2. Agenda
• Threat Intelligence
• IoCs
• TLP
• Integrate SIEM
• MISP
• Distribution model
• False positives & Whitelists
• Modules
• VMRay
• Use Case
• E-mail with attachment
13-Dec-16
MISP EcoSystem 2
3. Threat
• What is a Threat?
• an expression of intent to do harm, i.e. deprive, weaken, damage or
destroy;
• an indication of imminent harm;
• an agent that is regarded as harmful;
• a harmful agent's actions, comprising tactics, techniques and procedures (TTPs).
Cyber threat intelligence - Marketing hype or innovation?
InfoSecurity Europe
4. Intelligence
• What is Intelligence?
• Information that provides relevant and sufficient understanding
for mitigating the impact of a harmful event
5. Threat Intelligence
• What is Threat Intelligence?
• Information about threats and threat actors that provides
relevant and sufficient understanding for mitigating the impact
of a harmful event
6. Threat Intelligence
• Why do you need Threat Intelligence?
• First step in protecting your business
• Understand exposure to threats
• Expanded attack surface
• Weigh defenses towards threats
• Actionable instead of noise
• Get ahead of the game
7. Threat Intelligence & SIEMs
• Insight on network, applications, servers and users
• SIEMs without threat feeds
• Difficult to remove the noise: needle in a haystack
• Why consume threat data in a SIEM?
• Faster, others do the research, you consume
• Instead of "a" connection -> "the" connection
• Fills the blind spots (correlate): things you didn't know
• Not "auto-magic-correlation"
• Additional context
• Prioritize
• Incidents
• Vulnerability management
8. Indicator of Compromise - IoC
• Threat intelligence is more (TTPs!) than just IoCs
• But that's how it's most often used
• Information to identify potentially malicious behavior
• IPs
• Careful with shared hosting
• Domain names
• URLs
• File hashes
• High confidence
• Registry keys
• Mutex
Figure: Context! An IoC needs context to be useful: Target, Scope, Attacker, Sophistication, Impact, When, Why, Likelihood.
9. Audience : Traffic Light Protocol - TLP
• When and how (threat) information can be shared
• Not a classification scheme
• https://www.first.org/tlp
• RED: strongly limited; not for disclosure; participants only; mostly shared verbally or in person
• AMBER: limited, people that act on the information; restricted to participants' organizations; sources are at liberty to specify additional intended limits of the sharing
• GREEN: relaxed, known by the inner circle; the community; not via publicly accessible channels
• WHITE: open, known by everyone; disclosure is not limited; standard copyright rules apply
10. Threat Intelligence Platforms
• Lots of buzz (fuss)
• Marketing
• Vendor driven <-> What you really need
12. MISP - Malware Information Sharing Platform & Threat Sharing
• Started 2012
• Christophe Vandeplas
• CERT for Belgian MoD
• https://github.com/MISP/MISP
• http://www.misp-project.org/
13. MISP – Information Sharing
• Distributed sharing model
• Everyone can be a consumer or contributor
• Based on practical user feedback
• Quick benefit : no obligation to contribute
• Different sharing groups
14. For whom?
• Malware reversers willing to share indicators of analysis
with respective colleagues.
• Security analysts searching, validating and using
indicators in operational security.
• Intelligence analysts gathering information about
specific adversary groups.
• Law-enforcement relying on indicators to support or
bootstrap their DFIR cases.
• Risk analysis teams willing to know about the new
threats, likelihood and occurrences.
• Fraud analysts willing to share financial indicators to
detect financial frauds.
15. I can't share!
• Be a consumer
• MISP groups
• Use OSINT
• Legal restrictions
• Sharing groups and communities
• Convince management to share
• Share without attribution ('ownership change')
16. OSINT Feeds
• Open Source Intelligence
• Community feeds
• Set filter (import) rules
17. MISP Events & Attributes
• Events
• "a threat", for example a new ransomware run
• Own events
• From connected sites
• Distribution level
• Tagging (TLP, category, ...)
• Attributes
• What is the threat about?
• Sightings
• Network, File hashes, Financial info (CC, Bitcoin)
• Context
• Text
• Correlation with other events
• Seen in other events?
• Proposals
19. False positives
• Misconfigured sandbox
• OS Update traffic
• Browsers fetch CRL
• Routing issues
Figure: real false positive vs. incident. You need context: learn the TTP and add "If Then" logic (an infection check).
• Traffic to "download.microsoft.com" on its own: real false positive
• 1st: machine visits "evil.com"; 2nd: traffic to "download.microsoft.com" (malware checks network connectivity; malware changes resolution of important domains): not a false positive, incident response
• Only traffic to "evil.com": not sure whether compromised or resisted; dive deeper to evaluate the situation
Source: https://soltra.com/en/articles/the-truth-about-false-positives-and-their-root-causes-in-cyber-threat-intelligence/
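The "If Then" infection check from the figure, as an added example that is not part of the slides: it runs over constructed proxy log lines and only escalates an IoC hit on "evil.com" when the same client then shows the follow-up behaviour the TTP predicts. The log format, the verdict labels and the indicator sets are assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <client_ip> <destination_host>"
SAMPLE_LOG = """\
2016-12-13T09:00:01 10.0.0.5 download.microsoft.com
2016-12-13T09:01:10 10.0.0.7 evil.com
2016-12-13T09:01:12 10.0.0.7 download.microsoft.com
2016-12-13T09:02:30 10.0.0.9 evil.com
2016-12-13T09:03:00 10.0.0.5 windowsupdate.microsoft.com
"""

IOC_DOMAINS = {"evil.com"}                       # indicator from threat intel
CONNECTIVITY_CHECK = {"download.microsoft.com"}  # TTP: post-infection check


def parse_log(text):
    """Yield (timestamp, client, host) tuples in file order."""
    for line in text.splitlines():
        if line.strip():
            ts, client, host = line.split()
            yield ts, client, host.lower()


def infection_check(log_text):
    """Apply the slide's If-Then logic per client and return {client: verdict}:
    IoC hit followed by the connectivity check  -> "incident"
    IoC hit without follow-up                   -> "investigate"
    connectivity-check domain only              -> "false_positive"
    Clients that touch neither set get no verdict at all."""
    hosts_by_client = defaultdict(list)
    for _, client, host in parse_log(log_text):
        hosts_by_client[client].append(host)
    verdicts = {}
    for client, hosts in hosts_by_client.items():
        ioc_hits = [i for i, h in enumerate(hosts) if h in IOC_DOMAINS]
        if not ioc_hits:
            if any(h in CONNECTIVITY_CHECK for h in hosts):
                verdicts[client] = "false_positive"  # OS update traffic
            continue
        # Order matters: the check must come AFTER the first IoC hit.
        after_hit = hosts[ioc_hits[0] + 1:]
        followed = any(h in CONNECTIVITY_CHECK for h in after_hit)
        verdicts[client] = "incident" if followed else "investigate"
    return verdicts
```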
20. False positives - MISP
• Recurring challenge in information sharing
• MISP introduced warninglists
• lists of well-known indicators that can be associated to potential
false positives, errors or mistakes
• Enable per list
• https://github.com/MISP/misp-warninglists
• Alexa Top 100
• Microsoft, Google domains
• RFC 1918
• Alert when adding an attribute that is on the warninglist
• You decide what to do!
• You have to "know" the logic; MISP cannot do that for you
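A warninglist check run when an attribute is about to be added, as an added example that is not MISP project code: a hit only produces an alert and leaves the decision to the analyst. The two lists are constructed inline in the shape the misp-warninglists JSON files use (name, type, list, matching_attributes), which is an assumption here; only the "cidr" and "hostname" list types are implemented.

```python
import ipaddress

# Constructed warninglists: RFC 1918 ranges and a few well-known vendor domains.
WARNINGLISTS = [
    {"name": "RFC 1918 private ranges", "type": "cidr",
     "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
     "matching_attributes": ["ip-src", "ip-dst", "domain|ip"]},
    {"name": "Well-known Microsoft and Google domains", "type": "hostname",
     "list": ["microsoft.com", "windowsupdate.com", "google.com"],
     "matching_attributes": ["domain", "hostname", "url"]},
]


def _hostname_hit(value, entries):
    """True when the host part of value equals an entry or is a subdomain of it."""
    host = value.lower().split("://")[-1].split("/")[0]
    return any(host == e or host.endswith("." + e) for e in entries)


def _cidr_hit(value, entries):
    """True when value (or the IP half of a domain|ip value) lies in a CIDR entry."""
    try:
        ip = ipaddress.ip_address(value.split("|")[-1])
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(e) for e in entries)


MATCHERS = {"hostname": _hostname_hit, "cidr": _cidr_hit}


def check_attribute(attr_type, value, lists=WARNINGLISTS):
    """Return the names of the enabled warninglists this attribute hits.
    An empty list means no alert; a non-empty one is a warning for the
    analyst, not an automatic rejection (you decide what to do)."""
    hits = []
    for wl in lists:
        if attr_type not in wl["matching_attributes"]:
            continue  # list does not apply to this attribute type
        if MATCHERS[wl["type"]](value, wl["list"]):
            hits.append(wl["name"])
    return hits
```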
22. Whitelists - MISP
• Whitelist attributes from being added to signatures
• Company assets
23. Taxonomies - MISP
• Classification
• JSON
• ENISA, NATO, VERIS
• Your classification
• Machine tags
• Machines can parse it
• Still human-readable
• Tags as filter for distribution
24. Use MISP
• Web UI
• Freetext import : large block of text ; MISP recognizes IoCs
• API access
• PyMISP
• API'ish
• MISP modules
• Import, export, extension
• MISP Galaxy
• large object attached to a MISP event
• Taxonomies
• Workbench
• export attributes
• help on cases outside MISP
25. MISP modules
• Expansion service
• Enrichment, Import, Export
• Extend attributes with information from other service providers
• Can also be your own internal provider
• Extending MISP with expansion modules with zero customization in MISP
• MISP modules can be run on the same system or on a remote server
• https://github.com/MISP/misp-modules
26. MISP modules
• ASN history
• Passive DNS
• Passive SSL
• CVE
• DNS
• PassiveTotal
• Shodan
• Virustotal
• STIX
• VMRay
30. MISP EcoSystem
Figure: MISP at the centre of an ecosystem. Inputs: Malware, Network, TTP, Finance / Fraud, Threat Info, IoC. Interfaces: Import/Export, Enrichment, API. Consumers: Security devices, Forensic data, IR Platforms.
31. Use Case : E-mail with malware
Attachment: AG Wire payment confirmation.doc.z
AG Wire payment confirmation.doc.z: RAR archive data, v1d, os: Win32
MD5 (AG Wire payment confirmation.doc.z) = 56c8abc137aea9e497bee0ebe61d7286
Extract: AG-wirepay-doc.exe
32. Use Case : E-mail with malware
• We can use static analysis
• limited
• obfuscated
• resource intensive
• Use malware sandboxes
• automated analysis
• behavior
• careful with malware that does sandbox evasion / detection
33. Use Case : MISP and Malware
Figure: Malware -> MISP (attach malware sample) -> MISP Modules (submit and import) -> IoC (export hashes and network info) -> Network / Forensic data and Security devices (LOKI).
34. Step 1: Attach malware sample
• Two types of attachment in MISP
• "Regular" attachments
• Payload Delivery
• Antivirus Detection
• IDS flag not set
• Direct downloadable from UI
• Malware samples
• Artifacts Dropped
• Payload Installation
• IDS flag set
• Download via password protected ZIP
38. Step 3: Wait for analysis
• VMRay does its magic
• Current MISP-VMRay connector is asynchronous
• Submit
• Wait for analysis to complete
• Import
• (work in progress)
39. Step 4: Import results
• Via MISP-modules Import
• Based on VMRay sample ID
• Do not forget to set IDS flag
• (pending issue request)
41. Consume results in SIEM
• API / PyMISP (Python access via API)
• Import feed
• Select tags
• Type, priority, impact
• Set categories
• Based on tags
• Post sightings back to MISP
42. Consume results in NIDS
• Malware analysis revealed network IoCs
• Low confidence when it concerns shared hosting IPs
• Generate NIDS rules
• automatic or manual
• Set of SNORT rules
43. End-point investigation
• YARA rules
• Signature based detection
• File hashes
• High confidence
• Slow
• Get files
• Investigate
• High reward
• Use perimeter sandbox
• Before delivery
• Queued
47. MISP – The Future
• MISP Modules
• via MISP Hackathon
• MISP Objects
• Semi dynamic data model
• Share the object design along with the events shared
• MISP Galaxy
• Large object -> cluster
• Threat actors, campaigns
• MISP Workbench
• Use attributes outside MISP for further investigation
Speaker notes
Expression of intent to do harm
Contains tactics, techniques and procedures
Intelligence is the information that adds the context
Combining threat and intelligence allows you to evaluate if a certain threat is a problem for your environment
Why do you need threat intelligence?
To evaluate if a certain new attack pattern is a threat to your environment
Change your defenses for this new threat
And get ahead of the game: instead of allowing an attacker to get a strong foothold in your organisation, detect the attack in the early stages of the intrusion
Threat intelligence often used in combination with SIEMs
SIEM : connection to an IP, no context
Threat : IP is marked as possibly malicious ; investigate other actions done by the host that started the connection
IoCs are how we most often consume threat intelligence
The most visible part; but there's more
Notes about with whom you share information
You don't want to share with the whole world, otherwise attackers get informed that their actions have been discovered
Color scheme to describe with whom and how you share ; from RED restricted to WHITE open
Started in 2012 by Belgian Ministry of Defense
as a malware information sharing platform
evolved to threat sharing platform
for the past couple of years taken over by CIRCL, the LU private CERT
Distributed sharing model
Everyone can contribute or consume
Everyone adds their own bits and pieces to the threat data, and then describes with whom and how it can be shared -> through the distributed nature of MISP
Correlation
Attributes added to an event
If they already exist MISP will connect them together
Proposal
If you don't agree with an attribute you can propose a "change"
Or add your own attribute
The owner of the threat event can then decide to accept the proposal
Exchange of proposals happens the same way as distribution of threat event data in MISP
When adding events or attributes you'll have to deal with false positives ; as always "context" is important
Looking at an attribute without the context you can not decide if something is false positive or not
Add the context; the logic (different attributes) to evaluate if something is really a problem
Example : connection to evil.com ; malware gets downloaded and installed and then does network connectivity test
Protect your own assets from ending up in signatures
Are a classification scheme to describe what a threat is about
Provided by, for example, ENISA, VERIS, NATO, etc.
Human : visually to know what the threat is about
Machine : used for distribution and import/export security devices
Sightings allow you to vouch that an attribute is "valuable"