Merge pull request #1 from Delta-Sierra/master
Starting chapter about information classification and... WIP
pull/2/head
commit
dcadf7cab6
|
@ -0,0 +1,11 @@
|
|||
=== Building a workflow
|
||||
|
||||
NOTE: Having a workflow to follow and refer to is something useful for the analyst as well as for other people reading his analysis.
|
||||
|
||||
Keeping track of the advancement of an analysis, of what is done or still need to be done, is really important in order to not forget anything or not make the same work twice. So it is essential to have a clear method to keep these information clear and concise.
|
||||
|
||||
One of the possible methodologies is to use tags to mark the information.
|
||||
|
||||
For instance the MISP Workflow Taxonomy allows the user to describe the state of an analysis, as complete or incomplete. Moreover, it can be used to clearly specify what still need to be done using the todo tags.
|
||||
|
||||
TIP: For more information on the MISP Workflow Taxonomy, please feel free to read https://www.misp-project.org/taxonomies.html#_workflow[Workflow taxonomy cheat sheet].
|
|
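Review bot: several grammar slips in the new paragraphs should be fixed before this leaves WIP, mainly in the "Keeping track of the advancement" paragraph and the MISP Workflow Taxonomy paragraph: "what is done or still need to be done" should read "what is done or still needs to be done", "not forget anything or not make the same work twice" should read "not forget anything or do the same work twice", "keep these information clear and concise" should read "keep this information clear and concise", and "what still need to be done using the todo tags" should read "what still needs to be done using the todo tags". Consider also naming the taxonomy namespace as it appears in MISP (the `workflow` taxonomy, with its `complete`/`incomplete` and `todo` predicates) so readers can match the prose to the tags they will see in the interface, which the TIP link already points at.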
@ -0,0 +1,12 @@
|
|||
=== How to classify information
|
||||
|
||||
NOTE: Classifying information is something that has proven being very useful in lots of domains, including threat intelligence as it helps getting the main information very quickly. Moreover, it can help to build correlations between events or reports, allowing analysts to understand threat actors better.
|
||||
|
||||
The first tool we can use to classify information are tags and taxonomies
|
||||
. Tags can be used to describe how the information can be shared, using the tlp (Traffic Light Protocol) taxonomy, in order to prevent information leak.
|
||||
. They can also be used to describe the source where information come from.
|
||||
. Many taxonomies allow the user to explain the kind of threat the information
|
||||
--mapping--
|
||||
|
||||
- Galaxies
|
||||
- Comments
|
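Review bot: the third ordered item, "Many taxonomies allow the user to explain the kind of threat the information", is an unfinished sentence (no verb after "the information"), and the lines that follow it (`--mapping--`, `- Galaxies`, `- Comments`) are placeholders rather than content; if this is intentionally WIP, a short `// TODO` AsciiDoc comment would make that explicit to other contributors. Two smaller points: the introductory sentence "The first tool we can use to classify information are tags and taxonomies" has no terminating punctuation before the list starts (a colon would read naturally) and should use "is" since the subject is "tool"; and in the list, "prevent information leak" should be "prevent information leaks" and "where information come from" should be "where information comes from".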