Taxonomies used in MISP taxonomy system and can be used by other information sharing tool. https://www.circl.lu/doc/misp-taxonomies/
 
 
Go to file
Raphaël Vinot a0b0035982 fix: Incorrect merge 2020-06-03 12:04:55 +02:00
CERT-XLM
DFRLab-dichotomies-of-disinformation fix: Reorder predicates 2020-02-17 18:53:16 +01:00
DML
PAP chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
access-method new: CCCS taxonomies, first batch 2018-10-24 15:38:41 -04:00
accessnow chg: description improved of the accessnow and action-taken taxonomies 2018-11-27 08:53:26 +01:00
action-taken chg: description improved of the accessnow and action-taken taxonomies 2018-11-27 08:53:26 +01:00
admiralty-scale chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
adversary
ais-marking chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
analyst-assessment chg: [numerical_value] Incremented version of taxonomies having num_val 2019-11-05 10:31:53 +01:00
approved-category-of-action new: CCCS taxonomies, first batch 2018-10-24 15:38:41 -04:00
binary-class chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
cccs new: Add all other relevant taxonomies 2018-10-24 17:50:05 -04:00
circl chg: [circl] covid-19 topic added 2020-03-23 14:08:11 +01:00
coa chg: [coa] typo fixed for deceive 2019-10-23 11:43:35 +02:00
collaborative-intelligence chg: [collaborative-intelligence] request malware config added 2019-09-03 15:53:04 +02:00
common-taxonomy chg: [common-taxonomy] version fixed 2019-04-07 21:31:45 +02:00
copine-scale chg: [numerical_value] Incremented version of taxonomies having num_val 2019-11-05 10:31:53 +01:00
course-of-action Added Course of Action A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability. 2019-09-05 20:39:56 +02:00
cryptocurrency-threat chg: [cryptocurrency-threat] fixing small typo 2019-02-01 18:41:04 +01:00
csirt-americas chg:minor text changes 2019-07-08 13:47:22 -07:00
csirt_case_classification
cssa fix: reorder predicates, make pytaxonomies happy 2019-11-28 14:11:08 +01:00
current-event new: [taxonomy] new current-events taxonomy covering covid-19 2020-03-24 16:39:50 +01:00
cyber-threat-framework chg: [numerical_value] Incremented version of taxonomies having num_val 2019-11-05 10:31:53 +01:00
cytomic-orion chg: fix directory name 2020-03-10 11:20:26 +01:00
dark-web add: [tags] crypto, contreband, etc. 2019-07-29 09:59:31 +02:00
data-classification add: [data-classification] Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book. 2018-12-22 20:07:35 +01:00
dcso-sharing chg: [dcso-sharing] fix the namespace name 2019-03-25 20:37:38 +01:00
ddos chg: [description] fixed 2018-11-27 08:59:14 +01:00
de-vs
dhs-ciip-sectors
diamond-model Correct Diamond model taxonomy description 2019-11-04 23:40:19 -05:00
dni-ism
domain-abuse
drugs fix: Bad filename for the drugs taxonomy 2019-04-01 13:47:04 +02:00
economical-impact chg: [economical-impact] No need to bump version twice 2019-11-05 10:34:48 +01:00
ecsirt
enisa
estimative-language chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
eu-marketop-and-publicadmin
eu-nis-sector-and-subsectors
euci chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
europol-event
europol-incident
event-assessment
event-classification chg: [event-classification] event-classification renamed + description updated 2018-11-06 11:14:43 +01:00
exercise chg: [exercise] a new generic predicate added for comcheck without name 2020-05-18 10:52:34 +02:00
extended-event chg: [extended-event] description typo fixed 2020-05-26 16:12:38 +02:00
failure-mode-in-machine-learning fix: Reorder predicates 2020-02-17 18:53:16 +01:00
false-positive chg: [false-positive] missing expanded 2019-11-07 13:48:14 +01:00
file-type [fix] trim space content of value 2018-09-30 16:48:16 +01:00
flesch-reading-ease chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
fpf
fr-classif chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
gdpr
gea-nz-activities <comit> 2019-10-24 14:10:45 +02:00
gea-nz-entities <GEA-Manifest> 2019-10-24 14:05:35 +02:00
gea-nz-motivators fix: reorder predicates, make pytaxonomies happy 2019-11-28 14:11:08 +01:00
gsma-attack-category new: [gsma-attack-category] first version of Taxonomy used by GSMA for their information sharing program with telco describing the attack categories. 2018-10-30 11:15:15 +01:00
gsma-fraud fix: Typo, empty entries 2018-10-30 18:46:02 +01:00
gsma-network-technology fix: Typo, empty entries 2018-10-30 18:46:02 +01:00
honeypot-basic
ics chg: Reorder predicates in ICS 2019-09-17 22:27:28 +02:00
iep
iep2-policy chg: [iep2] MANIFEST updated, set version value to string (all are strings in taxonomies) 2020-01-09 11:35:46 +01:00
iep2-reference chg: [iep2] MANIFEST updated, set version value to string (all are strings in taxonomies) 2020-01-09 11:35:46 +01:00
ifx-vetting new: Added Manifest and Markdown generators 2019-11-05 12:00:28 +01:00
incident-disposition chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
infoleak chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
information-security-data-source fix: reorder predicates 2019-01-22 16:26:11 +01:00
information-security-indicators
interception-method new: CCCS taxonomies, first batch 2018-10-24 15:38:41 -04:00
iot chg: [IoT] put the exclusive flag on the "Data Sharing Level" 2019-11-06 08:57:00 +01:00
kill-chain
maec-delivery-vectors
maec-malware-behavior
maec-malware-capabilities chg: [maec-malware-capabilities] typo fixed - #149 fixed 2019-06-21 09:34:02 +02:00
maec-malware-obfuscation-methods
malware_classification
mapping chg: [mapping] updated to the latest version 2019-05-14 14:21:40 +02:00
misp fix: reorder predicates, make pytaxonomies happy 2019-11-28 14:11:08 +01:00
monarc-threat
ms-caro-malware
ms-caro-malware-full
mwdb chg: [mwdb] added missing expanded predicate values 2019-11-21 08:09:20 +01:00
nato chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
nis
open_threat
osint chg: [numerical_value] Incremented version of taxonomies having num_val 2019-11-05 10:31:53 +01:00
pandemic chg: [pandemic] geostrategy added 2020-04-24 14:00:07 +02:00
passivetotal chg: [passivetotal] typo fixed 2019-01-16 15:30:25 +01:00
pentest chg: [description] fixed 2018-11-27 09:05:01 +01:00
phishing chg: [phishing] JSON fixed 2020-04-10 13:38:09 +02:00
priority-level chg: [numerical_value] Incremented version of taxonomies having num_val 2019-11-05 10:31:53 +01:00
ransomware chg: [ransomware] jq all the things 2019-05-21 10:05:09 +02:00
retention chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
rsit fix: Typo in rsit, predicates order in misp 2019-07-18 14:31:49 +02:00
rt_event_status chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
runtime-packer
scrippsco2-fgc fix: Missing patenthesis. 2019-07-23 16:43:53 +02:00
scrippsco2-fgi fix: Missing patenthesis. 2019-07-23 16:43:53 +02:00
scrippsco2-sampling-stations new: Scripps CO2 taxonomies 2019-07-23 16:40:56 +02:00
smart-airports-threats
stealth_malware
stix-ttp
targeted-threat-index chg: [numerical_value] Incremented version of taxonomies having num_val 2019-11-05 10:31:53 +01:00
threats-to-dns new: [threats-to-dns] New taxonomy threats to DNS 2019-06-21 08:58:14 +02:00
tlp
tools chg: [tools] a quick-and-dirty script to dump missing expanded fields 2019-11-21 08:10:32 +01:00
tor
trust After running ./jq_all_the_things.sh 2020-04-13 18:30:06 -07:00
type add: [type] Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence. 2018-12-25 15:55:11 +01:00
use-case-applicability fix: Remove extra comma 2018-12-11 15:53:00 +01:00
veris
vocabulaire-des-probabilites-estimatives chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
workflow chg: [exclusive] Set `exclusive` meta for relevant taxonomies 2019-11-05 10:28:02 +01:00
.travis.yml chg: Update travis file 2020-03-10 15:18:16 +01:00
LICENSE.md chg: [licensing] 2-clause BSD added in addition to CC0 2018-12-10 12:23:11 +01:00
MANIFEST.json fix: Incorrect merge 2020-06-03 12:04:55 +02:00
README.md Change the README 2020-04-13 18:27:57 -07:00
jq_all_the_things.sh fix jq_all_the_things script 2019-01-28 16:10:11 +01:00
schema.json fix: Force non-empty strings and arrays 2018-10-31 09:20:44 +01:00
schema_mapping.json
summary.md chg: [doc] summary updated 2020-01-09 11:38:35 +01:00
validate_all.sh

README.md

MISP Taxonomies

Build Status

MISP Taxonomies is a set of common classification libraries to tag, classify and organise information. Taxonomy allows to express the same vocabulary among a distributed set of users and organisations.

Taxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.

Overview of the MISP taxonomies

The following taxonomies can be used in MISP (as local or distributed tags) or in other tools and software willing to share common taxonomies among security information sharing tools.

The following taxonomies are described:

Admiralty Scale

The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.

Adversary

An overview and description of the adversary infrastructure.

CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection

CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place.

Cyber Kill Chain from Lockheed Martin

Cyber Kill Chain from Lockheed Martin as described in Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.

Cyber Threat Framework from DNI.gov

The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.

DE German (DE) Government classification markings (VS)

Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS).

DHS CIIP Sectors

DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.

Diamond Model for Intrusion Analysis

The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack as described in http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.

Detection Maturity Level

The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program.

Domain Name Abuse

Taxonomy to tag domain names used for cybercrime. We suggest to use europol-incident(./europol-incident) to tag abuse-activity.

eCSIRT and IntelMQ incident classification

eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.

ENISA ENISA Threat Taxonomy

ENISA Threat Taxonomy - A tool for structuring threat information as published

Estimative Language Estimative Language (ICD 203)

Estimative language - including likelihood or probability of event based on the Intelligence Community Directive 203 (ICD 203) (6.2.(a)).

EU NIS Critical Infrastructure Operators

Market operators and public administrations that must comply to some notifications requirements under EU NIS directive.

EUCI classification

EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described.

Europol Incident

EUROPOL class of incident taxonomy

Europol Events

EUROPOL type of events taxonomy

FIRST CSIRT Case classification

FIRST CSIRT Case Classification.

FIRST Information Exchange Policy (IEP) framework

Information Security Indicators - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators

Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework).

Information Security Marking Metadata DNI (Director of National Intelligence - US)

ISM (Information Security Marking Metadata) V13 as described by DNI.gov.

Malware classification

Malware classification based on a SANS whitepaper about malware.

ms-caro-malware Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.

NATO Classification Marking

Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.

Open Threat Taxonomy v1.1

Open Threat Taxonomy v1.1 base on James Tarala of SANS ref.

STIX-TTP

STIX-TTP exposes a set classification tools that represents the behavior or modus operandi of cyber adversaries as normalized in STIX. TTPs consist of the specific adversary behavior (attack patterns, malware, exploits) exhibited, resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.

Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.

The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. More info about TTI.

The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.

The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. It's a protocol/taxonomy similar to TLP informing the recipients of information what they can do with the received information.

TLP - Traffic Light Protocol

The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.

Trust - Indicators of Trust

The Trust Taxonomy provides a way to use Indicators of Trust within MISP to get insight on data about what can be trusted. Similar to a whitelist but on steroids, leveraging MISP features one would use with Inidicators of Compromise, but to filter out what is known to be good.

Vocabulary for Event Recording and Incident Sharing VERIS

Vocabulary for Event Recording and Incident Sharing is a format created by the VERIS community.

Reserved Taxonomy

The following taxonomy namespaces are reserved and used internally to MISP.

  • galaxy mapping taxonomy with cluster:element:"value".

Documentation

A documentation of the taxonomies is generated automatically from the taxonomies description and available in PDF and HTML.

How to contribute your taxonomy?

It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like Admiralty Scale), create a directory matching your name space, put your machinetag file in the directory and pull your request. That's it. Everyone can benefit from your taxonomy and can be automatically enabled in information sharing tools like MISP.

For more information, "Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP" presentation given to the last MISP training in Luxembourg.

How to add your private taxonomy to MISP

$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
$ vi machinetag.json

Create a JSON file describing your taxonomy as triple tags.

Once you are happy with your file go to MISP Web GUI taxonomies/index and update the taxonomies, the newly created taxonomy should be visible, now you need to activate the tags within your taxonomy.

MISP Taxonomies

Tools

machinetag.py is a parsing tool to dump taxonomies expressed in Machine Tags (Triple Tags) and list all valid tags from a specific taxonomy.

% cd tools
% python machinetag.py
        admiralty-scale:source-reliability="a"
        admiralty-scale:source-reliability="b"
        admiralty-scale:source-reliability="c"
        admiralty-scale:source-reliability="d"
        admiralty-scale:source-reliability="e"
        admiralty-scale:source-reliability="f"
        admiralty-scale:information-credibility="1"
        admiralty-scale:information-credibility="2"
        admiralty-scale:information-credibility="3"
        admiralty-scale:information-credibility="4"
        admiralty-scale:information-credibility="5"
        admiralty-scale:information-credibility="6"
        ...

Library

  • PyTaxonomies is a Python module to use easily the MISP Taxonomies.

License

The MISP taxonomies (JSON files) are dual-licensed under:

or

 Copyright (c) 2015-2019 Alexandre Dulaunoy - a@foo.be
 Copyright (c) 2015-2019 CIRCL - Computer Incident Response Center Luxembourg
 Copyright (c) 2015-2019 Andras Iklody
 Copyright (c) 2015-2019 Raphael Vinot
 Copyright (c) 2016-2019 Various contributors to MISP Project

 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright notice,
       this list of conditions and the following disclaimer in the documentation
       and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.

If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested.