[Intelmq-dev] Classification of malware events

Sebastian Wagner wagner at cert.at
Thu Mar 15 16:57:25 CET 2018


Hi,

Thanks for chiming in. I added my assumptions for a mapping below
between the quotes:

On 2018-03-12 16:56, Alexandre Dulaunoy wrote:
> adversary:infrastructure-status="unknown"
> adversary:infrastructure-status="compromised"
> adversary:infrastructure-status="own-and-operated"

We do not have equivalent fields for this kind of information.
> adversary:infrastructure-action="passive-only"
> adversary:infrastructure-action="take-down"
> adversary:infrastructure-action="monitoring-active"
> adversary:infrastructure-action="pending-law-enforcement-request"

Same here.
> adversary:infrastructure-state="unknown"
> adversary:infrastructure-state="active"
> adversary:infrastructure-state="down"

The state would match the field 'status'. We haven't specified values
for it yet.
> adversary:infrastructure-type="unknown"
> adversary:infrastructure-type="proxy"

In the ENISA taxonomies, proxies do not exist, so in intelmq that
would be other/proxy (in taxonomy/type notation)
> adversary:infrastructure-type="drop-zone"

'information content security'/dropzone
> adversary:infrastructure-type="exploit-distribution-point"

Taxonomy is 'malicious code', but not sure about the type, probably
'malware configuration' or 'c&c'
> adversary:infrastructure-type="vpn"

Not seen yet in intelmq, but that would be other/vpn
> adversary:infrastructure-type="panel"
> adversary:infrastructure-type="tds"

Also not seen in intelmq yet, but these are probably types below
'malicious code'.

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg

