On 12/03/18 16:43, Sebastian Wagner wrote:
On 2018-03-12 16:32, Thomas Hungenberg wrote:
On 12.03.2018 15:49, Sebastian Wagner wrote:
In intelmq we currently have 3 types for malicious code infections:
  malware
  botnet drone
  ransomware
According to the description, 'malware' does not refer to an infection but to malware _distribution_. So maybe we should better rename this to "malware distribution"?
+1 But needs to be fixed in various places. I think it has been used as synonym for 'infected device'.
And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually covers ransomware).
I'd suggest dropping 'ransomware'. Why use a specific classification type only for this kind of malware but not for 'spambot', 'banking trojan', 'rootkit' and others?
It was added on 18 Jun 2015 by Dognaedis: https://github.com/certtools/intelmq/commit/b53809b8c I don't see a reasoning for this.
I'd prefer using "infected system" as the classification type for malware infections as this fits with the classification level of other malicious code events.
Then we would have:
  taxonomy        type                   identifier
  malicious code  infected system        <malware-name>
  malicious code  c&c                    <malware-name>
  malicious code  dga domain             <malware-name>
  malicious code  malware distribution   <malware-name>
  malicious code  malware configuration  <malware-name>
+1 Time to clean this chaos.
The type seems quite similar to the adversary classification and especially the predicate 'infrastructure-type':
https://github.com/MISP/misp-taxonomies/blob/master/adversary/machinetag.jso...
  adversary:infrastructure-status="unknown"
  adversary:infrastructure-status="compromised"
  adversary:infrastructure-status="own-and-operated"
  adversary:infrastructure-action="passive-only"
  adversary:infrastructure-action="take-down"
  adversary:infrastructure-action="monitoring-active"
  adversary:infrastructure-action="pending-law-enforcement-request"
  adversary:infrastructure-state="unknown"
  adversary:infrastructure-state="active"
  adversary:infrastructure-state="down"
  adversary:infrastructure-type="unknown"
  adversary:infrastructure-type="proxy"
  adversary:infrastructure-type="drop-zone"
  adversary:infrastructure-type="exploit-distribution-point"
  adversary:infrastructure-type="vpn"
  adversary:infrastructure-type="panel"
  adversary:infrastructure-type="tds"
If you want, we can extend the infrastructure-type to match the ones you have or plan to have. Then we can create a completely new taxonomy for IntelMQ in MISP taxonomy.
Cheers
--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
16, bd d'Avranches L-1160 Luxembourg
info@circl.lu - www.circl.lu - (+352) 247 88444
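Added example, not code from the thread or from the IntelMQ project: a strict migration that rewrites the legacy 'malware' / 'botnet drone' / 'ransomware' types to the table proposed above and refuses anything outside it, with a dry-run audit so the "various places" that still emit the old types can be found before the rename. Events are assumed to be plain dicts with IntelMQ-style flat keys; mapping 'ransomware' to 'infected system' is an assumption drawn from the discussion, not a decision recorded in it.

```python
# Added example, not IntelMQ project code: rewrite legacy 'malicious code'
# classification types to the scheme proposed in the thread. Events are
# plain dicts with IntelMQ-style flat keys. Mapping 'ransomware' to
# 'infected system' is an assumption, not a decision from the thread.

# (taxonomy, type) pairs allowed after migration (table from the thread).
PROPOSED_TYPES = {("malicious code", t) for t in (
    "infected system", "c&c", "dga domain",
    "malware distribution", "malware configuration")}

LEGACY_TYPE_MAP = {
    "botnet drone": "infected system",   # thread: used as 'infected device'
    "malware": "malware distribution",   # thread: 'malware' meant distribution
    "ransomware": "infected system",     # assumption (see lead-in)
}

def migrate_event(event):
    """Return a copy of event with classification.type rewritten; raise
    ValueError on an unknown type or a missing malware.name identifier."""
    out = dict(event)
    if out.get("classification.taxonomy") != "malicious code":
        return out                        # other taxonomies untouched
    old = out.get("classification.type")
    new = LEGACY_TYPE_MAP.get(old, old)
    if ("malicious code", new) not in PROPOSED_TYPES:
        raise ValueError(f"unknown malicious-code type: {old!r}")
    if not out.get("malware.name"):
        raise ValueError("malicious-code event without malware.name")
    out["classification.type"] = new
    return out

def audit(events):
    """Dry run: count, per legacy type, the events that would be rewritten."""
    changes = {}
    for ev in events:
        old = ev.get("classification.type")
        if migrate_event(ev)["classification.type"] != old:
            changes[old] = changes.get(old, 0) + 1
    return changes

# Constructed sample events (not real feed data).
SAMPLE_EVENTS = [
    {"classification.taxonomy": "malicious code", "classification.type":
     "botnet drone", "malware.name": "examplebot", "source.ip": "192.0.2.10"},
    {"classification.taxonomy": "malicious code", "classification.type":
     "malware", "malware.name": "examplebot", "source.fqdn": "dl.example"},
    {"classification.taxonomy": "malicious code", "classification.type":
     "c&c", "malware.name": "examplebot", "source.ip": "192.0.2.20"},
]
```

Running `audit(SAMPLE_EVENTS)` reports `{'botnet drone': 1, 'malware': 1}`; any parser bot still emitting a type outside the proposed table shows up as a ValueError instead of being silently passed through.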