[Intelmq-dev] Classification of malware events
Alexandre Dulaunoy
Alexandre.Dulaunoy at circl.lu
Mon Mar 12 16:56:08 CET 2018
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/03/18 16:43, Sebastian Wagner wrote:
> On 2018-03-12 16:32, Thomas Hungenberg wrote:
>> On 12.03.2018 15:49, Sebastian Wagner wrote:
>>> In intelmq we currently have 3 types for malicious code infections: malware botnet drone ransomware
>> According to the description, 'malware' does not refer to an infection but to malware _distribution_. So maybe we should better rename this to "malware distribution"?
>
> +1 But needs to be fixed in various places. I think it has been used as synonym for 'infected device'.
>>> And in practice, which of the terms is used for classification (in the parser bots) is kind of random. But ransomware is not used at all (but it can be and should be, as some data actually
>>> covers ransomware).
>> I'd suggest dropping 'ransomware'. Why use a specific classification type only for this kind of malware but not for 'spambot', 'banking trojan', 'rootkit' and others?
>
> It has been added 18 Jun 2015 by Dognaedis: https://github.com/certtools/intelmq/commit/b53809b8c I don't see a reasoning for this.
>> I'd prefer using "infected system" as the classification type for malware infections as this fits with the classification level of other malicious code events.
>>
>> Then we would have:
>>
>> taxonomy type identifier malicious code infected system <malware-name> malicious code c&c <malware-name> malicious code dga domain <malware-name> malicious code malware distribution
>> <malware-name> malicious code malware configuration <malware-name>
>
> +1 Time to clean this chaos.
The type seems quite similar to the adversary classification and especially the predicate 'infrastructure-type':
https://github.com/MISP/misp-taxonomies/blob/master/adversary/machinetag.json#L80
adversary:infrastructure-status="unknown"
adversary:infrastructure-status="compromised"
adversary:infrastructure-status="own-and-operated"
adversary:infrastructure-action="passive-only"
adversary:infrastructure-action="take-down"
adversary:infrastructure-action="monitoring-active"
adversary:infrastructure-action="pending-law-enforcement-request"
adversary:infrastructure-state="unknown"
adversary:infrastructure-state="active"
adversary:infrastructure-state="down"
adversary:infrastructure-type="unknown"
adversary:infrastructure-type="proxy"
adversary:infrastructure-type="drop-zone"
adversary:infrastructure-type="exploit-distribution-point"
adversary:infrastructure-type="vpn"
adversary:infrastructure-type="panel"
adversary:infrastructure-type="tds"
If you want, we can extend the infrastructure-type to match the ones you have or plan to have. Then we can create
a complete new taxonomy for IntelMQ in MISP taxonomy.
Cheers
- --
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
16, bd d'Avranches L-1160 Luxembourg
info at circl.lu - www.circl.lu - (+352) 247 88444
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAlqmoxgACgkQCeLNSUTmy83uKACfeHqgaE/mwkwfgPKqBCBEai5E
j9wAn3DFlYAERaZbsflrl0dbIE5+6xgT
=kGsB
-----END PGP SIGNATURE-----
More information about the Intelmq-dev
mailing list