MISP / MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform
https://www.misp-project.org/
GNU Affero General Public License v3.0
5.26k stars 1.38k forks

Introduce a new layer of informational elements to describe the outcome of analyses #4251

Open iglocska opened 5 years ago

iglocska commented 5 years ago

Analysis object, attachable to attributes/objects/events.

We had an interesting discussion about having complex analytical processes on individual indicators with their outcome being the equivalent of a ground truth for the given organisation. The idea is to have something that:

  1. Is more verbose than a sighting, being able to describe both the outcome as well as the reason why that outcome was reached.
  2. Makes sure that it is actionable in the sense that it should act as an override for the automation systems (unlike false positives via sightings).
  3. Takes into account existing outcome labels coming from the community (feedback welcome on what is being used).

Some additional points to keep in mind: This is a concern that should be co-ordinated with the Hive.

cgi1 commented 5 years ago

Thanks for the discussion!

Link to The Hive issue: https://github.com/TheHive-Project/TheHive/issues/886 - The feature request has not been discussed as closely as we did it today. So maybe it's better to start from scratch.

Regarding point 3), a proposal: There should be an attribute-type-dependent and an attribute-type-independent taxonomy for the outcome.

attribute-type-dependent

  - ip
  - domain

attribute-type-independent

  - File not found
  - Downloaded file is not malicious
  - IoC is detecting the wrong threat / has the wrong threat level

General challenges

There will always be situations in which preventive policies of the respective network have avoided an infection. The result of this particular alarm is then a false positive for the company, although the actual IoC has delivered a malicious file. Example: The malware-download of a macro loader getting detected, but the code can never be executed due to preventive restrictions on the workstations within the network. The result for the company would be: False-Positive in this concrete case; No further action required. Should this IoC be marked as False-Positive in MISP? Absolutely not. This is not rocket science, but we need to keep in mind that the incident classification depends on the circumstances in the respective company.
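As an added illustration of both proposals in this thread (iglocska's three requirements and cgi1's two-level outcome taxonomy), the following Python sketch is not MISP code and not part of this issue. It models an analysis object carrying an outcome, a reason and an organisation scope, validates the outcome against the attribute type, and shows the precedence an automation system would apply: the organisation's own analysis overrides, a global analysis applies to everyone, and sightings remain advisory. The labels `mitigated-by-policy`, `ip-reassigned` and `domain-parked`, the `scope` field, the `suppress`/`review`/`block` actions and every sample value are assumptions made for this example.

```python
"""Hypothetical model of the proposed MISP 'analysis' object (example code, not MISP's)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Outcome labels, split as cgi1 proposes into attribute-type-independent and
# attribute-type-dependent sets. The independent labels come from the proposal
# above; "mitigated-by-policy" and the type-dependent entries are constructed
# for this example and are not part of any published MISP taxonomy.
TYPE_INDEPENDENT = {
    "file-not-found": "suppress",               # nothing to fetch, the alert is noise
    "downloaded-file-not-malicious": "suppress",
    "wrong-threat": "review",                   # keep blocking, but re-classify
    "wrong-threat-level": "review",
    "mitigated-by-policy": "suppress",          # constructed: the macro-loader case
}
TYPE_DEPENDENT = {
    "ip-dst": {"ip-reassigned": "suppress"},    # constructed label
    "domain": {"domain-parked": "suppress"},    # constructed label
}


@dataclass
class Sighting:
    org: str
    false_positive: bool = False


@dataclass
class Analysis:
    org: str            # who performed the analysis
    outcome: str        # label from the taxonomies above
    reason: str         # why that outcome was reached (what a sighting cannot carry)
    scope: str = "org"  # "org": ground truth for this org only; "global": for everyone


@dataclass
class Attribute:
    type: str
    value: str
    sightings: List[Sighting] = field(default_factory=list)
    analyses: List[Analysis] = field(default_factory=list)


def allowed_outcomes(attr_type: str) -> dict:
    """Labels valid for this attribute type: the independent set plus the type's own."""
    return {**TYPE_INDEPENDENT, **TYPE_DEPENDENT.get(attr_type, {})}


def validate_analysis(attr_type: str, analysis: Analysis) -> Optional[str]:
    """Return an error message if the analysis is not acceptable, else None."""
    if analysis.outcome not in allowed_outcomes(attr_type):
        return f"outcome {analysis.outcome!r} is not valid for type {attr_type!r}"
    if analysis.scope not in ("org", "global"):
        return "scope must be 'org' or 'global'"
    if not analysis.reason.strip():
        return "an analysis must state its reason"
    return None


def attach_analysis(attr: Attribute, analysis: Analysis) -> None:
    """Validate before attaching, so only well-formed analyses reach automation."""
    error = validate_analysis(attr.type, analysis)
    if error:
        raise ValueError(error)
    attr.analyses.append(analysis)


def decide(attr: Attribute, org: str) -> Tuple[str, str]:
    """Action an automation system in `org` should take, with the reason.

    Precedence: the org's own analysis (an override) > a global analysis >
    sightings (advisory only, never an override) > the default 'block'.
    """
    own = [a for a in attr.analyses if a.org == org and a.scope == "org"]
    if own:
        latest = own[-1]
        return allowed_outcomes(attr.type)[latest.outcome], latest.reason
    shared = [a for a in attr.analyses if a.scope == "global"]
    if shared:
        latest = shared[-1]
        return allowed_outcomes(attr.type)[latest.outcome], f"{latest.org}: {latest.reason}"
    fps = sum(1 for s in attr.sightings if s.false_positive)
    hits = len(attr.sightings) - fps
    if fps > hits:
        return "review", f"{fps} false-positive vs {hits} positive sightings"
    return "block", "no analysis attached; default policy"


def macro_loader_scenario() -> dict:
    """The case from the comment above: the download is caught but the macro can
    never run, so for one org the alarm is a false positive while the IoC stays bad."""
    url = Attribute("url", "http://example.invalid/loader.docm")  # constructed value
    url.sightings.append(Sighting("example-corp"))
    attach_analysis(url, Analysis(
        org="example-corp",
        outcome="mitigated-by-policy",
        reason="macro execution is disabled on every workstation; no further action",
        scope="org",
    ))
    return {"example-corp": decide(url, "example-corp")[0],
            "other-org": decide(url, "other-org")[0]}


if __name__ == "__main__":
    print(macro_loader_scenario())
```

Running the module prints the macro-loader scenario: `example-corp` gets `suppress` because its own analysis records why no action is needed, while any other organisation still gets `block`. That is exactly the distinction the comment draws between a contextual false positive for one company and marking the IoC itself as a false positive in MISP.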