chg: [expressing confidence] added
parent
82e73bd657
commit
5b39bc9cd1
|
@ -0,0 +1,17 @@
|
|||
=== Expressing confidence in an analysis
|
||||
|
||||
NOTE: Expressing the confidence or the lack of in an analysis is critical step to help a partner or a third-party to check your hypotheses and conclusions.
|
||||
|
||||
Analysis or reports are often shared with technical details but often lack the overall confidence level associated.
|
||||
|
||||
Adding confidence or estimative probability have multiple advantages such as:
|
||||
|
||||
- Allowing receiving organisations to filter, classify and score the information in an automated way
|
||||
- Information with low-confidence can still be shared and reach communities or organisations interested in such information without impacting organisations filtering out by confidence level
|
||||
- Supporting counter and competitive analyses to validate hypotheses expressed in original reporting
|
||||
|
||||
Complement analysis with contrary evidences is also very welcome to ensure the original analysis and the hypotheses evaluated.
|
||||
|
||||
TIP: MISP taxonomies contain an exhaustive list of confidence levels including words of https://www.misp-project.org/taxonomies.html#_estimative_language[estimative probability] or confidence in analytic judgment.
|
||||
|
||||
TIP: threat-intelligence.eu includes an overview of the https://www.threat-intelligence.eu/methodologies/[methodologies and process to support threat intelligence].
|
|
@ -18,6 +18,11 @@ include::{sourcedir}improving-analysis.adoc[]
|
|||
include::{sourcedir}what-to-share.adoc[]
|
||||
|
||||
<<<
|
||||
|
||||
include::{sourcedir}expressing-confidence.adoc[]
|
||||
|
||||
<<<
|
||||
|
||||
== Authors and Contributors
|
||||
|
||||
- Alexandre Dulaunoy
|
||||
|
|
80
book.html
80
book.html
|
@ -446,6 +446,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
|
|||
<ul class="sectlevel2">
|
||||
<li><a href="#_improving_analysis">Improving Analysis</a></li>
|
||||
<li><a href="#_what_to_share_or_what_counts_as_valuable_information">What To Share or What Counts As Valuable Information?</a></li>
|
||||
<li><a href="#_expressing_confidence_in_an_analysis">Expressing confidence in an analysis</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#_authors_and_contributors">Authors and Contributors</a></li>
|
||||
|
@ -472,14 +473,13 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
|
|||
<i class="fa icon-note" title="Note"></i>
|
||||
</td>
|
||||
<td class="content">
|
||||
Improvement of analysis can range from simple notification of a false-positive, a typographic error up to a complete competitive or counter analysis of the original analysis.
|
||||
Improvement of the analysis process can range from a simple notification of a false-positive or the correction of a typographic error, all the way up to a complete competitive or counter analysis of the original analysis.
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>A common difficulty in threat intelligence is to improve existing analysis and how to do efficiently. One of the main question is to ask what will be the target audience
|
||||
of the improved analysis and the objective:</p>
|
||||
<p>A common difficulty in threat intelligence is to improve existing analyses and especially how to do it efficiently. One of the main questions to ask is: what will be the target audience of the improved analysis and the objective thereof?</p>
|
||||
</div>
|
||||
<div class="olist arabic">
|
||||
<ol class="arabic">
|
||||
|
@ -487,18 +487,18 @@ of the improved analysis and the objective:</p>
|
|||
<p>Informing the original analyst/author (e.g. a security vendor or a CSIRT) about a specific mistake or error which needs to be corrected.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Improving an existing analysis by performing a complementary analysis or review which will be shared and used by another group (e.g. a specific constituency, team within your organisation or member of an ISAC).</p>
|
||||
<p>Improving an existing analysis by performing a complementary analysis or review which will be shared to and used by another group (e.g. a specific constituent, or a team within your organisation or a member of an ISAC, etc).</p>
|
||||
</li>
|
||||
</ol>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>In the case number 1, MISP includes a mechanism to propose changes to the original creator. This mechanism is called proposal. By using proposal, you can propose a change in the value of an attribute (such as a typographic in an IP address, missing contextual information, type of the information, the category or the removal of an IDS flag). The proposal will be sent back to the original author who can decide to accept the proposal or discard it.</p>
|
||||
<p>In the first case, MISP includes a mechanism to propose changes to the original creator, a mechanism we refer to as proposals. By using proposals, you can propose a change to the value or the context of an attribute (such as a typographic error in an IP address, missing contextual information, type of the information, the category or the removal of an IDS flag). The proposal will be sent back to the original author who can decide to accept or discard it.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Adding proposal has some major advantages such as being very quick and there is no need to create a new event. But such approach works only if you are willing to lose control over the data. This is pretty efficient for small changes but if additional information such as galaxy or objects need to be added then the event extension is more appropriate.</p>
|
||||
<p>The advantages of using the proposal system include the lack of a need to create a new event as well as the process itself being very simple and fast. However, it assumes that the party providing the improvements is willing to lose control over the proposed data. This is pretty efficient for small changes but for more comprehensive changes, especially those that include non-attribute information such as galaxy clusters or objects, the event extension is more appropriate.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>In the case number 2, the extend event functionality is very handy. The extend event allow to create your own information into a self-contained event (which can have custom distribution rules) and reference the original analysis. The information can be shared back to the original author or kept in a limited scope such as a specific sector or trust group.</p>
|
||||
<p>Apart from being more suitable for more comprehensive changes, the second scenario is also a great fit for the extended event functionality, allowing users wanting to provide additional information or an alternate view-point with the opportunity of creating a self-contained event (which can have its own custom distribution rules) that references the original analysis. This information can be shared back to the original author or kept within a limited distribution scope such as a specific sector, a trust group or as internal information for the organisation providing the additional information.</p>
|
||||
</div>
|
||||
<div class="admonitionblock tip">
|
||||
<table>
|
||||
|
@ -507,7 +507,7 @@ of the improved analysis and the objective:</p>
|
|||
<i class="fa icon-tip" title="Tip"></i>
|
||||
</td>
|
||||
<td class="content">
|
||||
For more information about the extend event functionality in MISP, the blog post <strong><a href="http://www.misp-project.org/2018/04/19/Extended-Events-Feature.html">Introducing The New Extended Events Feature in MISP</a></strong> includes a lot of details.
|
||||
For more information about the extended event functionality in MISP, the blog post <strong><a href="http://www.misp-project.org/2018/04/19/Extended-Events-Feature.html">Introducing The New Extended Events Feature in MISP</a></strong> includes a lot of details.
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
@ -582,6 +582,68 @@ When asking for the support of the community, using a specific taxonomy such as
|
|||
</div>
|
||||
<div style="page-break-after: always;"></div>
|
||||
</div>
|
||||
<div class="sect2">
|
||||
<h3 id="_expressing_confidence_in_an_analysis">Expressing confidence in an analysis</h3>
|
||||
<div class="admonitionblock note">
|
||||
<table>
|
||||
<tr>
|
||||
<td class="icon">
|
||||
<i class="fa icon-note" title="Note"></i>
|
||||
</td>
|
||||
<td class="content">
|
||||
Expressing the confidence or the lack of in an analysis is critical step to help a partner or a third-party to check your hypotheses and conclusions.
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Analysis or reports are often shared with technical details but often lack the overall confidence level associated.</p>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Adding confidence or estimative probability have multiple advantages such as:</p>
|
||||
</div>
|
||||
<div class="ulist">
|
||||
<ul>
|
||||
<li>
|
||||
<p>Allowing receiving organisations to filter, classify and score the information in an automated way</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Information with low-confidence can still be shared and reach communities or organisations interested in such information without impacting organisations filtering out by confidence level</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Supporting counter and competitive analyses to validate hypotheses expressed in original reporting</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>Complement analysis with contrary evidences is also very welcome to ensure the original analysis and the hypotheses evaluated.</p>
|
||||
</div>
|
||||
<div class="admonitionblock tip">
|
||||
<table>
|
||||
<tr>
|
||||
<td class="icon">
|
||||
<i class="fa icon-tip" title="Tip"></i>
|
||||
</td>
|
||||
<td class="content">
|
||||
MISP taxonomies contain an exhaustive list of confidence levels including words of <a href="https://www.misp-project.org/taxonomies.html#_estimative_language">estimative probability</a> or confidence in analytic judgment.
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<div class="admonitionblock tip">
|
||||
<table>
|
||||
<tr>
|
||||
<td class="icon">
|
||||
<i class="fa icon-tip" title="Tip"></i>
|
||||
</td>
|
||||
<td class="content">
|
||||
threat-intelligence.eu includes an overview of the <a href="https://www.threat-intelligence.eu/methodologies/">methodologies and process to support threat intelligence</a>.
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<div style="page-break-after: always;"></div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="sect1">
|
||||
|
@ -619,7 +681,7 @@ When asking for the support of the community, using a specific taxonomy such as
|
|||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2018-07-01 17:39:08 CEST
|
||||
Last updated 2018-09-22 21:21:07 CEST
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
|
Loading…
Reference in New Issue