% DO NOT COMPILE THIS FILE DIRECTLY!
|
|
% This is included by the other .tex files.
|
|
|
|
\begin{frame}
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{MISP and CIRCL}
|
|
\begin{itemize}
|
|
\item CIRCL is mandated by the Ministry of Economy and acts as the Luxembourg National CERT for the private sector.
|
|
\item We lead the development of the Open Source MISP TISP which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
|
|
\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The aim of this presentation}
|
|
\begin{itemize}
|
|
\item What is MISP?
|
|
\item Our initial scope
|
|
\item Why is {\bf contextualisation} important?
|
|
\item What options do we have in MISP?
|
|
\item How can we {\bf leverage} this in the end?
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{What is MISP?}
|
|
\begin{itemize}
|
|
\item Open source ``TISP''---a TIP with a strong focus on sharing
|
|
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
|
|
\item Normalises, correlates and enriches the data
|
|
\item Allows teams and communities to {\bf collaborate}
|
|
\item {\bf Feeds} automated protective tools and analyst tools with the output
|
|
\item A set of tools to manage sharing communities and interconnected MISP servers
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Development based on practical user feedback}
|
|
\begin{itemize}
|
|
\item There are many different types of users of an information sharing platform like MISP:
|
|
\begin{itemize}
|
|
\item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues.
|
|
\item {\bf Security analysts} searching, validating and using indicators in operational security.
|
|
\item {\bf Intelligence analysts} gathering information about specific adversary groups.
|
|
\item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
|
|
\item {\bf Risk analysis teams} wanting to know about new threats, their likelihood and occurrences.
|
|
\item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds.
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The initial scope of MISP}
|
|
\begin{itemize}
|
|
\item {\bf Extract information} during the analysis process
|
|
\item Store and {\bf correlate} these datapoints
|
|
\item {\bf Share} the data with partners
|
|
\item Focus on technical indicators: IP, domain, hostname, hashes, filename, pattern in file/memory/traffic
|
|
\item Generate protective signatures out of the data: snort, suricata, OpenIOC
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The growing need to contextualise data}
|
|
\begin{itemize}
|
|
\item Contextualisation became more and more important as we as a community matured
|
|
\begin{itemize}
|
|
\item {\bf Growth and diversification} of our communities
|
|
\item Distinguish between information of interest and raw data
|
|
\item {\bf False-positive} management
|
|
\item TTPs and aggregate information may be prevalent compared to raw data (risk assessment)
|
|
\item {\bf Increased data volumes} lead to a need to prioritise
|
|
\end{itemize}
|
|
\item These help with filtering your TI based on your {\bf requirements}\dots
|
|
\item \dots as highlighted by a great talk from Pasquale Stirparo titled \textit{Your Requirements Are Not My Requirements}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Different layers of context}
|
|
\begin{itemize}
|
|
\item Context added by analysts / tools
|
|
\item Data that tells a story
|
|
\item Encoding analyst knowledge to automatically leverage the above
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\section{Context added by analysts / tools}
|
|
|
|
\begin{frame}
|
|
\frametitle{Expressing why data-points matter}
|
|
\begin{itemize}
|
|
\item An {\bf IP address by itself is barely ever interesting}
|
|
\item We need to tell the recipient / machine why this is relevant
|
|
\item All data in MISP has a {\bf bare minimum required context}
|
|
\item We differentiate between {\bf indicators and supporting data}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Broadening the scope of what sort of context we are interested in}
|
|
\begin{itemize}
|
|
\item {\bf Who} can receive our data? {\bf What} can they do with it?
|
|
\item {\bf Data accuracy, source reliability}
|
|
\item {\bf Why} is this data relevant to us?
|
|
\item {\bf Who} do we think is behind it, {\bf what tools} were used?
|
|
\item What sort of {\bf motivations} are we dealing with? Who are the {\bf targets}?
|
|
\item How can we {\bf block/detect/remediate} the attack?
|
|
\item What sort of {\bf impact} are we dealing with?
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Tagging and taxonomies}
|
|
\begin{itemize}
|
|
\item Simple labels
|
|
\item Standardising on vocabularies
|
|
\item Different organisational/community cultures require different nomenclatures
|
|
\item Triple tag system---taxonomies
|
|
\item JSON libraries that can easily be defined without our intervention
|
|
\end{itemize}
|
|
\includegraphics[width=1.0\linewidth]{taxonomy-workflow.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Galaxies}
|
|
\begin{itemize}
|
|
\item Taxonomy tags are often {\bf not self-explanatory}
|
|
\begin{itemize}
|
|
\item Example: universal understanding of tlp:green vs APT 28
|
|
\end{itemize}
|
|
\item For the latter, a single string was ill-suited
|
|
\item So we needed something new in addition to taxonomies---\textbf{Galaxies}
|
|
\begin{itemize}
|
|
\item Community driven \textbf{knowledge-base libraries used as tags}
|
|
\item Including descriptions, links, synonyms, meta information, etc.
|
|
\item Goal was to keep it \textbf{simple and make it reusable}
|
|
\item Internally it works the exact same way as taxonomies (stick to \textbf{JSON})
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\begin{center}
|
|
\hspace{10em}
|
|
\includegraphics[scale=0.30]{galaxy-ransomware.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The emergence of ATT\&CK}
|
|
\begin{itemize}
|
|
\item Standardising on high-level {\bf TTPs} was a solution to a long list of issues
|
|
\item Adoption was rapid, tools producing ATT\&CK data, familiar interface for users
|
|
\item A much better take on kill-chain phases in general
|
|
\item Feeds into our {\bf filtering} and {\bf situational awareness} needs extremely well
|
|
\item Gave rise to other, ATT\&CK-like systems tackling other concerns
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The emergence of ATT\&CK and similar galaxies}
|
|
\begin{itemize}
|
|
\item {\bf attck4fraud} \footnote{\url{https://www.misp-project.org/galaxy.html\#_attck4fraud}} by Francesco Bigarella from ING
|
|
\item {\bf Election guidelines} \footnote{\url{https://www.misp-project.org/galaxy.html\#_election_guidelines}} by NIS Cooperation Group
|
|
\item {\bf AM!TT Misinformation pattern} \footnote{\url{https://github.com/MISP/misp-galaxy/blob/master/clusters/misinfosec-amitt-misinformation-pattern.json}} by the misinfosecproject
|
|
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{False positive handling}
|
|
\begin{itemize}
|
|
\item Low quality / false positive prone information being shared
|
|
\item Leads to {\bf alert-fatigue}
|
|
\item Exclude organisation xy from the community?
|
|
\item FPs are often obvious---{\bf can be encoded}
|
|
\item {\bf Warninglist system}\footnote{\url{https://github.com/MISP/misp-warninglists}} aims to do that
|
|
\item Lists of well-known indicators that are often false positives, such as RFC1918 networks, \dots
|
|
\end{itemize}
|
|
\begin{center}
|
|
\includegraphics[scale=0.22]{warning-list.png}
|
|
\includegraphics[scale=0.45]{warning-list-event.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\section{Data that tells a story}
|
|
|
|
\begin{frame}
|
|
\frametitle{More complex data-structures for a modern age}
|
|
\begin{itemize}
|
|
\item Atomic attributes were a great starting point, but lacking in many aspects
|
|
\item {\bf MISP objects}\footnote{\url{https://github.com/MISP/misp-objects}} system
|
|
\begin{itemize}
|
|
\item Simple {\bf templating} approach
|
|
\item Use templating to build more complex structures
|
|
\item Decouple it from the core, allow users to {\bf define their own} structures
|
|
\item MISP should understand the data without knowing the templates
|
|
\item Massive caveat: {\bf Building blocks have to be MISP attribute types}
|
|
\item Allow {\bf relationships} to be built between objects
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Supporting specific datamodels}
|
|
\begin{center}
|
|
\includegraphics[scale=0.24]{bankaccount.png}
|
|
\end{center}
|
|
\begin{center}
|
|
\includegraphics[scale=0.18]{bankview.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Continuous feedback loop}
|
|
\begin{itemize}
|
|
\item Data shared was {\bf frozen in time}
|
|
\item All we had was a creation/modification timestamp
|
|
\item Improved tooling and willingness allowed us to create a {\bf feedback loop}
|
|
\item Led to the introduction of the {\bf Sighting system}
|
|
\item Signal the fact of an indicator sighting\dots
|
|
\item \dots as well as {\bf when} and {\bf where} it was sighted
|
|
\item Vital component for IoC {\bf lifecycle management}
|
|
\item External {\bf SightingDB} and standard---thanks to Sebastien Tricaud from Devo Inc.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Continuous feedback loop (2)}
|
|
\begin{center}
|
|
\includegraphics[scale=0.5]{sighting-n.png}
|
|
\end{center}
|
|
\begin{center}
|
|
\includegraphics[scale=0.60]{Sightings2.PNG}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Continuous feedback loop (3)}
|
|
\begin{itemize}
|
|
\item Monitor uptimes of infrastructure
|
|
\item Make decisions on whether to action on an IoC
|
|
\end{itemize}
|
|
\begin{center}
|
|
\includegraphics[scale=0.18]{timeline.jpeg}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{A brief history of time---Timelines}
|
|
\begin{itemize}
|
|
\item Data providers including the timing of the data have allowed us to include it directly in MISP
|
|
\item {\bf \texttt{First\_seen}} and {\bf \texttt{last\_seen}} data points
|
|
\item Along with a complete integration with the {\bf UI}
|
|
\item Enables the {\bf visualisation} and {\bf adjustment} of indicator timeframes
|
|
\end{itemize}
|
|
\begin{center}
|
|
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\section{The various ways of encoding analyst knowledge to automatically leverage our TI}
|
|
|
|
\begin{frame}
|
|
\frametitle{Making use of all this context}
|
|
\begin{itemize}
|
|
\item Providing advanced ways of querying data
|
|
\begin{itemize}
|
|
\item Unified export APIs
|
|
\item Incorporating all contextualisation options into {\bf API filters}
|
|
\item Allowing for an {\bf on-demand} way of {\bf excluding potential false positives}
|
|
\item Allowing users to easily {\bf build their own} export modules to feed their various tools
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{Example query}
|
|
\texttt{/attributes/restSearch}
|
|
\begin{lstlisting}
|
|
{
|
|
"returnFormat": "netfilter",
|
|
"enforceWarninglist": 1,
|
|
"tags": {
|
|
"NOT": [
|
|
"tlp:white",
|
|
"type:OSINT"
|
|
],
|
|
"OR": [
|
|
"misp-galaxy:threat-actor=\"Sofacy\"",
|
|
"misp-galaxy:sector=\"Chemical\""
|
|
]
|
|
}
|
|
}
|
|
\end{lstlisting}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\frametitle{Example query to generate ATT\&CK heatmaps}
|
|
\texttt{/events/restSearch}
|
|
\begin{lstlisting}
|
|
{
|
|
"returnFormat": "attack",
|
|
"tags": [
|
|
"misp-galaxy:sector=\"Chemical\""
|
|
],
|
|
"timestamp": "365d"
|
|
}
|
|
\end{lstlisting}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{A sample result for the above query}
|
|
\begin{center}
|
|
\includegraphics[scale=0.2]{attack-screenshot.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Decaying of indicators}
|
|
\begin{itemize}
|
|
\item We were still missing a way to use all of these systems in combination to decay indicators
|
|
\item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models}
|
|
\item The idea is to {\bf not modify our data}, but to provide an overlay to make {\bf decisions on the fly}
|
|
\item Decay models would take into account various available {\bf context}
|
|
\begin{itemize}
|
|
\item Taxonomies
|
|
\item Sightings
|
|
\item Type of each indicator
|
|
\item Creation date
|
|
\item \dots
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Implementation in MISP: \texttt{Event/view}}
|
|
\includegraphics[width=1.00\linewidth]{decaying-event.png}
|
|
\begin{itemize}
|
|
\item \texttt{Decay score} toggle button
|
|
\begin{itemize}
|
|
\item Shows the score for each \textit{Model} associated with the \textit{Attribute} type
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Implementation in MISP: Fine tuning tool}
|
|
\includegraphics[width=1.00\linewidth]{decaying-tool.png}
|
|
Create, modify, visualise, perform mapping
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Implementation in MISP: simulation tool}
|
|
\includegraphics[width=1.00\linewidth]{decaying-simulation.png}
|
|
Simulate \textit{Attributes} with different \textit{Models}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Monitor trends outside of MISP (example: dashboard)}
|
|
\begin{center}
|
|
\includegraphics[scale=0.18]{dashboard-trendings.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\section{A small detour - COVID-19 MISP}
|
|
|
|
\begin{frame}
|
|
\frametitle{COVID-19 MISP}
|
|
\begin{itemize}
|
|
\item Using the new {\bf built in dashboarding} system of MISP
|
|
\item {\bf Customising MISP} for a specific use-case
|
|
\item We are focusing on four areas of sharing:
|
|
\begin{itemize}
|
|
\item {\bf Medical} information
|
|
\item {\bf Cyber threats} related to / abusing COVID-19
|
|
\item COVID-19 related {\bf disinformation}
|
|
\item {\bf Geo-political} events related to COVID-19
|
|
\end{itemize}
|
|
\item Low barrier to entry, aiming for widespread adoption
|
|
\item Already a {\bf massive community}
|
|
\item Register at \url{https://covid-19.iglocska.eu}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Dashboarding and situational awareness}
|
|
\includegraphics[width=1.00\linewidth]{covid.png}
|
|
Create, modify, visualise, perform mapping
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{To sum it all up\dots}
|
|
\begin{itemize}
|
|
\item Massive rise in {\bf user capabilities}
|
|
\item Growing need for truly {\bf actionable threat intel}
|
|
\item Lessons learned:
|
|
\begin{itemize}
|
|
\item {\bf Context is king}---enables better decision-making
|
|
\item {\bf Intelligence and situational awareness} are natural by-products of context
|
|
\item Don't lock users into your {\bf workflows}, build tools that enable theirs
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Get in touch if you have any questions}
|
|
\begin{itemize}
|
|
\item Contact CIRCL
|
|
\begin{itemize}
|
|
\item info@circl.lu
|
|
\item \url{https://twitter.com/circl_lu}
|
|
\item \url{https://www.circl.lu/}
|
|
\end{itemize}
|
|
\item Contact MISPProject
|
|
\begin{itemize}
|
|
\item \url{https://github.com/MISP}
|
|
\item \url{https://gitter.im/MISP/MISP}
|
|
\item \url{https://twitter.com/MISPProject}
|
|
\end{itemize}
|
|
\item Join the COVID-19 MISP community
|
|
\begin{itemize}
|
|
\item \url{https://covid-19.iglocska.eu}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|