Taranis
GOVCERT.NL has a 24/7 watch team that scans the internet for digital threats and vulnerabilities in software and operating systems. Based on the acquired information, GOVCERT.NL publishes various products. We designed Taranis to support the workflow of this task.
Every day, we check approximately 900 sources, and the relevant news items and e-mails are analysed. From the information acquired, GOVCERT.NL publishes a range of products to serve its diverse audience: advisories, End-of-Week e-mails, mails to an internal mailing list, alert e-mails and SMS messages to inform the Dutch general public. The analysis reports also serve as input for a number of other GOVCERT.NL publications, such as fact-sheets and white-papers.
GOVCERT.NL developed its own application to collect, analyse and publish information, called Taranis. Taranis is specifically designed to fit the workflow generally seen in a CERT organization. Traceability and transparency have been constant considerations in the development of the application.
The five-phase workflow
GOVCERT.NL collects and enriches information by following a five-phase process. Through these five phases, relevant news items are transformed into products, each for its specific target audience. The five phases are:
1. Collect: Collect information from the sources
2. Assess: Determine relevance and discard if necessary
3. Analyse: Analyse relevant news-items and determine the appropriate product(s)
4. Write: Write the product(s) and apply the standard quality assurance cycle
5. Publish: Send out the product(s) to the relevant target audience
This workflow is the foundation of Taranis. While designing Taranis, we closely studied the way the team members work. The result is an application that fully supports and streamlines the workflow.
Elaboration of the five phases
1. The “collect” phase is used to scan the sources for new information. Taranis scans both web and e-mail sources for new messages day and night. An automated process recognizes any changes in the websites, mailboxes and RSS feeds, collects the changes and stores them in a database.
2. The collected information is displayed in a web interface, allowing the GOVCERT.NL team to “assess” whether the collected news items are interesting and relevant for any of its target audiences.
3. Any interesting and relevant items are transferred to the “analyse” phase, allowing the researcher to investigate the issue further. Research results are recorded and time-stamped in the application, allowing colleagues to re-trace previous analyses.
4. Should a vulnerability or threat be deemed relevant for any of the target audiences, the analysis is transferred to the “write” phase. This is where the GOVCERT.NL advisories, warning mails and SMS messages are written, reviewed and checked. The author of a particular product cannot transfer his own work to the “publish” phase, making quality assurance a mandatory part of the process.
5. The “publish” phase is where the written products are published to the various channels (websites, e-mail and SMS). Taranis records the recipients of each product.
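The two controls described in phases 3 to 5, a time-stamped record of every action and a four-eyes rule that keeps an author from releasing his own product, can be modelled as a small workflow state machine. The following is an added example written for this page, not code from Taranis; the class and method names, the phase strings and the "discarded" and recipient handling are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# The five phases in the order an item moves through them.
PHASES = ["collect", "assess", "analyse", "write", "publish"]


class WorkflowError(Exception):
    """Raised when an action violates the workflow rules."""


@dataclass
class Item:
    title: str
    phase: str = "collect"
    author: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    # (timestamp, actor, event): every action is time-stamped so it can be re-traced later.
    history: List[Tuple[str, str, str]] = field(default_factory=list)

    def _record(self, actor: str, event: str) -> None:
        self.history.append((datetime.now(timezone.utc).isoformat(), actor, event))

    def advance(self, actor: str) -> str:
        # Move one step along collect -> assess -> analyse -> write.
        if self.phase not in PHASES[:3]:
            raise WorkflowError(f"cannot advance from phase {self.phase!r}")
        nxt = PHASES[PHASES.index(self.phase) + 1]
        self._record(actor, f"{self.phase} -> {nxt}")
        self.phase = nxt
        return nxt

    def write(self, actor: str, body: str) -> None:
        # Write phase: record who authored the product text.
        if self.phase != "write":
            raise WorkflowError("product text can only be written in the write phase")
        self.author = actor
        self._record(actor, f"wrote product ({len(body)} chars)")

    def publish(self, actor: str, recipients: List[str]) -> str:
        # Four-eyes rule: the author of a product may not move it to the publish phase.
        if self.phase != "write" or self.author is None:
            raise WorkflowError("no written product to publish")
        if actor == self.author:
            raise WorkflowError(f"{actor} authored this product and may not publish it")
        self.recipients = list(recipients)  # the recipients of each product are recorded
        self._record(actor, f"published to {len(recipients)} recipient(s)")
        self.phase = "publish"
        return self.phase
```

A rejected publish attempt leaves the item in the write phase and adds nothing to the history, so the audit trail only ever contains transitions that actually happened.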
The data used in the application is based on internationally accepted standards. Vulnerabilities are identified directly by their Common Vulnerabilities and Exposures (CVE) IDs. The software list is based on the Common Platform Enumeration (CPE) list. Both lists are actively maintained and developed by Mitre, and the CVE list is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. Taranis contains mechanisms to keep both lists, and the mapping between them, up to date.
Additional functionality
In addition to its core components, Taranis contains several further features. Application management is carried out in the Taranis web interface. This allows the user to tailor all configuration options, ranging from the specifics of its constituency to the parsers used to scrape individual websites for new information. An elaborate authentication framework allows setting and monitoring granular user permissions. Besides the configuration options, the Taranis web interface provides access to all sorts of statistics (both external and Taranis-specific) and log files.