chg: [galaxy] attribution-confidence added to the examples
adulau committed Mar 11, 2019
1 parent 7327d0d commit 091eada
Showing 2 changed files with 75 additions and 73 deletions.
6 changes: 4 additions & 2 deletions misp-galaxy-format/raw.md
@@ -153,7 +153,8 @@ Example use of the country, motive fields in the threat-actor galaxy:
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
],
"motive": "Espionage"
"motive": "Espionage",
"attribution-confidence": 50
},
"value": "Anchor Panda",
"description": "PLA Navy",
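Review bot: the lead-in this hunk sits under still reads "Example use of the country, motive fields in the threat-actor galaxy:" (the @@ context line), but the example now also exercises attribution-confidence; extend the sentence to name the new field, as the draft does for the other example fields. The value deserves a second look as well: the scale sketched later in the draft runs Impossibility / no information / Certainty, and if 50 is its midpoint, an entry that cites a CrowdStrike attribution and sets "country": "CN" is being marked as carrying no information about attribution. Either choose a value that reflects the cited source or say in the text that 50 is a neutral placeholder.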
@@ -219,7 +220,8 @@ Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
],
"attribution-confidence": 50
},
"value": "APT 16",
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
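Review bot: same gap as in the Anchor Panda example: the lead-in in the @@ context ("Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields") does not list attribution-confidence, which the APT 16 entry now carries; add it to the list. Since the draft states that attribution-confidence SHALL be present when country or cfr-suspected-state-sponsor is present, and this example uses cfr-suspected-state-sponsor, the addition is a correctness fix rather than a cosmetic one; saying so in the commit message or the lead-in would help readers understand why both threat-actor examples changed together.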
142 changes: 71 additions & 71 deletions misp-galaxy-format/raw.md.txt
@@ -73,7 +73,7 @@ Table of Contents
2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 8
3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 9
3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 9
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
@@ -256,6 +256,32 @@ Internet-Draft MISP galaxy format September 2018

Example use of the country, motive fields in the threat-actor galaxy:






















Dulaunoy, et al. Expires March 24, 2019 [Page 5]

Internet-Draft MISP galaxy format September 2018


{
"meta": {
"country": "CN",
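Review bot: this hunk pushes the Anchor Panda example onto page 6 but leaves its lead-in ("Example use of the country, motive fields in the threat-actor galaxy:") stranded at the foot of page 5, followed by roughly twenty blank lines and the page footer. raw.md.txt is the paginated rendering of raw.md, so this is a generator artifact rather than a hand edit; if the toolchain offers a way to keep a lead-in with the block that follows it, use it here, otherwise it is harmless. Any wording fix to the lead-in in raw.md will need to be regenerated into this file too.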
@@ -268,20 +294,14 @@ Internet-Draft MISP galaxy format September 2018
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
],
"motive": "Espionage"
"motive": "Espionage",
"attribution-confidence": 50
},
"value": "Anchor Panda",
"description": "PLA Navy",
"uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
}



Dulaunoy, et al. Expires March 24, 2019 [Page 5]

Internet-Draft MISP galaxy format September 2018


encryption, extensions, ransomnotes, ransomnotes-filenames,
ransomnotes-refs MAY be used to give further information in
ransomware galaxy. encryption is represented as a string and SHALL be
@@ -295,6 +315,29 @@ Internet-Draft MISP galaxy format September 2018
Example use of the encryption, extensions, ransomnotes fields in the
ransomware galaxy:



















Dulaunoy, et al. Expires March 24, 2019 [Page 6]

Internet-Draft MISP galaxy format September 2018


{
"description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
"meta": {
@@ -330,14 +373,6 @@ Internet-Draft MISP galaxy format September 2018
"value": "menuPass (G0045) uses EvilGrab (S0152)"
}




Dulaunoy, et al. Expires March 24, 2019 [Page 6]

Internet-Draft MISP galaxy format September 2018


cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-
incident and cfr-target-category MAY be used to report information
gathered from CFR's (Council on Foreign Relations) [CFR] Cyber
@@ -352,6 +387,13 @@ Internet-Draft MISP galaxy format September 2018
exhaustive list of possible values for cfr-target-category includes
"Private sector", "Government", "Civil society", "Military".



Dulaunoy, et al. Expires March 24, 2019 [Page 7]

Internet-Draft MISP galaxy format September 2018


Example use of the cfr-suspected-victims, cfr-suspected-state-
sponsor, cfr-type-of-incident, cfr-target-category fields in the
threat-actor galaxy:
@@ -371,7 +413,8 @@ Internet-Draft MISP galaxy format September 2018
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
],
"attribution-confidence": 50
},
"value": "APT 16",
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
@@ -385,15 +428,6 @@ Internet-Draft MISP galaxy format September 2018
"from probable, almost certain to certainty" and SHALL be present if
country or cfr-suspected-state-sponsor are present.





Dulaunoy, et al. Expires March 24, 2019 [Page 7]

Internet-Draft MISP galaxy format September 2018


Impossibility no information Certainty
+
|
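Review bot: the first context lines of this hunk carry the normative rule ("SHALL be present if country or cfr-suspected-state-sponsor are present"), and the two example edits in this commit bring the examples into line with it, but nothing in the JSON Schema hunks below enforces it; those hunks only move lines across page breaks. If the cluster schema in 3.2 is meant to validate meta, consider expressing the conditional there (attribution-confidence required whenever country or cfr-suspected-state-sponsor is set), or state explicitly in 2.4 that meta contents are not schema-validated so implementers know the SHALL is checked by convention only.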
@@ -406,40 +440,6 @@ Internet-Draft MISP galaxy format September 2018
The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy
formats. The main format is the MISP galaxy format used for the
clusters.

3.1. MISP galaxy format - galaxy



































@@ -450,6 +450,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 8]
Internet-Draft MISP galaxy format September 2018


3.1. MISP galaxy format - galaxy

{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Galaxies",
@@ -496,8 +498,6 @@ Internet-Draft MISP galaxy format September 2018
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Clusters",
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",



@@ -506,6 +506,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 9]
Internet-Draft MISP galaxy format September 2018


"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
@@ -552,8 +554,6 @@ Internet-Draft MISP galaxy format September 2018
"type": "object"
},
"properties": {
"dest-uuid": {
"type": "string"



@@ -562,6 +562,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 10]
Internet-Draft MISP galaxy format September 2018


"dest-uuid": {
"type": "string"
},
"type": {
"type": "string"
@@ -608,8 +610,6 @@ Internet-Draft MISP galaxy format September 2018
"type": "string"
},
"refs": {
"type": "array",
"uniqueItems": true,



@@ -618,6 +618,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 11]
Internet-Draft MISP galaxy format September 2018


"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
@@ -664,8 +666,6 @@ Internet-Draft MISP galaxy format September 2018
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}



@@ -674,6 +674,8 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 12]
Internet-Draft MISP galaxy format September 2018


"type": "string"
}
}
},
"required": [
@@ -723,8 +725,6 @@ Internet-Draft MISP galaxy format September 2018





Dulaunoy, et al. Expires March 24, 2019 [Page 13]

Internet-Draft MISP galaxy format September 2018