
MISP and threat intelligence

MISP Project - https://www.misp-project.org

Koen Van Impe - https://www.cudeso.be


[email protected]
@cudeso

June 2021
TLP:White
What is threat intelligence?

Threat Intelligence (TI) is:

• evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice,
• about an existing or emerging menace or hazard to IT or information assets,
• which can be used to inform decisions regarding the subject's response to that menace or hazard.

Why it matters:

• Understand the threats targeting an organisation.
• Understand attackers' motives and behaviours.
• Make faster and better informed decisions.
• Prepare for, protect against, detect and respond to these threats.

MISP and threat intelligence 3


Intelligence is more than Information. Or data.

Operational environment -> (collect) -> Data -> (process) -> Information -> (analyse) -> Intelligence


Threat intelligence use cases

Tactical: "What", "Where" and "When"
• Atomic indicators
• Security controls, defend the organisation
• Sources: threat data feeds
• Consumers: SOC analyst; firewall, proxy, SIEM
• Example: IP address 1.2.3.4; file hash abcd1234; file name malware.exe

Operational: "How"
• TTPs, capabilities and infrastructure
• Prioritize operations, address blind spots in detection
• Sources: threat feeds with context, operational threat reports
• Consumers: SOC analyst, incident response, vulnerability management, threat monitoring
• Example: malware.exe has file hash abcd1234 and exfiltrates data to 1.2.3.4 between 1-Jan-21 and 2-Jan-21

Strategic: "Why" and "Who"
• High level risks and trends
• Business decision making
• Sources: threat landscapes
• Consumers: CISO, CTO, board
• Example: threat group ZXY attacks energy facilities in Europe with the objective to steal company secrets

Capability (axis across the three levels: Tactical - Operational - Strategic)


What is MISP?

MISP is a Threat Information Sharing Platform: collect, normalize, enrich, correlate, analyse, disseminate and share.

• Free and open source, in existence for more than 10 years
• CIRCL leads development
• Used by more than 6000 organisations worldwide: security teams, national and government CSIRTs, commercial providers


Different users. Different objectives.

Blocking
• Prevent infections
• Improve security controls
• Protect your organisation

Detection
• Identify infected systems
• Security incidents
• Discover anomalous actions

Intelligence
• Who is targeting your organisation?
• What are they trying to achieve?


Everyone can receive data. Everyone can contribute to data.

• Core functionality is sharing
• Everyone can be a consumer and/or a contributor/producer
• Quick benefit without the obligation to contribute
• Low barrier to get acquainted with the system


How does it work?

• Set up a MISP server
  • In your environment
• Connect to threat data feeds
  • Free and commercial feeds
  • IP addresses, file hashes, domains, TTPs
• Connect to trusted providers
  • Government and sector/industry MISP instances
• Query and update security controls
  • Proxy server, firewall, logs, endpoints
  • SIEM, IDS

Typical process

Analysis
• Trusted provider identifies a threat for a sector / organisation

Threat event
• Detection package
• Indicators of compromise
• Activities and behaviour

Victim
• Receives the MISP event
• Verification and approval

Infrastructure
• Query for activity
• Block activity

Share back and report back.


Use cases for received threat events

• Block IP address on firewall
• Block malicious URL on proxy
• Query logs for activity
• Scan endpoints with custom rules
• IDS signatures
• SIEM alerts
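The received-event workflow above (block on the firewall and proxy, query logs for activity), as an added Python example that is not part of the deck and not code from the MISP project. It consumes one event in MISP's JSON export format; the event, the log lines and the 90-day age cut-off are constructed here and reuse the deck's illustrative indicators. Two quality rules are applied: only attributes MISP flags with to_ids go to blocking controls, and indicators older than the cut-off are dropped from blocking, while hunting in logs still uses every non-deleted attribute.

```python
"""Apply a received MISP event to security controls.

Added example (not the MISP project's code, not the slide author's). The
event and log lines are constructed; the age cut-off is an assumption.
"""
import json
import re

# Constructed MISP event, shaped like a trimmed /events/view/<id>.json export.
SAMPLE_EVENT = json.dumps({"Event": {
    "id": "1", "info": "Exfiltration to 1.2.3.4 (constructed)",
    "Attribute": [
        {"type": "ip-dst", "value": "1.2.3.4", "to_ids": True,
         "deleted": False, "timestamp": "1622505600"},       # 2021-06-01
        {"type": "md5", "value": "abcd1234", "to_ids": True,
         "deleted": False, "timestamp": "1622505600"},       # deck's toy hash
        {"type": "filename", "value": "malware.exe", "to_ids": False,
         "deleted": False, "timestamp": "1622505600"},       # hunt only
        {"type": "url", "value": "http://bad.example/dl", "to_ids": True,
         "deleted": False, "timestamp": "1622505600"},
        {"type": "ip-dst", "value": "5.6.7.8", "to_ids": True,
         "deleted": False, "timestamp": "1400000000"},       # 2014: stale
    ]}})

# Constructed logs: two proxy access-log lines and one endpoint telemetry line.
SAMPLE_LOGS = [
    "1623715200.123 45 10.0.0.5 TCP_MISS/200 1024 GET http://bad.example/dl - HIER_DIRECT/1.2.3.4 application/octet-stream",
    "1623715201.456 12 10.0.0.6 TCP_MISS/200 512 GET http://ok.example/ - HIER_DIRECT/93.184.216.34 text/html",
    "2021-06-15T00:00:02Z host=ws01 proc=C:\\Users\\a\\Downloads\\malware.exe md5=abcd1234",
]

DEMO_NOW = 1623715200          # 2021-06-15 00:00 UTC, the "current time" of the demo
IP_TYPES = {"ip-src", "ip-dst"}
PROXY_TYPES = {"url", "domain", "hostname"}


def load_attributes(event_json):
    """Return the event's non-deleted attributes (MISP nests them under Event)."""
    event = json.loads(event_json)["Event"]
    return [a for a in event.get("Attribute", []) if not a.get("deleted", False)]


def select_for_blocking(attrs, now, max_age_days=90):
    """Keep indicators flagged to_ids and younger than max_age_days.

    to_ids is MISP's own "use for detection/blocking" flag; the age cut-off
    implements the deck's advice to retire older, less relevant indicators.
    """
    cutoff = now - max_age_days * 86400
    return [a for a in attrs if a.get("to_ids") and int(a["timestamp"]) >= cutoff]


def firewall_blocklist(attrs):
    """Values to push to the firewall: source/destination IP indicators."""
    return sorted({a["value"] for a in attrs if a["type"] in IP_TYPES})


def proxy_blocklist(attrs):
    """Values to push to the proxy: URL, domain and hostname indicators."""
    return sorted({a["value"] for a in attrs if a["type"] in PROXY_TYPES})


def _pattern(attr):
    v = re.escape(attr["value"])
    if attr["type"] in IP_TYPES:
        # Anchor IPs so that 1.2.3.4 does not match inside 11.2.3.45.
        return re.compile(r"(?<![\d.])" + v + r"(?![\d.])")
    return re.compile(v, re.IGNORECASE)


def hunt_in_logs(attrs, log_lines):
    """Return (line_no, type, value) for every indicator seen in the logs.

    Hunting uses all attributes, including to_ids=False ones such as file
    names: a hit is a question for an analyst, not an automatic block.
    """
    patterns = [(a, _pattern(a)) for a in attrs]
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for a, pat in patterns:
            if pat.search(line):
                hits.append((n, a["type"], a["value"]))
    return hits


if __name__ == "__main__":
    attrs = load_attributes(SAMPLE_EVENT)
    block = select_for_blocking(attrs, DEMO_NOW)
    print("firewall:", firewall_blocklist(block))
    print("proxy:", proxy_blocklist(block))
    for hit in hunt_in_logs(attrs, SAMPLE_LOGS):
        print("hit:", hit)
```

With the constructed data the firewall list contains only 1.2.3.4 (5.6.7.8 is stale), the proxy list only the URL, and the log hunt reports the IP and URL on the first proxy line plus the file name and hash on the endpoint line.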


What do you need?

• Hardware and software
  • One server with Linux (preferably Ubuntu Linux)
  • Average storage and memory (250 GB / 64 GB)
  • MISP uses a web server (Apache) and a database server (MariaDB)
• Installation
  • MISP is usually installed from source via GitHub
• Infrastructure integration
  • Customizations for integration with security controls
  • Base capabilities are included
  • Needs to be tuned to your environment


MISP details

Access to MISP

• Web interface
  • Multiple users and groups
  • Role based access
• API access for automation
  • Integration with other tools
  • Synchronization with security controls
  • Python library


MISP user interface

• Events are containers of contextually linked information
  • From an incident, a security report or a threat actor analysis
• Contain attributes with indicators
• Tools, techniques and procedures
• Your desired (or expected) actions
  • Block, detect


MISP dashboard with trends and statistics


Timeline and clusters of activities


Information quality management

• Contextualization
• False positive management

Correlating data

• Correlate on indicators and context

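Correlation "on indicators and context", as an added Python example. This is not MISP's own correlation engine (which runs server-side in the project's PHP code base); it rebuilds the idea in a few lines so the mechanism is visible: index attribute values across events, and separately index context tags such as galaxy clusters, so that two events sharing an indicator or a threat actor are surfaced together. The three events are constructed; treating tlp: tags as non-correlating is an assumption made here.

```python
"""Correlate indicators and context across MISP events.

Added example (not the MISP project's correlation code). Events are
constructed; the tag-prefix exclusion list is an assumption.
"""
import json
from collections import defaultdict

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Event": {"id": "10", "info": "Phishing wave, sector A",
               "Tag": [{"name": "tlp:amber"},
                       {"name": 'misp-galaxy:threat-actor="ZXY"'}],
               "Attribute": [{"type": "ip-dst", "value": "1.2.3.4", "to_ids": True},
                             {"type": "domain", "value": "login.bad.example", "to_ids": True}]}},
    {"Event": {"id": "11", "info": "Incident 2021-06-02 at victim B",
               "Tag": [{"name": "tlp:green"}],
               "Attribute": [{"type": "ip-dst", "value": "1.2.3.4", "to_ids": True},
                             {"type": "md5", "value": "abcd1234", "to_ids": True}]}},
    {"Event": {"id": "12", "info": "Report on ZXY infrastructure",
               "Tag": [{"name": "tlp:amber"},
                       {"name": 'misp-galaxy:threat-actor="ZXY"'}],
               "Attribute": [{"type": "domain", "value": "c2.bad.example", "to_ids": True}]}},
]]

# Tags that carry no correlation value on their own: every event has a TLP.
NON_CORRELATING_PREFIXES = ("tlp:",)


def index_events(event_jsons):
    """Build two indexes: indicator value -> event ids, context tag -> event ids.

    Values are indexed without their type, so an ip-dst in one event and the
    same address as ip-src in another still correlate.
    """
    by_value = defaultdict(set)
    by_context = defaultdict(set)
    for raw in event_jsons:
        ev = json.loads(raw)["Event"]
        for a in ev.get("Attribute", []):
            by_value[a["value"]].add(ev["id"])
        for t in ev.get("Tag", []):
            if not t["name"].startswith(NON_CORRELATING_PREFIXES):
                by_context[t["name"]].add(ev["id"])
    return by_value, by_context


def correlations(index):
    """Keys that occur in more than one event, with the sorted event ids."""
    return {k: sorted(ids) for k, ids in index.items() if len(ids) > 1}


def related_events(event_id, by_value, by_context):
    """Event ids linked to event_id through a shared indicator or context tag."""
    related = set()
    for index in (by_value, by_context):
        for ids in index.values():
            if event_id in ids:
                related |= ids
    related.discard(event_id)
    return sorted(related)


if __name__ == "__main__":
    by_value, by_context = index_events(SAMPLE_EVENTS)
    print("shared indicators:", correlations(by_value))
    print("shared context:", correlations(by_context))
    print("related to event 10:", related_events("10", by_value, by_context))
```

Event 10 is linked to event 11 through the indicator 1.2.3.4 and to event 12 through the threat-actor cluster only; an analyst looking at the incident in event 11 therefore reaches the actor attribution in event 12 in two hops, which is exactly the pivot the graph view in MISP draws.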

Continuous feedback loop

• Feedback on observed indicators


• Confirm presence of activity


Relevant indicators

• Remove older (less- / non relevant) indicators


MISP in industrial environment

MISP in industrial / ICS environment

"Normal" MISP
• Export threat events
• Transfer via USB
• Scan via kiosk

ICS - Airgapped
• Import threat events
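The USB-and-kiosk transfer into the air-gapped ICS zone, as an added Python example (not code from the MISP project or the slide author). The connected MISP exports events as JSON; the export side bundles them with a manifest of SHA-256 digests and authenticates the manifest with an HMAC key, which this example assumes is pre-shared with the kiosk (a signature made with an offline key pair would fill the same role). The kiosk side refuses media that carries a tampered file, an unlisted file, a forged manifest, or anything that is not a plain MISP event, so only the intended JSON crosses the gap. The exports and the key are constructed.

```python
"""Integrity-checked transfer of exported MISP events across an air gap.

Added example (not the MISP project's code). TRANSFER_KEY is assumed to be
pre-shared between the export host and the kiosk; exports are constructed.
"""
import hashlib
import hmac
import json

TRANSFER_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: pre-shared secret

# Constructed exports, shaped like /events/view/<id>.json from the connected MISP.
EXPORTS = {
    "event-10.json": json.dumps({"Event": {"id": "10", "info": "ICS-relevant IOCs",
        "Attribute": [{"type": "ip-dst", "value": "1.2.3.4", "to_ids": True}]}}),
    "event-11.json": json.dumps({"Event": {"id": "11", "info": "Second event",
        "Attribute": [{"type": "md5", "value": "abcd1234", "to_ids": True}]}}),
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bundle(files, key=TRANSFER_KEY):
    """Export side: {name: text} -> {name: bytes} plus an authenticated manifest."""
    payload = {name: text.encode() for name, text in files.items()}
    manifest = {"files": {name: _digest(data) for name, data in payload.items()}}
    canonical = json.dumps(manifest, sort_keys=True).encode()   # stable bytes to MAC
    payload["manifest.json"] = canonical
    payload["manifest.mac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest().encode()
    return payload


def _looks_like_misp_event(data: bytes) -> bool:
    """Kiosk content filter: only plain JSON MISP events are allowed through."""
    try:
        ev = json.loads(data)["Event"]
    except (ValueError, KeyError, TypeError):
        return False
    return isinstance(ev, dict) and "info" in ev and isinstance(ev.get("Attribute"), list)


def verify_bundle(bundle, key=TRANSFER_KEY):
    """Kiosk side: return {name: parsed event} safe to import, or raise ValueError."""
    canonical = bundle.get("manifest.json")
    if canonical is None:
        raise ValueError("manifest missing")
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle.get("manifest.mac", b"").decode()):
        raise ValueError("manifest authentication failed")
    listed = json.loads(canonical)["files"]
    extra = set(bundle) - set(listed) - {"manifest.json", "manifest.mac"}
    if extra:
        raise ValueError(f"unlisted files on media: {sorted(extra)}")
    accepted = {}
    for name, digest in listed.items():
        data = bundle.get(name)
        if data is None or not hmac.compare_digest(_digest(data), digest):
            raise ValueError(f"{name}: missing or hash mismatch")
        if not _looks_like_misp_event(data):
            raise ValueError(f"{name}: not a MISP event export")
        accepted[name] = json.loads(data)
    return accepted


def kiosk_import(bundle, key=TRANSFER_KEY):
    """Convenience wrapper: (accepted_events, None) on success, (None, reason) otherwise."""
    try:
        return verify_bundle(bundle, key), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    media = build_bundle(EXPORTS)
    print("clean media:", kiosk_import(media))
    media["update.exe"] = b"MZ"
    print("media with extra file:", kiosk_import(media))
```

The order of the checks matters: the manifest MAC is verified before any listed file is opened, so an attacker who can write to the USB stick but lacks the key cannot get the kiosk to parse attacker-controlled JSON at all, and unlisted files are rejected before the per-file hashes are even compared.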


Questions?
