Subject: Re: [cti] MISP format <-> STIX 2.0 - Discussions


On 08/05/17 14:48, Nicholas Hayden wrote:
> Unfortunately, we're running into issues with non-standardized tagging in our 
> current systems now.  Each vendor does have their own tagging format, for example:
> 
> APT-1
> apt1
> Apt 1
> apt-1
> 
> When a search is done on APT-1 not all the results are returned because half the 
> data is tagged with apt1.  I can probably generate many more use cases.  The 
> question that should be asked is, do we leave the standardizing of tagging to the 
> working group or do we leave it with the vendors?  Are we prepared to take on 
> that challenge?

It's indeed a huge challenge and that's what we have tried to do for the past 2 years
with MISP taxonomies[1] and galaxy[2].

The taxonomies are there to help users to find the right tagging (the taxonomy
project started due to organisations using free tagging and formatting on their own, like
tlp:amber, tlp-amber, tlp_amber or tlp amber).

We can see nowadays that when a MISP community enables a taxonomy, they tend
to be consistent with the naming, as it's easier to use an existing namespace than
to start your own tagging.

For the threat-actor (as an example) in a cluster galaxy, we use a synonym list
to support the cases where users tend to name an element with a different name:

{
  "meta": {
    "synonyms": [
      "Comment Panda",
      "PLA Unit 61398",
      "APT 1",
      "Advanced Persistent Threat 1",
      "Byzantine Candor",
      "Group 3",
      "TG-8223",
      "Comment Group"
    ],
    "country": "CN",
    "refs": [
      "https://en.wikipedia.org/wiki/PLA_Unit_61398",
      "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"
    ]
  },
  "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
  "value": "Comment Crew"
}

During the face-to-face meeting in Brussels, we had a small discussion about using
the existing MISP taxonomy as vocabularies, markings or labels. But the final conclusion
was to use only labels as is, with the expanded namespace. From our point of view, this
is a partial solution and doesn't support more advanced use cases well.

As some vendors are already using our taxonomies or galaxy in their products, we wouldn't mind
reusing this and providing a way to map those into STIX properly[3] (still an open discussion).

Just my 2 cents.



[1] https://github.com/MISP/misp-taxonomies
    https://www.misp.software/taxonomies.html
    https://www.misp.software/taxonomies.pdf

[2] https://github.com/MISP/misp-galaxy/
    https://www.misp.software/galaxy.html
    https://www.misp.software/galaxy.pdf

[3] https://github.com/MISP/MISP/wiki/NotesMISP-STIX2



-- 
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu
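As an added illustration of the two mechanisms discussed in this thread (not code from MISP or from either poster), the following Python resolves the free-form threat-actor variants from the quoted message (APT-1, apt1, Apt 1, apt-1) against a galaxy cluster's synonym list, and rewrites loosely formatted taxonomy tags (tlp-amber, tlp_amber, tlp amber) into the machinetag form namespace:predicate. The cluster data is the "Comment Crew" entry shown above, trimmed; the second cluster, the tlp predicate list and the tagged records are constructed here for the example.

```python
import re

# Constructed sample: the "Comment Crew" cluster from the message (description and
# refs dropped) plus a second, invented cluster so lookups have something to miss.
SAMPLE_GALAXY_CLUSTERS = [
    {
        "meta": {
            "synonyms": ["Comment Panda", "PLA Unit 61398", "APT 1",
                         "Advanced Persistent Threat 1", "Byzantine Candor",
                         "Group 3", "TG-8223", "Comment Group"],
            "country": "CN",
        },
        "value": "Comment Crew",
    },
    {
        "meta": {"synonyms": ["Example Actor"], "country": "ZZ"},  # constructed
        "value": "Placeholder Actor",
    },
]

# Constructed sample taxonomy: namespace -> allowed predicates (tlp-style).
SAMPLE_TAXONOMY = {"tlp": ["white", "green", "amber", "red"]}


def fold(name: str) -> str:
    """Collapse case, whitespace and separators so 'APT-1', 'Apt 1' and 'apt1' agree."""
    return re.sub(r"[^a-z0-9]+", "", name.lower())


def build_synonym_index(clusters):
    """Map every folded synonym (and the canonical value itself) to the cluster value.

    Raises if two clusters claim the same folded name, since a silent overwrite
    would make searches return the wrong actor without anyone noticing.
    """
    index = {}
    for cluster in clusters:
        canonical = cluster["value"]
        for name in [canonical] + cluster.get("meta", {}).get("synonyms", []):
            key = fold(name)
            if key in index and index[key] != canonical:
                raise ValueError(f"ambiguous synonym {name!r}: "
                                 f"{index[key]!r} vs {canonical!r}")
            index[key] = canonical
    return index


SYNONYM_INDEX = build_synonym_index(SAMPLE_GALAXY_CLUSTERS)


def resolve_actor(name: str, index=SYNONYM_INDEX):
    """Return the canonical galaxy value for a free-form actor name, or None."""
    return index.get(fold(name))


def normalize_taxonomy_tag(tag: str, taxonomy=SAMPLE_TAXONOMY):
    """Rewrite 'tlp-amber' / 'tlp_amber' / 'TLP amber' to 'tlp:amber'.

    Returns None when the namespace or predicate is not in the taxonomy, so a
    typo never becomes a new, unsearchable tag.
    """
    m = re.fullmatch(r"\s*([A-Za-z0-9]+)[\s:_\-]+([A-Za-z0-9]+)\s*", tag)
    if not m:
        return None
    namespace, predicate = m.group(1).lower(), m.group(2).lower()
    if predicate in taxonomy.get(namespace, []):
        return f"{namespace}:{predicate}"
    return None


def records_matching(records, query: str, index=SYNONYM_INDEX):
    """The search from the quoted message: records whose actor tag resolves to
    the same cluster as the query, whatever spelling each vendor used."""
    target = resolve_actor(query, index)
    if target is None:
        return []
    return [r for r in records if resolve_actor(r["actor"], index) == target]


# Constructed records, tagged with the four variants from the quoted message.
SAMPLE_RECORDS = [
    {"id": 1, "actor": "APT-1"},
    {"id": 2, "actor": "apt1"},
    {"id": 3, "actor": "Apt 1"},
    {"id": 4, "actor": "apt-1"},
    {"id": 5, "actor": "Example Actor"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["actor"], "->", resolve_actor(r["actor"]))
    print([r["id"] for r in records_matching(SAMPLE_RECORDS, "APT-1")])
    for t in ["tlp:amber", "tlp-amber", "tlp_amber", "tlp amber", "tlp:purple"]:
        print(t, "->", normalize_taxonomy_tag(t))
```

The folding step is deliberately aggressive (it drops every non-alphanumeric character), which is what makes the four vendor spellings collide; the synonym index then decides which collisions are legitimate, and the ambiguity check in build_synonym_index is the place where a real galaxy import should fail loudly rather than guess.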

