Port Six

Threat Intelligence Tagging Taxonomy

Overview

All threat indicators are tagged using a structured taxonomy with namespace prefixes. This enables precise filtering, correlation, and behavioral analysis.

Behavioral Tags

Describes what the observable does or is used for.

behavior: namespace

  • behavior:c2 - Command & Control infrastructure
  • behavior:phishing - Phishing/credential theft
  • behavior:malware-distribution - Malware hosting/distribution
  • behavior:scanning - Network scanning/reconnaissance
  • behavior:brute-force - Credential brute-force attacks
  • behavior:ddos - DDoS infrastructure/participation
  • behavior:spam - Spam/email abuse
  • behavior:cryptomining - Cryptocurrency mining
  • behavior:exfiltration - Data exfiltration
  • behavior:ransomware - Ransomware operation
  • behavior:botnet - Botnet participation
  • behavior:exploit - Exploitation activity

Example (the tags field of a tagged indicator, as a JSON fragment):

"tags": ["behavior:c2", "behavior:post-exploitation"]

Infrastructure Tags

Describes the technical environment or service type.

infrastructure: namespace

  • infrastructure:cloud-aws - Amazon Web Services
  • infrastructure:cloud-gcp - Google Cloud Platform
  • infrastructure:cloud-azure - Microsoft Azure
  • infrastructure:cloud-cloudflare - Cloudflare CDN
  • infrastructure:tor-exit - Tor exit node
  • infrastructure:tor-relay - Tor relay node
  • infrastructure:vpn - VPN endpoint
  • infrastructure:proxy-http - HTTP proxy
  • infrastructure:datacenter - Datacenter/colocation hosting
  • infrastructure:residential - Residential ISP
  • infrastructure:mobile - Mobile carrier

Malware Family Tags

Specific malware family or tool identification.

malware_family: namespace

  • malware_family:cobalt-strike
  • malware_family:metasploit
  • malware_family:asyncrat
  • malware_family:emotet
  • malware_family:mirai
  • malware_family:xmrig

Format rules: lowercase with hyphens; the official malware name is preferred over vendor aliases.

Threat Actor Tags

Attribution to threat actors or groups (when confidence is high).

threat_actor: namespace

  • threat_actor:apt28
  • threat_actor:apt29
  • threat_actor:lazarus-group
  • threat_actor:sandworm

MITRE ATT&CK Tags

Maps to MITRE ATT&CK framework techniques.

technique: namespace

  • technique:T1566 - Phishing
  • technique:T1566.001 - Spearphishing Attachment
  • technique:T1071 - Application Layer Protocol
  • technique:T1071.001 - Web Protocols
  • technique:T1105 - Ingress Tool Transfer

Format: technique:T#### for techniques, technique:T####.### for sub-techniques

Severity & Confidence Tags

severity: namespace

  • severity:critical - Immediate action required
  • severity:high - High priority
  • severity:medium - Medium priority
  • severity:low - Low priority

confidence: namespace

  • confidence:high - 0.8-1.0 (highly reliable)
  • confidence:medium - 0.5-0.79 (generally reliable)
  • confidence:low - 0.0-0.49 (uncertain)

Tag Combination Examples

Valid Combinations

["behavior:c2", "malware_family:cobalt-strike", "severity:critical"]
["infrastructure:tor-exit", "infrastructure:datacenter"]
["behavior:phishing", "technique:T1566", "confidence:high"]