I have a problem about using Application intelmq
From: intelmq-dev-request@lists.cert.at
Subject: Intelmq-dev Digest, Vol 6, Issue 2
To: intelmq-dev@lists.cert.at
Date: Mon, 8 Aug 2016 12:00:02 +0200
Send Intelmq-dev mailing list submissions to intelmq-dev@lists.cert.at
To subscribe or unsubscribe via the World Wide Web, visit http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev or, via email, send a message with subject or body 'help' to intelmq-dev-request@lists.cert.at
You can reach the person managing the list at intelmq-dev-owner@lists.cert.at
When replying, please edit your Subject line so it is more specific than "Re: Contents of Intelmq-dev digest..."
Today's Topics:
- Re: Taxonomies & Sharing mechanism [SEC=UNCLASSIFIED] (Clark, Andrew)
Message: 1
Date: Mon, 8 Aug 2016 05:55:55 +0000
From: "Clark, Andrew" Andrew.Clark@cert.gov.au
To: Otmar Lendl lendl@cert.at, "intelmq-dev@lists.cert.at" intelmq-dev@lists.cert.at
Subject: Re: [Intelmq-dev] Taxonomies & Sharing mechanism [SEC=UNCLASSIFIED]
Message-ID: 454F4A633809FD40898A9D230EDFA93138B2E82B@ACTDC01MLD02V.agdnet.ag.gov.au
Content-Type: text/plain; charset="utf-8"
UNCLASSIFIED Hi Otmar,
I have never really investigated what's out there in terms of taxonomies, to any great extent.
We use MISP, and if you haven't seen it, take a look at how many taxonomies they've tried to accommodate: https://github.com/MISP/misp-taxonomies/
If I'm reading the correct things, I suspect we might be lucky because the CERT.pt taxonomy looks very similar to the eCSIRT taxonomy used by IntelMQ (and supported by MISP).
The CERT.pt taxonomy (from this site: http://www.cncs.gov.pt/cert-pt-2/documents-2/) includes 18 "incident types" and 10 "incident classes". The ClassificationType class from IntelMQ supports 20 values, including the 18 from the CERT.pt taxonomy, plus "unknown" and "blocklist". Based on this, I don't think there is a good reason to change what IntelMQ uses now.
Regarding STIX and CybOX (and TAXII), here at CERT Australia we are using them heavily. STIX includes a 'TTP' object which can be associated with Indicators. TTPs include 'behaviours' and while STIX supports the CAPEC (capec.mitre.org) taxonomy natively, it would be easy to extend to support arbitrary taxonomies.
Hope you're enjoying your vacation!
Andrew
-----Original Message-----
From: Intelmq-dev [mailto:intelmq-dev-bounces@lists.cert.at] On Behalf Of Otmar Lendl
Sent: Saturday, 6 August 2016 2:07 AM
To: intelmq-dev@lists.cert.at
Subject: [Intelmq-dev] Taxonomies & Sharing mechanism
Folks,
as I will be attending the ENISA/EC3 workshop in The Hague this autumn, I got an invitation to a preparatory survey which asks questions about a consensus regarding taxonomies and information sharing formats to be used in CERT/CERT and CERT/LE information sharing.
IntelMQ is based on eCSIRT II, which some working-group in the ENISA/EC3/EMPACT universe has declared to be obsolete.
See this monster of a report: https://www.enisa.europa.eu/publications/information-sharing-and-common-taxo...
Their new shiny pony is based on the work of CERT.pt, and they want to use the meeting this year to finalize that decision. I have no clue how big the delta to eCSIRT II is.
IMHO the IntelMQ community has to decide how to react. E.g.
a) stay with eCSIRT II framework
b) adopt the new one
and
what stance to take on an inter-organisational sharing mechanism.
So what do you all think?
otmar (who will be on vacation the next weeks, don't expect me to reply soon)
The survey asks:
Do you believe that the Common Taxonomy for the national network of CSIRT/LEA (formerly known as CERT.PT Taxonomy) is suitable for CSIRT/LEA communication?
Yes / No / Other
Have you ever used one of the following?
STIX / CybOX / Other sharing Mechanism
What do you think could be a suitable sharing mechanism for the Common Taxonomy for the national network of CSIRT/LEA?
STIX / CybOX / Other sharing Mechanism
Extract from 'Report on Information Sharing and Common Taxonomies between CSIRTs and Law Enforcement Agencies'
A clear distinction should be made between a taxonomy, a sharing mechanism and a sharing platform to avoid any possible confusion. While a taxonomy is a way of describing information through classification, a sharing mechanism structures the way the information is encoded. For example, a sharing mechanism might provide rules for names and positions of XML tags to allow a file to be treated automatically. Finally, a sharing platform is a tool allowing to share information. It is not mandatory to have such a platform: files containing information structured according to a standard and classified according to a taxonomy could simply be sent by e-mail, for example. Nevertheless, the use of a sharing platform allows users to easily share information in a structured way.
-- // Otmar Lendl lendl@cert.at - T: +43 1 5056416 711 // CERT Austria - http://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg
If you have received this transmission in error please notify us immediately by return e-mail and delete all copies. If this e-mail or any attachments have been sent to you in error, that error does not constitute waiver of any confidentiality, privilege or copyright in respect of information in the e-mail or attachments.
Subject: Digest Footer
Intelmq-dev mailing list Intelmq-dev@lists.cert.at http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
End of Intelmq-dev Digest, Vol 6, Issue 2