diff --git a/x.8-first-cti-virtual/Sightings2.PNG b/x.8-first-cti-virtual/Sightings2.PNG new file mode 100644 index 0000000..cd35990 Binary files /dev/null and b/x.8-first-cti-virtual/Sightings2.PNG differ diff --git a/x.8-first-cti-virtual/attack-screenshot.png b/x.8-first-cti-virtual/attack-screenshot.png new file mode 100644 index 0000000..44cf2ff Binary files /dev/null and b/x.8-first-cti-virtual/attack-screenshot.png differ diff --git a/x.8-first-cti-virtual/b.4-turning-data-into-actionable-intelligence-short.pdf b/x.8-first-cti-virtual/b.4-turning-data-into-actionable-intelligence-short.pdf new file mode 100644 index 0000000..2bdf2e6 Binary files /dev/null and b/x.8-first-cti-virtual/b.4-turning-data-into-actionable-intelligence-short.pdf differ diff --git a/x.8-first-cti-virtual/bankaccount.png b/x.8-first-cti-virtual/bankaccount.png new file mode 100644 index 0000000..94eb5cc Binary files /dev/null and b/x.8-first-cti-virtual/bankaccount.png differ diff --git a/x.8-first-cti-virtual/bankview.png b/x.8-first-cti-virtual/bankview.png new file mode 100644 index 0000000..ce629c1 Binary files /dev/null and b/x.8-first-cti-virtual/bankview.png differ diff --git a/x.8-first-cti-virtual/circl.png b/x.8-first-cti-virtual/circl.png new file mode 100644 index 0000000..c570ff2 Binary files /dev/null and b/x.8-first-cti-virtual/circl.png differ diff --git a/x.8-first-cti-virtual/content.tex b/x.8-first-cti-virtual/content.tex new file mode 100644 index 0000000..5fd898d --- /dev/null +++ b/x.8-first-cti-virtual/content.tex 
@@ -0,0 +1,420 @@ +% DO NOT COMPILE THIS FILE DIRECTLY! +% This is included by the other .tex files. + +\begin{frame} +\titlepage +\end{frame} + +\begin{frame} + \frametitle{MISP and CIRCL} + \begin{itemize} + \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector. + \item We lead the development of the Open Source MISP TISP which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally. + \item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}. + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{The aim of this presentation} + \begin{itemize} + \item What is MISP? + \item Our initial scope + \item Why is {\bf contextualisation} important? + \item What options do we have in MISP? + \item How can we {\bf leverage} this in the end? + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{What is MISP?} +\begin{itemize} + \item Open source "TISP" - A TIP with a strong focus on sharing + \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds + \item Normalises, correlates, enriches the data + \item Allows teams and communities to {\bf collaborate} + \item {\bf Feeds} automated protective tools and analyst tools with the output + \item A set of tools to manage sharing communities and interconnected MISP servers +\end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Development based on practical user feedback} + \begin{itemize} + \item There are many different types of users of an information sharing platform like MISP: + \begin{itemize} + \item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues. + \item {\bf Security analysts} searching, validating and using indicators in operational security. + \item {\bf Intelligence analysts} gathering information about specific adversary groups. 
+ \item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases. + \item {\bf Risk analysis teams} willing to know about the new threats, likelyhood and occurences. + \item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds. + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{The initial scope of MISP} + \begin{itemize} + \item {\bf Extract information} during the analysis process + \item Store and {\bf correlate} these datapoints + \item {\bf Share} the data with partners + \item Focus on technical indicators: IP, domain, hostname, hashes, filename, pattern in file/memory/traffic + \item Generate protective signatures out of the data: snort, suricata, OpenIOC + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{The growing need to contextualise data} +\begin{itemize} + \item Contextualisation became more and more important as we as a community matured + \begin{itemize} + \item {\bf Growth and diversification} of our communities + \item Distinguish between information of interest and raw data + \item {\bf False-positive} management + \item TTPs and aggregate information may be prevalent compared to raw data (risk assessment) + \item {\bf Increased data volumes} leads to a need to be able to prioritise + \end{itemize} + \item These help with filtering your TI based on your {\bf requirements}... 
+ \item ...as highlighted by Pasquale Stirparo \textit{Your Requirements Are Not My Requirements} +\end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Different layers of context} +\begin{itemize} + \item Context added by analysts / tools + \item Data that tells a story + \item Encoding analyst knowledge to automatically leverage the above +\end{itemize} +\end{frame} + +\section{Context added by analysts / tools} + +\begin{frame} +\frametitle{Expressing why data-points matter} +\begin{itemize} + \item An {\bf IP address by itself is barely ever interesting} + \item We need to tell the recipient / machine why this is relevant + \item All data in MISP has a {\bf bare minimum required context} + \item We differentiate between {\bf indicators and supporting data} +\end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Broadening the scope of what sort of context we are interested in} +\begin{itemize} + \item {\bf Who} can receive our data? {\bf What} can they do with it? + \item {\bf Data accuracy, source reliability} + \item {\bf Why} is this data relevant to us? + \item {\bf Who} do we think is behind it, {\bf what tools} were used? + \item What sort of {\bf motivations} are we dealing with? Who are the {\bf targets}? + \item How can we {\bf block/detect/remediate} the attack? + \item What sort of {\bf impact} are we dealing with? 
+\end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Tagging and taxonomies} +\begin{itemize} + \item Simple labels + \item Standardising on vocabularies + \item Different organisational/community cultures require different nomenclatures + \item Triple tag system - taxonomies + \item JSON libraries that can easily be defined without our intervention +\end{itemize} +\includegraphics[width=1.0\linewidth]{taxonomy-workflow.png} +\end{frame} + +\begin{frame} +\frametitle{Galaxies} + \begin{itemize} + \item Taxonomy tags often {\bf non self-explanatory} + \begin{itemize} + \item Example: universal understanding of tlp:green vs APT 28 + \end{itemize} + \item For the latter, a single string was ill-suited + \item So we needed something new in addition to taxonomies - \textbf{Galaxies} + \begin{itemize} + \item Community driven \textbf{knowledge-base libraries used as tags} + \item Including descriptions, links, synonyms, meta information, etc. + \item Goal was to keep it \textbf{simple and make it reusable} + \item Internally it works the exact same way as taxonomies (stick to \textbf{JSON}) + \end{itemize} + \end{itemize} + \begin{center} + \hspace{10em} + \includegraphics[scale=0.30]{galaxy-ransomware.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{The emergence of ATT\&CK and similar galaxies} + \begin{itemize} + \item Standardising on high-level {\bf TTPs} was a solution to a long list of issues + \item Adoption was rapid, tools producing ATT\&CK data, familiar interface for users + \item A much better take on kill-chain phases in general + \item Feeds into our {\bf filtering} and {\bf situational awareness} needs extremely well + \item Gave rise to other, ATT\&CK-like systems tackling other concerns + \begin{itemize} + \item {\bf attck4fraud} \footnote{\url{https://www.misp-project.org/galaxy.html\#_attck4fraud}} by Francesco Bigarella from ING + \item {\bf Election guidelines} 
\footnote{\url{https://www.misp-project.org/galaxy.html\#_election_guidelines}} by NIS Cooperation Group + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{False positive handling} +\begin{itemize} + \item Low quality / false positive prone information being shared + \item Lead to {\bf alert-fatigue} + \item Exclude organisation xy out of the community? + \item FPs are often obvious - {\bf can be encoded} + \item {\bf Warninglist system}\footnote{\url{https://github.com/MISP/misp-warninglists}} aims to do that + \item Lists of well-known indicators which are often false-positives like RFC1918 networks, ... +\end{itemize} +\begin{center} + \includegraphics[scale=0.22]{warning-list.png} + \includegraphics[scale=0.45]{warning-list-event.png} +\end{center} +\end{frame} + +\section{Data that tells a story} + +\begin{frame} + \frametitle{More complex data-structures for a modern age} + \begin{itemize} + \item Atomic attributes were a great starting point, but lacking in many aspects + \item {\bf MISP objects}\footnote{\url{https://github.com/MISP/misp-objects}} system + \begin{itemize} + \item Simple {\bf templating} approach + \item Use templating to build more complex structures + \item Decouple it from the core, allow users to {\bf define their own} structures + \item MISP should understand the data without knowing the templates + \item Massive caveat: {\bf Building blocks have to be MISP attribute types} + \item Allow {\bf relationships} to be built between objects + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Supporting specific datamodels} + \begin{center} + \includegraphics[scale=0.24]{bankaccount.png} + \end{center} + \begin{center} + \includegraphics[scale=0.18]{bankview.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Continuous feedback loop} + \begin{itemize} + \item Data shared was {\bf frozen in time} + \item All we had was a creation/modification timestamp + \item Improved tooling and 
willingness allowed us to create a {\bf feedback loop} + \item Lead to the introduction of the {\bf Sighting system} + \item Signal the fact of an indicator sighting... + \item ...as well as {\bf when} and {\bf where} it was sighted + \item Vital component for IoC {\bf lifecycle management} + \item External {\bf SightingDB} and standard - thanks to Sebastien Tricaud from Devo inc. + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Continuous feedback loop (2)} + \begin{center} + \includegraphics[scale=0.5]{sighting-n.png} + \end{center} + \begin{center} + \includegraphics[scale=0.60]{Sightings2.PNG} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Continuous feedback loop (3)} + \begin{itemize} + \item Monitor uptimes of infrastructure + \item Make decisions on whether to action on an IoC + \end{itemize} + \begin{center} + \includegraphics[scale=0.18]{timeline.jpeg} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{A brief history of time - Timelines} + \begin{itemize} + \item Not having the time based aspect was painful + \item {\bf \texttt{First\_seen}} and {\bf \texttt{last\_seen}} data points + \item Along with a complete integration with the {\bf UI} + \item Enables the {\bf visualisation} and {\bf adjustment} of indicators timeframes + \end{itemize} + \begin{center} + \includegraphics[width=1.0\linewidth]{timeline-misp-overview.png} + \end{center} +\end{frame} + +\section{The various ways of encoding analyst knowledge to automatically leverage our TI} + +\begin{frame} + \frametitle{Making use of all this context} + \begin{itemize} + \item Providing advanced ways of querying data + \begin{itemize} + \item Unified export APIs + \item Incorporating all contextualisation options into {\bf API filters} + \item Allowing for an {\bf on-demand} way of {\bf excluding potential false positives} + \item Allowing users to easily {\bf build their own} export modules feed their various tools + \end{itemize} + \end{itemize} +\end{frame} + 
+\begin{frame}[fragile] + \frametitle{Example query} + \texttt{/attributes/restSearch} + \begin{lstlisting} +{ + "returnFormat": "netfilter", + "enforceWarninglist": 1, + "tags": { + "NOT": [ + "tlp:white", + "type:OSINT" + ], + "OR": [ + "misp-galaxy:threat-actor=\"Sofacy\"", + "misp-galaxy:sector=\"Chemical\"" + ], + } +} + \end{lstlisting} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Example query to generate ATT\&CK heatmaps} + \texttt{/events/restSearch} + \begin{lstlisting} +{ + "returnFormat": "attack", + "tags": [ + "misp-galaxy:sector=\"Chemical\"" + ], + "timestamp": "365d" +} + \end{lstlisting} +\end{frame} + +\begin{frame} + \frametitle{A sample result for the above query} + \begin{center} + \includegraphics[scale=0.2]{attack-screenshot.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Decaying of indicators} + \begin{itemize} + \item We were still missing a way to use all of these systems in combination to decay indicators + \item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models} + \item Decay models would take into account various available {\bf context} + \begin{itemize} + \item Taxonomies + \item Sightings + \item type of each indicator + \item Creation date + \item ... 
+ \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: \texttt{Event/view}} + \includegraphics[width=1.00\linewidth]{decaying-event.png} + \begin{itemize} + \item \texttt{Decay score} toggle button + \begin{itemize} + \item Shows Score for each \textit{Models} associated to the \textit{Attribute} type + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: Fine tuning tool} + \includegraphics[width=1.00\linewidth]{decaying-tool.png} + Create, modify, visualise, perform mapping +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: simulation tool} + \includegraphics[width=1.00\linewidth]{decaying-simulation.png} + Simulate \textit{Attributes} with different \textit{Models} +\end{frame} + +\begin{frame} + \frametitle{Monitor trends outside of MISP (example: dashboard)} + \begin{center} + \includegraphics[scale=0.18]{dashboard-trendings.png} + \end{center} +\end{frame} + + +\section{A small detour - COVID-19 MISP} + +\begin{frame} + \frametitle{COVID-19 MISP} + \begin{itemize} + \item Using the new {\bf built in dashboarding} system of MISP + \item {\bf Customising MISP} for a specific use-case + \item We are focusing on two areas of sharing: + \begin{itemize} + \item {\bf Medical} information + \item {\bf Cyber threats} related to / abusing COVID-19 + \item COVID-19 related {\bf disinformation} + \end{itemize} + \item Low barrier of entry, aiming for wide spread + \item Already a {\bf massive community} + \item Register at \url{https://covid-19.iglocska.eu} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Dashboarding and situational awareness} + \includegraphics[width=1.00\linewidth]{covid.png} + Create, modify, visualise, perform mapping +\end{frame} + +\begin{frame} + \frametitle{To sum it all up...} + \begin{itemize} + \item Massive rise in {\bf user capabilities} + \item Growing need for truly {\bf actionable threat intel} + \item Lessons learned: + 
\begin{itemize} + \item {\bf Context is king} - Enables better decision making + \item {\bf Intelligence and situational awareness} are natural by-products of context + \item Don't lock users into your {\bf workflows}, build tools that enable theirs + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Get in touch if you have any questions} + \begin{itemize} + \item Contact CIRCL + \begin{itemize} + \item info@circl.lu + \item \url{https://twitter.com/circl_lu} + \item \url{https://www.circl.lu/} + \end{itemize} + \item Contact MISPProject + \begin{itemize} + \item \url{https://github.com/MISP} + \item \url{https://gitter.im/MISP/MISP} + \item \url{https://twitter.com/MISPProject} + \end{itemize} + \item Join the COVID-19 MISP community + \begin{itemize} + \item \url{https://covid-19.iglocska.eu} + \end{itemize} + \end{itemize} +\end{frame} diff --git a/x.8-first-cti-virtual/covid.png b/x.8-first-cti-virtual/covid.png new file mode 100644 index 0000000..e6e869f Binary files /dev/null and b/x.8-first-cti-virtual/covid.png differ diff --git a/x.8-first-cti-virtual/creativity.png b/x.8-first-cti-virtual/creativity.png new file mode 100644 index 0000000..d9878e2 Binary files /dev/null and b/x.8-first-cti-virtual/creativity.png differ diff --git a/x.8-first-cti-virtual/dashboard-trendings.png b/x.8-first-cti-virtual/dashboard-trendings.png new file mode 100644 index 0000000..e8937e4 Binary files /dev/null and b/x.8-first-cti-virtual/dashboard-trendings.png differ diff --git a/x.8-first-cti-virtual/decaying-basescore.png b/x.8-first-cti-virtual/decaying-basescore.png new file mode 100644 index 0000000..d21e261 Binary files /dev/null and b/x.8-first-cti-virtual/decaying-basescore.png differ diff --git a/x.8-first-cti-virtual/decaying-event.png b/x.8-first-cti-virtual/decaying-event.png new file mode 100644 index 0000000..553b9e7 Binary files /dev/null and b/x.8-first-cti-virtual/decaying-event.png differ 
diff --git a/x.8-first-cti-virtual/decaying-index.png b/x.8-first-cti-virtual/decaying-index.png new file mode 100644 index 0000000..c8c9754 Binary files /dev/null and b/x.8-first-cti-virtual/decaying-index.png differ diff --git a/x.8-first-cti-virtual/decaying-simulation.png b/x.8-first-cti-virtual/decaying-simulation.png new file mode 100644 index 0000000..8252a09 Binary files /dev/null and b/x.8-first-cti-virtual/decaying-simulation.png differ diff --git a/x.8-first-cti-virtual/decaying-tool.png b/x.8-first-cti-virtual/decaying-tool.png new file mode 100644 index 0000000..ff8c298 Binary files /dev/null and b/x.8-first-cti-virtual/decaying-tool.png differ diff --git a/x.8-first-cti-virtual/en_cef.png b/x.8-first-cti-virtual/en_cef.png new file mode 100644 index 0000000..5fed070 Binary files /dev/null and b/x.8-first-cti-virtual/en_cef.png differ diff --git a/x.8-first-cti-virtual/galaxy-ransomware.png b/x.8-first-cti-virtual/galaxy-ransomware.png new file mode 100644 index 0000000..5cf42cc Binary files /dev/null and b/x.8-first-cti-virtual/galaxy-ransomware.png differ diff --git a/x.8-first-cti-virtual/logo-circl.pdf b/x.8-first-cti-virtual/logo-circl.pdf new file mode 100755 index 0000000..62c9239 Binary files /dev/null and b/x.8-first-cti-virtual/logo-circl.pdf differ diff --git a/x.8-first-cti-virtual/makefile b/x.8-first-cti-virtual/makefile new file mode 100644 index 0000000..6e5a51d --- /dev/null +++ b/x.8-first-cti-virtual/makefile @@ -0,0 +1,5 @@ +all: + pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex + +clean: + rm *.aux *.nav *.log *.snm *.toc *.vrb diff --git a/x.8-first-cti-virtual/misp.pdf b/x.8-first-cti-virtual/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/x.8-first-cti-virtual/misp.pdf differ 
diff --git a/x.8-first-cti-virtual/misplogo.pdf b/x.8-first-cti-virtual/misplogo.pdf new file mode 100755 index 0000000..60da568 Binary files /dev/null and b/x.8-first-cti-virtual/misplogo.pdf differ diff --git a/x.8-first-cti-virtual/object.png b/x.8-first-cti-virtual/object.png new file mode 100644 index 0000000..acebf04 Binary files /dev/null and b/x.8-first-cti-virtual/object.png differ diff --git a/x.8-first-cti-virtual/sighting-n.png b/x.8-first-cti-virtual/sighting-n.png new file mode 100644 index 0000000..f9ec127 Binary files /dev/null and b/x.8-first-cti-virtual/sighting-n.png differ diff --git a/x.8-first-cti-virtual/slide.tex b/x.8-first-cti-virtual/slide.tex new file mode 100644 index 0000000..6be0cb9 --- /dev/null +++ b/x.8-first-cti-virtual/slide.tex @@ -0,0 +1,25 @@ +\documentclass{beamer} +\usetheme[numbering=progressbar]{focus} +\definecolor{main}{RGB}{47, 161, 219} +\definecolor{textcolor}{RGB}{128, 128, 128} +\definecolor{background}{RGB}{240, 247, 255} + +\usepackage[utf8]{inputenc} +\usepackage{tikz} +\usepackage{listings} +\usepackage{adjustbox} +\usetikzlibrary{positioning} +\usetikzlibrary{shapes,arrows} +%\usepackage[T1]{fontenc} +%\usepackage[scaled]{beramono} +\author{\small{\input{../includes/authors.txt}}} +\title{Turning data into actionable intelligence} +\subtitle{advanced features in MISP supporting your analysts and tools} +\institute{\includegraphics[scale=0.5]{misplogo.pdf}} +\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}} + +\date{\input{../includes/location.txt}} +\begin{document} +\include{content} +\end{document} + diff --git a/x.8-first-cti-virtual/taxonomy-workflow.png b/x.8-first-cti-virtual/taxonomy-workflow.png new file mode 100644 index 0000000..f4789ad Binary files /dev/null and b/x.8-first-cti-virtual/taxonomy-workflow.png differ 
diff --git a/x.8-first-cti-virtual/timeline-misp-overview.png b/x.8-first-cti-virtual/timeline-misp-overview.png new file mode 100644 index 0000000..23ff19b Binary files /dev/null and b/x.8-first-cti-virtual/timeline-misp-overview.png differ diff --git a/x.8-first-cti-virtual/timeline.jpeg b/x.8-first-cti-virtual/timeline.jpeg new file mode 100644 index 0000000..d60db13 Binary files /dev/null and b/x.8-first-cti-virtual/timeline.jpeg differ diff --git a/x.8-first-cti-virtual/warning-list-event.png b/x.8-first-cti-virtual/warning-list-event.png new file mode 100644 index 0000000..22c6423 Binary files /dev/null and b/x.8-first-cti-virtual/warning-list-event.png differ diff --git a/x.8-first-cti-virtual/warning-list.png b/x.8-first-cti-virtual/warning-list.png new file mode 100644 index 0000000..f151ded Binary files /dev/null and b/x.8-first-cti-virtual/warning-list.png differ diff --git a/x.8-first-cti-virtual/workflow_initial.png b/x.8-first-cti-virtual/workflow_initial.png new file mode 100644 index 0000000..7c6b54c Binary files /dev/null and b/x.8-first-cti-virtual/workflow_initial.png differ diff --git a/x.8-first-cti-virtual/workflow_initial2.png b/x.8-first-cti-virtual/workflow_initial2.png new file mode 100644 index 0000000..d384c34 Binary files /dev/null and b/x.8-first-cti-virtual/workflow_initial2.png differ diff --git a/x.8-first-cti-virtual/x-isac-logo.png b/x.8-first-cti-virtual/x-isac-logo.png new file mode 100755 index 0000000..21c68bc Binary files /dev/null and b/x.8-first-cti-virtual/x-isac-logo.png differ
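Review bot: in the content.tex hunk, the first `\begin{lstlisting}` block (slide "Example query", `/attributes/restSearch`) is not valid JSON: the `"OR": [ ... ],` array is followed directly by `}`, so the trailing comma inside the `"tags"` object will be rejected by a strict JSON parser and the query as shown cannot be pasted into a restSearch call. Drop the comma after `]`. In the same file, a few wording fixes would help the slides read cleanly: "likelyhood and occurences" should be "likelihood and occurrences"; "Lead to {\bf alert-fatigue}" and "Lead to the introduction of the {\bf Sighting system}" should be "Leads to" and "Led to"; the COVID-19 slide announces "two areas of sharing" but lists three items; and the "Dashboarding and situational awareness" frame repeats the caption "Create, modify, visualise, perform mapping" from the decaying fine-tuning slide, which does not describe the covid.png dashboard.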
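Review bot: in the makefile hunk, the `clean` target runs `rm *.aux *.nav *.log *.snm *.toc *.vrb` without `-f`, so it exits non-zero (and `make` reports a failure) whenever one of the globs has no match, which is the normal state after a fresh checkout; use `rm -f`. Also, `all` invokes `pdflatex` once, but the `focus` theme option `numbering=progressbar` used in slide.tex derives the total frame count from the .aux file, so a single pass produces a wrong progress bar on a clean build; run pdflatex twice (or use latexmk). Declaring `.PHONY: all clean` would also stop a stray file named `clean` from masking the target.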
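Review bot: in the slide.tex hunk, `\author{\small{\input{../includes/authors.txt}}}` misuses `\small`: it is a font switch, not a command taking an argument, so the braces after it do not limit its scope and the reduced size may leak into the rest of the title block; write `\author{{\small \input{../includes/authors.txt}}}` instead. The two commented-out lines (`%\usepackage[T1]{fontenc}` and `%\usepackage[scaled]{beramono}`) are dead configuration with no explanation; either remove them or add a comment saying why they are kept disabled. Both `\input{../includes/...}` references reach outside the `x.8-first-cti-virtual/` directory, which is fine for the repository layout but worth a one-line comment so that the file is not built in isolation.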