An Introduction to Cybersecurity InformationSharingMISP - Threat Sharing

Threat Sharing

Team CIRCL

MISP Projecthttps://www.misp-project.org/

CanSecWest 2020

MISP features

MISP1 is a threat information sharing free & open sourcesoftware.MISP has a host of functionalities that assist users increating, collaborating & sharing threat information - e.g.�exible sharing groups, automatic correlation, free-textimport helper, event distribution & proposals.Many export formats which support IDSes / IPSes (e.g.Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g.OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNSpolicies (e.g. RPZ).A rich set of MISP modules2 to add expansion, import andexport functionalities.

1https://github.com/MISP/MISP2https://www.github.com/MISP/misp-modules

1 29

MISP and starting from a practical use-case

During a malware analysis workgroup in 2012, we discoveredthat we worked on the analysis of the same malware.We wanted to share information in an easy and automatedway to avoid duplication of work.Christophe Vandeplas (then working at the CERT for theBelgian MoD) showed us his work on a platform that laterbecame MISP.A �rst version of the MISP Platform was used by the MALWGand the increasing feedback of users helped us to build animproved platform.MISP is now a community-driven development.

2 29

about CIRCL

The Computer Incident Response Center Luxembourg (CIRCL) is agovernment-driven initiative designed to provide a systematicresponse facility to computer security threats and incidents.CIRCL is the CERT for the private sector, communes andnon-governmental entities in Luxembourg and is operated bysecuritymadein.lu g.i.e.

3 29

MISP and CIRCL

CIRCL is mandated by the Ministry of Economy and acting asthe Luxembourg National CERT for private sector.CIRCL leads the development of the Open Source MISPthreat intelligence platform which is used by many militaryor intelligence communities, private companies, �nancialsector, National CERTs and LEAs globally.CIRCL runs multiple large MISP communities performingactive daily threat-intelligence sharing.

4 29

MISP model of governance

5 29

Development based on practical user feedback

There are many di�erent types of users of an informationsharing platform like MISP:I Malware reversers willing to share indicators of analysis withrespective colleagues.

I Security analysts searching, validating and using indicatorsin operational security.

I Intelligence analysts gathering information about speci�cadversary groups.

I Law-enforcement relying on indicators to support orbootstrap their DFIR cases.

I Risk analysis teams willing to know about the new threats,likelyhood and occurences.

I Fraud analysts willing to share �nancial indicators to detect�nancial frauds.

6 29

Communities using MISP

Communities are groups of users sharing within a set ofcommon objectives/values.CIRCL operates multiple MISP instances with a signi�cantuser base (more than 950 organizations with more than 2400users).Trusted groups running MISP communities in island mode(air gapped system) or partially connected mode.Financial sector (banks, ISACs, payment processingorganizations) use MISP as a sharing mechanism.Military and international organizations (NATO, militaryCSIRTs, n/g CERTs,...).Security vendors running their own communities (e.g.Fidelis) or interfacing with MISP communities (e.g. OTX).

7 29

Many objectives from different user-groups

Sharing indicators for a detection matter.I ’Do I have infected systems in my infrastructure or the ones Ioperate?’

Sharing indicators to block.I ’I use these attributes to block, sinkhole or divert tra�c.’

Sharing indicators to perform intelligence.I ’Gathering information about campaigns and attacks. Arethey related? Who is targeting me? Who are the adversaries?’

→ These objectives can be con�icting (e.g. False-positiveshave di�erent impacts)

8 29

Sharing Difficulties

Sharing di�culties are not really technical issues but oftenit’s a matter of social interactions (e.g. trust).Legal restriction3I "Our legal framework doesn’t allow us to share information."I "Risk of information-leak is too high and it’s too risky for ourorganization or partners."

Practical restrictionI "We don’t have information to share."I "We don’t have time to process or contribute indicators."I "Our model of classi�cation doesn’t �t your model."I "Tools for sharing information are tied to a speci�c format,we use a di�erent one."

3https://www.misp-project.org/compliance/9 29

MISP Project Overview

Open SourceSoftware

Intelligence& Knowledge Base

Open Standards Intelligence& Sharing Community

misp-taxonomies

misp-galaxy

misp-noticelist

misp-warninglists

MISP core

misp-modules

PyMISP

misp-dashboard

MISP OSINT feeds

compliance documentssuch as GDPR,ISO 27010:2015

threat intelligencebest practices &training materials

ISAC/ISAObest practises

MISP exchangecore format

MISP objects template

10 29

Helping Contributors in MISP

Contributors can use the UI, API or using the freetext importto add events and attributes.I Modules existing in Viper (a binary framework for malwarereverser) to populate and use MISP from the vty or via yourIDA.

Contribution can be direct by creating an event but userscan propose attributes updates to the event owner.Users should not be forced to use a single interface tocontribute.

11 29

Getting some naming conventions out of theway...

Data layerI Events are encapsulations for contextually linked informationI Attributes are individual data points, which can be indicatorsor supporting data.

I Objects are custom templated Attribute compositionsI Object references are the relationships between otherbuilding blocks

Context layerI Tags are labels attached to events/attributes and can comefrom Taxonomies

I Galaxy-clusters are knowledge base items used to labelevents/attributes and come from Galaxies.

12 29

A rich data-model: telling stories viarelationships

13 29

Contextualisation and aggregation

MISP integrates at the event and the attribute levels MITRE’sAdversarial Tactics, Techniques, and Common Knowledge(ATT&CK).

14 29

Sharing in MISP

Sharing via distribution lists - Sharing groupsDelegation for pseudo-anonymised information sharingProposals and Extended events for collaboratedinformation sharingSynchronisation, Feed system, air-gapped sharingUser de�ned �ltered sharing for all the above mentionedmethodsCross-instance information caching for quick lookups oflarge data-setsSupport for multi-MISP internal enclaves

15 29

MISP core distributed sharing functionality

MISPs’ core functionality is sharing where everyone can be aconsumer and/or a contributor/producer."Quick bene�t without the obligation to contribute.Low barrier access to get acquainted to the system.

16 29

Information quality management

Correlating dataFeedback loop from detections via SightingsFalse positive management via the warninglist systemEnrichment system via MISP-modulesIntegrations with a plethora of tools and formatsFlexible API and support libraries such as PyMISP to easeintegrationTimelines and giving information a temporal contextFull chain for indicator life-cycle management

17 29

Correlation features: a tool for analysts

To corroborate a �nding (e.g. is this the same campaign?),reinforce an analysis (e.g. do other analysts have the samehypothesis?), con�rm a speci�c aspect (e.g. are the sinkholeIP addresses used for one campaign?) or just �nd if thisthreat is new or unknown in your community.

18 29

Sightings support

Has a data-point been sighted byme or the community before?Additionally, the sighting systemsupports negative sigthings (FP)and expiration sightings.Sightings can be performed via theAPI or the UI.Many use-cases for scoringindicators based on users sighting.For large quantities of data,SightingDB by Devo

19 29

Timelines and giving information a temporalcontext

Recently introduced first_seen and last_seen datapointsAll data-points can be placed in timeEnables the visualisation and adjustment of indicatorstimeframes

20 29

Life-cycle management via decaying of indicators

Decay score toggle buttonI Shows Score for each Models associated to the Attribute type

21 29

Decaying of indicators: Fine tuning tool

Create, modify, visualise, perform mapping

22 29

Decaying of indicators: simulation tool

Simulate Attributes with di�erent Models

23 29

Documenting IoT hardware reversing in MISP

https://github.com/C00kie-/workshop-materials24 29

Alternate use-cases of MISP... COVID-19

Build objects for completely di�erent use-cases

25 29

Alternate use-cases of MISP... COVID-19

DM us via https://twitter.com/MISPProject for access tothe COVID-19 community

26 29

Conclusion

Information sharing practices come from usage and byexample (e.g. learning by imitation from the sharedinformation).MISP is just a tool. What matters is your sharing practices.The tool should be as transparent as possible to supportyou.Enable users to customize MISP to meet their community’suse-cases.MISP project combines open source software, openstandards, best practices and communities to makeinformation sharing a reality.

27 29

Contact us

https://www.misp-project.org/https://www.misp-standard.org/https://github.com/MISPinfo@misp-project.orghttps://twitter.com/MISPProject

28 29