Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
An Introduction to Cybersecurity InformationSharingMISP - Threat Sharing
Threat Sharing
Team CIRCL
MISP Projecthttps://www.misp-project.org/
CanSecWest 2020
MISP features
MISP1 is a threat information sharing free & open sourcesoftware.MISP has a host of functionalities that assist users increating, collaborating & sharing threat information - e.g.�exible sharing groups, automatic correlation, free-textimport helper, event distribution & proposals.Many export formats which support IDSes / IPSes (e.g.Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g.OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNSpolicies (e.g. RPZ).A rich set of MISP modules2 to add expansion, import andexport functionalities.
1https://github.com/MISP/MISP2https://www.github.com/MISP/misp-modules
1 29
MISP and starting from a practical use-case
During a malware analysis workgroup in 2012, we discoveredthat we worked on the analysis of the same malware.We wanted to share information in an easy and automatedway to avoid duplication of work.Christophe Vandeplas (then working at the CERT for theBelgian MoD) showed us his work on a platform that laterbecame MISP.A �rst version of the MISP Platform was used by the MALWGand the increasing feedback of users helped us to build animproved platform.MISP is now a community-driven development.
2 29
about CIRCL
The Computer Incident Response Center Luxembourg (CIRCL) is agovernment-driven initiative designed to provide a systematicresponse facility to computer security threats and incidents.CIRCL is the CERT for the private sector, communes andnon-governmental entities in Luxembourg and is operated bysecuritymadein.lu g.i.e.
3 29
MISP and CIRCL
CIRCL is mandated by the Ministry of Economy and acting asthe Luxembourg National CERT for private sector.CIRCL leads the development of the Open Source MISPthreat intelligence platform which is used by many militaryor intelligence communities, private companies, �nancialsector, National CERTs and LEAs globally.CIRCL runs multiple large MISP communities performingactive daily threat-intelligence sharing.
4 29
MISP model of governance
5 29
Development based on practical user feedback
There are many di�erent types of users of an informationsharing platform like MISP:I Malware reversers willing to share indicators of analysis withrespective colleagues.
I Security analysts searching, validating and using indicatorsin operational security.
I Intelligence analysts gathering information about speci�cadversary groups.
I Law-enforcement relying on indicators to support orbootstrap their DFIR cases.
I Risk analysis teams willing to know about the new threats,likelyhood and occurences.
I Fraud analysts willing to share �nancial indicators to detect�nancial frauds.
6 29
Communities using MISP
Communities are groups of users sharing within a set ofcommon objectives/values.CIRCL operates multiple MISP instances with a signi�cantuser base (more than 950 organizations with more than 2400users).Trusted groups running MISP communities in island mode(air gapped system) or partially connected mode.Financial sector (banks, ISACs, payment processingorganizations) use MISP as a sharing mechanism.Military and international organizations (NATO, militaryCSIRTs, n/g CERTs,...).Security vendors running their own communities (e.g.Fidelis) or interfacing with MISP communities (e.g. OTX).
7 29
Many objectives from different user-groups
Sharing indicators for a detection matter.I ’Do I have infected systems in my infrastructure or the ones Ioperate?’
Sharing indicators to block.I ’I use these attributes to block, sinkhole or divert tra�c.’
Sharing indicators to perform intelligence.I ’Gathering information about campaigns and attacks. Arethey related? Who is targeting me? Who are the adversaries?’
→ These objectives can be con�icting (e.g. False-positiveshave di�erent impacts)
8 29
Sharing Difficulties
Sharing di�culties are not really technical issues but oftenit’s a matter of social interactions (e.g. trust).Legal restriction3I "Our legal framework doesn’t allow us to share information."I "Risk of information-leak is too high and it’s too risky for ourorganization or partners."
Practical restrictionI "We don’t have information to share."I "We don’t have time to process or contribute indicators."I "Our model of classi�cation doesn’t �t your model."I "Tools for sharing information are tied to a speci�c format,we use a di�erent one."
3https://www.misp-project.org/compliance/9 29
MISP Project Overview
Open SourceSoftware
Intelligence& Knowledge Base
Open Standards Intelligence& Sharing Community
misp-taxonomies
misp-galaxy
misp-noticelist
misp-warninglists
MISP core
misp-modules
PyMISP
misp-dashboard
MISP OSINT feeds
compliance documentssuch as GDPR,ISO 27010:2015
threat intelligencebest practices &training materials
ISAC/ISAObest practises
MISP exchangecore format
MISP objects template
10 29
Helping Contributors in MISP
Contributors can use the UI, API or using the freetext importto add events and attributes.I Modules existing in Viper (a binary framework for malwarereverser) to populate and use MISP from the vty or via yourIDA.
Contribution can be direct by creating an event but userscan propose attributes updates to the event owner.Users should not be forced to use a single interface tocontribute.
11 29
Getting some naming conventions out of theway...
Data layerI Events are encapsulations for contextually linked informationI Attributes are individual data points, which can be indicatorsor supporting data.
I Objects are custom templated Attribute compositionsI Object references are the relationships between otherbuilding blocks
Context layerI Tags are labels attached to events/attributes and can comefrom Taxonomies
I Galaxy-clusters are knowledge base items used to labelevents/attributes and come from Galaxies.
12 29
A rich data-model: telling stories viarelationships
13 29
Contextualisation and aggregation
MISP integrates at the event and the attribute levels MITRE’sAdversarial Tactics, Techniques, and Common Knowledge(ATT&CK).
14 29
Sharing in MISP
Sharing via distribution lists - Sharing groupsDelegation for pseudo-anonymised information sharingProposals and Extended events for collaboratedinformation sharingSynchronisation, Feed system, air-gapped sharingUser de�ned �ltered sharing for all the above mentionedmethodsCross-instance information caching for quick lookups oflarge data-setsSupport for multi-MISP internal enclaves
15 29
MISP core distributed sharing functionality
MISPs’ core functionality is sharing where everyone can be aconsumer and/or a contributor/producer."Quick bene�t without the obligation to contribute.Low barrier access to get acquainted to the system.
16 29
Information quality management
Correlating dataFeedback loop from detections via SightingsFalse positive management via the warninglist systemEnrichment system via MISP-modulesIntegrations with a plethora of tools and formatsFlexible API and support libraries such as PyMISP to easeintegrationTimelines and giving information a temporal contextFull chain for indicator life-cycle management
17 29
Correlation features: a tool for analysts
To corroborate a �nding (e.g. is this the same campaign?),reinforce an analysis (e.g. do other analysts have the samehypothesis?), con�rm a speci�c aspect (e.g. are the sinkholeIP addresses used for one campaign?) or just �nd if thisthreat is new or unknown in your community.
18 29
Sightings support
Has a data-point been sighted byme or the community before?Additionally, the sighting systemsupports negative sigthings (FP)and expiration sightings.Sightings can be performed via theAPI or the UI.Many use-cases for scoringindicators based on users sighting.For large quantities of data,SightingDB by Devo
19 29
Timelines and giving information a temporalcontext
Recently introduced first_seen and last_seen datapointsAll data-points can be placed in timeEnables the visualisation and adjustment of indicatorstimeframes
20 29
Life-cycle management via decaying of indicators
Decay score toggle buttonI Shows Score for each Models associated to the Attribute type
21 29
Decaying of indicators: Fine tuning tool
Create, modify, visualise, perform mapping
22 29
Decaying of indicators: simulation tool
Simulate Attributes with di�erent Models
23 29
Documenting IoT hardware reversing in MISP
https://github.com/C00kie-/workshop-materials24 29
Alternate use-cases of MISP... COVID-19
Build objects for completely di�erent use-cases
25 29
Alternate use-cases of MISP... COVID-19
DM us via https://twitter.com/MISPProject for access tothe COVID-19 community
26 29
Conclusion
Information sharing practices come from usage and byexample (e.g. learning by imitation from the sharedinformation).MISP is just a tool. What matters is your sharing practices.The tool should be as transparent as possible to supportyou.Enable users to customize MISP to meet their community’suse-cases.MISP project combines open source software, openstandards, best practices and communities to makeinformation sharing a reality.
27 29
Contact us
https://www.misp-project.org/https://www.misp-standard.org/https://github.com/[email protected]://twitter.com/MISPProject
28 29