2019-10-17 15:32:05 +02:00
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin { frame} [t,plain]
\titlepage
\end { frame}
2019-10-21 08:33:22 +02:00
\begin { frame}
\frametitle { Outline of the presentation}
\begin { itemize}
\item Present the components used in MISP to expire IOCs
\item Present the current state of Indicators life-cycle management in MISP
\end { itemize}
\end { frame}
2019-10-17 15:32:05 +02:00
\section { Expiring IOCs: Why and How?}
\begin { frame} [fragile]
2020-09-11 10:24:46 +02:00
\frametitle { Indicators lifecycle - Problem Statement}
2019-10-17 15:32:05 +02:00
\begin { itemize}
\item { \bf Sharing information} about threats { \bf is crucial}
\item Organisations are sharing more and more
\end { itemize}
\vspace { 1em}
Contribution by { \bf unique organisation} (\texttt { Orgc.name} ) on MISPPriv:\\
\vspace { 1em}
\begin { minipage} { 0.45\textwidth }
\begin { tabular} { ll}
\hline
Date & Unique Org \\
\hline
2013 & 17 \\
2014 & 43 \\
2015 & 82 \\
2016 & 105 \\
2017 & 118 \\
2018 & 125 \\
2019-10 & 135 \\
\hline
\end { tabular}
\vspace { 0.5em}
\end { minipage}
\begin { minipage} { 0.5\textwidth }
\begin { lstlisting}
{
"distribution": [1, 2, 3]
} \end { lstlisting}
\end { minipage}
\end { frame}
\begin { frame}
2020-09-11 10:24:46 +02:00
\frametitle { Indicators lifecycle - Problem Statement}
2019-10-17 15:32:05 +02:00
\begin { itemize}
\item Various users and organisations can share data via MISP, multiple parties can be involved
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item \textbf { Trust} , \textbf { data quality} and \textbf { relevance} issues
\item Each user/organisation have \textbf { different use-cases} and interests
2019-10-17 15:32:05 +02:00
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item Conflicting interests: Operational security VS attribution
2019-10-17 15:32:05 +02:00
\end { itemize}
\end { itemize}
\item [] $ \rightarrow $ Can be partially solved with \textit { Taxonomies}
\pause
\vspace { 0.5cm}
2020-09-11 10:24:46 +02:00
\item Attributes can be shared in large quantities \small { (more than 12M on \texttt { MISPPRIV} - Sept. 2020)}
2019-10-17 15:32:05 +02:00
\begin { itemize}
\item Partial info about their \textbf { freshness} (\textit { Sightings} )
2020-09-11 10:24:46 +02:00
\item Partial info about their \textbf { validity} (\textit { last\_ seen} )
2019-10-17 15:32:05 +02:00
\end { itemize}
2020-09-11 10:24:46 +02:00
\item [] $ \rightarrow $ Can be partially solved with our \textit { Data model}
2019-10-17 15:32:05 +02:00
\end { itemize}
2020-09-11 10:24:46 +02:00
\begin { center}
MISP's \textit { Decaying model} combines the two
\end { center}
2019-10-17 15:32:05 +02:00
\end { frame}
\begin { frame}
\frametitle { Requirements to enjoy the decaying feature in MISP}
2020-09-11 10:24:46 +02:00
\begin { itemize}
\item Starting from \textbf { MISP 2.4.116} , the decaying feature is available
\item \textbf { Update} decay models and \textbf { enable} some
\item MISP Decaying strongly relies on \textit { Taxonomies} and \textit { Sightings} , don't forget to review their configuration
\end { itemize}
\vspace { 0.7cm}
Note: The decaying feature has no impact on the information stored in MISP, it's just an \textbf { overlay} to be used in the user-interface and API
2019-10-17 15:32:05 +02:00
\end { frame}
\begin { frame}
2020-09-11 10:24:46 +02:00
\frametitle { \textit { Sightings} - Refresher (1)}
\textit { Sightings} add a \textbf { temporal context} to indicators.
2019-10-17 15:32:05 +02:00
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item \textit { Sightings} can be used to represent that you saw the IoC
\item \textbf { Usecase:} Continuous feedback loop MISP $ \leftrightarrow $ IDS
2019-10-17 15:32:05 +02:00
\end { itemize}
2020-09-11 10:24:46 +02:00
2019-10-17 15:32:05 +02:00
\begin { center}
\includegraphics [scale=1.00] { pics/sightings.png}
\end { center}
\end { frame}
2020-09-11 10:24:46 +02:00
\begin { frame}
\frametitle { \textit { Sightings} - Refresher (2)}
\textit { Sightings} add a \textbf { temporal context} to indicators.
\begin { itemize}
\item \textit { Sightings} give more credibility/visibility to indicators
\item This information can be used to { \bf prioritise and decay indicators}
\end { itemize}
\end { frame}
2019-10-17 15:32:05 +02:00
\begin { frame}
\frametitle { Taxonomies - Refresher (1)}
\includegraphics [width=1.00\linewidth] { pics/taxonomies.png}
\begin { itemize}
2019-10-21 08:33:22 +02:00
\item \textit { Taxonomies} are a simple way to attach a classification to an \textit { Event} or an \textit { Attribute}
\item Classification must be globally used to be efficient (or agreed on beforehand)
2019-10-17 15:32:05 +02:00
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Taxonomies - Refresher (2)}
\includegraphics [width=1.00\linewidth] { pics/taxonomy-admiralty-scale.png}
\begin { center}
$ \rightarrow $ Cherry-pick allowed \textit { Tags}
\end { center}
\end { frame}
\begin { frame}
\frametitle { Taxonomies - Refresher (3)}
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item Some taxonomies have a \texttt { numerical\_ value}
\item Allows concepts to be used in an mathematical expression
2019-10-17 15:32:05 +02:00
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item [$\rightarrow$] Can be used to prioritise IoCs
2019-10-17 15:32:05 +02:00
\end { itemize}
\end { itemize}
2019-10-21 08:33:22 +02:00
\vspace { 0.5cm}
2019-10-17 15:32:05 +02:00
\begin { footnotesize}
2020-09-11 10:24:46 +02:00
\texttt { admirality-scale} taxonomy\footnote { \url { https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json} }
\begin { columns} [T] % align columns
\begin { column} { .40\textwidth }
\begin { tabular} { |ll|}
\hline
\textbf { Description} & \textbf { Value} \\
\hline
Completely reliable & 100\\
Usually reliable & 75\\
Fairly reliable & 50\\
Not usually reliable & 25\\
Unreliable & 0\\
Reliability cannot be judged & 50\\
Deliberatly deceptive & 0\\
\hline
\end { tabular}
\end { column} %
\hfill %
\begin { column} { .48\textwidth }
\begin { tabular} { |ll|}
\hline
\textbf { Description} & \textbf { Value} \\
\hline
Confirmed by other sources & 100\\
Probably true & 75\\
Possibly true & 50\\
Doubtful & 25\\
Improbable & 0\\
Truth cannot be judged & 50\\
\hline
\end { tabular}
\end { column} %
\end { columns}
\end { footnotesize}
\end { frame}
\begin { frame}
\frametitle { Taxonomies - Refresher (3)}
\begin { footnotesize}
\texttt { admirality-scale} taxonomy\footnote { \url { https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json} }
2019-10-17 15:32:05 +02:00
\begin { columns} [T] % align columns
\begin { column} { .40\textwidth }
\begin { tabular} { |ll|}
\hline
\textbf { Description} & \textbf { Value} \\
\hline
Completely reliable & 100\\
Usually reliable & 75\\
Fairly reliable & 50\\
Not usually reliable & 25\\
Unreliable & 0\\
Reliability cannot be judged & 50 \textbf { \color { red} ?} \\
Deliberatly deceptive & 0 \textbf { \color { red} ?} \\
\hline
\end { tabular}
\end { column} %
\hfill %
\begin { column} { .48\textwidth }
\begin { tabular} { |ll|}
\hline
\textbf { Description} & \textbf { Value} \\
\hline
Confirmed by other sources & 100\\
Probably true & 75\\
Possibly true & 50\\
Doubtful & 25\\
Improbable & 0\\
Truth cannot be judged & 50 \textbf { \color { red} ?} \\
\hline
\end { tabular}
\end { column} %
\end { columns}
\end { footnotesize}
2019-10-21 08:33:22 +02:00
\vspace { 0.5cm}
2020-09-11 10:24:46 +02:00
$ \rightarrow $ Users can override tag \texttt { numerical\_ value}
2019-10-17 15:32:05 +02:00
\end { frame}
2019-10-21 08:33:22 +02:00
\begin { frame}
\frametitle { Scoring Indicators: Our solution}
$$ \texttt { score } ( \texttt { \tiny Attribute } ) = \texttt { base \_ score } ( \texttt { \tiny Attribute, Model } ) \; \; \bullet \; \; \texttt { decay } ( \texttt { \tiny Model, time } ) $$
\begin { itemize}
\item \texttt { base\_ score} (\texttt { \tiny Attribute, Model} )
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item Initial score of the \textit { Attribute} only considering the context (\textit { Attribute's type} , \textit { Tags} )
2019-10-21 08:33:22 +02:00
\end { itemize}
\vspace { 1cm}
\item \texttt { decay} (\texttt { \tiny Model, time} )
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item Function composed of the \textbf { lifetime} and \textbf { decay speed}
\item Decreases the \texttt { base\_ score} over time
2019-10-21 08:33:22 +02:00
\end { itemize}
\end { itemize}
\end { frame}
2020-09-11 10:24:46 +02:00
\begin { frame}
\frametitle { Scoring Indicators: Our solution}
$$ \texttt { score } ( \texttt { \tiny Attribute } ) = \texttt { base \_ score } ( \texttt { \tiny Attribute, Model } ) \; \; \bullet \; \; \texttt { decay } ( \texttt { \tiny Model, time } ) $$
\begin { center}
\begin { tikzpicture}
\draw [->] (-1, 0) -- (4.5, 0) node[right] { $ time $ } ;
\draw [->] (0, -1) -- (0, 4.2) node[left] { $ score $ } ;
\node at (-1, 2.6) { \footnotesize base\_ score} ;
\draw [scale=0.5, domain=0:8, smooth, variable=\y, blue] plot ({ \y } , { 5 * (1 - (\y /8)^ (3.5))} );
\end { tikzpicture}
\end { center}
\end { frame}
2019-10-17 15:32:05 +02:00
\section { Current implementation in MISP}
\begin { frame}
\frametitle { Implementation in MISP: \texttt { Event/view} }
\includegraphics [width=1.00\linewidth] { pics/decaying-event.png}
\begin { itemize}
\item \texttt { Decay score} toggle button
\begin { itemize}
\item Shows Score for each \textit { Models} associated to the \textit { Attribute} type
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame} [fragile]
\frametitle { Implementation in MISP: API result}
\texttt { /attributes/restSearch}
\begin { lstlisting}
"Attribute": [
{
"category": "Network activity",
"type": "ip-src",
"to_ ids": true,
"timestamp": "1565703507",
[...]
"value": "8.8.8.8",
"decay_ score": [
{
"score": 54.475223849544456,
"decayed": false,
"DecayingModel": {
"id": "85",
"name": "NIDS Simple Decaying Model"
}
}
],
[...]
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Objectives}
\begin { itemize}
\item \textbf { Automatic scoring} based on default values
\item \textbf { User-friendly UI} to manually set \textit { Model} configuration (lifetime, decay, etc.)
\item \textbf { Simulation} tool
\item Interaction through the \textbf { API}
2019-10-21 13:52:02 +02:00
\item Opportunity to create your \textbf { own} formula or algorithm
2019-10-17 15:32:05 +02:00
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Models definition}
\hspace { 190pt}
\raisebox { -1.0ex} { \Large $ \Rsh $ } { \tiny $ score = base \_ score \cdot \left ( 1 - \left ( \frac { t } { \tau } \right ) ^ { \frac { 1 } { \delta } } \right ) $ }
2020-09-11 10:24:46 +02:00
\textit { Models} are an instanciation of the formula with configurable parameters:
2019-10-17 15:32:05 +02:00
\begin { itemize}
\item Parameters: \texttt { lifetime, decay\_ rate, threshold}
2020-09-11 10:24:46 +02:00
\item \texttt { base\_ score} computation
2019-10-17 15:32:05 +02:00
\item \texttt { default base\_ score}
\item associate \textit { Attribute} types
2020-09-11 10:24:46 +02:00
\item formula
2019-10-17 15:32:05 +02:00
\item creator organisation
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Models Types}
2020-09-11 10:24:46 +02:00
Two types of model are available
2019-10-17 15:32:05 +02:00
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item \textbf { Default Models} : Created and shared by the community. Coming from \texttt { misp-decaying-models} repository\footnote { \url { https://github.com/MISP/misp-decaying-models.git} } .
2019-10-17 15:32:05 +02:00
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item [$\rightarrow$] Not editable
2019-10-17 15:32:05 +02:00
\end { itemize}
2020-09-11 10:24:46 +02:00
\vspace { 0.5cm}
\item \textbf { Organisation Models} : Created by a user on MISP
2019-10-17 15:32:05 +02:00
\begin { itemize}
2020-09-11 10:24:46 +02:00
\item Can be hidden or shared to other organisation
\item [$\rightarrow$] Editable
2019-10-17 15:32:05 +02:00
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Index}
\includegraphics [width=1.00\linewidth] { pics/decaying-index.png}
2020-09-11 10:24:46 +02:00
Standard CRUD operations: View, update, add, create, delete, enable, export, import
2019-10-17 15:32:05 +02:00
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Fine tuning tool}
\includegraphics [width=1.00\linewidth] { pics/decaying-tool.png}
2020-09-11 10:24:46 +02:00
Configure models: Create, modify, visualise, perform mapping
2019-10-17 15:32:05 +02:00
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: \texttt { base\_ score} tool}
\includegraphics [width=1.00\linewidth] { pics/decaying-basescore.png}
Adjust Taxonomies relative weights
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: simulation tool}
\includegraphics [width=1.00\linewidth] { pics/decaying-simulation.png}
2020-09-11 10:24:46 +02:00
Simulate decay on \textit { Attributes} with different \textit { Models}
2019-10-17 15:32:05 +02:00
\end { frame}
\begin { frame} [fragile]
\frametitle { Implementation in MISP: API query body}
\texttt { /attributes/restSearch}
\begin { lstlisting}
{
"includeDecayScore": 1,
"includeFullModel": 0,
"excludeDecayed": 0,
"decayingModel": [85],
"modelOverrides": {
"threshold": 30
}
"score": 30,
}
\end { lstlisting}
\end { frame}
2019-10-21 11:56:57 +02:00
\lstset { language=PHP}
\begin { frame} [fragile]
\frametitle { Creating a new decay algorithm}
\lstset { basicstyle=\scriptsize }
\begin { lstlisting}
<?php
include_ once 'Base.php';
class Polynomial extends DecayingModelBase
{
public const DESCRIPTION = 'The description of your new decaying algorithm';
public function computeScore($ model, $ attribute, $ base _ score, $ elapsed_ time)
{
// algorithm returning a numerical score
}
public function isDecayed($ model, $ attribute, $ score )
{
// algorithm returning a boolean stating
// if the attribute is expired or not
}
}
?>
\end { lstlisting}
\end { frame}
2019-10-17 15:32:05 +02:00
\begin { frame}
\frametitle { Decaying Models 2.0}
\begin { itemize}
\item Improved support of \textit { Sightings}
\begin { itemize}
\item \texttt { False positive} \textit { Sightings} should somehow reduce the score
\item \texttt { Expiration} \textit { Sightings} should mark the attribute as decayed
\end { itemize}
\item Potential \textit { Model} improvements
\begin { itemize}
\item Instead of resetting the score to \texttt { base\_ score} once a \textit { Sighting} is set, the score should be increased additively (based on a defined coefficient); thus \textbf { prioritizing surges} rather than infrequent \textit { Sightings}
\item Take into account related \textit { Tags} or \textit { Correlations} when computing score
\end { itemize}
\item Increase \textit { Taxonomy} coverage
\begin { itemize}
\item Users should be able to manually override the \texttt { numerical\_ value} of \textit { Tags}
\end { itemize}
\end { itemize}
\end { frame}
