% DO NOT COMPILE THIS FILE DIRECTLY! % This is included by the other .tex files. \begin{frame} \titlepage \end{frame} \begin{frame} \frametitle{MISP and CIRCL} \begin{center} \includegraphics[scale=0.45]{pics/circl.png} \hspace{2.5em} \includegraphics[scale=0.35]{pics/misp.pdf} \end{center} \begin{itemize} \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}. \item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing} \item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}. \end{itemize} \end{frame} \begin{frame} \frametitle{The aim of this presentation} \begin{itemize} \item Brief introduction to MISP \item Why is {\bf contextualisation} important? \item What options do we have in MISP? \item How can we {\bf leverage} this in the end? \end{itemize} \end{frame} \begin{frame} \frametitle{What is MISP?} \begin{itemize} \item MISP is a {\bf threat information sharing} platform that is free \& open source software \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds \item Normalises, {\bf correlates}, {\bf enriches} the data \item Allows teams and communities to {\bf collaborate} \item {\bf Feeds} automated protective tools and analyst tools with the output \end{itemize} \end{frame} \begin{frame} \frametitle{MISP Features Highlights} \begin{itemize} \item Functionalities to assist users in {\bf creating, collaborating and sharing} \begin{itemize} \item A wide range of imports \item Rest API \item Automatic correlation \item Proposals \item Granular distribution levels and sharing groups \item Advanced synchronisation mechanisms \end{itemize} \item A host of export formats \begin{itemize} \item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort} \item {\bf SIEMs}: \texttt{CEF, STIX} \item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara} \item {\bf Analysis tools}: \texttt{Maltego} \item {\bf DNS policies}: \texttt{RPZ} \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{Sharing Difficulties} \begin{itemize} \item Not really a technical issue, but often it's a matter of {\bf social interactions} (e.g. {\bf trust}). \item Legal restriction\footnote{\url{https://www.misp-project.org/compliance/}} \begin{itemize} \item \textit{Our legal framework doesn't allow us to share information} \item \textit{Risk of information-leak is too high and it's too risky for our organization or partners.} \end{itemize} \item Practical restriction \begin{itemize} \item \textit{We don't have information to share.} \item \textit{We don't have time to process or contribute indicators.} \item \textit{Our model of classification doesn't fit your model.} \item \textit{Tools for sharing information are tied to a specific format, we use a different one.} \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{The growing need to contextualise data} \begin{itemize} \item Contextualisation became more and more important as communities matured \begin{itemize} \item Support {\bf Diversification} of communities \item {\bf Distinguish} between information of interest and raw data \item {\bf False-positive} management, data {\bf quality} and {\bf relevance} \end{itemize} \item Classification practices need to be shared among the communities to support efficient collaboration \end{itemize} \end{frame} \section{contextualising data points} \begin{frame} \frametitle{Base level of contextualisation} {\centering Differentiation between {\bf indicators} and {\bf supporting data}} \begin{itemize} \item An IP address by itself is barely ever interesting \item Relevance of the data must be explicit \item Bare minimum context required \end{itemize} \end{frame} \begin{frame} \frametitle{More contextualisation} \begin{itemize} \item {\bf Who} can receive our data? {\bf What} can they do with it? \item {\bf Data accuracy, source reliability} \item {\bf Why} is this data relevant to us? \end{itemize} \vspace{1em} But we can go further, \pause \begin{itemize} \item {\bf Who} is behind it? What are their {\bf Motivations}? Who are the {\bf targets} \item {\bf What tools} were used? What {\bf impacts} are we dealing with? \item How can we {\bf block/detect/remediate} the attack? \end{itemize} \end{frame} \begin{frame} \frametitle{Tagging and taxonomies} \begin{itemize} \item Simple labels \item {\bf Standardising} on vocabularies \item Different community cultures require different nomenclatures \item Libraries that can easily be extended \end{itemize} \vspace{1em} \includegraphics[width=1.0\linewidth]{pics/taxonomy-workflow.png} \end{frame} \begin{frame} \frametitle{Tagging and taxonomies - The missing part} \begin{itemize} \item Taxonomy tags are often {\bf self-explanatory} \begin{itemize} \item \texttt{tlp:green} \item \texttt{workflow:state="complete"} \item \texttt{priority-level:high} \end{itemize} \end{itemize} \vspace{1em} \begin{itemize} \item For more complex classification this is ill-suited \begin{itemize} \item \texttt{APT 28} \item \texttt{Locky} \item \texttt{Mirai} \item \texttt{Mitre's Att\&ck patterns} and co \end{itemize} \item Support of synonyms, metadata, preventive measures, ... \end{itemize} \begin{center} $\rightarrow$ Something more complex is needed \end{center} \end{frame} \begin{frame} \frametitle{Enriched tags - MISP Galaxies} \begin{itemize} \item Community driven \textbf{knowledge-base libraries} \item Including {\it descriptions}, {\it links}, {\it synonyms} and other {\it meta} information \item Can be used as {\bf pivot} when performing searches \end{itemize} \begin{center} \includegraphics[scale=0.34]{pics/galaxy} \end{center} \end{frame} \begin{frame} \frametitle{MISP Galaxies benefits} \begin{itemize} \item Standardising on high-level {\bf TTPs} solved a variety of issues \item Tools producing {\bf ATT\&CK} data and {\bf kill-chain} phases in general \item Integrates into our {\bf filtering} and {\bf situational awareness} needs extremely well \item Gave rise to other, ATT\&CK-like systems tackling other concerns \end{itemize} \end{frame} \begin{frame} \frametitle{More complex data-structures for a modern age} \begin{itemize} \item Atomic data points are often useful, but can be lacking in many aspects \item {\bf MISP Objects}\footnote{\url{https://github.com/MISP/misp-objects}} system \begin{itemize} \item Simple: {\bf templating} approach to build more complex structures \item Flexible: allows users to {\bf define their own} \item {\bf Relational}: interlink data-points to tell a story \item Examples: \texttt{Domain-IP}, \texttt{File}, \texttt{VT-Report}, \texttt{Person} \end{itemize} \end{itemize} \begin{center} \includegraphics[scale=0.25]{pics/domain-ip} \end{center} \end{frame} \begin{frame} \frametitle{Graphs are worth a thousands words} \begin{itemize} \item Relationships allow to easily describe process or event \begin{itemize} \item \texttt{Word file} drops an \texttt{Hancitor} malware, that will download a \texttt{Zeus-Panda} Banker that will later connect to \texttt{IP} \end{itemize} \end{itemize} \vspace{1em} \includegraphics[width=1.0\linewidth]{pics/eventgraph} \end{frame} \begin{frame} \frametitle{False Positive Handling} \begin{itemize} \item Low quality data and false positives lead to {\bf alert fatigue} \item False positives are often obvious, thus can be encoded \begin{itemize} \item {\bf Warninglists} of well-known indicators which are obvious false positives \item RFC1918 networks, empty hashes, ... \end{itemize} \end{itemize} \vspace{1em} \begin{center} \includegraphics[width=0.49\linewidth]{pics/warning-list.png} \includegraphics[width=0.49\linewidth]{pics/warning-list-event.png} \end{center} \end{frame} \begin{frame} \frametitle{Continuous feedback loop} \begin{itemize} \item {\bf Vital component} for IoC lifecycle management \item Involves the output of detection tools to prioritise IoCs \item {\bf Sighting system} \begin{itemize} \item Community can sight indicators and convey the time of sighting or detection \item Can be used as a {\bf continuous reporting} stream between detection tools and MISP \end{itemize} \end{itemize} \begin{center} \begin{tikzpicture}[shorten >=2pt,node distance=13em,semithick, auto] \node[state] (MISP) {\includegraphics[scale=0.12]{pics/misp.pdf}}; \node[state] (IDS) [right=of MISP] {Tool}; \path[->] (MISP) edge [bend left=20] node {Push relevant IoCS} (IDS) (IDS) edge [bend left=20] node {Report Sightings} (MISP); \end{tikzpicture} \end{center} \end{frame} \begin{frame} \frametitle{Adding temporality} \begin{itemize} \item {\bf First seen} and {\bf Last seen} on data points \item Enables {\bf visualisation} and improves IoC lifecycle \end{itemize} \begin{center} \includegraphics[width=1.0\linewidth]{pics/timeline-misp-overview.png} \end{center} \end{frame} \section{Leveraging classifications} \begin{frame} \frametitle{Making use of all this context} \begin{itemize} \item Providing advanced ways of querying data \begin{itemize} \item Unified {\bf export APIs} \begin{itemize} \item \texttt{Suricata}, \texttt{Snort}, \texttt{STIX}, \texttt{Yara}, \texttt{Maltego}, ... \end{itemize} \item Incorporating all contextualisation options into {\bf API filters} \item {\bf On-demand} filters for {\bf excluding} potential false positives and expired data \item Rich set of modules to add {\bf expansions}, {\bf imports} and {\bf exports} \end{itemize} \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{Example query} \begin{lstlisting} /attributes/restSearch { "returnFormat": "netfilter", "enforceWarninglist": true, "excludeDecayed": true, "tags": { "NOT": [ "tlp:white", "type:OSINT" ], "OR": [ "misp-galaxy:threat-actor=\"Sofacy\"", "misp-galaxy:sector=\"Chemical\"", ] }, "galaxy.cfr-suspected-victims": ["China", "Japan"], }\end{lstlisting} \end{frame} \begin{frame}[fragile] \frametitle{Example query to generate ATT\&CK heatmaps} \texttt{/events/restSearch} \begin{lstlisting} { "returnFormat": "attack", "tags": [ "misp-galaxy:sector=\"Chemical\"" ], "timestamp": "365d" } \end{lstlisting} \end{frame} \begin{frame} \frametitle{A sample result for the above query} \begin{center} \includegraphics[scale=0.2]{pics/attack-screenshot.png} \end{center} \end{frame} \begin{frame} \frametitle{Indicator lifecycle management} \begin{itemize} \item Built-in tool to {\bf filter out} IoCs marked as {\bf expired} by default and user-defined models \item Overwhelmingly relies on proper classifications \end{itemize} \hspace{-1.5em} \includegraphics[width=1.1\linewidth]{pics/decaying-simulation} \end{frame} \begin{frame} \frametitle{To sum it all up...} \begin{itemize} \item Massive rise in {\bf user capabilities} \item Growing need for truly {\bf actionable threat intel} \item Lessons learned: \begin{itemize} \item {\bf Context is king} - Enables better decision making \item {\bf Intelligence and situational awareness} are natural by-products of context \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{Get in touch if you have any questions} \begin{itemize} \item Contact us \begin{itemize} \item \url{https://twitter.com/mokaddem_sami} \item \url{https://twitter.com/iglocska} \end{itemize} \item Contact CIRCL \begin{itemize} \item info@circl.lu \item \url{https://twitter.com/circl_lu} \item \url{https://www.circl.lu/} \end{itemize} \item Contact MISPProject \begin{itemize} \item \url{https://github.com/MISP} \item \url{https://gitter.im/MISP/MISP} \item \url{https://twitter.com/MISPProject} \end{itemize} \end{itemize} \end{frame}