turning data into actionable intelligence · lessons learned: i context is king - enables better...
TRANSCRIPT
Turning data into actionable intelligenceadvanced features in MISP supporting your analysts and tools
Threat Sharing
@adulau @Iglocska
FIRST Cyber Threat Intelligence Webinar
MISP and CIRCL
CIRCL is mandated by the Ministry of Economy and acting asthe Luxembourg National CERT for private sector.We lead the development of the Open Source MISP TISPwhich is used by many military or intelligence communities,private companies, �nancial sector, National CERTs and LEAsglobally.CIRCL runs multiple large MISP communities performingactive daily threat-intelligence sharing.
1 33
The aim of this presentation
What is MISP?Our initial scopeWhy is contextualisation important?What options do we have in MISP?How can we leverage this in the end?
2 33
What is MISP?
Open source "TISP" - A TIP with a strong focus on sharingA tool that collects information from partners, your analysts,your tools, feedsNormalises, correlates, enriches the dataAllows teams and communities to collaborateFeeds automated protective tools and analyst tools with theoutputA set of tools to manage sharing communities andinterconnected MISP servers
3 33
Development based on practical user feedback
There are many di�erent types of users of an informationsharing platform like MISP:I Malware reversers willing to share indicators of analysis withrespective colleagues.
I Security analysts searching, validating and using indicatorsin operational security.
I Intelligence analysts gathering information about speci�cadversary groups.
I Law-enforcement relying on indicators to support orbootstrap their DFIR cases.
I Risk analysis teams willing to know about the new threats,likelyhood and occurences.
I Fraud analysts willing to share �nancial indicators to detect�nancial frauds.
4 33
The initial scope of MISP
Extract information during the analysis processStore and correlate these datapointsShare the data with partnersFocus on technical indicators: IP, domain, hostname, hashes,�lename, pattern in �le/memory/tra�cGenerate protective signatures out of the data: snort,suricata, OpenIOC
5 33
The growing need to contextualise data
Contextualisation became more and more important as weas a community maturedI Growth and diversi�cation of our communitiesI Distinguish between information of interest and raw dataI False-positive managementI TTPs and aggregate information may be prevalent comparedto raw data (risk assessment)
I Increased data volumes leads to a need to be able toprioritise
These help with �ltering your TI based on yourrequirements......as highlighted by a great talk from Pasquale Stirparo titledYour Requirements Are Not My Requirements
6 33
Different layers of context
Context added by analysts / toolsData that tells a storyEncoding analyst knowledge to automatically leverage theabove
7 33
Context addedby analysts / tools
Expressing why data-points matter
An IP address by itself is barely ever interestingWe need to tell the recipient / machine why this is relevantAll data in MISP has a bare minimum required contextWe di�erentiate between indicators and supporting data
8 33
Broadening the scope of what sort of contextwe are interested in
Who can receive our data? What can they do with it?Data accuracy, source reliabilityWhy is this data relevant to us?Who do we think is behind it, what tools were used?What sort of motivations are we dealing with? Who are thetargets?How can we block/detect/remediate the attack?What sort of impact are we dealing with?
9 33
Tagging and taxonomies
Simple labelsStandardising on vocabulariesDi�erent organisational/community cultures requiredi�erent nomenclaturesTriple tag system - taxonomiesJSON libraries that can easily be de�ned without ourintervention
10 33
Galaxies
Taxonomy tags often non self-explanatoryI Example: universal understanding of tlp:green vs APT 28
For the latter, a single string was ill-suitedSo we needed something new in addition to taxonomies -GalaxiesI Community driven knowledge-base libraries used as tagsI Including descriptions, links, synonyms, meta information,etc.
I Goal was to keep it simple and make it reusableI Internally it works the exact same way as taxonomies (stick toJSON)
11 33
The emergence of ATT&CK
Standardising on high-level TTPs was a solution to a longlist of issuesAdoption was rapid, tools producing ATT&CK data, familiarinterface for usersA much better take on kill-chain phases in generalFeeds into our �ltering and situational awareness needsextremely wellGave rise to other, ATT&CK-like systems tackling otherconcerns
12 33
The emergence of ATT&CK and similar galaxies
attck4fraud 1 by Francesco Bigarella from INGElection guidelines 2 by NIS Cooperation GroupAM!TT Misinformation pattern 3 by the misinfosecproject
1https://www.misp-project.org/galaxy.html#_attck4fraud2https:
//www.misp-project.org/galaxy.html#_election_guidelines3https://github.com/MISP/misp-galaxy/blob/master/
clusters/misinfosec-amitt-misinformation-pattern.json13 33
False positive handling
Low quality / false positive prone information being sharedLead to alert-fatigueExclude organisation xy out of the community?FPs are often obvious - can be encodedWarninglist system4 aims to do thatLists of well-known indicators which are oftenfalse-positives like RFC1918 networks, ...
4https://github.com/MISP/misp-warninglists14 33
Data that tells a story
More complex data-structures for a modern age
Atomic attributes were a great starting point, but lacking inmany aspectsMISP objects5 systemI Simple templating approachI Use templating to build more complex structuresI Decouple it from the core, allow users to de�ne their ownstructures
I MISP should understand the data without knowing thetemplates
I Massive caveat: Building blocks have to be MISP attributetypes
I Allow relationships to be built between objects
5https://github.com/MISP/misp-objects15 33
Supporting specific datamodels
16 33
Continuous feedback loop
Data shared was frozen in timeAll we had was a creation/modi�cation timestampImproved tooling and willingness allowed us to create afeedback loopLead to the introduction of the Sighting systemSignal the fact of an indicator sighting......as well as when and where it was sightedVital component for IoC lifecycle managementExternal SightingDB and standard - thanks to SebastienTricaud from Devo inc.
17 33
Continuous feedback loop (2)
18 33
Continuous feedback loop (3)
Monitor uptimes of infrastructureMake decisions on whether to action on an IoC
19 33
A brief history of time - Timelines
Data providers including the timing of the data has allowedus to include it directly in MISPFirst_seen and last_seen data pointsAlong with a complete integration with the UIEnables the visualisation and adjustment of indicatorstimeframes
20 33
The various ways of encodinganalyst knowledge to automati-cally leverage our TI
Making use of all this context
Providing advanced ways of querying dataI Uni�ed export APIsI Incorporating all contextualisation options into API �ltersI Allowing for an on-demand way of excluding potential falsepositives
I Allowing users to easily build their own export modules feedtheir various tools
21 33
Example query
/attributes/restSearch
{" returnFormat " : " n e t f i l t e r " ," enforceWarningl is t " : 1 ," tags " : {"NOT " : [" t lp : white " ," type : OSINT "
] ,"OR " : ["misp−galaxy : threat−actor =\" Sofacy \ " " ,"misp−galaxy : sector =\" Chemical \""
] ,}
}
22 33
Example query to generate ATT&CK heatmaps
/events/restSearch
{" returnFormat " : " attack " ," tags " : [
"misp−galaxy : sector =\" Chemical \""] ," timestamp " : "365d"
}
23 33
A sample result for the above query
24 33
Decaying of indicators
We were still missing a way to use all of these systems incombination to decay indicatorsMove the decision making from complex �lter options tocomplex decay modelsThe idea is to not modify our data, but to provide an overlayto make decisions on the �yDecay models would take into account various availablecontextI TaxonomiesI SightingsI type of each indicatorI Creation dateI ...
25 33
Implementation in MISP: Event/view
Decay score toggle buttonI Shows Score for each Models associated to the Attribute type
26 33
Implementation in MISP: Fine tuning tool
Create, modify, visualise, perform mapping
27 33
Implementation in MISP: simulation tool
Simulate Attributes with di�erent Models
28 33
Monitor trends outside of MISP (example:dashboard)
29 33
A small detour - COVID-19 MISP
COVID-19 MISP
Using the new built in dashboarding system of MISPCustomising MISP for a speci�c use-caseWe are focusing on four areas of sharing:I Medical informationI Cyber threats related to / abusing COVID-19I COVID-19 related disinformationI Geo-political events related to COVID-19
Low barrier of entry, aiming for wide spreadAlready a massive communityRegister at https://covid-19.iglocska.eu
30 33
Dashboarding and situational awareness
Create, modify, visualise, perform mapping
31 33
To sum it all up...
Massive rise in user capabilitiesGrowing need for truly actionable threat intelLessons learned:I Context is king - Enables better decision makingI Intelligence and situational awareness are naturalby-products of context
I Don’t lock users into your work�ows, build tools that enabletheirs
32 33
Get in touch if you have any questions
Contact CIRCLI [email protected] https://twitter.com/circl_luI https://www.circl.lu/
Contact MISPProjectI https://github.com/MISPI https://gitter.im/MISP/MISPI https://twitter.com/MISPProject
Join the COVID-19 MISP communityI https://covid-19.iglocska.eu
33 / 33