Subject: Re: [cti] MISP format <-> STIX 2.0 - Discussions
On 08/05/17 14:48, Nicholas Hayden wrote:
> Unfortunately, we're running into issues with non-standardized tagging in our
> current systems now. Each vendor does have their own tagging format, for example:
>
> APT-1
> apt1
> Apt 1
> apt-1
>
> When a search is done on APT-1 not all the results are returned because half the
> data is tagged with apt1. I can probably generate many more use cases. The
> question that should be asked is, do we leave the standardizing of tagging to the
> working group or do we leave it with the vendors? Are we prepared to take on
> that challenge?

It's indeed a huge challenge and that's what we have tried to do for the past 2 years with MISP taxonomies[1] and galaxy[2].

The taxonomies are there to help users find the right tagging (the taxonomy project started due to organisations using free tagging and formatting on their own, like tlp:amber, tlp-amber, tlp_amber or tlp amber). We can see nowadays that when a MISP community enables a taxonomy, they tend to be consistent with the naming, as it's easier to use an existing namespace than to start your own tagging.

For the threat-actor (as an example) in a galaxy cluster, we use a synonym list to support the cases where users tend to name an element with a different name:

{
  "meta": {
    "synonyms": [
      "Comment Panda",
      "PLA Unit 61398",
      "APT 1",
      "Advanced Persistent Threat 1",
      "Byzantine Candor",
      "Group 3",
      "TG-8223",
      "Comment Group"
    ],
    "country": "CN",
    "refs": [
      "https://en.wikipedia.org/wiki/PLA_Unit_61398",
      "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"
    ]
  },
  "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
  "value": "Comment Crew"
}

During the face-2-face meeting in Brussels, we had a small discussion about using the existing MISP taxonomies as vocabularies, markings or labels. But the final conclusion was to use only labels as-is with the expanded namespace. From our point of view, this is a partial solution and doesn't support more advanced use cases well. As some vendors are already using our taxonomies or galaxy in their products, we wouldn't mind reusing this and providing a way to map those into STIX properly[3] (still an open discussion).

Just my 2 cents.

[1] https://github.com/MISP/misp-taxonomies
    https://www.misp.software/taxonomies.html
    https://www.misp.software/taxonomies.pdf
[2] https://github.com/MISP/misp-galaxy/
    https://www.misp.software/galaxy.html
    https://www.misp.software/galaxy.pdf
[3] https://github.com/MISP/MISP/wiki/NotesMISP-STIX2

-- 
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare
L-1611 Luxembourg
info@circl.lu - www.circl.lu
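The two mechanisms discussed in the thread, a galaxy cluster's synonym list and a taxonomy namespace, can be used to make the "APT-1 / apt1 / Apt 1 / apt-1" search problem go away at ingest time. The following is an added illustration, not code from the thread or from the MISP project: it keeps only the fields of the quoted "Comment Crew" cluster that matter for name resolution, and the `tlp` taxonomy entries are a constructed subset; all function names are hypothetical.

```python
import re
from typing import Optional

# Constructed subset of the MISP galaxy "Comment Crew" cluster quoted above;
# only the fields needed for name resolution are kept.
COMMENT_CREW_CLUSTER = {
    "value": "Comment Crew",
    "meta": {
        "synonyms": [
            "Comment Panda", "PLA Unit 61398", "APT 1",
            "Advanced Persistent Threat 1", "Byzantine Candor",
            "Group 3", "TG-8223", "Comment Group",
        ],
    },
}

# Constructed taxonomy: the tlp namespace with its predicates.
TAXONOMIES = {"tlp": {"white", "green", "amber", "red"}}


def canonical_key(name: str) -> str:
    """Collapse case, whitespace and punctuation so that 'APT-1', 'apt1',
    'Apt 1' and 'apt-1' all map to the same key ('apt1')."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_synonym_index(clusters) -> dict:
    """Map the canonical key of each cluster value and synonym to the value."""
    index = {}
    for cluster in clusters:
        names = [cluster["value"]] + cluster.get("meta", {}).get("synonyms", [])
        for name in names:
            index[canonical_key(name)] = cluster["value"]
    return index


def resolve_actor(tag: str, index: dict) -> Optional[str]:
    """Return the galaxy cluster value for a free-form actor tag, else None."""
    return index.get(canonical_key(tag))


def normalize_taxonomy_tag(tag: str) -> Optional[str]:
    """Rewrite 'tlp-amber', 'tlp_amber' or 'TLP amber' into the machine-tag
    form 'tlp:amber' when the namespace and predicate exist in a taxonomy."""
    m = re.fullmatch(r"\s*([A-Za-z0-9]+)[\s:_\-]+([A-Za-z0-9]+)\s*", tag)
    if not m:
        return None
    namespace, predicate = m.group(1).lower(), m.group(2).lower()
    if predicate in TAXONOMIES.get(namespace, ()):
        return f"{namespace}:{predicate}"
    return None
```

Because the lookup key discards punctuation, distinct names that differ only in punctuation would collide; in practice that is resolved by curating the synonym list rather than by the key function.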