MISP workshop - misp-project.org


MISP workshop: Introduction into Information Sharing using MISP for CSIRTs

Threat Sharing

MISP Training @ CIRCL, 20181218

Team CIRCL, TLP:WHITE


Plan for this session

Explanation of the CSIRT use case for information sharing and what CIRCL does
Building an information sharing community and best practices


Communities operated by CIRCL

As a CSIRT, CIRCL operates a wide range of communities
We use it as an internal tool to cover various day-to-day activities
Whilst being the main driving force behind the development, we're also one of the largest consumers
Different communities have different needs and restrictions


Communities operated by CIRCL

Private sector community
  - Our largest sharing community
  - Over 900 organisations
  - 2000 users
  - Functions as a central hub for a lot of sharing communities
  - Private organisations, researchers, various SOCs, some CSIRTs, etc.

CSIRT community
  - Tighter community
  - National CSIRTs, connections to international organisations, etc.


Communities operated by CIRCL

Financial sector community
  - Banks, payment processors, etc.
  - Sharing of mule accounts and non-cyber threat information

X-ISAC
  - Bridging the gap between the various sectorial and geographical ISACs
  - New, but ambitious initiative
  - Goal is to bootstrap the cross-sectorial sharing along with building the infrastructure to enable sharing when needed


Communities operated by CIRCL

Coming up - the ATT&CK EU community
  - Work on attacker modelling
  - With the assistance of MITRE themselves
  - Unique opportunity to standardise on TTPs
  - Looking for organisations that want to get involved!


Communities supported by CIRCL

FIRST.org's MISP community
Telecom and mobile operators' community
Various ad-hoc communities, for example for exercises
  - Most recently for the ENISA exercise a few weeks ago


Sharing Scenarios in MISP

Sharing can happen for many different reasons. Let's see what we believe are the typical CSIRT scenarios.
We can generally split these activities into 4 main groups when we're talking about traditional CSIRT tasks:
  - Core services
  - Proactive services
  - Advanced services
  - Sharing communities managed by CSIRTs for various tasks


CSIRT core services

Incident response
  - Internal storage of incident response data
  - Sharing of indicators derived from incident response
  - Correlating the derived data and using the built-in analysis tools
  - Enrichment services
  - Collaboration with affected parties via MISP during IR
  - Co-ordination and collaboration
  - Takedown requests

Alerting of information leaks (integration with AIL [1])

[1] https://github.com/CIRCL/AIL-framework


CSIRT proactive services

Contextualising both internal and external data
Collection and dissemination of data from various sources (including OSINT)
Storing, correlating and sharing own manual research (reversing, behavioural analysis)
Aggregating automated collection (sandboxing, honeypots, spamtraps, sensors)
  - MISP allows for the creation of internal MISP "clouds"
  - Store large specialised datasets (for example honeypot data)
  - MISP has interactions with a large set of such tools (Cuckoo, Mail2MISP, etc.)

Situational awareness tools to monitor trends and adversary TTPs within my sector/geographical region (MISP-dashboard, built-in statistics)


CSIRT proactive services - MISP dashboard


CSIRT advanced services

Supporting forensic analysts
Collaboration with law enforcement
Vulnerability information sharing
  - Notifications to the constituency about relevant vulnerabilities
  - Co-ordinating with vendors for notifications (*)
  - Internal / closed community sharing of pentest results
  - We're planning on starting a series of hackathons to find


CSIRTs' management of sharing communities for constituent actions:

Reporting non-identifying information about incidents (such as outlined in the NISD)
Seeking and engaging in collaboration with the CSIRT or other parties during an incident
Pre-sharing information to request help / additional information from the community
Pseudo-anonymised sharing through 3rd parties to avoid attribution of a potential target
Building processes for other types of sharing to get the community engaged and acquainted with the methodologies of sharing (mule account information, border control, etc.)


A quick note on compliance...

Collaboration with Deloitte as part of a CEF project for creating compliance documents
  - Information sharing and cooperation enabled by GDPR
  - How MISP enables stakeholders identified by the NISD to perform key activities
  - AIL and MISP

For more information: https://github.com/CIRCL/compliance


Bringing different sharing communities together

We generally all end up sharing with peers that face similar threats
Division is either sectorial or geographical
So why even bother with trying to bridge these communities?


Advantages of cross sectorial sharing

Reuse of TTPs across sectors
Being hit by something that another sector has faced before
Hybrid threats - how seemingly unrelated things may be interesting to correlate
Prepare other communities for the capability and culture of sharing, for when the need arises for them to reach out to the CSIRT
Generally our field is ahead of several other sectors when it comes to information sharing, might as well spread the love


Getting started with building your own sharing community

Starting a sharing community is both easy and difficult at the same time
Many moving parts and, most importantly, you'll be dealing with a diverse group of people
Understanding and working with your constituents to help them face their challenges is key


Getting started with building your own sharing community

When you are starting out, you are in a unique position to drive the community and set best practices...


Running a sharing community using MISP - How to get going?

Different models for constituents
  - Connecting to a MISP instance hosted by a CSIRT
  - Hosting their own instance and connecting to the CSIRT's MISP
  - Becoming a member of a sectorial MISP community that is connected to the CSIRT's community

Planning ahead for future growth
  - Estimating requirements
  - Deciding early on common vocabularies
  - Offering services through MISP


Rely on our instinct to imitate over expecting adherence to rules

Lead by example - the power of imitation
Encourage improving by doing instead of blocking sharing with unrealistic quality controls
  - What should the information look like?
  - How should it be contextualised?
  - What do you consider as useful information?
  - What tools did you use to get your conclusions?

Side effect is that you will end up raising the capabilities of your constituents


What counts as valuable data?

Sharing comes in many shapes and sizes
  - Sharing results / reports is the classical example
  - Sharing enhancements to existing data
  - Validating data / flagging false positives
  - Asking for support from the community

Embrace all of them. Even the ones that don't do either, you'll never know when they change their minds...


How to deal with organisations that only "leech"?

From our own communities, only about 30% of the organisations actively share data
We have come across some communities with sharing requirements
In our experience, this sets you up for failure because:
  - Organisations that would possibly benefit the most from it will lose protection
  - Organisations that want to stay above the thresholds will start sharing junk / fake data
  - You lose organisations that might turn into valuable contributors in the future


So how does one convert the passive organisations into actively sharing ones?

Rely on organic growth
Help them increase their capabilities
As mentioned before, lead by example
Rely on the inherent value to oneself when sharing information (validation, enrichments, correlations)
Give credit where credit is due, never steal the accolades of your community (that is incredibly demotivating)


Dispelling the myths around blockers when it comes to information sharing

Sharing difficulties are not really technical issues but often a matter of social interactions (e.g. trust).
  - You can play a role here: organise regular workshops, conferences, have face-to-face meetings

Legal restrictions
  - "Our legal framework doesn't allow us to share information."
  - "Risk of information leak is too high and it's too risky for our organization or partners."

Practical restrictions
  - "We don't have information to share."
  - "We don't have time to process or contribute indicators."
  - "Our model of classification doesn't fit your model."
  - "Tools for sharing information are tied to a specific format, we use a different one."


Contextualising the information

Sharing technical information is a great start
However, to truly create valuable information for your community, always consider the context:
  - Your IDS might not care why it should alert on a rule
  - But your analysts will be interested in the threat landscape and the "big picture"

Classify data to make sure your partners understand why it is important for them
Massively important once an organisation has the maturity to filter the most critical subsets of information for their own defense


Choice of vocabularies

MISP has a very versatile system (taxonomies) for classifying and marking data
However, this includes different vocabularies with obvious overlaps
MISP allows you to pick and choose vocabularies to use and enforce in a community
Good idea to start with this process early
If you don't find what you're looking for:
  - Create your own (JSON format, no coding skills required)
  - If it makes sense, share it with us via a pull request for redistribution
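As an added example (not part of the CIRCL slides), the following Python script authors a small custom taxonomy in the JSON layout used by the misp-taxonomies repository, checks it for the consistency mistakes that usually break a pull request (unknown predicates, duplicate or badly-formed values), and expands it into the machine tags MISP derives from it. The "example-csirt" namespace and every predicate and value in it are assumptions constructed for this example.

```python
import json
import re
from typing import Dict, List

# Constructed taxonomy for a hypothetical community; the "example-csirt"
# namespace and every predicate/value below are assumptions for this example.
CUSTOM_TAXONOMY: Dict = {
    "namespace": "example-csirt",
    "description": "Example vocabulary for a national sharing community",
    "version": 1,
    "exclusive": False,
    "predicates": [
        {"value": "source", "expanded": "How the information was obtained"},
        {"value": "action", "expanded": "Recommended constituent action",
         "exclusive": True},   # an event may carry only one action=... tag
        {"value": "verified", "expanded": "Checked by the CSIRT, no sub-values"},
    ],
    "values": [
        {"predicate": "source", "entry": [
            {"value": "incident-response", "expanded": "Derived from an IR case"},
            {"value": "osint", "expanded": "Open-source collection"},
        ]},
        {"predicate": "action", "entry": [
            {"value": "block", "expanded": "Safe to feed blocking tools"},
            {"value": "monitor", "expanded": "Detect only, do not block"},
        ]},
    ],
}

# Names used inside machine tags: lowercase, digits and hyphens only.
_NAME = re.compile(r"^[a-z0-9][a-z0-9-]*$")


def validate_taxonomy(tax: Dict) -> List[str]:
    """Return the consistency problems found; an empty list means none."""
    problems = []
    for key in ("namespace", "description", "version", "predicates"):
        if key not in tax:
            problems.append(f"missing top-level key {key!r}")
    if problems:
        return problems
    if not _NAME.match(tax["namespace"]):
        problems.append(f"namespace {tax['namespace']!r} is not lowercase kebab-case")
    predicates = [p["value"] for p in tax["predicates"]]
    if len(predicates) != len(set(predicates)):
        problems.append("duplicate predicate names")
    for block in tax.get("values", []):
        if block["predicate"] not in predicates:
            problems.append(f"values refer to unknown predicate {block['predicate']!r}")
        seen = set()
        for entry in block["entry"]:
            if not _NAME.match(entry["value"]):
                problems.append(f"value {entry['value']!r} is not lowercase kebab-case")
            if entry["value"] in seen:
                problems.append(f"duplicate value {entry['value']!r} under {block['predicate']!r}")
            seen.add(entry["value"])
    return problems


def machine_tags(tax: Dict) -> List[str]:
    """Expand the taxonomy into the machine tags MISP derives from it:
    namespace:predicate for predicates without values, namespace:predicate="value" otherwise."""
    entries = {b["predicate"]: b["entry"] for b in tax.get("values", [])}
    ns = tax["namespace"]
    tags = []
    for pred in tax["predicates"]:
        name = pred["value"]
        if name in entries:
            tags.extend(f'{ns}:{name}="{e["value"]}"' for e in entries[name])
        else:
            tags.append(f"{ns}:{name}")
    return tags


if __name__ == "__main__":
    problems = validate_taxonomy(CUSTOM_TAXONOMY)
    assert not problems, problems
    print(json.dumps(CUSTOM_TAXONOMY, indent=2))  # contents of the taxonomy's machinetag.json
    print("\n".join(machine_tags(CUSTOM_TAXONOMY)))
```

The printed JSON is what would go into the taxonomy's machinetag.json file; the tag list is what constituents will actually see and select in the interface, so it is worth reviewing for overlaps with vocabularies the community has already enabled before enforcing the new one.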


Shared libraries of meta-information (Galaxies)

The MISP project, in co-operation with partners, provides a curated list of galaxy information
Can include information packages of different types, for example:
  - Threat actor information
  - Specialised information such as ransomware, exploit kits, etc.
  - Methodology information such as preventative actions
  - Classification systems for methodologies used by adversaries - ATT&CK

Consider improving the default libraries or contributing your own (simple JSON format)
If there is something you cannot share, run your own galaxies and share them out of band with partners
Pull requests are always welcome


False-positive handling

You might often fall into the trap of discarding seemingly "junk" data
Besides volume limitations (which are absolutely valid), fear of false positives is the most common reason why people discard data. Our recommendation:
  - Be lenient when considering what to keep
  - Be strict when you are feeding tools

MISP allows you to filter out the relevant data on demand when feeding protective tools
What may seem like junk to you may be absolutely critical to other users


Many objectives from different user-groups

Sharing indicators for a detection matter.
  - 'Do I have infected systems in my infrastructure or the ones I operate?'

Sharing indicators to block.
  - 'I use these attributes to block, sinkhole or divert traffic.'

Sharing indicators to perform intelligence.
  - 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'

→ These objectives can be conflicting (e.g. false positives have different impacts)
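An added example (not from the CIRCL slides) covering both the "lenient when keeping, strict when feeding tools" recommendation and the three conflicting objectives above: one pool of attributes is kept in full, and a different strictness is applied depending on whether the consumer is an analyst, an IDS or a blocking device. The attribute records, the warninglist and the tag names other than false-positive:risk are constructed for this example; the `to_ids` flag and the false-positive:risk tag form follow MISP conventions, and the filtering rules themselves are one reasonable policy, not a MISP default.

```python
from typing import Dict, List

# Constructed attributes, in the subset of the MISP attribute JSON shape this
# example needs.  Tag names other than false-positive:risk are assumptions.
ATTRIBUTES: List[Dict] = [
    {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True, "Tag": []},
    {"type": "ip-dst", "value": "8.8.8.8", "to_ids": True, "Tag": []},
    {"type": "domain", "value": "update-check.example", "to_ids": True,
     "Tag": [{"name": 'false-positive:risk="high"'}]},   # flagged by another org
    {"type": "domain", "value": "cdn-mirror.example", "to_ids": True,
     "Tag": [{"name": 'false-positive:risk="low"'}]},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True, "Tag": []},
    {"type": "threat-actor", "value": "Constructed Group 1", "to_ids": False, "Tag": []},
    {"type": "comment", "value": "seen in two separate intrusions", "to_ids": False, "Tag": []},
]

# Constructed stand-in for a MISP warninglist: values that are legitimate
# infrastructure or meaningless on their own (a public resolver, the MD5 of an empty file).
WARNINGLIST = {"8.8.8.8", "d41d8cd98f00b204e9800998ecf8427e"}

# Attribute types a network blocking device can act on at all.
BLOCKABLE_TYPES = {"ip-dst", "ip-src", "domain", "hostname", "url"}


def fp_risk(attr: Dict):
    """Return the false-positive:risk level another org attached, or None."""
    for tag in attr.get("Tag", []):
        name = tag["name"]
        if name.startswith('false-positive:risk="'):
            return name.split('"')[1]
    return None


def select_for_export(attributes: List[Dict], purpose: str) -> List[Dict]:
    """Apply the filtering appropriate to one consumer objective."""
    if purpose == "intelligence":
        return list(attributes)  # analysts want everything, FP flags included as context
    if purpose not in ("detection", "blocking"):
        raise ValueError(f"unknown purpose {purpose!r}")
    chosen = []
    for attr in attributes:
        if not attr["to_ids"]:
            continue  # contextual attribute, never an indicator
        if attr["value"] in WARNINGLIST:
            continue  # would fire on legitimate traffic
        risk = fp_risk(attr)
        if purpose == "detection" and risk == "high":
            continue  # an alert on a low-risk FP is tolerable, a high-risk one is noise
        if purpose == "blocking" and (risk is not None or attr["type"] not in BLOCKABLE_TYPES):
            continue  # blocking tolerates no FP flag at all, and only network types can be blocked
        chosen.append(attr)
    return chosen


if __name__ == "__main__":
    for purpose in ("intelligence", "detection", "blocking"):
        values = [a["value"] for a in select_for_export(ATTRIBUTES, purpose)]
        print(f"{purpose:12s} {len(values)} attribute(s): {values}")
```

Note that nothing is deleted from the pool: the domain another organisation flagged as a likely false positive still reaches the analysts, who may recognise it as recurring infrastructure, while the blocking export shrinks to the one attribute nobody has disputed.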


False-positive handling

Analysts will often be interested in the modus operandi of threat actors over long periods of time
Even cleaned-up infected hosts might become interesting again (embedded in code, recurring reuse)
Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets


Managing sub-communities

Often within a community smaller bubbles of information sharing will form
For example: within a national private sector sharing community, a specific community for financial institutions
Sharing groups serve this purpose mainly
As a CSIRT running a national community, consider bootstrapping these sharing communities
Organisations can of course self-organise, but you are the ones with the know-how to get them started


Managing sub-communities

Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
Use your best judgement to decide which communities should be separated from one another
Create sharing hubs with manual data transfer
Some organisations will even have their data air-gapped - Feed system
Create guidance on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
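An added example (not from the CIRCL slides) for the two sub-community slides above: a simplified model of how MISP's distribution levels and sharing groups decide which organisation can see an event, used to audit whether a "secret squirrel club" kept as a sharing group inside a national community is actually compartmentalised. The organisations, instances, sharing group and events are constructed; the distribution level numbers 0 to 4 are MISP's, while the instance-peering and visibility rules are a deliberate simplification of MISP's synchronisation, not its implementation.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# MISP distribution levels, by number: your organisation only, this
# community only, connected communities, all communities, sharing group.
ORG_ONLY, COMMUNITY, CONNECTED, ALL, SHARING_GROUP = range(5)


@dataclass
class Instance:
    name: str
    orgs: Set[str]
    peers: Set[str] = field(default_factory=set)  # instances this one syncs with (simplified)


@dataclass
class SharingGroup:
    name: str
    members: Set[str]


@dataclass
class Event:
    info: str
    orgc: str             # creating organisation
    distribution: int
    sharing_group: Optional[SharingGroup] = None


# Constructed topology: a national hub plus one peered sector instance.
INSTANCES = [
    Instance("national-hub", {"csirt", "bank-a", "bank-b", "telco-a"}, peers={"sector-isac"}),
    Instance("sector-isac", {"isac-org"}, peers={"national-hub"}),
]
CLUB = SharingGroup("financial-club", {"csirt", "bank-a", "bank-b"})
EVENTS = [
    Event("mule account list", "bank-a", SHARING_GROUP, CLUB),
    Event("phishing kit", "telco-a", COMMUNITY),
    Event("club data with wrong distribution", "bank-b", COMMUNITY, CLUB),  # the mistake to catch
    Event("campaign report", "csirt", CONNECTED),
]


def home_instance(org: str, instances: List[Instance]) -> Instance:
    for inst in instances:
        if org in inst.orgs:
            return inst
    raise KeyError(org)


def can_see(event: Event, org: str, instances: List[Instance]) -> bool:
    """Simplified visibility rule for one org, following the distribution levels."""
    if org == event.orgc:
        return True
    if event.distribution == ORG_ONLY:
        return False
    if event.distribution == SHARING_GROUP:
        return event.sharing_group is not None and org in event.sharing_group.members
    if event.distribution == ALL:
        return True
    creator, viewer = home_instance(event.orgc, instances), home_instance(org, instances)
    if event.distribution == COMMUNITY:
        return viewer is creator
    if event.distribution == CONNECTED:
        return viewer is creator or viewer.name in creator.peers
    raise ValueError(f"unknown distribution {event.distribution}")


def leaks(events: List[Event], group: SharingGroup, instances: List[Instance]) -> List[Tuple[str, str]]:
    """(event, outsider) pairs where an event meant for `group` is visible outside it."""
    everyone = {o for inst in instances for o in inst.orgs}
    outsiders = sorted(everyone - group.members)
    return [(e.info, o) for e in events if e.sharing_group is group
            for o in outsiders if can_see(e, o, instances)]


if __name__ == "__main__":
    for event in EVENTS:
        seen_by = sorted(o for inst in INSTANCES for o in inst.orgs if can_see(event, o, INSTANCES))
        print(f"{event.info!r}: visible to {seen_by}")
    print("leaks:", leaks(EVENTS, CLUB, INSTANCES))
```

The third event shows the failure mode the slide warns about: the sharing group is attached, but the distribution level still says "this community", so every organisation on the national instance can read it. If a community keeps producing this kind of mismatch, that is a signal to move the club to its own hub with manual transfer rather than to rely on per-event settings.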


Get in touch if you need some help to get started

Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions!
Contact: [email protected]
https://www.circl.lu/
https://github.com/MISP - https://gitter.im/MISP/MISP - https://twitter.com/MISPProject
