Building a common language to face future incidents - ENISA and European CSIRTs establish a dedicated task force
ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a ‘Reference Security Incident Classification Taxonomy’.
Published on January 26, 2018
Over the past few years, there have been numerous discussions on the topic of ‘security incident classification taxonomies’. A number of initiatives even resulted in new or modified taxonomies, such as the ‘Common Taxonomy for (LE) Law Enforcement and CSIRTs’, which was set up to simplify the cooperation between CSIRTs and law enforcement agencies (LEAs). This taxonomy resulted from collaboration initiatives such as the annual ENISA/Europol’s European Cybercrime Centre (EC3) Workshop, which involved CSIRTs, LEAs, ENISA, and EC3. Other examples include the eCSIRT.net taxonomy, which was developed in 2003, and the eCSIRT.net mkVI taxonomy, an adaptation of the original version.
Creating a taxonomy is a difficult task as for instance classifying security incidents is very complex due to overlapping categories and different facets of such incidents. Organisations defining taxonomies are typically driven by their own needs, and since different CSIRTs have distinct expectations, those teams often end up developing their own incident classifications for internal use. In fact, even the ‘Common Taxonomy for LE and CSIRTs’ is an adaptation of the CERT.PT taxonomy, which in turn is based on the eCSIRT.net mkVI taxonomy. Likewise, there have been many taxonomies that are in essence only modifications of other versions.
As the need for information exchange, incident reporting and use of automation in incident response increases, it is becoming evident that developing a set of standardised guidelines is crucial. This common ground would help incident handlers in dealing with technical incidents on a daily basis. Moreover, it could assist policy decision makers by offering a standardised reference for discussing and drafting relevant policies such as the EU cyber security strategy and ‘The Directive on security of network and information systems’ (NIS Directive).
Following a discussion amongst the CSIRT community during the ‘51st TF-CSIRT meeting’ (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is where the so-called ‘Reference Incident Classification Taxonomy Task Force’ comes into play.
The aim of this task force is to enable the CSIRT community in reaching a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:
- Develop a reference document
- Define and develop an update and versioning mechanism
- Host the reference document
- Organise regular physical meetings with stakeholders
The next meeting will be held during the ‘53rd TF-CSIRT meeting’ (5-7 February 2018 co-located with FIRST in Hamburg, Germany) where the following topics will be addressed:
- Confirm starting point for the reference taxonomy
- Review and consolidate incident classifications and definitions of the reference taxonomy
- Define update workflow and versioning mechanism
- Decide about who will be hosting the online reference taxonomy
- Propose the next steps
It is important to note that the task force is composed of members of European CSIRT teams, the Common Taxonomy Governance Group (including representatives from ENISA and EC3), tool developers (MISP/IntelMQ, etc.), and taxonomy owners (owner of eCSIRT.net).
For more information on the status, and the next steps to come regarding the ‘Reference Security Incident Classification Taxonomy’, please refer to the document below:
https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy/
Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!
News items:
http://www.enisa.europa.eu/media/news-items/news-wires/RSS
PRs:
http://www.enisa.europa.eu/media/press-releases/press-releases/RS