{
"namespace": "cccs",
"description": "Internal taxonomy for CCCS.",
"version": 1,
"expanded": "CCCS",
"predicates": [
{
"value": "event",
"expanded": "Event type",
"description": "Type of event associated with the internal reference."
},
{
"value": "disclosure-type",
"expanded": "Disclosure type",
"description": "Type of information being disclosed."
},
{
"value": "exploitation-technique",
"expanded": "Exploitation technique",
"description": "The technique used to remotely exploit a GoC system."
},
{
"value": "origin",
"expanded": "Origin",
"description": "Where the request originated from."
},
{
"value": "originating-organization",
"expanded": "Originating organization",
"description": "Origin of a signature."
}
],
"values": [
{
"predicate": "event",
"entry": [
{
"value": "beacon",
"expanded": "Beacon",
"description": "A host infected with malware is connecting to threat actor owned infrastructure."
},
{
"value": "browser-based-exploitation",
"expanded": "Browser based exploitation",
"description": "A browser component is being exploited in order to infect a host."
},
{
"value": "dos",
"expanded": "Dos",
"description": "An attack in which the goal is to disrupt access to a host or resource."
},
{
"value": "email",
"expanded": "Email",
"description": "Malicious emails sent to a department (baiting, content delivery, phishing)."
},
{
"value": "exfiltration",
"expanded": "Exfiltration",
"description": "Unauthorized transfer of data from a target's network to a location a threat actor controls."
},
{
"value": "generic-event",
"expanded": "Generic event",
"description": "Represents a collection of virtually identical events within a range of time."
},
{
"value": "improper-usage",
"expanded": "Improper usage",
"description": "Technology used in a way that compromises security or violates policy."
},
{
"value": "malware-artifacts",
"expanded": "Malware artifacts",
"description": "Signs of the presence of malware observed on a host."
},
{
"value": "malware-download",
"expanded": "Malware download",
"description": "Malware was transferred (downloaded/uploaded) to a host."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Information or credentials disclosed to a threat actor."
},
{
"value": "remote-access",
"expanded": "Remote access",
"description": "A threat actor is attempting to or succeeding in remotely logging in to a host."
},
{
"value": "remote-exploitation",
"expanded": "Remote exploitation",
"description": "A threat actor is attempting to exploit vulnerabilities remotely."
},
{
"value": "scan",
"expanded": "Scan",
"description": "A threat actor is scanning the network."
},
{
"value": "scraping",
"expanded": "Scraping",
"description": "Represents a collection of virtually identical scraping events within a range of time."
},
{
"value": "traffic-interception",
"expanded": "Traffic interception",
"description": "Represents a collection of virtually identical traffic interception events within a range of time."
}
]
},
{
"predicate": "disclosure-type",
"entry": [
{
"value": "goc-credential-disclosure",
"expanded": "Goc credential disclosure",
"description": "Credentials for a GoC system or user were disclosed."
},
{
"value": "personal-credential-disclosure",
"expanded": "Personal credential disclosure",
"description": "Credentials not related to a GoC system or user were disclosed."
},
{
"value": "personal-information-disclosure",
"expanded": "Personal information disclosure",
"description": "Information about a person or persons was disclosed."
},
{
"value": "none",
"expanded": "None",
"description": "No information was disclosed."
},
{
"value": "other",
"expanded": "Other",
"description": "Information other than credentials and personal information was disclosed."
}
]
},
{
"predicate": "exploitation-technique",
"entry": [
{
"value": "sql-injection",
"expanded": "Sql injection",
"description": "Exploitation occurred due to malicious SQL queries being executed against a database."
},
{
"value": "directory-traversal",
"expanded": "Directory traversal",
"description": "Exploitation occurred through a directory traversal attack allowing access to a restricted directory."
},
{
"value": "remote-file-inclusion",
"expanded": "Remote file inclusion",
"description": "Exploitation occurred due to vulnerabilities allowing remotely hosted malicious files to be included."
},
{
"value": "code-injection",
"expanded": "Code injection",
"description": "Exploitation occurred due to malicious code being injected."
},
{
"value": "other",
"expanded": "Other",
"description": "An exploitation technique other than those listed."
}
]
},
{
"predicate": "origin",
"entry": [
{
"value": "subscriber",
"expanded": "Subscriber",
"description": "The request originated from a subscriber."
},
{
"value": "internet",
"expanded": "Internet",
"description": "The request originated from the Internet."
}
]
},
{
"predicate": "originating-organization",
"entry": [
{
"value": "cse",
"expanded": "Cse",
"description": "Communications Security Establishment."
},
{
"value": "nsa",
"expanded": "Nsa",
"description": "National Security Agency."
},
{
"value": "gchq",
"expanded": "Gchq",
"description": "Government Communications Headquarters."
},
{
"value": "asd",
"expanded": "Asd",
"description": "Australian Signals Directorate."
},
{
"value": "gcsb",
"expanded": "Gcsb",
"description": "Government Communications Security Bureau."
},
{
"value": "open-source",
"expanded": "Open source",
"description": "Originated from publicly available information."
},
{
"value": "3rd-party",
"expanded": "3rd party",
"description": "Originated from a 3rd party organization."
},
{
"value": "other",
"expanded": "Other",
"description": "Originated from an organization other than those listed."
}
]
}
]
}