Network Working Group                                        A. Dulaunoy
Internet-Draft                                                  A. Iklody
Expires: April 6, 2020                                         D. Servili
                                                                    CIRCL
                                                          October 4, 2019


                           MISP galaxy format
                   draft-dulaunoy-misp-galaxy-format-07

Abstract

   This document describes the MISP galaxy format, a simple JSON format
   to represent galaxies and clusters that can be attached to MISP
   events or attributes.  A public directory of MISP galaxies is
   available and relies on the MISP galaxy format.  MISP galaxies are
   used to add further information to a MISP event.  MISP galaxy is a
   public repository [MISP-G] [MISP-G-DOC] of known malware, threat
   actors and various other collections of data that can be used to
   mark, classify or label data in threat information sharing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 6, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conventions and Terminology . . . . . . . . . . . . . . .   2
   2.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  values  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.3.  related . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.4.  meta  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . .   9
     3.1.  MISP galaxy format - galaxy . . . . . . . . . . . . . . .   9
     3.2.  MISP galaxy format - clusters . . . . . . . . . . . . . .  10
   4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  14
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  14
     5.2.  Informative References  . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1. Introduction

   Sharing threat information has become a fundamental requirement for
   the Internet, security and intelligence communities at large.  Threat
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators or even detailed information
   about a threat actor.  Some of this information, such as malware or
   threat actors, is common to several security events.  MISP galaxy is
   a public repository [MISP-G] of known malware, threat actors and
   various other collections of data that can be used to mark, classify
   or label data in threat information sharing.
   In the MISP galaxy context, clusters help analysts to give more
   information about their cybersecurity events, indicators or threats.
   MISP galaxies can be used for classification, filtering, triggering
   actions or visualisation depending on their use in threat
   intelligence platforms such as MISP [MISP-P].

1.1. Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2. Format

   A cluster is composed of a value (MUST), a description (OPTIONAL) and
   metadata (OPTIONAL).

   Clusters are represented as a JSON [RFC8259] dictionary.

2.1. Overview

   The MISP galaxy format uses the JSON [RFC8259] format.  Each galaxy
   is represented as a JSON object with meta information including the
   following fields: name, uuid, description, version, type, authors,
   source, values, category.

   name defines the name of the galaxy.  The name is represented as a
   string and MUST be present.  The uuid represents the Universally
   Unique IDentifier (UUID) [RFC4122] of the object reference.  The uuid
   MUST be preserved for any updates or transfer of the same object
   reference.  UUID version 4 is RECOMMENDED when assigning it to a new
   object reference, and the uuid MUST be present.  The description is
   represented as a string and MUST be present.  The uuid is represented
   as a string and MUST be present.  The version is represented as a
   decimal and MUST be present.  The type is represented as a string,
   MUST be present and MUST match the name of the galaxy file.  The
   source is represented as a string and MUST be present.  Authors are
   represented as an array containing one or more authors and MUST be
   present.  The category is represented as a string, MUST be present
   and describes the overall category of the galaxy such as tool or
   actor.
   Values are represented as an array containing one or more values and
   MUST be present.  The values array defines all values available in
   the galaxy.

2.2. values

   The values array contains one or more JSON objects which represent
   all the possible values in the galaxy.  Each JSON object contains
   four fields: value, description, uuid and meta.  The value is
   represented as a string and MUST be present.  The description is
   represented as a string and SHOULD be present.  The meta or metadata
   is represented as a JSON list and SHOULD be present.  The uuid
   represents the Universally Unique IDentifier (UUID) [RFC4122] of the
   value reference.  The uuid SHOULD be present and MUST be preserved.

2.3. related

   related contains a list of JSON key value pairs which describe the
   values related to this galaxy cluster, in the same galaxy or in other
   galaxy clusters.  Each JSON object contains three fields: dest-uuid,
   type and tags.  The dest-uuid represents the target UUID at the other
   end of a relation of some type.  The dest-uuid is represented as a
   string and MUST be present.  The type is represented as a string,
   MUST be present and SHOULD be selected from the relationship types
   available in MISP objects [MISP-R].  tags is a list of strings which
   label the relationship, such as the level of similarity, the level
   of certainty, trust or confidence in the relationship, or
   false-positive.  A tag is represented in machine tag format, which is
   a string, and SHOULD be present.

   "related": [ {
       "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
       "type": "similar",
       "tags": ["estimative-language:likelihood-probability=\"very-likely\""]
   } ]

2.4. meta

   Meta contains a list of custom defined JSON key value pairs.
   Users SHOULD reuse commonly used keys such as complexity,
   effectiveness, country, possible_issues, colour, motive, impact,
   refs, synonyms, status, date, encryption, extensions, ransomnotes,
   ransomnotes-filenames, ransomnotes-refs, suspected-victims,
   suspected-state-sponsor, type-of-incident, target-category,
   cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident, cfr-target-category, attribution-confidence,
   payment-method and price wherever applicable.  Additional meta fields
   MAY be added without the need to be referenced or registered in
   advance.

   refs, synonyms SHALL be used to give further information.  refs is
   represented as an array containing one or more strings and SHALL be
   present.  synonyms is represented as an array containing one or more
   strings and SHALL be present.

   date, status MAY be used to give time information about a cluster.
   date is represented as a string describing a time or period and SHALL
   be present.  status is represented as a string describing the current
   status of the cluster.  It MAY also describe a time or period and
   SHALL be present.

   The colour field MAY be used at predicate or value level to set a
   specific colour that MAY be used by the implementation.  The colour
   field is described as an RGB colour fill in hexadecimal
   representation.

   complexity, effectiveness, impact, possible_issues MAY be used to
   give further information in the preventive-measure galaxy.
   complexity is represented by an enumerated value from a fixed
   vocabulary and SHALL be present.  effectiveness is represented by an
   enumerated value from a fixed vocabulary and SHALL be present.
   impact is represented by an enumerated value from a fixed vocabulary
   and SHALL be present.  possible_issues is represented as a string and
   SHOULD be present.
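   The rules of sections 2.1 to 2.3 can be checked mechanically before a
   cluster file is published or imported.  The Python script below is an
   added example written for this page, not code from this draft or from
   the MISP project.  It embeds a constructed sample cluster (hypothetical
   name, source and UUIDs) and reports MUST and SHOULD deviations,
   including the checks a JSON Schema cannot express on its own: the uuid
   is well formed (and version 4 as RECOMMENDED), the type matches the
   galaxy file name, and related tags follow the machine tag format.  It
   uses only the Python standard library.

```python
import json
import re
import uuid

# Constructed sample cluster (hypothetical name and UUIDs, not taken from the
# misp-galaxies repository), following sections 2.1-2.3: galaxy fields, a
# values array and one related entry carrying a machine tag.
SAMPLE_CLUSTER = {
    "name": "Example Tool",
    "uuid": "7f2a1d0e-5b4c-4c3d-9e8f-0a1b2c3d4e5f",
    "description": "Constructed cluster used to demonstrate the checks below",
    "version": 1,
    "type": "example-tool",
    "authors": ["constructed author"],
    "source": "constructed for this example",
    "category": "tool",
    "values": [{
        "value": "Tool A",
        "description": "First constructed value",
        "uuid": "3c9a6f2e-1d2b-4a5c-8e7f-6a5b4c3d2e1f",
        "meta": {"refs": ["https://example.invalid/tool-a"], "synonyms": ["ToolA"]},
        "related": [{
            "dest-uuid": "b1c2d3e4-f5a6-4b7c-8d9e-0f1a2b3c4d5e",
            "type": "similar",
            "tags": ['estimative-language:likelihood-probability="very-likely"'],
        }],
    }],
}

# Galaxy-level fields that MUST be present (section 2.1) and their JSON types.
MUST_FIELDS = {
    "name": str, "uuid": str, "description": str, "version": (int, float),
    "type": str, "authors": list, "source": str, "values": list, "category": str,
}

# Machine tag format: namespace:predicate or namespace:predicate="value".
MACHINE_TAG = re.compile(r'^[^:\s"]+:[^=\s"]+(?:="[^"]+")?$')


def is_uuid(text, require_v4=False):
    """True if text parses as an RFC 4122 UUID (optionally a version 4 one)."""
    try:
        parsed = uuid.UUID(str(text))
    except ValueError:
        return False
    return not require_v4 or parsed.version == 4


def check_cluster(cluster, filename):
    """Return (level, message) findings; level is 'MUST' or 'SHOULD'."""
    findings = []
    for field, expected in MUST_FIELDS.items():
        if field not in cluster:
            findings.append(("MUST", f"missing galaxy field '{field}'"))
        elif not isinstance(cluster[field], expected):
            findings.append(("MUST", f"galaxy field '{field}' has the wrong JSON type"))
    if "uuid" in cluster and not is_uuid(cluster["uuid"]):
        findings.append(("MUST", "galaxy uuid is not a valid UUID"))
    elif "uuid" in cluster and not is_uuid(cluster["uuid"], require_v4=True):
        findings.append(("SHOULD", "galaxy uuid is not version 4 (RECOMMENDED for new objects)"))
    # The type MUST match the galaxy file name, compared without the .json suffix.
    stem = filename.rsplit("/", 1)[-1]
    stem = stem[:-5] if stem.endswith(".json") else stem
    if cluster.get("type") != stem:
        findings.append(("MUST", f"type '{cluster.get('type')}' does not match file name '{stem}'"))
    if not cluster.get("authors"):
        findings.append(("MUST", "authors MUST contain at least one author"))
    values = cluster.get("values") or []
    if not values:
        findings.append(("MUST", "values MUST contain at least one value"))
    for i, entry in enumerate(values):
        where = f"values[{i}]"
        if not isinstance(entry.get("value"), str):
            findings.append(("MUST", f"{where}: value MUST be a string"))
        for optional in ("description", "meta", "uuid"):
            if optional not in entry:
                findings.append(("SHOULD", f"{where}: {optional} SHOULD be present"))
        if "uuid" in entry and not is_uuid(entry["uuid"]):
            findings.append(("MUST", f"{where}: uuid is not a valid UUID"))
        for j, rel in enumerate(entry.get("related", [])):
            rwhere = f"{where}.related[{j}]"
            if not is_uuid(rel.get("dest-uuid")):
                findings.append(("MUST", f"{rwhere}: dest-uuid missing or not a valid UUID"))
            if not isinstance(rel.get("type"), str):
                findings.append(("MUST", f"{rwhere}: type MUST be a string"))
            if not rel.get("tags"):
                findings.append(("SHOULD", f"{rwhere}: tags SHOULD be present"))
            for tag in rel.get("tags") or []:
                if not isinstance(tag, str) or not MACHINE_TAG.match(tag):
                    findings.append(("MUST", f"{rwhere}: tag {tag!r} is not in machine tag format"))
    return findings


def check_file(path):
    """Load a cluster file from disk and run the checks against its own name."""
    with open(path, encoding="utf-8") as handle:
        return check_cluster(json.load(handle), path)
```

   check_file("clusters/example-tool.json") is the intended entry point
   for a real file; an empty findings list means the cluster satisfies
   every rule the script knows about, and SHOULD findings are reported
   separately so that a reviewer can decide whether to accept them.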
   Example use of the complexity, effectiveness, impact, possible_issues
   fields in the preventive-measure galaxy:

   {
     "meta": {
       "refs": [
         "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
       ],
       "complexity": "Low",
       "effectiveness": "Medium",
       "impact": "Medium",
       "type": [
         "GPO"
       ],
       "possible_issues": "Administrative VBS scripts on Workstations"
     },
     "value": "Disable WSH",
     "description": "Disable Windows Script Host",
     "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
   }

   country, motive MAY be used to give further information in the
   threat-actor galaxy.  country is represented as a string and SHOULD
   be present.  motive is represented as a string and SHOULD be present.

   Example use of the country, motive fields in the threat-actor galaxy:

   {
     "meta": {
       "country": "CN",
       "synonyms": [
         "APT14",
         "APT 14",
         "QAZTeam",
         "ALUMINUM"
       ],
       "refs": [
         "http://www.crowdstrike.com/blog/whois-anchor-panda/"
       ],
       "motive": "Espionage",
       "attribution-confidence": 50
     },
     "value": "Anchor Panda",
     "description": "PLA Navy",
     "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
   }

   encryption, extensions, ransomnotes, ransomnotes-filenames,
   ransomnotes-refs, payment-method, price MAY be used to give further
   information in the ransomware galaxy.  encryption is represented as a
   string and SHALL be present.  extensions is represented as an array
   containing one or more strings and SHALL be present.  ransomnotes is
   represented as an array containing one or more strings and SHALL be
   present.  ransomnotes-filenames is represented as an array containing
   one or more strings and SHALL be present.  ransomnotes-refs is
   represented as an array containing one or more strings and SHALL be
   present.  payment-method is represented as a string and SHALL be
   present.
   price is represented as a string and SHALL be present.

   Example use of the encryption, extensions, ransomnotes fields in the
   ransomware galaxy:

   {
     "description": "Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.",
     "meta": {
       "ransomnotes-filenames": [
         "RyukReadMe.txt"
       ],
       "ransomnotes-refs": [
         "https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig3.png",
         "https://www.crowdstrike.com/blog/wp-content/uploads/2019/01/RansomeNote-fig4.png"
       ],
       "refs": [
         "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
       ]
     },
     "uuid": "f9464c80-b776-4f37-8682-ffde0cf8f718",
     "value": "Ryuk ransomware"
   }

   Example use of the payment-method, price fields in the ransomware
   galaxy:

   {
     "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
     "meta": {
       "date": "March 2017",
       "encryption": "AES-128",
       "extensions": [
         ".enc"
       ],
       "payment-method": "Bitcoin",
       "price": "0.1",
       "ransomnotes": [
         "Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites."
       ],
       "refs": [
         "https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html"
       ]
     },
     "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b",
     "value": "CryptoMeister Ransomware"
   }

   source-uuid, target-uuid SHALL be used to describe relationships.
   source-uuid and target-uuid represent the Universally Unique
   IDentifier (UUID) [RFC4122] of the value reference.  source-uuid and
   target-uuid MUST be preserved.

   Example use of the source-uuid, target-uuid fields in the
   mitre-enterprise-attack-relationship galaxy:

   {
     "meta": {
       "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
       "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
     },
     "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
     "value": "menuPass (G0045) uses EvilGrab (S0152)"
   }

   cfr-suspected-victims, cfr-suspected-state-sponsor,
   cfr-type-of-incident and cfr-target-category MAY be used to report
   information gathered from CFR's (Council on Foreign Relations) [CFR]
   Cyber Operations Tracker.
   cfr-suspected-victims is represented as an array containing one or
   more strings and SHALL be present.  cfr-suspected-state-sponsor is
   represented as a string and SHALL be present.  cfr-type-of-incident
   is represented as a string or an array and SHALL be present.  A
   RECOMMENDED but not exhaustive list of possible values for
   cfr-type-of-incident includes "Espionage", "Denial of service",
   "Sabotage".  cfr-target-category is represented as an array
   containing one or more strings and SHALL be present.  A RECOMMENDED
   but not exhaustive list of possible values for cfr-target-category
   includes "Private sector", "Government", "Civil society", "Military".

   Example use of the cfr-suspected-victims, cfr-suspected-state-
   sponsor, cfr-type-of-incident, cfr-target-category fields in the
   threat-actor galaxy:

   {
     "meta": {
       "country": "CN",
       "refs": [
         "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
         "https://www.cfr.org/interactive/cyber-operations/apt-16"
       ],
       "cfr-suspected-victims": [
         "Japan",
         "Taiwan"
       ],
       "cfr-suspected-state-sponsor": "China",
       "cfr-type-of-incident": "Espionage",
       "cfr-target-category": [
         "Private sector"
       ],
       "attribution-confidence": 50
     },
     "value": "APT 16",
     "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
   }

   attribution-confidence MAY be used to indicate the confidence in an
   attribution given by country or cfr-suspected-state-sponsor.
   attribution-confidence is represented on a scale from 0 to 100, where
   50 means "no information", values under 50 mean "probably not,
   almost certainly not, down to impossibility", values above 50 mean
   "probable, almost certain, up to certainty", and it SHALL be present
   if country or cfr-suspected-state-sponsor is present.

   Impossibility           no information                Certainty
                                 +
                                 |
          +----------------------+------------------------->
          0                     50                       100
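   Because uuids MUST be preserved, they are the join key for the
   relationship fields described above: related/dest-uuid within a
   value, and source-uuid/target-uuid in a relationship galaxy.  The
   Python below is an added example written for this page, not code from
   this draft or from the MISP project.  It builds a constructed set of
   three galaxies (hypothetical names and UUIDs), resolves every
   reference across them, reports the ones that point at no known value,
   and maps attribution-confidence onto the scale of this section.  The
   draft fixes only the meanings of 0, 50 and 100; the intermediate
   bands at 25 and 75 are the example's own assumption.

```python
# Constructed mini-galaxy set (hypothetical UUIDs and names, not from the
# misp-galaxies repository): a threat-actor galaxy, a tool galaxy and a
# relationship galaxy that links them through source-uuid / target-uuid.
ACTOR_X = "0f7c5a2e-6b1d-4e3a-9c8b-7a6d5e4f3a2b"
ACTOR_Y = "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
TOOL_A = "9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b"
TOOL_MISSING = "ffffffff-0000-4000-8000-000000000000"  # defined nowhere: dangling

GALAXIES = [
    {"type": "threat-actor", "values": [
        {"value": "Actor X", "uuid": ACTOR_X,
         "meta": {"country": "ZZ", "attribution-confidence": 70}},
        # SHALL violation: a suspected sponsor is named but no confidence given.
        {"value": "Actor Y", "uuid": ACTOR_Y,
         "meta": {"cfr-suspected-state-sponsor": "Example State"}},
    ]},
    {"type": "tool", "values": [
        {"value": "Tool A", "uuid": TOOL_A,
         "related": [{"dest-uuid": ACTOR_X, "type": "used-by",
                      "tags": ['estimative-language:likelihood-probability="likely"']}]},
    ]},
    {"type": "example-relationship", "values": [
        {"value": "Actor X uses Tool A", "uuid": "c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f",
         "meta": {"source-uuid": ACTOR_X, "target-uuid": TOOL_A}},
        {"value": "Actor Y uses an unknown tool", "uuid": "d2e3f4a5-b6c7-4d8e-9f0a-1b2c3d4e5f6a",
         "meta": {"source-uuid": ACTOR_Y, "target-uuid": TOOL_MISSING}},
    ]},
]


def index_values(galaxies):
    """Map every value uuid to (galaxy type, value object)."""
    index = {}
    for galaxy in galaxies:
        for entry in galaxy["values"]:
            index[entry["uuid"]] = (galaxy["type"], entry)
    return index


def resolve_relationships(galaxies):
    """Resolve related/dest-uuid and source-uuid/target-uuid references.

    Returns (edges, dangling): edges are (source value, label, target value)
    triples, where the label is the related type or the relationship
    value's own text; dangling lists (referencing value, field, uuid) for
    every uuid that no loaded galaxy defines."""
    index = index_values(galaxies)
    edges, dangling = [], []
    for galaxy in galaxies:
        for entry in galaxy["values"]:
            for rel in entry.get("related", []):
                target = index.get(rel.get("dest-uuid"))
                if target is None:
                    dangling.append((entry["value"], "dest-uuid", rel.get("dest-uuid")))
                else:
                    edges.append((entry["value"], rel.get("type"), target[1]["value"]))
            meta = entry.get("meta", {})
            if "source-uuid" in meta or "target-uuid" in meta:
                src = index.get(meta.get("source-uuid"))
                dst = index.get(meta.get("target-uuid"))
                for field, hit in (("source-uuid", src), ("target-uuid", dst)):
                    if hit is None:
                        dangling.append((entry["value"], field, meta.get(field)))
                if src is not None and dst is not None:
                    edges.append((src[1]["value"], entry["value"], dst[1]["value"]))
    return edges, dangling


def confidence_label(score):
    """Map attribution-confidence (0..100) to the wording of the draft's scale.

    Assumption: the draft fixes 0, 50 and 100 only; the 25 and 75 cut-offs
    between the intermediate labels are chosen here for illustration."""
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
        raise ValueError(f"attribution-confidence must be within 0..100, got {score!r}")
    if score == 0:
        return "impossibility"
    if score < 25:
        return "almost certainly not"
    if score < 50:
        return "probably not"
    if score == 50:
        return "no information"
    if score <= 75:
        return "probable"
    if score < 100:
        return "almost certain"
    return "certainty"


def check_attribution(galaxies):
    """Findings for values naming a country or cfr-suspected-state-sponsor
    without a usable attribution-confidence, which SHALL then be present."""
    findings = []
    for galaxy in galaxies:
        for entry in galaxy["values"]:
            meta = entry.get("meta", {})
            if "country" not in meta and "cfr-suspected-state-sponsor" not in meta:
                continue
            score = meta.get("attribution-confidence")
            if score is None:
                findings.append((entry["value"], "attribution-confidence SHALL be present"))
                continue
            try:
                confidence_label(score)
            except ValueError as exc:
                findings.append((entry["value"], str(exc)))
    return findings
```

   Running resolve_relationships(GALAXIES) on the constructed set yields
   two resolved edges and one dangling target-uuid; a dangling reference
   after a galaxy update is the symptom of a uuid that was not preserved,
   which is exactly what the MUST in this section is meant to prevent.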
3. JSON Schema

   The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy
   formats.  The main format is the MISP galaxy format used for the
   clusters.

3.1. MISP galaxy format - galaxy

   {
     "$schema": "http://json-schema.org/schema#",
     "title": "Validator for misp-galaxies - Galaxies",
     "id": "https://www.github.com/MISP/misp-galaxies/schema_galaxies.json",
     "type": "object",
     "additionalProperties": false,
     "properties": {
       "description": {
         "type": "string"
       },
       "type": {
         "type": "string"
       },
       "version": {
         "type": "integer"
       },
       "name": {
         "type": "string"
       },
       "icon": {
         "type": "string"
       },
       "uuid": {
         "type": "string"
       },
       "namespace": {
         "type": "string"
       },
       "kill_chain_order": {
         "type": "object"
       }
     },
     "required": [
       "description",
       "type",
       "version",
       "name",
       "uuid"
     ]
   }

3.2. MISP galaxy format - clusters

   {
     "$schema": "http://json-schema.org/schema#",
     "title": "Validator for misp-galaxies - Clusters",
     "id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
     "type": "object",
     "additionalProperties": false,
     "properties": {
       "description": {
         "type": "string"
       },
       "type": {
         "type": "string"
       },
       "version": {
         "type": "integer"
       },
       "name": {
         "type": "string"
       },
       "uuid": {
         "type": "string"
       },
       "source": {
         "type": "string"
       },
       "category": {
         "type": "string"
       },
       "values": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "object",
           "additionalProperties": false,
           "properties": {
             "description": {
               "type": "string"
             },
             "value": {
               "type": "string"
             },
             "uuid": {
               "type": "string"
             },
             "related": {
               "type": "array",
               "items": {
                 "type": "object",
                 "additionalProperties": false,
                 "properties": {
                   "dest-uuid": {
                     "type": "string"
                   },
                   "type": {
                     "type": "string"
                   },
                   "tags": {
                     "type": "array",
                     "uniqueItems": true,
                     "items": {
                       "type": "string"
                     }
                   }
                 }
               }
             },
             "meta": {
               "type": "object",
               "additionalProperties": true,
               "properties": {
                 "type": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "complexity": {
                   "type": "string"
                 },
                 "effectiveness": {
                   "type": "string"
                 },
                 "country": {
                   "type": "string"
                 },
                 "possible_issues": {
                   "type": "string"
                 },
                 "colour": {
                   "type": "string"
                 },
                 "motive": {
                   "type": "string"
                 },
                 "impact": {
                   "type": "string"
                 },
                 "refs": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "synonyms": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "status": {
                   "type": "string"
                 },
                 "date": {
                   "type": "string"
                 },
                 "encryption": {
                   "type": "string"
                 },
                 "extensions": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 },
                 "ransomnotes": {
                   "type": "array",
                   "uniqueItems": true,
                   "items": {
                     "type": "string"
                   }
                 }
               }
             }
           },
           "required": [
             "value"
           ]
         }
       },
       "authors": {
         "type": "array",
         "uniqueItems": true,
         "items": {
           "type": "string"
         }
       }
     },
     "required": [
       "description",
       "type",
       "version",
       "name",
       "uuid",
       "values",
       "authors",
       "source",
       "category"
     ]
   }

4. Acknowledgements

   The authors wish to thank all the MISP community who are supporting
   the creation of open standards in threat intelligence sharing.

5. References

5.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

5.2. Informative References

   [CFR]      Relations, C. O. F., "Cyber Operations Tracker - Council
              on Foreign Relations", 2018.

   [JSON-SCHEMA]
              Wright, A., "JSON Schema: A Media Type for Describing JSON
              Documents", 2016.

   [MISP-G]   Community, M., "MISP Galaxy - Public Repository".

   [MISP-G-DOC]
              Community, M., "MISP Galaxy - Documentation of the Public
              Repository".

   [MISP-P]   Community, M., "MISP Project - Malware Information Sharing
              Platform and Threat Sharing".

   [MISP-R]   Community, M., "MISP Object Relationship Types - common
              vocabulary of relationships".

Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu


   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu


   Deborah Servili
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: deborah.servili@circl.lu