
Executive summary
CSIRTs, CERTs, and SOCs rely on incident and threat taxonomies to classify, analyze, and share cybersecurity information consistently. This article compares the principal taxonomies in use—eCSIRT.net, ENISA’s Reference Incident Classification Taxonomy and Threat Taxonomy, FIRST’s CSIRT case classification guidance, MISP taxonomies, VERIS, and MITRE ATT&CK—covering their origins, structure, operational uses, strengths, limitations, and interoperability. Key findings: no single taxonomy covers every need; incident-type taxonomies (e.g., ENISA/eCSIRT.net, FIRST) standardize reporting and metrics; technique-focused frameworks (e.g., ATT&CK) enable detection engineering and threat-informed defense; data models like VERIS support large-scale statistics and sharing; MISP acts as a flexible carrier for many taxonomies. Combining these complementary references—often via shared platforms and mappings—improves operational effectiveness, communication, and collective defense.
Introduction
A taxonomy in cybersecurity is a structured scheme to classify incidents, threats, and related artifacts using a common vocabulary. For CSIRTs, CERTs, and SOCs, consistent classification improves triage, prioritization, reporting, trend analysis, and inter-organizational information sharing.
Over time, several well-adopted taxonomies have emerged from public bodies, industry forums, and open-source communities.
This article presents a neutral comparison of the most used references, focusing on their purpose, model, and practical application, along with how they interoperate in modern operations.
eCSIRT.net (incident classification)
Origin and purpose. The eCSIRT.net incident classification (produced by the EU-funded eCSIRT.net project in the early 2000s, with updated variants since) is one of the earliest widely used incident classification schemes in the CSIRT community. It set out to provide a pragmatic, minimal set of incident classes for day-to-day categorization that different teams could apply in the same way.
Structure. The model is a two-level hierarchy: concise top-level classes (e.g., Abusive Content, Malicious Code, Information Gathering, Intrusion Attempts, Intrusions, Availability, Information Security, Fraud, plus Other and Test) and finer incident types beneath each. The design favours clarity and enough mutual exclusivity that one incident maps to one class/type pair, which is what operational ticketing and statistics need.
Use cases. Many national and sector CSIRTs adopted or adapted eCSIRT.net for internal incident registers and annual statistics; it also served as the foundation for later, more harmonized efforts.
Strengths and limits. Strengths: simplicity, pragmatic coverage, easy aggregation for metrics. Limits: coarse granularity for modern threat families (the original scheme does not separate ransomware from other malicious code) and little attention to actor and impact dimensions; it must be complemented with other frameworks for deeper analysis.
Interoperability. eCSIRT.net influenced the ENISA/TF-CSIRT Reference Incident Classification Taxonomy and is available as a tagging vocabulary in sharing platforms, easing mapping across teams.
ENISA taxonomies (Threat Taxonomy and Reference Incident Classification)
Threat Taxonomy. ENISA maintains a threat taxonomy used in its Cyber Threat Landscape series. It organizes threat categories and sub-categories at a high level (e.g., malware, web attacks, availability threats, data threats, influence campaigns), providing a consistent nomenclature for strategic threat reporting.
- Use. Strategic reporting, national/sectoral trend summaries, and harmonized terminology across EU publications.
- Strengths/limits. Authoritative, periodically updated, broad coverage; less granular for SOC-level detection engineering and technique-specific reasoning.
Reference Security Incident Taxonomy (RSIT; published by ENISA as the Reference Incident Classification Taxonomy). Maintained by a working group under TF-CSIRT with ENISA support, RSIT evolves the eCSIRT.net scheme with refined definitions and additional classes and types (for example, ransomware under malicious code and a dedicated Vulnerable class) to reflect current operations.
- Structure and use. Retains the class/type hierarchy; used for cross-team reporting and exchange (it is available in MISP under the rsit namespace, e.g., rsit:fraud="phishing"), enabling comparable statistics and shared situational awareness.
- Strengths/limits. Community consensus, clear definitions, living governance; like any consensus taxonomy, updates require process, and organizations may keep internal sub-types, mapping outward to RSIT.
Together, ENISA’s threat-focused and incident-focused references serve complementary purposes: strategic threat naming and operational incident normalization.
FIRST CSIRT case classification (operational scheme)
Purpose. FIRST publishes a CSIRT Case Classification guide (an example scheme for an enterprise CSIRT) to help teams classify and manage cases consistently along three axes: incident category, criticality (which drives priority and response-time targets), and sensitivity (which governs information handling).
Structure and use. The guide proposes a canonical list of incident categories (e.g., Denial of Service, Malware, Internal Hacking, External Hacking, Compromised Information, Compromised Asset, Unlawful Activity, Forensics, Policy Violations), criticality levels that set response timelines and communications, and sensitivity levels that restrict who may access case information. Teams adopt or adapt the scheme for internal ticketing and reporting.
Strengths/limits. Strengths: process-oriented, integrates prioritization and handling requirements beyond pure technical type; improves managerial visibility and SLA discipline. Limits: example baseline—usually customized; not a universal external exchange standard; less technical granularity on adversary behaviors.
MISP taxonomies (sharing-oriented tagging)
Concept. MISP (the open-source threat sharing platform) implements a flexible, machine-readable tagging system (namespace:predicate, optionally with a quoted value: namespace:predicate="value") and curates a large library of taxonomies (e.g., ENISA RSIT, eCSIRT.net, VERIS, ATT&CK, TLP, the Admiralty scale, sector codes), each defined as a JSON file in the misp-taxonomies repository.
Use. Events and indicators are tagged for context, filtering, access control (e.g., TLP), and analytics. Communities can agree on a common set of taxonomies and apply multiple tags per object, enabling rich, interoperable sharing.
Strengths/limits. Strengths: pluralistic, practical interop hub; community-maintained, versioned; enables automated workflows and precise filtering. Limits: potential dispersion if communities don’t converge on a shared core; requires analyst discipline and governance.
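The tag syntax and multi-taxonomy tagging described above, as an added example that is not MISP project code: it parses machine tags, groups them per namespace, checks RSIT predicates against a constructed allowed list, uses the TLP label to decide what may be released to a partner, and aggregates events by RSIT class. Only the machine-tag shape is taken from MISP; the events, the allowed-predicate subsets and the sharing rule are constructed for this illustration.

```python
"""Parse MISP-style machine tags and apply several taxonomies to one event.

Added illustration, not code from the MISP project. It assumes only the
machine-tag shape MISP uses (namespace:predicate or
namespace:predicate="value"); the events, the allowed-predicate subsets
and the sharing rule are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# namespace, then a predicate that may itself contain ':' (VERIS-style
# paths such as action:social:variety), then an optional quoted value.
TAG_RE = re.compile(r'^(?P<ns>[^:=\s"]+):(?P<pred>[^=\s"]+)(?:="(?P<val>[^"]*)")?$')

# TLP 2.0 labels, most to least restrictive.
TLP_RANK = {"red": 0, "amber+strict": 1, "amber": 2, "green": 3, "clear": 4}

# Constructed subset of the predicates each namespace allows, standing in
# for the taxonomy definition files a sharing community agrees on.
ALLOWED: Dict[str, Set[str]] = {
    "tlp": set(TLP_RANK),
    "rsit": {"abusive-content", "malicious-code", "information-gathering",
             "intrusion-attempts", "intrusions", "availability",
             "information-content-security", "fraud", "vulnerable",
             "other", "test"},
}


@dataclass(frozen=True)
class Tag:
    namespace: str
    predicate: str
    value: Optional[str] = None

    def __str__(self) -> str:
        base = f"{self.namespace}:{self.predicate}"
        return base if self.value is None else f'{base}="{self.value}"'


def parse_tag(text: str) -> Tag:
    """Split one machine tag; reject anything not of the form ns:predicate[="value"]."""
    m = TAG_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a machine tag: {text!r}")
    return Tag(m["ns"], m["pred"], m["val"])


def validate_tag(tag: Tag) -> bool:
    """True unless the namespace has a known vocabulary and the predicate is not in it."""
    allowed = ALLOWED.get(tag.namespace)
    return allowed is None or tag.predicate in allowed


@dataclass
class Event:
    info: str
    tags: List[Tag]

    def by_namespace(self) -> Dict[str, List[Tag]]:
        grouped: Dict[str, List[Tag]] = {}
        for t in self.tags:
            grouped.setdefault(t.namespace, []).append(t)
        return grouped

    def tlp(self) -> str:
        """Most restrictive TLP label present; an untagged event is treated as red."""
        labels = [t.predicate for t in self.tags
                  if t.namespace == "tlp" and t.predicate in TLP_RANK]
        return min(labels, key=TLP_RANK.__getitem__, default="red")

    def rsit_class(self) -> Optional[str]:
        return next((t.predicate for t in self.tags if t.namespace == "rsit"), None)


def shareable(event: Event, audience: str) -> bool:
    """A partner cleared to `audience` may receive events at that label or a less restrictive one."""
    return TLP_RANK[event.tlp()] >= TLP_RANK[audience]


def classify_counts(events: List[Event]) -> Counter:
    """Incident statistics keyed by RSIT class, the aggregation a CSIRT reports on."""
    return Counter(e.rsit_class() or "unclassified" for e in events)


# Constructed sample events carrying tags from several taxonomies at once.
SAMPLE_EVENTS = [
    Event("Credential phishing wave", [parse_tag(t) for t in (
        "tlp:amber", 'rsit:fraud="phishing"',
        'veris:action:social:variety="Phishing"',
        'admiralty-scale:source-reliability="b"')]),
    Event("Ransomware on file server", [parse_tag(t) for t in (
        "tlp:red", 'rsit:malicious-code="ransomware"',
        'veris:action:malware:variety="Ransomware"')]),
    Event("Port scan of DMZ", [parse_tag(t) for t in (
        "tlp:green", 'rsit:information-gathering="scanning"')]),
    Event("Mis-tagged report", [parse_tag(t) for t in (
        "rsit:ransomware",)]),   # no TLP, and 'ransomware' is not an RSIT class
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        bad = [str(t) for t in e.tags if not validate_tag(t)]
        print(f"{e.info}: tlp={e.tlp()} rsit={e.rsit_class()} invalid={bad}")
    print("shareable with an amber-cleared partner:",
          [e.info for e in SAMPLE_EVENTS if shareable(e, "amber")])
    print("by RSIT class:", dict(classify_counts(SAMPLE_EVENTS)))
```

Two design choices matter operationally: an event with no TLP tag is treated as the most restrictive label rather than silently shareable, and a predicate that is not in the agreed vocabulary (here rsit:ransomware, where the class should be malicious-code with ransomware as the value) is flagged instead of counted, which is the analyst-discipline point made above.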
VERIS (Vocabulary for Event Recording and Incident Sharing)
Purpose. VERIS is a comprehensive schema (JSON) for encoding incidents for consistent analysis and sharing, famously used to produce Verizon’s DBIR.
Structure. The model rests on the four A's: Actor (external, internal, partner), Action (hacking, malware, social, misuse, physical, error, environmental), Asset, and Attribute (confidentiality, integrity, availability), augmented by victim demographics, discovery and timeline, impact, and value-chain fields. Enumerations define controlled values for each field and its sub-categories (varieties), so that two coders describe the same incident in the same terms.
Use. Large-scale incident data collection, statistical analysis, cross-organization sharing (e.g., the VERIS Community Database), and empirical risk quantification.
Strengths/limits. Strengths: completeness, mature/open standard, excellent for macro metrics and research. Limits: heavier to implement for daily SOC operations; some ambiguity in coding without guidance; less focused on technique-level behavior than ATT&CK—best used together.
Interoperability. Existing mappings relate VERIS actions to ATT&CK techniques; VERIS vocabulary is available in sharing platforms, supporting cross-framework analytics.
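A worked encoding of the four A's, added here and not code from the VERIS project, Verizon or MITRE: it validates a simplified VERIS-like record against the top-level actor, action and attribute enumerations, separates breaches from incidents using the confidentiality data_disclosure flag, aggregates action categories across records for statistics, and translates action varieties into ATT&CK technique IDs through a small constructed lookup table (a stand-in for the published VERIS↔ATT&CK mapping referred to above, not that mapping itself). The sample records and the table are constructed for the example.

```python
"""Record incidents in a VERIS-style A4 layout, check enumerations, and
aggregate them, including a translation to ATT&CK technique IDs.

Added illustration, not code from the VERIS project, Verizon or MITRE.
The top-level actor/action/attribute enumerations are the VERIS ones;
the variety strings, the sample incidents and the small action->ATT&CK
table are constructed for this example and are not the published
CTID mapping.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

ACTOR_CATEGORIES = {"external", "internal", "partner", "unknown"}
ACTION_CATEGORIES = {"malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental"}
ATTRIBUTE_CATEGORIES = {"confidentiality", "integrity", "availability"}

# Constructed subset mapping (action category, variety) to ATT&CK IDs.
ACTION_TO_ATTACK: Dict[Tuple[str, str], Set[str]] = {
    ("social", "Phishing"): {"T1566"},              # Phishing
    ("hacking", "Exploit vuln"): {"T1190"},         # Exploit Public-Facing Application
    ("hacking", "Use of stolen creds"): {"T1078"},  # Valid Accounts
    ("malware", "Ransomware"): {"T1486"},           # Data Encrypted for Impact
}


def validate(incident: dict) -> List[str]:
    """Return a list of problems; an empty list means the record is well formed."""
    problems = []
    for section in ("actor", "action", "asset", "attribute"):
        if section not in incident:
            problems.append(f"missing section: {section}")
    for cat in incident.get("actor", {}):
        if cat not in ACTOR_CATEGORIES:
            problems.append(f"unknown actor category: {cat}")
    actions = incident.get("action", {})
    if "action" in incident and not actions:
        problems.append("at least one action is required")
    for cat in actions:
        if cat not in ACTION_CATEGORIES:
            problems.append(f"unknown action category: {cat}")
    for cat in incident.get("attribute", {}):
        if cat not in ATTRIBUTE_CATEGORIES:
            problems.append(f"unknown attribute category: {cat}")
    return problems


def is_breach(incident: dict) -> bool:
    """VERIS distinguishes a breach (confirmed data disclosure) from a mere incident."""
    conf = incident.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"


def action_counts(incidents: List[dict]) -> Counter:
    """How often each action category appears (an incident can contribute several)."""
    return Counter(cat for inc in incidents for cat in inc.get("action", {}))


def to_attack(incident: dict) -> Set[str]:
    """Translate the record's action varieties into ATT&CK technique IDs via the table."""
    techniques: Set[str] = set()
    for cat, detail in incident.get("action", {}).items():
        for variety in detail.get("variety", []):
            techniques |= ACTION_TO_ATTACK.get((cat, variety), set())
    return techniques


# Constructed sample records in a simplified VERIS-like shape.
SAMPLE_INCIDENTS = [
    {"incident_id": "inc-001",
     "actor": {"external": {"variety": ["Organized crime"]}},
     "action": {"social": {"variety": ["Phishing"]},
                "malware": {"variety": ["Ransomware"]}},
     "asset": {"assets": [{"variety": "S - File"}]},
     "attribute": {"availability": {"variety": ["Obscuration"]},
                   "confidentiality": {"data_disclosure": "Yes"}}},
    {"incident_id": "inc-002",
     "actor": {"external": {"variety": ["Unaffiliated"]}},
     "action": {"hacking": {"variety": ["Exploit vuln"]}},
     "asset": {"assets": [{"variety": "S - Web application"}]},
     "attribute": {"integrity": {"variety": ["Software installation"]}}},
    {"incident_id": "inc-003",
     "actor": {"internal": {"variety": ["End-user"]}},
     "action": {"error": {"variety": ["Misdelivery"]}},
     "asset": {"assets": [{"variety": "M - Documents"}]},
     "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc["incident_id"], validate(inc) or "ok",
              "breach" if is_breach(inc) else "incident", sorted(to_attack(inc)))
    print("actions:", dict(action_counts(SAMPLE_INCIDENTS)))
    print("breaches:", sum(is_breach(i) for i in SAMPLE_INCIDENTS), "of", len(SAMPLE_INCIDENTS))
```

Note what the third record shows: a misdelivery by an insider is a VERIS breach (data was disclosed) but yields no ATT&CK technique, because ATT&CK describes adversary behaviour and has nothing to say about an error. That asymmetry is why the two frameworks are best used together rather than as substitutes.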
MITRE ATT&CK (tactics and techniques)
Purpose. ATT&CK is a globally adopted knowledge base of adversary tactics and techniques, built from real-world observations, used for detection engineering, threat hunting, and intelligence.
Structure. The Enterprise matrix has fourteen tactics (from Reconnaissance to Impact) and hundreds of techniques and sub-techniques, each with detection and mitigation guidance, data-source references, links to software and groups, and procedure examples.
Use. Post-incident mapping (describe what an adversary did), coverage assessments (identify detection gaps), red-team planning/reporting, and common language for TTP sharing.
Strengths/limits. Strengths: high granularity, operationally actionable, de-facto common language across vendors and teams. Limits: not an incident type taxonomy; requires expertise; doesn’t encode business impact or legal/reporting categories—pair with incident taxonomies and data models like VERIS.
Interoperability. MITRE publishes ATT&CK in STIX 2.1, where techniques are Attack Pattern objects, and MISP carries it as galaxies and tags; mappings exist to other schemes (e.g., VERIS) and phase-oriented models (e.g., the Cyber Kill Chain).
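The coverage assessment use case above, as an added example that is not MITRE or Sigma project code: given a constructed threat profile and detection rules tagged in the Sigma convention (attack.tNNNN or attack.tNNNN.NNN for techniques, attack.<tactic> for tactics), it reports which profile techniques are fully covered, which are covered only at sub-technique level, and which are gaps, grouped by tactic through a hand-built subset of the Enterprise technique-to-tactic table (real IDs, only a handful of them).

```python
"""Coverage assessment: which techniques in a threat profile have a
detection rule, and where the gaps are by tactic.

Added illustration, not MITRE or Sigma project code. The technique->tactic
table is a hand-built subset of ATT&CK Enterprise (real IDs, but only a
handful of them); the detection rules and the threat profile are
constructed for this example. Rule tags use the Sigma convention
attack.tNNNN[.NNN] for techniques and attack.<tactic> for tactics.
"""
import re
from typing import Dict, List, Optional, Set

# Subset of ATT&CK Enterprise techniques and the tactics they belong to.
TECHNIQUE_TACTICS: Dict[str, Set[str]] = {
    "T1566": {"initial-access"},                      # Phishing
    "T1190": {"initial-access"},                      # Exploit Public-Facing Application
    "T1078": {"initial-access", "persistence",
              "privilege-escalation", "defense-evasion"},  # Valid Accounts
    "T1059": {"execution"},                           # Command and Scripting Interpreter
    "T1003": {"credential-access"},                   # OS Credential Dumping
    "T1021": {"lateral-movement"},                    # Remote Services
    "T1486": {"impact"},                              # Data Encrypted for Impact
}

TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_from_tag(tag: str) -> Optional[str]:
    """'attack.t1059.001' -> 'T1059.001'; tactic tags such as 'attack.execution' give None."""
    m = TECH_TAG.match(tag.strip())
    return m.group(1).upper() if m else None


def parent(technique: str) -> str:
    """Sub-technique T1059.001 rolls up to T1059; a technique is its own parent."""
    return technique.split(".")[0]


def assess(profile: Set[str], rules: List[dict]) -> Dict[str, object]:
    """Split the profile into full, partial (only a sub-technique is detected) and gap."""
    detected: Set[str] = set()
    for rule in rules:
        for tag in rule.get("tags", []):
            tech = technique_from_tag(tag)
            if tech:
                detected.add(tech)
    full = {t for t in profile if t in detected}
    partial = {t for t in profile - full
               if any(parent(d) == t and d != t for d in detected)}
    gaps = profile - full - partial
    by_tactic: Dict[str, List[str]] = {}
    for t in sorted(gaps):
        for tactic in TECHNIQUE_TACTICS.get(parent(t), {"unknown"}):
            by_tactic.setdefault(tactic, []).append(t)
    return {"full": full, "partial": partial, "gaps": gaps, "gaps_by_tactic": by_tactic}


# Constructed threat profile (techniques a prioritized adversary is known to use).
PROFILE = {"T1566", "T1190", "T1078", "T1059", "T1003", "T1021", "T1486"}

# Constructed detection rules, reduced to their Sigma-style tag lists.
RULES = [
    {"title": "Suspicious PowerShell download cradle",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "LSASS memory access",
     "tags": ["attack.credential-access", "attack.t1003.001"]},
    {"title": "Mail with macro attachment",
     "tags": ["attack.initial-access", "attack.t1566"]},
    {"title": "Mass file rename with ransom note",
     "tags": ["attack.impact", "attack.t1486"]},
]

if __name__ == "__main__":
    result = assess(PROFILE, RULES)
    for key in ("full", "partial", "gaps"):
        print(f"{key:8}", sorted(result[key]))
    for tactic, techs in sorted(result["gaps_by_tactic"].items()):
        print(f"gap in {tactic}: {techs}")
```

The partial bucket is the caveat practitioners most often miss: a rule for T1059.001 (PowerShell) does not cover T1059 as a whole, so a naive "technique mentioned in any rule" count overstates coverage. Techniques that sit in several tactics (T1078 here) appear under each tactic they belong to, which is how a gap in one technique shows up in several columns of the matrix.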
Other notable frameworks
- Cyber Kill Chain (Lockheed Martin). Seven-stage attack lifecycle used for narrative/phase structuring and control placement; often mapped to ATT&CK tactics.
- Diamond Model. Analytical framework connecting Adversary, Infrastructure, Capability, and Victim; valuable for intelligence correlation rather than incident classification.
- Information handling taxonomies. Traffic Light Protocol (TLP) for dissemination control (TLP 2.0 labels: RED, AMBER+STRICT, AMBER, GREEN, CLEAR); the Admiralty scale for source reliability (A to F) and information credibility (1 to 6). Both are essential complements in operational sharing.
- CAPEC / CWE. Catalogs of attack patterns and software weaknesses; not incident taxonomies but important for technique/vulnerability classification and linkage to ATT&CK/CVE.
Interoperability and mappings
- Reference taxonomy as pivot. ENISA/TF-CSIRT’s Reference Incident Classification serves as a common language for cross-team reporting, with governance and updates, and is widely implemented in sharing tooling.
- Multi-taxonomy tagging. MISP enables simultaneous use of multiple controlled vocabularies per event/indicator, allowing communities to converge on a shared core while retaining local detail.
- Cross-framework mappings. Public mappings (e.g., VERIS↔ATT&CK) help translate between behavior-centric and incident-centric views, improving analytics and operational handoffs.
- Standards and formats. STIX 2.x carries ATT&CK content as Attack Pattern objects alongside incident, indicator, and sighting data; other structured formats (e.g., regional incident schemas) embed common taxonomies to support automated exchange.
Perfect interoperability remains challenging due to differing scopes and granularity, but the trend is toward convergence through community governance, shared tooling, and machine-readable vocabularies.
My conclusion
Effective operations require combining complementary taxonomies:
- Incident-type taxonomies (eCSIRT.net, ENISA RSIT, FIRST) to normalize classification, reporting, and metrics.
- Technique/TTP frameworks (ATT&CK, Kill Chain) to drive detection engineering, threat-informed defense, and clear communication of adversary behavior.
- Comprehensive data models (VERIS) to capture end-to-end incident details for analytics and sharing.
- Operational overlays (TLP, Admiralty) to govern dissemination and confidence.
Modern CSIRTs/CERTs/SOCs benefit from adopting a small, governed core (e.g., ENISA RSIT for incident sharing; ATT&CK for behavior) and leveraging MISP/STIX to tag and exchange data consistently. Training analysts, mapping internal categories to common references, and instituting taxonomy governance are key to realizing the efficiency and collaboration gains these taxonomies enable.
OSINT Sources
- ENISA – Taxonomies in Incident Prevention and Detection (Good Practice Guide): https://www.enisa.europa.eu/sites/default/files/publications/WP2016%202-1%20D6%20Incident-tracking-and-taxonomies.pdf
- ENISA – Reference Incident Classification Taxonomy: https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy
- ENISA – Cyber Threat Landscape Methodology (Threat Taxonomy reference): https://www.enisa.europa.eu/publications/enisa-threat-landscape-methodology
- FIRST – CSIRT Case Classification (guide): https://www.first.org/resources/guides/csirt_case_classification
- Trusted Introducer / TF-CSIRT – De-facto Standards for CSIRTs (incident taxonomy overview): https://www.trusted-introducer.org/trusted-introducer/processes/de-facto-standards/
- MISP Project – MISP Taxonomies (overview): https://www.misp-project.org/taxonomies.html
- MISP Taxonomies (GitHub repository): https://github.com/MISP/misp-taxonomies
- Verizon – VERIS Framework (official site): https://verisframework.org/
- VERIS Community Database (VCDB): https://github.com/vz-risk/VCDB
- Center for Threat-Informed Defense – VERIS↔ATT&CK Mapping Methodology: https://center-for-threat-informed-defense.github.io/mappings-explorer/about/methodology/veris-methodology/
- MITRE – ATT&CK (official knowledge base): https://attack.mitre.org/
- Lockheed Martin – Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- CAPEC – Common Attack Pattern Enumeration and Classification: https://capec.mitre.org/
- CWE – Common Weakness Enumeration: https://cwe.mitre.org/
- FIRST – Traffic Light Protocol (TLP): https://www.first.org/tlp/