{ "namespace": "adversary", "description": "An overview and description of the adversary infrastructure", "version": 5, "predicates": [ { "value": "infrastructure-status", "expanded": "Infrastructure Status" }, { "value": "infrastructure-action", "expanded": "Infrastructure Action" }, { "value": "infrastructure-state", "expanded": "Infrastructure State" }, { "value": "infrastructure-type", "expanded": "Infrastructure Type" } ], "values": [ { "predicate": "infrastructure-status", "entry": [ { "value": "unknown", "expanded": "Infrastructure ownership and status is unknown" }, { "value": "compromised", "expanded": "Infrastructure compromised by or in the benefit of the adversary" }, { "value": "own-and-operated", "expanded": "Infrastructure own and operated by the adversary" } ] }, { "predicate": "infrastructure-action", "entry": [ { "value": "passive-only", "expanded": "Only passive requests shall be performed to avoid detection by the adversary" }, { "value": "take-down", "expanded": "Take down requests can be performed in order to deactivate the adversary infrastructure" }, { "value": "monitoring-active", "expanded": "Monitoring requests are ongoing on the adversary infrastructure" }, { "value": "pending-law-enforcement-request", "expanded": "Law enforcement requests are ongoing on the adversary infrastructure" }, { "value": "sinkholed", "expanded": "Infrastructure of the adversary is sinkholed and information is collected" } ] }, { "predicate": "infrastructure-state", "entry": [ { "value": "unknown", "expanded": "Infrastructure state is unknown or cannot be evaluated" }, { "value": "active", "expanded": "Infrastructure state is active and actively used by the adversary" }, { "value": "down", "expanded": "Infrastructure state is known to be down" } ] }, { "predicate": "infrastructure-type", "entry": [ { "value": "unknown", "expanded": "Infrastructure usage by the adversary is unknown" }, { "value": "proxy", "expanded": "Infrastructure used as proxy between the target and the adversary" }, { "value": "drop-zone", "expanded": "Infrastructure used by the adversary to store information related to his campaigns" }, { "value": "exploit-distribution-point", "expanded": "Infrastructure used to distribute exploit towards target(s)" }, { "value": "vpn", "expanded": "Infrastructure used by the adversary as Virtual Private Network to hide activities and reduce the traffic analysis surface" }, { "value": "panel", "expanded": "Panel used by the adversary to control or maintain his infrastructure" }, { "value": "tds", "expanded": "Traffic Distribution Systems including exploit delivery or/and web monetization channels" } ] } ] }