1 MISP Training Slide Decks

MISP1 is a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

This document includes the slides which are the support materials used for MISP trainings. The slides are licensed under the CC-BY-SA license, which allows you to freely use, remix and share-alike the slides while still mentioning the contributors under the same conditions.

2 Contributors

• Steve Clement https://github.com/SteveClement
• Alexandre Dulaunoy https://github.com/adulau
• Andras Iklody https://github.com/iglocska
• Sami Mokaddem https://github.com/mokaddem
• Raphaël Vinot https://github.com/rafiot
• Gerard Wagener https://github.com/haegardev

3 Acknowledgment

The MISP project is co-financed and resource supported by CIRCL Computer Incident Response Center Luxembourg2 and co-financed by a CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security as Improving MISP as building blocks for next-generation information sharing.

Co-financed by the Connecting Europe Facility of the European Union

1 https://www.misp-project.org/
2 https://www.circl.lu/
• During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
• We wanted to share information in an easy and automated way to avoid duplication of work.
• Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
• A first version of the MISP Platform was used by the MALWG and the increasing feedback of users helped us to build an improved platform.
• MISP is now a community-driven development.
3 of 22
Development based on practical user feedback
• There are many different types of users of an information sharing platform like MISP:
◦ Malware reversers willing to share indicators of analysis with respective colleagues.
◦ Security analysts searching, validating and using indicators in operational security.
◦ Intelligence analysts gathering information about specific adversary groups.
◦ Law-enforcement relying on indicators to support or bootstrap their DFIR cases.
◦ Risk analysis teams willing to know about the new threats, likelihood and occurrences.
◦ Fraud analysts willing to share financial indicators to detect financial frauds.
4 of 22
MISP model of governance
5 of 22
Many objectives from different user-groups
• Sharing indicators for a detection matter.
◦ 'Do I have infected systems in my infrastructure or the ones I operate?'
• Sharing indicators to block.
◦ 'I use these attributes to block, sinkhole or divert traffic.'
• Sharing indicators to perform intelligence.
◦ 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
• → These objectives can be conflicting (e.g. false positives have different impacts).
6 of 22
Sharing Difficulties
• Sharing difficulties are not really technical issues but often it's a matter of social interactions (e.g. trust).
• Legal restriction1
◦ "Our legal framework doesn't allow us to share information."
◦ "Risk of information-leak is too high and it's too risky for our organization or partners."
• Practical restriction
◦ "We don't have information to share."
◦ "We don't have time to process or contribute indicators."
◦ "Our model of classification doesn't fit your model."
◦ "Tools for sharing information are tied to a specific format, we use a
• MISP2 is free & open source threat information sharing software.
• MISP has a host of functionalities that assist users in creating, collaborating & sharing threat information - e.g. flexible sharing groups, automatic correlation, free-text import helper, event distribution & proposals.
• Many export formats which support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (e.g. CEF), host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ).
• A rich set of MISP modules3 to add expansion, import and export functionalities.
• Communities are groups of users sharing within a set of common objectives/values.
• CIRCL operates multiple MISP instances with a significant user base (more than 950 organizations with more than 2400 users).
• Trusted groups running MISP communities in island mode (air-gapped system) or partially connected mode.
• Financial sector (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
• Military and international organizations (NATO, military CSIRTs, n/g CERTs, ...).
• Security vendors running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
10 of 22
MISP core distributed sharing functionality
• MISP's core functionality is sharing, where everyone can be a consumer and/or a contributor/producer.
• Quick benefit without the obligation to contribute.
• Low barrier access to get acquainted with the system.
11 of 22
Events, Objects and Attributes in MISP
• MISP events are encapsulations for contextually linked information.
• MISP attributes4 initially started with a standard set of "cyber security" indicators.
• MISP attributes are purely based on usage (what people and organizations use daily).
• Evolution of MISP attributes is based on practical usage & users (e.g. the addition of financial indicators in 2.4).
• MISP objects are attribute compositions describing points of data using many facets, constructed along the lines of community and user defined templates.
• Galaxies granularly contextualise, classify & categorise data based on threat actors, preventive measures, tools used by adversaries.
4attributes can be anything that helps describe the intent of the event package, from indicators, vulnerabilities or any relevant information
12 of 22
Terminology about Indicators
• Indicators5
◦ Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity.
• Attributes in MISP can be network indicators (e.g. IP address), system indicators (e.g. a string in memory) or even bank account details.
◦ A type (e.g. MD5, url) is how an attribute is described.
◦ An attribute is always in a category (e.g. Payload delivery) which puts it in a context.
• A category is what describes an attribute.
◦ An IDS flag on an attribute makes it possible to determine if an attribute can be automatically used for detection.
5IoC (Indicator of Compromise) is a subset of indicators
13 of 22
Helping Contributors in MISP
• Contributors can use the UI, the API or the freetext import to add events and attributes.
◦ Modules exist in Viper (a binary analysis framework for malware reversers) to populate and use MISP from the vty or via your IDA.
• Contribution can be direct by creating an event, but users can also propose attribute updates to the event owner.
• Users should not be forced to use a single interface to contribute.
14 of 22
Example: Freetext import in MISP
15 of 22
Supporting Classification
• Tagging is a simple way to attach a classification to an event or an attribute.
• Classification must be globally used to be efficient.
• MISP includes a flexible tagging scheme where users can select from more than 42 existing taxonomies or create their own taxonomy.
16 of 22
Supporting Sharing in MISP
• Delegate event publication to another organization (introduced in MISP 2.4.18).
◦ The other organization can take over the ownership of an event and provide pseudo-anonymity to the initial organization.
• Sharing groups allow custom sharing (introduced in MISP 2.4) per event or even at attribute level.
◦ Sharing communities can be used locally or even across MISP instances.
◦ Sharing groups can be set at event level or attribute level (e.g. financial indicators shared to a financial sharing group and cyber security indicators to a CSIRT community).
17 of 22
Sightings support
• Sightings allow users to notify the community about the activities related to an indicator.
• In recent MISP versions, the sighting system supports negative sightings (FP) and expiration sightings.
• Sightings can be performed via the API and the UI, even including the import of STIX sighting documents.
• Many use-cases for scoring indicators based on users' sightings.
18 of 22
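One of the scoring use-cases mentioned on the sightings slide, as an added example (this is not MISP's own scoring code; the weights and states are a constructed policy for illustration). It uses MISP's three sighting type values (0 = sighting, 1 = false positive, 2 = expiration) and assumes each sighting record carries `type`, `date_sighting` (Unix epoch seconds) and the reporting `org`; the sample sightings are constructed.

```python
from collections import Counter

# MISP sighting type values: 0 = sighting, 1 = false positive, 2 = expiration
SIGHTING, FALSE_POSITIVE, EXPIRATION = 0, 1, 2
DAY = 86400


def score_attribute(sightings, now_ts, window_days=30, fp_weight=2):
    """Return (score, state, counts) for one attribute from its sighting list.

    Policy (constructed for this example, not MISP's own):
    - an expiration sighting dated at or before now_ts retires the indicator;
    - only sightings within the last window_days count;
    - each positive sighting adds 1, each distinct reporting org adds 1 more,
      each false-positive report subtracts fp_weight.
    """
    window_start = now_ts - window_days * DAY
    counts = Counter()
    orgs = set()
    for s in sightings:
        if s["type"] == EXPIRATION and s["date_sighting"] <= now_ts:
            return 0, "expired", dict(counts)
        if s["date_sighting"] < window_start:
            counts["out_of_window"] += 1
            continue
        if s["type"] == SIGHTING:
            counts["positive"] += 1
            orgs.add(s["org"])
        elif s["type"] == FALSE_POSITIVE:
            counts["false_positive"] += 1
    score = max(0, counts["positive"] + len(orgs) - fp_weight * counts["false_positive"])
    if counts["false_positive"] and score == 0:
        state = "disputed"      # FP reports outweigh confirmations: review before blocking
    elif score > 0:
        state = "active"
    else:
        state = "unsighted"     # nothing recent either way
    return score, state, dict(counts)


# Constructed sample data: a fixed "now" and four sighting histories
NOW = 1_700_000_000
HOT_SIGHTINGS = [
    {"type": SIGHTING, "date_sighting": NOW - 2 * DAY, "org": "org-A"},
    {"type": SIGHTING, "date_sighting": NOW - 1 * DAY, "org": "org-A"},
    {"type": SIGHTING, "date_sighting": NOW - 5 * DAY, "org": "org-B"},
]
DISPUTED_SIGHTINGS = [
    {"type": SIGHTING, "date_sighting": NOW - 3 * DAY, "org": "org-A"},
    {"type": FALSE_POSITIVE, "date_sighting": NOW - 2 * DAY, "org": "org-B"},
    {"type": FALSE_POSITIVE, "date_sighting": NOW - 1 * DAY, "org": "org-C"},
]
STALE_SIGHTINGS = [
    {"type": SIGHTING, "date_sighting": NOW - 60 * DAY, "org": "org-A"},
]
EXPIRED_SIGHTINGS = [
    {"type": SIGHTING, "date_sighting": NOW - 3 * DAY, "org": "org-A"},
    {"type": EXPIRATION, "date_sighting": NOW - 1 * DAY, "org": "org-A"},
]

if __name__ == "__main__":
    for name, hist in [("hot", HOT_SIGHTINGS), ("disputed", DISPUTED_SIGHTINGS),
                       ("stale", STALE_SIGHTINGS), ("expired", EXPIRED_SIGHTINGS)]:
        print(name, score_attribute(hist, NOW))
```

The point of the `disputed` state is that a false-positive sighting should stop an indicator from being auto-blocked even when it still has positive sightings, which is the failure mode the negative-sighting feature exists to catch.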
Improving Information Sharing in MISP
• False positives are a recurring challenge in information sharing.
• In MISP 2.4.39, we introduced the misp-warninglists6 to help analysts in their day-to-day job.
• Predefined lists of well-known indicators which are often false positives, like RFC1918 networks and public DNS resolvers, are included by default.
6https://github.com/MISP/misp-warninglists
19 of 22
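How a warninglist check works in practice, as an added example that is not the project's own code. The two lists below are constructed samples written in the shape of a misp-warninglists entry (`type`, `matching_attributes`, `list`), and the function matches `cidr`, `string`, `substring` and `regex` list types; the sample attributes are constructed too.

```python
import ipaddress
import json
import re

# Constructed lists in the shape of misp-warninglists entries (not the project's own
# files): "type" says how entries in "list" are matched, "matching_attributes"
# restricts which MISP attribute types the list applies to.
WARNINGLISTS = [json.loads(doc) for doc in ("""
{"name": "RFC1918 private ranges (constructed sample)", "version": 1, "type": "cidr",
 "matching_attributes": ["ip-src", "ip-dst", "domain|ip"],
 "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
""", """
{"name": "Public DNS resolvers (constructed sample)", "version": 1, "type": "string",
 "matching_attributes": ["ip-src", "ip-dst"],
 "list": ["8.8.8.8", "8.8.4.4", "1.1.1.1"]}
""")]


def _value_matches(warninglist, value):
    """Apply one list's matching rule to a single attribute value."""
    kind = warninglist["type"]
    entries = warninglist["list"]
    if kind == "cidr":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False            # not an IP at all, so no CIDR can contain it
        return any(addr in ipaddress.ip_network(net) for net in entries)
    if kind == "string":
        return value in entries
    if kind == "substring":
        return any(entry in value for entry in entries)
    if kind == "regex":
        return any(re.search(pattern, value) for pattern in entries)
    raise ValueError(f"unsupported warninglist type: {kind}")


def check_attribute(attribute, warninglists):
    """Names of every warninglist that a MISP attribute dict ({'type', 'value'}) hits."""
    hits = []
    for warninglist in warninglists:
        if attribute["type"] not in warninglist["matching_attributes"]:
            continue
        value = attribute["value"]
        if "|" in attribute["type"]:           # composite types such as domain|ip:
            value = value.split("|", 1)[1]     # test the part after the pipe
        if _value_matches(warninglist, value):
            hits.append(warninglist["name"])
    return hits


def triage(attributes, warninglists):
    """Split attributes into (likely false positive, clean) lists of (value, hits)."""
    flagged, clean = [], []
    for attribute in attributes:
        hits = check_attribute(attribute, warninglists)
        (flagged if hits else clean).append((attribute["value"], hits))
    return flagged, clean


# Constructed sample attributes as they would arrive from a freetext import
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "192.168.1.20"},
    {"type": "ip-dst", "value": "8.8.8.8"},
    {"type": "domain|ip", "value": "evil.example|10.1.2.3"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "ip-dst", "value": "203.0.113.5"},
]

if __name__ == "__main__":
    flagged, clean = triage(SAMPLE_ATTRIBUTES, WARNINGLISTS)
    print("flagged:", flagged)
    print("clean:", clean)
```

A hit does not mean the attribute is wrong, only that it is a poor detection candidate; the usual reaction is to keep it for context but clear its IDS flag rather than drop it.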
Improving support of sharing within and outside an organization
• Even in a single organization, multiple use-cases of MISP can appear (groups using it for dynamic malware analysis correlations, dispatching notifications).
• In MISP 2.4.51, we introduced the ability to have local MISP server connectivity to avoid changes in distribution level. This allows mixed synchronisation setups within and outside an organization.
• Feed support was also introduced to support synchronisation between untrusted and trusted networks.
20 of 22
Bootstrapping MISP with indicators
• We maintain the default CIRCL OSINT feeds (TLP:WHITE, selected from our communities) in MISP to ease users' bootstrapping.
• The format of the OSINT feed is based on the standard MISP JSON output, pulled from a remote TLS/HTTP server.
• Additional content providers can provide their own MISP feeds (https://botvrij.eu/).
• Allows users to test their MISP installations and synchronisation with a real dataset.
• Opening contribution to other threat intel feeds but also allowing the analysis of overlapping data7.
7A recurring challenge in information sharing
21 of 22
• The MISP project has a Contributor Covenant Code of Conduct1.
• The goal of the code of conduct is to foster an open, fun and welcoming environment.
• Another important aspect of the MISP project is to welcome different areas of expertise in information sharing and analysis. The diversity of the MISP community is important to make the project useful for everyone.
• The most common way to contribute to the MISP project is to report a bug or issue, or to suggest features.
• Each project (MISP core, misp-modules, misp-book, misp-taxonomies, misp-galaxy, misp-object or PyMISP) has its own issue management.
• Don't forget that you can cross-reference issues from other sub-projects.
• If you know an answer or could help on a specific issue, we welcome all contributions, including useful comments to reach a resolution.
Reporting security vulnerabilities
• If you find security vulnerabilities (even minor ones) in the MISP project, send an encrypted email ([email protected]) with the details and especially how to reproduce the issue. Avoid sharing the vulnerability publicly before a fix is available in MISP. PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5.
• We usually fix reported and confirmed security vulnerabilities in less than 48 hours.
• We will request a CVE number if the reporters didn't ask for one (don't forget to mention how you want to be credited).
Automatic integration and testing
• The majority of the repositories within the MISP GitHub organisation include automatic integration with TravisCI.
• If you contribute and make a pull-request, verify whether your changes affect the result of the tests.
• Automatic integration is not perfect, Travis included, but it's a quick win to catch new bugs or major issues in a contribution.
• When you make a pull-request, TravisCI is automatically called2.
◦ If this fails, no worries, review the output at Travis (it's not always you).
• We are working on additional automatic tests including unit testing for the MISP core software (contributors are welcome).
• All JSON formats (galaxy, taxonomies, objects or warning-lists) are described in a JSON Schema3.
• The TravisCI tests include JSON validation (via jq) and validation against the associated JSON schema.
• How to contribute to a JSON library (objects, taxonomies, galaxy or warning-list):
◦ If you update a JSON library, don't forget to run jq_all_the_things.sh. It's fast and easy. If it fails, review your JSON.
◦ Commit your code and make a pull-request.
• Documentation (in PDF and HTML format) for the libraries is automatically generated from the JSON via asciidoctor4.
• In addition to the automatic generation of documentation from JSON files, we maintain misp-book5, which is a generic documentation for MISP including usage, API documentation, best practices and specific configuration settings.
• The book is generated in HTML, PDF, epub and mobi using GitBook6, which is a framework to write documentation in MarkDown format.
• TravisCI is included in misp-book and the book generation is tested at each commit.
• The MISP book is regularly published on the misp-project.org and circl.lu websites.
• Contributors are welcome, especially for new topics7 and also for fixing our broken English.
5https://github.com/MISP/misp-book
6https://github.com/GitbookIO
7Topics of interest are analysts best-practices,
MISP core development crash course
How I learned to stop worrying and love the PHP
Team CIRCL
MISP Training @ Prague 20180917
1 of 17
Some things to know in advance...
• MISP is based on PHP 5.6+
• Using the MVC framework CakePHP 2.x
• What we'll look at now is a quick glance at the structuring / layout of the code
2 of 17
MVC frameworks in general
• separation of business logic and views, interconnected by controllers
• main advantage is clear separation of the various components
• lean controllers, fat models (kinda...)
• domain based code reuse
• No interaction between Model and Views, ever
3 of 17
Structure of MISP Core app directories
• Config: general configuration files
• Console: command line tools
• Controller: Code dealing with requests/responses, generating data for views based on interactions with the models
• Lib: Generic reusable code / libraries
• Model: Business logic, data gathering and modification
• Plugin: Alternative location for plugin-specific code, ordered into controller, model, view files
• View: UI views, populated by the controller
4 of 17
Controllers - scope
• Each public function in a controller is exposed as an API action
• request routing (admin routing)
• multi-use functions (POST/GET)
• request/response objects
• contains the action code, telling the application what data fetching/modifying calls to make, preparing the resulting data for the resulting view
• grouped into controller files based on model actions
• Accessed via UI, API, AJAX calls directly by users
• For code reuse: behaviours
• Each controller bound to a model
5 of 17
Controllers - functionalities of controllers
• pagination functionality
• logging functionality
• Controllers actions can access functionality / variables of Models
• Controllers cannot access code of other controller actions (kind of...)
• Access to the authenticated user’s data
• beforeFilter(), afterFilter() methods
• Inherited code in AppController
6 of 17
Controllers - components
• Components = reusable code for Controllers
◦ Authentication components
◦ RestResponse component
◦ ACL component
◦ Cidr component
◦ IOCImport component (should be moved)
7 of 17
Controllers - additional functionalities
• code handling API requests
• auth/session management
• ACL management
• API management
• Security component
• important: queryString/PyMISP versions, MISP version handler
• future improvements to the export mechanisms
8 of 17
Models - scope
• Controls anything that has to do with:
◦ finding subsets of data
◦ altering existing data
◦ inherited model: AppModel
◦ reusable code for models: Behaviours
◦ regex, trim
9 of 17
Models - hooking system
• Versatile hooking system
◦ manipulate the data at certain stages of execution
◦ code can be located in 3 places: Model hook, AppModel hook, behaviour
10 of 17
Model - hooking pipeline (add/edit)
• Hooks / model pipeline for data creation / edits
◦ beforeValidate() (lowercase all hashes)
◦ validate() (check hash format)
◦ afterValidate() (we never use it; could be interesting if we ever validated without saving)
◦ beforeSave() (purge existing correlations for an attribute)
◦ afterSave() (create new correlations for an attribute / zmq)
11 of 17
Models - hooking pipeline (delete/read)
• Hooks for deletions
◦ beforeDelete() (purge correlations for an attribute)
◦ afterDelete() (zmq)
• Hooks for retrieving data
◦ beforeFind() (modify the find parameters before execution, we don't use it)
◦ afterFind() (json decode json fields)
12 of 17
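The add/edit and delete pipelines on the two slides above are CakePHP callbacks in MISP's PHP code; the example below is an added Python model of the same hook order (it is not MISP's code), written so the effect of each hook on a small in-memory attribute table and correlation index can be observed. The hash formats, the `notifications` list standing in for the ZMQ publish calls, and the sample attributes are constructed.

```python
import re

# Hash types whose values the pipeline normalises and validates (a subset, for the example)
HASH_FORMATS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}


class ValidationError(ValueError):
    pass


class AttributeStore:
    """Toy attribute table plus correlation index, driven through the slide's hook order."""

    def __init__(self):
        self.attributes = {}      # attribute id -> stored dict
        self.correlations = {}    # value -> set of attribute ids sharing that value
        self.notifications = []   # stand-in for the ZMQ messages sent in afterSave/afterDelete

    # ---- hooks, named after the CakePHP callbacks on the slides ----
    def before_validate(self, attr):
        if attr["type"] in HASH_FORMATS:             # lowercase all hashes
            attr["value"] = attr["value"].strip().lower()

    def validate(self, attr):
        fmt = HASH_FORMATS.get(attr["type"])         # check hash format
        if fmt and not fmt.match(attr["value"]):
            raise ValidationError(f"{attr['type']} value has the wrong format: {attr['value']!r}")

    def before_save(self, attr):
        previous = self.attributes.get(attr["id"])   # edit case: purge the old correlations
        if previous:
            self._uncorrelate(previous)

    def after_save(self, attr):
        self.correlations.setdefault(attr["value"], set()).add(attr["id"])  # new correlations
        self.notifications.append(("attribute", "save", attr["id"]))

    def before_delete(self, attr):
        self._uncorrelate(attr)                       # purge correlations for the attribute

    def after_delete(self, attr):
        self.notifications.append(("attribute", "delete", attr["id"]))

    def _uncorrelate(self, attr):
        ids = self.correlations.get(attr["value"])
        if ids:
            ids.discard(attr["id"])
            if not ids:
                del self.correlations[attr["value"]]

    # ---- pipelines ----
    def save(self, attr):
        """Create or edit: beforeValidate -> validate -> beforeSave -> write -> afterSave."""
        attr = dict(attr)
        self.before_validate(attr)
        self.validate(attr)
        self.before_save(attr)
        self.attributes[attr["id"]] = attr
        self.after_save(attr)
        return attr

    def delete(self, attr_id):
        """Delete: beforeDelete -> remove row -> afterDelete."""
        attr = self.attributes[attr_id]
        self.before_delete(attr)
        del self.attributes[attr_id]
        self.after_delete(attr)

    def correlated_with(self, attr_id):
        """Ids of the other attributes that share this attribute's value."""
        value = self.attributes[attr_id]["value"]
        return sorted(self.correlations.get(value, set()) - {attr_id})


if __name__ == "__main__":
    store = AttributeStore()
    # constructed sample: the same MD5 entered in two different cases by two events
    store.save({"id": 1, "type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E"})
    store.save({"id": 2, "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"})
    print("correlated with 1:", store.correlated_with(1))
```

The reason the purge sits in `beforeSave` and the rebuild in `afterSave` is visible in the edit case: if the value of attribute 2 changes, its stale link to attribute 1 must go before the new value is indexed, otherwise the old correlation would survive the edit.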
Models - misc
• code to handle version upgrades contained in AppModel
• generic cleanup/data migration tools
• centralised redis/pubsub handlers
• (Show example of adding an attribute with trace)
• reusable code: helpers
◦ commandhelper (for discussion boards), highlighter for searches, tag colour helper
• views per controller
14 of 17
Views - Types of views and helpers
• ajax views vs normal views
• data views vs normal views vs serialisation in the controller
• sanitisation h()
• creating forms
◦ sanitisation
◦ CSRF
15 of 17
Distribution
• algorithm for checking if a user has access to an attribute
• creator vs owner organisation
• distribution levels and inheritance (events -> objects -> attributes)
• shorthand inherit level
• sharing groups (org list, instance list)
• correlation distribution
• algorithms for safe data fetching (fetchEvents(), fetchAttributes(), ...)
16 of 17
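An added example (not MISP's own PHP, and a simplified model of it) of the access algorithm the Distribution slide lists: MISP's distribution levels 0 to 5, inheritance resolved down the event -> object -> attribute chain, the owner organisation check, and sharing-group membership. It assumes that users of the owning `org_id` always see their own data, that levels 1 to 3 only differ for synchronisation to other instances and all grant local visibility, and that a site admin sees everything; `SHARING_GROUPS`, the event and the users are constructed sample data.

```python
# MISP distribution levels as stored in the "distribution" field
ORG_ONLY, THIS_COMMUNITY, CONNECTED_COMMUNITIES, ALL_COMMUNITIES, SHARING_GROUP, INHERIT = range(6)


def effective_distribution(chain):
    """Resolve INHERIT (5) along [event, object, attribute]: a node that inherits
    takes the level (and sharing group) of the nearest ancestor that does not."""
    level, sharing_group = None, None
    for node in chain:
        if node["distribution"] != INHERIT:
            level = node["distribution"]
            sharing_group = node.get("sharing_group_id")
    if level is None:
        raise ValueError("an event cannot inherit: nothing above it to inherit from")
    return level, sharing_group


def node_visible(user, owner_org, level, sharing_group, sharing_groups):
    """Does one resolved distribution level grant this local user access?"""
    if user.get("site_admin"):
        return True
    if user["org_id"] == owner_org:           # assumption: the owner org sees its own data
        return True
    if level == ORG_ONLY:
        return False
    if level in (THIS_COMMUNITY, CONNECTED_COMMUNITIES, ALL_COMMUNITIES):
        return True                           # 1-3 differ only for sync to other instances
    if level == SHARING_GROUP:
        return user["org_id"] in sharing_groups.get(sharing_group, set())
    raise ValueError(f"unknown distribution level {level}")


def can_access(user, event, obj, attribute, sharing_groups):
    """An attribute is visible only if every level on the path grants it:
    the event's, then the object's (if any), then the attribute's own (possibly inherited)."""
    owner_org = event["org_id"]               # org = owner; orgc (creator) is kept for attribution
    chain = [node for node in (event, obj, attribute) if node is not None]
    for depth in range(1, len(chain) + 1):
        level, sharing_group = effective_distribution(chain[:depth])
        if not node_visible(user, owner_org, level, sharing_group, sharing_groups):
            return False
    return True


# Constructed sample data
SHARING_GROUPS = {7: {"org-A", "org-B"}}      # sharing group id -> member org ids
EVENT = {"uuid": "ev-1", "org_id": "org-A", "orgc_id": "org-A", "distribution": THIS_COMMUNITY}
USER_A, USER_B, USER_C = ({"org_id": "org-A"}, {"org_id": "org-B"}, {"org_id": "org-C"})
ADMIN = {"org_id": "org-Z", "site_admin": True}

if __name__ == "__main__":
    attr = {"distribution": INHERIT}
    obj = {"distribution": SHARING_GROUP, "sharing_group_id": 7}
    for name, user in [("A", USER_A), ("B", USER_B), ("C", USER_C)]:
        print(name, can_access(user, EVENT, obj, attr, SHARING_GROUPS))
```

The check at every depth is what makes a permissive attribute level harmless inside a restricted event: level 3 on an attribute never widens access beyond what the event itself allows.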
Testing your code
• functional testing
• impact scope
◦ view code changes: only impact request-type based views
◦ controller code changes: should only affect the given action
◦ model code changes: can have an impact on the entire application
◦ lib changes: can have an effect on the entire application
• Don’t forget: queryACL, change querystring
17 of 17
Deep-dive into PyMISP
MISP - Malware Information Sharing Platform & Threat Sharing
Assuming you have the right to do it on the instance.
• Managing users
• Managing organisations
• Managing sync servers
7 of 22
Other Capabilities
• Upload/download samples
• Proposals: add, edit, accept, discard
• Sightings: Get, set, update
• Export statistics
• Manage feeds
• Get MISP server version, recommended PyMISP version
• And more, look at the api file
8 of 22
MISPEvent - Usecase
from pymisp import MISPEvent, EncodeUpdate
import json

# Create a new event with default values
event = MISPEvent()
# Load an existing JSON dump (optional)
event.load_file('Path/to/event.json')
event.info = 'My cool event'  # Duh.
# Add an attribute of type ip-dst
event.add_attribute('ip-dst', '8.8.8.8')
# Mark an attribute as deleted (From 2.4.60)
event.delete_attribute('<Attribute UUID>')
# Dump as json
event_as_json_dump = json.dumps(event, cls=EncodeUpdate)
9 of 22
Basics
• Python 3.5+ is recommended
• PyMISP is always in line with the current version (pip3 install pymisp)
• Dev version: pip3 install git+https://github.com/MISP/PyMISP.git
• Get your auth key from: https://misppriv.circl.lu/events/automation
◦ Not available: you don't have the "Auth key access" role. Contact your instance admin.
• Source available here: git clone https://github.com/MISP/PyMISP.git
• Usage:
◦ Create examples/keys.py with the following content

misp_url = "https://url-to-your-misp"
misp_key = "<API KEY>"
misp_verify_cert = True

• Proxy support:

proxies = {
    'http': 'http://127.0.0.1:8123',
    'https': 'http://127.0.0.1:8123',
}
PyMISP(misp_url, misp_key, misp_verify_cert, proxies=proxies)
11 of 22
Examples
• Lots of ideas on how to use the API
• You may also want to look at the tests directory
• All the examples use argparse. Help usage is available: script.py -h
◦ add_file_object.py: Attach a file (PE/ELF/Mach-O) object to an event
◦ upload.py: Upload a malware sample (uses advanced expansion if available on the server)
◦ last.py: Returns all the most recent events (on a timeframe)
◦ add_named_attribute.py: Add attribute to an event
◦ sighting.py: Update sightings on an attribute
◦ stats.py: Returns the stats of a MISP instance
◦ {add,edit,create}_user.py: Add, Edit, Create a user on MISP
12 of 22
Usage
• Basic example
from pymisp import PyMISP

api = PyMISP(url, api_key, verify_cert=True, debug=False, proxies=None)
response = api.<function>
if response['error']:
    # <something went wrong>
    pass
else:
    # <do something with the output>
    pass
13 of 22
Concept behind AbstractMISP
• JSON blobs are python dictionaries
• ... Accessing content can be a pain
• AbstractMISP inherits collections.MutableMapping: they are all dictionaries!
• ... Has helpers to load, dump, and edit JSON blobs
• Important: All the public attributes (not starting with a _) defined in a class are dumped to JSON
• Tags: Events and Attributes have tags, soon Objects. Tag handling is defined in this class.
• edited: When pushing a full MISPEvent, only the objects without a timestamp, or with a newer timestamp, will be updated. This method recursively finds updated objects and removes the timestamp key from them.
• edited, all other parameters of the MISPObject element (name, comment, ...)
• to_json()
• Can be validated against their template
• Can have default parameters applied to all attributes (i.e. distribution, category, ...)
17 of 22
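The AbstractMISP concept from the "Concept behind AbstractMISP" slide (public attributes are the JSON blob, loading is not an edit, `edited` is found recursively, and an edited object loses its `timestamp` so the server updates it), as an added example that models the idea in a small class rather than using PyMISP itself. `MISPLike`, its `_children` keys and the sample event are constructed for this illustration and are not the library's API.

```python
from collections.abc import MutableMapping
import json


class MISPLike(MutableMapping):
    """Toy model of PyMISP's AbstractMISP: the public attributes *are* the JSON blob."""
    _children = ("Attribute", "Object")   # keys holding lists of nested MISPLike objects

    def __init__(self):
        object.__setattr__(self, "_edited", False)

    @classmethod
    def from_dict(cls, data):
        """Load a blob (e.g. a server dump). Loading is not an edit, so timestamps survive."""
        obj = cls()
        for key, value in data.items():
            if key in cls._children:
                value = [cls.from_dict(child) for child in value]
            object.__setattr__(obj, key, value)      # bypass the edit-tracking setattr
        return obj

    def __setattr__(self, name, value):
        object.__setattr__(self, name, value)
        if not name.startswith("_") and name != "timestamp":
            object.__setattr__(self, "_edited", True)   # any public change marks it edited

    @property
    def edited(self):
        """True if this object or any nested child changed since it was loaded."""
        if self._edited:
            return True
        return any(child.edited for key in self._children for child in getattr(self, key, []))

    def to_dict(self):
        out = {}
        for key, value in vars(self).items():
            if key.startswith("_"):
                continue                              # private attributes are never dumped
            if key in self._children:
                value = [child.to_dict() for child in value]
            out[key] = value
        if self.edited:
            out.pop("timestamp", None)                # no timestamp => server updates this object
        return out

    def to_json(self):
        return json.dumps(self.to_dict(), sort_keys=True)

    # MutableMapping plumbing over the public attributes
    def __getitem__(self, key):
        if key.startswith("_") or key not in vars(self):
            raise KeyError(key)
        return vars(self)[key]

    def __setitem__(self, key, value):
        setattr(self, key, value)

    def __delitem__(self, key):
        delattr(self, key)

    def __iter__(self):
        return (key for key in vars(self) if not key.startswith("_"))

    def __len__(self):
        return sum(1 for _ in self)


# Constructed sample dump: an event with two attributes, all carrying timestamps
SAMPLE_DUMP = {
    "info": "constructed event", "timestamp": "1537142400",
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.10", "timestamp": "1537142400"},
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "timestamp": "1537142400"},
    ],
}


def edit_first_attribute(dump, new_value):
    """Load, change one attribute, and return the push-ready dict."""
    event = MISPLike.from_dict(dump)
    event.Attribute[0].value = new_value
    return event.to_dict()


if __name__ == "__main__":
    print(json.dumps(edit_first_attribute(SAMPLE_DUMP, "203.0.113.99"), indent=2))
```

Note what the push-ready dict looks like: the event and the edited attribute have lost their `timestamp`, while the untouched second attribute keeps its own, which is exactly the rule on the slide for which objects the server will update.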
MISPAttribute - Main entrypoints
• add_tag(tag=None, **kwargs)
• delete()
• malware_binary (if relevant)
• tags[]
• edited, all other parameters of the MISPObject element (value, comment, ...)
• to_json()
18 of 22
PyMISP - Tools
• Libraries requiring specific 3rd party dependencies
• Callable via PyMISP for specific use-cases
• Currently implemented:
◦ OpenIOC to MISP Event
◦ MISP to Neo4J
19 of 22
PyMISP - Default objects generators
• File - PE/ELF/MachO - Sections
• VirusTotal
• Generic object generator
20 of 22
PyMISP - Logging / Debugging
• debug=True passed to the constructor enables debug output to stdout
• Configurable using the standard logging module
• Shows everything sent to the server and received by the client

import pymisp
import logging

logger = logging.getLogger('pymisp')
logger.setLevel(logging.DEBUG)  # enable debug to stdout

logging.basicConfig(level=logging.DEBUG,  # Enable debug to file
                    filename="debug.log",
                    filemode='w',
                    format=pymisp.FORMAT)
21 of 22
Q&A
• https://github.com/MISP/PyMISP
• https://github.com/MISP/
• https://pymisp.readthedocs.io/
• We welcome new functionalities and pull requests.
• Exchange information via any transport (e.g. HTTP, TLS, USB keys)
• Preview events along with their attributes, objects
• Select and import events
• Correlate attributes using caching
MISP Feeds have the following advantages
• Feeds work without the need for MISP synchronisation (reducing attack surface and complexity to a static directory with the events)
• Feeds can be produced without a MISP instance (e.g. security devices, honeypot sensors)
2 of 11
Feed - Overview
• By default, MISP is bundled with ∼50 default feeds (MISP feeds, CSV or freetext feeds) which are not enabled by default and are described in a simple JSON file1.
• The feeds include the CIRCL OSINT feed but also feeds like abuse.ch, Tor exit nodes and many more2.
• Cache feed attributes for correlation (not imported but visible in MISP)
• Disable feed
• Explore remote events
• Fetch all events (imported in MISP as event)
• Edit the feed configuration (e.g. authentication, URL,...)
• Remove feed
• Download feed metadata (to share feed details)
4 of 11
Feed - Creation using PyMISP feed generator
feed_generator fetches events (matching some filtering) from a MISP instance and constructs the manifest (defined in MISP core format) needed to export data.
Particularly,
• Used to generate the CIRCL OSINT feed
• Export events as JSON based on tags, organisation, events, ...
• Automatically update the dumps and the metadata file
• Comparable to a lightweight TAXII interface
5 of 11
Feed generator - configuration file
url = 'your/misp/url'
key = 'YourAPIKey'
ssl = True
outputdir = 'output_directory'

filters = {
    'tag': 'tlp:white|feed-export|!privint',
    'org': 'CIRCL'
}
# the above would generate a feed for all events created by
# CIRCL, tagged tlp:white and/or feed-export but exclude
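The filtering and manifest-building that the feed generator slides describe, as an added example that is not PyMISP's feed_generator code. It implements the tag expression from the configuration above (`|` separates alternatives, a leading `!` excludes a tag) plus the `org` filter, and writes the feed layout assumed here: one `<uuid>.json` per event, a `manifest.json` mapping event uuid to metadata, and a `hashes.csv` of `md5(attribute value),event uuid` rows. The sample events, their uuids and the helper names are constructed.

```python
import hashlib
import json
import os
import tempfile


def parse_tag_filter(expr):
    """Split 'tlp:white|feed-export|!privint' into (include, exclude) tag sets."""
    include, exclude = set(), set()
    for token in expr.split("|"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            exclude.add(token[1:])
        else:
            include.add(token)
    return include, exclude


def select_events(events, tag_filter, org=None):
    """Keep events created by org (if given) carrying an include tag and no exclude tag."""
    include, exclude = parse_tag_filter(tag_filter)
    selected = []
    for event in events:
        tags = {tag["name"] for tag in event.get("Tag", [])}
        if org and event["Orgc"]["name"] != org:
            continue
        if tags & exclude:
            continue
        if include and not (tags & include):
            continue
        selected.append(event)
    return selected


MANIFEST_FIELDS = ("info", "date", "analysis", "threat_level_id", "timestamp", "Orgc", "Tag")


def write_feed(events, outputdir):
    """Write <uuid>.json per event plus manifest.json and hashes.csv (layout assumed here)."""
    manifest, hash_rows = {}, []
    for event in events:
        uuid = event["uuid"]
        with open(os.path.join(outputdir, f"{uuid}.json"), "w") as fh:
            json.dump({"Event": event}, fh)             # MISP JSON dumps wrap the event
        manifest[uuid] = {key: event[key] for key in MANIFEST_FIELDS if key in event}
        for attr in event.get("Attribute", []):          # consumers correlate on these rows
            digest = hashlib.md5(attr["value"].encode()).hexdigest()
            hash_rows.append(f"{digest},{uuid}")
    with open(os.path.join(outputdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(outputdir, "hashes.csv"), "w") as fh:
        fh.write("\n".join(hash_rows) + "\n")
    return manifest, hash_rows


def _event(uuid, org, tags, value):
    """Build one constructed sample event in MISP's event shape."""
    return {"uuid": uuid, "info": f"sample {uuid}", "date": "2018-09-17", "analysis": "2",
            "threat_level_id": "3", "timestamp": "1537142400",
            "Orgc": {"name": org, "uuid": f"org-{org.lower()}"},
            "Tag": [{"name": tag} for tag in tags],
            "Attribute": [{"type": "ip-dst", "value": value}]}


SAMPLE_EVENTS = [
    _event("uuid-a", "CIRCL", ["tlp:white"], "203.0.113.10"),
    _event("uuid-b", "CIRCL", ["tlp:white", "privint"], "203.0.113.11"),   # excluded: privint
    _event("uuid-c", "OtherOrg", ["tlp:white"], "203.0.113.12"),           # excluded: org
    _event("uuid-d", "CIRCL", ["feed-export"], "203.0.113.13"),
    _event("uuid-e", "CIRCL", [], "203.0.113.14"),                         # excluded: no tag
]


def generate_sample_feed(filters=None):
    """Run the whole pipeline into a temporary directory and report what was produced."""
    filters = filters or {"tag": "tlp:white|feed-export|!privint", "org": "CIRCL"}
    outputdir = tempfile.mkdtemp(prefix="misp-feed-")
    selected = select_events(SAMPLE_EVENTS, filters["tag"], filters.get("org"))
    manifest, hash_rows = write_feed(selected, outputdir)
    return {"outputdir": outputdir, "uuids": [event["uuid"] for event in selected],
            "manifest": manifest, "hash_rows": hash_rows, "files": sorted(os.listdir(outputdir))}


if __name__ == "__main__":
    result = generate_sample_feed()
    print(result["outputdir"], result["files"], result["uuids"])
```

The exclusion tag is checked before the inclusion tags on purpose: an event tagged both `tlp:white` and `privint` must never reach a public feed, so the negative rule wins regardless of ordering in the expression.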
MISP workshop
Introduction into Information Sharing using MISP for CSIRTs
Team CIRCL
TLP:WHITE
MISP Training @ Prague 20180917
Plan for this session
• Explanation of the CSIRT use case for information sharing and what CIRCL does
• Building an information sharing community and best practices
2 / 34
Communities operated by CIRCL
• As a CSIRT, CIRCL operates a wide range of communities
• We use it as an internal tool to cover various day-to-day activities
• Whilst being the main driving force behind the development, we're also one of the largest consumers
• Different communities have different needs and restrictions
3 / 34
Communities operated by CIRCL
• Private sector community
◦ Our largest sharing community
◦ Over 900 organisations
◦ 2000 users
◦ Functions as a central hub for a lot of sharing communities
◦ Private organisations, researchers, various SOCs, some CSIRTs, etc.
• CSIRT community
◦ Tighter community
◦ National CSIRTs, connections to international organisations, etc.
4 / 34
Communities operated by CIRCL
• Financial sector community
◦ Banks, payment processors, etc.
◦ Sharing of mule accounts and non-cyber threat information
• X-ISAC
◦ Bridging the gap between the various sectorial and geographical ISACs
◦ New, but ambitious initiative
◦ Goal is to bootstrap the cross-sectorial sharing along with building the infrastructure to enable sharing when needed
5 / 34
Communities operated by CIRCL
• Coming up - the ATT&CK EU community
◦ Work on attacker modelling
◦ With the assistance of Mitre themselves
◦ Unique opportunity to standardise on TTPs
◦ Looking for organisations that want to get involved!
6 / 34
Communities supported by CIRCL
• FIRST.org’s MISP community
• Telecom and Mobile operators’ community
• Various ad-hoc communities, for exercises for example
◦ Most recently for the ENISA exercise a few weeks ago
7 / 34
Sharing Scenarios in MISP
• Sharing can happen for many different reasons. Let's see what we believe are the typical CSIRT scenarios
• We can generally split these activities into 4 main groups when we're talking about traditional CSIRT tasks:
◦ Core services
◦ Proactive services
◦ Advanced services
◦ Sharing communities managed by CSIRTs for various tasks
8 / 34
CSIRT core services
• Incident response
◦ Internal storage of incident response data
◦ Sharing of indicators derived from incident response
◦ Correlating derived data and using the built-in analysis tools
◦ Enrichment services
◦ Collaboration with affected parties via MISP during IR
◦ Co-ordination and collaboration
◦ Takedown requests
• Alerting of information leaks (integration with AIL1)
• Collection and dissemination of data from various sources (including OSINT)
• Storing, correlating and sharing own manual research (reversing, behavioural analysis)
• Aggregating automated collection (sandboxing, honeypots, spamtraps, sensors)
◦ MISP allows for the creation of internal MISP "clouds"
◦ Store large specialised datasets (for example honeypot data)
◦ MISP has interactions with a large set of such tools (Cuckoo, Mail2MISP, etc.)
• Situational awareness tools to monitor trends and adversary TTPs within my sector/geographical region (MISP-dashboard, built-in statistics)
10 / 34
CSIRT proactive services - MISP dashboard
11 / 34
CSIRT proactive services - MISP dashboard
12 / 34
CSIRT advanced services
• Supporting forensic analysts
• Collaboration with law enforcement
• Vulnerability information sharing
◦ Notifications to the constituency about relevant vulnerabilities
◦ Co-ordinating with vendors for notifications (*)
◦ Internal / closed community sharing of pentest results
◦ We're planning on starting a series of hackathons to find
13 / 34
CSIRTs' management of sharing communities for constituent actions:
• Reporting non-identifying information about incidents (such as outlined in NISD)
• Seeking and engaging in collaboration with CSIRT or other parties during an incident
• Pre-sharing information to request help / additional information from the community
• Pseudo-anonymised sharing through 3rd parties to avoid attribution of a potential target
• Building processes for other types of sharing to get the community engaged and acquainted with the methodologies of sharing (mule account information, border control, etc.)
14 / 34
A quick note on compliance...
• Collaboration with Deloitte as part of a CEF project for creating compliance documents
◦ Information sharing and cooperation enabled by GDPR
◦ How MISP enables stakeholders identified by the NISD to perform key activities
◦ AIL and MISP
• For more information: https://github.com/CIRCL/compliance
15 / 34
Bringing different sharing communities together
• We generally all end up sharing with peers that face similar threats
• Division is either sectorial or geographical
• So why even bother with trying to bridge these communities?
16 / 34
Advantages of cross sectorial sharing
• Reuse of TTPs across sectors
• Being hit by something that another sector has faced before
• Hybrid threats - how seemingly unrelated things may be interesting to correlate
• Prepare other communities for the capability and culture of sharing for when the need arises for them to reach out to CSIRT
• Generally our field is ahead of several other sectors when it comes to information sharing, might as well spread the love
17 / 34
Getting started with building your own sharingcommunity
• Starting a sharing community is both easy and difficult at the same time
• Many moving parts and most importantly, you'll be dealing with a diverse group of people
• Understanding and working with your constituents to help them face their challenges is key
18 / 34
Getting started with building your own sharingcommunity
• When you are starting out, you are in a unique position to drive the community and set best practices...
19 / 34
Running a sharing community using MISP - How to get going?
• Different models for constituents
◦ Connecting to a MISP instance hosted by a CSIRT
◦ Hosting their own instance and connecting to CSIRT's MISP
◦ Becoming member of a sectorial MISP community that is connected to CSIRT's community
• Planning ahead for future growth
◦ Estimating requirements
◦ Deciding early on common vocabularies
◦ Offering services through MISP
20 / 34
Rely on our instincts to imitate over expecting adherence to rules
• Lead by example - the power of imitation
• Encourage improving by doing instead of blocking sharing with unrealistic quality controls
◦ What should the information look like?
◦ How should it be contextualised?
◦ What do you consider as useful information?
◦ What tools did you use to get your conclusions?
• Side effect is that you will end up raising the capabilities of your constituents
21 / 34
What counts as valuable data?
• Sharing comes in many shapes and sizes
◦ Sharing results / reports is the classical example
◦ Sharing enhancements to existing data
◦ Validating data / flagging false positives
◦ Asking for support from the community
• Embrace all of them. Even the ones that don’t do either, you’ll never know when they change their minds...
22 / 34
How to deal with organisations that only "leech"?
• From our own communities, only about 30% of the organisations actively share data
• We have come across some communities with sharing requirements
• In our experience, this sets you up for failure because:
◦ Organisations will lose protection who would possibly benefit the most from it
◦ Organisations that want to stay above the thresholds will start sharing junk / fake data
◦ You lose organisations that might turn into valuable contributors in the future
23 / 34
So how does one convert the passive organisations into actively sharing ones?
• Rely on organic growth
• Help them increase their capabilities
• As mentioned before, lead by example
• Rely on the inherent value to one’s self when sharing information (validation, enrichments, correlations)
• Give credit where credit is due, never steal the accolades of your community (that is incredibly demotivating)
24 / 34
Dispelling the myths around blockers when it comes to information sharing
• Sharing difficulties are not really technical issues but often it’s a matter of social interactions (e.g. trust).
◦ You can play a role here: organise regular workshops, conferences, have face to face meetings
• Legal restrictions
◦ "Our legal framework doesn’t allow us to share information."
◦ "Risk of information leak is too high and it’s too risky for our organization or partners."
• Practical restrictions
◦ "We don’t have information to share."
◦ "We don’t have time to process or contribute indicators."
◦ "Our model of classification doesn’t fit your model."
◦ "Tools for sharing information are tied to a specific format, we use a different one."
25 / 34
Contextualising the information
• Sharing technical information is a great start
• However, to truly create valuable information for your community, always consider the context:
◦ Your IDS might not care why it should alert on a rule
◦ But your analysts will be interested in the threat landscape and the "big picture"
• Classify data to make sure your partners understand why it is important for them
• Massively important once an organisation has the maturity to filter the most critical subsets of information for their own defense
26 / 34
Choice of vocabularies
• MISP has a very versatile system (taxonomies) for classifying and marking data
• However, this includes different vocabularies with obvious overlaps
• MISP allows you to pick and choose vocabularies to use and enforce in a community
• Good idea to start with this process early
• If you don’t find what you’re looking for:
◦ Create your own (JSON format, no coding skills required)
◦ If it makes sense, share it with us via a pull request for redistribution
27 / 34
Shared libraries of meta-information (Galaxies)
• The MISP Project in co-operation with partners provides a curated list of galaxy information
• Can include information packages of different types, for example:
◦ Threat actor information
◦ Specialised information such as Ransomware, Exploit kits, etc
◦ Methodology information such as preventative actions
◦ Classification systems for methodologies used by adversaries - ATT&CK
• Consider improving the default libraries or contributing your own (simple JSON format)
• If there is something you cannot share, run your own galaxies and share it out of band with partners
• Pull requests are always welcome
28 / 34
False-positive handling
• You might often fall into the trap of discarding seemingly "junk" data
• Besides volume limitations (which are absolutely valid), fear of false-positives is the most common reason why people discard data. Our recommendation:
◦ Be lenient when considering what to keep
◦ Be strict when you are feeding tools
• MISP allows you to filter out the relevant data on demand when feeding protective tools
• What may seem like junk to you may be absolutely critical to other users
29 / 34
Many objectives from different user-groups
• Sharing indicators for a detection matter.
◦ ’Do I have infected systems in my infrastructure or the ones I operate?’
• Sharing indicators to block.
◦ ’I use these attributes to block, sinkhole or divert traffic.’
• Sharing indicators to perform intelligence.
◦ ’Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?’
• → These objectives can be conflicting (e.g. false-positives have different impacts)
30 / 34
False-positive handling
• Analysts will often be interested in the modus operandi of threat actors over long periods of time
• Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
• Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
31 / 34
Managing sub-communities
• Often within a community smaller bubbles of information sharing will form
• For example: Within a national private sector sharing community, a specific community for financial institutions
• Sharing groups serve this purpose mainly
• As a CSIRT running a national community, consider bootstrapping these sharing communities
• Organisations can of course self-organise, but you are the ones with the know-how to get them started
32 / 34
Managing sub-communities
• Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
• Use your best judgement to decide which communities should be separated from one another
• Create sharing hubs with manual data transfer
• Some organisations will even have their data air-gapped - Feed system
• Create guidance on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
33 / 34
Get in touch if you need some help to get started
• Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions!
MISP - Creating and populating events in various ways (demo)
• The main tools to populate an event
◦ Adding attributes / batch add
◦ Adding objects and how the object templates work
◦ Freetext import
◦ Import
◦ Templates
◦ Adding attachments / screenshots
◦ API
14 of 22
MISP - Various features while adding data
• What happens automatically when adding data?
◦ Automatic correlation
◦ Input modification via validation and filters (regex)
◦ Tagging / Galaxy Clusters
• Various ways to publish data
◦ Publish with/without e-mail
◦ Publishing via the API
◦ Delegation
15 of 22
MISP - Using the data
• Correlation graphs
• Downloading the data in various formats
• Cached exports
• API (explained later)
• Collaborating with users (proposals, discussions, emails)
16 of 22
MISP - Sync explained (if no admin training)
• Sync connections
• Pull/push model
• Previewing instances
• Filtering the sync
• Connection test tool
• Cherry pick mode
17 of 22
MISP - Feeds explained (if no admin training)
• Feed types (MISP, Freetext, CSV)
• Adding/editing feeds
• Previewing feeds
• Local vs Network feeds
18 of 22
MISP - Distributions explained
• Your Organisation Only
• This Community Only
• Connected Communities
• All Communities
• Sharing Group
19 of 22
MISP - Distribution and Topology
20 of 22
MISP - Exports and API
• Download an event
• Quick glance at the APIs
• Download search results
• Cached exports
21 of 22
MISP - Shorthand admin (if no admin training)
• Settings
• Troubleshooting
• Workers
• Logs
22 of 22
Viper - Using MISP from your terminal
MISP - Malware Information Sharing Platform & Threat Sharing
Viper is a binary analysis and management framework. Its fundamental objective is to provide a solution to easily organize your collection of malware and exploit samples as well as your collection of scripts you created or found over the time to facilitate your daily research. Think of it as a Metasploit for malware researchers: it provides a terminal interface that you can use to store, search and analyze arbitrary files with and a framework to easily create plugins of any sort.
2 of 13
Viper
• Solid CLI
• Plenty of modules (PE files, *office, ELF, APK, ...)
• Connection to 3rd party services (MISP, VirusTotal, cuckoo)
• Connectors to 3rd party tools (IDA, radare)
• Local storage of your own zoo
• Django interface is available (I’ve been told)
3 of 13
Viper
4 of 13
PyMISP & Viper
• Full featured CLI for MISP
• Remote storage of your zoo
• Search / Cross check with VirusTotal
• Create / Update / Show / Publish Event
• Download / Upload Samples
• Mass export / Upload / Download
• Get Yara rules
5 of 13
MISP Module
6 of 13
Viper & VT
• Searches for hashes/ips/domains/URLs from the current MISP event, or download the samples
• Download samples from current MISP event
• Download all samples from all the MISP events of the current session
7 of 13
VirusTotal Module
8 of 13
Extra features
• Link to a MISP event
• Local storage of the MISP event
• On the fly cross-check of MISP attributes with 3rd party services
• Never leaving your CLI!
9 of 13
Other modules
• Fully featured CLI for Passive SSL
• Fully featured CLI for Passive DNS
• Can launch Radare2 or IDA
10 of 13
Passive SSL
11 of 13
Passive DNS
12 of 13
Q&A
• https://github.com/MISP/PyMISP
• https://github.com/MISP/
• https://github.com/viper-framework/viper
• We welcome new functionalities and pull requests.
• Provisioning your MISP infrastructure depends heavily on the number of attributes/events (whether your dataset is below or above 50 million attributes).
• Number of MISP instances and the overall design depends on the following factors:
◦ Is your community private? Are you gathering MISP events from other communities? Are you publishing events to external (trusted/untrusted) communities?
◦ Do you plan to have automatic tools (e.g. sandbox analysis or low-value information needing correlation or an analyst workbench) feeding MISP?
3 / 12
Vendors and Formats
• There is a jungle of formats with some vendors having little to no interest in keeping their users autonomous.
• Attacks and threats require a dynamic format to be efficiently shared (e.g. from financial indicators to personal information).
• Review your current list of formats/vendors to ensure a limited loss of information, especially when exporting from MISP to other formats (e.g. STIX not supporting financial indicators or taxonomies/galaxies).
4 / 12
Use case: Normalizing OSINT and Private Feeds
• Normalizing external input and feed into MISP (e.g. feed importer).
• Comparing feeds before import (how many similarities? false-positives?).
• Evaluating quality of information before import (warning-list lookup at feed evaluation).
5 / 12
Connecting Devices and Tools to MISP
• One of the main goals of MISP is to feed protective or detection tools with data
◦ IDSes / IPSes (e.g. Suricata, Bro, Snort format as included in Cisco products)
◦ SIEMs (e.g. CEF, CSV or real-time ZMQ pub-sub or Sigma)
◦ Host scanners (e.g. OpenIOC, STIX, yara rule-set, CSV)
◦ Various analysis tools (e.g. Maltego)
◦ DNS policies (e.g. RPZ)
• Various ways of exporting this data (downloads of the selected data, full exports, APIs)
• The idea was to leave the selection process of the subset of data to be pushed to these up to the user using APIs.
6 / 12
SIEM and MISP Integration
• SIEMs and MISP can be integrated with different techniques depending on the processes at your SOC or IR:
◦ Pulling events (via the API) or indicator lists at regular intervals in a given time frame to perform lookups.
◦ Subscribing to the MISP ZMQ pub-sub channel to directly get the published events and use these in a lookup process.
◦ Lookup expansion module in MISP towards the SIEM to have a direct view of the attributes matched against the SIEM.
• The above options can be combined, depending on your organisation or requirements to increase coverage and detection.
7 / 12
ZMQ integration: misp-dashboard
• A dashboard showing live data and statistics from the ZMQ pub-sub of one or more MISP instances.
• Building low-latency software by consuming the pub-sub channel provides significant advantages over standard API use.
• Process information in real-time when it’s updated, created, published or gathered in MISP.
• Demo!
8 / 12
New integrations: IR and threat hunting using MISP
• Close co-operation with the Hive project for IR
◦ Interact with MISP directly from the Hive
◦ Use both the MISP modules and the Cortex analysers in MISP or the Hive directly
• Using MISP to support your threat hunting via McAfee OpenDXL
• Plan for this part of the training
◦ User and Organisation administration
◦ Sharing group creation
◦ Templates
◦ Tags and Taxonomy
◦ Whitelisting and Regexp entries
◦ Setting up the synchronisation
◦ Scheduled tasks
◦ Feeds
◦ Settings and diagnostics
◦ Logging
◦ Troubleshooting and updating
• Workers
◦ What do the background workers do?
◦ Queues
◦ Restarting workers, adding workers, removing workers
◦ Worker diagnostics (queue size, jobs page)
◦ Clearing worker queues
◦ Worker and background job debugging
18 of 22
MISP - Settings and diagnostics continued
• Seeking help
◦ Dump your settings to a file!
◦ Make sure to sanitise it
◦ Send it to us together with your issue to make our lives easier
◦ Ask Github (https://github.com/MISP/MISP)
◦ Have a chat with us on gitter (https://gitter.im/MISP/MISP)
◦ Ask the MISP mailing list
◦ If this is security related, drop us a PGP encrypted email to mailto:[email protected]
• Reset the permissions if it goes wrong according to the INSTALL.txt
• When MISP complains about missing fields, make sure to clear the caches
◦ in /var/www/MISP/app/tmp/cache/models remove myapp*
◦ in /var/www/MISP/app/tmp/cache/persistent remove myapp*
• No additional action required on hotfix level
• Read the migration guide for major and minor version changes
21 of 22
MISP - Administrative tools
• Upgrade scripts for minor / major versions
• Maintenance scripts
22 of 22
Information Sharing and Taxonomies
Practical Classification of Threat Indicators using MISP
• Tagging is a simple way to attach a classification to an event or an attribute.
• In the early version of MISP, tagging was local to an instance.
• Classification must be globally used to be efficient.
• After evaluating different solutions of classification, we built a new scheme using the concept of machine tags.
2 of 17
Machine Tags
• Triple tag or machine tag was introduced in 2004 to extend geotagging on images.
• A machine tag is just a tag expressed in a way that allows systems to parse and interpret it.
• CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
• eCSIRT and IntelMQ incident classification
• EUCI EU classified information marking
• Information Security Marking Metadata from DNI (Director of National Intelligence - US)
• NATO Classification Marking
• OSINT Open Source Intelligence - Classification
• TLP - Traffic Light Protocol
• Vocabulary for Event Recording and Incident Sharing - VERIS
• and many more like ENISA, Europol, or the draft FIRST SIG Information Exchange Policy.
5 of 17
Want to write your own taxonomy? 1/2
{
  "namespace": "admiralty-scale",
  "description": "The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.",
  "version": 1,
  "predicates": [
    {
      "value": "source-reliability",
      "expanded": "Source Reliability"
    },
    {
      "value": "information-credibility",
      "expanded": "Information Credibility"
    }
  ],
  ....
6 of 17
Want to write your own taxonomy? 2/2
{
  "values": [
    {
      "predicate": "source-reliability",
      "entry": [
        {
          "value": "a",
          "expanded": "Completely reliable"
        },
  ....
• Publishing your taxonomy is as easy as a simple git pull request on misp-taxonomies.
• MISP administrators can just import (or even cherry pick) the namespace or predicates they want to use as tags.
• Tags can be exported to other instances.
• Tags are also accessible via the MISP REST API.
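As an added example (my own code, not part of the slides or of misp-taxonomies), the script below turns a taxonomy in the JSON layout shown above into the machine tags MISP derives from it, parses such tags back into their namespace, predicate and value, and checks whether a tag belongs to a vocabulary a community has chosen to enforce. Both taxonomies it loads are constructed, shortened samples; the predicate-only case (tlp:amber, a taxonomy without a "values" section) is handled as well.

```python
import json
import re

# Constructed, shortened sample in the misp-taxonomies layout (not the real file).
ADMIRALTY = json.loads("""
{
  "namespace": "admiralty-scale",
  "description": "Sample: rank the reliability of a source and the credibility of information.",
  "version": 1,
  "predicates": [
    {"value": "source-reliability", "expanded": "Source Reliability"},
    {"value": "information-credibility", "expanded": "Information Credibility"}
  ],
  "values": [
    {"predicate": "source-reliability", "entry": [
      {"value": "a", "expanded": "Completely reliable"},
      {"value": "b", "expanded": "Usually reliable"}]},
    {"predicate": "information-credibility", "entry": [
      {"value": "1", "expanded": "Confirmed by other sources"},
      {"value": "2", "expanded": "Probably true"}]}
  ]
}
""")

# Constructed predicate-only taxonomy: the predicates themselves are the tags.
TLP = json.loads("""
{
  "namespace": "tlp",
  "description": "Sample Traffic Light Protocol",
  "version": 1,
  "predicates": [
    {"value": "red", "expanded": "Red"},
    {"value": "amber", "expanded": "Amber"}
  ]
}
""")

# namespace:predicate="value"   or   namespace:predicate
MACHINE_TAG_RE = re.compile(r'^([^:="\s]+):([^:="\s]+)(?:="([^"]*)")?$')


def machine_tags(taxonomy, expanded=False):
    """Every tag a taxonomy defines, in MISP's machine-tag syntax.

    expanded=True substitutes the human-readable value labels, the same idea
    as machinetags_expanded() in PyTaxonomies.
    """
    ns = taxonomy['namespace']
    entries = {v['predicate']: v['entry'] for v in taxonomy.get('values', [])}
    tags = []
    for predicate in taxonomy['predicates']:
        pred = predicate['value']
        if pred not in entries:
            tags.append('%s:%s' % (ns, pred))          # predicate-only tag
            continue
        for entry in entries[pred]:
            value = entry['expanded'] if expanded else entry['value']
            tags.append('%s:%s="%s"' % (ns, pred, value))
    return tags


def parse_machine_tag(tag):
    """(namespace, predicate, value) for a tag, value None for tlp:amber-style tags."""
    m = MACHINE_TAG_RE.match(tag)
    return m.groups() if m else None


def is_declared(tag, taxonomies):
    """True when the tag exists in one of the enforced vocabularies."""
    parsed = parse_machine_tag(tag)
    if parsed is None:
        return False
    for tax in taxonomies:
        if tax['namespace'] == parsed[0] and tag in machine_tags(tax):
            return True
    return False
```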
8 of 17
Filtering the distribution of events among MISP instances
• Applying rules for distribution based on tags:
9 of 17
Other use cases using MISP taxonomies
• Tags can be used to set events or attributes for further processing by external tools (e.g. VirusTotal auto-expansion using Viper).
• Ensuring a classification manager classifies the events before release (e.g. release of information from air-gapped/classified networks).
• Enriching IDS export with tags to fit your NIDS deployment.
• Using IntelMQ and MISP together to process events (tags limited per organization introduced in MISP 2.4.49).
10 of 17
Future functionalities related to MISP taxonomies
• Sighting support (thanks to NCSC-NL) is integrated in MISP, allowing IOCs to auto-expire based on user detection.
• Adjusting taxonomies (adding/removing tags) based on their score or visibility via sighting.
• Simple taxonomy editors to help non-technical users to create their taxonomies.
• Filtering mechanisms in MISP to rename or replace taxonomies/tags at pull and push synchronisation.
• More public taxonomies to be included.
11 of 17
PyTaxonomies
• Python module to handle the taxonomies
• Offline and online mode (fetch the newest taxonomies from GitHub)
• Simple search to make tagging easy
• Totally independent from MISP
• No external dependencies in offline mode
• Python3 only
• Can be used to create & dump a new taxonomy
12 of 17
PyTaxonomies
from pytaxonomies import Taxonomies
taxonomies = Taxonomies()
taxonomies.version
# => '20160725'
taxonomies.description
# => 'Manifest file of MISP taxonomies available.'
list(taxonomies.keys())
# => ['tlp', 'eu-critical-sectors', 'de-vs', 'osint', 'circl', 'veris',
#     'ecsirt', 'dhs-ciip-sectors', 'fr-classif', 'misp', 'admiralty-scale', ....]
taxonomies.get('enisa').description
# 'The present threat taxonomy is an initial version that has been developed on
#  the basis of available ENISA material. This material has been used as an ENISA-internal
#  structuring aid for information collection and threat consolidation purposes.
#  It emerged in the time period 2012-2015.'
print(taxonomies.get('circl'))
# circl:incident-classification="vulnerability"
# circl:incident-classification="malware"
# circl:incident-classification="fastflux"
# circl:incident-classification="system-compromise"
# circl:incident-classification="sql-injection"
# ....
print(taxonomies.get('circl').machinetags_expanded())
# circl:incident-classification="Phishing"
# circl:incident-classification="Malware"
# circl:incident-classification="XSS"
# circl:incident-classification="Copyright issue"
# circl:incident-classification="Spam"
# circl:incident-classification="SQL Injection"
13 of 17
The dilemma of false-positive
• False-positive is a common issue in threat intelligence sharing.
• It’s often a contextual issue:
◦ false-positives might be different per community of users sharing information.
◦ organizations might have their own view on false-positives.
• Based on the success of the MISP taxonomy model, we built misp-warninglists.
14 of 17
MISP warning lists
• misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes.
• Simple JSON files
{
  "name": "List of known public DNS resolvers",
  "version": 2,
  "description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
  "matching_attributes": [
    "ip-src",
    "ip-dst"
  ],
  "list": [
• The warning lists are integrated in MISP to display an info/warning box at the event and attribute level.
• Enforceable via the API where all attributes that have a hit on a warninglist will be excluded.
• This can be enabled at MISP instance level.
• Default warning lists can be enabled or disabled like known public resolvers, multicast IP addresses, hashes for empty values, rfc1918, TLDs or known google domains.
• The warning lists can be expanded or added in JSON locally or via pull requests.
• Warning lists can be also used for critical or core infrastructure warning, personally identifiable information...
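An added example, my own code rather than anything from MISP or misp-warninglists: it loads two constructed lists in the JSON layout shown above and applies them the way the enforced API export does, dropping every to_ids attribute whose type is in matching_attributes and whose value hits a list, while keeping the hits so an analyst can still see why something was excluded. Treating entries with a slash as CIDR networks is my assumption about how range-based lists are expressed.

```python
import ipaddress
import json

# Constructed warninglist in the layout from the slides (a few entries only,
# not the real "List of known public DNS resolvers" file).
PUBLIC_RESOLVERS = json.loads("""
{
  "name": "List of known public DNS resolvers",
  "version": 2,
  "description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
  "matching_attributes": ["ip-src", "ip-dst"],
  "list": ["8.8.8.8", "8.8.4.4", "1.1.1.1"]
}
""")

# Constructed list with network entries (assumption: ranges are written as CIDR).
RFC1918 = json.loads("""
{
  "name": "RFC1918 private ranges (sample)",
  "version": 1,
  "description": "Event contains private address space",
  "matching_attributes": ["ip-src", "ip-dst"],
  "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}
""")

# Constructed event attributes, in the fields that matter here.
SAMPLE_ATTRIBUTES = [
    {'type': 'ip-dst', 'value': '8.8.8.8', 'to_ids': True},       # public resolver
    {'type': 'ip-dst', 'value': '192.168.10.5', 'to_ids': True},  # private range
    {'type': 'ip-dst', 'value': '203.0.113.7', 'to_ids': True},   # no hit, keep
    {'type': 'text', 'value': '8.8.8.8', 'to_ids': True},         # type not covered by the list
    {'type': 'ip-src', 'value': '1.1.1.1', 'to_ids': False},      # never exported to IDS anyway
]


def _entry_matches(entry, value):
    """Exact match, or containment when the entry is a CIDR network."""
    if entry == value:
        return True
    if '/' in entry:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False)
        except ValueError:           # value is not an IP address at all
            return False
    return False


def warninglist_hits(attribute, warninglists):
    """Names of the warninglists the attribute hits, honouring matching_attributes."""
    hits = []
    for wl in warninglists:
        if attribute['type'] not in wl['matching_attributes']:
            continue
        if any(_entry_matches(e, attribute['value']) for e in wl['list']):
            hits.append(wl['name'])
    return hits


def filter_for_ids(attributes, warninglists):
    """Enforce the warninglists on an IDS export.

    Returns (kept, flagged): to_ids attributes with no hit, and those excluded
    together with the list names that caused the exclusion.
    """
    kept, flagged = [], []
    for attr in attributes:
        if not attr.get('to_ids', False):
            continue
        hits = warninglist_hits(attr, warninglists)
        (flagged if hits else kept).append((attr['value'], hits))
    return kept, flagged


if __name__ == '__main__':
    kept, flagged = filter_for_ids(SAMPLE_ATTRIBUTES, [PUBLIC_RESOLVERS, RFC1918])
    for value, _ in kept:
        print('export', value)
    for value, names in flagged:
        print('excluded', value, '->', ', '.join(names))
```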
16 of 17
Q&A
• https://github.com/MISP/MISP
• https://github.com/MISP/misp-taxonomies
• https://github.com/MISP/PyTaxonomies
• https://github.com/MISP/misp-warninglists
• [email protected] (if you want to join one of the MISP communities operated by CIRCL)
• Ways to extend MISP before modules
◦ APIs (PyMISP, MISP API)
  • Works really well
  • No integration with the UI
◦ Change the core code
  • Have to change the core of MISP, diverge from upstream
  • Needs a deep understanding of MISP internals
  • Let’s not beat around the bush: Everyone hates PHP
2 of 32
Goals for the module system
• Have a way to extend MISP without altering the core
• Get started quickly without a need to study the internals
• Make the modules as light weight as possible
◦ Module developers should only have to worry about the data transformation
◦ Modules should have a simple and clean skeleton
• In a friendlier language - Python
3 of 32
MISP modules - extending MISP with Python scripts
• Extending MISP with expansion modules with zero customization in MISP.
• A simple ReST API between the modules and MISP allowing auto-discovery of new modules with their features.
• Benefit from existing Python modules in Viper or any other tools.
• MISP modules functionality introduced in MISP 2.4.28.
• MISP import/export modules introduced in MISP 2.4.50.
4 of 32
MISP modules - installation
• MISP modules can be run on the same system or on a remote server.
• Python 3 is required to run MISP modules.
◦ sudo apt-get install python3-dev python3-pip libpq5
◦ cd /usr/local/src/
◦ sudo git clone https://github.com/MISP/misp-modules.git
◦ cd misp-modules
◦ sudo pip3 install -I -r REQUIREMENTS
◦ sudo pip3 install -I .
◦ sudo vi /etc/rc.local, add this line: `sudo -u www-data misp-modules -s &`
5 of 32
MISP modules - Simple REST API mechanism
• http://127.0.0.1:6666/modules - introspection interface to get all modules available
◦ returns a JSON with a description of each module
• http://127.0.0.1:6666/query - interface to query a specific module
◦ to send a JSON to query the module
• MISP autodiscovers the available modules and the MISP site administrator can enable modules as they wish.
• If a configuration is required for a module, MISP adds automatically the option in the server settings.
6 of 32
Finding available MISP modules
• curl -s http://127.0.0.1:6666/modules
{
  "type": "expansion",
  "name": "dns",
  "meta": {
    "module-type": [
      "expansion",
      "hover"
    ],
    "description": "Simple DNS expansion service to resolve IP address from MISP attributes",
    "author": "Alexandre Dulaunoy",
    "version": "0.1"
  },
  "mispattributes": {
    "output": [
      "ip-src",
      "ip-dst"
    ],
    "input": [
      "hostname",
      "domain"
    ]
  }
}
7 of 32
Querying a module
• curl -s http://127.0.0.1:6666/query -H "Content-Type: application/json" --data @body.json -X POST
body.json
{"module": "dns", "hostname": "www.circl.lu"}
• and the response of the dns module:
{"results": [{"values": ["149.13.33.14"],
              "types": ["ip-src", "ip-dst"]}]}
8 of 32
MISP modules - How it’s integrated in the UI?
9 of 32
MISP modules - configuration in the UI
10 of 32
MISP modules - main types of modules
• Expansion modules - enrich data that is in MISP
◦ Hover type - showing the expanded values directly on the attributes
◦ Expansion type - showing and adding the expanded values via a proposal form
• Import modules - import new data into MISP
• Export modules - export existing data from MISP
11 of 32
Creating your Expansion module (Skeleton)
import json
import dns.resolver

misperrors = {'error': 'Error'}
# Attribute types the module accepts and the types it produces
mispattributes = {'input': [], 'output': []}
moduleinfo = {'version': '', 'author': '',
              'description': '', 'module-type': []}


def handler(q=False):
    # q is the JSON body POSTed to /query
    if q is False:
        return False
    request = json.loads(q)
    r = {'results': [{'types': [], 'values': []}]}
    return r


def introspection():
    return mispattributes


def version():
    return moduleinfo
12 of 32
Creating your Expansion module (metadata 1)
misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src', 'ip-dst']}
moduleinfo = {'version': '', 'author': '',
              'description': '', 'module-type': []}
13 of 32
Creating your Expansion module (metadata 2)
misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src', 'ip-dst']}
moduleinfo = {'version': '0.1', 'author': 'Alexandre Dulaunoy',
              'description': 'Simple DNS expansion service to resolve IP address from MISP attributes',
              'module-type': ['expansion', 'hover']}
14 of 32
Creating your Expansion module (handler 1)
def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    # MAGIC
    # MORE MAGIC
    r = {'results': [
        {'types': output_types, 'values': values},
        {'types': output_types2, 'values': values2}
    ]}
    return r
15 of 32
Creating your Expansion module (handler 2)
    if request.get('hostname'):
        toquery = request['hostname']
    elif request.get('domain'):
        toquery = request['domain']
    else:
        return False
    r = dns.resolver.Resolver()
    r.timeout = 2
    r.lifetime = 2
    r.nameservers = ['8.8.8.8']
    try:
        answer = r.query(toquery, 'A')
    except dns.resolver.NXDOMAIN:
        misperrors['error'] = "NXDOMAIN"
        return misperrors
    except dns.exception.Timeout:
        misperrors['error'] = "Timeout"
        return misperrors
    except Exception:
        misperrors['error'] = "DNS resolving error"
        return misperrors
    r = {'results': [{'types': mispattributes['output'], 'values': [str(answer[0])]}]}
    return r
16 of 32
Creating your module - finished DNS module
import json
import dns.resolver
import dns.exception  # dns.exception.Timeout is caught below

misperrors = {'error': 'Error'}
mispattributes = {'input': ['hostname', 'domain'], 'output': ['ip-src', 'ip-dst']}
moduleinfo = {'version': '0.1', 'author': 'Alexandre Dulaunoy',
              'description': 'Simple DNS expansion service to resolve IP address from MISP attributes',
              'module-type': ['expansion', 'hover']}


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    # the request carries exactly one of the declared input types
    if request.get('hostname'):
        toquery = request['hostname']
    elif request.get('domain'):
        toquery = request['domain']
    else:
        return False
    r = dns.resolver.Resolver()
    r.timeout = 2
    r.lifetime = 2
    r.nameservers = ['8.8.8.8']
    try:
        answer = r.query(toquery, 'A')
    except dns.resolver.NXDOMAIN:
        misperrors['error'] = "NXDOMAIN"
        return misperrors
    except dns.exception.Timeout:
        misperrors['error'] = "Timeout"
        return misperrors
    except Exception:
        misperrors['error'] = "DNS resolving error"
        return misperrors
    # one result: the first A record, offered as both ip-src and ip-dst
    r = {'results': [{'types': mispattributes['output'], 'values': [str(answer[0])]}]}
    return r


def introspection():
    return mispattributes


def version():
    return moduleinfo
17 of 32
Testing your module
• Copy your module dns.py in modules/expansion/
• Restart the server misp-modules.py
[adulau:~/git/misp-modules/bin]$ python3 misp-modules.py
2016-03-20 19:25:43,748 - misp-modules - INFO - MISP modules passivetotal imported
2016-03-20 19:25:43,787 - misp-modules - INFO - MISP modules sourcecache imported
2016-03-20 19:25:43,789 - misp-modules - INFO - MISP modules cve imported
2016-03-20 19:25:43,790 - misp-modules - INFO - MISP modules dns imported
2016-03-20 19:25:43,797 - misp-modules - INFO - MISP modules server started on TCP port 6666
• Check if your module is present in the introspection
• curl -s http://127.0.0.1:6666/modules
• If yes, test it directly with MISP or via curl
18 of 32
Code samples (Configuration)
import pypssl

# Configuration at the top: MISP exposes these as server settings for the module
moduleconfig = ['username', 'password']

# Code block in the handler: the configured values arrive in request['config'].
# Missing 'config' altogether is treated like missing credentials (the original
# only checked when the key was present, then indexed it unconditionally).
config = request.get('config') or {}
if config.get('username') is None or config.get('password') is None:
    misperrors['error'] = 'CIRCL Passive SSL authentication is missing'
    return misperrors
x = pypssl.PyPSSL(basic_auth=(config['username'], config['password']))
19 of 32
Default expansion module set
• asn history
• CIRCL Passive DNS
• CIRCL Passive SSL
• Country code lookup
• CVE information expansion
• DNS resolver
• DomainTools
• eupi (checking url in phishing database)
• IntelMQ (experimental)
• ipasn
• PassiveTotal - http://blog.passivetotal.org/misp-sharing-done-differently
• sourcecache
• Virustotal
• Whois
20 of 32
Import modules
• Similar to expansion modules
• Input is a file upload or a text paste
• Output is a list of parsed attributes to be edited and verified by the user
• System is still new but some modules already exist
◦ Cuckoo JSON import
◦ email import
◦ OCR module
◦ Simple STIX import module
• Many ideas for future modules (OpenIOC import, connector to sandboxes, STIX 2.0, etc)
Creating your Import module (Skeleton)
import base64  # needed by the handler below (missing on the original slide)
import json

misperrors = {'error': 'Error'}
userConfig = {
    'number1': {
        'type': 'Integer',
        'regex': '/^[0-4]$/i',
        'errorMessage': 'Expected a number in range [0-4]',
        'message': 'Column number used for value'
    }
}
inputSource = ['file', 'paste']
moduleinfo = {'version': '', 'author': '',
              'description': '', 'module-type': ['import']}
moduleconfig = []

def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    request["data"] = base64.b64decode(request["data"])
    r = {'results': [{'categories': [], 'types': [], 'values': []}]}
    return r

def introspection():
    # the module-level name is moduleconfig; the introspection key is moduleConfig
    return {'userConfig': userConfig, 'inputSource': inputSource, 'moduleConfig': moduleconfig}

def version():
    return moduleinfo
Creating your import module (userConfig and inputSource)
userConfig = {
    'number1': {
        'type': 'Integer',
        'regex': '/^[0-4]$/i',
        'errorMessage': 'Expected a number in range [0-4]',
        'message': 'Column number used for value'
    }
}
inputSource = ['file', 'paste']
Creating your import module (Handler)
def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    request["data"] = base64.b64decode(request["data"])
    r = {'results': [{'categories': [], 'types': [], 'values': []}]}
    return r
Creating your import module (Introspection)
def introspection():
    modulesetup = {}
    try:
        userConfig
        modulesetup['userConfig'] = userConfig
    except NameError:
        pass
    try:
        moduleConfig
        modulesetup['moduleConfig'] = moduleConfig
    except NameError:
        pass
    try:
        inputSource
        modulesetup['inputSource'] = inputSource
    except NameError:
        pass
    return modulesetup
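The skeleton, handler and introspection slides above, put together into one small but complete import module. This is an added example, not code from the misp-modules repository: the hypothetical module takes a pasted or uploaded CSV, uses the number1 userConfig value as the column to import, guesses a MISP type for each cell and returns one result per attribute for the user to verify. It assumes the userConfig value is delivered under request['config'], and build_request only mimics what MISP posts so the module can be exercised locally.

```python
import base64
import json
import re

misperrors = {'error': 'Error'}
userConfig = {'number1': {'type': 'Integer', 'regex': '/^[0-4]$/i',
                          'errorMessage': 'Expected a number in range [0-4]',
                          'message': 'Column number used for value'}}
inputSource = ['file', 'paste']
moduleinfo = {'version': '0.1', 'author': 'added example (hypothetical module)',
              'description': 'Import one CSV column as attributes', 'module-type': ['import']}
moduleconfig = []

_IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
_HASH = {32: 'md5', 40: 'sha1', 64: 'sha256'}  # hex length -> MISP hash type

def guess_type(value):
    """Crude guess of the MISP type/category for one cell; the user verifies before saving."""
    if _IPV4.match(value):
        return 'ip-dst', 'Network activity'
    if re.fullmatch(r'[0-9a-fA-F]+', value) and len(value) in _HASH:
        return _HASH[len(value)], 'Payload delivery'
    return 'domain', 'Network activity'

def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    try:
        column = int(request.get('config', {}).get('number1', 0))
    except ValueError:
        misperrors['error'] = 'number1 must be an integer'
        return misperrors
    # 'data' arrives base64 encoded whether it came from a file upload or a paste
    text = base64.b64decode(request['data']).decode('utf-8', 'replace')
    results = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split(',')]
        if len(cells) <= column or not cells[column]:
            continue  # rows that are too short or empty in that column are skipped, not fatal
        t, cat = guess_type(cells[column])
        results.append({'types': [t], 'values': [cells[column]], 'categories': [cat]})
    return {'results': results}

def introspection():
    return {'userConfig': userConfig, 'inputSource': inputSource, 'moduleConfig': moduleconfig}

def build_request(text, column):  # mimics what MISP posts to the module, for local testing
    return json.dumps({'data': base64.b64encode(text.encode()).decode(), 'config': {'number1': str(column)}})
```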
Export modules
• Input is currently only a single event
• Dynamic settings
• Later on to be expanded to event collections / attribute collections
• Output is a file in the export format served back to the user
• Export modules were recently introduced, but a CEF export module is already available
• Lots of ideas for upcoming modules, including interaction with misp-darwin
Creating your Export module (Skeleton)
import base64  # needed by the handler below (missing on the original slide)
import json

inputSource = ['event']
outputFileExtension = 'txt'
responseType = 'application/txt'
moduleinfo = {'version': '0.1', 'author': 'Andras Iklody',
              'description': 'Skeleton export module',
              'module-type': ['export']}
userConfig = {}     # referenced by introspection(); empty in the skeleton
moduleconfig = []   # referenced by introspection(); empty in the skeleton

def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    # insert your magic here!
    output = my_magic(request["data"])
    r = {"data": base64.b64encode(output.encode('utf-8')).decode('utf-8')}
    return r

def introspection():
    return {'userConfig': userConfig, 'inputSource': inputSource, 'moduleConfig': moduleconfig,
            'outputFileExtension': outputFileExtension}

def version():
    return moduleinfo
Creating your export module (settings)
inputSource = ['event']
outputFileExtension = 'txt'
responseType = 'application/txt'
Creating your export module (handler)
def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    # insert your magic here!
    output = my_magic(request["data"])
    r = {"data": base64.b64encode(output.encode('utf-8')).decode('utf-8')}
    return r
Creating your export module (introspection)
def introspection():
    modulesetup = {}
    try:
        responseType
        modulesetup['responseType'] = responseType
    except NameError:
        pass
    try:
        userConfig
        modulesetup['userConfig'] = userConfig
    except NameError:
        pass
    try:
        moduleConfig
        modulesetup['moduleConfig'] = moduleConfig
    except NameError:
        pass
    try:
        outputFileExtension
        modulesetup['outputFileExtension'] = outputFileExtension
    except NameError:
        pass
    try:
        inputSource
        modulesetup['inputSource'] = inputSource
    except NameError:
        pass
    return modulesetup
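The export skeleton, settings and handler slides above, filled in as one working module. This is an added example rather than the project's CEF exporter: the hypothetical module flattens the attributes of the exported event to CSV (the csv module takes care of quoting values that contain commas) and returns it base64 encoded with a matching responseType. It assumes 'data' is a list of event dicts carrying an 'Attribute' list, with or without an {'Event': ...} wrapper; SAMPLE_EVENT is constructed, and run_export only mimics what MISP posts so the module can be exercised locally.

```python
import base64
import csv
import io
import json

inputSource = ['event']
outputFileExtension = 'csv'
responseType = 'text/csv'
moduleinfo = {'version': '0.1', 'author': 'added example (hypothetical module)',
              'description': 'Flatten the attributes of one event to CSV', 'module-type': ['export']}
moduleconfig = []

# Constructed sample event in the shape the module expects: an event dict carrying its attributes.
SAMPLE_EVENT = {'id': '42', 'Attribute': [
    {'type': 'ip-dst', 'category': 'Network activity', 'value': '198.51.100.7', 'to_ids': True},
    {'type': 'comment', 'category': 'Other', 'value': 'has, a comma', 'to_ids': False}]}

def event_to_csv(event):
    """One CSV row per attribute; the csv module handles quoting of commas and quotes in values."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator='\n')
    writer.writerow(['event_id', 'type', 'category', 'value', 'to_ids'])
    for attr in event.get('Attribute', []):
        writer.writerow([event.get('id'), attr.get('type'), attr.get('category'),
                         attr.get('value'), int(bool(attr.get('to_ids')))])
    return out.getvalue()

def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    # assumption: 'data' is a list of events; tolerate both bare events and {'Event': {...}} wrappers
    output = ''.join(event_to_csv(e.get('Event', e)) for e in request['data'])
    return {'data': base64.b64encode(output.encode('utf-8')).decode('utf-8')}

def introspection():
    return {'responseType': responseType, 'outputFileExtension': outputFileExtension,
            'inputSource': inputSource, 'moduleConfig': moduleconfig}

def run_export(events):  # posts events as MISP would and decodes the base64 answer, for local testing
    return base64.b64decode(handler(json.dumps({'data': events}))['data']).decode('utf-8')
```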
Upcoming additions to the module system - General
• Expose the modules to the APIs
• Move the modules to background processes with a messaging system
• The difficulty is dealing with uncertain results on import (without the user having the final say)
Q&A
• https://github.com/MISP/misp-modules
• https://github.com/MISP/
• We welcome new modules and pull requests.
• MISP modules can be designed as standalone applications.
• TDS: Traffic Direction System used by adversaries
• Threat-Actor: Known or estimated adversary groups
• Tool: Tools used by adversaries (from Malware to common tools)
• MITRE ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™)
What a cluster looks like
Attaching clusters to events
• Internally, simply using a taxonomy-like tag to attach them to events
• Example: misp-galaxy:threat-actor="Sofacy"
• Synchronisation works out of the box with older instances too. They will simply see the tags until they upgrade.
• Currently, as mentioned, we rely on the community's contribution of galaxies
Attaching clusters
• Use a searchable synonym database to find what you’re after
Creating your own galaxy
• Creating galaxy clusters has to be straightforward to get the community to contribute
• Building on the prior success of the taxonomies and warning lists
• Simple JSON format in similar fashion
• Just drop the JSON in the proper directory and let MISP ingest it
• We always look forward to contributions to our galaxies repository
Galaxy JSON
• If you want to create a completely new galaxy instead of enriching an existing one
{
  "name": "Threat Actor",
  "type": "threat-actor",
  "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
  "version": 1,
  "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"
}
Cluster JSON
• Clusters contain the meat of the data
• Skeleton structure as follows
{
  "values": [
    {
      "meta": {},
      "description": "",
      "value": "",
      "related_clusters": [{}]
    }
  ]
}
Cluster JSON value example
{
  "meta": {
    "synonyms": [
      "APT 28", "APT28", "Pawn Storm", "Fancy Bear",
      "Sednit", "TsarTeam", "TG-4127", "Group-4127",
      "STRONTIUM", "Grey-Cloud"
    ],
    "country": "RU",
    "refs": [
      "https://en.wikipedia.org/wiki/Sofacy_Group"
    ]
  },
  "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
  "value": "Sofacy"
},
meta best practices
• Reusing existing meta keys such as properties, complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, derivated_from, status, date, encryption, extensions, ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category.
• Or adding your own meta fields.
meta best practices - a sample
{
  "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
  "meta": {
    "cfr-suspected-state-sponsor": "China",
    "cfr-suspected-victims": [
      "U.S. satellite and aerospace sector"
    ],
    "cfr-target-category": [
      "Private sector",
      "Government"
    ],
    "cfr-type-of-incident": "Espionage",
    "country": "CN",
    "refs": [
      "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
      "https://www.cfr.org/interactive/cyber-operations/putter-panda"
    ],
    "synonyms": [
      "PLA Unit 61486",
      "APT 2",
      "Group 36",
      "APT-2",
      "MSUpdater",
      "4HCrew",
      "SULPHUR",
      "TG-6952"
    ]
  }
}
Expressing relation between clusters
• A cluster can be related to one or more clusters using the default relationships from MISP objects and a list of tags to classify the relation.
"related": [
  {
    "dest-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
    "tags": [
      "estimative-language:likelihood-probability=\"likely\""
    ],
    "type": "similar"
  }
],
"uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
"value": "Putter Panda"
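The galaxy JSON, cluster JSON, synonym and "related" slides above, exercised together. This is an added example, not part of the slides or of the misp-galaxy repository: it checks a cluster file for the mistakes that matter before dropping it into the galaxies directory (type mismatch with the galaxy header, missing or malformed uuids, duplicate values, "related" entries whose dest-uuid points nowhere), builds the misp-galaxy:type="value" tag MISP attaches to events, and resolves a name through the synonyms. GALAXY and CLUSTER are constructed from the slides' samples; the dest-uuid from the "related" example is assigned to the Sofacy entry here purely so the relation resolves.

```python
import uuid

# Constructed from the slides' samples: the galaxy header and a cluster file with two values.
GALAXY = {"name": "Threat Actor", "type": "threat-actor", "version": 1,
          "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"}
CLUSTER = {"type": "threat-actor", "version": 1, "values": [
    {"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "value": "Sofacy",
     "meta": {"country": "RU", "synonyms": ["APT28", "Fancy Bear", "Pawn Storm"]}},
    {"uuid": "0ca45163-e223-4167-b1af-f088ed14a93d", "value": "Putter Panda",
     "meta": {"country": "CN", "synonyms": ["APT 2", "PLA Unit 61486"]},
     "related": [{"dest-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
                  "tags": ["estimative-language:likelihood-probability=\"likely\""],
                  "type": "similar"}]}]}

def tag_for(galaxy_type, value):
    """The taxonomy-like tag MISP attaches to an event for a cluster value."""
    return 'misp-galaxy:%s="%s"' % (galaxy_type, value)

def validate_cluster(galaxy, cluster):
    """Consistency checks for a cluster file; an empty list means it is clean."""
    problems = []
    if cluster.get('type') != galaxy.get('type'):
        problems.append('cluster type does not match galaxy type')
    values = cluster.get('values', [])
    known = set()
    for v in values:
        if not v.get('value'):
            problems.append('value entry without a name')
        try:
            known.add(str(uuid.UUID(v.get('uuid', ''))))  # normalised form for comparisons
        except ValueError:
            problems.append('bad or missing uuid on %r' % v.get('value'))
    names = [v.get('value') for v in values]
    problems += ['duplicate value %r' % n for n in set(names) if names.count(n) > 1]
    for v in values:
        for rel in v.get('related', []):
            if rel.get('dest-uuid') not in known:
                problems.append('%r relates to unknown uuid %r' % (v.get('value'), rel.get('dest-uuid')))
    return problems

def find_by_synonym(cluster, name):
    """Case-insensitive lookup by value or synonym, as the searchable synonym database does."""
    n = name.lower()
    for v in cluster.get('values', []):
        aliases = [v.get('value', '')] + v.get('meta', {}).get('synonyms', [])
        if n in [a.lower() for a in aliases]:
            return v['value']
    return None
```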
PyMISPGalaxies
from pymispgalaxies import Clusters
c = Clusters()
list(c.keys())
# ['threat-actor', 'ransomware', 'exploit-kit', 'tds', 'tool', 'rat', 'mitre-attack-pattern',
#  'mitre-tool', 'microsoft-activity-group', 'mitre-course-of-action', 'mitre-malware',
#  'mitre-intrusion-set', 'preventive-measure']
print(c.get("rat"))
# misp-galaxy:rat="Brat"
# misp-galaxy:rat="Loki RAT"
# misp-galaxy:rat="join.me"
# misp-galaxy:rat="Setro"
# misp-galaxy:rat="drat"
# misp-galaxy:rat="Plasma RAT"
# misp-galaxy:rat="NanoCore"
# misp-galaxy:rat="DarkTrack"
# misp-galaxy:rat="Theef"
# misp-galaxy:rat="Greame"
# misp-galaxy:rat="Nuclear RAT"
# misp-galaxy:rat="DameWare Mini Remote Control"
# misp-galaxy:rat="ProRat"
# misp-galaxy:rat="death"
# misp-galaxy:rat="Dark DDoSeR"
# ....
print(c.get("rat").description)
# remote administration tool or remote access tool (RAT), also called sometimes remote
# access trojan, is a piece of software or programming that allows a remote "operator"
# to control a system as if they have physical access to that system.
Q&A
• [email protected] (if you want to join the CIRCL MISP sharing community)
• AIL-leak - AIL object, an example for an object catering to the output of another tool
• Android permission - An object used to further contextualise another object
• Bank account
• File - Generic object to describe a file
• Passive DNS
• Regex
• Sandbox report
• Vulnerability - Enabling new use-cases such as pre-sharing of vulnerability information
• x509
• Yara - Verbatim sharing of rule sets along with meta-data
Object Template skeleton
{
  "requiredOneOf": [],
  "required": [],
  "attributes": {},
  "version": 1,
  "description": "My description",
  "meta-category": "Chosen meta category",
  "uuid": "Object template uuid",
  "name": "Object template name"
}
Adding elements to an object template
"regexp-type": {
  "description": "Type of the regular expression syntax.",
  "disable_correlation": true,
  "ui-priority": 0,
  "misp-attribute": "text",
  "values_list": [
    "PCRE",
    "PCRE2",
    "POSIX BRE",
    "POSIX ERE"
  ]
},
Attribute keys
• Primary key: Object relation
• description: A description of the attribute in relation to the object
• disable_correlation: You can disable correlations for attributes in the resulting object
• ui-priority: Not implemented yet, but the idea is to have a "quick view" of objects only showing certain priority levels
• misp-attribute: The MISP attribute type used as the building block
• values_list: an optional list of values from which the user must choose instead of entering a value manually
• sane_default: an optional list of values from which the user may choose instead of entering a value
• multiple: Allow the user to add more than one of this attribute
Enforcement of certain keys
• The template also defines which of the added attributes are mandatory
• Requirements are pointed to via their object relation names
• We differentiate between two types of rule sets:
◦ Required: Everything in this list has to be set in order for the object to validate
◦ Required One Of: Any of the attributes in this list will satisfy the requirements
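The attribute keys and the two rule sets above, applied by a validator. This is an added example and not MISP's own template enforcement code: TEMPLATE is a constructed template in the slides' format (its uuid is a placeholder) with one required attribute, a requiredOneOf pair, a values_list and a multiple flag, and validate_object reports every rule a proposed set of (object_relation, value) pairs breaks instead of stopping at the first one.

```python
# Constructed template in the slides' format: a regex object with three attributes.
TEMPLATE = {
    "name": "regex", "uuid": "TEMPLATE-UUID-PLACEHOLDER", "version": 1,
    "meta-category": "misc", "description": "A regular expression and its flavour",
    "required": ["regexp"],
    "requiredOneOf": ["comment", "regexp-type"],
    "attributes": {
        "regexp": {"misp-attribute": "text", "multiple": False},
        "regexp-type": {"misp-attribute": "text",
                        "values_list": ["PCRE", "PCRE2", "POSIX BRE", "POSIX ERE"]},
        "comment": {"misp-attribute": "comment", "multiple": True},
    },
}

def validate_object(template, attributes):
    """attributes: list of (object_relation, value) pairs. Returns every rule violation found."""
    errors = []
    defs = template['attributes']
    present = {}
    for relation, value in attributes:
        spec = defs.get(relation)
        if spec is None:
            errors.append('unknown object relation %r' % relation)
            continue
        present.setdefault(relation, []).append(value)
        allowed = spec.get('values_list')
        if allowed and value not in allowed:  # values_list is a closed choice, unlike sane_default
            errors.append('%r must be one of %s' % (relation, allowed))
    for relation, values in present.items():
        if len(values) > 1 and not defs[relation].get('multiple'):
            errors.append('%r does not allow multiple values' % relation)
    for relation in template.get('required', []):  # every entry must be present
        if relation not in present:
            errors.append('required attribute %r missing' % relation)
    one_of = template.get('requiredOneOf', [])  # any single entry satisfies this list
    if one_of and not any(r in present for r in one_of):
        errors.append('one of %s is required' % one_of)
    return errors
```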
What will the template actually do?
• Templates create a form that can be used to populate an event
• When using templates, MISP will enforce everything according to the template rules
• However, these are only optional: users can avoid using the templates when creating events via the API
• The reason for this is that you do not need to have the template in order to create an object
• The limitation of this system: you cannot modify objects that were created with unknown templates
Templates as rendered in the UI
Q&A
• https://github.com/MISP/MISP
• https://github.com/MISP/misp-objects
• [email protected] (if you want to join one of the MISP communities operated by CIRCL)