% DO NOT COMPILE THIS FILE DIRECTLY! % This is included by the other .tex files. \begin{frame}[t,plain] \titlepage \end{frame} \begin{frame} \frametitle{Outline of the presentation} \begin{itemize} \item Present the components used in MISP to expire IOCs \item Present the current state of Indicators life-cycle management in MISP \end{itemize} \end{frame} \section{Expiring IOCs: Why and How?} \begin{frame}[fragile] \frametitle{Indicators lifecycle - Problem Statement} \begin{itemize} \item {\bf Sharing information} about threats {\bf is crucial} \item Organisations are sharing more and more \end{itemize} \vspace{1em} Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\ \vspace{1em} \begin{minipage}{0.45\textwidth} \begin{tabular}{ll} \hline Date & Unique Org \\ \hline 2013 & 17 \\ 2014 & 43 \\ 2015 & 82 \\ 2016 & 105 \\ 2017 & 118 \\ 2018 & 125 \\ 2019-10 & 135 \\ \hline \end{tabular} \vspace{0.5em} \end{minipage} \begin{minipage}{0.5\textwidth} \begin{lstlisting} { "distribution": [1, 2, 3] }\end{lstlisting} \end{minipage} \end{frame} \begin{frame} \frametitle{Indicators lifecycle - Problem Statement} \begin{itemize} \item Various users and organisations can share data via MISP, multiple parties can be involved \begin{itemize} \item \textbf{Trust}, \textbf{data quality} and \textbf{relevance} issues \item Each user/organisation have \textbf{different use-cases} and interests \begin{itemize} \item Conflicting interests: Operational security VS attribution \end{itemize} \end{itemize} \item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies} \pause \vspace{0.5cm} \item Attributes can be shared in large quantities \small{(more than 12M on \texttt{MISPPRIV} - Sept. 2020)} \begin{itemize} \item Partial info about their \textbf{freshness} (\textit{Sightings}) \item Partial info about their \textbf{validity} (\textit{last\_seen}) \end{itemize} \item[] $\rightarrow$ Can be partially solved with our \textit{Data model} \end{itemize} \begin{center} MISP's \textit{Decaying model} combines the two \end{center} \end{frame} \begin{frame} \frametitle{Requirements to enjoy the decaying feature in MISP} \begin{itemize} \item Starting from \textbf{MISP 2.4.116}, the decaying feature is available \item \textbf{Update} decay models and \textbf{enable} some \item MISP Decaying strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration \end{itemize} \vspace{0.7cm} Note: The decaying feature has no impact on the information stored in MISP, it's just an \textbf{overlay} to be used in the user-interface and API \end{frame} \begin{frame} \frametitle{\textit{Sightings} - Refresher (1)} \textit{Sightings} add a \textbf{temporal context} to indicators. \begin{itemize} \item \textit{Sightings} can be used to represent that you saw the IoC \item \textbf{Usecase:} Continuous feedback loop MISP $\leftrightarrow$ IDS \end{itemize} \begin{center} \includegraphics[scale=1.00]{pics/sightings.png} \end{center} \end{frame} \begin{frame} \frametitle{\textit{Sightings} - Refresher (2)} \textit{Sightings} add a \textbf{temporal context} to indicators. \begin{itemize} \item \textit{Sightings} give more credibility/visibility to indicators \item This information can be used to {\bf prioritise and decay indicators} \end{itemize} \end{frame} \begin{frame} \frametitle{Taxonomies - Refresher (1)} \includegraphics[width=1.00\linewidth]{pics/taxonomies.png} \begin{itemize} \item \textit{Taxonomies} are a simple way to attach a classification to an \textit{Event} or an \textit{Attribute} \item Classification must be globally used to be efficient (or agreed on beforehand) \end{itemize} \end{frame} \begin{frame} \frametitle{Taxonomies - Refresher (2)} \includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png} \begin{center} $\rightarrow$ Cherry-pick allowed \textit{Tags} \end{center} \end{frame} \begin{frame} \frametitle{Taxonomies - Refresher (3)} \begin{itemize} \item Some taxonomies have a \texttt{numerical\_value} \item Allows concepts to be used in an mathematical expression \begin{itemize} \item[$\rightarrow$] Can be used to prioritise IoCs \end{itemize} \end{itemize} \vspace{0.5cm} \begin{footnotesize} \texttt{admirality-scale} taxonomy\footnote{\url{https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json}} \begin{columns}[T] % align columns \begin{column}{.40\textwidth} \begin{tabular}{|ll|} \hline \textbf{Description} & \textbf{Value}\\ \hline Completely reliable & 100\\ Usually reliable & 75\\ Fairly reliable & 50\\ Not usually reliable & 25\\ Unreliable & 0\\ Reliability cannot be judged & 50\\ Deliberatly deceptive & 0\\ \hline \end{tabular} \end{column}% \hfill% \begin{column}{.48\textwidth} \begin{tabular}{|ll|} \hline \textbf{Description} & \textbf{Value}\\ \hline Confirmed by other sources & 100\\ Probably true & 75\\ Possibly true & 50\\ Doubtful & 25\\ Improbable & 0\\ Truth cannot be judged & 50\\ \hline \end{tabular} \end{column}% \end{columns} \end{footnotesize} \end{frame} \begin{frame} \frametitle{Taxonomies - Refresher (3)} \begin{footnotesize} \texttt{admirality-scale} taxonomy\footnote{\url{https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json}} \begin{columns}[T] % align columns \begin{column}{.40\textwidth} \begin{tabular}{|ll|} \hline \textbf{Description} & \textbf{Value}\\ \hline Completely reliable & 100\\ Usually reliable & 75\\ Fairly reliable & 50\\ Not usually reliable & 25\\ Unreliable & 0\\ Reliability cannot be judged & 50 \textbf{\color{red}?}\\ Deliberatly deceptive & 0 \textbf{\color{red}?}\\ \hline \end{tabular} \end{column}% \hfill% \begin{column}{.48\textwidth} \begin{tabular}{|ll|} \hline \textbf{Description} & \textbf{Value}\\ \hline Confirmed by other sources & 100\\ Probably true & 75\\ Possibly true & 50\\ Doubtful & 25\\ Improbable & 0\\ Truth cannot be judged & 50 \textbf{\color{red}?}\\ \hline \end{tabular} \end{column}% \end{columns} \end{footnotesize} \vspace{0.5cm} $\rightarrow$ Users can override tag \texttt{numerical\_value} \end{frame} \begin{frame} \frametitle{Scoring Indicators: Our solution} $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$ \begin{itemize} \item \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \begin{itemize} \item Initial score of the \textit{Attribute} only considering the context (\textit{Attribute's type}, \textit{Tags}) \end{itemize} \vspace{1cm} \item \texttt{decay}(\texttt{\tiny Model, time}) \begin{itemize} \item Function composed of the \textbf{lifetime} and \textbf{decay speed} \item Decreases the \texttt{base\_score} over time \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{Scoring Indicators: Our solution} $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$ \begin{center} \begin{tikzpicture} \draw[->] (-1, 0) -- (4.5, 0) node[right] {$time$}; \draw[->] (0, -1) -- (0, 4.2) node[left] {$score$}; \node at (-1, 2.6) {\footnotesize base\_score}; \draw[scale=0.5, domain=0:8, smooth, variable=\y, blue] plot ({\y}, {5 * (1 - (\y/8)^(3.5))}); \end{tikzpicture} \end{center} \end{frame} \section{Current implementation in MISP} \begin{frame} \frametitle{Implementation in MISP: \texttt{Event/view}} \includegraphics[width=1.00\linewidth]{pics/decaying-event.png} \begin{itemize} \item \texttt{Decay score} toggle button \begin{itemize} \item Shows Score for each \textit{Models} associated to the \textit{Attribute} type \end{itemize} \end{itemize} \end{frame} \begin{frame}[fragile] \frametitle{Implementation in MISP: API result} \texttt{/attributes/restSearch} \begin{lstlisting} "Attribute": [ { "category": "Network activity", "type": "ip-src", "to_ids": true, "timestamp": "1565703507", [...] "value": "8.8.8.8", "decay_score": [ { "score": 54.475223849544456, "decayed": false, "DecayingModel": { "id": "85", "name": "NIDS Simple Decaying Model" } } ], [...] \end{lstlisting} \end{frame} \begin{frame} \frametitle{Implementation in MISP: Objectives} \begin{itemize} \item \textbf{Automatic scoring} based on default values \item \textbf{User-friendly UI} to manually set \textit{Model} configuration (lifetime, decay, etc.) \item \textbf{Simulation} tool \item Interaction through the \textbf{API} \item Opportunity to create your \textbf{own} formula or algorithm \end{itemize} \end{frame} \begin{frame} \frametitle{Implementation in MISP: Models definition} \hspace{190pt} \raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $} \textit{Models} are an instanciation of the formula with configurable parameters: \begin{itemize} \item Parameters: \texttt{lifetime, decay\_rate, threshold} \item \texttt{base\_score} computation \item \texttt{default base\_score} \item associate \textit{Attribute} types \item formula \item creator organisation \end{itemize} \end{frame} \begin{frame} \frametitle{Implementation in MISP: Models Types} Two types of model are available \begin{itemize} \item \textbf{Default Models}: Created and shared by the community. Coming from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}. \begin{itemize} \item[$\rightarrow$] Not editable \end{itemize} \vspace{0.5cm} \item \textbf{Organisation Models}: Created by a user on MISP \begin{itemize} \item Can be hidden or shared to other organisation \item[$\rightarrow$] Editable \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{Implementation in MISP: Index} \includegraphics[width=1.00\linewidth]{pics/decaying-index.png} Standard CRUD operations: View, update, add, create, delete, enable, export, import \end{frame} \begin{frame} \frametitle{Implementation in MISP: Fine tuning tool} \includegraphics[width=1.00\linewidth]{pics/decaying-tool.png} Configure models: Create, modify, visualise, perform mapping \end{frame} \begin{frame} \frametitle{Implementation in MISP: \texttt{base\_score} tool} \includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png} Adjust Taxonomies relative weights \end{frame} \begin{frame} \frametitle{Implementation in MISP: simulation tool} \includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png} Simulate decay on \textit{Attributes} with different \textit{Models} \end{frame} \begin{frame}[fragile] \frametitle{Implementation in MISP: API query body} \texttt{/attributes/restSearch} \begin{lstlisting} { "includeDecayScore": 1, "includeFullModel": 0, "excludeDecayed": 0, "decayingModel": [85], "modelOverrides": { "threshold": 30 } "score": 30, } \end{lstlisting} \end{frame} \lstset{language=PHP} \begin{frame}[fragile] \frametitle{Creating a new decay algorithm} \lstset{basicstyle=\scriptsize} \begin{lstlisting} \end{lstlisting} \end{frame} \begin{frame} \frametitle{Decaying Models 2.0} \begin{itemize} \item Improved support of \textit{Sightings} \begin{itemize} \item \texttt{False positive} \textit{Sightings} should somehow reduce the score \item \texttt{Expiration} \textit{Sightings} should mark the attribute as decayed \end{itemize} \item Potential \textit{Model} improvements \begin{itemize} \item Instead of resetting the score to \texttt{base\_score} once a \textit{Sighting} is set, the score should be increased additively (based on a defined coefficient); thus \textbf{prioritizing surges} rather than infrequent \textit{Sightings} \item Take into account related \textit{Tags} or \textit{Correlations} when computing score \end{itemize} \item Increase \textit{Taxonomy} coverage \begin{itemize} \item Users should be able to manually override the \texttt{numerical\_value} of \textit{Tags} \end{itemize} \end{itemize} \end{frame}