Add TLP Classification Level to Artifacts, with Associated Behavior
In order to use Resilient in an MSSP environment, we would like to be able to classify the confidentiality of each artifact according to the Traffic Light Protocol, and use this classification to configure the relating functionalities of Resilient.
The classification should be used in integrations with Threat Information Platforms.
The classification should also affect how the system relates artifacts across incidents. E.g. Artifacts tagged as TLP:Red should only be related within the originating tenant while artifacts tagged as TLP:Amber may be related across multiple tenants.
-
Guest
- May 16 2018
- Future consideration
-
Please enable user logic following Artifact Enrichment Merged
We are starting to get enrichment data from Artifacts via an integration to our Threat Connect platform but would like to make more active use of risk score (plus possibly confidence level) values in the Hit, more widely in the Incident(s) that re...
0
Future consideration
-
Please add the ability to style Hits Merged
When writing a custom threat feed users comment that the formatting/styling of Hit information is very poor - just a basic 2-column table and black text in a fixed font and size on a white background. To emphasise significant elements in the h...
1
Future consideration
-
Add X-Force risk rating in threat intelligence scan results Merged
When an url is checked, sometimes it causes an HIT when that url is found on X-Force, even with a low risk rating (for example, "https://www[.]youtube[.]com" , rated "1" for risk level on X-Force, causes an HIT). It would be useful to: - have...
0
Future consideration
-
Enrich Artifacts without flagging them as HIT (red) Merged
Resilient has the Ability to enrich some artifacts with whois information. those are not flagged as hit, it's just additional data. It would be useful to add the ability for customers to add such data themselves. For example if we add a interna...
7
Future consideration
-
Artifact Type and colour Merged
Could we have an additional artefact colour, which would allow customers to validate against a custom (internal) threat source. Without this IOC being shared externally, there are a couple of use cases that spring to mind White listing Identi...
0
Future consideration
-
Possibility to change color of artifact hit Merged
Our new important customer complained about this - in case of an artifact hit, it is always marked with red color and exclamation mark. This is very confusing for some users, such as L1 SOC users. Hit can be also an information hit - e.g. computer...
0
Future consideration
Related ideas
The TLP need to be set on each IOC/Artifact. So the color of the Icon that show a hit could be the TLP color coding, (and not just the actual red).
The TLP of the IOC decide what kind of sharing can be done out of the incident, that mean that if a TLP RED is coming from an internal TI Platform, this IOC should not be check against external TI from our OTB TI list.
The TLP of the Incident is the max of the TLP of each IOC/Artifact
Attachments Open full size
We'd target doing this via "marking" objects in STIX, most likely. Are there examples of good (or bad) approaches that you would suggest we look at?
Attachments Open full size
Sample of deployment of this use case, based on rules & scripts
Attachments Open full size
More information CERT uSage of TLP: https://www.certsi.es/en/tlp
TLP is a standard evaluation in CERT SI group available in all central banks accross the globe.
How to use it
The author must check the information with appropriate color to indicate scope TLP is the dissemination of such information, usually including the text "TLP:COLOR" in the header and footer of the document, using the colors on the table above.
If the recipient needs to disseminate that information with third parties beyond the scope of the TLP designation indicated, should refer to the source of the information.
Why using it?
TLP is a simple and intuitive scheme to indicate when and how sensitive is the information on cybersecurity that will be shared, and facilitates collaboration with other entities or organizations at national and international level.
How TLP relates to other classification schemes?
TLP is not applicable to classified information, as is provided for in the Security Classification Information National Authority for the Protection of Classified Information
TLP designation is not a category or subcategory of these standards , and should only be used operationally.
Who does use TLP?
TLP is used by public and private organizations in the field of cybersecurity, both in Spain and in other countries like United States, Australia, Canada, Finland, France, Germany, Hungary, Italy, Japan, Netherlands, New Zealand, Norway, Sweden, Switzerland, and United Kingdom.
For more info about the TLP standard, please visit www.first.org/tlp
Attachments Open full size
(Copy of Ticket #9407)
Attachments Open full size