% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP and CIRCL}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acts as the Luxembourg National CERT for the private sector.
\item We lead the development of the Open Source MISP threat intelligence sharing platform (TISP), which is used by many military and intelligence communities, private companies, the financial sector, National CERTs and LEAs globally.
\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item What is MISP?
\item Our initial scope
\item Why is {\bf contextualisation} important?
\item What options do we have in MISP?
\item How can we {\bf leverage} this in the end?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What is MISP?}
\begin{itemize}
\item Open source ``TISP'' -- a threat intelligence platform (TIP) with a strong focus on sharing
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
\item Normalises, correlates, enriches the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\item A set of tools to manage sharing communities and interconnected MISP servers
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Development based on practical user feedback}
\begin{itemize}
\item There are many different types of users of an information sharing platform like MISP:
\begin{itemize}
\item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues.
\item {\bf Security analysts} searching, validating and using indicators in operational security.
\item {\bf Intelligence analysts} gathering information about specific adversary groups.
\item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
\item {\bf Risk analysis teams} willing to know about new threats, their likelihood and occurrences.
\item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds.
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The initial scope of MISP}
\begin{itemize}
\item {\bf Extract information} during the analysis process
\item Store and {\bf correlate} these datapoints
\item {\bf Share} the data with partners
\item Focus on technical indicators: IP, domain, hostname, hashes, filename, pattern in file/memory/traffic
\item Generate protective signatures out of the data: Snort, Suricata, OpenIOC
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The growing need to contextualise data}
\begin{itemize}
\item Contextualisation became more and more important as we as a community matured
\begin{itemize}
\item {\bf Growth and diversification} of our communities
\item Distinguish between information of interest and raw data
\item {\bf False-positive} management
\item TTPs and aggregate information may be more valuable than raw data (risk assessment)
\item {\bf Increased data volumes} lead to a need to prioritise
\end{itemize}
\item These help with filtering your TI based on your {\bf requirements}...
\item ...as highlighted by a great talk from Pasquale Stirparo titled \textit{Your Requirements Are Not My Requirements}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Different layers of context}
\begin{itemize}
\item Context added by analysts / tools
\item Data that tells a story
\item Encoding analyst knowledge to automatically leverage the above
\end{itemize}
\end{frame}
\section{Context added by analysts / tools}
\begin{frame}
\frametitle{Expressing why data-points matter}
\begin{itemize}
\item An {\bf IP address by itself is barely ever interesting}
\item We need to tell the recipient / machine why this is relevant
\item All data in MISP has a {\bf bare minimum required context}
\item We differentiate between {\bf indicators and supporting data}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Broadening the scope of what sort of context we are interested in}
\begin{itemize}
\item {\bf Who} may receive our data? {\bf What} are they allowed to do with it?
\item {\bf Data accuracy, source reliability}
\item {\bf Why} is this data relevant to us?
\item {\bf Who} do we think is behind it, {\bf what tools} were used?
\item What sort of {\bf motivations} are we dealing with? Who are the {\bf targets}?
\item How can we {\bf block/detect/remediate} the attack?
\item What sort of {\bf impact} are we dealing with?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Tagging and taxonomies}
\begin{itemize}
\item Simple labels
\item Standardising on vocabularies
\item Different organisational/community cultures require different nomenclatures
\item Triple-tag system -- taxonomies: \texttt{namespace:predicate} or \texttt{namespace:predicate="value"} (e.g.\ \texttt{tlp:green})
\item JSON libraries that communities can define themselves, without intervention from the MISP project
\end{itemize}
\includegraphics[width=1.0\linewidth]{taxonomy-workflow.png}
\end{frame}
\begin{frame}
\frametitle{Galaxies}
\begin{itemize}
\item Taxonomy tags are often {\bf not self-explanatory}
\begin{itemize}
\item Example: \texttt{tlp:green} is universally understood, whereas a bare \texttt{APT 28} tag is not
\end{itemize}
\item For the latter, a single string was ill-suited
\item So we needed something new in addition to taxonomies - \textbf{Galaxies}
\begin{itemize}
\item Community driven \textbf{knowledge-base libraries used as tags}
\item Including descriptions, links, synonyms, meta information, etc.
\item Goal was to keep it \textbf{simple and make it reusable}
\item Internally it works the exact same way as taxonomies (stick to \textbf{JSON})
\end{itemize}
\end{itemize}
\begin{center}
\hspace{10em}
\includegraphics[scale=0.30]{galaxy-ransomware.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{The emergence of ATT\&CK}
\begin{itemize}
\item Standardising on high-level {\bf TTPs} was a solution to a long list of issues
\item Adoption was rapid, tools producing ATT\&CK data, familiar interface for users
\item A much better take on kill-chain phases in general
\item Feeds into our {\bf filtering} and {\bf situational awareness} needs extremely well
\item Gave rise to other, ATT\&CK-like systems tackling other concerns
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The emergence of ATT\&CK and similar galaxies}
\begin{itemize}
\item {\bf attck4fraud} \footnote{\url{https://www.misp-project.org/galaxy.html\#_attck4fraud}} by Francesco Bigarella from ING
\item {\bf Election guidelines} \footnote{\url{https://www.misp-project.org/galaxy.html\#_election_guidelines}} by NIS Cooperation Group
\item {\bf AM!TT Misinformation pattern} \footnote{\url{https://github.com/MISP/misp-galaxy/blob/master/clusters/misinfosec-amitt-misinformation-pattern.json}} by the misinfosecproject
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{False positive handling}
\begin{itemize}
\item Low-quality, false-positive-prone information being shared
\item Leads to {\bf alert-fatigue}
\item Exclude organisation XY from the community? A blunt instrument
\item FPs are often obvious -- they {\bf can be encoded}
\item The {\bf Warninglist system}\footnote{\url{https://github.com/MISP/misp-warninglists}} aims to do that
\item Lists of well-known indicators which are often false-positives, like RFC1918 networks, \dots{} -- a hit marks a \emph{potential} false positive, not a verdict; matching attributes can be excluded from exports on demand (\texttt{enforceWarninglist})
\end{itemize}
\begin{center}
\includegraphics[scale=0.22]{warning-list.png}
\includegraphics[scale=0.45]{warning-list-event.png}
\end{center}
\end{frame}
\section{Data that tells a story}
\begin{frame}
\frametitle{More complex data-structures for a modern age}
\begin{itemize}
\item Atomic attributes were a great starting point, but lacking in many aspects
\item {\bf MISP objects}\footnote{\url{https://github.com/MISP/misp-objects}} system
\begin{itemize}
\item Simple {\bf templating} approach
\item Use templating to build more complex structures
\item Decouple it from the core, allow users to {\bf define their own} structures
\item MISP should understand the data without knowing the templates
\item Massive caveat: {\bf Building blocks have to be MISP attribute types}
\item Allow {\bf relationships} to be built between objects
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Supporting specific datamodels}
\begin{center}
\includegraphics[scale=0.24]{bankaccount.png}
\end{center}
\begin{center}
\includegraphics[scale=0.18]{bankview.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Continuous feedback loop}
\begin{itemize}
\item Data shared was {\bf frozen in time}
\item All we had was a creation/modification timestamp
\item Improved tooling and willingness allowed us to create a {\bf feedback loop}
\item Led to the introduction of the {\bf Sighting system}
\item Signal the fact of an indicator sighting...
\item ...as well as {\bf when} and {\bf where} it was sighted
\item Vital component for IoC {\bf lifecycle management}
\item External {\bf SightingDB} and standard -- thanks to Sebastien Tricaud from Devo Inc.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Continuous feedback loop (2)}
\begin{center}
\includegraphics[scale=0.5]{sighting-n.png}
\end{center}
\begin{center}
\includegraphics[scale=0.60]{Sightings2.PNG}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Continuous feedback loop (3)}
\begin{itemize}
\item Monitor uptimes of infrastructure
\item Make decisions on whether to action on an IoC
\end{itemize}
\begin{center}
\includegraphics[scale=0.18]{timeline.jpeg}
\end{center}
\end{frame}
\begin{frame}
\frametitle{A brief history of time - Timelines}
\begin{itemize}
\item Data providers including timing information with their data has allowed us to represent it directly in MISP
\item {\bf \texttt{First\_seen}} and {\bf \texttt{last\_seen}} data points
\item Along with a complete integration with the {\bf UI}
\item Enables the {\bf visualisation} and {\bf adjustment} of indicators timeframes
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
\end{center}
\end{frame}
\section{The various ways of encoding analyst knowledge to automatically leverage our TI}
\begin{frame}
\frametitle{Making use of all this context}
\begin{itemize}
\item Providing advanced ways of querying data
\begin{itemize}
\item Unified export APIs
\item Incorporating all contextualisation options into {\bf API filters}
\item Allowing for an {\bf on-demand} way of {\bf excluding potential false positives}
\item Allowing users to easily {\bf build their own} export modules to feed their various tools
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Example query}
\texttt{/attributes/restSearch} -- drops warninglist hits (\texttt{enforceWarninglist}) and anything tagged public/OSINT, and returns netfilter rules for attributes tagged with the Sofacy actor or the Chemical sector:
\begin{lstlisting}
{
"returnFormat": "netfilter",
"enforceWarninglist": 1,
"tags": {
"NOT": [
"tlp:white",
"type:OSINT"
],
"OR": [
"misp-galaxy:threat-actor=\"Sofacy\"",
"misp-galaxy:sector=\"Chemical\""
]
}
}
\end{lstlisting}
\end{frame}
\begin{frame}[fragile]
\frametitle{Example query to generate ATT\&CK heatmaps}
\texttt{/events/restSearch}
\begin{lstlisting}
{
"returnFormat": "attack",
"tags": [
"misp-galaxy:sector=\"Chemical\""
],
"timestamp": "365d"
}
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{A sample result for the above query}
\begin{center}
\includegraphics[scale=0.2]{attack-screenshot.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Decaying of indicators}
\begin{itemize}
\item We were still missing a way to use all of these systems in combination to decay indicators
\item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models}
\item The idea is to {\bf not modify our data}, but to provide an overlay to make {\bf decisions on the fly}
\item Decay models would take into account various available {\bf context}
\begin{itemize}
\item Taxonomies
\item Sightings
\item type of each indicator
\item Creation date
\item ...
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{Event/view}}
\includegraphics[width=1.00\linewidth]{decaying-event.png}
\begin{itemize}
\item \texttt{Decay score} toggle button
\begin{itemize}
\item Shows the score of each \textit{model} associated with the \textit{attribute} type
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Fine tuning tool}
\includegraphics[width=1.00\linewidth]{decaying-tool.png}
Create, modify, visualise, perform mapping
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: simulation tool}
\includegraphics[width=1.00\linewidth]{decaying-simulation.png}
Simulate \textit{Attributes} with different \textit{Models}
\end{frame}
\begin{frame}
\frametitle{Monitor trends outside of MISP (example: dashboard)}
\begin{center}
\includegraphics[scale=0.18]{dashboard-trendings.png}
\end{center}
\end{frame}
\section{A small detour - COVID-19 MISP}
\begin{frame}
\frametitle{COVID-19 MISP}
\begin{itemize}
\item Using the new {\bf built in dashboarding} system of MISP
\item {\bf Customising MISP} for a specific use-case
\item We are focusing on four areas of sharing:
\begin{itemize}
\item {\bf Medical} information
\item {\bf Cyber threats} related to / abusing COVID-19
\item COVID-19 related {\bf disinformation}
\item {\bf Geo-political} events related to COVID-19
\end{itemize}
\item Low barrier to entry, aiming for widespread adoption
\item Already a {\bf massive community}
\item Register at \url{https://covid-19.iglocska.eu}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding and situational awareness}
\includegraphics[width=1.00\linewidth]{covid.png}
Create, modify, visualise, perform mapping
\end{frame}
\begin{frame}
\frametitle{To sum it all up...}
\begin{itemize}
\item Massive rise in {\bf user capabilities}
\item Growing need for truly {\bf actionable threat intel}
\item Lessons learned:
\begin{itemize}
\item {\bf Context is king} - Enables better decision making
\item {\bf Intelligence and situational awareness} are natural by-products of context
\item Don't lock users into your {\bf workflows}, build tools that enable theirs
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\item Join the COVID-19 MISP community
\begin{itemize}
\item \url{https://covid-19.iglocska.eu}
\end{itemize}
\end{itemize}
\end{frame}