Merge branch 'main' of github.com:misp/misp-taxonomies

MANIFEST.json

@@ -121,7 +121,7 @@
     {
       "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
       "name": "course-of-action",
-      "version": 2
+      "version": 3
     },
     {
       "description": "Crowdsec IP address classifications and behaviors taxonomy.",
@@ -176,7 +176,7 @@
     {
       "description": "Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
       "name": "dark-web",
-      "version": 5
+      "version": 6
     },
     {
       "description": "Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.",
@@ -306,7 +306,7 @@
     {
       "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
       "name": "exercise",
-      "version": 10
+      "version": 11
     },
     {
       "description": "Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf",
@@ -501,7 +501,7 @@
     {
       "description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
       "name": "malware_classification",
-      "version": 2
+      "version": 3
     },
     {
       "description": "classification for the identification of type of misinformation among websites. Source:False, Misleading, Clickbait-y, and/or Satirical News Sources by Melissa Zimdars 2019",
@@ -511,7 +511,7 @@
     {
       "description": "MISP taxonomy to infer with MISP behavior or operation.",
       "name": "misp",
-      "version": 12
+      "version": 14
     },
     {
       "description": "MISP workflow taxonomy to support result of workflow execution.",
@@ -594,7 +594,7 @@
       "version": 1
     },
     {
-      "description": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System.",
+      "description": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.cisa.gov/news-events/news/cisa-national-cyber-incident-scoring-system-nciss.",
       "name": "priority-level",
       "version": 2
     },
@@ -748,12 +748,17 @@
       "name": "vocabulaire-des-probabilites-estimatives",
       "version": 3
     },
+    {
+      "description": "A taxonomy for describing vulnerabilities (software, hardware, or social) on different scales or with additional available information.",
+      "name": "vulnerability",
+      "version": 1
+    },
     {
       "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
       "name": "workflow",
-      "version": 12
+      "version": 14
     }
   ],
   "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
-  "version": "20231122"
+  "version": "20240830"
 }

README.md

@@ -100,7 +100,7 @@ Internal taxonomy for CCCS. [Overview](https://www.misp-project.org/taxonomies.h
 ### circl
 
 [circl](https://github.com/MISP/misp-taxonomies/tree/main/circl) :
-CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_circl)
+CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection. [Overview](https://www.misp-project.org/taxonomies.html#_circl)
 
 ### cnsd
 
@@ -135,7 +135,7 @@ A Course Of Action analysis considers six potential courses of action for the de
 ### crowdsec
 
 [crowdsec](https://github.com/MISP/misp-taxonomies/tree/main/crowdsec) :
-The Crowdsec behaviors and classifications taxonomy is the [list of taxonomies used in Crowdsec](https://doc.crowdsec.net/docs/next/cti_api/taxonomy) to describe the behaviors and classifications of an IP address. The behaviors are a list of attack categories for which a given IP address was reported, where the classifications describe a list of categories associated to an IP address and, when applicable, a list of false positive categories. [Overview](https://www.misp-project.org/taxonomies.html#_crowdsec)
+Crowdsec IP address classifications and behaviors taxonomy. [Overview](https://www.misp-project.org/taxonomies.html#_crowdsec)
 
 ### cryptocurrency-threat
 
@@ -185,7 +185,7 @@ Taxonomy to describe desired actions for Cytomic Orion [Overview](https://www.mi
 ### dark-web
 
 [dark-web](https://github.com/MISP/misp-taxonomies/tree/main/dark-web) :
-Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project [Overview](https://www.misp-project.org/taxonomies.html#_dark_web)
+Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission. [Overview](https://www.misp-project.org/taxonomies.html#_dark_web)
 
 ### data-classification
 
@@ -247,6 +247,11 @@ A subset of Information Security Marking Metadata ISM as required by Executive O
 [domain-abuse](https://github.com/MISP/misp-taxonomies/tree/main/domain-abuse) :
 Domain Name Abuse - taxonomy to tag domain names used for cybercrime. [Overview](https://www.misp-project.org/taxonomies.html#_domain_abuse)
 
+### doping-substances
+
+[doping-substances](https://github.com/MISP/misp-taxonomies/tree/main/doping-substances) :
+This taxonomy aims to list doping substances [Overview](https://www.misp-project.org/taxonomies.html#_doping_substances)
+
 ### drugs
 
 [drugs](https://github.com/MISP/misp-taxonomies/tree/main/drugs) :
@@ -427,6 +432,11 @@ How an incident is classified in its process to be resolved. The taxonomy is ins
 [infoleak](https://github.com/MISP/misp-taxonomies/tree/main/infoleak) :
 A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information. [Overview](https://www.misp-project.org/taxonomies.html#_infoleak)
 
+### information-origin
+
+[information-origin](https://github.com/MISP/misp-taxonomies/tree/main/information-origin) :
+Taxonomy for tagging information by its origin: human-generated or AI-generated. [Overview](https://www.misp-project.org/taxonomies.html#_information_origin)
+
 ### information-security-data-source
 
 [information-security-data-source](https://github.com/MISP/misp-taxonomies/tree/main/information-security-data-source) :
@@ -595,7 +605,7 @@ A political spectrum is a system to characterize and classify different politica
 ### priority-level
 
 [priority-level](https://github.com/MISP/misp-taxonomies/tree/main/priority-level) :
-After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System. [Overview](https://www.misp-project.org/taxonomies.html#_priority_level)
+After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.cisa.gov/news-events/news/cisa-national-cyber-incident-scoring-system-nciss. [Overview](https://www.misp-project.org/taxonomies.html#_priority_level)
 
 ### pyoti
 
@@ -662,6 +672,11 @@ Threat taxonomy in the scope of securing smart airports by ENISA. https://www.en
 [social-engineering-attack-vectors](https://github.com/MISP/misp-taxonomies/tree/main/social-engineering-attack-vectors) :
 Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others. [Overview](https://www.misp-project.org/taxonomies.html#_social_engineering_attack_vectors)
 
+### srbcert
+
+[srbcert](https://github.com/MISP/misp-taxonomies/tree/main/srbcert) :
+SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_srbcert)
+
 ### state-responsibility
 
 [state-responsibility](https://github.com/MISP/misp-taxonomies/tree/main/state-responsibility) :

course-of-action/machinetag.json

@@ -2,7 +2,7 @@
   "namespace": "course-of-action",
   "expanded": "Courses of Action",
   "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
-  "version": 2,
+  "version": 3,
   "predicates": [
     {
       "value": "passive",
@@ -21,6 +21,10 @@
           "value": "discover",
           "expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past."
         },
+        {
+          "value": "nodiscover",
+          "expanded": "The no-discover action is a negation of discover in case you want to explicit prohibit 'historical look at the data'. The goal is to exclude a specific indicator from searches of historical data."
+        },
         {
           "value": "detect",
           "expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered."

cryptocurrency-threat/machinetag.json

@@ -43,6 +43,10 @@
       "value": "Crypto Robbing Ransomware",
       "expanded": "Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals private keys while holding user data hostage."
     },
+    {
+      "value": "Rag Pull",
+      "expanded": "Crypto scam that occurs when a team pumps their project’s token before disappearing with the funds, leaving their investors with a valueless asset."
+    },
     {
       "value": "Pig Butchering Scam",
       "expanded": "Cryptocurrency investment fraud that lures individuals into investing their money in seemingly legitimate and profitable ventures."

dark-web/machinetag.json

@@ -2,7 +2,7 @@
   "namespace": "dark-web",
   "expanded": "Dark Web",
   "description": "Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
-  "version": 5,
+  "version": 6,
   "predicates": [
     {
       "value": "topic",
@@ -359,6 +359,11 @@
           "expanded": "videos",
           "description": "Videos and streaming"
         },
+        {
+          "value": "ransomware-post",
+          "expanded": "ransomwarePost",
+          "description": "Ransomware post published by a ransomware group"
+        },
         {
           "value": "unclear",
           "expanded": "unclear",
@@ -473,6 +478,31 @@
           "value": "pgp-public-key-block",
           "expanded": "pgpPublicKeyBlock",
           "description": "PGP public key block identified in the dark-web site"
+        },
+        {
+          "value": "country",
+          "expanded": "country",
+          "description": "Associated country detected on the code of the dark-web site, following ISO 3166-1 alpha-2"
+        },
+        {
+          "value": "company-name",
+          "expanded": "companyName",
+          "description": "Company name identified in a dark-web site"
+        },
+        {
+          "value": "company-link",
+          "expanded": "companyLink",
+          "description": "Company link identified in a dark-web site"
+        },
+        {
+          "value": "victim-address",
+          "expanded": "victimAddress",
+          "description": "Business address identified in a dark-web site"
+        },
+        {
+          "value": "victim-TLD",
+          "expanded": "victimTLD",
+          "description": "Business Top Level Domain (TLD) of a company identified in a dark-web site"
         }
       ]
     }

doping-substances/machinetag.json

@@ -451,9 +451,6 @@
         {
           "value": "fenoterol"
         },
-        {
-          "value": "formoterol"
-        },
         {
           "value": "higenamine"
         },
@@ -472,12 +469,6 @@
         {
           "value": "reproterol"
         },
-        {
-          "value": "salbutamol"
-        },
-        {
-          "value": "salmeterol"
-        },
         {
           "value": "terbutaline"
         },
@@ -488,9 +479,6 @@
         {
           "value": "tulobuterol"
         },
-        {
-          "value": "vilanterol"
-        },
         {
           "value": "salbutamol",
           "expanded": "inhaled salbutamol: maximum 1600 micrograms over 24 hours in divided doses not to exceed 600 micrograms over 8 hours starting from any dose"

exercise/machinetag.json

@@ -45,6 +45,11 @@
     {
       "predicate": "cyber-europe",
       "entry": [
+        {
+          "value": "2024",
+          "expanded": "2024",
+          "description": "7th pan European cyber crisis exercise: Cyber Europe 2024 (CE2024)"
+        },
         {
           "value": "2022",
           "expanded": "2022",
@@ -104,6 +109,16 @@
           "value": "2022",
           "expanded": "2022",
           "description": "Locked Shields 2022"
+        },
+        {
+          "value": "2023",
+          "expanded": "2023",
+          "description": "Locked Shields 2023"
+        },
+        {
+          "value": "2024",
+          "expanded": "2024",
+          "description": "Locked Shields 2024"
         }
       ]
     },
@@ -193,7 +208,7 @@
       ]
     }
   ],
-  "version": 10,
+  "version": 11,
   "description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
   "expanded": "Exercise",
   "namespace": "exercise"

infoleak/machinetag.json

@@ -32,7 +32,7 @@
       "exclusive": true
     }
   ],
-  "version": 7,
+  "version": 8,
   "description": "A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information.",
   "namespace": "infoleak",
   "values": [
@@ -159,6 +159,10 @@
           "value": "onion",
           "expanded": "Onion link"
         },
+        {
+          "value": "qrcode",
+          "expanded": "QR Code"
+        },
         {
           "value": "sql-injection",
           "expanded": "SQL injection"
@@ -288,6 +292,10 @@
           "value": "onion",
           "expanded": "Onion link"
         },
+        {
+          "value": "qrcode",
+          "expanded": "QR Code"
+        },
         {
           "value": "sql-injection",
           "expanded": "SQL injection"

malware_classification/machinetag.json

@@ -1,7 +1,7 @@
 {
   "namespace": "malware_classification",
   "description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
-  "version": 2,
+  "version": 3,
   "predicates": [
     {
       "value": "malware-category",
@@ -52,10 +52,18 @@
           "value": "Adware",
           "expanded": "Adware"
         },
+        {
+          "value": "Stalkerware",
+          "expanded": "Stalkerware"
+        },
         {
           "value": "Spyware",
           "expanded": "Spyware"
         },
+        {
+          "value": "Zombieware",
+          "expanded": "Zombieware"
+        },
         {
           "value": "Botnet",
           "expanded": "Botnet"