Agenda for this first part:
- practical usage from user perspective
- MISP project
- sharing communities
- data model
- taxonomies
Full slide deck available from the MISP training at: https://github.com/MISP/misp-training
What can I do?
- collect indicators of compromise -> feeds, free-text import
- write reports -> export
- share information with analysts -> sharing
- prepare information to share with clients (over a MISP synchronisation, for example) -> sharing, tagging
- use MISP objects and attributes -> data model
- integrate a continuous stream of information -> feeds
- work with correlations -> use data
  - what is a correlation in intelligence analysis?
  - what is not a correlation in intel analysis?
  - use correlation in MISP in order to:
    - corroborate findings
    - reinforce analysis
    - confirm a specific aspect
    - identify new threats in your community
Operational security:
- searching & validating indicators
Intelligence analysts:
- information gathering about adversary groups
- gathering information about campaigns and attacks:
  - are they related?
  - who is targeting me?
  - who are the adversaries?
- The MISP project includes best practices (for data flow and sharing) in information sharing, and open standards for importing and exporting data.
The MISP project includes:
- a large community of MISP users and contributors
- open-source software
- an intelligence practice and knowledge database
- open standards
- the possibility to join and build a sharing community
Important:
- MISP is open source
- you can work with MISP modules to add expansion, export and import functionality to MISP
(?) What is a user group?
MISP is used among different user groups:
- trusted groups
- financial sectors
- military and international org
- security vendors
Members of a sharing community can be:
- consumers
- contributors
- producers ...of "information"
Analysis with MISP is based on "contextually linked information".
MISP uses templates (object templates) to help users extend the data models in MISP.
Galaxies are used for the categorisation of data and for more granularity (ex: threat actors, TTPs).
Indicators:
- "a pattern that can be used to detect suspicious or malicious cyber activity"
Attributes:
- can be network indicators, system indicators, or any non-technical information (ex: forensics, banking)
- attributes are relative to an event in MISP
- attributes can be grouped into an object
When you create an attribute you can add:
- the type (ex: MD5): how the information is encoded
- the category (ex: payload delivery)
- whether it has an IDS flag (is it used in an IDS?)
- ...
Events have a UUID, an owner org and a creator org.
Events can be found in your MISP instance by searching by UUID (or via the URL, by adding the UUID of the event), or by keyword search.
While creating an event, you are asked to specify tagging (if needed) and a sharing parameter.
event data model:
- creator org
- description
- analysis
- threat level
- distribution
- use tagging to be efficient and avoid NOISE
- tagging schemes exist in taxonomies; your own can be created (ex: a client can have their own tagging scheme and taxonomies)
The creator of the event decides the sharing parameter of the event.
- [distribution typology]
- your organisation only
- this community only
- connected communities
- all communities
- sharing group*
ex: -> classification of threat indicators
- tags
- machine tags (triple tags)
- NAMESPACE:PREDICATE="VALUE"
  ex: admiralty-scale:source-reliability="c"
  - namespace: admiralty-scale
  - predicate: source-reliability
  - value: "c"
- implemented in JSON format
- taxonomies are in an independent Git repository
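The triple-tag syntax above, as an added example that is not part of the original notes: a small parser that splits a MISP machine tag into namespace, predicate and optional value, and a helper that selects tag values by namespace (the kind of test a sync filter by tag needs). Only the standard library is used; the tags in the comments are constructed samples.

```python
import re
from typing import List, NamedTuple, Optional

# Machine tag ("triple tag") syntax used by MISP taxonomies:
#   namespace:predicate="value"   e.g. admiralty-scale:source-reliability="c"
#   namespace:predicate           e.g. tlp:amber (two-part tag, no value)
_MACHINE_TAG = re.compile(
    r'^(?P<namespace>[^:="\s]+):(?P<predicate>[^:="\s]+)'
    r'(?:="(?P<value>[^"]*)")?$'
)


class MachineTag(NamedTuple):
    namespace: str
    predicate: str
    value: Optional[str]  # None for two-part tags


def parse_machine_tag(tag: str) -> MachineTag:
    """Split a machine tag into its three parts.

    Raises ValueError for anything that is not a well-formed triple tag,
    so a free-form tag is never silently treated as a taxonomy tag.
    """
    m = _MACHINE_TAG.match(tag.strip())
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return MachineTag(m["namespace"], m["predicate"], m["value"])


def is_taxonomy_tag(tag: str) -> bool:
    """True when the tag follows the namespace:predicate[="value"] form."""
    try:
        parse_machine_tag(tag)
        return True
    except ValueError:
        return False


def tag_values(tags: List[str], namespace: str) -> List[str]:
    """Return predicate (or value, when present) of every tag in a namespace.

    Example (constructed): tag_values(['tlp:amber', 'my-free-tag'], 'tlp')
    -> ['amber'].  Useful when a sync rule filters on a namespace such as tlp.
    """
    out = []
    for t in tags:
        if not is_taxonomy_tag(t):
            continue
        mt = parse_machine_tag(t)
        if mt.namespace == namespace:
            out.append(mt.value if mt.value is not None else mt.predicate)
    return out
```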
some existing taxonomies:
- NATO - Admiralty Scale
- CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
- eCSIRT and IntelMQ incident classification
- EUCI EU classified information marking
- Information Security Marking Metadata from DNI (Director of National Intelligence - US)
- NATO Classification Marking
- OSINT Open Source Intelligence - Classification
- TLP - Traffic Light Protocol
- Vocabulary for Event Recording and Incident Sharing - VERIS
- and many more, like ENISA, Europol, or the draft FIRST SIG Information Exchange Policy.
taxonomies create tags: for example, tags drive the distribution of events among MISP instances (push rules)
manage taxonomies with PyTaxonomies (Python 3 module)
https://github.com/MISP/misp-taxonomies
https://github.com/MISP/PyTaxonomies
https://github.com/MISP/misp-warninglists
info@circl.lu (if you want to join one of the MISP communities operated by CIRCL)
PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5
Check once viewed and understood:
- installing and running a MISP VM
- create and populate an event
- viewing data
- export and API
- synchronisation
download the latest image (circl.lu/misp-images/latest); credentials for the machine:
- MISP admin: admin@admin.test
- SSH: misp/Password1234
- the first thing you are asked to do is to change the password.
- secondly, you will create an organisation and a user.
- then you'll log into MISP with this new user account.
- add attribute, batch add (import multiple values at once; each unique value becomes an attribute)
- explanation: batch add suits an IP list; if the list mixes IPs and domains, use free-text import
- adding objects, object template
- freetext import
- other imports
- consulting available templates
- add attachments
What is done when importing attributes:
- automatic correlation
- input modification via validation (regex)
- tagging
publishing:
- with or without an email (send a notification email or not)
- via the API (**)
- the case of delegation
There are 4 important points to start:
- Correlation graphs
- download data in various formats (at freetext import or from you?)
- download an event from MISP: multiple formats
- API* (for automatic publication)
- Download search results
- case of cached exports
Check once viewed and understood:
- synchronisation
- feeds
- collaborating
- MISP basic admin
- MISP modules
- PyMISP
Distribution typology, see above 4.3 Event sharing
- sync connection
- push/pull model
- filter the sync (ex: filter by tag or by org)
- testing
- cherry pick
feed formats:
- MISP
- Freetext
- CSV
feeds:
- adding/editing feeds
- previewing feeds
- local vs network feeds
Normalising OSINT and private feeds: any normalisation is done before pushing data into a MISP instance.
Warning lists are used when exporting data.
IMPORT:
- normalising external input and feeding it into MISP (feed importer)
- comparing feeds: similarities, false positives
EXPORTATION:
- make warning lists for content to evaluate (quality)
- make warning lists to avoid false positives associated with well-known indicators (JSON file)
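An added example (not part of the original notes, nor MISP's own code) of the export-side warning list check described above: indicators are matched against a few constructed warning lists, and attributes that hit one are flagged and have their IDS flag cleared before export. The JSON layout (name / type / list, with types cidr, string and hostname) is modelled on the misp-warninglists repository but is an assumption here, and the list contents are constructed samples.

```python
import ipaddress
import json

# Constructed sample warning lists (assumed layout: name / type / list).
SAMPLE_WARNINGLISTS = json.loads(r'''[
  {"name": "constructed: RFC1918 private ranges", "type": "cidr",
   "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
  {"name": "constructed: well-known public resolvers", "type": "string",
   "list": ["8.8.8.8", "1.1.1.1"]},
  {"name": "constructed: popular domains", "type": "hostname",
   "list": ["google.com", "example.com"]}
]''')


def _matches(entry, wl_type, value):
    """Match one attribute value against one warning list entry."""
    if wl_type == "cidr":          # IP inside a listed network?
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False)
        except ValueError:         # not an IP address at all
            return False
    if wl_type == "hostname":      # exact host or any subdomain of it
        v = value.lower().rstrip(".")
        return v == entry or v.endswith("." + entry)
    return value == entry          # "string": exact match


def warninglist_hits(value, warninglists=SAMPLE_WARNINGLISTS):
    """Names of every warning list the indicator value appears on."""
    return [wl["name"] for wl in warninglists
            if any(_matches(e, wl["type"], value) for e in wl["list"])]


def filter_for_export(attributes, warninglists=SAMPLE_WARNINGLISTS):
    """Split attributes into (to_export, flagged).

    Flagged attributes keep their data but get to_ids=False plus the list
    of warning lists they matched, so they are not pushed into an IDS.
    Attributes are plain dicts: {"type": ..., "value": ..., "to_ids": bool}.
    """
    to_export, flagged = [], []
    for attr in attributes:
        hits = warninglist_hits(attr["value"], warninglists)
        if hits:
            flagged.append({**attr, "to_ids": False, "warninglists": hits})
        else:
            to_export.append(attr)
    return to_export, flagged
```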
- How to activate feeds
- How to activate modules in MISP
- Workers
see the SIEM integration part
Existing MISP modules ex:
- Viper
- CLI for Passive SSL
- CLI for Passive DNS
- VirusTotal
- mail to MISP (for importing IOCs)
API: PyMISP (the API has no integration with the UI)
Three types of modules:
- Expansion modules
- Import modules
- Export modules
PyMISP usage example: see "How to make a MISP import script"
https://www.circl.lu/misp-training
To activate the modules, go to Server Settings: Enrichment