From 23778666bab2cdf17c5efa4202c387a271efe9e6 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Thu, 28 Jan 2021 10:03:12 +0100
Subject: [PATCH] RSIT Galaxy/Cluster

---
 clusters/rsit.json | 648 +++++++++++++++++++++++++++++++++++++++++++++
 galaxies/rsit.json | 24 ++
 2 files changed, 672 insertions(+)
 create mode 100644 clusters/rsit.json
 create mode 100644 galaxies/rsit.json

diff --git a/clusters/rsit.json b/clusters/rsit.json
new file mode 100644
index 0000000..1afaac1
--- /dev/null
+++ b/clusters/rsit.json
@@ -0,0 +1,648 @@ +{ + "authors": [ + "Koen Van Impe" + ], + "category": "rsit", + "description": "rsit", + "name": "rsit", + "source": "https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force", + "type": "rsit", + "uuid": "ed3f9269-8f08-4f78-8aee-ce0028f41b61", + "values": [ + { + "cfr-type-of-incident": "Spam", + "description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.", + "meta": { + "kill_chain": [ + "RSIT:Abusive Content" + ] + }, + "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "b81d1a4a-c71d-457b-9e02-7ea885a56564", + "value": "Abusive Content:Spam" + }, + { + "cfr-type-of-incident": "Harmful Speech", + "description": "Discretization or discrimination of somebody, e.g. 
cyber stalking, racism or threats against one or more individuals.", + "meta": { + "kill_chain": [ + "RSIT:Abusive Content" + ] + }, + "uuid": "a5fb0564-7bb6-4478-9713-9c23085df32e", + "value": "Abusive Content:Harmful Speech" + }, + { + "cfr-type-of-incident": "(Child) Sexual Exploitation/Sexual/Violent Content", + "description": "Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.", + "meta": { + "kill_chain": [ + "RSIT:Abusive Content" + ] + }, + "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "abfbf4ae-a10a-43aa-9ef2-0dbbaac3c789", + "value": "Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content" + }, + { + "cfr-type-of-incident": "Infected System", + "description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server", + "meta": { + "kill_chain": [ + "RSIT:Malicious Code" + ] + }, + "uuid": "e841c237-e39c-4804-a780-f6fc4a2e6371", + "value": "Malicious Code:Infected System" + }, + { + "cfr-type-of-incident": "C2 Server", + "description": "Command-and-control server contacted by malware on infected systems.", + "meta": { + "kill_chain": [ + "RSIT:Malicious Code" + ] + }, + "related": [ + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "9c1bbe1b-8f51-4edc-8974-eb049617d6d1", + "value": "Malicious Code:C2 Server" + }, + { + "cfr-type-of-incident": "Malware Distribution", + "description": "URI used for malware distribution, e.g. 
a download URL included in fake invoice malware spam or exploit-kits (on websites).", + "meta": { + "kill_chain": [ + "RSIT:Malicious Code" + ] + }, + "uuid": "4eb23762-69e1-45fb-9e4a-700e0c183ac5", + "value": "Malicious Code:Malware Distribution" + }, + { + "cfr-type-of-incident": "Malware Configuration", + "description": "URI hosting a malware configuration file, e.g. web-injects for a banking trojan.", + "meta": { + "kill_chain": [ + "RSIT:Malicious Code" + ] + }, + "uuid": "c6eb8e72-40cc-4fc6-b2ca-dc8ba88c8fa3", + "value": "Malicious Code:Malware Configuration" + }, + { + "cfr-type-of-incident": "Scanning", + "description": "Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.", + "meta": { + "kill_chain": [ + "RSIT:Information Gathering" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "67073dde-d720-45ae-83da-b12d5e73ca3b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "1f09c97b-fee4-4376-b525-809bb61de579", + "value": "Information Gathering:Scanning" + }, + { + "cfr-type-of-incident": "Sniffing", + "description": "Observing and recording of network traffic (wiretapping).", + "meta": { + "kill_chain": [ + "RSIT:Information Gathering" + ] + }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "tags": [ + 
"estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "4958bdb2-8d0d-4bc7-8762-5a967a92868b", + "value": "Information Gathering:Sniffing" + }, + { + "cfr-type-of-incident": "Social Engineering", + "description": "Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).", + "meta": { + "kill_chain": [ + "RSIT:Information Gathering" + ] + }, + "uuid": "a7d12859-b60f-4536-b356-fcaaf8234403", + "value": "Information Gathering:Social Engineering" + }, + { + "cfr-type-of-incident": "Exploitation of known Vulnerabilities", + "description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)", + "meta": { + "kill_chain": [ + "RSIT:Intrusion Attempts" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "b0e536ba-dce3-430d-a7f6-bcf99ca6de44", + "value": "Intrusion Attempts:Exploitation of known Vulnerabilities" + }, + { + "cfr-type-of-incident": "Login attempts", + "description": "Multiple login attempts (Guessing / cracking of passwords, brute force). 
This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.", + "meta": { + "kill_chain": [ + "RSIT:Intrusion Attempts" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "f4b8f7d6-bccb-49ef-b478-66a77e2c2238", + "value": "Intrusion Attempts:Login attempts" + }, + { + "cfr-type-of-incident": "New attack signature", + "description": "An attack using an unknown exploit.", + "meta": { + "kill_chain": [ + "RSIT:Intrusion Attempts" + ] + }, + "uuid": "a2687bac-9a4f-4e90-a094-8b2f481ceaef", + "value": "Intrusion Attempts:New attack signature" + }, + { + "cfr-type-of-incident": "Privileged Account Compromise", + "description": "Compromise of a system where the attacker gained administrative privileges.", + "meta": { + "kill_chain": [ + "RSIT:Intrusions" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "68cf72aa-0125-445e-adf8-de0efe4a664c", + "value": "Intrusions:Privileged Account Compromise" + }, + { + "cfr-type-of-incident": "Unprivileged Account Compromise", + "description": "Compromise of a 
system using an unprivileged (user/service) account.", + "meta": { + "kill_chain": [ + "RSIT:Intrusions" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "bc82f61e-7a39-4d2f-bc86-4f8ec886af01", + "value": "Intrusions:Unprivileged Account Compromise" + }, + { + "cfr-type-of-incident": "Application Compromise", + "description": "Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.", + "meta": { + "kill_chain": [ + "RSIT:Intrusions" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "d12415bd-d965-4afe-94a3-e56e16c78004", + "value": "Intrusions:Application Compromise" + }, + { + "cfr-type-of-incident": "System Compromise", + "description": "Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems.", + "meta": { + "kill_chain": [ + "RSIT:Intrusions" + ] + }, + "uuid": "995f7028-9b13-4519-80f1-1b22f36aefb4", + "value": "Intrusions:System Compromise" + }, + { + "cfr-type-of-incident": "Burglary", + "description": "Physical intrusion, e.g. into corporate building or data-centre.", + "meta": { + "kill_chain": [ + "RSIT:Intrusions" + ] + }, + "uuid": "2720eeb7-4611-4330-b3da-2d3c9c5e6667", + "value": "Intrusions:Burglary" + }, + { + "cfr-type-of-incident": "Denial of Service", + "description": "Denial of Service attack, e.g. 
sending specially crafted requests to a web application which causes the application to crash or slow down.", + "meta": { + "kill_chain": [ + "RSIT:Availability" + ] + }, + "related": [ + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "28883628-32cc-4bc6-8142-c1fc2c01bd9e", + "value": "Availability:Denial of Service" + }, + { + "cfr-type-of-incident": "Distributed Denial of Service", + "description": "Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.", + "meta": { + "kill_chain": [ + "RSIT:Availability" + ] + }, + "related": [ + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "ff14d9d0-c952-4995-9871-5aea332002c9", + "value": "Availability:Distributed Denial of Service" + }, + { + "cfr-type-of-incident": "Misconfiguration", + "description": "Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.", + "meta": { + "kill_chain": [ + "RSIT:Availability" + ] + }, + "uuid": "8e9f1fa4-e657-4311-a362-a80fdd0b7f33", + "value": "Availability:Misconfiguration" + }, + { + "cfr-type-of-incident": "Sabotage", + "description": "Physical sabotage, e.g cutting wires or malicious arson.", + "meta": { + "kill_chain": [ + "RSIT:Availability" + ] + }, + "uuid": "c63fcb56-69bb-4b35-a1ea-13d8f3272ae0", + "value": "Availability:Sabotage" + }, + { + "cfr-type-of-incident": "Outage", + "description": "Outage caused e.g. 
by air condition failure or natural disaster.", + "meta": { + "kill_chain": [ + "RSIT:Availability" + ] + }, + "uuid": "934a52bd-da26-4f62-9ec7-d21c01db2802", + "value": "Availability:Outage" + }, + { + "cfr-type-of-incident": "Unauthorised access to information", + "description": "Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.", + "meta": { + "kill_chain": [ + "RSIT:Information Content Security" + ] + }, + "uuid": "ddbaedeb-dc34-4f6b-a3b1-6337270cb175", + "value": "Information Content Security:Unauthorised access to information" + }, + { + "cfr-type-of-incident": "Unauthorised modification of information", + "description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.", + "meta": { + "kill_chain": [ + "RSIT:Information Content Security" + ] + }, + "related": [ + { + "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "b6f82050-4732-46b4-b110-d582c553ed0f", + "value": "Information Content Security:Unauthorised modification of information" + }, + { + "cfr-type-of-incident": "Data Loss", + "description": "Loss of data, e.g. 
caused by harddisk failure or physical theft.", + "meta": { + "kill_chain": [ + "RSIT:Information Content Security" + ] + }, + "uuid": "d9c04af1-deb8-44a8-9085-7857d5a2015d", + "value": "Information Content Security:Data Loss" + }, + { + "cfr-type-of-incident": "Leak of confidential information", + "description": "Leaked confidential information like credentials or personal data.", + "meta": { + "kill_chain": [ + "RSIT:Information Content Security" + ] + }, + "uuid": "a49fcb43-c94e-4a13-b39e-ed34bfbe2633", + "value": "Information Content Security:Leak of confidential information" + }, + { + "cfr-type-of-incident": "Unauthorised use of resources", + "description": "Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.", + "meta": { + "kill_chain": [ + "RSIT:Fraud" + ] + }, + "uuid": "38f58cf2-e72c-4d8e-ac1f-9a5180aaad99", + "value": "Fraud:Unauthorised use of resources" + }, + { + "cfr-type-of-incident": "Copyright", + "description": "Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).", + "meta": { + "kill_chain": [ + "RSIT:Fraud" + ] + }, + "uuid": "99b749d8-f9c6-445b-82d5-3722f0d664dd", + "value": "Fraud:Copyright" + }, + { + "cfr-type-of-incident": "Masquerade", + "description": "Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.", + "meta": { + "kill_chain": [ + "RSIT:Fraud" + ] + }, + "uuid": "1057ec33-5932-4696-80b0-ad3ce26d6c23", + "value": "Fraud:Masquerade" + }, + { + "cfr-type-of-incident": "Phishing", + "description": "Masquerading as another entity in order to persuade the user to reveal private credentials. 
This IOC most often refers to a URL, which is used to phish user credentials.", + "meta": { + "kill_chain": [ + "RSIT:Fraud" + ] + }, + "related": [ + { + "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "9c16409a-2029-470e-8579-77d953b2c6d3", + "value": "Fraud:Phishing" + }, + { + "cfr-type-of-incident": "Weak crypto", + "description": "Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.", + "meta": { + "kill_chain": [ + "RSIT:Vulnerable" + ] + }, + "uuid": "c8ca2965-f8df-4a74-92b3-4a473608ef90", + "value": "Vulnerable:Weak crypto" + }, + { + "cfr-type-of-incident": "DDoS amplifier", + "description": "Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.", + "meta": { + "kill_chain": [ + "RSIT:Vulnerable" + ] + }, + "related": [ + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], + "uuid": "41ee48e3-92e0-4f0c-b2f0-461325e149bc", + "value": "Vulnerable:DDoS amplifier" + }, + { + "cfr-type-of-incident": "Potentially unwanted accessible services", + "description": "Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.", + "meta": { + "kill_chain": [ + "RSIT:Vulnerable" + ] + }, + "uuid": "a2dbfb66-dc27-41e0-976f-4888dcab0cb3", + "value": "Vulnerable:Potentially unwanted accessible services" + }, + { + "cfr-type-of-incident": "Information disclosure", + "description": "Publicly accessible services potentially disclosing sensitive information, e.g. 
SNMP or Redis.", + "meta": { + "kill_chain": [ + "RSIT:Vulnerable" + ] + }, + "uuid": "609449a3-5951-42b4-a4cd-196e09a3120f", + "value": "Vulnerable:Information disclosure" + }, + { + "cfr-type-of-incident": "Vulnerable system", + "description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc.", + "meta": { + "kill_chain": [ + "RSIT:Vulnerable" + ] + }, + "uuid": "4d1c5a5e-1244-457b-9e33-c0b1695d5e51", + "value": "Vulnerable:Vulnerable system" + }, + { + "cfr-type-of-incident": "Uncategorised", + "description": "All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised.", + "meta": { + "kill_chain": [ + "RSIT:Other" + ] + }, + "uuid": "88e0d210-0b5a-405d-a979-5375f6cb2d01", + "value": "Other:Uncategorised" + }, + { + "cfr-type-of-incident": "Undetermined", + "description": "The categorisation of the incident is unknown/undetermined.", + "meta": { + "kill_chain": [ + "RSIT:Other" + ] + }, + "uuid": "6bdbec29-d198-4031-a15e-33e8973c5f05", + "value": "Other:Undetermined" + }, + { + "cfr-type-of-incident": "Test", + "description": "Meant for testing.", + "meta": { + "kill_chain": [ + "RSIT:Test" + ] + }, + "uuid": "bdeb2700-cc42-4ccc-a3bc-950c6c495102", + "value": "Test:Test" + } + ], + "version": 1 +} diff --git a/galaxies/rsit.json b/galaxies/rsit.json new file mode 100644 index 0000000..bbef760 --- /dev/null +++ b/galaxies/rsit.json 
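Review bot: Every entry in `values` carries a top-level `cfr-type-of-incident` key, which looks like a leftover from the CFR cluster template rather than anything RSIT defines; the MISP cluster format keeps per-entry attributes under `meta`, and if the repository's JSON schema closes the value objects (additionalProperties false) this file will fail validation. Either move it under `meta` with an RSIT-specific name or drop it, since it only repeats the part of `value` after the colon. The cluster header is also still a placeholder — `"description": "rsit"` and `"name": "rsit"` — while galaxies/rsit.json spells out the full name; align them with `"description": "Reference Security Incident Classification Taxonomy",` and `"name": "Reference Security Incident Classification Taxonomy",`. The `related` links are bare `dest-uuid` values with a uniform "likely" tag and nothing on the page says which galaxy they point into (they look like ATT&CK technique UUIDs, but that is a guess); naming the target galaxy in the commit message, or adding a `refs` entry under `meta` pointing at the RSIT source, would let a reviewer check the mapping instead of trusting it.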
@@ -0,0 +1,24 @@
+{
+ "description": "Reference Security Incident Classification Taxonomy",
+ "icon": "map",
+ "kill_chain_order": {
+ "RSIT": [
+ "Abusive Content",
+ "Malicious Code",
+ "Information Gathering",
+ "Intrusion Attempts",
+ "Intrusions",
+ "Availability",
+ "Information Content Security",
+ "Fraud",
+ "Vulnerable",
+ "Other",
+ "Test"
+ ]
+ },
+ "name": "Reference Security Incident Classification Taxonomy",
+ "namespace": "RSIT",
+ "type": "rsit",
+ "uuid": "97eb5924-b784-437a-9110-6ed07d587fc4",
+ "version": 1
+}
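Review bot: The galaxy `description` does not record which release of the upstream RSIT the `kill_chain_order` was taken from, and the `source` URL lives only in the cluster file; RSIT is versioned upstream, so consumers that match on the `RSIT:<class>` strings have no way to tell which baseline these eleven classes reflect if the taxonomy is reworded later. A description such as `"description": "Reference Security Incident Classification Taxonomy (ENISA RSIT, <release>)"` with the release filled in would cover it. The rest of the hunk is consistent with the cluster as far as the page shows: `type`, the `RSIT` namespace and the class list match the `kill_chain` values used there.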