[Intelmq-dev] Taxonomies & Sharing mechanism [SEC=UNCLASSIFIED]

Clark, Andrew Andrew.Clark at cert.gov.au
Mon Aug 8 07:55:55 CEST 2016


UNCLASSIFIED
Hi Otmar,

I have never really investigated what's out there in terms of taxonomies, to any great extent.

We use MISP, and if you haven't seen it, take a look at how many taxonomies they've tried to accommodate: https://github.com/MISP/misp-taxonomies/

If I'm reading the correct things, I suspect we might be lucky because the CERT.pt taxonomy looks very similar to the eCSIRT taxonomy used by IntelMQ (and supported by MISP).

The CERT.pt taxonomy (from this site: http://www.cncs.gov.pt/cert-pt-2/documents-2/) includes 18 "incident types" and 10 "incident classes". The ClassificationType class from IntelMQ supports 20 values, including the 18 from the CERT.pt taxonomy, plus "unknown" and "blocklist". Based on this, I don't think there is a good reason to change what IntelMQ uses now.

Regarding STIX and Cybox (and TAXII), here at CERT Australia we are using them heavily. STIX includes a 'TTP' object which can be associated with Indicators. TTPs include 'behaviours' and while STIX supports the CAPEC (capec.mitre.org) taxonomy natively, it would be easy to extend to support arbitrary taxonomies. 

Hope you're enjoying your vacation!

Andrew

-----Original Message-----
From: Intelmq-dev [mailto:intelmq-dev-bounces at lists.cert.at] On Behalf Of Otmar Lendl
Sent: Saturday, 6 August 2016 2:07 AM
To: intelmq-dev at lists.cert.at
Subject: [Intelmq-dev] Taxonomies & Sharing mechanism


Folks,

as I will be attending the ENISA/EC3 workshop in The Hague this autumn, I got an invitation to a preparatory survey which asks questions about a consensus regarding taxonomies and information sharing formats to be used in CERT/CERT and CERT/LE information sharing.

IntelMQ is based on eCSIRT II, which some working-group in the ENISA/EC3/EMPACT universe has declared to be obsolete.

See this monster of a report:
https://www.enisa.europa.eu/publications/information-sharing-and-common-taxonomies-between-csirts-and-law-enforcement

Their new shiny pony is based on the work of CERT.pt, and they want to use the meeting this year to finalize that decision. I have no clue how big the delta to eCSIRT II is.

IMHO the IntelMQ community has to decide how to react. E.g.

a) stay with eCSIRT II framework
b) adopt the new one

and

what stance to take on an inter-organisational sharing mechanism.

So what do you all think?

otmar (who will be on vacation the next weeks, don't expect me to reply soon)

------------------

The survey asks:

Do you believe that the Common Taxonomy for the national network of CSIRT/LEA (formerly known as CERT.PT Taxonomy) is suitable for CSIRT/LEA communication?

Yes / No / Other

Have you ever used one of the following?

STIX / CybOX / Other sharing Mechanism

What do you think could be a suitable sharing mechanism for the Common Taxonomy for the national network of CSIRT/LEA?

STIX / CybOX / Other sharing Mechanism

Extract from 'Report on Information Sharing and Common Taxonomies between CSIRTs and Law Enforcement Agencies'

A clear distinction should be made between a taxonomy, a sharing mechanism and a sharing platform to avoid any possible confusion. While a taxonomy is a way of describing information through classification, a sharing mechanism structures the way the information is encoded. For example, a sharing mechanism might provide rules for names and positions of XML tags to allow a file to be treated automatically. Finally, a sharing platform is a tool that allows information to be shared. It is not mandatory to have such a platform – files containing information structured according to a standard and classified according to a taxonomy could simply be sent by e-mail, for example. Nevertheless, the use of a sharing platform allows users to easily share information in a structured way.


--
// Otmar Lendl <lendl at cert.at> - T: +43 1 5056416 711 // CERT Austria - http://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg



