misp / misp-taxonomies


Taxonomies used in the MISP taxonomy system, which can also be used by other information sharing tools.

Home Page: https://www.circl.lu/doc/misp-taxonomies/

License: Other

Shell 3.65% Python 96.35%
information-exchange classification security taxonomy misp-taxonomies incident-classification government-classification-markings enisa-threat-taxonomy incident-taxonomy incident-response

misp-taxonomies's Issues

MISP trying to open mapping/machinetag.json

This gives the error Could not update any of the taxonomy libraries when updating the tags. This is caused by:

2016-10-28 12:57:18 Warning: Warning (2): file_get_contents(/var/www/MISP/app/files/taxonomies/mapping/machinetag.json): failed to open stream: No such file or directory in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/File.php, line 154]

Influence remote instances

Extend the MISP Taxonomy Library with a method to influence the behavior of remote instances.

E.g. the event creator publishes 'without email notification'. A remote instance would still publish to their users. This could be regarded - in the eyes of the creator - as disrespect.

New taxonomy for vulns.

During the First / TFCsirt meeting there was a question for a taxonomy to classify vulns. Would like to take that issue as an opportunity to collect papers covering classifications etc as a baseline to start with a machine readable vuln. taxonomy.

Hope it makes sense.

A

Mixed taxonomy level structure & colours of values

Hi folks,
are the following two taxonomy configurations possible (intended for private taxonomy)?

a) Mixture of "predicate only" and "predicate and value" structure
I receive parsing errors if I omit the values on the "predicate only" level or set the value to "null". However, a uniform, not mixed "predicate and value" != "null" structure works fine.

b) Tag colour configuration on "value" level
Like on "predicate" level e. g. in https://github.com/MISP/misp-taxonomies/tree/master/tlp
Colours defined on "value" level are not interpreted in my machinetag.json

abuse action taken taxonomy to create

action-taken: 
	informed ISP/Hosting Service Provider
	informed Registrar
	informed Registrant
	informed abuse-contact (domain)
	informed abuse-contact (IP)
	informed legal department

Probability scale to add in the OSINT namespace

https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html

100%                            Certainty
The General Area of Possibility
93%   give or take about 6%     Almost certain
75%   give or take about 12%    Probable
50%   give or take about 10%    Chances about even
30%   give or take about 10%    Probably not
7%    give or take about 5%     Almost certainly not
0%                              Impossibility

[ISO/IEC 27010] Information sensitivity reduction taxonomy

As defined in ISO/IEC 27019 The originator of an information exchange should indicate if the sensitivity of the information supplied will reduce after some external event, or the passage of time.

A taxonomy for sensitivity reduction should be created in order to cover such cases.

Proposal: add circl:incident-classification="cryptojacking"

Hi! I've looked through this repo and I'm not sure how to propose the extension of existing taxonomies.

I think the circl:incident-classification set is very useful, but at AusCERT we've seen a lot of cryptocurrency-mining attacks and would like a standard tag for them.

Happy to make a pull request if that's the correct approach. Is the taxonomy defined elsewhere and would need some discussion?

Tag Values

Hi
I want to know who determines the tag values? For example, determining the "Source Reliability tag" levels or
likelihood-probability?
And can we do tagging automatically?
thanks

Key value pair cannot have empty value for expanded key

The expanded key in the ifx-vetted taxonomy is empty. This is causing an error on the update taxonomies call. I am using Ubuntu 18.04 and PHP 7.2.

ifx-vetting could not be installed/updated. Error: {"TaxonomyPredicate":{"1":{"TaxonomyEntry":[{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be 
empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]}]}}}
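An added validation and tag-expansion helper (not code from misp-taxonomies or MISP) illustrating the two points raised in the mixed-structure question above and in this report: a predicate with no value group yields a predicate-only tag, and an empty "expanded" string is exactly what the update call rejects. The sample taxonomy, its namespace and colours are constructed; letting a value-level colour override the predicate colour is this example's own assumption, not documented MISP behaviour.

```python
# Constructed sample in the misp-taxonomies machinetag.json layout (not a
# taxonomy from the repository): "action-taken" carries values, "vetted" is
# predicate-only, and one value entry has an empty "expanded" string.
SAMPLE_TAXONOMY = {
    "namespace": "example-ns",
    "version": 1,
    "predicates": [
        {"value": "action-taken", "expanded": "Action taken", "colour": "#0000ff"},
        {"value": "vetted", "expanded": "Vetted by an analyst"},
    ],
    "values": [
        {"predicate": "action-taken", "entry": [
            {"value": "informed-isp", "expanded": "Informed ISP", "colour": "#00ff00"},
            {"value": "informed-registrar", "expanded": ""},
        ]},
    ],
}


def validate(taxonomy):
    """Return the problems a MISP taxonomy update rejects: empty 'expanded'
    strings, and value groups whose predicate is not declared."""
    problems = []
    declared = {p["value"] for p in taxonomy.get("predicates", [])}
    for p in taxonomy.get("predicates", []):
        if not p.get("expanded"):
            problems.append(f'predicate "{p["value"]}": expanded cannot be empty')
    for group in taxonomy.get("values", []):
        if group["predicate"] not in declared:
            problems.append(f'undeclared predicate "{group["predicate"]}"')
        for e in group.get("entry", []):
            if not e.get("expanded"):
                problems.append(f'{group["predicate"]}="{e["value"]}": expanded cannot be empty')
    return problems


def expand_tags(taxonomy):
    """Map every machine tag to a colour: predicates without a value group become
    predicate-only tags, otherwise one tag per value entry. A value-level colour
    overriding the predicate colour is this example's convention, not MISP's."""
    ns = taxonomy["namespace"]
    groups = {g["predicate"]: g.get("entry", []) for g in taxonomy.get("values", [])}
    tags = {}
    for p in taxonomy["predicates"]:
        if p["value"] not in groups:
            tags[f'{ns}:{p["value"]}'] = p.get("colour")
            continue
        for e in groups[p["value"]]:
            tags[f'{ns}:{p["value"]}="{e["value"]}"'] = e.get("colour", p.get("colour"))
    return tags
```

Running validate() over a real machinetag.json before enabling it on an instance surfaces the "Expanded cannot be empty" failure locally instead of in the MISP update log.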

Add category in each namespace

  • releasability marking or document classification
  • descriptive labels
  • estimative language (information and source reliability)
  • workflow

Add Targeted Technology taxonomy

If anyone can find a list to start with, it would be very useful to create a "targeted technology" taxonomy. This would indicate what technology a piece of malware is targeting. Like OS (windows/linux/iOs/Android/etc), browsers (Chrome, IE, Firefox, etc), middleware (Java, ActiveX, etc), etc.

Adding another taxonomy...

OK, so I know about RTFM, but have read, re-read, re-re-read, et al. -- the documentation to determine if I was losing it, or not.

I added a new directory under the /var/www/MISP/app/files/taxonomies directory, and clicked on 'Update Taxonomies' -- nothing. Nothing showed up.

Am I missing something here? Made it the same permissions as everything else. The taxonomy was duplicated using the TLP as its 'base' (so that should've worked). So...the question is -- what did I do wrong?

New taxonomy - workflow

workflow:todo="global"

workflow:todo="expansion"
workflow:todo="review"
workflow:todo="review-for-false-positive"
workflow:todo="review-for-publication"

Mutually exclusive values

It would be nice to be able to say that some values are mutually exclusive. For example, it should not be possible to tag something as "TLP Red" and "TLP Green". This is something that would be good to be able to do for all taxonomies.

Knowledge Graph

MISP seems so close to implementing true Knowledge Graph technology as provided through the Semantic Web community. See the Google Knowledge Graph, Facebook Graph, and DBpedia as examples. MISP can help by pushing the OASIS CTI to develop a true ontology for STIX, CyBOX, MAEC, etc. The ontology principles, graph DBs, and inference engines seem to be a perfect match for MISP. MISP Galaxies could be federated Knowledge Graphs / SPARQL Endpoints. The taxonomies need to move to the next level--employing actual ontologies. What needs to be done to move MISP in this direction?

Embedding tag colors in taxonomy definition

It would be great if the taxonomy definitions would allow for a color code field that would be picked up by MISP. Right now whenever I enable a taxonomy on multiple MISP instances I need to synchronize the tag colors by hand.

How do you remove a taxonomy?

uscipsectors
Look at the attached graphic. When I renamed the taxonomy from "cipsectors" to "uscipsectors", then refreshed the URL, now 2 of the same taxonomy show up. I've made the change within "./tools/machinetag.py", as well as the directory name, and the taxonomy name to "uscipsectors". It still shows 2 of the same thing.

Got any ideas of how to remove the erroneous taxonomy?

Add PassiveTotal tags

But it will only be meaningful when tags can be added to attributes since they are specific for an IOC/observable:

  1. Ever Compromised?
  2. Sinkhole
  3. Classify:Malicious
  4. Classify:Suspicious
  5. Classify:Non-malicious
  6. Classify:Unknown

Taxonomies: Typo in IEP Taxonomy

There's a typo in the MUST NOT value:

      "predicate": "unmodified-resale",
      "entry": [
        {
          "value": "MAY",
          "expanded": "Recipients MAY resell the information received."
        },
        {
          "value": "MUST NO",
          "expanded": "Recipients MUST NOT resell the information received unmodified or in a semantically equivalent format."

Should be:

      "predicate": "unmodified-resale",
      "entry": [
        {
          "value": "MAY",
          "expanded": "Recipients MAY resell the information received."
        },
        {
          "value": "MUST NOT",
          "expanded": "Recipients MUST NOT resell the information received unmodified or in a semantically equivalent format."
