[Intelmq-dev] Intelmq-dev Digest, Vol 6, Issue 2

ben dosso dbm93 at live.fr
Wed Aug 10 12:30:11 CEST 2016


I have a problem using the IntelMQ application

> From: intelmq-dev-request at lists.cert.at
> Subject: Intelmq-dev Digest, Vol 6, Issue 2
> To: intelmq-dev at lists.cert.at
> Date: Mon, 8 Aug 2016 12:00:02 +0200
> 
> Send Intelmq-dev mailing list submissions to
> 	intelmq-dev at lists.cert.at
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> or, via email, send a message with subject or body 'help' to
> 	intelmq-dev-request at lists.cert.at
> 
> You can reach the person managing the list at
> 	intelmq-dev-owner at lists.cert.at
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Intelmq-dev digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Taxonomies & Sharing mechanism [SEC=UNCLASSIFIED]
>       (Clark, Andrew)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 8 Aug 2016 05:55:55 +0000
> From: "Clark, Andrew" <Andrew.Clark at cert.gov.au>
> To: Otmar Lendl <lendl at cert.at>, "intelmq-dev at lists.cert.at"
> 	<intelmq-dev at lists.cert.at>
> Subject: Re: [Intelmq-dev] Taxonomies & Sharing mechanism
> 	[SEC=UNCLASSIFIED]
> Message-ID:
> 	<454F4A633809FD40898A9D230EDFA93138B2E82B at ACTDC01MLD02V.agdnet.ag.gov.au>
> 	
> Content-Type: text/plain; charset="utf-8"
> 
> UNCLASSIFIED
> Hi Otmar,
> 
> I have never really investigated what's out there in terms of taxonomies, to any great extent.
> 
> We use MISP, and if you haven't seen it, take a look at how many taxonomies they've tried to accommodate: https://github.com/MISP/misp-taxonomies/
> 
> If I'm reading the correct things, I suspect we might be lucky because the CERT.pt taxonomy looks very similar to the eCSIRT taxonomy used by IntelMQ (and supported by MISP).
> 
> The CERT.pt taxonomy (from this site: http://www.cncs.gov.pt/cert-pt-2/documents-2/) includes 18 "incident types" and 10 "incident classes". The ClassificationType class from IntelMQ supports 20 values, including the 18 from the CERT.pt taxonomy, plus "unknown" and "blocklist". Based on this, I don't think there is a good reason to change what IntelMQ uses now.
> 
> Regarding STIX and Cybox (and TAXII), here at CERT Australia we are using them heavily. STIX includes a 'TTP' object which can be associated with Indicators. TTPs include 'behaviours' and while STIX supports the CAPEC (capec.mitre.org) taxonomy natively, it would be easy to extend to support arbitrary taxonomies. 
> 
> Hope you're enjoying your vacation!
> 
> Andrew
> 
> -----Original Message-----
> From: Intelmq-dev [mailto:intelmq-dev-bounces at lists.cert.at] On Behalf Of Otmar Lendl
> Sent: Saturday, 6 August 2016 2:07 AM
> To: intelmq-dev at lists.cert.at
> Subject: [Intelmq-dev] Taxonomies & Sharing mechanism
> 
> 
> Folks,
> 
> as I will be attending the ENISA/EC3 workshop in The Hague this autumn, I got an invitation to a preparatory survey which asks questions about a consensus regarding taxonomies and information sharing formats to be used in CERT/CERT and CERT/LE information sharing.
> 
> IntelMQ is based on eCSIRT II, which some working-group in the ENISA/EC3/EMPACT universe has declared to be obsolete.
> 
> See this monster of a report:
> https://www.enisa.europa.eu/publications/information-sharing-and-common-taxonomies-between-csirts-and-law-enforcement
> 
> Their new shiny pony is based on the work of CERT.pt, and they want to use the meeting this year to finalize that decision. I have no clue how big the delta to eCSIRT II is.
> 
> IMHO the IntelMQ community has to decide how to react. E.g.
> 
> a) stay with eCSIRT II framework
> b) adopt the new one
> 
> and
> 
> what stance to take on an inter-organisational sharing mechanism.
> 
> So what do you all think?
> 
> otmar (who will be on vacation the next weeks, don't expect me to reply
> soon)
> 
> ------------------
> 
> The survey asks:
> 
> Do you believe that the Common Taxonomy for the national network of CSIRT/LEA (formerly known as CERT.PT Taxonomy) is suitable for CSIRT/LEA communication?
> 	
> Yes / No / Other
> 
> Have you ever used one of the following?
> 	
> STIX / CybOX / Other sharing Mechanism
> 
> What do you think could be a suitable sharing mechanism for the Common Taxonomy for the national network of CSIRT/LEA?
> 	
> STIX / CybOX / Other sharing Mechanism
> 
> Extract from 'Report on Information Sharing and Common Taxonomies between CSIRTs and Law Enforcement Agencies'
> 
> A clear distinction should be made between a taxonomy, a sharing mechanism and a sharing platform to avoid any possible confusion. While a taxonomy is a way of describing information through classification, a sharing mechanism structures the way the information is encoded. For example, a sharing mechanism might provide rules for names and positions of XML tags to allow a file to be treated automatically. Finally, a sharing platform is a tool allowing to share information. It is not mandatory to have such a platform; files containing information structured according to a standard and classified according to a taxonomy could simply be sent by e-mail, for example. Nevertheless, the use of a sharing platform allows users to easily share information in a structured way.
> 
> 
> --
> // Otmar Lendl <lendl at cert.at> - T: +43 1 5056416 711 // CERT Austria - http://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg
> 
> 
> ---------------------------------------------------- 
> If you have received this transmission in error please
> notify us immediately by return e-mail and delete all
> copies. If this e-mail or any attachments have been sent
> to you in error, that error does not constitute waiver
> of any confidentiality, privilege or copyright in respect
> of information in the e-mail or attachments.
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> Intelmq-dev mailing list
> Intelmq-dev at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> 
> 
> ------------------------------
> 
> End of Intelmq-dev Digest, Vol 6, Issue 2
> *****************************************
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20160810/05a276ee/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Capture du 2016-08-10 10-29-06.png
Type: image/png
Size: 32294 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20160810/05a276ee/attachment-0001.png>

