Latest commit 947ef6d Jan 13, 2018 @adulau adulau Merge pull request #81 from droe/master
Set exclusive flag on misp:automation-level predicate

README.md

MISP Taxonomies

Taxonomies that can be used in MISP (2.4) and other information sharing tools, expressed as Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value, written namespace:predicate or namespace:predicate="value". Machine tags are often called triple tags because of this three-part format.

Overview of the MISP taxonomies

The following taxonomies can be used in MISP (as local or distributed tags) or in other tools willing to share common taxonomies among security information sharing tools.

The following taxonomies are described:

Admiralty Scale

The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of a piece of information.

Adversary

An overview and description of the adversary infrastructure.

CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection

The CIRCL Taxonomy is a simple scheme for classifying an incident and the area (topic) in which the incident took place.

Cyber Kill Chain from Lockheed Martin

Cyber Kill Chain from Lockheed Martin as described in Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.

German (DE) Government classification markings (VS)

Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS).

DHS CIIP Sectors

DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.

Diamond Model for Intrusion Analysis

The Diamond Model for Intrusion Analysis (Caltagirone, Pendergast and Betz), which describes each intrusion event by its adversary, infrastructure, capability and victim, aims to help categorise and relate intrusion events as described in http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.

Detection Maturity Level

The Detection Maturity Level (DML) model is a capability maturity model for referencing one's maturity in detecting cyber attacks. It is designed for organisations that perform intel-driven detection and response and that put an emphasis on having a mature detection program.

Domain Name Abuse

Taxonomy to tag domain names used for cybercrime. We suggest using europol-incident (./europol-incident) to tag the abuse activity itself.

eCSIRT and IntelMQ incident classification

eCSIRT incident classification from Appendix C of the eCSIRT EU project, including the IntelMQ updates.

ENISA Threat Taxonomy

ENISA Threat Taxonomy - A tool for structuring threat information as published

Estimative Language (ICD 203)

Estimative language - including likelihood or probability of event based on the Intelligence Community Directive 203 (ICD 203) (6.2.(a)).

EU NIS Critical Infrastructure Operators

Market operators and public administrations that must comply with certain notification requirements under the EU NIS directive.

EUCI classification

EU classified information (EUCI) means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States, as described.

Europol Incident

EUROPOL class of incident taxonomy

Europol Events

EUROPOL type of events taxonomy

FIRST CSIRT Case classification

FIRST CSIRT Case Classification.

FIRST Information Exchange Policy (IEP) framework

Information Security Indicators - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators

Information security indicators have been standardised by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT security. Scope of measurements: external and internal threats (attempt and success), users' deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework).

Information Security Marking Metadata DNI (Director of National Intelligence - US)

ISM (Information Security Marking Metadata) V13 as described by DNI.gov.

Malware classification

Malware classification based on a SANS whitepaper about malware.

ms-caro-malware

Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology.

NATO Classification Marking

Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.

Open Threat Taxonomy v1.1

Open Threat Taxonomy v1.1, based on the work of James Tarala of SANS.

STIX-TTP

STIX-TTP exposes a set of classification tools that represent the behaviour or modus operandi of cyber adversaries as normalised in STIX. TTPs consist of the specific adversary behaviour exhibited (attack patterns, malware, exploits), resources leveraged (tools, infrastructure, personas), information on the victims targeted (who, what or where), relevant ExploitTargets being targeted, intended effects, relevant kill chain phases, handling guidance, source of the TTP information, etc.

Targeted Threat Index

The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. More info about TTI.

PAP - Permissible Actions Protocol

The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. It is a protocol/taxonomy similar to TLP, informing the recipients of information what they may do with it (for example whether they may act on it in ways that could be detected by the adversary).

TLP - Traffic Light Protocol

The Traffic Light Protocol - or short: TLP - was designed with the objective of creating a simple classification scheme for sharing sensitive information while keeping control over its distribution at the same time.

Vocabulary for Event Recording and Incident Sharing VERIS

Vocabulary for Event Recording and Incident Sharing is a format created by the VERIS community.

Reserved Taxonomy

The following taxonomy namespaces are reserved and used internally by MISP; do not reuse them for your own taxonomies.

  • galaxy mapping taxonomy with cluster:element:"value".

Documentation

A documentation of the taxonomies is generated automatically from the taxonomies description and available in PDF and HTML.

How to contribute your taxonomy?

It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like Admiralty Scale), create a directory matching your namespace, put your machinetag.json file in that directory and open a pull request. That's it. Everyone can benefit from your taxonomy, and it can be automatically enabled in information sharing tools like MISP.

For more information, see the "Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP" presentation given at the last MISP training in Luxembourg.

How to add your private taxonomy to MISP

$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
$ vi machinetag.json

Create a JSON file describing your taxonomy as triple tags: a namespace, a description, a version, the list of predicates and, for predicates that take values, the allowed entries. Keep the namespace identical to the directory name, since that is how the taxonomy is matched.

Before loading it, validate the file against schema.json (the repository ships validate_all.sh and jq_all_the_things.sh for this); a malformed file will simply not show up. Once you are happy with your file, go to the MISP web GUI (taxonomies/index) and update the taxonomies. The newly created taxonomy should then be visible; you still need to enable it and activate the tags within your taxonomy before they can be used.
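The following is an added example, not the repository's own tools/machinetag.py, covering both the machine tag format described at the top of this README and the private taxonomy procedure above. It constructs a small taxonomy in the machinetag.json layout (namespace, description, version, predicates, values with their entries), checks the structure the way schema.json requires, expands it into the full list of valid tags the way machinetag.py prints them, parses individual triple tags, and flags tags on an event that are unknown or that set more than one value of a predicate marked exclusive (the exclusive flag is the one the repository's schema defines; the checking logic here is this example's own). The taxonomy name "privatetaxonomy", its predicates and the event tags are all constructed for the example.

```python
"""Build, expand and check a MISP taxonomy expressed in machine tags.

Added example (not the repository's tools/machinetag.py). The taxonomy
below is constructed for the example; its structure follows the
machinetag.json layout used by the taxonomies in this repository.
"""
import json
import re

# Constructed taxonomy in machinetag.json form. "exclusive" on a predicate
# means at most one value of that predicate may be set on the same object.
PRIVATE_TAXONOMY = json.loads("""
{
  "namespace": "privatetaxonomy",
  "description": "Example private taxonomy (constructed for this example).",
  "version": 1,
  "predicates": [
    {"value": "source-reliability", "expanded": "Source reliability", "exclusive": true},
    {"value": "reviewed", "expanded": "Reviewed by an analyst"}
  ],
  "values": [
    {"predicate": "source-reliability",
     "entry": [
       {"value": "a", "expanded": "Completely reliable"},
       {"value": "b", "expanded": "Usually reliable"},
       {"value": "c", "expanded": "Fairly reliable"}
     ]}
  ]
}
""")

# namespace:predicate or namespace:predicate="value"; the value is always quoted.
TAG_RE = re.compile(r'^([^:"=\s]+):([^:"=\s]+)(?:="([^"]*)")?$')


def parse_tag(tag):
    """Split a machine tag into (namespace, predicate, value-or-None)."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError("not a machine tag: %r" % tag)
    return m.group(1), m.group(2), m.group(3)


def check_taxonomy(tax):
    """Minimal structural checks in the spirit of schema.json: required keys
    present, and every 'values' block refers to a declared predicate."""
    for key in ("namespace", "description", "version", "predicates"):
        if key not in tax:
            raise ValueError("missing key %r" % key)
    declared = {p["value"] for p in tax["predicates"]}
    for block in tax.get("values", []):
        if block["predicate"] not in declared:
            raise ValueError("values for undeclared predicate %r" % block["predicate"])
    return True


def expand_tags(tax):
    """List every valid tag, as machinetag.py prints them: a predicate with
    entries yields one tag per entry, a predicate without entries yields itself."""
    ns = tax["namespace"]
    entries = {b["predicate"]: [e["value"] for e in b["entry"]] for b in tax.get("values", [])}
    tags = []
    for pred in tax["predicates"]:
        p = pred["value"]
        if p in entries:
            tags.extend('%s:%s="%s"' % (ns, p, v) for v in entries[p])
        else:
            tags.append("%s:%s" % (ns, p))
    return tags


def validate_tags(tax, tags):
    """Return the problems found in the tags attached to one object: tags not
    in the taxonomy, and more than one value of an exclusive predicate."""
    valid = set(expand_tags(tax))
    exclusive = {p["value"] for p in tax["predicates"] if p.get("exclusive")}
    problems = []
    seen = {}
    for tag in tags:
        ns, pred, val = parse_tag(tag)
        if ns != tax["namespace"]:
            continue  # tags from other namespaces are not ours to judge
        if tag not in valid:
            problems.append("unknown tag %s" % tag)
            continue
        if pred in exclusive:
            seen.setdefault(pred, []).append(val)
    for pred, vals in seen.items():
        if len(vals) > 1:
            problems.append("exclusive predicate %s set %d times: %s"
                            % (pred, len(vals), ", ".join(vals)))
    return problems


if __name__ == "__main__":
    check_taxonomy(PRIVATE_TAXONOMY)
    for t in expand_tags(PRIVATE_TAXONOMY):
        print(t)
    # Constructed tags on one event: one unknown value, one exclusive clash.
    event_tags = ['privatetaxonomy:source-reliability="a"',
                  'privatetaxonomy:source-reliability="b"',
                  'privatetaxonomy:reviewed',
                  'privatetaxonomy:source-reliability="z"',
                  'tlp:amber']
    for p in validate_tags(PRIVATE_TAXONOMY, event_tags):
        print("problem:", p)
```

Run it from the directory holding your machinetag.json after swapping PRIVATE_TAXONOMY for json.load(open("machinetag.json")); the expand_tags output is what you should expect to see under taxonomies/index once MISP has picked the file up, and validate_tags is the check to run before bulk-importing tagged data from another sharing tool.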

MISP Taxonomies - tools

machinetag.py is a parsing tool that dumps taxonomies expressed in Machine Tags (Triple Tags) and lists all valid tags from a specific taxonomy, one tag per line:

% cd tools
% python machinetag.py
        admiralty-scale:source-reliability="a"
        admiralty-scale:source-reliability="b"
        admiralty-scale:source-reliability="c"
        admiralty-scale:source-reliability="d"
        admiralty-scale:source-reliability="e"
        admiralty-scale:source-reliability="f"
        admiralty-scale:information-credibility="1"
        admiralty-scale:information-credibility="2"
        admiralty-scale:information-credibility="3"
        admiralty-scale:information-credibility="4"
        admiralty-scale:information-credibility="5"
        admiralty-scale:information-credibility="6"
        ...

License

The MISP taxonomies are licensed under CC0 1.0 Universal (CC0 1.0) - Public Domain Dedication. If the author of a specific taxonomy wants to license it under a different license, this can be requested via a pull request.