Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                D. Servili
Expires: March 31, 2019                                            CIRCL
                                                      September 27, 2018

                           MISP galaxy format
                   draft-dulaunoy-misp-galaxy-format-05

Abstract

   This document describes the MISP galaxy format, a simple JSON format
   used to represent galaxies and clusters that can be attached to MISP
   events or attributes.  A public directory of MISP galaxies is
   available and relies on the MISP galaxy format.  MISP galaxies are
   used to add further information to a MISP event.  MISP galaxy is a
   public repository [MISP-G] [MISP-G-DOC] of known malware, threat
   actors and various other collections of data that can be used to
   mark, classify or label data in threat information sharing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 31, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  values
     2.3.  related
     2.4.  meta
   3.  JSON Schema
     3.1.  MISP galaxy format - clusters
   4.  Acknowledgements
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement for
   the Internet, security and intelligence community at large.  Threat
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators or even detailed information
   about a threat actor.  Some of this information, such as malware or
   threat actors, is common to several security events.  MISP galaxy is
   a public repository [MISP-G] of known malware, threat actors and
   various other collections of data that can be used to mark, classify
   or label data in threat information sharing.

   In the MISP galaxy context, clusters help analysts to give more
   information about their cybersecurity events, indicators or threats.
   MISP galaxies can be used for classification, filtering, triggering
   actions or visualisation depending on their use in threat
   intelligence platforms such as MISP [MISP-P].

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

   A cluster is composed of a value (MUST), a description (OPTIONAL) and
   metadata (OPTIONAL).

   Clusters are represented as a JSON [RFC4627] dictionary.

2.1.  Overview

   The MISP galaxy format uses the JSON [RFC4627] format.  Each galaxy
   is represented as a JSON object with meta information including the
   following fields: name, uuid, description, version, type, authors,
   source, values.

   name defines the name of the galaxy.  The name is represented as a
   string and MUST be present.  The uuid represents the Universally
   Unique IDentifier (UUID) [RFC4122] of the object reference.  The uuid
   MUST be preserved for any updates or transfer of the same object
   reference.  UUID version 4 is RECOMMENDED when assigning it to a new
   object reference, and the uuid MUST be present.  The description is
   represented as a string and MUST be present.  The uuid is represented
   as a string and MUST be present.  The version is represented as a
   decimal and MUST be present.  The type is represented as a string,
   MUST be present and MUST match the name of the galaxy file.  The
   source is represented as a string and MUST be present.  Authors are
   represented as an array containing one or more authors and MUST be
   present.

   Values are represented as an array containing one or more values and
   MUST be present.  Values define all values available in the galaxy.

2.2.  values

   The values array contains one or more JSON objects which represent
   all the possible values in the galaxy.
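
   The following Python script is an added example; it is not part of
   this draft and not the MISP project's own validator (the project uses
   the JSON Schema of Section 3 for that).  It applies the field rules of
   Sections 2.1 and 2.2 and the tag format rule of Section 2.3 to a
   parsed galaxy file, keeping the MUST and SHOULD levels apart: MUST
   violations become errors, SHOULD and RECOMMENDED violations become
   warnings.  It also compares the type field with the stem of the file
   name and checks every uuid for UUID syntax and for version 4.  The
   galaxy content, its assumed file name example.json and the machine
   tag pattern are constructed for this example.

```python
import json
import re
import uuid as uuidlib
from pathlib import PurePath

# Machine tag shape: namespace:predicate or namespace:predicate="value"
# (pattern assumed for this example, not taken from the draft).
MACHINE_TAG = re.compile(r'^[^:=\s]+:[^:=\s]+(=.+)?$')

# Constructed galaxy file content; assumed to be stored as "example.json",
# so Section 2.1 requires "type" to be "example".  Alpha is complete,
# Beta lacks SHOULD fields and carries a malformed tag, Gamma is minimal.
SAMPLE_GALAXY = r'''{
  "name": "Example galaxy",
  "uuid": "1f5e0d7e-9c6a-4d2b-8f3a-2a9b6c1d4e55",
  "description": "Constructed galaxy used to exercise the checks below",
  "version": 1,
  "type": "example",
  "authors": ["constructed"],
  "source": "constructed sample",
  "values": [
    {"value": "Alpha", "description": "first cluster",
     "uuid": "c0a1e2d3-4b5f-4a6b-9c7d-8e9f0a1b2c3d",
     "meta": {"refs": ["https://example.invalid/alpha"]},
     "related": [{"dest-uuid": "d1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5e",
                  "type": "similar",
                  "tags": ["estimative-language:likelihood-probability=\"likely\""]}]},
    {"value": "Beta", "uuid": "d1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5e",
     "related": [{"dest-uuid": "ffffffff-0000-4111-8222-333333333333",
                  "type": "similar", "tags": ["not a machine tag"]}]},
    {"value": "Gamma"}
  ]
}'''


def _parse_uuid(text):
    """Return a uuid.UUID for text, or None when it is not valid UUID syntax."""
    try:
        return uuidlib.UUID(str(text))
    except ValueError:
        return None


def validate_galaxy(galaxy, filename):
    """Apply the Section 2.1-2.3 rules; MUST -> errors, SHOULD/RECOMMENDED -> warnings."""
    errors, warnings = [], []
    # Section 2.1: top-level fields that MUST be present.
    for key in ("name", "uuid", "description", "type", "source"):
        if not isinstance(galaxy.get(key), str):
            errors.append(f"top-level '{key}' MUST be a string")
    version = galaxy.get("version")
    if isinstance(version, bool) or not isinstance(version, (int, float)):
        errors.append("top-level 'version' MUST be a decimal")
    authors = galaxy.get("authors")
    if not (isinstance(authors, list) and authors and all(isinstance(a, str) for a in authors)):
        errors.append("top-level 'authors' MUST be a non-empty array of strings")
    if isinstance(galaxy.get("type"), str) and galaxy["type"] != PurePath(filename).stem:
        errors.append(f"'type' {galaxy['type']!r} does not match file name {filename!r}")
    top_uuid = _parse_uuid(galaxy.get("uuid"))
    if "uuid" in galaxy and top_uuid is None:
        errors.append("top-level 'uuid' is not a valid UUID")
    elif top_uuid is not None and top_uuid.version != 4:
        warnings.append("top-level 'uuid' is not a version 4 UUID (RECOMMENDED)")
    values = galaxy.get("values")
    if not (isinstance(values, list) and values):
        errors.append("'values' MUST be a non-empty array")
        return errors, warnings
    for i, entry in enumerate(values):
        where = f"values[{i}]"
        if not isinstance(entry, dict):
            errors.append(f"{where} MUST be a JSON object")
            continue
        # Section 2.2: value MUST be present; description, uuid, meta SHOULD.
        if not isinstance(entry.get("value"), str):
            errors.append(f"{where}: 'value' MUST be a string")
        for key in ("description", "uuid", "meta"):
            if key not in entry:
                warnings.append(f"{where}: '{key}' SHOULD be present")
        if "uuid" in entry and _parse_uuid(entry["uuid"]) is None:
            errors.append(f"{where}: 'uuid' is not a valid UUID")
        # Section 2.3: dest-uuid and type MUST be present; tags SHOULD be machine tags.
        for j, rel in enumerate(entry.get("related", [])):
            rwhere = f"{where}.related[{j}]"
            if not isinstance(rel, dict):
                errors.append(f"{rwhere} MUST be a JSON object")
                continue
            if _parse_uuid(rel.get("dest-uuid")) is None:
                errors.append(f"{rwhere}: 'dest-uuid' MUST be a UUID string")
            if not isinstance(rel.get("type"), str):
                errors.append(f"{rwhere}: 'type' MUST be a string")
            tags = rel.get("tags") or []
            if not tags:
                warnings.append(f"{rwhere}: 'tags' SHOULD be present")
            for tag in tags:
                if not isinstance(tag, str) or not MACHINE_TAG.match(tag):
                    warnings.append(f"{rwhere}: tag {tag!r} is not in machine tag format")
    return errors, warnings


def validate_galaxy_text(text, filename):
    """Parse the JSON text of a galaxy file and validate it."""
    return validate_galaxy(json.loads(text), filename)
```

   Run against the constructed file, validate_galaxy_text(SAMPLE_GALAXY,
   "example.json") reports no errors and six warnings (Beta and Gamma
   miss SHOULD fields, Beta carries a tag that is not a machine tag);
   passing any other file name, such as threat-actor.json, turns the
   type rule of Section 2.1 into an error.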

   The JSON object contains four fields: value, description, uuid and
   meta.  The value is represented as a string and MUST be present.  The
   description is represented as a string and SHOULD be present.  The
   meta or metadata is represented as a JSON list and SHOULD be present.
   The uuid represents the Universally Unique IDentifier (UUID)
   [RFC4122] of the value reference.  The uuid SHOULD be present and
   MUST be preserved.

2.3.  related

   Related contains a list of JSON key value pairs which describe the
   related values in this galaxy cluster or in other galaxy clusters.
   The JSON object contains three fields: dest-uuid, type and tags.  The
   dest-uuid represents the target UUID which encompasses a relation of
   some type.  The dest-uuid is represented as a string and MUST be
   present.  The type is represented as a string, MUST be present and
   SHOULD be selected from the relationship types available in MISP
   objects [MISP-R].  The tags field is a list of strings which label
   the related relationship, such as the level of similarity, the level
   of certainty, trust or confidence in the relationship, or
   false-positive.  A tag is represented in machine tag format, which is
   a string, and SHOULD be present.

   "related": [ {
       "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
       "type": "similar",
       "tags": ["estimative-language:likelihood-probability=\"very-likely\""]
   } ]

2.4.  meta

   Meta contains a list of custom defined JSON key value pairs.  Users
   SHOULD reuse commonly used keys such as complexity, effectiveness,
   country, possible_issues, colour, motive, impact, refs, synonyms,
   status, date, encryption, extensions, ransomnotes, suspected-victims,
   suspected-state-sponsor, type-of-incident, target-category,
   cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident, cfr-target-category wherever applicable.

   refs, synonyms SHALL be used to give further information.  refs is
   represented as an array containing one or more strings and SHALL be
   present.  synonyms is represented as an array containing one or more
   strings and SHALL be present.

   date, status MAY be used to give time information about a cluster.
   date is represented as a string describing a time or period and SHALL
   be present.  status is represented as a string describing the current
   status of the cluster.  It MAY also describe a time or period and
   SHALL be present.

   colour fields MAY be used at predicate or value level to set a
   specific colour that MAY be used by the implementation.  The colour
   field is described as an RGB colour fill in hexadecimal
   representation.

   complexity, effectiveness, impact, possible_issues MAY be used to
   give further information in the preventive-measure galaxy.
   complexity is represented by an enumerated value from a fixed
   vocabulary and SHALL be present.  effectiveness is represented by an
   enumerated value from a fixed vocabulary and SHALL be present.
   impact is represented by an enumerated value from a fixed vocabulary
   and SHALL be present.  possible_issues is represented as a string and
   SHOULD be present.

   Example use of the complexity, effectiveness, impact, possible_issues
   fields in the preventive-measure galaxy:

   {
     "meta": {
       "refs": [
         "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
       ],
       "complexity": "Low",
       "effectiveness": "Medium",
       "impact": "Medium",
       "type": [
         "GPO"
       ],
       "possible_issues": "Administrative VBS scripts on Workstations"
     },
     "value": "Disable WSH",
     "description": "Disable Windows Script Host",
     "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
   }

   country, motive MAY be used to give further information in the
   threat-actor galaxy.  country is represented as a string and SHOULD
   be present.
   motive is represented as a string and SHOULD be present.

   Example use of the country, motive fields in the threat-actor galaxy:

   {
     "meta": {
       "country": "CN",
       "synonyms": [
         "APT14",
         "APT 14",
         "QAZTeam",
         "ALUMINUM"
       ],
       "refs": [
         "http://www.crowdstrike.com/blog/whois-anchor-panda/"
       ],
       "motive": "Espionage"
     },
     "value": "Anchor Panda",
     "description": "PLA Navy",
     "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
   }

   encryption, extensions, ransomnotes MAY be used to give further
   information in the ransomware galaxy.  encryption is represented as a
   string and SHALL be present.  extensions is represented as an array
   containing one or more strings and SHALL be present.  ransomnotes is
   represented as an array containing one or more strings and SHALL be
   present.

   Example use of the encryption, extensions, ransomnotes fields in the
   ransomware galaxy:

   {
     "meta": {
       "refs": [
         "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
         "https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
       ],
       "ransomnotes": [
         "https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
         "===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
         "# !!!HELP_FILE!!! #.txt"
       ],
       "encryption": "AES-256 + RSA-1024",
       "extensions": [
         ".REVENGE"
       ],
       "date": "March 2017"
     },
     "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
     "value": "Revenge Ransomware",
     "uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e"
   }

   source-uuid, target-uuid SHALL be used to describe relationships.
   source-uuid and target-uuid represent the Universally Unique
   IDentifier (UUID) [RFC4122] of the value reference.  source-uuid and
   target-uuid MUST be preserved.

   Example use of the source-uuid, target-uuid fields in the
   mitre-enterprise-attack-relationship galaxy:

   {
     "meta": {
       "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
       "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
     },
     "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
     "value": "menuPass (G0045) uses EvilGrab (S0152)"
   }

   cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident and cfr-target-category MAY be used to report
   information gathered from the Cyber Operations Tracker of the CFR
   (Council on Foreign Relations) [CFR].  cfr-suspected-victims is
   represented as an array containing one or more strings and SHALL be
   present.  cfr-suspected-state-sponsor is represented as a string and
   SHALL be present.  cfr-type-of-incident is represented as a string or
   an array and SHALL be present.  A RECOMMENDED but not exhaustive list
   of possible values for cfr-type-of-incident includes "Espionage",
   "Denial of service", "Sabotage".
   cfr-target-category is represented as an array containing one or
   more strings and SHALL be present.  A RECOMMENDED but not exhaustive
   list of possible values for cfr-target-category includes "Private
   sector", "Government", "Civil society", "Military".

   Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident, cfr-target-category fields in the threat-actor
   galaxy:

   {
     "meta": {
       "country": "CN",
       "refs": [
         "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
         "https://www.cfr.org/interactive/cyber-operations/apt-16"
       ],
       "cfr-suspected-victims": [
         "Japan",
         "Taiwan"
       ],
       "cfr-suspected-state-sponsor": "China",
       "cfr-type-of-incident": "Espionage",
       "cfr-target-category": [
         "Private sector"
       ]
     },
     "value": "APT 16",
     "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
   }

3.  JSON Schema

   The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy
   format.  The main format is the MISP galaxy format used for the
   clusters.

3.1.  MISP galaxy format - clusters

   {
     "$schema": "http://json-schema.org/schema#",
     "title": "Validator for misp-galaxies - Clusters",
     "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
     "type": "object",
     "additionalProperties": false,
     "properties": {
       "description": {
         "type": "string"
       },
       "type": {
         "type": "string"
       },
       "version": {
         "type": "integer"
       },
       "name": {
         "type": "string"
       },
       "uuid": {
         "type": "string"
       },
       "source": {
         "type": "string"
       },
       "values": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "object",
           "additionalProperties": false,
           "properties": {
             "description": {
               "type": "string"
             },
             "value": {
               "type": "string"
             },
             "uuid": {
               "type": "string"
             },
             "related": {
               "type": "array",
               "items": {
                 "type": "object",
                 "additionalProperties": false,
                 "properties": {
                   "dest-uuid": {
                     "type": "string"
                   },
                   "type": {
                     "type": "string"
                   },
                   "tags": {
                     "type": "array",
                     "uniqueItems": true,
                     "items": {
                       "type": "string"
                     }
                   }
                 }
               }
             },
             "meta": {
               "type": "object",
               "additionalProperties": true,
               "properties": {
                 "type": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "complexity": {
                   "type": "string"
                 },
                 "effectiveness": {
                   "type": "string"
                 },
                 "country": {
                   "type": "string"
                 },
                 "possible_issues": {
                   "type": "string"
                 },
                 "colour": {
                   "type": "string"
                 },
                 "motive": {
                   "type": "string"
                 },
                 "impact": {
                   "type": "string"
                 },
                 "refs": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "synonyms": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "status": {
                   "type": "string"
                 },
                 "date": {
                   "type": "string"
                 },
                 "encryption": {
                   "type": "string"
                 },
                 "extensions": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "ransomnotes": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 }
               }
             }
           },
           "required": [
             "value"
           ]
         }
       },
       "authors": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "string"
         }
       }
     },
     "required": [
       "description",
       "type",
       "version",
       "name",
       "uuid",
       "values",
       "authors",
       "source"
     ]
   }

4.  Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006.

5.2.  Informative References

   [CFR]      CFR, "Cyber Operations Tracker - Council on Foreign
              Relations", 2018.

   [JSON-SCHEMA]
              "JSON Schema: A Media Type for Describing JSON Documents",
              2016.

   [MISP-G]   MISP, "MISP Galaxy - Public Repository".

   [MISP-G-DOC]
              MISP, "MISP Galaxy - Documentation of the Public
              Repository".

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing Platform
              and Threat Sharing".

   [MISP-R]   MISP, "MISP Object Relationship Types - common vocabulary
              of relationships".
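
   The following Python script is an added example; it is not part of
   this draft and not code from the MISP project.  It shows what a
   consumer of several galaxy files can do with the related links of
   Section 2.3 and with the source-uuid/target-uuid clusters of Section
   2.4: it builds one uuid index over all galaxies (reporting any uuid
   that occurs twice, since Section 2.2 requires uuids to be preserved),
   turns both kinds of link into labelled edges, and lists references
   whose uuid resolves to no cluster at all.  The three galaxy excerpts,
   their cluster names and every uuid are constructed for this example;
   one target uuid is deliberately defined nowhere.

```python
# Constructed galaxy excerpts (not the public misp-galaxy data); every UUID
# below is made up for this example and MISSING_D is defined in no galaxy.
ACTOR_A = "aaaaaaaa-1111-4111-8111-111111111111"
ACTOR_B = "bbbbbbbb-2222-4222-8222-222222222222"
TOOL_C = "cccccccc-3333-4333-8333-333333333333"
MISSING_D = "dddddddd-4444-4444-8444-444444444444"

GALAXIES = [
    {"type": "threat-actor", "values": [
        {"value": "menuPass", "uuid": ACTOR_A},
        {"value": "APT 16", "uuid": ACTOR_B,
         "related": [{"dest-uuid": ACTOR_A, "type": "similar",
                      "tags": ['estimative-language:likelihood-probability="likely"']}]},
    ]},
    {"type": "tool", "values": [
        {"value": "EvilGrab", "uuid": TOOL_C},
    ]},
    {"type": "actor-tool-relationship", "values": [
        {"value": "menuPass uses EvilGrab",
         "uuid": "eeeeeeee-5555-4555-8555-555555555555",
         "meta": {"source-uuid": ACTOR_A, "target-uuid": TOOL_C}},
        {"value": "APT 16 uses an undefined tool",
         "uuid": "ffffffff-6666-4666-8666-666666666666",
         "meta": {"source-uuid": ACTOR_B, "target-uuid": MISSING_D}},
    ]},
]


def index_clusters(galaxies):
    """Map every cluster uuid to (galaxy type, value).

    Section 2.2 requires uuids to be preserved, so a uuid that shows up in
    two clusters is a data error and is reported instead of being
    silently overwritten.
    """
    index, duplicates = {}, []
    for galaxy in galaxies:
        for cluster in galaxy["values"]:
            cid = cluster.get("uuid")
            if cid is None:
                continue
            if cid in index:
                duplicates.append(cid)
            index[cid] = (galaxy["type"], cluster["value"])
    return index, duplicates


def build_edges(galaxies, index):
    """Turn related links and source/target-uuid clusters into graph edges.

    Returns (edges, dangling): edges are (src_uuid, label, dst_uuid) tuples;
    dangling lists (referencing cluster uuid, unresolved uuid) pairs.
    """
    edges, dangling = [], []
    for galaxy in galaxies:
        for cluster in galaxy["values"]:
            cid = cluster.get("uuid")
            # Section 2.3: a related entry is an edge labelled with its type.
            for rel in cluster.get("related", []):
                if rel["dest-uuid"] in index:
                    edges.append((cid, rel["type"], rel["dest-uuid"]))
                else:
                    dangling.append((cid, rel["dest-uuid"]))
            # Section 2.4: a cluster carrying source-uuid and target-uuid is
            # itself a relationship; its value serves as the edge label.
            meta = cluster.get("meta", {})
            if "source-uuid" in meta and "target-uuid" in meta:
                ends = (meta["source-uuid"], meta["target-uuid"])
                missing = [u for u in ends if u not in index]
                if missing:
                    dangling.extend((cid, u) for u in missing)
                else:
                    edges.append((ends[0], cluster["value"], ends[1]))
    return edges, dangling


def neighbours(edges, index, name):
    """Outgoing relations of the cluster whose value is `name`, as text."""
    uid = next(u for u, (_, value) in index.items() if value == name)
    return sorted(f"{label} -> {index[dst][1]} ({index[dst][0]})"
                  for src, label, dst in edges if src == uid)


def analyse(galaxies):
    """Run the whole pipeline and return its results in one dictionary."""
    index, duplicates = index_clusters(galaxies)
    edges, dangling = build_edges(galaxies, index)
    return {"index": index, "duplicates": duplicates,
            "edges": edges, "dangling": dangling}


if __name__ == "__main__":
    result = analyse(GALAXIES)
    for name in ("menuPass", "APT 16"):
        print(name, neighbours(result["edges"], result["index"], name))
    print("dangling references:", result["dangling"])
```

   On the constructed data the index holds five clusters, two edges are
   built (APT 16 similar to menuPass, menuPass uses EvilGrab), and the
   relationship cluster pointing at MISSING_D is reported as dangling
   rather than silently dropped; the same check is what a MISP instance
   needs before it can follow a dest-uuid into another galaxy.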

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu

   Deborah Servili
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: deborah.servili@circl.lu