1 00:00:00,880 --> 00:00:04,719 and I'll pass over the mic all right 2 00:00:02,638 --> 00:00:07,278 thank you 3 00:00:04,719 --> 00:00:09,599 yeah great, good morning good afternoon 4 00:00:07,278 --> 00:00:12,719 and even good evening for some of you 5 00:00:09,599 --> 00:00:14,879 um so um i'm really glad and uh 6 00:00:12,718 --> 00:00:16,480 we are glad to present about MISP today 7 00:00:14,880 --> 00:00:18,719 and so it's a 8 00:00:16,480 --> 00:00:20,240 double series of workshops so we start 9 00:00:18,719 --> 00:00:20,799 with a workshop of the introduction and 10 00:00:20,239 --> 00:00:22,799 we go 11 00:00:20,800 --> 00:00:23,839 more deeper tomorrow in that second 12 00:00:22,800 --> 00:00:26,160 workshop 13 00:00:23,839 --> 00:00:27,359 um i'm alexander noah I do work for 14 00:00:26,160 --> 00:00:30,640 CIRCL and 15 00:00:27,359 --> 00:00:34,800 i work in the MISP {inaudible} 16 00:00:30,640 --> 00:00:37,520 so today uh the agenda is the following 17 00:00:34,799 --> 00:00:38,78 uh we will do a quick introduction to 18 00:00:37,520 --> 00:00:41,920 MISP 19 00:00:38,79 --> 00:00:43,679 a kind of of one-hour sessions with 20 00:00:41,920 --> 00:00:46,239 all the detail about MISP and then a 21 00:00:43,679 --> 00:00:49,359 more like kind of usage deep dive 22 00:00:46,238 --> 00:00:52,558 of one hour where we do hands-on together 23 00:00:49,359 --> 00:00:55,519 um for the logistic aspect um 24 00:00:52,558 --> 00:00:55,839 in the chat room we will share with you 25 00:00:55,520 --> 00:00:57,520 uh 26 00:00:55,840 --> 00:00:59,520 all the details how to access the MISP 27 00:00:57,520 --> 00:01:00,399 instance so during the sessions in the 28 00:00:59,520 --> 00:01:02,239 workshop 29 00:01:00,399 --> 00:01:03,840 you can connect to a dedicated MISP 30 00:01:02,238 --> 00:01:05,840 system that we set up for you 31 00:01:03,840 --> 00:01:07,680 and this one will be used for all the 32 00:01:05,840 --> 00:01:10,79 hands-on that we will 33 00:01:07,680 --> 00:01:12,240 we do as I just mentioned we have a 34 00:01:10,79 --> 00:01:14,158 small short break of 15 minutes 35 00:01:12,239 --> 00:01:15,679 and then we will continue in the end 36 00:01:14,159 --> 00:01:18,960 {inaudible} 37 00:01:15,680 --> 00:01:20,880 depending of how far we are today uh 38 00:01:18,959 --> 00:01:22,959 we will maybe talk about the community 39 00:01:20,879 --> 00:01:24,719 building aspect but this is a topic for 40 00:01:22,959 --> 00:01:26,239 tomorrow obviously 41 00:01:24,719 --> 00:01:28,640 but if we have some time remaining we 42 00:01:26,239 --> 00:01:29,280 might uh talk about this and then we 43 00:01:28,640 --> 00:01:31,920 have a 44 00:01:29,280 --> 00:01:33,280 q&a sessions uh to discuss about the 45 00:01:31,920 --> 00:01:35,359 different {inaudible} and so on 46 00:01:33,280 --> 00:01:37,439 so don't hesitate to to put your 47 00:01:35,359 --> 00:01:39,438 question to zoom 48 00:01:37,438 --> 00:01:42,319 uh directly and we will try to answer live 50 00:01:40,799 --> 00:01:45,600 all those questions that you are asking 51 00:01:42,319 --> 00:01:45,599 during uh during this session 52 00:01:46,319 --> 00:01:50,239 so first of all welcome all as well from 53 00:01:48,478 --> 00:01:53,519 me so i'm Andras Iklody i'm 54 00:01:50,239 --> 00:01:56,798 also working at CIRCL working on MISP 55 00:01:53,519 --> 00:01:57,280 um to just kick things off um I think 56 00:01:56,799 --> 00:01:58,719 it's a good 57 00:01:57,280 --> 00:02:00,79 good moment to start a little bit about 58 00:01:58,718 --> 00:02:02,78 the history of how this whole thing 59 00:02:00,78 --> 00:02:04,879 started how MISP came about 60 00:02:02,78 --> 00:02:06,839 so just a quick introduction of where we 61 00:02:04,879 --> 00:02:09,519 came from and where where we are 62 00:02:06,840 --> 00:02:10,399 nowadays uh initially this whole thing 63 00:02:09,520 --> 00:02:13,520 for us with MISP 64 00:02:10,399 --> 00:02:14,959 started as part of a of a series of 65 00:02:13,520 --> 00:02:17,360 incidents that we had in 66 00:02:14,959 --> 00:02:19,759 back in 2012 between national and 67 00:02:17,360 --> 00:02:22,480 military CSIRTS at the time 68 00:02:19,759 --> 00:02:24,799 where we were basically investigating umattacks 70 00:02:23,520 --> 00:02:27,120 that were hitting several of the 71 00:02:24,800 --> 00:02:28,319 institutions at the at the time 72 00:02:27,120 --> 00:02:30,400 and one of the interesting things that 73 00:02:28,318 --> 00:02:31,759 we found was that even though we had 74 00:02:30,400 --> 00:02:33,519 something called the malware analysis 75 00:02:31,759 --> 00:02:35,120 working group which was this which is a 76 00:02:33,519 --> 00:02:37,360 group that was regularly meeting and 77 00:02:35,120 --> 00:02:39,680 discussing ongoing incidents 78 00:02:37,360 --> 00:02:40,720 we still had a massive gap in between 79 00:02:39,680 --> 00:02:42,80 those meetings 80 00:02:40,719 --> 00:02:44,318 where everyone was working in their own 81 00:02:42,80 --> 00:02:45,920 silo on basically the same attack and 82 00:02:44,318 --> 00:02:47,759 and doing reverse engineering of the 83 00:02:45,919 --> 00:02:50,0 165.92 --> 170 same attacks without 84 00:02:47,759 --> 00:02:53,439 having the ways, the means or the processes 86 00:02:51,120 --> 00:02:55,39 to directly share with our peers so we 87 00:02:53,439 --> 00:02:55,919 ended up with a lot of duplication of 88 00:02:55,39 --> 00:02:57,759 work which ended 89 00:02:55,919 --> 00:02:59,199 which was obviously frustrating from uh 90 00:02:57,759 --> 00:03:01,439 for many of us 91 00:02:59,199 --> 00:03:03,598 so Christophe Vandeplas at the time he 92 00:03:01,439 --> 00:03:06,318 was working at the belgian 93 00:03:03,598 --> 00:03:08,399 ministry of defense um in his free time 94 00:03:06,318 --> 00:03:10,318 wrote a platform called {inaudible} 95 00:03:08,400 --> 00:03:11,519 that later on ended up becoming MISP so 96 00:03:10,318 --> 00:03:13,280 the initial idea was 97 00:03:11,519 --> 00:03:14,800 really for reverse engineers to share 98 00:03:13,280 --> 00:03:15,439 the output of their work directly with 99 00:03:14,800 --> 00:03:18,719 their peers 100 00:03:15,439 --> 00:03:22,158 in a hosted platform and since then 101 00:03:18,719 --> 00:03:24,158 obviously MISP has evolved and changed 102 00:03:22,158 --> 00:03:25,840 the scope of what we were nowadays doing 103 00:03:24,158 --> 00:03:26,798 with MISP and what sort of information 104 00:03:25,840 --> 00:03:28,640 we're sharing 105 00:03:26,799 --> 00:03:30,159 but it all started with this and since 106 00:03:28,639 --> 00:03:30,878 then it has been an ongoing effort 107 00:03:30,158 --> 00:03:33,199 basically by 108 00:03:30,878 --> 00:03:35,199 a large community of different 109 00:03:33,199 --> 00:03:37,359 requirements and different needs 110 00:03:35,199 --> 00:03:39,359 and that has been building both the 111 00:03:37,360 --> 00:03:42,159 ideas that go into MISP as well as the 112 00:03:39,360 --> 00:03:42,159 software itself 113 00:03:43,919 --> 00:03:47,839 next slide please 114 00:03:48,479 --> 00:03:51,919 yeah so what is the background and why 115 00:03:51,199 --> 00:03:53,839 we are doing 116 00:03:51,919 --> 00:03:56,79 MISP it uh I think like Andras 117 00:03:53,840 --> 00:03:56,640 mentioned it started from a with a kind 118 00:03:56,80 --> 00:03:59,40 of 119 00:03:56,639 --> 00:04:00,479 {inaudible} project for a small set of 120 00:03:59,39 --> 00:04:03,598 CIRCL 121 00:04:00,479 --> 00:04:04,959 CIRCL is nowadays 122 00:04:03,598 --> 00:04:07,359 the CERT for the private sector, the 123 00:04:04,959 --> 00:04:08,959 community {inaudible} in luxembourg 124 00:04:07,360 --> 00:04:11,200 and we basically deal with the 125 00:04:08,959 --> 00:04:12,158 development of MISP not only for our use 126 00:04:11,199 --> 00:04:15,359 case but for many 127 00:04:12,158 --> 00:04:18,319 different users so we are called as 128 00:04:15,360 --> 00:04:19,439 a CERT we basically operate the 129 00:04:18,319 --> 00:04:22,478 development and we operate 130 00:04:19,439 --> 00:04:22,478 {inaudible} communities 131 00:04:23,600 --> 00:04:26,960 so a little bit about our involvement 132 00:04:26,639 --> 00:04:28,478 and 133 00:04:26,959 --> 00:04:30,79 why we're doing this in the first place 134 00:04:28,478 --> 00:04:32,560 so we as CIRCL we're funded by the 135 00:04:30,79 --> 00:04:35,680 Ministry of Economy to basically build 136 00:04:32,560 --> 00:04:37,600 security for the private sector uh and a 137 00:04:35,680 --> 00:04:39,199 lot of what we do involves uh open 138 00:04:37,600 --> 00:04:39,840 source software development so we're 139 00:04:39,199 --> 00:04:42,160 basically 140 00:04:39,839 --> 00:04:44,79 the funding that we get for the uh for 141 00:04:42,160 --> 00:04:45,199 activities also cover our development 142 00:04:44,79 --> 00:04:47,918 focus 143 00:04:45,199 --> 00:04:49,360 we're also uh besides just building the 144 00:04:47,918 --> 00:04:50,159 tools like {inaudible} mentioned we're 145 00:04:49,360 --> 00:04:52,479 also 146 00:04:50,160 --> 00:04:53,919 basically involved in a lot of sharing 147 00:04:52,478 --> 00:04:55,839 activities as well as our day-to-day 148 00:04:53,918 --> 00:04:58,399 operations we're users of the 149 00:04:55,839 --> 00:05:00,478 tool primarily as well we basically host 150 00:04:58,399 --> 00:05:02,719 a bunch of different communities for the 151 00:05:00,478 --> 00:05:05,439 uh national C-Certs for the 152 00:05:02,720 --> 00:05:07,919 luxembourgish private sector community 153 00:05:05,439 --> 00:05:09,680 for law enforcement uh organizations 154 00:05:07,918 --> 00:05:10,959 financial institutions and so on and so 155 00:05:09,680 --> 00:05:14,319 forth 156 00:05:10,959 --> 00:05:16,239 so so we're kind of uh 157 00:05:14,319 --> 00:05:18,240 in the game on both sides so to say that 158 00:05:16,240 --> 00:05:21,120 both as a 159 00:05:18,240 --> 00:05:22,0 318.24 --> 322 producer and as a consumer, also and the 160 00:05:21,120 --> 00:05:24,79 project was 161 00:05:22,0 --> 00:05:25,759 322 --> 325.759 co-financed by the European Union 162 00:05:24,79 --> 00:05:29,120 under the CEF project 163 00:05:25,759 --> 00:05:30,400 uh so this is also one of the sources of 164 00:05:29,120 --> 00:05:33,120 the income that we got basically to 165 00:05:30,399 --> 00:05:34,560 build the tool and as a FIRST member you 166 00:05:33,120 --> 00:05:36,79 have access to a MISP instance that is 167 00:05:34,560 --> 00:05:38,478 operated and 168 00:05:36,79 --> 00:05:40,0 336.08 --> 340 co-maintained by FIRST and CIRCL that 169 00:05:38,478 --> 00:05:41,680 you can get access to 170 00:05:40,0 --> 00:05:43,519 340 --> 343.52 so you just need to to use your 171 00:05:41,680 --> 00:05:45,680 traditional credential or 172 00:05:43,519 --> 00:05:47,359 access at first and you get access to 173 00:05:45,680 --> 00:05:49,600 this instance with information 174 00:05:47,360 --> 00:05:51,439 that you can use and so on we will talk 175 00:05:49,600 --> 00:05:54,160 about that later on 176 00:05:51,439 --> 00:05:55,600 so the main question and I think it's 177 00:05:54,160 --> 00:05:58,80 coming from this story uh 178 00:05:55,600 --> 00:05:59,600 as Andras mentioned from the early days 179 00:05:58,79 --> 00:06:01,758 MISP was 180 00:05:59,600 --> 00:06:03,840 focusing from a very specific aspect 181 00:06:01,759 --> 00:06:07,120 which was malware reversing and so on 182 00:06:03,839 --> 00:06:08,799 nowadays it's a threat intelligence sharing platforms we 183 00:06:07,120 --> 00:06:11,38 are basically sharing any kind of 184 00:06:08,800 --> 00:06:13,38 intelligence through uh through MISP 185 00:06:11,38 --> 00:06:14,478 um because we had an evolution of the 186 00:06:13,38 --> 00:06:16,399 time for the different things so 187 00:06:14,478 --> 00:06:18,879 and our main goals and that's very 188 00:06:16,399 --> 00:06:21,439 important for us it's an open source 189 00:06:18,879 --> 00:06:23,120 software so that means MISP will always 190 00:06:21,439 --> 00:06:23,519 remain an open source project we even 191 00:06:23,120 --> 00:06:26,0 383.12 --> 386 take 192 00:06:23,519 --> 00:06:26,879 some decisions within the project to 193 00:06:26,0 --> 00:06:29,120 386 --> 389.12 keep it as 194 00:06:26,879 --> 00:06:30,639 open source and that's that's really a 195 00:06:29,120 --> 00:06:32,720 key for us so it's really uh 196 00:06:30,639 --> 00:06:34,800 something that you can download yourself 197 00:06:32,720 --> 00:06:37,39 run on your infrastructure and so on 198 00:06:34,800 --> 00:06:38,240 you can really have the full control on 199 00:06:37,38 --> 00:06:40,639 the software stack 200 00:06:38,240 --> 00:06:42,0 398.24 --> 402 when you are using MISP and one of the 201 00:06:40,639 --> 00:06:43,38 goals of the software itself is to 202 00:06:42,0 --> 00:06:46,240 402 --> 406.24 collect information 203 00:06:43,38 --> 00:06:48,159 from other partners, from in the {inaudible} 204 00:06:46,240 --> 00:06:49,280 from automatic tools from different 205 00:06:48,160 --> 00:06:50,800 fields and so on 206 00:06:49,279 --> 00:06:53,198 that was really one of the initial goal 207 00:06:50,800 --> 00:06:55,680 of MISP is like being able to collect 208 00:06:53,199 --> 00:06:57,360 to get all this information into 209 00:06:55,680 --> 00:06:59,38 one place 210 00:06:57,360 --> 00:07:00,560 and then afterwards what you can do with 211 00:06:59,38 --> 00:07:02,719 it is to normalize 212 00:07:00,560 --> 00:07:03,839 correlate this information, extend the 213 00:07:02,720 --> 00:07:06,560 information and enrich 214 00:07:03,839 --> 00:07:08,879 information with more information and then 216 00:07:07,199 --> 00:07:10,800 really benefit from the sharing aspect 217 00:07:08,879 --> 00:07:13,120 of MISP and you can allow 218 00:07:10,800 --> 00:07:13,840 teams and community to collaborate 219 00:07:13,120 --> 00:07:16,478 and we have 220 00:07:13,839 --> 00:07:18,318 seen MISP for example use not only 221 00:07:16,478 --> 00:07:20,159 within different organizations but even 222 00:07:18,319 --> 00:07:21,759 within a single organization you can, for 223 00:07:20,160 --> 00:07:24,240 example run multiple MISP 224 00:07:21,759 --> 00:07:25,120 to collaborate directly on different 225 00:07:24,240 --> 00:07:28,79 investigations 226 00:07:25,120 --> 00:07:29,519 incidents and cases and obviously when 227 00:07:28,79 --> 00:07:31,279 you have all this information and all 228 00:07:29,519 --> 00:07:33,758 these analytic platform into MISP 229 00:07:31,279 --> 00:07:34,638 you are ready to use this information to 230 00:07:33,759 --> 00:07:36,960 for example 231 00:07:34,639 --> 00:07:39,840 feed your automatic protective tools 232 00:07:36,959 --> 00:07:42,0 456.96 --> 462 like intrusion detection systems, 233 00:07:39,839 --> 00:07:43,279 firewalls whatever and to feed 234 00:07:42,0 --> 00:07:45,598 462 --> 465.599 automatically those 235 00:07:43,279 --> 00:07:46,799 information to basically make protective 236 00:07:45,598 --> 00:07:50,319 measures 237 00:07:46,800 --> 00:07:50,319 in your environment 238 00:07:51,199 --> 00:07:55,840 so, start from the starting point that we 239 00:07:54,478 --> 00:07:57,680 already mentioned basically how we 240 00:07:55,839 --> 00:08:00,638 started out with MISP 241 00:07:57,680 --> 00:08:02,800 let's have a quick look at how uh the 242 00:08:00,639 --> 00:08:04,400 user base of MISP evolved in terms of 243 00:08:02,800 --> 00:08:06,0 482.8 --> 486 the different types of stakeholders 244 00:08:04,399 --> 00:08:08,560 within our own organizations and other organizations 246 00:08:07,120 --> 00:08:10,319 the reason for that is obviously that 247 00:08:08,560 --> 00:08:12,560 this drives the development process as well 249 00:08:10,800 --> 00:08:14,400 so the way MISP grows over time really 250 00:08:12,560 --> 00:08:14,800 depends on the type of users that are using 252 00:08:16,478 --> 00:08:18,319 the type of users that are requesting new 253 00:08:16,478 --> 00:08:20,159 features or that are providing pull 254 00:08:18,319 --> 00:08:22,639 requests on the project and providing code 256 00:08:20,720 --> 00:08:23,759 for the project so I said before 257 00:08:22,639 --> 00:08:26,160 initially 258 00:08:23,759 --> 00:08:27,759 the scope of MISP was very limited it 259 00:08:26,160 --> 00:08:29,360 was basically just the output of malware 260 00:08:27,759 --> 00:08:31,199 reversers which meant 261 00:08:29,360 --> 00:08:32,479 raw indicators that we were extracting 262 00:08:31,199 --> 00:08:34,560 during the process and that we're 263 00:08:32,479 --> 00:08:36,639 sharing directly 264 00:08:34,559 --> 00:08:38,79 with our partners, this meant very little 265 00:08:36,639 --> 00:08:39,519 analysis was done on each of these 266 00:08:38,80 --> 00:08:41,599 individual indicators there was very 267 00:08:39,519 --> 00:08:43,440 little information in terms of 268 00:08:41,599 --> 00:08:45,200 of why those data points are relevant in 269 00:08:43,440 --> 00:08:47,360 the long term how they are meant to be used 271 00:08:45,759 --> 00:08:49,519 from detection perspective they were 272 00:08:47,360 --> 00:08:52,480 really just the raw output 273 00:08:49,519 --> 00:08:54,0 529.519 --> 534 from the analysis process or the 274 00:08:52,480 --> 00:08:56,80 reversing process 275 00:08:54,0 --> 00:08:57,519 534 --> 537.519 now one of the side effects of this when 276 00:08:56,80 --> 00:08:59,440 you start building a collection within 277 00:08:57,519 --> 00:09:01,360 your organization of this information 278 00:08:59,440 --> 00:09:02,880 the security analysts are feeding your 279 00:09:01,360 --> 00:09:04,320 various protective tools become 280 00:09:02,879 --> 00:09:05,838 interested in that data set 281 00:09:04,320 --> 00:09:08,0 544.32 --> 548 because obviously whatever is targeting 282 00:09:05,839 --> 00:09:10,160 your organization or your direct peers 283 00:09:08,0 --> 00:09:11,360 548 --> 551.36 are probably the most relevant piece of 284 00:09:10,159 --> 00:09:13,39 information that you can use for 285 00:09:11,360 --> 00:09:16,159 detection 286 00:09:13,39 --> 00:09:19,39 so one of the first steps that we opened 288 00:09:16,958 --> 00:09:20,479 up to was basically involving our own 289 00:09:19,39 --> 00:09:23,278 security analyst with our 290 00:09:20,480 --> 00:09:24,320 own organizations so they can hook 291 00:09:23,278 --> 00:09:27,360 the output of 292 00:09:24,320 --> 00:09:30,80 of the reverse engineering team 293 00:09:27,360 --> 00:09:31,360 up to their SIEMs to their IDSs to 294 00:09:30,80 --> 00:09:33,360 their firewalls 295 00:09:31,360 --> 00:09:35,440 and to feed this data directly into 296 00:09:33,360 --> 00:09:36,720 their protective measures 297 00:09:35,440 --> 00:09:38,720 now one of the interesting things when 298 00:09:36,720 --> 00:09:40,800 you start doing that though is that you 299 00:09:38,720 --> 00:09:42,560 generate a new type of output which is 300 00:09:40,799 --> 00:09:44,559 timeliness for the data, freshness for 301 00:09:42,559 --> 00:09:45,838 the data as well as feedback on how 302 00:09:44,559 --> 00:09:47,838 useful the data was 303 00:09:45,839 --> 00:09:50,240 so we're very often when you're 304 00:09:47,839 --> 00:09:53,40 extracting information 305 00:09:50,240 --> 00:09:55,360 by sandboxing for example a lot of the 306 00:09:53,39 --> 00:09:57,679 data generated will be noise in the end 307 00:09:55,360 --> 00:09:59,759 and this noise will generate false 308 00:09:57,679 --> 00:10:02,159 positive alerts for example 309 00:09:59,759 --> 00:10:04,319 in your detection tools. Now feeding this 310 00:10:02,159 --> 00:10:06,559 information back 311 00:10:04,320 --> 00:10:10,559 to data gave it a whole new type of value 313 00:10:07,519 --> 00:10:12,159 we had freshness so if an older 314 00:10:10,559 --> 00:10:14,159 indicator was reused 315 00:10:12,159 --> 00:10:15,439 over time we saw that that is still 316 00:10:14,159 --> 00:10:18,160 something that is actively to be monitored 318 00:10:16,559 --> 00:10:19,838 and if we saw that something turned out 319 00:10:18,159 --> 00:10:21,199 to be a cleaned up host 320 00:10:19,839 --> 00:10:23,440 in the meanwhile or something was a 321 00:10:21,200 --> 00:10:25,200 false positive from the get-go 322 00:10:23,440 --> 00:10:28,399 we could feed that information back as well 324 00:10:27,399 --> 00:10:31,759 so suddenly once you have timeliness as 325 00:10:28,399 --> 00:10:33,759 well as the the raw data itself 326 00:10:31,759 --> 00:10:35,278 you get the intelligence analyst 327 00:10:33,759 --> 00:10:36,399 interested that are tracking the 328 00:10:35,278 --> 00:10:42,0 movements and the changes of how attackers operate 330 00:10:39,519 --> 00:10:42,639 uh over time so that means that usually 332 00:10:45,360 --> 00:10:47,199 back then especially in 2012 in most of our 333 00:10:45,360 --> 00:10:48,560 organizations the people that are doing 334 00:10:47,200 --> 00:10:50,560 intelligence and the people that were 335 00:10:48,559 --> 00:10:52,239 doing operations and security for the 336 00:10:50,559 --> 00:10:55,680 operations were usually working in their own silos 338 00:10:53,440 --> 00:10:57,40 so while there was obviously interaction 339 00:10:55,679 --> 00:10:58,958 between the teams, it was not as 340 00:10:57,39 --> 00:11:01,919 ingrained to work together 341 00:10:58,958 --> 00:11:03,599 between those type of roles but this 342 00:11:01,919 --> 00:11:04,0 661.92 --> 664 changed over time and one of the changes 344 00:11:04,0 --> 00:11:08,78 664 --> 668.079 that we saw happened was that the output 345 00:11:06,240 --> 00:11:10,240 of what the security analysts 346 00:11:08,78 --> 00:11:12,159 and the reversers and the analysts were 347 00:11:10,240 --> 00:11:14,480 outputting basically from the operation side 349 00:11:12,879 --> 00:11:16,399 became more and more interesting for the 350 00:11:14,480 --> 00:11:17,839 intelligence analysts that meant that 351 00:11:16,399 --> 00:11:19,919 if they were tracking a certain threat 352 00:11:17,839 --> 00:11:21,600 actor and they could attribute certain 353 00:11:19,919 --> 00:11:23,439 actions that they were seen in the 354 00:11:21,600 --> 00:11:25,519 network of the organization 355 00:11:23,440 --> 00:11:26,959 to the certain threat actor they could 356 00:11:25,519 --> 00:11:29,278 monitor for example how 357 00:11:26,958 --> 00:11:30,879 the given actor was changing how fast 358 00:11:29,278 --> 00:11:32,78 they were changing infrastructure 359 00:11:30,879 --> 00:11:34,0 690.88 --> 694 whether they were switching up their 360 00:11:32,78 --> 00:11:36,78 methodology and this 361 00:11:34,0 --> 00:11:37,519 694 --> 697.519 gave them a lot of idea of useful data 362 00:11:36,78 --> 00:11:39,199 of improving their libraries of the 363 00:11:37,519 --> 00:11:40,799 threat actors that they were tracking 364 00:11:39,200 --> 00:11:41,920 so suddenly we got this group interests 365 00:11:40,799 --> 00:11:43,838 as well and they were obviously 366 00:11:41,919 --> 00:11:44,879 producing data as well so nowadays if 367 00:11:43,839 --> 00:11:47,279 you look at MISP 368 00:11:44,879 --> 00:11:49,200 going from a raw indicator sharing platform 369 00:11:47,278 --> 00:11:50,399 that MISP was initially 370 00:11:49,200 --> 00:11:52,160 nowadays you have a lot of the high 371 00:11:50,399 --> 00:11:53,759 level threat intel information included 372 00:11:52,159 --> 00:11:56,720 with the data as well so you will see threat reports 374 00:11:54,879 --> 00:11:58,720 you will see interconnected information 375 00:11:56,720 --> 00:12:04,399 about threat actors modus operandi 377 00:12:01,839 --> 00:12:06,79 infrastructure impact and so on so forth 378 00:12:04,399 --> 00:12:07,360 these extra layers of information that 379 00:12:06,78 --> 00:12:08,719 we were missing initially 380 00:12:07,360 --> 00:12:10,0 727.36 --> 730 so this was the biggest change that we 381 00:12:08,720 --> 00:12:11,440 had over time within our own 382 00:12:10,0 --> 00:12:13,919 730 --> 733.92 organizations but 383 00:12:11,440 --> 00:12:15,519 obviously as a CSIRT that has 384 00:12:13,919 --> 00:12:17,199 different constituencies 385 00:12:15,519 --> 00:12:18,799 we're also interacting with the security 386 00:12:17,200 --> 00:12:20,720 teams of other organizations and one of 387 00:12:18,799 --> 00:12:22,319 the things we noticed early on was 388 00:12:20,720 --> 00:12:24,160 there's a lot of the issues that other 389 00:12:22,320 --> 00:12:25,600 types of organizations had internally 390 00:12:24,159 --> 00:12:28,800 with information sharing are very similar to ours 392 00:12:26,879 --> 00:12:30,958 so initially the first use case that we 393 00:12:28,799 --> 00:12:32,799 got that was different and from our 394 00:12:30,958 --> 00:12:36,719 normal security use case 395 00:12:32,799 --> 00:12:38,399 was basically the various financial 396 00:12:36,720 --> 00:12:39,920 organizations reaching out to us saying 397 00:12:38,399 --> 00:12:41,759 that their fraud teams were 398 00:12:39,919 --> 00:12:43,599 running into similar sort of issues with 399 00:12:41,759 --> 00:12:45,759 sharing between their teams, 400 00:12:43,600 --> 00:12:47,839 sharing with other partner teams, 401 00:12:45,759 --> 00:12:50,319 information about mule accounts and 402 00:12:47,839 --> 00:12:51,519 about other fraud related information 403 00:12:50,320 --> 00:12:53,680 so they reached out to us and 404 00:12:51,519 --> 00:12:54,480 basically their security teams reached 405 00:12:53,679 --> 00:12:57,199 out to us and said 406 00:12:54,480 --> 00:12:58,639 can't we just try to help them also 407 00:12:57,200 --> 00:13:00,0 777.2 --> 780 to share that sort of information 408 00:12:58,639 --> 00:13:01,759 through MISP directly, I mean we already 409 00:13:00,0 --> 00:13:03,200 780 --> 783.2 had the tooling in place 410 00:13:01,759 --> 00:13:05,200 it was just a question of changing the data model 412 00:13:05,200 --> 00:13:08,639 so we we started doing that for uh together 413 00:13:07,120 --> 00:13:10,480 with the financial sector initially 414 00:13:08,639 --> 00:13:12,0 788.639 --> 792 where we expanded the data model of MISP 415 00:13:10,480 --> 00:13:13,519 when we allowed for modeling of new 416 00:13:12,0 --> 00:13:15,919 792 --> 795.92 custom data types 417 00:13:13,519 --> 00:13:17,679 and it's even surprising to us at the 418 00:13:15,919 --> 00:13:20,319 time turned into a success 419 00:13:17,679 --> 00:13:21,599 very rapidly so nowadays we're involved 420 00:13:20,320 --> 00:13:22,959 with quite a few different types of 421 00:13:21,600 --> 00:13:25,519 organizations out there 422 00:13:22,958 --> 00:13:26,879 replicating the same scenario where for 423 00:13:25,519 --> 00:13:30,320 example law enforcement, where we initially had 425 00:13:28,320 --> 00:13:32,79 mostly contact with their security teams 426 00:13:30,320 --> 00:13:36,240 and helping them build data sets for bootstrapping their forensic 429 00:13:34,399 --> 00:13:38,480 investigations nowadays we have all 430 00:13:36,240 --> 00:13:40,959 sorts of information sharing involving 431 00:13:38,480 --> 00:13:45,278 uh for example uh seized goods information sharing from 433 00:13:42,639 --> 00:13:48,799 border control agencies uh law enforcement agencies 435 00:13:46,879 --> 00:13:51,120 sharing information about passenger information 436 00:13:48,799 --> 00:13:53,359 so a lot of the type of data 437 00:13:51,120 --> 00:13:55,360 sharing that was very unusual for us as 438 00:13:53,360 --> 00:13:58,79 a CSIRT initially 439 00:13:55,360 --> 00:13:58,879 now once you get all this data in a 440 00:13:58,78 --> 00:14:01,39 system and you 441 00:13:58,879 --> 00:14:04,399 started building a data set from your community 443 00:14:02,480 --> 00:14:06,79 you start to see trends in the data set 444 00:14:04,399 --> 00:14:07,839 and this is what gets 445 00:14:06,78 --> 00:14:09,759 for example our risk analysis team 446 00:14:07,839 --> 00:14:11,440 interested in it the moment that you're 447 00:14:09,759 --> 00:14:12,639 seeing how attackers are changing their 448 00:14:11,440 --> 00:14:15,199 trends over time 449 00:14:12,639 --> 00:14:18,719 you can better advise your constituency your customers and so on 451 00:14:17,360 --> 00:14:22,160 about the different risks that they might be facing and the 453 00:14:20,958 --> 00:14:24,879 different risks that they should be preparing for 455 00:14:23,278 --> 00:14:26,958 and preparing the organizations for 456 00:14:24,879 --> 00:14:29,519 based on what the same sector is facing 457 00:14:26,958 --> 00:14:31,359 perhaps in the same geographic location 458 00:14:29,519 --> 00:14:33,120 so suddenly you get a lot of knowledge 459 00:14:31,360 --> 00:14:35,120 out of the collected data as long as 460 00:14:33,120 --> 00:14:36,720 data is well contextualized and I think 461 00:14:35,120 --> 00:14:38,78 this will be one of the main topics that 462 00:14:36,720 --> 00:14:41,519 we're going to be talking about quite a bit today and tomorrow 464 00:14:39,679 --> 00:14:43,599 is contextualizing the information and 465 00:14:41,519 --> 00:14:47,600 making the information actually usable 466 00:14:43,600 --> 00:14:47,600 and turning data really into knowledge 467 00:14:49,600 --> 00:14:55,40 yeah so like Andras mentioned 468 00:14:52,639 --> 00:14:56,240 we have a pretty large set of different 469 00:14:55,39 --> 00:15:00,0 895.04 --> 900 communities using MISP 470 00:14:56,240 --> 00:15:02,159 and over the time it became I think more 471 00:15:00,0 --> 00:15:03,759 900 --> 903.76 complicated to handle all those requests 472 00:15:02,159 --> 00:15:07,120 from different organizations 473 00:15:03,759 --> 00:15:10,0 903.76 --> 910 um so we came with a model of governance 474 00:15:07,120 --> 00:15:12,240 even if it's a very lightweight one we 475 00:15:10,0 --> 00:15:13,839 910 --> 913.839 decided to have this kind of models to 476 00:15:12,240 --> 00:15:15,680 still benefit from the open source 477 00:15:13,839 --> 00:15:17,199 community model and then 478 00:15:15,679 --> 00:15:19,278 bring all the experience from a 479 00:15:17,198 --> 00:15:21,198 different community into systems where 480 00:15:19,278 --> 00:15:22,720 it allows us to develop and extend the 481 00:15:21,198 --> 00:15:24,958 software so we decided to 482 00:15:22,720 --> 00:15:26,240 create this kind of models where we 483 00:15:24,958 --> 00:15:28,879 basically 484 00:15:26,240 --> 00:15:30,320 take care of all the features and 485 00:15:28,879 --> 00:15:33,679 requests that we receive from different organizations 487 00:15:31,679 --> 00:15:36,599 so we use this kind of priority list of different features 489 00:15:35,600 --> 00:15:38,720 and we get that feedback from {inaudible} 491 00:15:38,720 --> 00:15:42,879 one of the {inaudible} one I would say is 492 00:15:40,639 --> 00:15:44,480 Github so we get the feed from 493 00:15:42,879 --> 00:15:46,399 the different issue that we receive from 494 00:15:44,480 --> 00:15:48,639 Github I mean on the if you look at on 495 00:15:46,399 --> 00:15:50,320 Github you'll see that we have a 496 00:15:48,639 --> 00:15:52,320 significant number of issues and those 497 00:15:50,320 --> 00:15:54,800 issue are usually for us a way to track down 499 00:15:52,799 --> 00:15:56,879 all the different requests of features 500 00:15:54,639 --> 00:15:59,120 in MISP and that's one way to get it. 501 00:15:56,879 --> 00:16:02,639 Another way and this one is a quite a common one 503 00:16:00,639 --> 00:16:05,39 is basically a training or session like 504 00:16:02,399 --> 00:16:06,799 this where people are providing feedback, 505 00:16:05,39 --> 00:16:09,39 bug reports, future requests and so on 506 00:16:06,799 --> 00:16:10,879 directly during the training and for us 507 00:16:09,39 --> 00:16:12,958 uh I think really practical and we can 508 00:16:10,879 --> 00:16:15,39 get all this information needed for us 509 00:16:12,958 --> 00:16:16,0 972.959 --> 976 to improve the software. Another thing 510 00:16:15,39 --> 00:16:17,759 that we do and 511 00:16:16,0 --> 00:16:19,839 976 --> 979.839 that's maybe for the audience some 512 00:16:17,759 --> 00:16:21,39 people are interested in that one 513 00:16:19,839 --> 00:16:22,560 we know that there are plenty of 514 00:16:21,39 --> 00:16:24,399 different MISP of groups that we don't 515 00:16:22,559 --> 00:16:28,319 control and that we don't manage that's 516 00:16:24,399 --> 00:16:29,679 great we have for example ISACs, ISAO 517 00:16:28,320 --> 00:16:31,360 doing really those kind of things where 518 00:16:29,679 --> 00:16:33,838 you have those kind of user groups 519 00:16:31,360 --> 00:16:35,600 and what we do we participate on a 520 00:16:33,839 --> 00:16:37,279 regular basis to one of those groups for 521 00:16:35,600 --> 00:16:39,0 995.6 --> 998 example on a quarterly basis on a yearly basis 523 00:16:38,0 --> 00:16:41,759 998 --> 1001.759 and we do a collection of requirements 524 00:16:40,240 --> 00:16:44,240 from those different groups 525 00:16:41,759 --> 00:16:46,720 during one session and that's really 527 00:16:44,958 --> 00:16:48,799 i think useful for us because it's a way 528 00:16:46,720 --> 00:16:50,720 to to gather information so for example 529 00:16:48,799 --> 00:16:52,78 Andras mentioned those 530 00:16:50,720 --> 00:16:53,519 financial groups where people are 531 00:16:52,78 --> 00:16:54,559 sharing information about bank account 532 00:16:53,519 --> 00:16:56,480 detail and so on 533 00:16:54,559 --> 00:16:57,919 and that's where we basically gather all 534 00:16:56,480 --> 00:16:59,278 those requirements 535 00:16:57,919 --> 00:17:01,39 so if you are setting up a group 536 00:16:59,278 --> 00:17:03,278 somewhere in US or 537 00:17:01,39 --> 00:17:04,318 in the world about sharing information 538 00:17:03,278 --> 00:17:06,0 1023.279 --> 1026 and so on and you want to 539 00:17:04,318 --> 00:17:07,759 invite us at some point in time it's a 540 00:17:06,0 --> 00:17:12,160 1026 --> 1028.959 way for us to gather those kind of requirements 542 00:17:08,959 --> 00:17:13,759 we do a summit which is a yearly event 543 00:17:12,160 --> 00:17:15,600 usually it was physical but nowadays 544 00:17:13,759 --> 00:17:18,0 1033.76 --> 1038 it's virtual trainings 545 00:17:15,599 --> 00:17:19,918 so it's basically every user or 546 00:17:18,0 --> 00:17:21,199 1038 --> 1041.199 organizations using MISP presenting what 547 00:17:19,919 --> 00:17:22,959 they are doing 548 00:17:21,199 --> 00:17:24,558 it's a way for us to to see the 549 00:17:22,959 --> 00:17:26,480 interactions and see what 550 00:17:24,558 --> 00:17:28,480 can be improved in MISP and see {inaudible} 551 00:17:26,480 --> 00:17:29,759 in the community behind 552 00:17:28,480 --> 00:17:31,839 and then we have a kind of 20% 553 00:17:29,759 --> 00:17:35,200 project around in MISP 554 00:17:31,839 --> 00:17:38,558 1051.84 --> 1056 where we design new functionalities and we test 556 00:17:36,0 --> 00:17:39,919 1056 --> 1059.919 them out for example one of those is the 557 00:17:38,558 --> 00:17:41,200 detailing of indicators 558 00:17:39,919 --> 00:17:42,400 which was a request from different 559 00:17:41,200 --> 00:17:43,919 organizations but it was kind of 560 00:17:42,400 --> 00:17:45,919 difficult to design 561 00:17:43,919 --> 00:17:48,240 and with this kind of models where we 562 00:17:45,919 --> 00:17:50,480 designed first as a kind of prototype 563 00:17:48,240 --> 00:17:52,558 multiple iterations uh we did a multiple 564 00:17:50,480 --> 00:17:56,0 1070.48 --> 1076 research paper on that and then finally 565 00:17:52,558 --> 00:17:57,918 this become part of the MISP core software 566 00:17:56,0 --> 00:17:59,679 1076 --> 1079.679 we will show that later on but so we 567 00:17:57,919 --> 00:18:01,679 have a lightweight governance model 568 00:17:59,679 --> 00:18:03,840 but really the goal is to gather as 569 00:18:01,679 --> 00:18:05,280 much feedback from the user so don't 570 00:18:03,839 --> 00:18:08,599 hesitate if you have any bug reports, ideas and so on 571 00:18:05,279 --> 00:18:09,319 either open an issue, 573 00:18:08,319 --> 00:18:11,918 get in touch with us. 575 00:18:11,919 --> 00:18:16,400 You are more than welcome to basically 576 00:18:13,279 --> 00:18:16,399 share such kind of information. 577 00:18:17,119 --> 00:18:22,719 Yeah, now addressing the elephant in the room 579 00:18:20,720 --> 00:18:24,160 when you bring so many different 580 00:18:22,160 --> 00:18:25,759 organizations together and build a large 581 00:18:24,160 --> 00:18:27,200 community of sharing with different 582 00:18:25,759 --> 00:18:28,558 needs and requirements 583 00:18:27,200 --> 00:18:31,200 you're obviously going to have to run 584 00:18:28,558 --> 00:18:32,720 into conflicting requirements as well 585 00:18:31,200 --> 00:18:34,240 so one of the most obvious ones that 586 00:18:32,720 --> 00:18:36,640 that we're dealing with very often with 587 00:18:34,240 --> 00:18:38,720 information sharing and something that 588 00:18:36,640 --> 00:18:39,840 that we're working on tackling , 590 00:18:38,839 --> 00:18:43,599 basically since we started with MISP, is dealing 591 00:18:42,79 --> 00:18:45,279 with a different requirement of 592 00:18:43,599 --> 00:18:46,879 of what you count as valuable 593 00:18:45,279 --> 00:18:47,519 information depending on your use case 594 00:18:46,880 --> 00:18:51,599 so this is different also within 596 00:18:50,400 --> 00:18:53,360 different analysts, different roles 597 00:18:51,599 --> 00:18:56,79 within the same organization as 598 00:18:53,359 --> 00:18:58,720 well so for example, for us as a CSIRT in general 600 00:18:57,38 --> 00:19:00,240 uh detection is the most important 601 00:18:58,720 --> 00:19:04,640 matter so we're interested 602 00:19:00,240 --> 00:19:08,880 in in using indicators to detect if our constituency 604 00:19:06,880 --> 00:19:10,0 1146.88 --> 1150 is affected by something that the 605 00:19:08,880 --> 00:19:12,880 information is being 606 00:19:10,0 --> 00:19:14,160 1150 --> 1154.16 shared about or whether uh any of the 607 00:19:12,880 --> 00:19:17,200 the infrastructure that we're 608 00:19:14,160 --> 00:19:17,840 responsible for is infected 609 00:19:17,200 --> 00:19:22,639 on the other hand if you're talking to an isp 611 00:19:19,919 --> 00:19:22,640 one of the large 612 00:19:22,720 --> 00:19:26,720 requirements from an isp basically will 613 00:19:24,640 --> 00:19:29,38 be able to protect their users 614 00:19:26,720 --> 00:19:30,79 from potential harm so that means that 616 00:19:30,79 --> 00:19:34,480 if there are any urls, websites, and so on 618 00:19:34,480 --> 00:19:38,480 that they should block for their users they 619 00:19:36,880 --> 00:19:39,679 need to be able to generate a block list 620 00:19:38,480 --> 00:19:41,440 out of the data 621 00:19:39,679 --> 00:19:43,600 that is considered to be malicious 622 00:19:41,440 --> 00:19:45,360 enough now if you compare these two use cases 623 00:19:43,599 --> 00:19:48,240 with each other detection versus blocking 625 00:19:46,240 --> 00:19:49,359 you will immediately see that the effect 627 00:19:49,359 --> 00:19:53,359 of having a false positive in the data 628 00:19:51,200 --> 00:19:56,160 set or data that is no longer fresh 629 00:19:53,359 --> 00:19:57,119 has a completely different impact 630 00:19:56,160 --> 00:19:58,960 sure for us when 631 00:19:57,119 --> 00:20:00,719 that are mostly in the detection game 632 00:19:58,960 --> 00:20:02,400 it's annoying we get a false positive 633 00:20:00,720 --> 00:20:04,400 alert it has to be handled 634 00:20:02,400 --> 00:20:05,759 and it takes time and effort it also 635 00:20:04,400 --> 00:20:07,200 introduces something called alert fatigue 636 00:20:05,759 --> 00:20:09,319 that i'm sure many of you are familiar with 638 00:20:08,319 --> 00:20:12,79 if you're getting a lot of false 639 00:20:09,440 --> 00:20:15,120 positive alerts you're more likely to ignore the 641 00:20:13,119 --> 00:20:16,798 next alert that you get but besides that 642 00:20:15,679 --> 00:20:20,879 it has no real operational impact on us 644 00:20:19,119 --> 00:20:22,879 on the other hand for an isp that ends up blocking 645 00:20:20,880 --> 00:20:24,880 something that is uh 646 00:20:22,880 --> 00:20:27,400 potentially a false positive might have a catastrophic impact 648 00:20:26,400 --> 00:20:33,600 imagine if someone accidentally, for example shares 650 00:20:29,599 --> 00:20:35,759 facebook.com as an indicator that might 651 00:20:33,279 --> 00:20:39,119 basically cause a riot with their users or it might {inaudible} 653 00:20:37,279 --> 00:20:41,519 but it's a different story 654 00:20:39,119 --> 00:20:44,479 but with that in mind, you see that these 655 00:20:41,519 --> 00:20:47,679 two use cases are already conflicting 656 00:20:44,480 --> 00:20:49,360 now if you also take the perspective of 657 00:20:47,679 --> 00:20:52,400 intelligence analysts that are tracking 658 00:20:49,359 --> 00:20:52,798 threat actor movements in to account 660 00:20:52,798 --> 00:20:56,400 that's an even more lax use case 662 00:20:56,400 --> 00:21:02,159 where you care about whether something is a fresh indicator still or not 664 00:21:00,79 --> 00:21:03,439 even less than the other two groups. 665 00:21:02,159 --> 00:21:04,880 The reason for that is you're interested in 666 00:21:03,440 --> 00:21:07,120 the historical movements of a threat actor, for example. 668 00:21:07,119 --> 00:21:11,439 So even if something is no longer 669 00:21:08,240 --> 00:21:13,38 an indicator because and an infected 670 00:21:11,440 --> 00:21:14,960 website was cleaned up 671 00:21:13,38 --> 00:21:17,38 since the time when the indicator was 672 00:21:14,960 --> 00:21:18,880 shared they still want to see 673 00:21:17,38 --> 00:21:20,558 how long, for example a threat actor was 674 00:21:18,880 --> 00:21:22,80 using that infrastructure, 675 00:21:20,558 --> 00:21:25,119 how quickly they changed to something 676 00:21:22,79 --> 00:21:27,519 else and what methods they used 677 00:21:25,119 --> 00:21:28,239 back when they were exploiting it. 679 00:21:27,240 --> 00:21:31,839 So if you bring these different requirements on board on 680 00:21:30,480 --> 00:21:36,959 the same platform is difficult and there are some 682 00:21:35,200 --> 00:21:38,960 things that we can do to alleviate these 683 00:21:36,960 --> 00:21:40,720 issues. For example what we do with 684 00:21:38,960 --> 00:21:42,798 MISP 685 00:21:40,720 --> 00:21:44,480 we have a system called warning list 686 00:21:42,798 --> 00:21:46,480 system that allows us to filter out 687 00:21:44,480 --> 00:21:50,640 obvious false positives 688 00:21:46,480 --> 00:21:54,798 so we maintain these lists of 689 00:21:50,640 --> 00:21:56,720 most common websites, empty hash lists, 690 00:21:54,798 --> 00:21:58,319 public dns resolvers and all these 691 00:21:56,720 --> 00:22:00,558 typical things that end up in 692 00:21:58,319 --> 00:22:04,399 the sets while doing automatic extraction for example 694 00:22:02,400 --> 00:22:06,80 that end up being false positives but 695 00:22:04,400 --> 00:22:07,720 with that said this is just one part of the story 697 00:22:06,720 --> 00:22:10,79 So if you're looking at the different 698 00:22:08,480 --> 00:22:12,880 use cases up there that doesn't solve our issue 700 00:22:10,880 --> 00:22:15,600 of having different requirements 701 00:22:14,0 --> 00:22:17,558 1334 --> 1336.559 from the data set based on what you do with it 703 00:22:16,558 --> 00:22:20,319 and this is where contextualization 704 00:22:18,558 --> 00:22:22,158 becomes more important again 705 00:22:20,319 --> 00:22:24,0 1340.32 --> 1344 if we can supply the information together with the data, 707 00:22:23,0 --> 00:22:26,880 1344 --> 1346.88 why this data is relevant and what context you're 708 00:22:25,440 --> 00:22:28,640 supposed to be using it 709 00:22:26,880 --> 00:22:30,480 then the consumers of the data can make 710 00:22:28,640 --> 00:22:33,440 those decisions for themselves based on 711 00:22:30,480 --> 00:22:35,279 whatever they want to use 712 00:22:33,440 --> 00:22:38,640 the data for in any of those different use cases 714 00:22:36,640 --> 00:22:42,720 so one of our main efforts with MISP has been 716 00:22:40,720 --> 00:22:44,0 1360.72 --> 1364 to be able to provide these different 717 00:22:42,400 --> 00:22:47,519 structures together with the data and to 718 00:22:44,0 --> 00:22:48,519 1364 --> 1367.52 be able to label data well enough. Back to you. 720 00:22:48,880 --> 00:22:54,720 Yeah so and that's iI think important regarding the 721 00:22:52,960 --> 00:22:56,720 different kind of use cases and so on 722 00:22:54,720 --> 00:22:59,360 and we try to support those different use cases and 725 00:22:59,759 --> 00:23:03,679 that's sometimes challenging for us but luckily 726 00:23:01,679 --> 00:23:06,320 we are at the same time 727 00:23:03,679 --> 00:23:07,840 part of various community so we can see 728 00:23:06,319 --> 00:23:09,279 the different use cases, especially 729 00:23:07,839 --> 00:23:13,480 regarding the handling of false positive which is 731 00:23:12,480 --> 00:23:16,558 an ongoing challenge but we will show 732 00:23:14,880 --> 00:23:17,840 you how to handle that 733 00:23:16,558 --> 00:23:20,0 1396.559 --> 1400 and at the same time we basically 734 00:23:17,839 --> 00:23:22,79 operate those different communities. 735 00:23:20,0 --> 00:23:24,159 1400 --> 1404.159 So for example we operate a pretty large 736 00:23:22,79 --> 00:23:26,798 one for the private sector 737 00:23:24,159 --> 00:23:30,559 where we have a lot of organizations, 739 00:23:28,558 --> 00:23:32,158 more than 1200 organizations are basically connected there. 740 00:23:30,880 --> 00:23:35,440 It's pretty large and we see an active 742 00:23:35,440 --> 00:23:38,400 community sharing information and 743 00:23:36,798 --> 00:23:40,400 there is plenty of different communities 744 00:23:38,400 --> 00:23:41,840 some that we don't know even about 745 00:23:40,400 --> 00:23:43,278 because you can even run your own 746 00:23:41,839 --> 00:23:44,558 private communities without telling anyone, that's fine. 748 00:23:44,558 --> 00:23:49,759 That's part of the system but if you want to have different kind of communities 750 00:23:48,759 --> 00:23:55,839 you can connect those automatically then you have I would say 753 00:23:54,240 --> 00:23:57,798 different kind of model you have those kind of 755 00:23:56,798 --> 00:24:00,480 fully island mode communities. 756 00:23:58,798 --> 00:24:01,679 Those kind of trusted groups so for example for the 758 00:24:00,679 --> 00:24:05,519 intelligence community it's very common for them to run MISP 759 00:24:03,759 --> 00:24:09,759 in an island mode so having air gap system and so on 761 00:24:07,759 --> 00:24:11,919 sometimes they are partially connected 762 00:24:09,759 --> 00:24:13,599 with third parties to share partial 763 00:24:11,919 --> 00:24:15,400 information so for example we know some organizations 765 00:24:14,400 --> 00:24:18,640 or for example border controls or customs 767 00:24:18,640 --> 00:24:21,919 are using MISP but they still need to 768 00:24:20,79 --> 00:24:24,319 share some small information and that 770 00:24:22,319 --> 00:24:24,158 partially connected system. 771 00:24:23,319 --> 00:24:28,0 1464.32 --> 1468 MISP freely supports those kind of models 772 00:24:26,159 --> 00:24:29,679 and then you have community that are 773 00:24:28,0 --> 00:24:31,359 1468 --> 1471.36 more broad and more large 774 00:24:29,679 --> 00:24:33,278 for example in the financial sector and 775 00:24:31,359 --> 00:24:35,240 I think the CSIRT Luxembourg has some banks 777 00:24:34,240 --> 00:24:39,599 we are involved in various sharing communities 779 00:24:37,599 --> 00:24:41,519 at European level and worldwide level 780 00:24:40,480 --> 00:24:45,759 where for example we know some ISACs that are dedicated to 782 00:24:43,759 --> 00:24:48,200 the financial sector are using it as a sharing mechanism 784 00:24:47,200 --> 00:24:51,278 you have some organizations that are really 785 00:24:49,38 --> 00:24:52,480 dedicated to a payment processing system 786 00:24:51,278 --> 00:24:54,519 that are using this to share automatically 788 00:24:53,519 --> 00:24:57,519 information and so on or analysis 790 00:24:57,519 --> 00:25:01,519 One of the I would say pretty large community too is 791 00:24:59,278 --> 00:25:04,960 with the military organization and international organizations 793 00:25:02,960 --> 00:25:06,720 FIRST for example, you have a lot of FIRST members using 794 00:25:05,359 --> 00:25:08,639 MISP for sharing their information 796 00:25:08,640 --> 00:25:13,759 but there are plenty of networks, national governmental networks 798 00:25:11,759 --> 00:25:15,278 a military one intelligence, one or even NATO for example are using 800 00:25:15,278 --> 00:25:19,599 using MISP so maybe some of you are eligible to access those ones 802 00:25:19,599 --> 00:25:23,399 so we have on the MISP an interface a way to connect to those 804 00:25:22,400 --> 00:25:26,240 community and you can reach out to the 805 00:25:24,319 --> 00:25:27,200 different community by asking for access for example 807 00:25:27,200 --> 00:25:30,319 then you have very specific communities 808 00:25:28,960 --> 00:25:33,720 that are set up by security vendors it's not uncommon 810 00:25:32,720 --> 00:25:35,759 tp see for example a security vendor 811 00:25:34,0 --> 00:25:37,359 1534 --> 1537.36 services their own MISP 812 00:25:35,759 --> 00:25:39,119 we have seen for example some 813 00:25:37,359 --> 00:25:41,319 {inaudible} agents vendors running a dedicated MISP 815 00:25:40,319 --> 00:25:44,480 or even some operators of specific cloud 816 00:25:42,798 --> 00:25:46,400 services running a MISP instance 817 00:25:44,480 --> 00:25:49,360 to share information amongst 818 00:25:46,400 --> 00:25:49,320 their different customers. 819 00:25:49,359 --> 00:25:52,798 Then you have communities that are 820 00:25:50,319 --> 00:25:55,38 i would say very specific on the topic 821 00:25:52,798 --> 00:25:59,79 for example you have about sick information uh false news 823 00:25:58,79 --> 00:26:02,278 and stuff like that you have communities doing that 825 00:26:01,278 --> 00:26:04,720 for example we cooperate one called the COVID-19 MISP 827 00:26:04,720 --> 00:26:09,839 which is really targeting COVID-19 as a topic 828 00:26:07,919 --> 00:26:10,720 and then you have 10 different subtopics like 829 00:26:09,839 --> 00:26:12,399 cyber security, health related topics and so on. 831 00:26:12,400 --> 00:26:15,679 So you can see that MISP can be really used on 832 00:26:13,919 --> 00:26:17,440 different model of communities 833 00:26:15,679 --> 00:26:19,440 you can bridge those communities, 834 00:26:17,440 --> 00:26:21,360 you can interconnect those with together, 835 00:26:19,440 --> 00:26:23,759 you can keep it for yourself, so it's 836 00:26:21,359 --> 00:26:25,839 really a matter of models. 837 00:26:23,759 --> 00:26:27,759 Worldwide there are I would say a lot of 838 00:26:25,839 --> 00:26:31,199 communities that we are not aware of 839 00:26:27,759 --> 00:26:33,599 but we as CIRCL operates 840 00:26:31,200 --> 00:26:35,120 around 20 communities nowadays, that you 841 00:26:33,599 --> 00:26:37,839 can basically get access 842 00:26:35,119 --> 00:26:39,839 and Andras just sharing in the chat the 843 00:26:37,839 --> 00:26:42,439 access to the COVID-19 MISP and if you want to get access to 845 00:26:41,440 --> 00:26:46,320 that one you can connect on the main page and self-register and 847 00:26:46,319 --> 00:26:49,519 you can request access to that community 849 00:26:48,519 --> 00:26:53,38 so you see that MISP has different groups different communities 851 00:26:53,38 --> 00:26:56,640 and it's up to you at the end to decide 852 00:26:55,359 --> 00:26:58,879 which kind of community you want to {inaudiable either be/visit} 854 00:27:01,38 --> 00:27:04,798 So, a little bit besides all the technical things 856 00:27:04,798 --> 00:27:06,839 that we talked about, that we do with MISP, 857 00:27:06,480 --> 00:27:09,919 and that we try to solve with it. 858 00:27:07,839 --> 00:27:11,278 In terms of sharing, there are obviously 859 00:27:09,919 --> 00:27:12,720 going to be other hurdles that you have 860 00:27:11,278 --> 00:27:14,159 to overcome whenever it comes to information sharing 862 00:27:14,159 --> 00:27:17,679 one of the the toughest things to 863 00:27:16,0 --> 00:27:18,880 1636 --> 1638.88 overcome and this is where no tool can really help you 865 00:27:18,880 --> 00:27:23,679 is to get enough trust in a community to 866 00:27:22,79 --> 00:27:24,319 be able to share your information with them 868 00:27:24,319 --> 00:27:27,918 So the only way to facilitate this is really social interactions 870 00:27:27,919 --> 00:27:32,0 1647.919 --> 1652 so sadly though we're living in times 871 00:27:30,398 --> 00:27:33,278 where social interactions are tougher than usual 873 00:27:33,278 --> 00:27:37,440 but for example events like FIRST conferences 874 00:27:35,679 --> 00:27:38,880 are great ways to get to know your community and to 876 00:27:38,880 --> 00:27:43,200 build this trust and build those 877 00:27:41,440 --> 00:27:44,159 social relationships that you need 879 00:27:44,159 --> 00:27:47,679 to be able to really exchange meaningful 880 00:27:45,839 --> 00:27:49,918 information with the community 881 00:27:47,679 --> 00:27:52,0 1667.679 --> 1672 so I really encourage everyone that 882 00:27:49,919 --> 00:27:53,360 wants to partake in information sharing communities 884 00:27:53,359 --> 00:27:57,278 to be social, to reach out, and to get to know your community 886 00:27:57,278 --> 00:28:00,79 because that's the biggest facilitator for sharing in the first place. 888 00:28:00,79 --> 00:28:03,599 Other than that, there are obviously some 889 00:28:01,919 --> 00:28:05,360 legal restrictions that you have 890 00:28:03,599 --> 00:28:06,398 that might come up in the entire process. 891 00:28:05,359 --> 00:28:08,79 We see this very often with organizations where the first 893 00:28:08,79 --> 00:28:10,918 questions that they ask us when they join 895 00:28:09,919 --> 00:28:16,240 in our communities okay how does this 896 00:28:13,38 --> 00:28:18,558 fit into GDPR for example. 897 00:28:16,240 --> 00:28:21,38 If my legal team asks me why I am sharing 898 00:28:18,558 --> 00:28:22,720 an information out what can i 899 00:28:21,38 --> 00:28:24,798 give them as an explanation of why i'm 900 00:28:22,720 --> 00:28:25,159 supposed to or allowed to do this. 901 00:28:25,198 --> 00:28:28,319 So if you need any help with that we 902 00:28:26,159 --> 00:28:29,840 have a bunch of compliance documentation 903 00:28:28,319 --> 00:28:33,240 and that we've been working on together with a bunch of partners 905 00:28:32,240 --> 00:28:36,798 and so we have descriptions for how 906 00:28:34,640 --> 00:28:37,919 MISP fits into the GDPR, the NIS directive 908 00:28:37,919 --> 00:28:41,360 and some other frameworks so just 909 00:28:40,79 --> 00:28:43,119 have a look there and if you have any 910 00:28:41,359 --> 00:28:44,0 1721.36 --> 1724 questions or if you feel that anything is not covered 912 00:28:44,0 --> 00:28:47,599 1724 --> 1727.6 let us know and we keep updating our documentation 914 00:28:47,599 --> 00:28:51,519 based on on feedback of what's missing 915 00:28:49,679 --> 00:28:52,559 or ideas that we should be incorporating in there 917 00:28:52,558 --> 00:29:00,640 but generally , once your legal team is more 919 00:28:58,880 --> 00:29:01,360 familiar with the process and why this 920 00:29:00,640 --> 00:29:02,80 is {inaudible done/tied} 921 00:29:01,359 --> 00:29:05,759 why ensuring security for your 922 00:29:04,79 --> 00:29:06,798 organization and for the data that you 923 00:29:05,759 --> 00:29:08,960 have to secure is important then it's seen more as a 925 00:29:08,960 --> 00:29:13,360 benefit than a hurdle really 926 00:29:10,640 --> 00:29:15,278 but it obviously takes time to get 927 00:29:13,359 --> 00:29:16,240 this into your processes to define why you're 929 00:29:16,240 --> 00:29:19,679 doing what you're doing 930 00:29:18,398 --> 00:29:21,199 your retention periods, 931 00:29:19,679 --> 00:29:22,960 describing how you're going to handle data and so on 933 00:29:22,960 --> 00:29:26,399 so this obviously has some ramp up time 935 00:29:26,398 --> 00:29:29,439 but we have a lot of documentation that will help you with that. 937 00:29:29,440 --> 00:29:32,558 There are also some practical restrictions that we hear from 938 00:29:30,960 --> 00:29:34,79 organizations so very often when 939 00:29:32,558 --> 00:29:35,440 organizations reach out to us 940 00:29:34,79 --> 00:29:37,199 the first thing they say is we don't 941 00:29:35,440 --> 00:29:39,120 really have any information to share, 942 00:29:37,200 --> 00:29:40,880 we don't have the capability for example 943 00:29:39,119 --> 00:29:42,639 to build those highly vetted threat reports that we're so used to 945 00:29:42,640 --> 00:29:46,960 from feed providers and obviously very few organizations do. 947 00:29:46,960 --> 00:29:51,200 With that said information sharing comes 948 00:29:49,919 --> 00:29:54,600 in many different shapes and sizes for example going back 950 00:29:53,599 --> 00:29:58,558 to the initial use case about 951 00:29:55,200 --> 00:30:00,0 1795.2 --> 1800 providing feedback from your analysts 952 00:29:58,558 --> 00:30:02,240 about the data that you receive from 953 00:30:00,0 --> 00:30:03,839 1800 --> 1803.84 your community is already valuable 954 00:30:02,240 --> 00:30:05,599 information sharing so if someone for 955 00:30:03,839 --> 00:30:07,278 example provides sightings 956 00:30:05,599 --> 00:30:09,839 I've also seen this indicator at this given time 958 00:30:09,839 --> 00:30:13,359 that can already help you tune the data set 960 00:30:13,359 --> 00:30:16,879 for what goes into your working data 961 00:30:15,119 --> 00:30:18,319 sets for detection and blocking and so on. 963 00:30:18,319 --> 00:30:22,960 Also providing information on false 964 00:30:20,839 --> 00:30:24,319 positives and some information that 965 00:30:22,960 --> 00:30:26,640 you provided to the community turns out to be false 967 00:30:26,640 --> 00:30:30,960 or something that is no longer relevant 968 00:30:28,880 --> 00:30:33,39 getting information that is valid as 969 00:30:30,960 --> 00:30:35,278 well so pretty much everyone has 970 00:30:33,38 --> 00:30:36,398 information to share by just using the information and running 972 00:30:36,398 --> 00:30:44,0 1836.399 --> 1844 into frustration with the data by itself. 973 00:30:40,720 --> 00:30:44,640 Also besides not having information to share 975 00:30:44,640 --> 00:30:50,399 there comes also the issue of time. 976 00:30:48,398 --> 00:30:51,759 Most of us are overburdened with 977 00:30:50,398 --> 00:30:52,798 the different tasks that we are facing nowadays 979 00:30:52,798 --> 00:30:57,599 so taking extra time out of the day to 981 00:30:57,599 --> 00:31:02,38 encode information and to share it out in the community 983 00:31:01,38 --> 00:31:04,558 is obviously going to be an extra burden 984 00:31:02,640 --> 00:31:05,600 there is no way around it. 985 00:31:03,558 --> 00:31:07,440 What we try to do with MISP 986 00:31:05,599 --> 00:31:09,38 is to make this process as minimal as 987 00:31:07,440 --> 00:31:11,0 1867.44 --> 1870 possible but it is going to be a time investment in the end, after all 989 00:31:10,0 --> 00:31:13,839 1870 --> 1873.84 especially if you want to vet the data if you want to ensure that 992 00:31:13,839 --> 00:31:19,240 the right data reaches the right recipients 994 00:31:18,240 --> 00:31:26,240 This always has a time drain on you as well but in return this 996 00:31:24,480 --> 00:31:29,79 is offset by what you gain by sharing that information we're 998 00:31:28,79 --> 00:31:31,359 going to talk about this a little bit 999 00:31:29,440 --> 00:31:33,759 more during the community building part 1000 00:31:31,359 --> 00:31:35,278 about what effects you're going to see 1001 00:31:33,759 --> 00:31:36,640 if you're sharing information and why it is relevant for you 1003 00:31:36,640 --> 00:31:41,120 but to basically sum it up in one sentence 1005 00:31:41,119 --> 00:31:44,239 and whatever affects your organization 1006 00:31:42,960 --> 00:31:45,679 is probably the most important information for you and if you get 1008 00:31:45,679 --> 00:31:49,759 feedback on that, what you're seeing in your network 1010 00:31:49,759 --> 00:31:52,398 and more eyes on it, more perspectives 1013 00:31:52,398 --> 00:31:58,159 and perhaps more sophisticated methods of 1014 00:31:56,79 --> 00:31:59,519 research from other organizations 1015 00:31:58,159 --> 00:32:01,600 then that will probably just improve 1016 00:31:59,519 --> 00:32:03,519 your own security posture the best way it can. 1018 00:32:03,519 --> 00:32:08,880 Now, besides timeliness and basically having information to share 1020 00:32:07,519 --> 00:32:10,960 there's also the issue of different 1021 00:32:08,880 --> 00:32:12,240 classification models so classification 1022 00:32:10,960 --> 00:32:16,159 not just in a sense of of deciding who we share information with 1025 00:32:16,159 --> 00:32:19,278 but how we classify information really 1026 00:32:18,79 --> 00:32:22,798 in terms of contextualizating it we are all used 1029 00:32:22,798 --> 00:32:28,159 to naming things a certain way in our organizations in 1030 00:32:26,319 --> 00:32:31,38 our communities and we've probably 1031 00:32:28,159 --> 00:32:35,839 been doing it for longer than digital information systems exist 1034 00:32:34,558 --> 00:32:37,599 so we're probably using a lot of those 1035 00:32:35,839 --> 00:32:38,639 vocabularies that we've been using for decades 1037 00:32:38,640 --> 00:32:43,600 and what one of the things that we 1038 00:32:41,119 --> 00:32:45,678 wanted to avoid with MISP is to 1039 00:32:43,599 --> 00:32:46,639 get these communities to switch to a 1041 00:32:46,640 --> 00:32:51,360 different way of describing things so if you already 1042 00:32:49,119 --> 00:32:52,959 have your set methods, your set processes 1043 00:32:51,359 --> 00:32:54,479 how you define things, we don't want to alter that so one of 1045 00:32:54,480 --> 00:32:57,278 the things that we do with MISP and we are 1046 00:32:55,839 --> 00:32:58,798 going to talk a fair bit about, tomorrow mostly 1048 00:32:58,798 --> 00:33:03,679 is that you have ways to describe your 1049 00:33:01,519 --> 00:33:06,0 1981.519 --> 1986 own taxonomies and your own vocabularies 1050 00:33:03,679 --> 00:33:07,120 to use those in your community so very 1051 00:33:06,0 --> 00:33:08,558 1986 --> 1988.559 often when you're spinning up a 1052 00:33:07,119 --> 00:33:09,199 community and when you're starting out 1053 00:33:08,558 --> 00:33:10,879 with the sharing community, 1055 00:33:10,880 --> 00:33:14,320 a national sharing community, sectorial one, whatever 1056 00:33:12,480 --> 00:33:16,399 then one of the first tasks is basically 1057 00:33:14,319 --> 00:33:18,720 defining those common vocabularies 1058 00:33:16,398 --> 00:33:20,639 that you're going to be using 1059 00:33:18,720 --> 00:33:22,319 now apart from the vocabularies 1060 00:33:20,640 --> 00:33:25,38 themselves there is also the issue of 1061 00:33:22,319 --> 00:33:25,839 of us speaking many different languages 1063 00:33:25,839 --> 00:33:29,519 in terms of of our tools using different formats 1065 00:33:28,640 --> 00:33:33,919 so that means even within our own organization which is 1066 00:33:32,79 --> 00:33:34,639 rather small we have a set of different tools 1068 00:33:34,640 --> 00:33:38,559 that will ingest data in different formats 1070 00:33:38,558 --> 00:33:42,240 or will prefer to ingest data in given 1071 00:33:40,558 --> 00:33:43,119 format so one of the things we also try to do with MISP 1073 00:33:43,119 --> 00:33:46,798 is to act as a hub for all your different tools 1075 00:33:46,798 --> 00:33:51,519 that will get their data translated into 1076 00:33:49,200 --> 00:33:52,960 the format that they can best ingest. 1077 00:33:51,519 --> 00:33:55,839 Obviously this is something where we cannot be completely 1079 00:33:55,839 --> 00:34:01,519 100 percent covering all the other 1080 00:33:59,119 --> 00:34:02,879 things that exist out there. 1081 00:34:01,519 --> 00:34:04,558 So one of the things we try to do with MISP 1082 00:34:02,880 --> 00:34:06,399 is make it as modular as possible and 1083 00:34:04,558 --> 00:34:07,278 it's easy to encode your own formats as possible. 1085 00:34:07,278 --> 00:34:13,440 We're not going to go deeply into how to do this during the training 1087 00:34:11,358 --> 00:34:15,39 but if anyone is interested about that just 1089 00:34:15,39 --> 00:34:17,599 let us know and we'll point you in the 1090 00:34:16,398 --> 00:34:19,598 right direction where you can find 1091 00:34:17,599 --> 00:34:20,159 documentation on how to modularize and 1093 00:34:19,599 --> 00:34:24,159 how to build import and export in MISP. 1094 00:34:26,760 --> 00:34:30,560 So just one side note, all the training 1095 00:34:28,639 --> 00:34:32,320 materials are available online 1096 00:34:30,559 --> 00:34:33,599 like {inaudible} mentioned we have a Github 1097 00:34:32,320 --> 00:34:35,599 repository with a pretty extensive README files with all 1099 00:34:35,599 --> 00:34:41,39 the material that we provide, there is a MISP book too which includes a 1101 00:34:41,39 --> 00:34:45,838 lot of reference to MISP as you know MISP has a 1103 00:34:45,838 --> 00:34:50,159 pretty large topic coming from technical aspect and 1105 00:34:50,159 --> 00:34:54,480 you will see that in a minute about the project overview. 1107 00:34:54,480 --> 00:34:57,519 So don't hesitate to go there on the MISP training 1109 00:34:57,519 --> 00:35:00,639 page on Github this one is a good 1110 00:34:59,358 --> 00:35:02,639 reference because it's really pointing 1111 00:35:00,639 --> 00:35:05,920 to the different elements 1112 00:35:02,639 --> 00:35:06,239 that we have. We have a huge slide deck of 1114 00:35:06,239 --> 00:35:10,559 close to 500 pages of slide deck on the 1115 00:35:08,559 --> 00:35:11,679 MISP book we have close to 500 pages. I 1116 00:35:10,559 --> 00:35:13,440 would not mention the number of pages 1117 00:35:11,679 --> 00:35:14,719 for taxonomies, galaxies and so on. It's quite large too 1119 00:35:14,719 --> 00:35:19,39 but really look at this as a kind of way 1120 00:35:17,519 --> 00:35:22,239 to shape it to what you like. 1121 00:35:19,39 --> 00:35:23,519 So it's really there to help you and if 1122 00:35:22,239 --> 00:35:25,439 you see something missing 1123 00:35:23,519 --> 00:35:26,800 let us know but we have slides, 1125 00:35:26,800 --> 00:35:31,200 for example system requirements, things like 1126 00:35:29,838 --> 00:35:32,960 for example building community that 1127 00:35:31,199 --> 00:35:35,439 we'll talk tomorrow, that's 1128 00:35:32,960 --> 00:35:37,599 part of it but for more the 1129 00:35:35,440 --> 00:35:40,320 programmatic aspect, API 1130 00:35:37,599 --> 00:35:41,200 how to integrate with MISP {inaudible JSON/taxono}, 1131 00:35:40,320 --> 00:35:43,39 how to extend it too 1132 00:35:41,199 --> 00:35:44,799 there are plenty of slides regarding that 1133 00:35:43,39 --> 00:35:46,800 so it's really a good reference 1134 00:35:44,800 --> 00:35:48,560 and thanks to {inaudible} to share this 1135 00:35:46,800 --> 00:35:50,800 information on the chat 1136 00:35:48,559 --> 00:35:52,719 so to just give a quick overview of the MISP project and really to show that 1138 00:35:52,719 --> 00:35:56,399 the project is quite large nowadays 1139 00:35:55,199 --> 00:35:59,838 we basically have like four pillars of things in MISP 1141 00:35:59,838 --> 00:36:03,199 one is obviously the open software itself 1143 00:36:03,199 --> 00:36:08,78 so the initial version in {inaudible} it was 1144 00:36:06,239 --> 00:36:10,239 the small first small block there 1145 00:36:08,79 --> 00:36:11,440 the MISP core software which is like just the software 1147 00:36:11,440 --> 00:36:16,400 mainly for the LMAP aspect where 1148 00:36:14,800 --> 00:36:17,920 you have the backend, the web interface, 1149 00:36:16,400 --> 00:36:19,760 and so on but over the time the project extended 1151 00:36:19,760 --> 00:36:23,40 with multiple things so if you look on the Github 1152 00:36:20,960 --> 00:36:24,800 repository of mid project we have around 50 repositories so 1154 00:36:24,800 --> 00:36:28,720 it's pretty large. Just to summarize what 1155 00:36:27,519 --> 00:36:31,119 are the different one 1156 00:36:28,719 --> 00:36:31,919 we have for example the MISP modules um 1158 00:36:31,920 --> 00:36:35,119 which is an easy way to extend MISP so the behavior of MISP 1160 00:36:35,119 --> 00:36:40,880 on the expansion side on the import, export and so on by just writing 1162 00:36:40,880 --> 00:36:44,480 python modules it's super easy to develop and use 1164 00:36:44,480 --> 00:36:47,920 and the idea behind is obviously to 1165 00:36:46,0 --> 00:36:50,960 2206 --> 2210.96 extend MISP without knowing 1166 00:36:47,920 --> 00:36:51,440 the core details about the system 1167 00:36:50,960 --> 00:36:55,358 then we have a library called PyMISP and this 1168 00:36:53,440 --> 00:36:58,639 PyMISP library is basically a 1169 00:36:55,358 --> 00:37:02,319 python library to expose the new MISP platform API 1171 00:37:02,320 --> 00:37:07,39 so MISP has a large REST api this one can be quite large but 1173 00:37:05,199 --> 00:37:11,679 by MISP is really helping you to for example {inaudible jest/Get} events 1174 00:37:09,599 --> 00:37:13,200 create feeds and stuff like that so it's 1175 00:37:11,679 --> 00:37:15,358 really important if you want to 1176 00:37:13,199 --> 00:37:17,39 extend MISP to have a look at PyMISP that 1177 00:37:15,358 --> 00:37:18,480 is not the only library for extending 1179 00:37:18,480 --> 00:37:23,440 MISP some in golang you have some 1180 00:37:21,519 --> 00:37:24,639 other in python too, you have others in java and so on 1182 00:37:24,639 --> 00:37:28,0 2244.64 --> 2248 but the PyMISP one is the one that 1183 00:37:26,400 --> 00:37:31,199 is maintained by the author of MISP so it is maintained by us 1186 00:37:31,199 --> 00:37:34,399 and you can have a look at this one it's 1187 00:37:32,480 --> 00:37:36,0 2252.48 --> 2256 really the one that's up to date it's 1188 00:37:34,400 --> 00:37:38,0 2254.4 --> 2258 really core and part of the system too 1189 00:37:36,0 --> 00:37:40,400 2256 --> 2260.4 because we use it for our own tests 1190 00:37:38,0 --> 00:37:42,320 2258 --> 2262.32 within MISP then we have different 1191 00:37:40,400 --> 00:37:43,358 repository I will just mention one which is 1193 00:37:43,358 --> 00:37:46,559 dashboard, the dashboard is an extension module 1195 00:37:46,559 --> 00:37:51,838 in MISP using what we call the ZeroMQ feed in MISP 1196 00:37:49,838 --> 00:37:54,159 so we have a kind of way to have kind of a real-time feed 1198 00:37:54,159 --> 00:37:58,799 in MISP you can {inaudible} and 1199 00:37:56,400 --> 00:38:00,639 so on but we wanted to show an example 1200 00:37:58,800 --> 00:38:02,240 application for that and the MISP 1201 00:38:00,639 --> 00:38:04,879 dashboard is exactly that 1202 00:38:02,239 --> 00:38:06,559 is a way to really get all the 1203 00:38:04,880 --> 00:38:08,960 information that you have in MISP 1204 00:38:06,559 --> 00:38:09,920 into a very nice dashboard and so on 1205 00:38:08,960 --> 00:38:11,760 this is really to have a good example of what you can do 1207 00:38:11,760 --> 00:38:14,240 with information within MISP and how you can use it 1209 00:38:14,239 --> 00:38:17,519 so that's the main pillar you have 1210 00:38:15,519 --> 00:38:18,79 plenty of other projects but those one are the main ones 1212 00:38:18,79 --> 00:38:22,400 on top of that you have 1213 00:38:20,880 --> 00:38:23,358 what we call the intelligent and knowledge database of 1215 00:38:23,358 --> 00:38:27,119 MISP and just mentioned about the difficulty 1217 00:38:27,119 --> 00:38:31,280 sometimes in some organizations to use a 1218 00:38:29,199 --> 00:38:33,519 {inaudible proper/corporate} classification and so on 1219 00:38:31,280 --> 00:38:35,40 and we try to ease this in this 1220 00:38:33,519 --> 00:38:36,639 different organization by having a kind 1221 00:38:35,39 --> 00:38:37,279 of library of all the taxonomies that exist 1223 00:38:37,280 --> 00:38:41,519 so we started as a very simple one where 1224 00:38:39,679 --> 00:38:43,358 it was just including for example a 1225 00:38:41,519 --> 00:38:45,440 taxonomy like the traffic light protocol one, FIRST is using it 1227 00:38:45,440 --> 00:38:49,119 and it's a commonly used classification but over 1228 00:38:47,838 --> 00:38:50,320 the time we have seen that many 1229 00:38:49,119 --> 00:38:52,720 organizations have different 1230 00:38:50,320 --> 00:38:54,320 classification and so on. So we already 1231 00:38:52,719 --> 00:38:55,838 in advance we prepare all those taxonomies in 1233 00:38:55,838 --> 00:38:59,599 possible information {inaudible} expose MISP 1234 00:38:58,159 --> 00:39:02,399 and you can enable the one that you want 1235 00:38:59,599 --> 00:39:05,39 so we have around 150 libraries now 1236 00:39:02,400 --> 00:39:05,680 ranging from classifications, specific one for 1238 00:39:05,679 --> 00:39:10,559 intelligence communities and some 1239 00:39:08,159 --> 00:39:12,399 other activities so this one is our 1240 00:39:10,559 --> 00:39:13,440 really useful label and you can just 1241 00:39:12,400 --> 00:39:15,39 {inaudible share/pick} the one that you want and we maintain those one 1243 00:39:15,39 --> 00:39:18,880 so we have some that are coming from 1244 00:39:16,960 --> 00:39:21,39 third party, some that we are collecting 1245 00:39:18,880 --> 00:39:23,39 as each projects are creating. 1246 00:39:21,39 --> 00:39:24,719 It's really usually a good source to see 1247 00:39:23,39 --> 00:39:26,838 how other communities are using 1248 00:39:24,719 --> 00:39:28,639 classifying and contextualizing the 1249 00:39:26,838 --> 00:39:30,480 information, there nevertheless the 1250 00:39:28,639 --> 00:39:35,759 taxonomy itself was like kind of labels, those labels were quite small 1253 00:39:33,519 --> 00:39:36,960 so it was not like completely extensive information so 1255 00:39:36,960 --> 00:39:41,39 over the time we maintain a kind of more extensive one called the galaxy 1257 00:39:41,39 --> 00:39:47,279 you will hear the term very often 1258 00:39:44,79 --> 00:39:49,200 those galaxies are defining many things 1259 00:39:47,280 --> 00:39:51,40 for example one of the most common one is the threat actor 1261 00:39:50,39 --> 00:39:54,400 we have a huge database of threat actors but a lot of 1262 00:39:52,800 --> 00:39:56,400 times it was extended 1263 00:39:54,400 --> 00:39:58,320 for example, Microsoft is not using 1264 00:39:56,400 --> 00:39:59,358 threat actors for example there is this activity group is part of the 1266 00:39:59,358 --> 00:40:05,119 galaxy, it's really one that we 1267 00:40:02,400 --> 00:40:05,760 use for different and you can represent whatever 1269 00:40:05,760 --> 00:40:09,280 galaxy you want so you have a predefined 1270 00:40:07,358 --> 00:40:10,960 set of existing one but you can create your own 1272 00:40:10,960 --> 00:40:14,400 so if you have your own threat actor database 1273 00:40:12,880 --> 00:40:16,480 you can create your own from scratch or 1274 00:40:14,400 --> 00:40:17,280 you can reuse and fork existing ones so 1275 00:40:16,480 --> 00:40:18,480 that's really those kind of things that we manage in 1277 00:40:18,480 --> 00:40:21,920 the project is not only code and software 1278 00:40:20,318 --> 00:40:23,39 we manage those kind of knowledge base 1280 00:40:23,39 --> 00:40:27,759 for intelligent {inaudible} organization 1281 00:40:26,79 --> 00:40:29,200 we have some specific one like the notice list 1283 00:40:28,899 --> 00:40:32,480 this one is a pretty small one that you use for the GDPR aspect 1285 00:40:32,480 --> 00:40:36,480 but this one can be used for anything you want, 1287 00:40:35,480 --> 00:40:40,960 It's for informing the analyst or the user of MISP when he 1288 00:40:39,358 --> 00:40:41,440 touched some specific information in MISP 1290 00:40:41,440 --> 00:40:45,280 that could impact for example the legal framework and so on 1292 00:40:44,280 --> 00:40:49,280 it's actively use in the intelligence community, 1293 00:40:47,119 --> 00:40:50,960 law enforcement and so on maybe less in 1294 00:40:49,280 --> 00:40:52,880 security operation center but it's 1295 00:40:50,960 --> 00:40:54,880 coming more and more due to the legal 1296 00:40:52,880 --> 00:40:56,240 side of information sharing and 1297 00:40:54,880 --> 00:40:58,480 especially storing information that might contain personal information 1299 00:40:58,480 --> 00:41:02,480 then we have another one called the 1300 00:40:59,679 --> 00:41:08,159 warning list and Andras quickly mentioned this kind of recurring problems or false positives 1303 00:41:06,559 --> 00:41:12,719 and the one in MISP are basically list of existing potential false positives 1305 1306 00:41:12,719 --> 00:41:17,439 for example we have lists of well-known IP addresses from Microsoft, for example. 1308 00:41:17,440 --> 00:41:20,800 We have list of things like domain names used by Google and so on 1310 00:41:20,800 --> 00:41:25,599 that's already helping users to find out 1311 00:41:23,519 --> 00:41:27,119 if something might be a false positive 1312 00:41:25,599 --> 00:41:28,559 and we do that automatically and we 1313 00:41:27,119 --> 00:41:30,800 maintain those libraries because one {inaudible MISP/reason} they're automatically updated regularly 1315 00:41:30,800 --> 00:41:34,79 I think we have around 50 lists nowadays 1318 00:41:34,79 --> 00:41:38,160 It's really useful when you do on a day-to-day basis and creating events and 1320 00:41:38,159 --> 00:41:41,838 so on you can really find and spot things that might be a false positive in advance 1323 00:41:41,838 --> 00:41:48,0 2503.119 --> 2508 by having those warning lists enabled 1324 00:41:45,280 --> 00:41:49,839 and again it's up to the user to select 1325 00:41:48,0 --> 00:41:53,39 2508 --> 2511.04 one {inaudible} warning list or to enable everything depending on the different use case 1328 00:41:52,800 --> 00:41:55,920 so that's one of those {inaudible} pillar 1329 00:41:54,480 --> 00:41:57,519 knowledge base I mean a lot of 1330 00:41:55,920 --> 00:41:57,519 contributions coming from threat parties 1332 00:41:57,519 --> 00:42:02,480 are coming from that aspect so it's not really programmers 1333 00:42:00,719 --> 00:42:03,679 or coders that are contributing there 1334 00:42:02,480 --> 00:42:05,599 but it's more analysts and people doing really threat intelligence 1336 00:42:05,599 --> 00:42:10,160 or classification and so on 1337 00:42:08,318 --> 00:42:12,79 is really something that is useful for everyone 1338 00:42:10,159 --> 00:42:14,159 without being your direct contributions on the code 1340 00:42:14,159 --> 00:42:18,719 then over the times we we we became a kind of de facto standard and 1342 00:42:18,719 --> 00:42:22,480 uh nowadays is even more than a de facto standard, is a standard 1344 00:42:22,480 --> 00:42:27,199 We published as an interesting engineering task force draft 1346 00:42:27,199 --> 00:42:31,439 all those documents especially the core format 1348 00:42:31,440 --> 00:42:35,200 and to ease that for the development of external tools 1350 00:42:35,199 --> 00:42:39,279 integration and so on. 1351 00:42:38,0 --> 00:42:40,119 2558 --> 2561.119 So if you're interested you can go to the 1352 00:42:39,280 --> 00:42:42,319 MISP platform website where we describe the different standards that we 1354 00:42:42,318 --> 00:42:47,199 published. We even co-host standards that are for people 1356 00:42:47,199 --> 00:42:51,598 integrating with MISP 1357 00:42:50,480 --> 00:42:53,599 and we have specific standards for example for the object template 1359 00:42:53,599 --> 00:42:56,800 and that's something that we will talkabout but that's something that was 1360 00:42:54,800 --> 00:42:58,79 1361 00:42:56,800 --> 00:42:59,839 really a need for us from the early beginning of MISP 1363 00:42:59,838 --> 00:43:02,799 a lot of organizations want to have their own structure of information 1365 00:43:02,800 --> 00:43:06,880 about objects and so on and we have a flexible model in MISP to 1367 00:43:06,880 --> 00:43:11,358 really create your own data models and this one is standardized too 1369 00:43:11,358 --> 00:43:15,358 and it's really helping sharing communities to 1371 00:43:15,358 --> 00:43:20,318 extend MISP as they wish and their models without breaking the 1373 00:43:20,318 --> 00:43:24,79 the standards itself so that's really interesting for for showing you new models 1376 00:43:24,79 --> 00:43:28,79 and then next to that we will do everything possible to help community 1378 00:43:28,79 --> 00:43:31,359 and Andras just mentioned the question of the 1380 00:43:31,358 --> 00:43:35,679 legal aspect and I think maybe some of 1381 00:43:33,599 --> 00:43:38,640 you already have this order to 1382 00:43:35,679 --> 00:43:40,399 seek legal team about the information sharing policies and so on 1384 00:43:40,400 --> 00:43:44,880 we try to make it easier so we publish this kind of compliance document 1386 00:43:44,880 --> 00:43:48,160 and so on it's part of the MISP project 1387 00:43:46,719 --> 00:43:50,879 everything is open source again so everything we do is open source and 1389 00:43:50,880 --> 00:43:55,760 on open access. You can reuse it and so on. We have for example a specific 1391 00:43:55,760 --> 00:44:01,679 document about building communities which is something that we do within the X-ISAC project 1394 00:44:01,679 --> 00:44:08,960 and it's containing kind of best practices what are kind of agreement that you can 1397 00:44:08,960 --> 00:44:11,119 use when doing a setup of sharing communities. 1399 00:44:11,119 --> 00:44:15,440 Up to things about how to do contextualization and so on 1400 00:44:13,280 --> 00:44:17,40 so that's that's maybe something that 1401 00:44:15,440 --> 00:44:17,519 for an organization that wants to boost up an ISAC or sharing communities they can 1404 00:44:19,760 --> 00:44:23,760 look at those documents and so on so it's again a thing that we try to help 1406 00:44:23,760 --> 00:44:30,800 for example we produce kind of OSINT feeds of existing reports and so on to 1408 00:44:30,800 --> 00:44:36,880 not only have software ready but to have some content and to show what kind of 1411 00:44:36,880 --> 00:44:42,559 information can be shared within different MISP communities. 1413 00:44:42,559 --> 00:44:48,880 So let us some get some of the naming conventions out of the way 1415 00:44:48,880 --> 00:44:52,880 before we start with the hands-on stuff and 1416 00:44:50,400 --> 00:44:58,719 just a quick explanation of the different uh data points and uh and naming conventions 1419 00:44:57,119 --> 00:45:00,400 that we use for them so it's a bit easier afterwards 1421 00:45:00,400 --> 00:45:08,0 this can be a bit overwhelming, don't worry we'll go through everything step by step also 1424 00:45:04,639 --> during the hands-on part 1426 00:45:05,519 --> 00:45:13,440 So basically all the data that goes into MISP, we separate into two main layers 1427 00:45:11,358 --> 00:45:14,880 one we call data layer which is really everything it has to do with 1429 00:45:14,880 --> 00:45:22,0 individual data points their compositioning and so on 1432 00:45:20,400 --> 00:45:23,358 So everything that we share in MISP in general in this regard 1433 00:45:22,0 --> 00:45:25,199 2722 --> 2725.2 starts with something that we call an event, these are our general 1435 00:45:25,199 --> 00:45:28,559 envelopes for information so that means that 1437 00:45:28,559 --> 00:45:32,960 whenever we're describing an incident, we're describing a threat report 1439 00:45:32,960 --> 00:45:36,0 2732.96 --> 2736 we're describing a watch list that we recurringly update 1441 00:45:36,0 --> 00:45:40,400 2736 --> 2740.4 and they will all be grouped into something that we call an event 1443 00:45:40,400 --> 00:45:45,680 So the name is a little bit controversial at times, we try to pick a name 1445 00:45:45,679 --> 00:45:49,519 that is the least amount of a loaded term that we could find 1448 00:45:51,440 --> 00:45:56,240 but obviously even with that there it can be a bit confusing but just consider 1450 00:45:56,239 --> it as a generic container for data that has some contextual linking 1453 00:45:59,39 --> 00:46:06,318 then each of these events is populated with lists of attributes. 1455 00:46:05,318 --> 00:46:09,838 So attributes are the most basic data points in MISP 1457 00:46:09,838 --> 00:46:13,279 an attribute can describe for example an IP address 1459 00:46:13,280 --> 00:46:21,199 you can describe a file hash or it can describe a car plate number for example 1462 00:46:21,199 --> 00:46:27,759 It's basically just an individual data point with some basic context around it 1465 00:46:27,760 --> 00:46:30,800 such as describing in what context this was seen in 1467 00:46:30,800 --> 00:46:32,960 what type we're using to describe the attribute, 1469 00:46:32,960 --> 00:46:39,679 for example that we're using an MD5 hash to describe the hash of a file 1471 00:46:39,679 --> 00:46:44,318 would be one of those descriptions, hopefully not used as much these days 1473 00:46:44,318 --> 00:46:51,920 but that's just an example and then we can take these individual attributes 1476 00:46:49,599 --> 00:46:55,318 and composite them into what we call objects that are describing multifaceted concepts. 1478 00:46:54,318 --> 00:46:59,440 For example, a file object would be described by a list of attributes 1480 00:46:59,440 --> 00:47:05,760 including a file name, different file hashes, maybe file entropy and so on and so forth. 1484 00:47:05,760 --> 00:47:11,440 Each of these individual objects and attributes can then be further interlinked by what we call references. 1487 00:47:11,440 --> 00:47:15,119 So that means that most of the time when we're describing data in MISP 1489 00:47:15,119 --> 00:47:20,0 we're trying to tell a story so we're thinking graphs instead of individual data points 1492 00:47:20,0 --> 00:47:24,559 2840 --> 2844.559 that means that we can for example, describe the entire flow of an attack 1494 00:47:24,559 --> 00:47:28,79 from the initial attack vector all the way to the exploitation 1496 00:47:28,79 --> 00:47:33,599 using the interconnected graphs using these references so we could say 1498 00:47:33,599 --> 00:47:36,960 initially it all started with an email that was received 1500 00:47:36,960 --> 00:47:40,559 that contained for example a malicious sample which then had to send this effect 1503 00:47:42,480 --> 00:47:45,838 in our infrastructure so all of these different steps can be then described 1506 00:47:45,0 --> 00:47:53,519 2868 --> 2873.52 via different references there then to aggregate this information 1508 00:47:53,519 --> 00:47:58,79 into and aggregate the sightings of this information via structure 1510 00:47:58,79 --> 00:48:02,280 that basically captures sightings from our different information sources 1512 00:48:01,280 --> 00:48:05,760 that means if you have an IDS that is generating alerts 1514 00:48:05,760 --> 00:48:10,640 you can feed information back on when individual attributes were seen 1516 00:48:10,639 --> 00:48:16,159 in your network, in your premises or at your partners and so on 1518 00:48:16,159 --> 00:48:21,920 so this is basically it for the data layer, these are our main building blocks for that. 1521 00:48:21,920 --> 00:48:27,599 now in order to contextualize this information, we have different tools at our disposal. 1523 00:48:27,599 --> 00:48:32,160 The most simple one is what we call tags these are basic text labels that 1525 00:48:31,159 --> 00:48:35,598 we attach on individual data points or entire events 1527 00:48:35,599 --> 00:48:39,440 and these can either be created freely or most commonly they come from what we call taxonomies. 1530 00:48:41,519 --> 00:48:46,400 They're basically standardized vocabularies and that are either shared 1532 00:48:46,400 --> 00:48:54,880 by us so the MISP project at large or by individual communities to their members so 1535 00:48:53,119 --> 00:48:57,39 these vocabularies can include anything from for example something is simple and 1537 00:48:57,39 --> 00:49:01,279 and commonly used as TLP to national classifications 1540 00:49:01,279 --> 00:49:08,719 to various different sectoral classifications and so on 1541 00:49:06,318 --> 00:49:12,79 now if you wanted to provide more high-level information instead of just simple 1544 00:49:12,559 --> 00:49:16,640 labels for the information we can use what we call galaxy clusters 1546 00:49:16,639 --> 00:49:20,400 so galaxy cluster is basically a knowledge based element that we use as a label 1549 00:49:21,199 --> 00:49:24,879 these can be either coming from standard libraries 1551 00:49:24,880 --> 00:49:28,480 such as the ones that we maintain or you can create them ad-hoc in MISP. 1553 00:49:28,480 --> 00:49:30,0 That means if you're describing a threat actor 1555 00:49:30,0 --> 00:49:35,358 you could create create a threat actor galaxy cluster that describes the various metadata 1557 00:49:35,358 --> 00:49:38,558 about the threat actor and then use this to label your data whenever you think 1560 00:49:38,880 --> 00:49:42,160 that whatever you're describing is associated with a threat actor 1562 00:49:42,159 --> 00:49:46,480 you can also create for example a galaxy cluster describing the different 1564 00:49:46,480 --> 00:49:53,760 target sectors and then interlink using cluster relationships 1566 00:49:53,760 --> 00:50:04,559 the threat actor galaxy clusters with target sectors with exploited TTP and so on and so forth 1569 00:50:03,440 --> 00:50:07,39 So these are the high level structures that you can put on top of your data 1572 00:50:06,719 --> 00:50:14,838 basically to further contextualize it. Alex 1574 00:50:15,119 --> 00:50:21,39 Yeah, so just to summarize it and that's always a lot of people are asking about it 1577 00:50:21,199 --> 00:50:26,319 how do you summarize it about, for example in easy way you have to see really 1580 00:50:26,318 --> 00:50:29,838 MISP {inaudible environment/development} as an envelope and then you 1581 00:50:28,79 --> 00:50:32,318 have information inside and then what Andras describe is basically 1583 00:50:32,318 --> 00:50:34,800 different component that you have within that envelope and then you have 1586 00:50:35,760 --> 00:50:42,480 contextual layers on that envelope and relationship that are basically based on on that. 1589 00:50:42,880 --> 00:50:50,400 So, another thing that is very often and I think it is good to explain it, is about the 1592 00:50:48,960 --> 00:50:53,119 terminology between indicators, attributes, and so on that is 1594 00:50:53,119 --> 00:50:57,358 a different especially indicator of compromise and so on 1596 00:50:57,358 --> 00:51:01,440 In MISP, an attribute is close to an indicator 1598 00:51:01,440 --> 00:51:05,599 and we have this kind of flexible models where 1600 00:51:05,599 --> 00:51:09,200 maybe some of you are familiar with observables in MISP 1602 00:51:09,199 --> 00:51:13,440 we call it attributes and those observables are basically depending on the type 1605 00:51:13,440 --> 00:51:20,0 So, we have a specific flag in attributes which is basically defining 1608 00:51:20,0 --> 00:51:23,599 3080 --> 3083.599 if information can be used automatically for detection 1610 00:51:23,599 --> 00:51:29,960 and that's I think one of the most important aspects when we talk about attribute in MISP 1613 00:51:28,880 --> 00:51:34,119 an attribute can become an observable or become an indicator of compromise 1615 00:51:33,119 --> 00:51:37,880 depending on the simple flag and this is quite important because 1618 00:51:37,280 --> 00:51:43,599 a lot of analysis and so on will depend on that and especially all you will use that afterwards 1621 00:51:43,599 --> 00:51:48,39 if you plan for example to use the data into a protective systems and so on 1624 00:51:48,39 --> 00:51:54,79 the IDS flags need to be set so the thing is if I take an example 1626 00:51:54,79 --> 00:51:56,480 you reverse the malware and this malware is connected to google.com for testing the connectivity 1629 00:51:59,519 --> 00:52:04,79 obviously you will have an attribute for example www.google.com 1632 00:52:03,79 --> 00:52:09,440 and this one is an interesting indicator for information for the analyst 1634 00:52:09,440 --> 00:52:14,0 so like that you can for example maybe cluster those kind of malware together as in this kind of behavior 1637 00:52:14,0 --> 00:52:19,279 3134 --> 3136.64 nevertheless you are not really interested in that information as an indicator of compromise 1641 00:52:19,280 --> 00:52:23,480 because it will generate a huge amount of false positive 1644 00:52:23,480 --> 00:52:28,640 but if for example at some point you have an IP address that is really dedicated to that malware 1646 00:52:28,639 --> 00:52:39,719 then you will set the IDS flag, so the thing is when you define in MISP these flags 1649 00:52:38,760 --> 00:52:41,599 and we will show you later on it's very important because it will define what you can do 1652 00:52:41,599 --> 00:52:48,639 3164 --> 3166.64 with information later on if you're going to automate and so on like 1655 00:52:48,159 --> 00:52:52,239 In MISP, what we try to do too instead of having just indicators 1657 00:52:52,239 --> 00:52:57,280 it's very common and I think many of you know about it you might see for example 1660 00:52:57,280 --> 00:53:01,599 a list of hashes so like for example MD5 hashes without any context 1662 00:53:01,599 --> 00:53:05,280 and sometimes it's difficult to know exactly what we are talking about 1664 00:53:05,280 --> 00:53:11,599 Are we talking about MD5 of malicious sample, are we talking about md5 of legitimate software, 1667 00:53:11,599 --> 00:53:17,39 are we talking about the MD5 value of the X.509 certificate, 1669 00:53:17,39 --> 00:53:29,719 are we talking about an MD5 as a mutex in memory 1670 00:53:19,679 --> 00:53:25,759 we have plenty of way of seeing those kind of MD5 so we try in MISP to have what we call the 1673 00:53:25,759 --> 00:53:30,318 kind of I would not say {inaudible keep shine/kill shine} but at least contextualization a category that 1675 00:53:30,318 --> 00:53:35,279 help to see in which context this has been seen 1677 00:53:35,280 --> 00:53:41,119 and as for example if 1 MD5 might have a payload delivery, telling that in which scope this has been set 1680 00:53:40,559 --> 00:53:45,440 So that means in MISP we have always and complementary type 1682 00:53:45,440 --> 00:53:52,639 so for example for an MD5 files you can say that this one is from a file or is an md5 of a fingerprint thing 1686 00:53:52,639 --> 00:53:59,679 So that means, always in MISP try to have as an indicator all those three information together 1689 00:53:59,679 --> 00:54:06,639 so it is giving at least more context and if you cannot set this context MISP will try to automatically set it. 1692 00:54:05,639 --> 00:54:12,239 So attributes are equal to indicators but with a bit more of information which is useful for you 1695 00:54:12,239 --> 00:54:19,358 At least being in a way to understand what is in a position to understand what you have in front of you 1699 00:54:19,358 --> 00:54:28,400 when you have to treat those attributes. 1700 00:54:25,358 --> 00:54:29,920 So this is just a brief view of what this looks like. 1702 00:54:29,920 --> 00:54:36,239 We're going to see this more in practice basically the idea is that all the data that we have in MISP 1705 00:54:36,239 --> 00:54:43,798 if it's well defined allows us to draw a graph out of the data and allows us to tell a story more easily 1708 00:54:42,880 --> 00:54:55,798 So here we see a simple example that basically shows the bank account that is associated with the threat actor 1712 00:54:54,480 --> 00:55:00,679 With all the various different data points with it and then we can basically relate these 1715 00:54:59,280 --> 00:55:03,200 different data points to each other and give the relationship a term as well 1718 00:55:04,880 --> 00:55:08,160 So in this case we see from the chart immediately there that that person is the owner of that 1720 00:55:08,159 --> 00:55:13,119 bank account with all those different data points for us as humans it's it's generally much more 1724 00:55:13,119 --> 00:55:18,839 easily understood if we look at a graph like that and tell the story that way 1727 00:55:17,839 --> 00:55:22,480 then if we look at a tabularized view of the data. 1728 00:55:20,798 --> 00:55:24,239 So one of the goals and something that we hope that we get out of 1731 00:55:24,239 --> 00:55:32,480 going through trainings like these is to really convert also the participants 1732 00:55:29,679 --> 00:55:38,558 to to see the value of producing data in that way instead of just sharing raw indicator lists for example. 1735 00:55:40,0 --> 00:55:45,199 3340 --> 3343.2 And that's again what we think that's really important is the contextualization again. 1738 00:55:45,280 --> 00:55:50,480 So I mentioned we have the galaxies in MISP and we have plenty of representation 1741 00:55:50,318 --> 00:55:55,838 threat actors and so on and obviously one that is quite important is the MITRE Attack one 1744 00:55:54,719 --> 00:55:57,759 so MITRE Attack is {inaudible stored/performed} as a galaxy 1746 00:55:57,760 --> 00:56:01,520 and we have this flexible {inaudible mosaic/table} in MISP that you can represent those kind of 748 00:56:01,519 --> 00:56:07,39 matrix-like model which is a case for Attack which is a very convenient way of representing the 1752 00:56:07,679 --> 00:56:14,480 different techniques in a progressive way used by the attackers and that's exactly what we can do in MISP. 1755 00:56:14,159 --> 00:56:22,79 So you have this kind of model and we have different model formats so again we have an advanced 1758 00:56:22,79 --> 00:56:30,838 i would say integration with Attack but you can extend it with multiple different kinds of galaxies which are 1762 00:56:30,0 --> 00:56:33,838 3390 --> 3393.839 similar to Attack or complementary for example we have the Industrial Control System of Attack, 1765 00:56:34,400 --> 00:56:39,440 it's a separated galaxy, you can even create a custom one directly in the system 1768 00:56:39,440 --> 00:56:46,519 and then you can filter out your data and so on and that's exactly the thing why we are I would say 1771 00:56:46,880 --> 00:56:51,480 in bracket pushing people to do more contextualization, it would be useful forthem at the end 1774 00:56:51,599 --> 00:56:58,960 because this kind of information is really showing you for example your gap in your defense 1778 00:56:58,960 --> 00:57:02,720 your specific things that the techniques that are not used by an attacker 1780 00:57:02,719 --> 00:57:05,279 you might ask why, maybe because you are missing a specific detection point that you cannot 1783 00:57:05,279 --> 00:57:12,239 detect this kind of attacks or things like that so it's really actively using the data 1786 00:57:12,239 --> 00:57:15,759 to show something meaningful with it and I think Attack is one of the way 1788 00:57:15,760 --> 00:57:19,119 but if you can combine this with additional information like site links, 1789 00:57:19,119 --> 00:57:22,239 contextualization of the relationship between different objects and so on 1792 00:57:22,239 --> 00:57:26,558 basically everything in hand to improve your posture and secure it. 1794 00:57:26,559 --> 00:57:29,0 Yeah perhaps something to add to this as well, 1796 00:57:29,0 --> 00:57:33,838 some of the additional advantages is the moment that you encode all this information along 1798 00:57:33,838 --> 00:57:39,39 with the data you can start asking those those questions from your tool basically 1800 00:57:39,39 --> 00:57:47,838 for example show me what sort of threats my constituency is facing over the past year 1804 00:57:45,760 --> 00:57:49,760 and overlayed over how what sort of threats it was facing a year ago 1806 00:57:49,760 --> 00:57:52,319 what are the trends that have evolved since then 1808 00:57:52,318 --> 00:57:58,960 the other thing that it really helps with is it also gives you a high level overview of individual reports 1811 00:57:56,400 --> 00:58:06,78 that means if I'm looking at an event in MISP and it has 800 different attributes described in there 1815 00:58:06,79 --> 00:58:10,719 making any sense out of that quickly is very difficult, but getting a high level overview using MITRE Attack 1818 00:58:10,719 --> 00:58:16,239 where you say oh okay this has to deal with spearphishing, it has to deal with information exfiltration, 1821 00:58:16,239 --> 00:58:22,79 so these immediately tell me the story of what i'm dealing with without having to dig deeper into the data itself 1825 00:58:22,79 --> 00:58:27,480 so it is incredibly useful for an analyst that is trying to make sense of the data that you're sharing. 1828 00:58:27,480 --> 00:58:36,0 Also, as for the sharing itself I mean one of the main goals with MISP is obviously to share information, 1831 00:58:36,0 --> 00:58:43,280 We haven't really talked about the sharing mechanisms yet, we basically have a bunch of different functionalities in MISP 1834 00:58:42,880 --> 00:58:48,639 that we're going to see over the next two days the deal with distributing the information. 1838 00:58:48,639 --> 00:58:55,280 One of the most obvious ones to tackle is basically who is to be the recipient of information that we're sharing 1842 00:58:55,280 --> 00:59:04,400 so basically MISP, we can basically set the distribution settings for each individual data point individually 1846 00:59:04,400 --> 00:59:10,760 or for entire collections of data in one shot so that means if we create an event we can decide who we share the event with 1849 00:59:09,760 --> 00:59:15,160 but we can further restrict individual attributes or objects further. 1854 00:59:14,838 --> 00:59:26,79 Now, who we share the information with gets decided on using one of two different means, 1857 00:59:25,79 --> 00:59:29,39 one of them is a simple system where we tell MISP you are allowed to distribute it to everyone 1858 00:59:28,440 --> 00:59:31,280 that has access to this community, for example. 1860 00:59:31,280 --> 00:59:39,440 Or to everyone that is directly connected to my community but you can also define more strict distribution lists 1863 00:59:37,838 --> 00:59:44,400 what we call sharing groups where you individually name the organizations that are to be the recipients. 1868 00:59:44,400 --> 00:59:52,159 Now on top of that, one of the things that we often struggle with is especially if you're in some of those communities 1872 00:59:51,159 --> 01:00:01,39 or you're taking part or assisting some of the communities where sharing any information might lead to reputation or financial loss. 1876 01:00:01,39 --> 01:00:04,318 For example in the financial sector we have these worries very often 1878 01:00:04,318 --> 01:00:08,318 where if a financial organization were to share any information out 1880 01:00:08,318 --> 01:00:11,838 it could be misconstrued as a successful attack against them. 1882 01:00:11,838 --> 01:00:15,719 So instead, they choose to basically even if it was something completely benign 1884 01:00:14,719 --> 01:00:20,239 that they caught in their sandboxes, in their honeypots, whatever 1887 01:00:19,199 --> 01:00:24,399 and they decide not to share it out of fear of incurring this reputation loss. 1889 01:00:24,399 --> 01:00:29,440 So one of the things that we have in MISP is this system called Delegation 1891 01:00:29,440 --> 01:00:31,920 where you can, for example appoint your ISAC, 1892 01:00:29,679 --> 01:00:38,558 your central authority for a community, a national CSIRT, whatever 1893 01:00:38,558 --> 01:00:41,599 with the responsibility of taking over the data that you produce 1898 01:00:41,599 --> 01:00:43,480 and to share it out in their name 1900 01:00:43,480 --> 01:00:48,838 so that way, it's basically a semi anonymized information sharing 1901 01:00:48,559 --> 01:00:50,880 where you are completely removed from the data that is shared out 1903 01:00:50,880 --> 01:00:55,500 so the only two parties that will know who the originator of the data is you 1904 01:00:55,500 --> 01:01:01,500 and whoever is taking over the data and taking over responsibility for the data. 1909 01:01:02,0 --> 01:01:05,280 On top of that, one of the things that we wanted to achieve with MISP 1911 01:01:05,280 --> 01:01:08,720 was basically to build a collaboration with our different partners 1913 01:01:08,719 --> 01:01:11,519 so it means that whenever we're sharing information we don't want it to 1915 01:01:11,519 --> 01:01:14,358 be a one-way communication, so we don't want to have 1916 01:01:13,358 --> 01:01:17,500 this whole feed, provider and consumers relationship 1919 01:01:17,500 --> 01:01:20,798 but we want everyone to be able to chip in with their ideas 1920 01:01:20,798 --> 01:01:24,559 so while anything that you produce in MISP will only be tied and editable 1921 01:01:24,559 --> 01:01:28,719 by your organization, others can make proposals or counter analysis to it. 1924 01:01:28,719 --> 01:01:32,919 So proposals are a system where you can basically flag information 1926 01:01:32,919 --> 01:01:37,0 as incorrect and provide feedback on how to improve it 1928 01:01:37,0 --> 01:01:40,0 or how you can add your own perspective to an event, 1930 01:01:40,0 --> 01:01:42,0 so if you receive an event from a third party you can say 1931 01:01:42,0 --> 01:01:44,400 oh I can improve it and {inaudible listen/discern} this way 1932 01:01:44,400 --> 01:01:46,8 please incorporate these changes in the event 1933 01:01:46,318 --> 01:01:49,500 and then the original producer can make the decision 1935 01:01:48,500 --> 01:01:51,519 whether to incorporate it or discard your changes. 1936 01:01:51,519 --> 01:01:55,358 As for counter analysis, this is what we call extend events. 1938 01:01:55,358 --> 01:01:59,358 You can basically create an event that latches onto an original 1940 01:01:59,358 --> 01:02:03,38 shared by a third party and provide your own perspective of it. 1942 01:02:03,0 --> 01:02:06,160 and then you keep full control of the data and you become the owner 1945 01:02:06,160 --> 01:02:09,440 of whatever the extension is that you produce to the original event. 1946 01:02:09,440 --> 01:02:17,280 This happens very often for us, for example when a vendor shares out a report. 1949 01:02:17,280 --> 01:02:21,0 For example, we get a report from say kaspersky and we have additional information 1951 01:02:20,0 --> 01:02:25,519 or we have a different opinion on something, 1954 01:02:25,519 --> 01:02:29,960 then we might create an extended event that we share out to our constituency 1957 01:02:28,960 --> 01:02:33,358 which if they have access to the original report will latch onto it 1958 01:02:33,358 --> 01:02:37,0 and it will show our perspective on top of the original. 1960 01:02:37,519 --> 01:02:41,440 Now as for the exchange itself, every organization is free to host their own 1962 01:02:41,440 --> 01:02:44,960 MISP instance and then they can decide who they want to interconnect with 1964 01:02:44,960 --> 01:02:48,240 if both parties agree, a synchronization link is established 1966 01:02:48,239 --> 01:02:51,838 between the two MISP instance and sharing can start flowing between them. 1968 01:02:51,838 --> 01:02:55,0 Now this sharing is still governed by those distribution lists 1970 01:02:54,500 --> 01:02:59,199 and by some other mechanism that we'll talk about more tomorrow 1972 01:02:59,199 --> 01:03:04,0 but basically MISP exchanges information between the individual nodes 1974 01:03:02,798 --> 01:03:06,880 in kind of a mesh network way. 1976 01:03:06,880 --> 01:03:10,0 We also have feed system that allows us to generate feeds 1977 01:03:10,0 --> 01:03:11,960 and to share those feeds with larger communities. 1979 01:03:11,960 --> 01:03:15,559 So we as CIRCL we provide another SIEM feed, for example 1980 01:03:15,280 --> 01:03:20,0 that we make freely available in our infrastructure 1981 01:03:20,0 --> 01:03:22,440 anyone can just point their MISP to it and adjust the data 1983 01:03:22,440 --> 01:03:26,119 and keep it updated using the feed system, this is also great 1985 01:03:26,119 --> 01:03:30,0 if you have ever have the need of sharing information between air gap systems. 1986 01:03:29,559 --> 01:03:37,0 You can just generate a feed based on certain filter rules and basically 1989 01:03:37,0 --> 01:03:43,0 share it through say a flash drive or something like that, with an internal system 1993 01:03:44,0 --> 01:03:48,720 Now all of these filtering options are basically user defined 1994 01:03:48,0 --> 01:03:50,880 and they rely heavily also on the contextualization 1997 01:03:50,880 --> 01:03:54,0 so very often what we're doing and especially 1998 01:03:53,639 --> 01:03:57,0 if you were ever signing up for the COVID instance that I mentioned before 2000 01:03:57,0 --> 01:04:00,559 is you can also make those decisions based on the context, 2002 01:04:00,559 --> 01:04:02,960 what data you're interested in, what date you're interested in sharing out. 2004 01:04:02,960 --> 01:04:06,400 For example, if you connect to COVID instance, we categorize all of the 2006 01:04:06,400 --> 01:04:10,79 information into three categories, health related information 2008 01:04:9,79 --> 01:04:12,720 so basically information about the spread of the pandemic, 2010 01:04:12,719 --> 01:04:16,399 information about misinformation targeting COVID, 2012 01:04:16,400 --> 01:04:22,0 and also cyber security threats that are targeting, that are now basically 2014 01:04:21,0 --> 01:04:27,0 abusing the whole COVID situation with remote work and so on. 2016 01:04:27,0 --> 01:04:30,0 so if you're only interested in one or two of these three different topics, 2019 01:04:30,0 --> 01:04:36,0 then you can set up your filters to only ingest data coming from a subset of the data set 2021 01:04:36,0 --> 01:04:39,0 Very often what we do as well is we have these internal MISP clusters 2023 01:04:38,480 --> 01:04:44,0 in our own organization as well, where we collect information from different sources 2026 01:04:43,798 --> 01:04:48,798 so we have a dedicated MISP instance where we purely collect spam information for example 2029 01:04:48,798 --> 01:04:52,0 So for a constituency, anyone can forward their spam to us 2031 01:04:52,0 --> 01:04:55,358 and we'll just generate events out of those in that MISP. 2032 01:04:55,358 --> 01:04:56,38 Generally this information 2033 01:04:56,38 --> 01:05:00,480 is really not interesting for a day-to-day detection use, for example. 2036 01:05:00,480 --> 01:05:03,679 But what we do is we cache this information and we can cross-correlate 2038 01:05:03,679 --> 01:05:05,759 this information with our operational instance 2040 01:05:05,760 --> 01:05:11,839 that means if we start the analysis process and we start an investigation 2042 01:05:11,839 --> 01:05:14,239 then we immediately see the moment we start encoding data points 2044 01:05:14,239 --> 01:05:18,598 oh this is something that was already flagged once in our spam instance 2046 01:05:18,598 --> 01:05:210,359 this information that that instance knows about, 2048 01:05:210,359 --> 01:05:24,840 then we can pivot over to that instance and fetch the information 2049 01:05:24,840 --> 01:05:28,400 related to that same data point that we're also seeing in our current incident 2052 01:05:28,400 --> 01:05:32,0 and perhaps get more information that is relevant for us from there. 2054 01:05:32,0 --> 01:05:35,79 3932 --> 3936.079 So basically very often we have these multi MISP internal enclaves 2057 01:05:35,79 --> 01:05:42,0 that help us basically to separate different concerns and 2058 01:05:41,0 --> 01:05:44,0 different collection mechanisms into their own instances. 2060 01:05:45,440 --> 01:05:49,39 Just in that scope and I think is linked to the question that we had 2062 01:05:49,39 --> 01:05:52,799 regarding the multi MISP internal enclave 2064 01:05:52,798 --> 01:05:57,599 someone was asking about synchronizing with an existing MISP and so. 2066 01:05:57,599 --> 01:06:00,720 You have this kind of local enclave options, where you can synchronize to MISP 2068 01:06:00,719 --> 01:06:05,199 like they behave in the same organization, that's one of the interesting options. 2071 01:06:05,199 --> 01:06:09,358 By the way, I would just give the mic to Josh that will explain a bit more about 2074 01:06:09,358 --> 01:06:16,0 the question and answer in zoom, to have directly the ability to answer the question answering the Zoom {inaudible} 2077 01:06:18,400 --> 01:06:20,639 I just want to jump in real quick, yeah if you have any questions 2080 01:06:20,639 --> 01:06:26,400 please direct them at the Q&A board versus the chat room 2081 01:06:26,400 --> 01:06:28,0 that way we can kind of keep a monitor of that 2082 01:06:28,0 --> 01:06:32,0 and other people can actually see the questions and the answer directly in that area 2085 01:06:32,0 --> 01:06:38,0 so if you have questions feel free to use the Q&A board and that's all 2086 01:06:38,0 --> 01:06:43,199 thank you josh that's very useful so we can keep track of them and we can answer live or 2090 01:06:43,199 --> 01:06:44,700 directly in the chat. 2091 01:06:44,700 --> 01:06:49,520 Okay great, so you see that the sharing aspect of MISP is like pretty extensive 2094 01:06:49,520 --> 01:06:53,279 and you have different models of of usage of MISP 2097 01:06:53,279 --> 01:06:58,318 some people have this pre-conception about MISP being like oh I need to share with MISP 2099 01:06:58,318 --> 01:07:01,119 no, it's depending on what you want to do with your MISP instance 2101 01:07:01,119 --> 01:07:05,500 and the core functionality of MISP is really to give, I would say the freedom 2104 01:07:05,500 --> 01:07:11,0 to each of the organizations to decide what to do with the data, if they want to share or not 2106 01:07:11,0 --> 01:07:17,359 and we always design MISP that everyone can be kind of consumers 2109 01:07:17,359 --> 01:07:21,838 so that basically getting data from different fields or producer or contributors 2110 01:07:21,838 --> 01:07:29,0 Andras mentioned a different way of contributing like sightings, making proposals, things like that 2114 01:07:29,0 --> 01:07:34,240 but it's up to the original contributors to decide if they want to share 2117 01:07:34,240 --> 01:07:41,119 that's really the thing, with MISP you can set up a MISP for like just pulling data, getting the data and that's it 2120 01:07:41,119 --> 01:07:46,480 and if at one point in time you want to like push some data you can just enable it and that's it 2123 01:07:46,480 --> 01:07:51,0 so it's really, it's just a matter of just tuning the configuration , 2126 01:07:51,0 --> 01:07:53,0 the filtering really on the synchronization, if you want to share. 2128 01:07:53,0 --> 01:07:55,838 So you don't have to change anything in your MISP instance 2129 01:07:55,838 --> 01:07:59,0 it's just a matter of of what you decide and what you need to share 2132 01:07:59,0 --> 01:08:01,500 and then the thing that is really important in MISP 2133 01:08:01,500 --> 01:08:05,760 everything can be in flex. I mean even for example that we were mentioning 2135 01:08:05,760 --> 01:08:10,240 so those kind of envelope information might change over time 2137 01:08:10,239 --> 01:08:15,0 we have seen for example some past or incident report that has been updated like 2140 01:08:15,0 --> 01:08:19,0 two years later because they discover who was the target or the threat actor behind 2142 01:08:19,0 --> 01:08:24,0 and that's the thing that's really in MISP that we really want to be flexible 2145 01:08:24,0 --> 01:08:29,500 you can really expand the information either internally, add some comment and so on 2147 01:08:29,500 --> 01:08:35,359 and to share this information in your different MISP instances and share with partners, 2150 01:08:35,359 --> 01:08:37,200 your teams and so on so. 2151 01:08:37,200 --> 01:08:42,0 Really, MISP the core functionality of MISP is distributing information 2153 01:08:42,0 --> 01:08:46,500 but if you don't want to use it it's fine you just don't enable synchronization 2156 01:08:46,500 --> 01:08:50,0 but if you want to use partially, part of synchronization and so on 2158 01:08:50,0 --> 01:08:53,838 you just set up this kind of parameters. 2160 01:08:55,0 --> 01:09:00,0 So on top of collecting all this information 2161 01:09:00,0 --> 01:09:03,0 and synchronizing the information that we talked about before 2162 01:09:03,0 --> 01:09:06,0 we basically do a bunch of different stuff to improve 2164 01:09:06,0 --> 01:09:08,0 to handle the quality management of the information as well. 2165 01:09:08,0 --> 01:09:11,0 So one of the first things we do, this is something we mentioned a bit before 2167 01:09:11,0 --> 01:09:16,0 is we correlate information so we're interested in data that we've already seen before 2170 01:09:16,0 --> 01:09:18,559 we also have the feedback loop that we mentioned before with sightings 2172 01:09:18,560 --> 01:09:22,0 that means we really want to get timeliness to the information as well 2175 01:09:22,0 --> 01:09:27,439 so that we can but make better decisions on what we keep in our working data set for detection, 2177 01:09:27,439 --> 01:09:29,5 for blocking and so on. 2178 01:09:29,520 --> 01:09:33,679 The false positive management is a huge part so the warning list system 2180 01:09:33,679 --> 01:09:37,0 where we basically exclude those typical false positives 2182 01:09:37,0 --> 01:09:41,440 plays a very important role in the legal equation and this is also a community driven effort 2184 01:09:41,439 --> 01:09:46,0 so if you want to get involved with that and build and include your own infrastructure 2187 01:09:46,0 --> 01:09:48,399 for example in the warning list and so on, 2189 01:09:48,399 --> 01:09:53,0 either do it internally for your MISP or just share it with the open source community as well 2191 01:09:53,0 --> 01:09:56,719 so let us know if you want to have that included as well 2193 01:09:56,719 --> 01:09:58,500 we haven't talked about enrichment systems yet 2195 01:09:58,500 --> 01:10:00,880 but basically one of the things that we do in MISP is 2196 01:10:00,880 --> 01:10:05,238 we have connectors to all those different services that you might already be subscribed to 2199 01:10:05,238 --> 01:10:11,439 so if you have domain tools, passive total or what way or any of the other services 2202 01:10:11,439 --> 01:10:15,439 intel 471, and so on that you already subscribed to, then you can use 2205 01:10:15,439 --> 01:10:19,600 those services to enrich the data that you're working on 2208 01:10:19,600 --> 01:10:22,0 so if you have an incident and you're encoding information 2209 01:10:22,0 --> 01:10:24,640 you go out to all the services that you connect, that you have access to 2210 01:10:24,640 --> 01:10:29,600 4224.64 --> 4228 and fetch the information on what else those systems know about the different data points that you're encoding 2213 01:10:29,600 --> 01:10:33,679 so that you basically get a jump start on your investigation. 2215 01:10:33,679 --> 01:10:37,119 Now one of the most important things that we have to deal with and this is probably 2217 01:10:37,119 --> 01:10:42,559 i think about 50% of the code base of MISP 2219 01:10:42,560 --> 01:10:46,560 is basically the APIs and the libraries that deal with integrating MISP with other tools 2221 01:10:46,560 --> 01:10:50,580 so everything that we can do by the UI, MISP is also exposed to the api 2223 01:10:50,580 --> 01:10:54,960 and one of the most important things for us is to make sure that 2225 01:10:54,960 --> 01:11:00,0 you can use MISP as simply a backend for another tool as opposed to just directly using MISP itself. 2228 01:11:00,0 --> 01:11:04,640 As for timeliness, we haven't really touched on that yet. 2230 01:11:04,640 --> 01:11:10,480 Besides the sighting aspect, you can also encode information about time ranges when something was seen 2233 01:11:10,480 --> 01:11:19,200 and you can build a full timeline of the events that occurred during a cyber incident for example. 2237 01:11:19,200 --> 01:11:22,719 So if you encode this information together with all your data points 2239 01:11:22,719 --> 01:11:26,960 then you get an additional graph out of it that tells you when what happens 2241 01:11:26,960 --> 01:11:30,0 and time-based correlations are really important as well. 2243 01:11:30,0 --> 01:11:33,599 So very often when you're seeing two things happening at the same time 2245 01:11:33,600 --> 01:11:35,800 they might be related with each other and 2248 01:11:35,800 --> 01:11:40,960 they might be worth digging into whether there is a link between those two things that happened. 2250 01:11:40,960 --> 01:11:43,480 So something else that we will touch on more tomorrow 2251 01:11:43,480 --> 01:11:47,200 is we have a full indicator lifecycle management system in MISP. 2254 01:11:47,200 --> 01:11:50,0 That means you can define your own rules and tune your own rules 2256 01:11:50,0 --> 01:11:53,500 on how you're going to be scoring and decaying indicators 2257 01:11:53,500 --> 01:11:57,119 based on all the contextualization that you have, 2258 01:11:57,119 --> 01:11:58,719 based on the type of the data that you have, 2259 01:11:58,719 --> 01:12:02,439 based on source of the information that you have and so on and so forth. 2260 01:12:02,439 --> 01:12:09,0 So we're going to go into much more detail on that tomorrow. Alex. 2265 01:12:15,359 --> 01:12:20,359 Yeah, so I was just answering a question and then I will make it public in a minute 2267 01:12:20,359 --> 01:12:25,639 that's a question about the API and using MISP. 2270 01:12:25,639 --> 01:12:30,0 There are different ways to evaluate the quality of the information that you share in MISP. 2273 01:12:30,0 --> 01:12:35,238 One of those is obviously to look at statistics, There is a statistics version in MISP to see 2276 01:12:35,238 --> 01:12:40,238 for example, the kind of indicator shared by organization and so on. 2278 01:12:40,238 --> 01:12:43,279 In addition to that, there is for example 2279 01:12:43,279 --> 01:12:46,279 MISP dashboard which includes a kind of gamification of the platforms 2281 01:12:46,279 --> 01:12:53,600 and which is giving badges per organization depending on the kind of information that you share 2284 01:12:53,600 --> 01:12:59,520 and that's a nice way to to find out if you are reaching a certain level of capabilities when using MISP 2287 01:12:59,520 --> 01:13:02,360 where you basically have for example information like 2289 01:13:02,360 --> 01:13:08,960 are you using sightings, do you use objects and stuff like that. 2292 01:13:08,960 --> 01:13:12,0 For example, thing that you can really look at if you want to see 2293 01:13:12,0 --> 01:13:14,480 if the quality of information that you create in MISP 2296 01:13:14,480 --> 01:13:19,560 i would just following the standards what is following the best practices in the different organization 2297 01:13:19,560 --> 01:13:22,640 is to compare with the {inaudible} feed 2300 01:13:22,640 --> 01:13:25,198 there are some goods even in the OSINT feed and 2301 01:13:25,198 --> 01:13:29,519 for example, things that are really a good indicator is to see 2303 01:13:29,520 --> 01:13:32,880 are you just using indicators and using objects, 2305 01:13:32,880 --> 01:13:35,0 are those objects linked together by using the relationship to it, 2306 01:13:35,0 --> 01:13:40,199 are you using galaxies, are those galaxies at the event level, {inaudible} level, 2308 01:13:40,198 --> 01:13:46,0 do you have tags, labels on specific objects or specific attributes and so on 2311 01:13:46,0 --> 01:13:52,960 that's different parameters and I think the question from {inaudible} is pretty good. 2315 01:13:52,960 --> 01:14:00,39 and if you really want to dive into the KPI aspect of MISP and quality of information. 2316 01:14:00,39 --> 01:14:03,239 In addition to what Andras just said 2320 01:14:03,239 --> 01:14:07,600 there are some other things about the quality of information shared within the community 2321 01:14:07,600 --> 01:14:11,920 and there's some good examples in the MISP dashboard about the different badges 2324 01:14:11,920 --> 01:14:16,0 there is even a model for sharing such kind of information. 2326 01:14:16,0 --> 01:14:19,0 So another thing that is I think quite useful and 2329 01:14:19,0 --> 01:14:23,520 it was one of the core functionality of MISP was the correlation features. 2330 01:14:23,520 --> 01:14:29,119 This one is, it looks like obvious but it's not always obvious 2332 01:14:29,119 --> 01:14:32,800 I mean a lot of tools in the security field exist but they don't do automatic correlations. 2334 01:14:32,800 --> 01:14:35,679 For example, at the {inaudible} we are using ticketing system 2337 01:14:37,119 --> 01:14:39,0 and sometimes it's very difficult to find if we have two correlating events 2338 01:14:39,0 --> 01:14:42,820 and what we decided in MISP which covers the cost. 2339 01:14:42,820 --> 01:14:48,800 I mean the correlation engine is maybe one of the costly aspects of using MISP on a database level. 2341 01:14:48,800 --> 01:14:49,919 but it's really useful. 2342 01:14:49,919 --> 01:14:52,500 For example, here we just have an example of 2343 01:14:52,500 --> 01:15:00,500 information about some malware spam that are used to share uh information about 2348 01:15:00,500 --> 01:15:04,239 target campaigns for the financial malware 2351 01:15:04,239 --> 01:15:09,819 and what we can see there is basically correlation on similar points 2352 01:15:09,819 --> 01:15:12,880 and those ones are mainly IP addresses of the infrastructure 2355 01:15:12,880 --> 01:15:16,0 but you can really spot interesting things there. 2357 01:15:16,0 --> 01:15:19,679 For example, you see that the third {inaudible bone/bin} in Germany share indicators, 2360 01:15:19,679 --> 01:15:24,0 you have a polish bank sharing the same kind of indicators 2361 01:15:24,0 --> 01:15:26,560 we were sharing such kind of indicators too 2362 01:15:26,560 --> 01:15:30,640 and even if they have different names or different contextualization 2365 01:15:30,640 --> 01:15:33,439 we can really spot similar infrastructure 2366 01:15:33,439 --> 01:15:39,198 so we can see okay, it's maybe the same actors using an infrastructure for different kind of things 2369 01:15:39,198 --> 01:15:45,679 or for example we can actually see here that we have different names of the similar malware 2372 01:15:45,679 --> 01:15:48,0 so really this is important for example another thing that is interesting is 2374 01:15:48,0 --> 01:15:53,739 for example if you have a sinkhole IP address setup by a antivirus company for example, 2377 01:15:53,739 --> 01:15:57,560 you can directly spot it. I mean if you have, I don't know, APT 29 2380 01:15:57,560 --> 01:16:01,840 and you have like three different criminals malware going on that one and so on 2383 01:16:01,840 --> 01:16:05,600 obviously it's usually not the same infrastructures but on the other hand 2385 01:16:05,600 --> 01:16:08,39 you can directly spot, okay this one is already take down 2386 01:16:08,39 --> 01:16:12,159 it's handled by this antivirus company and you can really handle it 2388 01:16:12,158 --> 01:16:20,679 so it's really a way to quickly find if it's a new threat or something that is already known in the infrastructure 2392 01:16:22,439 --> 01:16:28,640 So a little bit of the sightings themselves so we're going to see this more in practice 2395 01:16:28,640 --> 01:16:36,79 basically we have a very simple interfacing list that allows us to to tell the community 2398 01:16:36,79 --> 01:16:40,158 that we've seen an indicator, as well as when we've seen it 2401 01:16:40,158 --> 01:16:46,238 and perhaps also include information on what tool we've picked up, what context we've seen, 2402 01:16:46,238 --> 01:16:50,359 so sightings can have some metadata on top of just being a sighting. 2406 01:16:50,359 --> 01:16:54,79 We can also flag something that we call negative sightings which is a false positive sighting 2409 01:16:54,79 --> 01:16:59,0 where we indicate that we've seen it but it produced issues for us so it was a false positive. 2412 01:16:59,0 --> 01:17:05,520 We can also indicate that something is potentially going to be expired at a certain date, 2415 01:17:05,520 --> 01:17:10,0 so this is interesting, for example, if we're in talks with a provider 2418 01:17:10,0 --> 01:17:11,519 and we know that there is going to be a takedown 2420 01:17:11,519 --> 01:17:17,0 then we can already indicate that okay, this is no longer an indicator after a certain point in time. 2422 01:17:17,0 --> 01:17:21,679 Apart from that if you are ever dealing with bulk sightings, 2424 01:17:21,679 --> 01:17:28,0 so if you want to for example just capture any IP address seen in your network or something like that 2427 01:17:28,0 --> 01:17:34,560 there is another tool called SightingDB, which is developed by Devo, it's also an open source tool. 2430 01:17:34,560 --> 01:17:38,79 It's really recommended to use that, it allows you to to capture massive massive amounts of data 2432 01:17:38,79 --> 01:17:45,539 so if you're capturing the entire network flow of your constituency and or your organization 2436 01:17:45,539 --> 01:17:49,920 and just dumping all the data somewhere this is a great place to do it 2439 01:17:49,920 --> 01:17:53,760 and it's a very fast lookup database that is integrated with MISP 2441 01:17:53,760 --> 01:17:58,500 where MISP can automatically just query it for any of the indicators that you're seeing in MISP, 2445 01:17:58,500 --> 01:18:05,359 and whether it was seen in your network, and in which time range it was seen in. 2446 01:18:03,0 --> 01:18:07,500 interesting thing with that is it's also for historical values 2448 01:18:07,500 --> 01:18:14,238 so if you're just doing bulk collection of all the observables in your network 2451 01:18:14,238 --> 01:18:26,500 and then even half a year later if it turns out that a indicator is being shared with you 2454 01:18:26,500 --> 01:18:27,0 that correlates with an observable that SightingDB from half a year ago 2456 01:18:27,0 --> 01:18:30,0 then you know that you might need to launch an investigation into something 2459 01:18:30,0 --> 01:18:34,0 that happened half a year ago in logs and so on based on the historic look up. 2460 01:18:38,0 --> 01:18:41,0 Alex 2462 01:18:41,0 --> 01:18:44,500 Just complementary notes regarding sightings and 2464 01:18:44,500 --> 01:18:49,439 that's something that is basically maybe the easiest way of sharing additional information 2467 01:18:49,439 --> 01:18:53,839 it costs nothing and if you are connected to a MISP instance 2468 01:18:53,839 --> 01:18:56,319 and you can tell someone else that you have seen it 2469 01:18:56,319 --> 01:18:59,900 it's really a quick thing that can be useful for many organizations. 2473 01:18:59,900 --> 01:19:04,500 So the sighting itself sounds like a very small feature 2474 01:19:04,500 --> 01:19:10,399 but at the end, it's a an easy one for contributing and helping the others to know 2478 01:19:10,399 --> 01:19:15,0 if an indicator is still valuable and so on, so sighting is really something that 2481 01:19:15,0 --> 01:19:22,920 can basically be a kind of of entry-level things to do when sharing information 2484 01:19:22,920 --> 01:19:28,500 Something else that we have in MISP, this one is I think becoming more and more important 2487 01:19:28,500 --> 01:19:32,239 and we will do a quick demo later regarding that. 2489 01:19:32,238 --> 01:19:37,0 It's a timeline, I mean when we do analysis and so on, 2490 01:19:37,0 --> 01:19:40,0 it's really I would say common to have a first seen, last seen 2492 01:19:40,0 --> 01:19:42,159 to see the evolution of things over time. 2494 01:19:42,159 --> 01:19:45,198 In the example that you see on the screen there 2496 01:19:45,198 --> 01:19:47,319 It's based on specific threat actors 2497 01:19:47,319 --> 01:19:54,839 that sends a significant numbers of spear phishing 2499 01:19:54,839 --> 01:20:00,0 and those spear phishing are very well known when we collect those timestamps and so on. 2503 01:20:00,0 --> 01:20:03,0 So you can really see and trace the evolution of a specific group and so on. 2506 01:20:03,0 --> 01:20:07,500 This can be done automatically, for example passive dns records 2507 01:20:07,500 --> 01:20:13,0 I have very often the first seen, last seen and automatically you can really build 2510 01:20:13,0 --> 01:20:18,0 and create this kind of timeline because it can be really cumbersome if you have to do it manually 2514 01:20:18,0 --> 01:20:22,239 So we have a nice view like that so that means every time you set a first seen, last seen 2516 01:20:22,239 --> 01:20:26,0 on any attribute, object, and so on; it automatically populate on the timeline 2518 01:20:26,0 --> 01:20:31,7 and it's an easy way to to see evolution, trend and so on for your analysis 2521 01:20:31,700 --> 01:20:39,280 and this is a completely interactive so you can navigate over that. 2522 01:20:39,280 --> 01:20:42,0 We will show that later. 2524 01:20:43,0 --> 01:20:47,39 So for life cycle management, again this is something that we show briefly but 2527 01:20:47,39 --> 01:20:49,480 we're going to way more depth about that tomorrow 2528 01:20:49,480 --> 01:20:53,519 is basically here we see some examples of some attributes 2531 01:20:53,519 --> 01:20:58,800 that have scores applied to them coming from different scoring models. 2532 01:20:58,800 --> 01:21:03,0 So we see there an IDS simple decaying model and then a custom model 2533 01:21:03,0 --> 01:21:08,800 titled "Model 5" that are basically running on each of those indicators 2535 01:21:08,800 --> 01:21:13,500 and they generate a score taking into account for things such as labels that are attached to them, 2536 01:21:13,500 --> 01:21:17,0 the timestamp on when the attribute was created 2537 01:21:17,0 --> 01:21:21,0 as well as the timestamp of the different sightings that came in so generally 2544 01:21:21,0 --> 01:21:24,0 if something is still being actively seen in your network 2545 01:21:24,0 --> 01:21:28,0 that is still relevant despite the indicator itself being perhaps older 2546 01:21:28,0 --> 01:21:33,520 and then using the score that gets generated from these different models that you define 2551 01:21:33,520 --> 01:21:37,500 you can basically then make those decisions when you're exporting data to only include 2554 01:21:37,500 --> 01:21:43,0 data above a certain threshold when you're feeding your SIEM for example. 2556 01:21:44,79 --> 01:21:48,500 Yeah, and this one is quite interesting because you can really define 2557 01:21:48,500 --> 01:21:52,159 so the thing that is really important with the decaying of indicators 2559 01:21:52,159 --> 01:21:58,920 you are not modifying that actually you are really just updating and overlapping 2564 01:21:58,920 --> 01:22:01,759 and you can just define those kind of models so that means for example 2566 01:22:01,759 --> 01:22:05,39 even within a team where you don't agree on a specific model, you can have both models. 2569 01:22:05,39 --> 01:22:09,679 It's very common, for example, to have models for intrusion detection systems 2571 01:22:09,679 --> 01:22:16,719 and specific models for I don't know, endpoint, {inaudible} or endpoint protection device 2574 01:22:16,719 --> 01:22:20,639 and in MISP you have even a models or kind of simulator 2575 01:22:20,639 --> 01:22:25,500 where you can simulate the different model that you want to apply 2578 01:22:25,500 --> 01:22:28,920 and to see what kind of lifetime you want to apply, 2579 01:22:28,920 --> 01:22:32,0 when it decay, when for example you have a specific threshold where 2582 01:22:32,0 --> 01:22:39,500 basically say okay you don't use anymore those kind of data and you can do the mapping with 2583 01:22:39,500 --> 01:22:45,500 specific taxonomies you can with the different types, attributes, and so on 2585 01:22:45,500 --> 01:22:49,0 directly in MISP and it is really a quick win. 2588 01:22:49,0 --> 01:22:53,500 So you are not bound, for example, we know that some TIPs for example 2591 01:22:53,500 --> 01:22:58,479 have a kind of system-wide decaying models in MISP it is not like that, 2593 01:22:56,880 --> 01:23:02,679 everyone has their models, we are sharing some models 2594 01:23:02,679 --> 01:23:06,0 and you can define what you want to use without really altering the data. 2598 01:23:06,0 --> 01:23:10,238 So that means this kind of of information there is just an overlay 2599 01:23:10,238 --> 01:23:15,0 and you actually keep your own data in the systems without having any modification. 2601 01:23:17,0 --> 01:23:24,0 And you can simulate that one. 2605 01:23:27,0 --> 01:23:31,0 So when it comes to starting out, one of the trickiest things obviously is 2606 01:23:31,0 --> 01:23:34,0 when you're starting out with MISP is if you're staring as an empty instance 2607 01:23:34,0 --> 01:23:37,198 then getting started and encoding information is really tough 2610 01:23:37,198 --> 01:23:40,0 because you don't know what is really expected from the communities out there, you don't know how. 2612 01:23:40,0 --> 01:23:44,0 It's a new tool, you don't really know how to get started. 2616 01:23:44,0 --> 01:23:50,239 So in order to ease this a little bit there are a bunch of different feeds some of those that we also provide ourselves 2619 01:23:50,239 --> 01:23:54,500 which is obviously operational information something that you can use directly 2622 01:23:54,500 --> 01:24:00,799 so these are OSINT feeds that we produce as well from our TLP white data set 2623 01:24:00,799 --> 01:24:04,0 and the idea is that this will really help with bootstrapping your processes. 2625 01:24:04,0 --> 01:24:08,0 Look at the data we consider that generally well-formed 2629 01:24:08,0 --> 01:24:12,500 and well contextualized. It should give you an idea of what data generally looks like in MISP. 2631 01:24:12,500 --> 01:24:15,500 So don't start out with a fresh instance, 2632 01:24:15,500 --> 01:24:18,0 just go to your feed menu in your MISP when you're installing it 2633 01:24:18,0 --> 01:24:22,500 and pull in some of these OSINT feeds so that you see the information already. 2636 01:24:23,500 --> 01:24:27,359 Also it's a great way to test your internal tooling 2637 01:24:27,359 --> 01:24:31,119 so if you want to test the APIs, if you want to test internal synchronization, 2640 01:24:31,119 --> 01:24:33,500 it's good to have larger data set already from the get go 2641 01:24:33,500 --> 01:24:38,679 so that you already see that the movement of the data is working as expected. 2645 01:24:38,679 --> 01:24:44,500 Yeah, the other thing that you can do and where we're going to talk about that quite a bit tomorrow 2648 01:24:44,500 --> 01:24:50,500 is basically figuring out which feeds are worth ingesting, 2650 01:24:50,500 --> 01:24:55,719 how the feeds compare to each other, running overlap analysis between them and so on 2653 01:24:55,719 --> 01:25:00,0 So this is something that this is quite a heavy topic for tomorrow. 2656 01:25:05,0 --> 01:25:08,0 You're muted alex. 2657 01:25:08,0 --> 01:25:09,500 Yeah just discover {inaudible this/MISP}. 2658 01:25:09,500 --> 01:25:12,0 So as you can see for MISP, 2659 01:25:12,0 --> 01:25:15,300 it's the development of MISP already done over the years, 2661 01:25:15,300 --> 01:25:19,760 based on the feedback of users and that's really one of the key elements for us. 2663 01:25:19,760 --> 01:25:22,0 We wanted a tool for us that works 2665 01:25:22,0 --> 01:25:28,879 and it's key and based on that we wanted something that works for others too 2667 01:25:28,880 --> 01:25:33,679 and I mean the tool is evolving over time so you see that we have plenty of functionalities 2670 01:25:33,679 --> 01:25:37,79 On those two days of workshop we'll try to cover a part of it, 2672 01:25:37,79 --> 01:25:41,679 we had already some good questions regarding how to customize this and so on. 2675 01:25:41,679 --> 01:25:45,119 We might give you some hints how to do it and and so on, 2677 01:25:45,119 --> 01:25:47,0 so we won't be able to cover everything in those two days 2678 01:25:47,0 --> 01:25:54,0 but you'll see that you can really update MISP based on your specific use cases and so on. 2679 01:25:54,0 --> 01:26:00,500 So MISP is there as a tool, what really usually matters and are the successful, 2680 01:26:00,500--> 01:26:07,0 I would say, sharing communities depends on the practices or you do that and so on 2687 01:26:07,0 --> 01:26:11,0 and we really want at least at the end, even if it's a complex tool and so on 2690 01:26:11,0 --> 01:26:15,520 to be as easy as possible for covering different use case 2691 01:26:15,520 --> 01:26:17,500 and that's really the thing that we want to do, 2693 01:26:17,500 --> 01:26:19,520 is for example for a lot of things that we have in MISP 2694 01:26:19,520 --> 01:26:23,700 and someone just asked the questions about how can you customize MISP 2697 01:26:23,700 --> 01:26:27,119 a lot of things in MISP can be customized by just modifying some JSON files. 2700 01:26:27,119 --> 01:26:32,519 It's the case for MISP objects so if you want to create a new object you just update the json files, 2701 01:26:32,519 --> 01:26:39,500 if you want to, for example, create a new taxonomies or create a new galaxy 2706 01:26:39,50 --> 01:26:41,839 you just create those kind of json files. 2708 01:26:41,839 --> 01:26:45,500 You have other ways to update and change the behavior of MISP. 2709 01:26:45,500 --> 01:26:48,158 it's based for example on MISP modules 2710 01:26:48,158 --> 01:26:51,439 so if you want to change the behavior of the expansion and so on 2712 01:26:51,439 --> 01:26:58,800 you can just play with MISP modules and we will quickly show you some examples on these modules 2716 01:26:58,800 --> 01:27:02,80 but that's really simple I mean there's no {inaudible} 2719 01:27:02,80 --> 01:27:10,239 and that's the thing that you have to understand with MISP project is not just a small open source software somewhere 2720 01:27:10,239 --> 01:27:16,800 it's really a set of combination of tool, software, packages, open standards, 2721 01:27:16,800 --> 01:27:23,799 various best practices, shared knowledge base and obviously the community is using it. 2728 01:27:23,799 --> 01:27:26,500 So that's really the thing that we will have we love with FIRST for example. 2731 01:27:26,500 --> 01:27:31,0 it is to have this kind of community, learning together, sharing information, 2732 01:27:31,0 --> 01:27:33,119 and so that's that's really a key for us. 2735 01:27:33,119 --> 01:27:41,500 We have, I think more than 500 contributors on the MISP project with even more nowadays. 2738 01:27:41,500 --> 01:27:45,500 So if you want to become one of the contributors it's really straightforward I mean 2739 01:27:45,500 --> 01:27:48,800 if you have something, a problem that you want to solve, 2742 01:27:48,800 --> 01:27:51,400 for example on an object, you just do a pull request and 2743 01:27:51,400 --> 01:27:55,840 it will be in MISP immediately and you become a contributor in the project 2747 01:27:57,679 --> 01:27:58,0 so really for us, it's really key in MISP 2748 01:27:58,0 --> 01:28:02,0 is to have a kind of tool that is supporting the different use cases 2749 01:28:02,0 --> 01:28:06,238 Okay so before that, we do a break I will share you with you 2750 01:28:06,238 --> 01:28:12,759 some practical details on accessing the MISP training instance because there were some questions regarding that 2755 01:28:12,759 --> 01:28:20,0 and after the break, we will do the hands-on practical session 2756 01:28:20,0 --> 01:28:25,359 with an example, so we will with a real example, so you will create the full event 2757 01:28:25,359 --> 01:28:27,359 based on some information that you receive. 2759 01:28:27,359 --> 01:28:36,500 So first of all, I will give you some details about how to access the MISP instance. 2763 01:28:36,500 --> 01:28:42,500 S0, first of all we have a {inaudible acting/active} page 2764 01:28:42,500 --> 01:28:48,500 which I obviously share at some point in time and I will share it again. 2766 01:28:48,500 --> 01:28:54,799 Yes. So there's a page with some pages that you can even edit. 2769 01:28:54,799 --> 01:29:00,0 I will paste the link again in the chat for everyone. 2772 01:29:05,639 --> 01:29:11,319 That's the link, so we have a 50 account on the training instance. 2773 01:29:11,319 --> 01:29:14,159 Pick randomly one 2775 01:29:14,158 --> 01:29:18,0 it doesn't matter if you are multiple one using the same account but be careful 2777 01:29:18,0 --> 01:29:22,119 don't change the password because maybe some people will complain, 2780 01:29:22,119 --> 01:29:30,800 and then we have a "TrainingFIRST2021" password so super simple 2782 01:29:30,800 --> 01:29:33,600 not so secure but that's fine it's a training instance. 2785 01:29:33,600 --> 01:29:41,0 Just for the reference, for the one that doesn't want to use the training instance 2786 01:29:41,0 --> 01:29:44,0 sometimes for whatever reason you want to use your own instance. 2788 01:29:44,0 --> 01:29:50,238 We have different images, virtual box and VMware images for MISP. 2791 01:29:50,238 --> 01:29:54,158 So if you want to play with MISP locally and so on. 2793 01:29:54,158 --> 01:29:57,279 If you want to play with synchronization too, you can even connect those two 2794 01:29:59,500 --> 01:30:05,280 So and during the sessions we will connect to that instance so the instant is "iglocska.eu" 2796 01:30:05,280 --> 01:30:14,0 and when you connect, you will get access to the instance. 2799 01:30:14,0 --> 01:30:18,158 So you enter your training password so I will enter with my specific account 2802 01:30:18,158 --> 01:30:23,500 and we will use that instance for the hands-on that we will do just after the break. 2804 01:30:23,500 --> 01:30:31,0 So what I propose now is to do a 15 minute break and we start at 45, if it's fine for everyone 2808 01:30:31,0 --> 01:30:39,600 and we will start by with the practical sessions with a specific email 2811 01:30:39,600 --> 01:30:43,600 that we will share in the {inaudible} as a practical example 2813 01:30:43,600 --> 01:30:51,300 so thank you for the one that join us now and we will start again at 45 2814 01:30:51,300 --> 01:30:54,500 to do the hands-on session. Thank you very much. 2817 01:30:55,500 --> 01:30:57,500 Thank you. 2819 01:44:10,399 --> 01:44:14,0 Okay and shall we get started. 2820 01:44:15,0 --> 01:44:18,559 Sure, welcome back everyone. 2821 01:44:19,0 --> 01:44:25,399 Okay so now what we're going to be doing is we're going to look a little bit at MISP itself 2824 01:44:25,399 --> 01:44:28,500 so we've talked plenty about it but we haven't actually done anything with it yet. 2825 01:44:28,500 --> 01:44:34,560 So I really encourage everyone that has a MISP instance to also play along and to create your own events. 2827 01:44:34,560 --> 01:44:39,199 What we're going to be doing is we're going to go through a set of fictional little exercise. 2830 01:44:39,199 --> 01:44:46,560 Assume that you receive an email from, in this case, luxembourg {inaudible} telecom 2836 01:44:46,560 --> 01:44:51,80 the CSIRT of them describing an incident, of a very simplistic incident, 2838 01:44:51,80 --> 01:44:56,479 of what happened and what we're going to be trying to do now is to model this in MISP 2840 01:44:56,479 --> 01:45:01,839 and to explain how you can further improve it and contextualize this information 2843 01:45:01,839 --> 01:45:07,0 So before we start, once you're logged into the MISP instance, 2845 01:45:07,0 --> 01:45:11,0 such as the hosted training instance. This is what you're going to be seeing. 2848 01:45:11,0 --> 01:45:14,500 So it's a little bit squeezed on Alex's screen 2850 01:45:14,500 --> 01:45:21,599 but the idea is that you have a list of events that are listed on the main page. 2852 01:45:21,599 --> 01:45:25,280 So we're in the event index, this is our landing page when we load up MISP 2854 01:45:25,280 --> 01:45:29,0 and each of these individual lines represents an event so they're describing either an attack, 2857 01:45:29,0 --> 01:45:39,500 or perhaps a report, recurring distribution, or a certain type of of indicator lists and so on. 2861 01:45:39,500 --> 01:45:45,0 So what you're seeing here is, you have each of these events having an ID and some metadata around it 2863 01:45:45,0 --> 01:45:50,500 so these metadata can be either coming from this galaxy cluster system that we mentioned. 2864 01:45:50,500 --> 01:45:53,500 For example describing different attacker techniques, 2867 01:45:53,500 --> 01:46:00,0 different types of ransomwares in this case or attack patterns that are leveraged 2871 01:46:00,0 --> 01:46:04,0 and then if we scroll a bit further right so this is a bit lower resolution here that we see 2874 01:46:04,0 --> 01:46:07,500 but you should have it visible on the same page. 2877 01:46:07,500 --> 01:46:14,239 You see the information about what this event is trying to describe to us 2880 01:46:14,239 --> 01:46:17,500 it's simple to understand text-based representation. 2881 01:46:17,500 --> 01:46:22,500 Now this instance is used for trainings in general so it's going to be filled with a lot of junk 2883 01:46:21,198 --> 01:46:26,500 interspersed with real data that is coming from our TLP white feed. 2886 01:46:26,500 --> 01:46:31,679 So you're going to see some obviously weird events in there. 2889 01:46:31,679 --> 01:46:37,199 These are just there for testing, just players playing during an exercise and so on 2891 01:46:37,199 --> 01:46:39,500 but also some real events there. 2892 01:46:39,500 --> 01:46:42,500 So what we're going to be doing now is we're going to create our own event 2894 01:46:42,500 --> 01:46:46,0 based on that email that we received it's also on the hackmd page 2896 01:46:46,0 --> 01:46:52,880 so just have a look at the email itself and we need to start encoding that event. 2900 01:46:52,880 --> 01:46:56,0 so before we include anything in MISP, the first thing that we need to do 2902 01:46:56,0 --> 01:46:59,500 is we need to create a new event so this is where everything starts. 2904 01:46:59,500 --> 01:47:04,0 Way to do it is to just click on add event on the left side of the menu 2906 01:47:04,0 --> 01:47:07,0 and then you start with a very simplistic form 2907 01:47:07,0 --> 01:47:10,800 where we can describe the event in a very high level in MISP. 2909 01:47:10,800 --> 01:47:14,500 so here you see the first step is very straightforward 2911 01:47:14,500 --> 01:47:19,300 the things that we have to watch out for out here is we have to decide who gets to see the event 2914 01:47:19,300 --> 01:47:21,500 so this is the distribution level 2915 01:47:21,500 --> 01:47:25,0 and that we need to set a basic description of it. 2918 01:47:25,0 --> 01:47:31,500 As for the distribution itself, you have different ways of interacting with the data here already 2921 01:47:31,500 --> 01:47:34,400 so one of the decisions that you have to make, 2922 01:47:34,400 --> 01:47:37,500 even if you're going to share to the wider community out there is 2925 01:47:37,500 --> 01:47:41,119 do I keep this internal until I am ready to share it with the community 2926 01:47:41,119 --> 01:47:45,500 or do I already make it visible to anyone that has access to the data in the community. 2930 01:47:45,500 --> 01:47:51,500 Now keep in mind that we have a publishing process in MISP, so until an event is published 2933 01:47:51,500 --> 01:47:55,118 it is not propagated out to other MISP instances, 2934 01:47:55,118 --> 01:47:58,0 that means anyone on the current MISP instance can see the data 2936 01:47:58,0 --> 01:48:01,500 but it will not jump to a different MISP instance at this point in any way. 2939 01:48:01,500 --> 01:48:06,0 but if you are creating it on a hosted instance for example 2941 01:48:05,439 --> 01:48:10,500 if your ISAC is running a MISP instance and you're creating it on that one directly 2944 01:48:10,500 --> 01:48:13,0 then this already has an impact on who can see the data. 2946 01:48:13,0 --> 01:48:17,500 So the option here, either go with "Your organization only" 2947 01:48:17,500 --> 01:48:20,500 and then raise the distribution level once it's ready to be released 2949 01:48:20,500 --> 01:48:25,500 or you already involve addressing the process and you pick something like "This community only" 2952 01:48:25,500 --> 01:48:28,319 where others can chip in with their ideas from the get-go. 2954 01:48:28,319 --> 01:48:32,559 So this is up to you, it's a risk versus efficiency question. 2956 01:48:32,560 --> 01:48:36,500 Do I want to share the information and potentially overshare a bit 2959 01:48:36,500 --> 01:48:43,0 by accidentally uploading information that is not yet confirmed that it can be shared out 2962 01:48:43,0 --> 01:48:47,439 versus losing out on perhaps others immediately jumping on board 2963 01:48:47,439 --> 01:48:52,0 and saying okay this is also something we've seen we've already done the analysis of it here you go, 2967 01:48:52,0 --> 01:48:54,960 so you have to balance those two things out. 2969 01:48:56,0 --> 01:49:02,0 For example some CSIRT was aware of this, so when people are working on a case 2972 01:49:03,359 --> 01:49:09,0 by default it is "Your organization only" {inaudible} and at one point in time the team lead 2974 01:49:09,0 --> 01:49:13,0 for example decide at some point it's okay, now you can share it to a wider community 2977 01:49:13,0 --> 01:49:15,0 and then you change the distribution level. 2978 01:49:16,0 --> 01:49:19,500 Yeah, indeed. So let's start with the organization only for now 2980 01:49:19,500 --> 01:49:21,500 for different reasons that we'll get back to later on 2981 01:49:21,500 --> 01:49:26,500 it allows us to show off another feature afterwards that is handy, so we start with that. 2983 01:49:26,500 --> 01:49:30,500 Then we have to describe the threat level so this is a very subjective question. 2987 01:49:30,500 --> 01:49:36,500 Threat level will depend a lot on what sort of an organization you are versus who you're sharing it with 2990 01:49:35,500 --> 01:49:40,500 so we all have different interpretations of what we consider a high threat level. 2993 01:49:40,500 --> 01:49:44,500 We have some descriptions for each of these fields predefined. 2996 01:49:44,500 --> 01:49:46,500 If you click on the little information box, 2997 01:49:46,500 --> 01:49:52,500 it will tell you that high is sophisticated APT malware or zero day attack. 3000 01:49:52,500 --> 01:49:56,0 Please just freely disregard this because 3003 01:49:56,0 --> 01:50:00,0 nowadays a lot of information sharing happens in completely different domains, 3004 01:50:00,0 --> 01:50:04,500 so if a fraud team is sharing information about fraudster 3005 01:50:04,500 --> 01:50:11,0 their definition of high threat level would be very different from those in cyber security for example. 3010 01:50:11,0 --> 01:50:14,500 So generally it's just a subjective first measure 3011 01:50:14,500 --> 01:50:18,500 but a lot of organizations users use this to briefly filter out what they should tackle first 3013 01:50:18,500 --> 01:50:24,500 so still use it with care. If you don't want to use this field, picking undefined is fine too. 3017 01:50:25,760 --> 01:50:29,500 Analysis is the next field, describes how far along you've come with the analysis process. 3019 01:50:29,500 --> 01:50:34,480 So basically with this what you're telling the community is 3020 01:50:34,480 --> 01:50:37,500 I'm just starting out with the analysis these are my initial findings 3023 01:50:37,500 --> 01:50:41,839 versus for example saying that my analysis process is already complete 3024 01:50:41,839 --> 01:50:46,500 i'm not going to be digging more for now, I consider this complete, 3026 01:50:46,500 --> 01:50:54,500 if you have additional information then obviously start collaborating with us. 3029 01:50:54,500 --> 01:50:59,500 So just pick whichever is most appropriate for you. Let's just go with "Initial" for now. 3032 01:50:59,840 --> 01:51:05,500 and then comes the most important part of this form which is describing the event info, 3035 01:51:05,500 --> 01:51:09,0 so this is a brief description for analysts that are looking at the data 3036 01:51:09,0 --> 01:51:13,500 that best described the event that you're basically sharing 3039 01:51:13,500 --> 01:51:21,0 Now be brief here and be careful about including very domain or organization specific information. 3042 01:51:21,0 --> 01:51:25,500 One of the mistakes that people often make here is 3043 01:51:25,500 --> 01:51:29,500 for example typing a ticket number or ticket id in there 3048 01:51:29,500 --> 01:51:35,500 so if you have a ticketing system and you basically start your investigation from your ticketing system 3051 01:51:35,500 --> 01:51:39,500 sharing out something like what Alex has typed there is not very handy for anyone else 3053 01:51:39,500 --> 01:51:41,500 nobody will have a clue what you mean with that. 3055 01:51:41,500 --> 01:51:44,500 Another mistake that can happen here very often is 3056 01:51:44,500 --> 01:51:49,0 especially if you're starting out small and in turn initially you're only keeping the events for yourself 3057 01:51:49,0 --> 01:51:56,500 and then perhaps later on you decide that you want to maybe perhaps after all share it out to a community 3063 01:51:56,500 --> 01:52:59,500 then one of the things that can really hurt you at that point is if you've used different language 3065 01:52:59,500 --> 01:52:03,500 for example to describe the event info so we've seen this very often 3068 01:52:03,500 --> 01:52:09,0 instead of describing the things in English, we choose our own languages 3070 01:52:12,0 --> 01:52:19,500 Both Alex {inaudible} and myself is hungarian, we are pretty prone to doing this in general 3073 01:52:19,500 --> 01:52:23,500 and this is generally something that will hurt us in the long term 3076 01:52:23,500 --> 01:52:27,500 because once you share it out with a more international community 3077 01:52:25,920 --> 01:52:30,500 you either have to go through the effort of translating it 3078 01:52:30,500 --> 01:52:34,500 or basically make it illegible for the recipient 3081 01:52:34,500 --> 01:52:40,500 So stick to something simple, simple phrasing, be as concise as possible 3083 01:52:40,500 --> 01:52:44,500 but make sure that it's still understood what you mean. 01:52:46,500 --> 01:52:51,500 Okay, once you are done. In this case we are doing a {inaudible} spearphishing email, 3085 01:52:51,920 --> 01:52:55,800 we know that it's targeting the telco sector in luxembourg and we know that we have a malware sample 3087 01:52:55,800 --> 01:53:00,0 so that's a pretty nice short explanation of what the event is about. 3091 01:53:00,0 --> 01:53:05,0 So once we click submit, we have our event created and we already see that that 3092 01:53:05,0 --> 01:53:09,500 our event suddenly has a lot of data that we didn't intentionally put in there yet. 3094 01:53:09,500 --> 01:53:11,500 So we see a bunch of tags that are applied to the event, 3098 01:53:11,500 --> 01:53:15,500 we see that the event already has information about 3099 01:53:15,500 --> 01:53:20,500 who created the information, who the local owners is information and so on. 3101 01:53:20,500 --> 01:53:25,500 So MISP basically takes a lot of {inaudible local/global} settings from the instance 3105 01:53:25,500 --> 01:53:29,500 and it fills in the event when it is created with these basic datasets. 3107 01:53:29,500 --> 01:53:33,500 A lot of these also involve the contextualization that we start out with 3108 01:53:33,500 --> 01:53:37,500 so it might seem a little bit pointless to immediately label something 3109 01:53:37,500 --> 01:53:39,500 that we have not even started working on yet 3110 01:53:39,500 --> 01:53:44,200 but also keep in mind that very often what we do internally in our organizations is 3111 01:53:44,200 --> 01:53:50,0 we have several MISP instances that already are domain specific 3118 01:53:50,0 --> 01:53:55,500 So, for example we have our spam collector instance, we have our our sandboxing in MISP instance and so on. 3121 01:53:55,500 --> 01:54:00,500 These already define the scope of the information that go into them 3124 01:54:00,500 --> 01:54:05,0 so we can already decide okay if we are on our spam collector MISP instance 3127 01:54:05,0 --> 01:54:07,500 anything that goes in there will be related to spam 3128 01:54:07,500 --> 01:54:14,0 so in this case we can remove these tags because we don't actually want to include those just yet. 3131 01:54:14,0 --> 01:54:16,0 Maybe we can keep that one because it's still a draft, 3132 01:54:16,0 --> 01:54:20,500 so that means we will do an evaluation of this spam email accuracy 3135 01:54:20,500 --> 01:54:25,500 and then, so we have some defined taxonomy in MISP on this instance we enabled 3138 01:54:25,500 --> 01:54:30,500 for example the workflow one, this one is maybe of interest from different organizations 3141 01:54:31,39 --> 01:54:35,500 is a generic one about workflow, what is the current state of things. 3142 01:54:35,500 --> 01:54:39,500 So don't forget, in the initial event when we created the event 3143 01:54:39,500 --> 01:54:42,500 we have information about the state and stuff like that 3144 01:54:42,500 --> 01:54:45,0 Now with this what we do is recommend to have taxonomies 3150 01:54:45,0 --> 01:54:49,500 and you can really set up whatever you like in the misp event 3153 01:54:49,500 --> 01:54:55,500 to define the current state of this event so we keep "Draft" for this case. 3154 01:54:57,0 --> 01:55:00,500 Yup indeed, so we keep it at this 3155 01:55:00,500 --> 01:55:03,500 and we scroll further down and we see that MISP warns us about a few things, 3156 01:55:03,500 --> 01:55:05,500 first of all, data is not published 3158 01:55:05,500 --> 01:55:07,500 and second of all if we scroll a bit further down 3159 01:55:07,500 --> 01:55:11,0 we see that MISP also tells us that there are no attributes in here. 3160 01:55:11,0 --> 01:55:13,0 So this is still an empty envelope that we are about to share 3162 01:55:13,0 --> 01:55:16,500 so MISP tells us, don't share this just yet, fill it up with data first. 3165 01:55:16,500 --> 01:55:23,0 So at this point, we can start populating the information 3168 01:55:23,0 --> 01:55:30,0 So if you look at the initial document that we use as a starting point, 3171 01:55:30,0 --> 01:55:35,0 we see in there that we have a lot of information in there described 3173 01:55:35,0 --> 01:55:38,500 we see for example that we are dealing with spearphishing, 3175 01:55:38,500 --> 01:55:42,500 we see that we have an email that was received at a certain point in time 3177 01:55:42,500 --> 01:55:51,0 and we also see that we have an attacker that pretends to be working at the CEO's daughter school 3181 01:55:51,0 --> 01:55:57,500 and sending the email from a spoofed email address. 3184 01:55:57,500 --> 01:56:01,500 So we can start by describing this information, by including this information. 3187 01:56:01,500 --> 01:56:04,500 So perhaps one of the things that we can take here is, 3188 01:56:04,500 --> 01:56:08,500 let's start with the most basic thing we're describing, an email, so let's start with an email object. 3191 01:56:08,500 --> 01:56:16,0 So we're going to add an object and we're going to select email 3193 01:56:18,479 --> 01:56:21,0 So here we see that this is coming from the templating system 3194 01:56:21,0 --> 01:56:27,500 where you can define different concepts with different fields 3197 01:56:27,500 --> 01:56:30,500 that have to be then populated using this object templating system. 3199 01:56:31,760 --> 01:56:34,500 So we have a bunch of information that we can fill out here 3200 01:56:34,500 --> 01:56:40,0 we see the spoofed address so we see a "From" address that we can encode 3203 01:56:45,439 --> 01:56:54,500 Okay. we also have a sample that I don't know if I've uploaded it anywhere. Alex? 3205 01:56:54,500 --> 01:56:57,500 If not just pick any file for now because I think that's something I forgot to do. 3208 01:57:00,880 --> 01:57:03,500 Yeah I don't know where the sample is. Yeah maybe we should add it. 3210 01:57:03,500 --> 01:57:08,0 Yeah just put putty.x or something if you have it 3212 01:57:12,800 --> 01:57:14,500 Oops 3213 01:57:16,639 --> 01:57:19,500 or we can do it as a separate object, we can just do this separately 3215 01:57:19,500 --> 01:57:21,0 Yeah, we can do a separate object. 3216 01:57:21,0 --> 01:57:26,0 Yeah, indeed, indeed. Okay so what we can already describe here is 3219 01:57:26,0 --> 01:57:31,500 we can still add the name of the attachment that we had in there 3222 01:57:35,500 --> 01:57:38,500 just to fast track it a bit 3223 01:57:40,639 --> 01:57:42,880 good 3224 01:57:46,79 --> 01:57:48,500 so we have a timestamp too which is interesting 3225 01:57:47,679 --> 01:57:52,319 um 3226 01:57:49,760 --> 01:57:54,239 3227 01:57:52,319 --> 01:57:55,500 so this one has been received at a specific date so it was the third of.... 3228 01:57:54,238 --> 01:57:59,0 so the "First Seen" is basically something that you can already set up 3230 01:57:59,0 --> 01:58:07,500 so it was the third of February, we had a specific time if i'm not mistaken. 3231 01:58:03,920 --> 01:58:10,158 3232 01:58:07,198 --> 01:58:20,500 So in this one has been sent on, received on 15, 16, 3237 01:58:27,0 --> 01:58:35,500 we also see that that basically the attachment was spoofing the document 3238 01:58:30,639 --> 01:58:41,0 about the report about the CEO's daughter's progress in school. 3242 01:58:41,0 --> 01:58:48,500 So we can pick the file name for the attachment and that is under the attachment section in the object 3245 01:58:55,500 --> 01:58:57,500 Good. 3246 01:58:57,500 --> 01:58:59,0 I'm just clicking it. Yeah 3247 01:58:59,0 --> 01:59:03,500 It is called report.doc.exe, I mean maybe it's not in the text right now. 3248 01:59:03,500 --> 01:59:06,500 Ah okay, it might not be in the text, might be just in the original file. 3251 01:59:06,500 --> 01:59:12,500 Sorry about that. So yeah report.doc.exe 3252 01:59:18,0 --> 01:59:19,500 Ok yeah perfect. 3253 01:59:19,500 --> 01:59:26,500 And then we also know that it was received, that we have the received header ip 325 6 01:59:26,500 --> 01:59:34,0 so we can include that as well that's also stated in the email. It's 137.221.106.104 3259 01:59:41,500 --> 01:59:50,500 and we even have the hostname ,if you want to include that, that was also included in the email/report 3263 01:59:54,0 --> 01:59:59,500 Perfect, so as you can see here we did not fill everything out 3264 01:59:59,500 --> 02:00:02,500 because we don't know everything based on the report but we knew some of the fields. 3267 02:00:02,500 --> 02:00:08,500 We also see that each of these objects basically have some requirements and we satisfy those in this case. 3271 02:00:08,500 --> 02:00:13,0 So if you scroll all the way to the top you will see that that this object had a requirement 3274 02:00:13,0 --> 02:00:17,500 any of those fields have to be filled, we've definitely met that so we can just click submit 3276 02:00:16,0 --> 02:00:20,500 and we can create our object in this case 3278 02:00:23,0 --> 02:00:27,500 so here we see MISP telling us if we create this object that's what it will look like. 3281 02:00:27,500 --> 02:00:31,0 So we have in this case created our object and now it is attached to the event 3284 02:00:31,359 --> 02:00:33,0 and suddenly stuff happened here 3285 02:00:33,0 --> 02:00:38,500 so we see that each of these attributes already start correlating with existing events. 3288 02:00:38,500 --> 02:00:43,500 Now we ran this little exercise before so it correlate with some of those previous events 3291 02:00:43,500 --> 02:00:48,500 but normally if this was a real case if you get a correlation 3293 02:00:48,500 --> 02:00:53,500 there is either something very similar that already happened before 3294 02:00:53,500 --> 02:00:58,0 or is it something that simply might be a coincidence 3295 02:00:58,0 --> 02:01:01,500 but it's still cause for investigation to check 3296 02:01:01,500 --> 02:01:06,500 is this something that might help me bootstrap my investigation or is it just noise that is not relevant. 3300 02:01:06,500 --> 02:01:09,0 Maybe a side note because we have often the questions 3301 02:01:09,0 --> 02:01:15,500 when you create such object in MISP, you see that can be cumbersome to create it manually 3302 02:01:15,500 --> 02:01:19,500 so don't forget that everything that we do right now can be done through the API 3308 02:01:19,500 --> 02:01:23,0 so you can use PyMISP, automatically do it and so on. 3310 02:01:23,0 --> 02:01:29,500 So what we show there, if you think on the API level it can be done automatically 3312 02:01:27,840 --> 02:01:34,500 so if you have tool that are extracting emails automatically from the PC mailbox, whatever 3315 02:01:34,500 --> 02:01:36,500 you can automatically do it in MISP. 3317 02:01:36,560 --> 02:01:40,500 We just show the complete process manually but you can have a mix for some event 3320 02:01:40,500 --> 02:01:45,500 maybe some might be created automatically and then update it manually and so on. 3323 02:01:45,500 --> 02:01:49,500 Something else that might be interesting here at this point is we've encoded this object 3325 02:01:49,520 --> 02:01:57,0 and we look at it and perhaps we might want to change the distribution settings 3328 02:01:57,0 --> 02:01:59,500 based on the different data points that we have in there 3330 02:01:59,279 --> 02:02:04,500 so most of these such as the malicious host that email is sent from 3331 02:02:04,500 --> 02:02:05,759 are technical information that we can share with the broader community 3334 02:02:07,279 --> 02:02:12,500 but perhaps the name of the school that our CEO's daughter attends 3335 02:02:12,500 --> 02:02:13,599 is something that we don't need to share with the entire community 3338 02:02:15,118 --> 02:02:20,0 so we could reduce the distribution of that individual attribute in this object 3340 02:02:20,0 --> 02:02:24,500 so that we keep that, for example only for our own organization and for our own internal records. 3343 02:02:24,500 --> 02:02:28,500 So one of the things you can do in this case is you can edit that individual attribute 3346 02:02:28,158 --> 02:02:36,500 so the from address in the object and you can set a distribution level to "Your organization only". 3349 02:02:36,500 --> 02:02:40,500 In this case, once we release the event to a broader audience 3351 02:02:40,500 --> 02:02:44,0 it will keep this individual attribute for an organization 3352 02:02:44,0 --> 02:02:48,500 and it will not share it out with with other constituencies 3354 02:02:48,500 --> 02:02:51,500 Okay, so some other stuff that happened at this point 3355 02:02:51,500 --> 02:02:55,500 we see that several of you are creating events so that's great. 3358 02:02:55,500 --> 02:02:58,0 The correlation count really went up all of the sudden so it's good to see. 3360 02:02:57,359 --> 02:03:04,0 Something else that happened at this point is the event itself got correlated to other events as well 3361 02:03:04,0 --> 02:03:08,500 So if you scroll up all the way, we see that the attributes that we've added 3366 02:03:07,599 --> 02:03:10,0 are also showing us what other events we're correlating in. 3368 02:03:10,0 --> 02:03:15,500 So this is a summary of all the individual attributes, correlations from the event 3369 02:03:15,500 --> 02:03:18,500 that means that if this object is correlating 3370 02:03:18,500 --> 02:03:22,500 or these attributes within the object are correlating to it with a certain event 3375 02:03:22,500 --> 02:03:25,500 and certain other objects are correlating with other events 3377 02:03:25,500 --> 02:03:29,500 then this would be a full summary of all the events that you're correlating with. 3379 02:03:29,500 --> 02:03:31,500 You can also draw a graph out of that. 3380 02:03:31,920 --> 02:03:34,500 If you click on the correlation graph you will see how the events are interlinked 3382 02:03:35,198 --> 02:03:38,500 and you can further explore this by selecting any of the nodes 3384 02:03:38,500 --> 02:03:44,0 and pressing x on that to further expand it with its own correlations. 3387 02:03:46,500 --> 02:03:50,500 Okay. Let's go back to the event 3388 02:03:52,0 --> 02:03:57,0 Yeah I don't think we have a lot of correlations there, for the other events they're all the same 3392 02:03:59,679 --> 02:04:06,500 Okay now going back to our little example we have now created four attributes all together 3395 02:04:06,500 --> 02:04:11,0 out of the object template but we could have done this differently as well 3397 02:04:11,0 --> 02:04:16,0 what we could have done is we could also have created those attributes individually 3398 02:04:16,0 --> 02:04:20,500 and added those to the event directly. 3404 02:04:20,500 --> 02:04:22,500 So one of the things that we can do now 3405 02:04:24,319 --> 02:04:26,500 is we can go back to our report and tackle the next thing that is described there 3406 02:04:25,920 --> 02:04:27,500 and let's do it slightly differently. 3407 02:04:27,359 --> 02:04:35,500 So we also see that basically the person that is impersonated is also described 3410 02:04:31,760 --> 02:04:43,500 so that is basically, in this case John Doe the teacher of the student 3411 02:04:43,500 --> 02:04:46,500 So let's just create a person object and describe that. 3416 02:04:46,500 --> 02:04:53,0 So what we can do now is instead of directly describing it as an object, 3418 02:04:53,0 --> 02:04:59,500 we can first add those different fields, at least a name as individual attributes. 3421 02:04:59,500 --> 02:05:02,500 So let's see how adding individual attributes work 3422 02:05:00,0 --> 02:05:04,500 so we click on the little plus icon above the attribute list 3425 02:05:04,500 --> 02:05:08,500 and we simply select category "Person" 3426 02:05:08,500 --> 02:05:13,500 and from "Person" we select "first-name", "first-name" is John. 3428 02:05:13,500 --> 02:05:16,0 and here we can already define, is this an indicator? 3429 02:05:15,39 --> 02:05:20,0 Do we want to set it for intrusion detection system flag? 3431 02:05:20,0 --> 02:05:23,0 No, definitely not, this in itself is not an indicator 3433 02:05:23,0 --> 02:05:29,0 In fact we want to also disable correlation on this as this is a pretty common name 3436 02:05:29,0 --> 02:05:33,0 that is definitely not something to... 3437 02:05:33,0 --> 02:05:37,500 We don't need a comment for now, we're going to convert it into an object anyway 3440 02:05:40,0 --> 02:05:44,500 So what we can do is we can also disable correlation on this we don't want to correlate on John. 3443 02:05:44,0 --> 02:05:48,500 Okay, doesn't matter. 3444 02:05:48,500 --> 02:05:58,500 We can do the same thing for the last name Doe and we can basically say that this is now "last-name". 3447 02:05:58,500 --> 02:05:06,500 Now we've added these two things in there now the problem with this is 3448 02:05:06,500 --> 02:06:04,500 if we just had attributes instead of objects is we don't really see that 3449 02:06:04,500 --> 02:06:07,500 "John" and "Doe" in this case are the first name and last name belong together. 3455 02:06:07,500 --> 02:06:11,500 So if I were to describe several people in the same event 3456 02:06:11,500 --> 02:06:18,500 you would have a list of first names and a list of last names with no connection between the two things 3457 02:06:18,500 --> 02:06:24,500 so it's better to use objects in general whenever you're describing multiple aspects of the same thing. 3463 02:06:24,500 --> 02:06:27,500 Obviously if you just have a list of file hashes that you got from a feed 3464 02:06:27,500 --> 02:06:30,500 and you just encode those and you don't have any other information with them 3465 02:06:30,500 --> 02:06:33,500 you might as well just create flat attributes out of them 3466 02:06:33,500 --> 02:06:36,500 because there is nothing else to describe from your perspective. 3471 02:06:36,880 --> 02:06:40,500 But even in that case it's arguable whether you don't want to start with an object 3474 02:06:40,500 --> 02:06:44,0 from the get go but what we can do in this case if we did start with this way 3476 02:06:44,0 --> 02:06:48,500 or if you receive information in this format or your tools parse the data out in this format is 3479 02:06:48,500 --> 02:06:51,500 you can select those two attributes by clicking the little check marks next 3480 02:06:51,500 --> 02:06:57,500 or little tick boxes next to them and then clicking on "Group selected Attributes into an Object" 3485 02:06:56,500 --> 02:07:01,500 and here MISP will propose, okay these are the different object templates 3486 02:07:01,500 --> 02:07:05,500 that satisfy the list of attributes that you've selected, 3488 02:07:05,500 --> 02:07:09,500 there's a person object that we can use so let's just pick that one for now. 3492 02:07:09,500 --> 02:07:16,500 So here we see if we were to combine these two things they would be merged into an object 3495 02:07:16,500 --> 02:07:24,500 that is fine with us we see first name will become the first name of the object,last name, the last name 3499 02:07:24,500 --> 02:07:25,500 so let's merge it, 3500 02:07:28,960 --> 02:07:35,0 Now we basically have a person object, now we also know that this person that we're dealing with here 3501 02:07:35,0 --> 02:07:38,0 is impersonating the teacher of the CEO's daughter 3503 02:07:38,0 --> 02:07:42,500 so the impersonated person is a teacher of the CEO's daughter 3506 02:07:42,500 --> 02:07:48,0 so we added the object and we also see that we can add just another text field. 3509 02:07:48,0 --> 02:07:51,500 Yeah, just text field works, where we can describe it. 3510 02:07:51,500 --> 02:07:55,500 i just want to first disable the correlation because different {inaudible} 3513 02:07:55,500 --> 02:07:56,500 Okay yeah sure. 3514 02:08:08,238 --> 02:08:12,500 Yeah that works and we just add a text, description of the identity of the person 3516 02:08:12,500 --> 02:08:14,500 we can just say teacher of the ceo's daughter. 3518 02:08:14,500 --> 02:08:27,0 Okay, now we're done. We have now added the additional attribute 3520 02:08:27,0 --> 02:08:30,500 and now we know what this object is actually about without having a description in there 3522 02:08:30,500 --> 02:08:34,500 but we still just have an email and a person described in here 3524 02:08:34,500 --> 02:08:38,500 but we don't know anything else, we don't know that this email is spoofing to be that person 3526 02:08:38,500 --> 02:08:40,500 so we should add a relationship between the two. 3528 02:08:40,500 --> 02:08:46,500 Mow for this we can switch over to the event graph view so that is a little bit further up. 3531 02:08:46,719 --> 02:08:50,500 This one allows us to create connected graphs out of our individual data points 3533 02:08:50,500 --> 02:08:56,500 so we see that we have two unreferenced objects, so we explode that node by pressing x. 3536 02:08:56,500 --> 02:09:03,0 and we can draw an edge between those two nodes by clicking edit and add reference 3539 02:09:03,0 --> 02:09:07,500 and drawing a line between the two from the email to the person. 3542 02:09:07,500 --> 02:09:15,500 When you do, that MISP will propose a list of relationship types between these two different nodes. 3546 02:09:15,500 --> 02:09:20,500 There is also a custom one there so if you don't want to select anything from the list that is fine too 3548 02:09:20,500 --> 02:09:26,500 but for now we can just use the "impersonates" relationship which already exists in the default library. 3552 02:09:26,500 --> 02:09:33,500 Just click on submit and now we have a relationship set between those two. 3554 02:09:33,500 --> 02:09:38,500 So we started telling our story by basically having a connected graph between these two points. 3557 02:09:37,520 --> 02:09:46,500 Now let's further look at our original email and see what else we can get out of the text from there. 3561 02:09:47,520 --> 02:09:52,500 We also see that the malicious file was contained in the email as well as an attachment 3563 02:09:52,500 --> 02:09:55,500 So let's upload an attachment now to MISP. 3564 02:09:54,0 --> 02:09:59,500 I hope you have put in the text there or something because I forgot to {inaudible} it. 3565 02:09:59,500 --> 02:10:02,500 {inaudible} Perfect . 3567 02:10:02,500 --> 02:10:07,500 So as an attachment and this is where things become a little bit tricky. 3568 02:10:07,500 --> 02:10:12,500 There's a quick question there on the chat i'll just quickly answer that then we can get back to this. 3573 02:10:12,500 --> 02:10:13,500 Where can I create reference? 3574 02:10:13,500 --> 02:10:18,0 If you go above the attribute list there is an event graph button if you click on that 3575 02:10:18,0 --> 02:10:23,0 you get the event graph and on the top left side you click on edit and then add reference 3577 02:10:23,0 --> 02:10:24,0 Like I can show it again now. 3580 02:10:24,0 --> 02:10:26,500 Yeah that's a bit better, yeah. 3581 02:10:26,500 --> 02:10:33,500 So you have this kind of gray bar there with event graph so you can basically collapse or expand it 3583 02:10:33,500 --> 02:10:39,500 and then there you can select one of those reference objects you press x 3589 02:10:39,500 --> 02:10:49,500 to expand all those reference objects then you can just select one object that you want to add 3591 02:10:49,500 --> 02:10:53,500 and then you can edit, add the references and then you can add specific references. 3594 02:10:53,500 --> 02:10:57,500 In this case it doesn't make sense to make a second reference but that's basically how you do it 3597 02:10:57,500 --> 02:11:01,500 then you select your relationship type and you can add your reference. 3599 02:11:01,279 --> 02:11:04,479 It's not the only way to do it, there's a, I would say current-based representation 3602 02:11:06,78 --> 02:11:11,500 where you can do it, we can even show it so you have to go 3604 02:11:11,500 --> 02:11:13,0 It's much more difficult to understand what happens. 3606 02:11:13,0 --> 02:11:19,0 Yeah, so so there the reference that you created through the event graph is represented here 3608 02:11:19,0 --> 02:11:25,500 so you see that this object has a reference so from email to impersonate 3612 02:11:25,500 --> 02:11:29,0 and here's the opposite relationship that even describes the "Referenced by" 3613 02:11:29,0 --> 02:11:31,0 and you have the "Referenced by" on this object 3614 02:11:28,960 --> 02:11:38,500 so another just mention is I think less, I would say {inaudible} and so on 3618 02:11:38,500 --> 02:11:40,0 but sometimes you just when you are in the object 3619 02:11:40,0 --> 02:11:45,500 you just want to see if you have any reference or a sign and you can quickly see that. 3622 02:11:48,500 --> 02:11:58,500 So let's add an attachment now and upload the sample that was included in the original email. 3625 02:11:58,500 --> 02:12:03,0 Sso we just click on add attachment we select the file that you want to upload. 3628 02:12:03,0 --> 02:12:06,500 yeah so for the attachment in MISP you have really two models, 3630 02:12:06,500 --> 02:12:08,0 you have the model that an attachment is basically something 3631 02:12:08,0 --> 02:12:15,500 completely benign, safe and you can basically share it directly. 3635 02:12:13,118 --> 02:12:19,0 So for example you have attachment like reports and stuff like that. 3637 02:12:19,0 --> 02:12:21,500 In our case what we want to share here, 3638 02:12:21,500 --> 02:12:30,500 it's a malicious sample so and that's I will take a sample somewhere. 3644 02:12:34,0 --> 02:12:42,500 Press on one {inaudible} interesting there {inaudible} windows executables 3647 02:12:42,500 --> 02:12:45,0 and then you have to select if the sample is malicious 3648 02:12:44,158 --> 02:12:48,0 if you don't do anything, what it will be, it will be something 3649 02:12:48,0 --> 02:12:54,0 like saving report, a pdf report, something that's like supporting you in contextualization 3654 02:12:54,0 --> 02:12:56,600 could be a screenshot for example things like that. 3656 02:12:56,600 --> 02:13:00,500 But if you share a sample you have to select "Is a malware sample" 3657 02:13:00,500 --> 02:13:05,0 because like that MISP will encrypt and hash a file 3658 02:13:05,0 --> 02:13:09,500 so that means you have a zip file encrypted with a default password "infected" 3663 02:13:08,719 --> 02:13:13,500 but I got to avoid classical mistake of clicking on a link 3664 02:13:13,500 --> 02:13:17,0 executing binaries on your analysis machines and so on. 3667 02:13:17,0 --> 02:13:21,500 you don't want to do that, so if it's malicious always click malware samples 3670 02:13:21,500 --> 02:13:38,500 then you have one below "Advanced extraction", MISP can do a lot of things behind the scene 3673 02:13:38,500 --> 02:13:33,500 when you receive a file, in this case it's a window portable executable files 3676 02:13:33,500 --> 02:13:37,500 so we have particular advanced extraction for those files 3677 02:13:37,500 --> 02:13:43,500 and we can expand completely the files including resources, code segment, and stuff like that. 3679 02:13:44,0 --> 02:13:45,500 So I will upload the files. 3682 02:13:53,0 --> 02:13:57,0 Okay in this case this one was just like a very simple one. 3684 02:13:57,0 --> 02:14:00,500 So in this case, what do we have? We have an object 3685 02:14:00,500 --> 02:14:05,500 with the file name, the size-in-bytes and then the hash file, 3686 02:14:01,279 --> 02:14:08,500 so automatically MISP will do the hashing of the different files 3690 02:14:08,500 --> 02:14:12,0 the sample itself is attached so you can basically use it 3691 02:14:12,0 --> 02:14:14,880 and some additional ones like ssdeep for example, mimetype are automatically extracted 3695 02:14:18,880 --> 02:14:22,0 just maybe for the sake of it I will just take maybe another binary 3696 02:14:22,0 --> 02:14:27,500 just for showing you what could happen with other binaries. 3697 02:14:27,500 --> 02:14:32,500 Maybe that's for later for different events so we don't have the objects in this one 3701 02:14:32,500 --> 02:14:34,500 because it's easier to see for the graph 3703 02:14:34,500 --> 02:14:35,0 That's fine too. 3704 02:14:35,0 --> 02:14:37,0 You can show it afterwards 3705 02:14:37,0 --> 02:14:41,0 Yeah, okay so now we have this again this kind of object attached 3707 02:14:41,0 --> 02:14:43,0 and there's a relationship to create obviously. 3708 02:14:43,0 --> 02:14:48,0 Indeed. So in this case the relationship is to the email itself so we know that the email contained 3711 02:14:48,0 --> 02:14:55,500 this file so what we can do is we can just create relationship between the email and the file 3714 02:14:54,479 --> 02:14:57,500 and see that email contain that file 3716 02:15:00,500 --> 02:15:03,500 So you see, it it's again the same model. 3717 02:15:06,500 --> 02:15:08,500 contains 3719 02:15:15,0 --> 02:15:16,500 There we go. 3720 02:15:16,500 --> 02:15:19,500 So now what we can do is if you look further in the email 3721 02:15:19,500 --> 02:15:21,0 we see that there is a bunch of other stuff still described 3722 02:15:21,0 --> 02:15:25,500 so what we can do is we can just, now for exercise sake, just take 3723 02:15:25,500 --> 02:15:31,0 at least the next few lines or the next paragraph 3724 02:15:31,0 --> 02:15:35,500 and drop the entire paragraph into something called the free text importer. 3729 02:15:35,500 --> 02:15:39,500 What this will do is it will try to parse this text blob 3730 02:15:39,500 --> 02:15:43,0 and it will try to extract anything that looks like an indicator out of that 3733 02:15:43,0 --> 02:15:47,500 So this is another method of basically entering attribute into MISP. 3737 02:15:47,500 --> 02:15:52,500 So "Freetext Import", we just paste it in there and we just hit "Submit". 3739 02:15:54,000 --> 02:15:57,500 So MISP will tell us in this case it didn't extract everything actually, 3741 02:15:57,679 --> 02:16:00,500 so we need to still go back to it and refined a bit more 3742 02:16:00,500 --> 02:16:02,500 but it extracted some of those things that were in there already. 3745 02:16:03,118 --> 02:16:05,500 So that's fine, we can just already add those to the event 3747 02:16:08,0 --> 02:16:13,500 so how does it work behind the scenes is we have a bunch of regex in MISP 3748 02:16:13,500 --> 02:16:18,0 automatically extracting information from natural text, it's one way to do it. 3752 02:16:18,0 --> 02:16:21,500 There's another tool for doing it which is part of the event report 3755 02:16:21,500 --> 02:16:26,500 but it's usually a quick way to automatically extract information 3756 02:16:26,500 --> 02:16:27,500 and to see if it's already known for example. 3758 02:16:28,500 --> 02:16:34,500 So what we see here already is that evil provider was basically, 3759 02:16:31,198 --> 02:16:40,500 according to the email text, the place that was used to download the secondary payload from 3760 02:16:40,500 --> 02:16:46,0 so we can take evil provider and we also know that we got an IPv6 address to it. 3766 02:16:44,558 --> 02:16:49,500 So we're going to add that to it as well and convert this into an object again. 3769 02:16:51,0 --> 02:16:54,500 So we're going to to just select that one convert to object 3770 02:16:54,500 --> 02:17:00,0 and the object that we're going to convert it to is going to be a "URL" object. 3774 02:17:01,599 --> 02:17:04,500 Yep. all the way down there. Perfect. 3775 02:17:04,799 --> 02:17:08,0 Let's just do the conversion and then we edit the object afterwards 3776 02:17:08,0 --> 02:17:10,500 and we add the additional information that we have about it. 3779 02:17:11,500 --> 02:17:25,500 So we have an IPv6 that it resolves to. We also have a port. 3780 02:17:25,500 --> 02:17:32,500 So once we're done with that IP destination, perfect. 3784 02:17:32,500 --> 02:17:41,500 We can also add the port. It was communicating on port 443. 3786 02:17:41,500 --> 02:17:51,500 and again everything i'm currently doing there can be done through the API obviously. 3788 02:17:51,500 --> 02:17:56,500 Yeah and and finally we also have a domain evilprovider.com 3790 02:18:03,0 --> 02:18:07,500 now let's deal with referencing this to the other objects later on. 3792 02:18:07,500 --> 02:18:12,500 We can still still add the additional information that we have in there 3795 02:18:12,500 --> 02:18:14,500 and then we do the linking afterwards. 3796 02:18:14,500 --> 02:18:16,500 Again, we have the same problem here on this 3797 02:18:16,500 --> 02:18:20,500 because for example you see that the comment has the port 3799 02:18:20,500 --> 02:18:24,0 so that means we can just convert it as an object again. 3800 02:18:24,0 --> 02:18:26,500 Yeah and the IP belongs to that one as well by the way 3801 02:18:26,500 --> 02:18:28,500 Okay great, it's even better. 3802 02:18:28,500 --> 02:18:30,500 Yeah exactly. 3803 02:18:30,500 --> 02:18:33,500 Just my screen that is a bit small. Okay. 3805 02:18:40,0 --> 02:18:42,500 So in this case, it's again a url. 3806 02:18:48,0 --> 02:18:54,500 And the things that we have this time the port is actually a high port. 3808 02:18:54,500 --> 02:18:59,500 So while in the other one we do not correlate on on the port because port 443 is common 3811 02:18:59,500 --> 02:19:03,500 this is one of those ports that we might want to correlate on already. 3813 02:19:03,500 --> 02:19:06,500 So we don't want to disable correlation for this one. 3815 02:19:09,840 --> 02:19:15,500 Where as for the other one we we should disable the correlation for the other port 443. 3819 02:19:21,0 --> 02:19:26,500 Okay. Now the other thing that we have at this point is we have a secondary sample 3821 02:19:26,500 --> 02:19:30,0 so if you have a second one that you can upload now. 3822 02:19:30,0 --> 02:19:36,500 Yeah I just just add the domain so I get {inaudible}. Okay. 3824 02:19:36,500 --> 02:19:39,500 so what do you want {inaudible} 3825 02:19:39,500 --> 02:19:44,500 So we still have another file to update and we have a CVE that was also mentioned in the email. 3828 02:19:44,500 --> 02:19:51,0 Okay. CVE is an interesting one, we have single attributes for CVE 3830 02:19:51,0 --> 02:19:53,500 but sometimes you want to have some more information 3831 02:19:53,500 --> 02:19:57,500 so what you could do there is to create a simple attribute 3832 02:19:57,500 --> 02:20:01,500 so the CVE is "Payload delivery" in this case. 3836 02:20:02,719 --> 02:20:07,500 We have "Type" which is "Vulnerability" and usually a "Vulnerability" is defined by CVE 3838 02:20:07,500 --> 02:20:13,500 you can use other value but the best practice is the obviously to use CVE. 3841 02:20:13,500 --> 02:20:19,500 It's a very old CVE, those kind of attackers are always reusing those kind of old things 3843 02:20:19,500 --> 02:20:23,500 but you know, it works. You know people never patch their Windows. 3846 02:20:23,500 --> 02:20:26,0 This one is interesting because you know it was exploited 3847 02:20:26,0 --> 02:20:33,500 so I would add the IDS flag because it may be interesting to look into your system for additional ones. 3851 02:20:33,500 --> 02:20:35,0 So in this case, what do we have? 3852 02:20:35,0 --> 02:20:41,500 We have again, a single attribute, which is not the nice thing that you want to have 3853 02:20:41,500 --> 02:20:45,500 is basically you want to have as much context as you want for those kind of investigation. 3857 02:20:45,500 --> 02:20:52,500 Luckily on this instance, we have one of those expansion modules 3860 02:20:52,500 --> 02:20:56,500 and why the "CVE Advanced" is empty, that is quite interesting. 3861 02:20:56,500 --> 02:21:01,500 Ok, great. So and then you have some additional information 3862 02:21:01,500 --> 02:21:07,500 in this case we have some description, so what I can do in this in this one is 3866 02:21:07,500 --> 02:21:13,0 so you see that we have either the overlay thing 3867 02:21:13,0 --> 02:21:17,0 so in MISP modules, someone was asking about extension of MISP. 3870 02:21:17,0 --> 02:21:20,500 This is one way. You have this overlay things where you can basically just do expansions 3873 02:21:20,500 --> 02:21:23,500 and see okay contextual information 3874 02:21:23,500 --> 02:21:27,500 but sometimes you just want to have a bit more than just contextual information. 3876 02:21:27,500 --> 02:21:33,500 You want to have the associated object there 3878 02:21:31,200 --> 02:21:39,500 so there you have this kind of explosion there and you can add the enrichment 3881 02:21:39,500 --> 02:21:41,500 I'll give a try on that one 3883 02:21:41,500 --> 02:21:45,500 Okay great. So there's something wrong on this machine 3884 02:21:45,500 --> 02:21:51,500 That's great. I'll take the other one but this is not an object but that's fine we can just like... 3887 02:21:51,500 --> 02:21:57,0 Yeah, we got some attribute in this case so we have basically the description 3890 02:21:57,0 --> 02:22:04,500 that coming from the enrichment and what we can do is to then make an object called "Vulnerability" 3894 02:22:05,520 --> 02:22:09,500 and "id", it's not a "credit" in this case is the "description" 3896 02:22:09,500 --> 02:22:15,500 and make an object of it. Usually you should have a full expansion there 3898 02:22:15,500 --> 02:22:20,500 but I didn't test it on the training instance maybe something is broken on that instance. 3901 02:22:20,500 --> 02:22:25,500 Okay so now what do we have is more contextual information. 3904 02:22:27,500 --> 02:22:30,500 We start with a story and we see that we have an email we have a first url, 3905 02:22:30,500 --> 02:22:33,500 a second one which is a download and a specific CVE. 3907 02:22:33,500 --> 02:22:36,0 So maybe now we can go back to the... 3908 02:22:36,0 --> 02:22:40,500 We still miss one thing which was a secondary file that was downloaded. 3909 02:22:38,79 --> 02:22:42,239 3910 02:22:40,500 --> 02:22:43,500 Oh okay. The secondary files, yes. 3912 02:22:43,500 --> 02:22:51,500 Yeah. So according to story what happens was the initial sample was when executed 3915 02:22:51,500 --> 02:22:55,500 was downloading a secondary sample and that one was basically 3919 02:22:55,500 --> 02:23:00,500 then used to exfiltrate data from from the system. 3920 02:23:00,719 --> 02:23:07,0 Yes, so this was a {inaudible} malicious file okay then I will add... 3923 02:23:07,0 --> 02:23:12,0 Yeah just another file and we just pretend it's the one that we were supposed to use. 3926 02:23:12,0 --> 02:23:19,0 Why is this one makes sense, it's an Emotet one {inaudible}, that makes sense. 3930 02:23:21,0 --> 02:23:24,0 so now we have all these different objects in our event 3931 02:23:24,0 --> 02:23:26,0 and it's time to build the story out of it as Alex has mentioned. 3932 02:23:26,0 --> 02:23:29,500 So it's time to go back to our event graph. 3935 02:23:34,0 --> 02:23:38,500 And basically so far the story is that we got an email. 3938 02:23:38,500 --> 02:23:44,500 The email was impersonating a person and we basically got a primary sample out of it. 3939 02:23:44,500 --> 02:23:52,500 That primary sample then reaches out to evilprovider.com to download a secondary sample. 3942 02:23:52,500 --> 02:24:03,500 So we have a relationship between the file which "downloads-from". "downloads-from" yeah. 3946 02:24:03,500 --> 02:24:05,500 Perfect. 3947 02:24:05,500 --> 02:24:12,500 from "evilprovider" and then "evilprovider" downloads the secondary sample 3950 02:24:19,0 --> 02:24:40,0 which is in this case "index.html.1" and this one then exfiltrates to another evilprovider url. 3953 02:24:51,0 --> 02:24:55,500 Now there's one thing we missed in the story here is that the first one try 3955 02:24:55,500 --> 02:25:59,0 so in this case "trilog.exe" was actually abusing the CVE that 3956 02:25:59,0 --> 02:25:08,500 that Alex has already expanded so we have an abuser's relationship from "trilog.exe" to vulnerability. 3961 02:25:14,0 --> 02:25:17,0 So and once we're done with this we already see the entire story in this graph. 3963 02:25:17,0 --> 02:25:22,500 So even if you have no idea about what happened in the report and you don't read the original report 3966 02:25:22,500 --> 02:25:29,0 by just looking at this graph you can clearly read it out in simple sentences. 3969 02:25:29,0 --> 02:25:33,500 We see email impersonator a person, John. Email contains "trilog.exe" 3970 02:25:31,520 --> 02:25:40,500 and that exploits the vulnerability. Downloads from evilprovider.com, "index.html.1". 3974 02:25:40,500 --> 02:25:43,0 which exfiltrates to a url. 3975 02:25:43,0 --> 02:25:48,500 So it's a very simple story to comprehend without us knowing the original data information 3978 02:25:48,500 --> 02:25:53,500 and without us having even having to look at the individual indicators further below. 3982 02:25:53,500 --> 02:25:58,500 So this is when we're talking about information sharing we're basically sharing on two layers. 3985 02:25:59,40 --> 02:26:03,500 One of the layers is sharing with machines so informing an IDS about things to alert on 3988 02:26:04,79 --> 02:26:06,500 and at the same time we're sharing with analysts 3989 02:26:06,500 --> 02:26:09,500 that want to really understand what the threat actor was doing in this case 3992 02:26:09,500 --> 02:26:11,500 and what happened during the incident. 3993 02:26:11,500 --> 02:26:17,500 However at this stage, we have described our event but we're still missing something at this point. 3996 02:26:17,500 --> 02:26:23,0 We still haven't actually contextualized the information with everything else that we know about it. 3999 02:26:23,0 --> 02:26:30,0 So we have vocabularies at our disposal, we have the ATTACK matrix at our disposal 4002 02:26:30,0 --> 02:26:32,0 So let's start going through the individual attributes 4004 02:26:32,0 --> 02:26:35,500 and let's start to attach those different labels to the data 4007 02:26:35,500 --> 02:26:42,500 so first of all if we look at perhaps, which one should we start with? 4010 02:26:42,500 --> 02:26:45,500 Let's not do everything. Let's look at the original email for example. 4012 02:26:45,500 --> 02:26:48,500 We know that the original email deals with phishing. 4014 02:26:48,500 --> 02:26:51,500 Now ATTACK has a pattern that describes phishing 4015 02:26:51,500 --> 02:26:57,500 so we can just attach the galaxy cluster of attack to the attributes in there. 4018 02:26:57,500 --> 02:27:01,500 So we use cluster yeah. 4019 02:27:01,500 --> 02:27:06,0 and we can just use ATTACK. mitre-attack, perfect. 4020 02:27:06,0 --> 02:27:09,500 and we can click on "Attack Pattern" then we get the attack matrix 4023 02:27:11,200 --> 02:27:17,500 and here we can select "Phishing". It should be in... 4026 02:27:18,500 --> 02:27:20,500 Yeah there it is perfect. 4027 02:27:20,500 --> 02:27:28,500 So we attach it. We refresh and there we see it is now attached to the attribute 4030 02:27:28,500 --> 02:27:32,500 and if we generate a heat map now out of the events if we scroll up. 4033 02:27:32,500 --> 02:27:36,500 We have an attack matrix view next to the event graph. 4035 02:27:36,500 --> 02:27:43,0 If we click on that one now we now see that as a first overview already we know 4036 02:27:43,0 --> 02:27:46,500 without looking at any of the details we see that we're dealing with phishing here. 4040 02:27:46,500 --> 02:27:49,500 So this is one of the attack patterns that we've described. 4041 02:27:49,500 --> 02:27:52,0 let's see what other attack patterns from attack we can describe 4043 02:27:52,0 --> 02:27:55,0 You also see that there is automated exfiltration happening. 4046 02:27:55,0 --> 02:28:00,0 So if we go to the secondary url, so another evilprovider.com. 4049 02:28:03,0 --> 02:28:05,500 We can attach the pattern there as well. 4050 02:28:05,500 --> 02:28:10,500 now we can choose to do a single attribute what we're doing or we can just select all 4 4053 02:28:10,500 --> 02:28:13,500 and attach the cluster to all 4 for let's just do one for now, it's enough. 4056 02:28:15,500 --> 02:28:24,0 Watch out it's... Yeah, perfect. And just pick "Automated Exfiltration". 4058 02:28:24,0 --> 02:28:27,0 It's the first one on the... Yeah. 4060 02:28:30,0 --> 02:28:35,500 Okay so now we've attached some attack patterns, we could attach it to the sample as well. 4063 02:28:35,500 --> 02:28:39,0 What the sample is doing but we're not going to go through all that effort 4065 02:28:39,0 --> 02:28:43,500 Let's look at some type of contextualization for example... 4069 02:28:47,120 --> 02:28:47,500 maybe this then it's a matter of taste again regarding 4073 02:28:47,500 --> 02:28:51,500 at which level you want to attach the galaxy 4074 02:28:51,500 --> 02:28:58,500 there is really the topic is a matter of phishing at a global level, usually we can add a galaxy there 4075 02:28:58,500 --> 02:29:03,500 and then for example add MITRE ATTACK directly there 4076 02:29:03,500 --> 02:29:09,500 and select the pattern phishing then the techniques there directly. 4078 02:29:09,500 --> 02:29:14,500 so you have different options usually we recommend to make it at attribute level 4081 02:29:14,500 --> 02:29:21,500 but in some case you don't even know which attribute level it applies then you select the event level. 4084 02:29:21,500 --> 02:29:26,500 Exactly. So that's indeed a good point if you know that the entire chain of what you're describing 4087 02:29:26,500 --> 02:29:34,500 references to a single contextualization, be it label, be it a galaxy cluster then indeed 4090 02:29:34,500 --> 02:29:39,500 what we assume is anything that you label on the event level is inherited by all 4091 02:29:39,500 --> 02:29:43,500 data contained within unless explicitly overwritten by the opposite tag basically. 4095 02:29:43,500 --> 02:29:51,500 So indeed that's the case. In this case we're kind of in a weird situation 4096 02:29:51,500 --> 02:29:55,500 because we're describing the full chain of the attack which includes initial phishing attempt 4100 02:29:55,500 --> 02:29:59,500 but also includes the secondary payload and the exfiltration and so on 4103 02:29:59,500 --> 02:30:03,500 and if we do this on the attribute level as oppose to the event level 4106 02:30:03,500 --> 02:30:08,0 then you're really only describing which part deals with the phishing 4107 02:30:08,0 --> 02:30:11,500 which part deals with the actual exfiltration and so on. 4111 02:30:11,500 --> 02:30:16,0 So this is really up to you. What we generally recommend is don't just do it on the event level. 4114 02:30:16,0 --> 02:30:19,500 So if you're describing more concepts in a single event 4115 02:30:19,500 --> 02:30:22,0 make sure that you contextualize individual parts of it 4118 02:30:22,0 --> 02:30:26,500 because one of one of the things that we use these labels for as well is Searches. 4120 02:30:26,500 --> 02:30:29,500 so if I were to search for all indicators that relate to phishing 4121 02:30:29,500 --> 02:30:36,500 I might not want to get the secondary payloads artifacts included in that response. 4125 02:30:35,920 --> 02:30:40,500 because that was just the initial vector of getting into the network of the victim 4128 02:30:40,500 --> 02:30:44,500 whatever happens afterwards is not directly related to the phishing. 4130 02:30:44,500 --> 02:30:47,500 So keep that in mind as well. something else... 4132 02:30:47,500 --> 02:30:52,500 Yeah so just something that you have to keep in mind too it's about 4133 02:30:52,500 --> 02:30:58,500 which classification to choose or which contextualization source you want to use. 4138 02:30:58,500 --> 02:31:01,500 On this instance, we have already a lot of things enabled 4139 02:31:01,500 --> 02:31:07,500 and if for example you go for taxonomy. You have a lot of taxonomy that is describing phishing. 4143 02:31:07,500 --> 02:31:15,500 For example you have even a complete taxonomy about the kind of phishing you have and so on. 4147 02:31:15,500 --> 02:31:20,500 So when you install your MISP instance and you start to make it operational 4149 02:31:20,500 --> 02:31:24,500 you really have to decide what kind of taxonomy you want to use 4151 02:31:24,500 --> 02:31:29,500 in this case we have already a lot of things are available by default 4153 02:31:29,920 --> 02:31:36,500 so the phishing taxonomy itself is a complete one coming from I think {inaudible} academic paper 4155 02:31:35,200 --> 02:31:38,0 where we have all the techniques that are used. 4157 02:31:38,0 --> 02:31:45,500 So for example you can say that this one is coming from a spearphishing 4159 02:31:45,500 --> 02:31:51,500 which was described there and you have the different techniques. 4161 02:31:51,500 --> 02:31:53,500 So in this case it's email spoofing 4162 02:31:53,500 --> 02:31:57,760 and you can go deeper there into the description of what is exactly the phishing. 4165 02:31:58,719 --> 02:32:05,500 and you can mix match both. I mean Andras selected the ATTACK phishing techniques 4167 02:32:05,500 --> 02:32:07,0 at specific indicator level 4169 02:32:07,0 --> 02:32:12,500 Maybe another analyst would want to classify it and maybe the objectives might be different. 4172 02:32:12,500 --> 02:32:16,500 Maybe on one, for example it's more specific for tools. 4174 02:32:16,719 --> 02:32:21,500 But if you want to run out statistics at the end of, I don't know, quarterly meetings 4177 02:32:21,500 --> 02:32:25,500 and say okay, how many spearfishing that you receive or maybe emails spoofing. 4179 02:32:25,600 --> 02:32:30,0 For example if you can control better emails spoofing, the SPF record and so on 4181 02:32:30,0 --> 02:32:34,0 you can just look at the current technique that are used by by the attacker. 4184 02:32:34,0 --> 02:32:39,500 So you see that those kind of, it's full of taxonomies that can be used 4187 02:32:39,500 --> 02:32:44,0 and obviously we usually recommend to not enable everything 4189 02:32:44,0 --> 02:32:47,500 but just pick what you really want and some are very generic, 4191 02:32:47,500 --> 02:32:53,0 some are more advanced but that's maybe something that we dig into more afterwards 4193 02:32:53,0 --> 02:32:58,500 but just be careful of which kind of taxonomy you want to use because it will be the language 4196 02:32:58,500 --> 02:33:05,500 that you use with the community and your partners for sharing this information. 4200 02:33:09,0 --> 02:33:13,500 Maybe something interesting to look into the email and that's linked to classifications 4202 02:33:13,500 --> 02:33:15,500 but there's this comment there 4204 02:33:16,0 --> 02:33:19,0 "Please be mindful that this is an ongoing investigation 4206 02:33:19,0 --> 02:33:24,0 and we would like to avoid informing the attacker of the detection 4207 02:33:24,0 --> 02:33:30,0 and kindly ask you to to only use the contained information to protect your constituents". 4211 02:33:30,0 --> 02:33:37,500 So this is kind of your language describing to you what kind of classification it is. 4214 02:33:37,500 --> 02:33:47,0 And so now which one should we use so if we are FIRST members, if we are using the FIRST community 4217 02:33:47,0 --> 02:33:51,500 obviously the classification that we will use is not the NATO one, 4218 02:33:48,639 --> 02:33:55,0 or the Ministry of Defense in whatever country, it's really TLP. 4222 02:33:55,0 --> 02:34:05,500 So then again based on that, we will look into different taxonomy that we have 4223 02:34:01,840 --> 02:34:09,200 4224 02:34:05,500 --> 02:34:11,500 we can look for TLP and I should not do that like that. 4226 02:34:12,0 --> 02:34:20,0 I go for the TLP library and then I have the specific taxonomy TLP 4227 02:34:20,0 --> 02:34:22,500 and then you have the different one. 4230 02:34:22,500 --> 02:34:26,0 In this case they say you have to share it with your constituents only 4231 02:34:26,0 --> 02:34:31,500 so TLP amber seems to be the most appropriate one. 4234 02:34:31,500 --> 02:34:34,500 We say that the TLP Amber information is given to organization 4236 02:34:34,500 --> 02:34:37,500 sharing limited within organization to basically act upon. 4238 02:34:38,0 --> 02:34:45,0 If we have the extended classifications from FIRST it includes the constituent too. 4241 02:34:45,0 --> 02:34:49,500 So I will just use a TLP but I mentioned something else that is interesting. 4244 02:34:49,500 --> 02:34:59,500 In the email they mentioned that this is an ongoing investigation, to avoid informing the attacker. 4245 02:34:59,500 --> 02:35:06,0 In this case, how would you inform the attacker but if you do actions on specific indicators and attributes 4251 02:35:06,0 --> 02:35:10,0 you might want to restrict that so there is another classification, 4252 02:35:10,0 --> 02:35:11,500 I don't know if this one is enabled. 4254 02:35:11,500 --> 02:35:18,500 It's called PAP which is exactly that, it's similar to TLP 4256 02:35:18,500 --> 02:35:21,500 but describing what you can do with this information. 4257 02:35:21,500 --> 02:35:28,500 If we don't want to at least notify the attacker that we are doing some further investigations. 4260 02:35:27,439 --> 02:35:34,0 Maybe we want to restrict that and the PAP is really telling you 4261 02:35:34,0 --> 02:35:36,500 what are the permissive action that you can do. 4265 02:35:36,500 --> 02:35:43,500 In our case, "PAP: RED" for example, non-detectable actions only and that's really what we wants 4268 02:35:43,500 --> 02:35:48,500 because the reporter say okay we have an ongoing investigation 4269 02:35:48,500 --> 02:35:51,500 so you don't want the other parties are informed. 4272 02:35:51,500 --> 02:35:56,500 So in this case, I will use RED and again this is used at event level 4274 02:35:56,500 --> 02:36:00,500 and that's something quite important because MISP will take care of that. 4276 02:36:00,478 --> 02:36:04,500 You don't need to set "PAP: RED" on every single attribute. 4278 02:36:04,639 --> 02:36:11,500 Behind, it's really at event level so it's automatically allocating on all attributes 4281 02:36:11,500 --> 02:36:15,500 We don't show it on the interface because it will be too cramp. 4283 02:36:16,0 --> 02:36:21,500 You know, overloaded with information but we do it in a way that's on the API level. 4285 02:36:21,600 --> 02:36:25,500 If you do {inaudible} search. for example on event level or attribute level 4287 02:36:25,500 --> 02:36:32,500 "PAP: RED" will be included there if you have an attribute containing some information 4288 02:36:32,500 --> 02:36:38,500 automatically tags like "PAP: RED" will be then included into the information. 4292 02:36:38,500 --> 02:36:41,500 So that's something to keep in mind when we have information from third party 4294 02:36:41,500 --> 02:36:45,0 is to to wonder okay what is the classification scheme 4295 02:36:45,0 --> 02:36:49,500 so sometimes they don't say a specific classification to use that you just use natural language 4299 02:36:49,500 --> 02:36:54,500 or just a normal sentence to describe all the information should be shared. 4300 02:36:54,500 --> 02:36:58,500 So the interesting thing here is that what we've seen now is 4303 02:36:58,500 --> 02:37:01,0 we've contextualized information in many different aspects 4306 02:37:01,0 --> 02:37:07,500 and this is just scraping the top layer basically 4307 02:37:07,500 --> 02:37:09,0 we could go much much further with contextualization. 4308 02:37:09,0 --> 02:37:14,500 Imagine for example describing how this information is relevant to whether it's used. 4311 02:37:14,500 --> 02:37:18,0 What sort of mechanisms they should have in place to be able to block this information? 4313 02:37:18,0 --> 02:37:21,500 How can you make this useful? Think of different maturity organizations as well 4316 02:37:21,500 --> 02:37:26,500 when you're sharing information. You could also describe information about who's behind it, 4318 02:37:26,500 --> 02:37:29,0 what the motivations are? So we did not describe the threat actor 4321 02:37:29,0 --> 02:37:32,0 because we haven't done any analysis yet. 4323 02:37:32,0 --> 02:37:36,500 This is the initial information we got from a CSIRT that just reported an incident to us 4325 02:37:36,500 --> 02:37:41,500 but we could go further and if we did our analysis we would find who's behind this 4327 02:37:41,500 --> 02:37:46,500 we could go for information with the threat actor, we could look at target sectors 4330 02:37:46,500 --> 02:37:53,500 we could look at a lot of different information in regards to to further contextualizing the information. 4334 02:37:58,0 --> 02:38:00,500 So in this case we could also, for example say that's in the {inaudible} where 4336 02:38:00,500 --> 02:38:04,500 because we know that this is something that was targeting an organization in Luxembourg. 4339 02:38:04,500 --> 02:38:09,500 We know there is also a sector taxonomy that you can use 4340 02:38:09,500 --> 02:38:12,500 so that's not a galaxy but the taxonomy. 4343 02:38:12,500 --> 02:38:16,0 So we can also add for example information about the financial sector 4345 02:38:16,0 --> 02:38:19,500 We know the CEO is a CEO of a financial sector organization. 4347 02:38:20,79 --> 02:38:23,500 So we could also say that it's probably has to do with that as well. 4349 02:38:23,760 --> 02:38:25,500 Maybe it's not enabled, sorry about that. 4350 02:38:25,500 --> 02:38:32,0 Yeah this one never. But if you search... Yeah, exactly, there. 4351 02:38:32,0 --> 02:38:34,500 If you just search for "sector", it should be there. 4353 02:38:34,500 --> 02:38:40,500 Yeah but I'm... Yeah there's something that you can do talk about it later but it's... 4355 02:38:40,500 --> 02:38:45,0 "sector" so we have different one. 4357 02:38:45,0 --> 02:38:50,500 Maybe you find that so if... there was one for finance you can just pick that, yeah. 4360 02:38:50,500 --> 02:38:56,500 Yeah, something else you can do and this one is important too, 4361 02:38:56,500 --> 02:39:00,500 it's going a bit further than the email. So for example, as a source 4363 02:38:59,40 --> 02:39:04,0 we receive emails from various people, I mean if I receive an email from, 4366 02:39:04,0 --> 02:39:07,000 I don't know, from an analyst from, I don't know, he is at Mcafee and so on, 4367 02:39:07,000 --> 02:39:13,500 that I'm working with them for years my confidence on this information is quite high. 4372 02:39:13,500 --> 02:39:19,0 On the other hand, if I receive an email from someone unknown maybe my confidence will be a bit different. 4376 02:39:19,0 --> 02:39:23,500 So in MISP, you have plenty of taxonomies to express confidence. 4378 02:39:23,500 --> 02:39:31,500 For example, the one that is actively used, for example, the military network is Admiralty Scale or NATO scale 4381 02:39:31,500 --> 02:39:36,500 where you can basically define the credibility of the source. 4383 02:39:36,500 --> 02:39:43,500 In this case, we can say that we know the source and is usually reliable so that's the source itself. 4387 02:39:43,500 --> 02:39:51,500 and we can say for this specific information that is probably true because they send us some evidence. 4391 02:39:51,500 --> 02:39:59,500 Now if I have like three emails talking about the same case maybe my level of credibility will increase 4395 02:39:59,500 --> 02:40:03,500 because we have multiple people that have seen exactly the same kind of thing 4397 02:40:03,500 --> 02:40:06,500 So in this case I will have those kind of information there 4398 02:40:06,500 --> 02:40:11,500 Again it's a way to really contextualize information and the quality of the information 4402 02:40:11,500 --> 02:40:19,500 and you have, for example, additional one like, for example, we have one called "estimative-language". 4403 02:40:19,760 --> 02:40:23,500 so this one is more coming from DNI and the CIA. 4407 02:40:23,500 --> 02:40:26,500 It's like the likelihood of probability that this happen. 4409 02:40:27,439 --> 02:40:31,0 So we can say that this one has been almost certain and then we can even qualify 4412 02:40:31,0 --> 02:40:37,0 or own analysis judgment on this and I can say that it was like quickly done 4414 02:40:37,0 --> 02:40:40,500 and it's not perfect, I will just say low for example. 4417 02:40:40,500 --> 02:40:43,500 So then you can have this kind of information. 4418 02:40:42,318 --> 02:40:47,500 And you can either use it as an event level again or a specific attribute. 4420 02:40:46,318 --> 02:40:52,500 So for example, if one of the emails it was like, not properly collected or it was skirts, 4423 02:40:52,500 --> 02:40:55,500 or someone modified the headers and so on, maybe you can reduce 4425 02:40:55,500 --> 02:40:59,500 the summative language of the confidence level that you have 4429 02:40:59,500 --> 02:41:06,500 in the analytic judgment of the specific evidence or element by tagging that at the attribute level. 4431 02:41:06,500 --> 02:41:11,500 So again, those kind of information that we are putting there are factors and so on and more like event level. 4434 02:41:11,500 --> 02:41:15,500 But if you have really specific things that need to be changed 4436 02:41:15,500 --> 02:41:22,500 or that are specific to the attribute or object then you can change it at the attribute level. 4439 02:41:26,0 --> 02:41:29,500 Just some other thing on the user interface that might be useful too that we skipped. 4442 02:41:29,500 --> 02:41:34,500 On the metadata of the event you have plenty of information there. 4444 02:41:35,840 --> 02:41:39,0 Why that is interesting regarding "organization only" and "distribution", 4446 02:41:39,0 --> 02:41:41,500 In this case, we just distribute to the organization 4449 02:41:41,500 --> 02:41:45,500 but if you have pretty large event at some point in time and you want to distribute. 4450 02:41:45,500 --> 02:41:51,500 You have this kind of overview there which is helping you to see at which level you share this information 4453 02:41:51,500 --> 02:41:56,500 In this case, it's super easy. We just distribute it to the training organization, that's fine. 4456 02:41:56,500 --> 02:42:00,500 But if you have a pretty large instance with a lot of organization and so on 4458 02:42:00,500 --> 02:42:06,500 It will display you a full graph of where the information will flow and will be distributed. 4461 02:42:08,0 --> 02:42:14,500 Okay. Now going back to our event, basically the reason why we went so deeply into the contextualization part 4464 02:42:14,500 --> 02:42:21,500 is looking at this event we can already use this right away when feeding our tools, 4467 02:42:20,0 --> 02:42:26,500 when doing our searches, to basically search for anything targeting the financial sector for example. 4472 02:42:26,500 --> 02:42:34,0 we can search for anything related to phishing and find the data contained in this particular event 4475 02:42:34,0 --> 02:42:46,500 So this already helps us with our filtering mechanisms. 4476 02:42:46,500 --> 02:42:46,500 As for PAP and TLP, those tags we can use when we make decisions on which tools we feed the data to 4480 02:42:46,500 --> 02:42:49,500 or which partners we share the information within the case of TLP. 4482 02:42:49,500 --> 02:42:54,500 So we're going to see that more tomorrow when we're creating synchronization links with other instances. 4486 02:42:54,500 --> 02:43:01,0 We can for example set restrictions on TLP when we're pushing data to another node and we can say 4489 02:43:01,0 --> 02:43:07,500 okay, no matter what distribution setting don't send anything TLP Amber in this direction for example. 4493 02:43:07,500 --> 02:43:13,500 Yeah, as an example there's a very good open source tool called TheHive for threat hunting 4497 02:43:13,500 --> 02:43:17,0 and they use PAP to know which kind of actions they can do on the data. 4498 02:43:17,00 --> 02:43:24,0 So if you synchronize MISP with TheHive instance you can really be sure that 4501 02:43:24,0 --> 02:43:30,0 what you set as PAP for example "RED" on the MISP instance will not generate issues 4503 02:43:30,0 --> 02:43:34,500 when you are starting to expansion within Cortex on TheHive 4506 02:43:34,500 --> 02:43:38,500 to be sure that the information is not basically flowing somewhere else. 4508 02:43:38,500 --> 02:43:45,500 So at this point something that we didn't do so far is we did not include the initial email. 4510 02:43:45,500 --> 02:43:48,0 So what we're going to do now is we're going to use another functionality of MISP 4513 02:43:48,0 --> 02:43:52,500 that we haven't talked much about called the report, the event report. 4514 02:43:51,200 --> 02:44:00,0 We can also include clear text information such as a report description and so on together with the event. 4518 02:44:00,398 --> 02:44:04,500 So what we're going to do now is something very simple, we're not going to write our own report. 4520 02:44:04,500 --> 02:44:07,500 We have a report already available from the original source 4523 02:44:07,500 --> 02:44:11,0 so we're just going to paste that entire email in. 4525 02:44:14,0 --> 02:44:17,0 Okay. Just submit for now. 4527 02:44:26,0 --> 02:44:33,500 So now if you look at our email report we just have a simple report here in clear text. 4529 02:44:33,500 --> 02:44:36,500 We're going to see an example what you can do with this. So this is all in markdown 4531 02:44:36,500 --> 02:44:41,500 so you could go into edit mode and pretty it up, add additional information there. 4535 02:44:41,500 --> 02:44:46,0 We're not going to do that now because we're going to just look at an example that already has that 4538 02:44:46,0 --> 02:44:51,0 but before we do that let's get back to our event and let's assume that we're done this entire process. 4541 02:44:51,0 --> 02:44:55,500 We have our report, we have our event we have contextualized all our data 4542 02:44:55,500 --> 02:44:57,500 and let's publish it now to the community. 4546 02:44:57,500 --> 02:45:04,500 So when it comes to publishing we have different ways of achieving that in MISP. 4549 02:45:04,500 --> 02:45:07,500 By default, when we create an event like this, at this stage 4550 02:45:07,500 --> 02:45:11,500 we have all the data contained that we want to share out and that we want to use 4553 02:45:11,500 --> 02:45:18,500 however MISP considers this to be non-final, it is not to be used by automation tools connected to MISP, 4557 02:45:18,500 --> 02:45:24,500 it is not going to be synchronized out to other instances and so on. 4560 02:45:25,500 --> 02:45:31,500 And what we can do now is first of all we need to decide how we shared it out 4562 02:45:31,500 --> 02:45:35,500 it is the organization only for now so even if we were to publish it 4564 02:45:35,500 --> 02:45:40,500 would still only be pushed to our own tools that connect to our MISP 4565 02:45:40,500 --> 02:45:45,500 but it would not be made visible to other organizations but we want to change this, in this case. 4569 02:45:45,500 --> 02:45:51,500 However, let's assume that we are an organization that does not wish to reveal 4572 02:45:51,500 --> 02:45:58,500 that we were involved in this entire incident. We just want to entrust the third party with doing it. 4575 02:45:58,500 --> 02:46:02,500 So as you see there, where Alex is hovering. We basically have several options here. 4578 02:46:02,500 --> 02:46:07,0 We can either publish the event which means we initiate the entire exchange with other instances 4580 02:46:07,0 --> 02:46:12,500 if the distribution allows it. It will alert everyone that we have published this 4584 02:46:12,500 --> 02:46:17,0 or alternatively we can delegate the publishing to third party and stay anonymous ourselves 4586 02:46:17,0 --> 02:46:22,0 So let's do that option for now. So what we're doing now is 4590 02:46:22,0 --> 02:46:25,500 we're entrusting a third party to take over this event for us 4591 02:46:25,500 --> 02:46:29,500 so let's say that we would entrust, say for example CIRCL, to take over this event 4593 02:46:29,500 --> 02:46:35,0 and we tell CIRCL that we want to share this event, to be shared with the entire community. 4596 02:46:35,0 --> 02:46:37,500 so we've collected.. 4597 02:46:45,0 --> 02:46:50,500 Yeah and you can see "This community only" for example or a sharing group whatever you prefer. 4600 02:46:50,500 --> 02:46:55,0 Okay, so this is again a suggestion to the other organization saying 4602 02:46:55,0 --> 02:46:59,500 okay, we want you to share this out and we want you to share this to this community. 4605 02:46:59,500 --> 02:47:04,0 Once we click "Yes", even though the event was your organizationa and only visible to us. 4607 02:47:04,0 --> 02:47:08,500 It now becomes visible to two organizations, ourselves and the other organization 4608 02:47:08,500 --> 02:47:12,500 that we entrust in this case CIRCL. So CIRCL would get an email saying 4610 02:47:12,500 --> 02:47:17,500 Okay, there's this delegation request someone wants you to take over their event 4613 02:47:17,500 --> 02:47:19,500 are you willing to take it over and publish it under your name. 4616 02:47:19,500 --> 02:47:23,0 This will look something like this with slightly different text we're cheating here now 4619 02:47:23,0 --> 02:47:28,500 since we're doing a training, we're site administrators so we see both sides of the story, 4622 02:47:28,500 --> 02:47:33,500 so we can either accept or discard this request. Keep in mind if you accept such a request, 4624 02:47:33,500 --> 02:47:37,500 the event becomes your event a copy of it is created under your name 4628 02:47:37,500 --> 02:47:42,500 and basically you are taking responsibility for the event from now on, 4629 02:47:42,500 --> 02:47:45,500 so also make sure that you're not pushing junk under your name. 4630 02:47:45,500 --> 02:47:48,500 So in this case let's just discard it 4631 02:47:48,500 --> 02:47:52,500 but we could have accepted it and then it would have become our event. 4634 02:47:52,500 --> 02:47:56,500 Okay. Let's go back to the event. 4635 02:48:00,0 --> 02:48:04,0 Okay, so now the other alternative is if you want to publish it under our name, 4637 02:48:04,0 --> 02:48:08,500 what you would need to do is you would need to raise the distribution level first 4640 02:48:08,500 --> 02:48:12,0 if you wanted to involve any other parties 4642 02:48:12,0 --> 02:48:15,500 So we need to edit the event in that case and raise the distribution level 4645 02:48:15,500 --> 02:48:20,500 to say "This Community" or "Connected Communities". Let's go with "Connected Communities". 4647 02:48:20,500 --> 02:48:24,500 connected communities means anyone that has access to my MISP instance 4648 02:48:24,500 --> 02:48:29,500 and all the directly interconnected instances including all their members as well. 4652 02:48:29,500 --> 02:48:34,500 So in the case, for example, of us publishing something like this in the FIRST instance 4654 02:48:34,500 --> 02:48:37,0 we as CIRCL have our instance connected to it 4655 02:48:37,0 --> 02:48:42,0 so all the members of the CIRCL instance will automatically also be included in the exchange. 4658 02:48:42,0 --> 02:48:45,500 Here we see a graph of that so we see the event would 4659 02:48:45,500 --> 02:48:50,0 be also visible to all the directly connected instances which we only have one of 4664 02:48:50,0 --> 02:48:57,0 which is a loopback connection to "iglocska.eu" so not that interesting 4666 02:48:57,0 --> 02:49:00,500 and to everyone that has access to this current instance 4668 02:49:00,500 --> 02:49:07,0 Okay. Once we're done we can click publish and then the event gets synchronized. 4671 02:49:08,0 --> 02:49:14,500 So what happens at this stage is first of all the event will jump over to directly connected instances. 4674 02:49:14,500 --> 02:49:19,500 MISP will send out a bunch of emails to everyone that subscribes to publish alerts 4675 02:49:19,500 --> 02:49:22,500 that there is a new event with all the data contained within. 4678 02:49:22,500 --> 02:49:30,500 it will push the event down various local channels to other tools using ZeroMQ, Kafka and so on and syslog. 4681 02:49:30,500 --> 02:49:36,200 So if you have any tools that are subscribed to these published feeds 4684 02:49:36,200 --> 02:49:41,500 and they will ingest the data and it will also make it available to the API 4686 02:49:41,500 --> 02:49:44,500 and to make it available to all the integration tools out there. 4689 02:49:44,500 --> 02:49:52,500 so if you have your SIEM connected to MISP, it will now be able to fetch the data contained in this event 4691 02:49:52,500 --> 02:50:00,0 So this is basically the publishing process however if at this point we noticed that 4696 02:50:00,0 --> 02:50:06,500 okay we've now shared this event out but we've actually made a typo in the title we wanted to include 4699 02:50:06,500 --> 02:50:17,500 I don't know, a trailing period at the end of the sentence {inaudible} something like that. 4702 02:50:17,500 --> 02:50:23,500 in the title and we edit the event. wWat happens now is, there is a modification to the event 4703 02:50:23,500 --> 02:50:29,500 so even though it was published, it becomes unpublished again and it needs to be to be republished. 4707 02:50:29,500 --> 02:50:33,500 now the reason why we do this is whenever there is a change 4708 02:50:33,500 --> 02:50:36,500 we need to synchronize it out to the other instances out there 4710 02:50:36,500 --> 02:50:40,0 and if you have a publishing process in place 4711 02:50:40,0 --> 02:50:44,500 where so only certain users have access to publishing rights for example 4714 02:50:44,500 --> 02:50:47,500 then anytime your organization is pushing out information 4715 02:50:47,500 --> 02:50:52,500 it can go through the irregular vetting process so any change will unset the publishing of the event 4719 02:50:52,500 --> 02:50:55,500 now in this case this is a very small change that we've made 4720 02:50:55,500 --> 02:50:58,500 so we don't want to actually send out emails to all the other users. 4722 02:50:58,500 --> 02:51:02,500 We don't want to spam them with data that is pretty irrelevant for them 4723 02:51:02,500 --> 02:51:08,0 so we can do the publishing again but this time using the "Publish (no email) option. 4727 02:51:09,0 --> 02:51:11,500 So it will also synchronize the data 4728 02:51:11,500 --> 02:51:15,500 it will again make it available to all different means of ingesting the data 4730 02:51:15,500 --> 02:51:18,500 but it will not spam our users with emails. 4732 02:51:18,500 --> 02:51:24,500 Okay so that's basically it for the publishing and perhaps one thing that is interesting 4735 02:51:24,500 --> 02:51:26,500 and that we didn't talk much about is 4736 02:51:26,500 --> 02:51:31,500 we have now raised the distribution level of this event to "Connected Communities". 4740 02:51:31,500 --> 02:51:36,500 So the event is synchronized out but we actually had an attribute if you look further down 4743 02:51:36,500 --> 02:51:41,500 that's had a different distribution level. So that one is actually going to be removed 4745 02:51:41,500 --> 02:51:42,500 from the synchronized button. 4747 02:51:42,500 --> 02:51:51,0 So we had one that the impersonated person's email address that was set to organization only. 4750 02:51:51,0 --> 02:51:54,500 So whenever we're talking about synchronization that thing will, 4753 02:51:54,500 --> 02:51:57,500 in this case, not synchronize out. So that will be redacted from the event. 4755 02:51:59,0 --> 02:52:04,0 Okay something else that we can do at this point once we have created our event is 4757 02:52:04,0 --> 02:52:08,500 we can also extract it in different formats, so if you click on "Download as..." on the left side. 4760 02:52:09,40 --> 02:52:13,0 You will see that we can basically convert this automatically to a bunch of different formats 4762 02:52:12,79 --> 02:52:17,500 and extract it in those formats directly. This is also what we would be accessing by the API 4765 02:52:16,559 --> 02:52:22,500 if you were to search for this event. We can also mark whatever response format we want. 4768 02:52:23,520 --> 02:52:27,500 just very briefly we won't go very deeply into this. These formats are coming partially 4770 02:52:26,559 --> 02:52:32,500 from our predefined hard-coded list of formats that we support in MISP 4773 02:52:32,500 --> 02:52:38,500 but some of these formats also come from the different export modules that we have 4776 02:52:40,0 --> 02:52:44,500 So if you want you can either build your own native modules for exporting and converting data 4779 02:52:44,500 --> 02:52:51,500 or you can build modules that are sitting in another tool called MISP modules, 4782 02:52:51,500 --> 02:52:55,500 side by side with MISP that will ingest the data and then convert it to other formats. 4785 02:52:55,500 --> 02:52:59,500 So here's a PDF report that was created directly out of the event 4786 02:52:59,500 --> 02:53:05,500 and that you can just share out directly for the event. 4789 02:53:05,500 --> 02:53:11,500 Something else that you can do is anything that we do in MISP, so all the process of adding attributes, 4792 02:53:11,500 --> 02:53:16,500 all the process of viewing data, you can also do that in a machine {inaudible} way 4793 02:53:16,500 --> 02:53:19,500 by just appending .json at the end of any of the url. 4797 02:53:19,500 --> 02:53:24,500 So in that case in this event we're going to get the json representation of the event 4800 02:53:24,500 --> 02:53:26,500 Okay. 4801 02:53:28,0 --> 02:53:32,500 So that's basically for creating an event. 4804 02:53:32,500 --> 02:53:37,500 Just maybe one thing that is interesting we have a very good question from Martin {inaudible}. 4806 02:53:37,500 --> 02:53:44,500 It's a quite complex one but maybe we can already partially answer it. 4808 02:53:44,500 --> 02:53:51,500 So when you create an event and in this case the creator of the training. 4811 02:53:51,500 --> 02:53:59,500 People can contribute on that one but if you have an ISAC and you want to distribute back the information and so on, 4815 02:53:59,500 --> 02:54:05,500 one of the options that you have is to try to create extended events for example out of it. 4818 02:54:05,500 --> 02:54:14,0 So you can out of an event, you can create a new one which would be for example with additional information 4822 02:54:14,0 --> 02:54:22,0 like validations, additional things that you want to add. So you have this kind of extend event 4825 02:54:22,0 --> 02:54:27,0 and you will create automatically a new event based on that. 4826 02:54:27,0 --> 02:54:39,0 A thing that is interesting there, the thing is you can really create something completely new out of it 4832 02:54:39,0 --> 02:54:46,500 and then see, so for example, for this case I can say that we did a kind of session with additional information. 4836 02:54:46,500 --> 02:54:51,500 There the distribution is "Your organization only" 4838 02:54:51,500 --> 02:55:01,500 and I would add for example a specific attribute which is for example "Targeting data" 4841 02:55:01,500 --> 02:55:08,500 and I can say "target-user", the son of the prime minister. 4843 02:55:08,500 --> 02:55:13,500 So it may be information that you really don't want to share with others. 4844 02:55:13,500 --> 02:55:19,500 So this one is basically a normal event with additional information there 4845 02:55:19,500 --> 02:55:23,500 and it's only shared within your organization. 4850 02:55:23,500 --> 02:55:29,500 Nevertheless, if you go to the original event, you have this kind of extended view there 4853 02:55:29,500 --> 02:55:36,500 and we can have what we call an extended view and not an atomic view 4855 02:55:36,500 --> 02:55:41,500 and the two information is combined and you can see there 4856 02:55:41,500 --> 02:55:46,500 that we have one with the information about the son of the prime minister 4859 02:55:46,500 --> 02:55:52,500 which is the extended event there. So just to answer the question of Martin 4861 02:55:52,500 --> 02:55:59,500 about the question about adding information on existing event, this is one way of doing it. 4865 02:55:59,500 --> 02:56:07,500 So using extended event is a way to qualify or extend event with additional information and so on. 4868 02:56:07,500 --> 02:56:12,500 It's actively used, for example, for when you have two different view of the information 4871 02:56:12,500 --> 02:56:17,500 because one is distributed and another one is like the private information 4872 02:56:17,500 --> 02:56:20,500 like the forensic evidence that you cannot share for example, 4873 02:56:20,500 --> 02:56:24,500 you can create this kind of thing. It's one way of doing it. 4877 02:56:24,500 --> 02:56:28,500 It's not answering completely the question of Martin but we can even go deeper later on that 4878 02:56:28,500 --> 02:56:33,500 but it's one way of... because tomorrow we talk about synchronization 4883 02:56:33,500 --> 02:56:39,500 there are some specific options for ISAC like unpublishing events if we do synchronization and so on 4887 02:56:39,500 --> 02:56:46,500 that can be used in some some cases for ISAC. There are many options but that's one way of 4890 02:56:46,500 --> 02:56:54,500 partially solving this kind of issues of not owning the data. It is to extend the information. 4894 02:56:54,500 --> 02:56:58,500 So I know you have something you want to add on Alexandre. 4896 02:56:58,500 --> 02:57:02,0 No, no, that makes sense. 4898 02:57:03,0 --> 02:57:08,500 Again for the collaboration on this one, we can do various things so 4899 02:57:08,500 --> 02:57:13,500 in the case of, you have a typo for example in the specifications and so on. 4901 02:57:13,500 --> 02:57:19,500 you can make proposal, another thing with on the interface here you see that 4905 02:57:19,500 --> 02:57:26,500 you can basically make either an edit or you see that you can make a proposed edit. 4907 02:57:26,500 --> 02:57:31,500 So what is the use case for that? It's not like for fundamental changes 4911 02:57:31,500 --> 02:57:34,500 but for I would say minor challenges on a specific report. 4912 02:57:34,500 --> 02:57:40,0 Imagine that you don't agree on this IP Address, there's a typo 4915 02:57:40,0 --> 02:57:46,500 and it's not D5 but E5 in the ipv6 address, so you propose the change. 4916 02:57:46,500 --> 02:57:50,500 in this case i'm playing both roles here but what do I have here, 4920 02:57:50,500 --> 02:57:56,500 it's basically an attribute with a proposal of the change and I'm playing the both roles 4922 02:57:56,500 --> 02:58:04,500 contributor roles and the original creator then I can say, okay I accept the change there indeed, 4925 02:58:04,500 --> 02:58:12,500 this proposal makes sense or basically discard and this is a way to get updates 4926 02:58:12,500 --> 02:58:19,500 from supportive other members, other organizations and so on. 4930 02:58:19,500 --> 02:58:25,500 It's one way to to update the information in this case I will discard it because it's not correct. 4933 02:58:25,500 --> 02:58:31,500 We were talking about contributions, this is another way of contributing is the sighting itself. 4936 02:58:31,500 --> 02:58:37,0 So for example for this indicator if for example we have an intrusion detection system 4937 02:58:37,0 --> 02:58:40,500 and we have seen it like three times in a row 4939 02:58:40,500 --> 02:58:49,0 we can add on the interface, with the API, through the user interface, and so on 4943 02:58:49,0 --> 02:58:59,500 that you have seen that multiple times and like that you can share this kind of details about the sharing aspect 4947 02:58:59,500 --> 02:59:03,500 So what we have seen that at this specific amount of times we have the three counts 4948 02:59:01,200 --> 02:59:09,500 saying this is a sighting and you have seen it and you can do it per organization 4949 02:59:02,799 --> 02:59:14,500 or it could be even anonymously you get different configuration in the model of sighting in MISP 4956 02:59:15,439 --> 02:59:20,0 but it's a way to see that an indicator has been seen or not. 4957 02:59:18,159 --> 02:59:26,500 If one specific {inaudible} for example a false positive you can see the negative one, 4961 02:59:25,600 --> 02:59:33,500 negative sightings which basically tell others that okay this one is generating a lot of false positives 4962 02:59:33,840 --> 02:59:36,500 sometimes not every organization agrees on the false positive 4965 02:59:35,840 --> 02:59:40,500 because they have different views coming from different networks and so on. 4968 02:59:40,799 --> 02:59:51,500 That's a way to provide feedback, so one is delegations proposals or another way is to basically get sighting. 4972 02:59:57,0 --> 02:59:59,0 Okay. 4973 03:00:01,0 --> 03:00:04,0 I'm just trying to go through the questions 4974 03:00:04,0 --> 03:00:06,500 yeah maybe there are some... 4976 03:00:07,279 --> 03:00:10,500 Yeah there are some that are repeating so perhaps it's good to call them out 4978 03:00:10,559 --> 03:00:14,500 So there was a bit of confusion about how to add the email object. 4981 03:00:16,0 --> 03:00:20,0 So it is a little bit confusing so when you're in an event and you click on add objects, 4984 03:00:20,0 --> 03:00:24,0 first you need to select the scope from which you choose from 4985 03:00:24,0 --> 03:00:26,0 So it's going to be climate file and so on. 4986 03:00:26,0 --> 03:00:30,500 Just click on all objects if you're unsure and then you can search for whatever. 4989 03:00:30,500 --> 03:00:35,500 So after you click on all objects and you type email, it's going to show email object. 4992 03:00:35,500 --> 03:00:39,500 Here the first step is more like finding out the category of an object 4994 03:00:39,500 --> 03:00:44,500 Yeah so some sometimes you just know the category but you don't know what is really available there for you 4997 03:00:44,500 --> 03:00:49,500 So you want to see okay what sort of objects can I use in network contacts 4999 03:00:49,500 --> 03:00:50,500 and I would click on network first 5000 03:00:50,500 --> 03:00:54,500 and then you get a list of of all tangently related objects 5002 03:00:54,500 --> 03:01:01,500 that will have to do with network connectivity but not necessarily describing the same concept at all 5006 03:01:01,500 --> 03:01:06,500 but if you don't know which domain you want to pick it from 5007 03:01:06,500 --> 03:01:11,500 or if you know exactly already what you want and you just want to search by name 5010 03:01:11,500 --> 03:01:14,500 Just click on all objects first and then you will find what you're looking for 5013 03:01:14,500 --> 03:01:19,500 by just typing it. So email is easy to find that way. 5015 03:01:19,500 --> 03:01:24,0 Okay so just type email and that's it. 5016 03:01:24,0 --> 03:01:32,500 Okay, other questions that were there. Okay perfect. 5018 03:01:33,0 --> 03:01:37,0 And there there were a few other questions that I answered in the ... 5020 03:01:37,0 --> 03:01:40,500 Meanwhile, maybe it's a good idea to read some of them out. 5021 03:01:40,500 --> 03:01:45,500 Yeah, indeed there was a good one about correlation graph and filtering on it. 5025 03:01:45,500 --> 03:01:48,500 Indeed, we don't have a way to filter the correlation graph 5026 03:01:48,500 --> 03:01:52,500 but it's something that we've discussed for a while already and we want to do it at one point 5030 03:01:52,500 --> 03:01:54,500 so that you can add some filter rules in there. 5032 03:01:54,500 --> 03:01:59,00 Yes, the only way to to do it here is through the api 5034 03:01:59,00 --> 03:02:05,500 so that means you done creating one and then you have to do a filtering {inaudible priority/proactively} 5037 03:02:05,500 --> 03:02:10,500 but it needs something there to be added 5039 03:02:10,500 --> 03:02:13,500 I don't know if you have an issue on that one. 5041 03:02:13,500 --> 03:02:16,500 Yeah I think we do. Yes, yes, I think we should be good. 5042 03:02:16,500 --> 03:02:23,500 So maybe you know what sometimes what we do is just to add the one on this one 5045 03:02:23,500 --> 03:02:28,500 If i can find it back so I guess you can see what kind of issue that we have and so on. 5048 03:02:28,500 --> 03:02:32,0 A lot of the issue that we have is more like 5049 03:02:32,0 --> 03:02:26,500 I mean around 25 percent, 30 percent are basically installation problem. 5052 03:02:26,500 --> 03:02:43,500 That's something that you can discuss maybe tomorrow about recommendation on the system 5056 03:02:43,500 --> 03:02:48,0 We don't need a lot of requirements but at least you need to have a LAMP system working 5059 03:02:48,0 --> 03:02:51,500 So MariaDB, linux systems and Redis running. 5061 03:02:51,500 --> 03:02:59,500 So obviously, for example, an Ubuntu distribution out of the box is working without any problems. 5064 03:02:59,500 --> 03:03:04,500 Now if you try to install a MISP on the MAC OS, you might run into problems obviously. 5067 03:03:04,500 --> 03:03:11,500 But what we recommend is we have automatic install script for ubuntu for example 5070 03:03:11,500 --> 03:03:13,500 and this one works works quite well. 5072 03:03:13,500 --> 03:03:19,0 I wanted to search the issue for... 5073 03:03:19,0 --> 03:03:21,500 You can just search the correlation graph, for correlation. 5074 03:03:21,500 --> 03:03:24,500 Yeah. correlation filtering. 5075 03:03:24,500 --> 03:03:30,500 Nah, that will be a bit too specific I think. No maybe not. Maybe yes. 5078 03:03:30,500 --> 03:03:32,500 We're filtering by correlation on {inaudible}. 5081 03:03:32,500 --> 03:03:51,500 Oh this one maybe. Yes. Yeah, yeah okay, this one, okay. So... One sec. 5082 03:03:51,500 --> 03:04:07,500 So that's how it works so if you see a component issue that 5086 03:04:07,500 --> 03:04:09,500 or a feature that is really interesting for you 5087 03:04:09,500 --> 03:04:14,500 don't hesitate to take an existing issue about specific requests and add some comments there. 5090 03:04:14,500 --> 03:04:20,500 Like for example, it's really the feature that you want, is it important for you, why and so on 5093 03:04:20,500 --> 03:04:23,500 and then we use that as a source of of doing a feature request 5095 03:04:23,500 --> 03:04:29,500 As an example, we do a release of MISP every three weeks usually 5098 03:04:29,500 --> 03:04:35,0 and there are many new features on each release 5100 03:04:35,0 --> 03:04:43,0 As an example we had a request like that someone just fixed two days ago about the events... 5102 03:04:43,0 --> 03:04:49,500 Oh we didn't even show it. Event timeline and then 5103 03:04:49,500 --> 03:04:51,500 we wanted to have something that is easy to set the number of days 5104 03:04:51,500 --> 03:04:55,500 and then he added the new feature. So sometimes it makes a lot of sense 5105 03:04:55,500 --> 03:05:00,500 so don't hesitate to create an issue and and propose a new feature. 5113 03:05:00,500 --> 03:05:08,500 Which remind me of showing you the event timeline because we didn't really show it. 5116 03:05:08,500 --> 03:05:18,500 So you see that on this one we have nearly everything on the same time 5118 03:05:18,500 --> 03:05:28,500 which is basically the time when we create the different object we just set the time for one so... 5120 03:05:28,500 --> 03:05:34,500 and then I can basically look at this one and this one is like the.. 5125 03:05:34,500 --> 03:05:38,500 Yeah, I don't know why we don't have the expansion on that one. 5127 03:05:38,500 --> 03:05:45,0 so for example if you have a specific time we can expand it and even change it in the graph 5130 03:05:45,0 --> 03:05:47,500 so that means if we have for example this email, 5134 03:05:47,500 --> 03:05:54,0 a thing that we can do is expand it and change when this has been seen 5135 03:05:54,0 --> 03:06:00,0 and we can even change at which time this specific model has been seen. 5138 03:06:00,0 --> 03:06:10,500 But that's again a good point to do is to automatically create a first thing last seen on your element. 5141 03:06:10,500 --> 03:06:16,0 Because every time you do that you will get an automatic timeline and actually a quick 5142 03:06:16,0 --> 03:06:19,500 I would say quick win when you do analysis. 5146 03:06:23,0 --> 03:06:28,500 So if there are no more questions about event creation perhaps one of the things we can do is show the searching. 5149 03:06:28,500 --> 03:06:33,0 How to search for stuff in your MISP. 5150 03:06:36,0 --> 03:06:40,0 okay so this is something that we're going to show very briefly now 5152 03:06:40,0 --> 03:06:42,500 and we're going to go in a bit more detail into this tomorrow 5154 03:06:42,500 --> 03:06:47,500 when we're also going to look at the api but generally whenever you're searching in MISP 5157 03:06:47,500 --> 03:06:52,500 the main question you need to ask yourself is what scope am I searching on? 5159 03:06:52,500 --> 03:06:56,500 Am i searching for individual attributes or am I searching for events? 5160 03:06:56,500 --> 03:07:01,500 The search filters very often overlapping or are almost the same 5164 03:07:01,500 --> 03:07:03.500 but one of the things you need to keep in mind is for example 5165 03:07:03.500 --> 03:07:08,500 if i'm searching for bitcoin addresses in my MISP instance, bitcoin wallets. 5169 03:07:08,500 --> 03:07:14,500 Am I searching for any event that contains at least one bitcoin address 5171 03:07:14,500 --> 03:07:18,500 or am I searching for just the bitcoin addresses themselves? 5173 03:07:18,500 --> 03:07:21,0 So this is when we decide between different scopes 5174 03:07:21,0 --> 03:07:26,500 so generally attribute scope will only give you the individual attributes that match the criteria 5178 03:07:26,500 --> 03:07:31,500 and the event scope will give you everything that contains at least one matching value. 5180 03:07:31,500 --> 03:07:39,0 So here what Alex did, he just searched using the attribute search for all the bitcoin addresses in the instance 5184 03:07:39,0 --> 03:07:41,500 and we see we get a bunch of them from different sources, 5186 03:07:41,500 --> 03:07:47,500 we see which events they're from which organization has created that information and so on and so forth 5190 03:07:47,500 --> 03:07:54,500 If we're happy with the search results and we've set up all our features and we're getting exactly what we were looking for 5192 03:07:54,500 --> 03:07:57,500 maybe even several pages of it like here. 5195 03:07:57,500 --> 03:08:00,500 We can download the results in any of these supported formats 5196 03:08:00,500 --> 03:08:03,0 so we could say okay now we have all these bitcoin addresses out there 5197 03:08:03,0 --> 03:08:07,500 generate the csv out of it and it will generate a massive csv 5200 03:08:07,500 --> 03:08:11,500 with all the attribute information for each of these. 5203 03:08:13,0 --> 03:08:17,500 I hope you're not running my time instance out of memory. 5205 03:08:19,0 --> 03:08:20,500 There it is. 5207 03:08:20,500 --> 03:08:28,500 So if you open it. Just to see the results quickly. There we go. 5209 03:08:28,500 --> 03:08:35,500 So in this case, we now downloaded our search results as csv. 5212 03:08:35,500 --> 03:08:38,500 Now keep in mind whenever you're dealing with integration of MISP 5213 03:08:38,500 --> 03:08:42,500 with other tools or exports keep in mind that certain formats don't really cater 5216 03:08:42,500 --> 03:08:44,0 to exporting certain types of data. 5218 03:08:44,0 --> 03:08:50,500 So if you're searching for ransomware payout wallets. 5220 03:08:50,500 --> 03:08:55,500 you could, for example, specify as a tag, all the different ransomware related tags that you have 5224 03:08:55,500 --> 03:09:01,0 and as a type select BTC like what Alex has done here and export the information. 5226 03:09:01,0 --> 03:09:03,500 Now when you're deciding what format to download in, 5228 03:09:03,500 --> 03:09:08,500 again, some don't make any sense so don't download bitcoin addresses in STIX format 5229 03:09:08,500 --> 03:09:12,500 because STIX doesn't have a way to express bitcoin addresses for example. 5233 03:09:12,500 --> 03:09:17,0 So just make sure that you also take that into consideration when exporting data 5235 03:09:17,0 --> 03:09:18,500 so that it's not {inaudible}. 5236 03:09:18,500 --> 03:09:24,500 Besides that we can do the same on the event level, we can also do searches on the event level. 5239 03:09:24,500 --> 03:09:28,500 If we go back to our event index, we have a little magnifying glass icon 5240 03:09:28,500 --> 03:09:34,500 where you can add additional filter options to the index and filter the database on that. 5245 03:09:34,500 --> 03:09:39,500 So let's just do "CIRCL", we're going to just filter on events coming from CIRCL 5248 03:09:39,500 --> 03:09:42,500 and we can also add, for example, events that are not published. 5250 03:09:42,500 --> 03:09:46,500 If you wanted to do some final checks on whether... 5251 03:09:46,500 --> 03:09:49,500 We need to add the organization again. 5253 03:09:49,500 --> 03:09:52,500 whether we have any events that need to be vetted. 5254 03:09:52,500 --> 03:09:56,500 For example for our own organization, then we could use this filter for it. 5257 03:09:56,500 --> 03:10:02,0 On the event index, all of these search filters that you apply generate a specific url 5259 03:10:02,0 --> 03:10:06,500 and you can bookmark it, so if you have recurring queries that you want to monitor 5263 03:10:06,500 --> 03:10:10,0 then you can just bookmark the url and you can go back to it later on 5265 03:10:10,0 --> 03:10:13,500 and see if there is anything that popped up that matches your search criteria. 5267 03:10:14,0 --> 03:10:21,0 now generally like I think 90% of our searches do not actually happen via the UI 5270 03:10:21,0 --> 03:10:25,500 they happen via the API, so very often you have tools that you search through 5272 03:10:25,500 --> 03:10:30,500 So if you have a tool that acts as a front-end for your MISP for certain searches that works as well. 5276 03:10:32,0 --> 03:10:36,500 We're going to talk more about those type of searches and how you integrate with other tools tomorrow more 5279 03:10:36,500 --> 03:10:39,0 When we go into the api 5280 03:10:39,0 --> 03:10:42,500 There is a question about soft delete attribute search 5282 03:10:42,500 --> 03:10:44,0 I just lost the Q&A page. 5283 03:10:44,0 --> 03:10:49,500 So Martin asks "is there a way to do a global search for soft delete attributes?" 5285 03:10:49,500 --> 03:10:54,500 Yes, sorry, where is it? For soft delete attributes? Yes there is. 5288 03:10:54,500 --> 03:11:01,0 So not via the UI but via the API which you can also access via the UI by the way. 5290 03:11:01,0 --> 03:11:04,500 We have a tool. We have a built-in tool. We can even show this example there. 5291 03:11:04,500 --> 03:11:07,500 we didn't show the delete 5294 03:11:07,500 --> 03:11:08,500 Haha, that's a good point. 5294 03:11:08,500 --> 03:11:14,500 Let's start with the question first and then we go to the delete S296 03:11:14,500 --> 03:11:20,500 so we have this built-in tool called the "REST client" that allows us to run searches directly from the interface. 5299 03:11:20,500 --> 03:11:25,500 So generally indeed we have a soft delete mechanism in MISP 5300 03:11:25,500 --> 03:11:31,500 that allows you to to not fully remove an attribute but mark it for deletion. 5304 03:11:32,238 --> 03:11:36,500 The reason why we do this in general is whenever we're synchronizing information 5306 03:11:36,159 --> 03:11:38,799 and we delete an attribute we want to inform all the other instances 5307 03:11:37,439 --> 03:11:41,500 that an attribute needs to be removed, it is revoked. 5310 03:11:42,159 --> 03:11:47,500 So this is why we do the soft delete where we hide it from the interface, we hide it from the exports 5313 03:11:48,478 --> 03:11:53,500 but we still keep the data and we inform the other instances that they need to also mark it for deletion. 5316 03:11:54,0 --> 03:11:59,500 Now if the question is how do we do a global search for all the soft deleted attributes. 5318 03:11:58,799 --> 03:12:04,500 So first of all what we need to do using our little REST search tool is 5321 03:12:04,478 --> 03:12:09,500 by the way we have the Modern APIs here, so to create a new API unless you know yours by heart 5324 03:12:12,0 --> 03:12:22,500 so alex because... So just quickly, so in the meanwhile what Alex is doing now is 5327 03:12:20,478 --> 03:12:28,500 he's going to generate a new api key for himself so that we can actually test the api queries. 5331 03:12:28,500 --> 03:12:31,500 Oh that won't work. 5332 03:12:31,500 --> 03:12:37,500 Yeah you can add another key from here as well, this will work. 5333 03:12:37,500 --> 03:12:39,500 Yeah that works. 5335 03:12:59,0 --> 03:13:02,500 Global action, my profile, by the way if you want to find your profile. 5337 03:13:17,0 --> 03:13:19,500 Okay, so now we have our api key. 5338 03:13:19,500 --> 03:13:23,500 Now we go to REST client we just paste it in there now in the authorization field. 5341 03:13:27,0 --> 03:13:30,0 Here we go and now what we're going to do is we're going to run a search 5343 03:13:30,0 --> 03:13:34,500 for all soft delete attributes so we're going to search for attribute restSearch. 5345 03:13:34,500 --> 03:13:38,500 So that is a scope that allows us to search on the attribute level. 5347 03:13:38,500 --> 03:13:42,500 we'll see more of this tomorrow, just a small example. 5349 03:13:42,500 --> 03:13:47,0 For return format, let's pick something like JSON 5350 03:13:54,0 --> 03:14:00,0 and perhaps set a page under limit or take one limit 100 or something like that 5354 03:14:01,120 --> 03:14:03,500 I don't know how much was deleted here but it might be a lot 5356 03:14:04,639 --> 03:14:07,500 and then just add another key deleted, there we go 5358 03:14:07,500 --> 03:14:16,0 and then deleted set to 1 5359 03:14:16,0 --> 03:14:19,0 and we don't need anything else 5360 03:14:19,0 --> 03:14:26,500 and this will return the first 100 hits from the instance of attributes that are deleted. 5363 03:14:30,0 --> 03:14:35,0 There we go And now if you wanted to paginate through all these attributes 5364 03:14:33,600 --> 03:14:37,500 you would have to just raise the page number. 5367 03:14:37,500 --> 03:14:40,500 Go back and and get page 2, page 3, page 4, and so on 5369 03:14:40,500 --> 03:14:44,500 or if we have enough memory certainly my training instance definitely doesn't 5371 03:14:44,500 --> 03:14:47,500 then we could just say give us everything in one shot. 5373 03:14:49,0 --> 03:14:53,500 Okay so I hope that answers your question Martin. 5375 03:14:53,500 --> 03:14:58,500 There is also a question, is there an official MISP docker image? 5377 03:14:58,500 --> 03:15:04,500 There are actually several, they're not maintained by us but by contributors 5380 03:15:04,500 --> 03:15:08,500 that are very active and working closely with us. 5382 03:15:08,500 --> 03:15:12,500 So I've pasted one example in the zoom group chat. 5384 03:15:12,500 --> 03:15:18,500 I don't know if maybe it's not visible to everyone. I can just drop it as an answer here. 5387 03:15:18,500 --> 03:15:20,500 Yeah, it's better. 5388 03:15:20,500 --> 03:15:25,500 So this one is done by coolacid, so why are there are so many docker MISP? 5390 03:15:25,500 --> 03:15:34,0 That's I think the specialty of docker, not everyone agrees on a model with docker 5392 03:15:34,0 --> 03:15:38,0 so there are at least as far as I know four or five different dockers 5394 03:15:38,0 --> 03:15:43,500 there's one managed by DCSO, one by CoolAcid, one by Xavier Mertens and 5397 03:15:43,500 --> 03:15:47,00 one by HarvardSecurity and I'm sure I'm missing some. 5399 03:15:47,00 --> 03:15:55,500 So the thing is for the docker images it's depending on I would say your taste 5402 03:15:55,500 --> 03:15:59,500 so have a look at what the different contributors are doing 5404 03:15:59,500 --> 03:16:05,500 and you'll see that you pick the one that is matching what you really want to do with docker. 5408 03:16:05,500 --> 03:16:12,500 Some are really more separated container wise some are more like one single container with everything 5412 03:16:12,500 --> 03:16:16,500 Again it's a maker of taste and how you want to operate one 5414 03:16:16,500 --> 03:16:18,500 we don't maintain one as MISP project 5415 03:16:18,500 --> 03:16:22,00 but there are some that are under our MISP project {inaudible} position. 5418 03:16:27,0 --> 03:16:32,0 Someone is asking about API key to invoke cortex analyzer. 5420 03:16:32,0 --> 03:16:39,500 For the cortex analyzer, it's a separate toolset part of the HIVE project 5423 03:16:39,500 --> 03:16:42,500 and then you have specific API keys. 5424 03:16:42,500 --> 03:16:48,500 Cortex extension is like MISP module so it works for the expansion services 5426 03:16:48,500 --> 03:16:53,500 Be careful, cortex analyzer are not supporting objects and stuff like that 5428 03:16:53,500 --> 03:16:58,500 which is the case for MISP modules so you might have expansion on the interface 5431 03:16:58,500 --> 03:17:00,500 but if you want full-blown expansion with relationship and so on 5433 03:17:00,500 --> 03:17:04,500 then you can use MISP modules. A lot of organizations are mixing both 5434 03:17:04,500 --> 03:17:09,500 so you can have cortex-enabled and MISP modulus enabled on the same MISP instance 5438 03:17:09,500 --> 03:17:14,500 But going back to the question if you already have the Cortex API encoded in your MISP 5440 03:17:14,500 --> 03:17:19,0 and you want to invoke a lookup through the API through MISP 5442 03:17:19,0 --> 03:17:24,500 then you can use your MISP API to tell your MISP to run a query against Cortex. 5445 03:17:27,0 --> 03:17:33,500 But with the new api key models usually it's better to have dedicated API key per {inaudible}. 5447 03:17:35,0 --> 03:17:41,500 Okay, there is something else, is there a way.. we had that already 5450 03:17:44,0 --> 03:17:47,500 Could you touch on how we could use one event to add multiple attributes 5451 03:17:47,500 --> 03:17:50,500 and how would correlation work here? 5453 03:17:50,500 --> 03:17:53,500 Configure event one to fetch all records from a feed 5455 03:17:53,500 --> 03:17:55,0 Would this work with correlation? 5456 03:17:55,0 --> 03:17:59,500 Show all instances where any of those attributes match with other events from other organization events 5459 03:17:59,500 --> 03:18:05,500 Well okay if I understand it correctly, indeed so if you do that 5461 03:18:05,500 --> 03:18:10,0 you create an event for a phishing feed and you have those attributes in there 5464 03:18:10,0 --> 03:18:15,500 and you have cached other instances, then within that that feed's event 5466 03:18:15,500 --> 03:18:21,500 you will see correlations both to other events created locally on your instance by other organizations 5470 03:18:21,500 --> 03:18:27,500 as well as links to other instances that have the data as long as you have cached those events 5474 03:18:27,500 --> 03:18:31,500 so we're going to talk more about that tomorrow about the synchronization 5475 03:18:31,500 --> 03:18:34,500 but when you're interconnecting with another instance you can do it in two ways, 5479 03:18:34,500 --> 03:18:37,500 one I want to start exchanging data, pushing data, pooling data 5481 03:18:37,500 --> 03:18:41,500 or two I can just tell my MISP to go crawl that other instance 5484 03:18:41,500 --> 03:18:46,500 hash all the values that they have and if I ever get the correlation 5486 03:18:46,500 --> 03:18:51,500 then it flags it for me then it shows me that the instance already knows about this value 5488 03:18:51,500 --> 03:18:57,500 and I can pivot over to previewing the data. So I hope that answers that. 5489 03:18:57,500 --> 03:19:02,500 Yeah, and then the correlation of feeds for example if you just enable the caching 5493 03:19:02,500 --> 03:19:07,500 you just see that it's correlating with specific values without providing the full feed 5495 03:19:07,500 --> 03:19:11,0 sometimes it's quite handy when you have for example feed that 5499 03:19:11,0 --> 03:19:14,500 you cannot show the data but you can show the correlation, 5500 03:19:16,0 --> 03:19:18,500 There's another one, do you recommend using MISP alone 5501 03:19:18,500 --> 03:19:21,500 or using the Hive MISP Cortex integration 5502 03:19:21,500 --> 03:19:26,500 I mean generally if you need a case management tool then using the Hive for that is great 5506 03:19:26,500 --> 03:19:34,500 So it makes absolute sense to use them together and integration is really smoothly done 5509 03:19:34,500 --> 03:19:37,500 so that means that no matter where you start your process, 5510 03:19:37,500 --> 03:19:39,500 whether you start by creating an event in MISP 5511 03:19:39,500 --> 03:19:42,500 or whether you start by creating a case in the Hive 5512 03:19:42,500 --> 03:19:45,500 you can basically propagate the data to the other tool 5513 03:19:45,500 --> 03:19:50,0 and work on both tools and data. So yeah, so absolutely 5519 03:19:50,0 --> 03:19:55,0 Yeah, absolutely it's pretty smooth, just be careful if you use the expansion on MISP 5521 03:19:55,0 --> 03:19:59,0 and you have MISP modules enabled I would prefer to have MISP modules enabled 5523 03:19:59,0 --> 03:20:05,500 because you basically have all the features of MISP like relationship, objects and so on 5526 03:20:05,500 --> 03:20:10,500 with the cortex integration is basically just a layover with the Cortex 5528 03:20:10,500 --> 03:20:12,500 Yeah but one of the things that you can do is 5531 03:20:12,500 --> 03:20:16,500 if you start for example from the Hive perspective and you push the data afterwards to misp 5533 03:20:16,500 --> 03:20:21,500 you can then go through this process like what we've done here with enriching the information 5536 03:20:21,500 --> 03:20:25,500 creating objects that affect attributes so you can do it as a secondary step 5538 03:20:25,500 --> 03:20:28,500 before you share it out to community to refine the data in MISP 5539 03:20:28,500 --> 03:20:30,500 that you've created in the Hive for example 5540 03:20:30,500 --> 03:20:34,500 and the same thing if you've used cortex to fetch additional information in the Hive 5544 03:20:34,500 --> 03:20:38,500 you can then take that data and further enrich it with MISP modules once it's in MISP. 5547 03:20:38,500 --> 03:20:43,500 Yeah this is a good question from Muhamad Junaid about 5549 03:20:43,500 --> 03:20:47,500 when I try to import the data from STIX to MISP it's called lossy 5551 03:20:47,500 --> 03:20:50,500 like can you please explain that a bit and this one is interesting 5553 03:20:50,500 --> 03:20:54,0 because it's... I was saying a long long long discussion 5554 03:20:54,0 --> 03:20:59,500 and that even influence how MISP evolved and the standard behind MISP 5557 03:20:59,500 --> 03:21:05,500 so STIX is really focusing on cybersecurity and cyber threat intelligence 5558 03:21:05,500 --> 03:21:11,500 and the problem is you might have at some point in time 5559 03:21:11,500 --> 03:21:14,500 data that are basically not defined anywhere 5564 03:21:14,500 --> 03:21:20,500 so it's more for the export of data so for example if you export in a MISP event 5566 03:21:20,500 --> 03:21:25,0 and you have for example an object with the person and stuff like that 5568 03:21:25,0 --> 03:21:27,500 it won't be in the STIX to export for example. 5570 03:21:27,500 --> 03:21:32,500 So it means that in MISP even if you get all the information 5571 03:21:32,500 --> 03:21:35,500 but it's bound to the limitation of the standards and the format 5574 03:21:35,500 --> 03:21:38,500 where you export and it's exactly the same for any format 5575 03:21:38,500 --> 03:21:42,500 I mean if you export a person in Suricata format 5576 03:21:42,500 --> 03:21:47,500 obviously you don't have any field or things like that with person and so on 5580 03:21:47,500 --> 03:21:50,500 so that's why we call it lossy because sometimes when you import data 5582 03:21:50,500 --> 03:21:57,500 it's bound to a specific set of fields that are supported and so on 5584 03:21:57,500 --> 03:22:00,500 Another thing that is quite important with STIX, 5585 03:22:00,500 --> 03:22:06,500 you might have a lot of peculiarities or specialities depending on the vendor 5589 03:22:06,500 --> 03:22:10,500 some vendors are adding some specific custom objects things like that 5591 03:22:10,500 --> 03:22:13,500 that are not bound to any existing one 5593 03:22:13,500 --> 03:22:19,500 so we are importing them as kind of you know generic one but it is basically like lossy again 5596 03:22:19,500 --> 03:22:23,500 so you have to be careful when you use a specific format 5598 03:22:23,500 --> 03:22:27,500 to be sure that you properly map an existing different one. 5600 03:22:27,500 --> 03:22:31,200 So it's more for the export, MISP quite flexible on that 5601 03:22:31,200 --> 03:22:36,500 so you can basically have any object you like but when we export for example in STIX one 5603 03:22:36,500 --> 03:22:42,00 we just export what is existing in STIX even if we start we added some custom objects too 5607 03:22:42,00 --> 03:22:49,500 some which are on to the MISP object but some tools will not recognize obviously the custom object 5610 03:22:49,500 --> 03:22:53,500 because they are just having a profile for a specific set of known objects. 5614 03:22:53,500 --> 03:22:58,500 Yeah I think that's exactly the point that maybe is different from 5615 03:22:58,500 --> 03:23:01,500 when we described the text in those import and export fields. 5619 03:23:01,500 --> 03:23:06,500 we say lossy but in reality what we do is we do try to capture everything 5620 03:23:06,500 --> 03:23:09,500 and we do try to map everything but a lot of it will end up in custom objects. 5624 03:23:09,500 --> 03:23:16,500 Now what Alex mentioned is the problem even if we export bitcoin addresses for example 5626 03:23:16,500 --> 03:23:19,500 whenever we're pushing in STIX2 format as custom objects 5627 03:23:19,500 --> 03:23:23,500 no other tool will pick up on it because we're just using custom objects 5628 03:23:23,500 --> 03:23:26,500 unless the other tool specifically looks for them 5629 03:23:26,500 --> 03:23:30,500 they will just either store it as is or not know what to do with it. 5630 03:23:30,500 --> 03:23:38,500 Yeah and that that's why we recommend a feed provider or vendors and so on to actively support the MISP format 5637 03:23:38,500 --> 03:23:42,500 then they can they can really import a full set of objects 5638 03:23:42,500 --> 03:23:44,500 and {inauidble, either some already exist in MISP/some are resisting it}. 5643 03:23:44,500 --> 03:23:47,500 Yeah in some cases however you don't really care about having the full set 5645 03:23:47,500 --> 03:23:50,500 and that's where for example specialized formats are really cool 5647 03:23:50,500 --> 03:23:56,500 so whenever we're feeding for example an ids for example we don't care about bitcoin addresses. 5649 03:23:56,500 --> 03:24:03,500 So in those cases STIX and MISP both are very expressive exchange formats 5653 03:24:03,500 --> 03:24:06,500 but whenever you're dealing with feeding tools for example 5654 03:24:06,500 --> 03:24:10,500 you don't care about about losing, 90% even, of the data set 5655 03:24:10,500 --> 03:24:16,500 as long as you capture those type of data points that your tool can process in the end. 5659 03:24:16,500 --> 03:24:19,500 So this is why generally what we recommend is 5660 03:24:19,500 --> 03:24:21,500 if you have the option for example to export data from MISP 5663 03:24:21,500 --> 03:24:24,500 is for your IDS for your SIEM and so on and you have the option between 5665 03:24:24,500 --> 03:24:28,500 for example STIX or Snort or Surikata go with Snort or Surikata 5666 03:24:28,500 --> 03:24:34,500 because those are much more catering to what your tools can actually understand 5670 03:24:34,500 --> 03:24:38,500 Yeah, for example for Yara the same you prefer to have like a 5671 03:24:38,500 --> 03:24:44,500 good Yara rule set that you can run into another anti-virus or your endpoint protection device 5675 03:24:44,500 --> 03:24:48,500 and having a generic one that will not help you to lose the detection. 5677 03:24:52,0 --> 03:24:55,0 Are there any other questions? 5678 03:24:56,0 --> 03:24:59,500 You already took that one that is there that is longer. 5681 03:24:59,500 --> 03:25:02,500 I think we took most of them unless they missed one. 5682 03:25:03,500 --> 03:25:09,500 Yeah, perhaps we should show the deletions because we we didn't actually show it, indeed. 5685 03:25:09,500 --> 03:25:10,500 Yeah, exactly. 5686 03:25:13,0 --> 03:25:18,500 Okay, oh and now we have some more questions but we can take those after. 5688 03:25:18,500 --> 03:25:23,500 Yeah let's quickly show the deletions so if we go to an event. 5691 03:25:23,500 --> 03:25:25,500 yeah I'll take a hundred events. 5692 03:25:25,500 --> 03:25:29,500 So this is a massive gotcha basically in MISP 5694 03:25:29,500 --> 03:25:33,500 which we have some protective measures in place to avoid this 5695 03:25:33,500 --> 03:25:37,500 but one of the things that you really need to watch out for is 5698 03:25:37,500 --> 03:25:40,500 when you when you add data to MISP and you noticed 5700 03:25:40,500 --> 03:25:45,500 oh crap I should not have added a piece of information that is either confidential information, 5702 03:25:45,500 --> 03:25:48,500 information about the victim that I shouldn't share and so on. 5705 03:25:48,500 --> 03:25:53,500 First delete the attribute, that attribute might still be contained in the event 5707 03:25:53,500 --> 03:25:58,500 in a soft deleted format. You can always toggle and see the deleted attributes within an event 5710 03:25:58,500 --> 03:26:04,500 So I will create an event from scratch as you can see 5712 03:26:04,500 --> 03:26:10,0 Okay so before I move forward on that so we have two protective measures in place 5714 03:26:10,0 --> 03:26:14,500 to avoid accidental information leakage violation. 5715 03:26:14,500 --> 03:26:19,500 One is basically that by default we do not use the soft delete method for 5717 03:26:19,500 --> 03:26:24,500 anything that was unpublished at first so we're going to show it as an example 5720 03:26:24,500 --> 03:26:27,500 so here's some sensitive information, if Alex were to delete this now 5723 03:26:27,500 --> 03:26:29,500 this attribute, this would get hard deleted, 5724 03:26:29,500 --> 03:26:34,500 So this will not create a soft deletion, MISP already tells us 5725 03:26:34,500 --> 03:26:37,500 are you sure you want to hard delete the attribute? So when you read the text 5728 03:26:37,500 --> 03:26:39,500 you will see the difference there in the wording. 5729 03:26:39,500 --> 03:26:43,500 The reason for that is the event has not been published yet 5730 03:26:43,500 --> 03:26:45,500 we know that it has not probably been propagated to other instances. 5734 03:26:45,500 --> 03:26:49,500 There is absolutely no reason to inform anyone that this has been deleted 5736 03:26:49,500 --> 03:26:52,500 so we can immediately just hard delete it. 5738 03:26:52,500 --> 03:26:56,0 So when we do that, it will get hard deleted. 5739 03:26:56,0 --> 03:26:58,500 However, if the event has already been published 5740 03:26:58,500 --> 03:27:01,500 this has already been shared out to other instances potentially. 5742 03:27:01,500 --> 03:27:04,0 So in this case, if we were to delete it, MISP will tell us 5743 03:27:04,0 --> 03:27:07,500 oh are you sure you want to soft delete this attribute 5744 03:27:07,500 --> 03:27:09,500 because this is already a published event. 5747 03:27:09,500 --> 03:27:14,0 Now it looks like our event is empty but if you look at the deleted flag 5748 03:27:14,0 --> 03:27:16,500 you will see that the sensitive attribute is still there 5751 03:27:16,500 --> 03:27:19,500 and if I were to publish the event now, this sensitive attribute 5753 03:27:19,500 --> 03:27:23,500 would get propagated along with the event. 5754 03:27:23,500 --> 03:27:29,500 If you want to avoid this altogether, there is a way to mangle any attribute that gets self-deleted. 5757 03:27:29,500 --> 03:27:32,500 What happens in that case is a category will be set to Other 5759 03:27:32,500 --> 03:27:36,500 type will be set to Other and value will be set to Redacted. 5761 03:27:36,500 --> 03:27:40,500 This is a server-wide setting so your administrator or if you are the administrator 5762 03:27:40,500 --> 03:27:43,500 then you yourself can set this setting in the server settings. 5765 03:27:43,500 --> 03:27:48,0 The downside of that is if you are mangling attributes that you're soft deleting 5767 03:27:48,0 --> 03:27:52,0 it will still inform the other instances, they will still remove the data 5768 03:27:52,0 --> 03:27:54,500 soft delete the data because the uid is reserved. 5771 03:27:54,500 --> 03:27:57,500 However, you cannot recover the attribute anymore. 5772 03:27:57,500 --> 03:28:02,500 So in this case right now we deleted attribute, Alex could now click on the recover button 5776 03:28:02,500 --> 03:28:07,500 and the attribute will be recovered as a normal attribute so if you made a mistake you can recover it. 5779 03:28:07,500 --> 03:28:12,500 So there are two different mindsets, I want to make my data recoverable 5781 03:28:12,500 --> 03:28:15,500 and that I want to always inform others 5783 03:28:15,500 --> 03:28:19,500 versus I want to always hard delete data that I delete. 5784 03:28:19,500 --> 03:28:25,500 Both of them have a setting so just pick and choose whichever makes sense for your community. 5787 03:28:25,500 --> 03:28:31,500 Whether you prefer secrecy or prefer convenience basically so that's it's basically. 5790 03:28:31,500 --> 03:28:37,0 -Yeah that's delete for attribute so if we delete an event that's another story. -Yeah 5792 03:28:37,0 --> 03:28:42,500 And this one is interesting because now we have these options where we say 5795 03:28:42,500 --> 03:28:46,500 I want to delete this event and obviously it will be deleted on your instance. 5798 03:28:46,500 --> 03:28:53,500 Nevertheless this even has been already synchronized, copy on different MISP instances 5802 03:28:53,500 --> 03:28:56,500 so that means at the next synchronizations the event should be pulled 5805 03:28:56,500 --> 03:28:59,500 but to avoid such kind of of issue 5806 03:28:59,500 --> 03:29:04,500 MISP is automatically generating a block list of all those deleted events 5808 03:29:04,500 --> 03:29:09,500 so if you are the administrator you can see at the "Blocklist events", 5810 03:29:09,500 --> 03:29:14,500 you can see the the one that I just deleted. So why we do that? 5812 03:29:14,500 --> 03:29:19,500 It's very simple. We don't want to re-import the event that has been deleted 5814 03:29:19,500 --> 03:29:21,500 because locally we don't want this event. 5816 03:29:21,500 --> 03:29:27,500 So it's a blocklist of all the {inaudible} but there is a catch there. 5818 03:29:27,500 --> 03:29:31,500 Sometimes we have people, oh i'm doing some tests and so on 5820 03:29:31,500 --> 03:29:33,500 I'm synchronizing with MISP but I can't seem to get my event back 5822 03:29:33,500 --> 03:29:36,500 and obviously yes because it's there in this block list. 5824 03:29:36,500 --> 03:29:40,500 So if you have some tests and you're running some tests, don't forget to look at the block list 5826 03:29:40,500 --> 03:29:46,0 and maybe you want to just remove the event from the blocklist 5827 03:29:46,0 --> 03:29:48,500 and then you can synchronize back the event. 5830 03:29:48,500 --> 03:29:52,0 there's something to keep in mind it's there, it's done automatically 5831 03:29:52,0 --> 03:29:56,500 but in some cases you want to manage the blocklist so that's something to keep in mind. 5835 03:29:56,500 --> 03:30:05,500 Yep something else that we perhaps should touch on here is 5838 03:30:05,500 --> 03:30:09,500 for the event deletions besides just a blocklist part 5840 03:30:09,500 --> 03:30:12,0 there is one thing that comes up as a question very often is. 5841 03:30:12,0 --> 03:30:14,500 how do I inform others that an event needs to be removed? 5843 03:30:14,500 --> 03:30:19,500 We don't have a mechanism in place for that so while we can revoke attributes for events 5845 03:30:19,500 --> 03:30:22,500 We don't have that and there's a reason for that. 5847 03:30:22,500 --> 03:30:27,500 In general whenever it comes to events we don't want to give the power 5848 03:30:27,500 --> 03:30:34,500 to just outright delete events remotely this way so this might change in the future. 5853 03:30:34,500 --> 03:30:39,500 We're having discussions on that whether we want to enable that or not but currently that's not the case. 5855 03:30:39,500 --> 03:30:45,500 Yeah and usually we take as an example emails I mean you can remove emails from your personal mailbox 5858 03:30:45,500 --> 03:30:48,500 but from the remote mailbox if someone already receives the emails 5861 03:30:48,500 --> 03:30:52,500 you want to have the control over third parties on the mailbox 5862 03:30:52,500 --> 03:30:56,0 that might be one of the drawback I would say. 5864 03:30:56,0 --> 03:31:01,500 So there are two new questions one of them is basically can you demonstrate 5866 03:31:01,500 --> 03:31:06,500 the progressive enrichments of events by the shared communities over time with correlations. 5869 03:31:06,500 --> 03:31:10,500 This one is tough I mean i'm not sure how we could demonstrate that because 5871 03:31:10,500 --> 03:31:15,500 we're not dealing with live instances with live data sets and active sharing 5875 03:31:15,500 --> 03:31:21,500 but perhaps for tomorrow we will prepare an example where we can show it off 5877 03:31:21,500 --> 03:31:28,500 and choose an event that we can show on one of the operational instances 5879 03:31:28,500 --> 03:31:34,500 but I can show one on, you know what I can go on just one second 5880 03:31:34,500 --> 03:31:42,500 I'm going on an instance. So it was.. oh we are flexible 5881 03:31:42,500 --> 03:31:49,500 So it's not simple to do it no but so it's maybe something interesting there. 5888 03:31:49,500 --> 03:31:56,500 So I'm connecting an instance where I have more expansion services active and so on. 5892 03:31:56,500 --> 03:32:01,500 I'll just keep it for "My Organization Only" so i'm creating an event there 5894 03:32:01,500 --> 03:32:08,500 so what happens on progressively enriching event by shared communities 5896 03:32:08,500 --> 03:32:11,0 I mean it's going back and forth to different communities 5898 03:32:11,0 --> 03:32:14,500 but I can imitate what the community is doing usually. 5900 03:32:14,500 --> 03:32:24,500 so if I'm creating an attribute for example I will create a hostname with some network activity. 5903 03:32:24,500 --> 03:32:37,500 So we have specifically a test that we created with this kind of... 5905 03:32:37,500 --> 03:32:41,0 so what would be your community and sharing? 5907 03:32:41,0 --> 03:32:42,500 So it could be for example in the same organization 5908 03:32:42,500 --> 03:32:47,500 in my case it's just shared to the organization so if I publish event here 5910 03:32:47,500 --> 03:32:53,500 it will be shared with all different instances maybe the different members of CIRCL 5914 03:32:53,500 --> 03:33:01,500 and one of my colleagues is taking one of the indicators there 5916 03:33:01,500 --> 03:33:07,500 and then he's going on the Faresight database doing a full-blown expansion 5917 03:33:07,500 --> 03:33:09,500 so that means he's basically doing a full-blown expansion. 5921 03:33:09,500 --> 03:33:17,500 What do I have here? I have a a complete set of objects for a specific domain 5922 03:33:17,500 --> 03:33:24,500 so you see again I'm going to the event graph now I enter my domain name 5923 03:33:24,500 --> 03:33:27,500 and I have all the passive DNS records associated to that one 5929 03:33:27,500 --> 03:33:32,500 and in this one I think I will have the event timeline 5930 03:33:32,500 --> 03:33:36,0 I have a completely different timeline of the different expansion and so on. 5932 03:33:36,0 --> 03:33:44,500 So then I will have one of my... it will be published again with the data. 5937 03:33:44,500 --> 03:33:51,0 If it's a collaboration I would say in the same team that's a thing 5939 03:33:51,0 --> 03:33:56,500 so it's sometimes people are working on the same event and publishing it 5942 03:33:56,500 --> 03:34:03,500 Sometimes they are sharing it and doing additional expansion on the things 5945 03:34:03,500 --> 03:34:07,500 until to reach a specific point that is like I would say 5946 03:34:07,500 --> 03:34:15,500 accessible or at least publishable in a publishing state that is acceptable by various people. 5950 03:34:16,0 --> 03:34:23,500 Now we can make proposal too. So that means if we are again with a different organization, 5952 03:34:23,500 --> 03:34:28,500 i don't know if in this example it will work but I can take... 5956 03:34:28,500 --> 03:34:31,500 do I have something interesting there 5958 03:34:33,760 --> 03:34:38,500 Yeah, for example I see an interesting IP address, this one. 5960 03:34:38,500 --> 03:34:46,500 So what I could do is i could add.. 5961 03:34:46,500 --> 03:34:52,500 What's going on here? 5964 03:34:52,500 --> 03:34:57,500 {inaudible} 5965 03:35:04,0 --> 03:35:13,500 Okay just a demo effect, typical. 5967 03:35:13,500 --> 03:35:22,500 What's going on? Okay, just going back to this one I just want to add a proposal. 5970 03:35:22,500 --> 03:35:27,500 Yes I cannot just... 5971 03:35:27,500 --> 03:35:30,500 you wanted but you're admin. 5972 03:35:30,500 --> 03:35:37,500 You can cheat if you really want, you can do it. 5974 03:35:37,500 --> 03:35:44,0 Yeah, wait, fine. It's just like okay so I don't know for {inaudible} if we answered your question 5977 03:35:44,0 --> 03:35:50,500 but I mean a full-blown step would be like that, if you work on an event it's not a single person obviously. 5980 03:35:50,500 --> 03:35:54,500 When you do an investigation, you do like multiple steps but the question is more like 5984 03:35:54,500 --> 03:35:59,500 if you do it within a team usually you edit the current event in the same organizations 5987 03:35:59,500 --> 03:36:05,500 if you do inter-team, you do proposal, extend it even like we showed before 5988 03:36:05,500 --> 03:36:09,500 and then you start to work on this thing, so it's really depending on the case. 5992 03:36:09,500 --> 03:36:15,0 so I hope you can see what are the capabilities there 5993 03:36:15,0 --> 03:36:22,500 but it's really the progressive approach of collaboration usually depends on how people are working together. 5994 03:36:22,500 --> 03:36:25,500 If they are really external it's more proposal, extended event. 5999 03:36:25,500 --> 03:36:30,500 If it's within the same team it could be extended event or within the same event, 6001 03:36:30,500 --> 03:36:35,500 that's usually the two way of working. Andras, if you want to add something on that? 6003 03:36:35,500 --> 03:36:43,500 No yeah, that's perfect. Perhaps another question if you're okay with switching. 6007 03:36:43,500 --> 03:36:49,0 Yeah when speaking of feeding tools what would be the automatic way of doing it? 6009 03:36:49,0 --> 03:36:52,500 So normally when we're talking about feeding tools there are two separate ways of doing it 6011 03:36:52,500 --> 03:36:56,500 and we'll go way way deeper into this tomorrow when we talk about integration 6013 03:36:56,500 --> 03:36:58,500 but generally tools can either fetch data from MISP 6014 03:36:58,500 --> 03:37:02,500 so this is a more common way where a tool would use REST search API 6015 03:37:02,500 --> 03:37:06,0 that we mentioned before where you define your search patterns 6016 03:37:06,0 --> 03:37:10,500 for example give me everything that is newer than 30 days, 6017 03:37:10,500 --> 03:37:16,500 everything that is not coming from say OSINT sources 6025 03:37:16,500 --> 03:37:21,500 or perhaps not something, nothing that comes related to a certain topic 6027 03:37:21,500 --> 03:37:26,500 for example I'm not interested in Ransomware when feeding my tools, just a stupid example. 6031 03:37:26,500 --> 03:37:28,500 So you set up your filter options 6032 03:37:28,500 --> 03:37:32,500 and then your tool would fetch data from MISP every 60 minutes, for example. 6035 03:37:32,500 --> 03:37:40,500 and then replace the data set there. You can also do sliding time window searches 6037 03:37:40,500 --> 03:37:43,500 where you say give me everything from the past 60 minutes that is new 6040 03:37:43,760 --> 03:37:50,500 and then you keep concatenating your dataset on the SIEM side, IDS side, whatever tool you're feeding. 6043 03:37:50,500 --> 03:37:53,500 the alternative, if you want to have the data push automatically as it comes in 6046 03:37:53,500 --> 03:37:56,500 you have different channels in MISP that your tools can latch on to. 6048 03:37:56,500 --> 03:38:01,500 The downside being that you still need to do the conversion in those cases. 6050 03:38:01,500 --> 03:38:08,500 So if you were not using the APIs to fetch the data from MISP 6053 03:38:08,500 --> 03:38:12,0 then MISP can push using the MISP JSON format data down 6054 03:38:12,0 --> 03:38:19,500 via different channels ZeroMQ or the Kafka channel or this blog and so on 6059 03:38:19,500 --> 03:38:25,500 and then your tools automatically feed on that data so you have these two different ways of interacting with it 6062 03:38:25,500 --> 03:38:28,0 There's also a third way where you can basically 6063 03:38:28,0 --> 03:38:33,500 either build an export module or an enrichment module where an analyst can trigger 6064 03:38:33,500 --> 03:38:38,500 a direct push of a certain data point to another tool, so that's another option. 6069 03:38:38,500 --> 03:38:44,500 We'll talk about these different strategies when to use which and how to mix those tomorrow more. 6072 03:38:44,500 --> 03:38:50,0 So I hope that answers it in a brief fashion. 6073 03:38:50,0 --> 03:38:57,500 Yeah what i'm showing here is it's just like on the REST search client 6076 03:38:57,500 --> 03:39:01,500 for example you want to feed your Suricata and so on. 6078 03:39:01,500 --> 03:39:15,500 Just take page and a specific limit. So what you can do is 6079 03:39:15,500 --> 03:39:18,0 if you have a python script and so on you can pull directly the data. 6080 03:39:18,0 --> 03:39:24,500 So the rest client, so you see in this case I have the Suricata rule set 6081 03:39:24,500 --> 03:39:28,500 but if you want to feed your specific tools and and so on, 6088 03:39:28,500 --> 03:39:36,500 automatically we are generating curl and python card so it could be a bootstrap to see okay, 6090 03:39:36,500 --> 03:39:40,500 how should I create my own tool for feeding my IDS and so on. 6092 03:39:40,500 --> 03:39:45,500 For Suricata, for example a lot of management interface have already MISP connector 6096 03:39:45,500 --> 03:39:52,500 So you can even like feed the data directly from the interface if they have the ability 6100 03:39:52,500 --> 03:39:55,500 Splunk for example, there's a specific application 6101 03:39:55,500 --> 03:40:01,500 which is an external tools part of the app store of Splunk 6102 03:40:01,500 --> 03:40:03,500 that you can install for doing the connection 6105 03:40:03,500 --> 03:40:08,500 and some other people are using their own python script to feed other SIEM. 6107 03:40:08,500 --> 03:40:15,500 So again it's a matter of taste if you are curious about the different kind of integrations 6110 03:40:15,500 --> 03:40:22,500 or you can do it in Python for example on PyMISP itself there are plenty of examples. 6113 03:40:22,500 --> 03:40:29,0 So if you go in the example directory of PyMISP 6115 03:40:29,0 --> 03:40:38,500 you have quite significant set of default scripts that you can use 6116 03:40:38,500 --> 03:40:42,500 and that's I think usually a good basis 6117 03:40:42,500 --> 03:40:47,500 if you want to start to write your own custom custom tool set for 6118 03:40:47,500 --> 03:40:52,500 feeding your systems or existing software in your infrastructure. 6124 03:40:52,500 --> 03:41:04,500 Yep, I don't know if we should jump on a new topic 6125 03:41:04,500 --> 03:41:07,500 or we just push the Copalos example for tomorrow? 6128 03:41:07,500 --> 03:41:11,500 yeah I think we can do maybe tomorrow. 6130 03:41:11,500 --> 03:41:16,500 I think that would be stretching it a little bit if we were to start with that 6133 03:41:16,500 --> 03:41:24,500 So quick summary of today, so today we showed how to create an event 6134 03:41:24,500 --> 03:41:28,500 the basis of MISP like what is an attribute, an object and so on. 6138 03:41:28,500 --> 03:41:35,500 How to create it, how to make proposal, delete and stuff like that, so it's really a simple example. 6142 03:41:35,500 --> 03:41:40,500 Tomorrow, we want to show you more the event report aspect 6144 03:41:40,500 --> 03:41:46,500 and automatic imports into into MISP with a practical example of an original report. 6147 03:41:46,500 --> 03:41:51,500 and we will discuss tomorrow about how to build sharing communities 6148 03:41:51,500 --> 03:41:55,500 and especially we will share our experience of things that worked 6149 03:41:55,500 --> 03:42:00,0 and things that didn't work in the past years when creating sharing communities. 6153 03:42:00,0 --> 03:42:05,500 So if you are ISAC members or creating your own sharing community even within your organization 6157 03:42:05,500 --> 03:42:09,500 It's something good to participate because we will share with you 6158 03:42:09,5000 --> 03:42:15,500 some of the things that are interesting of building and bootstrapping such kind of of community. 6163 03:42:15,500 --> 03:42:20,500 I don't know Andras if you want to add something 6164 03:42:20,500 --> 03:42:26,500 No and that's basically it thanks for everyone for sticking through this 6167 03:42:26,500 --> 03:42:30,500 through it's a very condensed session so we said we didn't make as much progress 6170 03:42:30,500 --> 03:42:33,500 as we hoped so we have quite a bit left for tomorrow 6172 03:42:33,500 --> 03:42:35,500 and hope to see you all here tomorrow. 6173 03:42:35,500 --> 03:42:40,500 Thank you very much, take care and don't hesitate to ask questions 6175 03:42:40,500 --> 03:42:45,0 either later on directly contact us, thank you very much, see you tomorrow. 6177 03:42:45,0 --> 03:42:49,500 Thank you all see you tomorrow