Introduction
The aim of this book is to compile the best practices in threat intelligence analysis. Whilst this book can be used as a general guide, it is based on the open source threat intelligence platform called MISP, to give the reader the most practical and real-world experience. The best practices described herein come from information sharing communities (such as ISACs or CSIRTs) which regularly use MISP to support their work and sharing practices.
A common difficulty in threat intelligence is improving existing analyses, and especially doing so efficiently. One of the main questions to ask is:

"What will be the target audience of the improved analysis, and what is its objective?"

The following three answers could come to mind.
- Improvement of the analysis process, which can range from a simple notification of a false-positive or an inaccuracy (e.g. a wrong IP address or type of information) to more substantial corrections.
- Improving an existing analysis by performing a complementary analysis or review which will be shared to and used by another group (e.g. a specific constituent, a team within your organisation, or a member of an ISAC).
- The end-consumer will be an automaton.
In the first case, MISP includes a mechanism to propose changes to the original creator, a mechanism referred to as proposals. By using proposals, you can propose a change to the value or the context of an attribute (such as a typographic error in an IP address, missing contextual information, the type of the information, the category, or the removal of an IDS flag). The proposal will be sent back to the original author, who can decide to accept or discard it.
The advantages of using the proposal system include not having to create a new event, as well as the process itself being very simple and fast. However, it assumes that the party providing the improvements is willing to cede control over the proposed data. This is quite efficient for small changes, but for more comprehensive changes, especially those that include non-attribute information such as galaxy clusters or objects, the event extension is more appropriate.
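As a rough illustration of what a proposal carries, the sketch below builds a JSON payload suggesting the removal of an IDS flag from a false-positive attribute. The envelope key, field names and UUID are illustrative assumptions loosely modelled on MISP's shadow-attribute JSON; the exact shape can differ between MISP versions, so treat this as a sketch rather than a definitive client.

```python
import json

def build_proposal(attribute_uuid: str, changes: dict) -> str:
    """Build an illustrative JSON payload proposing changes to an attribute.

    The "ShadowAttribute" envelope and field names are assumptions for this
    sketch; consult your MISP instance's API documentation for the real shape.
    """
    payload = {"ShadowAttribute": {"uuid": attribute_uuid, **changes}}
    return json.dumps(payload)

# Propose removing the IDS flag from a false-positive IP address
# (hypothetical attribute UUID).
body = build_proposal(
    "c99506a6-1255-4b71-afa5-7b8ba48c3b1b",
    {"to_ids": False, "comment": "Legitimate CDN address, not an IOC"},
)
print(body)
```

The original author receiving such a proposal can then accept it (the attribute is updated) or discard it, without the proposer ever needing to create a new event.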
Apart from being more suitable for more comprehensive changes, the second scenario is also a great fit for the extended event functionality, allowing users who want to provide additional information or an alternate view-point the opportunity of creating a self-contained event (which can have its own custom distribution rules) that references the original analysis. This information can be shared back to the original author or kept within a limited distribution scope, such as a specific sector, a trust group, or as internal information for the organisation providing the additional information.
In the third scenario, your use-case might be highly automated, e.g. scripted processing of events and attributes via PyMISP, where the end-consumer is mainly another automated process, such as an Intrusion Detection System or a third-party visualisation tool. Because everything happens automatically, errors can propagate and compound quickly. What is essential in this case is to fully understand what the IDS flag in MISP does and how it impacts attributes. Further on, it is even more important to fully understand the entire tool-chain, cradle-to-grave: where does the data come from (cradle), where does it go to (grave), and which processes "touch" the data as it flows through? Small diagrams can help tremendously to visualise the actual data-flow. Those diagrams will mostly be of use once unexpected results or other errors appear somewhere in the chain.
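A minimal sketch of the IDS-flag concern above: before handing attributes to an automated consumer, only values whose `to_ids` flag is set should be exported, since the rest is context rather than detection material. The event dictionary uses a simplified MISP event JSON shape for illustration.

```python
def ids_export(event: dict) -> list:
    """Return only the attribute values an IDS should act on (to_ids is True)."""
    return [a["value"] for a in event["Event"]["Attribute"] if a.get("to_ids")]

# Simplified MISP event JSON shape, values are illustrative.
event = {
    "Event": {
        "info": "Example analysis",
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
            {"type": "comment", "value": "shared infrastructure", "to_ids": False},
            {"type": "domain", "value": "bad.example.net", "to_ids": True},
        ],
    }
}

print(ids_export(event))  # only the two to_ids=True values survive
```

If a consumer in the chain ignores this flag, contextual attributes end up as detection rules, which is exactly the kind of failure a data-flow diagram helps to localise.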
Contribution comes in various shapes and sizes.
Information which is often distributed within sharing communities includes the following:
- Analysis report of a specific threat (such as a security vendor report or blog post), which can be open source intelligence or come as limited distribution
- Enhanced analysis of an existing report (such as data qualification, competitive or counter analysis)
Having a look at the object templates or the MISP attribute types can help you discover what is actively shared within other communities. If a type or an object template does not match your data model, you can easily create new ones.

When asking for the support of the community, using a specific taxonomy such as collaborative intelligence to express your needs will make your request more concise, improve your feedback potential, and improve automation.
Intelligence Tagging
There are several factors to successful and efficient intelligence sharing. Certainly, one major aspect is the quality of the indicators (or observables, depending on the definition you use) stored as attributes within a MISP event itself. However, it does not stop there. Even the most valuable information gained from a shared event can render itself completely useless if not classified and tagged accordingly. One feature which enables a uniform classification is implemented in MISP as tags. Currently, there are two types of tags, which differ in the respective place they are set.
- You can add tags to an entire event. These tags should be valid for any individual attribute, and thus any indicator, associated with this specific event.
- For a more fine-grained specification, all of these tags can also be placed at attribute level. This allows the user to apply a more detailed and selective view to each attribute.
Note: Currently there is no programmatic way to enforce the first rule, so careless human tagging can render automation output useless.

Note: In future releases there will also be tagging for MISP objects, which is an intermediate solution between the two options mentioned above.

Note: A MISP object is, in its plain concept, a grouping of indicators within one event which are logically linked together. The specific relationship is described by the individual object type. A simple file object, for example, links a filename to its observed hash values (md5, sha1, sha256 and many more). This can further be enriched via misp-modules or other plug-ins.
A frequent use-case for placing additional tags at attribute level is to lower the confidence in certain attributes. If the event is classified with a high-confidence tag, some indicators, e.g. legitimate-but-compromised domains or popular filenames, should be labelled with a lowered confidence class. There are several real-world examples where this or similar attribute-specific tagging has proven to be worthwhile.
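The override semantics described above can be sketched in a few lines: within a given namespace, an attribute-level tag takes precedence over the event-level one. The `confidence` namespace used here is illustrative, not a specific MISP taxonomy.

```python
def effective_tags(event_tags, attribute_tags, namespace):
    """Attribute-level tags in a namespace override the event-level ones.

    Namespace spelling is an assumption for this sketch; match it to the
    taxonomies actually enabled on your instance.
    """
    attr = [t for t in attribute_tags if t.startswith(namespace + ":")]
    return attr or [t for t in event_tags if t.startswith(namespace + ":")]

event_tags = ["tlp:green", "confidence:high"]
compromised_domain_tags = ["confidence:low"]  # legit-but-compromised domain

print(effective_tags(event_tags, compromised_domain_tags, "confidence"))
print(effective_tags(event_tags, [], "confidence"))  # falls back to event level
```

A receiving organisation applying this rule can keep trusting the event as a whole while discounting the individual legit-but-compromised indicators.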
Most of the tags are organised in dedicated MISP taxonomies. These schemata dictate what tags should look like and how they are to be applied under certain conditions. There are many general details on this topic which can be read in the main MISP taxonomy GitHub repository. Currently, there are more than 60 different taxonomies available, each of them containing a number of different tags, and they are steadily increasing and evolving. There are a lot of advantages in having such a vast variety of tags, e.g. there is one tag for each known associated malware type.
However, this sheer amount of tags can lead to two main concerns: over-tagging and mis-tagging. Beginners can be overwhelmed by the large number of available tags, and might miss exactly the taxonomy required to properly label the data to be shared. As a site administrator, it is thus important to enable the taxonomies that are known to the users of the MISP instance (or to remote organisations you might sync with).
Note: In MISP, making a taxonomy available is a two-step process. First you make the taxonomy available, and then you can either decide to enable all the individual tags in the taxonomy or cherry-pick only the ones relevant to your use-case. (The Vocabulary for Event Recording and Incident Sharing (VERIS) has well over 1990 tags, and perhaps you are only interested in the sub-set veris:action:error:variety.)
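The cherry-picking step above amounts to filtering a taxonomy's tags by namespace prefix. The sketch below shows the idea on a tiny, illustrative sample of VERIS-style machine tags; the real taxonomy is far larger and is managed through the MISP interface rather than by hand.

```python
def enabled_subset(all_tags, prefix):
    """Return only the tags under one predicate of a taxonomy, sorted."""
    return sorted(t for t in all_tags if t.startswith(prefix))

# Illustrative sample, not the full VERIS taxonomy.
available = [
    'veris:action:error:variety="Misdelivery"',
    'veris:action:error:variety="Misconfiguration"',
    'veris:action:hacking:variety="SQLi"',
    'veris:actor:external:motive="Espionage"',
]

print(enabled_subset(available, "veris:action:error:variety"))
```

Enabling only such a sub-set keeps the tag picker manageable for users and reduces the chance of mis-tagging.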
Over-tagging in most cases only leads to an overwhelming visual appearance. Mis-tagging, however, is a critical step towards the misuse of shared data. The best and most devastating example would be the mis-classification of an event. In dedicated and private sharing groups, it is quite usual to share intelligence labelled as "for your company only". This data must not leave the virtual boundaries of the recipient's firm.

To prevent this kind of mistake, the Traffic Light Protocol (TLP) and its respective taxonomy can be used, complementing the mitigation in the note below.
Note: One mitigation for the scenario of mis-classified data would be to use the warning lists (or notice lists) as a canary. Whilst not ideal, and far from a de-facto solution that catches all issues, it is a good-enough, yet coarse, way of detection.
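A coarse canary of this kind can also live in the sync pipeline itself: before an event leaves your instance, refuse to forward anything whose TLP tag forbids redistribution, and treat a missing TLP tag as a classification mistake. The allowed set below is an assumption for this sketch; tune it to your actual sharing agreement.

```python
# Assumed policy for this sketch: only these TLP levels may be redistributed.
REDISTRIBUTABLE = {"tlp:white", "tlp:clear", "tlp:green"}

def may_leave_org(event_tags):
    """Return True only if the event is explicitly TLP-tagged as shareable."""
    tlp = {t.lower() for t in event_tags if t.lower().startswith("tlp:")}
    # No TLP tag at all is treated as a classification mistake: block it.
    return bool(tlp) and tlp <= REDISTRIBUTABLE

print(may_leave_org(["tlp:green", "confidence:high"]))  # shareable
print(may_leave_org(["tlp:red"]))                       # blocked
print(may_leave_org([]))                                # blocked: untagged
```

Such a check does not replace correct tagging, but it turns a silent mis-classification into a visible sync failure that an operator can investigate.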
There are multiple solutions to the issue of missing additional information about the shared content. One of them is the following list of tags, which are deemed to be the minimal subset for any event, or for the individual attributes, on a sharing platform. The list below is in order of importance.
- TLP-Tags: TLP utilises a simple four-colour schema indicating how intelligence can be shared.
- Confidence-Tags/Vetting State: There are huge differences in the quality of data depending on whether it was vetted upon sharing. Vetting means that the author was confident that the shared data is, or at least was, a good indicator of compromise.
- Origin-Tags: Describe where the information came from, whether it was generated in an automated fashion or through a manual investigation. This should give an impression of how valuable the intelligence is, as a manual investigation should supersede any automatic generation of data.
- PAP-Tags: An even more advanced approach to data classification is the Permissible Actions Protocol. It indicates how the received data can be used to search for compromises within the individual company or constituency.
Note: The full list of available taxonomies can be found in the MISP taxonomies repository.
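The minimal subset above lends itself to a simple completeness check before an event is shared. In this sketch the namespace spellings (`tlp`, `confidence`, `origin`, `PAP`) are illustrative; match them to the taxonomies actually enabled on your instance.

```python
# Assumed minimal namespaces, in the order of importance given above.
REQUIRED_NAMESPACES = ["tlp", "confidence", "origin", "PAP"]

def missing_namespaces(tags):
    """Return the required namespaces for which the event has no tag."""
    present = {t.split(":", 1)[0] for t in tags if ":" in t}
    return [ns for ns in REQUIRED_NAMESPACES if ns not in present]

complete = ["tlp:amber", "confidence:high", "origin:manual", "PAP:GREEN"]
sparse = ["tlp:amber"]

print(missing_namespaces(complete))  # nothing missing
print(missing_namespaces(sparse))    # confidence, origin and PAP missing
```

Running such a check as a pre-publication hook is one way to nudge analysts toward the minimal subset without blocking sharing outright.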
Expressing confidence/estimative probability in an analysis
Note: Expressing the confidence, or the lack of it, in an analysis is a critical step in helping a partner or a third party to check your hypotheses and conclusions.
Analyses or reports are often shared together with technical details, but often lack the associated overall confidence level. To express this confidence level you can use, for example, the MISP taxonomies called admiralty-scale and/or estimative-language. This is a very human way to describe either an event globally, or the individual indicators of an event, with a set of easy-to-read tags (e.g. admiralty-scale:source-reliability="a/b/c…", estimative-language:likelihood-probability="almost-no-chance", estimative-language:confidence-in-analytic-judgment="moderate"). Generally, it is good practice to do this globally for the event, as this will enrich the trust and value of the event if set. Using this in an automated way is also possible, but not recommended without human intervention. Moreover, on events with hundreds of attributes, tagging each attribute individually is cumbersome, perhaps unfeasible, and will just frustrate operators. The obvious side-effect of this approach is that automation benefits too, as trust can then be evaluated at that level as well.
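To show how such tags feed automation, the sketch below maps estimative-language likelihood tags to numeric scores that a receiving organisation could filter on. The midpoint values are an assumption loosely based on the probability ranges the taxonomy mirrors; adjust them to your own scoring policy.

```python
# Assumed numeric midpoints for this sketch, not an official mapping.
LIKELIHOOD = {
    "almost-no-chance": 0.05,
    "very-unlikely": 0.15,
    "unlikely": 0.30,
    "roughly-even-chance": 0.50,
    "likely": 0.70,
    "very-likely": 0.85,
    "almost-certain": 0.95,
}

def likelihood_score(tags, default=0.5):
    """Extract a numeric likelihood from an event's tag list, if present."""
    prefix = 'estimative-language:likelihood-probability="'
    for t in tags:
        if t.startswith(prefix):
            return LIKELIHOOD.get(t[len(prefix):].rstrip('"'), default)
    return default

tags = ['tlp:green', 'estimative-language:likelihood-probability="almost-no-chance"']
print(likelihood_score(tags))  # low score: can be filtered out automatically
```

An untagged event falls back to a neutral default, so filtering on this score never silently discards events that simply lack a confidence tag.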
Thus, adding confidence or estimative probability has multiple advantages, such as:
- Allowing receiving organisations to filter, classify and score the information in an automated way, based on the related tags.
- Allowing information with low confidence to still be shared and reach communities or organisations interested in it, without impacting organisations that filter by confidence level.
- Supporting counter analyses and competitive analyses to validate the hypotheses expressed in the original reporting.
- Depending on the source organisation, providing an affirmation that some human intelligence (HumInt) has gone into the sharing process.
Complementing an analysis with contrary evidence is also very welcome, to ensure the original analysis and its hypotheses are properly evaluated.