Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                D. Servili
Expires: September 2, 2018                                         CIRCL
                                                           March 1, 2018

                           MISP galaxy format
                  draft-dulaunoy-misp-galaxy-format-01

Abstract

   This document describes the MISP galaxy format, a simple JSON format
   to represent galaxies and clusters that can be attached to MISP
   events or attributes.  A public directory of MISP galaxies is
   available and relies on the MISP galaxy format.  MISP galaxies are
   used to add further information to a MISP event.  MISP galaxy is a
   public repository [MISP-G] of known malware, threat actors and
   various other collections of data that can be used to mark, classify
   or label data in threat information sharing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 2, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  values
     2.3.  meta
   3.  Acknowledgements
   4.  References
     4.1.  Normative References
     4.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement on
   the Internet and in the security and intelligence community at
   large.  Threat information can include indicators of compromise,
   malicious file indicators, financial fraud indicators or even
   detailed information about a threat actor.  Some of this
   information, such as malware or threat actors, is common to several
   security events.  MISP galaxy is a public repository [MISP-G] of
   known malware, threat actors and various other collections of data
   that can be used to mark, classify or label data in threat
   information sharing.

   In the MISP galaxy context, clusters help analysts to give more
   information about their cybersecurity events, indicators or threats.
   MISP galaxies can be used for classification, filtering, triggering
   actions or visualisation depending on their use in threat
   intelligence platforms such as MISP [MISP-P].

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

   A cluster is composed of a value (MUST), a description (OPTIONAL) and
   metadata (OPTIONAL).

   Clusters are represented as a JSON [RFC4627] dictionary.

2.1.  Overview

   The MISP galaxy format uses the JSON [RFC4627] format.  Each galaxy
   is represented as a JSON object with meta information including the
   following fields: name, uuid, description, version, type, authors,
   source, values.

   name defines the name of the galaxy.  The name is represented as a
   string and MUST be present.  The uuid represents the Universally
   Unique IDentifier (UUID) [RFC4122] of the object reference.  The uuid
   MUST be preserved for any updates or transfer of the same object
   reference.  UUID version 4 is RECOMMENDED when assigning it to a new
   object reference, and the uuid MUST be present.  The description is
   represented as a string and MUST be present.  The uuid is represented
   as a string and MUST be present.  The version is represented as a
   decimal and MUST be present.  The source is represented as a string
   and MUST be present.  Authors are represented as an array containing
   one or more author and MUST be present.

   Values are represented as an array containing one or more value and
   MUST be present.  Values defines all values available in the galaxy.

2.2.  values

   The values array contains one or more JSON objects which represent
   all the possible values in the galaxy.  The JSON object contains four
   fields: value, description, uuid and meta.  The value is represented
   as a string and MUST be present.  The description is represented as a
   string and SHOULD be present.  The meta or metadata is represented as
   a JSON list and SHOULD be present.
   The uuid represents the Universally Unique IDentifier (UUID) [RFC4122]
   of the value reference.  The uuid SHOULD be present and MUST be
   preserved.

2.3.  meta

   Meta contains a list of custom defined JSON key value pairs.  Users
   SHOULD reuse commonly used keys such as 'properties, complexity,
   effectiveness, country, possible_issues, colour, motive, impact,
   refs, synonyms, derivated_from, status, date, encryption, extensions,
   ransomnotes' wherever applicable.

   properties is used to provide clusters with additional properties.
   Properties are represented as an array containing one or more strings
   and MAY be present.

   complexity, effectiveness, impact, possible_issues MAY be used to
   give further information in a preventive-measure galaxy.  complexity
   is represented by an enumerated value from a fixed vocabulary and
   SHALL be present.  effectiveness is represented by an enumerated
   value from a fixed vocabulary and SHALL be present.  impact is
   represented by an enumerated value from a fixed vocabulary and SHALL
   be present.  possible_issues is represented as a string and SHOULD be
   present.

   country, motive MAY be used to give further information in a
   threat-actor galaxy.  country is represented as a string and SHOULD
   be present.  motive is represented as a string and SHOULD be present.

   colour fields MAY be used at predicate or value level to set a
   specific colour that MAY be used by the implementation.  The colour
   field is described as an RGB colour fill in hexadecimal
   representation.

   encryption, extensions, ransomnotes MAY be used to give further
   information in a ransomware galaxy.  encryption is represented as a
   string and SHALL be present.  extensions is represented as an array
   containing one or more strings and SHALL be present.  ransomnotes is
   represented as an array containing one or more strings and SHALL be
   present.
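   The following validator is an added example, not part of this draft
   or of the MISP project's code.  It checks a parsed galaxy against the
   MUST/SHALL rules of Sections 2.1, 2.2 and the preventive-measure and
   ransomware keys of Section 2.3.  It assumes that meta is a JSON
   object of key/value pairs and that the galaxy "type" field selects
   which Section 2.3 keys are mandatory; both are assumptions of the
   example, not statements of the draft.  The sample galaxy and its
   UUIDs are constructed for the example.

```python
import uuid as uuidlib

# Section 2.1: galaxy-level fields that MUST be present, with the JSON type the draft gives them.
GALAXY_REQUIRED = {"name": str, "uuid": str, "description": str, "version": (int, float),
                   "type": str, "authors": list, "source": str, "values": list}
# Section 2.3: meta keys that SHALL be present for these galaxies; keying on "type" is this example's assumption.
TYPE_META_REQUIRED = {
    "ransomware": {"encryption": str, "extensions": list, "ransomnotes": list},
    "preventive-measure": {"complexity": str, "effectiveness": str, "impact": str},
}

def _is_uuid(text):
    try:
        uuidlib.UUID(str(text))  # accepts any RFC 4122 version; the draft only RECOMMENDS v4
        return True
    except ValueError:
        return False

def validate_galaxy(galaxy):
    """Return the list of MUST/SHALL violations found; an empty list means the galaxy passes."""
    problems = []
    for key, typ in GALAXY_REQUIRED.items():
        if not isinstance(galaxy.get(key), typ):
            problems.append(f"galaxy: '{key}' is missing or has the wrong JSON type")
    if isinstance(galaxy.get("uuid"), str) and not _is_uuid(galaxy["uuid"]):
        problems.append("galaxy: uuid is not a valid UUID")
    values = galaxy.get("values") if isinstance(galaxy.get("values"), list) else []
    if not values:
        problems.append("galaxy: values MUST contain one or more value")
    needed = TYPE_META_REQUIRED.get(galaxy.get("type"), {})
    for i, raw in enumerate(values):
        entry = raw if isinstance(raw, dict) else {}
        if not isinstance(entry.get("value"), str):
            problems.append(f"values[{i}]: 'value' MUST be present as a string")
        if "uuid" in entry and not _is_uuid(entry["uuid"]):
            problems.append(f"values[{i}]: uuid is not a valid UUID")
        meta = entry.get("meta") if isinstance(entry.get("meta"), dict) else {}
        for key, typ in needed.items():
            if not isinstance(meta.get(key), typ):
                problems.append(f"values[{i}].meta: '{key}' SHALL be present")
    return problems

# Constructed sample galaxy (not taken from the misp-galaxy repository); UUIDs are random v4 values.
SAMPLE = {"name": "Example Ransomware", "uuid": "8a1b3c6e-2f4d-4a9b-9c1e-7d2f3a4b5c6d",
          "description": "Constructed galaxy for the validator", "version": 1, "type": "ransomware",
          "authors": ["example"], "source": "constructed", "values": [
              {"value": "ExampleLocker", "uuid": "c2d4e6f8-1a3b-4c5d-8e9f-0a1b2c3d4e5f", "meta":
               {"encryption": "AES", "extensions": [".locked"], "ransomnotes": ["README.txt"]}},
              {"value": "BrokenEntry", "uuid": "not-a-uuid", "meta": {"encryption": "AES"}}]}
```

   Running validate_galaxy(SAMPLE) reports only the second value: its
   uuid does not parse and two of the three ransomware meta keys are
   absent.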
   date, status MAY be used to give time information about a cluster.
   date is represented as a string describing a time or period and SHALL
   be present.  status is represented as a string describing the current
   status of the cluster.  It MAY also describe a time or period and
   SHALL be present.

   derivated_from, refs, synonyms SHALL be used to give further
   information.  refs is represented as an array containing one or more
   strings and SHALL be present.  synonyms is represented as an array
   containing one or more strings and SHALL be present.  derivated_from
   is represented as an array containing one or more strings and SHALL
   be present.

3.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

4.  References

4.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006.

4.2.  Informative References

   [MISP-G]   MISP, "MISP Galaxy".

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing Platform
              and Threat Sharing".
Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu

   Deborah Servili
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: deborah.servili@circl.lu