oss is changing the security information sharing landscape
play

OSS is changing the Security information sharing landscape. Focus on - PowerPoint PPT Presentation

Oct 19, 2022 •471 likes •793 views

OSS is changing the Security information sharing landscape. Focus on the MISP objects and other recent improvements on the platform Rapha el Vinot - TLP:WHITE info@circl.lu RMLL 2017 TL;DR Started in 2012 by Christophe Vandeplas (Belgian

  1. OSS is changing the Security information sharing landscape. Focus on the MISP objects and other recent improvements on the platform Rapha¨ el Vinot - TLP:WHITE info@circl.lu RMLL 2017

  2. TL;DR • Started in 2012 by Christophe Vandeplas (Belgian MoD) • Supports automation and pluggable with other tools • Help information sharing within a team and with 3rd parties • Supports plenty of usecases (from the malware reverser to the Fraud analysts ) • MISP’s development is community-driven 2 of 31

  3. MISP core distributed sharing functionality • MISP’s core functionality is sharing where everyone can be a consumer and/or a contributor/producer. • Quick benefit without the obligation to contribute. • Low barrier access to get acquainted to the system. 3 of 31

  4. A Common Integration 4 of 31

  5. The MISP pipeline CSV feed Enrichment CSV feed Proposals modules Remote instances CSV feed Other formats Threat Sharing Remote instances Threat Sharing Threat Sharing Threat Sharing IDS Other formats Threat Sharing SIEMs Sandboxes Analyst Analyst input Incident Analysis response tools Viper 5 of 31

  6. Recent updates and changes • Big improvement in the sightings • Contunious expansion of the galaxies • Feeds overlap matrix • Now... -ish: objects 6 of 31

  7. Question ”My IDS cannot ingest all those indicators, how do I keep the list sane?” 7 of 31

  8. Sightings • Lifetime and evolution of an indicator • Improve the feedback loop • 3 options: ◦ Positive: currently compromised infrastructure ◦ Negative: false positive ◦ Expiration: date where the indicator should be considered as expired • Mapped to an organisation • Type of source (SIEM, honeypot, ...) 8 of 31

  9. Sightings • Contextual activity based on tags and galaxies • Automation based on PCAP: usage : pcapreader . py [ − h ] − r READ [ − f FILTER ] [ − s SOURCE] [ − t TYPE] [ − v ] [ − d ] o p t i o n a l arguments : − r READ, − − read READ pcap/dumpcap f i l e that should be read by t s h a r k − f FILTER , − − f i l t e r FILTER P r e f i x that should be skipped ( s u b s t r i n g ) − s SOURCE, − − source SOURCE De scr ibe the source of the pcap − t TYPE, − − type TYPE S p e c i f y the type of s i g h t i n g s : 0=Default ,1= F a l s e p o s i t i v e • https://github.com/MISP/misp-sighting-tools 9 of 31

  10. Question ”How can I keep track of all the cyber names made up by the cyber vendors for cyber communication purposes?” ”... and create my own names?” 10 of 31

  11. MISP Galaxies • MISP started out as a platform for technical indicator sharing • The need for a way to describe threat actors, tools and other commonalities became more and more pressing • Taxonomies quickly became essential for classifying events • The weakness of the tagging aproach is that it’s not very descriptive • We needed a way to attach more complex structures to data • Also, with the different naming conventions for the same ”thing” attribution was a mess • This is where the Galaxy concept came in 11 of 31

  12. Solution • Pre-crafted galaxy ”clusters” via GitHub project • Attach them to an event (or soon attribute) • The main design principle was that these higher level informations are meant for human consumption • This means flexibility - key value pairs, describe them dynamically • Technical indicators remain strongly typed and validated, galaxies are loose key value lists 12 of 31

  13. The galaxy object stack • Galaxy : The type of data described (Threat actor, Tool, ...) • Cluster : An individual instance of the galaxy (Sofacy, Turla, ...) • Element : Key value pairs describing the cluster (Country: RU, Synonym: APT28, Fancy Bear) • Reference : Referenced galaxy cluster (Such as a threat actor using a specific tool) 13 of 31

  14. Existing clusters • Exploit-Kit : An enumeration of known exploitation kits used by adversaries • Microsoft activity group : Adversary groups as defined by Microsoft • Preventive measure : Potential preventive measures against threats • Ransomware : List of known ransomwares • TDS : Traffic Direction System used by adversaries • Threat-Actor : Known or estimated adversary groups • Tool : Tools used by adversaries (from Malware to common tools) 14 of 31

  15. What a cluster looks like 15 of 31

  16. Attaching clusters to events • Internally simply using a taxonomy-like tag to attach them to events • Example: misp-galaxy:threat-actor=”Sofacy” • Synchronisation works out of the box with older instances too. They will simply see the tags until they upgrade. • Currently, as mentioned we rely on the community’s contribution of galaxies 16 of 31

  17. Attaching clusters • Use a searchable synonym database to find what you’re after 17 of 31

  18. Cluster JSON value example 1 { 2 ”meta” : { 3 ”synonyms” : [ 4 ”APT 28” , ”APT28” , ”Pawn Storm” , ”Fancy Bear ” , 5 ” Sednit ” , ”TsarTeam” , ”TG − 4127” , ”Group − 4127” , 6 ”STRONTIUM” , ”Grey − Cloud ” 7 ] , 8 ” country ” : ”RU” , 9 ” r e f s ” : [ 10 ” h t t p s : // en . w i k i p e d i a . org / w i k i / Sofacy Group ” 11 ] 12 } , 13 ” d e s c r i p t i o n ” : ”The Sofacy Group ( a l s o known as APT28 , 14 Pawn Storm , Fancy Bear and Sednit ) i s a cyber 15 espionage group b e l i e v e d to have t i e s to the 16 Russian government . L i k e l y o p e r a t i n g s i n c e 2007 , 17 the group i s known to t a r g e t government , m i l i t a r y , 18 and s e c u r i t y o r g a n i z a t i o n s . I t has been 19 c h a r a c t e r i z e d as an advanced p e r s i s t e n t t h r e a t .” , 20 ” v a l u e ” : ” Sofacy ” 21 } , 18 of 31

  19. Question ”$CYBER VENDOR has new cyber feed for USD 100.000, should I get it?” ”They said it will make me sleep better at night. I like sleeping.” 19 of 31

  20. Feed integration • Objective: Get all the feeds in one single place • Profit of the functionalities of MISP (correlation with other events) • Automatic updates • Add your own • Problem: Lots of duplicates 20 of 31

  21. Feed overlap matrix 21 of 31

  22. Question ”STIX has objects, how do I represent it in MISP without creating tons of events?” ”Yes, I know, STIX is awful, but my boss wants me to use it” 22 of 31

  23. MISP objects • Objective: create a semi-dynamic data model. • Using existing MISP attributes to build new objects. • Share the object designs within partners automatically along with the events shared (e.g. allowing to share events with yet unknown objects). • Have a community-driven set of default objects 1 . 1 https://github.com/misp/misp-objects 23 of 31

  24. Use case • File: hashes, filename, size, .... • PE: original filename, timestamp, number of sections, ... • PE Section: entropy, hashes, ... • ... And all other kind of objects: ELF, PDF, Office documents, VBA Macro, Embedded JavaScript, ... • Your own object with the indicators you wish 24 of 31

  25. 25 of 31

  26. r2graphity: Messing with binaries • Research project of Marion Marschalek (@pinkflawd) and me • Reversing binaries is painful and repetitive • Families of malwares have similar patterns/features • Automating extractions with radare2 • Push everything into graphs 26 of 31

  27. 27 of 31

  28. 28 of 31

  29. 29 of 31

  30. References • Marion’s talk @ RECON17 - https://github.com/pinkflawd/ r2graphity/blob/master/GraphDracula_Recon17.pdf • MISP project - https://github.com/MISP/MISP • MISP Organisation - https://github.com/MISP • MISP Chatroom - https://gitter.im/MISP/MISP • MISP website - http://www.misp.software 30 of 31

  31. 31 of 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Information Sharing and User Privacy in the Third-party Identity Management Landscape Anna

Information Sharing and User Privacy in the Third-party Identity Management Landscape Anna

Information Sharing and User Privacy in the Third-party Identity Management Landscape Anna Vapen, Niklas Carlsson, Anirban Mahanti, Nahid Shahmehri Linkping University, Sweden NICTA, Australia 2 Information Sharing and User

246 views • 24 slides
Association Landscape in 2016 Technology Expectations Changing Information Member Overload

Association Landscape in 2016 Technology Expectations Changing Information Member Overload

Membership Model Research and Options Overview 1 Association Landscape in 2016 Technology Expectations Changing Information Member Overload Demographics Calls for Explicit ROI Regulatory Employer Climate Policies 2 www.mckinley

461 views • 17 slides
Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat Landscape Customers Biggest Security Challenges Changing Dynamic Complexity Business Models Threat Landscape and Fragmentation A

550 views • 13 slides
UTSA Information Sharing and Coordination Initiatives collaboration and coordination to

UTSA Information Sharing and Coordination Initiatives collaboration and coordination to

Secure Information and Resource Sharing in Cloud Infrastructure as a Service Cyber Incident Response Models for Information and Resource Sharing Amy(Yun) Zhang, Ram Krishnan, Ravi Sandhu Institute for Cyber Security University of Texas at San

219 views • 17 slides
The Changing Credit Landscape In Australia What It Means To You Credit landscape Economic

The Changing Credit Landscape In Australia What It Means To You Credit landscape Economic

The Changing Credit Landscape In Australia What It Means To You Credit landscape Economic conditions are good with growth expected in 2018. Consumer and Business sentiment is improving. Commercial delinquency is low. No

148 views • 12 slides
FinTech: The Threat Landscape and Promising Initiatives Information Security Conference for the

FinTech: The Threat Landscape and Promising Initiatives Information Security Conference for the

FinTech: The Threat Landscape and Promising Initiatives Information Security Conference for the Financial Sector Doha, Qatar 5 November 2017 The FinTech landscape In the first nine months of 2016, global investment in FinTech reached 21

637 views • 17 slides
CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom Austin San Jos State University Secret Sharing: Motivation Goal: make secret available, but make it hard to peek. Divide secret among

731 views • 48 slides
1 Africa's changing economic landscape Africa's changing health

1 Africa's changing economic landscape Africa's changing health

THE CHANGING AFRICAN LANDSCAPE - WHAT HAS CHANGED IN THE LAST 25 YEARS, DEVELOPMENTS ENVISAGED FOR THE NEXT 25 YEARS CAROLINE JEHU-APPIAH (MD, MSc, PhD) PRINCIPAL HEALTH ECONOMIST AFRICAN DEVELOPMENT BANK GROUP (AFDB) 1

579 views • 31 slides
Teaching information literacy for engineering students in a rapidly changing landscape Creating

Teaching information literacy for engineering students in a rapidly changing landscape Creating

Teaching information literacy for engineering students in a rapidly changing landscape Creating Knowledge VIII, Reykjavik, June 3, 2016 KTH ROYAL INSTITUTE OF TECHNOLOGY Teaching information literacy for engineering students in a rapidly

329 views • 20 slides
How to adapt to the changing landscape? CASE TELESUR Inspiring Innovation : Important

How to adapt to the changing landscape? CASE TELESUR Inspiring Innovation : Important

How to adapt to the changing landscape? CASE TELESUR Inspiring Innovation : Important Ingredients D.Currie CEO Telesur MAGICSS Mobile, Analytics, Governance, Internet of Things, Cloud, Social and Security 4 Is: Inspiring Innovation

302 views • 17 slides
The ever changing landscape of official statistics Jelke Bethlehem Leiden University, the

The ever changing landscape of official statistics Jelke Bethlehem Leiden University, the

The ever changing landscape of official statistics Jelke Bethlehem Leiden University, the Netherlands NTTS 2015 | The ever changing landscape of official statistics 1 / 33 The ever changing landscape of official statistics The past There

628 views • 33 slides
Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security Research Scientist Oak Ridge National Laboratory Main Points Information Sharing Enable discovering and sharing information about real threats to

216 views • 6 slides
BT21CN and New Services BT Group Yung Kim The changing landscape Convergence Convergence Cost

BT21CN and New Services BT Group Yung Kim The changing landscape Convergence Convergence Cost

BT21CN and New Services BT Group Yung Kim The changing landscape Convergence Convergence Cost Regulation Regulation transformation Customer M&A expectation activities Technology BTs strategy to the changing landscape Helping

392 views • 24 slides
Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line

Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line

Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line DeepSec 2014, Vienna, 21 November 2014 NATO UNCLASSIFIED Cyber Security In NATO NATO in a nutshell: Collective defence Interoperable

666 views • 42 slides
Resources and the Changing CSA Funding Landscape May 14, 2020 2:00 3:15 PM EST Welcome

Resources and the Changing CSA Funding Landscape May 14, 2020 2:00 3:15 PM EST Welcome

CSA Virtual Discussion: Connecting Families to Financial Resources and the Changing CSA Funding Landscape May 14, 2020 2:00 3:15 PM EST Welcome Oliver Robinson Program Associate, Children's Savings Prosperity Now Housekeeping This

667 views • 44 slides
Proposal for a new model for information sharing between CSIRTs Ir. David Durvaux - Security

Proposal for a new model for information sharing between CSIRTs Ir. David Durvaux - Security

Proposal for a new model for information sharing between CSIRTs Ir. David Durvaux - Security Analyst Christian Van Heurck Coordinator 24 th annual FIRST conference Malta - 17-22 June 2012 Knowledge is power . Knowledge shared is

404 views • 39 slides
THE DISCOVERY OF ELEMENTS Dr. K. Guruswamy National Chemical Laboratory (NCL), Pune.

THE DISCOVERY OF ELEMENTS Dr. K. Guruswamy National Chemical Laboratory (NCL), Pune.

THE DISCOVERY OF ELEMENTS Dr. K. Guruswamy National Chemical Laboratory (NCL), Pune. http://www.excitingscience.org SUPPORTED BY: What are ELEMENTS? PURE chemical substances having ONE type of ATOM Examples: Hydrogen, Carbon, Iron, Gold,

803 views • 37 slides
( ) ( ) 9.8 m / s 2 0.35 kg F = kx k = = 28.58 N / m 0.12 m m 0.35 kg T = 2 k = 6.28

( ) ( ) 9.8 m / s 2 0.35 kg F = kx k = = 28.58 N / m 0.12 m m 0.35 kg T = 2 k = 6.28

1) When a mass of 0.350 kg is attached to a vertical spring and lowered slowly, the spring stretches 12.0 cm. The mass is now displaced from its equilibrium position and released, and undergoes simple harmonic oscillations. What is the period of

96 views • 6 slides
1 2 Preparation and characterization of MWCNT/Zn 0.25 Co 0.75 Fe 2 O 4 nanocomposite and

1 2 Preparation and characterization of MWCNT/Zn 0.25 Co 0.75 Fe 2 O 4 nanocomposite and

1 2 Preparation and characterization of MWCNT/Zn 0.25 Co 0.75 Fe 2 O 4 nanocomposite and investigation of its microwave absorption properties at x-band by silicone rubber polymeric matrix Microwave absorption has attracted a considerable

312 views • 9 slides
Comparing Malicious Files RVAsec May 22, 2019 Problem Statements AV Problem Many AV companies

Comparing Malicious Files RVAsec May 22, 2019 Problem Statements AV Problem Many AV companies

Comparing Malicious Files RVAsec May 22, 2019 Problem Statements AV Problem Many AV companies use their own unique nomenclature for malware and malware families @MalwareUtkonos Marketing Problem Marketing departments want to brand the

1.1k views • 88 slides
Math 1060Q Lecture 22 Jeffrey Connors University of Connecticut Dec. 1, 2014 Models of

Math 1060Q Lecture 22 Jeffrey Connors University of Connecticut Dec. 1, 2014 Models of

Math 1060Q Lecture 22 Jeffrey Connors University of Connecticut Dec. 1, 2014 Models of exponential growth and decay. General form of exponential growth and decay models. Example 1: Compound interest Example 2: Population growth

362 views • 14 slides
Spin and orbital freezing in unconventional superconductors Philipp Werner University of

Spin and orbital freezing in unconventional superconductors Philipp Werner University of

Spin and orbital freezing in unconventional superconductors Philipp Werner University of Fribourg Kyoto, November 2017 Spin and orbital freezing in unconventional superconductors In collaboration with: Shintaro Hoshino (Saitama) Hiroshi

972 views • 52 slides
Choosing a microscope John Rubinstein Molecular Structure and Function Program The Hospital for

Choosing a microscope John Rubinstein Molecular Structure and Function Program The Hospital for

Choosing a microscope John Rubinstein Molecular Structure and Function Program The Hospital for Sick Children Research Institute Departments of Biochemistry and Medical Biophysics The University of Toronto The questions: What do you need?

532 views • 25 slides
Nonlinear Dimension Reduction to Improve Predictive Accuracy in Genomic and Neuroimaging Studies

Nonlinear Dimension Reduction to Improve Predictive Accuracy in Genomic and Neuroimaging Studies

Nonlinear Dimension Reduction to Improve Predictive Accuracy in Genomic and Neuroimaging Studies Maxime Turgeon June 5, 2018 McGill University Department of Epidemiology, Biostatistics, and Occupational Health 1/21 Acknowledgements This

514 views • 25 slides

More recommend