Taxonomies used in MISP taxonomy system and can be used by other information sharing tool. https://www.circl.lu/doc/misp-taxonomies/

classification information-exchange malware misp taxonomies taxonomy

Go to file

jenter8 9d2284f772 Add files via upload		2016-08-01 13:45:39 +02:00
PAP	Add files via upload	2016-08-01 13:45:39 +02:00
admiralty-scale	Added a version number in the JSON - Fix #2	2015-11-22 07:56:48 +01:00
adversary	action added to the adversary name space	2016-02-16 21:19:19 +01:00
circl	CIRCL Taxonomy - Schemes of Classification in Incident Response and	2015-11-22 09:52:57 +01:00
csirt_case_classification	Added versions to manifest and some directory name changes	2016-07-24 11:32:09 +02:00
de-vs	Update README.md	2016-02-09 11:27:10 +01:00
dhs-ciip-sectors	Typo fixed	2016-03-03 23:04:11 +01:00
dni-ism	Missing atomicEnergyMarkings added	2015-11-28 18:11:09 +01:00
ecsirt	added Incident Classification by the ecsirt.net project WP4 clearinghouse policy and updated by IntelMQ.	2015-11-25 15:32:12 +01:00
enisa	Complete ENISA Threat Taxonomy added	2016-06-10 20:11:48 +02:00
estimative-language	Fixed JSON format	2016-07-01 18:49:15 +02:00
eu-critical-sectors	Include #16	2016-03-03 15:47:47 +01:00
euci	Update machinetag.json	2016-03-23 15:10:48 +01:00
europol-events	Add Europol types of events taxonomy	2016-06-03 15:33:56 +02:00
europol-incident	Add Europol types of events taxonomy	2016-06-03 15:33:56 +02:00
fr-classif	Added versions to manifest and some directory name changes	2016-07-24 11:32:09 +02:00
iep	Expanded values for the variable string	2016-06-21 07:45:39 +02:00
information-security-indicators	Add the Information Security Indicators taxonomy	2016-07-11 11:11:46 +02:00
kill-chain	Updated the kill chain explanations to reflect the meaning of the kil chain phase instead of the remedy	2016-06-14 08:22:23 +02:00
malware_classification	Added versions to manifest and some directory name changes	2016-07-24 11:32:09 +02:00
misp	misp contibutor predicate	2016-06-12 05:20:26 +02:00
ms-caro-malware	Remove jso file	2016-07-05 21:44:02 +02:00
ms-caro-malware-full	Microsoft's Computer Antivirus Research Organization (CARO) implementation including malware families. This taxonomy is large and and difficult to work with without a search feature. Instead, use ms-caro-malware	2016-07-06 01:17:38 +03:00
nato	NATO classification markings. (first DRAFT)	2015-11-29 10:23:14 +01:00
open-threat	Add Open Threat Taxonomy	2016-07-21 22:31:24 +03:00
osint	Certainty scale added	2016-01-21 22:56:22 +01:00
tlp	Colour added to the TLP taxonomy (fix #21 )	2016-05-31 16:39:17 +02:00
tools	Open Threat Taxonomy added	2016-07-21 23:22:04 +02:00
veris	Added missing version	2015-11-24 10:57:19 +01:00
.travis.yml	Add test with PyTaxonomies	2016-07-27 15:24:33 +02:00
MANIFEST.json	Update version	2016-07-25 14:41:07 +02:00
README.md	Directory names fixed	2016-07-24 19:55:54 +02:00

README.md

MISP Taxonomies

Taxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.

The following taxonomies can be used in MISP (as local or distributed tags) or in other tools willing to share common taxonomies among security information sharing tools.

The following taxonomies are described:

Admiralty Scale
adversary - description of an adversary infrastructure
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
Cyber Kill Chain from Lockheed Martin
DE German (DE) Government classification markings (VS)
DHS CIIP Sectors
eCSIRT and IntelMQ incident classification
ENISA ENISA Threat Taxonomy
Estimative Language Estimative Language (ICD 203)
EU critical sectors - EU critical sectors
EUCI - EU classified information marking
Europol Incident - Europol class of incident taxonomy
Europol Events - Europol type of events taxonomy
FIRST CSIRT Case classification
Information Security Indicators - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators
Information Security Marking Metadata from DNI (Director of National Intelligence - US)
Malware classification based on a SANS document
ms-caro-malware Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.
NATO Classification Marking
Open Threat Taxonomy v1.1 (SANS)
OSINT Open Source Intelligence - Classification
TLP - Traffic Light Protocol
Vocabulary for Event Recording and Incident Sharing VERIS

Admiralty Scale

The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.

Adversary

An overview and description of the adversary infrastructure.

CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection

CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place.

Cyber Kill Chain from Lockheed Martin

Cyber Kill Chain from Lockheed Martin as described in Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.

DE German (DE) Government classification markings (VS)

Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS).

DHS CIIP Sectors

DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.

eCSIRT and IntelMQ incident classification

eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.

ENISA ENISA Threat Taxonomy

ENISA Threat Taxonomy - A tool for structuring threat information as published

Estimative Language Estimative Language (ICD 203)

Estimative language - including likelihood or probability of event based on the Intelligence Community Directive 203 (ICD 203) (6.2.(a)).

EU Critical Sectors

Market operators and public administrations that must comply to some notifications requirements under EU NIS directive.

EUCI classification

EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described.

Europol Incident

EUROPOL class of incident taxonomy

Europol Events

EUROPOL type of events taxonomy

FIRST CSIRT Case classification

FIRST CSIRT Case Classification.

Information Security Indicators - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators

Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework).

Information Security Marking Metadata DNI (Director of National Intelligence - US)

ISM (Information Security Marking Metadata) V13 as described by DNI.gov.

Malware classification

Malware classification based on a SANS whitepaper about malware.

ms-caro-malware Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.

NATO Classification Marking

Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.

Open Threat Taxonomy v1.1

Open Threat Taxonomy v1.1 base on James Tarala of SANS ref.

TLP - Traffic Light Protocol

The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.

Vocabulary for Event Recording and Incident Sharing is a format created by the VERIS community.

How to contribute your taxonomy?

It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like Admiralty Scale), create a directory matching your name space, put your machinetag file in the directory and pull your request. That's it. Everyone can benefit from your taxonomy and can be automatically enabled in information sharing tools like MISP.

For more information, "Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP" presentation given to the last MISP training in Luxembourg.

How to add your private taxonomy to MISP

$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
$ vi machinetag.json

Create a JSON file Create a JSON file describing your taxonomy as triple tags.

Once you are happy with your file go to MISP Web GUI taxonomies/index and update the taxonomies, the newly created taxonomy should be visible, now you need to activate the tags within your taxonomy.

MISP Taxonomies - tools

machinetag.py is a parsing tool to dump taxonomies expressed in Machine Tags (Triple Tags) and list all valid tags from a specific taxonomy.

% cd tools
% python machinetag.py
        admiralty-scale:source-reliability="a"
        admiralty-scale:source-reliability="b"
        admiralty-scale:source-reliability="c"
        admiralty-scale:source-reliability="d"
        admiralty-scale:source-reliability="e"
        admiralty-scale:source-reliability="f"
        admiralty-scale:information-credibility="1"
        admiralty-scale:information-credibility="2"
        admiralty-scale:information-credibility="3"
        admiralty-scale:information-credibility="4"
        admiralty-scale:information-credibility="5"
        admiralty-scale:information-credibility="6"
        ...