
Update taxonomies to current RSIT and vice-versa #1380


Closed
5 of 21 tasks
ghost opened this issue Feb 15, 2019 · 2 comments
Labels: bug (Indicates an unexpected problem or unintended behavior), data-format
Milestone: 2.0.0
Comments


ghost commented Feb 15, 2019

There are currently multiple mismatches, as noted in #1350.

Our taxonomies are using a space character while the ENISA version uses dashes, e.g. malicious code (intelmq) vs malicious-code (ENISA). A summary of our differences:

From the taxonomy expert bot code, in intelmq but not in the ENISA eCSIRT-II taxonomy:

  • "dropzone": "information content security", # not in ENISA eCSIRT-II taxonomy
  • "leak": "information content security", # not in ENISA eCSIRT-II taxonomy
  • "backdoor": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "compromised": "intrusions", # not in ENISA eCSIRT-II taxonomy,
  • "defacement": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "unauthorized-command": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "unauthorized-login": "intrusions", # not in ENISA eCSIRT-II taxonomy
  • "botnet drone": "malicious code", # not in ENISA eCSIRT-II taxonomy, deprecated -> infected system
  • "dga domain": "malicious code", # not in ENISA eCSIRT-II taxonomy
  • "malware": "malicious code", # not in ENISA eCSIRT-II taxonomy
  • "ransomware": "malicious code", # not in ENISA eCSIRT-II taxonomy
  • "other": "other", # not in ENISA eCSIRT-II taxonomy
  • "proxy": "other", # not in ENISA eCSIRT-II taxonomy
  • "tor": "other", # not in ENISA eCSIRT-II taxonomy
  • "unknown": "other", # not in ENISA eCSIRT-II taxonomy
  • "vulnerable client": "vulnerable", # not in ENISA eCSIRT-II taxonomy
  • "vulnerable service": "vulnerable", # not in ENISA eCSIRT-II taxonomy

Differently named types:

  • "ids alert": "intrusion attempts", # ENISA eCSIRT-II taxonomy: 'ids-alert'
  • "c&c": "malicious code", # ENISA eCSIRT-II taxonomy: 'c2server'
  • "infected system": "malicious code", # ENISA eCSIRT-II taxonomy: 'infected-system'
  • "malware configuration": "malicious code", # ENISA eCSIRT-II taxonomy: 'malware-configuration'

From an intelmq perspective we always need to care about backwards compatibility.

cc @aaronkaplan @th-certbund

https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force
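As an added example (not intelmq's own code, and not part of this issue), the following Python mapper implements the renames and deprecations listed above in both directions and flags types the ENISA eCSIRT-II taxonomy does not define. It assumes the general space-to-dash rule stated above applies to any type not explicitly listed; that generalisation is an assumption, not something the issue confirms.

```python
"""Map intelmq classification.type values to ENISA eCSIRT-II (RSIT) names
and back. Example code for this issue, not intelmq's taxonomy expert bot."""

# Types intelmq uses that the ENISA eCSIRT-II taxonomy does not define
# (copied from the list in the issue).
NOT_IN_ENISA = {
    "dropzone", "leak", "backdoor", "compromised", "defacement",
    "unauthorized-command", "unauthorized-login", "botnet drone",
    "dga domain", "malware", "ransomware", "other", "proxy", "tor",
    "unknown", "vulnerable client", "vulnerable service",
}

# Differently named types, intelmq -> ENISA (from the issue).
RENAMED = {
    "ids alert": "ids-alert",
    "c&c": "c2server",
    "infected system": "infected-system",
    "malware configuration": "malware-configuration",
}

# Deprecated intelmq names and their replacement (from the issue).
DEPRECATED = {"botnet drone": "infected system"}

ENISA_MISSING = "not in ENISA eCSIRT-II taxonomy"


def to_enisa(intelmq_type):
    """Return (enisa_name, note) for an intelmq classification.type.

    note is None for a clean mapping, 'deprecated' when a deprecated
    intelmq name was rewritten first, or ENISA_MISSING when ENISA has
    no such type (the dashed form is still returned for consistency)."""
    t = intelmq_type.strip().lower()
    note = None
    if t in DEPRECATED:          # e.g. "botnet drone" -> "infected system"
        t, note = DEPRECATED[t], "deprecated"
    if t in RENAMED:
        return RENAMED[t], note
    if t in NOT_IN_ENISA:
        return t.replace(" ", "-"), ENISA_MISSING
    # Assumed general rule: intelmq spaces become ENISA dashes.
    return t.replace(" ", "-"), note


def from_enisa(enisa_type):
    """Reverse mapping (ENISA -> intelmq) for backwards compatibility."""
    reverse = {v: k for k, v in RENAMED.items()}
    t = enisa_type.strip().lower()
    if t in reverse:
        return reverse[t]
    if t in NOT_IN_ENISA:        # already-dashed intelmq names stay as they are
        return t
    return t.replace("-", " ")
```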

ghost added the bug and data-format labels Feb 15, 2019
ghost added this to the 2.0.0 milestone Feb 15, 2019

aaronkaplan (Member) commented

So, from what I get from #1350, the conclusion was to fix it in the next major release, right?

ghost self-assigned this May 14, 2019
ghost closed this as completed in e25cf7c May 14, 2019

ghost commented May 14, 2019

Did everything we can do here; next step: Taxonomy meeting. Split off #1409 for this.
