\item{\bf Cyber threat intelligence (CTI) is a vast concept} which spans different fields, such as intelligence as defined in the military community, in the financial sector or in the intelligence community
\item{\bf The MISP project doesn't want to lock an organisation or a user into a specific model}. Each model is useful depending on the objectives of an organisation
\item A set of pre-defined knowledge bases and data models is available, and organisations can select (or create) what they need
\item This session gives an overview of the most used taxonomies, galaxies and objects
\item The scope can be classification ({\it tlp, PAP}), type ({\it osint, type, veris}), state ({\it workflow}), collaboration ({\it collaborative-intelligence}) and many other fields
\item MISP taxonomies documentation is available\footnote{\url{https://www.misp-project.org/taxonomies.html}}
\item{\bf Review existing practices of tagging in your sharing community, reuse practices and improve context}
\frametitle{Meta information and contextualisation 2/2}
\begin{itemize}
\item{\bf When information cannot be expressed in the triple tag format} ({\it namespace:predicate=value}), MISP provides galaxies
\item Galaxies contain a huge set of common libraries\footnote{\url{https://www.misp-project.org/galaxy.html}} such as threat actors, malicious tools, RAT, Ransomware, target information and many more
\item When tagging or adding a galaxy cluster, don't forget that tagging at event level applies to the whole event (including attributes and objects). Tagging at attribute level often gives a more specific context
\item{\bf Words of Estimative Probability}\footnote{\url{https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html}} proposes clear wording for estimating the probability of occurrence of an event.
\item A MISP taxonomy called {\bf estimative-language}\footnote{\url{https://www.misp-project.org/taxonomies.html}} proposes an applied model to tag information.
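Added example (not part of the original slides and not MISP's own code): a small parser for the triple tag format {\it namespace:predicate=value}, accepting the value with or without quotes, which also shows an attribute carrying its event's tags plus its own. The function names and the sample tags are constructed for illustration.

```python
import re
from collections import defaultdict

# namespace:predicate  or  namespace:predicate="value" (quotes optional on input)
MACHINE_TAG = re.compile(
    r'^(?P<namespace>[\w.+-]+):(?P<predicate>[\w.+-]+)'
    r'(?:=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^"\s]+)))?$'
)

def parse_tag(tag):
    """Return (namespace, predicate, value-or-None), or None for a free-text tag."""
    m = MACHINE_TAG.match(tag.strip())
    if not m:
        return None
    value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return m.group("namespace"), m.group("predicate"), value

def split_tags(tags):
    """Group machine tags by namespace; collect tags that do not fit the format."""
    by_namespace, free_text = defaultdict(list), []
    for tag in tags:
        parsed = parse_tag(tag)
        if parsed is None:
            free_text.append(tag)
        else:
            by_namespace[parsed[0]].append(parsed[1:])
    return dict(by_namespace), free_text

def attribute_context(event_tags, attribute_tags):
    """Event-level tags cover the whole event, so an attribute carries both sets."""
    merged = list(event_tags) + [t for t in attribute_tags if t not in event_tags]
    return split_tags(merged)

# Constructed sample tags (not taken from a real event).
EVENT_TAGS = ['tlp:amber', 'admiralty-scale:source-reliability="b"']
ATTRIBUTE_TAGS = ['estimative-language:likelihood-probability="very-likely"',
                  'seen in phishing wave']

if __name__ == "__main__":
    machine, free_text = attribute_context(EVENT_TAGS, ATTRIBUTE_TAGS)
    for namespace, entries in machine.items():
        print(namespace, entries)
    print("not a triple tag:", free_text)
```
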
\frametitle{Reliability, credibility and confidence}
\begin{itemize}
\item The {\bf Admiralty Scale}\footnote{\url{https://www.ijlter.org/index.php/ijlter/article/download/494/234}, {\it US Army Field Manual 2-22.3, 2006}} (also called the NATO System) is used to rank the reliability of a source and the credibility of a piece of information
\item A MISP taxonomy called admiralty-scale\footnote{\url{https://www.misp-project.org/taxonomies.html}}
\item {\bf JP 2-0, Joint Intelligence}\footnote{\url{http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2\_0.pdf} page 114} (page 114) includes an appendix to express confidence in analytic judgments
\item A MISP predicate in estimative-language called confidence-in-analytic-judgment\footnote{\url{https://www.misp-project.org/taxonomies.html}}
There are more than 150 MISP object templates\footnote{\url{https://www.misp-project.org/objects.html}}.\\
As an example, at CIRCL, we regularly use the following object templates: {\it file}, {\it microblog}, {\it domain-ip}, {\it ip-port}, {\it coin-address}, {\it virustotal-report}, {\it paste}, {\it person}, {\it ail-leak}, {\it pe}, {\it pe-section}, {\it registry-key}.\\
A series of OSINT tweets from a security researcher.
To structure the thread, the information
and keep a history.\\
\includegraphics[scale=0.15]{emotet.png}
\column{0.49\textwidth}\underline{Object to use}\\
The microblog object can be used for a tweet or any microblog post (e.g. Facebook). Objects can then be linked using {\it followed-by} to describe a series of posts.\\