MISP
/
misp-taxonomies
mirror of https://github.com/MISP/misp-taxonomies
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of github.com:MISP/misp-taxonomies

pull/61/head
Raphaël Vinot 2017-04-02 22:07:23 +02:00
parent 8930ad0a2e 0b02703c40
commit dbcc46cd0f
28 changed files with 1496 additions and 1121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.travis.yml
View File

@ -7,26 +7,22 @@ sudo: required
dist: trusty
python:
- "2.7"
- "3.3"
- "3.4"
- "3.5"
- "3.5-dev"
- "3.6"
- "3.6-dev"
- "nightly"
install:
- git clone https://github.com/stedolan/jq.git
- pushd jq
- autoreconf -i
- ./configure --disable-maintainer-mode
- make
- sudo make install
- popd
- sudo apt-get update -qq
- sudo apt-get install -y -qq jq moreutils
- pip install jsonschema
- git clone https://github.com/MISP/PyTaxonomies.git
- pushd PyTaxonomies
- pip install .
- popd
script:
- cat */*.json | jq .
- ./validate_all.sh
- pytaxonomies -l MANIFEST.json -a

12
MANIFEST.json
View File

@ -1,5 +1,5 @@
{
"version": "20170108",
"version": "20170129",
"license": "CC-0",
"description": "Manifest file of MISP taxonomies available.",
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
@ -35,6 +35,11 @@
"name": "dhs-ciip-sectors",
"version": 2
},
{
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.",
"name": "diamond-model",
"version": 1
},
{
"description": "ISM (Information Security Marking Metadata) V13 as described by DNI.gov (Director of National Intelligence - US).",
"name": "dni-ism",
@ -165,6 +170,11 @@
"name": "stix-ttp",
"version": 1
},
{
"description": "AccessNow Taxonomy",
"name": "accessnow",
"version": 1
},
{
"description": "Tags for RiskIQ's passivetotal service",
"name": "passivetotal",

3
PAP/machinetag.json
View File

@ -24,6 +24,5 @@
"expanded": "(PAP:WHITE) No restrictions in using this information.",
"colour": "#ffffff"
}
],
"values": null
]
}

6
README.md
View File

@ -16,6 +16,7 @@ The following taxonomies are described:
- [Cyber Kill Chain](./kill-chain) from Lockheed Martin
- DE German (DE) [Government classification markings (VS)](./de-vs)
- [DHS CIIP Sectors](./dhs-ciip-sectors)
- [Diamond Model for Intrusion Analysis](./diamond-model)
- [Domain Name Abuse](./domain-abuse)
- [eCSIRT](./ecsirt) and IntelMQ incident classification
- [ENISA](./enisa) ENISA Threat Taxonomy
@ -64,6 +65,11 @@ Taxonomy for the handling of protectively marked information in MISP with German
DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.
### [Diamond Model for Intrusion Analysis](./diamond-model)
The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack
as described in [http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf](http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf).
### [Domain Name Abuse](./domain-abuse)
Taxonomy to tag domain names used for cybercrime.

117
accessnow/machinetag.json Normal file
View File

@ -0,0 +1,117 @@
{
"namespace": "accessnow",
"description": "Access Now",
"version": 1,
"predicates": [
{
"value": "anti-corruption-transparency",
"expanded": "Anti-Corruption and transparency",
"description": "The organization campaigns, or takes other actions against corruption and transparency."
},
{
"value": "anti-war-violence",
"expanded": "Anti-War / Anti-Violence",
"description": "The organization campaigns, or takes other actions against war"
},
{
"value": "culture",
"expanded": "Culture",
"description": "The organization campaigns or acts to promote cultural events Humanitarian Aid/Need Issues: relates to improving life for individuals in the developing world (right to shelter, right to education, right to food, right to water)"
},
{
"value": "economic-change",
"expanded": "Economic Change",
"description": "Issues of economic policy, wealth distribution, etc."
},
{
"value": "education",
"expanded": "Education",
"description": "The organization is concerned with some form of education"
},
{
"value": "election-monitoring",
"expanded": "Election Monitoring",
"description": "The organization is an election monitor, or involved in election monitoring"
},
{
"value": "environment",
"expanded": "Environment",
"description": "The organization campaigns or acts to protect the environment"
},
{
"value": "freedom-expression",
"expanded": "Freedom of Expression",
"description": "The organization is concerned with freedom of speech issues"
},
{
"value": "freedom-tool-development",
"expanded": "Freedom Tool Development",
"description": "The organization develops tools for use in defending or extending digital rights"
},
{
"value": "funding",
"expanded": "Funding",
"description": " The organization is a funder of organizations or projects working with at risk users"
},
{
"value": "health",
"expanded": "Health Issues",
"description": "The organization prevents epidemic illness or acts on curing them"
},
{
"value": "human-rights",
"expanded": "Human Rights Issues",
"description": "relating to the detection, recording, exposure, or challenging of abuses of human rights"
},
{
"value": "internet-telecom",
"expanded": "Internet and Telecoms",
"description": "Issues of digital rights in electronic communications"
},
{
"value": "lgbt-gender-sexuality",
"expanded": "LGBT / Gender / Sexuality",
"description": "Issues relating to the Lesbian, Gay, Bi, Transgender community"
},
{
"value": "policy",
"expanded": "Policy",
"description": "The organization is a policy think-tank, or policy advocate"
},
{
"value": "politics",
"expanded": "Politics",
"description": "The organization takes a strong political view or is a political entity"
},
{
"value": "privacy",
"expanded": "Privacy",
"description": "Issues relating to the individual's reasonable right to privacy"
},
{
"value": "rapid-response",
"expanded": "Rapid Response",
"description": "The organization provides rapid response type capability for civil society"
},
{
"value": "refugees",
"expanded": "Refugees",
"description": "Issues relating to displaced people"
},
{
"value": "security",
"expanded": "Security",
"description": "Issues relating to physical or information security"
},
{
"value": "womens-right",
"expanded": "Women's Rights",
"description": "Issues pertaining to inequality between men and women, or issues of particular relevance to women"
},
{
"value": "youth-rights",
"expanded": "Youth Rights",
"description": "Issues of particular relevance to youth"
}
]
}

1
csirt_case_classification/machinetag.json
View File

@ -102,4 +102,3 @@
}
]
}

43
ddos/machinetag.json Normal file
View File

@ -0,0 +1,43 @@
{
"namespace": "ddos",
"expanded": " Distributed Denial of Service",
"description": " Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too.",
"version": 1,
"refs": [
"https://en.wikipedia.org/wiki/Denial-of-service_attack"
],
"values": [
{
"predicate": "type",
"entry": [
{
"value": "amplification-attack",
"expanded": "Amplification attack"
},
{
"value": "reflected-spoofed-attack",
"expanded": "Reflected and Spoofed attack"
},
{
"value": "slow-read-attack",
"expanded": "Slow Read attack"
},
{
"value": "flooding-attack",
"expanded": "Flooding attack"
},
{
"value": "post-attack",
"expanded": "Large POST HTTP attack"
}
]
}
],
"predicates": [
{
"value": "type",
"expanded": "Type",
"description": "Types and techniques described the way that the attack is performed to launch the Denial of Service attacks. A combination of type values can be used to explain combined techniques and methods."
}
]
}

66
dhs-ciip-sectors/machinetag.json
View File

@ -2,63 +2,85 @@
"namespace": "dhs-ciip-sectors",
"description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors",
"version": 2,
"predicates": [{
"predicates": [
{
"value": "DHS-critical-sectors",
"expanded": "DHS critical sectors"
}, {
},
{
"value": "sector",
"expanded": "Sector"
}],
"values": [{
}
],
"values": [
{
"predicate": "DHS-critical-sectors",
"entry": [{
"entry": [
{
"value": "chemical",
"expanded": "Chemical"
}, {
},
{
"value": "commercial-facilities",
"expanded": "Commercial Facilities"
}, {
},
{
"value": "communications",
"expanded": "Communications"
}, {
},
{
"value": "critical-manufacturing",
"expanded": "Critical Manufacturing"
}, {
},
{
"value": "dams",
"expanded": "Dams"
}, {
},
{
"value": "dib",
"expanded": "Defense Industrial Base"
}, {
},
{
"value": "emergency-services",
"expanded": "Emergency services"
}, {
},
{
"value": "energy",
"expanded": "energy"
}, {
},
{
"value": "financial-services",
"expanded": "Financial Services"
}, {
},
{
"value": "food-agriculture",
"expanded": "Food and Agriculture"
}, {
},
{
"value": "government-facilities",
"expanded": "Government Facilities"
}, {
},
{
"value": "healthcare-public",
"expanded": "Healthcare and Public Health"
}, {
},
{
"value": "it",
"expanded": "Information Technology"
}, {
},
{
"value": "nuclear",
"expanded": "Nuclear"
}, {
},
{
"value": "transport",
"expanded": "Transportation Systems"
}, {
},
{
"value": "water",
"expanded": "Water and water systems"
}]
}]
}
]
}
]
}

7
diamond-model/machinetag.json
View File

@ -3,7 +3,9 @@
"expanded": "Diamond Model for Intrusion Analysis",
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.",
"version": 1,
"ref": ["http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf"],
"refs": [
"http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf"
],
"predicates": [
{
"value": "Adversary",
@ -21,6 +23,5 @@
"value": "Victim",
"expanded": "A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. A victim can be described in whichever way necessary and appropriate: organization, person, target email address, IP address, domain, etc. However, it is useful to define the victim persona and their assets separately as they serve different analytic functions. Victim personae are useful in non-technical analysis such as cyber-victimology and social-political centered approaches whereas victim assets are associated with common technical approaches such as vulnerability analysis.."
}
],
"values": null
]
}

1
enisa/machinetag.json
View File

@ -307,7 +307,6 @@
"value": "failure-or-disruption-of-communication-links-communication networks",
"expanded": "Failure or disruption of communication links (communication networks)",
"description": "Threat of failure or malfunction of communications links."
},
{
"value": "failure-of-cable-networks",

70
eu-marketop-and-publicadmin/machinetag.json
View File

@ -2,61 +2,83 @@
"namespace": "eu-marketop-and-publicadmin",
"description": "Market operators and public administrations that must comply to some notifications requirements under EU NIS directive",
"version": 1,
"predicates": [{
"predicates": [
{
"value": "critical-infra-operators",
"expanded": "Critical Infrastructure Operators"
}, {
},
{
"value": "info-services",
"expanded": "Information Society services enablers"
}, {
},
{
"value": "public-admin",
"expanded": "Public administration"
}],
"values": [{
}
],
"values": [
{
"predicate": "critical-infra-operators",
"entry": [{
"entry": [
{
"value": "transport",
"expanded": "Transport"
}, {
},
{
"value": "energy",
"expanded": "Energy"
}, {
},
{
"value": "health",
"expanded": "Health"
}, {
},
{
"value": "financial",
"expanded": "Financial market operators"
}, {
},
{
"value": "banking",
"expanded": "Banking"
}]
}, {
}
]
},
{
"predicate": "info-services",
"entry": [{
"entry": [
{
"value": "e-commerce",
"expanded": "e-commerce platforms"
}, {
},
{
"value": "internet-payment",
"expanded": "Internet payment"
}, {
},
{
"value": "cloud",
"expanded": "cloud computing"
}, {
},
{
"value": "search-engines",
"expanded": "search engines"
}, {
},
{
"value": "socnet",
"expanded": "social networks"
}, {
},
{
"value": "app-stores",
"expanded": "application stores"
}]
}, {
}
]
},
{
"predicate": "public-admin",
"entry": [{
"entry": [
{
"value": "public-admin",
"expanded": "Public Administrations"
}]
}]
}
]
}
]
}

3
euci/machinetag.json
View File

@ -23,6 +23,5 @@
"expanded": "RESTREINT UE/EU RESTRICTED",
"description": "Information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States."
}
],
"values": null
]
}

3
europol-event/machinetag.json
View File

@ -234,6 +234,5 @@
"expanded": "Undetermined",
"description": "Field aimed at the classification of unprocessed events, which have remained undetermined from the beginning."
}
],
"values": null
]
}

2
iep/machinetag.json
View File

@ -26,7 +26,7 @@
{
"value": "end-date",
"expanded": "POLICY END DATE",
"description": "States the UTC4 date that the IEP is effective until."
"description": "States the UTC date that the IEP is effective until."
},
{
"value": "reference",

29
information-security-indicators/machinetag.json
View File

@ -1,7 +1,7 @@
{
"namespace": "information-security-indicators",
"description": "A full set of operational indicators for organizations to use to benchmark their security posture.",
"version": "1",
"version": 1,
"predicates": [
{
"value": "IEX",
@ -139,7 +139,8 @@
"description": "This indicator measures illicit entrance of individuals into security perimeter."
}
]
},{
},
{
"predicate": "IMF",
"entry": [
{
@ -188,7 +189,8 @@
"description": "This indicator primarily relates to Personal Identifiable Information (PII) protected by privacy laws, to information falling under the PCI-DSS regulation, to information falling under European regulation in the area of breach notification (Telcos and ISPs to begin with), and to information about electronic exchanges between employees and the exterior (electronic messaging and Internet connection). This indicator does not include possible difficulties pertaining to proof forwarding from field operations to governance (state-of-the-art unavailable). This indicator is a sub-set of indicator IMF_LOG.1, but can be identical to this one in advanced organizations."
}
]
},{
},
{
"predicate": "IDB",
"entry": [
{
@ -247,7 +249,8 @@
"description": "This event is generally decided and deployed by an administrator in order to improve performance of the system under his/her responsibility (illicit voluntary stoppage). This indicator is a reduced subset of indicator IUS_RGH.5"
}
]
},{
},
{
"predicate": "IWH",
"entry": [
{
@ -281,7 +284,8 @@
"description": "This indicator measures security incidents tied to assets (on servers) non-inventoried and not managed by appointed teams. It is a key indicator insofar as a high percentage of incidents corresponds with this indicator on average in the profession (according to some public surveys)."
}
]
},{
},
{
"predicate": "VBH",
"entry": [
{
@ -400,7 +404,8 @@
"description": "This vulnerability applies to discussions through on-line media leading to leakage of personal identifiable information (PII) or various business details to be used later (notably for identity usurpation) "
}
]
},{
},
{
"predicate": "VSW",
"entry": [
{
@ -419,7 +424,8 @@
"description": "This indicators measures software vulnerabilities detected in Web browsers running on workstations."
}
]
},{
},
{
"predicate": "VCF",
"entry": [
{
@ -473,7 +479,8 @@
"description": "This indicator measures accounts inactive for at least 2 months that have not been disabled. These accounts are not used by their users due to prolonged but not definitive absence (long term illness, maternity, etc.), with the exclusion of messaging accounts (which should remain accessible to users from their home)."
}
]
},{
},
{
"predicate": "VTC",
"entry": [
{
@ -507,7 +514,8 @@
"description": "This indicator includes access to protected internal areas. The 1st cause is the lack of effective control of users at software level. The 2nd cause is hardware breakdown of a component in the chain."
}
]
},{
},
{
"predicate": "VOR",
"entry": [
{
@ -556,7 +564,8 @@
"description": "This indicator measures the launch of new IT projects of a standard type without identification of vulnerabilities and threats and of related security measures. For these IT projects, potential implementation of a simplified risk analysis method or of pre-defined security profiles can be applied."
}
]
},{
},
{
"predicate": "IMP",
"entry": [
{

14
jq_all_the_things.sh Executable file
View File

@ -0,0 +1,14 @@
#!/bin/bash
set -e
set -x
# Seeds sponge, from moreutils
for dir in ./*/machinetag.json
do
cat ${dir} | jq . | sponge ${dir}
done
cat schema.json | jq . | sponge schema.json
cat MANIFEST.json | jq . | sponge MANIFEST.json

3
kill-chain/machinetag.json
View File

@ -32,6 +32,5 @@
"value": "Actions on Objectives",
"expanded": "Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network."
}
],
"values": null
]
}

7
malware_classification/machinetag.json
View File

@ -1,7 +1,7 @@
{
"namespace": "malware_classification",
"description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
"version": 1,
"version": 2,
"predicates": [
{
"value": "malware-category",
@ -89,10 +89,6 @@
"value": "armouring",
"expanded": "armouring"
},
{
"value": "encryption",
"expanded": "encryption"
},
{
"value": "tunneling",
"expanded": "tunneling"
@ -163,4 +159,3 @@
}
]
}

16
misp/machinetag.json
View File

@ -18,6 +18,15 @@
],
"predicate": "api"
},
{
"entry": [
{
"expanded": "block",
"value": "block"
}
],
"predicate": "expansion"
},
{
"predicate": "contributor",
"entry": [
@ -116,9 +125,14 @@
"description": "Event with this tag should not be synced to other MISP instances",
"expanded": "Should not sync",
"value": "should-not-sync"
},
{
"description": "Expansion tag incluencing the MISP behavior using expansion modules",
"expanded": "Expansion",
"value": "expansion"
}
],
"version": 3,
"version": 4,
"description": "MISP taxonomy to infer with MISP behavior or operation.",
"expanded": "MISP",
"namespace": "misp"

2
rt_event_status/machinetag.json
View File

@ -1,7 +1,7 @@
{
"namespace": "rt_event_status",
"description": "Status of events used in Request Tracker.",
"version": "1.0",
"version": 1,
"predicates": [
{
"value": "event-status",

113
schema.json Normal file
View File

@ -0,0 +1,113 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-taxonomies",
"id": "https://www.github.com/MISP/misp-taxonomies/schema.json",
"defs": {
"predicate": {
"type": "object",
"additionalProperties": false,
"properties": {
"value": {
"type": "string"
},
"colour": {
"type": "string"
},
"description": {
"type": "string"
},
"numerical_value": {
"type": "number"
},
"expanded": {
"type": "string"
}
},
"required": [
"value"
]
},
"entry": {
"type": "object",
"additionalProperties": false,
"properties": {
"predicate": {
"type": "string"
},
"entry": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"value": {
"type": "string"
},
"description": {
"type": "string"
},
"expanded": {
"type": "string"
},
"numerical_value": {
"type": "number"
}
},
"required": [
"value"
]
}
}
}
},
"required": [
"predicate"
]
},
"type": "object",
"additionalProperties": false,
"properties": {
"namespace": {
"type": "string"
},
"expanded": {
"type": "string"
},
"description": {
"type": "string"
},
"version": {
"type": "integer"
},
"predicates": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"$ref": "#/defs/predicate"
}
},
"values": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"$ref": "#/defs/entry"
}
},
"refs": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
},
"required": [
"namespace",
"description",
"version",
"predicates"
]
}

1
stix-ttp/machinetag.json
View File

@ -76,7 +76,6 @@
"value": "other-sector",
"expanded": "Other Sector"
},
{
"value": "corporate-employee-information",
"expanded": "Corporate Employee Information"

1
tlp/machinetag.json
View File

@ -1,5 +1,4 @@
{
"values": null,
"predicates": [
{
"colour": "#CC0033",

21
validate_all.sh Executable file
View File

@ -0,0 +1,21 @@
#!/bin/bash
set -e
set -x
./jq_all_the_things.sh
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 1 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
exit 1
fi
for dir in */machinetag.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema.json
echo ''
done