2017-06-14

Incident Response and Threat Intelligence ontology

Copyright 2017 Morton Swimmer

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

An ontology for classifying and analyzing Internet entities with an emphasis on computer incident response and threat intelligence processing.

has CNAME record
    This points to a PTR record that is not compliant with the RFCs but seems to be used to make MX servers compliant with the PTR requirements. What is probably happening is that it is being treated like a CNAME or DNAME. In the end, it is not clear how this can even work, but it was common enough to merit its own record.

has DS record

has domain
    Specifies that the subject refers to a domain.

has LOC record
    Latitude, longitude and altitude of the location of the server or service referenced by this domain.

has MX FQDN

has nameserver

has NSEC record

has NSEC allowed record

has NSEC domain range from

has NSEC domain range to

has PTR record

has rating

has SOA MNAME

has SOA RNAME

has SRV record

has SRV target
    The canonical hostname of the machine providing the service, ending in a dot.

has SSH fingerprint

has SSH fingerprint algorithm

has SSH fingerprint type

has violation

A property of a domain.

has RRSIG algorithm number

has RRSIG inception expiration

has RRSIG key tag

has RRSIG labels

has RRSIG original TTL

has RRSIG signature

has RRSIG signature expiration

has RRSIG signer name

has SSH fingerprint value

A record
    Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but it is also used for DNSBLs, storing subnet masks in RFC 1101, etc.

AAAA record
    Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.

benign

CIDR
    Classless Inter-Domain Routing.

CNAME record
    A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) used to specify that a domain name is an alias for another domain, the "canonical" domain. All information, including subdomains, IP addresses, etc., is defined by the canonical domain.
    http://tools.ietf.org/html/rfc1035#page-12

Classful network
    A classful network is a network addressing architecture used in the Internet from 1981 until the introduction of Classless Inter-Domain Routing in 1993. The method divides the address space for Internet Protocol Version 4 (IPv4) into five address classes by address range. Classes A, B and C are networks of three different network sizes, i.e. number of hosts for unicast addresses. Class D is for multicast. The class E address range is reserved for future or experimental purposes. Under classful networking, the subnet mask was implied by which address range (class) the address occupied and did not need to be specified separately.
    https://en.wikipedia.org/wiki/Classful_network

Cryptographic hash function
    A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone.
    https://en.wikipedia.org/wiki/Cryptographic_hash_function

DS record
    The record used to identify the DNSSEC signing key of a delegated zone.
    https://tools.ietf.org/html/rfc4034

DSA
    https://en.wikipedia.org/wiki/Digital_Signature_Algorithm

Double flux
    A more sophisticated type of fast flux, referred to itself as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.

ECDSA
    https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

FQDN
    Fully qualified domain name.

FastFlux
    Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.
    https://en.wikipedia.org/wiki/Fast_flux

HINFO record
    Allows definition of the hardware type and operating system (OS) in use at a host. For security reasons these records are rarely used on public servers. If a space exists in the field it must be enclosed in quotes. Single space between the hardware and OS parameters.
    http://www.zytrax.com/books/dns/ch8/hinfo.html

Hash function
    A hash function is any function that can be used to map data of arbitrary size to data of fixed size.
    https://en.wikipedia.org/wiki/Hash_function

Threat incident
    A threat incident is any activity or event that was measured and has been deemed a threat to computer systems or users.

Domain
    Arbitrary domain name.

Some property that existed at a point in time.

LOC record
    A LOC record (experimental) is a means for expressing geographic location information for a domain name. It contains WGS84 latitude, longitude and altitude information together with host/subnet physical size and location accuracy.
    https://tools.ietf.org/html/rfc1876

MX record
    Maps a domain name to a list of message transfer agents for that domain.
    http://tools.ietf.org/html/rfc1035#page-12
    http://tools.ietf.org/html/rfc7505

malicious

NS record
    Delegates a DNS zone to use the given authoritative name servers.
    http://tools.ietf.org/html/rfc1035#page-12

NSEC record
    Part of DNSSEC, used to prove that a name does not exist. Uses the same format as the (obsolete) NXT record.
    https://tools.ietf.org/html/rfc4034

NSEC3 record
    An extension to DNSSEC that allows proof of nonexistence for a name without permitting zone walking.
    https://tools.ietf.org/html/rfc5155

PTR record
    Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.
    http://tools.ietf.org/html/rfc1035#page-12

Non-routable address

Routable address

RP record
    Information about the responsible person(s) for the domain. Usually an email address with the @ replaced by a dot.

RRSIG record
    Signature for a DNSSEC-secured record set. Uses the same format as the SIG record.
    https://tools.ietf.org/html/rfc4034

RSA
    https://en.wikipedia.org/wiki/RSA_(cryptosystem)

rating

DNS Resolution
    A DNS resolution is a mapping from a domain name to any of the DNS records that IANA defines in RFC 1035.
    https://www.ietf.org/rfc/rfc1035.txt

SHA-1
    https://en.wikipedia.org/wiki/SHA-1

SOA record
    Start of [a zone of] authority record.
    http://tools.ietf.org/html/rfc1035#page-12
    https://tools.ietf.org/html/rfc2308

SPF record
    Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged sender addresses, so publishing and checking SPF records can be considered anti-spam techniques.
    https://en.wikipedia.org/wiki/Sender_Policy_Framework

SRV record
    A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services.
    https://tools.ietf.org/html/rfc2782

SSHFP record
    Upon connection to an SSH server, the SSH client MAY look up the SSHFP resource record(s) for the host it is connecting to. If the algorithm and fingerprint of the key received from the SSH server match the algorithm and fingerprint of one of the SSHFP resource record(s) returned from DNS, the client MAY accept the identity of the server.
    http://www.openssh.com/txt/rfc4255.txt

Single flux
    The simplest type of fast flux, named "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values, usually less than five minutes (300s), to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.

suspicious

Top-level domain

Limited distribution
    Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

Community wide
    Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

Personal for named recipients only
    Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

Unlimited
    Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

TXT record
    A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate some arbitrary and unformatted text with a host or other name, such as human-readable information about a server, network, data center, and other accounting information. A domain is not limited to having only one text record; any fully qualified domain may potentially have several records.
    https://en.wikipedia.org/wiki/TXT_Record

Variable-Length Subnet Masking