused by animals: mice, rats, birds." } - ] + ] }, { "predicate": "failures-malfunction", "entry": [ - { - "value": "failure-of-devices-or-systems", - "expanded": "Failure of devices or systems", - "description": "Threat of failure of IT hardware and/or software assets or its parts." - }, - { + { + "value": "failure-of-devices-or-systems", + "expanded": "Failure of devices or systems", + "description": "Threat of failure of IT hardware and/or software assets or its parts." + }, + { "value": "failure-of-data-media", "expanded": "Failure of data media", "description": "Threat of failure of data media." - }, - { + }, + { "value": "hardware-failure", "expanded": "Hardware failure", "description": "Threat of failure of IT hardware." - }, - { + }, + { "value": "failure-of-applications-and-services", "expanded": "Failure of applications and services", "description": "Threat of failure of software/applications or services." - }, - { + }, + { "value": "failure-of-parts-of-devices-connectors-plug-ins", "expanded": "Failure of parts of devices (connectors, plug-ins)", "description": "Threat of failure of IT equipment or its part." - }, - { + }, + { "value": "failure-or-disruption-of-communication-links-communication networks", "expanded": "Failure or disruption of communication links (communication networks)", "description": "Threat of failure or malfunction of communications links." - - }, - { + }, + { "value": "failure-of-cable-networks", "expanded": "Failure of cable networks", "description": "Threat of failure of communications links due to problems with cable network." - }, - { + }, + { "value": "failure-of-wireless-networks", "expanded": "Failure of wireless networks", "description": "Threat of failure of communications links due to problems with wireless networks." 
- }, - { + }, + { "value": "failure-of-mobile-networks", "expanded": "Failure of mobile networks", "description": "Threat of failure of communications links due to problems with mobile networks." - }, - { + }, + { "value": "failure-or-disruption-of-main-supply", "expanded": "Failure or disruption of main supply", "description": "Threat of failure or disruption of supply required for information systems." - }, - { + }, + { "value": "failure-or-disruption-of-power-supply", "expanded": "Failure or disruption of power supply", "description": "Threat of failure or malfunction of power supply." - }, - { + }, + { "value": "failure-of-cooling-infrastructure", "expanded": "Failure of cooling infrastructure", "description": "Threat of failure of IT assets due to improper work of cooling infrastructure." - }, - { + }, + { "value": "failure-or-disruption-of-service-providers-supply-chain", "expanded": "Failure or disruption of service providers (supply chain)", "description": "Threat of failure or disruption of third party services required for proper operation of information systems." - }, - { + }, + { "value": "malfunction-of-equipment-devices-or-systems", "expanded": "Malfunction of equipment (devices or systems)", "description": "Threat of malfunction of IT hardware and/or software assets or its parts (i.e. improper working parameters, jamming, rebooting)." - } - ] + } + ] }, { "predicate": "outages", "entry": [ - { + { "value": "absence-of-personnel", "expanded": "Absence of personnel", "description": "Unavailability of key personnel and their competences." - }, - { + }, + { "value": "strike", "expanded": "Strike", "description": "Unavailability of staff due to a strike (large scale absence of personnel)." - }, - { + }, + { "value": "loss-of-support-services", "expanded": "Loss of support services", "description": "Unavailability of support services required for proper operation of the information system." 
- }, - { + }, + { "value": "internet-outage", "expanded": "Internet outage", "description": "Unavailability of the Internet connection." - }, - { + }, + { "value": "network-outage", "expanded": "Network outage", "description": "Unavailability of communication links." - }, - { + }, + { "value": "outage-of-cable-networks", "expanded": "Outage of cable networks", "description": "Threat of lack of communications links due to problems with cable network." - }, - { + }, + { "value": "Outage-of-short-range-wireless-networks", "expanded": "Outage of short-range wireless networks", "description": "Threat of lack of communications links due to problems with wireless networks (802.11 networks, Bluetooth, NFC etc.)." - }, - { + }, + { "value": "outages-of-long-range-wireless-networks", "expanded": "Outages of long-range wireless networks", "description": "Threat of lack of communications links due to problems with mobile networks like cellular network (3G, LTE, GSM etc.) or satellite links." - } + } ] }, { - "predicate": "eavesdropping-interception-hijacking", - "entry": [ - { - "value": "war-driving", - "expanded": "War driving", - "description": "Threat of locating and possibly exploiting connection to the wireless network." - }, - { - "value": "intercepting-compromising-emissions", - "expanded": "Intercepting compromising emissions", - "description": "Threat of disclosure of transmitted information using interception and analysis of compromising emission." - }, - { - "value": "interception-of-information", - "expanded": "Interception of information", - "description": "Threat of interception of information which is improperly secured in transmission or by improper actions of staff." - }, - { - "value": "corporate-espionage", - "expanded": "Corporate espionage", - "description": "Threat of obtaining information secrets by dishonest means." 
- }, - { - "value": "nation-state-espionage", - "expanded": "Nation state espionage", - "description": "Threats of stealing information by nation state espionage (e.g. China based governmental espionage, NSA from USA)." - }, - { - "value": "information-leakage-due-to-unsecured-wi-fi-like-rogue-access-points", - "expanded": "Information leakage due to unsecured Wi-Fi, rogue access points", - "description": "Threat of obtaining important information by insecure network rogue access points etc." - }, - { - "value": "interfering-radiation", - "expanded": "Interfering radiation", - "description": "Threat of failure of IT hardware or transmission connection due to electromagnetic induction or electromagnetic radiation emitted by an outside source." - }, - { - "value": "replay-of-messages", - "expanded": "Replay of messages", - "description": "Threat in which valid data transmission is maliciously or fraudulently repeated or delayed." - }, - { - "value": "network-reconnaissance-network-traffic-manipulation-and-information-gathering", - "expanded": "Network Reconnaissance, Network traffic manipulation and Information gathering", - "description": "Threat of identifying information about a network to find security weaknesses." - }, - { - "value": "man-in-the-middle-session-hijacking", - "expanded": "Man in the middle/ Session hijacking", - "description": "Threats that relay or alter communication between two parties." - } - ] + "predicate": "eavesdropping-interception-hijacking", + "entry": [ + { + "value": "war-driving", + "expanded": "War driving", + "description": "Threat of locating and possibly exploiting connection to the wireless network." + }, + { + "value": "intercepting-compromising-emissions", + "expanded": "Intercepting compromising emissions", + "description": "Threat of disclosure of transmitted information using interception and analysis of compromising emission." 
+ }, + { + "value": "interception-of-information", + "expanded": "Interception of information", + "description": "Threat of interception of information which is improperly secured in transmission or by improper actions of staff." + }, + { + "value": "corporate-espionage", + "expanded": "Corporate espionage", + "description": "Threat of obtaining information secrets by dishonest means." + }, + { + "value": "nation-state-espionage", + "expanded": "Nation state espionage", + "description": "Threats of stealing information by nation state espionage (e.g. China based governmental espionage, NSA from USA)." + }, + { + "value": "information-leakage-due-to-unsecured-wi-fi-like-rogue-access-points", + "expanded": "Information leakage due to unsecured Wi-Fi, rogue access points", + "description": "Threat of obtaining important information by insecure network rogue access points etc." + }, + { + "value": "interfering-radiation", + "expanded": "Interfering radiation", + "description": "Threat of failure of IT hardware or transmission connection due to electromagnetic induction or electromagnetic radiation emitted by an outside source." + }, + { + "value": "replay-of-messages", + "expanded": "Replay of messages", + "description": "Threat in which valid data transmission is maliciously or fraudulently repeated or delayed." + }, + { + "value": "network-reconnaissance-network-traffic-manipulation-and-information-gathering", + "expanded": "Network Reconnaissance, Network traffic manipulation and Information gathering", + "description": "Threat of identifying information about a network to find security weaknesses." + }, + { + "value": "man-in-the-middle-session-hijacking", + "expanded": "Man in the middle/ Session hijacking", + "description": "Threats that relay or alter communication between two parties." 
+ } + ] }, { - "predicate": "legal", - "entry": [ - { - "value": "violation-of-rules-and-regulations-breach-of-legislation", - "expanded": "Violation of rules and regulations / Breach of legislation", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to violation of law or regulations." - }, - { - "value": "failure-to-meet-contractual-requirements", - "expanded": "Failure to meet contractual requirements", - "description": "Threat of financial penalty or loss of trust of customers and collaborators due to failure to meet contractual requirements." - }, - { - "value": "failure-to-meet-contractual-requirements-by-third-party", - "expanded": "Failure to meet contractual requirements by third party", - "description": "Threat of financial penalty or loss of trust of customers and collaborators due to a third party's failure to meet contractual requirements" - }, - { - "value": "unauthorized-use-of-IPR-protected-resources", - "expanded": "Unauthorized use of IPR protected resources", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of IPR protected material (IPR- Intellectual Property Rights." - }, - { - "value": "illegal-usage-of-file-sharing-services", - "expanded": "Illegal usage of File Sharing services", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of file sharing services." - }, - { - "value": "abuse-of-personal-data", - "expanded": "Abuse of personal data", - "description": "Threat of illegal use of personal data." - }, - { - "value": "judiciary-decisions-or-court-order", - "expanded": "Judiciary decisions/court order", - "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to judiciary decisions/court order." 
- } - ] + "predicate": "legal", + "entry": [ + { + "value": "violation-of-rules-and-regulations-breach-of-legislation", + "expanded": "Violation of rules and regulations / Breach of legislation", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to violation of law or regulations." + }, + { + "value": "failure-to-meet-contractual-requirements", + "expanded": "Failure to meet contractual requirements", + "description": "Threat of financial penalty or loss of trust of customers and collaborators due to failure to meet contractual requirements." + }, + { + "value": "failure-to-meet-contractual-requirements-by-third-party", + "expanded": "Failure to meet contractual requirements by third party", + "description": "Threat of financial penalty or loss of trust of customers and collaborators due to a third party's failure to meet contractual requirements" + }, + { + "value": "unauthorized-use-of-IPR-protected-resources", + "expanded": "Unauthorized use of IPR protected resources", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of IPR protected material (IPR- Intellectual Property Rights." + }, + { + "value": "illegal-usage-of-file-sharing-services", + "expanded": "Illegal usage of File Sharing services", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to improper/illegal use of file sharing services." + }, + { + "value": "abuse-of-personal-data", + "expanded": "Abuse of personal data", + "description": "Threat of illegal use of personal data." + }, + { + "value": "judiciary-decisions-or-court-order", + "expanded": "Judiciary decisions/court order", + "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to judiciary decisions/court order." 
+ } + ] }, { - "predicate": "nefarious-activity-abuse", - "entry": [ - { - "value": "identity-theft-identity-fraud-account)", - "expanded": "Identity theft (Identity Fraud/ Account)", - "description": "Threat of identity theft action." - }, - { - "value": "credentials-stealing-trojans", - "expanded": "Credentials-stealing trojans", - "description": "Threat of identity theft action by malware computer programs." - }, - { - "value": "receiving-unsolicited-e-mail", - "expanded": "Receiving unsolicited E-mail", - "description": "Threat of receiving unsolicited email which affects information security and efficiency." - }, - { - "value": "spam", - "expanded": "SPAM", - "description": "Threat of receiving unsolicited, undesired, or illegal email messages." - }, - { - "value": "unsolicited-infected-e-mails", - "expanded": "Unsolicited infected e-mails", - "description": "Threat emanating from unwanted emails that may contain infected attachments or links to malicious / infected web sites." - }, - { - "value": "denial-of-service", - "expanded": "Denial of service", - "description": "Threat of service unavailability due to massive requests for services." - }, - { - "value": "distributed-denial-of-network-service-network-layer-attack", - "expanded": "Distributed denial of network service (DDoS) (network layer attack i.e. Protocol exploitation / Malformed packets / Flooding / Spoofing)", - "description": "Threat of service unavailability due to a massive number of requests for access to network services from malicious clients." - }, - { - "value": "distributed-denial-of-network-service-application-layer-attack", - "expanded": "Distributed denial of application service (DDoS) (application layer attack i.e. Ping of Death / XDoS / WinNuke / HTTP Floods)", - "description": "Threat of service unavailability due to massive requests sent by multiple malicious clients." 
- }, - { - "value": "distributed-denial-of-network-service-amplification-reflection-attack", - "expanded": "Distributed DoS (DDoS) to both network and application services (amplification/reflection methods i.e. NTP/ DNS /.../ BitTorrent)", - "description": "Threat of creating a massive number of requests, using multiplication/amplification methods." - }, - { - "value": "malicious-code-software-activity", - "expanded": "Malicious code/ software/ activity" - }, - { - "value": "search-engine-poisoning", - "expanded": "Search Engine Poisoning", - "description": "Threat of deliberate manipulation of search engine indexes." - }, - { - "value": "exploitation-of-fake-trust-of-social-media", - "expanded": "Exploitation of fake trust of social media", - "description": "Threat of malicious activities making use of trusted social media." - }, - { - "value": "worms-trojans", - "expanded": "Worms/ Trojans", - "description": "Threat of malware computer programs (trojans/worms)." - }, - { - "value": "rootkits", - "expanded": "Rootkits", - "description": "Threat of stealthy types of malware software." - }, - { - "value": "mobile-malware", - "expanded": "Mobile malware", - "description": "Threat of mobile malware programs." - }, - { - "value": "infected-trusted-mobile-apps", - "expanded": "Infected trusted mobile apps", - "description": "Threat of using mobile malware software that is recognised as trusted one." - }, - { - "value": "elevation-of-privileges", - "expanded": "Elevation of privileges", - "description": "Threat of exploiting bugs, design flaws or configuration oversights in an operating system or software application to gain elevated access to resources." 
- },
- {
- "value": "web-application-attacks-injection-attacks-code-injection-SQL-XSS",
- "expanded": "Web application attacks / injection attacks (Code injection: SQL, XSS)",
- "description": "Threat of utilizing custom web applications embedded within social media sites, which can lead to installation of malicious code onto computers to be used to gain unauthorized access."
- },
- {
- "value": "spyware-or-deceptive-adware",
- "expanded": "Spyware or deceptive adware",
- "description": "Threat of using software that aims to gather information about a person or organization without their knowledge."
- },
- {
- "value": "viruses",
- "expanded": "Viruses",
- "description": "Threat of infection by viruses."
- },
- {
- "value": "rogue-security-software-rogueware-scareware",
- "expanded": "Rogue security software/ Rogueware / Scareware",
- "description": "Threat of internet fraud or malicious software that mislead users into believing there is a virus on their computer, and manipulates them to pay money for fake removal tool."
- },
- {
- "value": "ransomware",
- "expanded": "Ransomware",
- "description": "Threat of infection of computer system or device by malware that restricts access to it and demands that the user pay a ransom to remove the restriction."
- },
- {
- "value": "exploits-exploit-kits",
- "expanded": "Exploits/Exploit Kits",
- "description": "Threat to IT assets due to the use of web available exploits or exploits software."
- },
- {
- "value": "social-engineering",
- "expanded": "Social Engineering",
- "description": "Threat of social engineering type attacks (target: manipulation of personnel behaviour)."
- },
- {
- "value": "phishing-attacks",
- "expanded": "Phishing attacks",
- "description": "Threat of an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites."
- },
- {
- "value": "spear-phishing-attacks",
- "expanded": "Spear phishing attacks",
- "description": "Spear-phishing is a targeted e-mail message that has been crafted to create fake trust and thus lure the victim to unveil some business or personal secrets that can be abused by the adversary."
- },
- {
- "value": "abuse-of-information-leakage",
- "expanded": "Abuse of Information Leakage",
- "description": "Threat of leaking important information."
- },
- {
- "value": "leakage-affecting-mobile-privacy-and-mobile-applications",
- "expanded": "Leakage affecting mobile privacy and mobile applications",
- "description": "Threat of leaking important information due to using malware mobile applications."
- },
- {
- "value": "leakage-affecting-web-privacy-and-web-applications",
- "expanded": "Leakage affecting web privacy and web applications",
- "description": "Threat of leakage important information due to using malware web applications."
- },
- {
- "value": "leakage-affecting-network-traffic",
- "expanded": "Leakage affecting network traffic",
- "description": "Threat of leaking important information in network traffic."
- },
- {
- "value": "leakage-affecting-cloud-computing",
- "expanded": "Leakage affecting cloud computing",
- "description": "Threat of leaking important information in cloud computing."
- },
- {
- "value": "generation-and-use-of-rogue-certificates",
- "expanded": "Generation and use of rogue certificates",
- "description": "Threat of use of rogue certificates."
- },
- {
- "value": "loss-of-integrity-of-sensitive-information",
- "expanded": "Loss of (integrity of) sensitive information",
- "description": "Threat of loss of sensitive information due to loss of integrity."
- },
- {
- "value": "man-in-the-middle-session-hijacking",
- "expanded": "Man in the middle / Session hijacking",
- "description": "Threat of attack consisting in the exploitation of the web session control mechanism, which is normally managed by a session token."
- },
- {
- "value": "social-engineering-via-signed-malware",
- "expanded": "Social Engineering / signed malware",
- "description": "Threat of install fake trust signed software (malware) e.g. fake OS updates."
- },
- {
- "value": "fake-SSL-certificates",
- "expanded": "Fake SSL certificates",
- "description": "Threat of attack due to malware application signed by a certificate that is typically inherently trusted by an endpoint."
- },
- {
- "value": "manipulation-of-hardware-and-software",
- "expanded": "Manipulation of hardware and software",
- "description": "Threat of unauthorised manipulation of hardware and software."
- },
- {
- "value": "anonymous-proxies",
- "expanded": "Anonymous proxies",
- "description": "Threat of unauthorised manipulation by anonymous proxies."
- },
- {
- "value": "abuse-of-computing-power-of-cloud-to-launch-attacks-cybercrime-as-a-service)",
- "expanded": "Abuse of computing power of cloud to launch attacks (cybercrime as a service)",
- "description": "Threat of using large computing powers to generate attacks on demand."
- },
- {
- "value": "abuse-of-vulnerabilities-0-day-vulnerabilities",
- "expanded": "Abuse of vulnerabilities, 0-day vulnerabilities",
- "description": "Threat of attacks using 0-day or known IT assets vulnerabilities."
- },
- {
- "value": "access-of-web-sites-through-chains-of-HTTP-Proxies-Obfuscation",
- "expanded": "Access of web sites through chains of HTTP Proxies (Obfuscation)",
- "description": "Threat of bypassing the security mechanism using HTTP proxies (bypassing the website blacklist)."
- },
- {
- "value": "access-to-device-software",
- "expanded": "Access to device software",
- "description": "Threat of unauthorised manipulation by access to device software."
- },
- {
- "value": "alternation-of-software",
- "expanded": "Alternation of software",
- "description": "Threat of unauthorized modifications to code or data, attacking its integrity."
- },
- {
- "value": "rogue-hardware",
- "expanded": "Rogue hardware",
- "description": "Threat of manipulation due to unauthorized access to hardware."
- },
- {
- "value": "manipulation-of-information",
- "expanded": "Manipulation of information",
- "description": "Threat of intentional data manipulation to mislead information systems or somebody or to cover other nefarious activities (loss of integrity of information)."
- },
- {
- "value": "repudiation-of-actions",
- "expanded": "Repudiation of actions",
- "description": "Threat of intentional data manipulation to repudiate action."
- },
- {
- "value": "address-space-hijacking-IP-prefixes",
- "expanded": "Address space hijacking (IP prefixes)",
- "description": "Threat of the illegitimate takeover of groups of IP addresses."
- },
- {
- "value": "routing-table-manipulation",
- "expanded": "Routing table manipulation",
- "description": "Threat of route packets of network to IP addresses other than that was intended via sender by unauthorised manipulation of routing table."
- },
- {
- "value": "DNS-poisoning-or-DNS-spoofing-or-DNS-Manipulations",
- "expanded": "DNS poisoning / DNS spoofing / DNS Manipulations",
- "description": "Threat of falsification of DNS information."
- },
- {
- "value": "falsification-of-record",
- "expanded": "Falsification of record",
- "description": "Threat of intentional data manipulation to falsify records."
- },
- {
- "value": "autonomous-system-hijacking",
- "expanded": "Autonomous System hijacking",
- "description": "Threat of overtaking by the attacker the ownership of a whole autonomous system and its prefixes despite origin validation."
- },
- {
- "value": "autonomous-system-manipulation",
- "expanded": "Autonomous System manipulation",
- "description": "Threat of manipulation by the attacker of a whole autonomous system in order to perform malicious actions."
- },
- {
- "value": "falsification-of-configurations",
- "expanded": "Falsification of configurations",
- "description": "Threat of intentional manipulation due to falsification of configurations."
- },
- {
- "value": "misuse-of-audit-tools",
- "expanded": "Misuse of audit tools",
- "description": "Threat of nefarious actions performed using audit tools (discovery of security weaknesses in information systems)"
- },
- {
- "value": "misuse-of-information-or-information systems-including-mobile-apps",
- "expanded": "Misuse of information/ information systems (including mobile apps)",
- "description": "Threat of nefarious action due to misuse of information / information systems."
- },
- {
- "value": "unauthorized-activities",
- "expanded": "Unauthorized activities",
- "description": "Threat of nefarious action due to unauthorised activities."
- },
- {
- "value": "Unauthorised-use-or-administration-of-devices-and-systems",
- "expanded": "Unauthorised use or administration of devices and systems",
- "description": "Threat of nefarious action due to unauthorised use of devices and systems."
- },
- {
- "value": "unauthorised-use-of-software",
- "expanded": "Unauthorised use of software",
- "description": "Threat of nefarious action due to unauthorised use of software."
- },
- {
- "value": "unauthorized-access-to-the-information-systems-or-networks-like-IMPI-Protocol-DNS-Registrar-Hijacking)",
- "expanded": "Unauthorized access to the information systems-or-networks (IMPI Protocol / DNS Registrar Hijacking)",
- "description": "Threat of unauthorised access to the information systems / network."
- },
- {
- "value": "network-intrusion",
- "expanded": "Network Intrusion",
- "description": "Threat of unauthorised access to network."
- },
- {
- "value": "unauthorized-changes-of-records",
- "expanded": "Unauthorized changes of records",
- "description": "Threat of unauthorised changes of information."
- },
- {
- "value": "unauthorized-installation-of-software",
- "expanded": "Unauthorized installation of software",
- "description": "Threat of unauthorised installation of software."
- },
- {
- "value": "Web-based-attacks-drive-by-download-or-malicious-URLs-or-browser-based-attacks",
- "expanded": "Web based attacks (Drive-by download / malicious URLs / Browser based attacks)",
- "description": "Threat of installation of unwanted malware software by misusing websites."
- },
- {
- "value": "compromising-confidential-information-like-data-breaches",
- "expanded": "Compromising confidential information (data breaches)",
- "description": "Threat of data breach."
- },
- {
- "value": "hoax",
- "expanded": "Hoax",
- "description": "Threat of loss of IT assets security due to cheating."
- },
- {
- "value": "false-rumour-and-or-fake-warning",
- "expanded": "False rumour and/or fake warning",
- "description": "Threat of disruption of work due to rumours and/or a fake warning."
- },
- {
- "value": "remote-activity-execution",
- "expanded": "Remote activity (execution)",
- "description": "Threat of nefarious action by attacker remote activity."
- },
- {
- "value": "remote-command-execution",
- "expanded": "Remote Command Execution",
- "description": "Threat of nefarious action due to remote command execution."
- },
- {
- "value": "remote-access-tool",
- "expanded": "Remote Access Tool (RAT)",
- "description": "Threat of infection of software that has a remote administration capabilities allowing an attacker to control the victim's computer."
- },
- {
- "value": "botnets-remote-activity",
- "expanded": "Botnets / Remote activity",
- "description": "Threat of penetration by software from malware distribution."
- },
- {
- "value": "targeted-attacks",
- "expanded": "Targeted attacks (APTs etc.)",
- "description": "Threat of sophisticated, targeted attack which combine many attack techniques."
- },
- {
- "value": "mobile-malware",
- "expanded": "Mobile malware",
- "description": "Threat of mobile software that aims to gather information about a person or organization without their knowledge."
- },
- {
- "value": "spear-phishing-attacks",
- "expanded": "Spear phishing attacks",
- "description": "Threat of attack focused on a single user or department within an organization, coming from someone within the company in a position of trust and requesting information such as login, IDs and passwords."
- },
- {
- "value": "installation-of-sophisticated-and-targeted-malware",
- "expanded": "Installation of sophisticated and targeted malware",
- "description": "Threat of malware delivered by sophisticated and targeted software."
- },
- {
- "value": "watering-hole-attacks",
- "expanded": "Watering Hole attacks",
- "description": "Threat of malware residing on the websites which a group often uses."
- },
- {
- "value": "failed-business-process",
- "expanded": "Failed business process",
- "description": "Threat of damage or loss of IT assets due to improperly executed business process."
- },
- {
- "value": "brute-force",
- "expanded": "Brute force",
- "description": "Threat of unauthorised access via systematically checking all possible keys or passwords until the correct one is found."
- },
- {
- "value": "abuse-of-authorizations",
- "expanded": "Abuse of authorizations",
- "description": "Threat of using authorised access to perform illegitimate actions."
- }
- ]
+ "predicate": "nefarious-activity-abuse",
+ "entry": [
+ {
+ "value": "identity-theft-identity-fraud-account)",
+ "expanded": "Identity theft (Identity Fraud/ Account)",
+ "description": "Threat of identity theft action."
+ },
+ {
+ "value": "credentials-stealing-trojans",
+ "expanded": "Credentials-stealing trojans",
+ "description": "Threat of identity theft action by malware computer programs."
+ },
+ {
+ "value": "receiving-unsolicited-e-mail",
+ "expanded": "Receiving unsolicited E-mail",
+ "description": "Threat of receiving unsolicited email which affects information security and efficiency."
+ },
+ {
+ "value": "spam",
+ "expanded": "SPAM",
+ "description": "Threat of receiving unsolicited, undesired, or illegal email messages."
+ },
+ {
+ "value": "unsolicited-infected-e-mails",
+ "expanded": "Unsolicited infected e-mails",
+ "description": "Threat emanating from unwanted emails that may contain infected attachments or links to malicious / infected web sites."
+ },
+ {
+ "value": "denial-of-service",
+ "expanded": "Denial of service",
+ "description": "Threat of service unavailability due to massive requests for services."
+ },
+ {
+ "value": "distributed-denial-of-network-service-network-layer-attack",
+ "expanded": "Distributed denial of network service (DDoS) (network layer attack i.e. Protocol exploitation / Malformed packets / Flooding / Spoofing)",
+ "description": "Threat of service unavailability due to a massive number of requests for access to network services from malicious clients."
+ },
+ {
+ "value": "distributed-denial-of-network-service-application-layer-attack",
+ "expanded": "Distributed denial of application service (DDoS) (application layer attack i.e. Ping of Death / XDoS / WinNuke / HTTP Floods)",
+ "description": "Threat of service unavailability due to massive requests sent by multiple malicious clients."
+ },
+ {
+ "value": "distributed-denial-of-network-service-amplification-reflection-attack",
+ "expanded": "Distributed DoS (DDoS) to both network and application services (amplification/reflection methods i.e. NTP/ DNS /.../ BitTorrent)",
+ "description": "Threat of creating a massive number of requests, using multiplication/amplification methods."
+ },
+ {
+ "value": "malicious-code-software-activity",
+ "expanded": "Malicious code/ software/ activity"
+ },
+ {
+ "value": "search-engine-poisoning",
+ "expanded": "Search Engine Poisoning",
+ "description": "Threat of deliberate manipulation of search engine indexes."
+ },
+ {
+ "value": "exploitation-of-fake-trust-of-social-media",
+ "expanded": "Exploitation of fake trust of social media",
+ "description": "Threat of malicious activities making use of trusted social media."
+ },
+ {
+ "value": "worms-trojans",
+ "expanded": "Worms/ Trojans",
+ "description": "Threat of malware computer programs (trojans/worms)."
+ },
+ {
+ "value": "rootkits",
+ "expanded": "Rootkits",
+ "description": "Threat of stealthy types of malware software."
+ },
+ {
+ "value": "mobile-malware",
+ "expanded": "Mobile malware",
+ "description": "Threat of mobile malware programs."
+ },
+ {
+ "value": "infected-trusted-mobile-apps",
+ "expanded": "Infected trusted mobile apps",
+ "description": "Threat of using mobile malware software that is recognised as trusted one."
+ },
+ {
+ "value": "elevation-of-privileges",
+ "expanded": "Elevation of privileges",
+ "description": "Threat of exploiting bugs, design flaws or configuration oversights in an operating system or software application to gain elevated access to resources."
+ },
+ {
+ "value": "web-application-attacks-injection-attacks-code-injection-SQL-XSS",
+ "expanded": "Web application attacks / injection attacks (Code injection: SQL, XSS)",
+ "description": "Threat of utilizing custom web applications embedded within social media sites, which can lead to installation of malicious code onto computers to be used to gain unauthorized access."
+ },
+ {
+ "value": "spyware-or-deceptive-adware",
+ "expanded": "Spyware or deceptive adware",
+ "description": "Threat of using software that aims to gather information about a person or organization without their knowledge."
+ },
+ {
+ "value": "viruses",
+ "expanded": "Viruses",
+ "description": "Threat of infection by viruses."
+ },
+ {
+ "value": "rogue-security-software-rogueware-scareware",
+ "expanded": "Rogue security software/ Rogueware / Scareware",
+ "description": "Threat of internet fraud or malicious software that mislead users into believing there is a virus on their computer, and manipulates them to pay money for fake removal tool."
+ },
+ {
+ "value": "ransomware",
+ "expanded": "Ransomware",
+ "description": "Threat of infection of computer system or device by malware that restricts access to it and demands that the user pay a ransom to remove the restriction."
+ },
+ {
+ "value": "exploits-exploit-kits",
+ "expanded": "Exploits/Exploit Kits",
+ "description": "Threat to IT assets due to the use of web available exploits or exploits software."
+ },
+ {
+ "value": "social-engineering",
+ "expanded": "Social Engineering",
+ "description": "Threat of social engineering type attacks (target: manipulation of personnel behaviour)."
+ },
+ {
+ "value": "phishing-attacks",
+ "expanded": "Phishing attacks",
+ "description": "Threat of an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy websites."
+ },
+ {
+ "value": "spear-phishing-attacks",
+ "expanded": "Spear phishing attacks",
+ "description": "Spear-phishing is a targeted e-mail message that has been crafted to create fake trust and thus lure the victim to unveil some business or personal secrets that can be abused by the adversary."
+ },
+ {
+ "value": "abuse-of-information-leakage",
+ "expanded": "Abuse of Information Leakage",
+ "description": "Threat of leaking important information."
+ },
+ {
+ "value": "leakage-affecting-mobile-privacy-and-mobile-applications",
+ "expanded": "Leakage affecting mobile privacy and mobile applications",
+ "description": "Threat of leaking important information due to using malware mobile applications."
+ },
+ {
+ "value": "leakage-affecting-web-privacy-and-web-applications",
+ "expanded": "Leakage affecting web privacy and web applications",
+ "description": "Threat of leakage important information due to using malware web applications."
+ },
+ {
+ "value": "leakage-affecting-network-traffic",
+ "expanded": "Leakage affecting network traffic",
+ "description": "Threat of leaking important information in network traffic."
+ },
+ {
+ "value": "leakage-affecting-cloud-computing",
+ "expanded": "Leakage affecting cloud computing",
+ "description": "Threat of leaking important information in cloud computing."
+ },
+ {
+ "value": "generation-and-use-of-rogue-certificates",
+ "expanded": "Generation and use of rogue certificates",
+ "description": "Threat of use of rogue certificates."
+ },
+ {
+ "value": "loss-of-integrity-of-sensitive-information",
+ "expanded": "Loss of (integrity of) sensitive information",
+ "description": "Threat of loss of sensitive information due to loss of integrity."
+ },
+ {
+ "value": "man-in-the-middle-session-hijacking",
+ "expanded": "Man in the middle / Session hijacking",
+ "description": "Threat of attack consisting in the exploitation of the web session control mechanism, which is normally managed by a session token."
+ },
+ {
+ "value": "social-engineering-via-signed-malware",
+ "expanded": "Social Engineering / signed malware",
+ "description": "Threat of install fake trust signed software (malware) e.g. fake OS updates."
+ },
+ {
+ "value": "fake-SSL-certificates",
+ "expanded": "Fake SSL certificates",
+ "description": "Threat of attack due to malware application signed by a certificate that is typically inherently trusted by an endpoint."
+ },
+ {
+ "value": "manipulation-of-hardware-and-software",
+ "expanded": "Manipulation of hardware and software",
+ "description": "Threat of unauthorised manipulation of hardware and software."
+ },
+ {
+ "value": "anonymous-proxies",
+ "expanded": "Anonymous proxies",
+ "description": "Threat of unauthorised manipulation by anonymous proxies."
+ },
+ {
+ "value": "abuse-of-computing-power-of-cloud-to-launch-attacks-cybercrime-as-a-service)",
+ "expanded": "Abuse of computing power of cloud to launch attacks (cybercrime as a service)",
+ "description": "Threat of using large computing powers to generate attacks on demand."
+ },
+ {
+ "value": "abuse-of-vulnerabilities-0-day-vulnerabilities",
+ "expanded": "Abuse of vulnerabilities, 0-day vulnerabilities",
+ "description": "Threat of attacks using 0-day or known IT assets vulnerabilities."
+ },
+ {
+ "value": "access-of-web-sites-through-chains-of-HTTP-Proxies-Obfuscation",
+ "expanded": "Access of web sites through chains of HTTP Proxies (Obfuscation)",
+ "description": "Threat of bypassing the security mechanism using HTTP proxies (bypassing the website blacklist)."
+ },
+ {
+ "value": "access-to-device-software",
+ "expanded": "Access to device software",
+ "description": "Threat of unauthorised manipulation by access to device software."
+ },
+ {
+ "value": "alternation-of-software",
+ "expanded": "Alternation of software",
+ "description": "Threat of unauthorized modifications to code or data, attacking its integrity."
+ },
+ {
+ "value": "rogue-hardware",
+ "expanded": "Rogue hardware",
+ "description": "Threat of manipulation due to unauthorized access to hardware."
+ },
+ {
+ "value": "manipulation-of-information",
+ "expanded": "Manipulation of information",
+ "description": "Threat of intentional data manipulation to mislead information systems or somebody or to cover other nefarious activities (loss of integrity of information)."
+ },
+ {
+ "value": "repudiation-of-actions",
+ "expanded": "Repudiation of actions",
+ "description": "Threat of intentional data manipulation to repudiate action."
+ },
+ {
+ "value": "address-space-hijacking-IP-prefixes",
+ "expanded": "Address space hijacking (IP prefixes)",
+ "description": "Threat of the illegitimate takeover of groups of IP addresses."
+ },
+ {
+ "value": "routing-table-manipulation",
+ "expanded": "Routing table manipulation",
+ "description": "Threat of route packets of network to IP addresses other than that was intended via sender by unauthorised manipulation of routing table."
+ },
+ {
+ "value": "DNS-poisoning-or-DNS-spoofing-or-DNS-Manipulations",
+ "expanded": "DNS poisoning / DNS spoofing / DNS Manipulations",
+ "description": "Threat of falsification of DNS information."
+ },
+ {
+ "value": "falsification-of-record",
+ "expanded": "Falsification of record",
+ "description": "Threat of intentional data manipulation to falsify records."
+ },
+ {
+ "value": "autonomous-system-hijacking",
+ "expanded": "Autonomous System hijacking",
+ "description": "Threat of overtaking by the attacker the ownership of a whole autonomous system and its prefixes despite origin validation."
+ },
+ {
+ "value": "autonomous-system-manipulation",
+ "expanded": "Autonomous System manipulation",
+ "description": "Threat of manipulation by the attacker of a whole autonomous system in order to perform malicious actions."
+ },
+ {
+ "value": "falsification-of-configurations",
+ "expanded": "Falsification of configurations",
+ "description": "Threat of intentional manipulation due to falsification of configurations."
+ },
+ {
+ "value": "misuse-of-audit-tools",
+ "expanded": "Misuse of audit tools",
+ "description": "Threat of nefarious actions performed using audit tools (discovery of security weaknesses in information systems)"
+ },
+ {
+ "value": "misuse-of-information-or-information systems-including-mobile-apps",
+ "expanded": "Misuse of information/ information systems (including mobile apps)",
+ "description": "Threat of nefarious action due to misuse of information / information systems."
+ },
+ {
+ "value": "unauthorized-activities",
+ "expanded": "Unauthorized activities",
+ "description": "Threat of nefarious action due to unauthorised activities."
+ },
+ {
+ "value": "Unauthorised-use-or-administration-of-devices-and-systems",
+ "expanded": "Unauthorised use or administration of devices and systems",
+ "description": "Threat of nefarious action due to unauthorised use of devices and systems."
+ },
+ {
+ "value": "unauthorised-use-of-software",
+ "expanded": "Unauthorised use of software",
+ "description": "Threat of nefarious action due to unauthorised use of software."
+ },
+ {
+ "value": "unauthorized-access-to-the-information-systems-or-networks-like-IMPI-Protocol-DNS-Registrar-Hijacking)",
+ "expanded": "Unauthorized access to the information systems-or-networks (IMPI Protocol / DNS Registrar Hijacking)",
+ "description": "Threat of unauthorised access to the information systems / network."
+ },
+ {
+ "value": "network-intrusion",
+ "expanded": "Network Intrusion",
+ "description": "Threat of unauthorised access to network."
+ },
+ {
+ "value": "unauthorized-changes-of-records",
+ "expanded": "Unauthorized changes of records",
+ "description": "Threat of unauthorised changes of information."
+ },
+ {
+ "value": "unauthorized-installation-of-software",
+ "expanded": "Unauthorized installation of software",
+ "description": "Threat of unauthorised installation of software."
+ },
+ {
+ "value": "Web-based-attacks-drive-by-download-or-malicious-URLs-or-browser-based-attacks",
+ "expanded": "Web based attacks (Drive-by download / malicious URLs / Browser based attacks)",
+ "description": "Threat of installation of unwanted malware software by misusing websites."
+ },
+ {
+ "value": "compromising-confidential-information-like-data-breaches",
+ "expanded": "Compromising confidential information (data breaches)",
+ "description": "Threat of data breach."
+ },
+ {
+ "value": "hoax",
+ "expanded": "Hoax",
+ "description": "Threat of loss of IT assets security due to cheating."
+ },
+ {
+ "value": "false-rumour-and-or-fake-warning",
+ "expanded": "False rumour and/or fake warning",
+ "description": "Threat of disruption of work due to rumours and/or a fake warning."
+ },
+ {
+ "value": "remote-activity-execution",
+ "expanded": "Remote activity (execution)",
+ "description": "Threat of nefarious action by attacker remote activity."
+ },
+ {
+ "value": "remote-command-execution",
+ "expanded": "Remote Command Execution",
+ "description": "Threat of nefarious action due to remote command execution."
+ },
+ {
+ "value": "remote-access-tool",
+ "expanded": "Remote Access Tool (RAT)",
+ "description": "Threat of infection of software that has a remote administration capabilities allowing an attacker to control the victim's computer."
+ },
+ {
+ "value": "botnets-remote-activity",
+ "expanded": "Botnets / Remote activity",
+ "description": "Threat of penetration by software from malware distribution."
+ },
+ {
+ "value": "targeted-attacks",
+ "expanded": "Targeted attacks (APTs etc.)",
+ "description": "Threat of sophisticated, targeted attack which combine many attack techniques."
+ },
+ {
+ "value": "mobile-malware",
+ "expanded": "Mobile malware",
+ "description": "Threat of mobile software that aims to gather information about a person or organization without their knowledge."
+ },
+ {
+ "value": "spear-phishing-attacks",
+ "expanded": "Spear phishing attacks",
+ "description": "Threat of attack focused on a single user or department within an organization, coming from someone within the company in a position of trust and requesting information such as login, IDs and passwords."
+ },
+ {
+ "value": "installation-of-sophisticated-and-targeted-malware",
+ "expanded": "Installation of sophisticated and targeted malware",
+ "description": "Threat of malware delivered by sophisticated and targeted software."
+ },
+ {
+ "value": "watering-hole-attacks",
+ "expanded": "Watering Hole attacks",
+ "description": "Threat of malware residing on the websites which a group often uses."
+ },
+ {
+ "value": "failed-business-process",
+ "expanded": "Failed business process",
+ "description": "Threat of damage or loss of IT assets due to improperly executed business process."
+ },
+ {
+ "value": "brute-force",
+ "expanded": "Brute force",
+ "description": "Threat of unauthorised access via systematically checking all possible keys or passwords until the correct one is found."
+ },
+ {
+ "value": "abuse-of-authorizations",
+ "expanded": "Abuse of authorizations",
+ "description": "Threat of using authorised access to perform illegitimate actions."
+ }
+ ]
 }
 ],
 "predicates": [
diff --git a/eu-marketop-and-publicadmin/machinetag.json b/eu-marketop-and-publicadmin/machinetag.json
index 22f0893..59c9d25 100644
--- a/eu-marketop-and-publicadmin/machinetag.json
+++ b/eu-marketop-and-publicadmin/machinetag.json
@@ -1,62 +1,84 @@ { - "namespace": "eu-marketop-and-publicadmin", - "description": "Market operators and public administrations that must comply to some notifications requirements under EU NIS directive", - "version": 1, - "predicates": [{ - "value": "critical-infra-operators", - "expanded": "Critical Infrastructure Operators" - }, { - "value": "info-services", - "expanded": "Information Society services enablers" - }, { - "value": "public-admin", - "expanded": "Public administration" - }], - "values": [{ - "predicate": "critical-infra-operators", - "entry": [{ - "value": "transport", - "expanded": "Transport" - }, { - "value": "energy", - "expanded": "Energy" - }, { - "value": "health", - "expanded": "Health" - }, { - "value": "financial", - "expanded": "Financial market operators" - }, { - "value": "banking", - "expanded": "Banking" - }] - }, { - "predicate": "info-services", - "entry": [{ - "value": "e-commerce", - "expanded": "e-commerce platforms" - }, { - "value": "internet-payment", - "expanded": "Internet payment" - }, { - "value": "cloud", - "expanded": "cloud computing" - }, { - "value": "search-engines", - "expanded": "search engines" - }, { - "value": "socnet", - "expanded": "social networks" - }, { - "value": "app-stores", - "expanded": "application stores" - }] - }, { - "predicate": "public-admin", - "entry": [{ - "value": "public-admin", - "expanded": "Public Administrations" - }] - }] + "namespace": "eu-marketop-and-publicadmin", + "description": "Market operators and public administrations that must comply to some notifications requirements under EU NIS directive", + "version": 1, + "predicates": [ + { + "value": "critical-infra-operators", + "expanded": "Critical Infrastructure Operators" + }, + { + "value": "info-services", + "expanded": "Information Society services enablers" + }, + { + "value": "public-admin", + "expanded": "Public administration" + } + ], + "values": [ + { + "predicate": "critical-infra-operators", + "entry": [ + { + "value": 
"transport", + "expanded": "Transport" + }, + { + "value": "energy", + "expanded": "Energy" + }, + { + "value": "health", + "expanded": "Health" + }, + { + "value": "financial", + "expanded": "Financial market operators" + }, + { + "value": "banking", + "expanded": "Banking" + } + ] + }, + { + "predicate": "info-services", + "entry": [ + { + "value": "e-commerce", + "expanded": "e-commerce platforms" + }, + { + "value": "internet-payment", + "expanded": "Internet payment" + }, + { + "value": "cloud", + "expanded": "cloud computing" + }, + { + "value": "search-engines", + "expanded": "search engines" + }, + { + "value": "socnet", + "expanded": "social networks" + }, + { + "value": "app-stores", + "expanded": "application stores" + } + ] + }, + { + "predicate": "public-admin", + "entry": [ + { + "value": "public-admin", + "expanded": "Public Administrations" + } + ] + } + ] } - diff --git a/euci/machinetag.json b/euci/machinetag.json index b83c003..238f705 100644 --- a/euci/machinetag.json +++ b/euci/machinetag.json @@ -23,6 +23,5 @@ "expanded": "RESTREINT UE/EU RESTRICTED", "description": "Information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States." } - ], - "values": null + ] } diff --git a/europol-event/machinetag.json b/europol-event/machinetag.json index fb285a1..f74e3d1 100644 --- a/europol-event/machinetag.json +++ b/europol-event/machinetag.json @@ -234,6 +234,5 @@ "expanded": "Undetermined", "description": "Field aimed at the classification of unprocessed events, which have remained undetermined from the beginning." } - ], - "values": null + ] } diff --git a/europol-incident/machinetag.json b/europol-incident/machinetag.json index 12101f1..823c7e8 100644 --- a/europol-incident/machinetag.json +++ b/europol-incident/machinetag.json 
@@ -1,195 +1,195 @@ { - "version": 1, - "description": "This taxonomy was designed to describe the type of incidents by class.", - "expanded": "Europol class of incidents taxonomy", - "namespace": "europol-incident", - "predicates": [ + "version": 1, + "description": "This taxonomy was designed to describe the type of incidents by class.", + "expanded": "Europol class of incidents taxonomy", + "namespace": "europol-incident", + "predicates": [ + { + "value": "malware", + "expanded": "Malware" + }, + { + "value": "availability", + "expanded": "Availability" + }, + { + "value": "information-gathering", + "expanded": "Gathering of information" + }, + { + "value": "intrusion-attempt", + "expanded": "Intrusion attempt" + }, + { + "value": "intrusion", + "expanded": "Intrusion" + }, + { + "value": "information-security", + "expanded": "Information security" + }, + { + "value": "fraud", + "expanded": "Fraud" + }, + { + "value": "abusive-content", + "expanded": "Abusive content" + }, + { + "value": "other", + "expanded": "Other" + } + ], + "values": [ + { + "predicate": "malware", + "entry": [ { - "value": "malware", - "expanded": "Malware" + "value": "infection", + "expanded": "Infection", + "description": "Infecting one or various systems with a specific type of malware." }, { - "value": "availability", - "expanded": "Availability" + "value": "distribution", + "expanded": "Distribution", + "description": "Infecting one or various systems with a specific type of malware." }, { - "value": "information-gathering", - "expanded": "Gathering of information" + "value": "c&c", + "expanded": "C&C", + "description": "Infecting one or various systems with a specific type of malware." 
}, { - "value": "intrusion-attempt", - "expanded": "Intrusion attempt" - }, - { - "value": "intrusion", - "expanded": "Intrusion" - }, - { - "value": "information-security", - "expanded": "Information security" - }, - { - "value": "fraud", - "expanded": "Fraud" - }, - { - "value": "abusive-content", - "expanded": "Abusive content" - }, - { - "value": "other", - "expanded": "Other" + "value": "undetermined", + "expanded": "Undetermined" } - ], - "values": [ + ] + }, + { + "predicate": "availability", + "entry": [ { - "predicate": "malware", - "entry": [ - { - "value": "infection", - "expanded": "Infection", - "description": "Infecting one or various systems with a specific type of malware." - }, - { - "value": "distribution", - "expanded": "Distribution", - "description": "Infecting one or various systems with a specific type of malware." - }, - { - "value": "c&c", - "expanded": "C&C", - "description": "Infecting one or various systems with a specific type of malware." - }, - { - "value": "undetermined", - "expanded": "Undetermined" - } - ] + "value": "dos-ddos", + "expanded": "DoS/DDoS", + "description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative." }, { - "predicate": "availability", - "entry": [ - { - "value": "dos-ddos", - "expanded": "DoS/DDoS", - "description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative." - }, - { - "value": "sabotage", - "expanded": "Sabotage", - "description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc." - } - ] - }, - { - "predicate": "information-gathering", - "entry": [ - { - "value": "scanning", - "expanded": "Scanning", - "description": "Active and passive gathering of information on systems or networks." - }, - { - "value": "sniffing", - "expanded": "Sniffing", - "description": "Unauthorised monitoring and reading of network traffic." 
- }, - { - "value": "phishing", - "expanded": "Phishing", - "description": "Attempt to gather information on a user or a system through phishing methods." - } - ] - }, - { - "predicate": "intrusion-attempt", - "entry": [ - { - "value": "exploitation-vulnerability", - "expanded": "Exploitation of vulnerability", - "description": "Attempt to intrude by exploiting a vulnerability in a system, component or network." - }, - { - "value": "login-attempt", - "expanded": "Login attempt", - "description": "Attempt to log in to services or authentication / access control mechanisms." - } - ] - }, - { - "predicate": "intrusion", - "entry": [ - { - "value": "exploitation-vulnerability", - "expanded": "Exploitation of vulnerability", - "description": "Actual intrusion by exploiting a vulnerability in the system, component or network." - }, - { - "value": "compromising-account", - "expanded": "Compromising an account", - "description": "Actual intrusion in a system, component or network by compromising a user or administrator account." - } - ] - }, - { - "predicate": "information-security", - "entry": [ - { - "value": "unauthorized-access", - "expanded": "Unauthorised access", - "description": "Unauthorised access to a particular set of information" - }, - { - "value": "unauthorized-modification", - "expanded": "Unauthorised modification/deletion", - "description": "Unauthorised change or elimination of a particular set of information" - } - ] - }, - { - "predicate": "fraud", - "entry": [ - { - "value": "illegitimate-use-resources", - "expanded": "Misuse or unauthorised use of resources", - "description": "Use of institutional resources for purposes other than those intended." - }, - { - "value": "illegitimate-use-name", - "expanded": "Illegitimate use of the name of a third party", - "description": "Use of the name of an institution without permission to do so." 
- } - ] - }, - { - "predicate": "abusive-content", - "entry": [ - { - "value": "spam", - "expanded": "SPAM", - "description": " Sending SPAM messages." - }, - { - "value": "copyright", - "expanded": "Copyright", - "description": "Distribution and sharing of copyright protected content." - }, - { - "value": "content-forbidden-by-law", - "expanded": "Dissemination of content forbidden by law.", - "description": "Child pornography, racism and apology of violence." - } - ] - }, - { - "predicate": "other", - "entry": [ - { - "value": "other", - "expanded": "Other", - "description": " Other type of unspecified incident" - } - ] + "value": "sabotage", + "expanded": "Sabotage", + "description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc." } - ] + ] + }, + { + "predicate": "information-gathering", + "entry": [ + { + "value": "scanning", + "expanded": "Scanning", + "description": "Active and passive gathering of information on systems or networks." + }, + { + "value": "sniffing", + "expanded": "Sniffing", + "description": "Unauthorised monitoring and reading of network traffic." + }, + { + "value": "phishing", + "expanded": "Phishing", + "description": "Attempt to gather information on a user or a system through phishing methods." + } + ] + }, + { + "predicate": "intrusion-attempt", + "entry": [ + { + "value": "exploitation-vulnerability", + "expanded": "Exploitation of vulnerability", + "description": "Attempt to intrude by exploiting a vulnerability in a system, component or network." + }, + { + "value": "login-attempt", + "expanded": "Login attempt", + "description": "Attempt to log in to services or authentication / access control mechanisms." + } + ] + }, + { + "predicate": "intrusion", + "entry": [ + { + "value": "exploitation-vulnerability", + "expanded": "Exploitation of vulnerability", + "description": "Actual intrusion by exploiting a vulnerability in the system, component or network." 
+ }, + { + "value": "compromising-account", + "expanded": "Compromising an account", + "description": "Actual intrusion in a system, component or network by compromising a user or administrator account." + } + ] + }, + { + "predicate": "information-security", + "entry": [ + { + "value": "unauthorized-access", + "expanded": "Unauthorised access", + "description": "Unauthorised access to a particular set of information" + }, + { + "value": "unauthorized-modification", + "expanded": "Unauthorised modification/deletion", + "description": "Unauthorised change or elimination of a particular set of information" + } + ] + }, + { + "predicate": "fraud", + "entry": [ + { + "value": "illegitimate-use-resources", + "expanded": "Misuse or unauthorised use of resources", + "description": "Use of institutional resources for purposes other than those intended." + }, + { + "value": "illegitimate-use-name", + "expanded": "Illegitimate use of the name of a third party", + "description": "Use of the name of an institution without permission to do so." + } + ] + }, + { + "predicate": "abusive-content", + "entry": [ + { + "value": "spam", + "expanded": "SPAM", + "description": " Sending SPAM messages." + }, + { + "value": "copyright", + "expanded": "Copyright", + "description": "Distribution and sharing of copyright protected content." + }, + { + "value": "content-forbidden-by-law", + "expanded": "Dissemination of content forbidden by law.", + "description": "Child pornography, racism and apology of violence." + } + ] + }, + { + "predicate": "other", + "entry": [ + { + "value": "other", + "expanded": "Other", + "description": " Other type of unspecified incident" + } + ] + } + ] } diff --git a/iep/machinetag.json b/iep/machinetag.json index 8e90dac..ce0eba6 100644 --- a/iep/machinetag.json +++ b/iep/machinetag.json 
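Review bot: In the new `values` block, the `distribution` and `c&c` entries carry the same `description` as `infection` ("Infecting one or various systems with a specific type of malware."), which looks like a copy-paste left over from the original file and now survives the reformat unchanged. Each should describe what its `expanded` label names, e.g. `"description": "Distribution of malware to one or various systems."` for `distribution` and `"description": "Communication of infected systems with a command and control infrastructure."` for `c&c`. The `spam` and `other` descriptions also begin with a stray leading space (`" Sending SPAM messages."`, `" Other type of unspecified incident"`), which `jq .` does not normalise and which is displayed verbatim to users.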
@@ -26,7 +26,7 @@
 {
 "value": "end-date",
 "expanded": "POLICY END DATE",
- "description": "States the UTC4 date that the IEP is effective until."
+ "description": "States the UTC date that the IEP is effective until."
 },
 {
 "value": "reference",
diff --git a/information-security-indicators/machinetag.json b/information-security-indicators/machinetag.json
index 7a263cd..b3629b7 100644
--- a/information-security-indicators/machinetag.json
+++ b/information-security-indicators/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "information-security-indicators",
 "description": "A full set of operational indicators for organizations to use to benchmark their security posture.",
- "version": "1",
+ "version": 1,
 "predicates": [
 {
 "value": "IEX",
@@ -139,7 +139,8 @@
 "description": "This indicator measures illicit entrance of individuals into security perimeter."
 }
 ]
- },{
+ },
+ {
 "predicate": "IMF",
 "entry": [
 {
@@ -188,7 +189,8 @@
 "description": "This indicator primarily relates to Personal Identifiable Information (PII) protected by privacy laws, to information falling under the PCI-DSS regulation, to information falling under European regulation in the area of breach notification (Telcos and ISPs to begin with), and to information about electronic exchanges between employees and the exterior (electronic messaging and Internet connection). This indicator does not include possible difficulties pertaining to proof forwarding from field operations to governance (state-of-the-art unavailable). This indicator is a sub-set of indicator IMF_LOG.1, but can be identical to this one in advanced organizations."
 }
 ]
- },{
+ },
+ {
 "predicate": "IDB",
 "entry": [
 {
@@ -247,7 +249,8 @@
 "description": "This event is generally decided and deployed by an administrator in order to improve performance of the system under his/her responsibility (illicit voluntary stoppage). This indicator is a reduced subset of indicator IUS_RGH.5"
 }
 ]
- },{
+ },
+ {
 "predicate": "IWH",
 "entry": [
 {
@@ -281,7 +284,8 @@
 "description": "This indicator measures security incidents tied to assets (on servers) non-inventoried and not managed by appointed teams. It is a key indicator insofar as a high percentage of incidents corresponds with this indicator on average in the profession (according to some public surveys)."
 }
 ]
- },{
+ },
+ {
 "predicate": "VBH",
 "entry": [
 {
@@ -400,7 +404,8 @@
 "description": "This vulnerability applies to discussions through on-line media leading to leakage of personal identifiable information (PII) or various business details to be used later (notably for identity usurpation) "
 }
 ]
- },{
+ },
+ {
 "predicate": "VSW",
 "entry": [
 {
@@ -419,7 +424,8 @@
 "description": "This indicators measures software vulnerabilities detected in Web browsers running on workstations."
 }
 ]
- },{
+ },
+ {
 "predicate": "VCF",
 "entry": [
 {
@@ -473,7 +479,8 @@
 "description": "This indicator measures accounts inactive for at least 2 months that have not been disabled. These accounts are not used by their users due to prolonged but not definitive absence (long term illness, maternity, etc.), with the exclusion of messaging accounts (which should remain accessible to users from their home)."
 }
 ]
- },{
+ },
+ {
 "predicate": "VTC",
 "entry": [
 {
@@ -507,7 +514,8 @@
 "description": "This indicator includes access to protected internal areas. The 1st cause is the lack of effective control of users at software level. The 2nd cause is hardware breakdown of a component in the chain."
 }
 ]
- },{
+ },
+ {
 "predicate": "VOR",
 "entry": [
 {
@@ -556,7 +564,8 @@
 "description": "This indicator measures the launch of new IT projects of a standard type without identification of vulnerabilities and threats and of related security measures. For these IT projects, potential implementation of a simplified risk analysis method or of pre-defined security profiles can be applied."
 }
 ]
- },{
+ },
+ {
 "predicate": "IMP",
 "entry": [
 {
@@ -582,4 +591,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh
new file mode 100755
index 0000000..56c816b
--- /dev/null
+++ b/jq_all_the_things.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+set -x
+
+# Seeds sponge, from moreutils
+
+for dir in ./*/machinetag.json
+do
+ cat ${dir} | jq . | sponge ${dir}
+done
+
+cat schema.json | jq . | sponge schema.json
+cat MANIFEST.json | jq . | sponge MANIFEST.json
diff --git a/kill-chain/machinetag.json b/kill-chain/machinetag.json
index d499cbc..19021b9 100644
--- a/kill-chain/machinetag.json
+++ b/kill-chain/machinetag.json
@@ -32,6 +32,5 @@
 "value": "Actions on Objectives",
 "expanded": "Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network."
 }
- ],
- "values": null
+ ]
 }
diff --git a/malware_classification/machinetag.json b/malware_classification/machinetag.json
index e7b5151..64919d1 100644
--- a/malware_classification/machinetag.json
+++ b/malware_classification/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "malware_classification",
 "description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
- "version": 1,
+ "version": 2,
 "predicates": [
 {
 "value": "malware-category",
@@ -57,8 +57,8 @@
 "expanded": "Spyware"
 },
 {
- "value": "Botnet",
- "expanded": "Botnet"
+ "value": "Botnet",
+ "expanded": "Botnet"
 }
 ]
 },
@@ -89,10 +89,6 @@
 "value": "armouring",
 "expanded": "armouring"
 },
- {
- "value": "encryption",
- "expanded": "encryption"
- },
 {
 "value": "tunneling",
 "expanded": "tunneling"
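Review bot: With only `set -e`, the pipeline `cat ${dir} | jq . | sponge ${dir}` cannot fail: the exit status is sponge's, so a machinetag.json that `jq` rejects is silently overwritten with whatever partial output jq produced before the parse error, and the loop carries on to the next file. Add `set -o pipefail` next to `set -e`, and validate before rewriting in place so a bad file is never clobbered: `jq empty "${dir}"` followed by `jq . "${dir}" | sponge "${dir}"` (quoting also protects paths with spaces and drops the useless `cat`). The same applies to the two `schema.json` and `MANIFEST.json` lines at the end of the script.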
@@ -163,4 +159,3 @@
 }
 ]
 }
-
diff --git a/misp/machinetag.json b/misp/machinetag.json
index f078acf..621d2b8 100644
--- a/misp/machinetag.json
+++ b/misp/machinetag.json
@@ -19,17 +19,26 @@
 "predicate": "api"
 },
 {
- "predicate": "contributor",
- "entry": [
+ "entry": [
+ {
+ "expanded": "block",
+ "value": "block"
+ }
+ ],
+ "predicate": "expansion"
+ },
+ {
+ "predicate": "contributor",
+ "entry": [
 {
 "expanded": "OpenPGP Fingerprint",
 "value": "pgpfingerprint"
 }
- ]
+ ]
 },
 {
- "predicate": "confidence-level",
- "entry": [
+ "predicate": "confidence-level",
+ "entry": [
 {
 "expanded": "Completely confident",
 "value": "completely-confident",
@@ -59,36 +68,36 @@
 "expanded": "Confidence cannot be evaluated",
 "value": "confidence-cannot-be-evalued"
 }
- ]
+ ]
 },
 {
- "predicate": "threat-level",
- "entry": [
+ "predicate": "threat-level",
+ "entry": [
 {
- "expanded": "No risk",
- "value": "no-risk",
- "numerical_value": 0,
- "description": "Harmless information. (CEUS threat level)"
+ "expanded": "No risk",
+ "value": "no-risk",
+ "numerical_value": 0,
+ "description": "Harmless information. (CEUS threat level)"
 },
 {
- "expanded": "Low risk",
- "value": "low-risk",
- "numerical_value": 25,
- "description": "Low risk which can include mass-malware. (CEUS threat level)"
+ "expanded": "Low risk",
+ "value": "low-risk",
+ "numerical_value": 25,
+ "description": "Low risk which can include mass-malware. (CEUS threat level)"
 },
 {
- "expanded": "Medium risk",
- "value": "medium-risk",
- "numerical_value": 50,
- "description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)"
+ "expanded": "Medium risk",
+ "value": "medium-risk",
+ "numerical_value": 50,
+ "description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)"
 },
 {
- "expanded": "High risk",
- "value": "high-risk",
- "numerical_value": 100,
- "description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)"
+ "expanded": "High risk",
+ "value": "high-risk",
+ "numerical_value": 100,
+ "description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)"
 }
- ]
+ ]
 }
 ],
 "predicates": [
@@ -116,9 +125,14 @@
 "description": "Event with this tag should not be synced to other MISP instances",
 "expanded": "Should not sync",
 "value": "should-not-sync"
+ },
+ {
+ "description": "Expansion tag incluencing the MISP behavior using expansion modules",
+ "expanded": "Expansion",
+ "value": "expansion"
 }
 ],
- "version": 3,
+ "version": 4,
 "description": "MISP taxonomy to infer with MISP behavior or operation.",
 "expanded": "MISP",
 "namespace": "misp"
diff --git a/passivetotal/machinetag.json b/passivetotal/machinetag.json
index a718f0d..fd90fc3 100644
--- a/passivetotal/machinetag.json
+++ b/passivetotal/machinetag.json
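Review bot: The new predicate description in the `@@ -116,9 +125,14 @@` hunk misspells "influencing": `"description": "Expansion tag influencing the MISP behavior using expansion modules"`. This text is shown to users as the predicate's help text, so it is worth fixing before the `version` bump to 4 ships. The `block` entry added for this predicate in the earlier `@@ -19,17 +19,26 @@` hunk has no `description` at all; a one-line note on what blocking an expansion does would help operators pick the tag correctly.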
@@ -1,86 +1,86 @@ { - "namespace" : "passivetotal", - "expanded" : "PassiveTotal", - "description": "Tags from RiskIQ's PassiveTotal service", - "version" : 1, - "predicates": [ + "namespace": "passivetotal", + "expanded": "PassiveTotal", + "description": "Tags from RiskIQ's PassiveTotal service", + "version": 1, + "predicates": [ + { + "value": "sinkholed", + "expanded": "Sinkhole Status" + }, + { + "value": "ever-comprimised", + "expanded": "Ever Comprimised?" + }, + { + "value": "class", + "expanded": "Classification" + }, + { + "value": "dynamic-dns", + "expanded": "Dynamic DNS" + } + ], + "values": [ + { + "predicate": "sinkholed", + "entry": [ { - "value" : "sinkholed", - "expanded": "Sinkhole Status" + "value": "yes", + "expanded": "Yes" }, { - "value" : "ever-comprimised", - "expanded" : "Ever Comprimised?" - }, - { - "value" : "class", - "expanded" : "Classification" - }, - { - "value" : "dynamic-dns", - "expanded": "Dynamic DNS" + "value": "no", + "expanded": "No" } - ], - "values" : [ - { - "predicate" : "sinkholed", - "entry" : [ - { - "value" : "yes", - "expanded": "Yes" - }, - { - "value" : "no", - "expanded" : "No" - } - ] + ] + }, + { + "predicate": "ever-comprimised", + "entry": [ + { + "value": "yes", + "expanded": "Yes" }, { - "predicate" : "ever-comprimised", - "entry" : [ - { - "value" : "yes", - "expanded": "Yes" - }, - { - "value" : "no", - "expanded" : "No" - } - ] - }, - { - "predicate" : "dynamic-dns", - "entry" : [ - { - "value" : "yes", - "expanded": "Yes" - }, - { - "value" : "no", - "expanded" : "No" - } - ] - }, - { - "predicate" : "class", - "entry" : [ - { - "value" : "malicious", - "expanded" : "Malicious" - }, - { - "value" : "suspicious", - "expanded": "Malicious" - }, - { - "value": "non-malicious", - "expanded": "Non Malicious" - }, - { - "value" : "unknown", - "expanded" : "Unknown" - } - ] + "value": "no", + "expanded": "No" } - ] + ] + }, + { + "predicate": "dynamic-dns", + "entry": [ + { + "value": "yes", + "expanded": 
"Yes" + }, + { + "value": "no", + "expanded": "No" + } + ] + }, + { + "predicate": "class", + "entry": [ + { + "value": "malicious", + "expanded": "Malicious" + }, + { + "value": "suspicious", + "expanded": "Malicious" + }, + { + "value": "non-malicious", + "expanded": "Non Malicious" + }, + { + "value": "unknown", + "expanded": "Unknown" + } + ] + } + ] } diff --git a/rt_event_status/machinetag.json b/rt_event_status/machinetag.json index 003b84b..094c5f5 100644 --- a/rt_event_status/machinetag.json +++ b/rt_event_status/machinetag.json @@ -1,7 +1,7 @@ { "namespace": "rt_event_status", "description": "Status of events used in Request Tracker.", - "version": "1.0", + "version": 1, "predicates": [ { "value": "event-status", diff --git a/schema.json b/schema.json new file mode 100644 index 0000000..7780811 --- /dev/null +++ b/schema.json 
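Review bot: The `suspicious` entry under the `class` predicate has `"expanded": "Malicious"`, a copy-paste from the entry above it that this reformat preserves; it should read `"expanded": "Suspicious"`, otherwise analysts see two entries with the same label in the UI. Separately, `ever-comprimised` / `"Ever Comprimised?"` misspells "compromised"; the `expanded` label can be corrected freely (`"expanded": "Ever Compromised?"`), but the `value` is a machine-tag identifier, so renaming it would orphan tags already applied and would need a `version` bump plus a migration note.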
@@ -0,0 +1,113 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "title": "Validator for misp-taxonomies",
+ "id": "https://www.github.com/MISP/misp-taxonomies/schema.json",
+ "defs": {
+ "predicate": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "value": {
+ "type": "string"
+ },
+ "colour": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "numerical_value": {
+ "type": "number"
+ },
+ "expanded": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ },
+ "entry": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "predicate": {
+ "type": "string"
+ },
+ "entry": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "value": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "expanded": {
+ "type": "string"
+ },
+ "numerical_value": {
+ "type": "number"
+ }
+ },
+ "required": [
+ "value"
+ ]
+ }
+ }
+ },
+ "required": [
+ "predicate"
+ ]
+ },
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "namespace": {
+ "type": "string"
+ },
+ "expanded": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "version": {
+ "type": "integer"
+ },
+ "predicates": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "$ref": "#/defs/predicate"
+ }
+ },
+ "values": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "object",
+ "$ref": "#/defs/entry"
+ }
+ },
+ "refs": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "namespace",
+ "description",
+ "version",
+ "predicates"
+ ]
+}
diff --git a/stix-ttp/machinetag.json b/stix-ttp/machinetag.json
index 26fc525..3327e92 100644
--- a/stix-ttp/machinetag.json
+++ b/stix-ttp/machinetag.json
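Review bot: `"$schema": "http://json-schema.org/schema#"` is not a draft meta-schema URI and `defs` is not a keyword in any published draft, so a validator such as the Python `jsonschema` CLI falls back to its default draft and the `$ref` targets only resolve because `#/defs/...` happens to be a valid JSON pointer into the document. Pin the dialect and use its definitions container — `"$schema": "http://json-schema.org/draft-04/schema#"` and `"definitions": {` — and update the two references to `#/definitions/predicate` and `#/definitions/entry`; in draft-04 the sibling `"type": "object"` next to each `$ref` is ignored, which is harmless here because both definitions already declare the type. Note also that `uniqueItems` compares whole objects, so two predicates with the same `value` but different `expanded` text still pass; a duplicate-`value` check has to live in `validate_all.sh` or a test rather than in the schema. The collapsed listing shows 112 added lines against the 113 declared in the hunk header and appears one `}` short of closing `defs`, which is probably a rendering artifact but worth confirming against the committed file.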
@@ -1,115 +1,114 @@ { - "namespace": "stix-ttp", - "expanded": "STIX TTP", - "version": 1, - "description": "TTPs are representations of the behavior or modus operandi of cyber adversaries.", - "refs": [ - "http://stixproject.github.io/documentation/idioms/industry-sector/" - ], - "predicates": [ - { - "value": "victim-targeting", - "expanded": "Victim Targeting" - } - ], - "values": [ - { - "predicate": "victim-targeting", - "entry": [ - { - "value": "business-professional-sector", - "expanded": "Business & Professional Services Sector" - }, - { - "value": "retail-sector", - "expanded": "Retail Sector" - }, - { - "value": "financial-sector", - "expanded": "Financial Services Sector" - }, - { - "value": "media-entertainment-sector", - "expanded": "Media & Entertainment Sector" - }, - { - "value": "construction-engineering-sector", - "expanded": "Construction & Engineering Sector" - }, - { - "value": "government-international-organizations-sector", - "expanded": "Goverment & International Organizations" - }, - { - "value": "legal-sector", - "expanded": "Legal Services" - }, - { - "value": "hightech-it-sector", - "expanded": "High-Tech & IT Sector" - }, - { - "value": "healthcare-sector", - "expanded": "Healthcare Sector" - }, - { - "value": "transportation-sector", - "expanded": "Transportation Sector" - }, - { - "value": "aerospace-defence-sector", - "expanded": "Aerospace & Defense Sector" - }, - { - "value": "energy-sector", - "expanded": "Energy Sector" - }, - { - "value": "food-sector", - "expanded": "Food Sector" - }, - { - "value": "natural-resources-sector", - "expanded": "Natural Resources Sector" - }, - { - "value": "other-sector", - "expanded": "Other Sector" - }, - - { - "value": "corporate-employee-information", - "expanded": "Corporate Employee Information" - }, - { - "value": "customer-pii", - "expanded": "Customer PII" - }, - { - "value": "email-lists-archives", - "expanded": "Email Lists/Archives" - }, - { - "value": "financial-data", - "expanded": 
"Financial Data" - }, - { - "value": "intellectual-property", - "expanded": "Intellectual Property" - }, - { - "value": "mobile-phone-contacts", - "expanded": "Mobile Phone Contacts" - }, - { - "value": "user-credentials", - "expanded": "User Credentials" - }, - { - "value": "authentification-cookies", - "expanded": "Authentication Cookies" - } - ] - } - ] + "namespace": "stix-ttp", + "expanded": "STIX TTP", + "version": 1, + "description": "TTPs are representations of the behavior or modus operandi of cyber adversaries.", + "refs": [ + "http://stixproject.github.io/documentation/idioms/industry-sector/" + ], + "predicates": [ + { + "value": "victim-targeting", + "expanded": "Victim Targeting" + } + ], + "values": [ + { + "predicate": "victim-targeting", + "entry": [ + { + "value": "business-professional-sector", + "expanded": "Business & Professional Services Sector" + }, + { + "value": "retail-sector", + "expanded": "Retail Sector" + }, + { + "value": "financial-sector", + "expanded": "Financial Services Sector" + }, + { + "value": "media-entertainment-sector", + "expanded": "Media & Entertainment Sector" + }, + { + "value": "construction-engineering-sector", + "expanded": "Construction & Engineering Sector" + }, + { + "value": "government-international-organizations-sector", + "expanded": "Goverment & International Organizations" + }, + { + "value": "legal-sector", + "expanded": "Legal Services" + }, + { + "value": "hightech-it-sector", + "expanded": "High-Tech & IT Sector" + }, + { + "value": "healthcare-sector", + "expanded": "Healthcare Sector" + }, + { + "value": "transportation-sector", + "expanded": "Transportation Sector" + }, + { + "value": "aerospace-defence-sector", + "expanded": "Aerospace & Defense Sector" + }, + { + "value": "energy-sector", + "expanded": "Energy Sector" + }, + { + "value": "food-sector", + "expanded": "Food Sector" + }, + { + "value": "natural-resources-sector", + "expanded": "Natural Resources Sector" + }, + { + "value": 
"other-sector",
+ "expanded": "Other Sector"
+ },
+ {
+ "value": "corporate-employee-information",
+ "expanded": "Corporate Employee Information"
+ },
+ {
+ "value": "customer-pii",
+ "expanded": "Customer PII"
+ },
+ {
+ "value": "email-lists-archives",
+ "expanded": "Email Lists/Archives"
+ },
+ {
+ "value": "financial-data",
+ "expanded": "Financial Data"
+ },
+ {
+ "value": "intellectual-property",
+ "expanded": "Intellectual Property"
+ },
+ {
+ "value": "mobile-phone-contacts",
+ "expanded": "Mobile Phone Contacts"
+ },
+ {
+ "value": "user-credentials",
+ "expanded": "User Credentials"
+ },
+ {
+ "value": "authentification-cookies",
+ "expanded": "Authentication Cookies"
+ }
+ ]
+ }
+ ]
 }
diff --git a/tlp/machinetag.json b/tlp/machinetag.json
index 11a05a9..bb967a7 100644
--- a/tlp/machinetag.json
+++ b/tlp/machinetag.json
@@ -1,5 +1,4 @@
 {
- "values": null,
 "predicates": [
 {
 "colour": "#CC0033",
diff --git a/validate_all.sh b/validate_all.sh
new file mode 100755
index 0000000..e68a443
--- /dev/null
+++ b/validate_all.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+set -x
+
+./jq_all_the_things.sh
+
+diffs=`git status --porcelain | wc -l`
+
+if ! [ $diffs -eq 1 ]; then
+ echo "Please make sure you run ./jq_all_the_things.sh before commiting."
+ exit 1
+fi
+
+for dir in */machinetag.json
+do
+ echo -n "${dir}: "
+ jsonschema -i ${dir} schema.json
+ echo ''
+done
+
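Review bot: The reformatted `values` list still carries `"expanded": "Goverment & International Organizations"` for `government-international-organizations-sector`; it should be `"expanded": "Government & International Organizations"`, and since `expanded` is display-only it can be fixed without a `version` bump. The `authentification-cookies` value is also misspelled, but it is a machine-tag identifier that may already be in use, so leave the `value` alone and keep the already-correct `"Authentication Cookies"` label.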
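Review bot: `if ! [ $diffs -eq 1 ]` ties the drift check to an exact `git status --porcelain` line count, which appears to assume exactly one unrelated entry in the working tree; on a clean local checkout the count is 0 and the script refuses to validate, while any stray untracked file flips the result. Check only the files the formatter touches instead: `if ! git diff --quiet -- '*.json'; then`, which exits non-zero exactly when a tracked JSON file was changed by `./jq_all_the_things.sh` and ignores untracked content (the `diffs=` line then goes away). While there, the message misspells "committing": `echo "Please make sure you run ./jq_all_the_things.sh before committing."`. The `jsonschema -i ${dir} schema.json` call should quote `"${dir}"` for consistency with the loop in the formatter script.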