I can take a stab at it - non-normative, high level....
Confidence - The trust in the data behind the intelligence / the accuracy of the intelligence
Credibility - The trust in the source providing the intelligence
Severity - The criticality level of the exploit / malware / incident / event
Relevance - How relevant the exploit / malware / incident / event is to your organization
As I said - Relevance is normally tracked internally and would rarely leave an organization boundary - however tools still need to share it via STIX in my opinion.
"Credibility" to me is murky in that it is something likely tracked internally for an organization or ISAO, and not necessarily shared back. I.e., I am not going to want to publicize the fact that I do not trust intelligence from source X...
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: "Wunder, John A." <jwunder@mitre.org>
To: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 09/15/2016 11:34 AM
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>
Can somebody provide definitions that clearly define and distinguish all of these?
Also do all of them apply to all STIX Objects, or are some/all only applied to a subset?
John
On 9/15/16, 9:57 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:
On 15/09/16 15:48, Jordan, Bret wrote:
> Does everyone agree with these 4 properties? If so, we can then start the discussion about how to classify values for each one.
>
> 1) Confidence
> 2) Credibility
> 3) Severity
> 4) Relevance
Likelihood probability (ICD 203) is also regularly used.
https://github.com/MISP/misp-taxonomies/blob/master/estimative-language/machinetag.json
Cheers.
--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu