Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
806 lines (805 sloc) 24.4 KB
{
"namespace": "cccs",
"description": "Internal taxonomy for CCCS.",
"version": 2,
"expanded": "CCCS",
"predicates": [
{
"value": "event",
"expanded": "Event type",
"description": "Type of event associated to the internal reference"
},
{
"value": "disclosure-type",
"expanded": "Disclosure type",
"description": "Type of information being disclosed."
},
{
"value": "domain-category",
"expanded": "Domain category",
"description": "The Domain Category."
},
{
"value": "email-type",
"expanded": "Email type",
"description": "Type of email event."
},
{
"value": "exploitation-technique",
"expanded": "Exploitation technique",
"description": "The technique used to remotely exploit a GoC system."
},
{
"value": "ip-category",
"expanded": "Ip category",
"description": "The IP Category."
},
{
"value": "maliciousness",
"expanded": "Maliciousness",
"description": "Level of maliciousness."
},
{
"value": "malware-category",
"expanded": "Malware category",
"description": "The Malware Category."
},
{
"value": "misusage-type",
"expanded": "Misusage type",
"description": "The type of misusage."
},
{
"value": "mitigation-type",
"expanded": "Mitigation type",
"description": "The type of mitigation."
},
{
"value": "origin",
"expanded": "Origin",
"description": "Where the request originated from."
},
{
"value": "originating-organization",
"expanded": "Originating organization",
"description": "Origin of a signature."
},
{
"value": "scan-type",
"expanded": "Scan type",
"description": "The type of scan event."
},
{
"value": "severity",
"expanded": "Severity",
"description": "Severity of the event."
},
{
"value": "threat-vector",
"expanded": "Threat vector",
"description": "Specifies how the threat actor gained or attempted to gain initial access to the target GoC host."
}
],
"values": [
{
"predicate": "event",
"entry": [
{
"value": "beacon",
"expanded": "Beacon",
"description": "A host infected with malware is connecting to threat actor owned infrastructure."
},
{
"value": "browser-based-exploitation",
"expanded": "Browser based exploitation",
"description": "A browser component is being exploited in order to infect a host."
},
{
"value": "dos",
"expanded": "Dos",
"description": "An attack in which the goal is to disrupt access to a host or resource."
},
{
"value": "email",
"expanded": "Email",
"description": "Malicious emails sent to a department (baiting, content delivery, phishing)."
},
{
"value": "exfiltration",
"expanded": "Exfiltration",
"description": "Unauthorized transfer of data from a target's network to a location a threat actor controls."
},
{
"value": "generic-event",
"expanded": "Generic event",
"description": "Represents a collection of virtually identical events within a range of time."
},
{
"value": "improper-usage",
"expanded": "Improper usage",
"description": "Technology used in a way that compromises security or violates policy."
},
{
"value": "malware-artifacts",
"expanded": "Malware artifacts",
"description": "Signs of the presence of malware observed on a host."
},
{
"value": "malware-download",
"expanded": "Malware download",
"description": "Malware was transferred (downloaded/uploaded) to a host."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Information or credentials disclosed to a threat actor."
},
{
"value": "remote-access",
"expanded": "Remote access",
"description": "A threat actor is attempting to or succeeding in remotely logging in to a host."
},
{
"value": "remote-exploitation",
"expanded": "Remote exploitation",
"description": "A threat actor is attempting to exploit vulnerabilities remotely."
},
{
"value": "scan",
"expanded": "Scan",
"description": "A threat actor is scanning the network."
},
{
"value": "scraping",
"expanded": "Scraping",
"description": "Represents a collection of virtually identical scraping events within a range of time."
},
{
"value": "traffic-interception",
"expanded": "Traffic interception",
"description": "Represents a collection of virtually identical traffic interception events within a range of time."
}
]
},
{
"predicate": "disclosure-type",
"entry": [
{
"value": "goc-credential-disclosure",
"expanded": "Goc credential disclosure",
"description": "Credentials for a GoC system or user were disclosed."
},
{
"value": "personal-credential-disclosure",
"expanded": "Personal credential disclosure",
"description": "Credentials not related to a GoC system or user were disclosed."
},
{
"value": "personal-information-disclosure",
"expanded": "Personal information disclosure",
"description": "Information about a person or persons was disclosed."
},
{
"value": "none",
"expanded": "None",
"description": "No information was disclosed."
},
{
"value": "other",
"expanded": "Other",
"description": "Information other than credentials and personal information was disclosed."
}
]
},
{
"predicate": "domain-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "Domain is being used as command-and-control infrastructure."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Domain is being used as a proxy."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "Domain has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "Domain is being used a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "Domain is hosted on cloud infrastructure."
},
{
"value": "name-server",
"expanded": "Name server",
"description": "Domain is a name server."
},
{
"value": "sinkholed",
"expanded": "Sinkholed",
"description": "Domain is being re-directed to a sinkhole."
}
]
},
{
"predicate": "email-type",
"entry": [
{
"value": "spam",
"expanded": "Spam",
"description": "Unsolicited or junk email named after a Monty Python sketch."
},
{
"value": "content\\-delivery\\-attack",
"expanded": "Content\\-delivery\\-attack",
"description": "Email contained malicious content or attachments."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "baiting",
"expanded": "Baiting",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Type of email was unknown."
}
]
},
{
"predicate": "exploitation-technique",
"entry": [
{
"value": "sql-injection",
"expanded": "Sql injection",
"description": "Exploitation occurred due to malicious SQL queries being executed against a database."
},
{
"value": "directory-traversal",
"expanded": "Directory traversal",
"description": "Exploitation occurred through a directory traversal attack allowing access to a restricted directory."
},
{
"value": "remote-file-inclusion",
"expanded": "Remote file inclusion",
"description": "Exploitation occurred due to vulnerabilities allowing malicious files to be sent."
},
{
"value": "code-injection",
"expanded": "Code injection",
"description": "Exploitation occurred due to malicious code being injected."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "ip-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "IP address is a command-and-control server."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "IP address is a proxy server."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "IP address has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "IP address is a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "IP address is part of cloud infrastructure."
},
{
"value": "network-gateway",
"expanded": "Network gateway",
"description": "IP address is a network gateway."
},
{
"value": "server",
"expanded": "Server",
"description": "IP address is a server of some type."
},
{
"value": "dns-server",
"expanded": "Dns server",
"description": "IP address is a DNS server."
},
{
"value": "smtp-server",
"expanded": "Smtp server",
"description": "IP address is a mail server."
},
{
"value": "web-server",
"expanded": "Web server",
"description": "IP address is a web server."
},
{
"value": "file-server",
"expanded": "File server",
"description": "IP address is a file server."
},
{
"value": "database-server",
"expanded": "Database server",
"description": "IP address is a database server."
},
{
"value": "security-appliance",
"expanded": "Security appliance",
"description": "IP address is a security appliance of some type."
},
{
"value": "tor-node",
"expanded": "Tor node",
"description": "IP address is a node of the TOR anonymization system."
},
{
"value": "sinkhole",
"expanded": "Sinkhole",
"description": "IP address is a sinkhole."
},
{
"value": "router",
"expanded": "Router",
"description": "IP address is a router device."
}
]
},
{
"predicate": "maliciousness",
"entry": [
{
"value": "non-malicious",
"expanded": "Non-malicious",
"description": "Non-malicious is not malicious or suspicious."
},
{
"value": "suspicious",
"expanded": "Suspicious",
"description": "Suspicious is not non-malicious and not malicious."
},
{
"value": "malicious",
"expanded": "Malicious",
"description": "Malicious is not non-malicious or suspicious."
}
]
},
{
"predicate": "malware-category",
"entry": [
{
"value": "exploit-kit",
"expanded": "Exploit kit",
"description": "Toolkit used to attack vulnerabilities in systems."
},
{
"value": "first-stage",
"expanded": "First stage",
"description": "Malware used in the initial phase of an attack and commonly used to retrieve a second stage."
},
{
"value": "second-stage",
"expanded": "Second stage",
"description": "Typical more complex malware retrieved by first stage malware."
},
{
"value": "scanner",
"expanded": "Scanner",
"description": "Malware used to look for common vulnerabilities or running software."
},
{
"value": "downloader",
"expanded": "Downloader",
"description": "Malware used to retrieve additional malware or tools."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Malware used to proxy traffic on an infected host."
},
{
"value": "reverse-proxy",
"expanded": "Reverse proxy",
"description": "If you choose this option please provide a description of what it is to the ALFRED PO."
},
{
"value": "webshell",
"expanded": "Webshell",
"description": "Malware uploaded to a web server allowing remote access to an attacker."
},
{
"value": "ransomware",
"expanded": "Ransomware",
"description": "Malware used to hold infected host's data hostage, typically through encryption until a payment is made to the attackers."
},
{
"value": "adware",
"expanded": "Adware",
"description": "Malware used to display ads to the infected host."
},
{
"value": "spyware",
"expanded": "Spyware",
"description": "Malware used to collect information from the infected host, such as credentials."
},
{
"value": "virus",
"expanded": "Virus",
"description": "Malware that propogates by inserting a copy of itself into another program."
},
{
"value": "worm",
"expanded": "Worm",
"description": "Standalone malware that propogates by copying itself.."
},
{
"value": "trojan",
"expanded": "Trojan",
"description": "Malware that looks like legitimate software but hides malicious code."
},
{
"value": "rootkit",
"expanded": "Rootkit",
"description": "Malware that can hide the existance of other malware by modifying operating system functions."
},
{
"value": "keylogger",
"expanded": "Keylogger",
"description": "Malware that runs in the background, capturing keystrokes from a user unknowingly for exfiltration."
},
{
"value": "browser-hijacker",
"expanded": "Browser hijacker",
"description": "Malware that re-directs or otherwise intercepts Internet browsing by the user."
}
]
},
{
"predicate": "misusage-type",
"entry": [
{
"value": "unauthorized-usage",
"expanded": "Unauthorized usage",
"description": "Usage of the system or resource was without appropriate permission or authorization."
},
{
"value": "misconfiguration",
"expanded": "Misconfiguration",
"description": "System or resource is misconfigured."
},
{
"value": "lack-of-encryption",
"expanded": "Lack of encryption",
"description": "System or resources has insufficient encryption or no encryption."
},
{
"value": "vulnerable-software",
"expanded": "Vulnerable software",
"description": "System or resource has software with known vulnerabilities."
},
{
"value": "privilege-escalation",
"expanded": "Privilege escalation",
"description": "System or resource was exploited to gain higher privilege level."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "mitigation-type",
"entry": [
{
"value": "anti-virus",
"expanded": "Anti-virus",
"description": "Anti-Virus"
},
{
"value": "content-filtering-system",
"expanded": "Content filtering system",
"description": "Content Filtering System"
},
{
"value": "dynamic-defense",
"expanded": "Dynamic defense",
"description": "Dynamic Defense"
},
{
"value": "insufficient-privileges",
"expanded": "Insufficient privileges",
"description": "Insufficient Privileges"
},
{
"value": "ids",
"expanded": "Ids",
"description": "Intrusion Detection System"
},
{
"value": "sink-hole-/-take-down-by-third-party",
"expanded": "Sink hole / take down by third party",
"description": "Sink Hole / Take Down by Third Party"
},
{
"value": "isp",
"expanded": "Isp",
"description": "Internet Service Provider"
},
{
"value": "invalid-credentials",
"expanded": "Invalid credentials",
"description": "Invalid Credentials"
},
{
"value": "not-vulnerable",
"expanded": "Not vulnerable",
"description": "No mitigation was required because the system was not vulnerable to the attack."
},
{
"value": "other",
"expanded": "Other",
"description": "Other"
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Unknown"
},
{
"value": "user",
"expanded": "User",
"description": "User"
}
]
},
{
"predicate": "origin",
"entry": [
{
"value": "subscriber",
"expanded": "Subscriber",
"description": "Subscriber."
},
{
"value": "internet",
"expanded": "Internet",
"description": "Internet."
}
]
},
{
"predicate": "originating-organization",
"entry": [
{
"value": "cse",
"expanded": "Cse",
"description": "Communications Security Establishment."
},
{
"value": "nsa",
"expanded": "Nsa",
"description": "National Security Agency."
},
{
"value": "gchq",
"expanded": "Gchq",
"description": "Government Communications Headquarters."
},
{
"value": "asd",
"expanded": "Asd",
"description": "Australian Signals Directorate."
},
{
"value": "gcsb",
"expanded": "Gcsb",
"description": "Government Communications Security Bureau."
},
{
"value": "open-source",
"expanded": "Open source",
"description": "Originated from publically available information."
},
{
"value": "3rd-party",
"expanded": "3rd party",
"description": "Originated from a 3rd party organization."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "scan-type",
"entry": [
{
"value": "open-port",
"expanded": "Open port",
"description": "Scan was looking for open ports corresponding to common applications or protocols."
},
{
"value": "icmp",
"expanded": "Icmp",
"description": "Scan was attempting to enumerate devices through the ICMP protocol."
},
{
"value": "os-fingerprinting",
"expanded": "Os fingerprinting",
"description": "Scan was looking for operating system information through unique characteristics in responses."
},
{
"value": "web",
"expanded": "Web",
"description": "Scan was enumerating or otherwise traversing web hosts."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "severity",
"entry": [
{
"value": "reconnaissance",
"expanded": "Reconnaissance",
"description": "An actor attempted or succeeded in gaining information that may be used to identify and/or compromise systems or data."
},
{
"value": "attempted-compromise",
"expanded": "Attempted compromise",
"description": "An actor attempted affecting the confidentiality, integrity or availability of a system."
},
{
"value": "exploited",
"expanded": "Exploited",
"description": "A vulnerability was successfully exploited."
}
]
},
{
"predicate": "threat-vector",
"entry": [
{
"value": "application:cms",
"expanded": "Application:cms",
"description": "Content Management System."
},
{
"value": "application:bash",
"expanded": "Application:bash",
"description": "BASH script."
},
{
"value": "application:acrobat-reader",
"expanded": "Application:acrobat reader",
"description": "Adobe Acrobat Reader."
},
{
"value": "application:ms-excel",
"expanded": "Application:ms excel",
"description": "Microsoft Excel."
},
{
"value": "application:other",
"expanded": "Application:other",
"description": "Other Application."
},
{
"value": "language:sql",
"expanded": "Language:sql",
"description": "Structured Query Language."
},
{
"value": "language:php",
"expanded": "Language:php",
"description": "PHP: Hypertext Preprocessor."
},
{
"value": "language:javascript",
"expanded": "Language:javascript",
"description": "JavaScript."
},
{
"value": "language:other",
"expanded": "Language:other",
"description": "Other Language."
},
{
"value": "protocol:dns",
"expanded": "Protocol:dns",
"description": "Domain Name System."
},
{
"value": "protocol:ftp",
"expanded": "Protocol:ftp",
"description": "File Transfer Protocol."
},
{
"value": "protocol:http",
"expanded": "Protocol:http",
"description": "Hyper Text Transfer Protocol."
},
{
"value": "protocol:icmp",
"expanded": "Protocol:icmp",
"description": "Internet Control Message Protocol."
},
{
"value": "protocol:ntp",
"expanded": "Protocol:ntp",
"description": "Network Time Protocol."
},
{
"value": "protocol:rdp",
"expanded": "Protocol:rdp",
"description": "Remote Desktop Protocol."
},
{
"value": "protocol:smb",
"expanded": "Protocol:smb",
"description": "Server Message Block."
},
{
"value": "protocol:snmp",
"expanded": "Protocol:snmp",
"description": "Simple Network Management Protocol."
},
{
"value": "protocol:ssl",
"expanded": "Protocol:ssl",
"description": "Secure Sockets Layer."
},
{
"value": "protocol:telnet",
"expanded": "Protocol:telnet",
"description": "Network Virtual Terminal Protocol."
},
{
"value": "protocol:sip",
"expanded": "Protocol:sip",
"description": "Session Initiation Protocol."
}
]
}
]
}