spam

Spam or ‘unsolicited bulk e-mail’, meaning that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having identical content.

Harmful Speech

Discretization or discrimination of somebody (e.g. cyber stalking, racism and threats against one or more individuals) May be found on a forum, email, tweet etc…

Child/Sexual/Violence/…​

Any Child pornography, glorification of violence, may be found on a website, forum, email, tweet etc…

Virus

Malicious code that replicate itself and infects the computer and files;

Worm

Malware that self-replicates and spread itself to other computers in the network without any user interaction;

Ransomware

Ransomware is a type of malicious software from cryptovirology that blocks access to the victim’s data or threatens to publish it until a ransom is paid.

Trojan/Malware

This category regroups many common malware types (Banking, POS, Mining malware).

Spyware/Rat

This category regroups malware types and tools that may have a bigger impact on the breached infrastructure and usually need further investigations (Common Spyware/Rat, State sponsored malwares, StealersHacking tool).

Dialer

Computer program used to identify the phone numbers that can successfully make a connection with a computer modem. Use this category to classify overpriced SMS sent by malicious mobile application.

Rootkit

Malware, which alter the standard functionality of an operating system in order to do its malicious actions in a stealthy way. In practice, Rootkits hijacks systems functions in order to alter the returning values to hide themselves from simple analysis tools.

Scanning

Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT,).

Sniffing

Observing and recording network traffic (wiretapping).

Social Engineering

Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats).

Exploiting known vulnerabilities

An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (eg, buffer overflow, backdoors, cross side scripting, etc).

Login attempts

Multiple login attempts (guessing / cracking of passwords, brute force).

New attack signature

An attempt using an unknown exploit.

Privileged Account Compromise

A successful full compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access.

Unprivileged Account Compromise

A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. The intruded did not achieve to escale his privileges locally.

Botnet member

The compromised asset is also being part of a botnet. This is reserved mainly for public web servers. See malicious code in priority for workstations or internal server’s compromise. For example, phpmailer, etc…

Domain Compromise

The whole domain is compromised; this is commonly used for active directory and detected by a “pass the ticket” attack or a discovery of “ad dumps” files.

Application Compromise

An application is compromised; the attacker possess an uncontrolled access to data, server, and assets used by this application (CMDB, DB, Backend services, etc.).

DoS

An attacker attempts to prevent legitimate users from accessing information or services.

DDoS

Form of electronic attack involving multiple computers, which send repeated requests (HTTP requests, pings, TCP or UDP Flood) to a server to load it down and render the service inaccessible for a period of time.

Sabotage

Deliberate and malicious acts that result in the disruption of the normal processes and functions or the destruction or damage of equipment or information.

Outage (no malice)

Unavailability of the system but done with no malice.

Unauthorised access to information

Any access to unauthorized data. It may be access of data on improperly restricted server share or database exfiltered by using a SQLi.

Unauthorised modification of information

Unauthorized tampering of data on files, documents or database.

Copyright

Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).

Masquerade

Types of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it. This attack may be used for president fraud requesting transactions.

Phishing

Masquerading as another entity in order to persuade the user to reveal a private credential.

Open for abuse

Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc. This includes for example default SNMP community or default password on any application.

Regulator

All lack about regulator rules (CSSF, GDPR, etc.).

Standard

All lack about standards certification of the company (ISO27000, NIS, ISAE3402, etc.).

Security policy

All lack about the internal security policy of the company.

Other

All lack that do not fit in one of previous categories should be put on this class.

other

All incidents that do not fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.

Andorra

United Arab Emirates

Afghanistan

Antigua and Barbuda

Anguilla

Albania

Armenia

Angola

Antarctica

Argentina

American Samoa

Austria

Australia

Aruba

Aland Islands

Azerbaijan

Bosnia and Herzegovina

Barbados

Bangladesh

Belgium

Burkina Faso

Bulgaria

Bahrain

Burundi

Benin

Saint-Barthelemy

Bermuda

Brunei Darussalam

Bolivia

Bonaire, Saint Eustatius and Saba

Brazil

Bahamas

Bhutan

Bouvet Island

Botswana

Belarus

Belize

Canada

Cocos (Keeling) Islands

Congo, Democratic Republic of the

Central African Republic

Congo

Switzerland

Cote d’Ivoire

Cook Islands

Chile

Cameroon

China

Colombia

Costa Rica

Cuba

Cape Verde

Curacao

Christmas Island

Cyprus

Czech Republic

Germany

Djibouti

Denmark

Dominica

Dominican Republic

Algeria

Ecuador

Estonia

Egypt

Western Sahara

Eritrea

Spain

Ethiopia

Finland

Fiji

Faeroe Islands

Micronesia (Federated States of)

Falkland Islands (Malvinas)

France

Gabon

United Kingdom

Grenada

Georgia

French Guiana

Guernsey

Ghana

Gibraltar

Greenland

Gambia

Guinea

Guadeloupe

Equatorial Guinea

Greece

South Georgia and the South Sandwich Islands

Guatemala

Guam

Guinea-Bissau

Guyana

Hong Kong

Heard Island and McDonal Islands

Honduras

Croatia

Haiti

Hungary

Indonesia

Ireland

Israel

Isle of Man

India

British Virgin Islands

Iraq

Iran (Islamic Republic of)

Iceland

Italy

Jersey

Jamaica

Jordan

Japan

Kenya

Kyrgyzstan

Cambodia

Kiribati

Comoros

Saint Kitts and Nevis

Korea, Democratic People’s Republic of

Korea, Republic of

Kuwait

Cayman Islands

Kazakhstan

Lao People’s Democratic Republic

Lebanon

Saint Lucia

Liechtenstein

Sri Lanka

Liberia

Lesotho

Lithuania

Luxembourg

Latvia

Libya

Morocco

Monaco

Moldova, Republic of

Montenegro

Saint Martin (French part)

Madagascar

Marshall Islands

Macedonia, The former Yugoslav Republic of

Mali

Myanmar

Mongolia

Macao

Northern Mariana Islands

Martinique

Mauritania

Montserrat

Malta

Mauritius

Maldives

Malawi

Mexico

Malaysia

Mozambique

Namibia

New Caledonia

Niger

Norfolk Island

Nigeria

Nicaragua

Netherlands

Norway

Nepal

Nauru

Niue

New Zealand

Oman

Other

Panama

Peru

French Polynesia

Papua New Guinea

Philippines

Pakistan

Poland

Saint Pierre and Miquelon

Pitcairn

Puerto Rico

Palestinian Territory, Occupied

Portugal

Palau

Paraguay

Qatar

Reunion

Romania

Serbia

Russian Federation

Rwanda

Saudi Arabia

Solomon Islands

Seychelles

Sudan

Sweden

Singapore

Saint Helena

Slovenia

Svalbard and Jan Mayen Islands

Slovakia

Sierra Leone

San Marino

Senegal

Somalia

Suriname

South Sudan

Sao Tome and Principe

El Salvador

Sint Maarten (Dutch part)

Syrian Arab Republic

Swaziland

Turks and Caicos Islands

Chad

French Southern Territories

Togo

Thailand

Tajikistan

Tokelau

Timor-Leste

Turkmenistan

Tunisia

Tonga

Turkey

Trinidad and Tobago

Tuvalu

Taiwan, Province of China

Tanzania, United Republic of

Ukraine

Uganda

United States Minor Outlying Islands

United States of America

Uruguay

Uzbekistan

Unknown

Holy See

Saint Vincent and the Grenadines

Venezuela (Bolivarian Republic of)

British Virgin Islands

United States Virgin Islands

Viet Nam

Vanuatu

Wallis and Futuna Islands

Samoa

Yemen

Mayotte

South Africa

Zambia

Zimbabwe

Andorra

United Arab Emirates

Afghanistan

Antigua and Barbuda

Anguilla

Albania

Armenia

Angola

Antarctica

Argentina

American Samoa

Austria

Australia

Aruba

Aland Islands

Azerbaijan

Bosnia and Herzegovina

Barbados

Bangladesh

Belgium

Burkina Faso

Bulgaria

Bahrain

Burundi

Benin

Saint-Barthelemy

Bermuda

Brunei Darussalam

Bolivia

Bonaire, Saint Eustatius and Saba

Brazil

Bahamas

Bhutan

Bouvet Island

Botswana

Belarus

Belize

Canada

Cocos (Keeling) Islands

Congo, Democratic Republic of the

Central African Republic

Congo

Switzerland

Cote d’Ivoire

Cook Islands

Chile

Cameroon

China

Colombia

Costa Rica

Cuba

Cape Verde

Curacao

Christmas Island

Cyprus

Czech Republic

Germany

Djibouti

Denmark

Dominica

Dominican Republic

Algeria

Ecuador

Estonia

Egypt

Western Sahara

Eritrea

Spain

Ethiopia

Finland

Fiji

Faeroe Islands

Micronesia (Federated States of)

Falkland Islands (Malvinas)

France

Gabon

United Kingdom

Grenada

Georgia

French Guiana

Guernsey

Ghana

Gibraltar

Greenland

Gambia

Guinea

Guadeloupe

Equatorial Guinea

Greece

South Georgia and the South Sandwich Islands

Guatemala

Guam

Guinea-Bissau

Guyana

Hong Kong

Heard Island and McDonal Islands

Honduras

Croatia

Haiti

Hungary

Indonesia

Ireland

Israel

Isle of Man

India

British Virgin Islands

Iraq

Iran (Islamic Republic of)

Iceland

Italy

Jersey

Jamaica

Jordan

Japan

Kenya

Kyrgyzstan

Cambodia

Kiribati

Comoros

Saint Kitts and Nevis

Korea, Democratic People’s Republic of

Korea, Republic of

Kuwait

Cayman Islands

Kazakhstan

Lao People’s Democratic Republic

Lebanon

Saint Lucia

Liechtenstein

Sri Lanka

Liberia

Lesotho

Lithuania

Luxembourg

Latvia

Libya

Morocco

Monaco

Moldova, Republic of

Montenegro

Saint Martin (French part)

Madagascar

Marshall Islands

Macedonia, The former Yugoslav Republic of

Mali

Myanmar

Mongolia

Macao

Northern Mariana Islands

Martinique

Mauritania

Montserrat

Malta

Mauritius

Maldives

Malawi

Mexico

Malaysia

Mozambique

Namibia

New Caledonia

Niger

Norfolk Island

Nigeria

Nicaragua

Netherlands

Norway

Nepal

Nauru

Niue

New Zealand

Oman

Other

Panama

Peru

French Polynesia

Papua New Guinea

Philippines

Pakistan

Poland

Saint Pierre and Miquelon

Pitcairn

Puerto Rico

Palestinian Territory, Occupied

Portugal

Palau

Paraguay

Qatar

Reunion

Romania

Serbia

Russian Federation

Rwanda

Saudi Arabia

Solomon Islands

Seychelles

Sudan

Sweden

Singapore

Saint Helena

Slovenia

Svalbard and Jan Mayen Islands

Slovakia

Sierra Leone

San Marino

Senegal

Somalia

Suriname

South Sudan

Sao Tome and Principe

El Salvador

Sint Maarten (Dutch part)

Syrian Arab Republic

Swaziland

Turks and Caicos Islands

Chad

French Southern Territories

Togo

Thailand

Tajikistan

Tokelau

Timor-Leste

Turkmenistan

Tunisia

Tonga

Turkey

Trinidad and Tobago

Tuvalu

Taiwan, Province of China

Tanzania, United Republic of

Ukraine

Uganda

United States Minor Outlying Islands

United States of America

Uruguay

Uzbekistan

Unknown

Holy See

Saint Vincent and the Grenadines

Venezuela (Bolivarian Republic of)

British Virgin Islands

United States Virgin Islands

Viet Nam

Vanuatu

Wallis and Futuna Islands

Samoa

Yemen

Mayotte

South Africa

Zambia

Zimbabwe

Government: Civilian

The governing body and functions of a state, including national leaders, institutions, and non-military departments and agencies. Includes incumbent politicians running for re-election.

Government: Military

Military departments and agencies which enjoy the sanctioned use of force

Political Party

Organized competitors for political power who can obtain or wield power directly. Includes politicians currently in office, as well as non-incumbent politicians running for office who are associated with a political party. Can also be an individual working for a party.

Non-State Political Actor

Organized competitors for political power who can obtain or wield power, even if indirectly; not necessarily enfranchised. Non-state political actors are formally organized, coordinated, and cohesive. e.g. Greenpeace, the NRA, or the KKK.

Business

Includes groups that contract out to the government, individuals looking for financial gain, and mercenaries.

Influential Individuals

Individuals who are influential but who do not belong to a ruling government coalition. Includes groups of individuals who are not formally organized but work together. e.g. journalists, former politicians, or organized 4channers. For individuals who operate their own charitable foundations (and thus could be placed in Non-State Political Actor), coding depends on whether or not the disinformation is foremost targeting the individual, their foundation, or both.

Electorate

The enfranchised population in a specific country or within a demarcated boundary.

Racial

A specific minority/majority group.

Ethnic

A specific minority/majority group.

Sexual Identity Group

A specific minority/majority group.

Religious

A specific minority/majority group.

Inter-State War

Threshold is 1,000 conflict deaths. Use COW data for 2007 and before. 2008 and after, supplement with research.

Extra-State War

Threshold is 1,000 conflict deaths. Use COW data for 2007 and before.

Intra-State War

Threshold is 1,000 conflict deaths. Use COW data for 2007 and before. 2008 and after, supplement with research.

Non-State War

War in non-state territory or across state borders. Threshold is 1,000 conflict deaths. Use COW data for 2007 and before. 2008 and after, supplement with research.

Federal Election

Includes elections at province, municipality, administrative region, department, prefecture, and local levels.

State Election

Includes elections at province, municipality, administrative region, department, prefecture, and local levels.

State Media

Includes “state-adjacent” media, operated by government proxies or otherwise beholden to the state.

Independent Media

Media institutions that are not beholden to the government and can be reasonably assessed to score > 60 by the NewsGuard rating process.

Junk News Websites

A website that trafficks in deceptive headlines, fails to correct errors, avoids disclosure of funding sources, and avoids labeling advertisements. One that can be reasonably assessed to score < 60 by the NewsGuard rating process.

Facebook

Social media accounts created by the disinformants for deceptive purposes.

Instagram

Social media accounts created by the disinformants for deceptive purposes.

Twitter

Social media accounts created by the disinformants for deceptive purposes.

YouTube

Social media accounts created by the disinformants for deceptive purposes.

LinkedIn

Social media accounts created by the disinformants for deceptive purposes.

Reddit

Social media accounts created by the disinformants for deceptive purposes.

VK

Social media accounts created by the disinformants for deceptive purposes.

Forum

Social media accounts created by the disinformants for deceptive purposes.

Other

Social media accounts created by the disinformants for deceptive purposes.

WhatsApp

Messaging platforms used by the disinformants for deceptive purposes.

Telegram

Messaging platforms used by the disinformants for deceptive purposes.

Signal

Messaging platforms used by the disinformants for deceptive purposes.

Line

Messaging platforms used by the disinformants for deceptive purposes.

WeChat

Messaging platforms used by the disinformants for deceptive purposes.

SMS

Messaging platforms used by the disinformants for deceptive purposes.

Other

Messaging platforms used by the disinformants for deceptive purposes.

Advertisement

Advertisements purchased by disinformants to disseminate a message of disinformation. Includes ads on social media and the open web.

Email

Email used by the disinformants for deceptive purposes.

Other

Other platforms used by the disinformants for deceptive purposes.

English

The language of the disinformation.

Russian

The language of the disinformation.

French

The language of the disinformation.

Chinese

The language of the disinformation.

German

The language of the disinformation.

Spanish

The language of the disinformation.

Hindi

The language of the disinformation.

Portuguese

The language of the disinformation.

Bengali

The language of the disinformation.

Japanese

The language of the disinformation.

Turkish

The language of the disinformation.

Polish

The language of the disinformation.

Ukrainian

The language of the disinformation.

Arabic

The language of the disinformation.

iranian-persian

The language of the disinformation.

Government

Subject evident in the campaign.

Mility

Subject evident in the campaign.

Political Party

Subject evident in the campaign.

Elections

Subject evident in the campaign.

Non-State Political Actor

Subject evident in the campaign.

Business

Subject evident in the campaign.

Influential Individuals

Subject evident in the campaign.

Racial

Subject evident in the campaign.

Ethnic

Subject evident in the campaign.

Religious

Subject evident in the campaign.

Sexual Identity Group

Subject evident in the campaign.

Terrorism

Subject evident in the campaign.

Immigration

Subject evident in the campaign.

Economic Issue

Subject evident in the campaign.

Other

Subject evident in the campaign.

Brigading

Patriotic trolls or organic coordination in which disinformants seemingly operate under their real identities. A concentrated effort by one online group to manipulate another, e.g. through mass-commenting a certain message.

Sockpuppets

Inauthentic social media accounts used for the purpose of deception which evidence a high likelihood of human operation. This includes catfishing and other highly tailored operations conducted under inauthentic personas.

Botnets

Inauthentic social media accounts used for the purpose of deception which evidence a high likelihood of automation. These accounts evidence no sustained human intervention beyond the effort necessary to program them initially. They often form large networks for the purpose of inauthentic amplification. This includes both fresh and repurposed accounts.

Search Engine Manipulation

Undermining search engine optimization techniques with the intention of creating an inorganic correlation of search queries and results. Often realized by way of cooperative efforts by online communities. e.g. “Google Bombing.” May also include typosquatting with the intention to mislead or redirect to another URL.

Hacking: DDos

Distributed denial-of-service. Malicious attempt to disrupt server traffic. In the context of political disinformation campaigns, this is intended to make it more difficult for the target to launch an effective counter-messaging effort.

Hacking: Data Exfiltration

The unauthorized movement of data. In the context of political disinformation campaigns, this is the acquisition of sensitive information through spearphishing or similar techniques that can be subsequently released by the disinformant to boost their messaging effort.

Deceptive Content Manipulation: Deep Learning Processes

Any content that has been deceptively edited by use of Photoshop or similar software. This includes the deceptive co-option and re-use of extant media branding and style guides. This does not include the use of deep learning processes.

Other

Inauthentic social media accounts used for the purpose of deception which evidence a high likelihood of human operation. This includes catfishing and other highly tailored operations conducted under inauthentic personas.

Constructive: Activate

Bandwagon, pander, ignite. e.g., “If you love Mr. Trump, RT this.”

Constructive: Astroturf

Artificial consensus-building, inflation, or amplification. Also called a “Potemkin Village.” e.g., “The #1 trending hashtag can’t be wrong.”

Destructive: Suppress

Harass, intimidate, exhaust. Often targets influential individuals.

Destructive: Discredit

Libel, leak, tarnish. Often targets government, political parties, elections, or other institutions.

Oblique: Troll

Confusion by way of discourse infiltration and targeted distraction. Conscious efforts by disinformants to derail political movements through tailored engagement.

Oblique: Flood

Confusion by way of hashtag invasion and mass noise generation. The hijacking of an online political movement through appropriation of an existing hashtag and addition of large quantity of unrelated material.

Government: Direct Attribution

Public, definitive attribution to a national government by a social media platform or trusted government entity. These entities have access to signals intelligence and other publicly unavailable information.

Government: Proxy/Inferred Attribution

Informed attribution to a government or government-adjacent proxy in which definitive proof is absent. Such attribution is based on open-source data and inference. This includes attribution to political parties, non-state political actors, businesses, and influential individuals who are suspected to be working at the government’s direction.

Political Party

Organized competitors for political power who can obtain or wield power directly. Includes politicians currently in office, as well as non-incumbent politicians running for office who are associated with a political party. Can also be an individual working for a party.

Non-State Political Actor

Organized competitors for political power who can obtain or wield power, even if indirectly; not necessarily enfranchised. Non-state political actors are formally organized, coordinated, and cohesive. e.g. Greenpeace, the NRA, or the KKK.

Business

Includes groups that contract out to the government, individuals looking for financial gain, and mercenaries.

Influential Individuals

Individuals who are influential but who do not belong to a ruling government coalition. Includes groups of individuals who are not formally organized but work together. e.g. journalists, former politicians, or organized 4channers. For individuals who operate their own charitable foundations (and thus could be placed in Non-State Political Actor), coding depends on whether or not the disinformation is foremost targeting the individual, their foundation, or both.

Electorate

The enfranchised population in a specific country or within a demarcated boundary.

Racial

A specific minority/majority group.

Ethnic

A specific minority/majority group.

Sexual Identity Group

A specific minority/majority group.

Religious

A specific minority/majority group.

Inter-State War

Threshold is 1,000 conflict deaths. Use COW data for 2007 and before. 2008 and after, supplement with research.

Extra-State War

Threshold is 1,000 conflict deaths. Use COW data for 2007 and before.

Intra-State War

Threshold is 1,000 conflict deaths. Use COW data for 2007 and before. 2008 and after, supplement with research.

Non-State War

War in non-state territory or across state borders. Threshold is 1,000 conflict deaths. Use COW data for 2007 and before. 2008 and after, supplement with research.

Federal Election

Includes elections at province, municipality, administrative region, department, prefecture, and local levels.

State Election

Includes elections at province, municipality, administrative region, department, prefecture, and local levels.

Civil

To include electoral interference, policy change.

Social

To include marginalization of majority/minority groups and general social fissure.

Economic

To include suppression of economic activity, destruction of capital.

Military

To include complement to offensive military campaign, or information paralysis of an adversary’s military institutions.

Goals

If the actor is part of a larger organized operation they may be receiving their goals from a higher level source or handler. Depending on how organized and sophisticated the adversary’s campaigns are, these goals may not even be shared with the operator(s) themselves. In cases of non-targeted threat actors, this may be much less organized or distributed. Goals are nearly impossible to detect (directly) but they’re almost always the toughest question C-level leaders ask about post-breach. "Who was it and why?" These kinds of questions can never truthfully be answered unless you’re operating at Detection Maturity Level 8 against your adversary and can prove reliably that you know what their goals are. Short of that, it’s guessing at what the adversary’s true intentions were based on behavioral observations made at lower DMLs (e.g. data stolen, directories listed, employees or programs targeted, etc). I anticipate less than a handful of organizations truly operate at this level, consistently, against the threat actors they face because it’s nearly impossible to detect based on goals alone.

Strategy

Tactics

To successfully operate at DML-6, one must be able to reliably detect a tactic being employed regardless of the Technique or Procedure used by the adversary, the Tools they chose to use, or the Artifacts and Atomic Indicators left behind as a result of employing the tactic. While this may sound impossible on the surface, it absolutely is possible. In nearly all cases, tactics are not detected directly by a single indicator or artifact serving as the smoking gun, or a single detection signature or analytic technique. Tactics become known only after observation of multiple activities in aggregate, with respect to time and circumstance. As a result, detection of tactics are usually done by skilled analysts, rather than technical correlation or analytics systems.

Techniques

From a maturity perspective, being able to detect an adversary’s techniques is superior to being able to detect their procedures. The primary difference being techniques are specific to an individual. So when respecting this distinction, the ability to detect a specific actor operating within your environment by technique exclusively is an advantage. The best analogy to this is a rifled barrel, which leaves uniquely identifiable characteristics in the side of a bullet. Because of this, ballistics specialists can forensically match a spent round to the exact weapon from which it was fired with a high degree of certainty. Not just any weapon by calibur or model, but the exact weapon used to fire that specific round. Human beings are creatures of habit, and most adversaries aren’t aware of the fact that every time they attack they’re leaving evidence of their personal techniques behind for us to find. The same applies for the tool builders writing the tools these adversaries use. It’s our obligation to find these distinctions and ensure we’re looking for them. It’s personal behavior and habits that are the hardest for humans to change, so put the hurt on your adversaries by finding creative ways to detect their behaviors and habits in your environment.

Procedures

Given today’s detection technology, and readily available correlation and analytics techniques, it’s amazing that more organizations haven’t reached Detection Maturity Level 4 for most of their adversaries. Procedures are one of the most effective ways of detecting adversary activity and can really inflict the most pain against lesser experienced "B-teams". In it’s most simple form, detecting a procedure is as simple as detecting a sequence of two or more of the individual steps employed by the actor. The goal here is to isolate activities that the adversary appears to perform methodically, two or more times during an incident.

Tools

Being able to detect at DML-3 means you can reliably detect the adversary’s tools, regardless of minor functionality changes to the tool, or the Artifacts or Atomic Indicators it may leave behind. Detecting tools falls into two main areas. The first is detecting the transfer and presence of the tool. This includes being able to observe the tool being transferred over the network, being able to locate it sitting at rest on a file system, or being able to identify it loaded in memory. The second, and more important area of tool detection, is detecting the tool reliably by functionality. For example, let’s take a given webshell that has 25 functions. If we want to claim DML-3 level detection for this webshell we have to exercise each of those 25 functions and understand what each of them do. What do they look like at the host, network, and event log level when they are exercised? We then aim to build detections for as many of those 25 functions across those data domains as we possibly can, reliably, balancing false positives and other constraints. The reason behind this is simple, we want to be able to detect this version of the tool and as many future variants of the tool as we can by function that it performs. If the adversary decides to change up 5 of the 25 functions for which we have detections, we’re still detecting the entire tool. In order for the adversary to use this tool completely undetected in our environment, they’ll be forced to change every one of those functions; or at least the ones that we were able to reliably build detections against.

Host & Network Artifacts

DML-2 is where most organizations spend too much of their resources; attempting to collect what they call "threat intelligence" in the form of Host & Network Artifacts. The reality is, these are merely just indicators that are observed either during or after the attack. They’re like symptoms of the flu but not the flu itself. I often use the analogy "chasing the vapor trail" when I think of DML-2 because chasing after Host & Network Artifacts is much like chasing the vapor trail behind an aircraft. We know the enemy aircraft is up there in front of us somewhere, if we just keep chasing this vapor trial we’ll eventually catch up to the aircraft and find our enemy right? Wrong. Having a mature detection and response program means your operating above DML-2 and you’re actually locked onto the aircraft itself. You know how it operates, you know what it’s capabilities are, you know the Tactics, Techniques, and Procedures of it’s pilot and you can almost predict what it’s next moves might be. This is precisely why good Cyber Intelligence Analysts will almost never attribute activity to a specific threat actor, group, or country based on just Host & Network Artifacts alone; they understand this DML concept and realize when they’re likely just staring at the vapor trail. They understand that in reality the vapor trail (indicators) could be from any number of aircraft (tools), with any number of pilots (actors) behind the stick.

Atomic IOCs

These are the atomic particles that make up Host & Network artifacts. If you’re detecting at Detection Maturity Level 1, it means you are probably taking "feeds of intel" from various sharing organizations and vendors in the form of lists, like domains and IP addresses, and feeding them into your detection technologies. Let me be clear on my position here. There are a few, and I mean a very precious few, circumstances where this makes sense and can be done reliably. These are edge cases where specific atomic indicators have a high enough "shelf life" where it makes sense to go ahead and create detection capabilities from them. Examples of this include unique strings found inside a binary, or perhaps an adversary is foolish enough to sit on the same recon, delivery, C2, or exfiltration infrastructure allowing you to detect reliably on their domain names or IP addresses. These might be viable cases where detecting on atomic indicator alone makes sense. Unfortunately, for the remaining 99% of the time, attempting to detect on this kind of data is suboptimal, for a number of reasons.

None or Unknown

For organizations who either don’t operate at DML-1 or higher, or they don’t even know where they operate on this scale, we have Detection Maturity Level - 0. Instead of pointing out all the negative things associated with this level, I’ll take the high road and lend a bit of positive encouragement. Congratulations, you are at ground zero. It can only get better from here.

(PAP:RED) Non-detectable actions only. Recipients may not use PAP:RED information on the network. Only passive actions on logs, that are not detectable from the outside.

(PAP:AMBER) Passive cross check. Recipients may use PAP:AMBER information for conducting online checks, like using services provided by third parties (e.g. VirusTotal), or set up a monitoring honeypot.

(PAP:GREEN) Active actions allowed. Recipients may use PAP:GREEN information to ping the target, block incoming/outgoing traffic from/to the target or specifically configure honeypots to interact with the target.

(PAP:WHITE) No restrictions in using this information.

Brute force

Access was gained through systematic trial of credentials in bulk.

Password guessing

Access was gained through guessing passwords through trial and error.

Remote desktop application

Access was gained through an application designed for remote access.

Stolen credentials

Access was gained with stolen credentials.

Pass the hash

Access was gained through use of an existing known hash.

Default credentials

Access was gained through use of the system’s default credentials.

Shell

Access was gained through the use of a shell.

Other

Access was gained through another method.

Anti-Corruption and transparency

The organization campaigns, or takes other actions against corruption and transparency.

Anti-War / Anti-Violence

The organization campaigns, or takes other actions against war

Culture

The organization campaigns or acts to promote cultural events

Economic Change

Issues of economic policy, wealth distribution, etc.

Education

The organization is concerned with some form of education

Election Monitoring

The organization is an election monitor, or involved in election monitoring

Environment

The organization campaigns or acts to protect the environment

Freedom of Expression

The organization is concerned with freedom of speech issues

Freedom Tool Development

The organization develops tools for use in defending or extending digital rights

Funding

Health Issues

The organization prevents epidemic illness or acts on curing them

Human Rights Issues

relating to the detection, recording, exposure, or challenging of abuses of human rights

Internet and Telecoms

Issues of digital rights in electronic communications

LGBT / Gender / Sexuality

Issues relating to the Lesbian, Gay, Bi, Transgender community

Policy

The organization is a policy think-tank, or policy advocate

Politics

The organization takes a strong political view or is a political entity

Privacy

Issues relating to the individual’s reasonable right to privacy

Rapid Response

The organization provides rapid response type capability for civil society

Refugees

Issues relating to displaced people

Security

Issues relating to physical or information security

Women’s Rights

Issues pertaining to inequality between men and women, or issues of particular relevance to women

Youth Rights

Issues of particular relevance to youth

Informed ISP/Hosting Service Provider

Informed Registrar

Informed Registrant

Informed abuse-contact (domain)

Informed abuse-contact (IP)

Informed legal department

Completely reliable

No doubt of authenticity, trustworthiness, or competency; has a history of complete reliability

Associated numerical value="100"

Usually reliable

Minor doubt about authenticity, trustworthiness, or competency; has a history of valid information most of the time

Associated numerical value="75"

Fairly reliable

Doubt of authenticity, trustworthiness, or competency but has provided valid information in the past

Associated numerical value="50"

Not usually reliable

Significant doubt about authenticity, trustworthiness, or co mpetency but has provided valid information in the past

Associated numerical value="25"

Unreliable

Lacking in authenticity, trustworthiness, and competency; history of invalid information

Reliability cannot be judged

No basis exists for evaluating the reliability of the source

Associated numerical value="50"

Deliberatly deceptive

Confirmed by other sources

Confirmed by other independent sources; logical in itself; Consistent with other information on the subject

Associated numerical value="100"

Probably true

Not confirmed; logical in itself; consistent with other information on the subject

Associated numerical value="75"

Possibly true

Not confirmed; reasonably logical in itself; agrees with some other information on the subject

Associated numerical value="50"

Doubtful

Not confirmed; possible but not logical ; no other information on the subject

Associated numerical value="25"

Improbable

Not confirmed; not logical in itself; contradicted by other information on the subject

Truth cannot be judged

No basis exists for evaluating the validity of the information

Associated numerical value="50"

Infrastructure ownership and status is unknown

Infrastructure compromised by or in the benefit of the adversary

Infrastructure own and operated by the adversary

Only passive requests shall be performed to avoid detection by the adversary

Take down requests can be performed in order to deactivate the adversary infrastructure

Monitoring requests are ongoing on the adversary infrastructure

Law enforcement requests are ongoing on the adversary infrastructure

Infrastructure of the adversary is sinkholed and information is collected

Infrastructure state is unknown or cannot be evaluated

Infrastructure state is active and actively used by the adversary

Infrastructure state is known to be down

Infrastructure usage by the adversary is unknown

Infrastructure used as proxy between the target and the adversary

Infrastructure used by the adversary to store information related to his campaigns

Infrastructure used to distribute exploit towards target(s)

Infrastructure used by the adversary as Virtual Private Network to hide activities and reduce the traffic analysis surface

Panel used by the adversary to control or maintain his infrastructure

Traffic Distribution Systems including exploit delivery or/and web monetization channels

C2 infrastructure without known specific type.

WHITE

GREEN

AMBER

EVERYONE

USG

NONE

true

false

Is_Proprietary

Not_Proprietary

Less than 1 year

Associated numerical value="20"

Between 1 and 5 years

Associated numerical value="40"

Between 5 and 10 years

Associated numerical value="60"

Between 10 and 20 years

Associated numerical value="80"

More than 20 years

Associated numerical value="100"

x86-32 & x86-64

ARM & ARM-64

mips & mips-64

PowerPC

Less than 1 year

Associated numerical value="20"

Between 1 and 5 years

Associated numerical value="40"

Between 5 and 10 years

Associated numerical value="60"

Between 10 and 20 years

Associated numerical value="80"

More than 20 years

Associated numerical value="100"

Current Microsoft Windows system

GNU/linux derivative OS

Current IOS

Current Apple OS

Current Android OS

BSD

Inter-protocol exploitations

Common vulnerabilities as SQL injections, CSRF, XSS, CSP bypasses, etc.

De-obfuscation of Javascript payloads

Less than 1 year

Associated numerical value="20"

Between 1 and 5 years

Associated numerical value="40"

Between 5 and 10 years

Associated numerical value="60"

Between 10 and 20 years

Associated numerical value="80"

More than 20 years

Associated numerical value="100"

Less than 1 year

Associated numerical value="20"

Between 1 and 5 years

Associated numerical value="40"

Between 5 and 10 years

Associated numerical value="60"

Between 10 and 20 years

Associated numerical value="80"

More than 20 years

Associated numerical value="100"

Cat1

Minimal Exposure - Passive Collection: CAT 1 actions provide the least exposure of an indicator, either through adversary observation or disclosure. Usage of the indicator is restricted to passive monitoring on Government or Cleared Partner networks, or through a classified passive capability or Operation. CAT 1 actions do not interact with or affect malicious network traffic.

Cat2

Moderate Exposure - Government or Cleared Partner Internal Active Collection: CAT 2 actions expose the usage of an indicator through non-disruptive collection techniques which require interactions with an adversary, within Government or Cleared Partner networks. While it is not the intent to disrupt the adversary it is possible that an adversary may discover they are subject to such techniques.

Cat3

Moderate Exposure - Government or Cleared Partner Internal Countermeasures: CAT 3 actions expose the usage of an indicator through inward-facing countermeasures. Malicious network traffic is affected in some manner, however the results are not directly observable to the adversary or external parties and is, therefore, more difficult to attribute as a deliberate action. Usage of the indicator is restricted to Government and Cleared Partner networks, or a classified capability or Operation. This implies a lower likelihood for non-approved disclosures.

Cat4

Moderate Exposure - Government Actions on External Networks: CAT 4 actions expose the usage of an indicator through actions which occur on internet accessible networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary and other, public parties and it is possible they may be attributed as Government sanctioned actions.

Cat5

High Exposure - Public Actions Which Enable Internal Countermeasures: CAT 5 actions expose the usage of an indicator through the public release of information which enables internal actions on networks not owned and controlled by the Government (i.e. industry, commercial or foreign governments). These actions are official public releases and are attributable as Government sanctioned actions.

Cat6

High Exposure - Actions on Adversary Infrastructure: CAT 6 actions expose the usage of an indicator through actions which occur on adversary owned networks, without the authorization of the network or information owner. Such actions are conducted as classified Operations under the auspices of national legislative and compliance provisions. Action consequences are observable to the adversary, and possibly other public parties, and it is possible they may deduce this as FVEY action.

Known Good/Safe

Known Bad/Malicious

Not yet known

Beacon

A host infected with malware is connecting to threat actor owned infrastructure.

Browser based exploitation

A browser component is being exploited in order to infect a host.

Dos

An attack in which the goal is to disrupt access to a host or resource.

Email

Malicious emails sent to a department (baiting, content delivery, phishing).

Exfiltration

Unauthorized transfer of data from a target’s network to a location a threat actor controls.

Generic event

Represents a collection of virtually identical events within a range of time.

Improper usage

Technology used in a way that compromises security or violates policy.

Malware artifacts

Signs of the presence of malware observed on a host.

Malware download

Malware was transferred (downloaded/uploaded) to a host.

Phishing

Information or credentials disclosed to a threat actor.

Remote access

A threat actor is attempting to or succeeding in remotely logging in to a host.

Remote exploitation

A threat actor is attempting to exploit vulnerabilities remotely.

Scan

A threat actor is scanning the network.

Scraping

Represents a collection of virtually identical scraping events within a range of time.

Traffic interception

Represents a collection of virtually identical traffic interception events within a range of time.

Goc credential disclosure

Credentials for a GoC system or user were disclosed.

Personal credential disclosure

Credentials not related to a GoC system or user were disclosed.

Personal information disclosure

Information about a person or persons was disclosed.

None

No information was disclosed.

Other

Information other than credentials and personal information was disclosed.

C2

Domain is being used as command-and-control infrastructure.

Proxy

Domain is being used as a proxy.

Seeded

Domain has been seeded with malware or other malicious code.

Wateringhole

Domain is being used a wateringhole.

Cloud infrastructure

Domain is hosted on cloud infrastructure.

Name server

Domain is a name server.

Sinkholed

Domain is being re-directed to a sinkhole.

Spam

Unsolicited or junk email named after a Monty Python sketch.

Content\-delivery\-attack

Email contained malicious content or attachments.

Phishing

Email designed to trick the recipient into providing sensitive information.

Baiting

Email designed to trick the recipient into providing sensitive information.

Unknown

Type of email was unknown.

Sql injection

Exploitation occurred due to malicious SQL queries being executed against a database.

Directory traversal

Exploitation occurred through a directory traversal attack allowing access to a restricted directory.

Remote file inclusion

Exploitation occurred due to vulnerabilities allowing malicious files to be sent.

Code injection

Exploitation occurred due to malicious code being injected.

Other

Other.

C2

IP address is a command-and-control server.

Proxy

IP address is a proxy server.

Seeded

IP address has been seeded with malware or other malicious code.

Wateringhole

IP address is a wateringhole.

Cloud infrastructure

IP address is part of cloud infrastructure.

Network gateway

IP address is a network gateway.

Server

IP address is a server of some type.

Dns server

IP address is a DNS server.

Smtp server

IP address is a mail server.

Web server

IP address is a web server.

File server

IP address is a file server.

Database server

IP address is a database server.

Security appliance

IP address is a security appliance of some type.

Tor node

IP address is a node of the TOR anonymization system.

Sinkhole

IP address is a sinkhole.

Router

IP address is a router device.

Non-malicious

Non-malicious is not malicious or suspicious.

Suspicious

Suspicious is not non-malicious and not malicious.

Malicious

Malicious is not non-malicious or suspicious.

Exploit kit

Toolkit used to attack vulnerabilities in systems.

First stage

Malware used in the initial phase of an attack and commonly used to retrieve a second stage.

Second stage

Typical more complex malware retrieved by first stage malware.

Scanner

Malware used to look for common vulnerabilities or running software.

Downloader

Malware used to retrieve additional malware or tools.

Proxy

Malware used to proxy traffic on an infected host.

Reverse proxy

If you choose this option please provide a description of what it is to the ALFRED PO.

Webshell

Malware uploaded to a web server allowing remote access to an attacker.

Ransomware

Malware used to hold infected host’s data hostage, typically through encryption until a payment is made to the attackers.

Adware

Malware used to display ads to the infected host.

Spyware

Malware used to collect information from the infected host, such as credentials.

Virus

Malware that propogates by inserting a copy of itself into another program.

Worm

Standalone malware that propogates by copying itself..

Trojan

Malware that looks like legitimate software but hides malicious code.

Rootkit

Malware that can hide the existance of other malware by modifying operating system functions.

Keylogger

Malware that runs in the background, capturing keystrokes from a user unknowingly for exfiltration.

Browser hijacker

Malware that re-directs or otherwise intercepts Internet browsing by the user.

Unauthorized usage

Usage of the system or resource was without appropriate permission or authorization.

Misconfiguration

System or resource is misconfigured.

Lack of encryption

System or resources has insufficient encryption or no encryption.

Vulnerable software

System or resource has software with known vulnerabilities.

Privilege escalation

System or resource was exploited to gain higher privilege level.

Other

Other.

Anti-virus

Anti-Virus

Content filtering system

Content Filtering System

Dynamic defense

Dynamic Defense

Insufficient privileges

Insufficient Privileges

Ids

Intrusion Detection System

Sink hole / take down by third party

Sink Hole / Take Down by Third Party

Isp

Internet Service Provider

Invalid credentials

Invalid Credentials

Not vulnerable

No mitigation was required because the system was not vulnerable to the attack.

Other

Other

Unknown

Unknown

User

User

Subscriber

Subscriber.

Internet

Internet.

Cse

Communications Security Establishment.

Nsa

National Security Agency.

Gchq

Government Communications Headquarters.

Asd

Australian Signals Directorate.

Gcsb

Government Communications Security Bureau.

Open source

Originated from publically available information.

3rd party

Originated from a 3rd party organization.

Other

Other.

Open port

Scan was looking for open ports corresponding to common applications or protocols.

Icmp

Scan was attempting to enumerate devices through the ICMP protocol.

Os fingerprinting

Scan was looking for operating system information through unique characteristics in responses.

Web

Scan was enumerating or otherwise traversing web hosts.

Other

Other.

Reconnaissance

An actor attempted or succeeded in gaining information that may be used to identify and/or compromise systems or data.

Attempted compromise

An actor attempted affecting the confidentiality, integrity or availability of a system.

Exploited

A vulnerability was successfully exploited.

Application:cms

Content Management System.

Application:bash

BASH script.

Application:acrobat reader

Adobe Acrobat Reader.

Application:ms excel

Microsoft Excel.

Application:other

Other Application.

Language:sql

Structured Query Language.

Language:php

PHP: Hypertext Preprocessor.

Language:javascript

JavaScript.

Language:other

Other Language.

Protocol:dns

Domain Name System.

Protocol:ftp

File Transfer Protocol.

Protocol:http

Hyper Text Transfer Protocol.

Protocol:icmp

Internet Control Message Protocol.

Protocol:ntp

Network Time Protocol.

Protocol:rdp

Remote Desktop Protocol.

Protocol:smb

Server Message Block.

Protocol:snmp

Simple Network Management Protocol.

Protocol:ssl

Secure Sockets Layer.

Protocol:telnet

Network Virtual Terminal Protocol.

Protocol:sip

Session Initiation Protocol.

Spam

System compromise

Sabotage

Privacy violation

Scan

Denial of Service

Copyright issue

Phishing

Whaling

SMS Phishing

Malware

XSS

Vulnerability

Fastflux

Domain Fronting

SQL Injection

Information leak

Scam

Cryptojacking

Locker

Screenlocker

Wiper

ransomware

sextortion

Social Engineering

GDPR Violation

covid-19

Finance

ICT

Individual

Industry

Medical

Services

Undefined

Searched historical proxy logs.

Searched historical IDS logs.

Searched historical firewall logs.

Discovered in packet-capture logs

Searched historical remote access logs.

Searched historical authentication logs.

Searched historical honeypot data.

Searched historical system logs.

Searched historical WAF and web application logs.

Searched historcial database logs.

Searched historical mail logs.

Searched historical antivirus alerts.

Retro hunted in a malware collection.

Searched other historical data.

Unspecified information.

Detect by Proxy infrastructure

Detect by Network Intrusion detection system.

Detect by Host Intrusion detection system.

Detect by other tools.

Detect in system logs.

Detect by firewall.

Detect by MTA.

Detect by web infrastructure including WAF.

Detect in database.

Detect in remote-access logs.

Detect in malware-collection.

Detect with antivirus.

Unspecified information.

Implemented a proxy filter.

Implemented a block rule on a firewall.

Implemented a block rule on a web application firewall.

Implemented a filter on a mail transfer agent.

Implemented a chroot jail.

Blocked an account for remote access.

Denied an action by other means.

Unspecified information.

Implemented a rule on a network IPS.

Implemented a rule on a host-based IPS.

Disrupted an action by other means.

Quarantined an email.

Implemented memory protection like DEP and/or ASLR.

Exploded in a sandbox.

Activated an antivirus signature.

Unspecified information.

Throttled the bandwidth.

Implement a network tarpit.

Degraded an action by other means.

Queued an email.

Unspecified information.

Implemented an interactive honeypot.

Implemented DNS redirects, e.g. a response policy zone.

Deceived the attacker with other technology.

Implemented email redirection.

Unspecified information.

Arrested the threat actor.

Seized attacker infrastructure.

Physically destroyed attacker hardware.

Performed a denial-of-service attack against attacker infrastructure.

Hack back against the threat actor.

Carried out other offensive actions against the attacker.

Unspecified information.

Request a binary sample

Extracted malware config

Request of the malware configuration extracted from the malware sample tagged.

Request a deobfuscated sample of the shared sample

Request additional samples compared to the original analysis to build a competitive analysis on the reversing aspect

Request related samples required for further analysis

Request additional static analysis or reversing on the information shared

Request detection signature from

Request more contextual information

Request an abuse contact to report to

Request more historical information from

Request complementary validation

Request about the target(s) including field of activities or companies

Request further technical or tactical analysis

Request for generic additional information

Infection

Malware detected in a system.

Distribution

Malware attached to a message or email message containing link to malicious URL or IP.

Command & Control (C&C)

System used as a command-and-control point by a botnet. Also included in this field are systems serving as a point for gathering information stolen by botnets.

Malicious connection

System attempting to gain access to a port normally linked to a specific type of malware / System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet.

Denial of Service (DoS) / Distributed Denial of Service (DDoS)

Single source using specially designed software to affect the normal functioning of a specific service, by exploiting vulnerability / Mass mailing of requests (network packets, emails, etc.) from one single source to a specific service, aimed at affecting its normal functioning.

Sabotage

Logical and physical activities which – although they are not aimed at causing damage to information or at preventing its transmission among systems – have this effect.

Scanning

Single system scan searching for open ports or services using these ports for responding / Scanning a network aimed at identifying systems which are active in the same network / Transfer of a specific DNS zone.

Sniffing

Logical or physical interception of communications.

Phishing

Mass emailing aimed at collecting data for phishing purposes with regard to the victims / Hosting web sites for phishing purposes.

Exploitation of vulnerability attempt

Unsuccessful use of a tool exploiting a specific vulnerability of the system / Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique / Unsuccessful attempts to perform attacks by using cross-site scripting techniques / Unsuccessful attempt to include files in the system under attack by using file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.

Login attempt

Unsuccessful login by using sequential credentials for gaining access to the system / Unsuccessful acquisition of access credentials by breaking the protective cryptographic keys / Unsuccessful login by using system access credentials previously loaded into a dictionary.

(Successful) Exploitation of vulnerability

Unauthorised use of a tool exploiting a specific vulnerability of the system / Unauthorised manipulation or reading of information contained in a database by using the SQL injection technique / Attack performed with the use of cross-site scripting techniques / Unauthorised inclusion of files into a system under attack with the use of file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.

Compromising an account

Unauthorised access to a system or component by using stolen access credentials.

Unauthorised access

Unauthorised access to a system or component / Unauthorised access to a set of information / Unauthorised access to and sharing of a specific set of information.

Unauthorised modification / deletion

Unauthorised changes to a specific set of information / Unauthorised deleting of a specific set of information.

Misuse or unauthorised use of resources

Use of institutional resources for purposes other than those intended.

False representation

Unauthorised use of the name of an institution.

SPAM

Sending an unusually large quantity of email messages / Unsolicited or unwanted email message sent to the recipient.

Copyright

Unauthorised distribution or sharing of content protected by Copyright and related rights.

Child Sexual Exploitation, racism or incitement to violence

Distribution or sharing of illegal content such as child sexual exploitation material, racism, xenophobia, etc.

Unclassified incident

Incidents which do not fit the existing classification, acting as an indicator for the classification’s update.

Undetermined incident

Unprocessed incidents which have remained undetermined from the beginning.

Sadistic/bestiality: (a) Pictures showing a child being tied, bound, beaten, whipped, or otherwise subjected to something that implies pain; (b) Pictures where an animal is involved in some form of sexual behavior with a child

100

Gross assault: Grossly obscene pictures of sexual assault, involving penetrative sex, masturbation, or oral sex involving an adult

90

Assault: Pictures of children being subjected to a sexual assault, involving digital touching, involving an adult

80

Explicit sexual activity: Involves touching, mutual and self-masturbation, oral sex, and intercourse by child, not involving an adult

70

Explicit erotic posing: Emphasizing genital areas where the child is posing either naked, partially clothed, or fully clothed

60

Erotic posing: Deliberately posed pictures of fully or partially clothed or naked children in sexualized or provocative poses

50

Posing: Deliberately posed pictures of children fully or partially clothed or naked (where the amount, context, and organization suggests sexual interest)

40

Erotica: Surreptitiously taken photographs of children in play areas or other safe environments showing either underwear or varying degrees of nakedness

30

Nudist: Pictures of naked or seminaked children in appropriate nudist settings, and from legitimate sources

20

Indicative: Nonerotic and nonsexualized pictures showing children in their underwear, swimming costumes, and so on, from either commercial sources or family albums; pictures of children playing in normal settings, in which the context or organization of pictures by the collector indicates inappropriateness

10

The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past.

The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered.

The deny action prevents the event from taking place. Common examples include a firewall block or a proxy filter.

Disruption makes the event fail as it is occurring. Examples include quarantining or memory protection measures.

Degrading will not immediately fail an event, but it will slow down the further actions of the attacker. This tactic allows you to catch up during an incident response process, but you have to consider that the attackers may eventually succeed in achieving their objectives. Throttling bandwidth is one way to degrade an intrusion.

Deception allows you to learn more about the intentions of the attacker by making them think the action was successful. One way to do this is to put a honeypot in place and redirect the traffic, based on an indicator, towards the honeypot.

The destroy action is rarely for 'usual' defenders, as this is an offensive action against the attacker. These actions, including physical destructive actions and arresting the attackers, are usually left to law enforcement agencies.

An identity theft technique that takes over a victim’s mobile device to steal credentials and break into wallets or exchange accounts to steal cryptocurrency.

A new form of blockchain spam that erodes the recipient’s reputation by sending cryptocurrency from known money mixers.

Nation states using cryptocurrencies has been promoted by the Iranian and Venezuelan governments.

Money laundering services that promise to exchange tainted tokens for freshly mined crypto, but in reality, cleanse cryptocurrency through exchanges.

Unlicensed Money Service Businesses (MSBs) banking cryptocurrency without the knowledge of host financial institutions, and thus exposing banks to unknown risk.

Takeover attacks that mine for cryptocurrency at a massive scale have been discovered in datacenters, including AWS.

Enable anonymous bitcoin transactions by going "off-chain," and cannow scale to $2,150,000.

Stabilized tokens that can be designed for use as private coins.

Cyber-extortionists stepped up mass-customized phishing emails campaigns using old passwords and spouse names in 2018. Bomb threat extortion scams demanding bitcoin spiked in December.

Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals private keys while holding user data hostage.

Defacement

Malware

DDoS

Phishing

Spam

Botnet

Fastflux

Cryptojacking

XSS

SQL Injection

Vulnerability

Information leak

System compromise

Other

Denial of service / Distributed Denial of service

Forensics work

Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property

Compromised host (root account, Trojan, rootkit), network device, application, user account.

Theft / Fraud / Human Safety / Child Porn

Reconnaissance or Suspicious activity originating from inside the Company corporate network, excluding malware

Reconnaissance or Suspicious Activity originating from outside the Company corporate network (partner network, Internet), excluding malware.

A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan.

Spoofed email, SPAM, and other email security-related events.

Security consulting unrelated to any confirmed incident

Violation of various policies

Incident affecting critical systems or information with potential to be revenue or customer impacting.

Incident affecting non-critical systems or information, not revenue or customer impacting. Employee investigations that are time sensitive should typically be classified at this level.

Possible incident, non-critical systems. Incident or employee investigations that are not time sensitive. Long-term investigations involving extensive research and/or detailed forensic work.

Extremely Sensitive

Sensitive

Not Sensitive

Generated within the company during incident/case related investigations or forensic analysis or via malware reversing, validated by humans and highly contextualized.

Associated numerical value="95"

Generated within the company, validated by a human prior to sharing, data points have been contextualized (to a degree) e.g. IPs are related to C2 or drop site.

Associated numerical value="50"

Generated within the company by automated means without human interaction e.g., by malware sandbox, honeypots, IDS, etc.

Associated numerical value="10"

Description of the incidence.

Link to the original report location.

Attached report.

Information gathered by an analyst/incident responder/forensic expert/etc.

Information coming out of honeypots.

Information coming out of sandboxes.

Information coming out of email infrastructure.

Information from outside the company.

Information coming from a report.

If none of the other origins applies.

Origin of the data unknown.

Phase

CTI requirementes being generated.

Phase

Data collection initiated.

Phase

Data is being processed and analyzed

Phase

CTI product created and delivered to stakeholders.

Phase

Feedback received by stakeholders.

Phase

Feedback pending by stakeholders.

SARS-CoV 2003

COVID-19

European Parliament election, 2019

United States Presidential election, 2020

Plan activity

Associated numerical value="10"

Conduct research & analysis

Associated numerical value="11"

Develop resources & capabilities

Associated numerical value="12"

Acquire victim & specific knowledge

Associated numerical value="13"

Complete preparations

Associated numerical value="14"

Deploy capability

Associated numerical value="20"

Interact with intended victim

Associated numerical value="21"

Exploit vulnerabilities

Associated numerical value="22"

Deliver malicious capabilities

Associated numerical value="23"

Establish controlled access

Associated numerical value="30"

Hide

Associated numerical value="31"

Expand presence

Associated numerical value="32"

Refine focus of activity

Associated numerical value="33"

Establish persistence

Associated numerical value="34"

Enable other operations

Associated numerical value="40"

Deny access

Associated numerical value="41"

Extract data

Associated numerical value="42"

Alter data and/or computer, network or system behavior

Associated numerical value="43"

Destroy HW/SW/data

Associated numerical value="44"

Tool

Open source or proprietary tool used in cybersecurity.

Playbook

Playbook, such as a defined set of rules with one or more actions triggered by different events to respond to, orchestrate or automate cybersecurity related actions.

Taxonomy

Cybersecurity taxonomy is a set of labels used to classify (in both terms - arrange in classes or/and design to national classification) cybersecurity related information.

Rule

Detection rule or set of detection rules used in the cybersecurity field. Rulesets can be in different formats for (N/L)IDS/SIEM (such as Snort, Suricata, Zeek, SIGMA or YARA) or any other tool capable of parsing them.

Notebook

Interactive document to code, experiment, train or visualize cybersecurity-related information. A notebook can be transcribed in a format such as Jupyter Notebooks, Apache Zeppelin, Pluton or Google Colab.

Vulnerability

Public or non-public information about a security vulnerability in a specific software, hardware or service.

Proof-of-concept

Code to validate a known vulnerability.

Fingerprint

Code to uniquely identify specific cybersecurity-relevant patterns. Fingerprints can be expressed in different formats such as ja3, ja3s, hassh, jarm or favicon-mmh3.

Mitigation

Mitigating control to prevent unwanted activity from happening, like a specific configuration of the operating system/tools or an implementation policy.

Dataset

Dataset for validation of detections and tool stacks,

Identify

Protect

Detect

Respond

Recover

Exploit

Investigate

Train

Test

upload

Upload IOC to Cytomic Orion

delete

Delete IOC from Cytomic Orion

Drugs/Narcotics

Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility).

Electronics

Electronics and high tech materials, described or to sell for example.

Finance

Any monetary/currency/exchangeable materials. Includes carding, Paypal etc.

CryptoFinance

Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc.

Credit-Card

Credit cards and payments materials

Cash-in

Buying parts of assets, conversion from liquid assets, currency, etc.

Cash-out

Selling parts of assets, conversion to liquid assets, currency, etc.

Escrow

Third party keeping assets in behalf of two other parties making a transactions.

Hacking

Materials relating to the illegal access to or alteration of data and/or electronic services.

Identification/Credentials

Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials.

Intellectual Property/Copyright Materials

Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders.

Pornography - Adult

Lawful, ethical pornography (i.e. involving only consenting adults).

Pornography - Child (Child Exploitation)

Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities

Pornography - Illicit or Illegal

Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc.

Search Engine/Index

Site providing links/references to other sites/services. Referred to as a ‘nexus’ by (Moore and Rid, 2016)

Unclear

Unable to completely establish topic of material.

Extremism

Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes.

Violence

Materials relating to violence against persons or property.

Weapons

Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients.

Softwares

Illegal or armful software distribution

Counter-feit materials

Fake identification papers.

Gambling

Games involving money

Library

Library or list of books

Other not illegal

Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors.

Legitimate

Legitimate websites

Chats platforms

Chats space or equivalent, which are not forums

Mixer

Anonymization tools for crypto-currencies transactions

Mystery-Box

Mystery Box seller

Anonymizer

Anonymization tools

VPN-Provider

Provides VPN services and related

EMail-Provider

Provides e-mail services and related

Ponies

self-explanatory. It’s ponies

Games

Flash or online games

Parody or Joke

Meme, Parody, Jokes, Trolling, …​

Whistleblower

Exposition and sharing of confidential information with protection of the witness in mind

Ransomware Group

Ransomware group PR or leak website

Education & Training

Materials providing instruction - e.g. ‘how to’ guides

Wiki

Wiki pages, documentation and information display

Forum

Sites specifically designed for multiple users to communicate as peers

File Sharing

General file sharing, typically (but not limited to) movie/image sharing

Hosting

Hosting providers, e-mails, websites, file-storage etc.

DDoS-Services

Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc.

General

Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites.

Information Sharing/Reportage

Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy.

Scam

Intentional confidence trick to fraud people or group of people

Political-Speech

Political, activism, without extremism.

Conspirationist

Conspirationist content, fake news, etc.

Hate-Speech

Racism, violent, hate…​ speech.

Religious

Religious, faith, doctrinal related content.

Marketplace/For Sale

Services/goods for sale, regardless of means of payment.

Smuggling

Information or trading of wild animals, prohibited goods, …​

Recruitment/Advocacy

Propaganda

System/Placeholder

Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2

Unclear

Unable to completely establish motivation of material.

Incomplete websites or information

Websites and pages that are unable to load completely properly

Captcha and Solvers

Captchas and solvers elements

Logins forms and gates

Authentication pages, login page, login forms that block access to an internal part of a website.

Contact forms and gates

Forms to perform a contact request, send an e-mail, fill information, enter a password, …​

Encryption and decryption keys

e.g. PGP Keys, passwords, …​

Police Notice

Closed websites, with police-equivalent banners

Legal-Statement

RGPD statement, Privacy-policy, guidelines of a websites or forum…​

Test

Test websites without any real consequences or effects

Videos

Videos and streaming

Unclear

Unable to completely establish structure of material.

Regulated data

Data which is regulated under a specific regulation or law such as PII, SPD, PCI or PHI.

Commercially confidential information (CCI)

Data which represents a specific commercial value and is confidential to an organisation such as trade secrets, customer accounts.

Financially sensitive information (FSI)

Data which represents a specific financial value to an organisation such as payroll, investment information.

Valuation sensitive information (VSI)

Data which is sensitive to the valuation of an organisation such as inside information (as defined by a Financial Services Authority).

Sensitive information

Data which is sensitive such as email or letters.

This event describes traits and indicators closely related to a single entity, like an email campaign or sighting of a reference sample on VirusTotal. Events of this type are typically created by CSOC staff and may be verified by analysts. Observed and verified indicators would be consumed by automated filtering systems in order to support near-time threat prevention. In retrospect, observations could be correlated with reports and analysis events in order to help understand the motivation for an attack and to reassess the associated risk.

This event describes traits and indicators related to a security incident. As such, the event may refer to multiple entities like organizations, bank account numbers, files, and URLs. Events of this type contain first-hand information, that is, the reporting organization took part in the analysis of the incident. Use event type "Report" for second-hand information. Events of this type are typically created and consumed by analysts.

Traceability of indicators can be essential to document compliance of processes with legal obligations or company regulations. This event preserves a report to document the origin and context of indicators. Events of this type need to be checked by a human to ensure correct reproduction of indicators and context. Intended consumers are automated processes. Events may also serve as a basis for analysis reports or to justify preventive measures. If your organization is or was directly involved in an incident and you want to provide a first-hand account, then please use event type "Incident" instead.

This event builds on "observation", "incident", and "report" events; adds enrichments; and provides context. Events of this type will be created by analysts with support by automated tools. Analysts are also the main consumers.

This event collects unrelated IoCs. For example, an event could combine all network IoCs that were learned of during a day or a week from events of other types.

Amplification attack

Reflected and Spoofed attack

Slow Read attack

Flooding attack

Large POST HTTP attack

STRENG GEHEIM

Kenntnisnahme durch Unbefugte kann den Bestand oder lebenswichtige Interessen der Bundesrepublik Deutschland oder eines ihrer Länder gefährden.

GEHEIM

Kenntnisnahme durch Unbefugte kann die Sicherheit der Bundesrepublik Deutschland oder eines ihrer Länder gefährden oder ihren Interessen schweren Schaden zufügen.

VS-VERTRAULICH

Kenntnisnahme durch Unbefugte kann für die Interessen der Bundesrepublik Deutschland oder eines ihrer Länder schädlich sein.

VS-NUR FÜR DEN DIENSTGEBRAUCH

Kenntnisnahme durch Unbefugte kann für die Interessen der Bundesrepublik Deutschland oder eines ihrer Länder nachteilig sein.

Dummy

Platzhalter.

Chemical

Commercial Facilities

Communications

Critical Manufacturing

Dams

Defense Industrial Base

Emergency services

energy

Financial Services

Food and Agriculture

Government Facilities

Healthcare and Public Health

Information Technology

Nuclear

Transportation Systems

Water and water systems

An adversary is the actor/organization responsible for utilizing a capability against the victim to achieve their intent.

The capability describes the tools and/or techniques of the adversary used in the event. It includes all means to affect the victim from the most manual “unsophisticated” methods (e.g., manual password guessing) to the most sophisticated automated techniques.

The infrastructure feature describes the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (e.g., commandand-control/C2), and effect results from the victim (e.g., exfiltrate data). As with the other features, the infrastructure can be as specific or broad as necessary. Examples include: Internet Protocol (IP) addresses, domain names, e-mail addresses, Morse code flashes from a phone’s voice-mail light watched from across a street, USB devices found in a parking lot and inserted into a workstation, or the compromising emanations from hardware (e.g., Van Eck Phreaking) being collected by a nearby listening post.

A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used. A victim can be described in whichever way necessary and appropriate: organization, person, target email address, IP address, domain, etc. However, it is useful to define the victim persona and their assets separately as they serve different analytic functions. Victim personae are useful in non-technical analysis such as cyber-victimology and social-political centered approaches whereas victim assets are associated with common technical approaches such as vulnerability analysis..

RESTRICTED

CONFIDENTIAL

SECRET

TOP SECRET

UNCLASSIFIED

CONFIDENTIAL

SECRET

TOP SECRET

UNCLASSIFIED

ENDSEAL

ECRU

NONBOOK

HCS

HCS-O

HCS-P

KLONDIKE

KDK BLUEFISH

KDK IDITAROD

KDK KANDIK

RESERVE

SPECIAL INTELLIGENCE

SI-GAMMA

TALENT KEYHOLE

Document claims compliance with all rules encoded in ISM for documents produced by the US Federal Government. This is the minimum set of rules for US documents to adhere to, and all US documents should claim compliance with USGov.

Document claims compliance with all rules encoded in ISM for documents produced by the US Intelligence Community. Documents that claim compliance with USIC MUST also claim compliance with USGov.

Document claims compliance with all rules encoded in ISM for documents produced by the US Department of Defense. Documents that claim compliance with USDOD MUST also claim compliance with USGov.

Document claims compliance with an authority other than the USGov, USIC, or USDOD.

RESTRICTED DATA

RD-CRITICAL NUCLEAR WEAPON DESIGN INFORMATION

FORMERLY RESTRICTED DATA

DoD CONTROLLED NUCLEAR INFORMATION

DoE CONTROLLED NUCLEAR INFORMATION

TRANSCLASSIFIED FOREIGN NUCLEAR INFORMATION

FISA Warning statement

IMCON Warning statement

Controled Nuclear Weapon Design Information Warning statement

RD Warning statement

FRD Warning statement

LIMDIS caveat

LES Notice

LES-NF Notice

DSEN Notice

DoD Distribution statement A from DoD Directive 5230.24

DoD Distribution statement B from DoD Directive 5230.24

DoD Distribution statement C from DoD Directive 5230.24

DoD Distribution statement D from DoD Directive 5230.24

DoD Distribution statement E from DoD Directive 5230.24

DoD Distribution statement F from DoD Directive 5230.24

DoD Distribution statement X from DoD Directive 5230.24

US Person info Notice

Indicates that an instance document must abide by rules pertaining to ORIGINATOR CONTROLLED data issued prior to Executive Order 13526.

Indicates that the contents of this notice specify the contact information for a required point-of-contact.

COMSEC Notice

NAVAL NUCLEAR PROPULSION INFORMATION

LIMITED DISTRIBUTION

EXCLUSIVE DISTRIBUTION

NO DISTRIBUTION

SENSITIVE BUT UNCLASSIFIED

SENSITIVE BUT UNCLASSIFIED NOFORN

LAW ENFORCEMENT SENSITIVE

LAW ENFORCEMENT SENSITIVE NOFORN

SENSITIVE SECURITY INFORMATION

NATO Atomal mark

NATO Bohemia mark

NATO Balk mark

RISK SENSITIVE

FOR OFFICIAL USE ONLY

ORIGINATOR CONTROLLED

ORIGINATOR CONTROLLED US GOVERNMENT

CONTROLLED IMAGERY

NOT RELEASABLE TO FOREIGN NATIONALS

CAUTION-PROPRIETARY INFORMATION INVOLVED

AUTHORIZED FOR RELEASE TO

RELEASABLE BY INFORMATION DISCLOSURE OFFICIAL

DEA SENSITIVE

FOREIGN INTELLIGENCE SURVEILLANCE ACT

AUTHORIZED FOR DISPLAY BUT NOT RELEASE TO