Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP


Information Sharing and Taxonomies: Practical Classification of Threat Indicators using MISP
Alexandre Dulaunoy - TLP:WHITE
June 16, 2016

From Tagging to Flexible Taxonomies

Tagging is a simple way to attach a classification to an event. In early versions of MISP, tags were local to an instance. A classification is only effective if it is shared and understood globally, across instances. After evaluating different classification schemes, we built a new one based on the concept of machine tags.

Machine Tags

The triple tag, or machine tag, was introduced in 2004 to extend geotagging on images. A machine tag is simply a tag expressed in a way that allows systems to parse and interpret it, while still keeping a human-readable form, for example:

  admiralty-scale:source-reliability="Fairly reliable"

MISP Taxonomies

Taxonomies are implemented in a simple JSON format. Anyone can create their own taxonomy or reuse an existing one. The taxonomies live in an independent git repository (https://www.github.com/misp/misp-taxonomies/), so they can be freely reused and integrated in other threat intel tools.

Existing Taxonomies

- NATO - Admiralty Scale
- CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
- ecsirt and IntelMQ incident classification
- EUCI - EU classified information marking
- Information Security Marking Metadata from DNI (Director of National Intelligence - US)
- NATO Classification Marking
- OSINT - Open Source Intelligence - Classification
- TLP - Traffic Light Protocol
- Vocabulary for Event Recording and Incident Sharing - VERIS
- and many more, such as ENISA, Europol, or the draft FIRST SIG Information Exchange Policy.

Want to write your own taxonomy? 1/2

  {
    "namespace": "admiralty-scale",
    "description": "The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.",
    "version": 1,
    "predicates": [
      {
        "value": "source-reliability",
        "expanded": "Source Reliability"
      },
      {
        "value": "information-credibility",
        "expanded": "Information Credibility"
      }
    ],
    ....

Want to write your own taxonomy? 2/2

  {
    "values": [
      {
        "predicate": "source-reliability",
        "entry": [
          {
            "value": "a",
            "expanded": "Completely reliable"
          },
    ....

Publishing your taxonomy is as easy as a simple git pull request on misp-taxonomies (https://github.com/misp/misp-taxonomies).
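To show how the machine-tag format from the "Machine Tags" slide and the taxonomy JSON above fit together, here is an added example (not code from the slides or from the MISP project) that parses a machine tag into its namespace/predicate/value triple, enumerates the tags a taxonomy defines, and expands a tag into its human-readable form. The taxonomy excerpt is constructed inline from the admiralty-scale layout shown on the slides; the function names are this example's own.

```python
import json
import re

# Constructed excerpt of the admiralty-scale taxonomy in the misp-taxonomies
# JSON layout shown on the slides (two predicates, a few entries each; the
# real file has more). Embedded inline so the example runs offline.
ADMIRALTY_SCALE = json.loads("""
{
  "namespace": "admiralty-scale",
  "description": "The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.",
  "version": 1,
  "predicates": [
    {"value": "source-reliability", "expanded": "Source Reliability"},
    {"value": "information-credibility", "expanded": "Information Credibility"}
  ],
  "values": [
    {
      "predicate": "source-reliability",
      "entry": [
        {"value": "a", "expanded": "Completely reliable"},
        {"value": "b", "expanded": "Usually reliable"},
        {"value": "c", "expanded": "Fairly reliable"}
      ]
    },
    {
      "predicate": "information-credibility",
      "entry": [
        {"value": "1", "expanded": "Confirmed by other sources"},
        {"value": "2", "expanded": "Probably true"}
      ]
    }
  ]
}
""")

# A machine tag is namespace:predicate="value"; the value part is optional,
# because a taxonomy may define predicates without values (e.g. tlp:green).
MACHINE_TAG_RE = re.compile(
    r'^(?P<ns>[^:=]+):(?P<pred>[^:=]+)(?:="(?P<val>[^"]*)")?$')


def parse_machine_tag(tag):
    """Split a machine tag into (namespace, predicate, value); value may be None."""
    m = MACHINE_TAG_RE.match(tag)
    if not m:
        raise ValueError("not a machine tag: %r" % tag)
    return m.group("ns"), m.group("pred"), m.group("val")


def machine_tags(taxonomy):
    """Enumerate every tag a taxonomy defines, mapped to its human-readable form."""
    ns = taxonomy["namespace"]
    pred_names = {p["value"]: p["expanded"] for p in taxonomy["predicates"]}
    values = taxonomy.get("values", [])
    tags = {}
    for block in values:
        pred = block["predicate"]
        for entry in block["entry"]:
            tag = '%s:%s="%s"' % (ns, pred, entry["value"])
            tags[tag] = "%s = %s" % (pred_names[pred], entry["expanded"])
    # Predicates that carry no values are tags on their own.
    for pred, expanded in pred_names.items():
        if not any(b["predicate"] == pred for b in values):
            tags["%s:%s" % (ns, pred)] = expanded
    return tags


def expand_tag(tag, taxonomy):
    """Human-readable form of a tag, or None if the taxonomy does not define it."""
    ns, _, _ = parse_machine_tag(tag)
    if ns != taxonomy["namespace"]:
        return None
    return machine_tags(taxonomy).get(tag)


if __name__ == "__main__":
    for tag, expanded in machine_tags(ADMIRALTY_SCALE).items():
        print("%-45s %s" % (tag, expanded))
```

Validating a tag against the taxonomy it claims to belong to (rather than accepting any string) is what keeps a classification consistent across instances: a tag that does not expand is either a typo or a value the taxonomy version in use does not know.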

How are taxonomies integrated in MISP?

A MISP administrator can import (or even cherry-pick) the namespaces or predicates they want to use as tags. Tags can be exported to other instances and are also accessible via the MISP REST API.

Filtering the distribution of events among MISP instances

Rules for distribution between instances can be applied based on tags.

Other use cases using MISP taxonomies

- Tags can be used to mark events for further processing by external tools (e.g. VirusTotal auto-expansion using Viper).
- Ensuring a classification manager classifies the events before release (e.g. release of information from air-gapped/classified networks).
- Enriching IDS exports with tags to fit your NIDS deployment.
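Two of the use cases above, tag-based distribution filtering between instances and tag-enriched IDS export, can be demonstrated on a few constructed events. The following is an added example, not code from the slides or from MISP itself: the events follow MISP's JSON layout (Tag/name, Attribute/type, value, to_ids) but are made up, the push-rule structure with OR/NOT tag lists is modelled on MISP server sync rules but its exact field layout is an assumption here, and the Suricata-style rule templates are simplified ones written for this example.

```python
# Constructed sample events in MISP's JSON layout. The events, tags and
# addresses (documentation ranges) are made up for this example.
EVENTS = [
    {"id": 1, "info": "phishing kit infrastructure",
     "Tag": [{"name": "tlp:amber"},
             {"name": 'admiralty-scale:source-reliability="a"'}],
     "Attribute": [
         {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
         {"type": "domain", "value": "update-check.example", "to_ids": True},
         {"type": "comment", "value": "seen in mail campaign", "to_ids": False},
     ]},
    {"id": 2, "info": "internal draft, not for release",
     "Tag": [{"name": "tlp:red"}, {"name": "local:do-not-share"}],
     "Attribute": [{"type": "ip-dst", "value": "198.51.100.9", "to_ids": True}]},
    {"id": 3, "info": "untagged event",
     "Tag": [],
     "Attribute": [{"type": "ip-dst", "value": "192.0.2.5", "to_ids": True}]},
]

# Push rules modelled on the OR / NOT tag filters of MISP server sync rules
# (field layout assumed for this example): an event is pushed when it carries
# at least one OR tag (if OR is non-empty) and none of the NOT tags.
# "local:do-not-share" is a hypothetical local tag, not a published taxonomy.
PUSH_RULES = {"tags": {"OR": ["tlp:white", "tlp:green", "tlp:amber"],
                       "NOT": ["local:do-not-share"]}}


def event_tags(event):
    return {t["name"] for t in event.get("Tag", [])}


def may_push(event, rules):
    """Decide whether an event passes the tag-based distribution rules."""
    tags = event_tags(event)
    allow = set(rules.get("tags", {}).get("OR", []))
    deny = set(rules.get("tags", {}).get("NOT", []))
    if tags & deny:
        return False
    return not allow or bool(tags & allow)


def events_to_push(events, rules):
    """Ids of the events that would be synchronised to a remote instance."""
    return [e["id"] for e in events if may_push(e, rules)]


# Simplified Suricata-style templates (written for this example). The msg
# field carries the event's tags, so an alert already tells the analyst the
# TLP level and source reliability of the indicator that fired.
RULE_TEMPLATES = {
    "ip-dst": 'alert ip $HOME_NET any -> {value} any '
              '(msg:"MISP e{id} {tags} Outgoing To IP: {value}"; sid:{sid}; rev:1;)',
    "domain": 'alert dns $HOME_NET any -> any any '
              '(msg:"MISP e{id} {tags} Domain: {value}"; dns.query; '
              'content:"{value}"; nocase; sid:{sid}; rev:1;)',
}


def ids_export(event, sid_base=3000000):
    """Build IDS rules for the to_ids attributes of an event, tagging each rule."""
    tags = sorted(event_tags(event))
    # Quotes inside machine tags must be escaped inside the rule's msg string.
    tag_str = ("[" + " ".join(tags) + "]" if tags else "[untagged]").replace('"', '\\"')
    rules = []
    for n, attr in enumerate(event["Attribute"]):
        if not attr.get("to_ids") or attr["type"] not in RULE_TEMPLATES:
            continue  # non-IDS attributes and unsupported types are skipped
        rules.append(RULE_TEMPLATES[attr["type"]].format(
            value=attr["value"], id=event["id"], tags=tag_str, sid=sid_base + n))
    return rules


if __name__ == "__main__":
    print("events to push:", events_to_push(EVENTS, PUSH_RULES))
    for rule in ids_export(EVENTS[0]):
        print(rule)
```

Note that the untagged event is not pushed: with a non-empty OR list, the absence of a sharing tag is treated as "not cleared for release", which is the conservative default when tags are the release control.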

Future functionalities related to MISP taxonomies

- Sighting support (thanks to NCSC-NL) is integrated in MISP, allowing IOCs to be auto-expired based on user detections.
- Adjusting taxonomies (adding/removing tags) based on their score or visibility via sightings.
- Simple taxonomy editors to help non-technical users create their own taxonomies.
- Filtering mechanisms in MISP to rename or replace taxonomies/tags at pull and push synchronisation.
- More public taxonomies to be included.

The dilemma of false positives

False positives are a common issue in threat intelligence sharing. It is often a contextual issue: what counts as a false positive might differ per community of users sharing information, and each organization might have its own view on it. Based on the success of the MISP taxonomy model, we built misp-warninglists.

MISP warning lists

misp-warninglists are lists of well-known indicators that can be associated with potential false positives, errors or mistakes. They are simple JSON files:

  {
    "name": "List of known public DNS resolvers",
    "version": 2,
    "description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
    "matching_attributes": [
      "ip-src",
      "ip-dst"
    ],
    "list": [
      "8.8.8.8",
      "8.8.4.4",
      ...
    ]
  }

MISP warning lists

The warning lists are integrated in MISP to display an info/warning box at the event and attribute level. This can be enabled at the MISP instance level. Default warning lists can be enabled or disabled individually, e.g. known public resolvers, multicast IP addresses, hashes of empty values, RFC 1918 address space, TLDs or known Google domains. Warning lists can be expanded or added in JSON locally or via pull requests. They can also be used to warn about critical or core infrastructure, personally identifiable information, and so on.
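As an added example of how a warning list is applied to an event (this is not the slides' or MISP's own code), the block below loads two constructed lists in the JSON layout shown on the previous slide and flags the IDS-enabled attributes of a constructed event that hit them. The public-resolver list matches exact strings; the RFC 1918 list is expressed as CIDR blocks and uses a "type": "cidr" field, which is how the upstream misp-warninglists repository marks lists that need network containment rather than string equality (the list contents here are shortened and constructed). Only attributes with to_ids set are checked, following the list description's wording.

```python
import ipaddress
import json

# Constructed warning lists in the misp-warninglists JSON layout. "type" says
# how entries are compared: "string" is exact match, "cidr" is containment.
WARNINGLISTS = [json.loads(s) for s in ("""
{
  "name": "List of known public DNS resolvers",
  "version": 2,
  "description": "Event contains one or more public DNS resolvers as attribute with an IDS flag set",
  "type": "string",
  "matching_attributes": ["ip-src", "ip-dst"],
  "list": ["8.8.8.8", "8.8.4.4", "1.1.1.1"]
}""", """
{
  "name": "List of RFC 1918 CIDR blocks",
  "version": 1,
  "description": "Event contains private address space as attribute with an IDS flag set",
  "type": "cidr",
  "matching_attributes": ["ip-src", "ip-dst"],
  "list": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
}""")]

# Constructed event: one resolver, one private address, one genuine external
# address, one resolver without the IDS flag, and a "domain" attribute whose
# value happens to look like a resolver but is not a matching attribute type.
SAMPLE_EVENT = {"id": 42, "Attribute": [
    {"type": "ip-dst", "value": "8.8.8.8", "to_ids": True},
    {"type": "ip-dst", "value": "192.168.1.20", "to_ids": True},
    {"type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
    {"type": "ip-src", "value": "8.8.4.4", "to_ids": False},
    {"type": "domain", "value": "8.8.8.8", "to_ids": True},
]}


def _matches(entry_type, value, entries):
    """Compare one attribute value against a list according to its type."""
    if entry_type == "cidr":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False  # not an IP address at all, so no CIDR can contain it
        return any(addr in ipaddress.ip_network(net) for net in entries)
    return value in entries


def check_attribute(attr, warninglists=WARNINGLISTS):
    """Names of the warning lists an IDS-flagged attribute hits."""
    if not attr.get("to_ids"):
        return []
    return [wl["name"] for wl in warninglists
            if attr["type"] in wl["matching_attributes"]
            and _matches(wl.get("type", "string"), attr["value"], wl["list"])]


def check_event(event, warninglists=WARNINGLISTS):
    """Map each flagged attribute value to the warning lists it hits."""
    hits = {}
    for attr in event["Attribute"]:
        names = check_attribute(attr, warninglists)
        if names:
            hits[attr["value"]] = names
    return hits


if __name__ == "__main__":
    for value, names in check_event(SAMPLE_EVENT).items():
        print("warning: %s matches %s" % (value, ", ".join(names)))
```

The matching_attributes field is what keeps the check precise: the same string as a domain attribute is not flagged, because the list only claims to know about IP source and destination attributes.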

Q&A

https://github.com/misp/misp
https://github.com/misp/misp-taxonomies
https://github.com/misp/misp-warninglists

info@circl.lu (if you want to join one of the MISP communities operated by CIRCL)
PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5