turning data into actionable intelligence · lessons learned: i context is king - enables better...

Turning data into actionable intelligenceadvanced features in MISP supporting your analysts and tools

Threat Sharing

@adulau @Iglocska

FIRST Cyber Threat Intelligence Webinar

MISP and CIRCL

CIRCL is mandated by the Ministry of Economy and acting asthe Luxembourg National CERT for private sector.We lead the development of the Open Source MISP TISPwhich is used by many military or intelligence communities,private companies, �nancial sector, National CERTs and LEAsglobally.CIRCL runs multiple large MISP communities performingactive daily threat-intelligence sharing.

1 33

The aim of this presentation

What is MISP?Our initial scopeWhy is contextualisation important?What options do we have in MISP?How can we leverage this in the end?

2 33

What is MISP?

Open source "TISP" - A TIP with a strong focus on sharingA tool that collects information from partners, your analysts,your tools, feedsNormalises, correlates, enriches the dataAllows teams and communities to collaborateFeeds automated protective tools and analyst tools with theoutputA set of tools to manage sharing communities andinterconnected MISP servers

3 33

Development based on practical user feedback

There are many di�erent types of users of an informationsharing platform like MISP:I Malware reversers willing to share indicators of analysis withrespective colleagues.

I Security analysts searching, validating and using indicatorsin operational security.

I Intelligence analysts gathering information about speci�cadversary groups.

I Law-enforcement relying on indicators to support orbootstrap their DFIR cases.

I Risk analysis teams willing to know about the new threats,likelyhood and occurences.

I Fraud analysts willing to share �nancial indicators to detect�nancial frauds.

4 33

The initial scope of MISP

Extract information during the analysis processStore and correlate these datapointsShare the data with partnersFocus on technical indicators: IP, domain, hostname, hashes,�lename, pattern in �le/memory/tra�cGenerate protective signatures out of the data: snort,suricata, OpenIOC

5 33

The growing need to contextualise data

Contextualisation became more and more important as weas a community maturedI Growth and diversi�cation of our communitiesI Distinguish between information of interest and raw dataI False-positive managementI TTPs and aggregate information may be prevalent comparedto raw data (risk assessment)

I Increased data volumes leads to a need to be able toprioritise

These help with �ltering your TI based on yourrequirements......as highlighted by a great talk from Pasquale Stirparo titledYour Requirements Are Not My Requirements

6 33

Different layers of context

Context added by analysts / toolsData that tells a storyEncoding analyst knowledge to automatically leverage theabove

7 33

Context addedby analysts / tools

Expressing why data-points matter

An IP address by itself is barely ever interestingWe need to tell the recipient / machine why this is relevantAll data in MISP has a bare minimum required contextWe di�erentiate between indicators and supporting data

8 33

Broadening the scope of what sort of contextwe are interested in

Who can receive our data? What can they do with it?Data accuracy, source reliabilityWhy is this data relevant to us?Who do we think is behind it, what tools were used?What sort of motivations are we dealing with? Who are thetargets?How can we block/detect/remediate the attack?What sort of impact are we dealing with?

9 33

Tagging and taxonomies

Simple labelsStandardising on vocabulariesDi�erent organisational/community cultures requiredi�erent nomenclaturesTriple tag system - taxonomiesJSON libraries that can easily be de�ned without ourintervention

10 33

Galaxies

Taxonomy tags often non self-explanatoryI Example: universal understanding of tlp:green vs APT 28

For the latter, a single string was ill-suitedSo we needed something new in addition to taxonomies -GalaxiesI Community driven knowledge-base libraries used as tagsI Including descriptions, links, synonyms, meta information,etc.

I Goal was to keep it simple and make it reusableI Internally it works the exact same way as taxonomies (stick toJSON)

11 33

The emergence of ATT&CK

Standardising on high-level TTPs was a solution to a longlist of issuesAdoption was rapid, tools producing ATT&CK data, familiarinterface for usersA much better take on kill-chain phases in generalFeeds into our �ltering and situational awareness needsextremely wellGave rise to other, ATT&CK-like systems tackling otherconcerns

12 33

The emergence of ATT&CK and similar galaxies

attck4fraud 1 by Francesco Bigarella from INGElection guidelines 2 by NIS Cooperation GroupAM!TT Misinformation pattern 3 by the misinfosecproject

1https://www.misp-project.org/galaxy.html#_attck4fraud2https:

//www.misp-project.org/galaxy.html#_election_guidelines3https://github.com/MISP/misp-galaxy/blob/master/

clusters/misinfosec-amitt-misinformation-pattern.json13 33

False positive handling

Low quality / false positive prone information being sharedLead to alert-fatigueExclude organisation xy out of the community?FPs are often obvious - can be encodedWarninglist system4 aims to do thatLists of well-known indicators which are oftenfalse-positives like RFC1918 networks, ...

4https://github.com/MISP/misp-warninglists14 33

Data that tells a story

More complex data-structures for a modern age

Atomic attributes were a great starting point, but lacking inmany aspectsMISP objects5 systemI Simple templating approachI Use templating to build more complex structuresI Decouple it from the core, allow users to de�ne their ownstructures

I MISP should understand the data without knowing thetemplates

I Massive caveat: Building blocks have to be MISP attributetypes

I Allow relationships to be built between objects

5https://github.com/MISP/misp-objects15 33

Supporting specific datamodels

16 33

Continuous feedback loop

Data shared was frozen in timeAll we had was a creation/modi�cation timestampImproved tooling and willingness allowed us to create afeedback loopLead to the introduction of the Sighting systemSignal the fact of an indicator sighting......as well as when and where it was sightedVital component for IoC lifecycle managementExternal SightingDB and standard - thanks to SebastienTricaud from Devo inc.

17 33

Continuous feedback loop (2)

18 33

Continuous feedback loop (3)

Monitor uptimes of infrastructureMake decisions on whether to action on an IoC

19 33

A brief history of time - Timelines

Data providers including the timing of the data has allowedus to include it directly in MISPFirst_seen and last_seen data pointsAlong with a complete integration with the UIEnables the visualisation and adjustment of indicatorstimeframes

20 33

The various ways of encodinganalyst knowledge to automati-cally leverage our TI

Making use of all this context

Providing advanced ways of querying dataI Uni�ed export APIsI Incorporating all contextualisation options into API �ltersI Allowing for an on-demand way of excluding potential falsepositives

I Allowing users to easily build their own export modules feedtheir various tools

21 33

Example query

/attributes/restSearch

{" returnFormat " : " n e t f i l t e r " ," enforceWarningl is t " : 1 ," tags " : {"NOT " : [" t lp : white " ," type : OSINT "

] ,"OR " : ["misp−galaxy : threat−actor =\" Sofacy \ " " ,"misp−galaxy : sector =\" Chemical \""

] ,}

}

22 33

Example query to generate ATT&CK heatmaps

/events/restSearch

{" returnFormat " : " attack " ," tags " : [

"misp−galaxy : sector =\" Chemical \""] ," timestamp " : "365d"

}

23 33

A sample result for the above query

24 33

Decaying of indicators

We were still missing a way to use all of these systems incombination to decay indicatorsMove the decision making from complex �lter options tocomplex decay modelsThe idea is to not modify our data, but to provide an overlayto make decisions on the �yDecay models would take into account various availablecontextI TaxonomiesI SightingsI type of each indicatorI Creation dateI ...

25 33

Implementation in MISP: Event/view

Decay score toggle buttonI Shows Score for each Models associated to the Attribute type

26 33

Implementation in MISP: Fine tuning tool

Create, modify, visualise, perform mapping

27 33

Implementation in MISP: simulation tool

Simulate Attributes with di�erent Models

28 33

Monitor trends outside of MISP (example:dashboard)

29 33

A small detour - COVID-19 MISP

COVID-19 MISP

Using the new built in dashboarding system of MISPCustomising MISP for a speci�c use-caseWe are focusing on four areas of sharing:I Medical informationI Cyber threats related to / abusing COVID-19I COVID-19 related disinformationI Geo-political events related to COVID-19

Low barrier of entry, aiming for wide spreadAlready a massive communityRegister at https://covid-19.iglocska.eu

30 33

Dashboarding and situational awareness

Create, modify, visualise, perform mapping

31 33

To sum it all up...

Massive rise in user capabilitiesGrowing need for truly actionable threat intelLessons learned:I Context is king - Enables better decision makingI Intelligence and situational awareness are naturalby-products of context

I Don’t lock users into your work�ows, build tools that enabletheirs

32 33

Get in touch if you have any questions

Contact CIRCLI info@circl.luI https://twitter.com/circl_luI https://www.circl.lu/

Contact MISPProjectI https://github.com/MISPI https://gitter.im/MISP/MISPI https://twitter.com/MISPProject

Join the COVID-19 MISP communityI https://covid-19.iglocska.eu

33 / 33