MISP
/
best-practices-in-threat-intelligence
mirror of https://github.com/MISP/best-practices-in-threat-intelligence
2
0
Fork 0
Code Issues Releases Wiki Activity

minor changes

pull/7/head
neok0 2018-12-09 16:09:24 +01:00
parent bbfc651c61
commit 60640f40c3
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
best-practices/intelligence-tagging.adoc
View File

@ -27,9 +27,9 @@ This data must not leave the boundaries of this virtual border of the recipient
There are multiple solutions and proposals to solve the issue of missing additional information about the shared content in form of tags.
One of these is the following list of tags which should be at least present to either the event itself or the individual attributes (in this order of importance):
. *https://github.com/MISP/misp-taxonomies/blob/master/tlp/machinetag.json[TLP-Tag]*: https://www.us-cert.gov/tlp[TLP]* utilizes a simple four color schema for indicating how intelligence can be shared.
. *https://github.com/MISP/misp-taxonomies/blob/master/veris/machinetag.json[Confidence]*/*https://github.com/MISP/misp-taxonomies/blob/master/cssa/machinetag.json[Vetting State]*: There are huge differences in the quality of data, whether it was vetted upon sharing. As this means that the author was confident that the shared data is or at least was a good indicator of compromise.
. *https://github.com/MISP/misp-taxonomies/blob/master/cssa/machinetag.json[Origin]*: Describes where the information came from, whether it was in an automated fashion or in a manual investigation. This should give an impression how value this intelligence is, as manual investigation should supersede any automatic generation of data.
. *https://github.com/MISP/misp-taxonomies/blob/master/PAP/machinetag.json[PAP]*: An even more advanced approach of data classification is using the Permissible Actions Protocol. It indicates how the received data can be used to search for compromises within the individual company or constituency.
. *https://github.com/MISP/misp-taxonomies/blob/master/tlp/machinetag.json[TLP-Tags]*: https://www.us-cert.gov/tlp[TLP] utilizes a simple four color schema for indicating how intelligence can be shared.
. *https://github.com/MISP/misp-taxonomies/blob/master/veris/machinetag.json[Confidence-Tags]*/*https://github.com/MISP/misp-taxonomies/blob/master/cssa/machinetag.json[Vetting State]*: There are huge differences in the quality of data, whether it was vetted upon sharing. As this means that the author was confident that the shared data is or at least was a good indicator of compromise.
. *https://github.com/MISP/misp-taxonomies/blob/master/cssa/machinetag.json[Origin-Tags]*: Describes where the information came from, whether it was in an automated fashion or in a manual investigation. This should give an impression how value this intelligence is, as manual investigation should supersede any automatic generation of data.
. *https://github.com/MISP/misp-taxonomies/blob/master/PAP/machinetag.json[PAP-Tags]*: An even more advanced approach of data classification is using the Permissible Actions Protocol. It indicates how the received data can be used to search for compromises within the individual company or constituency.
TIP: The full list of available taxonomies can be found *https://github.com/MISP/misp-taxonomies[here]*.