Turning data into actionable intelligence: advanced features in MISP supporting your analysts and tools
Threat Sharing
@adulau @Iglocska
FIRST Cyber Threat Intelligence Webinar
MISP and CIRCL
CIRCL is mandated by the Ministry of Economy and acts as the Luxembourg National CERT for the private sector. We lead the development of the open source MISP TISP, which is used by many military and intelligence communities, private companies, the financial sector, National CERTs and LEAs globally. CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing.
The aim of this presentation
- What is MISP?
- Our initial scope
- Why is contextualisation important?
- What options do we have in MISP?
- How can we leverage this in the end?
What is MISP?
- Open source "TISP": a TIP with a strong focus on sharing
- A tool that collects information from partners, your analysts, your tools and feeds
- Normalises, correlates and enriches the data
- Allows teams and communities to collaborate
- Feeds automated protective tools and analyst tools with the output
- A set of tools to manage sharing communities and interconnected MISP servers
Development based on practical user feedback
There are many different types of users of an information sharing platform like MISP:
- Malware reversers willing to share indicators of analysis with respective colleagues.
- Security analysts searching, validating and using indicators in operational security.
- Intelligence analysts gathering information about specific adversary groups.
- Law enforcement relying on indicators to support or bootstrap their DFIR cases.
- Risk analysis teams willing to know about new threats, their likelihood and occurrences.
- Fraud analysts willing to share financial indicators to detect financial fraud.
The initial scope of MISP
- Extract information during the analysis process
- Store and correlate these data points
- Share the data with partners
- Focus on technical indicators: IP, domain, hostname, hashes, filename, pattern in file/memory/traffic
- Generate protective signatures out of the data: snort, suricata, OpenIOC
The growing need to contextualise data
Contextualisation became more and more important as we as a community matured:
- Growth and diversification of our communities
- Distinguish between information of interest and raw data
- False-positive management
- TTPs and aggregate information may be prevalent compared to raw data (risk assessment)
- Increased data volumes lead to a need to be able to prioritise

These help with filtering your TI based on your requirements...
...as highlighted by a great talk from Pasquale Stirparo titled "Your Requirements Are Not My Requirements".
Different layers of context
- Context added by analysts / tools
- Data that tells a story
- Encoding analyst knowledge to automatically leverage the above
Context added by analysts / tools
Expressing why data-points matter
- An IP address by itself is barely ever interesting
- We need to tell the recipient / machine why this is relevant
- All data in MISP has a bare minimum of required context
- We differentiate between indicators and supporting data
Broadening the scope of what sort of context we are interested in
- Who can receive our data? What can they do with it?
- Data accuracy, source reliability
- Why is this data relevant to us?
- Who do we think is behind it, what tools were used?
- What sort of motivations are we dealing with? Who are the targets?
- How can we block/detect/remediate the attack?
- What sort of impact are we dealing with?
Tagging and taxonomies
- Simple labels
- Standardising on vocabularies
- Different organisational/community cultures require different nomenclatures
- Triple tag system (namespace:predicate="value"): taxonomies
- JSON libraries that can easily be defined without our intervention
Galaxies
Taxonomy tags are often not self-explanatory
- Example: tlp:green is universally understood, "APT 28" is not
For the latter, a single string was ill-suited, so we needed something new in addition to taxonomies: Galaxies
- Community-driven knowledge-base libraries used as tags
- Including descriptions, links, synonyms, meta information, etc.
- Goal was to keep it simple and make it reusable
- Internally it works the exact same way as taxonomies (stick to JSON)
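Both the taxonomy slide and the Galaxy slide rest on the same triple-tag (machine-tag) syntax. The block below is an added example, not code from the MISP project: it parses such tags, checks them against a taxonomy JSON, reads the numerical_value entries that later feed scoring, and resolves a galaxy synonym such as "APT 28" to its canonical cluster tag. The taxonomy and galaxy documents are constructed, shortened excerpts that follow the layout of misp-taxonomies/<ns>/machinetag.json and misp-galaxy/clusters/<type>.json; their descriptions, numerical values and the UUID are placeholders.

```python
"""Parse MISP triple tags and resolve them against taxonomy/galaxy JSON.

Added example, not code from the MISP project. The JSON documents are
constructed excerpts in the layout of the real taxonomy and cluster files.
"""
import json
import re

TLP_TAXONOMY = json.loads("""
{"namespace": "tlp", "description": "Traffic Light Protocol", "version": 5,
 "predicates": [
   {"value": "white", "expanded": "(TLP:WHITE) Unlimited disclosure"},
   {"value": "green", "expanded": "(TLP:GREEN) Community-wide disclosure"},
   {"value": "amber", "expanded": "(TLP:AMBER) Limited disclosure"},
   {"value": "red",   "expanded": "(TLP:RED) Named recipients only"}]}
""")

# Predicate/value taxonomy; the numerical_value fields are what base-score
# computations in decay models consume. Values are constructed.
ADMIRALTY_TAXONOMY = json.loads("""
{"namespace": "admiralty-scale", "description": "Admiralty scale", "version": 4,
 "predicates": [{"value": "source-reliability", "expanded": "Source reliability"}],
 "values": [{"predicate": "source-reliability", "entry": [
   {"value": "a", "expanded": "Completely reliable", "numerical_value": 100},
   {"value": "b", "expanded": "Usually reliable",    "numerical_value": 75},
   {"value": "c", "expanded": "Fairly reliable",     "numerical_value": 50},
   {"value": "f", "expanded": "Cannot be judged",    "numerical_value": 25}]}]}
""")

# Constructed cluster entry; the UUID is a placeholder, not the real one.
THREAT_ACTOR_GALAXY = json.loads("""
{"type": "threat-actor", "name": "Threat Actor", "version": 1,
 "values": [
   {"value": "Sofacy", "uuid": "00000000-0000-4000-8000-000000000001",
    "description": "constructed entry",
    "meta": {"synonyms": ["APT 28", "APT28", "Fancy Bear", "Pawn Storm"]}}]}
""")

# namespace:predicate  or  namespace:predicate="value"
TAG_RE = re.compile(r'^([^:="\s]+):([^:="]+?)(?:="([^"]*)")?$')


def parse_tag(tag):
    """Return (namespace, predicate, value); value is None for two-part
    tags such as tlp:green. Raises ValueError for free-text labels."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return m.group(1), m.group(2), m.group(3)


def taxonomy_tags(taxonomy):
    """Expand a taxonomy into {tag: entry}; predicates that carry an
    'entry' list become triple tags, the others stay two-part tags."""
    ns = taxonomy["namespace"]
    entries = {v["predicate"]: v["entry"] for v in taxonomy.get("values", [])}
    tags = {}
    for pred in taxonomy["predicates"]:
        if pred["value"] in entries:
            for e in entries[pred["value"]]:
                tags[f'{ns}:{pred["value"]}="{e["value"]}"'] = e
        else:
            tags[f'{ns}:{pred["value"]}'] = pred
    return tags


def validate_tag(tag, taxonomies):
    """True if one of the given taxonomies defines exactly this tag."""
    ns = parse_tag(tag)[0]
    return any(tag in taxonomy_tags(t) for t in taxonomies if t["namespace"] == ns)


def numerical_value(tag, taxonomies):
    """numerical_value attached to a taxonomy tag, or None if it has none."""
    for t in taxonomies:
        entry = taxonomy_tags(t).get(tag)
        if entry is not None:
            return entry.get("numerical_value")
    return None


def _norm(name):
    return re.sub(r"\s+", "", name).lower()


def resolve_galaxy_tag(tag, cluster):
    """Map a galaxy tag, possibly written with a synonym ("APT 28"), to the
    cluster entry and its canonical tag; None when nothing matches."""
    ns, pred, value = parse_tag(tag)
    if ns != "misp-galaxy" or pred != cluster["type"] or value is None:
        return None
    for entry in cluster["values"]:
        names = [entry["value"]] + entry.get("meta", {}).get("synonyms", [])
        if _norm(value) in {_norm(n) for n in names}:
            return {"entry": entry,
                    "tag": f'misp-galaxy:{cluster["type"]}="{entry["value"]}"'}
    return None
```

Resolve synonyms at ingest and store only the canonical tag: a filter on misp-galaxy:threat-actor="Sofacy" will otherwise silently miss data a partner tagged with "APT28".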
The emergence of ATT&CK
- Standardising on high-level TTPs was a solution to a long list of issues
- Adoption was rapid: tools producing ATT&CK data, familiar interface for users
- A much better take on kill-chain phases in general
- Feeds into our filtering and situational awareness needs extremely well
- Gave rise to other, ATT&CK-like systems tackling other concerns
The emergence of ATT&CK and similar galaxies
- attck4fraud [1] by Francesco Bigarella from ING
- Election guidelines [2] by the NIS Cooperation Group
- AM!TT Misinformation pattern [3] by the misinfosec project

[1] https://www.misp-project.org/galaxy.html#_attck4fraud
[2] https://www.misp-project.org/galaxy.html#_election_guidelines
[3] https://github.com/MISP/misp-galaxy/blob/master/clusters/misinfosec-amitt-misinformation-pattern.json
False positive handling
- Low quality / false-positive prone information being shared
- Leads to alert fatigue
- Exclude organisation xy from the community?
- FPs are often obvious and can be encoded
- The warninglist system [4] aims to do that
- Lists of well-known indicators which are often false positives, like RFC1918 networks, ...

[4] https://github.com/MISP/misp-warninglists
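To make the warninglist idea concrete, here is an added example (not MISP's own matching code) that checks attributes against two constructed lists written in the layout of misp-warninglists/lists/<name>/list.json (name, version, type, matching_attributes, list). It implements the cidr, hostname, string, substring and regex matching strategies, splits composite types such as ip-dst|port into their parts, and shows what enforceWarninglist=1 does to an export: every attribute that hits a list is dropped rather than shipped to a blocking device. The attribute values are constructed.

```python
"""Warninglist matching for MISP attributes.

Added example, not MISP's implementation. The two lists are constructed,
shortened documents in the layout of misp-warninglists list.json files.
"""
import ipaddress
import json
import re
from urllib.parse import urlparse

RFC1918 = json.loads("""
{"name": "List of RFC 1918 CIDR blocks", "version": 1, "type": "cidr",
 "description": "Private IPv4 ranges: almost never a usable indicator",
 "matching_attributes": ["ip-src", "ip-dst", "ip-src|port", "ip-dst|port", "domain|ip"],
 "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
""")

POPULAR_DOMAINS = json.loads("""
{"name": "Top popular domains (constructed)", "version": 1, "type": "hostname",
 "matching_attributes": ["hostname", "domain", "domain|ip", "url"],
 "list": ["google.com", "microsoft.com"]}
""")


def _candidates(attr):
    """Values to test: composite types (a|b) are split into their parts and
    url attributes additionally contribute their host name."""
    value = attr["value"]
    parts = value.split("|") if "|" in attr["type"] else [value]
    if attr["type"] == "url":
        host = urlparse(value if "://" in value else "//" + value).hostname
        if host:
            parts.append(host)
    return parts


def _matches(wl, value):
    kind = wl["type"]
    if kind == "cidr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(ip in ipaddress.ip_network(c, strict=False) for c in wl["list"])
    if kind == "hostname":          # the host itself or any sub-domain of it
        v = value.lower().rstrip(".")
        return any(v == h or v.endswith("." + h) for h in wl["list"])
    if kind == "string":
        return value in wl["list"]
    if kind == "substring":
        return any(s in value for s in wl["list"])
    if kind == "regex":
        return any(re.search(p, value) for p in wl["list"])
    raise ValueError(f"unknown warninglist type {kind!r}")


def warninglist_hits(attr, warninglists):
    """Names of the warninglists that an attribute {'type', 'value'} hits;
    a list is only consulted for the attribute types it declares."""
    hits = []
    for wl in warninglists:
        if attr["type"] not in wl["matching_attributes"]:
            continue
        if any(_matches(wl, v) for v in _candidates(attr)):
            hits.append(wl["name"])
    return hits


def enforce_warninglists(attrs, warninglists):
    """The export-side effect of enforceWarninglist=1: drop every attribute
    that hits at least one enabled warninglist."""
    return [a for a in attrs if not warninglist_hits(a, warninglists)]


# Constructed attributes as they would come out of an event
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "192.168.1.10"},
    {"type": "ip-dst", "value": "198.51.100.7"},
    {"type": "ip-src|port", "value": "10.1.2.3|443"},
    {"type": "domain", "value": "mail.google.com"},
    {"type": "url", "value": "https://update.microsoft.com/x"},
    {"type": "domain", "value": "c2.example-bad.test"},
]
```

In the UI a hit is advisory (the analyst sees the warning and decides); on an automated feed to a firewall it should be enforced, which is exactly what the enforceWarninglist flag in the export query on a later slide does.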
Data that tells a story
More complex data-structures for a modern age
Atomic attributes were a great starting point, but lacking in many aspects
MISP objects [5] system
- Simple templating approach
- Use templating to build more complex structures
- Decouple it from the core, allow users to define their own structures
- MISP should understand the data without knowing the templates
- Massive caveat: building blocks have to be MISP attribute types
- Allow relationships to be built between objects

[5] https://github.com/MISP/misp-objects
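The following added example (not code from MISP or misp-objects) shows what the template approach buys and where the caveat bites: an object is built from a template, every object_relation must map onto an existing MISP attribute type, required / requiredOneOf / multiple constraints from the template are enforced, and two objects are linked with a relationship from a shared vocabulary. The two templates are constructed, shortened definitions in the layout of misp-objects/objects/<name>/definition.json; the attribute-type set and relationship list are small subsets of the real ones and the UUIDs are placeholders.

```python
"""Build and validate MISP objects from object templates.

Added example, not MISP or misp-objects code. Templates, the type subset
and the relationship subset are constructed; UUIDs are placeholders.
"""
import uuid

# Subset of MISP attribute types: the only building blocks an object may use
MISP_ATTRIBUTE_TYPES = {"filename", "md5", "sha1", "sha256", "size-in-bytes",
                        "ip-dst", "ip-src", "port", "domain", "url", "text",
                        "datetime", "malware-sample"}

# Subset of misp-objects/relationships/definition.json
RELATIONSHIP_TYPES = {"connected-to", "downloaded-from", "drops",
                      "communicates-with", "related-to", "contains"}

FILE_TEMPLATE = {
    "name": "file", "uuid": "00000000-0000-4000-8000-0000000000f1", "version": 1,
    "meta-category": "file", "description": "File object (constructed excerpt)",
    "attributes": {
        "filename":      {"misp-attribute": "filename", "multiple": True},
        "md5":           {"misp-attribute": "md5"},
        "sha256":        {"misp-attribute": "sha256"},
        "size-in-bytes": {"misp-attribute": "size-in-bytes"},
    },
    "requiredOneOf": ["filename", "md5", "sha256"],
}

IP_PORT_TEMPLATE = {
    "name": "ip-port", "uuid": "00000000-0000-4000-8000-0000000000a2", "version": 1,
    "meta-category": "network", "description": "ip|port pair (constructed excerpt)",
    "attributes": {
        "ip":       {"misp-attribute": "ip-dst"},
        "dst-port": {"misp-attribute": "port"},
        "domain":   {"misp-attribute": "domain"},
    },
    "required": ["ip"],
}


def validate_template(template):
    """The caveat from the slide: every object_relation must map onto an
    existing MISP attribute type, otherwise MISP cannot store the value."""
    bad = [rel for rel, spec in template["attributes"].items()
           if spec["misp-attribute"] not in MISP_ATTRIBUTE_TYPES]
    if bad:
        raise ValueError(f"template {template['name']}: unknown attribute types for {bad}")
    return True


def build_object(template, values):
    """values maps object_relation -> value, or -> list of values when the
    template marks the relation as 'multiple'. Returns the JSON shape the
    MISP API accepts for an Object."""
    validate_template(template)
    spec = template["attributes"]
    unknown = set(values) - set(spec)
    if unknown:
        raise ValueError(f"{template['name']}: relations not in template: {sorted(unknown)}")
    missing = [r for r in template.get("required", []) if r not in values]
    if missing:
        raise ValueError(f"{template['name']}: missing required {missing}")
    one_of = template.get("requiredOneOf", [])
    if one_of and not any(r in values for r in one_of):
        raise ValueError(f"{template['name']}: need at least one of {one_of}")
    attributes = []
    for rel, val in values.items():
        vals = val if isinstance(val, list) else [val]
        if len(vals) > 1 and not spec[rel].get("multiple"):
            raise ValueError(f"{template['name']}: {rel} does not allow multiple values")
        for v in vals:
            attributes.append({"object_relation": rel,
                               "type": spec[rel]["misp-attribute"], "value": v})
    return {"name": template["name"], "meta-category": template["meta-category"],
            "template_uuid": template["uuid"], "template_version": template["version"],
            "uuid": str(uuid.uuid4()), "Attribute": attributes, "ObjectReference": []}


def add_reference(source, target, relationship_type, comment=""):
    """Link two objects. The relationship type must come from the shared
    list so that every partner interprets the edge the same way."""
    if relationship_type not in RELATIONSHIP_TYPES:
        raise ValueError(f"unknown relationship type {relationship_type!r}")
    ref = {"object_uuid": source["uuid"], "referenced_uuid": target["uuid"],
           "relationship_type": relationship_type, "comment": comment}
    source["ObjectReference"].append(ref)
    return ref
```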
Supporting specific datamodels
Continuous feedback loop
- Data shared was frozen in time
- All we had was a creation/modification timestamp
- Improved tooling and willingness allowed us to create a feedback loop
- Led to the introduction of the Sighting system
- Signal the fact of an indicator sighting...
- ...as well as when and where it was sighted
- Vital component for IoC lifecycle management
- External SightingDB and standard, thanks to Sebastien Tricaud from Devo Inc.
Continuous feedback loop (2)
Continuous feedback loop (3)
- Monitor uptimes of infrastructure
- Make decisions on whether to action an IoC
A brief history of time - Timelines
- Data providers including the timing of the data has allowed us to include it directly in MISP
- first_seen and last_seen data points
- Along with a complete integration with the UI
- Enables the visualisation and adjustment of indicator timeframes
The various ways of encoding analyst knowledge to automatically leverage our TI
Making use of all this context
Providing advanced ways of querying data
- Unified export APIs
- Incorporating all contextualisation options into API filters
- Allowing for an on-demand way of excluding potential false positives
- Allowing users to easily build their own export modules to feed their various tools
Example query
/attributes/restSearch

{
  "returnFormat": "netfilter",
  "enforceWarninglist": 1,
  "tags": {
    "NOT": [
      "tlp:white",
      "type:OSINT"
    ],
    "OR": [
      "misp-galaxy:threat-actor=\"Sofacy\"",
      "misp-galaxy:sector=\"Chemical\""
    ]
  }
}
Example query to generate ATT&CK heatmaps
/events/restSearch
{
  "returnFormat": "attack",
  "tags": [
    "misp-galaxy:sector=\"Chemical\""
  ],
  "timestamp": "365d"
}
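The two queries above combine a return format, a warninglist switch, a tag filter and a relative time window. The added example below (not MISP or PyMISP code) assembles such a restSearch call without sending it, and re-implements the tag and timestamp filter semantics locally so their effect can be checked against constructed attributes: the list form of "tags" is an OR with "!" prefixes for NOT, the dict form carries explicit AND/OR/NOT lists, "%" acts as a wildcard inside a tag filter, and "365d" means "modified in the last 365 days". MISP_URL and API_KEY are placeholders. The second query targets /events/restSearch; here it is evaluated per attribute with the parent event's tags inherited, which is the approximation to keep in mind.

```python
"""Build a restSearch request and evaluate its filters locally.

Added example, not MISP or PyMISP code. Nothing is sent; MISP_URL and
API_KEY are placeholders and the attributes below are constructed.
"""
import json
import re

MISP_URL = "https://misp.example.test"   # placeholder instance
API_KEY = "REPLACE_WITH_AUTHKEY"          # placeholder auth key


def build_restsearch_request(controller, body, base_url=MISP_URL, api_key=API_KEY):
    """Return (url, headers, json_body) for POST /<controller>/restSearch."""
    if controller not in ("attributes", "events"):
        raise ValueError("controller must be 'attributes' or 'events'")
    headers = {"Authorization": api_key, "Accept": "application/json",
               "Content-Type": "application/json"}
    return f"{base_url.rstrip('/')}/{controller}/restSearch", headers, json.dumps(body)


def normalise_tag_filter(spec):
    """Accept a string, the list form (['a', '!b'] = OR a, NOT b) or the
    dict form {'AND': [], 'OR': [], 'NOT': []}; return the dict form."""
    if isinstance(spec, str):
        spec = [spec]
    if isinstance(spec, list):
        return {"AND": [], "OR": [t for t in spec if not t.startswith("!")],
                "NOT": [t[1:] for t in spec if t.startswith("!")]}
    return {k: list(spec.get(k, [])) for k in ("AND", "OR", "NOT")}


def _tag_matches(pattern, tags):
    """Exact match, with '%' as a wildcard (assumed LIKE-style semantics)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("%")) + "$"
    return any(re.match(regex, t) for t in tags)


def tag_filter_matches(spec, tags):
    f = normalise_tag_filter(spec)
    if any(_tag_matches(p, tags) for p in f["NOT"]):
        return False
    if any(not _tag_matches(p, tags) for p in f["AND"]):
        return False
    return not f["OR"] or any(_tag_matches(p, tags) for p in f["OR"])


def relative_cutoff(spec, now):
    """'365d', '48h' or '30m' relative to now; plain digits are an epoch."""
    m = re.fullmatch(r"(\d+)([dhm])", spec)
    if not m:
        return int(spec)
    unit = {"d": 86400, "h": 3600, "m": 60}[m.group(2)]
    return now - int(m.group(1)) * unit


def attribute_matches(attr, body, now):
    """Apply the tags and timestamp keys of a restSearch body to one
    attribute; attributes inherit the tags of their event."""
    tags = set(attr.get("tags", [])) | set(attr["event"].get("tags", []))
    if "tags" in body and not tag_filter_matches(body["tags"], tags):
        return False
    if "timestamp" in body and attr["timestamp"] < relative_cutoff(body["timestamp"], now):
        return False
    return True


NOW = 1_700_000_000          # fixed clock so the example is deterministic
DAY = 86400
SOFACY = 'misp-galaxy:threat-actor="Sofacy"'
CHEMICAL = 'misp-galaxy:sector="Chemical"'

# Constructed attributes, each with its parent event's tags
SAMPLE = [
    {"id": 1, "type": "ip-dst", "value": "203.0.113.9", "timestamp": NOW - 3 * DAY,
     "tags": [], "event": {"tags": [SOFACY, "tlp:amber"]}},
    {"id": 2, "type": "ip-dst", "value": "203.0.113.10", "timestamp": NOW - 3 * DAY,
     "tags": [], "event": {"tags": [SOFACY, "tlp:white"]}},
    {"id": 3, "type": "domain", "value": "plant.example.test", "timestamp": NOW - 400 * DAY,
     "tags": ["type:OSINT"], "event": {"tags": [CHEMICAL, "tlp:green"]}},
    {"id": 4, "type": "url", "value": "http://c2.example.test/", "timestamp": NOW - 100 * DAY,
     "tags": [], "event": {"tags": [CHEMICAL, "tlp:green"]}},
]

NETFILTER_QUERY = {   # the first query from the slides, as a valid JSON body
    "returnFormat": "netfilter", "enforceWarninglist": 1,
    "tags": {"NOT": ["tlp:white", "type:OSINT"], "OR": [SOFACY, CHEMICAL]},
}
ATTACK_QUERY = {"returnFormat": "attack", "tags": [CHEMICAL], "timestamp": "365d"}


def run_locally(body, attributes=SAMPLE, now=NOW):
    """IDs of the constructed attributes the body's filters would select."""
    return [a["id"] for a in attributes if attribute_matches(a, body, now)]
```

The NOT list is what keeps tlp:white material and OSINT off a blocking device; the enforceWarninglist flag removes the remaining well-known false positives before the netfilter rules are generated.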
A sample result for the above query
Decaying of indicators
- We were still missing a way to use all of these systems in combination to decay indicators
- Move the decision making from complex filter options to complex decay models
- The idea is not to modify our data, but to provide an overlay to make decisions on the fly
- Decay models would take into account various available context:
  - Taxonomies
  - Sightings
  - Type of each indicator
  - Creation date
  - ...
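The sighting slides and this decay slide describe the same loop: sightings feed the clock, taxonomies feed the base score, and the result is an overlay computed on the fly rather than a change to the data. The block below is an added example, not the MISP decaying implementation. It follows the model documented for MISP's decaying feature: a base score derived from tags carrying numerical_value (weighted per taxonomy, default_base_score when none apply) and score(t) = base_score * (1 - (t / tau) ** (1 / delta)), where t is the time since the indicator was last modified or sighted, with the indicator treated as decayed once the score drops under the threshold. The model parameters, tag values, attributes and sightings are constructed; resetting the clock on a true-positive sighting (type 0) and zeroing the score after a false-positive sighting (type 1) are this example's choices.

```python
"""Score overlay for indicator decay driven by sightings and taxonomy tags.

Added example, not MISP's decaying code. Model, tag values, attributes
and sightings are constructed.
"""

DAY = 86400
NOW = 1_700_000_000  # fixed clock for a deterministic example

# tau = lifetime in days, delta = decay speed, threshold = expiry score
MODEL = {
    "name": "phishing infrastructure (constructed)",
    "attribute_types": ["ip-dst", "domain", "url"],
    "parameters": {
        "tau": 30, "delta": 0.3, "threshold": 30, "default_base_score": 80,
        # per-taxonomy weights applied when averaging numerical_value tags
        "base_score_config": {"admiralty-scale": 0.5, "confidence": 0.5},
    },
}

# numerical_value of the tags used here (constructed taxonomy subset)
NUMERICAL_VALUE = {
    'admiralty-scale:source-reliability="a"': 100,
    'admiralty-scale:source-reliability="b"': 75,
    'admiralty-scale:source-reliability="f"': 25,
    'confidence:level="high"': 100,
    'confidence:level="low"': 25,
}


def base_score(tags, model):
    """Weighted mean of the numerical tags present (weights keyed by
    taxonomy namespace); default_base_score when no such tag is attached."""
    cfg = model["parameters"]["base_score_config"]
    total = weight_sum = 0.0
    for tag in tags:
        ns = tag.split(":", 1)[0]
        if tag in NUMERICAL_VALUE and ns in cfg:
            total += cfg[ns] * NUMERICAL_VALUE[tag]
            weight_sum += cfg[ns]
    return total / weight_sum if weight_sum else model["parameters"]["default_base_score"]


def last_activity(attr, sightings):
    """Epoch of the most recent evidence: the attribute's own timestamp or
    any true-positive sighting (type 0) reported for it."""
    seen = [s["date_sighting"] for s in sightings
            if s["attribute_id"] == attr["id"] and s["type"] == 0]
    return max([attr["timestamp"]] + seen)


def score(attr, sightings, model, now=NOW):
    """Current score under the model, None if the model does not cover
    the attribute type, 0.0 once expired or flagged as a false positive."""
    p = model["parameters"]
    if attr["type"] not in model["attribute_types"]:
        return None
    if any(s["attribute_id"] == attr["id"] and s["type"] == 1 for s in sightings):
        return 0.0
    t_days = (now - last_activity(attr, sightings)) / DAY
    if t_days >= p["tau"]:
        return 0.0
    return base_score(attr["tags"], model) * (1 - (t_days / p["tau"]) ** (1 / p["delta"]))


def is_decayed(attr, sightings, model, now=NOW):
    s = score(attr, sightings, model, now)
    return s is not None and s < model["parameters"]["threshold"]


# Constructed attributes and sightings (type 0 = seen, 1 = false positive)
ATTRS = [
    {"id": 1, "type": "ip-dst", "value": "203.0.113.5", "timestamp": NOW - 10 * DAY, "tags": []},
    {"id": 2, "type": "domain", "value": "login.example.test", "timestamp": NOW - 29 * DAY,
     "tags": ['admiralty-scale:source-reliability="a"', 'confidence:level="high"']},
    {"id": 3, "type": "domain", "value": "cdn.example.test", "timestamp": NOW - 29 * DAY,
     "tags": ['admiralty-scale:source-reliability="b"']},
    {"id": 4, "type": "sha256", "value": "00" * 32, "timestamp": NOW - 300 * DAY, "tags": []},
]
SIGHTINGS = [
    {"attribute_id": 3, "type": 0, "date_sighting": NOW - 2 * DAY, "org": "partner-A"},
    {"attribute_id": 1, "type": 1, "date_sighting": NOW - 1 * DAY, "org": "partner-B"},
]
```

With these numbers attribute 3 is 29 days old and would score about 8 on its own, but a partner's sighting two days ago keeps it near its base score of 75; attribute 2 has the best possible tags and still expires because nobody has seen it since it was shared. That is the overlay in action: the stored data is untouched, only the decision changes.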
Implementation in MISP: Event/view
Decay score toggle button
- Shows the score for each model associated with the attribute type
Implementation in MISP: Fine tuning tool
Create, modify, visualise, perform mapping
Implementation in MISP: simulation tool
Simulate attributes with different models
Monitor trends outside of MISP (example: dashboard)
A small detour - COVID-19 MISP
COVID-19 MISP
- Using the new built-in dashboarding system of MISP
- Customising MISP for a specific use-case
- We are focusing on four areas of sharing:
  - Medical information
  - Cyber threats related to / abusing COVID-19
  - COVID-19 related disinformation
  - Geo-political events related to COVID-19
- Low barrier of entry, aiming for widespread adoption
- Already a massive community
- Register at https://covid-19.iglocska.eu
Dashboarding and situational awareness
Create, modify, visualise, perform mapping
To sum it all up...
- Massive rise in user capabilities
- Growing need for truly actionable threat intel
- Lessons learned:
  - Context is king: enables better decision making
  - Intelligence and situational awareness are natural by-products of context
  - Don't lock users into your workflows, build tools that enable theirs
Get in touch if you have any questions
Contact CIRCL
- [email protected]
- https://twitter.com/circl_lu
- https://www.circl.lu/

Contact MISP Project
- https://github.com/MISP
- https://gitter.im/MISP/MISP
- https://twitter.com/MISPProject

Join the COVID-19 MISP community
- https://covid-19.iglocska.eu