{
"values": [
{
"entry": [
{
"description": "Malware detected in a system.",
"expanded": "Infection",
"value": "infection"
},
{
"description": "Malware attached to a message or email message containing a link to a malicious URL or IP.",
"expanded": "Distribution",
"value": "distribution"
},
{
"description": "System used as a command-and-control point by a botnet. Also included in this field are systems serving as a point for gathering information stolen by botnets.",
"expanded": "Command & Control (C&C)",
"value": "command-and-control"
},
{
"description": "System attempting to gain access to a port normally linked to a specific type of malware / System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet.",
"expanded": "Malicious connection",
"value": "malicious-connection"
}
],
"predicate": "malware"
},
{
"entry": [
{
"description": "Single source using specially designed software to affect the normal functioning of a specific service, by exploiting vulnerability / Mass mailing of requests (network packets, emails, etc.) from one single source to a specific service, aimed at affecting its normal functioning.",
"expanded": "Denial of Service (DoS) / Distributed Denial of Service (DDoS)",
"value": "dos-ddos"
},
{
"description": "Logical and physical activities which – although they are not aimed at causing damage to information or at preventing its transmission among systems – have this effect.",
"expanded": "Sabotage",
"value": "sabotage"
}
],
"predicate": "availability"
},
{
"entry": [
{
"description": "Single system scan searching for open ports or services using these ports for responding / Scanning a network aimed at identifying systems which are active in the same network / Transfer of a specific DNS zone.",
"expanded": "Scanning",
"value": "scanning"
},
{
"description": "Logical or physical interception of communications.",
"expanded": "Sniffing",
"value": "sniffing"
},
{
"description": "Mass emailing aimed at collecting data for phishing purposes with regard to the victims / Hosting web sites for phishing purposes.",
"expanded": "Phishing",
"value": "phishing"
}
],
"predicate": "information-gathering"
},
{
"entry": [
{
"description": "Unsuccessful use of a tool exploiting a specific vulnerability of the system / Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique / Unsuccessful attempts to perform attacks by using cross-site scripting techniques / Unsuccessful attempt to include files in the system under attack by using file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.",
"expanded": "Exploitation of vulnerability attempt",
"value": "vulnerability-exploitation-attempt"
},
{
"description": "Unsuccessful login by using sequential credentials for gaining access to the system / Unsuccessful acquisition of access credentials by breaking the protective cryptographic keys / Unsuccessful login by using system access credentials previously loaded into a dictionary.",
"expanded": "Login attempt",
"value": "login-attempt"
}
],
"predicate": "intrusion-attempt"
},
{
"entry": [
{
"description": "Unauthorised use of a tool exploiting a specific vulnerability of the system / Unauthorised manipulation or reading of information contained in a database by using the SQL injection technique / Attack performed with the use of cross-site scripting techniques / Unauthorised inclusion of files into a system under attack with the use of file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.",
"expanded": "(Successful) Exploitation of vulnerability",
"value": "vulnerability-exploitation"
},
{
"description": "Unauthorised access to a system or component by using stolen access credentials.",
"expanded": "Compromising an account",
"value": "account-compromise"
}
],
"predicate": "intrusion"
},
{
"entry": [
{
"description": "Unauthorised access to a system or component / Unauthorised access to a set of information / Unauthorised access to and sharing of a specific set of information.",
"expanded": "Unauthorised access",
"value": "unauthorised-access"
},
{
"description": "Unauthorised changes to a specific set of information / Unauthorised deleting of a specific set of information.",
"expanded": "Unauthorised modification / deletion",
"value": "unauthorised-modification-or-deletion"
}
],
"predicate": "information-security"
},
{
"entry": [
{
"description": "Use of institutional resources for purposes other than those intended.",
"expanded": "Misuse or unauthorised use of resources",
"value": "resources-misuse"
},
{
"description": "Unauthorised use of the name of an institution.",
"expanded": "False representation",
"value": "false-representation"
}
],
"predicate": "fraud"
},
{
"entry": [
{
"description": "Sending an unusually large quantity of email messages / Unsolicited or unwanted email message sent to the recipient.",
"expanded": "SPAM",
"value": "spam"
},
{
"description": "Unauthorised distribution or sharing of content protected by Copyright and related rights.",
"expanded": "Copyright",
"value": "copyright"
},
{
"description": "Distribution or sharing of illegal content such as child sexual exploitation material, racism, xenophobia, etc.",
"expanded": "Child Sexual Exploitation, racism or incitement to violence",
"value": "cse-racism-violence-incitement"
}
],
"predicate": "abusive-content"
},
{
"entry": [
{
"description": "Incidents which do not fit the existing classification, acting as an indicator for the classification’s update.",
"expanded": "Unclassified incident",
"value": "unclassified-incident"
},
{
"description": "Unprocessed incidents which have remained undetermined from the beginning.",
"expanded": "Undetermined incident",
"value": "undetermined-incident"
}
],
"predicate": "other"
}
],
"predicates": [
{
"description": "Infection of one or various systems with a specific type of malware / Connection performed by/from/to (a) suspicious system(s)",
"expanded": "Malicious software/code",
"value": "malware"
},
{
"description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative / Premeditated action to damage a system, interrupt a process, change or delete information, etc.",
"expanded": "Availability",
"value": "availability"
},
{
"description": "Active and passive gathering of information on systems or networks / Unauthorised monitoring and reading of network traffic / Attempt to gather information on a user or a system through phishing methods.",
"expanded": "Information Gathering",
"value": "information-gathering"
},
{
"description": "Attempt to intrude by exploiting vulnerability in a system, component or network / Attempt to log in to services or authentication/access control mechanisms.",
"expanded": "Intrusion Attempt",
"value": "intrusion-attempt"
},
{
"description": "Actual intrusion by exploiting vulnerability in the system, component or network / Actual intrusion in a system, component or network by compromising a user or administrator account.",
"expanded": "Intrusion",
"value": "intrusion"
},
{
"description": "Unauthorised access to a particular set of information / Unauthorised change or elimination of a particular set of information.",
"expanded": "Information Security",
"value": "information-security"
},
{
"description": "Loss of property caused with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.",
"expanded": "Fraud",
"value": "fraud"
},
{
"description": "Sending SPAM messages / Distribution and sharing of copyright protected content / Dissemination of content forbidden by law.",
"expanded": "Abusive Content",
"value": "abusive-content"
},
{
"description": "Incidents not classified in the existing classification.",
"expanded": "Other",
"value": "other"
}
],
"version": 3,
"description": "Common Taxonomy for Law enforcement and CSIRTs",
"refs": [
"https://www.europol.europa.eu/publications-documents/common-taxonomy-for-law-enforcement-and-csirts",
"https://www.enisa.europa.eu/publications/tools-and-methodologies-to-support-cooperation-between-csirts-and-law-enforcement"
],
"namespace": "common-taxonomy"
}