Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                D. Servili
Expires: March 25, 2018                                            CIRCL
                                                      September 21, 2017

                           MISP galaxy format
                   draft-dulaunoy-misp-galaxy-format-00

Abstract

   This document describes the MISP galaxy format, a simple JSON format
   used to represent galaxies and clusters that can be attached to MISP
   events or attributes.  A public directory of MISP galaxies is
   available and relies on the MISP galaxy format.  MISP galaxies are
   used to add further information to a MISP event.  MISP galaxy is a
   public repository [MISP-G] of known malware, threat actors and
   various other collections of data that can be used to mark, classify
   or label data in threat information sharing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 25, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  values
     2.3.  meta
   3.  Acknowledgements
   4.  References
     4.1.  Normative References
     4.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement for
   the Internet, security and intelligence communities at large.  Threat
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators or even detailed information
   about a threat actor.  Some of this information, such as malware or
   threat actors, is common to several security events.  MISP galaxy is
   a public repository [MISP-G] of known malware, threat actors and
   various other collections of data that can be used to mark, classify
   or label data in threat information sharing.

   In the MISP galaxy context, clusters help analysts to give more
   information about their cybersecurity events, indicators or threats.
   MISP galaxies can be used for classification, filtering, triggering
   actions or visualisation depending on their use in threat
   intelligence platforms such as MISP [MISP-P].

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

   A cluster is composed of a value (MUST), a description (OPTIONAL) and
   metadata (OPTIONAL).

   Clusters are represented as a JSON [RFC4627] dictionary.

2.1.  Overview

   The MISP galaxy format uses the JSON [RFC4627] format.  Each galaxy
   is represented as a JSON object with meta information including the
   following fields: name, uuid, description, version, type, authors,
   source, values.

   name defines the name of the galaxy.  The name is represented as a
   string and MUST be present.  The uuid represents the Universally
   Unique IDentifier (UUID) [RFC4122] of the object reference.  The uuid
   MUST be preserved for any updates or transfer of the same object
   reference.  UUID version 4 is RECOMMENDED when assigning it to a new
   object reference.  The uuid is represented as a string and MUST be
   present.  The description is represented as a string and MUST be
   present.  The version is represented as a decimal and MUST be
   present.  The source is represented as a string and MUST be present.
   Authors are represented as an array containing one or more authors
   and MUST be present.

   Values are represented as an array containing one or more values and
   MUST be present.  Values define all values available in the galaxy.

2.2.  values

   The values array contains one or more JSON objects which represent
   all the possible values in the galaxy.  Each JSON object contains
   three fields: value, description and meta.  The value is represented
   as a string and MUST be present.  The description is represented as a
   string and SHOULD be present.  The meta or metadata is represented as
   a JSON list and SHOULD be present.

2.3.  meta

   Meta contains a list of custom defined JSON key value pairs.  Users
   SHOULD reuse commonly used keys such as 'properties, complexity,
   effectiveness, country, possible_issues, colour, motive, impact,
   refs, synonyms, derivated_from, status, date, encryption, extensions,
   ransomnotes' wherever applicable.

   properties is used to provide clusters with additional properties.
   Properties are represented as an array containing one or more strings
   and MAY be present.

   complexity, effectiveness, impact, possible_issues MAY be used to
   give further information in the preventive-measure galaxy.
   complexity is represented by an enumerated value from a fixed
   vocabulary and SHALL be present.  effectiveness is represented by an
   enumerated value from a fixed vocabulary and SHALL be present.
   impact is represented by an enumerated value from a fixed vocabulary
   and SHALL be present.  possible_issues is represented as a string and
   SHOULD be present.

   country, motive MAY be used to give further information in the
   threat-actor galaxy.  country is represented as a string and SHOULD
   be present.  motive is represented as a string and SHOULD be present.

   colour fields MAY be used at the predicate or value level to set a
   specific colour that MAY be used by the implementation.  The colour
   field is described as an RGB colour fill in hexadecimal
   representation.

   encryption, extensions, ransomnotes MAY be used to give further
   information in the ransomware galaxy.  encryption is represented as a
   string and SHALL be present.  extensions is represented as an array
   containing one or more strings and SHALL be present.  ransomnotes is
   represented as an array containing one or more strings and SHALL be
   present.

   date, status MAY be used to give time information about a cluster.
   date is represented as a string describing a time or period and SHALL
   be present.  status is represented as a string describing the current
   status of the cluster.  It MAY also describe a time or period and
   SHALL be present.

   derivated_from, refs, synonyms SHALL be used to give further
   information.  refs is represented as an array containing one or more
   strings and SHALL be present.  synonyms is represented as an array
   containing one or more strings and SHALL be present.  derivated_from
   is represented as an array containing one or more strings and SHALL
   be present.

3.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

4.  References

4.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006.

4.2.  Informative References

   [MISP-G]   MISP, "MISP Galaxy".

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing Platform
              and Threat Sharing".

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu

   Deborah Servili
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: deborah.servili@circl.lu
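The following validator is an added example illustrating Section 2 (2.1 through 2.3); it is not part of the draft and not code from the MISP project. It reads a galaxy as a JSON object, reports MUST/SHALL violations as errors and SHOULD/RECOMMENDED deviations as warnings, and checks the UUID against RFC 4122 with a warning when it is not version 4. Assumptions beyond the draft text: the meta "key value pairs" are modelled as a JSON object rather than a bare list; the "SHALL be present" clauses for the preventive-measure and ransomware keys are applied only to galaxies whose "type" field carries those names (the type strings themselves are assumed); refs, synonyms and derivated_from are shape-checked only when present; and the hexadecimal RGB colour is assumed to be spelled "#RRGGBB". The sample galaxy and its UUID are constructed for this example.

```python
import json
import re
import uuid

# Galaxy-level fields (Section 2.1); every one of them MUST be present.
GALAXY_REQUIRED = ("name", "uuid", "description", "version", "type",
                   "authors", "source", "values")
STRING_FIELDS = ("name", "uuid", "description", "type", "source")
# Meta keys that SHALL be present inside the named galaxy types (Section 2.3).
# The type strings are assumptions; the draft names these galaxies only in prose.
TYPE_META_SHALL = {
    "preventive-measure": ("complexity", "effectiveness", "impact"),
    "ransomware": ("encryption", "extensions", "ransomnotes"),
}
META_LIST_KEYS = ("properties", "extensions", "ransomnotes",
                  "refs", "synonyms", "derivated_from")
META_STRING_KEYS = ("complexity", "effectiveness", "impact", "possible_issues",
                    "country", "motive", "encryption", "date", "status")
HEX_COLOUR = re.compile(r"^#[0-9A-Fa-f]{6}$")  # assumed "#RRGGBB" spelling


def _is_string_list(obj):
    """Array containing one or more strings, as the draft phrases it."""
    return isinstance(obj, list) and len(obj) >= 1 and all(isinstance(x, str) for x in obj)


def validate_meta(meta, galaxy_type, where, errors, warnings):
    """Check one cluster's meta object against the key rules of Section 2.3."""
    if not isinstance(meta, dict):
        errors.append(f"{where}: meta must be an object of key/value pairs")
        return
    for key in TYPE_META_SHALL.get(galaxy_type, ()):
        if key not in meta:
            errors.append(f"{where}: meta key '{key}' SHALL be present in a {galaxy_type} galaxy")
    for key, val in meta.items():
        if key in META_LIST_KEYS and not _is_string_list(val):
            errors.append(f"{where}: meta key '{key}' must be a non-empty array of strings")
        elif key in META_STRING_KEYS and not isinstance(val, str):
            errors.append(f"{where}: meta key '{key}' must be a string")
        elif key == "colour" and not (isinstance(val, str) and HEX_COLOUR.match(val)):
            errors.append(f"{where}: colour must be an RGB hex value such as #RRGGBB")


def validate_galaxy(galaxy):
    """Return (errors, warnings) for a parsed galaxy object."""
    errors, warnings = [], []
    if not isinstance(galaxy, dict):
        return ["galaxy must be a JSON object"], warnings
    for key in GALAXY_REQUIRED:
        if key not in galaxy:
            errors.append(f"galaxy: required field '{key}' is missing")
    for key in STRING_FIELDS:
        if key in galaxy and not isinstance(galaxy[key], str):
            errors.append(f"galaxy: '{key}' must be a string")
    version = galaxy.get("version")  # "decimal": a JSON number, never a bool
    if version is not None and (isinstance(version, bool) or not isinstance(version, (int, float))):
        errors.append("galaxy: 'version' must be a decimal number")
    if "authors" in galaxy and not _is_string_list(galaxy["authors"]):
        errors.append("galaxy: 'authors' must be an array of one or more authors")
    if isinstance(galaxy.get("uuid"), str):
        try:
            if uuid.UUID(galaxy["uuid"]).version != 4:
                warnings.append("galaxy: UUID version 4 is RECOMMENDED for new object references")
        except ValueError:
            errors.append("galaxy: 'uuid' is not a valid UUID")
    values = galaxy.get("values")
    if values is not None:
        if not isinstance(values, list) or not values:
            errors.append("galaxy: 'values' must be an array of one or more objects")
        else:
            for i, cluster in enumerate(values):
                where = f"values[{i}]"
                if not isinstance(cluster, dict):
                    errors.append(f"{where}: cluster must be a JSON object")
                    continue
                if not isinstance(cluster.get("value"), str):
                    errors.append(f"{where}: 'value' MUST be present as a string")
                if not isinstance(cluster.get("description"), str):
                    warnings.append(f"{where}: 'description' SHOULD be present as a string")
                if "meta" not in cluster:
                    warnings.append(f"{where}: 'meta' SHOULD be present")
                else:
                    validate_meta(cluster["meta"], galaxy.get("type"), where, errors, warnings)
    return errors, warnings


# Constructed sample galaxy (not taken from the misp-galaxy repository).
SAMPLE_GALAXY = json.loads("""{
  "name": "Example Ransomware",
  "uuid": "2f4b8a6e-1c3d-4e5f-9a7b-8c9d0e1f2a3b",
  "description": "Constructed sample galaxy for the validator",
  "version": 1,
  "type": "ransomware",
  "authors": ["Example Author"],
  "source": "constructed for this example",
  "values": [{"value": "ExampleLocker",
              "description": "Fictitious ransomware family used as sample data",
              "meta": {"encryption": "AES-256", "extensions": [".example"],
                       "ransomnotes": ["README_EXAMPLE.txt"],
                       "refs": ["https://example.invalid/report"], "colour": "#ff0000"}}]
}""")


def broken_copy():
    """Same galaxy with a string version, a missing SHALL key, a bad colour and no description."""
    bad = json.loads(json.dumps(SAMPLE_GALAXY))
    bad["version"] = "1"
    del bad["values"][0]["meta"]["encryption"]
    bad["values"][0]["meta"]["colour"] = "red"
    del bad["values"][0]["description"]
    return bad


if __name__ == "__main__":
    for label, g in (("valid", SAMPLE_GALAXY), ("broken", broken_copy())):
        errs, warns = validate_galaxy(g)
        print(label, "errors:", errs, "warnings:", warns)
```

Run on a real galaxy file with `validate_galaxy(json.load(open(path)))`; an empty error list means every MUST/SHALL rule the example encodes is met, while warnings point at SHOULD-level omissions worth fixing before publishing the cluster.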