
MISP galaxy format
draft-dulaunoy-misp-galaxy-format-02

Authors: Alexandre Dulaunoy, Andras Iklody, Deborah Servili
Last updated: 2018-05-09
"Disable Windows Script Host",
  "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
}

Dulaunoy, et al.        Expires November 10, 2018               [Page 4]
Internet-Draft             MISP galaxy format                   May 2018

   country, motive MAY be used to give further information in the
   threat-actor galaxy. country is represented as a string and SHOULD be
   present. motive is represented as a string and SHOULD be present.

   Example use of the country, motive fields in the threat-actor galaxy:

        {
          "meta": {
            "country": "CN",
            "synonyms": [
              "APT14",
              "APT 14",
              "QAZTeam",
              "ALUMINUM"
            ],
            "refs": [
              "http://www.crowdstrike.com/blog/whois-anchor-panda/"
            ],
            "motive": "Espionage"
          },
          "value": "Anchor Panda",
          "description": "PLA Navy",
          "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
        }

   encryption, extensions, ransomnotes MAY be used to give further
   information in the ransomware galaxy. encryption is represented as a
   string and SHALL be present. extensions is represented as an array
   containing one or more strings and SHALL be present. ransomnotes is
   represented as an array containing one or more strings and SHALL be
   present.

   Example use of the encryption, extensions, ransomnotes fields in the
   ransomware galaxy:


        {
          "meta": {
            "refs": [
              "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
              "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
            ],
            "ransomnotes": [
              "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
              "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
              "# !!!HELP_FILE!!! #.txt"
            ],
            "encryption": "AES-256 + RSA-1024",
            "extensions": [
              ".REVENGE"
            ],
            "date": "March 2017"
          },
          "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
          "value": "Revenge Ransomware",
          "uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e"
        }

   source-uuid, target-uuid SHALL be used to describe relationships.
   source-uuid and target-uuid each hold the Universally Unique
   IDentifier (UUID) [RFC4122] of the referenced value. source-uuid and
   target-uuid MUST be preserved.

   Example use of the source-uuid, target-uuid fields in the mitre-
   enterprise-attack-relationship galaxy:

        {
          "meta": {
            "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
            "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
          },
          "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
          "value": "menuPass (G0045) uses EvilGrab (S0152)"
        }
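   The meta-field rules above (SHOULD for the threat-actor fields, SHALL
   for the ransomware fields, SHALL plus valid UUID syntax for the
   relationship fields) as one checker. This is an added example, not
   code from the draft or the MISP project; the RULES table, the galaxy
   names (taken from the draft's examples) and the SAMPLE cluster are
   assumptions constructed here.

```python
# Added example (not code from the draft or the MISP project): apply the
# draft's meta-field rules to one galaxy cluster entry (a dict parsed from
# the galaxy JSON). Galaxy names follow the draft's examples.
import uuid

# (field, expected type, level): SHALL/MUST violations are errors, SHOULD is a warning.
RULES = {
    "threat-actor": [("country", str, "warning"), ("motive", str, "warning")],
    "ransomware": [("encryption", str, "error"), ("extensions", list, "error"),
                   ("ransomnotes", list, "error")],
    "mitre-enterprise-attack-relationship": [("source-uuid", str, "error"),
                                             ("target-uuid", str, "error")],
}


def is_uuid(value):
    """True if value is a string in canonical RFC 4122 textual form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def check_cluster(galaxy, cluster):
    """Return (errors, warnings) for one cluster entry of the named galaxy."""
    errors, warnings = [], []
    if not is_uuid(cluster.get("uuid")):
        errors.append("uuid missing or not a valid UUID")
    meta = cluster.get("meta", {})
    for field, ftype, level in RULES.get(galaxy, []):
        report = errors if level == "error" else warnings
        value = meta.get(field)
        if value is None:
            report.append(f"{field} absent")
        elif not isinstance(value, ftype):
            report.append(f"{field} must be a {ftype.__name__}")
        elif ftype is list and not (value and all(isinstance(v, str) for v in value)):
            report.append(f"{field} must hold one or more strings")
        elif field.endswith("-uuid") and not is_uuid(value):
            report.append(f"{field} is not a valid UUID")
    return errors, warnings


# Constructed sample: a ransomware cluster with an empty extensions array
# and no ransomnotes, both SHALL violations under the draft.
SAMPLE = {"uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e", "value": "Sample",
          "meta": {"encryption": "AES-256", "extensions": []}}

if __name__ == "__main__":
    print(check_cluster("ransomware", SAMPLE))
```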

3.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.


4.  References

4.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,
              <https://www.rfc-editor.org/info/rfc4122>.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006,
              <https://www.rfc-editor.org/info/rfc4627>.

4.2.  Informative References

   [MISP-G]   MISP, "MISP Galaxy",
              <https://github.com/MISP/misp-galaxy>.

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing Platform
              and Threat Sharing", <https://github.com/MISP>.

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg  L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg  L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu


   Deborah Servili
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg  L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: deborah.servili@circl.lu
