MISP Training: Galaxies

Similar documents
MISP Galaxy. Threat Sharing. Team CIRCL. MISP CIRCL

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP

PyMISP - (ab)using MISP API with PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Deep-dive into PyMISP MISP - Malware Information Sharing Platform & Threat Sharing

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Extending MISP with Python modules MISP - Malware Information Sharing Platform & Threat Sharing

Incident Response tactics with Compromise Indicators

cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software Freedom #0 in action

The Big Bang Theory (page 854)

THE UNIVERSE CHAPTER 20

Deep Sky Astronomy page James E. Kotoski

April 11, Astronomy Notes Chapter 16.notebook. Types of Galaxies

LESSON 1. Solar System

PROGRESS REPORT ON APPROACH PAPER THE IMPLEMENTATION OF THE GEF KNOWLEDGE MANAGEMENT. GEF/C.49/Inf.04 September 23, 2015

CHM The Structure of the Atom, Revisited (r14) Charles Taylor 1/5

STARS AND GALAXIES STARS

Learning Outcomes 2. Key Concepts 2. Misconceptions and Teaching Challenges 3. Vocabulary 4. Lesson and Content Overview 5

What is the solar system?

WeatherHawk Weather Station Protocol

INSTALLING TRAK SPORT TIRE CHAINS ON 20 MODEL 3 TIRES

Using Artificial Intelligence to Train Your Chatbot.

Web GIS Deployment for Administrators. Vanessa Ramirez Solution Engineer, Natural Resources, Esri

Building Institutional Capacity for Multi-Hazard Early Warning in Pacific Countries Subtitle

D4.2. First release of on-line science-oriented tutorials

RESEARCG ON THE MDA-BASED GIS INTEROPERABILITY Qi,LI *, Lingling,GUO *, Yuqi,BAI **

Remote Sensing Techniques for Renewable Energy Projects. Dr Stuart Clough APEM Ltd

10.1 Growth and Cell Reproduction

These modules are covered with a brief information and practical in ArcGIS Software and open source software also like QGIS, ILWIS.

FIELD SPECTROMETER QUICK-START GUIDE FOR FIELD DATA COLLECTION (LAST UPDATED 23MAR2011)

AWOS. Automated Weather Observing Systems COASTAL

Time Domain Astronomy in the 2020s:

Cutting Edge Engineering for Modern Geospatial Systems Rear Admiral Dr. S Kulshrestha, retd

FIRE DEPARMENT SANTA CLARA COUNTY

CONTEMPORARY ANALYTICAL ECOSYSTEM PATRICK HALL, SAS INSTITUTE

The Formation of the Solar System

Hendricks County Mini 4-H. Sun, Stars, & Space. Developed by: Karla Smith, Program Assistant-Purdue Extension Hendricks County

The Pierre Auger Observatory

Astroinformatics: massive data research in Astronomy Kirk Borne Dept of Computational & Data Sciences George Mason University

MSGVIEW: AN OPERATIONAL AND TRAINING TOOL TO PROCESS, ANALYZE AND VISUALIZATION OF MSG SEVIRI DATA

Global 3D Machine Vision Market Report- Forecast till 2022

COLLADA BOF Siggraph 2012 Neil Trevett, NVIDIA, Khronos President Fabrice Robinet, Motorola Mobility, COLLADA Chair

POLIMI ACTIVITIES urban data collection and preprocessing

Blowin in the Wind. Making a Ping-Pong Anemometer

Integrating Globus into a Science Gateway for Cryo-EM

Outline Oxana Smirnova, Particle Physics 2

InoPower Storm Detection system

GIS Geographical Information Systems. GIS Management

Chapter 21: Stars Notes

Orbital Insight Energy: Oil Storage v5.1 Methodologies & Data Documentation

Classification trees for improving the accuracy of land use urban data from remotely sensed images

Investigation of the Effect of Transportation Network on Urban Growth by Using Satellite Images and Geographic Information Systems

The Evolution of SPH. J. J. Monaghan Monash University Australia

Welcome! Power BI User Group (PUG) Copenhagen

WIPO s Chemical Search Function

Galaxies Guiding Questions

redf xid - A LEAP INTO THE FUTURE!

Search for the Dubai in the remap search bar:

Securing the Web of Things

NJDOT Pedestrian Safety Analysis Tool 2015 GIS T Conference

CHM 130LL: Molecular Models

I N T R O D U C T I O N : G R O W I N G I T C O M P L E X I T Y

Year 8 Geography Module 1: ITALY

Introduction to Astronomy

New Meteorological Services Supporting ATM

Dinosaur Discovery. KindergarTen-second. Science TEKS. Vocabulary

MITOCW MITRES_18-007_Part1_lec3_300k.mp4

Migration to the New BI360

[FILE] MILKY WAY AT HOME EBOOK

SIRWEC 2012 Helsinki, March Finland. Miroslav Škuthan Central Forecasting Office Czech Hydrometeorological Institute

DIGITAL TWINS W A Z U G D e c e m b e r

Single top quark production at CDF

Observing Dark Worlds

Life Cycle of a Star Worksheet

A. Incorrect! The Cell Cycle contains 4 distinct phases: (1) G 1, (2) S Phase, (3) G 2 and (4) M Phase.

Yes, the Library will be accessible via the new PULSE and the existing desktop version of PULSE.

Newton s Laws of Motion

Search for the Dubai in the remap search bar:

Introduction to Portal for ArcGIS

A Service Architecture for Processing Big Earth Data in the Cloud with Geospatial Analytics and Machine Learning

The Milky Way - Chapter 23

Astronomy 25. Astronomy 25. Anything back then that could not be seen clearly was called a nebulae. detect fuzzy light objects.

Arvind Borde / AST 10, Week 2: Our Home: The Milky Way

FCAT Review Space Science

AP Human Geography Unit 1: Basic Concepts and Development Mr. Stepek Guided Reading/Study Guide

ArcGIS Maps for Power BI An Introduction. DJ Berry Scott Ball

GraspIT Questions AQA GCSE Physics Space physics

Cell Division and Reproduction

Karhunen-Loève Transform KLT. JanKees van der Poel D.Sc. Student, Mechanical Engineering

Oakland County Parks and Recreation GIS Implementation Plan

1. Galaxy (a) the length of a planet s day. 2. Rotational Period (b) dust and gases floating in space

Questions on Universe

distribution of mass! The rotation curve of the Galaxy ! Stellar relaxation time! Virial theorem! Differential rotation of the stars in the disk

Use of administrative registers for strengthening the geostatistical framework of the Census of Agriculture in Mexico

GIS for Crime Analysis. Building Better Analysis Capabilities with the ArcGIS Platform

MantaRay Documentation

Power System Engineering Prof. Debrapriya Das Department of Electrical Engineering Indian Institute of Technology, Kharagpur

Understanding and Measuring Urban Expansion

thinking about gis geographic information system planning for managersgeographical information systems questions and answers

Transcription:

MISP Training: Galaxies Team CIRCL http://www.misp-project.org/ Twitter: @MISPProject MISP Training @ Helsinki 20180423

MISP Galaxies MISP started out as a platform for technical indicator sharing The need for a way to describe threat actors, tools and other commonalities became more and more pressing Taxonomies quickly became essential for classifying events The weakness of the tagging aproach is that it s not very descriptive We needed a way to attach more complex structures to data Also, with the different naming conventions for the same thing attribution was a mess This is where the Galaxy concept came in 2 / 14

Solution Pre-crafted galaxy clusters via GitHub project Attach them to an event (or soon attribute) The main design principle was that these higher level informations are meant for human consumption This means flexibility - key value pairs, describe them dynamically Technical indicators remain strongly typed and validated, galaxies are loose key value lists 3 / 14

The galaxy object stack Galaxy: The type of data described (Threat actor, Tool,...) Cluster: An individual instance of the galaxy (Sofacy, Turla,...) Element: Key value pairs describing the cluster (Country: RU, Synonym: APT28, Fancy Bear) Reference: Referenced galaxy cluster (Such as a threat actor using a specific tool) 4 / 14

(some) Existing galaxies Exploit-Kit: An enumeration of known exploitation kits used by adversaries Microsoft activity group: Adversary groups as defined by Microsoft Preventive measure: Potential preventive measures against threats Ransomware: List of known ransomwares TDS: Traffic Direction System used by adversaries Threat-Actor: Known or estimated adversary groups Tool: Tools used by adversaries (from Malware to common tools) MITRE ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK TM ) 5 / 14

What a cluster looks like 6 / 14

Attaching clusters to events Internally simply using a taxonomy-like tag to attach them to events Example: misp-galaxy:threat-actor= Sofacy Synchronisation works out of the box with older instances too. They will simply see the tags until they upgrade. Currently, as mentioned we rely on the community s contribution of galaxies 7 / 14

Attaching clusters Use a searchable synonym database to find what you re after 8 / 14

Creating your own galaxy Creating galaxy clusters has to be straightforward to get the community to contribute Building on the prior success of the taxonomies and warninglists Simple JSON format in similar fashion Just drop the JSON in the proper directory and let MISP ingest it We always look forward to contributions to our galaxies repository 9 / 14

Galaxy JSON If you want to create a completely new galaxy instead of enriching an existing one 1 { 2 name : Threat Actor, 3 t y p e : t h r e a t a c t o r, 4 d e s c r i p t i o n : Threat a c t o r s a r e c h a r a c t e r i s t i c s o f m a l i c i o u s a c t o r s ( o r a d v e r s a r i e s ) r e p r e s e n t i n g a c y b e r a t t a c k t h r e a t i n c l u d i n g presumed i n t e n t and h i s t o r i c a l l y o b s e r v e d b e h a v i o u r., 5 v e r s i o n : 1, 6 u u i d : 698774 c 7 8022 42 c 4 917 f 8d6 e 4 f 06 ada 3 7 } 10 / 14

Cluster JSON Clusters contain the meat of the data Skeleton structure as follows 1 { 2 v a l u e s : [ 3 { 4 meta : {}, 5 d e s c r i p t i o n :, 6 v a l u e :, 7 r e l a t e d c l u s t e r s : [ {} ], 8 } 9 ] 10 } 11 / 14

Cluster JSON value example 1 { 2 meta : { 3 synonyms : [ 4 APT 28, APT28, Pawn Storm, Fancy Bear, 5 S e d n i t, TsarTeam, TG 4127, Group 4127, 6 STRONTIUM, Grey Cloud 7 ], 8 c o u n t r y : RU, 9 r e f s : [ 10 h t t p s : // en. w i k i p e d i a. org / w i k i / S o f a c y G r o u p 11 ] 12 }, 13 d e s c r i p t i o n : The S o f a c y Group ( a l s o known as APT28, 14 Pawn Storm, Fancy Bear and S e d n i t ) i s a c y b e r 15 e s p i o n a g e group b e l i e v e d to have t i e s to t h e 16 R u s s i a n government. L i k e l y o p e r a t i n g s i n c e 2007, 17 t h e group i s known to t a r g e t government, m i l i t a r y, 18 and s e c u r i t y o r g a n i z a t i o n s. I t has been 19 c h a r a c t e r i z e d as an advanced p e r s i s t e n t t h r e a t., 20 v a l u e : S o f a c y 21 }, 12 / 14

PyMISPGalaxies from p y m i s p g a l a x i e s import C l u s t e r s c = C l u s t e r s ( ) l i s t ( g. k e y s ( ) ) # [ t h r e a t a c t o r, ransomware, e x p l o i t k i t, t d s, t o o l, r a t, m itre a t t a c k p a t t e r # mitre t o o l, m i c r o s o f t a c t i v i t y group, mitre c o u r s e of a c t i o n, mitre malware, # mitre i n t r u s i o n s e t, p r e v e n t i v e measure ] p r i n t ( c. g e t ( r a t ) ) # misp galaxy : rat= Brat # misp galaxy : r a t= Loki RAT # misp g a l a x y : r a t = j o i n. me # misp galaxy : rat= Setro # misp galaxy : rat= drat # misp galaxy : r a t= Plasma RAT # misp galaxy : r a t= NanoCore # misp galaxy : r a t= DarkTrack # misp galaxy : r a t= Theef # misp galaxy : r a t= Greame # misp galaxy : r a t= Nuclear RAT # misp galaxy : rat= DameWare Mini Remote Control # misp galaxy : r a t= ProRat # misp galaxy : rat= death # misp galaxy : r a t= Dark DDoSeR #.... p r i n t ( c. g e t ( r a t ). d e s c r i p t i o n ) # remote a d m i n i s t r a t i o n t o o l o r remote a c c e s s t o o l (RAT), a l s o c a l l e d sometimes remote # access trojan, i s a piece of software or programming that allows a remote operator # to c o n t r o l a system as i f t h e y have p h y s i c a l a c c e s s to t h a t system. 13 / 14

Q&A info@circl.lu (if you want to join the CIRCL MISP sharing community) OpenPGP fingerprint: 3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD https://github.com/misp/ - http://www.misp-project.org/ We welcome any contributions to the project, be it pull requests, ideas, github issues,... 14 / 14

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback