2020-12-16 11:52:49 +01:00
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin { frame} [t,plain]
\titlepage
\end { frame}
\begin { frame}
\frametitle { Content of the presentation}
\begin { itemize}
\item Data sharing in MISP
\item Data models for the Data layer
\item Data models for the Context layer
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Layers of data model}
\begin { itemize}
\item Data layer
\begin { itemize}
\item The raw data itself as well as element to link them together
\item Indicators, Observables and means to contextually link them
\item MISP terminology: Event, Attributes, misp-objects, ...
\end { itemize}
\vspace { 1em}
\item Context layer
\begin { itemize}
\item As important as the data layer, allow triage, false-positive management, risk-assessment and prioritisation
\item Latches on the data layer, usually referencing threat intelligence, concepts, knowledge base and vocabularies
\item Tags, Taxonomies, Galaxies, ...
\end { itemize}
\end { itemize}
\end { frame}
\section { Data sharing in MISP}
\begin { frame}
\frametitle { Sharing in MISP: Distribution}
MISP offers granulars distribution settings:
\begin { itemize}
\item \texttt { Organisation only}
\item \texttt { This community}
\item \texttt { Connected communities}
\item \texttt { All communities}
\item Distribution lists - aka \texttt { \bf Sharing groups}
\end { itemize}
\begin { center}
\includegraphics [scale=0.2] { screenshots/sg-example.png}
\end { center}
At multiple levels: { \bf Events} , { \bf Attributes} , { \bf Objects} (and their { \bf Attributes} ) and { \bf Galaxy-clusters}
\end { frame}
\begin { frame}
\frametitle { Sharing in MISP: Distribution}
\begin { center}
\includegraphics [width=1.0\linewidth] { screenshots/misp-distribution.png}
\end { center}
\end { frame}
\section { Data layer}
\begin { frame}
\frametitle { Data layer: Naming conventions}
\begin { itemize}
\item Data layer
\begin { itemize}
\item { \bf Events} are encapsulations for contextually linked information
\item { \bf Attributes} are individual data points, which can be indicators or supporting data.
\item { \bf Objects} are custom templated Attribute compositions
2020-12-16 12:15:38 +01:00
\item { \bf Object references} are the relationships between individual building blocks
2020-12-16 11:52:49 +01:00
\item { \bf Shadow Attributes} /{ \bf Proposal} are suggestions made by users to modify an existing { \it attribute}
2020-12-16 12:15:38 +01:00
\item { \bf Sightings} are a means to convey that a data point has been seen
\item { \bf Event reports} are supporting materials for analysts to describe { \it events} , { \it processes} , etc
2020-12-16 11:52:49 +01:00
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame} [fragile]
\frametitle { Data layer: Events}
{ \bf Events} are encapsulations for contextually linked information
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Group datapoints and context together. Acting as an envelop, it allows setting distribution and sharing rules for itself and its children.
\item [] \textbf { Usecase} : Encode incidents / events / reports / ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\begin { center}
2022-02-10 16:27:31 +01:00
\includegraphics [width=0.7\linewidth] { screenshots/ui-event.png}
2020-12-16 11:52:49 +01:00
\end { center}
\end { frame}
2021-02-02 11:39:43 +01:00
\begin { frame}
\frametitle { Data layer: Event building blocks - Base}
\begin { center}
\includegraphics [scale=0.33] { screenshots/event-building-blocks/event.png}
\end { center}
\end { frame}
2020-12-16 11:52:49 +01:00
\begin { frame} [fragile]
\frametitle { Data layer: Events}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"date": "2019-02-20",
"info": "IoT malware - Gafgyt.Gen28 (active)",
"uuid": "5c6d21e5-bb60-47b7-b892-42e6950d2111",
"analysis": "2",
"timestamp": "1602315388",
"distribution": "3",
"sharing_ group_ id": "0",
"threat_ level_ id": "3",
"extends_ uuid": "",
"Attribute": [...],
"Object": [...],
"EventReport": [...],
"Tag": [...],
"Galaxy": [...]
}
\end { lstlisting}
\end { frame}
\begin { frame} [fragile]
\frametitle { Data layer: Attributes}
{ \bf Attributes} are individual data points, indicators or supporting data
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Individual data point. Can be an indicator or supporting data.
\item [] \textbf { Usecase} : Domain, IP, link, sha1, attachment, ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\begin { center}
\includegraphics [width=1.0\linewidth] { screenshots/enrichment4.png}
\end { center}
\end { frame}
2021-02-02 11:39:43 +01:00
\begin { frame}
\frametitle { Data layer: Event building blocks - Raw data}
\begin { center}
\includegraphics [scale=0.33] { screenshots/event-building-blocks/event-attribute.png}
\end { center}
\end { frame}
2020-12-16 11:52:49 +01:00
\begin { frame} [fragile]
\frametitle { Data layer: Attributes}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"type": "url",
"category": "Network activity",
"to_ ids": true,
"uuid": "5c6d24bd-d094-4dd6-a1b6-4fa3950d2111",
"event_ id": "178",
"distribution": "5",
"sharing_ group_ id": "0",
"timestamp": "1550656701",
"comment": "Delivery point for the malware",
"object_ id": "0",
"object_ relation": null,
"first_ seen": null,
"last_ seen": null,
"value": "ftp://185.135.80.163/",
"Tag": [...]
"Galaxy": [...]
}
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Data layer: MISP Objects}
{ \bf Objects} are custom templated Attribute compositions
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Groups Attributes that are intrinsically linked together
\item [] \textbf { Usecase} : File, person, credit-card, x509, device, ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\begin { center}
\includegraphics [width=1.0\linewidth] { object.png}
\end { center}
\end { frame}
2021-02-02 11:39:43 +01:00
\begin { frame}
\frametitle { Data layer: Event building blocks - Data composition}
\begin { center}
\includegraphics [scale=0.33] { screenshots/event-building-blocks/event-attribute-object.png}
\end { center}
\end { frame}
2020-12-16 11:52:49 +01:00
\begin { frame} [fragile]
\frametitle { Data layer: MISP Objects}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"name": "elf-section",
"meta-category": "file",
"description": "Object describing a sect...",
"template_ uuid": "ca271f32-1234-4e87-b240-6b6e882de5de",
"template_ version": "4",
"uuid": "ab5f0c85-5623-424c-bc03-d79841700d74",
"timestamp": "1550655984",
"distribution": "5",
"sharing_ group_ id": "0",
"comment": "",
"first_ seen": null,
"last_ seen": null,
"ObjectReference": [],
"Attribute": [...]
}
\end { lstlisting}
\end { frame}
\begin { frame} [fragile]
\frametitle { Data layer: Object references}
2020-12-16 12:15:38 +01:00
{ \bf Object references} are the relationships between individual building blocks
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Allows to create relationships between entities, thus creating a graph where they are the edges and entities are the nodes.
\item [] \textbf { Usecase} : Represent behaviours, similarities, affiliation, ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\begin { center}
2022-02-10 16:27:31 +01:00
\includegraphics [width=0.9\linewidth] { screenshots/eventgraph.png}
2020-12-16 11:52:49 +01:00
\end { center}
\end { frame}
\begin { frame} [fragile]
\frametitle { Data layer: Object references}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"uuid": "5c6d21f9-0384-4bd2-b256-40de950d2111",
"timestamp": "1602318569",
"object_ id": "1024",
"source_ uuid": "23275e05-c202-460e-aadf-819c417fb326",
"referenced_ uuid": "ab5f0c85-5623-424c-bc03-d79841700d74",
"referenced_ type": "1",
"relationship_ type": "included-in",
"comment": "Section 0 of ELF"
}
\end { lstlisting}
\end { frame}
2021-02-02 11:39:43 +01:00
\begin { frame}
\frametitle { Data layer: Event building blocks - Context}
\begin { center}
\includegraphics [scale=0.33] { screenshots/event-building-blocks/event-attribute-object-context.png}
\end { center}
\end { frame}
2020-12-16 11:52:49 +01:00
\begin { frame} [fragile]
\frametitle { Data layer: Sightings}
2020-12-16 12:15:38 +01:00
{ \bf Sightings} are a means to convey that a data point has been seen
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Allows to add temporality to the data.
\item [] \textbf { Usecase} : Record activity or occurence, perform IoC expiration, ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\begin { center}
2022-02-10 16:27:31 +01:00
\includegraphics [width=0.7\linewidth] { screenshots/sighting-n.png}
2020-12-16 11:52:49 +01:00
\end { center}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"org_ id": "1",
"date_ sighting": "1573722432",
"uuid": "5dcd1940-5de8-4462-93dd-12a2a5e38e14",
"source": "",
"type": "0",
"attribute_ uuid": "5da97b59-9650-4be2-9443-2194a5e38e14"
}
\end { lstlisting}
\end { frame}
\begin { frame} [fragile]
\frametitle { Data layer: Event reports}
{ \bf Event reports} are supporting data for analysis to describe { \bf events} , { \bf processes} , ect
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Supporting data point to describe events or processes
\item [] \textbf { Usecase} : Encode reports, provide more information about the Event, ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\begin { center}
2022-02-10 16:27:31 +01:00
\includegraphics [width=0.7\linewidth] { screenshots/event-report.png}
2020-12-16 11:52:49 +01:00
\end { center}
\end { frame}
2021-02-02 11:39:43 +01:00
\begin { frame}
\frametitle { Data layer: Event building blocks - Collaboration \& intelligence}
\begin { center}
\includegraphics [scale=0.33] { screenshots/event-building-blocks/event-attribute-object-proposal.png}
\end { center}
\end { frame}
2020-12-16 11:52:49 +01:00
\begin { frame} [fragile]
\frametitle { Data layer: Event reports}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"uuid": "076e240b-5a76-4a8b-9eab-cfff551993dd",
"event_ id": "2127",
"name": "Event report (1607362986)",
"content": "...",
"distribution": "5",
"sharing_ group_ id": "0",
"timestamp": "1607362986"
}
\end { lstlisting}
\end { frame}
2021-02-02 11:39:43 +01:00
\begin { frame}
\frametitle { Data layer: Event building blocks - Full}
\begin { center}
\includegraphics [scale=0.30] { screenshots/event-building-blocks/full.png}
\end { center}
\end { frame}
2020-12-16 11:52:49 +01:00
\section { Context layer}
\begin { frame}
\frametitle { Context layer: Naming conventions}
\begin { itemize}
\item Context layer
\begin { itemize}
\item { \bf Tags} are free-text labels attached to events/attributes and can come from { \bf Taxonomies}
\begin { itemize}
\item \texttt { Android Malware} , \texttt { C2} , ...
\end { itemize}
\item { \bf Taxonomies} are a set of common classification allowing to express the same vocabulary among a distributed set of users and organisations
\begin { itemize}
\item \texttt { tlp:green} , \texttt { false-positive:risk="high"} , \texttt { admiralty-scale:information-credibility="2"}
\end { itemize}
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Context layer: Naming conventions}
\begin { itemize}
\item Context layer
\begin { itemize}
\item { \bf Galaxies} are container copmosed of { \bf Galaxy-clusters} that belongs to the same family
\begin { itemize}
\item Similar to what { \bf Events} are to { \bf Attributes}
\item \texttt { Country} , \texttt { Threat actors} , \texttt { Botnet} , ...
\end { itemize}
\item { \bf Galaxy-clusters} are knowledge base items coming from { \bf Galaxies} .
\begin { itemize}
\item Basically a taxonomy with additional meta-information
\item \texttt { misp-galaxy:threat-actor="APT 29"} , \texttt { misp-galaxy:country="luxembourg"}
\end { itemize}
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame} [fragile]
\frametitle { Context layer: Tags}
Simple free-text labels
\begin { center}
\includegraphics [scale=0.45] { screenshots/creativity.png}
\end { center}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"name": "Android malware",
"colour": "#22681c",
"exportable": true,
"numerical_ value": null,
}
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Context layer: Taxonomies}
Simple label standardised on common set of vocabularies
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Enable efficent classification globally understood, easing consumption and automation.
\item [] \textbf { Usecase} : Provide classification such as: TLP, Confidence, Source, Workflows, Event type, ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\vspace { 1em}
\begin { center}
\includegraphics [width=1.0\linewidth] { taxonomy-workflow.png}
\end { center}
\end { frame}
\begin { frame} [fragile]
\frametitle { Context layer: Taxonomies}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"Taxonomy": {
"namespace": "admiralty-scale",
"description": "The Admiralty Scale or Ranking (also called the NATO System)...",
"version": "6",
"exclusive": false,
} ,
"entries": [
{
"tag": "admiralty-scale:information-credibility=\" 1\" ",
"expanded": "Information Credibility: Confirmed by other sources",
"numerical_ value": 100,
"exclusive_ predicate": true,
} ,
...
]
}
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Context layer: Galaxies}
Collections of { \bf galaxy clusters}
\begin { center}
\includegraphics [width=1.0\linewidth] { screenshots/galaxy.png}
\end { center}
\end { frame}
\begin { frame}
\frametitle { Context layer: Galaxy clusters}
2020-12-16 12:15:38 +01:00
Kownledge base items including a description, links, synonyms, meta-information and relationships
2022-02-10 16:27:31 +01:00
\begin { itemize}
\item [] \textbf { Purpose} : Enable description of complex high-level information for classification
\item [] \textbf { Usecase} : Extensively describe elements such as threat actors, countries, technique used, ...
\end { itemize}
2020-12-16 11:52:49 +01:00
\begin { center}
2022-02-10 16:27:31 +01:00
\includegraphics [width=0.65\linewidth] { screenshots/cluster-view.png}
2020-12-16 11:52:49 +01:00
\end { center}
\end { frame}
\begin { frame}
\frametitle { Context layer: Galaxy clusters}
{ \bf Galaxy cluster elements} : Tabular view
\begin { center}
\includegraphics [width=1.0\linewidth] { screenshots/cluster-elements-tab.png}
\end { center}
\vspace { 1em}
{ \bf Galaxy cluster elements} : JSON view
\begin { center}
\includegraphics [width=1.0\linewidth] { screenshots/cluster-elements-json.png}
\end { center}
\end { frame}
\begin { frame} [fragile]
\frametitle { Context layer: Galaxy clusters}
\begin { lstlisting} [language=javascript,firstnumber=1]
{
"uuid": "5eda0a53-1d98-4d01-ae06-40da0a00020f",
"type": "fellowship-characters",
"value": "Aragorn wielding Anduril",
"tag_ name": "misp-galaxy:fellowship-characters=\" c3fe907a-6a36-4cd1-9456-dcdf35c3f907\" ",
"description": "The Aragorn character wielding Anduril",
"source": "Middle-earth universe by J. R. R. Tolkien",
"authors": null,
"version": "1591347795",
"distribution": "0",
"sharing_ group_ id": null,
"default": false,
"extends_ uuid": "5eda0117-1e14-4b0a-9e26-34aff331dc3b",
"extends_ version": "1591345431",
"GalaxyElement": [...],
"GalaxyClusterRelation": [...]
}
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Context layer: Galaxies \& Galaxy clusters}
\begin { itemize}
\item MISP integrates MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\& CK) and similar { \bf Galaxy Matrix}
\item MISP terminology of these matrixes: { \bf Galaxy Matrix}
\end { itemize}
\includegraphics [scale=0.2] { screenshots/attack-screenshot.png}
\end { frame}
\begin { frame} [fragile]
\frametitle { Galaxy JSON matrix-like}
\begin { adjustbox} { keepaspectratio}
%\lstset{emph={kill_chain_order},emphstyle=\textbf}
\begin { lstlisting} [language=javascript,firstnumber=1,escapechar=@]
{
"description": "Universal Development and Security Guidelines as Applicable to Election Technology.",
"icon": "map",
@\textbf { \color { red} "kill\_ chain\_ order": \{ } @ @\textbf { \color { black} \textbackslash \textbackslash Tab in the matrix} @
@\textbf { \color { red} "example-of-threats": [} @ @\textbf { \color { black} \textbackslash \textbackslash Column in the matrix} @
@\textbf { \color { red} "setup | party/candidate-registration",} @
@\textbf { \color { red} "setup | electoral-rolls",} @
@\textbf { \color { red} "campaign | campaign-IT",} @
@\textbf { \color { red} "all-phases | governement-IT",} @
@\textbf { \color { red} "voting | election-technology",} @
@\textbf { \color { red} "campaign/public-communication | media/press"} @
@\textbf { \color { red} ]} @
@\textbf { \color { red} \} ,} @
"name": "Election guidelines",
"namespace": "misp",
"type": "guidelines",
"uuid": "c1dc03b2-89b3-42a5-9d41-782ef726435a",
"version": 1
}
\end { lstlisting}
\end { adjustbox}
\end { frame}
\begin { frame} [fragile]
\frametitle { Cluster JSON matrix-like}
\begin { adjustbox} { keepaspectratio}
\begin { lstlisting} [language=javascript,firstnumber=1,escapechar=@]
{
"description": "DoS or overload of party/campaign registration, causing them to miss the deadline",
"meta": {
"date": "March 2018.",
@\textbf { \color { red} "kill\_ chain": [} @ @\textbf { \color { black} \textbackslash \textbackslash Define in which column the cluster should be placed} @
@\textbf { \color { red} "example-of-threats:setup | party/candidate-registration"} @
@\textbf { \color { red} ],} @
"refs": [
"https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_ security_ of_ election_ technology.pdf"
]
} ,
"uuid": "154c6186-a007-4460-a029-ea23163448fe",
"value": "DoS or overload of party/campaign registration, causing them to miss the deadline"
}
\end { lstlisting}
\end { adjustbox}
\end { frame}
\begin { frame} [fragile]
\frametitle { Expressing relation between clusters}
\begin { itemize}
\item Cluster can be related to one or more clusters using default relationships from MISP objects and a list of tags to classify the relation.
\end { itemize}
\begin { lstlisting} [language=javascript,firstnumber=1]
"related": [
{
"dest-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"tags": [
"estimative-language:likelihood-probability=\" likely\" "
],
"type": "similar"
}
],
"uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
"value": "Putter Panda"
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Acknowledgements}
\begin { itemize}
\item Supported by the grant \texttt { 2018-LU-IA-0148}
\end { itemize}
\begin { center}
\includegraphics [scale=0.7] { en_ cef.png}
\end { center}
\end { frame}
