MISP workshop: Introduction to Information Sharing using MISP for CSIRTs
Threat Sharing
MISP Training @ CIRCL, 2018-12-18
Team CIRCL, TLP:WHITE
Plan for this session
- Explanation of the CSIRT use case for information sharing and what CIRCL does
- Building an information sharing community and best practices
Communities operated by CIRCL
- As a CSIRT, CIRCL operates a wide range of communities
- We use MISP as an internal tool to cover various day-to-day activities
- Whilst being the main driving force behind the development, we are also one of the largest consumers
- Different communities have different needs and restrictions
Communities operated by CIRCL
Private sector community
- Our largest sharing community
- Over 900 organisations
- 2000 users
- Functions as a central hub for a lot of sharing communities
- Private organisations, researchers, various SOCs, some CSIRTs, etc.
CSIRT community
- Tighter community
- National CSIRTs, connections to international organisations, etc.
Communities operated by CIRCL
Financial sector community
- Banks, payment processors, etc.
- Sharing of mule accounts and non-cyber threat information
X-ISAC
- Bridging the gap between the various sectorial and geographical ISACs
- New, but ambitious initiative
- Goal is to bootstrap cross-sectorial sharing along with building the infrastructure to enable sharing when needed
Communities operated by CIRCL
Coming up: the ATT&CK EU community
- Work on attacker modelling
- With the assistance of MITRE themselves
- Unique opportunity to standardise on TTPs
- Looking for organisations that want to get involved!
Communities supported by CIRCL
- FIRST.org's MISP community
- Telecom and mobile operators' community
- Various ad-hoc communities, for example for exercises
  - Most recently for the ENISA exercise a few weeks ago
Sharing Scenarios in MISP
Sharing can happen for many different reasons. Let's see what we believe are the typical CSIRT scenarios.
We can generally split these activities into 4 main groups when we're talking about traditional CSIRT tasks:
- Core services
- Proactive services
- Advanced services
- Sharing communities managed by CSIRTs for various tasks
CSIRT core services
Incident response
- Internal storage of incident response data
- Sharing of indicators derived from incident response
- Correlating derived data and using the built-in analysis tools
- Enrichment services
- Collaboration with affected parties via MISP during IR
- Co-ordination and collaboration
- Takedown requests
Alerting of information leaks (integration with AIL [1])
[1] https://github.com/CIRCL/AIL-framework
CSIRT proactive services
- Contextualising both internal and external data
- Collection and dissemination of data from various sources (including OSINT)
- Storing, correlating and sharing own manual research (reversing, behavioural analysis)
- Aggregating automated collection (sandboxing, honeypots, spamtraps, sensors)
  - MISP allows for the creation of internal MISP "clouds"
  - Store large specialised datasets (for example honeypot data)
  - MISP has interactions with a large set of such tools (Cuckoo, Mail2MISP, etc.)
- Situational awareness tools to monitor trends and adversary TTPs within my sector/geographical region (MISP-dashboard, built-in statistics)
CSIRT proactive services - MISP dashboard
CSIRT advanced services
- Supporting forensic analysts
- Collaboration with law enforcement
- Vulnerability information sharing
  - Notifications to the constituency about relevant vulnerabilities
  - Co-ordinating with vendors for notifications (*)
  - Internal / closed community sharing of pentest results
  - We're planning on starting a series of hackathons to find
CSIRTs' management of sharing communities for constituent actions
- Reporting non-identifying information about incidents (such as outlined in the NISD)
- Seeking and engaging in collaboration with CSIRTs or other parties during an incident
- Pre-sharing information to request help / additional information from the community
- Pseudo-anonymised sharing through 3rd parties to avoid attribution of a potential target
- Building processes for other types of sharing to get the community engaged and acquainted with the methodologies of sharing (mule account information, border control, etc.)
A quick note on compliance...
Collaboration with Deloitte as part of a CEF project for creating compliance documents
- Information sharing and cooperation enabled by GDPR
- How MISP enables stakeholders identified by the NISD to perform key activities
- AIL and MISP
For more information: https://github.com/CIRCL/compliance
Bringing different sharing communities together
- We generally all end up sharing with peers that face similar threats
- Division is either sectorial or geographical
- So why even bother with trying to bridge these communities?
Advantages of cross sectorial sharing
- Reuse of TTPs across sectors
- Being hit by something that another sector has faced before
- Hybrid threats: how seemingly unrelated things may be interesting to correlate
- Prepare other communities for the capability and culture of sharing, for when the need arises for them to reach out to a CSIRT
- Generally our field is ahead of several other sectors when it comes to information sharing; might as well spread the love
Getting started with building your own sharing community
- Starting a sharing community is both easy and difficult at the same time
- Many moving parts and, most importantly, you'll be dealing with a diverse group of people
- Understanding and working with your constituents to help them face their challenges is key
Getting started with building your own sharing community
When you are starting out, you are in a unique position to drive the community and set best practices...
Running a sharing community using MISP - How to get going?
Different models for constituents
- Connecting to a MISP instance hosted by a CSIRT
- Hosting their own instance and connecting to the CSIRT's MISP
- Becoming a member of a sectorial MISP community that is connected to the CSIRT's community
Planning ahead for future growth
- Estimating requirements
- Deciding early on common vocabularies
- Offering services through MISP
Rely on our instincts to imitate over expecting adherence to rules
- Lead by example: the power of imitation
- Encourage improving by doing instead of blocking sharing with unrealistic quality controls
  - What should the information look like?
  - How should it be contextualised?
  - What do you consider as useful information?
  - What tools did you use to get your conclusions?
- Side effect is that you will end up raising the capabilities of your constituents
What counts as valuable data?
Sharing comes in many shapes and sizes
- Sharing results / reports is the classical example
- Sharing enhancements to existing data
- Validating data / flagging false positives
- Asking for support from the community
Embrace all of them. Even the ones that don't do any of these: you'll never know when they change their minds...
How to deal with organisations that only "leech"?
- From our own communities, only about 30% of the organisations actively share data
- We have come across some communities with sharing requirements
- In our experience, this sets you up for failure because:
  - The organisations that would possibly benefit the most from protection will lose it
  - Organisations that want to stay above the thresholds will start sharing junk / fake data
  - You lose organisations that might turn into valuable contributors in the future
So how does one convert the passive organisations into actively sharing ones?
- Rely on organic growth
- Help them increase their capabilities
- As mentioned before, lead by example
- Rely on the inherent value to oneself when sharing information (validation, enrichments, correlations)
- Give credit where credit is due; never steal the accolades of your community (that is incredibly demotivating)
Dispelling the myths around blockers when it comes to information sharing
Sharing difficulties are not really technical issues; often it's a matter of social interactions (e.g. trust).
- You can play a role here: organise regular workshops, conferences, have face-to-face meetings
Legal restrictions
- "Our legal framework doesn't allow us to share information."
- "Risk of information leak is too high and it's too risky for our organisation or partners."
Practical restrictions
- "We don't have information to share."
- "We don't have time to process or contribute indicators."
- "Our model of classification doesn't fit your model."
- "Tools for sharing information are tied to a specific format, we use a different one."
Contextualising the information
Sharing technical information is a great start.
However, to truly create valuable information for your community, always consider the context:
- Your IDS might not care why it should alert on a rule
- But your analysts will be interested in the threat landscape and the "big picture"
Classify data to make sure your partners understand why it is important for them.
This becomes massively important once an organisation has the maturity to filter the most critical subsets of information for their own defense.
Choice of vocabularies
- MISP has a very versatile system (taxonomies) for classifying and marking data
- However, this includes different vocabularies with obvious overlaps
- MISP allows you to pick and choose vocabularies to use and enforce in a community
- Good idea to start with this process early
- If you don't find what you're looking for:
  - Create your own (JSON format, no coding skills required)
  - If it makes sense, share it with us via a pull request for redistribution
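To make the "JSON format, no coding skills required" point concrete, here is an added example (not code from the training or from the MISP project) of a custom taxonomy in the layout of a MISP machinetag.json file: a top-level namespace, description, version, a list of predicates and, per predicate, an optional list of values. The namespace `csirt-example` and its predicates are constructed for illustration and are not a published taxonomy. The helper functions sanity-check the file, expand it into the `namespace:predicate="value"` machinetag strings MISP uses as tag names, and check whether a tag belongs to the vocabulary, which is the building block for enforcing a chosen vocabulary in a community.

```python
"""Load, validate and expand a custom MISP taxonomy (machinetag.json layout).

Added example. The taxonomy below is constructed; "csirt-example" is a
hypothetical namespace, not one shipped with MISP.
"""
import json
import re

# Constructed example taxonomy in the machinetag.json layout.
EXAMPLE_TAXONOMY_JSON = """
{
  "namespace": "csirt-example",
  "description": "Sector-level context markers for a national CSIRT community.",
  "version": 1,
  "predicates": [
    {"value": "sector", "expanded": "Constituent sector",
     "description": "Sector of the organisation that observed the activity"},
    {"value": "validated", "expanded": "Validation status"}
  ],
  "values": [
    {"predicate": "sector",
     "entry": [
       {"value": "finance", "expanded": "Financial institutions"},
       {"value": "telecom", "expanded": "Telecom and mobile operators"}
     ]}
  ]
}
"""

# namespace:predicate  or  namespace:predicate="value"
MACHINETAG_RE = re.compile(r'^(?P<ns>[^:="]+):(?P<pred>[^:="]+)(?:="(?P<val>[^"]*)")?$')


def load_taxonomy(text: str) -> dict:
    """Parse a taxonomy file and raise ValueError on structural mistakes."""
    tax = json.loads(text)
    for key in ("namespace", "description", "version", "predicates"):
        if key not in tax:
            raise ValueError(f"taxonomy is missing required key {key!r}")
    declared = {p["value"] for p in tax["predicates"]}
    for block in tax.get("values", []):
        if block["predicate"] not in declared:
            raise ValueError(f"values refer to undeclared predicate {block['predicate']!r}")
        for entry in block["entry"]:
            if "value" not in entry:
                raise ValueError("each entry needs a 'value'")
    return tax


def machinetags(tax: dict) -> list:
    """Expand a taxonomy into the machinetag strings MISP shows as tag names.

    A predicate without values yields namespace:predicate; a predicate with
    values yields one namespace:predicate="value" tag per value.
    """
    ns = tax["namespace"]
    by_predicate = {b["predicate"]: b["entry"] for b in tax.get("values", [])}
    tags = []
    for pred in tax["predicates"]:
        name = pred["value"]
        if name in by_predicate:
            tags.extend(f'{ns}:{name}="{e["value"]}"' for e in by_predicate[name])
        else:
            tags.append(f"{ns}:{name}")
    return tags


def parse_machinetag(tag: str) -> dict:
    """Split a machinetag into namespace / predicate / value (value None if absent)."""
    m = MACHINETAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a machinetag: {tag!r}")
    return {"namespace": m["ns"], "predicate": m["pred"], "value": m["val"]}


def tag_is_allowed(tag: str, tax: dict) -> bool:
    """True if the tag is part of the given vocabulary (enforcement check)."""
    try:
        parsed = parse_machinetag(tag)
    except ValueError:
        return False
    return parsed["namespace"] == tax["namespace"] and tag in machinetags(tax)


if __name__ == "__main__":
    taxonomy = load_taxonomy(EXAMPLE_TAXONOMY_JSON)
    for t in machinetags(taxonomy):
        print(t)
    print(tag_is_allowed('csirt-example:sector="finance"', taxonomy))
```

Once a file like this is dropped into a MISP instance's taxonomy directory and enabled, the tags it expands to become selectable in the UI; the validation step above catches the usual mistake of referencing a predicate in "values" that was never declared in "predicates".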
Shared libraries of meta-information (Galaxies)
- The MISP Project, in co-operation with partners, provides a curated list of galaxy information
- Can include information packages of different types, for example:
  - Threat actor information
  - Specialised information such as ransomware, exploit kits, etc.
  - Methodology information such as preventative actions
  - Classification systems for methodologies used by adversaries (ATT&CK)
- Consider improving the default libraries or contributing your own (simple JSON format)
- If there is something you cannot share, run your own galaxies and share them out of band with partners
- Pull requests are always welcome
False-positive handling
- You might often fall into the trap of discarding seemingly "junk" data
- Besides volume limitations (which are absolutely valid), fear of false positives is the most common reason why people discard data. Our recommendation:
  - Be lenient when considering what to keep
  - Be strict when you are feeding tools
- MISP allows you to filter out the relevant data on demand when feeding protective tools
- What may seem like junk to you may be absolutely critical to other users
Many objectives from different user-groups
Sharing indicators for detection.
- 'Do I have infected systems in my infrastructure or the ones I operate?'
Sharing indicators to block.
- 'I use these attributes to block, sinkhole or divert traffic.'
Sharing indicators to perform intelligence.
- 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
→ These objectives can be conflicting (e.g. false positives have different impacts)
False-positive handling
- Analysts will often be interested in the modus operandi of threat actors over long periods of time
- Even cleaned-up infected hosts might become interesting again (embedded in code, recurring reuse)
- Use the tools provided to eliminate obvious false positives instead, and limit your data set to the most relevant sets
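The two false-positive slides and the "conflicting objectives" slide above boil down to one rule: keep everything in the knowledge base, filter hard at the point where data reaches a blocking or detecting tool. The added example below (not code from the training or the MISP project) applies that rule to a constructed event in the layout of a MISP JSON export. It keeps an attribute for the feed only if its type is something the tool can consume, its `to_ids` flag is set, it is not tagged as a false positive, and it does not hit a warninglist. The sample event, the two-entry warninglist and the `false-positive:` tag prefix (which assumes the false-positive taxonomy is used in the community) are all constructed for the example; a real deployment would let MISP apply the same filters server-side (`to_ids`, warninglist enforcement and tag filters on the REST search) rather than re-implementing them.

```python
"""Select the strict subset of a MISP event that is safe to push to a protective tool.

Added example, not CIRCL or MISP project code. SAMPLE_EVENT is a constructed
event in the layout of a MISP JSON export (only the fields used here are
present); the warninglist is a stand-in for the lists bundled with MISP.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample event (the values are documentation ranges / example domains).
SAMPLE_EVENT: dict = {
    "Event": {
        "info": "Constructed example: credential phishing campaign",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True, "Tag": []},
            {"type": "ip-dst", "value": "10.0.0.12", "to_ids": True, "Tag": []},
            {"type": "domain", "value": "example.com", "to_ids": True, "Tag": []},
            {"type": "domain", "value": "login-verify.example", "to_ids": True,
             "Tag": [{"name": "tlp:amber"}]},
            {"type": "domain", "value": "stale-cdn.example", "to_ids": True,
             "Tag": [{"name": 'false-positive:risk="high"'}]},
            {"type": "comment", "value": "Campaign targeted the finance sector",
             "to_ids": False, "Tag": []},
            {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
             "to_ids": False, "Tag": []},
        ],
    }
}

# Stand-in warninglist: private ranges and one known-good domain. MISP ships
# far larger lists (RFC 1918, popular domains, CDN ranges, ...).
WARNINGLIST_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WARNINGLIST_DOMAINS = {"example.com"}
FALSE_POSITIVE_TAG_PREFIX = "false-positive:"  # assumes the false-positive taxonomy is in use
FEED_TYPES = {"ip-src", "ip-dst", "domain", "hostname", "md5", "sha1", "sha256"}


def hits_warninglist(attr: dict) -> bool:
    """True if the value is something a blocking tool must never act on."""
    kind, value = attr["type"], attr["value"]
    if kind in ("ip-src", "ip-dst"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in WARNINGLIST_NETWORKS)
    if kind in ("domain", "hostname"):
        return value.lower() in WARNINGLIST_DOMAINS
    return False


def tagged_false_positive(attr: dict) -> bool:
    """True if someone in the community flagged the attribute as a false positive."""
    return any(t["name"].startswith(FALSE_POSITIVE_TAG_PREFIX) for t in attr.get("Tag", []))


def feed_selection(event: dict) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str, str]]]:
    """Split an event into (kept for the feed, dropped with a reason).

    Nothing is deleted from MISP: a dropped attribute stays available to
    analysts for correlation, it just does not reach the IDS or blocklist.
    """
    kept, dropped = [], []
    for attr in event["Event"]["Attribute"]:
        if attr["type"] not in FEED_TYPES:
            reason = "type not consumable by the tool"
        elif not attr["to_ids"]:
            reason = "to_ids flag not set"
        elif tagged_false_positive(attr):
            reason = "tagged as false positive"
        elif hits_warninglist(attr):
            reason = "warninglist hit"
        else:
            reason = None
        if reason is None:
            kept.append((attr["type"], attr["value"]))
        else:
            dropped.append((attr["type"], attr["value"], reason))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = feed_selection(SAMPLE_EVENT)
    print("feed:", kept)
    for kind, value, reason in dropped:
        print(f"kept in MISP, not fed: {kind} {value} ({reason})")
```

Note what survives: the comment, the hash without `to_ids`, the RFC 1918 address and the tagged false positive all stay in the event for the analyst asking "who is targeting me?", while the tool that only wants to block receives two attributes. The order of the checks matters little for correctness, but putting the cheap flag checks before the warninglist lookup keeps the filter fast on large events.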
Managing sub-communities
- Often within a community, smaller bubbles of information sharing will form
- For example: within a national private sector sharing community, a specific community for financial institutions
- Sharing groups serve this purpose mainly
- As a CSIRT running a national community, consider bootstrapping these sharing communities
- Organisations can of course self-organise, but you are the ones with the know-how to get them started
Managing sub-communities
- Consider compartmentalisation: does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
- Use your best judgement to decide which communities should be separated from one another
- Create sharing hubs with manual data transfer
- Some organisations will even have their data air-gapped (feed system)
- Create guidance on what should be shared outside of their bubbles; organisations often lack the insight / experience to decide how to get going. Take the initiative!
Get in touch if you need some help to get started
Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions!
Contact: [email protected]
https://www.circl.lu/
https://github.com/MISP
https://gitter.im/MISP/MISP
https://twitter.com/MISPProject