Merge pull request #92 from sebix/version-1.3
Version 1.3
amicaross authored May 17, 2021
2 parents 9045166 + ca74a2d commit 922453f
Showing 2 changed files with 78 additions and 33 deletions.
45 changes: 45 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,50 @@
# Changelog

## Version 1.3 (released 2021-05-26)

### Taxonomy

#### New entries
- Added *System Compromise* in the taxonomy *Intrusions*.
- Added *Leak of confidential information* in taxonomy *Information Content Security*.

#### Changed entries
- All expanded values are now in *CamelCase*:
- *Exploitation of known Vulnerabilities* -> *Exploitation of Known Vulnerabilities*
- *Login attempts* -> *Login Attempts*
- *New attack signature* -> *New Attack Signature*
- *Unauthorised access to information* -> *Unauthorised Access to Information*
- *Unauthorised modification of information* -> *Unauthorised Modification of Information*
- *Unauthorised use of resources* -> *Unauthorised Use of Resources*
- *DDoS amplifier* -> *DDoS Amplifier*
- *Potentially unwanted accessible services* -> *Potentially Unwanted Accessible Services*
- *Vulnerable system* -> *Vulnerable System*
- Changed for better clarity:
- *Weak crypto* -> *Weak Cryptography*

#### Minor changes
- Enhanced various descriptions, for example:
- *Harmful Speech*: Replaced *Discretization* by *Bullying, harassment*
- *Malware Distribution*: Also covers exploit-kits on websites
- *Unauthorised modification of information*: Also covers defacements.
- *Vulnerable system*: Also covers XSS vulnerabilities.

### RSIT 2 ATT&CK

Added documentation on the relation between RSIT and the ATT&CK framework,
as well as scripts to convert and usage documentation.

### Documentation

- Merged Acknowledgments and Contributing into the README.
- Spelling fixes over the full repository
- renamed all meeting minutes to the format `{date}-{location}`.
- new usage document covering covering what to classify and multiple classifications
- new document on how to get started
- Major rewording and extension of the README.
- Dependencies and tool mapping: updated Taxonomy users


## Version 1.2 (released 2019/09/15)

* changed everything (hopefully) from American English to British English
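Review bot: the *Minor changes* list still uses the old entry names that the *Changed entries* list directly above renames, and the doubled word in `- new usage document covering covering what to classify and multiple classifications` needs fixing. The lines `- *Unauthorised modification of information*: Also covers defacements.` and `- *Vulnerable system*: Also covers XSS vulnerabilities.` should read *Unauthorised Modification of Information* and *Vulnerable System* so that a reader searching the updated taxonomy finds them. Two smaller points: the renamed values are title case with spaces (the heading says *CamelCase*, which would be *LoginAttempts*), so the wording of that heading overstates the change; and the release date `2021-05-26` uses a different format from the `2019/09/15` of Version 1.2 below and is later than the commit date of May 17, 2021, so it should be confirmed before tagging. The Documentation list also mixes capitalised and lowercase items, some with trailing full stops and some without.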
66 changes: 33 additions & 33 deletions working_copy/humanv1.md
Expand Up @@ -14,42 +14,42 @@ Generated from [machine readable version](machinev1). Please **DO NOT** edit thi

| CLASSIFICATION (1ST COLUMN) | INCIDENT EXAMPLES (2ND COLUMN) | Description / Examples |
|--------------------------------------------------------- |------------------------------------ |------------------------|
| Abusive Content | Spam | Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc. |
| Abusive Content | Harmful Speech | Discretization or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals. |
| Abusive Content | (Child) Sexual Exploitation/Sexual/Violent Content | Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc. |
| Malicious Code | Infected System | System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server |
| Malicious Code | C2 Server | Command-and-control server contacted by malware on infected systems. |
| Malicious Code | Malware Distribution | URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites). |
| Malicious Code | Malware Configuration | URI hosting a malware configuration file, e.g. web-injects for a banking trojan. |
| Information Gathering | Scanning | Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning. |
| Information Gathering | Sniffing | Observing and recording of network traffic (wiretapping). |
| Information Gathering | Social Engineering | Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats). |
| Intrusion Attempts | Exploitation of known Vulnerabilities | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.) |
| Intrusion Attempts | Login attempts | Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol. |
| Intrusion Attempts | New attack signature | An attack using an unknown exploit. |
| Intrusions | Privileged Account Compromise | Compromise of a system where the attacker gained administrative privileges. |
| Abusive Content | Spam | Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources which make up spam infrastructure, for example, harvesters like address verification, URLs in spam emails, etc. |
| Abusive Content | Harmful Speech | Bullying, harassment or discrimination of somebody, e.g., cyber stalking, racism or threats against one or more individuals. |
| Abusive Content | (Child) Sexual Exploitation/Sexual/Violent Content | Child Sexual Exploitation (CSE), sexual content, glorification of violence, etc. |
| Malicious Code | Infected System | System infected with malware, e.g., a PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed command and control server. |
| Malicious Code | C2 Server | Command and control server contacted by malware on infected systems. |
| Malicious Code | Malware Distribution | URI used for malware distribution, e.g., a download URL included in fake invoice malware spam or exploit kits (on websites). |
| Malicious Code | Malware Configuration | URI hosting a malware configuration file, e.g., web injects for a banking trojan. |
| Information Gathering | Scanning | Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. This includes fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, etc) port scanning. |
| Information Gathering | Sniffing | Observing and recording of network traffic (i.e. wiretapping). |
| Information Gathering | Social Engineering | Gathering information from a human being in a non-technical way (e.g., using lies, tricks, bribes, or threats). |
| Intrusion Attempts | Exploitation of Known Vulnerabilities | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g., using a buffer overflow, backdoor, cross site scripting) |
| Intrusion Attempts | Login Attempts | Multiple brute-force login attempts (including guessing or cracking of passwords). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol. |
| Intrusion Attempts | New Attack Signature | An attack using an unknown exploit. |
| Intrusions | Privileged Account Compromise | Compromise of a system where the attacker has gained administrative privileges. |
| Intrusions | Unprivileged Account Compromise | Compromise of a system using an unprivileged (user/service) account. |
| Intrusions | Application Compromise | Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection. |
| Intrusions | System Compromise | Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems. |
| Intrusions | Burglary | Physical intrusion, e.g. into corporate building or data-centre. |
| Availability | Denial of Service | Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down. |
| Availability | Distributed Denial of Service | Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks. |
| Availability | Misconfiguration | Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK. |
| Availability | Sabotage | Physical sabotage, e.g cutting wires or malicious arson. |
| Availability | Outage | Outage caused e.g. by air condition failure or natural disaster. |
| Information Content Security | Unauthorised access to information | Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents. |
| Information Content Security | Unauthorised modification of information | Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements. |
| Information Content Security | Data Loss | Loss of data, e.g. caused by harddisk failure or physical theft. |
| Information Content Security | Leak of confidential information | Leaked confidential information like credentials or personal data. |
| Fraud | Unauthorised use of resources | Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes. |
| Fraud | Copyright | Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez). |
| Intrusions | Application Compromise | Compromise of an application by exploiting (un)known software vulnerabilities, e.g., SQL injection. |
| Intrusions | System Compromise | Compromise of a system, e.g., unauthorised logins or commands. This includes attempts to compromise honeypot systems. |
| Intrusions | Burglary | Physical intrusion, e.g., into a corporate building or data centre. |
| Availability | Denial of Service | Denial of Service attack, e.g., sending specially crafted requests to a web application which causes the application to crash or slow down. |
| Availability | Distributed Denial of Service | Distributed Denial of Service attack, e.g., SYN flood or UDP-based reflection/amplification attacks. |
| Availability | Misconfiguration | Software misconfiguration resulting in service availability issues, e.g., DNS server with outdated DNSSEC Root Zone KSK. |
| Availability | Sabotage | Physical sabotage, e.g., cutting wires or malicious arson. |
| Availability | Outage | An outage caused, for example, by air conditioning failure or natural disaster. |
| Information Content Security | Unauthorised Access to Information | Unauthorised access to information, e.g., by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents. |
| Information Content Security | Unauthorised Modification of Information | Unauthorised modification of information, e.g., by an attacker abusing stolen login credentials for a system or application, or ransomware encrypting data. Also includes defacements. |
| Information Content Security | Data Loss | Loss of data caused by, for example, hard disk failure or physical theft. |
| Information Content Security | Leak of Confidential Information | Leaked confidential information, e.g., credentials or personal data. |
| Fraud | Unauthorised Use of Resources | Using resources for unauthorised purposes including profit-making ventures, e.g., the use of email to participate in illegal profit chain letters or pyramid schemes. |
| Fraud | Copyright | Offering or installing copies of unlicensed commercial software or other copyright protected materials (also known as Warez). |
| Fraud | Masquerade | Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it. |
| Fraud | Phishing | Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials. |
| Vulnerable | Weak crypto | Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks. |
| Vulnerable | DDoS amplifier | Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled. |
| Vulnerable | Potentially unwanted accessible services | Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC. |
| Vulnerable | Information disclosure | Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis. |
| Vulnerable | Vulnerable system | A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc. |
| Vulnerable | Weak Cryptography | Publicly accessible services offering weak cryptography, e.g., web servers susceptible to POODLE/FREAK attacks. |
| Vulnerable | DDoS Amplifier | Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g., DNS open-resolvers or NTP servers with monlist enabled. |
| Vulnerable | Potentially Unwanted Accessible Services | Potentially unwanted publicly accessible services, e.g., Telnet, RDP or VNC. |
| Vulnerable | Information disclosure | Publicly accessible services potentially disclosing sensitive information, e.g., SNMP or Redis. |
| Vulnerable | Vulnerable System | A system which is vulnerable to certain attacks, e.g., misconfigured client proxy settings (such as WPAD), outdated operating system version, or cross-site scripting vulnerabilities. |
| Other | Uncategorised | All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised. |
| Other | Undetermined | The categorisation of the incident is unknown/undetermined. |
| Test | Test | Meant for testing. |
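Review bot: this hunk hand-edits a file whose own header says it is generated from the machine-readable version (`machinev1`) and must not be edited, and the commit touches only CHANGELOG.md and working_copy/humanv1.md, so the machine-readable source and this rendering now disagree; the renames and reworded descriptions should be applied to the source and the file regenerated, otherwise the next regeneration silently reverts them. Two content points in the added lines: the Scanning description `This includes fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, etc) port scanning.` dropped the comma the removed line had before `port scanning`, so it now reads as SMTP port scanning rather than a list that ends with port scanning; and `| Vulnerable | Information disclosure |` keeps lowercase `disclosure` while every neighbouring Vulnerable entry now capitalises each word, which contradicts the changelog's statement that all expanded values were renamed.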

0 comments on commit 922453f