ENISA publishes a study on taxonomies used for incident detection and prevention, taking into account input received from the CSIRT community and previous ENISA studies.
The study i) performs a qualitative assessment on an indicative taxonomy landscape, ii) identifies use cases that would benefit from the use of taxonomies iii) provides a comparison among a variety of related and unrelated taxonomies in order to identify commonalities and differences iv) analyses the complexity of taxonomies in terms of malware incidents in order to illustrate the different ways of describing the same context available in the current landscape.
In particular, for each use case a requirement that a taxonomy should fulfil was identified. These use cases include: i) recording events from different sources, ii) automatic de-duplication, iii) ability to export in other taxonomies, iv) ability to aggregate and search events in the data, v) ability to exchange data with other CSIRTs, vi) feeding threat intelligence and vii) incident report management.
Good practices and recommendations
A set of good practices which take into account the shortcomings of taxonomies, as identified by CSIRTs during the study, highlight that:
- the top level categorisation of a taxonomy should be simple
- the categories within a taxonomy should be mutually exclusive
- taxonomies should support performance measurement
- taxonomies should have an appropriate level of ease of use
Key recommendations include:
•A centralised repository for hosting all relevant taxonomies along with their versions should be set up by ENISA. This would be a great benefit to the CSIRTs community as it would not only allow the selection of appropriate taxonomies for specific use cases, but it may also provide a general overview of what taxonomies or variations thereof are used by CSIRTs, which may be particularly useful in keeping statistics.
•A small set of common taxonomies should be agreed upon by CSIRTs at the EU level for specific use cases. This would provide examples of taxonomies based on the requirements of the CSIRTs network, which can be either implemented or used to implement a modified version of the taxonomy, saving time and effort that would be spent into researching taxonomies.
• “Other” or “Unknown”, “Tag” field should be used by the owners of taxonomies as an indicator to revise taxonomies, or if there is an increase in that category with incidents or events of the same type. For example, in a case involving ransomware, it is relevant that it should be categorised as ransomware, but also the type of ransomware (such as crypto locker, etc.), if the same tag is repeatedly used then it might also indicate the need for a new field.
•A roadmap towards standardised exchange formats in the CSIRTs community should be established at the EU level by the CSIRTs network. Such a roadmap should at least consider having CSIRTs agree use cases, definitions and concepts from an operational point of view for each use case; perform quantitative assessment (in addition to the qualitative assessment in this study) on the taxonomies used, a centralised repository for taxonomies, and a list of tags/values that can apply across taxonomies.
Key conclusions of the study, highly relevant for CSIRTs, indicate that:
- Taxonomies currently lack terms to properly handle the following: the impact of an incident, incidents with no malice intended, explicit fields for ransomware, whether the incident is confirmed, and the differentiation between intrusion attempts and intrusions.
The identified areas for potential improvement of existing taxonomies are based on the complexity, contextual information, mutual exclusivity or ambiguity, performance measurement, impact, sensitivity, confidentiality, and purpose of taxonomies
- There is currently no consensus on concepts and definitions related to taxonomies. Clear definitions reflecting the operational interpretation of the CSIRTs should be considered as a key success factor towards increasing cooperation between EU Member States.
Full report available online
For interviews and press enquiries please contact press@enisa.europa.eu Tel. +302814409576