Merge branch 'master' of github.com:MISP/misp-taxonomies

pull/54/head
Alexandre Dulaunoy 2016-12-07 06:57:49 +01:00
commit fe78b3e4a3
3 changed files with 55 additions and 11 deletions

View File

@ -20,21 +20,21 @@ The following taxonomies are described:
- [eCSIRT](./ecsirt) and IntelMQ incident classification
- [ENISA](./enisa) ENISA Threat Taxonomy
- [Estimative Language](./estimative-language) Estimative Language (ICD 203)
- [EU critical sectors](./eu-critical-sectors) - EU critical sectors
- [EU NIS Critical Infrastructure Operators](./eu-marketop-and-publicadmin) - EU NIS Critical Infrastructure Operators
- [EUCI](./euci) - EU classified information marking
- [Europol Incident](./europol-incident) - Europol class of incident taxonomy
- [Europol Events](./europol-events) - Europol type of events taxonomy
- [Europol Events](./europol-event) - Europol type of events taxonomy
- [FIRST CSIRT Case](./csirt_case_classification) classification
- [FIRST Information Exchange Policy (IEP)](./iep) framework
- [Information Security Indicators](./information-security-indicators) - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators
- [Information Security Marking Metadata](./dni-ism) from DNI (Director of National Intelligence - US)
- [Malware](./malware) classification based on a SANS document
- [Malware](./malware_classification) classification based on a SANS document
- [ms-caro-malware](./ms-caro-malware) Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.
- [NATO Classification Marking](./nato)
- [Open Threat Taxonomy v1.1 (SANS)](./open-threat)
- [Open Threat Taxonomy v1.1 (SANS)](./open_threat)
- [OSINT Open Source Intelligence - Classification](./osint)
- [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)
- [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./pap)
- [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
- [TLP - Traffic Light Protocol](./tlp)
- Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
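Review bot: the corrected link targets now mix three naming conventions in one list: hyphenated (`./europol-event`), underscored (`./malware_classification`, `./open_threat`) and upper-case (`./PAP`). The targets have to match the directory names exactly on a case-sensitive filesystem, so pointing at the real paths is right, but `./PAP` is the only capitalised entry; consider renaming the directory (and its namespace) to `pap` rather than carrying the capital into the README. The PAP entry also uses its whole description sentence as link text; the TLP line right below shows the intended style, e.g. `- [PAP - Permissible Actions Protocol](./pap)`. Separately, this commit adds a new `diamond-model` taxonomy file but this list is not extended to include it, and the summary shows only three files touched, so check that the README entry and whatever manifest the repository keeps of namespaces are both updated for the new taxonomy.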
@ -79,7 +79,7 @@ ENISA Threat Taxonomy - A tool for structuring threat information [as published]
Estimative language - including likelihood or probability of event based on the Intelligence Community Directive 203 (ICD 203) (6.2.(a)).
### [EU Critical Sectors](./eu-critical-sectors)
### [EU NIS Critical Infrastructure Operators](./eu-marketop-and-publicadmin)
Market operators and public administrations that must comply to some notifications requirements under EU NIS directive.
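Review bot: the unchanged description under the renamed heading reads "must comply to some notifications requirements"; since the heading is being touched anyway, fix the grammar to "must comply with notification requirements under the EU NIS directive". Also check that the new heading text is mirrored in the taxonomy's own `expanded` field so the README and the machinetag file agree on the name.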
@ -91,7 +91,7 @@ EU classified information (EUCI) means any information or material designated by
EUROPOL class of incident taxonomy
### [Europol Events](./europol-events)
### [Europol Events](./europol-event)
EUROPOL type of events taxonomy
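Review bot: the description line "EUROPOL type of events taxonomy" only restates the heading. A one-line pointer to the Europol document that defines the event types would make the entry usable, in the way the ENISA and Estimative Language entries above cite their source publications.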
@ -109,7 +109,7 @@ Information security indicators have been standardized by the [ETSI Industrial S
ISM (Information Security Marking Metadata) [V13](http://www.dni.gov/index.php/about/organization/chief-information-officer/information-security-marking-metadata) as described by DNI.gov.
### [Malware](./malware) classification
### [Malware](./malware_classification) classification
Malware classification based on a [SANS whitepaper about malware](https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848).
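Review bot: the heading keeps the link text "Malware" while the directory becomes `malware_classification`; if the namespace declared in that directory's machinetag file is `malware_classification`, say so in the heading, because users tag with `namespace:predicate` and will search the README for the namespace string, not for the folder.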
@ -119,11 +119,11 @@ Malware classification based on a [SANS whitepaper about malware](https://www.sa
Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.
### [Open Threat Taxonomy v1.1](./open-threat)
### [Open Threat Taxonomy v1.1](./open_threat)
Open Threat Taxonomy v1.1 base on James Tarala of SANS [ref](http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf).
### [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./pap)
### [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. It's a protocol/taxonomy similar to TLP informing the recipients of information what they can do with the received information.
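Review bot: the PAP heading is a full sentence that is repeated verbatim as the first sentence of the description on the next line; shorten the heading to `### [PAP - Permissible Actions Protocol](./PAP)` and let the description carry the explanation. While in this hunk, the unchanged context line "Open Threat Taxonomy v1.1 base on James Tarala of SANS" should read "based on the work of James Tarala (SANS)". The same remark as in the list above applies to the capitalised `./PAP` path.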

View File

@ -0,0 +1,25 @@
{
"namespace": "diamond-model",
"expanded": "Diamond Model for Intrusion Analysis",
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack.",
"version": 1,
"predicates": [
{
"value": "Adversary",
"expanded": "An adversary is the actor/organization responsible for utilizing a capability against the victim to achieve their intent."
},
{
"value": "Capability",
"expanded": "The capability describes the tools and/or techniques of the adversary used in the event. It includes all means to affect the victim from the most manual “unsophisticated” methods (e.g., manual password guessing) to the most sophisticated automated techniques."
},
{
"value": "Infrastructure",
"expanded": "The infrastructure feature describes the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (e.g., commandand-control/C2), and effect results from the victim (e.g., exfiltrate data). As with the other features, the infrastructure can be as specific or broad as necessary. Examples include: Internet Protocol (IP) addresses, domain names, e-mail addresses, Morse code flashes from a phones voice-mail light watched from across a street, USB devices found in a parking lot and inserted into a workstation, or the compromising emanations from hardware (e.g., Van Eck Phreaking) being collected by a nearby listening post."
},
{
"value": "Victim",
"expanded": "A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. A victim can be described in whichever way necessary and appropriate: organization, person, target email address, IP address, domain, etc. However, it is useful to define the victim persona and their assets separately as they serve different analytic functions. Victim personae are useful in non-technical analysis such as cyber-victimology and social-political centered approaches whereas victim assets are associated with common technical approaches such as vulnerability analysis.."
}
],
"values": null
}
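Review bot: the `description` field is wrong on two counts and contradicts the predicates it introduces. The Diamond Model of Intrusion Analysis is the event-based model by Caltagirone, Pendergast and Betz (2013), built on exactly the four core features listed here (adversary, capability, infrastructure, victim); the phase-based Lockheed Martin model that "identifies the stage of an attack" is the Cyber Kill Chain, not this one. Suggested wording: "The Diamond Model of Intrusion Analysis, as described by Caltagirone, Pendergast and Betz, describes an intrusion event by its four core features: adversary, capability, infrastructure and victim." Next, the predicate values are capitalised (`Adversary`, `Capability`, ...) while the `tool` and `threat-actor` predicates in the next file are lower-case; the resulting tags would be `diamond-model:Adversary`, so lower-case them for consistency with the rest of the repository. The long definitions sit in `expanded`, which elsewhere in this diff is a short display label with the definition in `description` (compare the tool entries in the next file); move them accordingly. Finally, typos in the text lifted from the paper: "commandand-control" should be "command-and-control", "phones voice-mail light" should be "phone's voice-mail light", and the Victim entry ends in a double period; the curly quotes around "unsophisticated" are raw UTF-8 while the next file escapes them as \u201c/\u201d, so pick one convention.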

View File

@ -681,6 +681,21 @@
"description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. ",
"expanded": "Explosive",
"value": "Explosive"
},
{
"description": "The actors used a new version of \u201cKeyBoy,\u201d a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data",
"expanded": "KeyBoy",
"value": "KeyBoy"
},
{
"description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware...",
"expanded": "Yahoyah",
"value": "Yahoyah"
},
{
"description": "Delphi RAT used by Sofacy.",
"expanded": "Tartine",
"value": "Tartine"
}
],
"predicate": "tool"
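Review bot: the four new tool entries reuse vendor report text without a source; the Yahoyah description even ends in "..." where the copied paragraph was cut off, and "Delphi RAT used by Sofacy." gives a reader nothing to verify against. Add the report URL (or at least vendor and year) to each description, as the KeyBoy text half-does by naming Rapid7 and June 2013, and finish or trim the Yahoyah sentence so it no longer ends in an ellipsis. The trailing space inside the Explosive description ("Explosive. ") should also go, since it is carried verbatim into the tag's display text.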
@ -776,6 +791,10 @@
"expanded": "Wekby",
"value": "Wekby"
},
{
"expanded": "Tropic Trooper",
"value": "Tropic Trooper"
},
{
"expanded": "Axiom",
"value": "Axiom"
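Review bot: "Tropic Trooper" is added as a threat-actor with no `description`, while two of the tool entries added above (KeyBoy, Yahoyah) reference that campaign; a short description citing the same report would let a user follow from the tool tags to the actor tag. Also confirm the name does not already appear under another spelling earlier in this unsorted list, since duplicate actor values are easy to miss in a file this size.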
@ -1131,5 +1150,5 @@
"predicate": "threat-actor"
}
],
"version": 4
"version": 5
}