=== Expressing confidence/estimative probability in an analysis
NOTE: Expressing confidence, or the lack of it, in an analysis is a critical step in helping a partner or a third party check your hypotheses and conclusions.

Analyses and reports are often shared together with technical details, but often lack an associated overall confidence level.
To express this confidence level you can use, for example, the MISP <<MISPTaxonomies>> called https://www.misp-project.org/taxonomies.html#_admiralty_scale[admiralty-scale] and/or https://www.misp-project.org/taxonomies.html#_estimative_language[estimative-language].
This is a very human way to describe either an event globally or individual indicators of an event, with a set of easy-to-read tags (e.g. `admiralty-scale:source-reliability="a/b/c..."`, `estimative-language:likelihood-probability="almost-no-chance"`, `estimative-language:confidence-in-analytic-judgment="moderate"`).

Generally it is good practice to do this globally for the event, as setting it increases the trust in and value of the event. If the confidence concerns a specific attribute, it can be described at that more granular level.

Thus, adding confidence or estimative probability has multiple advantages, such as:

- Allow receiving organisations to filter, classify and score the information in an automated way based on related tags
- Information with low confidence can still be shared and reach communities or organisations interested in such information, without impacting organisations that filter out information below a given confidence level
- Support counter analyses and competitive analyses to validate hypotheses expressed in original reporting
- Expressing confidence allows the use of the https://www.misp-project.org/2019/09/12/Decaying-Of-Indicators.html/[decaying indicators feature] in MISP to lower or increase the lifetime of a piece of information

Complementing an analysis with contrary evidence is also very welcome, to ensure the original analysis and its hypotheses are properly evaluated.
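
The automated filtering and classification described above can be sketched as follows. This is an added example, not code from MISP or from this guide: the `triage` function, its thresholds, the ordinal ranks and the sample events are assumptions made for illustration, and events are simplified to a dict with a list of tag strings.

```python
import re

# MISP machine tag ("triple tag") syntax: namespace:predicate="value"
TAG_RE = re.compile(r'^([a-z0-9_-]+):([a-z0-9_-]+)="([^"]*)"$')

# Ordinal ranks chosen for this example (an assumption, not values shipped by MISP).
CONFIDENCE = {"low": 1, "moderate": 2, "high": 3}
# Admiralty "f" means reliability cannot be judged, so it is left unranked.
RELIABILITY = {"e": 1, "d": 2, "c": 3, "b": 4, "a": 5}


def parse_tags(tags):
    """Map (namespace, predicate) -> value; tags without a quoted value are skipped."""
    parsed = {}
    for tag in tags:
        match = TAG_RE.match(tag.strip())
        if match:
            namespace, predicate, value = match.groups()
            parsed[(namespace, predicate)] = value.lower()
    return parsed


def triage(event, min_confidence="moderate", min_reliability="c"):
    """Return 'accept', 'review' or 'unrated' for one event."""
    tags = parse_tags(event["tags"])
    ratings = [
        (CONFIDENCE, tags.get(("estimative-language", "confidence-in-analytic-judgment")), min_confidence),
        (RELIABILITY, tags.get(("admiralty-scale", "source-reliability")), min_reliability),
    ]
    rated = [(scale[value], scale[floor]) for scale, value, floor in ratings if value in scale]
    if not rated:
        return "unrated"   # sender expressed no usable confidence
    if all(score >= floor for score, floor in rated):
        return "accept"    # meets every threshold the sender rated
    return "review"        # still ingested, but routed to an analyst


# Constructed sample events (simplified dicts, not full MISP JSON).
EVENTS = [
    {"info": "Phishing kit", "tags": ['admiralty-scale:source-reliability="b"',
                                      'estimative-language:confidence-in-analytic-judgment="high"', "tlp:green"]},
    {"info": "Possible C2", "tags": ['estimative-language:confidence-in-analytic-judgment="low"']},
    {"info": "Untagged feed item", "tags": ["tlp:amber", 'admiralty-scale:source-reliability="f"']},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f'{ev["info"]}: {triage(ev)}')
```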

TIP: <<MISPTaxonomies>> contain an exhaustive list of confidence levels including words of https://www.misp-project.org/taxonomies.html#_estimative_language[estimative probability] or confidence in analytic judgment.

TIP: threat-intelligence.eu includes an overview of the https://www.threat-intelligence.eu/methodologies/[methodologies and process to support threat intelligence].