E. Cleopatra 09103d861a
MISP user stories and workflows
2021-03-26 16:34:23 +01:00

MISP User Stories

Each user story below is followed by an example workflow in MISP.
As a lead threat intelligence analyst, I want to lead a team focused on hunting down threats so that I can prevent attacks against ICT infrastructures and organizations
  • Monitor what teams are up to in real-time using the Live Dashboard
As a threat analyst, I want to research, analyze and reverse engineer malware so that I can know how to counter it
  • Attach and download files and malware samples from events
  • Search for hashes/IPs/domains/URLs from malware events, or add malware sample hashes to an event
  • Analyse observables and malware collected during an incident (e.g. domain name, IP addresses etc.) by checking whether observables are IoCs or false positives using correlation graph and expansion modules.
  • Enrich malware events by querying data sources external to MISP using modules
  • Perform dynamic malware analysis correlations
  • Submit events with malware samples to analysis tools (e.g. VirusTotal, VMRay) for further analysis, and then extend MISP with the malware analysis results
As a lead threat intelligence analyst, I want to convert threat data into actionable threat intelligence so that I can improve security posture.
  • Import data from external sources
  • Add feeds
  • Contextualise events and attributes using tags, taxonomies and galaxies
As a threat analyst, I want to exchange threat information with third parties so that we can gain shared situational awareness
  • Set up different distribution models on the MISP instance
  • Sync events and attributes between instances
  • Use filtering functionalities to meet an organisation's sharing policy
  • Share information, pentest information, malware samples, vulnerabilities internally and externally
  • Use the achievements widget, which adds gamification to information sharing
As a threat analyst, I want to monitor threats and access live data so that I can manage threats before they cause major damage
  • Import lists of indicators and check if the IOCs are present in feeds.
  • Monitor statistics and sightings using widgets
  • Show live data and stats from one or more MISP instances via the Dashboard
  • Process information in real-time when it's updated, created, or published by instances by integrating with ZMQ
  • Use sightings to notify an instance about activities related to an indicator
As a threat analyst, I want to aggregate and compare indicators from various sources so that I can connect the dots between various threats
  • Join communities and subscribe to the feeds
  • Add events and assign events to specific feeds
  • Correlate indicators using MISP's automated correlation engine
  • Link events and attributes using the correlation graph
  • Analyse and gain more information on attributes using modules
  • Link events with malware, threat actors etc. using galaxies (e.g. ATT&CK)
As a threat analyst, I want to have a structured database of threat data that I can use to perform lookups/queries when investigating new threats
  • Store information in a structured format using STIX
  • Import unstructured reports using the free-text import tool
  • Use MISP as a centralized hub for security and fraud threat intel. Centralize threat intel by aggregating indicators from OSINT and commercial feeds
  • Remove false positives and duplicates
  • Score indicators based on Sightings and other metrics
  • Import/integrate feeds or threat intelligence from third parties
  • Generate, select, exchange, and collect intelligence using feeds
  • Select and import events
  • Look for correlations between events using the correlation graph
  • Build filtered subsets of the data repository for feed creation.
  • Preview and correlate feed data directly for evaluation
As a threat analyst, I want to contextualize and enrich raw threat data so that I can produce actionable intelligence
  • Understand attacker TTPs by using taxonomies to link events
  • Categorize risks and incidents using galaxies and taxonomies
  • Quickly classify information using tags collections
  • Contextualise sightings with information on the source
  • Enrich IDS exports with tags to fit your NIDS deployment
  • Decay attributes and score indicators using sightings (reported by IDSes)
  • Describe and visualise complex scenarios using MISP's richer data structure
  • Allow advanced combination of attributes using MISP objects
As a threat analyst, I want to investigate threats so that I can protect computer systems from attacks
  • Find relevant data for investigations from MISP communities. Preview new MISP events and alerts from multiple sources such as email reports, CTI providers, and SIEMs
  • Query a MISP instance for events that include a given IOC. Browse through other MISP events, attributes, objects, tags, and galaxies
  • Create events, add IoCs (attributes), and contextualise (using tags)
  • Pivot an event into its attributes, objects, tags, galaxies, and/or related Events
  • Explore further details from Galaxies and related Events
  • Categorize available related information within the ATT&CK framework.
  • Query tools (e.g. the Cytomic Orion API) to check whether certain MISP indicators have been observed, then import the sighting details to add them to MISP events
  • Prioritize threats using Sightings collected from users, scripts and IDSes.
  • Decay/expire indicators using sightings reported by users, scripts and IDSes
  • Launch lookups from MISP against SIEMs as part of an investigation
  • Correlate network forensic flows from several tools
As a SOC team, we want to ingest, analyse, store and make connections between threat data so as to discover potential threats
  • See connections between events using the correlations graph
  • Import CVEs and vulnerabilities (e.g. from Metasploit) and contextualise them
  • Contextualise CVEs using events derived from articles/reports
  • Convert CVE information into a feed
  • Pull shared CVE feeds
  • Combine collected data with your MISP data set for correlation
  • Share correlated info to the team using the export function or API search
  • View current threats and activity, historical, geolocalized information using MISP Dashboard
As a junior SOC analyst, I want to enrich alerts so that I can "punch above my weight" and make connections that would have otherwise required more experience
  • Create events, add/import observables
  • Use Cortex and its analyzers to gain insight
  • Leverage tags, sightings, and previously-seen observables to feed your threat intelligence
  • Export IOCs to MISP instances after investigations are complete
  • Integrate MISP with Maltego to generate visualisations of data
  • Integrate MISP with Elastic to access threat data without the complexities of the MISP interface.
  • Push attributes from MISP to Elastic and have a representation with graphs, an alternative to using MISP Dashboard.
  • Create taxonomies using the taxonomy editor.
  • Contextualise data using taxonomies, clusters and galaxies
As a SOC analyst, I want to customize risk feeds to ignore or downgrade alerts that do not match organization- or industry-specific criteria, so that I can focus on relevant alerts
  • Filter incidents based on taxonomies (e.g. the veris country taxonomy to indicate the countries affected by an incident)
  • Normalise external input and feeds in MISP (e.g. feed importer).
  • Compare feeds before import to find similarities and false positives.
  • Evaluate the quality of the information before importing it (warning-list lookups at feed evaluation)
As a SOC analyst, I want to share real-time information pertaining to new or existing cases/observables to team members so that we can collaborate on investigations simultaneously
  • Control threat sharing using distribution settings: sharing group, community-only, connected communities, all communities.
  • Share sensitive and confidential events using the sharing group functionality
  • Measure the impact of an incident using taxonomies based on NISD/OES impact criteria
  • Export and share sightings in ATT&CK sightings format to give insights on TTPs and frequency of usage
As a SOC analyst, I want to rule out false positives so that I can focus on significant threats
  • Weed out false positives using warning lists
  • Crowd source data validation from community
  • Filter indicators based on specific criteria
  • Receive information on false positives using collaborative tools (proposals, sightings)
As a threat analyst, I want to remove false positives, filter and prioritize alerts so that I can focus on what really matters to my organization
  • Evaluate the quality and freshness of indicators using decaying models
  • Enforce warninglists to exclude events with certain attributes
  • Enable warninglists to alert for certain issues
  • Classify information (add/remove tags) based on their score or visibility via sightings
  • Use tags to set events or attributes for further processing by external tools (e.g. VirusTotal auto-expansion using Viper)
  • Notify an instance about activities related to an indicator via Sighting
  • Limit NIDS exports and improve rules using Sightings
  • Filter indicators based on specific criteria
  • Filter out relevant data when feeding protective tools
As a security analyst, I want to unravel the inner workings of a malicious file, phishing email or domain so that I can prevent attacks
  • Integrate MISP with a Security Incident Response Platform (e.g. TheHive)
  • Import indicators from MISP into the SIRP for further analysis
As a security analyst, I want to create blacklists/whitelists (e.g of domains) so that I can protect customers from malicious activity
  • Import threat data into MISP from synced servers and label using taxonomies
  • Enable warning lists, and exclude attributes that exist on the warning lists
  • Create lists with preferred attributes and export the list in an easily accessible format such as CSV
As a security analyst, I need a real-time overview of threat information so that I can quickly glance at important metrics
  • Integrate ZMQ to access a dashboard showing live data and stats
  • Monitor ongoing trends based on interests using the EventStream widget
  • Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds
  • View immediate contributions made by organisations from MISP's live dashboard
  • Find threats within your constituency using MISP Geolocalisation Dashboard
  • Get geospatial threat information from specific regions using the Geolocalisation Dashboard
As a security analyst, I want to automate repetitive tasks related to data normalization, importation, aggregation and enrichment so that I can have more time to put into threat analysis efforts
  • Automate tasks using PyMISP
  • Use PyMISP for scripted processing of events and attributes
As a security analyst, I want to collaborate with other analysts within and outside my organization's sector so that we can support one another
  • Build or join communities to exchange specific data structures
  • Share real-time analysis of an incident
  • Propose modifications to someone else's analysis using Proposals
As a security analyst, I want to triage and prioritize alerts so as to avoid alert fatigue
  • Evaluate the quality and freshness of indicators using decaying models
  • Weed out false positives using warning lists
  • Enable warning lists to alert for critical issues
  • Filter indicators based on specific criteria
  • Score indicators based on user sightings, including negative sightings and expiration sightings.
  • Classify information (add/remove tags) based on their score or visibility via sightings
As an incident responder, I want to get an up-to-date picture of the threat landscape so that I can prepare for threats in advance
  • Describe the impact of a threat using taxonomies (e.g. using the veris timeline taxonomy to indicate the duration of the incident)
  • Classify data to gain insight into the threat landscape.
  • Classify data so IDSes can alert on a rule
  • Integrate ZMQ to have a dashboard showing live data and statistics.
  • Integrate ZMQ to process information in real-time when it's updated, created, or gathered in MISP.
As an incident responder, I want to identify and respond to incidents so that I can reduce the impact and severity of an attack
  • Report false or true positives using the sighting mechanism, based on an incident investigation
  • Decay indicators to guarantee the quality of the indicators
As an incident responder, I want to receive early warnings and alerts about threats/incidents so that I can respond before they cause any harm
  • Receive correlated threat intel from sharing groups and communities
  • Monitor MISP feeds for alerts
  • Preview new events and alerts from multiple sources
  • Automate import/export of IoCs to/from protective or detection tools like IDSes and IPSes
  • Dispatch notifications when certain events are created or modified using the alert feature
  • Create filter rules based on personalised uses. Restrict alert messages by tags, publishing organisation or other metrics
As an incident responder, I want to store information identified during an incident investigation so that I can perform lookups/queries against the historical database during future incidents
  • Use a MISP instance as a database of events representing incidents. Store incident response data internally in a structured manner on MISP
  • Represent indicators as attributes, such as network indicators (e.g. an IP address) or system indicators (e.g. a string in memory)
  • Combine OSINT and your own intelligence
  • Create events made up of indicators (attributes) and then leverage these as a threat data feed
  • Modify events representing incidents to enable monitoring over time
  • Add object types to describe incidents
  • Monitor indicators for relevancy using Sightings
  • Ensure information quality and freshness by expiring indicators depending on their personalised objectives
  • Pull events from indicator lists to perform lookups against SIEMs
  • Use indicators to check logs and verify if you're affected by a threat
  • Correlate indicators with actual incidents to get more information
  • Integrate MISP with IR tools (e.g. TheHive) to (1) analyse observables during an incident, (2) import and (3) export events from MISP to TheHive and vice versa
  • Perform large-scale bulk data/traffic analysis and correlation against your MISP database using SightingsDB
As an incident responder, I want to export and feed data between security tools so that I can enhance their functionalities
  • Export data from MISP to feed protective/detective tools and early warning systems. Export formats support IDSes/IPSes (e.g. Suricata, Bro, Snort), SIEMs (e.g. CEF), host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego) and DNS policies (e.g. RPZ)
  • Feed MISP using automatic tools (e.g. Sandbox Analysis, low-value information needing correlation, Analyst workbench)
  • Pull events from feeds or indicator lists to perform lookups against SIEMs
  • Subscribe to ZMQ pub-sub to get published events for use in lookup processes
  • Match attributes against SIEMs using the lookup expansion module
  • Import activities from a SIEM (e.g. Splunk lookup validation or false-positive feedback), NIDS or honeypot devices
  • Post Sightings from IDSes, IPSes, SIEMs back to MISP
  • Use sightings to improve NIDS rule-sets
  • Generate IDS and NIDS rules automatically or manually using IoCs
  • Feed data to honeypots to generate blocklists and DNS RPZ zones
  • Consume correlated results in SIEMs using the API
  • Search for indicators in real-time in a SIEM using MISP ZMQ
  • Submit large sets of IoCs from MISP into SIEMs using PyMISP
  • Import indicators into MISP from other tools (SIEMs, IDSes) and be notified when those indicators appear again
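The ZMQ pub-sub lookup workflow in the list above, as an added example that is not code from the misp-book page or from the MISP project: it consumes published events from the MISP ZMQ feed, applies a tag filter of the kind the alerting story describes, and hands only `to_ids` indicators to a SIEM lookup step. It assumes MISP publishes frames of the form `<topic> <json>` (e.g. `misp_json_event {...}`) on `tcp://<host>:50000`, with the topic names and payload keys used below.

```python
"""Consume MISP's ZMQ pub-sub feed and hand detection-grade indicators to a lookup step.

Added example; not code from the misp-book page or the MISP project. Assumes MISP's
ZMQ publisher sends frames of the form '<topic> <json>' (e.g. 'misp_json_event {...}')
on tcp://<host>:50000, with the topic names and payload keys used below.
"""
import json
from typing import Callable, Dict, List, Optional, Set, Tuple

try:
    import zmq  # pyzmq, only needed for the live subscription in subscribe()
except ImportError:  # keeps the parsing logic usable without pyzmq
    zmq = None

# ZMQ topics this consumer handles (assumed MISP topic names).
EVENT_TOPIC = "misp_json_event"
SIGHTING_TOPIC = "misp_json_sighting"


def parse_message(raw: str) -> Optional[Tuple[str, dict]]:
    """Split one ZMQ frame into (topic, payload); None if malformed or an unhandled topic."""
    topic, sep, body = raw.partition(" ")
    if not sep or topic not in (EVENT_TOPIC, SIGHTING_TOPIC):
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    return (topic, payload) if isinstance(payload, dict) else None


def event_tags(event: dict) -> Set[str]:
    """Union of event-level and attribute-level tag names in a MISP Event payload."""
    ev = event.get("Event", event)
    tags = {t["name"] for t in ev.get("Tag", [])}
    for attr in ev.get("Attribute", []):
        tags.update(t["name"] for t in attr.get("Tag", []))
    return tags


def lookup_indicators(event: dict, required: Set[str], blocked: Set[str]) -> List[Dict[str, str]]:
    """Indicators worth sending to a SIEM lookup from one published event.

    The event must be published, carry at least one tag from ``required`` (e.g. a TLP
    level you are allowed to act on) and none from ``blocked``. Only attributes with
    to_ids set are returned, so the SIEM never searches for contextual values the
    analyst did not mark for detection.
    """
    ev = event.get("Event", event)
    if ev.get("published") not in (True, 1, "1"):
        return []
    tags = event_tags(event)
    if not (tags & required) or (tags & blocked):
        return []
    return [
        {"event_id": str(ev.get("id", "")), "type": a["type"], "value": a["value"]}
        for a in ev.get("Attribute", [])
        if a.get("to_ids") in (True, 1, "1")
    ]


def subscribe(endpoint: str, required: Set[str], blocked: Set[str],
              handler: Callable[[List[Dict[str, str]]], None]) -> None:
    """Blocking live consumer: calls handler(indicators) for every qualifying event."""
    if zmq is None:
        raise RuntimeError("pyzmq is required for the live subscription")
    sock = zmq.Context().socket(zmq.SUB)
    sock.connect(endpoint)
    sock.setsockopt_string(zmq.SUBSCRIBE, EVENT_TOPIC)
    while True:
        parsed = parse_message(sock.recv_string())
        if parsed and parsed[0] == EVENT_TOPIC:
            found = lookup_indicators(parsed[1], required, blocked)
            if found:
                handler(found)


# Constructed sample frame standing in for what MISP would publish.
SAMPLE_FRAME = "misp_json_event " + json.dumps({
    "Event": {
        "id": "42", "published": True,
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True, "Tag": []},
            {"type": "comment", "value": "seen in report", "to_ids": False, "Tag": []},
        ],
    }
})

if __name__ == "__main__":
    topic, payload = parse_message(SAMPLE_FRAME)
    # Act on amber/green data only; never forward red-tagged events to the SIEM.
    print(lookup_indicators(payload, {"tlp:amber", "tlp:green"}, {"tlp:red"}))
```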
As a CSIRT, we want to exchange and discuss information related to incidents and associated risks so that we can collaboratively respond to incidents
  • Build communities to exchange specific data structures
  • Discuss non-event related topics in Forums
  • Add comments to events (which may represent an incident)
  • Contact a reporter (e.g. another CSIRT) via email (encrypted, anonymously or not) to discuss commercially-sensitive information related to an incident
As a CSIRT, we want to interact with threat data in various ways during the threat investigation and incident response process
  • View events, indicators and feeds
  • Search and filter the data set
  • Classify, contextualize and correlate data
  • Download the viewed data in various formats
  • Interact with MISP data using other tools in the MISP ecosystem (e.g. MISP Workbench, Viper, MISPego)
As a CSIRT, we want to coordinate with team members and other organisations so that we can avoid duplication of work
  • Create and manage sharing groups between sectors
  • Join existing communities or sharing groups
  • Create and exchange events and indicators
  • Propose changes to existing analysis or reports
  • Enhance an analysis with additional information using Extended Events
  • Report sightings as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)
  • Contribute to threat intel feeds and analyse overlapping data
As a CSIRT, we want to share incident information and discuss risks with other team members so that we can collaboratively perform incident analysis
  • Create, modify, delete and exchange events and indicators
  • Modify distribution settings to exchange individual incidents and ensure confidentiality
  • Use taxonomies and galaxies to classify data before exchange (e.g. indicate the confidentiality of incidents using the NATO classification, or the risk of an incident using the threat-level taxonomy)
  • Edit, visualize, and share reports using Event Report
  • Incorporate reports from information sources using the Event Report module
  • Share indicators derived during incident response
  • Correlate and enrich data derived during incidents
  • Coordinate with affected parties during incident response using MISP's collaborative tools (proposals, sightings, emails)
As a fraud analyst, I want to investigate financial threats so that I can help financial institutions and consumers prevent financial fraud
  • Join communities and receive shared IOCs
  • Subscribe to feeds and get IOCs in an easily accessible format
  • Access lists and public feeds of malicious domains (e.g. phishing sites) and threats
  • Use indicators to check logs and verify if you're affected by a threat
  • Gather information related to a phishing site and create events
  • Integrate MISP with Maltego to visualise the full ATT&CK framework
As a fraud analyst, I want to blend updated threat intel with anti-fraud tools so that I can prevent fraud in real-time
  • Feed data from MISP to fraud prevention tools
  • Report sightings to MISP from fraud prevention tools
As a fraud analyst, I want to collaborate with analysts from other institutions so that we can gain shared situational awareness
  • Implement a MISP instance, and join relevant communities
  • Publish fraud perpetrators for others to see
  • Exchange events containing fraud information (e.g. a bank account number)
  • Use shared fraud data to feed firewalls and blocklists
  • Warn of false positives by alerting for invalid financial indicators
  • Give more credibility to indicators by reacting to event attributes (Sightings)
  • Get feedback from the community on the quality of indicators (Sightings)
As a customs and border control agent, I want to facilitate the flow of legal immigration and goods while preventing the illegal trafficking of people and contraband so that I can ensure homeland security
  • Create or join sharing groups and communities
  • Share information (e.g travel documents / biometric information) between border control agencies using MISP
  • Categorize data using predefined types such as PNR (passenger name records)
  • Share information / involve experts for the identification of smuggled goods
  • Perform anonymised lookups against exported data sets (e.g. an offline border control check)
As a law enforcement officer, I want to investigate digital crimes and threats so that I can apprehend criminals
  • Access information sharing communities
  • Get indicators and actionable information from CSIRTs/CERTs networks or researchers
  • Exchange information with other officers via sharing communities
  • Exchange and store incident information on MISP, enabling the system to act as a forensic tool over time
As a law enforcement officer, I want to collect and verify evidence of digital crimes so that I can bootstrap my DFIR cases
  • Collect indicators from shared events
  • Propose changes to existing analysis or reports
  • Enhance existing events with additional pieces of evidence using Extended Events
  • Exchange analysis and reports of digital forensic evidence
  • Correlate indicators corresponding to forensic pieces of evidence
  • Import Mactime timelines to describe forensic activities on an analysed file system
  • Describe forensic analysis cases using objects templates
  • Create, modify and visualise the timeline of events
  • Share analysis and reports of digital forensic evidence
  • Report sightings such as false-positive or true-positive (e.g. a partner/analyst has seen a similar indicator)
As a cybersecurity consultant, I want to provide structured threat intelligence to cross-sector partners with diverse requirements so that I can secure their infrastructure
  • Implement an instance and join relevant communities
  • Integrate MISP with an organisation's existing solutions using the API
  • Exchange events containing indicators
  • Set up distribution levels to ensure confidentiality during threat sharing
  • Sync between untrusted and trusted networks using Feed support
  • Notify the community about activities related to an indicator using Sightings
  • Score indicators based on user sightings, including negative sightings and expiration sightings
  • Propose updates to an event owner or indicate a sighting
  • Share attacker techniques via integration with ATT&CK
  • Set an attribute for detection tools using the IDS flag
As a cybersecurity specialist, I want to anonymously publish threat intel so that I can protect the identity of people who don't want to be associated with the information
  • Pseudo-anonymously publish data using Event Delegation
As a cybersecurity specialist, I want to investigate threats so that I can remediate and prevent cyber attacks
  • Query an instance for events that include a given IOC
  • Explore more details from Galaxies and related events
  • Categorize related information within the MITRE ATT&CK framework
As a security analyst, I want to access threat data so that I can use it to support my research
  • Contextualise indicators (attributes) using categories, taxonomies and galaxies
  • Reinforce an analysis using correlation features (e.g. do other analysts have the same hypothesis?)
  • Confirm a specific aspect using correlation features (e.g. are the sinkhole IP addresses used for one campaign?)
  • Verify if a threat is new or unknown in your community using correlation features
As a security analyst, I want to access updated threat data so that I can build protection in real time
  • Monitor feeds for recent indicators
  • Monitor activity in real-time on MISP dashboard by subscribing to ZMQ feeds
  • Process information in real-time when it's updated, created or gathered using ZMQ
As a risk analyst, I want to identify and predict risks to my organization so that I can improve the organization's security posture and situational awareness
  • Use a MISP instance as a database of events representing threats
  • Classify risks using taxonomies and galaxies
  • Generate statistics from your MISP instance to deduce from incidents the current operational status, risk posture, and threats to the cyber environment
  • Monitor trends and adversary TTPs using MISP-dashboard and built-in statistics
As a risk analyst, I want to present risk data to stakeholders in various formats (depending on their technical ability), so that I can justify the need for risk-mitigating strategies
  • Show trends within the sector/geographical region using MISP dashboard and built-in statistics
  • Turn MISP data into explorable graphs or timelines representing their activity or events
  • Export data from MISP in various formats
  • Share reports along with actionable data using Events Report
As a disinformation researcher, I want to identify indicators associated with a specific operation or campaign so that I can help track and mitigate threats
  • Monitor MISP feeds for indicators
  • Find relationships between indicators using correlation
As a disinformation researcher and journalist, I want to investigate information campaigns so that I can report whether there is or isn't disinformation or misinformation
  • Compare external feeds information with already-available information
  • Analyze the connections between incident objects
  • Map data with AMITT (embedded in MISP) to understand threat actor capabilities
  • Generate events that can be shared directly, via email or MISP
  • Add object types (e.g. for common social media platforms), relationship types (to make the graphs that users can traverse in MISP richer) and taxonomies (e.g. DFRLab's Dichotomies of Disinformation, and a NATO-led tactical variant) to describe indicators and events
  • Generate and share information operations data in MISP JSON or STIX format for easy sharing
  • Classify events with AM!TT techniques using the inline AM!TT Navigator
  • Describe attack patterns using AMITT
  • Track disinformation techniques using the AMITT galaxy
  • Integrate MISP with TheHive for case tracking
  • Describe additional disinformation cases using object templates
As a disinformation researcher, I want to connect with other researchers and responders so that we can collaboratively verify if an article/video/image contains disinformation and verify that a source (publisher, domain, etc.) doesn't distribute disinformation
  • Join a disinformation community
  • Notify the community about activities related to an indicator
  • Score indicators based on user sightings
  • Corroborate a finding using correlation features (e.g. is this the same campaign?)
As a disinformation researcher, I want to collaborate with other researchers and responders so that we can collectively stop disinformation campaigns
  • Browse and join disinformation communities (e.g. CogSec Collab MISP)
  • Contextualise data using tags, taxonomies and galaxies
  • Describe information campaign indicators and events using taxonomies (e.g. DFRLab Dichotomies of Disinformation)
  • Find relationships between indicators using correlation
  • Describe misinformation tactics/techniques using the AM!TT framework (galaxy)
  • Include relevant techniques found in a report or sighting in misinformation event data using AM!TT Navigator
As a data scientist, I want to automate tasks related to data collection, curation, analysis, and visualization so that I can reduce security analysts' workloads
  • Collect, add, update, search events/attributes/tags using PyMISP
  • Study malware samples using PyMISP
  • Write scripts to import (from other tools such as VirusTotal) additional attributes or IOC data (such as hashes) to build up knowledge on an event
  • Automatically handle indicators in third-party tools using PyMISP
  • Integrate MISP with existing infrastructure using PyMISP
  • Automate the dissemination of threat intelligence and threat data using the API
  • Generate exports to be ingested into other platforms
  • Create a range of filtered subsets of the dataset for various protective measures
  • Write scripts to disable the IDS flag based on the number of false-positive reported sightings, in order to prevent using false-positive indicators for detection or correlation actions
  • Generate data statistics and send reports via email, attached as CSV files using the API
  • Feed processed data into IDSes and 3rd party visualization using PyMISP
  • Build custom widgets to visualise/track data via the Dashboard
  • Extend MISP with Python scripts using MISP modules
  • Auto-discover new modules with their features using the API
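The "disable the IDS flag based on the number of false-positive sightings" task above, which also covers the PyMISP automation called for in the security analyst story, as an added example that is not code from the misp-book page or from the PyMISP project. It assumes the PyMISP calls `search`, `search_sightings` and `update_attribute` behave as used in `demote_false_positives` (verify against your PyMISP version) and uses MISP's sighting type codes as I know them: 0 = sighting, 1 = false positive, 2 = expiration.

```python
"""Clear the IDS flag on attributes that the community keeps reporting as false positives.

Added example; not code from the misp-book page or from the PyMISP project. The live
PyMISP calls in demote_false_positives() are assumptions to check against your
PyMISP version; the scoring logic itself runs offline on MISP-shaped sighting JSON.
"""
import time
from typing import Dict, Iterable, List

try:
    from pymisp import PyMISP  # only needed for a live run against an instance
except ImportError:
    PyMISP = None

# MISP sighting type codes (assumed): 0 = sighting, 1 = false positive, 2 = expiration.
SIGHTING, FALSE_POSITIVE, EXPIRATION = 0, 1, 2


def tally_sightings(sightings: Iterable[dict], since: int = 0) -> Dict[str, Dict[str, int]]:
    """Count sighting types per attribute id, ignoring sightings older than ``since`` (epoch).

    Accepts the raw MISP JSON shape ({"Sighting": {...}}) as well as bare sighting dicts,
    and tolerates numeric fields arriving as strings, which MISP commonly does.
    """
    counts: Dict[str, Dict[str, int]] = {}
    for raw in sightings:
        s = raw.get("Sighting", raw)
        if int(s.get("date_sighting", 0)) < since:
            continue
        bucket = counts.setdefault(str(s["attribute_id"]),
                                   {"seen": 0, "false_positive": 0, "expired": 0})
        kind = int(s.get("type", SIGHTING))
        if kind == FALSE_POSITIVE:
            bucket["false_positive"] += 1
        elif kind == EXPIRATION:
            bucket["expired"] += 1
        else:
            bucket["seen"] += 1
    return counts


def should_disable_ids(bucket: Dict[str, int], min_false_positives: int = 3) -> bool:
    """Demote only when false positives reach the threshold AND outnumber confirmations,
    so one disputed report cannot silence an indicator other teams still observe."""
    fp = bucket["false_positive"]
    return fp >= min_false_positives and fp > bucket["seen"]


def attributes_to_demote(attribute_ids: Iterable, sightings: Iterable[dict],
                         min_false_positives: int = 3, since: int = 0) -> List[str]:
    """Sorted ids of the given to_ids attributes whose recent sightings mark them as noise."""
    counts = tally_sightings(sightings, since)
    return sorted(a for a in map(str, attribute_ids)
                  if a in counts and should_disable_ids(counts[a], min_false_positives))


def demote_false_positives(misp, tag: str, min_false_positives: int = 3,
                           window_days: int = 30, dry_run: bool = True) -> List[str]:
    """Live run (assumed PyMISP API): fetch to_ids attributes carrying ``tag``, score
    their sightings from the last ``window_days`` and clear to_ids where warranted."""
    since = int(time.time()) - window_days * 86400
    attrs = misp.search(controller="attributes", tags=tag, to_ids=1, pythonify=True)
    sightings = []
    for a in attrs:
        sightings.extend(misp.search_sightings(context="attribute", context_id=a.id))
    targets = attributes_to_demote([a.id for a in attrs], sightings, min_false_positives, since)
    if not dry_run:
        for a in attrs:
            if str(a.id) in targets:
                a.to_ids = False  # keep the attribute for correlation, drop it from detection
                misp.update_attribute(a)
    return targets


# Constructed sightings in the shape a MISP instance returns them (epoch seconds as strings).
SAMPLE_SIGHTINGS = [
    {"Sighting": {"attribute_id": "10", "type": "1", "date_sighting": "1700000000", "source": "splunk"}},
    {"Sighting": {"attribute_id": "10", "type": "1", "date_sighting": "1700000100", "source": "suricata"}},
    {"Sighting": {"attribute_id": "10", "type": "1", "date_sighting": "1700000200", "source": "analyst"}},
    {"Sighting": {"attribute_id": "11", "type": "1", "date_sighting": "1700000000", "source": "splunk"}},
    {"Sighting": {"attribute_id": "11", "type": "0", "date_sighting": "1700000300", "source": "ids"}},
    {"Sighting": {"attribute_id": "12", "type": "1", "date_sighting": "1600000000", "source": "splunk"}},
    {"Sighting": {"attribute_id": "12", "type": "1", "date_sighting": "1600000001", "source": "splunk"}},
    {"Sighting": {"attribute_id": "12", "type": "1", "date_sighting": "1600000002", "source": "splunk"}},
]

if __name__ == "__main__":
    # 10: three false positives, no confirmation -> demote.
    # 11: one false positive against one confirmation -> keep.
    # 12: three false positives, all older than the window -> keep.
    print(attributes_to_demote(["10", "11", "12"], SAMPLE_SIGHTINGS, since=1650000000))
```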
As a data scientist, I want to collect and analyze data from various sources so that I can prioritize and predict risk
  • Aggregate indicators and sightings of all attributes/objects, useful for detecting particular security events or threats
  • Use PyMISP for scripted processing of events and attributes
  • Collect data from open data portals using the API
  • Publish open data and create data sets
  • Investigate file hashes, malicious website URLs, IP Addresses and domain names using shared indicators
  • Aggregate data sets for security research and threat analysis
  • Analyse and select threat feeds for incorporation into other tools to hunt known indicators
  • Indicate if an attribute should be used for detection or correlation actions using the IDS flag
  • Download data in various formats for ingestion in other tools, and for training ML models