From 9f481f4aee1932c4365b61cdee31f5419147edd4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 15 Nov 2023 14:09:51 +0100
Subject: [PATCH] new: [srbcert] New taxonomy for the SRB-CERT
---
 MANIFEST.json | 31 ++++---
 srbcert/machinetag.json | 191 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 209 insertions(+), 13 deletions(-)
 create mode 100644 srbcert/machinetag.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 17969bc..35dd6c7 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -89,9 +89,9 @@
 "version": 2
 },
 {
- "description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
+ "description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
 "name": "circl",
- "version": 5
+ "version": 6
 },
 {
 "description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
@@ -124,7 +124,7 @@
 "version": 2
 },
 {
- "description": "The Crowdsec behaviors and classifications taxonomy is the list of taxonomies used in Crowdsec to describe the behaviors and classifications of an IP address. The behaviors are a list of attack categories for which a given IP address was reported, where the classifications describe a list of categories associated to an IP address and, when applicable, a list of false positive categories.",
+ "description": "Crowdsec IP address classifications and behaviors taxonomy.",
 "name": "crowdsec",
 "version": 1
 },
@@ -238,6 +238,11 @@
 "name": "domain-abuse",
 "version": 2
 },
+ {
+ "description": "This taxonomy aims to list doping substances",
+ "name": "doping-substances",
+ "version": 2
+ },
 {
 "description": "A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest",
 "name": "drugs",
@@ -511,7 +516,7 @@
 {
 "description": "MISP workflow taxonomy to support result of workflow execution.",
 "name": "misp-workflow",
- "version": 2
+ "version": 3
 },
 {
 "description": "MONARC Threats Taxonomy",
@@ -626,7 +631,7 @@
 {
 "description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
 "name": "runtime-packer",
- "version": 1
+ "version": 2
 },
 {
 "description": "Flags describing the sample",
@@ -658,6 +663,11 @@
 "name": "social-engineering-attack-vectors",
 "version": 1
 },
+ {
+ "description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
+ "name": "srbcert",
+ "version": 1
+ },
 {
 "description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
 "name": "state-responsibility",
@@ -696,7 +706,7 @@
 {
 "description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
 "name": "tlp",
- "version": 7
+ "version": 9
 },
 {
 "description": "Taxonomy to describe Tor network infrastructure",
@@ -741,14 +751,9 @@
 {
 "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
 "name": "workflow",
- "version": 11
- },
- {
- "description": "This taxonomy aims to list doping substances",
- "name": "doping-substances",
- "version": 2
+ "version": 12
 }
 ],
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
- "version": "20230514"
+ "version": "20231115"
 }
diff --git a/srbcert/machinetag.json b/srbcert/machinetag.json
new file mode 100644
index 0000000..a9904f8
--- /dev/null
+++ b/srbcert/machinetag.json
@@ -0,0 +1,191 @@
+{
+ "namespace": "srbcert",
+ "description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "incident-type",
+ "expanded": "Incident Type"
+ },
+ {
+ "value": "incident-criticality-level",
+ "expanded": "Incident Criticality Level"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "incident-type",
+ "entry": [
+ {
+ "value": "virus",
+ "expanded": "Virus"
+ },
+ {
+ "value": "worm",
+ "expanded": "Worm"
+ },
+ {
+ "value": "ransomware",
+ "expanded": "Ransomware"
+ },
+ {
+ "value": "trojan",
+ "expanded": "Trojan"
+ },
+ {
+ "value": "spyware",
+ "expanded": "Spyware"
+ },
+ {
+ "value": "rootkit",
+ "expanded": "Rootkit"
+ },
+ {
+ "value": "malware",
+ "expanded": "Malware"
+ },
+ {
+ "value": "port-scanning",
+ "expanded": "Port scanning"
+ },
+ {
+ "value": "sniffing",
+ "expanded": "Sniffing"
+ },
+ {
+ "value": "social-engineering",
+ "expanded": "Social engineering"
+ },
+ {
+ "value": "data-breaches",
+ "expanded": "Data breaches"
+ },
+ {
+ "value": "other-type-of-information-gathering",
+ "expanded": "Other type of information gathering"
+ },
+ {
+ "value": "phishing",
+ "expanded": "Phishing"
+ },
+ {
+ "value": "unauthorized-use-of-resources",
+ "expanded": "Unauthorized use of resources"
+ },
+ {
+ "value": "fraud",
+ "expanded": "Fraud"
+ },
+ {
+ "value": "exploiting-known-vulnerabilities",
+ "expanded": "Exploiting known vulnerabilities"
+ },
+ {
+ "value": "brute-force",
+ "expanded": "Brute force"
+ },
+ {
+ "value": "other-type-of-intrusion-attempts",
+ "expanded": "Other type of Intrusion Attempts"
+ },
+ {
+ "value": "privilege-account-compromise",
+ "expanded": "Privilege account compromise"
+ },
+ {
+ "value": "unprivileged-account-compromise",
+ "expanded": "Unprivileged account compromise"
+ },
+ {
+ "value": "application-compromise",
+ "expanded": "Application compromise"
+ },
+ {
+ "value": "botnet",
+ "expanded": "Botnet"
+ },
+ {
+ "value": "other-type-of-intrusions",
+ "expanded": "Other type of intrusions"
+ },
+ {
+ "value": "dos",
+ "expanded": "DoS"
+ },
+ {
+ "value": "ddos",
+ "expanded": "DDoS"
+ },
+ {
+ "value": "sabotage",
+ "expanded": "Sabotage"
+ },
+ {
+ "value": "outage",
+ "expanded": "Outage"
+ },
+ {
+ "value": "other-type-of-availability-incident",
+ "expanded": "Other type of Availability incident"
+ },
+ {
+ "value": "unauthorized-access-to-information",
+ "expanded": "Unauthorized access to information"
+ },
+ {
+ "value": "unauthorized-modification-of-information",
+ "expanded": "Unauthorized modification of information"
+ },
+ {
+ "value": "cryptographic-attack",
+ "expanded": "Cryptographic attack"
+ },
+ {
+ "value": "other-type-of-information-content-security-incident",
+ "expanded": "Other type of Information Content Security incident"
+ },
+ {
+ "value": "hardware-errors",
+ "expanded": "Hardware errors"
+ },
+ {
+ "value": "software-errors",
+ "expanded": "Software errors"
+ },
+ {
+ "value": "software-errors",
+ "expanded": "Software errors"
+ },
+ {
+ "value": "hardware-components-theft",
+ "expanded": "hardware-components-theft"
+ },
+ {
+ "value": "other",
+ "expanded": "Other"
+ }
+ ]
+ },
+ {
+ "predicate": "incident-criticality-level",
+ "entry": [
+ {
+ "value": "low",
+ "expanded": "Low"
+ },
+ {
+ "value": "medium",
+ "expanded": "Medium"
+ },
+ {
+ "value": "high",
+ "expanded": "High"
+ },
+ {
+ "value": "very-high",
+ "expanded": "Very High"
+ }
+ ]
+ }
+ ]
+}
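Review bot: The `incident-type` entry list contains the `software-errors` object twice in a row, so the taxonomy would publish the same `srbcert:incident-type="software-errors"` tag twice; one of the two identical objects should be dropped before merging. The `hardware-components-theft` entry also copies the machine value into its label where every sibling uses a human-readable phrase: `"expanded": "Hardware components theft"`. The values of `incident-criticality-level` are mutually exclusive by nature (an incident has one level), so marking that predicate with `"exclusive": true` would let MISP stop a second level being attached to the same event. Labels are inconsistently capitalised as well (`"Other type of Intrusion Attempts"`, `"Other type of Availability incident"` next to `"Other type of intrusions"`); sentence case throughout would match the rest of the file.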