Deception allows you to learn more about the intentions of the attacker by making them think the action was successful. One way to do this is to put a honeypot in place and redirect the traffic, based on an indicator, towards the honeypot.
Ransomware Group
+Ransomware group PR or leak website
+Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity
+Domain Name Abuse - taxonomy to tag domain names used for cybercrime.
Compromised domain name registrar
+Domain name is compromised due to an incident at the registrar
+Compromised domain name registry
+Domain name is compromised due to an incident at the registry
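Review bot: the two added Domain Name Abuse descriptions ("+Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity" and "+Domain Name Abuse - taxonomy to tag domain names used for cybercrime.") differ only by the cross-reference sentence; if one is the short summary and the other the expanded description that is fine, otherwise keep a single copy so the rendered page does not repeat itself. The cross-reference names the europol-incident namespace without saying which predicate to use; either name the predicate or reword it to "see the europol-incident taxonomy" so readers know which tag to combine it with.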
++ + | ++interactive-cyber-training-audience namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. + | +
Describes the target of cyber training and education.
+The sector from which the audience comes determines the nature of the training.
+Academic - School
+The focus is on the principles underlying cybersecurity, ranging from theoretical to applied, at school level.
+Academic - University
+The focus is on the principles underlying cybersecurity, ranging from theoretical to applied, at university level.
+Public - Government
+In public sector such as government, Cybersecurity is seen as tool to protect the public interest. Hence, it emphasizes on developing policies and systems to implement laws and regulations.
+Public - Authorities
+In public sector such as authorities, Cybersecurity is seen as tool to protect the public interest. Hence, it emphasizes on developing policies and systems to implement laws and regulations.
+Public - NGO
+In public sector such as NGO, Cybersecurity is seen as tool to protect the public interest. Hence, it emphasizes on developing policies and systems to implement laws and regulations.
+Public - Military
+In public sector such as military sector, Cybersecurity is seen as tool to protect the public interest. Hence, it emphasizes on developing policies and systems to implement laws and regulations.
+Private
+The private sector and industry focuses more on protecting its investments. The effectiveness of security mechanisms and people are more important than principles they embody.
+Purpose answered the question for which reason trainings should be used.
+Awareness
+This training should be used to raise the awareness in multiple and different security threats.
+Skills
+This training should be used to recognize the different skill levels of the participants so that can they be improved in a targeted manner.
+Collaboration
+This training should be used to improve the cooperation within a team or beyond.
+Communication
+This training should be used to increase the efficiency of internal and external communication in case of an incident.
+Leadership
+This training should be used to improve the management and coordination of the responsible entities.
+Proficiency describes the knowledge of users and what they are able to do.
+Beginner
+The lowest level. Beginner are limited in abilities and knowledge. They have the possibility to use foundational conceptual and procedural knowledge in a controlled and limited environment. Beginners cannot solve critical tasks and need significant supervision. They are able to perform daily processing tasks. The focus is on learning.
+Professional
+The mid level. Professionals have deeper knowledge and understanding in specific sectors. For these sectors they are able to complete tasks as requested. Sometimes supervision is needed but usually they perform independently. The focus is on enhancing and applying existing knowledge.
+Expert
+The highest level. Experts have deeper knowledge and understanding in different sectors. They complete tasks self-dependent and have the possibilities to achieve goals in the most effective and efficient way. Experts have comprehensive understanding and abilities to lead and train others. The focus is on strategic action.
+Target audience describes the audience, which is targeted by the training.
+Student/Trainee
+Student and trainees have little to none practical knowledge. Training can be used for students and trainees, to enhance their knowledge and to practice theoretical courses.
+IT User
+IT users use the IT but have little to none knowledge about IT security. Users can get trained to understand principles of IT security and to grow awareness.
+IT Professional
+Professionals have little to medium knowledge about IT security. Their professional focus is in specific sectors, therefore, they receive IT security knowledge for their sectors.
+IT Specialist
+Specialists already have a comprehensive knowledge in IT security. Therefore, the training is focussed on specific aspects.
+Management
+Management has little knowledge about IT security, but a broad overview. By the training, management can understand changed settings better.
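Review bot: the four Public audience entries (Government, Authorities, NGO, Military) carry the same two sentences with only the sector name swapped, so the descriptions give a reader no way to tell the values apart; either state what differs for each sector or collapse the shared text into the predicate description. Several added sentences also need grammar fixes before they ship: "+Purpose answered the question for which reason trainings should be used." reads better as "Purpose answers the question of why a training should be used", "+This training should be used to recognize the different skill levels of the participants so that can they be improved in a targeted manner." has "can they" inverted, and "+The lowest level. Beginner are limited in abilities and knowledge." should say "Beginners are limited"; in the Expert entry, "self-dependent" should be "independently". In the Private entry, "The effectiveness of security mechanisms and people are more important than principles they embody" needs "is more important than the principles".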
++ + | ++interactive-cyber-training-technical-setup namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. + | +
The technical setup consists of environment structure, deployment, and orchestration.
+The environment structure refers to the basic characteristic of the event.
+Tabletop Style
+A session that involves the movement of counters or other objects round a board or on a flat surface
+Online Platform - Collaboration Platform
+The environment allows organizations to incorporate real-time communication capabilities and providing remote access to other systems. This includes the exchange of files and messages in text, audio, and video formats between different computers or users.
+Online Platform - E-Learning Platform
+A software application for the administration, documentation, tracking, reporting, and delivery of educational courses, training programs, or learning and development programs.
+Hosting
+A cyber training based on single hosts uses primarily a personal computer to providing tasks and challenges for a user. It allows a direct interaction with the systems.
+Network Infrastruture - Simulated
+Dependent of the realization type, a network-based environment consists of servers and clients, which are connected to each other in a local area network (LAN) or wide area network (WAN). A simulation copies the network components from the real world into a virtual environment. It provides an idea about how something works. It simulates the basic behavior but does not necessarily abide to all the rules of the real systems.
+Network Infrastruture - Emulated
+Dependent of the realization type, a network-based environment consists of servers and clients, which are connected to each other in a local area network (LAN) or wide area network (WAN). An emulator duplicates things exactly as they exist in real life. The emulation is effectively a complete imitation of the real thing. It operates in a virtual environment instead of the real world.
+Network Infrastruture - Real
+Dependent of the realization type, a network-based environment consists of servers and clients, which are connected to each other in a local area network (LAN) or wide area network (WAN). In a real network infrastructure, physical components are used to connect the systems and to setup a scenario.
+The environment of cyber training can either be deployed on premise or on cloud infrastructures
+On Premise - Physical
+The environment for the training run on physical machines. The data is stored locally and not on cloud; nor is a third party involved. The advantages of on premise solutions are the physical accessibility, which makes it possible to use the complete range of cyber challenges.
+On Premise - Virtual
+The environment for the training run virtual machines. The data is stored locally and not on cloud; nor is a third party involved. The benefit of virtual machines is the maximum of configurability. The advantages of on premise solutions are the physical accessibility, which makes it possible to use the complete range of cyber challenges.
+Cloud
+Training setup deployed in the cloud has on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. In contrast to on premise setups, cloud solutions are rapid elastic on request. So the training can be adapted flexible on a large amount of users and is easily usable world wide.
+The composition of parts and components of a pool of tasks. The goal is to setup a holistic scenario and integrate cyber training session. Furthermore, it includes a declarative description of the overall process in the form of a composite and harmonic collaboration.
+None Automation
+Specifies the automation of processes and the amount of human interaction with the system to maintain and administrate, especially for repetitive exercise; Here none automation is present.
+Partially Automation
+Specifies the automation of processes and the amount of human interaction with the system to maintain and administrate, especially for repetitive exercise; Here partially automated.
+Complete Automation
+Specifies the automation of processes and the amount of human interaction with the system to maintain and administrate, especially for repetitive exercise; Here full-automated.
+Portability - Miscellaneous
+Miscellaneous approaches are used to ensure the possibility to exchange data, challenges, or entire scenarios to other environments or locations.
+Portability - Exchangenable Format
+Common data format (YALM, XML, JSON, …) is used to ensure the possibility to exchange data, challenges, or entire scenarios to other environments or locations.
+Maintability - Modifiability
+Maintainability represents effectiveness and efficiency with which a session can be modified or adapted to changes.
+Maintability - Modularity
+A modular concept has advantages in reusability and combinability.
+Compatibility
+The Compatibility deals with the technical interaction possibilities via interfaces to other applications, data, and protocols.
+Malicious
+Not Malicious
+Confidence cannot be evaluated
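Review bot: the technical-setup values contain repeated spelling errors that will become part of the machine tag names once merged and are awkward to rename later: "Infrastruture" appears in all three "+Network Infrastruture - ..." values (should be "Infrastructure"), "+Portability - Exchangenable Format" should be "Exchangeable Format", "+Maintability - Modifiability" and "+Maintability - Modularity" should be "Maintainability", and "YALM" in the exchangeable-format description should be "YAML". "None Automation" and "Partially Automation" read more naturally as "No Automation" and "Partial Automation". In the deployment entries, "The environment for the training run on physical machines" and "run virtual machines" should be "runs on physical machines" and "runs on virtual machines", the deployment predicate description is missing its full stop, and the three automation values and the three network-infrastructure values each repeat the same preamble sentence verbatim; move the shared sentence up to the predicate description and leave only the distinguishing clause in each value.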
force
-Force the IDS flag to be the one from the tag.
-true
-Overwrite the current IDS flag of the information tag by IDS true.
-false
-Overwrite the current IDS flag of the information tag by IDS false.
-force
+Force the IDS flag to be the one from the tag.
+true
+Overwrite the current IDS flag of the information tag by IDS true.
+false
+Overwrite the current IDS flag of the information tag by IDS false.
+Business Email Compromise
+Adversary sends an email containing a malicious artefact from a legitimate business email address which has connections to you as an individual or your organisation.
+Purpose of the ransomware.
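Review bot: the IDS-flag block is removed and re-added line for line ("-Force the IDS flag to be the one from the tag." followed by "+Force the IDS flag to be the one from the tag.", same for true/false), so this part of the hunk records no content change; if the intent is a whitespace or ordering fix, say so in the commit message, otherwise drop the churn so the history stays readable. "+Purpose of the ransomware." is a bare fragment with no predicate name or values attached to it here; confirm it is a predicate description and not an orphaned line. The Business Email Compromise description restricts BEC to an email "containing a malicious artefact", whereas the term as commonly used also covers payment-diversion and invoice fraud carried out with no attachment at all; either widen the wording or state explicitly that only the malicious-artefact variant is meant.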
Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.
+Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources which make up spam infrastructure, for example, harvesters like address verification, URLs in spam emails, etc.
Discretization or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.
+Bullying, harassment or discrimination of somebody, e.g., cyber stalking, racism or threats against one or more individuals.
Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.
+Child Sexual Exploitation (CSE), sexual content, glorification of violence, etc.
System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server
+System infected with malware, e.g., a PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed command and control server.
Command-and-control server contacted by malware on infected systems.
+Command and control server contacted by malware on infected systems.
URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).
+URI used for malware distribution, e.g., a download URL included in fake invoice malware spam or exploit kits (on websites).
URI hosting a malware configuration file, e.g. web-injects for a banking trojan.
+URI hosting a malware configuration file, e.g., web injects for a banking trojan.
Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, …), port scanning.
+Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. This includes fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, etc) port scanning.
Observing and recording of network traffic (wiretapping).
+Observing and recording of network traffic (i.e. wiretapping).
Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).
+Gathering information from a human being in a non-technical way (e.g., using lies, tricks, bribes, or threats).
Exploitation of known Vulnerabilities
+Exploitation of Known Vulnerabilities
An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)
+An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g., using a buffer overflow, backdoor, cross site scripting)
Login attempts
+Login Attempts
Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.
+Multiple brute-force login attempts (including guessing or cracking of passwords). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.
New attack signature
+New Attack Signature
An attack using an unknown exploit.
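Review bot: the rewritten scanning entry "+Attacks that send requests to a system to discover weaknesses. ... This includes fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, etc) port scanning." changes the meaning of the original "Examples: ... SMTP (EXPN, RCPT, ...), port scanning": without a comma or "and" before "port scanning" the last two items read as one, and "etc" lost its full stop; restore the separator, and avoid starting two consecutive sentences with "This also includes" / "This includes". Style is inconsistent across the rewritten entries: "+Observing and recording of network traffic (i.e. wiretapping)." uses "i.e." while every other entry uses "e.g.,", the exploitation entry "(e.g., using a buffer overflow, backdoor, cross site scripting)" drops the closing full stop and the "etc." that the other entries keep, and "cross site scripting" here is hyphenated as "cross-site scripting" in the Vulnerable System entry later in the patch; pick one form.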
@@ -39297,7 +39768,7 @@ rsit namespace available in JSON format at -Compromise of a system where the attacker gained administrative privileges.
+Compromise of a system where the attacker has gained administrative privileges.
Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.
+Compromise of an application by exploiting (un)known software vulnerabilities, e.g., SQL injection.
Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems.
+Compromise of a system, e.g., unauthorised logins or commands. This includes attempts to compromise honeypot systems.
Physical intrusion, e.g. into corporate building or data-centre.
+Physical intrusion, e.g., into a corporate building or data centre.
Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.
+Denial of Service attack, e.g., sending specially crafted requests to a web application which causes the application to crash or slow down.
Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.
+Distributed Denial of Service attack, e.g., SYN flood or UDP-based reflection/amplification attacks.
Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.
+Software misconfiguration resulting in service availability issues, e.g., DNS server with outdated DNSSEC Root Zone KSK.
Physical sabotage, e.g cutting wires or malicious arson.
+Physical sabotage, e.g., cutting wires or malicious arson.
Outage caused e.g. by air condition failure or natural disaster.
+An outage caused, for example, by air conditioning failure or natural disaster.
Unauthorised access to information
+Unauthorised Access to Information
Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.
+Unauthorised access to information, e.g., by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.
Unauthorised modification of information
+Unauthorised Modification of Information
Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.
+Unauthorised modification of information, e.g., by an attacker abusing stolen login credentials for a system or application, or ransomware encrypting data. Also includes defacements.
Loss of data, e.g. caused by harddisk failure or physical theft.
+Loss of data caused by, for example, hard disk failure or physical theft.
Leak of confidential information
+Leak of Confidential Information
Leaked confidential information like credentials or personal data.
+Leaked confidential information, e.g., credentials or personal data.
Unauthorised use of resources
+Unauthorised Use of Resources
Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.
+Using resources for unauthorised purposes including profit-making ventures, e.g., the use of email to participate in illegal profit chain letters or pyramid schemes.
Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).
+Offering or installing copies of unlicensed commercial software or other copyright protected materials (also known as Warez).
Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus signatures not up-to-date, etc
+Open resolvers, world-readable printers, vulnerabilities apparent from scans, anti-virus signatures not up-to-date, etc.
Weak crypto
+Weak Cryptography
Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.
+Publicly accessible services offering weak cryptography, e.g., web servers susceptible to POODLE/FREAK attacks.
DDoS amplifier
+DDoS Amplifier
Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.
+Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g., DNS open-resolvers or NTP servers with monlist enabled.
Potentially unwanted accessible services
+Potentially Unwanted Accessible Services
Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.
+Potentially unwanted publicly accessible services, e.g., Telnet, RDP or VNC.
Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.
+Publicly accessible services potentially disclosing sensitive information, e.g., SNMP or Redis.
Vulnerable system
+Vulnerable System
A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc.
+A system which is vulnerable to certain attacks, e.g., misconfigured client proxy settings (such as WPAD), outdated operating system version, or cross-site scripting vulnerabilities.
All incidents which don’t fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised
+All incidents which don’t fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.
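Review bot: hyphenation drifts between neighbouring entries in this region: "+Open resolvers, world-readable printers, vulnerabilities apparent from scans, anti-virus signatures not up-to-date, etc." writes "open resolvers" while the DDoS Amplifier entry writes "DNS open-resolvers"; use one spelling so text search across the taxonomy finds both. In "+A system which is vulnerable to certain attacks, e.g., misconfigured client proxy settings (such as WPAD), outdated operating system version, or cross-site scripting vulnerabilities." the middle item wants an article ("an outdated operating system version"). Dropping the product name from the vulnerable-services entry (replacing "Nessus etc scans" with "scans") is a good tool-neutral change; the "e.g.," with comma is now applied consistently here, which is the form the earlier region should follow too.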
-threatmatch-alert-types namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. +thales_group namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. |
The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
+Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.
+ + | ++Exclusive flag set which means the values or predicate below must be set exclusively. + | +
Actor Campaigns
+Use it when you want to keep the Event on your Organization ONLY. Distribution: Your organisation only
+This TAG will insure you that this Event will be kept on your side. This Event will NOT be shared to the Thales Group community. Distribution: Your organisation only
Credential Breaches
+Use it when you want to share to the Thales Group Community ONLY. Distribution: All communities
+This TAG will insure you to share ONLY to the Thales Group Community. Distribution: All communities
+Associated numerical value="1"
DDoS
+Use it when you want to share to the Thales Group External Alliances (MinArm, ACN, InterCERT-FR). Distribution: All communities
+This TAG will insure you to share to the Thales Group External Alliances. Distribution: All communities
+Associated numerical value="2"
Exploit Alert
+Use it when you want to share to the Thales Group Customers. Distribution: All communities
+This TAG will insure you to share to the Thales Group Customers. Distribution: All communities
+Associated numerical value="3"
+This TAG will insure you that these Event Attributes will be blocked on the Thales DIS Proxy (More to come). Distribution: All communities
+This TAG will insure you to share ONLY to the Thales Group MinArm alliance. Distribution: All communities
+This TAG will insure you to share ONLY to the Thales Group ACN alliance. Distribution: All communities
+This TAG will insure you to share ONLY to the Thales Group Sigpart alliance. Distribution: All communities
+Distribution: All communities
++ + | ++Exclusive flag set which means the values or predicate below must be set exclusively. + | +
High
+Associated numerical value="8"
General Notification
+Medium
+Associated numerical value="9"
High Impact Vulnerabilities
+Low
Information Leakages
+Associated numerical value="10"
Malware Analysis
+Distribution: Restricted Sharing Group
Nefarious Domains
-Nefarious Forum Mention
-Pastebin Dumps
-Phishing Attempts
-PII Exposure
-Sensitive Information Disclosures
-Social Media Alerts
-Supply Chain Event
-Technical Exposure
-Threat Actor Updates
-Trigger Events
-Distribution: All communities
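Review bot: every thales_group value description says "insure" where "ensure" is meant ("+This TAG will insure you to share ONLY to the Thales Group Community. Distribution: All communities"), and "Organization" in the first value is spelled "organisation" in its own distribution note; fix both before the strings are frozen into the taxonomy. The distribution labels contradict the sharing intent: a tag documented as restricting an event to the Thales Group community, to one alliance, or to customers is labelled "Distribution: All communities", while the Malware Analysis alert entry correctly shows "+Distribution: Restricted Sharing Group"; if the restriction is enforced by a sharing group or sync filter rather than by the MISP distribution level, say so in the description, otherwise correct the label, because a user reading "All communities" will set the wrong distribution. "+This TAG will insure you that these Event Attributes will be blocked on the Thales DIS Proxy (More to come)." carries a "(More to come)" placeholder that should not ship in a published description, "+Distribution: All communities" stands on its own line with no value attached, and the numerical values jump from 1, 2, 3 to 8, 9, 10; if the ordering matters, document the gap. The header line also replaces threatmatch-alert-types with thales_group, and the removed ThreatMatch alert-type values are interleaved with the new Thales entries in this hunk, so check that the generated index still lists both namespaces.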
-threatmatch-incident-types namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. +threatmatch namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. |
The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
+The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
ATM Attacks
-ATM Breach
-Attempted Exploitation
-Botnet Activity
-Business Email Compromise
-Crypto Mining
-Data Breach/Compromise
-Data Dump
-Data Leakage
-DDoS
-Defacement Activity
-Denial of Service (DoS)
-Disruption Activity
-Espionage
-Espionage Activity
-Exec Targeting
-Exposure of Data
-Extortion Activity
-Fraud Activity
-General Notification
-Hacktivism Activity
-Malicious Insider
-Malware Infection
-Man in the Middle Attacks
-MFA Attack
-Mobile Malware
-Phishing Activity
-Ransomware Activity
-Social Engineering Activity
-Social Media Compromise
-Spear-phishing Activity
-Spyware
-SQL Injection Activity
-Supply Chain Compromise
-Trojanised Software
-Vishing
-Website Attack (Other)
-Unknown
-- - | --threatmatch-malware-types namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. - | -
The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
-Adware
-Backdoor
-Banking Trojan
-Botnet
-Destructive
-Downloader
-Exploit Kit
-Fileless Malware
-Keylogger
-Legitimate Tool
-Mobile Application
-Mobile Malware
-Point-of-Sale (PoS)
-Remote Access Trojan
-Rootkit
-Skimmer
-Spyware
-Surveillance Tool
-Trojan
-Virus
-Worm
-Zero-day
-Unknown
-- - | --threatmatch-sectors namespace available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy. - | -
The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
-Banking & capital markets
Financial Services
Insurance
Pension
Government & Public Service
Diplomatic Services
Energy, Utilities & Mining
Telecommunications
Technology
Academic/Research Institutes
Aerospace, Defence & Security
Agriculture
Asset & Wealth Management
Automotive
Business and Professional Services
Capital Projects & Infrastructure
Charity/Not-for-Profit
Chemicals
Commercial Aviation
Commodities
Education
Engineering & Construction
Entertainment & Media
Forest, Paper & Packaging
Healthcare
Hospitality & Leisure
Industrial Manufacturing
IT Industry
Legal
Metals
Pharmaceuticals & Life Sciences
Private Equity
Retail & Consumer
Semiconductors
Sovereign Investment Funds
Transport & Logistics
ATM Attacks
+ATM Breach
+Attempted Exploitation
+Botnet Activity
+Business Email Compromise
+Crypto Mining
+Data Breach/Compromise
+Data Dump
+Data Leakage
+DDoS
+Defacement Activity
+Denial of Service (DoS)
+Disruption Activity
+Espionage
+Espionage Activity
+Exec Targeting
+Exposure of Data
+Extortion Activity
+Fraud Activity
+General Notification
+Hacktivism Activity
+Malicious Insider
+Malware Infection
+Man in the Middle Attacks
+MFA Attack
+Mobile Malware
+Phishing Activity
+Ransomware Activity
+Social Engineering Activity
+Social Media Compromise
+Spear-phishing Activity
+Spyware
+SQL Injection Activity
+Supply Chain Compromise
+Trojanised Software
+Vishing
+Website Attack (Other)
+Unknown
+Adware
+Backdoor
+Banking Trojan
+Botnet
+Destructive
+Downloader
+Exploit Kit
+Fileless Malware
+Keylogger
+Legitimate Tool
+Mobile Application
+Mobile Malware
+Point-of-Sale (PoS)
+Remote Access Trojan
+Rootkit
+Skimmer
+Spyware
+Surveillance Tool
+Trojan
+Virus
+Worm
+Zero-day
+Unknown
+Actor Campaigns
+Credential Breaches
+DDoS
+Exploit Alert
+General Notification
+High Impact Vulnerabilities
+Information Leakages
+Malware Analysis
+Nefarious Domains
+Nefarious Forum Mention
+Pastebin Dumps
+Phishing Attempts
+PII Exposure
+Sensitive Information Disclosures
+Social Media Alerts
+Supply Chain Event
+Technical Exposure
+Threat Actor Updates
+Trigger Events
+is IOC
-is IOC
+
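Review bot: the file ends with "+is IOC" immediately followed by "-is IOC" and then an added empty line; the added line preceding the removed one suggests a reorder rather than a change, and the trailing blank line should be dropped. Merging the four ThreatMatch lists into one threatmatch namespace reintroduces values that now appear twice in the flat lists shown here: "+Mobile Malware" sits in both the incident-type block and the malware-type block, and "+Spyware", "+Unknown", "+DDoS" and "+General Notification" likewise; this is fine only if each copy lives under its own predicate (incident-type versus malware-type versus alert-type) so the machine tags stay unique, and the hunk shows no predicate headers, so confirm the JSON keeps them. "+Espionage" and "+Espionage Activity" are both retained as incident types with no stated distinction; pick one or define the difference. "-Banking & capital markets" is the only sector shown removed while the rest of the sector list is unchanged; confirm that removal is intentional and note it for users of the old tag, since events carrying it will no longer resolve.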