Annex A (Informative) Threat Information Component Format Reference
This annex gives, in tabular form, the field descriptions of each threat information component in the threat information expression model, together with a JSON-format example of each component.
A.1 Observable data (Observation)
Table A.1 Observation object field description

Table A.2 DNS record

Table A.3 Email basic record

Table A.4 File download basic record

Table A.5 File information basic record

Table A.6 Process information basic record

Table A.7 URL access basic record

Table A.8 Registry information

Table A.9 User information basic record

Table A.10 System information basic record

JSON-format data example of observable data (the two DNS entries are combined with the "or" relationship, so either A record satisfies the observation):
```json
{
  "id": "observation-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "title": "Observable data for the Poison Ivy malware",
  "description": "Observable data for the Poison Ivy malware",
  "short_description": "",
  "object": [
    {
      "relationship": "or",
      "value": [
        {
          "constraint": "equal",
          "object_type": "dns",
          "name_server": "NS1.NAMESERVER.COM",
          "record": "123.56.1.34",
          "dns_type": "A"
        },
        {
          "constraint": "equal",
          "object_type": "dns",
          "name_server": "NS1.NAMESERVER.COM",
          "record": "123.56.1.35",
          "dns_type": "A"
        }
      ]
    }
  ]
}
```
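The sample above only shows the shape of an Observation; it does not say how a consumer evaluates it. The following is an added example (not part of GB/T 36643 or any vendor implementation) that matches an Observation component against observed DNS events. The semantics are assumptions for illustration: entries inside one "object" group are combined by that group's "relationship" ("or" / "and"), the groups themselves are ANDed, and "equal" compares whitespace-trimmed, case-folded strings so that a stray space or differing case in a name server value does not silently break a match. The event records are constructed, not from the page.

```python
"""Evaluate a GB/T 36643-style Observation component against observed events.
Added example; matching semantics (see lead-in) are assumptions."""
import json

# Constructed sample in the page's Observation format.  The leading/trailing
# spaces in the second name_server are deliberate: they show why values must
# be normalised before comparison.
OBSERVATION_JSON = r'''{
  "id": "observation-a5f6f606bd5540c4a5185245d382c1e7",
  "version": "1.0",
  "object": [
    {"relationship": "or",
     "value": [
       {"constraint": "equal", "object_type": "dns",
        "name_server": "NS1.NAMESERVER.COM", "record": "123.56.1.34", "dns_type": "A"},
       {"constraint": "equal", "object_type": "dns",
        "name_server": " NS1.NAMESERVER.COM ", "record": "123.56.1.35", "dns_type": "A"}
     ]}
  ]
}'''

# Keys that describe the entry itself rather than fields of the observed object.
META = {"constraint", "object_type"}


def norm(v):
    """Normalise a field value: strip stray whitespace and fold case."""
    return str(v).strip().lower()


def entry_matches(entry, event):
    """One 'value' entry against one observed event (a dict of fields)."""
    if entry.get("object_type") != event.get("object_type"):
        return False
    constraint = entry.get("constraint", "equal")
    if constraint != "equal":          # only the constraint used on the page
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return all(norm(event.get(k)) == norm(v)
               for k, v in entry.items() if k not in META)


def group_matches(group, events):
    """Combine the entries of one 'object' group with its 'relationship'."""
    entries = group.get("value", [])
    rel = group.get("relationship", "or").lower()
    hits = [any(entry_matches(e, ev) for ev in events) for e in entries]
    if rel == "or":
        return any(hits)
    if rel == "and":
        return all(hits)
    raise ValueError(f"unsupported relationship: {rel!r}")


def observation_matches(observation, events):
    """True when every group in 'object' is satisfied (groups are ANDed: assumption)."""
    groups = observation.get("object", [])
    return bool(groups) and all(group_matches(g, events) for g in groups)


def matched_values(observation, events):
    """Which 'record' values triggered; useful for an alert or enrichment pipeline."""
    out = []
    for g in observation.get("object", []):
        for e in g.get("value", []):
            if any(entry_matches(e, ev) for ev in events):
                out.append(e.get("record"))
    return out


OBSERVATION = json.loads(OBSERVATION_JSON)

# Constructed DNS resolver log lines (not from the page), already parsed.
EVENTS = [
    {"object_type": "dns", "name_server": "ns1.nameserver.com",
     "record": "123.56.1.35", "dns_type": "A"},
    {"object_type": "dns", "name_server": "ns2.other.net",
     "record": "10.0.0.1", "dns_type": "A"},
]

if __name__ == "__main__":
    print(observation_matches(OBSERVATION, EVENTS), matched_values(OBSERVATION, EVENTS))
```

Only the second A record is present in the events, which is enough under "or"; switching the group's relationship to "and" would require both records to be seen. A production matcher would add the other constraint values a feed may emit and the remaining object types from Tables A.2 to A.10.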
A.2 Indicator
Table A.11 Indicator description

JSON-format data example of an indicator (the indicator references the observation above by id and carries file hashes in composite_indicator_expression):
```json
{
  "id": "indicator-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "title": "Indicator for the Poison Ivy malware",
  "type": "malware",
  "aliases": "",
  "description": "Indicator for the Poison Ivy malware",
  "short_description": "",
  "valid_from": "2016-12-09T08:58:33Z",
  "valid_to": "2017-12-09T08:58:33Z",
  "observable": "observation-a5f6f606bd5540c4a5185245d382c1e7",
  "composite_indicator_expression": [
    {
      "value": "3773a88f65a5e780c8dff9cdc3a056f3",
      "source_ref": "provider",
      "type": "md5",
      "created_time": "2016-12-09T08:58:33Z"
    },
    {
      "value": "0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03",
      "source_ref": "provider",
      "type": "sha256",
      "created_time": "2016-12-09T08:58:33Z"
    }
  ],
  "indicated_TTP": ["ttp-a5f6f606bd5540c4a5185245d382c1e7"],
  "test_mechanisms": "",
  "likely_impact": "",
  "suggested_of_coa": ["coa-a5f6f606bd5540c4a5185245d382c1e7"],
  "confidence": "89",
  "related_indicators": [],
  "information_source": "provider"
}
```
A.3 Incident
Table A.12 Incident field description
| Field | Description | Predefined values | Required |
|---|---|---|---|
| id | Identifier | None | Required |
| idref | Referenced identifier | None | Optional |
| timestamp | Timestamp | None | Optional |
| version | Version | None | Required |
| url | Location link (URL) | None | Optional |
| title | Name | None | Optional |
| external_id | External identifier | None | Optional |
| valid_from | Validity start time | None | Optional |
| valid_to | Validity end time | None | Optional |
| description | Description | None | Optional |
| short_description | Short description | None | Optional |
| categories | Categories | None | Optional |
| participator | Parties involved | None | Optional |
| affected_assets | Affected assets | None | Optional |
| impact_assessment | Impact assessment | None | Optional |
| status | Status | None | Optional |
| related_indicators | Related indicators | None | Optional |
| intended_effect | Intended effect | Account Takeover; Advantage; Advantage - Economic; Advantage - Military; Advantage - Political; Brand Damage; Competitive Advantage; Degradation of Service; Denial and Deception; Destruction; Disruption; Embarrassment; Exposure; Extortion; Fraud; Harassment; ICS Control; Theft; Theft - Credential Theft; Theft - Identity Theft; Theft - Intellectual Property; Theft - Theft of Proprietary Information; Traffic Diversion; Unauthorized Access | Optional |
| security_compromise | Security compromise (whether access was obtained) | None | Optional |
| discovery_method | Discovery method | None | Optional |
| COA_requested | Requested courses of action | None | Optional |
| credibility | Credibility | None | Optional |
| contact | Contact | None | Optional |
| history | History | None | Optional |
| info_source | Information source | None | Optional |
JSON-format data example of an incident:
```json
{
  "id": "incident-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "url": "https://sfds.cn/act",
  "title": "Poison Ivy incident",
  "external_id": "",
  "valid_from": "2016-12-09T08:58:33Z",
  "valid_to": "2017-12-09T08:58:33Z",
  "description": "Description of the Poison Ivy incident",
  "short_description": "",
  "categories": ["Virus/Trojan", "APT intelligence"],
  "participator": [
    {
      "reporter": "reporter",
      "responder": ["responder1", "responder2"],
      "coordinator": ["coordinator1", "coordinator2"],
      "victim": ["victim1"]
    }
  ],
  "affected_assets": "Microsoft Windows",
  "impact_assessment": "",
  "status": "Open",
  "related_indicators": ["indicator-a5f6f606bd5540c4a5185245d382c1e7", "ttp-a5f6f606bd5540c4a5185245d382c1e7", "threatactor-a5f6f606bd5540c4a5185245d382c1e7"],
  "intended_effect": "Theft - Credential Theft",
  "security_compromise": "Yes",
  "discovery_method": "IT Audit",
  "related_incidents": [],
  "COA_requested": ["coa-a5f6f606bd5540c4a5185245d382c1e7"],
  "credibility": "high",
  "contact": ["4000810710"],
  "history": ["Patched on 2010-10-10"],
  "info_source": "provider"
}
```
A.4 Campaign
Table A.13 Campaign field format description
| Field | Description | Predefined values | Required |
|---|---|---|---|
| id | Identifier | None | Required |
| idref | Referenced identifier | None | Optional |
| timestamp | Timestamp | None | Optional |
| version | Version | None | Required |
| title | Name | None | Optional |
| description | Description | None | Optional |
| short_description | Short description | None | Optional |
| aliases | Aliases | None | Optional |
| intended_effect | Intended effect | Account Takeover; Advantage; Advantage - Economic; Advantage - Military; Advantage - Political; Brand Damage; Competitive Advantage; Degradation of Service; Denial and Deception; Destruction; Disruption; Embarrassment; Exposure; Extortion; Fraud; Harassment; ICS Control; Theft; Theft - Credential Theft; Theft - Identity Theft; Theft - Intellectual Property; Theft - Theft of Proprietary Information; Traffic Diversion; Unauthorized Access | Optional |
| status | Status | Ongoing; Historic; Future | Optional |
| related_incidents | Related incidents | None | Optional |
| attributed_to | Attributed threat actors | None | Optional |
| related_TTPs | Related TTPs | None | Optional |
| associated_campaigns | Associated campaigns | None | Optional |
| confidence | Confidence | None | Optional |
| activity | Related activity | None | Optional |
| information_source | Information source | None | Optional |
JSON-format data example of a campaign:
```json
{
  "id": "campaign-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "title": "Campaign using the Poison Ivy malware",
  "description": "Description of the Poison Ivy campaign",
  "short_description": "",
  "aliases": "",
  "intended_effect": "Theft - Credential Theft",
  "status": "Ongoing",
  "related_incidents": ["incident-b5565607b6574054a4185245d382c1e7"],
  "attributed_to": ["threatactor-a5f6f606bd5540c4a5185245d382c1e7"],
  "related_TTPs": ["ttp-98f9f6078d7590cea6185640d7827180"],
  "associated_campaigns": [],
  "confidence": "89",
  "activity": "",
  "information_source": "provider"
}
```
A.5 TTP (Tactics, Techniques and Procedures)
Table A.14 TTP field description
| Field | Description | Predefined values | Required |
|---|---|---|---|
| id | Identifier | None | Required |
| idref | Referenced identifier | None | Optional |
| timestamp | Timestamp | None | Optional |
| version | Version | None | Required |
| title | Name | None | Optional |
| description | Description | None | Optional |
| short_description | Short description | None | Optional |
| intended_effect | Intended effect | Account Takeover; Advantage; Advantage - Economic; Advantage - Military; Advantage - Political; Brand Damage; Competitive Advantage; Degradation of Service; Denial and Deception; Destruction; Disruption; Embarrassment; Exposure; Extortion; Fraud; Harassment; ICS Control; Theft; Theft - Credential Theft; Theft - Identity Theft; Theft - Intellectual Property; Theft - Theft of Proprietary Information; Traffic Diversion; Unauthorized Access | Optional |
| behavior | Attack behavior | None | Optional |
| resources | Attack resources | None | Optional |
| victim_targeting | Victim targeting | None | Optional |
| exploit_targets | Exploit targets | None | Optional |
| related_TTPs | Related TTPs | None | Optional |
| kill_chain_phases | Kill chain phases | reconnaissance; weaponization; delivery; exploitation; installation; command&control; actions on objectives | Optional |
| information_source | Information source | None | Optional |
| kill_chains | Kill chains | None | Optional |
JSON-format data example of a TTP:
```json
{
  "id": "ttp-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "title": "TTP of the Poison Ivy malware",
  "description": "Description of the TTP used in the Poison Ivy campaign",
  "short_description": "",
  "intended_effect": "Theft - Credential Theft",
  "behavior": "Attack carried out using Poison Ivy",
  "resources": ["Poison Ivy"],
  "victim_targeting": "Financial or Economic",
  "exploit_targets": ["target-a5f6f606bd5540c4a5185245d382c1e7"],
  "related_TTPs": [],
  "kill_chain_phases": "",
  "information_source": "provider",
  "kill_chains": ""
}
```
A.6 Course of Action
Table A.15 Course of Action field description
| Field | Description | Predefined values | Required |
|---|---|---|---|
| id | Identifier | None | Required |
| idref | Referenced identifier | None | Optional |
| timestamp | Timestamp | None | Optional |
| version | Version | None | Required |
| title | Name | None | Optional |
| stage | Stage | Remedy; Response | Optional |
| type | Type | Diplomatic Actions; Eradication; Hardening; Internal Blocking; Logical Access Restrictions; Monitoring; Other; Patching; Perimeter Blocking; Physical Access Restrictions; Policy Actions; Public Disclosure; Rebuilding; Redirection; Redirection (Honey Pot); Training | Optional |
| description | Description | None | Optional |
| short_description | Short description | None | Optional |
| objective | Objective | None | Optional |
| parameter_observables | Parameter observables | None | Optional |
| structured_COA | Structured COA | None | Optional |
| impact | Impact | None | Optional |
| cost | Cost | None | Optional |
| efficacy | Efficacy | None | Optional |
| information_source | Information source | None | Optional |
| related_COAs | Related COAs | None | Optional |
JSON-format data example of a course of action:
```json
{
  "id": "coa-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "title": "Course of action against the Poison Ivy malware",
  "stage": "Remedy",
  "type": ["Physical Access Restrictions", "Eradication", "Patching"],
  "description": "Description of the course of action for the Poison Ivy campaign",
  "short_description": "",
  "objective": ["3773a88f65a5e780c8dff9cdc3a056f3"],
  "parameter_observables": "audit",
  "structured_COA": "",
  "impact": "",
  "cost": "",
  "efficacy": "",
  "information_source": "provider",
  "related_COAs": []
}
```
A.7 Threat Actor
Table A.16 Threat Actor field description
| Field | Description | Predefined values | Required |
|---|---|---|---|
| id | Identifier | None | Required |
| idref | Referenced identifier | None | Optional |
| timestamp | Timestamp | None | Optional |
| version | Version | None | Required |
| title | Name | None | Optional |
| description | Description | None | Optional |
| short_description | Short description | None | Optional |
| identity | Identity | None | Optional |
| type | Type | None | Optional |
| motivation | Motivation | Ideological; Ideological - Anti-Corruption; Ideological - Anti-Establishment; Ideological - Environmental; Ideological - Ethnic / Nationalist; Ideological - Information Freedom; Ideological - Religious; Ideological - Security Awareness; Ideological - Human Rights; Ego; Financial or Economic; Military; Opportunistic; Political | Optional |
| sophistication | Sophistication (experience) | Cyber Espionage Operations; Hacker; Hacker - White hat; Hacker - Gray hat; Hacker - Black hat; Hacktivist; State Actor / Agency; eCrime Actor - Credential Theft Botnet Operator; eCrime Actor - Credential Theft Botnet Service; eCrime Actor - Malware Developer; eCrime Actor - Money Laundering Network; eCrime Actor - Organized Crime Actor; eCrime Actor - Spam Service; eCrime Actor - Traffic Service; eCrime Actor - Underground Call Service; Insider Threat; Disgruntled Customer / User | Optional |
| intended_effect | Intended effect | Account Takeover; Advantage; Advantage - Economic; Advantage - Military; Advantage - Political; Brand Damage; Competitive Advantage; Degradation of Service; Denial and Deception; Destruction; Disruption; Embarrassment; Exposure; Extortion; Fraud; Harassment; ICS Control; Theft; Theft - Credential Theft; Theft - Identity Theft; Theft - Intellectual Property; Theft - Theft of Proprietary Information; Traffic Diversion; Unauthorized Access | Optional |
| planning_and_operational_support | Planning and operational support | Data Exploitation; Data Exploitation - Analytic Support; Data Exploitation - Translation Support; Financial Resources; Financial Resources - Academic; Financial Resources - Commercial; Financial Resources - Government; Financial Resources - Hacktivist or Grassroot; Financial Resources - Non-Attributable Finance; Planning; Planning - Open-Source Intelligence (OSINT) Gathering; Planning - Operational Cover Plan; Planning - Pre-Operational Surveillance and Reconnaissance; Planning - Target Selection; Skill Development / Recruitment; Skill Development / Recruitment - Contracting and Hiring; Skill Development / Recruitment - Document Exploitation (DOCEX) Training; Skill Development / Recruitment - Internal Training; Skill Development / Recruitment - Military Programs; Skill Development / Recruitment - Security / Hacker Conferences; Skill Development / Recruitment - Underground Forums; Skill Development / Recruitment - University Programs | Optional |
| observed_TTPs | Observed TTPs | None | Optional |
| associated_campaigns | Associated campaigns | None | Optional |
| associated_actors | Associated threat actors | None | Optional |
| confidence | Confidence | None | Optional |
| information_source | Information source | None | Optional |
JSON-format data example of a threat actor:
```json
{
  "id": "threatactor-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "title": "Threat actor behind the Poison Ivy malware",
  "description": "Description of the threat actor behind the Poison Ivy malware",
  "short_description": "",
  "identity": "APT28",
  "type": ["organization"],
  "motivation": "Financial or Economic",
  "sophistication": "Hacker",
  "intended_effect": "Theft",
  "planning_and_operational_support": "Financial Resources - Hacktivist or Grassroot",
  "observed_TTPs": ["ttp-a5f6f606bd5540c4a5185245d382c1e7"],
  "associated_campaigns": ["campaign-a5f6f606bd5540c4a5185245d382c1e7"],
  "associated_actors": [],
  "confidence": "90",
  "information_source": "provider"
}
```
A.8 Exploit Target
Table A.17 Exploit Target field description
| Field | Description | Predefined values | Required |
|---|---|---|---|
| id | Identifier | None | Required |
| idref | Referenced identifier | None | Optional |
| timestamp | Timestamp | None | Optional |
| version | Version | None | Required |
| title | Name | None | Optional |
| description | Description | None | Optional |
| short_description | Short description | None | Optional |
| vulnerability | Vulnerability list | None | Optional |
| weakness | Weakness type | None | Optional |
| potential_COAs | Potential courses of action | None | Optional |
| information_source | Information source | None | Optional |
| related_exploit_targets | Related exploit targets | None | Optional |
JSON-format data example of an exploit target:
```json
{
  "id": "target-a5f6f606bd5540c4a5185245d382c1e7",
  "idref": "",
  "timestamp": "2016-12-09T08:58:33Z",
  "version": "1.0",
  "title": "Exploit target of the Poison Ivy malware",
  "description": "Description of the exploit target of the Poison Ivy malware",
  "short_description": "",
  "vulnerability": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"],
  "weakness": "Unauthorized access",
  "potential_COAs": ["coa-a5f6f606bd5540c4a5185245d382c1e7"],
  "information_source": "provider",
  "related_exploit_targets": []
}
```
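The tables in A.3 to A.8 fix the required fields, the predefined vocabularies and the cross-component references (observable, indicated_TTP, suggested_of_coa, attributed_to, exploit_targets, potential_COAs and so on), but the annex does not show how a consumer checks them. The following is an added example, not part of GB/T 36643 or any vendor implementation, that validates a bundle of components against those tables: required id and version, the id form used in the samples, timestamp format, the intended_effect, campaign status, COA stage and type and kill chain phase vocabularies, and that every referenced id resolves inside the bundle. Assumptions: the id prefix is the lower-case component name from the samples (observation-, indicator-, incident-, campaign-, ttp-, coa-, threatactor-, target-) followed by 32 hex digits; the long motivation, sophistication and planning vocabularies of Table A.16 are omitted here for brevity and would be added the same way; the bundle itself is constructed, with a deliberately broken campaign.

```python
"""Validator for the threat information components of this annex.
Added example; id format and the set of checked vocabularies are assumptions."""
import re
from datetime import datetime

ID_RE = re.compile(
    r"^(observation|indicator|incident|campaign|ttp|coa|threatactor|target)-[0-9a-f]{32}$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # the samples use second-precision UTC

INTENDED_EFFECT = {
    "Account Takeover", "Advantage", "Advantage - Economic", "Advantage - Military",
    "Advantage - Political", "Brand Damage", "Competitive Advantage",
    "Degradation of Service", "Denial and Deception", "Destruction", "Disruption",
    "Embarrassment", "Exposure", "Extortion", "Fraud", "Harassment", "ICS Control",
    "Theft", "Theft - Credential Theft", "Theft - Identity Theft",
    "Theft - Intellectual Property", "Theft - Theft of Proprietary Information",
    "Traffic Diversion", "Unauthorized Access"}
COA_TYPE = {
    "Diplomatic Actions", "Eradication", "Hardening", "Internal Blocking",
    "Logical Access Restrictions", "Monitoring", "Other", "Patching",
    "Perimeter Blocking", "Physical Access Restrictions", "Policy Actions",
    "Public Disclosure", "Rebuilding", "Redirection", "Redirection (Honey Pot)",
    "Training"}
# (component prefix or "*" for any, field) -> predefined values from the tables
VOCAB = {
    ("*", "intended_effect"): INTENDED_EFFECT,
    ("campaign", "status"): {"Ongoing", "Historic", "Future"},
    ("coa", "stage"): {"Remedy", "Response"},
    ("coa", "type"): COA_TYPE,
    ("ttp", "kill_chain_phases"): {"reconnaissance", "weaponization", "delivery",
                                   "exploitation", "installation",
                                   "command&control", "actions on objectives"},
}
# Fields whose values are component ids that must resolve inside the bundle.
REF_FIELDS = {
    "observable", "indicated_TTP", "suggested_of_coa", "related_indicators",
    "related_incidents", "COA_requested", "attributed_to", "related_TTPs",
    "associated_campaigns", "exploit_targets", "potential_COAs",
    "related_exploit_targets", "observed_TTPs", "associated_actors", "related_COAs"}


def _as_list(v):
    """Fields appear as a string, a list, or '' (empty) in the samples; normalise."""
    if v in (None, "", []):
        return []
    return v if isinstance(v, list) else [v]


def validate_component(c):
    """Field-level checks for one component; returns a list of error strings."""
    errs = []
    for f in ("id", "version"):
        if not c.get(f):
            errs.append(f"missing required field {f}")
    cid = c.get("id", "")
    if cid and not ID_RE.match(cid):
        errs.append(f"malformed id {cid!r}")
    prefix = cid.split("-", 1)[0]
    for f in ("timestamp", "valid_from", "valid_to"):
        if c.get(f):
            try:
                datetime.strptime(c[f], TS_FMT)
            except ValueError:
                errs.append(f"{f} is not an ISO 8601 UTC timestamp: {c[f]!r}")
    for (p, f), allowed in VOCAB.items():
        if p in ("*", prefix):
            for v in _as_list(c.get(f)):
                if v not in allowed:
                    errs.append(f"{f} value {v!r} is not a predefined value")
    return errs


def validate_bundle(components):
    """Validate every component and check that all references resolve."""
    ids = {c.get("id") for c in components}
    report = {}
    for c in components:
        errs = validate_component(c)
        for f in REF_FIELDS & set(c):
            for ref in _as_list(c[f]):
                if ref not in ids:
                    errs.append(f"{f} references unknown id {ref!r}")
        if errs:
            report[c.get("id") or "<no id>"] = errs
    return report


_H = "a5f6f606bd5540c4a5185245d382c1e7"   # hex suffix reused from the samples
BUNDLE = [  # constructed bundle; the last component is deliberately broken
    {"id": f"observation-{_H}", "version": "1.0", "timestamp": "2016-12-09T08:58:33Z"},
    {"id": f"indicator-{_H}", "version": "1.0", "observable": f"observation-{_H}",
     "indicated_TTP": [f"ttp-{_H}"], "suggested_of_coa": [f"coa-{_H}"]},
    {"id": f"ttp-{_H}", "version": "1.0", "intended_effect": "Theft - Credential Theft",
     "kill_chain_phases": ["delivery", "installation"], "exploit_targets": [f"target-{_H}"]},
    {"id": f"coa-{_H}", "version": "1.0", "stage": "Remedy", "type": ["Eradication", "Patching"]},
    {"id": f"target-{_H}", "version": "1.0", "vulnerability": ["CVE-2017-0144"]},
    {"id": f"campaign-{_H}", "version": "1.0", "timestamp": "2016-12-09 08:58:33",
     "status": "Running", "intended_effect": "Credential Theft",
     "related_incidents": ["incident-b5565607b6574054a4185245d382c1e7"]},
]

if __name__ == "__main__":
    for cid, errs in validate_bundle(BUNDLE).items():
        print(cid, *errs, sep="\n  ")
```

The broken campaign is reported with four findings: a non-ISO timestamp, an intended_effect that is not the vocabulary form "Theft - Credential Theft", a status outside Ongoing/Historic/Future, and a related_incidents reference to an id that is not in the bundle. Reference resolution is deliberately done over the whole bundle rather than per component, because a feed consumer that stores an indicator whose suggested_of_coa points nowhere has accepted a dangling pointer it can never act on.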
GB/T 36643—2018 Information security technology: Cyber security threat information format specification