Add SCOR TENs galaxy + Galaxy 2.0 related[] edges on scor-attack-paths #1217

Merged
adulau merged 1 commit into MISP:main from h4ck32n4u75:scor-tens-phase2
May 25, 2026

@h4ck32n4u75
Contributor

Add SCOR TENs galaxy + Galaxy 2.0 related[] edges on scor-attack-paths

Builds on #1216 (SCOR Attack Paths galaxy, already merged). This PR adds the stable Taxonomic Element Nomenclature (TEN) templates per the METEORSTORM data model, and wires the existing 4 attack-path values to those templates via Galaxy 2.0 related[] arrays. Result: MISP's Network View renders the SCOR-compliant relationship graph natively.

What's added

clusters/scor-tens.json (new) — 30 cluster values, one per METEORSTORM TEN:

  • 5 PCE (Terrestrial, Aquatic, Aerial, Orbital, Deep Space)
  • 10 SEG (Launch, Link, Ground, User, Aquatic, Low Altitude, High Altitude, Near Space, Space, Deep Space)
  • 3 SVC (Control Plane, Data Plane, Hybrid)
  • 6 AST (Hardware, Firmware, Software, Data, Signal, Hybrid)
  • 6 AN (Indicator of Compromise, Indicator of Attack, Attack Path, Threat, Detection Signature, Resilience Measure)

Each value carries a stable UUID, layer/tag/label/doc_section meta, and the canonical definition from METEORSTORM Quick Guide §8.

galaxies/scor-tens.json (new) — minimal galaxy descriptor. No kill_chain_order (TENs aren't a matrix).

What's modified

clusters/scor-attack-paths.json (modified) — added related[] arrays to all 4 existing attack-path values (Viasat AcidRain, Gatwick UAS, Fengyun-1C ASAT, Yacht GPS Spoofing). Each related[] entry references a TEN cluster value by UUID:

| Relation type | Purpose | Count across 4 paths |
|---|---|---|
| TOE | Per §6.2, points the attack path at each structural TEN (PCE/SEG/SVC/AST) the scenario's enumeration consumed | 31 |
| instance-of | Declares the attack-path value as an enumerated instance of the AN-ATT-Attack Path TEN | 4 |
| Total | | 35 |

The per-scenario ETEN string is preserved on each relation's tags array as scor-eten:"LAYER:TAG:LABEL:ORDINAL", so the ordinal context isn't lost when traversing the graph.

Conceptual model

Per METEORSTORM Quick Guide §4–§5:

  • TEN = LAYER-TAG-LABEL (hyphen-delimited). The stable type template, defined by the taxonomy.
  • ETEN = LAYER:TAG:LABEL:ORDINAL (colon-delimited). What an analyst produces from a TEN during enumeration on a specific platform.

This PR makes the TENs first-class MISP cluster values so Galaxy 2.0 related[] arrays can point at them by UUID. The ETEN strings continue to live in the attack-path's meta as the per-scenario enumeration outputs.

What this enables

Once merged, MISP's Galaxy 2.0 Network View renders the SCOR-compliant relationship graph:

  • Attack-path nodes (Viasat, Gatwick, Fengyun-1C, Yacht) connected by TOE edges to the TEN templates each scenario's enumeration consumed.
  • Bidirectional pivoting: open a TEN template (e.g., PCE-OR-Orbital) and see every attack path that has ever consumed it during enumeration.
  • The per-scenario ETEN identifiers (with ordinals) remain visible on each edge's tags.

Validation

  • Both new files pass jsonschema validation against schema_clusters.json / schema_galaxies.json.
  • The modified scor-attack-paths.json still validates.
  • All 35 related[] dest-uuid references resolve to values in scor-tens.json (cross-checked programmatically).
  • All UUIDs unique across the SCOR namespace.
  • tools/chk_empty_strings clean.
  • All files in jq --sort-keys canonical form.
  • tools/update_README_with_index.py regenerated README.md to include the new scor-tens entry.

Steward

scor namespace steward: H4CK32N4U75®. Contact: william.o.ferguson@ethicallyhacking.space.

Adds the stable Taxonomic Element Nomenclature (TEN) template cluster
per METEORSTORM Quick Guide §4-§5: the 30 type templates (5 PCE +
10 SEG + 3 SVC + 6 AST + 6 AN) that analysts consume during the
enumeration process to produce ETENs on specific platforms.

- clusters/scor-tens.json: 30 cluster values, one per TEN. Each has
  stable UUID, layer/tag/label/doc_section meta, and definition from
  the doc's §8 Full Data Model.
- galaxies/scor-tens.json: minimal galaxy descriptor (no kill_chain_order;
  TENs aren't a matrix).

Adds related[] arrays to the 4 existing scor-attack-paths values
linking back to the TENs each scenario's enumeration consumed:

- TOE relations (per §6.2) point from attack-path values at the
  structural TENs (PCE/SEG/SVC/AST) the path enumerated.
- instance-of relation points each attack-path value at AN-ATT-Attack
  Path, declaring the value as an enumerated instance of that template.
- The per-scenario ETEN string is preserved on each relation's 'tags'
  array (scor-eten:"LAYER:TAG:LABEL:ORDINAL") so the ordinal context
  isn't lost when traversing the graph.

Total: 35 typed relations across 4 attack paths. All dest-uuid
references resolve to scor-tens values; schema validates.

Enables MISP Galaxy 2.0 Network View to render the SCOR-compliant
relationship graph: attack-path nodes connected by TOE edges to TEN
template nodes, with bidirectional pivoting between scenarios and
templates.

Steward: H4CK32N4U75 (william.o.ferguson@ethicallyhacking.space).
@adulau adulau merged commit 09ac90b into MISP:main May 25, 2026
3 checks passed
@h4ck32n4u75 h4ck32n4u75 deleted the scor-tens-phase2 branch May 25, 2026 19:01
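
The dest-uuid cross-check listed under Validation can be sketched as follows; this is an added example, not code from this PR or the MISP repository. It also checks that each scor-eten tag agrees with the LAYER/TAG/LABEL of the TEN its edge points at and that TOE edges target structural layers only. The sample clusters, UUIDs, ordinals and the meta key names `layer`, `tag`, `label` are constructed assumptions.

```python
import re

# Constructed sample data in MISP galaxy cluster shape. UUIDs, ordinals, path
# names and the meta key names (layer/tag/label) are assumptions, not PR data.
U = "00000000-0000-4000-8000-00000000000"
TENS = {"values": [
    {"uuid": U + "1", "value": "PCE-OR-Orbital",
     "meta": {"layer": "PCE", "tag": "OR", "label": "Orbital"}},
    {"uuid": U + "2", "value": "AN-ATT-Attack Path",
     "meta": {"layer": "AN", "tag": "ATT", "label": "Attack Path"}},
]}
PATHS = {"values": [
    {"value": "sample-path-ok", "related": [
        {"dest-uuid": U + "1", "type": "TOE",
         "tags": ['scor-eten:"PCE:OR:Orbital:1"']},
        {"dest-uuid": U + "2", "type": "instance-of",
         "tags": ['scor-eten:"AN:ATT:Attack Path:1"']}]},
    {"value": "sample-path-broken", "related": [
        {"dest-uuid": U + "1", "type": "TOE",
         "tags": ['scor-eten:"SEG:OR:Orbital:1"']},   # layer disagrees with TEN
        {"dest-uuid": U + "9", "type": "TOE", "tags": []}]},  # dangling
]}

ETEN_TAG = re.compile(r'^scor-eten:"([^:"]+):([^:"]+):([^:"]+):[^:"]+"$')
STRUCTURAL = {"PCE", "SEG", "SVC", "AST"}  # layers a TOE edge may target

def check_edges(paths, tens):
    """Return (edge counts by relation type, list of (path, problem, detail))."""
    by_uuid = {v["uuid"]: v["meta"] for v in tens["values"]}
    counts, problems = {}, []
    for path in paths["values"]:
        for rel in path.get("related", []):
            counts[rel["type"]] = counts.get(rel["type"], 0) + 1
            meta = by_uuid.get(rel["dest-uuid"])
            if meta is None:
                problems.append((path["value"], "dangling dest-uuid", rel["dest-uuid"]))
                continue
            if rel["type"] == "TOE" and meta["layer"] not in STRUCTURAL:
                problems.append((path["value"], "TOE targets non-structural TEN", meta["layer"]))
            want = (meta["layer"], meta["tag"], meta["label"])
            for tag in rel.get("tags", []):
                m = ETEN_TAG.match(tag)
                if m and m.groups() != want:
                    problems.append((path["value"], "ETEN does not match TEN", tag))
    return counts, problems

if __name__ == "__main__":
    print(check_edges(PATHS, TENS))
```

Run against the real files by loading `clusters/scor-attack-paths.json` and `clusters/scor-tens.json` with `json.load` and passing them in place of the samples; an empty problem list means every edge resolves and every ETEN tag matches its template.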