% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP and CIRCL}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acts as the Luxembourg National CERT for the private sector.
\item We lead the development of the Open Source MISP TISP, which is used by many military and intelligence communities, private companies, the financial sector, National CERTs and LEAs globally.
\item \textbf{CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item Why is \textbf{contextualisation} important?
\item What options do we have in MISP?
\item How can we \textbf{leverage} this in the end?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What is MISP?}
\begin{itemize}
\item Open source ``TISP''---a TIP with a strong focus on sharing
\item Thanks to Andreas we don't have to explain what a TIP is\dots{} :)
\item A tool that \textbf{collects} information from partners, your analysts, your tools and feeds
\item Normalises, correlates, enriches the data
\item Allows teams and communities to \textbf{collaborate}
\item \textbf{Feeds} automated protective tools and analyst tools with the output
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The growing need to contextualise data}
\begin{itemize}
\item Contextualisation became more and more important as we, as a community, matured
\begin{itemize}
\item \textbf{Growth and diversification} of our communities
\item Distinguish between information of interest and raw data
\item \textbf{False-positive} management
\item TTPs and aggregate information may be more relevant than raw data (risk assessment)
\item \textbf{Increased data volumes} lead to a need to be able to prioritise
\end{itemize}
\item These help with filtering your TI based on your \textbf{requirements}\dots
\item \dots as highlighted by Pasquale Stirparo in \emph{Your Requirements Are Not My Requirements}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Different layers of context}
\begin{itemize}
\item Context added by analysts / tools
\item Data that tells a story
\item Encoding analyst knowledge to automatically leverage the above
\end{itemize}
\end{frame}
\section{Context added by analysts / tools}
\begin{frame}
\frametitle{Expressing why data-points matter}
\begin{itemize}
\item An IP address by itself is hardly ever interesting
\item We need to tell the recipient / machine why it is relevant
\item All data in MISP has a bare minimum of required context
\item We differentiate between indicators and supporting data
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Broadening the scope of what sort of context we are interested in}
\begin{itemize}
\item \textbf{Who} can receive our data? \textbf{What} can they do with it?
\item \textbf{Data accuracy, source reliability}
\item \textbf{Why} is this data relevant to us?
\item \textbf{Who} do we think is behind it, \textbf{what tools} were used?
\item What sort of \textbf{motivations} are we dealing with? Who are the \textbf{targets}?
\item How can we \textbf{block/detect/remediate} the attack?
\item What sort of \textbf{impact} are we dealing with?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Tagging and taxonomies}
\begin{itemize}
\item Simple labels
\item Standardising on vocabularies
\item Different organisational/community cultures require different nomenclatures
\item Triple-tag system---taxonomies
\item JSON libraries that can easily be defined without our intervention
\end{itemize}
\includegraphics[width=\linewidth]{taxonomy-workflow.png}
\end{frame}
\begin{frame}
\frametitle{Galaxies}
\begin{itemize}
\item Taxonomy tags are often \textbf{not self-explanatory}
\begin{itemize}
\item Example: universal understanding of \texttt{tlp:green} vs.\ APT 28
\end{itemize}
\item For the latter, a single string was ill-suited
\item So we needed something new in addition to taxonomies---\textbf{Galaxies}
\begin{itemize}
\item Community-driven \textbf{knowledge-base libraries used as tags}
\item Including descriptions, links, synonyms, meta information, etc.
\item Goal was to keep it \textbf{simple and make it reusable}
\item Internally it works exactly the same way as taxonomies (stick to \textbf{JSON})
\end{itemize}
\end{itemize}
\begin{center}
\hspace{10em}
\includegraphics[scale=0.30]{galaxy-ransomware.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{The emergence of ATT\&CK and similar galaxies}
\begin{itemize}
\item Standardising on high-level \textbf{TTPs} was a solution to a long list of issues
\item Adoption was rapid: tools producing ATT\&CK data, a familiar interface for users
\item A much better take on kill-chain phases in general
\item Feeds into our \textbf{filtering} and \textbf{situational awareness} needs extremely well
\item Gave rise to other, ATT\&CK-like systems tackling other concerns
\begin{itemize}
\item \textbf{attck4fraud}\footnote{\url{https://www.misp-project.org/galaxy.html\#_attck4fraud}} by Francesco Bigarella from ING
\item \textbf{Election guidelines}\footnote{\url{https://www.misp-project.org/galaxy.html\#_election_guidelines}} by the NIS Cooperation Group
\end{itemize}
\end{itemize}
\end{frame}
\section{Data that tells a story}
\begin{frame}
\frametitle{More complex data-structures for a modern age}
\begin{itemize}
\item Atomic attributes were a great starting point, but lacking in many aspects
\item \textbf{MISP objects}\footnote{\url{https://github.com/MISP/misp-objects}} system
\begin{itemize}
\item Simple \textbf{templating} approach
\item Use templating to build more complex structures
\item Decouple it from the core, allow users to \textbf{define their own} structures
\item MISP should understand the data without knowing the templates
\item Massive caveat: \textbf{building blocks have to be MISP attribute types}
\item Allow \textbf{relationships} to be built between objects
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Supporting specific data models}
\begin{center}
\includegraphics[scale=0.24]{bankaccount.png}
\end{center}
\begin{center}
\includegraphics[scale=0.18]{bankview.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Continuous feedback loop}
\begin{itemize}
\item Data shared was \textbf{frozen in time}
\item All we had was a creation/modification timestamp
\item Improved tooling and willingness allowed us to create a \textbf{feedback loop}
\item Led to the introduction of the \textbf{Sighting system}
\item Signal the fact of an indicator sighting\dots
\item \dots as well as \textbf{when} and \textbf{where} it was sighted
\item Vital component for IoC \textbf{lifecycle management}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Continuous feedback loop (2)}
\begin{center}
\includegraphics[scale=0.5]{sighting-n.png}
\end{center}
\begin{center}
\includegraphics[scale=0.60]{Sightings2.PNG}
\end{center}
\end{frame}
\begin{frame}
\frametitle{A brief history of time---adding temporality to our data}
\begin{itemize}
\item As Andreas said, the lack of a time-based aspect was painful
\item Recently introduced \textbf{\texttt{first\_seen}} and \textbf{\texttt{last\_seen}} data points
\item Along with a complete integration into the \textbf{UI}
\item Enables the \textbf{visualisation} and \textbf{adjustment} of indicator timeframes
\end{itemize}
\begin{center}
\includegraphics[width=\linewidth]{timeline-misp-overview.png}
\end{center}
\end{frame}
\section{The various ways of encoding analyst knowledge to automatically leverage our TI}
\begin{frame}
\frametitle{False positive handling}
\begin{itemize}
\item Low-quality / false-positive-prone information being shared
\item Leads to \textbf{alert fatigue}
\item Exclude organisation XY from the community?
\item FPs are often obvious---they \textbf{can be encoded}
\item The \textbf{Warninglist system}\footnote{\url{https://github.com/MISP/misp-warninglists}} aims to do that
\item Lists of well-known indicators which are often false positives, such as RFC\,1918 networks, \dots
\end{itemize}
\begin{center}
\includegraphics[scale=0.22]{warning-list.png}
\includegraphics[scale=0.45]{warning-list-event.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Making use of all this context}
\begin{itemize}
\item Providing advanced ways of querying data
\begin{itemize}
\item Unified export APIs
\item Incorporating all contextualisation options into \textbf{API filters}
\item Allowing for an \textbf{on-demand} way of \textbf{excluding potential false positives}
\item Allowing users to easily \textbf{build their own} export modules to feed their various tools
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Example query}
\texttt{/attributes/restSearch}
\begin{lstlisting}
{
  "returnFormat": "netfilter",
  "enforceWarninglist": 1,
  "tags": {
    "NOT": [
      "tlp:white",
      "type:OSINT"
    ],
    "OR": [
      "misp-galaxy:threat-actor=\"Sofacy\"",
      "misp-galaxy:sector=\"Chemical\""
    ]
  }
}
\end{lstlisting}
\end{frame}
\begin{frame}[fragile]
\frametitle{Example query to generate ATT\&CK heatmaps}
\texttt{/events/restSearch}
\begin{lstlisting}
{
  "returnFormat": "attack",
  "tags": [
    "misp-galaxy:sector=\"Chemical\""
  ],
  "timestamp": "365d"
}
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{A sample result for the above query}
\begin{center}
\includegraphics[scale=0.2]{attack-screenshot.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Monitor trends outside of MISP (example: dashboard)}
\begin{center}
\includegraphics[scale=0.2]{dashboard-trendings.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Decaying of indicators}
\begin{itemize}
\item We were still missing a way to use all of these systems in combination to decay indicators
\item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models}
\item Decay models would take into account the various available \textbf{context}
\begin{itemize}
\item Taxonomies
\item Sightings
\item Type of each indicator
\item Creation date
\item \dots
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{Event/view}}
\includegraphics[width=\linewidth]{decaying-event.png}
\begin{itemize}
\item \texttt{Decay score} toggle button
\begin{itemize}
\item Shows the score for each \emph{Model} associated with the \emph{Attribute} type
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API result}
\texttt{/attributes/restSearch}
\begin{lstlisting}
"Attribute": [
  {
    "category": "Network activity",
    "type": "ip-src",
    "to_ids": true,
    "timestamp": "1565703507",
    [...]
    "value": "8.8.8.8",
    "decay_score": [
      {
        "score": 54.475223849544456,
        "decayed": false,
        "DecayingModel": {
          "id": "85",
          "name": "NIDS Simple Decaying Model"
        }
      }
    ],
    [...]
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: fine-tuning tool}
\includegraphics[width=\linewidth]{decaying-tool.png}
Create, modify, visualise, perform mapping
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: simulation tool}
\includegraphics[width=\linewidth]{decaying-simulation.png}
Simulate \emph{Attributes} with different \emph{Models}
\end{frame}
\begin{frame}
\frametitle{To sum it all up\dots}
\begin{itemize}
\item Massive rise in \textbf{user capabilities}
\item Growing need for truly \textbf{actionable threat intel}
\item Lessons learned:
\begin{itemize}
\item \textbf{Context is king}---it enables better decision making
\item \textbf{Intelligence and situational awareness} are natural by-products of context
\item Don't lock users into your \textbf{workflows}; build tools that enable theirs
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact us
\begin{itemize}
\item \url{https://twitter.com/mokaddem_sami}
\item \url{https://twitter.com/iglocska}
\end{itemize}
\item Contact CIRCL
\begin{itemize}
\item \href{mailto:info@circl.lu}{info@circl.lu}
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact the MISP Project
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\end{itemize}
\end{frame}