Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Similar documents
Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

PyMISP - (ab)using MISP API with PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

MISP Training: Galaxies

MISP Galaxy. Threat Sharing. Team CIRCL. MISP CIRCL

Deep-dive into PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Incident Response tactics with Compromise Indicators

IntelMQ - a KISS incident handling automation project (IHAP)

MySQL Attack Mitigation Using Deception Technology

The impacts of Open Government initiatives on SDIs

What s New. August 2013

FINNISH LINKED DATA PILOTS

1 [15 points] Frequent Itemsets Generation With Map-Reduce

FIRE DEPARMENT SANTA CLARA COUNTY

December 3, Dipartimento di Informatica, Università di Torino. Felicittà. Visualizing and Estimating Happiness in

cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software Freedom #0 in action

Administering your Enterprise Geodatabase using Python. Jill Penney

University of Colorado Denver Anschutz Medical Campus Online Chemical Inventory System User s Manual

ArcGIS GeoAnalytics Server: An Introduction. Sarah Ambrose and Ravi Narayanan

ON SITE SYSTEMS Chemical Safety Assistant

Web GIS Deployment for Administrators. Vanessa Ramirez Solution Engineer, Natural Resources, Esri

Geodatabase Programming with Python

Portal for ArcGIS: An Introduction

Development of a Web-Based GIS Management System for Agricultural Authorities in Iraq

Migrating Defense Workflows from ArcMap to ArcGIS Pro. Renee Bernstein and Jared Sellers

ArcGIS Pro Q&A Session. NWGIS Conference, October 11, 2017 With John Sharrard, Esri GIS Solutions Engineer

Using CAD data in ArcGIS

MISB ST 1601 STANDARD

Socket Programming. Daniel Zappala. CS 360 Internet Programming Brigham Young University

EEOS 381 -Spatial Databases and GIS Applications

ArcGIS Deployment Pattern. Azlina Mahad

What s New in ArcGIS 10.1 for Desktop. Karen Li Date: October 31, 2012

Administering Your Enterprise Geodatabase using Python. Gerhard Trichtl

TECDIS and TELchart ECS Weather Overlay Guide

Coordinate systems and transformations in action. Melita Kennedy and Keera Morrish

MapOSMatic, free city maps for everyone!

Geodatabase Programming with Python John Yaist

Managing Imagery and Raster Data Using Mosaic Datasets

ArcGIS Enterprise: Administration Workflows STUDENT EDITION

DP Project Development Pvt. Ltd.

ArcGIS for INSPIRE. Paul Hardy. ArcGIS. ArcGIS for INSPIRE Enables Esri ArcGIS users to implement and comply with INSPIRE. INSPIRE Data Themes

PROCESSING, ANALYSIS, AND DISTRIBUTION OF SHALE DATA OVER GIS SERVICES AND WEB APPS

Deep dive into analytics using Aggregation. Boaz

Outline. Offline Evaluation of Online Metrics Counterfactual Estimation Advanced Estimators. Case Studies & Demo Summary

Troubleshooting Replication and Geodata Services. Liz Parrish & Ben Lin

ArcGIS Online Routing and Network Analysis. Deelesh Mandloi Matt Crowder

GeomRDF : A Geodata Converter with a Fine-Grained Structured Representation of Geometry in the Web

EXPECTATIONS OF TURKISH ENVIRONMENTAL SECTOR FROM INSPIRE

Web GIS Administration: Tips and Tricks

NJDOT Pedestrian Safety Analysis Tool 2015 GIS T Conference

Introduction to Portal for ArcGIS. Hao LEE November 12, 2015

Data Aggregation with InfraWorks and ArcGIS for Visualization, Analysis, and Planning

Lord of the Bing. Taking Back Search Engine Hacking From Google and Bing. 18 MAY 2011 TakeDownCon 2011 Dallas, TX

NOKIS an ISO Based Metadata System

Semantic Web SPARQL. Gerd Gröner, Matthias Thimm. July 16,

GPS Mapping with Esri s Collector App. What We ll Cover

U N I V E R S I T A S N E G E R I S E M A R A N G J U L Y, S U H A R T M A I L. U N N E S. A C. I D E D I T O R D O A J

Introduction to Portal for ArcGIS

Frequently Asked Questions

Network Analysis with ArcGIS Online. Deelesh Mandloi Dmitry Kudinov

Technical Specifications. Form of the standard

Georef - Linked Data Deployment for Spatial Data; Finnish Initiative

ArcGIS 10.1 An Overview of the System

Highly-scalable branch and bound for maximum monomial agreement

Network Configuration Example

Kansas Next Generation 911

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich June 8, 2015

EMMA : ECDC Mapping and Multilayer Analysis A GIS enterprise solution to EU agency. Sharing experience and learning from the others

A Cloud-Based Flood Warning System For Forecasting Impacts to Transportation Infrastructure Systems

Search for the Dubai in the remap search bar:

Corporate. Information. Railway Infrastructure Administrator. Year indracompany.com

Kevin Smith Senior Climatologist. Australian Bureau of Meteorology.

git Tutorial Nicola Chiapolini Physik-Institut University of Zurich January 26, 2015

ArcGIS Enterprise: What s New. Philip Heede Shannon Kalisky Melanie Summers Shreyas Shinde

Search for the Gulf of Carpentaria in the remap search bar:

GIS for Business Intelligence: Getting Cloud Connected

Incorporating ArcGIS Pro in your Curriculum

The File Geodatabase API. Craig Gillgrass Lance Shipman

DANIEL WILSON AND BEN CONKLIN. Integrating AI with Foundation Intelligence for Actionable Intelligence

Task 1: Open ArcMap and activate the Spatial Analyst extension.

Hosted by Esri Official Distributor

Yes, the Library will be accessible via the new PULSE and the existing desktop version of PULSE.

2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Data Aggregation with InfraWorks and ArcGIS for Visualization, Analysis, and Planning

ArcGIS Enterprise: What s New. Philip Heede Shannon Kalisky Melanie Summers Sam Williamson

rethinking software design by analyzing state

Demand Forecasting. for. Microsoft Dynamics 365 for Operations. User Guide. Release 7.1. April 2018

Exploring Urban Areas of Interest. Yingjie Hu and Sathya Prasad

Innovation. The Push and Pull at ESRI. September Kevin Daugherty Cadastral/Land Records Industry Solutions Manager

MCS 260 Exam 2 13 November In order to get full credit, you need to show your work.

Ad Placement Strategies

INSPIRE and egovernment policies: a common governance for a wider public sector information infrastructure

git Tutorial Nicola Chiapolini University of St. Gallen September 12, 2017

CHAPTER 22 GEOGRAPHIC INFORMATION SYSTEMS

Esri UC2013. Technical Workshop.

GIS ADMINISTRATOR / WEB DEVELOPER EVANSVILLE-VANDERBURGH COUNTY AREA PLAN COMMISSION

DGIWG 200. Defence Geospatial Information Framework (DGIF) Overview

From Research Objects to Research Networks: Combining Spatial and Semantic Search

Transcription:

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP MISP Project @MISPProject - TLP:WHITE MISP Workshop @SWITCH - 20161206

From Tagging to Flexible Taxonomies Tagging is a simple way to attach a classification to an event. In the early version of MISP, tagging was local to an instance. Classification must be globally used to be efficient. After evaluating different solutions of classification, we build a new scheme using the concept of machine tags. 2 of 17

Machine Tags Triple tag or machine tag was introduced in 2004 to extend geotagging on images. A machine tag is just a tag expressed in way that allows systems to parse and interpret it. Still have a human-readable version: admiralty-scale:source Reliability= Fairly reliable 3 of 17

MISP Taxonomies Taxonomies are implemented in a simple JSON format. Anyone can create their own taxonomy or reuse an existing one. The taxonomies are in an independent git repository 1. These can be freely reused and integrated in other threat intel tools. Taxonomies are licensed under CC0 (public domain) except if the taxonomy author decided to use another license. 1 https://www.github.com/misp/misp-taxonomies/ 4 of 17

Existing Taxonomies NATO - Admiralty Scale CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection ecsirt and IntelMQ incident classification EUCI EU classified information marking Information Security Marking Metadata from DNI (Director of National Intelligence - US) NATO Classification Marking OSINT Open Source Intelligence - Classification TLP - Traffic Light Protocol Vocabulary for Event Recording and Incident Sharing - VERIS and many more like ENISA, Europol, or the draft FIRST SIG Information Exchange Policy. 5 of 17

Want to write your own taxonomy? 1/2 1 { 2 namespace : a d m i r a l t y s c a l e, 3 d e s c r i p t i o n : The A d m i r a l t y S c a l e ( a l s o c a l l e d t h e NATO System ) i s used to rank t h e r e l i a b i l i t y o f a s o u r c e and t h e c r e d i b i l i t y o f an i n f o r m a t i o n., 4 v e r s i o n : 1, 5 p r e d i c a t e s : [ 6 { 7 v a l u e : s o u r c e r e l i a b i l i t y, 8 expanded : Source R e l i a b i l i t y 9 }, 10 { 11 v a l u e : i n f o r m a t i o n c r e d i b i l i t y, 12 expanded : I n f o r m a t i o n C r e d i b i l i t y 13 } 14 ], 15.... 6 of 17

Want to write your own taxonomy? 2/2 1 { 2 v a l u e s : [ 3 { 4 p r e d i c a t e : s o u r c e r e l i a b i l i t y, 5 e n t r y : [ 6 { 7 v a l u e : a, 8 expanded : C o m p l e t e l y r e l i a b l e 9 }, 10.... Publishing your taxonomy is as easy as a simple git pull request on misp-taxonomies 2. 2 https://github.com/misp/misp-taxonomies 7 of 17

How are taxonomies integrated in MISP? MISP administrator can just import (or even cherry pick) the namespace or predicates they want to use as tag. Tags can be exported to other instances. Tags are also accessible via the MISP REST API. 8 of 17

Filtering the distribution of events among MISP instances Applying rules for distribution based on tags: 9 of 17

Other use cases using MISP taxonomies Tags can be used to set events for further processing by external tools (e.g. VirusTotal auto-expansion using Viper). Ensuring a classification manager classies the events before release (e.g. release of information from air-gapped/classified networks). Enriching IDS export with tags to fit your NIDS deployment. Using IntelMQ and MISP together to process events (tags limited per organization introduced in MISP 2.4.49). 10 of 17

Future functionalities related to MISP taxonomies Sighting support (thanks to NCSC-NL) is integrated in MISP allowing to auto expire IOC based on user detection. Adjusting taxonomies (adding/removing tags) based on their score or visibility via sighting. Simple taxonomy editors to help non-technical users to create their taxonomies. Filtering mechanisms in MISP to rename or replace taxonomies/tags at pull and push synchronisation. More public taxonomies to be included. 11 of 17

PyTaxonomies Python module to handle the taxonomies Offline and online mode (fetch the newest taxonomies from github) Simple search to make tagging easy Totally independant from MISP No external dependencies in offline mode Python3 only Can be used to create & dump your new taxonomy 12 of 17

PyTaxonomies from p y t a x o n o m i e s import Taxonomies t a x o n o m i e s = Taxonomies ( ) t a x o n o m i e s. v e r s i o n # => 20160725 t a x o n o m i e s. d e s c r i p t i o n # => M a n i f e s t f i l e o f MISP t a x o n o m i e s a v a i l a b l e. l i s t ( t a x o n o m i e s. k e y s ( ) ) # => [ t l p, eu c r i t i c a l s e c t o r s, de v s, o s i n t, c i r c l, v e r i s, # e c s i r t, dhs c i i p s e c t o r s, f r c l a s s i f, misp, a d m i r a l t y s c a l e,... ] t a x o n o m i e s. g e t ( e n i s a ). d e s c r i p t i o n # The p r e s e n t t h r e a t taxonomy i s an i n i t i a l v e r s i o n t h a t has been d e v e l o p e d on # t h e b a s i s o f a v a i l a b l e ENISA m a t e r i a l. This m a t e r i a l has been used as an ENISA i n t e r n a l # s t r u c t u r i n g a i d f o r i n f o r m a t i o n c o l l e c t i o n and t h r e a t c o n s o l i d a t i o n p u r p o s e s. # I t emerged in the time period 2012 2015. p r i n t ( t a x o n o m i e s. g e t ( c i r c l ) ) # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = v u l n e r a b i l i t y # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = malware # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = f a s t f l u x # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = system compromise # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = s q l i n j e c t i o n #.... p r i n t ( t a x o n o m i e s. g e t ( c i r c l ). m a c h i n e t a g s e x p a n d e d ( ) ) # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = P h i s h i n g # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = Malware # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = XSS # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = C o p y r i g h t i s s u e # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = Spam # c i r c l : i n c i d e n t c l a s s i f i c a t i o n = SQL I n j e c t i o n 13 of 17

The dilemma of false-positive False-positive is a common issue in threat intelligence sharing. It s often a contextual issue: false-positive might be different per community of users sharing information. organization might have their own view on false-positive. Based on the success of the MISP taxonomy model, we build misp-warninglists. 14 of 17

MISP warning lists misp-warninglists are lists of well-known indicators that can be associated to potential false positives, errors or mistakes. Simple JSON files 1 { 2 name : L i s t o f known p u b l i c DNS r e s o l v e r s, 3 v e r s i o n : 2, 4 d e s c r i p t i o n : Event c o n t a i n s one o r more p u b l i c DNS r e s o l v e r s as a t t r i b u t e w i t h an IDS f l a g s e t, 5 m a t c h i n g a t t r i b u t e s : [ 6 ip s r c, 7 ip d s t 8 ], 9 l i s t : [ 10 8. 8. 8. 8, 11 8. 8. 4. 4,... ] 12 } 15 of 17

MISP warning lists The warning lists are integrated in MISP to display an info/warning box at the event and attribute level. This can be enabled at MISP instance level. Default warning lists can be enabled or disabled like known public resolver, multicast IP addresses, hashes for empty values, rfc1918, TLDs or known google domains. The warning lists can be expanded or added in JSON locally or via pull requests. Warning lists can be also used for critical or core infrastructure warning, personally identifiable information... 16 of 17

Q&A https://github.com/misp/misp https://github.com/misp/misp-taxonomies https://github.com/misp/misp-warninglists info@circl.lu (if you want to join one of the MISP community operated by CIRCL) PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5 17 of 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback