2023-08-30 07:58:26 +02:00
|
|
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
|
|
|
% This is included by the other .tex files.
|
|
|
|
|
|
|
|
\begin{frame}[t,plain]
|
|
|
|
\titlepage
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\section{MISP in general}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{about CIRCL and MISP}
|
|
|
|
\begin{itemize}
|
|
|
|
\item CIRCL
|
|
|
|
\begin{itemize}
|
|
|
|
\item National CERT for the private sector, communes, non-govermental entities in Luxembourg
|
|
|
|
\item Government-driven initiative, funded by the Ministry of Economy
|
2023-09-30 11:07:13 +02:00
|
|
|
\item Mission is to provide a systematic response to computer security threats and incidents
|
2023-08-30 07:58:26 +02:00
|
|
|
\item Open Source toolsmiths
|
|
|
|
\end{itemize}
|
|
|
|
\item Our relationship with MISP has two sides
|
|
|
|
\begin{itemize}
|
|
|
|
\item We {\bf lead the development} of the MISP platform
|
|
|
|
\item We are also involved with and {\bf run several communities}
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Before we start - What is MISP?}
|
|
|
|
\begin{itemize}
|
|
|
|
\item MISP is a {\bf threat information sharing} platform
|
|
|
|
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
|
|
|
|
\item Normalises, {\bf correlates}, {\bf enriches} the data
|
|
|
|
\item Allows teams and communities to {\bf collaborate}
|
|
|
|
\item {\bf Feeds} automated protective tools and analyst tools with the output
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Before we start - what is MISP?}
|
|
|
|
\begin{itemize}
|
|
|
|
\item It is also a set of {\bf open standards} implemented both by MISP and other tools
|
|
|
|
\item Additionally, it is an {\bf ecosystem} of libraries, supporting tools
|
|
|
|
\item A collection of guidance and best practice documentation by practitioners
|
|
|
|
\item All of these are free \& open source
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{What are the objectives of a modern TISP?}
|
|
|
|
\begin{itemize}
|
|
|
|
\item A tool that {\bf collects} information from partners, your analysts, your tools, sensors, feeds
|
|
|
|
\item Normalises, {\bf correlates}, {\bf enriches} the data
|
|
|
|
\item Manages your processes and automates tasks such as {\bf notifications}, {\bf data flow management}, {\bf triaging} and so on
|
|
|
|
\item Allows teams and communities to {\bf collaborate} and rapidly {\bf exchange knowledge}
|
|
|
|
\item {\bf Feeds} automated protective tools and analyst tools with the output
|
|
|
|
\item {\bf Presents} both individualised and community centric facts, trends, reports of the intelligence
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{MISP: Started from a practical use-case}
|
|
|
|
\begin{itemize}
|
|
|
|
\item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
|
|
|
|
\item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
|
|
|
|
\item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
|
|
|
|
\item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
|
|
|
|
\item MISP is now {\bf a community-driven development} supporting different intelligence communities.
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Development based on practical user feedback}
|
|
|
|
\begin{itemize}
|
|
|
|
\item There are many different types of users of an information sharing platform like MISP:
|
|
|
|
\begin{itemize}
|
|
|
|
\item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues.
|
|
|
|
\item {\bf Security analysts} searching, validating and using indicators in operational security.
|
|
|
|
\item {\bf Intelligence analysts} gathering information about specific adversary groups.
|
|
|
|
\item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
|
|
|
|
\item {\bf Risk analysis teams} willing to know about the new threats, likelyhood and occurences.
|
|
|
|
\item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds.
|
|
|
|
\item {\bf Military} sharing highly specialised information.
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Why do we develop all of this?}
|
|
|
|
\begin{itemize}
|
|
|
|
\item {\bf Main goal}: Make our own lives and the lives of our constituency easier
|
|
|
|
\begin{itemize}
|
|
|
|
\item Our central tool for ingesting, storing and disseminating information...
|
|
|
|
\item ...as well as to interact with organisations
|
|
|
|
\item By solving issues of other communities, we already have them prepared for information sharing with us when needed
|
|
|
|
\end{itemize}
|
|
|
|
\item {\bf Secondary}: Democratise threat intelligence for all
|
|
|
|
\item {\bf Stretch goal}: Build a full open-source tool-chain for CSIRTs / SoCs / etc
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Communities using MISP}
|
|
|
|
\begin{itemize}
|
|
|
|
\item Communities are groups of users sharing within a set of common objectives/values.
|
|
|
|
\item CIRCL operates multiple MISP instances with a significant user base (more than 2k organizations with close to 5k users).
|
|
|
|
\item {\bf Trust groups} running MISP communities in island mode (air gapped system) or partially connected mode.
|
|
|
|
\item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
|
|
|
|
\item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
|
2023-09-30 11:07:13 +02:00
|
|
|
\item {\bf Security vendors} running their own communities.
|
|
|
|
\item {\bf Sectorial communities} Telcoes, ISPs, Medical, ATF, ...
|
2023-08-30 07:58:26 +02:00
|
|
|
\item {\bf Topical communities} set up to tackle individual specific issues (disinformation, SIGINT, COVID-19, ...)
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Information pipeline}
|
|
|
|
\includegraphics[width=0.75\linewidth]{misp_data_flow.png}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\section{Some issues we try to tackle and their solutions}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Information quality management}
|
|
|
|
\begin{itemize}
|
2023-09-30 11:07:13 +02:00
|
|
|
\item What do we consider {\bf actionable intelligence}?
|
2023-08-30 07:58:26 +02:00
|
|
|
\begin{itemize}
|
|
|
|
\item Conflicting requirements - analyst work vs automated blocking for example
|
|
|
|
\end{itemize}
|
|
|
|
\item {\bf Filtering} both on {\bf input} and on {\bf output} separately
|
|
|
|
\begin{itemize}
|
|
|
|
\item Lax on ingestion, strict on output mantra
|
|
|
|
\item Warninglists - sanitising obviously problematic data from output
|
|
|
|
\item Indicator scoring / lifecycle management
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Information quality management}
|
|
|
|
\includegraphics[width=1.00\linewidth]{decaying-event.png}
|
|
|
|
\begin{itemize}
|
|
|
|
\item {\bf Decay score} calculated based on the enabled models
|
|
|
|
\item Score takes into account {\bf contextualisation, type, sightings}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Information quality management}
|
|
|
|
Customisable lifecycle management
|
|
|
|
\includegraphics[width=1.00\linewidth]{decaying-tool.png}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Drilling down into our data}
|
|
|
|
\begin{itemize}
|
|
|
|
\item Different use-cases require different tools.
|
|
|
|
\item {\bf Interactive interaction} with the data
|
|
|
|
\begin{itemize}
|
|
|
|
\item "Event" tabular view
|
|
|
|
\item "Event" graph view
|
|
|
|
\item Correlation graphs
|
|
|
|
\item Various search interfaces
|
|
|
|
\end{itemize}
|
|
|
|
\item {\bf Trends and overviews}
|
|
|
|
\begin {itemize}
|
|
|
|
\item Dashboarding
|
|
|
|
\item ATT\&CK and similar frameworks based heatmaps
|
|
|
|
\item Alert e-mails and periodic reporting
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Drilling down into our data}
|
|
|
|
\begin{center}
|
|
|
|
\includegraphics[width=1.05\linewidth]{dashboard-new.png}
|
|
|
|
\end{center}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Drilling down into our data}
|
|
|
|
\begin{itemize}
|
|
|
|
\item APIs
|
|
|
|
\begin{itemize}
|
|
|
|
\item Long list of {\bf filters}
|
|
|
|
\item {\bf Complex queries}
|
|
|
|
\item Infusing queries with other tools ({\bf warninglists, decaying})
|
|
|
|
\item Interactive {\bf UI query builder and tester}
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Data model management}
|
|
|
|
\begin{itemize}
|
|
|
|
\item Three tier approach to information
|
|
|
|
\item All three tiers are tightly integrated with one another
|
|
|
|
\begin{itemize}
|
|
|
|
\item {\bf Data} (Attributes, Objects, Relationships)
|
|
|
|
\item {\bf Knowledge} ("Galaxies", Labels)
|
|
|
|
\item {\bf Analyst reports} (Markdown reports)
|
|
|
|
\end{itemize}
|
|
|
|
\item Different communities have wildly different requirements - extension mechanisms
|
|
|
|
\begin{itemize}
|
|
|
|
\item {\bf Object templates}
|
|
|
|
\item Custom {\bf Galaxies}
|
|
|
|
\item {\bf Taxonomies}
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Data model management}
|
|
|
|
\includegraphics[width=0.90\linewidth]{sigint.png}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Customising MISP}
|
|
|
|
\begin{itemize}
|
|
|
|
\item Highly configurable per community need
|
|
|
|
\begin{itemize}
|
|
|
|
\item Hundreds of {\bf configuration options} to manage MISP behaviours
|
2023-09-30 11:07:13 +02:00
|
|
|
\item Hooking and modifying {\bf core funtionalities via Workflows}
|
2023-08-30 07:58:26 +02:00
|
|
|
\item Custom modules via companion system ({\bf MISP-modules})
|
|
|
|
\item {\bf Modular} parts of the {\bf codebase} (e-mail templates, dashboard elements, import/export functions)
|
|
|
|
\item If all of that is not enough - extensive {\bf Python library} support for DIY fans :)
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Customising MISP}
|
|
|
|
\includegraphics[width=1.00\linewidth]{blueprint.png}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\section{Wrapping it all up}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Community driven effort}
|
|
|
|
\begin{itemize}
|
|
|
|
\item This concludes a {\bf brief glimpse into what MISP is} and some of the key issues to tackle
|
|
|
|
\item MISP is evolving based on {\bf community efforts and needs}
|
|
|
|
\item The outcome is a highly {\bf versatile and customisable} system
|
|
|
|
\item We all have different ideas of what we'd like to be able to do in our TISP
|
|
|
|
\item {\bf Prioritisation is hard} plus there are only so many hours in a day...
|
|
|
|
\item ...{\bf Get involved}, let us know how we can make it better or at least usable for your use-case!
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|
|
|
|
|
|
|
|
\begin{frame}
|
|
|
|
\frametitle{Get in touch if you have any questions}
|
|
|
|
\begin{itemize}
|
|
|
|
\item Contact me:
|
|
|
|
\begin{itemize}
|
|
|
|
\item andras.iklody@circl.lu \url{https://twitter.com/iglocska} \url{https://infosec.exchange/@iglocska}
|
|
|
|
\end{itemize}
|
|
|
|
\item Contact us:
|
|
|
|
\begin{itemize}
|
|
|
|
\item info@circl.lu \url{https://twitter.com/circl_lu} \url{https://www.circl.lu/}
|
|
|
|
\item \url{https://github.com/MISP} \url{https://www.misp-project.org/}
|
|
|
|
\item \url{https://twitter.com/MISPProject} \url{https://misp-community.org/@misp}
|
|
|
|
\end{itemize}
|
|
|
|
\end{itemize}
|
|
|
|
\end{frame}
|
|
|
|
|