MISP-ECOSYSTEM
Threat Intelligence, VMRay and MISP
13-Dec-16
Koen Van Impe – koen.vanimpe@cudeso.be
Agenda
• Threat Intelligence
• IoCs
• TLP
• Integrate SIEM
• MISP
• Distribution model
• False positives & Whitelists
• Modules
• VMRay
• Use Case
• E-mail with attachment
13-Dec-16
MISP EcoSystem 2
Threat
• What is a Threat?
• an expression of intent to do harm, i.e. deprive, weaken, damage or destroy;
• an indication of imminent harm;
• an agent that is regarded as harmful;
• a harmful agent's actions comprising tactics, techniques and procedures (TTPs).
13-Dec-16
MISP EcoSystem 3
Cyber threat intelligence - Marketing hype or innovation?
InfoSecurity Europe
Intelligence
• What is Intelligence?
• Information that provides relevant and sufficient understanding
for mitigating the impact of a harmful event
13-Dec-16
MISP EcoSystem 4
Cyber threat intelligence - Marketing hype or innovation?
InfoSecurity Europe
Threat Intelligence
• What is Threat Intelligence?
• Information about threats and threat actors that provides
relevant and sufficient understanding for mitigating the impact
of a harmful event
13-Dec-16
MISP EcoSystem 5
Cyber threat intelligence - Marketing hype or innovation?
InfoSecurity Europe
Threat Intelligence
• Why do you need Threat Intelligence?
• First step in protecting your business
• Understand exposure to threats
• Expanded attack surface
• Weigh defenses towards threats
• Actionable instead of noise
• Get ahead of the game
13-Dec-16
MISP EcoSystem 6
Threat Intelligence & SIEMs
• Insight on network, applications, servers and users
• SIEMs without threat feeds
• Difficult to remove the noise: needle in a haystack
• Why consume threat data in a SIEM?
• Faster, others do the research, you consume
• Instead of "a" connection -> "the" connection
• Fills the blind spots (correlate): things you didn't know
• Not "auto-magic-correlation"
• Additional context
• Prioritize
• Incidents
• Vulnerability management
13-Dec-16
MISP EcoSystem 7
Indicator of Compromise - IoC
• Threat intelligence is more (TTPs!) than just IoCs
• But that's how it's most often used
• Information to identify potentially malicious behavior
• IPs
• Careful with shared hosting
• Domain names
• URLs
• File hashes
• High confidence
• Registry keys
• Mutex
13-Dec-16
MISP EcoSystem 8
Context!
(diagram: the context around an indicator) Target ; Scope ; Attacker ; Sophistication ; Impact ; When ; Why ; Likelihood
Audience : Traffic Light Protocol - TLP
• When and how (threat) information can be shared
• Not a classification scheme
• https://www.first.org/tlp
13-Dec-16
MISP EcoSystem 9
• RED : Strongly limited ; not for disclosure ; participants only ; mostly verbally or in person
• AMBER : Limited, people that act on the information ; restricted to participants' organizations ; sources are at liberty to specify additional intended limits of the sharing
• GREEN : Relaxed, known by the inner-circle ; the community ; not via publicly accessible channels
• WHITE : Open, known by everyone ; disclosure is not limited ; standard copyright rules
Threat Intelligence Platforms
• Lots of buzz (fuss)
• Marketing
• Vendor driven <-> What you really need
13-Dec-16
MISP EcoSystem 10
Threat Intelligence Platforms
• https://www.vanimpe.eu/pewpew/index.html?pew=1
13-Dec-16
MISP EcoSystem 11
MISP - Malware Information Sharing Platform & Threat Sharing
• Started 2012
• Christophe Vandeplas
• CERT for Belgian MoD
• https://github.com/MISP/MISP
• http://www.misp-project.org/
13-Dec-16
MISP EcoSystem 12
MISP – Information Sharing
• Distributed sharing model
• Everyone can be a consumer or contributor
• Based on practical user feedback
• Quick benefit : no obligation to contribute
• Different sharing groups
13-Dec-16
MISP EcoSystem 13
For whom?
• Malware reversers willing to share indicators of analysis
with respective colleagues.
• Security analysts searching, validating and using
indicators in operational security.
• Intelligence analysts gathering information about
specific adversary groups.
• Law-enforcement relying on indicators to support or
bootstrap their DFIR cases.
• Risk analysis teams willing to know about the new
threats, likelihood and occurrences.
• Fraud analysts willing to share financial indicators to
detect financial frauds.
13-Dec-16
MISP EcoSystem 14
I can't share!
• Be a consumer
• MISP groups
• Use OSINT
• Legal restrictions
• Sharing groups and communities
• Convince management to share
• Share without attribution ('ownership change')
13-Dec-16
MISP EcoSystem 15
OSINT Feeds
• Open Source Intelligence
• Community feeds
• Set filter (import) rules
13-Dec-16
MISP EcoSystem 16
MISP Events & Attributes
• Events
• "a threat", for example a new ransomware-run
• Own events
• From connected sites
• Distribution level
• Tagging (TLP, category, ...)
• Attributes
• What is the threat about?
• Sightings
• Network, File hashes, Financial info (CC, Bitcoin)
• Context
• Text
• Correlation with other events
• Seen in other events?
• Proposals
13-Dec-16
MISP EcoSystem 17
MISP Events & Attributes
13-Dec-16
MISP EcoSystem 18
• Multiple attributes per event
False positives
• Misconfigured sandbox
• OS Update traffic
• Browsers fetch CRL
• Routing issues
13-Dec-16
MISP EcoSystem 19
Real False Positive
You need context
Learn TTP
Add "If Then"-logic ; infection check
• 1st : Machine visits "evil.com" ; 2nd : Traffic to "download.microsoft.com" -> Not False Positive -> Incident Response
• Only traffic to "evil.com" -> Not sure compromised or resisted; dive deeper to evaluate situation
• Only traffic to "download.microsoft.com" -> Real False Positive
• Malware checks network connectivity
• Malware changes resolution of important domains
https://soltra.com/en/articles/the-truth-about-false-positives-and-their-root-causes-in-cyber-threat-intelligence/
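The "If Then" infection check above can be written down as a small piece of detection logic. The following is an added example, not code from the deck or from MISP: it reads constructed proxy-log lines (timestamp, host, domain), groups them per host and applies the three outcomes of the slide. The indicator `evil.com` and the connectivity-check domain `download.microsoft.com` are taken from the slide; the log format and the host names are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (not from the deck): "<timestamp> <host> <domain>"
SAMPLE_LOG = """\
2016-12-13T09:00:01 ws-01 evil.com
2016-12-13T09:00:03 ws-01 download.microsoft.com
2016-12-13T09:05:00 ws-02 download.microsoft.com
2016-12-13T09:06:00 ws-03 evil.com
2016-12-13T09:07:00 ws-04 intranet.example
"""

# Assumed indicator from the event, and the benign domain the malware uses for
# its connectivity check (the "2nd" step on the slide).
IOC_DOMAINS = {"evil.com"}
CONNECTIVITY_CHECK_DOMAINS = {"download.microsoft.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<domain>\S+)$")


def parse_log(text):
    """Group (timestamp, domain) visits per host, keeping log order."""
    visits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            visits[m["host"]].append((m["ts"], m["domain"].lower()))
    return visits


def classify_host(visits):
    """Apply the slide's if-then logic to one host's ordered visits."""
    domains = [d for _, d in visits]
    ioc_pos = [i for i, d in enumerate(domains) if d in IOC_DOMAINS]
    if not ioc_pos:
        # download.microsoft.com on its own is OS-update traffic: a real false positive.
        if any(d in CONNECTIVITY_CHECK_DOMAINS for d in domains):
            return "false-positive"
        return "clean"
    # IoC hit followed by the connectivity check matches the TTP: hand over to IR.
    after = domains[ioc_pos[0] + 1:]
    if any(d in CONNECTIVITY_CHECK_DOMAINS for d in after):
        return "incident"
    # Only the IoC: compromised or resisted? Unknown, so dive deeper.
    return "investigate"


def triage(text):
    """Verdict per host, sorted by host name."""
    return {host: classify_host(v) for host, v in sorted(parse_log(text).items())}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(f"{host}: {verdict}")
```

The order of the two visits matters: the connectivity check only counts when it follows the indicator hit, which is why the function looks at `domains[ioc_pos[0] + 1:]` rather than at the whole set.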
False positives - MISP
• Recurring challenge in information sharing
• MISP introduced warninglists
• lists of well-known indicators that can be associated to potential
false positives, errors or mistakes
• Enable per list
• https://github.com/MISP/misp-warninglists
• Alexa Top 100
• Microsoft, Google domains
• RFC 1918
• Alert when adding an attribute that is on the warninglist
• You decide what to do!
• You have to know the logic; MISP cannot do that for you
13-Dec-16
MISP EcoSystem 20
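The warninglist behaviour described above (alert when an attribute matches a well-known indicator, but leave the decision to the analyst) can be reproduced in a few lines. The following is an added example and not the MISP implementation: it uses a constructed stand-in for three lists (RFC 1918 ranges, a few Microsoft and Google domains, a few top-ranked domains); the real lists at https://github.com/MISP/misp-warninglists are far longer and MISP matches them per attribute type in its own code. Attribute type names (`ip-dst`, `domain`, `url`, ...) are MISP's.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for a few MISP warninglists (illustrative values only).
WARNINGLISTS = {
    "rfc1918": {"type": "cidr",
                "values": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
    "microsoft-google": {"type": "hostname",
                         "values": ["microsoft.com", "google.com", "windowsupdate.com"]},
    "alexa-top": {"type": "hostname",
                  "values": ["amazon.com", "facebook.com", "wikipedia.org"]},
}


def _hostname_of(attr_type, value):
    """Hostname to compare: for URLs the host part, otherwise the value itself."""
    if attr_type == "url":
        return (urlparse(value).hostname or "").lower()
    return value.lower().rstrip(".")


def _matches_hostname(host, listed):
    # exact match or any subdomain of the listed name
    return host == listed or host.endswith("." + listed)


def check_attribute(attr_type, value, enabled=None):
    """Names of (enabled) warninglists that match this attribute; [] means no warning."""
    hits = []
    for name, wl in WARNINGLISTS.items():
        if enabled is not None and name not in enabled:
            continue  # lists are enabled per list, as in MISP
        if wl["type"] == "cidr" and attr_type in ("ip-src", "ip-dst"):
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue
            if any(ip in ipaddress.ip_network(c) for c in wl["values"]):
                hits.append(name)
        elif wl["type"] == "hostname" and attr_type in ("domain", "hostname", "url"):
            host = _hostname_of(attr_type, value)
            if any(_matches_hostname(host, listed) for listed in wl["values"]):
                hits.append(name)
    return hits


def annotate(attributes, enabled=None):
    """Alert, don't drop: every attribute comes back with its warnings attached."""
    return [dict(a, warnings=check_attribute(a["type"], a["value"], enabled))
            for a in attributes]


# Constructed attributes an analyst might add from a sandbox report.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "192.168.1.5"},
    {"type": "url", "value": "http://www.google.com/update"},
    {"type": "domain", "value": "evil.example"},
    {"type": "ip-dst", "value": "203.0.113.10"},
]

if __name__ == "__main__":
    for a in annotate(SAMPLE_ATTRIBUTES):
        print(a["type"], a["value"], "->", a["warnings"] or "ok")
```

Note that the sandbox-sourced `192.168.1.5` and `www.google.com` are exactly the misconfigured-sandbox and OS/browser traffic cases from the previous slide; the check only flags them, and whether they are still meaningful in context (for instance as part of the if-then infection check) remains the analyst's call.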
False positives - MISP
13-Dec-16
MISP EcoSystem 21
Whitelists - MISP
• Whitelist attributes from being added to signatures
• Company assets
13-Dec-16
MISP EcoSystem 22
Taxonomies - MISP
• Classification
• JSON
• ENISA, NATO, VERIS
• Your classification
• Machine tags
• Machines can parse it
• Still human-readable
• Tags as filter for distribution
13-Dec-16
MISP EcoSystem 23
Use MISP
• Web UI
• Freetext import : large block of text ; MISP recognizes IoCs
• API access
• PyMISP
• API'ish
• MISP modules
• Import, export, extension
• MISP Galaxy
• large object attached to a MISP event
• Taxonomies
• Workbench
• export attributes
• help on cases outside MISP
13-Dec-16
MISP EcoSystem 24
MISP modules
• Expansion service
• Enrichment, Import, Export
• Extend attributes with information from other service providers
• Can also be your own internal provider
• Extending MISP with expansion modules with zero customization in MISP
• MISP modules can be run on the same system or on a remote server
• https://github.com/MISP/misp-modules
13-Dec-16
MISP EcoSystem 25
MISP modules
• ASN history
• Passive DNS
• Passive SSL
• CVE
• DNS
• PassiveTotal
• Shodan
• Virustotal
• STIX
• VMRay
13-Dec-16
MISP EcoSystem 26
VMRay
• Agentless
• Hypervisor based malware analysis
• OEM Integration
• Embedded into security appliances
• Windows 32b/64b
• 64b kernel rootkits (Turla)
• exe, pdf, docx, swf
13-Dec-16
MISP EcoSystem 27
VMRay
• Analysis in different VMs
• Windows
• Popular office software
• Custom
• Extract IoCs
• Hashes, Mutex
• Network information
• STIX
• JSON-output
• API
• Submit, Retrieve results
• Automation
13-Dec-16
MISP EcoSystem 28
VMRay - Process
13-Dec-16
MISP EcoSystem 29
(diagram: Sample -> Job -> Submission -> Analysis)
MISP EcoSystem
13-Dec-16
MISP EcoSystem 30
(diagram: MISP as the hub between Malware, Network, TTP, Finance / Fraud, Import/Export, Threat Info, Security devices, Forensic data, Enrichment, IR Platforms, API and IoC)
Use Case : E-mail with malware
13-Dec-16
MISP EcoSystem 31
Attachment: AG Wire payment confirmation.doc.z
AG Wire payment confirmation.doc.z: RAR archive data, v1d, os: Win32
MD5 (AG Wire payment confirmation.doc.z) = 56c8abc137aea9e497bee0ebe61d7286
Extract : AG-wirepay-doc.exe
Use Case : E-mail with malware
• We can use static analysis
• limited
• obfuscated
• resource intensive
• Use malware sandboxes
• automated analysis
• behavior
• careful with malware that does sandbox evasion / detection
13-Dec-16
MISP EcoSystem 32
Use Case : MISP and Malware
13-Dec-16
MISP EcoSystem 33
(diagram: Malware -> attach malware sample -> MISP Modules -> submit and import -> IoC -> export hashes and network info -> Network, Forensic data, Security devices, LOKI)
Step 1: Attach malware sample
• Two types of attachment in MISP
• "Regular" attachments
• Payload Delivery
• Antivirus Detection
• IDS flag not set
• Direct downloadable from UI
• Malware samples
• Artifacts Dropped
• Payload Installation
• IDS flag set
• Download via password protected ZIP
13-Dec-16
MISP EcoSystem 34
Step 1: Attach malware sample
13-Dec-16
MISP EcoSystem 35
(embedded screen recording: AddAttachment_orig.move)
Step 2: Submit sample to VMRay
• Via MISP-modules Enrichment
13-Dec-16
MISP EcoSystem 36
Step 2: Submit sample to VMRay
13-Dec-16
MISP EcoSystem 37
(embedded screen recording: Submit_orig.move)
Step 3: Wait for analysis
• VMRay does its magic
• Current MISP-VMRay connector is asynchronous
• Submit
• Wait for analysis to complete
• Import
• (work in progress)
13-Dec-16
MISP EcoSystem 38
Step 4: Import results
• Via MISP-modules Import
• Based on VMRay sample ID
• Do not forget to set IDS flag
• (pending issue request)
13-Dec-16
MISP EcoSystem 39
Step 4: Import results
13-Dec-16
MISP EcoSystem 40
(embedded screen recording: Import_orig.move)
Consume results in SIEM
• API / PyMISP (Python access via API)
• Import feed
• Select tags
• Type, priority, impact
• Set categories
• Based on tags
• Post sightings back to MISP
13-Dec-16
MISP EcoSystem 41
Consume results in NIDS
• Malware analysis revealed network IoCs
• Low confidence when it concerns shared hosting IPs
• Generate NIDS rules
• automatic or manual
• Set of SNORT rules
13-Dec-16
MISP EcoSystem 42
End-point investigation
• YARA rules
• Signature based detection
• File hashes
• High confidence
• Slow
• Get files
• Investigate
• High reward
• Use perimeter sandbox
• Before delivery
• Queued
13-Dec-16
MISP EcoSystem 43
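The three consumer slides above (SIEM feed, NIDS rules, end-point hash checks) all start from the same MISP event export, so one added example covers them. It is not code from the deck, from MISP or from PyMISP: it parses a constructed event in the shape of MISP's JSON export (the MD5 is the one from the use-case slide, the network values are documentation addresses), keeps only attributes with the IDS flag set (which is why step 4 insists on it), and turns them into Snort rules, a YARA hash rule for end-point investigation and flat rows for a SIEM lookup. The attribute types, `to_ids` flag and `tlp:` tag are MISP's; the rule messages, SID range and classtype are assumptions.

```python
import json

# Constructed MISP event in the shape of MISP's JSON export.
EVENT_JSON = json.dumps({
    "Event": {
        "id": "1234",
        "info": "E-mail with malicious attachment",
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [
            {"type": "md5", "category": "Payload delivery",
             "value": "56c8abc137aea9e497bee0ebe61d7286", "to_ids": True},
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.10", "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "evil.example", "to_ids": True},
            # shared-hosting IP: kept as context, IDS flag deliberately not set
            {"type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.7", "to_ids": False,
             "comment": "shared hosting, low confidence"},
        ],
    }
})


def load_event(text):
    return json.loads(text)["Event"]


def tlp_of(event):
    """First tlp:* tag on the event, or None when it carries no TLP tag."""
    for tag in event.get("Tag", []):
        if tag["name"].startswith("tlp:"):
            return tag["name"]
    return None


def ids_attributes(event, types=None):
    """Only attributes the analyst flagged with to_ids become detection content."""
    return [a for a in event["Attribute"]
            if a.get("to_ids") and (types is None or a["type"] in types)]


def dns_content(domain):
    """Name as it appears in a DNS query: length-prefixed labels, e.g. |04|evil|07|example|00|."""
    return "".join(f"|{len(label):02x}|{label}" for label in domain.split(".")) + "|00|"


def snort_rules(event, sid_base=3000000):
    """One Snort rule per IDS-flagged ip-dst / domain attribute (assumed SID range)."""
    rules = []
    for n, a in enumerate(ids_attributes(event, {"ip-dst", "domain"}), start=1):
        msg = f'MISP e{event["id"]} {a["type"]} {a["value"]}'
        if a["type"] == "ip-dst":
            rules.append(f'alert ip $HOME_NET any -> {a["value"]} any (msg:"{msg}"; '
                         f'classtype:trojan-activity; sid:{sid_base + n}; rev:1;)')
        else:
            rules.append(f'alert udp $HOME_NET any -> any 53 (msg:"{msg}"; '
                         f'content:"{dns_content(a["value"])}"; nocase; '
                         f'classtype:trojan-activity; sid:{sid_base + n}; rev:1;)')
    return rules


def yara_hash_rule(event):
    """YARA rule (hash module) matching any IDS-flagged MD5 of the event; None if there are none."""
    hashes = ids_attributes(event, {"md5"})
    if not hashes:
        return None
    cond = " or\n    ".join(f'hash.md5(0, filesize) == "{a["value"]}"' for a in hashes)
    return (f'import "hash"\n\nrule misp_event_{event["id"]}_hashes {{\n'
            f'  meta:\n    source = "MISP event {event["id"]}"\n'
            f'  condition:\n    {cond}\n}}')


def siem_lookup(event):
    """Flat rows for a SIEM lookup: value, type, originating event and its TLP."""
    tlp = tlp_of(event)
    return [{"value": a["value"], "type": a["type"], "event": event["id"], "tlp": tlp}
            for a in ids_attributes(event)]


if __name__ == "__main__":
    ev = load_event(EVENT_JSON)
    print("\n".join(snort_rules(ev)))
    print(yara_hash_rule(ev))
    for row in siem_lookup(ev):
        print(row)
```

Carrying the TLP tag into the SIEM rows is what lets the consumer side respect the audience rules from the TLP slide: an `tlp:amber` row can feed internal correlation but should not be forwarded to a channel outside the participants' organizations.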
End-point investigation
• Loki
• https://github.com/Neo23x0/Loki
• Fetch YARA rules from MISP
• File hashes
13-Dec-16
MISP EcoSystem 44
End-point investigation
• FireEye – Redline
• Memory acquisition
• Drive acquisition
• Per image
• Dedicated
• You know the hosts in scope
13-Dec-16
MISP EcoSystem 45
End-point investigation
• Nessus
• Plugin 65548
• Search custom file hashes
13-Dec-16
MISP EcoSystem 46
MISP – The Future
• MISP Modules
• via MISP Hackathon
• MISP Objects
• Semi dynamic data model
• Share the object design along with the events shared
• MISP Galaxy
• Large object -> cluster
• Threat actors, campaigns
• MISP Workbench
• Use attributes outside MISP for further investigation
13-Dec-16
MISP EcoSystem 47
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...nilamkumrai
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Datingkojalkojal131
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 

Recently uploaded (20)

Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
( Pune ) VIP Baner Call Girls 🎗️ 9352988975 Sizzling | Escorts | Girls Are Re...
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft DatingDubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
Dubai Call Girls Milky O525547819 Call Girls Dubai Soft Dating
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 

MISP EcoSystem - Threat Intelligence, VMRay, MISP

  • 1. MISP-ECOSYSTEM: Threat Intelligence, VMRay and MISP, 13-Dec-16, Koen Van Impe – koen.vanimpe@cudeso.be
  • 2. Agenda
    • Threat Intelligence: IoCs, TLP, Integrate SIEM
    • MISP: Distribution model, False positives & Whitelists, Modules
    • VMRay
    • Use Case: E-mail with attachment
  • 3. Threat
    • What is a Threat?
      • an expression of intent to do harm, i.e. deprive, weaken, damage or destroy;
      • an indication of imminent harm;
      • an agent that is regarded as harmful;
      • a harmful agent's actions comprising tactics, techniques and procedures (TTPs).
    • Source: Cyber threat intelligence - Marketing hype or innovation? (InfoSecurity Europe)
  • 4. Intelligence
    • What is Intelligence?
      • Information that provides relevant and sufficient understanding for mitigating the impact of a harmful event
    • Source: Cyber threat intelligence - Marketing hype or innovation? (InfoSecurity Europe)
  • 5. Threat Intelligence
    • What is Threat Intelligence?
      • Information about threats and threat actors that provides relevant and sufficient understanding for mitigating the impact of a harmful event
    • Source: Cyber threat intelligence - Marketing hype or innovation? (InfoSecurity Europe)
  • 6. Threat Intelligence
    • Why do you need Threat Intelligence?
      • First step in protecting your business
      • Understand exposure to threats
      • Expanded attack surface
      • Weigh defenses towards threats
      • Actionable instead of noise
      • Get ahead of the game
  • 7. Threat Intelligence & SIEMs
    • Insight on network, applications, servers and users
    • SIEMs without threat feeds: difficult to remove the noise, needle in a haystack
    • Why consume threat data in a SIEM?
      • Faster: others do the research, you consume
      • Instead of "a" connection -> "the" connection
      • Fills the blind spots (correlate): things you didn't know
      • Not "auto-magic correlation"
      • Additional context
      • Prioritize: incidents, vulnerability management
  • 8. Indicator of Compromise - IoC
    • Threat intelligence is more (TTPs!) than just IoCs, but that's how it's most often used
    • Information to identify potentially malicious behavior
      • IPs (careful with shared hosting)
      • Domain names
      • URLs
      • File hashes (high confidence)
      • Registry keys
      • Mutex
    • Context! Target, scope, attacker, sophistication, impact, when, why, likelihood
  • 9. Audience: Traffic Light Protocol - TLP
    • When and how (threat) information can be shared
    • Not a classification scheme
    • https://www.first.org/tlp
    • RED: strongly limited; not for disclosure; participants only; mostly verbally or in person
    • AMBER: limited, people that act on the information; restricted to participants' organizations; sources are at liberty to specify additional intended limits of the sharing
    • GREEN: relaxed, known by the inner circle; the community; not via publicly accessible channels
    • WHITE: open, known by everyone; disclosure is not limited; standard copyright rules
  • 10. Threat Intelligence Platforms
    • Lots of buzz (fuss)
    • Marketing
    • Vendor driven <-> what you really need
  • 11. Threat Intelligence Platforms
    • https://www.vanimpe.eu/pewpew/index.html?pew=1
  • 12. MISP - Malware Information Sharing Platform & Threat Sharing
    • Started 2012
    • Christophe Vandeplas, CERT for Belgian MoD
    • https://github.com/MISP/MISP
    • http://www.misp-project.org/
  • 13. MISP – Information Sharing
    • Distributed sharing model
    • Everyone can be a consumer or contributor
    • Based on practical user feedback
    • Quick benefit: no obligation to contribute
    • Different sharing groups
  • 14. For whom?
    • Malware reversers willing to share indicators of analysis with respective colleagues.
    • Security analysts searching, validating and using indicators in operational security.
    • Intelligence analysts gathering information about specific adversary groups.
    • Law enforcement relying on indicators to support or bootstrap their DFIR cases.
    • Risk analysis teams willing to know about the new threats, likelihood and occurrences.
    • Fraud analysts willing to share financial indicators to detect financial fraud.
  • 15. I can't share!
    • Be a consumer
      • MISP groups
      • Use OSINT
    • Legal restrictions
      • Sharing groups and communities
      • Convince management to share
      • Share without attribution ('ownership change')
  • 16. OSINT Feeds
    • Open Source Intelligence
    • Community feeds
    • Set filter (import) rules
  • 17. MISP Events & Attributes
    • Events
      • "a threat", for example a new ransomware run
      • Own events / from connected sites
      • Distribution level
      • Tagging (TLP, category, ...)
    • Attributes
      • What is the threat about?
      • Sightings
      • Network, file hashes, financial info (CC, Bitcoin)
      • Context: text
      • Correlation with other events: seen in other events?
      • Proposals
  • 18. MISP Events & Attributes
    • Multiple attributes per event
  • 19. False positives
    • Common causes: misconfigured sandbox, OS update traffic, browsers fetching a CRL, routing issues
    • You need context: learn the TTP and add "If Then" logic (infection check)
      • Only traffic to "download.microsoft.com": real false positive
      • 1st: machine visits "evil.com"; 2nd: traffic to "download.microsoft.com": not a false positive (malware checks network connectivity, or malware changes the resolution of important domains) -> incident response
      • Only traffic to "evil.com": not sure whether compromised or resisted; dive deeper to evaluate the situation
    • https://soltra.com/en/articles/the-truth-about-false-positives-and-their-root-causes-in-cyber-threat-intelligence/
  • 20. False positives - MISP
    • Recurring challenge in information sharing
    • MISP introduced warninglists: lists of well-known indicators that can be associated with potential false positives, errors or mistakes
      • Enable per list
      • https://github.com/MISP/misp-warninglists
      • Alexa Top 100, Microsoft and Google domains, RFC 1918
    • Alert when adding an attribute that is on the warninglist
    • You decide what to do! You have to "know" the logic; MISP can not do that for you
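The two ideas from slides 19 and 20, warninglist alerts on attributes and the per-host "If Then" infection check, as an added example that is not part of the presentation or of MISP itself; the warninglist entries, domain names and proxy log lines are all constructed for the demo, and "evil.example" stands in for the slide's "evil.com".

```python
"""Warninglist check and "If Then" infection logic (added example, not MISP code)."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a few misp-warninglists entries; the real lists are
# JSON files with many more values, only a handful are used so this runs offline.
WARNINGLIST_CIDRS = [ipaddress.ip_network(c) for c in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918
WARNINGLIST_DOMAINS = {"microsoft.com", "google.com", "windowsupdate.com"}  # vendor domains


def warninglist_hits(attr_type, value):
    """Return the warninglist names an attribute would trigger when added ([] if none)."""
    hits = []
    if attr_type in ("ip-src", "ip-dst"):
        if any(ipaddress.ip_address(value) in net for net in WARNINGLIST_CIDRS):
            hits.append("rfc1918")
    elif attr_type in ("domain", "hostname"):
        labels = value.lower().rstrip(".").split(".")
        # Match the name itself and every parent domain, so that
        # download.microsoft.com is caught by the microsoft.com entry.
        if any(".".join(labels[i:]) in WARNINGLIST_DOMAINS for i in range(len(labels) - 1)):
            hits.append("known-vendor-domain")
    return hits


# Constructed proxy log: "HH:MM:SS host destination", one request per line.
PROXY_LOG = """\
10:00:01 ws-17 evil.example
10:00:04 ws-17 download.microsoft.com
10:02:10 ws-22 evil.example
10:05:00 ws-31 download.microsoft.com
"""

MALICIOUS_DOMAINS = {"evil.example"}                      # IoC from the shared event
CONNECTIVITY_CHECK_DOMAINS = {"download.microsoft.com"}   # benign, but used by the malware to test connectivity


def classify_hosts(log_text):
    """Apply the slide's If-Then logic per host and return {host: verdict}.

    infected       : malicious domain first, then a connectivity check -> sample ran and phoned home
    investigate    : only the malicious domain -> not sure whether it was blocked, dive deeper
    false-positive : only benign traffic that happens to sit on a feed
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, dest = line.split()
        per_host[host].append((ts, dest))
    verdicts = {}
    for host, visits in per_host.items():
        dests = [d for _, d in sorted(visits)]           # order matters for the logic
        first_bad = next((i for i, d in enumerate(dests) if d in MALICIOUS_DOMAINS), None)
        if first_bad is None:
            verdicts[host] = "false-positive"
        elif any(d in CONNECTIVITY_CHECK_DOMAINS for d in dests[first_bad + 1:]):
            verdicts[host] = "infected"
        else:
            verdicts[host] = "investigate"
    return verdicts


if __name__ == "__main__":
    print(warninglist_hits("ip-dst", "192.168.1.10"))    # ['rfc1918']
    print(classify_hosts(PROXY_LOG))
```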
  • 21. False positives - MISP (screenshot)
  • 22. Whitelists - MISP
    • Whitelist attributes from being added to signatures
    • Company assets
  • 23. Taxonomies - MISP
    • Classification
      • JSON
      • ENISA, NATO, VERIS
      • Your classification
    • Machine tags
      • Machines can parse it
      • Still human-readable
    • Tags as filter for distribution
  • 24. Use MISP
    • Web UI
      • Freetext import: large block of text; MISP recognizes IoCs
    • API access
      • PyMISP
    • API'ish
      • MISP modules: import, export, extension
      • MISP Galaxy: large object attached to a MISP event
      • Taxonomies
      • Workbench: export attributes, help on cases outside MISP
  • 25. MISP modules
    • Expansion service
    • Enrichment, Import, Export
    • Extend attributes with information from other service providers
    • Can also be your own internal provider
    • Extending MISP with expansion modules with zero customization in MISP
    • MISP modules can be run on the same system or on a remote server
    • https://github.com/MISP/misp-modules
  • 26. MISP modules
    • ASN history
    • Passive DNS
    • Passive SSL
    • CVE
    • DNS
    • PassiveTotal
    • Shodan
    • Virustotal
    • STIX
    • VMRay
  • 27. VMRay
    • Agentless
    • Hypervisor based malware analysis
    • OEM Integration: embedded into security appliances
    • Windows
      • 32b/64b
      • 64b kernel rootkits (Turla)
      • exe, pdf, docx, swf
  • 28. VMRay
    • Analysis in different VMs
      • Windows
      • Popular office software
      • Custom
    • Extract IoCs
      • Hashes, Mutex
      • Network information
      • STIX
      • JSON output
    • API
      • Submit, retrieve results
      • Automation
  • 29. VMRay - Process
    • (process diagram: Sample, Job, Submission, Analysis)
  • 30. MISP EcoSystem
    • (diagram: Malware, Network, TTP, Finance / Fraud, Import/Export, Threat Info, Security devices, Forensic data, Enrichment, IR Platforms, API, IoC)
  • 31. Use Case: E-mail with malware
    • Attachment: AG Wire payment confirmation.doc.z
    • AG Wire payment confirmation.doc.z: RAR archive data, v1d, os: Win32
    • MD5 (AG Wire payment confirmation.doc.z) = 56c8abc137aea9e497bee0ebe61d7286
    • Extract: AG-wirepay-doc.exe
  • 32. Use Case: E-mail with malware
    • We can use static analysis
      • limited
      • obfuscated
      • resource intensive
    • Use malware sandboxes
      • automated analysis
      • behavior
      • careful with malware that does sandbox evasion / detection
  • 33. Use Case: MISP and Malware
    • (diagram: Malware -> MISP (attach malware sample) -> Modules (submit and import) -> IoC (export hashes and network info) -> Network, Forensic data, Security devices, LOKI)
  • 34. Step 1: Attach malware sample
    • Two types of attachment in MISP
    • "Regular" attachments
      • Payload Delivery
      • Antivirus Detection
      • IDS flag not set
      • Directly downloadable from UI
    • Malware samples
      • Artifacts Dropped
      • Payload Installation
      • IDS flag set
      • Download via password protected ZIP
  • 35. Step 1: Attach malware sample
    • (embedded video: AddAttachment_orig.move)
  • 36. Step 2: Submit sample to VMRay
    • Via MISP-modules Enrichment
  • 37. Step 2: Submit sample to VMRay
    • (embedded video: Submit_orig.move)
  • 38. Step 3: Wait for analysis
    • VMRay does its magic
    • Current MISP-VMRay connector is asynchronous
      • Submit
      • Wait for analysis to complete
      • Import
    • (work in progress)
  • 39. Step 4: Import results
    • Via MISP-modules Import
    • Based on VMRay sample ID
    • Do not forget to set IDS flag (pending issue request)
  • 40. Step 4: Import results
    • (embedded video: Import_orig.move)
  • 41. Consume results in SIEM
    • API / PyMISP (Python access via API)
    • Import feed
      • Select tags: type, priority, impact
      • Set categories based on tags
    • Post sightings back to MISP
  • 42. Consume results in NIDS
    • Malware analysis revealed network IoCs
    • Low confidence when it concerns shared hosting IPs
    • Generate NIDS rules: automatic or manual
    • Set of SNORT rules
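Slides 41 and 42 together, consuming a MISP event in a SIEM and turning its network IoCs into Snort rules, as an added example that is neither the presentation's code nor MISP's or PyMISP's. The event JSON is constructed (a real one comes from the MISP REST API or PyMISP) but follows the MISP event/attribute layout and to_ids flag; the "shared-hosting" attribute tag and the priority: tags are a constructed convention for the slide's low-confidence and priority ideas.

```python
"""Consume a MISP event in a SIEM and NIDS pipeline (added example, not MISP or PyMISP code)."""
import json

# Constructed MISP-style event; in practice this JSON comes from the MISP REST API or PyMISP.
# Attribute types, categories and the to_ids flag follow the MISP data model; the
# 'shared-hosting' tag on the IP is a constructed convention for low-confidence indicators.
EVENT_JSON = json.dumps({
    "Event": {
        "id": "1234",
        "info": "AG Wire payment confirmation (constructed demo event)",
        "Tag": [{"name": "tlp:amber"}, {"name": "priority:high"}],
        "Attribute": [
            {"type": "md5", "category": "Payload delivery", "to_ids": True,
             "value": "56c8abc137aea9e497bee0ebe61d7286"},
            {"type": "domain", "category": "Network activity", "to_ids": True,
             "value": "c2.evil.example"},
            {"type": "ip-dst", "category": "Network activity", "to_ids": True,
             "value": "198.51.100.7", "Tag": [{"name": "shared-hosting"}]},
            {"type": "comment", "category": "Other", "to_ids": False,
             "value": "analyst note, never exported to detection"},
        ],
    }
})

PRIORITY_BY_TAG = {"priority:high": 1, "priority:medium": 2, "priority:low": 3}


def siem_records(event_json):
    """Flatten the attributes with the IDS flag set into records a SIEM can ingest."""
    ev = json.loads(event_json)["Event"]
    tags = {t["name"] for t in ev.get("Tag", [])}
    priority = min((PRIORITY_BY_TAG[t] for t in tags if t in PRIORITY_BY_TAG), default=3)
    tlp = next((t for t in sorted(tags) if t.startswith("tlp:")), "tlp:none")
    records = []
    for attr in ev["Attribute"]:
        if not attr.get("to_ids"):          # comments, analyst text and so on stay out of detection
            continue
        attr_tags = {t["name"] for t in attr.get("Tag", [])}
        records.append({
            "event_id": ev["id"], "type": attr["type"], "value": attr["value"],
            "category": attr["category"], "priority": priority, "tlp": tlp,
            "confidence": "low" if "shared-hosting" in attr_tags else "high",
        })
    return records


def dns_content(domain):
    """Encode a domain as the length-prefixed DNS wire labels, in Snort |hex| content syntax."""
    wire = b"".join(bytes([len(label)]) + label.encode()
                    for label in domain.lower().split(".")) + b"\x00"
    return "|" + " ".join(f"{b:02x}" for b in wire) + "|"


def snort_rules(event_json, base_sid=9000000):
    """Build Snort rules for the network IoCs; low-confidence IPs are logged, not alerted on."""
    rules = []
    for rec in siem_records(event_json):
        sid = base_sid + len(rules)
        msg = f'MISP event {rec["event_id"]} {rec["type"]} {rec["value"]}'
        if rec["type"] in ("domain", "hostname"):
            # Match the queried name inside DNS requests rather than the dotted string.
            rules.append(f'alert udp $HOME_NET any -> any 53 (msg:"{msg}"; '
                         f'content:"{dns_content(rec["value"])}"; sid:{sid}; rev:1;)')
        elif rec["type"] == "ip-dst":
            action = "alert" if rec["confidence"] == "high" else "log"
            rules.append(f'{action} ip $HOME_NET any -> {rec["value"]} any (msg:"{msg}"; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for rule in snort_rules(EVENT_JSON):
        print(rule)
```

The md5 record is kept for the SIEM and for the end-point tooling on the following slides but produces no Snort rule, since a file hash is not something a NIDS can match on the wire.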
  • 43. End-point investigation
    • YARA rules: signature based detection
    • File hashes: high confidence
    • Slow: get files, investigate
    • High reward
    • Use perimeter sandbox: before delivery, queued
  • 44. End-point investigation
    • Loki
    • https://github.com/Neo23x0/Loki
    • Fetch YARA rules from MISP
    • File hashes
  • 45. End-point investigation
    • FireEye – Redline
    • Memory acquisition
    • Drive acquisition
    • Per image, dedicated
    • You know the hosts in scope
  • 46. End-point investigation
    • Nessus
    • Plugin 65548
    • Search custom file hashes
  • 47. MISP – The Future
    • MISP Modules: via MISP Hackathon
    • MISP Objects
      • Semi dynamic data model
      • Share the object design along with the events shared
    • MISP Galaxy
      • Large object -> cluster
      • Threat actors, campaigns
    • MISP Workbench
      • Use attributes outside MISP for further investigation

Editor's Notes

  1. Expression of intent to do harm; contains tactics, techniques and procedures.
  2. Intelligence is the information that adds the context.
  3. Combining threat and intelligence allows you to evaluate if a certain threat is a problem for your environment.
  4. Why do you need threat intelligence? To evaluate if a certain new attack pattern is a threat to your environment, change your defenses for this new threat, and get ahead of the game: instead of allowing an attacker to get a strong foothold in your organisation, detect the attack in the early stages of the intrusion.
  5. Threat intelligence is often used in combination with SIEMs. SIEM: connection to an IP, no context. Threat: IP is marked as possibly malicious; investigate other actions done by the host that started the connection.
  6. IoCs are how we most often consume threat intelligence; the most visible part, but there's more.
  7. Notes about with whom you share information. You don't want to share with the whole world, otherwise attackers get informed that their actions have been discovered. Color scheme to describe with whom and how you share; from RED (restricted) to WHITE (open).
  8. Started in 2012 by the Belgian Ministry of Defense as a malware information sharing platform; evolved to a threat sharing platform; since a couple of years taken over by CIRCL, the LU private CERT.
  9. Distributed sharing model: everyone can contribute or consume. Everyone adds their own bits & pieces found to the threat data, then describes with whom and how it can be shared -> through the distributed nature of MISP.
  10. Correlation: attributes added to an event; if they already exist MISP will connect them together. Proposal: if you don't agree with an attribute you can propose a "change", or add your own attribute. The owner of the threat event can then decide to accept the proposal. Exchange of proposals happens the same way as distribution of threat event data in MISP.
  11. When adding events or attributes you'll have to deal with false positives; as always, "context" is important. Looking at an attribute without the context you can not decide if something is a false positive or not. Add the context, the logic (different attributes) to evaluate if something is really a problem. Example: connection to evil.com; malware gets downloaded and installed and then does a network connectivity test.
  12. Protect your own assets from ending up in signatures.
  13. Taxonomies are a classification scheme to describe what a threat is about, provided by for example ENISA, VERIS, NATO, etc. Human: visually know what the threat is about. Machine: used for distribution and import/export to security devices.
  14. Sightings allow you to vouch that an attribute is "valuable".