diff --git a/b.1-best-practices-in-threat-intelligence/content.tex b/b.1-best-practices-in-threat-intelligence/content.tex index fdc23f7..6c8ad04 100755 --- a/b.1-best-practices-in-threat-intelligence/content.tex +++ b/b.1-best-practices-in-threat-intelligence/content.tex @@ -8,21 +8,26 @@ \begin{frame} \frametitle{Objectives} \begin{itemize} - \item Learning how to use MISP to support common OSINT gathering use-cases as often used by SOC, CSIRTs and CERTs - \item By using a list of practical exercise\footnote{\url{https://gist.github.com/adulau/8c1de48060e259799d3397b83b0eec4f}} - \item The exercises are {\bf practical recent cases to model and structure intelligence} using the MISP standard - \item Improving the data models available in MISP by exchanging live improvements and ideas - \item Being able to share the results to the community at the end of this session + \item Learn how to use MISP to support common OSINT gathering use-cases often used by SOC, CSIRTs and CERTs + \begin{itemize} + \item Use practical exercise examples\footnote{\url{https://gist.github.com/adulau/8c1de48060e259799d3397b83b0eec4f}} + \item The exercises are based on {\bf practical recent cases to model and structure intelligence} using the MISP standard + \end{itemize} + \item Improve the data models available in MISP by exchanging live improvements and ideas + \item Be able to share the results to the community at the end of this session \end{itemize} \end{frame} \begin{frame} \frametitle{(Threat) Intelligence} \begin{itemize} - \item {\bf Cyber threat intelligence (CTI) is a vast concept} which includes different fields such as intelligence as defined in the military community or in the financial sector or the intelligence community - \item {\bf MISP project doesn't want to lock an organisation or an user into a specific model}. Each model is useful depending of the objectives from an organisation - \item A set of pre-defined knowledge base or data-models are available and organisation can select (or create) what they need - \item During this session, an overview of the most used taxonomies, galaxies and objects will be described + \item {\bf Cyber threat intelligence (CTI) is a vast concept} which includes different concepts, methods, and workflows + \begin{itemize} + \item Intelligence is defined differently in the military than in the financial sector than in the intelligence community + \end{itemize} + \item {\bf MISP project doesn't want to lock an organisation or a user into a specific model}. Each model is useful depending on the objectives of an organisation + \item A set of pre-defined knowledge base or data-models are available and organisations can select (or create) what they need + \item During this session, an overview of the most used taxonomies, galaxies, and objects will be described \end{itemize} \end{frame} @@ -35,37 +40,37 @@ \frametitle{Meta information and contextualisation 1/2} \begin{itemize} \item Quality of indicators/attributes are important but {\bf tagging and classification are also critical to ensure actionable information} - \item Tagging intelligence is done by using tags in MISP which are often originating from MISP taxonomy libraries - \item The scope can be classification ({\it tlp, PAP}), type ({\it osint, type, veris}), state ({\it workflow}), collaboration ({\it collaborative-intelligence}) and many other fields - \item MISP taxonomies documentation is available\footnote{\url{https://www.misp-project.org/taxonomies.html}} - \item {\bf Review existing practices of tagging in your sharing community, reuse practices and improve context} + \item Organizing intelligence is done in MISP by using tags, which often originate from MISP taxonomy libraries + \item The scope can be classification ({\it tlp, PAP}), type ({\it osint, type, veris}), state ({\it workflow}), collaboration ({\it collaborative-intelligence}), or many other fields + \item MISP taxonomy documentation is readily available\footnote{\url{https://www.misp-project.org/taxonomies.html}} + \item {\bf Review existing practices of tagging in your sharing community, reuse practices, and improve context} \end{itemize} \end{frame} \begin{frame} \frametitle{Meta information and contextualisation 2/2} \begin{itemize} - \item {\bf When information cannot be expressed in triple tags format} ({\it namespace:predicate=value}), MISP provides the galaxies - \item Galaxies contain a huge set of common libraries\footnote{\url{https://www.misp-project.org/galaxy.html}} such as threat actors, malicious tools, RAT, Ransomware, target information and many more - \item When tagging or adding a galaxy cluster, don't forget that tagging at event level is for the whole event (including attributes and objects). While tagging at attribute level, it's often a more specific context + \item {\bf When information cannot be expressed in triple tags format} ({\it namespace:predicate=value}), MISP use Galaxies + \item {\bf Galaxies} contain a huge set of common libraries\footnote{\url{https://www.misp-project.org/galaxy.html}} such as threat actors, malicious tools, tactics, target information, mitigations, and more + \item When tagging or adding a Galaxy cluster, tagging at the event level is for the whole event (including attributes and objects). Tagging at the attribute level is for a more specific context \end{itemize} \end{frame} \begin{frame} \frametitle{Estimative Probability} \begin{itemize} - \item {\bf Words of Estimative Probability}\footnote{\url{https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html}} proposes clear wording while estimating probability of occurence from an event. - \item A MISP taxonomy called {\bf estimative-language}\footnote{\url{https://www.misp-project.org/taxonomies.html}} proposes an applied model to tag information. + \item {\bf Words of Estimative Probability}\footnote{\url{https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html}} propose clear wording while estimating probability of occurence from an event + \item A MISP taxonomy called {\bf estimative-language}\footnote{\url{https://www.misp-project.org/taxonomies.html}} proposes an applied model to tag information in accordance with the concepts of Estimative Probability \end{itemize} \end{frame} \begin{frame} - \frametitle{Reliability, credibility and confidence} + \frametitle{Reliability, credibility, and confidence} \begin{itemize} - \item The {\bf Admiralty Scale}\footnote{\url{https://www.ijlter.org/index.php/ijlter/article/download/494/234}, {\it US Army Field Manual 2-22.3, 2006}} (also called the NATO System) is used to rank the reliability of a source and the credibility of an information - \item A MISP taxonomy called admiralty-scale\footnote{\url{https://www.misp-project.org/taxonomies.html}} - \item In {\bf JP 2-0, Joint Intelligence}\footnote{\url{http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2\_0.pdf} page 114} (page 114) includes an appendix to express confidence in analytic judgments - \item A MISP predicate in estimative-language called confidence-in-analytic-judgment\footnote{\url{https://www.misp-project.org/taxonomies.html}} + \item The {\bf Admiralty Scale}\footnote{\url{https://www.ijlter.org/index.php/ijlter/article/download/494/234}, {\it US Army Field Manual 2-22.3, 2006}} (also called the {\bf NATO System}) is used to rank the reliability of a source and the credibility of information + \item A MISP taxonomy called admiralty-scale\footnote{\url{https://www.misp-project.org/taxonomies.html}} is available + \item US DoD {\bf JP 2-0, Joint Intelligence}\footnote{\url{http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2\_0.pdf}, page 114} includes an appendix to express confidence in analytic judgments + \item A MISP predicate in estimative-language called confidence-in-analytic-judgment\footnote{\url{https://www.misp-project.org/taxonomies.html}} is available \end{itemize} \end{frame} @@ -75,17 +80,17 @@ \begin{itemize} \item If the information is a {\bf single atomic element}, using a single attribute is preferred \begin{itemize} - \item Choosing an attribute type is critical as this defines the automation/export rule (e.g. url versus link or ip-src/ip-dst?) - \item Enabling the IDS (automation) flag is also important. When you are in doubt, don't set the IDS flag + \item Choosing an attribute type is critical as this defines the automation/export rule (e.g. {\it url} versus {\it link} or ip-src/ip-dst?) + \item Enabling the IDS (automation) flag is also important, but {\it when you are in doubt}, don't set the IDS flag \end{itemize} - \item If the information is {\bf composite} (ip/port, filename/hash, bank account/BIC), using a object is strongly recommended + \item If the information is {\bf composite} (ip/port, filename/hash, bank account/BIC), using an object is strongly recommended \end{itemize} \end{frame} \begin{frame} \frametitle{How to select the right object?} - There are more than 150 MISP objects\footnote{\url{https://www.misp-project.org/objects.html}} templates.\\ + There are more than 150 MISP object\footnote{\url{https://www.misp-project.org/objects.html}} templates.\\ As an example, at CIRCL, we regularly use the following object templates {\it file}, {\it microblog}, {\it domain-ip}, {\it ip-port}, {\it coin-address}, {\it virustotal-report}, {\it paste}, {\it person}, {\it ail-leak}, {\it pe}, {\it pe-section}, {\it registry-key}.\\ \end{frame} @@ -93,12 +98,12 @@ \frametitle{microblog object} \begin{columns}[totalwidth=\textwidth] \column{0.49\textwidth}\underline{Use case}\\ -A serie of OSINT tweets from a security researcher. -To structure the thread, the information -and keep an history.\\ +A series of OSINT tweets from a security researcher. +To structure the thread, the information, +and keep a history.\\ \includegraphics[scale=0.15]{emotet.png} \column{0.49\textwidth}\underline{Object to use}\\ - The microblog object can be used for Tweet or any microblog post (e.g. Facebook). Then object can be linked using {\it followed-by} to describe a serie of post.\\ + The microblog object can be used for Tweets or any microblog post (e.g. Facebook). The object can be linked using {\it followed-by} to describe a series of post.\\ \includegraphics[scale=0.15]{microblog.png} \end{columns} \end{frame} @@ -109,9 +114,9 @@ and keep an history.\\ \begin{columns}[totalwidth=\textwidth] \column{0.49\textwidth}\underline{Use case}\\ \begin{itemize} - \item A file sample was received by email or extracted from VirusTotal. - \item A list of file hashes were included in a report. - \item A hash value was mentioned in a blog post. + \item A file sample was received by email or extracted from VirusTotal + \item A list of file hashes were included in a report + \item A hash value was mentioned in a blog post \end{itemize} \column{0.49\textwidth}\underline{Object to use}\\ The file object can be used to describe file. It's usual to have partial meta information such as a single hash and a filename.\\ @@ -122,10 +127,10 @@ and keep an history.\\ \begin{frame} \frametitle{References} \begin{itemize} - \item Graphical overview of OSINT collection using MISP \url{https://github.com/adulau/misp-osint-collection} - \item MISP objects documentation \url{https://www.misp-project.org/objects.html} - \item MISP taxonomies documentation \url{https://www.misp-project.org/taxonomies.html} - \item MISP galaxy documentation \url{https://www.misp-project.org/galaxy.html} + \item Graphical overview of OSINT collection using MISP \url{{\ithttps://github.com/adulau/misp-osint-collection}} + \item MISP objects documentation \url{{\ithttps://www.misp-project.org/objects.html}} + \item MISP taxonomies documentation \url{{\ithttps://www.misp-project.org/taxonomies.html}} + \item MISP galaxy documentation \url{{\ithttps://www.misp-project.org/galaxy.html}} \end{itemize} \end{frame}