Associated numerical values: 1 = 20, 2 = 40, 3 = 60, 4 = 80, 5 = 100.
Sadistic/bestiality (numerical value 100): (a) pictures showing a child being tied, bound, beaten, whipped, or otherwise subjected to something that implies pain; (b) pictures where an animal is involved in some form of sexual behavior with a child.
Gross assault (numerical value 90): Grossly obscene pictures of sexual assault, involving penetrative sex, masturbation, or oral sex, involving an adult.
Assault (numerical value 80): Pictures of children being subjected to a sexual assault, involving digital touching, involving an adult.
Explicit sexual activity (numerical value 70): Involves touching, mutual and self-masturbation, oral sex, and intercourse by a child, not involving an adult.
Explicit erotic posing (numerical value 60): Emphasizing genital areas, where the child is posing either naked, partially clothed, or fully clothed.
Erotic posing (numerical value 50): Deliberately posed pictures of fully or partially clothed or naked children in sexualized or provocative poses.
Posing (numerical value 40): Deliberately posed pictures of children fully or partially clothed or naked (where the amount, context, and organization suggest sexual interest).
Erotica (numerical value 30): Surreptitiously taken photographs of children in play areas or other safe environments showing either underwear or varying degrees of nakedness.
Nudist (numerical value 20): Pictures of naked or seminaked children in appropriate nudist settings, and from legitimate sources.
Indicative (numerical value 10): Nonerotic and nonsexualized pictures showing children in their underwear, swimming costumes, and so on, from either commercial sources or family albums; pictures of children playing in normal settings, in which the context or organization of pictures by the collector indicates inappropriateness.
Generated within the company during incident/case related investigations or forensic analysis or via malware reversing, validated by humans and highly contextualized (numerical value 95).
Generated within the company, validated by a human prior to sharing; data points have been contextualized (to a degree), e.g. IPs are related to C2 or a drop site (numerical value 50).
Generated within the company by automated means without human interaction, e.g. by malware sandbox, honeypots, IDS, etc. (numerical value 10).
The ics namespace is available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy.
FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project
Programmable Logic Controller (PLC)
1. Computing device with user-programmable memory for storing the instructions that operate a physical process.
2. Various PLC types exist for different processes.
Remote Terminal Unit (RTU)
1. Data acquisition and control unit designed to support field sites and remote stations.
2. Wired and wireless communication capabilities.
3. No stored program logic.
Human-Machine Interface (HMI)
1. Hardware/software that operators use to interact with the control system.
2. Ranges from physical control panels to complete computer systems.
Sensors
Pressure, Temperature, Flow, Voltage, Optical, Proximity
Actuators
Variable Frequency Drive, Servo Drive, Valve, Circuit Breaker
Communications
Modems, Routers, Serial-to-Ethernet Converters, Switches
Supervisory Level Devices
1. Control Server (supervisory system that hosts the control software used to manage lower-level control devices such as PLCs).
2. Data Historian (centralized database for information about the process, control activity and status records).
3. Engineering workstations (used for creating and revising control systems and programs, incl. project files).
RTOS
Please see the URL reference; there are too many to list here. These operating systems are also referred to as firmware. https://en.wikipedia.org/wiki/Comparison_of_real-time_operating_systems
Linux Embedded Base OS
Yocto, Buildroot, OpenWRT, B&R Linux, Scientific Linux, Raspbian, Android
BSD
NetBSD (NetBSD Embedded Systems), FreeBSD (modified, e.g. Orbis OS)
Microsoft
Windows 10 IoT Enterprise, Windows Embedded 8.1 Industry Professional, Windows 7 Professional/Ultimate, Windows Embedded Standard 7, Windows Embedded Standard 2009, Windows CE 6.0
RS-232 (comm port)
Serial communication; a full implementation comprises 2 data lines, 6 control lines and one ground.
RS-422, RS-423 or RS-485
RS-422 is compatible with RS-232 and is used where long distances are required: it can drive up to 1200 m at 100 kbit/s, and up to 1 Mbit/s over short distances. RS-422 uses a differential driver and a four-conductor cable, and up to ten receivers can be placed on a multi-dropped network or bus. RS-485 is like RS-422, but RS-422 allows just one driver with multiple receivers whereas RS-485 supports multiple drivers and receivers; RS-485 also allows up to thirty-two (32) multi-dropped receivers or transmitters on a network or bus. At 90 kbit/s the maximum cable length is 1250 m, and at 10 Mbit/s it is 15 m. The devices are half-duplex in the usual two-wire configuration (i.e. they send or receive, but not both at the same time). For more nodes or longer distances, repeaters can regenerate the signals and begin a new RS-485 segment.
IEEE-488 (GPIB)
Originally known as the Hewlett-Packard HP-IB, it was renamed GPIB (General Purpose Interface Bus) when standardized as IEEE-488 (1975). The IEEE-488 interface comprises 8 data lines, 8 control lines and 8 ground lines. Up to 15 devices can be interconnected on one bus. Each device is assigned a unique primary address, ranging from 4 to 30, by setting the address switches on the device. Devices are linked in either a daisy-chain or star (or some combination) configuration with up to 20 m of shielded 24-conductor cable. A maximum separation of 4 m is specified between any two devices, and an average of 2 m over the entire bus. The data transfer rate can be up to 1 Mbyte/s. Three types of devices can be connected to an IEEE-488 bus: Listeners, Talkers, and Controllers.
IEEE-1394 (FireWire)
IEEE-1394 defines a serial interface whose bus cable can also power devices. FireWire transmits data in packets and incurs some overhead as a result. FireWire isochronous cycles are 125 µs long, which means that despite a 'headline' transfer speed of 400 Mbit/s, FireWire can be substantially slower in responding to instruments' service requests. FireWire uses a peer-to-peer protocol, similar to IEEE-488. Using standard cable, the maximum-length bus comprises 16 hops of 4.5 m each. Each hop connects two devices, but each physical device can contain four logical nodes. A FireWire cable contains two twisted pairs (signals and clock) and two untwisted conductors (power and ground).
USB (Universal Serial Bus)
USB's bus topology and host-target protocol mean that giving existing PC-based instruments a USB port is not as trivial as it could be, but instruments with USB ports are coming onto the ICS market in increasing numbers. USB 1.1 offers serial data transmission, device powering, and data sent in 1 ms frames, at 1.5 and 12 Mbit/s. An individual device can use the bus for a maximum of 50% of the time; in practice, the maximum rate is not more than 0.6 Mbyte/s. The USB 2.0 specification was released in 2000. In addition to increasing the signaling rate from 12 Mbit/s to 480 Mbit/s, the specification describes a more advanced feature set and uses bandwidth more efficiently than 'Classic' USB. Version 2 of USB seems likely to prevent IEEE 1394 from becoming widely adopted in instrument systems.
Ethernet
Instruments with Ethernet interfaces have the great advantage that they can be accessed and controlled from a desktop anywhere in the world. A web-enabled ICS device can be operated with a standard browser. Systems whose communications are based on this interface can make use of existing Ethernet networks, and connecting an instrument directly to the internet makes sharing of data easy. Fast data transfer is possible. However, a device connected to the public internet is difficult to secure or to keep secure, and a full evaluation of the risks involved in using this interface is essential.
Others
Other communication interfaces not listed.
+AS-i
+BSAP
+CC-Link Industrial Networks
+CIP
+CAN bus
+ControlNet
+DF-1
+DirectNET
+EtherCAT
+Ethernet Global Data (EGD)
+Ethernet Powerlink
+EtherNet/IP
+Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)
+Factory Instrumentation Protocol
+FINS
+FOUNDATION fieldbus (H1 HSE)
+GE SRTP
+HART Protocol
+Honeywell SDS
+HostLink
+INTERBUS
+IO-Link
+MECHATROLINK
+MelsecNet
+Modbus
+Optomux
+PieP
+Profibus
+PROFINET IO
+RAPIEnet
+SERCOS interface
+SERCOS III
+Sinec H1
+SynqNet
+TTEthernet
+TCP/IP
+IEC 60870
+DNP3
+Factory Instrumentation Protocol
+IEC 61850
+IEC 62351
+Modbus
+Profibus
+1-Wire
+BACnet
+C-Bus
+CEBus
+DALI
+DSI
+DyNet
+Factory Instrumentation Protocol
+KNX
+LonTalk
+Modbus
+oBIX
+VSCP
+X10
+xAP
+xPL
+ZigBee
+MTConnect
+OPC DA
+OPC HDA
+OPC UA
+ANSI C12.18
+IEC 61107
+DLMS/IEC 62056
+M-Bus
+Modbus
+ZigBee
+ARINC 429
+CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)
+Factory Instrumentation Protocol
+FlexRay
+IEBus
+J1587
+J1708
+Keyword Protocol 2000
+Unified Diagnostic Services
+LIN
+MOST
+VAN
Message Authentication
Authentication in the protocols used is attacked and falsified commands can be sent.
Message Integrity Checking
The message part of the sent protocol is maliciously tampered with.
Message Encryption
Self explanatory, i.e. weak encryption is attacked.
Command Injection
Either remote or local command injection. Local injection can be timer-triggered under tampered firmware.
Replay Attack
Self explanatory.
Man in the middle (MITM) Attack
Self explanatory.
Undocumented instructions
Vendors leave instructions used for development or troubleshooting in the device; these are eventually leaked and used to perform malicious activities on the devices.
Vendor proprietary protocols
Internal vendor protocols used for development or troubleshooting that are used maliciously in an attack.
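The first four attack types above (no message authentication, no integrity check, command injection, replay) are concrete on Modbus, which appears in the protocol lists above: a Modbus/TCP frame is a 7-byte MBAP header plus a PDU and carries no authentication field, so a monitor can only attribute a write to a TCP source address. The following Python is an added example, not code from the FIRST.ORG CTI SIG proposal or from MISP: it parses Modbus/TCP request frames, flags write function codes from hosts outside an allowlist (command injection) and byte-identical write frames seen a second time (replay). The host addresses, the allowlist and the traffic are constructed for the example, and the function names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Modbus/TCP frame = 7-byte MBAP header (transaction id, protocol id, length,
# unit id) followed by the PDU (function code + data). There is no
# authentication field, so the only "identity" is the TCP source address.
MBAP = struct.Struct(">HHHB")

# Function codes that change process state; reads are deliberately not listed.
WRITE_FUNCTIONS: Dict[int, str] = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    src: str            # TCP source address the frame arrived from
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request, rejecting frames whose MBAP length field lies."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts the unit id plus the PDU: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(src, tid, unit, frame[7], bytes(frame[8:]))


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Function code 6: write one 16-bit holding register (used to build sample traffic)."""
    pdu = struct.pack(">BHH", 6, address, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding_registers(tid: int, unit: int, address: int, count: int) -> bytes:
    """Function code 3: read `count` holding registers (used to build sample traffic)."""
    pdu = struct.pack(">BHH", 3, address, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def audit(frames: List[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Flag write requests from hosts outside the allowlist (command injection)
    and byte-identical write requests seen a second time (replay)."""
    alerts: List[str] = []
    seen_writes: Dict[Tuple[int, int, int, bytes], str] = {}
    for src, raw in frames:
        req = parse_modbus_tcp(src, raw)
        if req.function not in WRITE_FUNCTIONS:
            continue  # reads are left alone: a poller may legitimately reuse transaction ids
        name = WRITE_FUNCTIONS[req.function]
        key = (req.transaction_id, req.unit_id, req.function, req.data)
        if key in seen_writes:
            alerts.append(f"replay: {src} resent transaction {req.transaction_id} "
                          f"({name}) first seen from {seen_writes[key]}")
        else:
            seen_writes[key] = src
        if src not in allowed_writers:
            alerts.append(f"unauthorized write: {src} sent {name} to unit {req.unit_id}")
    return alerts


# Constructed traffic (not a real capture): hypothetical engineering workstation
# 10.0.1.10, HMI 10.0.1.20 and a rogue host 10.0.9.99 talking to unit 1.
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    ("10.0.1.10", build_write_single_register(1, 1, 0x0010, 1)),    # legitimate write
    ("10.0.1.20", build_read_holding_registers(7, 1, 0x0000, 10)),  # HMI poll
    ("10.0.9.99", build_write_single_register(3, 1, 0x0010, 0)),    # injected write
    ("10.0.9.99", build_write_single_register(1, 1, 0x0010, 1)),    # replay of frame 1
]
ALLOWED_WRITERS: Set[str] = {"10.0.1.10"}

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(line)
```

The allowlist check is the only control available at this layer because the frame itself proves nothing about its origin; an attacker who can spoof or sit on the engineering workstation's address passes it. Replay detection is restricted to write function codes, since many masters reuse transaction ids for periodic reads and would otherwise flood the alert list.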
The phishing namespace is available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP taxonomy.
Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.
+Phishing techniques used.
+Social engineering fake website
+Adversary controls a fake website to phish for credentials or information.
+Social engineering email spoofing
+Adversary sends email with domains related to target. Adversary controls the domains used.
+Clone phishing
+Adversary clones an email to target potential victims with duplicated content.
+Voice phishing
+Adversary uses voice-based techniques to trick a potential victim to give credentials or sensitive information. This is also known as vishing.
+Social engineering search engines abuse
+Adversary controls the search engine result to get an advantage
+SMS phishing
+Adversary sends an SMS to potential victims to gather sensitive information or to use another phishing technique at a later stage.
+How the phishing is distributed.
+Spear phishing
+Adversary attempts targeted phishing to a user or a specific group of users based on knowledge known by the adversary.
+Bulk phishing
+Adversary attempts to target a large group of potential targets without specific knowledge of the victims.
+How the phishing information was reported.
+Manual reporting
+Phishing reported by a human (e.g. tickets, manual reporting).
+Automatic reporting
+Phishing collected by automatic reporting (e.g. phishing report tool, API).
+Origin or source of the phishing information such as tools or services.
+url-abuse
+CIRCL url-abuse service.
+lookyloo
+CIRCL lookyloo service.
+Phishtank
+Phishtank service.
+Spambee
+C-3 Spambee service.
+Action(s) taken related to the phishing tagged with this taxonomy.
+Take down
+Take down notification sent to the operator where the phishing infrastructure is hosted.
+Pending law enforcement request
+Law enforcement requests are ongoing on the phishing infrastructure.
+Pending dispute resolution
+Dispute resolution sent to competent authorities (e.g. domain authority, trademark dispute).
+State of the phishing.
Phishing state is unknown or cannot be evaluated (numerical value 50).
Phishing state is active and actively used by the adversary (numerical value 100).
Phishing state is known to be down.
+Quality of the phishing by its level of acceptance by the target.
Phishing acceptance rate is unknown.
Phishing acceptance rate is low (numerical value 25).
Phishing acceptance rate is medium (numerical value 50).
Phishing acceptance rate is high (numerical value 75).
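The numerical values attached to the state and acceptance-rate entries above live in the taxonomy's machinetag.json, the JSON form that the page says can be reused in applications. The following Python is an added example, not code from the misp-taxonomies project: it loads a constructed subset of such a file (the numerical values are the ones listed on this page; the flat `reported` predicate is a hypothetical addition to show a predicate without values), expands it into MISP machine tags of the form namespace:predicate="value", and resolves a tag back to its numerical_value. The function names are assumptions.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of a MISP machinetag.json modelled on the phishing namespace
# above. Illustrative only; not the project's own file. The "reported" predicate
# is hypothetical and exists to exercise the flat-tag case.
TAXONOMY_JSON = r'''
{
  "namespace": "phishing",
  "description": "Taxonomy to classify phishing attacks.",
  "version": 1,
  "predicates": [
    {"value": "state", "expanded": "State", "description": "State of the phishing."},
    {"value": "psychological-acceptability-rate", "expanded": "Psychological acceptability rate"},
    {"value": "reported", "expanded": "Reported (hypothetical flat predicate)"}
  ],
  "values": [
    {"predicate": "state", "entry": [
      {"value": "unknown", "expanded": "Phishing state is unknown or cannot be evaluated", "numerical_value": 50},
      {"value": "active", "expanded": "Phishing state is active and actively used by the adversary", "numerical_value": 100},
      {"value": "down", "expanded": "Phishing state is known to be down"}
    ]},
    {"predicate": "psychological-acceptability-rate", "entry": [
      {"value": "unknown", "expanded": "Phishing acceptance rate is unknown."},
      {"value": "low", "expanded": "Phishing acceptance rate is low.", "numerical_value": 25},
      {"value": "medium", "expanded": "Phishing acceptance rate is medium.", "numerical_value": 50},
      {"value": "high", "expanded": "Phishing acceptance rate is high.", "numerical_value": 75}
    ]}
  ]
}
'''

# namespace:predicate or namespace:predicate="value"; hyphens are allowed in both parts.
TAG_RE = re.compile(r'^([^:="\s]+):([^:="\s]+)(?:="([^"]*)")?$')


def parse_tag(tag: str) -> Tuple[str, str, Optional[str]]:
    """Split a machine tag into (namespace, predicate, value); value is None for flat tags."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return m.group(1), m.group(2), m.group(3)


def load_taxonomy(text: str) -> Tuple[str, Dict[str, Dict[str, dict]]]:
    """Return the namespace and an index predicate -> {value -> entry dict}."""
    tax = json.loads(text)
    index: Dict[str, Dict[str, dict]] = {p["value"]: {} for p in tax["predicates"]}
    for block in tax.get("values", []):
        index[block["predicate"]] = {e["value"]: e for e in block["entry"]}
    return tax["namespace"], index


def expand_tags(text: str) -> List[str]:
    """List every tag the taxonomy defines, the way MISP enables a taxonomy."""
    ns, index = load_taxonomy(text)
    tags: List[str] = []
    for predicate, entries in index.items():
        if not entries:
            tags.append(f"{ns}:{predicate}")  # predicate without values is itself a tag
        for value in entries:
            tags.append(f'{ns}:{predicate}="{value}"')
    return tags


def numerical_value(text: str, tag: str) -> Optional[int]:
    """Resolve a tag to its numerical_value; None when the entry defines none.
    Unknown namespaces, predicates or values raise KeyError rather than scoring 0."""
    ns, index = load_taxonomy(text)
    tns, predicate, value = parse_tag(tag)
    if tns != ns:
        raise KeyError(f"tag {tag!r} is not in namespace {ns!r}")
    if predicate not in index:
        raise KeyError(f"unknown predicate {predicate!r}")
    entries = index[predicate]
    if value is None:
        if entries:
            raise KeyError(f"predicate {predicate!r} requires a value")
        return None
    if value not in entries:
        raise KeyError(f"unknown value {value!r} for predicate {predicate!r}")
    return entries[value].get("numerical_value")


def highest_score(text: str, tags: List[str]) -> Optional[int]:
    """Largest numerical_value among the given tags, ignoring entries without one."""
    scores = [s for s in (numerical_value(text, t) for t in tags) if s is not None]
    return max(scores) if scores else None


if __name__ == "__main__":
    for t in expand_tags(TAXONOMY_JSON):
        print(t, numerical_value(TAXONOMY_JSON, t))
```

Rejecting unknown values with an exception instead of returning 0 matters when the numerical value feeds a scoring or triage rule: a typo in a tag should surface as an error, not silently rank an active phishing site as harmless.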
The principle of persuasion used during the attack to increase psychological acceptability.
Society trains people not to question authority, so they are conditioned to respond to it. People usually follow an expert or a pretense of authority and will do a great deal for someone they think is an authority.
People tend to mimic what the majority of people do or seem to be doing. People let their guard and suspicion down when everyone else appears to share the same behaviours and risks; in this way, they will not be held solely responsible for their actions.
People prefer to comply with those whom (they think) they know or like, or whom they are similar to, familiar with, or attracted to.
People feel more confident in their decision once they commit (publicly) to a specific action and feel the need to follow it through to the end. This is true whether in the workplace or in a situation where their action is illegal. People tend to believe what others say and need, and want to appear consistent in what they do, for instance when they owe a favour: there is an automatic response of repaying a favour.
People focus on one thing and ignore other things that may happen without them noticing; they focus attention on what they can gain, what they need, what they can lose or miss out on, or on whether that thing will soon be unavailable, has been censored or restricted, or will be more expensive later. These distractions can heighten people's emotional state and make them forget other logical facts to consider when making decisions.
Not targeted, e.g. spam or financially motivated malware.
Associated numerical values: 1 = 25, 2 = 50, 3 = 65, 4 = 85, 5 = 100.
Associated numerical values: 1.25 = 25, 1.5 = 50, 1.75 = 75, 2 = 100.
State describes the different states of the information or data being tagged.