Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

["Bret Jordan (CS)" <Bret_Jordan@symantec.com>]

I am pulling all of these out of email and adding to them 2.1 Concepts document that you can find here in the Confidence section.  If you have suggestions for confidence, please start adding suggestions and comments to the document. 

https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.b5qdcxoqb22

Bret

---

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <jason.keirstead@ca.ibm.com>
Sent: Friday, September 16, 2016 5:46:17 AM
To: Wunder, John A.
Cc: Alexandre Dulaunoy; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

 

I can take a stab at it - non-normative, high level....

Confidence - The trust in the data behind the intelligence / the accuracy of the intelligence

Credibility - The trust in the source providing the intelligence

Severity - The criticality level of the exploit / malware / incident / event

Relevance - How relevant the exploit / malware / incident / event is to your organization

As I said - Relevance is normally tracked internally and would rarely leave an organization boundary - however tools still need to share it via STIX in my opinion.

"Credibility" to me is murky in that it is something likely tracked internally for an organization or ISAO, and not necessarily shared back. IE I am not going to want to publicize the fact that I do not trust intelligence from source X...

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Wunder, John A." ---09/15/2016 11:34:58 AM---Can somebody provide definitions that clearly define and distinguish all of these? Also do all of th

From: "Wunder, John A." <jwunder@mitre.org>
To: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 09/15/2016 11:34 AM
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>

---

Can somebody provide definitions that clearly define and distinguish all of these?

Also do all of them apply to all STIX Objects, or are some/all only applied to a subset?

John

On 9/15/16, 9:57 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:

   On 15/09/16 15:48, Jordan, Bret wrote:
   > Does everyone agree with these 4 properties?  If so, we can then start the discussion about how to classify values for each one.
   >
   > 1) Confidence
   > 2) Credibility
   > 3) Severity
   > 4) Relevance
   
   Likelihood probability (ICD 203) is also regularly used.
   
   https://github.com/MISP/misp-taxonomies/blob/master/estimative-language/machinetag.json
   
   Cheers.
   
   
   --
   Alexandre Dulaunoy
   CIRCL - Computer Incident Response Center Luxembourg
   41, avenue de la gare L-1611 Luxembourg
   info@circl.lu - www.circl.lu
   
   ---------------------------------------------------------------------
   To unsubscribe from this mail list, you must leave the OASIS TC that
   generates this mail.  Follow this link to all your TCs in OASIS at:
   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php