Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                D. Servili
Expires: February 24, 2019                                         CIRCL
                                                         August 23, 2018


                           MISP galaxy format
                   draft-dulaunoy-misp-galaxy-format-04

Abstract

   This document describes the MISP galaxy format, a simple JSON format
   to represent galaxies and clusters that can be attached to MISP
   events or attributes.  A public directory of MISP galaxies is
   available and relies on the MISP galaxy format.  MISP galaxies are
   used to add further information to a MISP event.  MISP galaxy is a
   public repository [MISP-G] [MISP-G-DOC] of known malware, threat
   actors and various other collections of data that can be used to
   mark, classify or label data in threat information sharing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 24, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  values
     2.3.  related
     2.4.  meta
   3.  JSON Schema
     3.1.  MISP galaxy format - clusters
   4.  Acknowledgements
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement on
   the Internet and in the security and intelligence community at
   large.  Threat information can include indicators of compromise,
   malicious file indicators, financial fraud indicators or even
   detailed information about a threat actor.  Some of this
   information, such as malware or threat actors, is common to several
   security events.  MISP galaxy is a public repository [MISP-G] of
   known malware, threat actors and various other collections of data
   that can be used to mark, classify or label data in threat
   information sharing.

   In the MISP galaxy context, clusters help analysts to give more
   information about their cybersecurity events, indicators or threats.
   MISP galaxies can be used for classification, filtering, triggering
   actions or visualisation depending on their use in threat
   intelligence platforms such as MISP [MISP-P].

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

   A cluster is composed of a value (MUST), a description (OPTIONAL) and
   metadata (OPTIONAL).

   Clusters are represented as a JSON [RFC4627] dictionary.

2.1.  Overview

   The MISP galaxy format uses the JSON [RFC4627] format.  Each galaxy
   is represented as a JSON object with meta information including the
   following fields: name, uuid, description, version, type, authors,
   source, values.

   name defines the name of the galaxy.  The name is represented as a
   string and MUST be present.  The uuid represents the Universally
   Unique IDentifier (UUID) [RFC4122] of the object reference.  The uuid
   MUST be preserved for any updates or transfer of the same object
   reference.  UUID version 4 is RECOMMENDED when assigning it to a new
   object reference, and the uuid MUST be present.  The description is
   represented as a string and MUST be present.  The uuid is represented
   as a string and MUST be present.  The version is represented as a
   decimal and MUST be present.  The type is represented as a string,
   MUST be present and MUST match the name of the galaxy file.  The
   source is represented as a string and MUST be present.  Authors are
   represented as an array containing one or more authors and MUST be
   present.

   Values are represented as an array containing one or more values and
   MUST be present.  Values defines all values available in the galaxy.

2.2.  values

   The values array contains one or more JSON objects which represent
   all the possible values in the galaxy.  The JSON object contains four
   fields: value, description, uuid and meta.  The value is represented
   as a string and MUST be present.  The description is represented as a
   string and SHOULD be present.  The meta or metadata is represented as
   a JSON list and SHOULD be present.  The uuid represents the
   Universally Unique IDentifier (UUID) [RFC4122] of the value
   reference.  The uuid SHOULD be present and MUST be preserved.

2.3.  related

   Related contains a list of JSON key value pairs which describe the
   related values in this galaxy cluster or in other galaxy clusters.
   The JSON object contains three fields: dest-uuid, type and tags.  The
   dest-uuid represents the target UUID which encompasses a relation of
   some type.  The dest-uuid is represented as a string and MUST be
   present.  The type is represented as a string, MUST be present and
   SHOULD be selected from the relationship types available in MISP
   objects [MISP-R].  The tags is a list of strings which label the
   related relationship, such as the level of similarity, the level of
   certainty, trust or confidence in the relationship, or false-positive.
   A tag is represented in machine tag format, which is a string, and
   SHOULD be present.

   "related": [ {
       "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
       "type": "similar",
       "tags": ["estimative-language:likelihood-probability=\"very-likely\""]
   } ]

2.4.  meta

   Meta contains a list of custom defined JSON key value pairs.  Users
   SHOULD reuse commonly used keys such as properties, complexity,
   effectiveness, country, possible_issues, colour, motive, impact,
   refs, synonyms, derivated_from, status, date, encryption, extensions,
   ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident, cfr-target-category wherever applicable.

   properties is used to provide clusters with additional properties.
   Properties are represented as an array containing one or more strings
   and MAY be present.

   derivated_from, refs, synonyms SHALL be used to give further
   information.  refs is represented as an array containing one or more
   strings and SHALL be present.  synonyms is represented as an array
   containing one or more strings and SHALL be present.  derivated_from
   is represented as an array containing one or more strings and SHALL
   be present.

   date, status MAY be used to give time information about a cluster.
   date is represented as a string describing a time or period and SHALL
   be present.  status is represented as a string describing the current
   status of the cluster.  It MAY also describe a time or period and
   SHALL be present.

   colour fields MAY be used at predicate or value level to set a
   specific colour that MAY be used by the implementation.  The colour
   field is described as an RGB colour fill in hexadecimal
   representation.

   complexity, effectiveness, impact, possible_issues MAY be used to
   give further information in the preventive-measure galaxy.
   complexity is represented by an enumerated value from a fixed
   vocabulary and SHALL be present.  effectiveness is represented by an
   enumerated value from a fixed vocabulary and SHALL be present.
   impact is represented by an enumerated value from a fixed vocabulary
   and SHALL be present.  possible_issues is represented as a string and
   SHOULD be present.
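   The MUST/SHOULD rules of sections 2.1 to 2.4 are easy to state and
   easy to get wrong in practice (a value without a uuid, a type that no
   longer matches the file name, a "refs" given as a bare string).  The
   following validator is an added example and is not code from the
   MISP project; it walks one cluster file and reports each violated
   MUST as an error and each violated SHOULD as a warning.  Two readings
   are assumptions rather than text of the draft: "type MUST match the
   name of the galaxy file" is read as the file name without its
   extension, and a machine tag is taken to look like
   namespace:predicate="value", the shape of the draft's own example
   tag.  The sample galaxy at the bottom is constructed from the draft's
   "Anchor Panda" example; its galaxy-level uuid is made up.

```python
"""Checks one MISP galaxy cluster file against the MUST/SHOULD rules of
sections 2.1 to 2.4.  Added example, not code from the MISP project.  Assumed:
the galaxy "type" must equal the file name without extension, and a machine
tag looks like namespace:predicate="value" (the draft's own example)."""
import os
import re
import uuid as uuidlib

GALAXY_REQUIRED = ("name", "uuid", "description", "version", "type", "authors", "source", "values")
ARRAY_META = ("properties", "refs", "synonyms", "derivated_from", "extensions",
              "ransomnotes", "cfr-suspected-victims", "cfr-target-category")
STRING_META = ("complexity", "effectiveness", "impact", "possible_issues", "country", "motive",
               "date", "status", "colour", "encryption", "cfr-suspected-state-sponsor",
               "cfr-type-of-incident")
MACHINE_TAG = re.compile(r'^[^:\s=]+:[^:\s=]+(?:=(?:"[^"]*"|[^\s"]+))?$')  # assumed shape


def check_uuid(where, value):
    """[] for a well-formed version-4 UUID, else one (severity, where, message)."""
    try:
        parsed = uuidlib.UUID(str(value))
    except ValueError:
        return [("error", where, "not a well-formed UUID")]
    if parsed.version != 4:  # version 4 is only RECOMMENDED, so a warning
        return [("warning", where, "UUID version 4 is RECOMMENDED, got %s" % parsed.version)]
    return []


def validate_galaxy(galaxy, filename=None):
    """Return (severity, location, message) triples: 'error' for a violated
    MUST/SHALL, 'warning' for a violated SHOULD/RECOMMENDED."""
    findings = []

    def check(cond, severity, where, msg):
        if not cond:
            findings.append((severity, where, msg))

    # Galaxy-level fields (section 2.1)
    for key in GALAXY_REQUIRED:
        check(key in galaxy, "error", "galaxy", "missing required field %r" % key)
    for key in ("name", "uuid", "description", "type", "source"):
        check(isinstance(galaxy.get(key, ""), str), "error", key, "must be a string")
    check(type(galaxy.get("version", 0)) is int, "error", "version", "must be an integer")
    authors = galaxy.get("authors", ["-"])
    check(isinstance(authors, list) and authors and all(isinstance(a, str) for a in authors),
          "error", "authors", "must be a non-empty array of strings")
    if "uuid" in galaxy:
        findings += check_uuid("uuid", galaxy["uuid"])
    if filename is not None and "type" in galaxy:
        stem = os.path.splitext(os.path.basename(filename))[0]
        check(galaxy["type"] == stem, "error", "type", "MUST match the galaxy file name %r" % stem)
    # Value entries (2.2), their related links (2.3) and their meta keys (2.4)
    for i, entry in enumerate(galaxy.get("values") or []):
        where = "values[%d]" % i
        if not isinstance(entry, dict):
            check(False, "error", where, "must be a JSON object")
            continue
        check(isinstance(entry.get("value"), str) and entry["value"], "error", where,
              "'value' MUST be a non-empty string")
        for field in ("description", "uuid", "meta"):
            check(field in entry, "warning", where, "%r SHOULD be present" % field)
        if "uuid" in entry:
            findings += check_uuid(where + ".uuid", entry["uuid"])
        for j, rel in enumerate(entry.get("related") or []):
            rwhere = "%s.related[%d]" % (where, j)
            if not isinstance(rel, dict):
                check(False, "error", rwhere, "must be a JSON object")
                continue
            check(isinstance(rel.get("dest-uuid"), str), "error", rwhere, "'dest-uuid' MUST be a string")
            if isinstance(rel.get("dest-uuid"), str):
                findings += check_uuid(rwhere + ".dest-uuid", rel["dest-uuid"])
            check(isinstance(rel.get("type"), str), "error", rwhere, "'type' MUST be a string")
            check("tags" in rel, "warning", rwhere, "'tags' SHOULD be present")
            for k, tag in enumerate(rel.get("tags") or []):
                check(isinstance(tag, str) and MACHINE_TAG.match(tag), "warning",
                      "%s.tags[%d]" % (rwhere, k), "tag is not in machine tag format")
        meta = entry.get("meta") or {}
        for key, val in (meta.items() if isinstance(meta, dict) else []):
            mwhere = "%s.meta.%s" % (where, key)
            if key in ARRAY_META:
                check(isinstance(val, list) and val and all(isinstance(s, str) for s in val),
                      "error", mwhere, "must be an array of one or more strings")
            elif key in STRING_META:
                check(isinstance(val, str), "error", mwhere, "must be a string")
    return findings


# Constructed sample built from the draft's "Anchor Panda" example; galaxy uuid is made up
SAMPLE_GALAXY = {
    "name": "Threat Actor", "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
    "description": "Known threat actors.", "version": 1, "type": "threat-actor",
    "authors": ["Alexandre Dulaunoy"], "source": "MISP Project",
    "values": [{"value": "Anchor Panda", "description": "PLA Navy", "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
                "meta": {"country": "CN", "motive": "Espionage", "synonyms": ["APT14", "APT 14", "QAZTeam", "ALUMINUM"],
                         "refs": ["http://www.crowdstrike.com/blog/whois-anchor-panda/"]},
                "related": [{"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "type": "similar",
                             "tags": ['estimative-language:likelihood-probability="very-likely"']}]}],
}
```

   validate_galaxy(SAMPLE_GALAXY, "threat-actor.json") returns an empty
   list; the same galaxy checked as "malware.json" yields a single
   error on the type field.  Returning findings rather than raising lets
   a repository CI job print every problem in a cluster file at once.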
   Example use of the complexity, effectiveness, impact, possible_issues
   fields in the preventive-measure galaxy:

   {
     "meta": {
       "refs": [
         "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
       ],
       "complexity": "Low",
       "effectiveness": "Medium",
       "impact": "Medium",
       "type": [
         "GPO"
       ],
       "possible_issues": "Administrative VBS scripts on Workstations"
     },
     "value": "Disable WSH",
     "description": "Disable Windows Script Host",
     "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
   }

   country, motive MAY be used to give further information in the
   threat-actor galaxy.  country is represented as a string and SHOULD
   be present.  motive is represented as a string and SHOULD be present.

   Example use of the country, motive fields in the threat-actor galaxy:

   {
     "meta": {
       "country": "CN",
       "synonyms": [
         "APT14",
         "APT 14",
         "QAZTeam",
         "ALUMINUM"
       ],
       "refs": [
         "http://www.crowdstrike.com/blog/whois-anchor-panda/"
       ],
       "motive": "Espionage"
     },
     "value": "Anchor Panda",
     "description": "PLA Navy",
     "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
   }

   encryption, extensions, ransomnotes MAY be used to give further
   information in the ransomware galaxy.  encryption is represented as a
   string and SHALL be present.  extensions is represented as an array
   containing one or more strings and SHALL be present.  ransomnotes is
   represented as an array containing one or more strings and SHALL be
   present.
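   Two things happen to clusters once they leave a single file: analysts
   look them up by name or synonym (the "synonyms" list in the
   threat-actor example above exists for that purpose), and "related"
   links from section 2.3 point at uuids that may live in another galaxy
   or in no loaded galaxy at all.  Sections 2.1 and 2.2 also require
   that uuids be preserved across updates.  The following is an added
   example, not code from the MISP project: it indexes several galaxies
   by uuid and by name/synonym, reports related links whose target does
   not resolve, and diffs two versions of a galaxy for uuid changes.
   The galaxy-level uuids, the "tool" galaxy and the update are
   constructed; the value names and uuids come from the draft's
   examples.  Treating a version increase as mandatory is an assumption
   of this example, not a rule of the draft.

```python
"""Cross-galaxy consistency checks for MISP galaxy clusters: an index by uuid
and by name/synonym, resolution of "related" links, and a check that an
updated galaxy preserves its uuids ("MUST be preserved", sections 2.1/2.2).
Added example, not code from the MISP project."""


def build_index(galaxies):
    """Return (by_uuid, by_name, collisions).  by_uuid maps a value uuid to
    (galaxy type, entry); by_name maps a lower-cased value name or synonym to
    the set of uuids carrying it; collisions lists uuids seen more than once,
    which the preservation rule makes a defect rather than a coincidence."""
    by_uuid, by_name, collisions = {}, {}, []
    for galaxy in galaxies:
        for entry in galaxy.get("values", []):
            uid = entry.get("uuid")
            if uid is None:
                continue
            if uid in by_uuid:
                collisions.append((uid, by_uuid[uid][0], galaxy["type"]))
            by_uuid[uid] = (galaxy["type"], entry)
            for name in [entry["value"]] + list(entry.get("meta", {}).get("synonyms", [])):
                by_name.setdefault(name.lower(), set()).add(uid)
    return by_uuid, by_name, collisions


def lookup(by_name, label):
    """Resolve a free-text label (name or synonym, any case) to sorted uuids."""
    return sorted(by_name.get(label.strip().lower(), ()))


def dangling_related(galaxies, by_uuid):
    """(source uuid, dest-uuid, type) for every related link whose target is
    in none of the loaded galaxies; such a link cannot be followed from an event."""
    dangling = []
    for galaxy in galaxies:
        for entry in galaxy.get("values", []):
            for rel in entry.get("related", []):
                if rel.get("dest-uuid") not in by_uuid:
                    dangling.append((entry.get("uuid"), rel.get("dest-uuid"), rel.get("type")))
    return dangling


def check_update(old, new):
    """Problems with `new` as a replacement for `old`: the galaxy uuid and
    every value uuid MUST be preserved; a version increase is assumed convention."""
    problems = []
    if new.get("uuid") != old.get("uuid"):
        problems.append("galaxy uuid changed: it MUST be preserved across updates")
    if not (isinstance(new.get("version"), int) and new["version"] > old.get("version", 0)):
        problems.append("version was not increased (assumed convention for a changed galaxy)")
    old_uuids = {e["value"]: e.get("uuid") for e in old.get("values", [])}
    new_uuids = {e["value"]: e.get("uuid") for e in new.get("values", [])}
    for value, uid in old_uuids.items():
        if value not in new_uuids:
            problems.append("value %r (uuid %s) was removed; events tagged with it lose their reference" % (value, uid))
        elif new_uuids[value] != uid:
            problems.append("uuid of value %r changed from %s to %s: it MUST be preserved" % (value, uid, new_uuids[value]))
    return problems


# Constructed sample galaxies; value names and uuids reuse the draft's examples
THREAT_ACTOR_V1 = {
    "name": "Threat Actor", "type": "threat-actor", "version": 1,
    "uuid": "7cdff317-a673-4474-84ec-4f1754947823",  # constructed galaxy uuid
    "values": [
        {"value": "Anchor Panda", "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
         "meta": {"synonyms": ["APT14", "APT 14", "QAZTeam", "ALUMINUM"]},
         "related": [{"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "type": "similar"},
                     {"dest-uuid": "00000000-0000-4000-8000-000000000000", "type": "similar"}]},  # unresolvable
        {"value": "APT 16", "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"},
    ],
}
TOOL_GALAXY = {  # constructed: gives the first related link above a target
    "name": "Tool", "type": "tool", "version": 1, "uuid": "3e7c9f0a-2b1d-4c6e-8a5f-1d2e3f4a5b6c",
    "values": [{"value": "Constructed Tool", "uuid": "f873db71-3d53-41d5-b141-530675ade27a"}],
}
# A constructed update that wrongly assigns Anchor Panda a fresh uuid
THREAT_ACTOR_V2 = dict(THREAT_ACTOR_V1, version=2, values=[
    dict(THREAT_ACTOR_V1["values"][0], uuid="9b4e1c2a-6f3d-4a8b-9c1e-2d5f7a8b9c0d"),
    THREAT_ACTOR_V1["values"][1],
])
```

   With both sample galaxies loaded, lookup(by_name, "qazteam") resolves
   to the Anchor Panda uuid, the link to the all-zero uuid is reported
   as dangling, and check_update flags the changed Anchor Panda uuid
   while accepting the unchanged APT 16 entry.  Running check_update
   before publishing a new galaxy version is the practical way to honour
   the "MUST be preserved" rule, since an event tagged with the old uuid
   otherwise loses its label silently.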
   Example use of the encryption, extensions, ransomnotes fields in the
   ransomware galaxy:

   {
     "meta": {
       "refs": [
         "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
         "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
       ],
       "ransomnotes": [
         "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
         "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
         "# !!!HELP_FILE!!! #.txt"
       ],
       "encryption": "AES-256 + RSA-1024",
       "extensions": [
         ".REVENGE"
       ],
       "date": "March 2017"
     },
     "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
     "value": "Revenge Ransomware",
     "uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e"
   }

   source-uuid, target-uuid SHALL be used to describe relationships.
   source-uuid and target-uuid represent the Universally Unique
   IDentifier (UUID) [RFC4122] of the value reference.  source-uuid and
   target-uuid MUST be preserved.

   Example use of the source-uuid, target-uuid fields in the
   mitre-enterprise-attack-relationship galaxy:

   {
     "meta": {
       "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
       "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
     },
     "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
     "value": "menuPass (G0045) uses EvilGrab (S0152)"
   }

   cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident and cfr-target-category MAY be used to report
   information gathered from CFR's (Council on Foreign Relations) [CFR]
   Cyber Operations Tracker.  cfr-suspected-victims is represented as an
   array containing one or more strings and SHALL be present.
   cfr-suspected-state-sponsor is represented as a string and SHALL be
   present.  cfr-type-of-incident is represented as a string and SHALL
   be present.  cfr-target-category is represented as an array
   containing one or more strings and SHALL be present.

   Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident, cfr-target-category fields in the threat-actor
   galaxy:

   {
     "meta": {
       "country": "CN",
       "refs": [
         "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
         "https://www.cfr.org/interactive/cyber-operations/apt-16"
       ],
       "cfr-suspected-victims": [
         "Japan",
         "Taiwan"
       ],
       "cfr-suspected-state-sponsor": "China",
       "cfr-type-of-incident": "Espionage",
       "cfr-target-category": [
         "Private sector"
       ]
     },
     "value": "APT 16",
     "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
   }

3.  JSON Schema

   The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy
   formats.  The main format is the MISP galaxy format used for the
   clusters.

3.1.  MISP galaxy format - clusters

   {
     "$schema": "http://json-schema.org/schema#",
     "title": "Validator for misp-galaxies - Clusters",
     "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
     "type": "object",
     "additionalProperties": false,
     "properties": {
       "description": {
         "type": "string"
       },
       "type": {
         "type": "string"
       },
       "version": {
         "type": "integer"
       },
       "name": {
         "type": "string"
       },
       "uuid": {
         "type": "string"
       },
       "source": {
         "type": "string"
       },
       "values": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "object",
           "additionalProperties": false,
           "properties": {
             "description": {
               "type": "string"
             },
             "value": {
               "type": "string"
             },
             "uuid": {
               "type": "string"
             },
             "related": {
               "type": "array",
               "items": {
                 "type": "object",
                 "additionalProperties": false,
                 "properties": {
                   "dest-uuid": {
                     "type": "string"
                   },
                   "type": {
                     "type": "string"
                   },
                   "tags": {
                     "type": "array",
                     "uniqueItems": true,
                     "items": {
                       "type": "string"
                     }
                   }
                 }
               }
             },
             "meta": {
               "type": "object",
               "additionalProperties": true,
               "properties": {
                 "type": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "complexity": {
                   "type": "string"
                 },
                 "effectiveness": {
                   "type": "string"
                 },
                 "country": {
                   "type": "string"
                 },
                 "possible_issues": {
                   "type": "string"
                 },
                 "colour": {
                   "type": "string"
                 },
                 "motive": {
                   "type": "string"
                 },
                 "impact": {
                   "type": "string"
                 },
                 "refs": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "synonyms": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "derivated_from": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "status": {
                   "type": "string"
                 },
                 "date": {
                   "type": "string"
                 },
                 "encryption": {
                   "type": "string"
                 },
                 "extensions": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "ransomnotes": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 }
               }
             }
           },
           "required": [
             "value"
           ]
         }
       },
       "authors": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "string"
         }
       }
     },
     "required": [
       "description",
       "type",
       "version",
       "name",
       "uuid",
       "values",
       "authors",
       "source"
     ]
   }

4.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006.

5.2.  Informative References

   [CFR]      CFR, "Cyber Operations Tracker - Council on Foreign
              Relations", 2018.

   [JSON-SCHEMA]
              "JSON Schema: A Media Type for Describing JSON Documents",
              2016.

   [MISP-G]   MISP, "MISP Galaxy - Public Repository".

   [MISP-G-DOC]
              MISP, "MISP Galaxy - Documentation of the Public
              Repository".

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing Platform
              and Threat Sharing".

   [MISP-R]   MISP, "MISP Object Relationship Types - common vocabulary
              of relationships".

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu


   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu


   Deborah Servili
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: deborah.servili@circl.lu