The main objective of this report is to provide the CSIRT community with good practices for using taxonomies in incident detection and prevention. It also draws conclusions and recommendations from a qualitative assessment of the current taxonomy landscape, identifying improvements that can be made to existing taxonomies, such as fields that could be extended or added.
The methodology used to collect and assess the information for this study included stocktaking and desk research, discussions with CSIRTs during the 11th ENISA CSIRT Workshop, interviews with the CSIRT community, a qualitative assessment of taxonomies (and of other relevant formats and schemes), and a validation call with CSIRTs on 22 September 2016.
Three case studies illustrate the use of taxonomies in CSIRT operational activities, taking into account the use cases established in this study: using taxonomies on a public website reporting major NIS incidents occurring across the EU, using taxonomies to minimise the re-categorisation of cyber incidents, and using taxonomies for incident-handling metrics.
Download "A good practice guide of using taxonomies in incident prevention and detection"