As it happens, two messages entitled “Taxonomies & Sharing mechanism” landed in my inbox this morning, from the IntelMQ dev mailing list (http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev). One of the people attending an ENISA/EC3 workshop in The Hague this autumn alerted the IntelMQ list that ENISA/EC3 is surveying participants about taxonomies and formats to be used in CERT-to-CERT and CERT-to-Law Enforcement information sharing.

Otmar Lendl (CERT.at) wrote: “IntelMQ is based on eCSIRT II, which some working-group in the ENISA/EC3/EMPACT universe has declared to be obsolete. See this monster of a report: https://www.enisa.europa.eu/publications/information-sharing-and-common-taxonomies-between-csirts-and-law-enforcement”

The survey questions include:

· Do you believe that the Common Taxonomy for the national network of CSIRT/LEA (formerly known as CERT.PT Taxonomy) is suitable for CSIRT/LEA communication? Yes / No / Other
· Have you ever used one of the following? STIX / CybOX / Other sharing Mechanism
· What do you think could be a suitable sharing mechanism for the Common Taxonomy for the national network of CSIRT/LEA? STIX / CybOX / Other sharing Mechanism

Extract from 'Report on Information Sharing and Common Taxonomies between CSIRTs and Law Enforcement Agencies':

A clear distinction should be made between a taxonomy, a sharing mechanism and a sharing platform to avoid any possible confusion. While a taxonomy is a way of describing information through classification, a sharing mechanism structures the way the information is encoded. For example, a sharing mechanism might provide rules for names and positions of XML tags to allow a file to be treated automatically. Finally, a sharing platform is a tool allowing to share information. It is not mandatory to have such a platform – files containing information structured according to a standard and classified according to a taxonomy could simply be sent by e-mail, for example. Nevertheless, the use of a sharing platform allows users to easily share information in a structured way.

Another list member, Andrew Clark from CERT-AU, replied with information about MISP:

… take a look at how many taxonomies [MISP] tried to accommodate: https://github.com/MISP/misp-taxonomies/

If I'm reading the correct things, I suspect we might be lucky because the CERT.pt taxonomy looks very similar to the eCSIRT taxonomy used by IntelMQ (and supported by MISP). The CERT.pt taxonomy (from this site: http://www.cncs.gov.pt/cert-pt-2/documents-2/) includes 18 "incident types" and 10 "incident classes". The ClassificationType class from IntelMQ supports 20 values, including the 18 from the CERT.pt taxonomy, plus "unknown" and "blocklist". Based on this, I don't think there is a good reason to change what IntelMQ uses now.

Regarding STIX and CybOX (and TAXII), here at CERT Australia we are using them heavily. STIX includes a 'TTP' object which can be associated with Indicators. TTPs include 'behaviours' and while STIX supports the CAPEC (capec.mitre.org) taxonomy natively, it would be easy to extend to support arbitrary taxonomies.

My intention in highlighting these taxonomies is to simply draw readers’ attention to the taxonomy a lot of counterpart CERTs in Europe may be adopting.

Best wishes,
Iain.

--
Iain D. Brown
Incident Response Team
CERT-UK
ibrown@cert.gov.uk
07990 567 644
Duty Officer: 0207 147 4411
incidents@cert.gov.uk

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: 08 August 2016 09:34
To: Patrick Maroney <Pmaroney@specere.org>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; cti@lists.oasis-open.org
Subject: Re: [cti] Attack Motivations

I concur strongly.

Some common taxonomies and enumerations were captured here:
http://www.frhack.org/research/Information_Security_Vocabularies.xlsx

My experience of developing software (for 15+ years) using enumerations in combo lists, etc. in a domain like cybersecurity lets me think here that exhaustive "cover them all and please everybody" enumerations can't be found. An approach using a hierarchical categorization/classification (i.e. multiple steps: 1) select a general category - mandatory; 2) select a more detailed category among the ones of 1) - optional) helps ensure a minimum of coherence without "giving headaches" to those who hate (being specific) spending more than 5s finding the value in a list. E.g.: views in CWE, CAPEC.

On Sunday, 7 August 2016, Patrick Maroney <Pmaroney@specere.org> wrote:

I know we are on a tight timeline and want to close on these enumerations. However, I want to add a strategically focused comment here:

The overarching point is to advocate for common adoption of taxonomies across standards (formal and de facto). By taking the time to identify and adopt "best of breed" taxonomies, we can then strategically do outreach and advocate for homogenization and drive convergence. So presuming we will always have a variety of CTI schemas and ontologies (e.g., VERIS, OpenIOC, CIF), the convergence and adoption of shared Taxonomies will empower easier transformations between different formats and internal data representations.

If we could get all CTI TC members to submit their existing taxonomies for the categories in question, maybe we could quickly reach concurrence and homogenization. Thoughts?

I know I've seen some very good Motivation Taxonomies with good descriptions. Have not found "the" one yet... @Jerome Athias: Your thoughts?

Alternatively, here's some of the better ones I've found today.

(1) The IBM X-Force taxonomy

Since this is copyrighted material I can't provide the specifics. One can register for the paper here: https://www-01.ibm.com/marketing/iwm/iwm/web/signup.do?source=ibm-WW_Security_Services&S_PKG=ov47531&S_TACT=C405001W&dynform=21982&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=42640253661614409439900&cm_mc_sid_50200000=1470597188 (We would have to normalize their "Outrage Trolls" Class).

(2) VERIS Taxonomy ACTOR.X.MOTIVE

NA: Not Applicable (unintentional action)
Espionage: Espionage or competitive advantage
Fear: Fear or duress
Financial: Financial or personal gain
Fun: Fun, curiosity, or pride
Grudge: Grudge or personal offense
Ideology: Ideology or protest
Convenience: Convenience or expediency
Unknown: Unknown
Other: Other

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

(4) NIST

Couldn't find one but believe a taxonomy exists.

On Sun, Aug 7, 2016 at 4:13 PM -0400, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

This Taxonomy did come from an existing well vetted solution, aka the Intel Threat Agent work. But given that work applies to general threat actors, we are trying to tailor it more specifically to the cyber space. The reason I am looking to add a few values is I have been reviewing every taxonomy I can find and make sure our terms and definitions cover everything that cerebrally exists.

Bret

Sent from my Commodore 64

On Aug 7, 2016, at 12:42 PM, Patrick Maroney <Pmaroney@Specere.org> wrote:

.02: Like Sophistication, we should directly adopt an existing, well vetted, Taxonomy. @Patrick/ISightPartners or @EclecticIQ: Can you provide reference?

On Sun, Aug 7, 2016 at 12:15 AM -0400, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

All,

Intrusion Sets and Threat Actors both use the Attack Motivations vocabulary. Right now we have the following terms in that vocab:

accidental
coercion
dominance
ideology
notoriety
organizational-gain
personal-gain
personal-satisfaction
revenge
unpredictable

I propose that we add the following three terms to this list; I missed them when I was putting this list together.

amusement
advantage (competitive, political, economic)
anarchy

Thanks,
Bret

Bret Jordan CISSP
Director of Security Architecture and Standards
Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
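The transformation between schemas that Patrick's message says shared taxonomies would ease, as an added example that is not part of this thread: a crosswalk from the VERIS ACTOR.X.MOTIVE values quoted above to the STIX attack-motivation terms Bret listed. Both enumerations are taken from the thread; the pairing between them is this example's own assumption (neither project publishes it), and VERIS values with no defensible STIX equivalent are reported as unmapped rather than guessed.

```python
# Added example, not code from the thread: a crosswalk from VERIS ACTOR.X.MOTIVE
# to the STIX attack-motivation vocabulary. Enumerations are as quoted in the
# thread; the pairing between them is this example's assumption.
from __future__ import annotations

# STIX attack-motivation terms as listed in Bret Jordan's message.
STIX_ATTACK_MOTIVATION = frozenset({
    "accidental", "coercion", "dominance", "ideology", "notoriety",
    "organizational-gain", "personal-gain", "personal-satisfaction",
    "revenge", "unpredictable",
})
# The three terms Bret proposed adding; kept apart because they were only proposed.
STIX_PROPOSED = frozenset({"amusement", "advantage", "anarchy"})

# VERIS ACTOR.X.MOTIVE values as listed in Patrick Maroney's message.
VERIS_MOTIVE = frozenset({"NA", "Espionage", "Fear", "Financial", "Fun",
                          "Grudge", "Ideology", "Convenience", "Unknown", "Other"})

# Assumed crosswalk. None means "no defensible STIX equivalent": the loss is
# surfaced to the caller rather than hidden behind a plausible-looking value.
VERIS_TO_STIX: dict[str, str | None] = {
    "NA": "accidental", "Espionage": "organizational-gain", "Fear": "coercion",
    "Financial": "personal-gain", "Fun": "personal-satisfaction",
    "Grudge": "revenge", "Ideology": "ideology",
    "Convenience": None, "Unknown": None, "Other": None,
}


def to_stix_motivation(veris_value: str) -> str | None:
    """Translate one VERIS motive, rejecting input outside either enumeration."""
    if veris_value not in VERIS_MOTIVE:
        raise ValueError(f"not a VERIS ACTOR.X.MOTIVE value: {veris_value!r}")
    target = VERIS_TO_STIX[veris_value]
    if target is not None and target not in STIX_ATTACK_MOTIVATION:
        raise ValueError(f"crosswalk emits a non-STIX term: {target!r}")
    return target


def translate_motives(values: list[str]) -> tuple[list[str], list[str]]:
    """Translate many motives; returns (STIX terms, VERIS values left unmapped)."""
    targets = [to_stix_motivation(v) for v in values]  # validates every value
    mapped = [t for t in targets if t is not None]
    unmapped = [v for v, t in zip(values, targets) if t is None]
    return mapped, unmapped


def unreachable_stix_terms() -> list[str]:
    """STIX terms no VERIS value reaches: the crosswalk is lossy in both directions."""
    reached = {t for t in VERIS_TO_STIX.values() if t is not None}
    return sorted(STIX_ATTACK_MOTIVATION - reached)
```

Running `unreachable_stix_terms()` shows which STIX motivations a VERIS-sourced feed can never express, which is the kind of gap the convergence Patrick argues for would close.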