SlideShare a Scribd company logo

MNSEC 2018 - Threat Intel Sharing from a CSIRT Standpoint

M
MNCERT

Steve Clement - CERT Luxembourg

Technology
1 of 25
Usually a MISP workshop Introduction into Information Sharing using MISP for CSIRTs Team CIRCL TLP:WHITE MNSEC 2018 20181004
Plan for this session • Explanation of the CSIRT use case for information sharing and what CIRCL does • Building an information sharing community and best practices 2 / 25
Communities operated by CIRCL • As a CSIRT, CIRCL operates a wide range of communities • We use it as an internal tool to cover various day-to-day activities • Whilst being the main driving force behind the development, we’re also one of the largest consumers • Different communities have different needs and restrictions 3 / 25
Communities operated by CIRCL • Private sector community ◦ Our largest sharing community ◦ Over 900 organisations ◦ 2000 users ◦ Functions as a central hub for a lot of sharing communities ◦ Private organisations, Researchers, Various SoCs, some CSIRTs, etc • CSIRT community ◦ Tighter community ◦ National CSIRTs, connections to international organisations, etc 4 / 25
Communities operated by CIRCL • Financial sector community ◦ Banks, payment processors, etc. ◦ Sharing of mule accounts and non-cyber threat infomartion • X-ISAC ◦ Bridging the gap between the various sectorial and georgraphical ISACs ◦ New, but ambitious initiative ◦ Goal is to bootstrap the cross-sectorial sharing along with building the infrastructure to enable sharing when needed ◦ https://www.x-isac.org/ Need access? np: mailto:info@circl.lu 5 / 25
Communities operated by CIRCL • Coming up - the ATT&CK EU community ◦ Work on attacker modelling ◦ With the assistance of Mitre themselves ◦ Unique opportunity to standardise on TTPs ◦ Looking for organisations that want to get involved! ◦ https://attack.mitre.org 6 / 25
Communities supported by CIRCL • FIRST.org’s MISP community • Telecom and Mobile operators’ community • Various ad-hoc and time limited communities, exercises for example ◦ Most recently the ENISA exercise a few months ago (2nd year MISP was used) ◦ Open for other events 7 / 25
Sharing Scenarios in MISP • Sharing can happen for many different reasons. What are the typical CSIRT scenarios? • We can generally split these activities into 4 main groups when we’re talking about traditional CSIRT tasks: ◦ Core services ◦ Proactive services ◦ Advanced services ◦ Sharing communities managed by CSIRTs for various tasks 8 / 25
CSIRT core services • Incident response ◦ Internal storage of incident response data ◦ Sharing of indicators derived from incident response ◦ Correlating data derived and using the built in analysis tools ◦ Enrichment services ◦ Collaboration with affected parties via MISP during IR ◦ Co-ordination and collaboration ◦ Takedown requests • Alerting of information leaks (integration with AIL1) 1 https://github.com/CIRCL/AIL-framework9 / 25
CSIRT proactive services • Contextualising both internal and external data • Collection and dissimination of data from various sources (including OSINT) • Storing, correlating and sharing own manual research (reversing, behavioural analysis) • Aggregating automated collection (sandboxing, honeypots, spamtraps, sensors) ◦ MISP allows for the creation of internal MISP ”clouds” ◦ Store large specialised datasets (for example honeypot data) ◦ MISP has interactions with a large set of such tools (Cuckoo, Mail2MISP, etc) • Situational awareness tools to monitor trends and adversary TTPs within my sector/geographical region (MISP-dashboard, built in statistics) 10 / 25
CSIRT proactive services - MISP dashboard 11 / 25
CSIRT proactive services - MISP dashboard 12 / 25
CSIRT advanced services • Supporting forensic analysts • Collaboration with law enforcement • Vulnerability information sharing ◦ Notifications to the constituency about relevant vulnerabilities ◦ Co-ordinating with vendors for notifications (*) ◦ Internal / closed community sharing of pentest results ◦ We’re planning on starting a series of hackathons to find 13 / 25
CSIRTs’ management of sharing communities for constituent actions: • Reporting non-identifying information about incidents (such as outlined in NISD) • Seeking and engaging in collaboration with CSIRT or other parties during an incident • Pre-sharing information to request for help / additional information from the community • Pseudo-anonymised sharing through 3rd parties to avoid attribution of a potential target • Building processes for other types of sharing to get the community engaged and acquainted with the methodologies of sharing (mule account information, border control, etc) 14 / 25
A quick note on compliance... • Collaboration with Deloitte as part of a CEF project for creating compliance documents ◦ Information sharing and cooperation enabled by GDPR ◦ How MISP enables stakeholders identified by the NISD to perform key activities ◦ AIL and MISP • For more information: https://github.com/CIRCL/compliance 15 / 25
Getting started with building your own sharing community • Starting a sharing community is both easy and difficult at the same time • Many moving parts and most importantly, you’ll be dealing with a diverse group of people • Understanding and working with your constituents to help them face their challenges is key 16 / 25
Getting started with building your own sharing community • When you are starting out - you are in a unique position to drive the community and set best practices... 17 / 25
Running a sharing community using MISP - How to get going? • Different models for constituents ◦ Connecting to a MISP instance hosted by a CSIRT ◦ Hosting their own instance and connecting to CSIRT’s MISP ◦ Becoming member of a sectorial MISP community that is connected to CSIRT’s community • Planning ahead for future growth ◦ Estimating requirements ◦ Deciding early on common vocabularies ◦ Offering services through MISP 18 / 25
Rely on our instincts to immitate over expecting adherence to rules • Lead by example - the power of immitation • Encourage improving by doing instead of blocking sharing with unrealistic quality controls ◦ What should the information look like? ◦ How should it be contextualise ◦ What do you consider as useful information? ◦ What tools did you use to get your conclusions? • Side effect is that you will end up raising the capabilities of your constituents 19 / 25
What counts as valuable data? • Sharing comes in many shapes and sizes ◦ Sharing results / reports is the classical example ◦ Sharing enhancements to existing data ◦ Validating data / flagging false positives ◦ Asking for support from the community • Embrace all of them. Even the ones that don’t do either, you’ll never know when they change their minds... 20 / 25
How to deal with organisations that only ”leech”? • From our own communities, only about 30% of the organisations actively share data • We have come across some communities with sharing requirements • In our experience, this sets you up for failure because: ◦ Organisations will lose protection who would possibily benefit the most from it ◦ Organisations that want to stay above the thresholds will start sharing junk / fake data ◦ You lose organisations that might turn into valuable contributors in the future 21 / 25
So how does one convert the passive organisations into actively sharing ones? • Rely on organic growth • Help them increase their capabilities • As mentioned before, lead by example • Rely on the inherent value to one’s self when sharing information (validation, enrichments, correlations) • Give credit where credit is due, never steal the accolades of your community (that is incredibly demotivating) 22 / 25
Dispelling the myths around blockers when it comes to information sharing • Sharing difficulties are not really technical issues but often it’s a matter of social interactions (e.g. trust). ◦ You can play a role here: organise regular workshops, conferences, have face to face meetings • Legal restrictions ◦ ”Our legal framework doesn’t allow us to share information.” ◦ ”Risk of information leak is too high and it’s too risky for our organization or partners.” • Practical restrictions ◦ ”We don’t have information to share.” ◦ ”We don’t have time to process or contribute indicators.” ◦ ”Our model of classification doesn’t fit your model.” ◦ ”Tools for sharing information are tied to a specific format, we use a different one.” 23 / 25
Get in touch if you need some help to get started • Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions! • Contact: info@circl.lu • https://www.circl.lu/ • https://github.com/MISP - https://gitter.im/MISP/MISP - https://twitter.com/MISPProject 24 / 25
One final #rant 25 / 25

Recommended

Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...
Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...
Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...
MicheleNati
 
The decentralized politics of bitcoin
The decentralized politics of bitcoinThe decentralized politics of bitcoin
The decentralized politics of bitcoin
Ron Gross
 
Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...
Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...
Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...
MicheleNati
 
Decentralized Autonomous Organizations: Concept & Practical Examples
Decentralized Autonomous Organizations: Concept & Practical ExamplesDecentralized Autonomous Organizations: Concept & Practical Examples
Decentralized Autonomous Organizations: Concept & Practical Examples
Jan Brejcha
 
David Smith gfke 2014
David Smith gfke 2014David Smith gfke 2014
David Smith gfke 2014
innovationoecd
 
Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...
Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...
Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...
MicheleNati
 
Delivering blockchain’s potential for environmental sustainability
Delivering blockchain’s potential for environmental sustainabilityDelivering blockchain’s potential for environmental sustainability
Delivering blockchain’s potential for environmental sustainability
Anna Poberezhna
 
Blockchain vision
Blockchain visionBlockchain vision
Blockchain vision
Cyber Fund
 

Recommended

Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...
Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...
Personal data and blockchain: Opportunities and Challenges - Michele Nati - L...
MicheleNati
 
The decentralized politics of bitcoin
The decentralized politics of bitcoinThe decentralized politics of bitcoin
The decentralized politics of bitcoin
Ron Gross
 
Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...
Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...
Consent Receipts: The Future of Personal Data - Michele Nati - Lead Technolog...
MicheleNati
 
Decentralized Autonomous Organizations: Concept & Practical Examples
Decentralized Autonomous Organizations: Concept & Practical ExamplesDecentralized Autonomous Organizations: Concept & Practical Examples
Decentralized Autonomous Organizations: Concept & Practical Examples
Jan Brejcha
 
David Smith gfke 2014
David Smith gfke 2014David Smith gfke 2014
David Smith gfke 2014
innovationoecd
 
Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...
Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...
Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust -...
MicheleNati
 
Delivering blockchain’s potential for environmental sustainability
Delivering blockchain’s potential for environmental sustainabilityDelivering blockchain’s potential for environmental sustainability
Delivering blockchain’s potential for environmental sustainability
Anna Poberezhna
 
Blockchain vision
Blockchain visionBlockchain vision
Blockchain vision
Cyber Fund
 
Digitization strategy
Digitization strategyDigitization strategy
Digitization strategy
vargasonrt
 
IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...
IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...
IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...
MicheleNati
 
Fredinand Garoff: What's next?
Fredinand Garoff: What's next?Fredinand Garoff: What's next?
Fredinand Garoff: What's next?
THL
 
Customers, Leadership and Big Data
Customers, Leadership and Big DataCustomers, Leadership and Big Data
Customers, Leadership and Big Data
Mick Yates
 
I-DREAM Central by Blockchain Worx
I-DREAM Central by Blockchain WorxI-DREAM Central by Blockchain Worx
I-DREAM Central by Blockchain Worx
Blockchain Worx
 
Blockchains : Risk or Mitigation?
Blockchains : Risk or Mitigation?Blockchains : Risk or Mitigation?
Blockchains : Risk or Mitigation?
ITU
 
Introduction to Blockchain Business Models
Introduction to Blockchain Business ModelsIntroduction to Blockchain Business Models
Introduction to Blockchain Business Models
Gokul Alex
 
Deep dive: enterprise blockchain
Deep dive: enterprise blockchainDeep dive: enterprise blockchain
Deep dive: enterprise blockchain
ErickTractionTechnology
 
Xact aceds 5-7-14 webcast
Xact aceds 5-7-14 webcastXact aceds 5-7-14 webcast
Xact aceds 5-7-14 webcast
Robbie Hilson
 
Structural Innovations: ARNOVA 2010 Conference
Structural Innovations: ARNOVA 2010 ConferenceStructural Innovations: ARNOVA 2010 Conference
Structural Innovations: ARNOVA 2010 Conference
CauseShift
 
Modelling Higher Education's digital future
Modelling Higher Education's digital future Modelling Higher Education's digital future
Modelling Higher Education's digital future
Kate Carruthers
 
DeFi PPT.pptx
DeFi PPT.pptxDeFi PPT.pptx
DeFi PPT.pptx
Gloria Bell
 
#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012
#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012
#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012
Connecting Up
 
Blockchain - a platform for Digital Transformation
Blockchain - a platform for Digital TransformationBlockchain - a platform for Digital Transformation
Blockchain - a platform for Digital Transformation
Floyd DCosta
 
Corporate Governance And Cloud Computing
Corporate Governance And Cloud Computing Corporate Governance And Cloud Computing
Corporate Governance And Cloud Computing
itnewsafrica
 
Big Data, You and Them
Big Data, You and ThemBig Data, You and Them
Big Data, You and Them
Mick Yates
 
Aussie outback
Aussie outbackAussie outback
Aussie outback
dominion
 
Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...
Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...
Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...
Govnet Events
 
What are the different types of blockchain technology explained
What are the different types of blockchain technology explainedWhat are the different types of blockchain technology explained
What are the different types of blockchain technology explained
OliviaJune1
 
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
Andile Ngcaba
 
Digital Transformation Business Evolution
Digital Transformation Business Evolution Digital Transformation Business Evolution
Digital Transformation Business Evolution
Digital Catapult
 
UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...
UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...
UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...
MicheleNati
 

More Related Content

What's hot

Xact aceds 5-7-14 webcast
Xact aceds 5-7-14 webcastXact aceds 5-7-14 webcast
Xact aceds 5-7-14 webcast
Robbie Hilson
 
Corporate Governance And Cloud Computing
Corporate Governance And Cloud Computing Corporate Governance And Cloud Computing
Corporate Governance And Cloud Computing
itnewsafrica
 
Aussie outback
Aussie outbackAussie outback
Aussie outback
dominion
 
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
Andile Ngcaba
 

What's hot (20)

Digitization strategy
Digitization strategyDigitization strategy
Digitization strategy
 
IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...
IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...
IoTMeetupGuildford#20: Michele Nati, Personal data and Blockchain: Opportunit...
 
Fredinand Garoff: What's next?
Fredinand Garoff: What's next?Fredinand Garoff: What's next?
Fredinand Garoff: What's next?
 
Customers, Leadership and Big Data
Customers, Leadership and Big DataCustomers, Leadership and Big Data
Customers, Leadership and Big Data
 
I-DREAM Central by Blockchain Worx
I-DREAM Central by Blockchain WorxI-DREAM Central by Blockchain Worx
I-DREAM Central by Blockchain Worx
 
Blockchains : Risk or Mitigation?
Blockchains : Risk or Mitigation?Blockchains : Risk or Mitigation?
Blockchains : Risk or Mitigation?
 
Introduction to Blockchain Business Models
Introduction to Blockchain Business ModelsIntroduction to Blockchain Business Models
Introduction to Blockchain Business Models
 
Deep dive: enterprise blockchain
Deep dive: enterprise blockchainDeep dive: enterprise blockchain
Deep dive: enterprise blockchain
 
Xact aceds 5-7-14 webcast
Xact aceds 5-7-14 webcastXact aceds 5-7-14 webcast
Xact aceds 5-7-14 webcast
 
Structural Innovations: ARNOVA 2010 Conference
Structural Innovations: ARNOVA 2010 ConferenceStructural Innovations: ARNOVA 2010 Conference
Structural Innovations: ARNOVA 2010 Conference
 
Modelling Higher Education's digital future
Modelling Higher Education's digital future Modelling Higher Education's digital future
Modelling Higher Education's digital future
 
DeFi PPT.pptx
DeFi PPT.pptxDeFi PPT.pptx
DeFi PPT.pptx
 
#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012
#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012
#CU12: Take control of your data with CiviCRM - Chris Ward at Connecting Up 2012
 
Blockchain - a platform for Digital Transformation
Blockchain - a platform for Digital TransformationBlockchain - a platform for Digital Transformation
Blockchain - a platform for Digital Transformation
 
Corporate Governance And Cloud Computing
Corporate Governance And Cloud Computing Corporate Governance And Cloud Computing
Corporate Governance And Cloud Computing
 
Big Data, You and Them
Big Data, You and ThemBig Data, You and Them
Big Data, You and Them
 
Aussie outback
Aussie outbackAussie outback
Aussie outback
 
Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...
Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...
Working Collaboratively to Share and Analyse Data to Prevent, Detect and Dete...
 
What are the different types of blockchain technology explained
What are the different types of blockchain technology explainedWhat are the different types of blockchain technology explained
What are the different types of blockchain technology explained
 
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
ICANN 50: Report by the panel on Global Internet Cooperation and Governance M...
 

Similar to MNSEC 2018 - Threat Intel Sharing from a CSIRT Standpoint

NDSA Regional Amherst Presentation
NDSA Regional Amherst PresentationNDSA Regional Amherst Presentation
NDSA Regional Amherst Presentation
Micah Altman
 
Developing a digital transformation framework for higher education - enabling...
Developing a digital transformation framework for higher education - enabling...Developing a digital transformation framework for higher education - enabling...
Developing a digital transformation framework for higher education - enabling...
Jisc
 

Similar to MNSEC 2018 - Threat Intel Sharing from a CSIRT Standpoint (20)

Digital Transformation Business Evolution
Digital Transformation Business Evolution Digital Transformation Business Evolution
Digital Transformation Business Evolution
 
UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...
UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...
UNICOM Conference on Digital Transformation - The Trust Framework Initiative ...
 
NDSA Regional Amherst Presentation
NDSA Regional Amherst PresentationNDSA Regional Amherst Presentation
NDSA Regional Amherst Presentation
 
IGF MAG Update
IGF MAG UpdateIGF MAG Update
IGF MAG Update
 
Data Governance in a big data era
Data Governance in a big data eraData Governance in a big data era
Data Governance in a big data era
 
CIO 360 grados: empoderamiento total
CIO 360 grados: empoderamiento totalCIO 360 grados: empoderamiento total
CIO 360 grados: empoderamiento total
 
Socitm Supplier Briefing Bolton
Socitm Supplier Briefing BoltonSocitm Supplier Briefing Bolton
Socitm Supplier Briefing Bolton
 
Socitm Supplier Briefing Bolton
Socitm Supplier Briefing BoltonSocitm Supplier Briefing Bolton
Socitm Supplier Briefing Bolton
 
Deconstructing Challenges Webinar
Deconstructing Challenges WebinarDeconstructing Challenges Webinar
Deconstructing Challenges Webinar
 
Gs awebinar al
Gs awebinar alGs awebinar al
Gs awebinar al
 
Developing a digital transformation framework for higher education - enabling...
Developing a digital transformation framework for higher education - enabling...Developing a digital transformation framework for higher education - enabling...
Developing a digital transformation framework for higher education - enabling...
 
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
CIS14: NSTIC - Why the Identity Ecosystem Steering Group (IDESG)?
 
MIT ICIQ 2017 Keynote: Data Governance and Data Capitalization in the Big Dat...
MIT ICIQ 2017 Keynote: Data Governance and Data Capitalization in the Big Dat...MIT ICIQ 2017 Keynote: Data Governance and Data Capitalization in the Big Dat...
MIT ICIQ 2017 Keynote: Data Governance and Data Capitalization in the Big Dat...
 
Community Informatics for Community Informaticians (keynote at CIRN 2010, Pra...
Community Informatics for Community Informaticians (keynote at CIRN 2010, Pra...Community Informatics for Community Informaticians (keynote at CIRN 2010, Pra...
Community Informatics for Community Informaticians (keynote at CIRN 2010, Pra...
 
Digital Social Innovation and the Impact of Data Analytics
Digital Social Innovation and the Impact of Data Analytics Digital Social Innovation and the Impact of Data Analytics
Digital Social Innovation and the Impact of Data Analytics
 
Sharing in Smart Cities
Sharing in Smart CitiesSharing in Smart Cities
Sharing in Smart Cities
 
Isoc bishkek 2015 11-25
Isoc bishkek 2015 11-25Isoc bishkek 2015 11-25
Isoc bishkek 2015 11-25
 
Tim Willoughby - Presentation to Innovation Masters 2016
Tim Willoughby - Presentation to Innovation Masters 2016Tim Willoughby - Presentation to Innovation Masters 2016
Tim Willoughby - Presentation to Innovation Masters 2016
 
DHS Cybersecurity Webinar
DHS Cybersecurity Webinar DHS Cybersecurity Webinar
DHS Cybersecurity Webinar
 
Seeing Connecticut Now and Then: Repository Services that Support Your Best M...
Seeing Connecticut Now and Then: Repository Services that Support Your Best M...Seeing Connecticut Now and Then: Repository Services that Support Your Best M...
Seeing Connecticut Now and Then: Repository Services that Support Your Best M...
 

More from MNCERT

MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNCERT
 
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
MNCERT
 

More from MNCERT (12)

MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
 
MNSEC 2018 - Active Directory - how not to
MNSEC 2018 - Active Directory - how not toMNSEC 2018 - Active Directory - how not to
MNSEC 2018 - Active Directory - how not to
 
MNSEC 2018 - Mongolian Internet Healthiness
MNSEC 2018 - Mongolian Internet HealthinessMNSEC 2018 - Mongolian Internet Healthiness
MNSEC 2018 - Mongolian Internet Healthiness
 
MNSEC 2018 - Malware Distribution Trends, October 2018
MNSEC 2018 - Malware Distribution Trends, October 2018 MNSEC 2018 - Malware Distribution Trends, October 2018
MNSEC 2018 - Malware Distribution Trends, October 2018
 
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
MNSEC 2018- FortiGuard Lab’s Threat Landscape Highlights
 
MNSEC 2018 - Evolving DDoS Threat Landscape
MNSEC 2018 - Evolving DDoS Threat LandscapeMNSEC 2018 - Evolving DDoS Threat Landscape
MNSEC 2018 - Evolving DDoS Threat Landscape
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensics
 
MNSEC 2018 - Linux hardening
MNSEC 2018 - Linux hardeningMNSEC 2018 - Linux hardening
MNSEC 2018 - Linux hardening
 
MNSEC 2018 - Cryptography
MNSEC 2018 - CryptographyMNSEC 2018 - Cryptography
MNSEC 2018 - Cryptography
 
MNSEC 2018 - MNCERT REPORT
MNSEC 2018 - MNCERT REPORTMNSEC 2018 - MNCERT REPORT
MNSEC 2018 - MNCERT REPORT
 
MNSEC 2018 - Data center security
MNSEC 2018 - Data center securityMNSEC 2018 - Data center security
MNSEC 2018 - Data center security
 
MNSEC 2018 - Information security in blockchain
MNSEC 2018 - Information security in blockchainMNSEC 2018 - Information security in blockchain
MNSEC 2018 - Information security in blockchain
 

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

MNSEC 2018 - Threat Intel Sharing from a CSIRT Standpoint

  • 1. Usually a MISP workshop Introduction into Information Sharing using MISP for CSIRTs Team CIRCL TLP:WHITE MNSEC 2018 20181004
  • 2. Plan for this session • Explanation of the CSIRT use case for information sharing and what CIRCL does • Building an information sharing community and best practices 2 / 25
  • 3. Communities operated by CIRCL • As a CSIRT, CIRCL operates a wide range of communities • We use it as an internal tool to cover various day-to-day activities • Whilst being the main driving force behind the development, we’re also one of the largest consumers • Different communities have different needs and restrictions 3 / 25
  • 4. Communities operated by CIRCL • Private sector community ◦ Our largest sharing community ◦ Over 900 organisations ◦ 2000 users ◦ Functions as a central hub for a lot of sharing communities ◦ Private organisations, Researchers, Various SoCs, some CSIRTs, etc • CSIRT community ◦ Tighter community ◦ National CSIRTs, connections to international organisations, etc 4 / 25
  • 5. Communities operated by CIRCL • Financial sector community ◦ Banks, payment processors, etc. ◦ Sharing of mule accounts and non-cyber threat infomartion • X-ISAC ◦ Bridging the gap between the various sectorial and georgraphical ISACs ◦ New, but ambitious initiative ◦ Goal is to bootstrap the cross-sectorial sharing along with building the infrastructure to enable sharing when needed ◦ https://www.x-isac.org/ Need access? np: mailto:info@circl.lu 5 / 25
  • 6. Communities operated by CIRCL • Coming up - the ATT&CK EU community ◦ Work on attacker modelling ◦ With the assistance of Mitre themselves ◦ Unique opportunity to standardise on TTPs ◦ Looking for organisations that want to get involved! ◦ https://attack.mitre.org 6 / 25
  • 7. Communities supported by CIRCL • FIRST.org’s MISP community • Telecom and Mobile operators’ community • Various ad-hoc and time limited communities, exercises for example ◦ Most recently the ENISA exercise a few months ago (2nd year MISP was used) ◦ Open for other events 7 / 25
  • 8. Sharing Scenarios in MISP • Sharing can happen for many different reasons. What are the typical CSIRT scenarios? • We can generally split these activities into 4 main groups when we’re talking about traditional CSIRT tasks: ◦ Core services ◦ Proactive services ◦ Advanced services ◦ Sharing communities managed by CSIRTs for various tasks 8 / 25
  • 9. CSIRT core services • Incident response ◦ Internal storage of incident response data ◦ Sharing of indicators derived from incident response ◦ Correlating data derived and using the built in analysis tools ◦ Enrichment services ◦ Collaboration with affected parties via MISP during IR ◦ Co-ordination and collaboration ◦ Takedown requests • Alerting of information leaks (integration with AIL1) 1 https://github.com/CIRCL/AIL-framework9 / 25
  • 10. CSIRT proactive services • Contextualising both internal and external data • Collection and dissimination of data from various sources (including OSINT) • Storing, correlating and sharing own manual research (reversing, behavioural analysis) • Aggregating automated collection (sandboxing, honeypots, spamtraps, sensors) ◦ MISP allows for the creation of internal MISP ”clouds” ◦ Store large specialised datasets (for example honeypot data) ◦ MISP has interactions with a large set of such tools (Cuckoo, Mail2MISP, etc) • Situational awareness tools to monitor trends and adversary TTPs within my sector/geographical region (MISP-dashboard, built in statistics) 10 / 25
  • 11. CSIRT proactive services - MISP dashboard 11 / 25
  • 12. CSIRT proactive services - MISP dashboard 12 / 25
  • 13. CSIRT advanced services • Supporting forensic analysts • Collaboration with law enforcement • Vulnerability information sharing ◦ Notifications to the constituency about relevant vulnerabilities ◦ Co-ordinating with vendors for notifications (*) ◦ Internal / closed community sharing of pentest results ◦ We’re planning on starting a series of hackathons to find 13 / 25
  • 14. CSIRTs’ management of sharing communities for constituent actions: • Reporting non-identifying information about incidents (such as outlined in NISD) • Seeking and engaging in collaboration with CSIRT or other parties during an incident • Pre-sharing information to request for help / additional information from the community • Pseudo-anonymised sharing through 3rd parties to avoid attribution of a potential target • Building processes for other types of sharing to get the community engaged and acquainted with the methodologies of sharing (mule account information, border control, etc) 14 / 25
  • 15. A quick note on compliance... • Collaboration with Deloitte as part of a CEF project for creating compliance documents ◦ Information sharing and cooperation enabled by GDPR ◦ How MISP enables stakeholders identified by the NISD to perform key activities ◦ AIL and MISP • For more information: https://github.com/CIRCL/compliance 15 / 25
  • 16. Getting started with building your own sharing community • Starting a sharing community is both easy and difficult at the same time • Many moving parts and most importantly, you’ll be dealing with a diverse group of people • Understanding and working with your constituents to help them face their challenges is key 16 / 25
  • 17. Getting started with building your own sharing community • When you are starting out - you are in a unique position to drive the community and set best practices... 17 / 25
  • 18. Running a sharing community using MISP - How to get going? • Different models for constituents ◦ Connecting to a MISP instance hosted by a CSIRT ◦ Hosting their own instance and connecting to CSIRT’s MISP ◦ Becoming member of a sectorial MISP community that is connected to CSIRT’s community • Planning ahead for future growth ◦ Estimating requirements ◦ Deciding early on common vocabularies ◦ Offering services through MISP 18 / 25
  • 19. Rely on our instincts to immitate over expecting adherence to rules • Lead by example - the power of immitation • Encourage improving by doing instead of blocking sharing with unrealistic quality controls ◦ What should the information look like? ◦ How should it be contextualise ◦ What do you consider as useful information? ◦ What tools did you use to get your conclusions? • Side effect is that you will end up raising the capabilities of your constituents 19 / 25
  • 20. What counts as valuable data? • Sharing comes in many shapes and sizes ◦ Sharing results / reports is the classical example ◦ Sharing enhancements to existing data ◦ Validating data / flagging false positives ◦ Asking for support from the community • Embrace all of them. Even the ones that don’t do either, you’ll never know when they change their minds... 20 / 25
  • 21. How to deal with organisations that only ”leech”? • From our own communities, only about 30% of the organisations actively share data • We have come across some communities with sharing requirements • In our experience, this sets you up for failure because: ◦ Organisations will lose protection who would possibily benefit the most from it ◦ Organisations that want to stay above the thresholds will start sharing junk / fake data ◦ You lose organisations that might turn into valuable contributors in the future 21 / 25
  • 22. So how does one convert the passive organisations into actively sharing ones? • Rely on organic growth • Help them increase their capabilities • As mentioned before, lead by example • Rely on the inherent value to one’s self when sharing information (validation, enrichments, correlations) • Give credit where credit is due, never steal the accolades of your community (that is incredibly demotivating) 22 / 25
  • 23. Dispelling the myths around blockers when it comes to information sharing • Sharing difficulties are not really technical issues but often it’s a matter of social interactions (e.g. trust). ◦ You can play a role here: organise regular workshops, conferences, have face to face meetings • Legal restrictions ◦ ”Our legal framework doesn’t allow us to share information.” ◦ ”Risk of information leak is too high and it’s too risky for our organization or partners.” • Practical restrictions ◦ ”We don’t have information to share.” ◦ ”We don’t have time to process or contribute indicators.” ◦ ”Our model of classification doesn’t fit your model.” ◦ ”Tools for sharing information are tied to a specific format, we use a different one.” 23 / 25
  • 24. Get in touch if you need some help to get started • Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions! • Contact: info@circl.lu • https://www.circl.lu/ • https://github.com/MISP - https://gitter.im/MISP/MISP - https://twitter.com/MISPProject 24 / 25