2017-06-14
Incident Response and Threat Intelligence ontology
Copyright 2017 Morton Swimmer
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
An ontology for classifying and analyzing Internet entities with an emphasis on computer incident response and threat intelligence processing.
This points to a PTR record that is not compliant with the RFCs but seems to be used to make MX servers compliant with the PTR requirements. What is probably happening is that it is being treated like a CNAME or DNAME. In the end, it is not clear how this can even work, but it was common enough to merit its own record.
has CNAME record
has DS record
specify that the subject refers to a domain
has domain
Latitude, longitude and altitude of the location of the server or service referenced by this domain.
has LOC record
has MX FQDN
has nameserver
has NSEC record
has NSEC allowed record
has NSEC domain range from
has NSEC domain range to
has PTR record
has rating
has SOA MNAME
has SOA RNAME
has SRV record
The canonical hostname of the machine providing the service, ending in a dot.
has SRV target
has SSH fingerprint
has SSH fingerprint algorithm
has SSH fingerprint type
has violation
A property of a domain
has RRSIG algorithm number
has RRSIG inception expiration
has RRSIG key tag
has RRSIG labels
has RRSIG original TTL
has RRSIG signature
has RRSIG signature expiration
has RRSIG signer name
has SSH fingerprint value
Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but it is also used for DNSBLs, storing subnet masks in RFC 1101, etc.
Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.
benign
Classless Inter-Domain Routing
CIDR
A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) used to specify that a domain name is an alias for another domain, the "canonical" domain. All information, including subdomains, IP addresses, etc., is defined by the canonical domain.
http://tools.ietf.org/html/rfc1035#page-12
A classful network is a network addressing architecture used in the Internet from 1981 until the introduction of Classless Inter-Domain Routing in 1993. The method divides the address space for Internet Protocol Version 4 (IPv4) into five address classes by address range. Classes A, B, C are networks of three different network sizes, i.e. number of hosts for unicast addresses. Class D is for multicast. The class E address range is reserved for future or experimental purposes. Under classful networking, the subnet mask was implied by which address range (class) the address occupied and did not need to be specified separately.
https://en.wikipedia.org/wiki/Classful_network
A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone.
https://en.wikipedia.org/wiki/Cryptographic_hash_function
The record used to identify the DNSSEC signing key of a delegated zone
https://tools.ietf.org/html/rfc4034
https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
A more sophisticated type of fast flux, referred to itself as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
Fully qualified domain name
FQDN
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.
FastFlux
https://en.wikipedia.org/wiki/Fast_flux
Allows definition of the Hardware type and Operating System (OS) in use at a host. For security reasons these records are rarely used on public servers. If a space exists in the field it must be enclosed in quotes. A single space separates the Hardware and OS parameters.
http://www.zytrax.com/books/dns/ch8/hinfo.html
A hash function is any function that can be used to map data of arbitrary size to data of fixed size.
https://en.wikipedia.org/wiki/Hash_function
A Threat incident is any measured activity or event that has been deemed a threat to computer systems or users.
Threat incident
Arbitrary domain name
Domain
Some property that existed at a point in time.
A LOC record (experimental) is a means for expressing geographic location information for a domain name.
It contains WGS84 Latitude, Longitude and Altitude information together with host/subnet physical size and location accuracy.
https://tools.ietf.org/html/rfc1876
Maps a domain name to a list of message transfer agents for that domain
http://tools.ietf.org/html/rfc1035#page-12
http://tools.ietf.org/html/rfc7505
malicious
Delegates a DNS zone to use the given authoritative name servers
http://tools.ietf.org/html/rfc1035#page-12
Part of DNSSEC—used to prove a name does not exist. Uses the same format as the (obsolete) NXT record.
https://tools.ietf.org/html/rfc4034
An extension to DNSSEC that allows proof of nonexistence for a name without permitting zonewalking
https://tools.ietf.org/html/rfc5155
Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.
http://tools.ietf.org/html/rfc1035#page-12
Non-routable address
Routable address
Information about the responsible person(s) for the domain. Usually an email address with the @ replaced by a .
Signature for a DNSSEC-secured record set. Uses the same format as the SIG record.
https://tools.ietf.org/html/rfc4034
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
rating
A DNS resolution is a mapping from a domain name to any of the DNS records that IANA defines in RFC 1035.
https://www.ietf.org/rfc/rfc1035.txt
DNS Resolution
https://www.ietf.org/rfc/rfc1035.txt
https://en.wikipedia.org/wiki/SHA-1
Start of [a zone of] authority record
http://tools.ietf.org/html/rfc1035#page-12
https://tools.ietf.org/html/rfc2308
Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged sender-addresses, so publishing and checking SPF records can be considered anti-spam techniques.
https://en.wikipedia.org/wiki/Sender_Policy_Framework
A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services.
https://tools.ietf.org/html/rfc2782
Upon connection to an SSH server, the SSH client MAY look up the SSHFP resource record(s) for the host it is connecting to. If the algorithm and fingerprint of the key received from the SSH server match the algorithm and fingerprint of one of the SSHFP resource record(s) returned from DNS, the client MAY accept the identity of the server.
http://www.openssh.com/txt/rfc4255.txt
The simplest type of fast flux, named "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values, usually less than five minutes (300 s), to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.
suspicious
Top-level domain
Limited distribution
Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.
Community wide
Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.
Personal for named recipients only
Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
Unlimited
Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate some arbitrary and unformatted text with a host or other name, such as human readable information about a server, network, data center, and other accounting information. A domain is not limited to having only one text record; any fully qualified domain may potentially have several records.
https://en.wikipedia.org/wiki/TXT_Record
Variable-Length Subnet Masking