Rectifyq’s MISP Style Guide
Traffic Light Protocol (TLP)
| TLP | Formal Definition | Rectifyq’s audience |
|---|---|---|
| 🔴 tlp:red | For the eyes and ears of individual recipients only, no further disclosure. | Rectifyq + specific recipients |
| 🟠 tlp:amber | Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. | Rectifyq + Cyberheroes |
| 🟢 tlp:green | Limited disclosure, recipients can spread this within their community. | Rectifyq + Cyberheroes + Cybervigilantes |
| ⚪ tlp:clear | Information can be shared publicly in accordance with the law. | Everyone |
Severity definition
| Severity | Description | Example |
|---|---|---|
| High | | |
| Medium | | |
| Low | | |
| Undefined | Other articles that may still be worth recording. | |
APT definition - Advanced Persistent Threat. Not limited to state-sponsored actors.
Category
| Category | Description |
|---|---|
| Threat | In-depth analysis of specific cyber threats. The focus is on technical details, including Indicators of Compromise (IOCs) and the Tactics, Techniques, and Procedures (TTPs) utilized by threat actors. |
| Data Breach | Articles covering confirmed or alleged incidents of unauthorized data access or exfiltration. Key content focuses on the scope of the compromised data, affected entities, or reports concerning ransomware victim claims. |
| Vulnerability | Articles that detail a vulnerability's impact and its exploitation status (e.g., availability of a Proof-of-Concept (POC) or active exploitation in the wild). |
Sub-category
| Sub-category | Description |
|---|---|
| Threat Actor Profile | A detailed report on a specific Threat Actor (who they are), how they attack, what tools they use, and all the past campaigns we think they are responsible for. |
| Tool Profile | A report that focuses on a single hacking tool (or a normal tool that hackers abuse). It explains how it works, which hacker groups use it, and how you can detect and block it. |
| Malware Analysis | Deep dive analysis of malware either static, dynamic or reverse engineer the malware sample(s) to understand how it works, capabilities, potential attributions and other intelligence requirements. |
| Intrusion Analysis (Incident Analysis) | A close-up look at a single successful attack against a specific target (usually one). It maps out the entire story, from how the attacker first got in until they achieved their final goal (such as stealing data). |
| Campaign Analysis | A report that looks at several related attacks against multiple targets. It helps connect the dots to see a bigger picture of what a hacker group is trying to achieve strategically. |
| Leaks Forum | Reports focused on illegal underground forums where hackers post and try to sell or share data they claim to have stolen from a company. |
| Leaks Infostealer | An analysis focused on finding stolen data logs (like passwords) from "Infostealer" malware that are linked to a specific company or organization. |
| Zero-day | Unpatched Exploits: High-priority indicators for vulnerabilities that have no official patch or were exploited before public awareness. |
| Branded Vulnerability | High-Profile Bugs: Vulnerabilities with marketing names/logos (e.g., Heartbleed, PwnKit) that often see rapid, mass exploitation. |
| Critical Vulnerability | High-Severity Flaws: Standard vulnerabilities that carry a high CVSS score or EPSS probability but may not have a brand name. |
| Report | Other related cybersecurity or intelligence reports that are relevant. |
Threat Actor Category
| TA Category | Description | Example |
|---|---|---|
| APT | Highly sophisticated, long-term clandestine campaigns. These actors have significant resources and focus on stealth to maintain persistent access to a network for espionage or data theft. Can be state-sponsored or cybercrime. | Dark Basin, Lazarus, FIN7 |
| State Sponsored | Highly skilled hackers funded and directed by the government of a nation-state. | APT28 (Fancy Bear), APT34 (OilRig), Lazarus Group |
| Cybercrime | Individuals or organized groups (Cybercriminals) whose primary motivation is financial gain. | FIN7 |
| Ransomware | An organized collective of cybercriminals that develops, distributes, and operates sophisticated ransomware strains, often employing the Ransomware-as-a-Service (RaaS) model and double extortion tactics. | LockBit, BlackCat (ALPHV), Clop |
| Hacktivist | Hackers motivated by a political, social, or ideological cause, using hacking as a form of protest. | Anonymous, LulzSec, OpIsrael |
Target
| Target | Details |
|---|---|
| Broad-based | |
| Targeted | Specific target: the attack is specially crafted based on opportunity or on the target's information attack surface. |
Target vs Victim
| Characteristics | Target | Victim |
|---|---|---|
| Inclusivity | Every target is a victim. | Not every victim is a target. |
| Details | Must contain multiple specific key indicators that point to the target. | Most articles that name a country etc. describe victims, limited to the vendor's telemetry (i.e., who its customers are). |
| Example | Keywords in the spear-phishing email that are only relevant to the target; the exploited vulnerability is an opportunity the TA used against that victim. | Based on the vendor's telemetry, country X is found to have been affected in this campaign. |
| Defined as | "specifically targeting" | "at least" (affected) |
Relevancy
| Relevancy | Example |
|---|---|
| 🔴Relevant | APT targeting Malaysian entity. |
| 🟡Somewhat Relevant | APT targeting an Asian country. |
| 🔵Potentially Relevant | Infostealers impact globally. |
| ⚫Not Relevant | Good to know only. |
p.s. Not relevant does not mean the event should be ignored; it can still be used to improve our detection or prevention from the lessons learned from the incident. It is just a lower priority than the other three, as the event may specifically target organizations unrelated to Malaysia, or target speakers of a specific language (e.g. Russian), etc.
Rectifyq’s Workflow
| Workflow | Description |
|---|---|
| Check Date | Ensure the MISP Event date is the same as the date the article was published. |
| Review Severity | Select MISP Event severity as per above severity definition. |
| Check Producer | Ensure correct Producer is tagged in MISP Event galaxy. |
| Check Actor | Add the Threat Actor tag in the MISP Event Galaxy; if the actor has no galaxy cluster, add it as an attribute and tag it as a missing galaxy to be created. |
| Check Target | Add Target Information and Sector tag in MISP Event Galaxy. |
| Check Tool | Add related tools tag in MISP Event Galaxy. |
| Check Malware | Add the Malpedia tag in the MISP Event Galaxy. |
| Check TTP | Ensure the MITRE ATT&CK tags in the MISP Event Galaxy are accurate; priority goes to Malaysia-related events (may need to self-curate if not provided by the Producer). |
| Add IOC Context | Add a comment with relevant context to each attribute (e.g. 84c82835a5d21bbcf75a61706d8ab549 - WannaCry Ransomware). |
| Check Key Indicator | Add related attributes/objects with details that may be used for attribution, such as: username:password pairs used by the TA in the infection chain; decryption keys; mutexes; archive passwords; sender email addresses; language used; etc. |
| Need sample sponsor | Requires a malware sample sponsor: upload to MalwareBazaar (preferred), or directly to MISP for samples containing sensitive data. |
| To Report to | Report to the relevant parties, such as the owner, hosting provider, MyCERT, registrar, etc. |
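The checklist above can be run mechanically against a MISP event before it is published. The following is an added example, not part of the original guide and not MISP or PyMISP code: a small checker over the standard MISP event JSON export shape (`Event.date`, `Event.threat_level_id`, `Event.Tag`, `Event.Attribute`). It assumes MISP's built-in `threat_level_id` values 1-4 stand for the High/Medium/Low/Undefined severities in the table above, and that galaxy tags use MISP's `misp-galaxy:<galaxy>="<cluster>"` naming. The sample event is constructed for the example and deliberately breaks the date, actor and IOC-context checks; the sha256 value in it is a placeholder, not a real hash.

```python
import json

# Allowed TLP tags from the style guide
TLP_TAGS = {"tlp:red", "tlp:amber", "tlp:green", "tlp:clear"}
# MISP's own threat_level_id values, mapped onto the severity table (assumption)
THREAT_LEVELS = {1: "High", 2: "Medium", 3: "Low", 4: "Undefined"}
# Attribute types that the "Add IOC Context" step expects to carry a comment
HASH_TYPES = {"md5", "sha1", "sha256", "sha512", "imphash", "ssdeep"}

ARTICLE_DATE = "2017-05-12"  # constructed: the date the source article was published

# Constructed sample event (not a real MISP export); fails three checks on purpose
SAMPLE_EVENT = {
    "Event": {
        "info": "Example write-up: WannaCry ransomware",
        "date": "2017-05-13",            # wrong: one day after the article
        "threat_level_id": "1",          # High
        "Tag": [
            {"name": "tlp:amber"},
            {"name": 'misp-galaxy:producer="Example Vendor"'},
            {"name": 'misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"'},
            # no threat-actor galaxy tag and no threat-actor attribute -> finding
        ],
        "Attribute": [
            {"type": "md5", "value": "84c82835a5d21bbcf75a61706d8ab549",
             "comment": "WannaCry Ransomware"},
            {"type": "sha256", "value": "0" * 64, "comment": ""},  # placeholder hash, no context
        ],
    }
}


def _tag_names(ev):
    return [t.get("name", "") for t in ev.get("Tag", [])]


def _has_galaxy(tags, galaxy):
    return any(t.startswith(f'misp-galaxy:{galaxy}="') for t in tags)


def lint_event(event_json, article_date):
    """Run the workflow checks over one MISP event dict.
    Returns a list of 'check: detail' strings; an empty list means the event passes."""
    ev = event_json.get("Event", event_json)
    tags = _tag_names(ev)
    attrs = ev.get("Attribute", [])
    findings = []

    # Check Date: event date must equal the article's publication date
    if ev.get("date") != article_date:
        findings.append(f"date: event date {ev.get('date')!r} != article date {article_date!r}")

    # Review Severity: threat_level_id must be one of MISP's four levels
    try:
        level = int(ev.get("threat_level_id", 0))
    except (TypeError, ValueError):
        level = 0
    if level not in THREAT_LEVELS:
        findings.append("severity: threat_level_id must be 1 (High), 2 (Medium), 3 (Low) or 4 (Undefined)")

    # TLP: exactly one tag, from the allowed set
    tlp = [t for t in tags if t.lower().startswith("tlp:")]
    if len(tlp) != 1 or tlp[0].lower() not in TLP_TAGS:
        findings.append(f"tlp: expected exactly one of {sorted(TLP_TAGS)}, got {tlp}")

    # Check Producer / Check Actor / Check TTP via galaxy tags
    if not _has_galaxy(tags, "producer"):
        findings.append("producer: no misp-galaxy:producer tag")
    if not _has_galaxy(tags, "threat-actor") and not any(a.get("type") == "threat-actor" for a in attrs):
        findings.append("actor: no threat-actor galaxy tag and no threat-actor attribute")
    if not _has_galaxy(tags, "mitre-attack-pattern"):
        findings.append("ttp: no MITRE ATT&CK galaxy tag")

    # Add IOC Context: every hash attribute must carry a comment
    for a in attrs:
        if a.get("type") in HASH_TYPES and not a.get("comment", "").strip():
            findings.append(f"ioc-context: {a['type']} {a['value']} has no comment")

    return findings


def fix_sample():
    """Return a corrected deep copy of SAMPLE_EVENT that should pass every check."""
    fixed = json.loads(json.dumps(SAMPLE_EVENT))
    ev = fixed["Event"]
    ev["date"] = ARTICLE_DATE
    ev["Tag"].append({"name": 'misp-galaxy:threat-actor="Lazarus Group"'})
    ev["Attribute"][1]["comment"] = "WannaCry dropper (placeholder hash)"
    return fixed


if __name__ == "__main__":
    for f in lint_event(SAMPLE_EVENT, ARTICLE_DATE):
        print("FAIL", f)
    print("fixed event findings:", lint_event(fix_sample(), ARTICLE_DATE))
```

Run it against a real export (`misp-event.json` from the event's "Download as JSON" action) by loading the file and passing the dict to `lint_event` together with the article date; any line it prints corresponds to one row of the workflow table that still needs attention.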
Topics
| Topics | Description |
|---|---|
| geopolitical | Geopolitical Related |
| ics-ot | Industrial Control System (ICS) and Operational Technology (OT) |
| mobile-attack | Mobile Attack |
| supply-chain | Supply Chain |