Misp Training

An Introduction to Cybersecu-
rity Information Sharing

MISP - Threat Sharing
CIRCL / Team MISP Project
MISP Project
https://www.misp-project.org/
CIISI-IE
Threat Sharing
Agenda
Agenda and details available

https://tinyurl.com/CIISI-IE-MISP
1 14
MISP and starting from a practical use-case
During a malware analysis workgroup in 2012, we discovered

that we worked on the analysis of the same malware.
We wanted to share information in an easy and automated
way to avoid duplication of work.
Christophe Vandeplas (then working at the CERT for the
Belgian MoD) showed us his work on a platform that later
became MISP.
A first version of the MISP Platform was used by the MALWG
and the increasing feedback of users helped us to build an
improved platform.
MISP is now a community-driven development.
2 14
about CIRCL
The Computer Incident Response Center Luxembourg (CIRCL) is a

government-driven initiative designed to provide a systematic
response facility to computer security threats and incidents.
CIRCL is the CERT for the private sector, communes and
non-governmental entities in Luxembourg and is operated by
securitymadein.lu g.i.e.
3 14
MISP and CIRCL
CIRCL is mandated by the Ministry of Economy and acting as

the Luxembourg National CERT for private sector.
CIRCL leads the development of the Open Source MISP
threat intelligence platform which is used by many military
or intelligence communities, private companies, financial
sector, National CERTs and LEAs globally.
CIRCL runs multiple large MISP communities performing
active daily threat-intelligence sharing.
4 14
What is MISP?
MISP is a threat information sharing platform that is free &

open source software
A tool that collects information from partners, your analysts,
your tools, feeds
Normalises, correlates, enriches the data
Allows teams and communities to collaborate
Feeds automated protective tools and analyst tools with the
output
5 14
Development based on practical user feedback
There are many different types of users of an information

sharing platform like MISP:
I Malware reversers willing to share indicators of analysis with
respective colleagues.
I Security analysts searching, validating and using indicators in
operational security.
I Intelligence analysts gathering information about specific
adversary groups.
I Law-enforcement relying on indicators to support or
bootstrap their DFIR cases.
I Risk analysis teams willing to know about the new threats,
likelyhood and occurences.
I Fraud analysts willing to share financial indicators to detect
financial frauds.
6 14
MISP model of governance
7 14
Many objectives from different user-groups
Sharing indicators for a detection matter.

I ’Do I have infected systems in my infrastructure or the ones I
operate?’
Sharing indicators to block.
I ’I use these attributes to block, sinkhole or divert traffic.’
Sharing indicators to perform intelligence.
I ’Gathering information about campaigns and attacks. Are
they related? Who is targeting me? Who are the adversaries?’
→ These objectives can be conflicting (e.g. False-positives
have different impacts)
8 14
Communities using MISP
Communities are groups of users sharing within a set of

common objectives/values.
CIRCL operates multiple MISP instances with a significant
user base (more than 1200 organizations with more than
4000 users).
Trusted groups running MISP communities in island mode
(air gapped system) or partially connected mode.
Financial sector (banks, ISACs, payment processing
organizations) use MISP as a sharing mechanism.
Military and international organizations (NATO, military
CSIRTs, n/g CERTs,...).
Security vendors running their own communities (e.g.
Fidelis) or interfacing with MISP communities (e.g. OTX).
Topical communities set up to tackle individual specific
issues (COVID-19 MISP)
9 14
Sharing Difficulties
Sharing difficulties are not really technical issues but often

it’s a matter of social interactions (e.g. trust).
Legal restriction1
I "Our legal framework doesn’t allow us to share information."
I "Risk of information-leak is too high and it’s too risky for our
organization or partners."
Practical restriction
I "We don’t have information to share."
I "We don’t have time to process or contribute indicators."
I "Our model of classification doesn’t fit your model."
I "Tools for sharing information are tied to a specific format,
we use a different one."
1
https://www.misp-project.org/compliance/
10 14
MISP Project Overview
Open Source Intelligence Intelligence

Open Standards
Software & Knowledge Base & Sharing Community
MISP core misp-taxonomies MISP exchange MISP OSINT feeds

core format
misp-modules misp-galaxy
compliance documents
such as GDPR,
MISP objects template
ISO 27010:2015
PyMISP
misp-noticelist
threat intelligence
best practices &
misp-dashboard
training materials
misp-warninglists
ISAC/ISAO
best practises
11 14
Sharing in MISP
Sharing via distribution lists - Sharing groups

Delegation for pseudo-anonymised information sharing
Proposals and Extended events for collaborated information
sharing
Synchronisation, Feed system, air-gapped sharing
User defined filtered sharing for all the above mentioned
methods
Cross-instance information caching for quick lookups of
large data-sets
Support for multi-MISP internal enclaves
12 14
Information quality management
Correlating data
Feedback loop from detections via Sightings
False positive management via the warninglist system
Enrichment system via MISP-modules
workflow system to review and control information
publication
Integrations with a plethora of tools and formats
Flexible API and support libraries such as PyMISP to ease
integration
Timelines and giving information a temporal context
Full chain for indicator life-cycle management
13 14
Conclusion
Information sharing practices come from usage and by

example (e.g. learning by imitation from the shared
information).
MISP is just a tool. What matters is your sharing practices.
The tool should be as transparent as possible to support
you.
Enable users to customize MISP to meet their community’s
use-cases.
MISP project combines open source software, open
standards, best practices and communities to make
information sharing a reality.
14 / 14
MISP Project
CIISI-IE
Threat Sharing
Agenda
Agenda and details available

https://tinyurl.com/CIISI-IE-MISP
1 24
MISP and starting from a practical use-case
During a malware analysis workgroup in 2012, we discovered

that we worked on the analysis of the same malware.
We wanted to share information in an easy and automated
way to avoid duplication of work.
Christophe Vandeplas (then working at the CERT for the
Belgian MoD) showed us his work on a platform that later
became MISP.
A first version of the MISP Platform was used by the MALWG
and the increasing feedback of users helped us to build an
improved platform.
MISP is now a community-driven development.
2 24
about CIRCL
The Computer Incident Response Center Luxembourg (CIRCL) is a

government-driven initiative designed to provide a systematic
response facility to computer security threats and incidents.
CIRCL is the CERT for the private sector, communes and
non-governmental entities in Luxembourg and is operated by
securitymadein.lu g.i.e.
3 24
MISP and CIRCL

4 24
What is MISP?
MISP is a threat information sharing platform that is free &

open source software
A tool that collects information from partners, your analysts,
your tools, feeds
Normalises, correlates, enriches the data
Allows teams and communities to collaborate
Feeds automated protective tools and analyst tools with the
output
5 24

adversary groups.
financial frauds.
6 24
MISP model of governance
7 24

operate?’
8 24
Communities using MISP
Communities are groups of users sharing within a set of

common objectives/values.
CIRCL operates multiple MISP instances with a significant
user base (more than 1200 organizations with more than
4000 users).
Trusted groups running MISP communities in island mode
(air gapped system) or partially connected mode.
Financial sector (banks, ISACs, payment processing
organizations) use MISP as a sharing mechanism.
Military and international organizations (NATO, military
CSIRTs, n/g CERTs,...).
Security vendors running their own communities (e.g.
Fidelis) or interfacing with MISP communities (e.g. OTX).
Topical communities set up to tackle individual specific
issues (COVID-19 MISP)
9 24
Sharing Difficulties

Legal restriction1
I "Risk of information-leak is too high and it’s too risky for our
Practical restriction
1
https://www.misp-project.org/compliance/
10 24
MISP Project Overview
Open Source Intelligence Intelligence

Open Standards
Software & Knowledge Base & Sharing Community
MISP core misp-taxonomies MISP exchange MISP OSINT feeds

core format
misp-modules misp-galaxy
compliance documents
such as GDPR,
MISP objects template
ISO 27010:2015
PyMISP
misp-noticelist
threat intelligence
best practices &
misp-dashboard
training materials
misp-warninglists
ISAC/ISAO
best practises
11 24
A rich data-model: telling stories via
relationships
12 24
Contextualisation and aggregation
MISP integrates at the event and the attribute levels MITRE’s

Adversarial Tactics, Techniques, and Common Knowledge
(ATT&CK).
13 24
Sharing in MISP
Sharing via distribution lists - Sharing groups

Delegation for pseudo-anonymised information sharing
Proposals and Extended events for collaborated information
sharing
Synchronisation, Feed system, air-gapped sharing
User defined filtered sharing for all the above mentioned
methods
Cross-instance information caching for quick lookups of
large data-sets
Support for multi-MISP internal enclaves
14 24
MISP core distributed sharing functionality
MISPs’ core functionality is sharing where everyone can be a

consumer and/or a contributor/producer."
Quick benefit without the obligation to contribute.
Low barrier access to get acquainted to the system.
15 24
Information quality management
Correlating data
Feedback loop from detections via Sightings
False positive management via the warninglist system
Enrichment system via MISP-modules
Integrations with a plethora of tools and formats
Flexible API and support libraries such as PyMISP to ease
integration
Timelines and giving information a temporal context
Full chain for indicator life-cycle management
16 24
Correlation features: a tool for analysts
To corroborate a finding (e.g. is this the same campaign?),

reinforce an analysis (e.g. do other analysts have the same
hypothesis?), confirm a specific aspect (e.g. are the sinkhole
IP addresses used for one campaign?) or just find if this
threat is new or unknown in your community.
17 24
Sightings support
Has a data-point been sighted by

me or the community before?
Additionally, the sighting system
supports negative sigthings (FP)
and expiration sightings.
Sightings can be performed via the
API or the UI.
Many use-cases for scoring
indicators based on users sighting.
For large quantities of data,
SightingDB by Devo
18 24
Timelines and giving information a temporal
context
Recently introduced first_seen and last_seen data
points
All data-points can be placed in time
Enables the visualisation and adjustment of indicators
timeframes
19 24
Life-cycle management via decaying of indicators
Decay score toggle button

I Shows Score for each Models associated to the Attribute type
20 24
Decaying of indicators: Fine tuning tool
Create, modify, visualise, perform mapping
21 24
Decaying of indicators: simulation tool
Simulate Attributes with different Models
22 24
Bootstrapping your MISP with data
We maintain the default CIRCL OSINT feeds (TLP:WHITE

selected from our communities) in MISP to allow users to
ease their bootstrapping.
The format of the OSINT feed is based on standard MISP
JSON output pulled from a remote TLS/HTTP server.
Additional content providers can provide their own MISP
feeds. (https://botvrij.eu/)
Allows users to test their MISP installations and
synchronisation with a real dataset.
Opening contribution to other threat intel feeds but also
allowing the analysis of overlapping data2 .
2
A recurring challenge in information sharing
23 24
Conclusion
Information sharing practices come from usage and by

example (e.g. learning by imitation from the shared
information).
MISP is just a tool. What matters is your sharing practices.
The tool should be as transparent as possible to support
you.
Enable users to customize MISP to meet their community’s
use-cases.
MISP project combines open source software, open
standards, best practices and communities to make
information sharing a reality.
24 / 24
MISP User Training - General us-
age of MISP
http://www.misp-project.org/
Twitter: @MISPProject
CIISI-IE
Threat Sharing
MISP - VM
Credentials
I MISP admin: [email protected]/admin
I SSH: misp/Password1234
Available at the following location (VirtualBox and VMWare):
I https://www.circl.lu/misp-images/latest/
1 22
MISP - VM
It is a bit broken.
I sudo -s
I cd /var/www/MISP/
I sudo pear install
INSTALL/dependencies/Console_CommandLine/package.xml
I sudo pear install
INSTALL/dependencies/Crypt_GPG/package.xml
I cd /usr/local/src/misp-modules
I pip3 install -r REQUIREMENTS
I pip3 install .
I reboot
2 22
MISP - General Usage
Plan for this part of the training

Data model
Viewing data
Creating data
Co-operation
Distribution
Exports
3 22
MISP - Event (MISP’s basic building block)
4 22
MISP - Event (Attributes, giving meaning to
events)
5 22
MISP - Event (Correlations on similar
attributes)
6 22
MISP - Event (Proposals)
7 22
MISP - Event (Tags)
8 22
MISP - Event (Discussions)
9 22
MISP - Event (Taxonomies and proposal
correlations)
10 22
MISP - Event (The state of the art MISP
datamodel)
11 22
MISP - Viewing the Event Index
Event Index
I Event context
I Tags
I Distribution
I Correlations
Filters
12 22
MISP - Viewing an Event
Event View
I Event context
I Attributes
Category/type, IDS, Correlations
I Objects
I Galaxies
I Proposals
I Discussions
Tools to find what you are looking for
Correlation graphs
13 22
MISP - Creating and populating events in various
ways (demo)
The main tools to populate an event

I Adding attributes / batch add
I Adding objects and how the object templates work
I Freetext import
I Import
I Templates
I Adding attachments / screenshots
I API
14 22
MISP - Various features while adding data
What happens automatically when adding data?

I Automatic correlation
I Input modification via validation and filters (regex)
I Tagging / Galaxy Clusters
Various ways to publish data
I Publish with/without e-mail
I Publishing via the API
I Delegation
15 22
MISP - Using the data
Correlation graphs
Downloading the data in various formats
API (explained later)
Collaborating with users (proposals, discussions, emails)
16 22
MISP - Sync explained (if no admin training)
Sync connections
Pull/push model
Previewing instances
Filtering the sync
Connection test tool
Cherry pick mode
17 22
MISP - Feeds explained (if no admin training)
Feed types (MISP, Freetext, CSV)

Adding/editing feeds
Previewing feeds
Local vs Network feeds
18 22
MISP - Distributions explained
Your Organisation Only

This Community Only
Connected Communities
All Communities
Sharing Group
19 22
MISP - Distribution and Topology
20 22
MISP - Exports and API
Download an event
Quick glance at the APIs
Download search results
ReST API and query builder
21 22
MISP - Shorthand admin (if no admin training)
Settings
Troubleshooting
Workers
Logs
22 / 22
MISP Training: MISP Deployment
and Integration
CIISI-IE
Threat Sharing
A Common Integration
1 11
Recommended MISP Setup
Provisioning your MISP infrastructure depends heavily on

the number of attributes/events (whether your dataset is
below or above 50 million attributes).
Number of MISP instances and the overall design depends
on the following factors:
I Is your community private? Are you gathering MISP events
from other communities? Are you publishing events to
external (trusted/untrusted) communities.
I Do you plan to have automatic tools (e.g. sandbox analysis or
low-value information needing correlation or an analyst
workbench) feeding MISP?
2 11
Vendors and Formats
There is a jungle of formats with some vendors having little

to no interest in keeping their users autonomous.
Attacks and threats require a dynamic format to be
efficiently shared (e.g. from financial indicators to personal
information).
Review your current list of formats/vendors to ensure a
limited loss of information, especially when exporting from
MISP to other formats (e.g. STIX not supporting financial
indicators or taxonomies/galaxies).
3 11
Use case: Normalizing OSINT and Private Feeds
Normalizing external input and feed into MISP (e.g. feed

importer).
Comparing feeds before import (how many similarities?
false-positives?).
Evaluating quality of information before import (warning-list
lookup at feed evaluation).
4 11
Connecting Devices and Tools to MISP
One of the main goals of MISP is to feed protective or

detection tools with data
I IDSes / IPSes (e.g. Suricata, Bro, Snort format as included in
Cisco products)
I SIEMs (e.g. CEF, CSV or real-time ZMQ pub-sub or Sigma)
I Host scanners (e.g. OpenIOC, STIX, yara rule-set, CSV)
I Various analysis tools (e.g. Maltego)
I DNS policies (e.g. RPZ)
Various ways of exporting this data (downloads of the
selected data, full exports, APIs)
The idea was to leave the selection process of the subset of
data to be pushed to these up to the user using APIs.
5 11
SIEM and MISP Integration
SIEMs and MISP can be integrated with different techniques

depending on the processes at your SOC or IR:
I Pulling events (via the API) or indicator lists at regular
intervals in a given time frame to perform lookups.
I Subscribing to the MISP ZMQ pub-sub channel to directly get
the published events and use these in a lookup process.
I Lookup expansion module in MISP towards the SIEM to have a
direct view of the attributes matched against the SIEM.
The above options can be combined, depending on your
organisation or requirements to increase coverage and
detection.
6 11
ZMQ integration: misp-dashboard
A dashboard showing live data and statistics from the ZMQ

pub-sub of one or more MISP instances.
Building low-latency software by consuming pub-sub
channel provides significant advantages over standard API
use.
Process information in real-time when it’s updated, created,
published or gathered in MISP.
Demo!
7 11
New integrations: IR and threat hunting using
MISP
Close co-operation with the Hive project for IR

I Interact with MISP directly from the Hive
I Use both the MISP modules and the Cortex analysers in MISP
or the Hive directly
Using MISP to support your threat hunting via McAfee
OpenDXL
(https://securingtomorrow.mcafee.com/business/
optimize-operations/
expanding-automated-threat-hunting-response-open-
8 11
The Hive integration
9 11
Reporting Back from your Devices, Tools or
Processes
As Sightings can be positive, negative or even based on

expiration, different use cases are possible:
Sightings allow users to notify a MISP instance about the
activities related to an indicator.
Activities can be from a SIEM (e.g. Splunk lookup validation
or false-positive feedback), a NIDS or honeypot devices1 .
Sighting can affect the API to limit the NIDS exports and
improve the NIDS rule-set directly.
1
https://www.github.com/MISP/misp-sighting-tools
10 11
Q&A
[email protected] (if you want to join the CIRCL MISP sharing

community)
https://github.com/MISP/ -
We welcome any contributions to the project, be it pull
requests, ideas, github issues,...
11 / 11
Viper - Using MISP from your ter-
minal
MISP Project
CIISI-IE
Threat Sharing
Viper - Main ideas
Viper is a binary analysis and management framework.

Its fundamental objective is to provide a solution to easily
organize your collection of malware and exploit samples
as well as your collection of scripts you created or found
over the time to facilitate your daily research. Think of
it as a Metasploit for malware researchers: it provides a
terminal interface that you can use to store, search and
analyze arbitrary files with and a framework to easily cre-
ate plugins of any sort.
1 12
Viper
Solid CLI
Plenty of modules (PE files, *office, ELF, APK, ...)
Connection to 3rd party services (MISP, VirusTotal, cuckoo)
Connectors to 3rd party tools (IDA, radare)
Locale storage of your own zoo
Django interface is available (I’ve been told)
2 12
Viper
3 12
PyMISP & Viper
Full featured CLI for MISP

Remote storage of your zoo
Search / Cross check with VirusTotal
Create / Update / Show / Publish Event
Download / Upload Samples
Mass export / Upload / Download
Get Yara rules
4 12
MISP Module
5 12
Viper & VT
Searches for hashes/ips/domains/URLs from the current

MISP event, or download the samples
Download samples from current MISP event
Download all samples from all the MISP events of the
current session
6 12
VirusTotal Module
7 12
Extra features
Link to a MISP event

Local storage of the MISP event
On the fly cross-check of MISP atributes with 3rd party
services
Never leaving your CLI!
8 12
Other modules
Fully featured CLI for Passive SSL

Fully featured CLI for Passive DNS
Can launch Radare2 or IDA
9 12
Passive SSL
10 12
Passive DNS
11 12
Q&A
https://github.com/MISP/PyMISP
https://github.com/MISP/
https://github.com/viper-framework/viper
We welcome new functionalities and pull requests.
12 / 12
mail_to_misp
Connect your mail infrastructure to MISP to
create events based on the information con-
CIRCL
tained/ Team MISP Project
within mails
CIISI-IE
Threat Sharing
Context
You receive emails with IoC’s inside

How to create an event out of it?
Create event manually and copy paste
→ This works once or twice
Forwarding the email would be nice
→ mail_to_misp
1 6
Features: Email handling
Extraction of URLs and IP addresses and port numbers

Extraction of hostnames from URLs
Extraction of hashes (MD5, SHA1, SHA256)
DNS expansion
Subject filters
Refanging of URLs (’hxxp://...’)
... and more
2 6
Features: Support MISP features
Add tags automatically

Ignore ’whitelisted’ domains
Configurable list of attributes not to enable the IDS flag
DNS expansion
Automatically create ’external analysis’ links based on filter
list (e.g. VirusTotal, malwr.com)
Automatically filter out attributes that are on a server side
warning list
Support for value sighting
... and more
3 6
Implementation
Legacy
I Email → Apple Mail → Mail rule → AppleScript
→ AppleScript → mail_to_misp → PyMISP → MISP
I Email → Thunderbird → Mail rule → filterscript →

thunderbird_wrapper → mail_to_misp → PyMISP → MISP
Postfix and others

I Email → mail_to_misp
4 6
Installation
mail_to_misp
1. git clone
git://github.com/MISP/mail_to_misp.git
2. Install dependencies - See Github site
MTA (Postfix or alike)

1. Setup a new email address in the aliases file (e.g.
/etc/aliases)
misp_handler: "|/path/to/mail_to_misp.py -"
2. Rebuild the DB
sudo newaliases
3. Configure mail_to_misp_config.py
misp_url = ’ h t t p : / / 1 2 7 . 0 . 0 . 1 / ’
misp_key = ’ s5jPWCIud36Z8XHgsiCVI7SaL1XsMTyfEsN45tTe ’
m i s p _ v e r i f y c e r t = True
b o d y _ c o n f i g _ p r e f i x = ’m2m’
...
...
5 6
Exercise: mail_2_misp.py
Bonus:
https://github.com/MISP/mail_to_misp_test
. / mail_to_misp . py −r m a i l _ t o _ m i s p _ t e s t / simple_forward . eml
Bonus: Fake-SMTPD spamtrap

. / fake_smtp . py
t e l n e t 1 2 7 . 0 . 0 . 1 2526
Trying 1 2 7 . 0 . 0 . 1 . . .
Connected to 1 2 7 . 0 . 0 . 1 .
Escape c h a r a c t e r i s ’ ^ ] ’ .
220 misp Python SMTP 1 . 1
helo misp
250 misp
mail from : mikel
250 OK
r c p t to : m2m
250 OK
data
354 End data with <CR>< LF > . < CR>< LF >
6/6
MISP User Training - Administra-
tion of MISP 2.4
MISP Threat Sharing
CIISI-IE
Threat Sharing
MISP - VM
VM can be downloaded at
https://www.circl.lu/misp-training/
Credentials
I MISP admin: [email protected]/admin
I SSH: misp/Password1234
2 network interfaces
I NAT
I Host only adapter
Start the enrichment system by typing:
I cd /home/misp/misp-modules/bin
I python3 misp-modules.py
1 21
MISP - Administration
Plan for this part of the training

I User and Organisaton administration
I Sharing group creation
I Templates
I Tags and Taxonomy
I Whitelisting and Regexp entries
I Setting up the synchronisation
I Scheduled tasks
I Feeds
I Settings and diagnostics
I Logging
I Troubleshooting and updating
2 21
MISP - Creating Users
Add new user ([email protected])

NIDS SID, Organisation, disable user
Fetch the PGP key
Roles
I Re-using standard roles
I Creating a new custom role
Send out credentials
3 21
MISP - Creating Organisations
Adding a new organisation

UUID
Local vs External organisation
Making an organisation self sustaining with Org Admins
Creating a sync user
4 21
MISP - Sharing groups
The concept of a sharing group

Creating a sharing group
Adding extending rights to an organisation
Include all organisations of an instance
Not specifying an instance
Making a sharing group active
Reviewing the sharing group
5 21
MISP - Templates
Why templating?
Create a basic template
Text fields
Attribute fields
Attachment fields
Automatic tagging
6 21
MISP - Tags and Taxonomies
git submodule init && git submodule update

Loading taxonomies
Enabling taxonomies and associated tags
Tag management
Exportable tags
7 21
MISP - Object Templates

Enabling objects (and what about versioning)
8 21
MISP - Whitelisting, Regexp entries,
Warninglists
Block from exports - whitelisting

Block from imports - blacklisting via regexp
Modify on import - modification via regexp
Maintaining the warninglists
9 21
MISP - Setting up the synchronisation
Requirements - versions
Pull/Push
One way vs Two way synchronisation
Exchanging sync users
Certificates
Filtering
Connection test tool
Previewing an instance
Cherry picking and keeping the list updated
10 21
MISP - Scheduled tasks
How to schedule the next execution

Frequency, next execution
What happens if a job fails?
11 21
MISP - Setting up the synchronisation
MISP Feeds and their generation

PyMISP
Default free feeds
Enabling a feed
Previewing a feed and cherry picking
Feed filters
Auto tagging
12 21
MISP - Settings and diagnostics
Settings
I Settings interface
I The tabs explained at a glance
I Issues and their severity
I Setting guidance and how to best use it
13 21
MISP - Settings and diagnostics continued
Basic instance setup

Additional features released as hotfixes
Customise the look and feel of your MISP
Default behaviour (encryption, e-mailing, default
distributions)
Maintenance mode
Disabling the e-mail alerts for an initial sync
14 21
Plugins
I Enrichment Modules
I RPZ
I ZeroMQ
15 21
Diagnostics
I Updating MISP
I Writeable Directories
I PHP settings
I Dependency diagnostics
16 21
Workers
I What do the background workers do?
I Queues
I Restarting workers, adding workers, removing workers
I Worker diagnostics (queue size, jobs page)
I Clearing worker queues
I Worker and background job debugging
17 21
Seeking help
I Dump your settings to a file!
I Make sure to sanitise it
I Send it to us together with your issue to make our lives easier
I Ask Github (https://github.com/MISP/MISP)
I Have a chat with us on gitter (https://gitter.im/MISP/MISP)
I Ask the MISP mailing list
I If this is security related, drop us a PGP encrypted email to
mailto:[email protected]
18 21
MISP - Logging
Audit logs in MISP

Enable IP logging / API logging
Search the logs, the fields explained
External logs
I /var/www/MISP/app/tmp/logs/error.log
I /var/www/MISP/app/tmp/logs/resque-worker-error.log
I /var/www/MISP/app/tmp/logs/resque-scheduler-error.log
I /var/www/MISP/app/tmp/logs/resque-[date].log
I /var/www/MISP/app/tmp/logs/error.log
I apache access logs
19 21
MISP - Updating MISP
git pull
reset the permissions if it goes wrong according to the
INSTALL.txt
when MISP complains about missing fields, make sure to
clear the caches
I in /var/www/MISP/app/tmp/cache/models remove myapp*
I in /var/www/MISP/app/tmp/cache/persistent remove
myapp*
No additional action required on hotfix level
Read the migration guide for major and minor version
changes
20 21
MISP - Administrative tools
Upgrade scripts for minor / major versions

Maintenance scripts
21 / 21
Information Sharing and Tax-
onomies
Practical Classification of Threat Indicators us-
ing MISP
CIISI-IE
Threat Sharing
From Tagging to Flexible Taxonomies
Tagging is a simple way to attach a classification to an event

or an attribute.
In the early version of MISP, tagging was local to an instance.
Classification must be globally used to be efficient.
After evaluating different solutions of classification, we built
a new scheme using the concept of machine tags.
1 16
Machine Tags
Triple tag, or machine tag, format was introduced in 2004 to

extend geotagging on images.
A machine tag is just a tag expressed in way that allows

systems to parse and interpret it.
Still have a human-readable version:
I admiralty-scale:source-reliability="Fairly reliable"
2 16
MISP Taxonomies
Taxonomies are implemented in a simple JSON format.

Anyone can create their own taxonomy or reuse an existing
one.
The taxonomies are in an independent git repository1 .
These can be freely reused and integrated into other threat
intel tools.
Taxonomies are licensed under Creative Commons (public
domain) except if the taxonomy author decided to use
another license.
1
https://www.github.com/MISP/misp-taxonomies/
3 16
Existing Taxonomies
NATO - Admiralty Scale

CIRCL Taxonomy - Schemes of Classification in Incident
Response and Detection
eCSIRT and IntelMQ incident classification
EUCI EU classified information marking
Information Security Marking Metadata from DNI (Director of
National Intelligence - US)
NATO Classification Marking
OSINT Open Source Intelligence - Classification
TLP - Traffic Light Protocol
Vocabulary for Event Recording and Incident Sharing - VERIS
And many more like ENISA, Europol, or the draft FIRST SIG
Information Exchange Policy.
4 16
Want to write your own taxonomy? 1/2
1 {
2 " namespace " : " admiralty−s c a l e " ,
3 " d e s c r i p t i o n " : " The A d m i r a l t y S c a l e ( a l s o c a l l e d the NATO System
) i s used to rank the r e l i a b i l i t y of a source and the
c r e d i b i l i t y of an i n f o r m a t i o n . " ,
4 " version " : 1 ,
5 " predicates " : [
6 {
7 " value " : " source−r e l i a b i l i t y " ,
8 " expanded " : " Source R e l i a b i l i t y "
9 },
10 {
11 " value " : " information−c r e d i b i l i t y " ,
12 " expanded " : " I n f o r m a t i o n C r e d i b i l i t y "
13 }
14 ],
15 . . . .
5 16
Want to write your own taxonomy? 2/2
1 {
2 " values " : [
3 {
4 " p r e d i c a t e " : " source−r e l i a b i l i t y " ,
5 " entry " : [
6 {
7 " value " : " a " ,
8 " expanded " : " Completely r e l i a b l e "
9 },
10 . . . .
Publishing your taxonomy is as easy as a simple git pull

request on misp-taxonomies2 .
2
https://github.com/MISP/misp-taxonomies
6 16
How are taxonomies integrated in MISP?
MISP administrator can just import (or even cherry pick) the
namespace or predicates they want to use as tags.
Tags can be exported to other instances.
Tags are also accessible via the MISP REST API.
7 16
Filtering the distribution of events among MISP
instances
Applying rules for distribution based on tags:
8 16
Other use cases using MISP taxonomies
Tags can be used to set events or attributes for further

processing by external tools (e.g. VirusTotal auto-expansion
using Viper).
Ensuring a classification manager classifies the events
before release (e.g. release of information from
air-gapped/classified networks).
Enriching IDS export with tags to fit your NIDS deployment.
Using IntelMQ and MISP together to process events (tags
limited per organization introduced in MISP 2.4.49).
9 16
Future functionalities related to MISP
taxonomies
Sighting support (thanks to NCSC-NL) is integrated in MISP

allowing to auto expire IOC based on user detection.
Adjusting taxonomies (adding/removing tags) based on their
score or visibility via sighting.
Simple taxonomy editors to help non-technical users to
create their taxonomies.
Filtering mechanisms in MISP to rename or replace
taxonomies/tags at pull and push synchronisation.
More public taxonomies to be included.
10 16
PyTaxonomies
Python module to handle the taxonomies

Offline and online mode (fetch the newest taxonomies from
GitHub)
Simple search to make tagging easy
Totally independent from MISP
No external dependencies in offline mode
Python3 only
Can be used to create & dump a new taxonomy
11 16
PyTaxonomies
from pytaxonomies import Taxonomies

taxonomies = Taxonomies ( )
taxonomies . v e r s i o n
# => ’20160725 ’
taxonomies . d e s c r i p t i o n
# = > ’ M a n i f e s t f i l e of MISP taxonomies a v a i l a b l e . ’
l i s t ( taxonomies . keys ( ) )
# = > [ ’ t l p ’ , ’ eu−c r i t i c a l −s e c t o r s ’ , ’ de−vs ’ , ’ o s i n t ’ , ’ c i r c l ’ , ’ v e r i s ’ ,
# ’ e c s i r t ’ , ’ dhs−c i i p−s e c t o r s ’ , ’ f r−c l a s s i f ’ , ’ misp ’ , ’ admiralty−s c a l e ’ , . . . ]
taxonomies . get ( ’ enisa ’ ) . d e s c r i p t i o n
# ’ The p r e s e n t t h r e a t taxonomy i s an i n i t i a l v e r s i o n t h a t has been developed on
# the b a s i s of a v a i l a b l e ENISA m a t e r i a l . T h i s m a t e r i a l has been used as an ENISA−i n t e r n a l
# s t r u c t u r i n g aid f o r i n f o r m a t i o n c o l l e c t i o n and t h r e a t c o n s o l i d a t i o n purposes .
# I t emerged i n the time period 2012 −2015. ’
p r i n t ( taxonomies . get ( ’ c i r c l ’ ) )
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " v u l n e r a b i l i t y "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " malware "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " f a s t f l u x "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " system−compromise "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " sql−i n j e c t i o n "
# ....
p r i n t ( taxonomies . get ( ’ c i r c l ’ ) . machinetags_expanded ( ) )
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " Phishing "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " Malware "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " XSS "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " C o p y r i g h t i s s u e "
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = "Spam"
# c i r c l : i n c i d e n t−c l a s s i f i c a t i o n = " SQL I n j e c t i o n "
12 16
The dilemma of false-positives
False-positives are a common issue in threat intelligence

sharing.
It’s often a contextual issue:
I False-positives might be different per community of users
sharing information.
I Organizations might have their own view on false-positives.
Based on the success of the MISP taxonomy model, we built
misp-warninglists.
13 16
MISP warning lists
misp-warninglists are lists of well-known indicators that can

¯ positives, errors, or
be associated to potential false
mistakes.
Simple JSON files
1 {
2 "name" : " L i s t of known p u b l i c DNS r e s o l v e r s " ,
3 " version " : 2 ,
4 " d e s c r i p t i o n " : " Event c o n t a i n s one or more p u b l i c DNS r e s o l v e r s
as a t t r i b u t e with an IDS f l a g s e t " ,
5 " matching_attributes " : [
6 " ip−s r c " ,
7 " ip−dst "
8 ],
9 " list " : [
10 "8 . 8 . 8 . 8" ,
11 "8 . 8 . 4 . 4" , . . . ]
12 }
14 16
MISP warning lists
The warning lists are integrated in MISP to display an

info/warning box at the event and attribute level.
Enforceable via the API where all attributes that have a hit
on a warninglist will be excluded.
This can be enabled at MISP instance level.
Default warning lists can be enabled or disabled like known
public resolver, multicast IP addresses, hashes for empty
values, rfc1918, TLDs or known Google domains.
The warning lists can be expanded or added in JSON locally
or via pull requests.
Warning lists can be also used for critical or core
infrastructure warning, personally identifiable information...
15 16
Q&A
https://github.com/MISP/MISP
https://github.com/MISP/misp-taxonomies
https://github.com/MISP/PyTaxonomies
https://github.com/MISP/misp-warninglists
[email protected] (if you want to join one of the MISP community
operated by CIRCL)
PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD
CFFC 22BD 4CD5
16 / 16
Extending MISP with Python mod-
ules
CIISI-IE
Threat Sharing
Why we want to go more modular...
Ways to extend MISP before modules

I APIs (PyMISP, MISP API)
Works really well
No integration with the UI
I Change the core code
Have to change the core of MISP, diverge from upstream
Needs a deep understanding of MISP internals
Let’s not beat around the bush: Everyone hates PHP
1 20
Goals for the module system
Have a way to extend MISP without altering the core

Get started quickly without a need to study the internals
Make the modules as light weight as possible
I Module developers should only have to worry about the data
transformation
I Modules should have a simple and clean skeleton
In a friendlier language - Python
2 20
MISP modules - extending MISP with Python
scripts
Extending MISP with expansion

modules with zero
customization in MISP.
A simple ReST API between the
modules and MISP allowing
auto-discovery of new modules
with their features.
Benefit from existing Python
modules in Viper or any other
tools.
MISP modules functionnality
introduced in MISP 2.4.28.
MISP import/export modules
3 introduced in MISP 2.4.50. 20
MISP modules - installation
MISP modules can be run on the same system or on a

remote server.
Python 3 is required to run MISP modules.
I sudo apt-get install python3-dev python3-pip libpq5
I cd /usr/local/src/
I sudo git clone https://github.com/MISP/misp-modules.git
I cd misp-modules
I sudo pip3 install -I -r REQUIREMENTS
I sudo pip3 install -I .
I sudo vi /etc/rc.local, add this line: ‘sudo -u www-data
misp-modules -s &‘
4 20
MISP modules - Simple REST API mechanism
http://127.0.0.1:6666/modules - introspection interface to get

all modules available
I returns a JSON with a description of each module
http://127.0.0.1:6666/query - interface to query a specific
module
I to send a JSON to query the module
MISP autodiscovers the available modules and the MISP site
administrator can enable modules as they wish.
If a configuration is required for a module, MISP adds
automatically the option in the server settings.
5 20
Finding available MISP modules
curl -s http://127.0.0.1:6666/modules
1 {
2 "type": "expansion",
3 "name": "dns",
4 "meta": {
5 "module-type": [
6 "expansion",
7 "hover"
8 ],
9 "description": "Simple DNS expansion service
to resolve IP address from MISP
attributes",
10 "author": "Alexandre Dulaunoy",
11 "version": "0.1"
12 },
13 "mispattributes": {
14 "output": [
15 "ip-src",
16 "ip-dst"
17 ],
18 "input": [
19 "hostname",
20 "domain"
21 ]
22 }
6 20
MISP modules - configuration in the UI
7 20
MISP modules - How it’s integrated in the UI?
8 20
MISP modules - main types of modules
Expansion modules - enrich data that is in MISP

I Hover type - showing the expanded values directly on the
attributes
I Expansion type - showing and adding the expanded values
via a proposal form
Import modules - import new data into MISP
Export modules - export existing data from MISP
9 20
Querying a module
curl -s http://127.0.0.1:6666/query -H "Content-Type:

application/json" –data @body.json -X POST
body.json
1 {"module": "dns", "hostname": "www.circl.lu"}
and the response of the dns module:
1 {"results": [{"values": ["149.13.33.14"],

2 "types": ["ip-src", "ip-dst"]}]}
10 20
Creating your module - DNS module
import json
import dns . r e s o l v e r
misperrors = { ’ e r r o r ’ : ’ E r r o r ’ }
m i s p a t t r i b u t e s = { ’ i n p u t ’ : [ ’ hostname ’ , ’ domain ’ ] , ’ output ’ : [ ’ ip−s r c ’ , ’ ip−dst ’ ] }
moduleinfo = { ’ v e r s i o n ’ : ’ 0 . 1 ’ , ’ author ’ : ’ Alexandre Dulaunoy ’ ,
’ d e s c r i p t i o n ’ : ’ Simple DNS expansion s e r v i c e to r e s o l v e I P address from MISP a t t r i b u t e s ’ , ’ module−type ’ : [ ’ expansion ’ , ’ hover ’ ] }
def handler ( q= F a l s e ) :
i f q i s False :
return False
request = json . loads ( q )
i f request . get ( ’ hostname ’ ) :
toquery = request [ ’ hostname ’ ]
e l i f request . get ( ’ domain ’ ) :
toquery = request [ ’ domain ’ ]
else :
return False
r = dns . r e s o l v e r . Resolver ( )
r . timeout = 2
r . lifetime = 2
r . nameservers = [ ’ 8 . 8 . 8 . 8 ’ ]
try :
answer = r . query ( toquery , ’ A ’ )
except dns . r e s o l v e r . NXDOMAIN :
misperrors [ ’ e r r o r ’ ] = "NXDOMAIN"
r e t u r n misperrors
except dns . exception . Timeout :
misperrors [ ’ e r r o r ’ ] = " Timeout "
except :
misperrors [ ’ e r r o r ’ ] = "DNS r e s o l v i n g e r r o r "
r = { ’ r e s u l t s ’ : [ { ’ types ’ : m i s p a t t r i b u t e s [ ’ output ’ ] , ’ values ’ : [ s t r ( answer [ 0 ] ) ] } ] }
return r
def i n t r o s p e c t i o n ( ) :
return mispattributes
def v e r s i o n ( ) :
r e t u r n moduleinfo
11 20
Testing your module
Copy your module dns.py in modules/expansion/

Restart the server misp-modules.py
[ adulau : ~ / g i t /misp−modules/ bin ] $ python3 misp−modules . py
2016−03−20 1 9 : 2 5 : 4 3 , 7 4 8 − misp−modules − INFO − MISP modules p a s s i v e t o t a l imported
2016−03−20 1 9 : 2 5 : 4 3 , 7 8 7 − misp−modules − INFO − MISP modules sourcecache imported
2016−03−20 1 9 : 2 5 : 4 3 , 7 8 9 − misp−modules − INFO − MISP modules cve imported
2016−03−20 1 9 : 2 5 : 4 3 , 7 9 0 − misp−modules − INFO − MISP modules dns imported
2016−03−20 1 9 : 2 5 : 4 3 , 7 9 7 − misp−modules − INFO − MISP modules s e r v e r s t a r t e d on TCP port 6666
Check if your module is present in the introspection

curl -s http://127.0.0.1:6666/modules
If yes, test it directly with MISP or via curl
12 20
Code samples (Configuration)
# C o n f i g u r a t i o n at the top
moduleconfig = [ ’ username ’ , ’ password ’ ]
# Code block i n the handler
i f request . get ( ’ c o n f i g ’ ) :
i f ( request [ ’ c o n f i g ’ ] . get ( ’ username ’ ) i s None ) or ( request [ ’ c o n f i g ’ ] . get ( ’ password ’ ) i s None ) :
misperrors [ ’ e r r o r ’ ] = ’ CIRCL P a s s i v e SSL a u t h e n t i c a t i o n i s missing ’
−
x = p y p s s l . PyPSSL ( basic_auth = ( request [ ’ c o n f i g ’ ] [ ’ username ’ ] , request [ ’ c o n f i g ’ ] [ ’ password ’ ] ) )
13 20
Default expansion module set
asn history
CIRCL Passive DNS
CIRCL Passive SSL
Country code lookup
CVE information expansion
DNS resolver
DomainTools
eupi (checking url in phishing database)
IntelMQ (experimental)
ipasn
PassiveTotal -
http://blog.passivetotal.org/misp-sharing-done-differently
sourcecache
Virustotal
Whois
14 20
Import modules
Similar to expansion modules

Input is a file upload or a text paste
Output is a list of parsed attributes to be editend and
verified by the user
Some examples
I Cuckoo JSON import
I email import
I OCR module
I Open IoC import
15 20
Export modules
Not the preferred way to export data from MISP

Input is currently only a single event
Output is a file in the export format served back to the user
Will be moved / merged with MISP built-in export modules
I Allows export of event / attribute collections
16 20
New expansion & import modules format
Backward compatible - an additional field to extend the

format
m i s p _ a t t r i b u t e s = { ’ i n p u t ’ : [ . . . ] , ’ output ’ : [ . . . ] ,
’ format ’ : ’ misp_standard ’ }
Takes a standard MISP attribute as input

Returns MISP format
I Attributes
I Objects (with their references)
I Tags
results = { ’ Attribute ’ : [ . . . ] , ’ Object ’ : [...] ,
’ Tag ’ : [ . . . ] }
First modules supporting this new export format

I urlhaus expansion module
I Joe Sandbox import & query module
17 20
New expansion & import modules view (MISP
2.4.110
18 20
Future of the modules system
Enrichment on full events

Move the modules to background processes with a
messaging system
Have a way to skip the results preview
I Preview can be very heavy
I Difficulty is dealing with uncertain results (without the user
having final say)
19 20
Q&A
https://github.com/MISP/misp-modules
We welcome new modules and pull requests.
MISP modules can be designed as standalone application.
20 / 20
MISP Galaxy
CIISI-IE
Threat Sharing
MISP Galaxies
MISP started out as a platform for technical indicator sharing

The need for a way to describe threat actors, tools and other
commonalities became more and more pressing
Taxonomies quickly became essential for classifying events
The weakness of the tagging aproach is that it’s not very
descriptive
We needed a way to attach more complex structures to data
Also, with the different naming conventions for the same
"thing" attribution was a mess
This is where the Galaxy concept came in
1 19
Solution
Pre-crafted galaxy "clusters" via GitHub project

Attach them to an event and attribute(s)
The main design principle was that these higher level
informations are meant for human consumption
This means flexibility - key value pairs, describe them
dynamically
Technical indicators remain strongly typed and validated,
galaxies are loose key value lists
2 19
The galaxy object stack
Galaxy: The type of data described (Threat actor, Tool, ...)

Cluster: An individual instance of the galaxy (Sofacy, Turla, ...)
Element: Key value pairs describing the cluster (Country: RU,
Synonym: APT28, Fancy Bear)
Reference: Referenced galaxy cluster (Such as a threat actor
using a specific tool)
3 19
(some) Existing galaxies
Exploit-Kit: An enumeration of known exploitation kits used

by adversaries
Microsoft activity group: Adversary groups as defined by
Microsoft
Preventive measure: Potential preventive measures against
threats
Ransomware: List of known ransomwares
TDS: Traffic Direction System used by adversaries
Threat-Actor: Known or estimated adversary groups
Tool: Tools used by adversaries (from Malware to common
tools)
MITRE ATT&CK: Adversarial Tactics, Techniques, and
Common Knowledge (ATT&CK™)
4 19
What a cluster looks like
5 19
Attaching clusters to events
Internally simply using a taxonomy-like tag to attach them

to events
Example: misp-galaxy:threat-actor="Sofacy"
Synchronisation works out of the box with older instances
too. They will simply see the tags until they upgrade.
Currently, as mentioned we rely on the community’s
contribution of galaxies
6 19
Attaching clusters
Use a searchable synonym database to find what you’re after
7 19
Creating your own galaxy
Creating galaxy clusters has to be straightforward to get the

community to contribute
Building on the prior success of the taxonomies and
warninglists
Simple JSON format in similar fashion
Just drop the JSON in the proper directory and let MISP
ingest it
We always look forward to contributions to our galaxies
repository
8 19
Galaxy JSON
If you want to create a completely new galaxy instead of

enriching an existing one
1 {
2 "name" : " Threat A c t o r " ,
3 " type " : " t h r e a t−a c t o r " ,
4 " d e s c r i p t i o n " : " Threat a c t o r s are c h a r a c t e r i s t i c s of m a l i c i o u s
a c t o r s ( or a d v e r s a r i e s ) r e p r e s e n t i n g a cyber a t t a c k t h r e a t
i n c l u d i n g presumed i n t e n t and h i s t o r i c a l l y observed
behaviour . " ,
5 " version " : 1 ,
6 " uuid " : " 698 7 7 4 c 7−802 2−4 2 c 4−9 1 7 f−8d6e4 f 06ada3 "
7 }
9 19
Cluster JSON
Clusters contain the meat of the data

Skeleton structure as follows
1 {
2 " values " : [
3 {
4 " meta " : { } ,
5 " description " : "" ,
6 " value " : " " ,
7 " related_clusters " : [ { } ] ,
8 }
9 ]
10 }
10 19
Cluster JSON value example
1 {
2 " meta " : {
3 " synonyms " : [
4 " APT 28 " , " APT28 " , "Pawn Storm " , " Fancy Bear " ,
5 " S e d n i t " , " TsarTeam " , " TG−4 1 2 7 " , " Group−4 1 2 7 " ,
6 " STRONTIUM " , " Grey−Cloud "
7 ],
8 " country " : "RU" ,
9 " refs " : [
10 " h t t p s : //en . w i k i p e d i a . org / w i k i / Sofacy_Group "
11 ]
12 },
13 " d e s c r i p t i o n " : " The Sofacy Group ( a l s o known as APT28 ,
14 Pawn Storm , Fancy Bear and S e d n i t ) i s a cyber
15 espionage group b e l i e v e d to have t i e s to the
16 Russian government . L i k e l y o p e r a t i n g s i n c e 2007 ,
17 the group i s known to t a r g e t government , m i l i t a r y ,
18 and s e c u r i t y o r g a n i z a t i o n s . I t has been
19 c h a r a c t e r i z e d as an advanced p e r s i s t e n t t h r e a t . " ,
20 " value " : " Sofacy "
21 },
11 19
meta best practices
Reusing existing values such as complexity, effectiveness,

country, possible_issues, colour, motive, impact, refs,
synonyms, derivated_from, status, date, encryption,
extensions, ransomnotes, cfr-suspected-victims,
cfr-suspected-state-sponsor, cfr-type-of-incident,
cfr-target-category, kill_chain.
Or adding your own meta fields.
12 19
meta best practices - a sample
1 {
2 " d e s c r i p t i o n " : " P u t t e r Panda were the s u b j e c t of an
e x t e n s i v e r e p o r t by CrowdStrike , which s t a t e d : ’ The
CrowdStrike I n t e l l i g e n c e team has been t r a c k i n g t h i s
p a r t i c u l a r u n i t s i n c e 201 2 , under the codename PUTTER
PANDA , and has documented a c t i v i t y d a t i n g back to 2007 .
The r e p o r t i d e n t i f i e s Chen Ping , aka cpyy , and the
primary l o c a t i o n of U n i t 6 1 486 . ’ " ,
3 " meta " : {
4 " c f r −suspected−s t a t e−sponsor " : " China " ,
5 " c f r −suspected−v i c t i m s " : [
6 "U . S . s a t e l l i t e and aerospace s e c t o r "
7 ],
8 " c f r −t a r g e t −c a t e g or y " : [
9 " Private sector " ,
10 " Government "
11 ],
12 " c f r −type−of−i n c i d e n t " : " Espionage " ,
13 " country " : "CN" ,
14 " refs " : [
15 " h t t p : //cdn0 . vox−cdn . com/ a s s e t s /4 58985 3/ c r o w d s t r i k e−
i n t e l l i g e n c e −report−putter−panda . o r i g i n a l . pdf " ,
16 " h t t p s : //www. c f r . org / i n t e r a c t i v e / cyber−o p er a ti o n s / putter
−panda "
17 ], 13 19
Galaxy JSON matrix-like
14 19
1 {
2 " d e s c r i p t i o n " : " U n i v e r s a l Development and S e c u r i t y G u i d e l i n e s as
A p p l i c a b l e to E l e c t i o n Technology . " ,
3 " icon " : "map" ,
4 "kill_chain_order": { \\Tab in the matrix
5 "example-of-threats": [ \\Column in the matrix
6 "setup | party/candidate-registration",
7 "setup | electoral-rolls",
8 "campaign | campaign-IT",
9 "all-phases | governement-IT",
10 "voting | election-technology",
11 "campaign/public-communication | media/press"
12 ]
13 },
14 "name" : " E l e c t i o n g u i d e l i n e s " ,
15 " namespace " : " misp " ,
16 " type " : " g u i d e l i n e s " ,
17 " uuid " : " c 1 dc03b2−89b3−4 2a5−9d4 1−7 82 e f 7 264 3 5a " ,
18 " version " : 1
19 }
15 19
Cluster JSON matrix-like
1 {
2 " d e s c r i p t i o n " : " DoS or overload of p a r t y /campaign
r e g i s t r a t i o n , causing them to miss the deadline " ,
3 " meta " : {
4 " date " : " March 201 8 . " ,
5 "kill_chain": [ \\Define in which column the cluster should be placed
6 "example-of-threats:setup | party/candidate-registration"
7 ],
8 " refs " : [
9 " h t t p s : //www. r i a . ee/ s i t e s / d e f a u l t / f i l e s / content−e d i t o r s /
kuberturve / c y b e r _ s e c u r i t y _ o f _ e l e c t i o n _ t e c h n o l o g y . pdf
"
10 ]
11 },
12 " uuid " : " 1 5 4 c6 1 86−a007−4 460−a029−ea2 3 1 63 4 48 f e " ,
13 " value " : " DoS or overload of p a r t y /campaign r e g i s t r a t i o n ,
causing them to miss the deadline "
14 }
16 19
Expressing relation between clusters
Cluster can be related to one or more clusters using default

relationships from MISP objects and a list of tags to classify
the relation.
1 " related " : [
2 {
3 " dest−uuid " : " 5 ce 5 392a−3a6c−4e07−9 df 3−9b6a9 1 59ac 4 5 " ,
4 " tags " : [
5 " e s t i m a t i v e −language : l i k e l i h o o d −p r o b a b i l i t y =\" l i k e l y
\""
6 ],
7 " type " : " s i m i l a r "
8 }
9 ],
10 " uuid " : "0ca 4 5 1 63−e2 2 3−4 1 6 7−b1 af−f 088ed 1 4a93d " ,
11 " value " : " P u t t e r Panda "
17 19
PyMISPGalaxies
from pymispgalaxies import C l u s t e r s

c = Clusters ( )
l i s t ( g . keys ( ) )
# [ ’ t h r e a t−a c t o r ’ , ’ ransomware ’ , ’ e x p l o i t−k i t ’ , ’ tds ’ , ’ t o o l ’ , ’ r a t ’ , ’ mitre−attack−p a t t e r n ’ ,
# ’ mitre−t o o l ’ , ’ m i c r o s o f t−a c t i v i t y −group ’ , ’ mitre−course−of−a c t i o n ’ , ’ mitre−malware ’ ,
# ’ mitre−i n t r u s i o n−s e t ’ , ’ p r e v e n t i v e−measure ’ ]
p r i n t ( c . get ( " r a t " ) )
# misp−galaxy : r a t = " Brat "
# misp−galaxy : r a t = " L o k i RAT "
# misp−galaxy : r a t = " j o i n . me"
# misp−galaxy : r a t = " S e t r o "
# misp−galaxy : r a t = " d r a t "
# misp−galaxy : r a t = " Plasma RAT "
# misp−galaxy : r a t = " NanoCore "
# misp−galaxy : r a t = " DarkTrack "
# misp−galaxy : r a t = " Theef "
# misp−galaxy : r a t = " Greame "
# misp−galaxy : r a t = " Nuclear RAT "
# misp−galaxy : r a t = "DameWare Mini Remote C o n t r o l "
# misp−galaxy : r a t = " ProRat "
# misp−galaxy : r a t = " death "
# misp−galaxy : r a t = " Dark DDoSeR "
# ....
p r i n t ( c . get ( " r a t " ) . d e s c r i p t i o n )
# remote a d m i n i s t r a t i o n t o o l or remote access t o o l ( RAT ) , a l s o c a l l e d sometimes remote
# access t r o j a n , i s a p i e c e of software or programming t h a t a ll o w s a remote " operator "
# to c o n t r o l a system as i f they have p h y s i c a l access to t h a t system .
18 19
Q&A
[email protected] (if you want to join the CIRCL MISP sharing

community)
OpenPGP fingerprint: 3B12 DCC2 82FA 2931 2F5B 709A 09E2
CD49 44E6 CBCD
https://github.com/MISP/ -
We welcome any contributions to the project, be it pull
requests, ideas, github issues,...
19 / 19
MISP Object Template
Building custom and open data models
CIISI-IE
Threat Sharing
Objects - or How We Learned to Stop Worrying
and Love the Templates
Attributes are a simple but powerful tool to describe data
Lacking the capability to create containers around attributes
describing a common concept
The goal was to develop something semi-standardised, with
the option to dynamically build templates
We have considered a list of different solutions such as
simple boolean operators, but found that the current
implementation was superior.
The result is a simple template that uses the basic attriubte
types as building blocks along with some meta data
The template does not have to be known in order to use the
constructed objects
What we maintain now is a set of common objects, but
similarly to our other JSON formats, users can extend it with
their own ideas.
1 11
MISP Object Templates
Using a similar JSON format as the taxonomies, galaxies,

warninglists.
You can find the default set of object templates in the git
repository1 .
Some of the object templates capture objects from other
standards or mimic the output of tools
We tried to capture the most common use-cases coming
from our own use-case as well as those of various partners
that got involved
Improvements or pull requests for new object templates are
of course always welcome
1
https://www.github.com/MISP/misp-objects/
2 11
Existing Object examples
AIL-leak - AIL object, an example for an object catering to

the output of another tool
Android permission - An object used to further contextualise
another object
Bank account
File Generic object to describe a file
Passive DNS
Regex
Sandbox report
Vulnerability Enabling new use-cases such as pre-sharing of
vulnerability information
x509
Yara Verbatim sharing of rule sets along with meta-data
3 11
Object Template skeleton
1 {
2 " requiredOneOf " : [ ] ,
3 " required " : [ ] ,
4 " attributes " : { } ,
5 " version " : 1 ,
6 " d e s c r i p t i o n " : "My d e s c r i p t i o n " ,
7 " meta−c a t e go r y " : " Chosen meta c a t e g o ry " ,
8 " uuid " : " Object template uuid " ,
9 "name" : " Object template name"
10 }
4 11
Adding elements to an object template
1 " regexp−type " : {

2 " d e s c r i p t i o n " : " Type of the r e g u l a r expression syntax . " ,
3 " disable_correlation " : true ,
4 " ui−p r i o r i t y " : 0 ,
5 " misp−a t t r i b u t e " : " t e x t " ,
6 " values_list " : [
7 " PCRE " ,
8 " PCRE2 " ,
9 " POSIX BRE " ,
10 " POSIX ERE "
11 ]
12 } ,
5 11
Attribute keys
Primary key: Object relation

description: A description of the attribute in relation to the
object
disable_correlation: You can disable correlations for
attributes in the resulting object
ui-priority: Not implemented yet, but the idea is to have a
"quick view" of objects only showing certain prio levels
misp-attribute: The misp attribute type used as as the
building block
values_list: an optional list of values from which the user
must choose instead of entering a value manually
sane_defaults: an optional list of values from which the user
may choose instead of entering a value
multiple: Allow the user to add more than one of this
attribute
6 11
Enforcement of certain keys
The template also defines which of the added attributes are

mandatory
Requirements are pointed to via their object relations names
We differentiate between two types of rule sets:
I Required: Everything in this list has to be set in order for the
object to validate
I Required One Of: Any of the attributes in this list will satisfy
the requirements
7 11
What will the template actually do?
Templates create a form that can be used to populate an

event
When using templates, MISP will enforce everything
according to the template rules
However, these are only optional, users can avoid using the
templates when creating events via the API
The reason for this is that you do not need to have the
template in order to create an object
The limitation of this system: You cannot modify objects that
were created with unknown templates
8 11
Templates as rendered in the UI
9 11
Templates as rendered in the UI
10 11
Q&A
https://github.com/MISP/MISP
https://github.com/MISP/misp-objects
[email protected] (if you want to join one of the MISP community
operated by CIRCL)
PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD
CFFC 22BD 4CD5
11 / 11
MISP Dashboard
Real-time overview of threat intelligence from
MISP instances
[email protected]
February 9, 2023
Threat Sharing
MISP ZeroMQ
1 14
MISP ZeroMQ
MISP includes a flexible publish-subscribe model to allow

real-time integration of the MISP activities:
Event publication
Attribute creation or removal
Sighting
User login
→ Operates at global level in MISP
2 14
MISP ZeroMQ
MISP ZeroMQ functionality can be used for various model of

integration or to extend MISP functionalities:
Real-time search of indicators into a SIEM1
Dashboard activities
Logging mechanisms
Continuous indexing
Custom software or scripting
1
Security Information & Event Management
3 14
MISP-Dashboard: An
introduction
4 14
MISP-Dashboard - Realtime activities and threat
intelligence
5 14
MISP-Dashboard - Features
Subscribe to multiple ZMQ MISP instances

Provides historical geolocalised information
Present an experimental Gamification of the platform
Shows when and how MISP is used
Provides real time information showing current threats and
activity
6 14
MISP-Dashboard: Architecture
and development
7 14
Setting up the dashboard
1. Be sure to have a running redis server: e.g.

I redis-server -p 6250
2. Update your configuration in config.cfg
3. Activate your virtualenv:
I . ./DASHENV/bin/activate
4. Listen to the MISP feed by starting the zmq_subscriber:
I ./zmq_subscriber.py
5. Start the dispatcher to process received messages:
I ./zmq_dispatcher.py
6. Start the Flask server:
I ./server.py
7. Access the interface at http://localhost:8001/
8 14
MISP-Dashboard architecture
9 14
Writing your handler
1 # Register your handler

2 dico_action = {
3 "misp_json": handler_dispatcher,
4 "misp_json_event": handler_event,
5 "misp_json_self": handler_keepalive,
6 "misp_json_attribute": handler_attribute,
7 "misp_json_object": handler_object,
8 "misp_json_sighting": YOUR_CUSTOM_SIGHTINGS_HANDLER,
9 "misp_json_organisation": handler_log,
10 "misp_json_user": handler_user,
11 "misp_json_conversation": handler_conversation,
12 "misp_json_object_reference": handler_log,
13 }
14
10 14
1 # Implement your handler
2
3 # e.g. user handler
4 def handler_user(zmq_name, jsondata):
5 # json action performed by the user
6 action = jsondata[’action’]
7 # user json data
8 json_user = jsondata[’User’]
9 # organisation json data
10 json_org = jsondata[’Organisation’]
11 # organisation name
12 org = json_org[’name’]
13 # only consider user login
14 if action == ’login’:
15 timestamp = time.time()
16 # users_helper is a class to interact with the DB
17 users_helper.add_user_login(timestamp, org)
18
11 14
Recent changes in the misp-dashboard
MISP authentication can now be used in the misp-dashboard

Improved TLS/SSL support in the default misp-dashboard
Self-test tool to debug and test ZMQ connectivity
12 14
Future development
Optimizing contribution scoring and model to

encourage sharing and contributions enrichment
Increasing geolocation coverage
Global filtering capabilities

- Geolocation: Showing wanted attribute or only on specific
region
- Trendings: Showing only specified taxonomies
Tighter integration with MISP

- Present in MISP by default
- ACL enabled version
13 14
Conclusion
MISP-Dashboard can provides realtime information to support

security teams, CSIRTs or SOC showing current threats and
activity by providing:
Historical geolocalised information
Geospatial information from specific regions
The most active events, categories, tags, attributes, ...
It also propose a prototype of gamification of the platform

providing incentive to share and contribute to the community
14 / 14
Contributing to the MISP Project
Become part of the community to design, develop
and improve information sharing
CIISI-IE
Threat Sharing
Code of Conduct
The MISP project has a Contributor Covenant Code of

Conduct1 .
The goal of the code of conduct is to foster an open, fun and
welcoming environment.
Another important aspect of the MISP projects is to welcome
different areas of expertise in information sharing and
analysis. The diversity of the MISP community is important
to make the project useful for everyone.
1
https://github.com/MISP/MISP/code_of_conduct.md
1 7
Reporting a bug, an issue or suggesting features
The most common way to contribute to the MISP project is to

report a bug, issues or suggesting features.
Each project (MISP core, misp-modules, misp-book,
misp-taxonomies, misp-galaxy, misp-object or PyMISP) has
their own issue management.
Don’t forget that you can cross-reference issues from other
sub-projects.
If you know an answer or could help on a specific issue, we
welcome all contributions including useful comments to
reach a resolution.
2 7
Reporting security vulnerabilities
If you find security vulnerabilities (even minor ones) in MISP

project, send an encrypted email ([email protected]) with the
details and especially how to reproduce the issues. Avoid to
share publicly the vulnerability before a fix is available in
MISP. PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89
EAAD CFFC 22BD 4CD5.
We usually fix reported and confirmed security
vulnerabilities in less than 48 hours.
We will request a CVE number if the reporters didn’t ask for
one (don’t forget to mention how you want to be credited).
3 7
Automatic integration and testing
The majority of the repositories within the MISP GitHub

organisation includes automatic integration via Github
Actions.
If you contribute and make a pull-request, verify if your
changes affect the result of the tests.
Automatic integration is not perfect including Travis but it’s a
quick win to catch new bugs or major issues in contribution.
When you do a pull-request, the CI suite is automatically
called2 .
I If this fails, no worries, review the output at Github actions
(it’s not always you).
We are working on additional automatic tests including
security testing for the MISP core software (contributors are
welcome).
2
https://github.com/MISP/MISP/actions
4 7
JSON validation for MISP libraries
All JSON format (galaxy, taxonomies, objects or

warning-lists) are described in a JSON Schema3 .
The TravisCI tests are including JSON validation (via jq) and
validated with the associated JSON schema.
How to contribute a JSON library (objects, taxonomies,
galaxy or warning-list):
I If you update a JSON library, don’t forget to run
jq_all_the_things.sh. It’s fast and easy. If it fails, review your
JSON.
I Commit your code and make a pull-request.
Documentations (in PDF and HTML format) for the librairies
are automatically generated from the JSON via asciidoctor4 .
3
schema_name.json
4
example https://github.com/MISP/misp-galaxy/blob/master/
tools/adoc_galaxy.py
5 7
Documentation
In addition to the automatic generation of documentations

from JSON files, we maintain misp-book5 which is a generic
documentation for MISP including usage, API documentation,
best practices and specific configuration settings.
The book is generated in HTML, PDF, epub and mobi using
GitBook6 which is a framework to write documentation in
MarkDown format.
TravisCI is included in misp-book and the book generation is
tested at each commit.
The MISP book is regularly published on misp-project.org
and circl.lu website.
Contributors are welcome especially for new topics7 and also
fixing our broken english.
5
https://github.com/MISP/misp-book
6
https://github.com/GitbookIO
7
Topics of interest are analysts best-practices,
6 7
Internet-Draft - IETF for MISP formats
If you want to contribute to our IETF Internet-Draft for the

MISP standard, misp-rfc8 is the repository where to
contribute.
Update only the markdown file, the XML and ASCII for the
IETF I-D are automatically generated.
If a major release or updates happen in the format, we will
publish the I-D to the IETF9 .
The process is always MISP implementation → IETF I-D
updates.
8
https://github.com/MISP/misp-rfc
9
https://datatracker.ietf.org/doc/search/?name=misp&
activedrafts=on&rfcs=on
7/7
MISP core development crash
course
How I learned to stop worrying and love the PHP
CIISI-IE
Threat Sharing
Some things to know in advance...
MISP is based on PHP 7.3+

Using the MVC framework CakePHP 2.x
What we’ll look at now will be a quick glance at the
structuring / layout of the code
1 18
MVC frameworks in general
separation of business logic and views, interconnected by

controllers
main advantage is clear separation of the various
components
lean controllers, fat models (kinda...)
domain based code reuse
No interaction between Model and Views, ever
2 18
Structure of MISP Core app directories
Config: general configuration files

Console: command line tools
Controller: Code dealing with requests/responses,
generating data for views based on interactions with the
models
Lib: Generic reusable code / libraries
Model: Business logic, data gathering and modification
Plugin: Alternative location for plugin specific codes,
ordered into controller, model, view files
View: UI views, populated by the controller
3 18
Controllers - scope
Each public function in a controller is exposed as an API

action
request routing (admin routing)
multi-use functions (POST/GET)
request/response objects
contains the action code, telling the application what data
fetching/modifying calls to make, preparing the resulting
data for the resulting view
grouped into controller files based on model actions
Accessed via UI, API, AJAX calls directly by users
For code reuse: behaviours
Each controller bound to a model
4 18
Controllers - functionalities of controllers
pagination functionality
logging functionality
Controllers actions can access functionality / variables of
Models
Controllers cannot access code of other controller actions
(kind of...)
Access to the authenticated user’s data
beforeFilter(), afterFilter() methods
Inherited code in AppController
5 18
Controllers - components
Components = reusable code for Controllers

I Authentication components
I RestResponse component
I ACL component
I Cidr component
I IOCImport component (should be moved)
6 18
Controllers - additional functionalities
Handling API responses (RestResponseComponent)

Handling API requests (IndexFilterComponent)
auth/session management
ACL management
CRUD Component
Security component
important: quertString/PyMISP versions, MISP version
handler
future improvements to the export mechanisms
7 18
Models - scope
Controls anything that has to do with:

I finding subsets of data
I altering existing data
I inherited model: AppModel
I reusable code for models: Behaviours
I regex, trim
8 18
Models - hooking system
Versatile hooking system

I manipulate the data at certain stages of execution
I code can be located in 3 places: Model hook, AppModel hook,
behaviour
9 18
Model - hooking pipeline (add/edit)
Hooks / model pipeline for data creation / edits

I beforeValidate() (lowercase all hashes)
I validate() (check hash format)
I afterValidate() (we never use it
I could be interesting if we ever validated without saving)
I beforeSave() (purge existing correlations for an attribute)
I afterSave() (create new correlations for an attribute / zmq)
10 18
Models - hooking pipeline (delete/read)
Hooks for deletions

I beforeDelete() (purge correlations for an attribute)
I afterDelete() (zmq)
Hooks for retrieving data
I beforeFind() (modify the find parameters before execution,
we don’t use it)
I afterFind() (json decode json fields)
11 18
Models - misc
code to handle version upgrades contained in AppModel

generic cleanup/data migration tools
centralised redis/pubsub handlers
(Show example of adding an attribute with trace)
12 18
Views - scope and structure
templates for views

layouts
reusable template code: elements
I attribute list, rows (if reused)
reusable code: helpers
I commandhelper (for discussion boards), highlighter for
searches, tag colour helper
views per controller
13 18
Views - Types of views and helpers
ajax views vs normal views

data views vs normal views vs serialisation in the controller
sanitisation h()
creating forms
I sanitisation
I CSRF
14 18
Views - Generators
Mostly in genericElements
Preparing the move to Cake4
Important ones
I Form - generate forms in a standardised way (/add, /edit, etc)
I IndexTable - index lists using Field templates (/index, etc)
I SingleViews - key-value lists with child elements (/view, etc)
I Menues - to be refactored, see Cerebrate
15 18
General reusable libraries
Located in app/Lib
Code that is to be reused across several layers
Important ones
I Dashboard - Dashboard widget backend code
I EventReport - Report generation
I Export - MISP -> external format converter modules
I Tools - List of generic helper libraries - examples:
Attachment, JSON conversion, random generation, emailing,
sync request generation
Kafka, ZMQ, AWS S3, Elastic integration, PGP encryption, CIDR
operations
16 18
Distribution
algorithm for checking if a user has access to an attribute

creator vs owner organisation
distribution levels and inheritance (events -> objects ->
attributes)
shorthand inherit level
sharing groups (org list, instance list)
correlation distribution
algorithms for safe data fetching (fetchEvents(),
fetchAttributes(),...)
17 18
Testing your code
funtional testing
Github actions
impact scope
I view code changes: only impacts request type based views
I controller code changes: Should only affect given action
I model code changes: can have impact on entire application
I lib changes: can have affect on the entire application
Don’t forget: queryACL, change querystring
18 / 18
Deep-dive into PyMISP
CIISI-IE
Threat Sharing
Context
MISP is a large project

Your production environment is even more complex
3rd party services are even worse
Querying MISP via CURL is doable, but get’s painful fast
Talking to MySQL directly can be dangerous
POST a JSON blob, receive a JSON blob. You can do it
manually(-ish)
1 21
Big picture
Core goal: providing stable access to APIs, respect access

control
Simplifying handling & automation of indicators in 3rd party
tools
Hiding complexity of the JSON blobs
Providing pre-cooked examples for commonly used
operations
Helping integration with existing infrastructure
2 21
Common queries: Recent changes on a timeframe
There are 4 main cases here:

Metadata of the events that have been modified
I search_index ⇒ timestamp (1h, 1d, 7d, ...), returns list of all
the modified events
Full events (metadata + attributes)
I search ⇒ timestamp (1h, 1d, 7d, ...)
Modified attributes
I search ⇒ controller = attributes and timestamp (1h, 1d, 7d, ...)
Other use case: get last published events by using the last
parameter in the search method.
3 21
Common queries: Search things

Easy, but slow: full text search with search_all
Faster: use the search method and search by tag, type,
enforce the warning lists, with(-out) attachments, dates
interval, ...
Get malware samples (if available on the instance).
4 21
Common queries: create things

Add Event, edit its metadata
Add attributes or objects to event
(un)Tag event or attribute (soon object)
Edit Attributes medatada
Upload malware sample (and automatically expand it)
5 21
Administrative tasks
Assyming you have the right to do it on the instance.

Managing users
Managing organisations
Managing sync servers
6 21
Other Capabilities
Upload/download samples
Proposals: add, edit, accept, discard
Sightings: Get, set, update
Export statistics
Manage feeds
Get MISP server version, recommended PyMISP version
And more, look at the api file
7 21
MISPEvent - Usecase
from pymisp import MISPEvent , EncodeUpdate
# C r ea t e a new event with d e f a u l t v a l u e s

event = MISPEvent ( )
# Load an e x i s t i n g JSON dump ( o p t i o n a l )

event . l o a d _ f i l e ( ’ Path / to / event . json ’ )
event . i n f o = ’ My cool event ’ # Duh .
# Add an a t t r i b u t e of type ip−dst

event . a d d _ a t t r i b u t e ( ’ ip−dst ’ , ’ 8 . 8 . 8 . 8 ’ )
# Mark an a t t r i b u t e as d e l e t e d ( From 2 . 4 . 6 0 )
event . d e l e t e _ a t t r i b u t e ( ’ < A t t r i b u t e UUID> ’ )
# Dump as j so n
event_as_jsondump = json . dumps ( event , c l s =EncodeUpdate )
8 21
Basics
Python 3.5+ is recommended

PyMISP is always inline with current version (pip3 install
pymisp)
Dev version: pip3 install
git+https://github.com/MISP/PyMISP.git
Get your auth key from:
https://misppriv.circl.lu/events/automation
I Not available: you don’t have "Auth key access" role. Contact
your instance admin.
Source available here: git clone
https://github.com/MISP/PyMISP.git
9 21
Examples
PyMISP needs to be installed (duh)

Usage:
I Create examples/keys.py with the following content
misp_url = " h t t p s : / / u r l −to−your−misp "

misp_key = " <API_KEY > "
m i s p _ v e r i f y c e r t = True
Proxy support:
proxies = {
’ http ’ : ’ http : / / 1 2 7 . 0 . 0 . 1 : 8 1 2 3 ’ ,
’ https ’ : ’ http : / / 1 2 7 . 0 . 0 . 1 : 8 1 2 3 ’ ,
}
PyMISP ( misp_url , misp_key , m i s p _ v e r i f y c e r t , p r o x i e s = p r o x i e s )
10 21
Examples
Lots of ideas on how to use the API

You may also want to look at the tests directory
All the examples use argparse. Help usage is available:
script.py -h
I add_file_object.py: Attach a file (PE/ELF/Mach-O) object to
an event
I upload.py: Upload a malware sample (use advanced
expansion is available on the server)
I last.py: Returns all the most recent events (on a timeframe)
I add_named_attribute.py: Add attribute to an event
I sighting.py: Update sightings on an attribute
I stats.py: Returns the stats of a MISP instance
I {add,edit,create}_user.py : Add, Edit, Create a user on MISP
11 21
Usage
Basic example
from pymisp import PyMISP
a pi = PyMISP ( u r l , apikey , v e r i f y c e r t = True , debug= False , p r o x i e s =None )
response = api . < f u n c t i o n >
i f response [ ’ e r r o r ’ ] :
# <something went wrong >
else :
# <do something with the output >
12 21
Concept behind AbstractMISP
JSON blobs are python dictionaries

... Accessing content can be a pain
AbstractMISP inherits collections.MutableMapping, they are
all dictionaries!
... Has helpers to load, dump, and edit JSON blobs
Important: All the public attributes (not starting with a _)
defined in a class are dumped to JSON
Tags: Events and Attributes have tags, soon Objects. Tag
handling is defined in this class.
edited: When pushing a full MISPEvent, only the objects
without a timestamp, or with a newer timestamp will be
updated. This method recursively finds updated events, and
removes the timestamp key from the object.
13 21
MISPEvent, MISPAttribute, MISPObject,
MISPSighting...
Pythonic representation of MISP elements

Easy manipulation
I Load an existing event
I Update te metadata, add attributes, objects, tags, mark an
attribute as deleted, ...
I Set relations between objects
I Load and add attachments or malware samples as pseudo
files
Dump to JSON
14 21
MISPEvent - Main entrypoints
load_file(event_path)
load(json_event)
add_attribute(type, value, **kwargs)
add_object(obj=None, **kwargs)
add_attribute_tag(tag, attribute_identifier)
get_attribute_tag(attribute_identifier)
add_tag(tag=None, **kwargs)
objects[], attributes[], tags[]
edited, all other paramaters of the MISPEvent element (info,
date, ...)
to_json()
15 21
MISPObject - Main entrypoints
add_attribute(object_relation, **value)
add_reference(referenced_uuid, relationship_type,
comment=None, **kwargs)
has_attributes_by_relation(list_of_relations)
get_attributes_by_relation(object_relation)
attributes[], relations[]
edited, all other paramaters of the MISPObject element
(name, comment, ...)
to_json()
Can be validated against their template
Can have default parameters applied to all attributes (i.e.
distribution, category, ...)
16 21
MISPAttribute - Main entrypoints
add_tag(tag=None, **kwargs)
delete()
malware_binary (if relevant)
tags[]
edited, all other paramaters of the MISPObject element
(value, comment, ...)
to_json()
17 21
PyMISP - Tools
Libraries requiring specfic 3rd party dependencies

Callable via PyMISP for specific usecases
Curently implemented:
I OpenIOC to MISP Event
I MISP to Neo4J
18 21
PyMISP - Default objects generators
File - PE/ELF/MachO - Sections

VirusTotal
Generic object generator
19 21
PyMISP - Logging / Debugging
debug=True passed to the constructor enable debug to

stdout
Configurable using the standard logging module
Show everything send to the server and received by the
client
import pymisp
import l o g g i n g
l o g g e r = l o g g i n g . getLogger ( ’ pymisp ’ )
l o g g e r . s e t L e v e l ( l o g g i n g . DEBUG ) # enable debug to stdout
l o g g i n g . b a s i c C o n f i g ( l e v e l = l o g g i n g . DEBUG , # Enable debug to f i l e

filename = " debug . l o g " ,
filemode = ’w ’ ,
format =pymisp . FORMAT )
20 21
Q&A
https://pymisp.readthedocs.io/
21 / 21
MISP feeds - A simple and secure
approach to generate, select and
collect intelligence
Providing ready-to-use threat intelligence in
MISP standard format
TLP:WHITE
CIISI-IE
MISP Feed - Basics
MISP Feeds provide a way to

Exchange information via any transports (e.g. HTTP, TLS, USB keys)
Preview events along with their attributes, objects
Select and import events
Correlate attributes using caching
MISP Feeds have the following advantages
Feeds work without the need of MISP synchronisation (reducing
attack surface and complexity to a static directory with the events)
Feeds can be produced without a MISP instance (e.g. security
devices, honeypot sensors)
1 10
Feed - Overview
By default, MISP is bundled with ∼50 default feeds (MISP feeds,

CSV or freetext feeds) which are not enabled by default and
described in a simple JSON file1 .
The feeds include CIRCL OSINT feed but also feeds like abuse.ch,
Tor exit nodes or many more 2 .
1 https://github.com/MISP/MISP/blob/2.4/app/files/feed-metadata/
defaults.json
2 http://www.misp-project.org/feeds/
2 10
Feed - Operations
Cache feed attributes for correlation (not imported but visible in

MISP)
Disable feed
Explore remote events
Fetch all events (imported in MISP as event)
Edit the feed configuration (e.g. authentication, URL,...)
Remove feed
Download feed metadata (to share feed details)
3 10
Feed - Creation using PyMISP feed generator
feed generator fetches events (matching some filtering) from a

MISP instance and construct the manifest (defined in MISP core format)
needed to export data.
Particularly,
Used to generate the CIRCL OSINT feed
Export events as json based on tags, organisation, events, ...
Automatically update the dumps and the metadata file
Comparable to a lighweight TAXII interface
4 10
Feed generator - configuration file
1 url = ’your/misp/url’
2 key = ’YourAPIKey’
3 ssl = True
4 outputdir = ’output_directory’
5
6 filters = {
7 ’tag’:’tlp:white|feed-export|!privint’,
8 ’org’:’CIRCL’
9 }
10 # the above would generate a feed for all events created by CIRCL,
tagged tlp:white and/or feed-export but exclude anything
tagged privint
11
12 valid_attribute_distribution_levels = [’0’, ’1’, ’2’, ’3’, ’4’, ’5
’]
13 # 0: Your Organisation Only
14 # 4: Sharing Group
15 # 5: Inherit Event
16
5 10
Real-time Feed generator - Purpose
The PyMISP feed generator is great but may be inadequate or

ineficient:
Batch import of attributes/objects
Data producer doesn’t have a MISP instance at hand and only
wants to produce a directly consumable feed:
Honeypot MISP
ip-src
payload-delivery
url
malware
...
6 10
Real-time Feed generator - Usage
generator.py exposes a class allowing to generate a MISP feed

in real-time
Each items can be appended on daily generated events
Example:
1 # Init generator
2 generator = FeedGenerator()
3
4 # Adding an attribute to the daily event
5 attr_type = "ip-src"
6 attr_value = "8.8.8.8"
7 additional_data = {}
8 generator.add_attribute_to_event(attr_type,
9 attr_value,
10 **additional_data)
7 10
Real-time Feed generator - Usage (2)
1 # Adding a MISP object (cowrie) to the daily event

2 obj_name = "cowrie"
3 obj_data = {
4 "session": "session_id",
5 "username": "admin",
6 "password": "admin",
7 "protocol": "telnet"
8 }
9 generator.add_object_to_event(obj_name, **obj_data)
8 10
Adding custom feed to MISP
Enabled
Lookup visible
Name
Provider
Source Format
Url
Source Format
Headers
Distribution
Default Tag
Filter rules
9 10
Q&A
10 / 10
MISP workshop
Introduction into Information Sharing using
MISP for CSIRTs
Team CIRCL
TLP:WHITE
CIISI-IE
Threat Sharing
Plan for this session
Explanation of the CSIRT use case for information sharing

and what CIRCL does
Building an information sharing community and best
practices1
1
We published the complete guidelines in https://www.x-isac.org/
assets/images/guidelines_to_set-up_an_ISAC.pdf
1 31
Communities operated by CIRCL
As a CSIRT, CIRCL operates a wide range of communities

We use it as an internal tool to cover various day-to-day
activities
Whilst being the main driving force behind the development,
we’re also one of the largest consumers
Different communities have different needs and restrictions
2 31
Private sector community (fall-back community)

I Our largest sharing community
I Over +1500 organisations
I +4000 users
I Functions as a central hub for a lot of sharing communities
I Private organisations, Researchers, Various SoCs, some
CSIRTs, etc
CSIRT community
I Tighter community
I National CSIRTs, connections to international organisations,
etc
3 31
Financial sector community

I Banks, payment processors, etc.
I Sharing of mule accounts and non-cyber threat information
X-ISAC2
I Bridging the gap between the various sectorial and
geographical ISACs
I Goal is to bootstrap the cross-sectorial sharing along with
building the infrastructure to enable sharing when needed
I Provide a basic set of threat intelligence for new ISACs
2
https://www.x-isac.org/
4 31
The ATT&CK EU community3

I Work on attacker modelling
I With the assistance of MITRE themselves
I Unique opportunity to standardise on TTPs
I Increasing the use of TTPs4 especially in sharing community
like MITRE ATT&CK
I Major increase of MITRE ATT&CK context in sharing
communities
3
https://www.attack-community.org/
4
Tactics, Techniques and Procedures
5 31
Communities supported by CIRCL
ISAC / specialised community MISPs

I Topical or community specific instances hosted or
co-managed by CIRCL
I Examples, GSMA, FIRST.org, CSIRTs network, etc
I Often come with their own taxonomies and domain specific
object definitions
FIRST.org’s MISP community
Telecom and Mobile operators’ such as GSMA T-ISAC
community
Various ad-hoc communities for cyber security exercises
I The ENISA exercise (Cyber Europe)
I NATO Locked Shields exercise
6 31
Sharing Scenarios in MISP
Sharing can happen for many different reasons. Let’s see

what we believe are the typical CSIRT scenarios
We can generally split these activities into 4 main groups
when we’re talking about traditional CSIRT tasks:
I Core services
I Proactive services
I Advanced services
I Sharing communities managed by CSIRTs for various tasks
7 31
CSIRT core services
Incident response
I Internal storage of incident response data
I Sharing of indicators derived from incident response
I Correlating data derived and using the built in analysis tools
I Enrichment services
I Collaboration with affected parties via MISP during IR
I Co-ordination and collaboration
I Takedown requests
Alerting of information leaks (integration with AIL5 )
5
https://www.ail-project.org/
8 31
CSIRT proactive services
Contextualising both internal and external data

Collection and dissimination of data from various sources
(including OSINT)
Storing, correlating and sharing own manual research
(reversing, behavioural analysis)
Aggregating automated collection (sandboxing, honeypots,
spamtraps, sensors)
I MISP allows for the creation of internal MISP "clouds"
I Store large specialised datasets (for example honeypot data)
I MISP has interactions with a large set of such tools (Cuckoo,
Mail2MISP, etc)
Situational awareness tools to monitor trends and adversary
TTPs within my sector/geographical region (MISP-dashboard,
built in statistics)
9 31
CSIRT advanced services
Supporting forensic analysts

Collaboration with law enforcement
Vulnerability information sharing
I Notifications to the constituency about relevant
vulnerabilities
I Co-ordinating with vendors for notifications (*)
I Internal / closed community sharing of pentest results
10 31
CSIRTs’ management of sharing communities for
constituent actions:
Reporting non-identifying information about incidents (such

as outlined in NISD)
Seeking and engaging in collaboration with CSIRT or other
parties during an incident
Pre-sharing information to request for help / additional
information from the community
Pseudo-anonymised sharing through 3rd parties to avoid
attribution of a potential target
Building processes for other types of sharing to get the
community engaged and acquainted with the methodologies
of sharing (mule account information, disinformation
campaigns, border control, etc)
11 31
A quick note on compliance...
Collaboration with Deloitte and legal advisors as part of a

CEF project for creating compliance documents
I Information sharing and cooperation enabled by GDPR
I How MISP enables stakeholders identified by the NISD to
perform key activities
I AIL and MISP
For more information:
https://github.com/CIRCL/compliance
12 31
Bringing different sharing communities
together
We generally all end up sharing with peers that face similar

threats
Division is either sectorial or geographical
So why even bother with trying to bridge these communities?
13 31
Advantages of cross sectorial sharing
Reuse of TTPs across sectors

Being hit by something that another sector has faced before
Hybrid threats - how seemingly unrelated things may be
interesting to correlate
Prepare other communities for the capability and culture of
sharing for when the need arises for them to reach out to
CSIRT
Generally our field is ahead of several other sectors when it
comes to information sharing, might as well spread the love
14 31
Getting started with building your own sharing
community
Starting a sharing community is both easy and difficult at

the same time
Many moving parts and most importantly, you’ll be dealing
with a diverse group of people
Understanding and working with your constituents to help
them face their challenges is key
15 31
Getting started with building your own sharing
community
When you are starting out - you are in a unique position to

drive the community and set best practices...
16 31
Running a sharing community using MISP - How
to get going?
Different models for constituents

I Connecting to a MISP instance hosted by a CSIRT
I Hosting their own instance and connecting to CSIRT’s MISP
I Becoming member of a sectorial MISP community that is
connected to CSIRT’s community
Planning ahead for future growth
I Estimating requirements
I Deciding early on common vocabularies
I Offering expansion,analysis and intelligence services through
MISP
17 31
Rely on our instincts to immitate over expecting
adherence to rules
Lead by example - the power of immitation

Encourage improving by doing instead of blocking sharing
with unrealistic quality controls
I What should the information look like?
I How should it be contextualise
I What do you consider as useful information?
I What tools did you use to get your conclusions?
Side effect is that you will end up raising the capabilities of
your constituents
18 31
What counts as valuable data?
Sharing comes in many shapes and sizes

I Sharing results / reports is the classical example
I Sharing enhancements to existing data/intelligence
I Validating data / flagging false positives (sighting)
I Asking for support and collaboration from the community
Embrace all of them. Even the ones that don’t make sense
right now, you never know when they come handy...
19 31
How to deal with organisations that only
"leech"?
From our own communities, only about 30% of the

organisations actively share data
We have come across some communities with sharing
requirements
In our experience, this sets you up for failure because:
I Organisations losing access are the ones who would possibily
benefit the most from it
I Organisations that want to stay above the thresholds will
start sharing junk / fake data
I You lose organisations that might turn into valuable
contributors in the future
20 31
So how does one convert the passive organisa-
tions into actively sharing ones?
Rely on organic growth and it takes time (+2 years is

common)
Help them increase their capabilities
As mentioned before, lead by example
Rely on the inherent value to one’s self when sharing
information (validation, enrichments, correlations)
Give credit where credit is due, never steal the contributions
of your community (that is incredibly demotivating)
21 31
Dispelling the myths around blockers when it
comes to information sharing

I You can play a role here: organise regular workshops,
conferences, have face to face meetings
Legal restrictions
I "Risk of information leak is too high and it’s too risky for our
Practical restrictions
22 31
Contextualising the information
Sharing technical information is a great start

However, to truly create valueable information for your
community, always consider the context:
I Your IDS might not care why it should alert on a rule
I But your analysts will be interested in the threat landscape
and the "big picture"
Classify data to make sure your partners understand why it
is important for you, so they can see why it could be useful
to them
Massively important once an organisation has the maturity
to filter the most critical subsets of information for their
own defense
23 31
Choice of vocabularies
MISP has a verify versatile system (taxonomies) for

classifying and marking data
However, this includes different vocabularies with obvious
overlaps
MISP allows you to pick and choose vocabularies to use and
enforce in a community
Good idea to start with this process early
If you don’t find what you’re looking for:
I Create your own (JSON format, no coding skills required)
I If it makes sense, share it with us via a pull request for
redistribution
24 31
Shared libraries of meta-information (Galaxies)
The MISPProject in co-operation with partners provides a

curated list of galaxy information
Can include information packages of different types, for
example:
I Threat actor information (event different models or
approaches)
I Specialised information such as Ransomware, Exploit kits, etc
I Methodology information such as preventative actions
I Classification systems for methodologies used by adversaries
- ATT&CK
Consider improving the default libraries or contributing your
own (simple JSON format)
If there is something you cannot share, run your own
galaxies and share it out of bound with partners
Pull requests are always welcome
25 31
False-positive handling
You might often fall into the trap of discarding seemingly

"junk" data
Besides volume limitations (which are absolutely valid, fear
of false-positives is the most common reason why people
discard data) - Our recommendation:
I Be lenient when considering what to keep
I Be strict when you are feeding tools
MISP allows you to filter out the relevant data on demand
when feeding protective tools
What may seem like junk to you may be absolutely critical to
other users
26 31

operate?’
27 31
False-positive handling
Analysts will often be interested in the modus operandi of

threat actors over long periods of time
Even cleaned up infected hosts might become interesting
again (embedded in code, recurring reuse)
Use the tools provided to eliminate obvious false positives
instead and limit your data-set to the most relevant sets
28 31
Managing sub-communities
Often within a community smaller bubbles of information

sharing will form
For example: Within a national private sector sharing
community, specific community for financial institutions
Sharing groups serve this purpose mainly
As a CSIRT running a national community, consider
bootstraping these sharing communities
Organisations can of course self-organise, but you are the
ones with the know-how to get them started
29 31
Managing sub-communities
Consider compartmentalisation - does it make sense to

move a secret squirrel club to their own sharing hub to avoid
accidental leaks?
Use your best judgement to decide which communities
should be separated from one another
Create sharing hubs with manual data transfer if needed
Some organisations will even have their data air-gapped -
Feed system
Create guidance on what should be shared outside of their
bubbles - organisations often lack the insight / experience
to decide how to get going. Take the initiative!
30 31
Get in touch if you need some help to get started
Getting started with building a new community can be

daunting. Feel free to get in touch with us if you have any
questions!
Contact: [email protected]
https://www.circl.lu/
https://github.com/MISP
https://gitter.im/MISP/MISP
https://twitter.com/MISPProject
31 / 31
MISP and Decaying of Indicators
An indicator scoring method and ongoing imple-
mentation in MISP
Team CIRCL
[email protected]
February 9, 2023
Threat Sharing
Expiring IOCs: Why and How?
1 29
Indicators - Problem Statement
Sharing information about threats is crucial

Organisations are sharing more and more
Contribution by unique organisation (Orgc.name) on MISPPriv:
Date Unique Org

2013 17
2014 43 1 {
2015 82 2 "distribution": [1, 2, 3]
3 }
2016 105
2017 118
2018 125
2019-10 135
2 29
Various users and organisations can share data via MISP,

multiple parties can be involved
I Trust, data quality and time-to-live issues
I Each user/organisation has different use-cases and interests
Conflicting interests such as operational security, attribution,...
(depends on the user)
→ Can be partially solved with Taxonomies
3 29

I Trust, data quality and time-to-live issues
I Each user/organisation has different use-cases and interests
Conflicting interests such as operational security, attribution,...
(depends on the user)
Attributes can be shared in large quantities (more than 7.3

million on MISPPRIV)
I Partial info about their freshness (Sightings)
I Partial info about their validity (last update)
→ Can be partially solved with our Decaying model
3 29
Requirements to enjoy the decaying feature in
MISP
Starting from MISP 2.4.116, the decaying feature is available

Don’t forget to update the decay models and enable the
ones you want
The decaying feature has no impact on the information in
MISP, it’s just an overlay to be used in the user-interface and
API
Decay strongly relies on Taxonomies and Sightings, don’t
forget to review their configuration
4 29
Sightings - Refresher
Sightings add temporal context to indicators. A user, script or an

IDS can extend the information related to indicators by reporting
back to MISP that an indicator has been seen, or that an
indicator can be considered as a false-positive
Sightings give more credibility/visibility to indicators

This information can be used to prioritise and decay
indicators
5 29
Organisations opt-in - setting a level of
confidence
MISP is a peer-to-peer system, information passes through

multiple instances.
Producers can add context (such as tags from Taxonomies,
Galaxies) about their asserted confidence or the reliability of
the data
Consumers can have different levels of trust in the
producers and/or analysts themselves
Users might have other contextual needs
→ Achieved thanks to Taxonomies
6 29
Taxonomies - Refresher (1)
Tagging is a simple way to attach a classification to an Event

or an Attribute
Classification must be globally used to be efficient
7 29
→ Cherry-pick allowed Tags

8 29
Some taxonomies have numerical_value

→ Can be used to prioritise Attributes
Description Value Description Value

Completely reliable 100 Confirmed by other sources 100
Usually reliable 75 Probably true 75
Fairly reliable 50 Possibly true 50
Not usually reliable 25 Doubtful 25
Unreliable 0 Improbable 0
Reliability cannot be judged 50 ? Truth cannot be judged 50 ?
Deliberatly deceptive 0?
9 29
Scoring Indicators: Our solution
score(Attribute) = base_score(Attribute, Model ) • decay(Model, )

time
Where,
score ∈ [0, +∞
base_score ∈ [0, 100]
decay is a function defined by model’s parameters
controlling decay speed
Attribute Contains Attribute’s values and metadata
(Taxonomies, Galaxies, ...)
Model Contains the Model’s configuration
10 29
Current implementation in
MISP
11 29
Implementation in MISP: Event/view

12 29
Implementation in MISP: API result
/attributes/restSearch
1 "Attribute": [
2 {
3 "category": "Network activity",
4 "type": "ip-src",
5 "to_ids": true,
6 "timestamp": "1565703507",
7 [...]
8 "value": "8.8.8.8",
9 "decay_score": [
10 {
11 "score": 54.475223849544456,
12 "decayed": false,
13 "DecayingModel": {
14 "id": "85",
15 "name": "NIDS Simple Decaying Model"
16 }
17 }
18 ],
19 [...]
20 13 29
Implementation in MISP: Playing with Models
Automatic scoring based on default values

User-friendly UI to manually set Model configuration
(lifetime, decay, etc.)
Simulation tool
Interaction through the API
Opportunity to create your own formula or algorithm
14 29
Decaying Models in Depth
15 29
Scoring Indicators: base_score (1)

time
When scoring indicators1 , multiple parameters2 can be taken into

account. The base score is calculated with the following in mind:
Data reliability, credibility, analyst skills, custom
prioritisation tags (economical-impact), etc.
Trust in the source
base_score = ωtg · tags + ωsc · source_confidence

Where,
ωsc + ωtg = 1
1
Paper available: https://arxiv.org/pdf/1803.11052
2
at a variable extent as required
16 29
Scoring Indicators: base_score (2)
Current implentation ignores source_confidence:
→ base_score = tags
→ The base_score can be use to prioritize attribute based on

their attached context and source
17 29
Scoring Indicators: decay speed (1)

time
The decay is calculated using:

The lifetime of the indicator
I May vary depending on the indicator type
I short for an IP, long for an hash
The decay rate, or speed at which an attribute loses score
over time
The time elapsed since the latest update or sighting
18 29
Scoring Indicators: putting it all toghether
→ decay rate is re-initialized upon sighting addition, or said

differently, the score is reset to its base score as new sightings
are applied.
1!
t δ
score = base_score · 1 −
τ
τ = lifetime
δ = decay speed
19 29
Implementation in MISP: Models definition
1
score = base_score · 1 − τt δ

Models are an instanciation of the formula where elements can
be defined:
Parameters: lifetime, decay_rate, threshold
base_score
default base_score
formula
associate Attribute types
creator organisation
20 29
Implementation in MISP: Models Types
Multiple model types are available

Default Models: Models created and shared by the
community. Available from misp-decaying-models
repository3 .
I → Not editable
Organisation Models: Models created by a user belonging to
an organisation
I These models can be hidden or shared to other organisation
I → Editable
3
https://github.com/MISP/misp-decaying-models.git
21 29
Implementation in MISP: Index
View, update, add, create, delete, enable, export, import

22 29
Implementation in MISP: Fine tuning tool
23 29
Implementation in MISP: base_score tool
Adjust Taxonomies relative weights 24 29

Implementation in MISP: simulation tool
25 29
Implementation in MISP: API query body
1 {
2 "includeDecayScore": 1,
3 "includeFullModel": 0,
4 "excludeDecayed": 0,
5 "decayingModel": [85],
6 "modelOverrides": {
7 "threshold": 30
8 }
9 "score": 30,
10 }
11
26 29
Creating a new decay algorithm (1)
The current architecture allows users to create their own

formulae.
1. Create a new file $filename in
app/Model/DecayingModelsFormulas/
2. Extend the Base class as defined in DecayingModelBase
3. Implement the two mandatory functions computeScore
and isDecayed using your own formula/algorithm
4. Create a Model and set the formula field to $filename
Use cases:
Add support for more feature (expiration taxonomy)
Query external services then influence the score
Completely different approach (i.e streaming algorithm)
...
27 29
Creating a new decay algorithm (2)
1 <?php
2 include_once ’ Base . php ’ ;
3
4 c l a s s Polynomial extends DecayingModelBase
5 {
6 p u b l i c const DESCRIPTION = ’ The d e s c r i p t i o n of your new
decaying a l g o r i t h m ’ ;
7
8 p u b l i c f u n c t i o n computeScore ( $model , $ a t t r i b u t e , $base_score ,
$elapsed_time )
9 {
10 // a l g o r i t h m r e t u r n i n g a numerical score
11 }
12
13 p u b l i c f u n c t i o n isDecayed ( $model , $ a t t r i b u t e , $score )
14 {
15 // a l g o r i t h m r e t u r n i n g a boolean s t a t i n g
16 // i f the a t t r i b u t e i s expired or not
17 }
18 }
19 ?>
20
28 29
Decaying Models 2.0
Improved support of Sightings
I False positive Sightings should somehow reduce the
score
I Expiration Sightings should mark the attribute as decayed
Potential Model improvements
I Instead of resetting the score to base_score once a
Sighting is set, the score should be increased additively
(based on a defined coefficient); thus prioritizing surges
rather than infrequent Sightings
I Take into account related Tags or Correlations when
computing score
Increase Taxonomy coverage
I Users should be able to manually override the
numerical_value of Tags
For specific type, take into account data from other services
I Could fetch data from BGP ranking, Virus Total, Passive X for
IP/domain/... and adapt the score
29 / 29
MISP and Decaying of Indicators
Primer for indicator scoring in MISP
Team CIRCL
[email protected]
February 9, 2023
Threat Sharing
Outline of the presentation
Present the components used in MISP to expire IOCs

Present the current state of Indicators life-cycle
management in MISP
1 26
Expiring IOCs: Why and How?
2 26
Indicators lifecycle - Problem Statement
Sharing information about threats is crucial

Organisations are sharing more and more
Contribution by unique organisation (Orgc.name) on MISPPriv:
Date Unique Org

2013 17
2014 43 1 {
2015 82 2 "distribution": [1, 2, 3]
3 }
2016 105
2017 118
2018 125
2019-10 135
3 26

I Trust, data quality and relevance issues
I Each user/organisation have different use-cases and
interests
Conflicting interests: Operational security VS attribution
4 26

I Trust, data quality and relevance issues
I Each user/organisation have different use-cases and
interests
Conflicting interests: Operational security VS attribution
Attributes can be shared in large quantities (more than 12M on

MISPPRIV - Sept. 2020)
I Partial info about their freshness (Sightings)
I Partial info about their validity (last_seen)
→ Can be partially solved with our Data model
MISP’s Decaying model combines the two
4 26
Requirements to enjoy the decaying feature in
MISP
Starting from MISP 2.4.116, the decaying feature is available

Update decay models and enable some
MISP Decaying strongly relies on Taxonomies and Sightings,
don’t forget to review their configuration
Note: The decaying feature has no impact on the information

stored in MISP, it’s just an overlay to be used in the
user-interface and API
5 26
Sightings - Refresher (1)
Sightings add a temporal context to indicators.

Sightings can be used to represent that you saw the IoC
Usecase: Continuous feedback loop MISP ↔ IDS
6 26
Sightings - Refresher (2)
Sightings add a temporal context to indicators.

Sightings give more credibility/visibility to indicators
This information can be used to prioritise and decay
indicators
7 26
Taxonomies are a simple way to attach a classification to an

Event or an Attribute
Classification must be globally used to be efficient (or
agreed on beforehand)
8 26
→ Cherry-pick allowed Tags

9 26
Some taxonomies have a numerical_value

Allows concepts to be used in an mathematical expression
→ Can be used to prioritise IoCs
admirality-scale taxonomy1
Reliability cannot be judged 50 Truth cannot be judged 50
Deliberatly deceptive 0
1
https://github.com/MISP/misp-taxonomies/blob/master/
admiralty-scale/machinetag.json
10 26
admirality-scale taxonomy2
Reliability cannot be judged 50 ? Truth cannot be judged 50 ?
Deliberatly deceptive 0?
→ Users can override tag numerical_value
2
https://github.com/MISP/misp-taxonomies/blob/master/
admiralty-scale/machinetag.json
11 26

time
base_score(Attribute, Model )
I Initial score of the Attribute only considering the context
(Attribute’s type, Tags)
decay(Model, )
time
I Function composed of the lifetime and decay speed

I Decreases the base_score over time
12 26

time
score
base_score
time
13 26
Current implementation in
MISP
14 26

15 26
1 "Attribute": [
2 {
3 "category": "Network activity",
4 "type": "ip-src",
5 "to_ids": true,
6 "timestamp": "1565703507",
7 [...]
8 "value": "8.8.8.8",
9 "decay_score": [
10 {
11 "score": 54.475223849544456,
12 "decayed": false,
13 "DecayingModel": {
14 "id": "85",
15 "name": "NIDS Simple Decaying Model"
16 }
17 }
18 ],
19 [...]
20 16 26
Implementation in MISP: Objectives
Automatic scoring based on default values

User-friendly UI to manually set Model configuration
(lifetime, decay, etc.)
Simulation tool
Interaction through the API
Opportunity to create your own formula or algorithm
17 26
Implementation in MISP: Models definition
1
score = base_score · 1 − τt δ

Models are an instanciation of the formula with configurable
parameters:
Parameters: lifetime, decay_rate, threshold
base_score computation
default base_score
associate Attribute types
formula
creator organisation
18 26
Implementation in MISP: Models Types
Two types of model are available

Default Models: Created and shared by the community.
Coming from misp-decaying-models repository3 .
→ Not editable
Organisation Models: Created by a user on MISP

I Can be hidden or shared to other organisation
→ Editable
3
https://github.com/MISP/misp-decaying-models.git
19 26
Standard CRUD operations: View, update, add, create, delete,

enable, export, import
20 26
Configure models: Create, modify, visualise, perform mapping
21 26

Simulate decay on Attributes with different Models
23 26
1 {
2 "includeDecayScore": 1,
3 "includeFullModel": 0,
4 "excludeDecayed": 0,
5 "decayingModel": [85],
6 "modelOverrides": {
7 "threshold": 30
8 }
9 "score": 30,
10 }
11
24 26
Creating a new decay algorithm
1 <?php
2 include_once ’ Base . php ’ ;
3
4 c l a s s Polynomial extends DecayingModelBase
5 {
6 p u b l i c const DESCRIPTION = ’ The d e s c r i p t i o n of your new
decaying a l g o r i t h m ’ ;
7
8 p u b l i c f u n c t i o n computeScore ( $model , $ a t t r i b u t e , $base_score ,
$elapsed_time )
9 {
10 // a l g o r i t h m r e t u r n i n g a numerical score
11 }
12
13 p u b l i c f u n c t i o n isDecayed ( $model , $ a t t r i b u t e , $score )
14 {
15 // a l g o r i t h m r e t u r n i n g a boolean s t a t i n g
16 // i f the a t t r i b u t e i s expired or not
17 }
18 }
19 ?>
20
25 26
Decaying Models 2.0
Improved support of Sightings

I False positive Sightings should somehow reduce the
score
I Expiration Sightings should mark the attribute as decayed
Potential Model improvements
I Instead of resetting the score to base_score once a
Sighting is set, the score should be increased additively
(based on a defined coefficient); thus prioritizing surges
rather than infrequent Sightings
I Take into account related Tags or Correlations when
computing score
Increase Taxonomy coverage
I Users should be able to manually override the
numerical_value of Tags
26 / 26
Forensic support in MISP
Tools and visualization to support digital
forensic expert
Team CIRCL
[email protected]
February 9, 2023
Threat Sharing
DFIR and MISP digital evidences
Share analyses and reports of digital forensic evidences.

Propose changes to existing analyses or reports.
Extending existing events with additional evidences for local
or use in limited distribution sharing (sharing can be defined
at event level or attribute level).
Evaluate correlations1 of evidences against external or local
attributes.
Report sightings such as false-positive or true-positive (e.g.
a partner/analyst has seen a similar indicator).
1
MISP has a flexible correlation engine which can correlate on 1-to-1 value
matches, but also on fuzzy hashing (e.g. ssdeep) or CIDR block matching.
1 5
Benefits of using MISP
LE can leverage the long-standing experience in information

sharing and bridge their use-cases with MISP’s information
sharing mechanisms.
Accessing existing MISP information sharing communities by
receiving actionable information from CSIRT/CERT networks
or security researchers.
Bridging LE communities with other communities. Sharing
groups can be created (and managed) cross-sectors to
support specific use-cases.
The MISP standard is a flexible format which can be
extended by users using the MISP platform. A MISP object
template can be created in under 30 minutes, allowing users
to rapidly share information using their own data-models
with existing communities.
2 5
Challenges and implementations
Standard sharing mechanism for forensic cases

I MISP allows for the efficient collaborative analysis of digital
evidences
I Correlation on certain attributes
Importing disk images and file system data activity
(Mactime)
I Development of an adaptable import tool: From Mactime to
MISP Mactime object
Create, modify and visualise the timeline of events
I Development of a flexible timeline system at the event level
3 5
Forensic import (MISP 2.4.98)
Possibility to import Mactime files [done]

Pick only relevant files [done]
MISPObject will be created [done]
4 5
Data visualization (MISP zoidberg branch)
View: start-date only, spanning and search [dev-branch]

Manipulate: Edit, Drag and Expand [dev-branch]
Others: Timezone support [dev-branch]
→ For now [dev-branch], supports up to micro-seconds in the

database and up to milliseconds in the web interface.
5/5
MISP restSearch API
An easy way to query, add and update your threat
intelligence in MISP
CIISI-IE
MISP API reworked
The MISP API has grown gradually with a UI first design in

many cases
Endpoints all solved specific issues with their own rulesets
Growth was organic - whenever the need to add a new
functionality / filter popped up we’ve added it
Lead to frankenmonsters such as this:
http://localhost:5000/events/csv/download/false/false/tag1&&tag2&&tag3/Network%20activity/domain
1 10
Goals we’ve set for ourselves
Open up every functionality in MISP available via the UI to

the API
Including ones related to instance management
APIs that expect input objects for data creation should be
self-describing
URL parameters should be discouraged, but still usable by
legacy tools (deprecation)
APIs should be heavily tested (Raphael Vinot’s exhaustive
test suite in PyMISP)
Largest focus on Export APIs
2 10
Export API’s reimagined
Scrapped all existing type specific APIs (deprecated,

documentation moved to legacy, still available)
Single entry point - all export APIs baked into restSearch
Queries consist of a combination of:
I Scope (Event, Attribute, Sighting, more coming in the future)
I Filter parameters - passed via JSON objects, url parameters
(key value or ordered list)
I A return format
Everything that we could do before the rework we should be
able to accomplish after the rework
Under the hood now also used by the UI search and exports
3 10
Export API’s reimagined
One of our largest issues solved: pagination

I Scope specific pagination (number of events, attributes, etc)
I Simply control it via the framework friendly page / limit
parameters
I Alternatively, use the improved time based controls
(timestamp, publish_timestamp windows)
4 10
Performance tuning
Single execution with subqueries

Internal pagination aligned with memory limits
I Probing of available memory for the current process
I Chunking of the query results to fit in object specific memory
envelopes
I Constructing export set on disk in chunks has slashed
memory usage considerably
5 10
Designing tools that use the APIs can be com-
plex, but there’s help
The result of our own frustration

Built in ReST client with templating
Extensive query builder UI by Sami Mokaddem
Build queries in a simple interface, automatically set URLs,
headers, etc
Uses the self documentation of APIs
Export your queries as cURL or Python scripts
Built in testing tools (performance measurements, result
parsers)
Store queries for reuse and download the results directly
6 10
Why is the search API receiving so much focus?
The maturity of the communities and threat intel sharing at

large has improved
We are sharing more
Most importantly: we are sharing more context along with
technical indicators
This allows us to manage our data more accuractely before
feeding them to our protective tools
Different contexts (APT targeting me? Persisting techniques?)
- lifecycle management
Use several queries / boolean operators to select the slice
of data most relevant for the task
7 10
CLI tools for the CLI God, automation for the au-
tomation throne
Open up commonly used system management tasks to the

CLI
I sync servers/feeds
I caching feeds
I Password resets
I Server settings
I Bruteforce protection resets
I Enrichment
I Worker management
Goal was also to move away from the often malfunctioning
scheduler and have cron friendly CLI scripts
8 10
So what does all of this look like in practice?
Demo time!
9 10
Plans for the future
Add export modules to the restSearch API

Improve the query language to support some missing
features (such as AND boolean operators)
Support for extended events via the restSearch API
I We’re missing a framing structure in the export module
system (how are a list of conversions encapsulated and
delimited?)
I Proof of concept of the system implemented by Christian
Studer already works using the STIX / STIX2 export
subsystems
I Would open us up to simple customiseable search APIs
Open up search APIs to other scopes (objects, users,
organisations, proposals, feeds, galaxies, taxonomies)
10 / 10
Best Practices in Threat Intelli-
gence
Gather, document, analyse and contextualise in-
telligence using MISP
MISP Project
CIISI-IE
Threat Sharing
Objectives
Learn how to use MISP to support common OSINT gathering

use-cases often used by SOC, CSIRTs and CERTs
I Use practical exercise examples1
I The exercises are based on practical recent cases to model
and structure intelligence using the MISP standard
Improve the data models available in MISP by exchanging
live improvements and ideas
Be able to share the results to the community at the end of
this session
1
https:
//gist.github.com/adulau/8c1de48060e259799d3397b83b0eec4f
1 12
(Threat) Intelligence
Cyber threat intelligence (CTI) is a vast concept which

includes different concepts, methods, and workflows
I Intelligence is defined differently in the military than in the
financial sector than in the intelligence community
MISP project doesn’t want to lock an organisation or a user
into a specific model. Each model is useful depending on the
objectives of an organisation
A set of pre-defined knowledge base or data-models are
available and organisations can select (or create) what they
need
During this session, an overview of the most used
taxonomies, galaxies, and objects will be described
2 12
Overall process of collecting and analysing
OSINT
3 12
Meta information and contextualisation 1/2
Quality of indicators/attributes are important but tagging

and classification are also critical to ensure actionable
information
Organizing intelligence is done in MISP by using tags, which
often originate from MISP taxonomy libraries
The scope can be classification (tlp, PAP), type (osint, type,
veris), state (workflow), collaboration
(collaborative-intelligence), or many other fields
MISP taxonomy documentation is readily available2
Review existing practices of tagging in your sharing
community, reuse practices, and improve context
2
https://www.misp-project.org/taxonomies.html
4 12
Meta information and contextualisation 2/2
When information cannot be expressed in triple tags format

(namespace:predicate=value), MISP use Galaxies
Galaxies contain a huge set of common libraries3 such as
threat actors, malicious tools, tactics, target information,
mitigations, and more
When tagging or adding a Galaxy cluster, tagging at the event
level is for the whole event (including attributes and
objects). Tagging at the attribute level is for a more specific
context
3
https://www.misp-project.org/galaxy.html
5 12
Estimative Probability
Words of Estimative Probability4 propose clear wording

while estimating probability of occurence from an event
A MISP taxonomy called estimative-language5 proposes an
applied model to tag information in accordance with the
concepts of Estimative Probability
4
https:
//www.cia.gov/library/center-for-the-study-of-intelligence/
csi-publications/books-and-monographs/
sherman-kent-and-the-board-of-national-estimates-collected-essa
6words.html
5
6 12
Reliability, credibility, and confidence
The Admiralty Scale6 (also called the NATO System) is used

to rank the reliability of a source and the credibility of
information
A MISP taxonomy called admiralty-scale7 is available
US DoD JP 2-0, Joint Intelligence8 includes an appendix to
express confidence in analytic judgments
A MISP predicate in estimative-language called
confidence-in-analytic-judgment9 is available
6
https:
//www.ijlter.org/index.php/ijlter/article/download/494/234,
US Army Field Manual 2-22.3, 2006
7
8
http:
//www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf,
page 114
9
7 12
Adding attributes/objects to an event
If the information is a single atomic element, using a single

attribute is preferred
I Choosing an attribute type is critical as this defines the
automation/export rule (e.g. url versus link or ip-src/ip-dst?)
I Enabling the IDS (automation) flag is also important, but
when you are in doubt, don’t set the IDS flag
If the information is composite (ip/port, filename/hash,
bank account/BIC), using an object is strongly recommended
8 12
How to select the right object?
There are more than 150 MISP object10 templates.

As an example, at CIRCL, we regularly use the following object
templates file, microblog, domain-ip, ip-port, coin-address,
virustotal-report, paste, person, ail-leak, pe, pe-section,
registry-key.
10
https://www.misp-project.org/objects.html
9 12
microblog object
Use case
A series of OSINT tweets from a
security researcher. To
structure the thread, the Object to use
information, and keep a history. The microblog object can be
used for Tweets or any
microblog post (e.g. Facebook).
The object can be linked using
followed-by to describe a series
of post.
10 12
file object
Object to use
Use case The file object can be used to
A file sample was received describe file. It’s usual to have
by email or extracted from partial meta information such
VirusTotal as a single hash and a filename.
A list of file hashes were
included in a report
A hash value was
mentioned in a blog post
11 12
References
Graphical overview of OSINT collection using MISP https:

//github.com/adulau/misp-osint-collection
MISP objects documentation
https://www.misp-project.org/objects.html
MISP taxonomies documentation
MISP galaxy documentation
https://www.misp-project.org/galaxy.html
12 / 12
MISP core development hands-on
exercise
Building a small nifty feature for the MISP core
CIISI-IE
Threat Sharing
Some practical things first...
If you’d like to take a peak at the main files already

implemented:
https://github.com/iglocska/misp-dev-training-cheat-sheet
Full implementation:
https://github.com/MISP/MISP/tree/dev_session/app
1 20
Let’s try to develop a feature together
Idea: Users should have the option to set alert filters for the
publish alert e-mails
By default receive all alerts as before
If a filter is set, check if the alert is interesting for us or not
2 20
How to ensure that the feature is useful for the
community at large?
Always try to think in reusable systems instead of fixing a

single issue
I Much higher chance of getting a PR merged if it doesn’t just
cover your specific use-case
I Try to stay two steps ahead, see how your feature can be
reused for other tasks
3 20
User settings - a long overdue feature
Allow users to set preferences for certain views

For high level users, all the technical details are sometimes
wasted
Simply not being interested in certain types of data points
Non-standard MISP deployments (island only MISP
instances, etc)
User pre-sets for certain settings
4 20
Objectives of the feature
User should be able to do the following with filter rules:

I set
I get
I remove
I index
Filter rules should be flexible - we do not want to anticipate
all possible settings in advance
Ensure that the system is easy to extend and reuse
5 20
Before we start with anything...
Update our MISP instance (git pull origin 2.4)

Fork github.com/MISP/MISP (via the github interface)
Add a new remote to our fork:
I via username/password auth: git remote add my_fork
https://github.com/iglocska/MISP
I via ssh: git remote add my_fork
gitgithub.com:iglocska/MISP.git
Generally a good idea to work on a new branch: git checkout
-b dev_exercise
Enable debug in MISP
6 20
Implementation
Storage:
I Single key/value table for all settings
I Each user should be able to set a single instance of a key
I Values could possible become complex, let’s use JSON!
I Add timestamping for traceability
I Consider which fields we might want to look-up frequently for
indexing
7 20
The database changes we need
The table structure:

I id int(11) auto increment //primary key
I key varchar(100) //add index!
I value text //json
I user_id int(11) //add index!
I timestamp int(11) //add index!
Tie it to into the upgrade system (app/Model/AppModel.php)
Test our upgrade process! Check the output in the audit logs
8 20
Checklist
Outline of the changes needed:

I New Controller (UserSettingsController.php)
I New Model (UserSetting.php)
I New Views (setSetting, index)
I Add new controller actions to ACL
I Update the e-mail alert system to use the functionality
9 20
Create the new Model skeleton
location: /var/www/MISP/app/Model/UserSetting.php
Create basic skeleton
Add model relationships (hasMany/BelongsTo)
Use the hooking functionality to deal with the JSON field
(beforeSave(), beforeFind())
Add a function that can be used to check if a user should get
an alert based on filters (checkPublishFilter())
Add a function to check if a user can access/modify a setting
(checkAccess())
10 20
Create the Controller skeleton
location: /var/www/MISP/app/Model/UserSetting.php
Create basic skeleton
Set pagination rules
Define CRUD functions (exceptionally, we diverge here from
the norm)
I setSetting()
I getSetting()
I index()
I delete()
11 20
Start with an API only approach at first
setSetting():
I Accepted methods: ADD / POST
I Separate handling of API / UI
I POST should create/update an entry
I GET should describe the API
12 20
getSetting / index
getSetting():
I Accepted methods: GET
I Retrieves a single setting based on either ID or setting key
and user_id
I Encode the data depending on API/UI
I Accepted methods: GET
I List all settings
I Filter user scope on demand
I Filter available scopes based on role
13 20
delete
delete():
I Accepted methods: POST / DELETE
I Deletes a single entry based on ID or setting key
I Encode the data depending on API/UI
14 20
Add the ACL functionalities
Tie functions into checkAccess():

I Check if user is allowed to execute actions and throw
exceptions if not
I Add it to: setSetting() / getSetting() / delete()
Consider that:
I Site admins have full reign
I Org admins can manage their own users
I Everyone else can self-manage
15 20
Test the functionalities
Use the REST client

Expectations
I GET on /setSetting and /delete describing our endpoints
I POST /setSetting with "key": "publish_filter", "value":
"Event.tags":"%sofacy%" should return newly added or
modified filter
I GET on /index should list our entries, GET on /getSetting
should show an individual entry
I DELETE on /delete should delete the entry
16 20
Start adding the UI components
We now have a rudimentary CRUD, let’s add some simple UI

views
I setSetting as a simple form
I index should use the parametrised generators (IndexTable)
I Add both views to the menu systems (side-menu, global
menu)
I Don’t forget about sanitisation and translations!
17 20
Add the checkPublishFilter() function to the e-
mailing
Trace the code path of the e-mail sending to understand the

process
Decide on the best place to inject our check
Don’t break the flow of the process!
What do we have access to at this point? What format are
they in?
18 20
Test if our code works correctly
Do we see any notices / errors?

Is our code easily accessible?
Consider other roles! Can users/org admins do things we
don’t want them to do?
Is our code-base breaking the default behaviour?
Is our update script working as expected?
19 20
Push our code to our fork and create a pull
request
git status to check what changed / got added

git add /path/to/file to add files we want to commit
git commit (format: is "new/fix/chg: [topic] My description"
git push my_fork
Create pull request from the github interface
Wait for Travis to run, update the code if needed
20 / 20
MISP restSearch module develop-
ment
Building a simple export module for the core
CIISI-IE
Threat Sharing
Building a native restSearch export
Similar in scope to an export module of the MISP modules

system
Pros:
I Can be used for composited data coming from a filtered query
I Fast, native approach
I Can be built to support several scopes (events, attributes,
sightings)
Cons...
1 28
Building a native restSearch export
Similar in scope to an export module of the MISP modules

system
Pros:
I Can be used for composited data coming from a filtered query
I Fast, native approach
I Can be built to support several scopes (events, attributes,
sightings)
Cons...
2 28
So how does restSearch work?
Standardised way of collecting parameters

Using the parameters, a loop is started to chunk and
gradually build our export data
The chunk size depends on memory envelopes
Each chunk is converted piece by piece...
... and subsequently are concatenated into a temporary file
Once no more elements are left, the file is sent in the
response
3 28
Where does the module system come into play?
The export modules handle 5 tasks:

I Pass meta-information back to restSearch on the export
format itself
I Add a start segment to the exported data
I Do the actual conversion from MISP’s internal format to the
desired export format
I Provide a separator for data chunks
I Have a closing segment for the returned data, based on the
formatś conventions
4 28
Our little training module: Nibbler, the ever
hungry IDS/IPS
5 28
Nibbler
Simplistic tool with its own proprietary format

Meant to mimic a typical in-house tool
Lightweight scope, for simplicityś sake
pipe separated values
VALUE | TYPE | DESCRIPTION | REFERENCE | ACTION
6 28
Nibbler format - caveats
Rules can be prepended by comments, each comment line

starting with #
Some characters have to be escaped in some custom, crazy
ways
I linebreaks: ##LINEBREAK##
I commas: ##COMMA##
I pipes: ##PIPE##
7 28
Nibbler format
Value: The actual indicator value

Type: The format of the indicator
Description: A quick description for analysts investigating
the alert, why is this relevant
Reference: A backreference that the analyst can use to find
out more about the alert
Action: What should Nibbler do if it trips over the value?
8 28
Supported types
IP
Domain
Hostname
MD5
SHA1
SHA256
Filename
9 28
Supported values
ALERT - default behaviour, create an alert.

BLOCK - block the action outright. Only set if the tag
nibbler:block is present
10 28
Mapping the types to MISP
Though we have types to map from MISP, in some cases

several types map to a Nibbler type
We’ve created a rough mapping (this is probably the most
difficult task) in advance
Some MISP types map to a Nibbler type directly
Composite MISP types map to 2 Nibbler types each
11 28
Mapping the types to MISP
ip-dst :: IP
ip-src :: IP
domain :: Domain
domain|ip :: Domain, IP
hostname :: Hostname
md5 :: MD5
sha1 :: SHA1
sha256 :: SHA256
filename|md5 :: Filename, MD5
malware-sample :: Filename, MD5
filename|sha1 :: Filename, SHA1
filename|sha256 :: Filename, SHA256
12 28
Export module skeleton
<?php
class NibblerExport
{
p u b l i c $additional_params = a r r a y ( ) ;
p u b l i c f u n c t i o n handler (
$data , $options = a r r a y ( )
) {}
p u b l i c f u n c t i o n header (
$options = a r r a y ( )
) {}
public function footer ( ) { }
public function separator ( ) { }
}
13 28
Additional parameters
p u b l i c $additional_params = a r r a y (
’ f l a t t e n ’ => 1
);
14 28
Adding our mapping
p r i v a t e $__mapping = a r r a y (
’ ip−dst ’ => ’ IP ’ ,
’ ip−src ’ => ’ IP ’ ,
’ domain ’ => ’ Domain ’ ,
’ domain | ip ’ => [ ’ Domain ’ , ’ IP ’ ] ,
’ hostname ’ => ’ Hostname ’ ,
’md5 ’ => ’ MD5 ’ ,
’ sha1 ’ => ’ SHA1 ’ ,
’ sha256 ’ => ’ SHA256 ’ ,
’ filename |md5 ’ = > a r r a y ( ’ Filename ’ , ’ MD5 ’ ) ,
’ malware−sample ’ = > a r r a y ( ’ Filename ’ , ’ MD5 ’ ) ,
’ filename | sha1 ’ = > a r r a y ( ’ Filename ’ , ’ SHA1 ’ ) ,
’ filename | sha256 ’ = > a r r a y ( ’ Filename ’ , ’ SHA256 ’ )
);
15 28
Writing the start of the output
p u b l i c f u n c t i o n header ( $options = a r r a y ( ) )
{
return s p r i n t f (
"# N i b b l e r r u l e s generated by MISP a t %s \n " ,
date ( ’ Y−m−d H : i : s ’ )
);
}
16 28
Footer function - how should the output end?
public function footer ( )

{
r e t u r n "\ n " ;
}
17 28
What separates the chunks?
public function separator ( )

{
r e t u r n "\ n " ;
}
18 28
The actual legwork, the handler
p u b l i c f u n c t i o n handler ( $data , $options = a r r a y ( ) )

{
i f ( $options [ ’ scope ’ ] === ’ A t t r i b u t e ’ ) {
$data [ ’ A t t r i b u t e ’ ] [ ’ A t t r i b u t e T a g ’ ] = $data [ ’ A t t r i b u t e T a g ’ ] ;
r e t u r n $ t h i s −>_ _ c o n v e r t A t t r i b u t e ( $data [ ’ A t t r i b u t e ’ ] , $data [ ’ Event ’ ] ) ;
}
i f ( $options [ ’ scope ’ ] === ’ Event ’ ) {
$result = array ( ) ;
foreach ( $data [ ’ A t t r i b u t e ’ ] as $ a t t r i b u t e ) {
$temp = $ t h i s −>_ _ c o n v e r t A t t r i b u t e ( $ a t t r i b u t e , $data [ ’ Event ’ ] ) ;
i f ( $temp ) $ r e s u l t [ ] = $temp ;
}
r e t u r n implode ( $ t h i s −>s e p a r a t o r ( ) , $ r e s u l t ) ;
}
return ’ ’ ;
}
19 28
Building an optional internal converter
function
p r i v a t e f u n c t i o n _ _ c o n v e r t A t t r i b u t e ( $ a t t r i b u t e , $even
{
i f ( empty ( $ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] ) ) {
// mapping not found − i n v a l i d type f o r n i b b l e r
return ’ ’ ;
}
i f ( i s _ a r r a y ( $ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] ) )
// handle mappings f o r composites − s l i d e
} else {
// handle simple mappings − s l i d e
}
// r e t u r n 1 or 2 l i n e s , separated by s e p a r a t o r ( )
}
20 28
Handling the simple case
$result [ ] = sprintf (
’% s|%s|%s|%s|%s ’ ,
$ t h i s −>__escapeSpecialChars ( $ a t t r i b u t e [ ’ value ’ ] ) ,
$ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] ,
$event [ ’ uuid ’ ] ,
$ t h i s −>__escapeSpecialChars ( $event [ ’ i n f o ’ ] ) ,
’ ALERT ’
);
21 28
Handling the case for composites
$ a t t r i b u t e [ ’ value ’ ] = explode (
’ | ’ , $ a t t r i b u t e [ ’ value ’ ]
);
foreach ( a r r a y ( 0 , 1 ) as $ p a r t ) {
’% s|%s|%s|%s|%s ’ ,
$ t h i s −>__escapeSpecialChars (
$ a t t r i b u t e [ ’ value ’ ] [ $ p a r t ]
),
$ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] [ $ p a r t ] ,
$event [ ’ uuid ’ ] ,
’ ALERT ’
);
}
22 28
Putting it together
p r i v a t e f u n c t i o n _ _ c o n v e r t A t t r i b u t e ( $ a t t r i b u t e , $event ) {
i f ( empty ( $ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] ) ) r e t u r n ’ ’ ;
$result = array ( ) ;
$attributes = array ( ) ;
i f ( i s _ a r r a y ( $ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] ) ) {
$ a t t r i b u t e [ ’ value ’ ] = explode ( ’ | ’ , $ a t t r i b u t e [ ’ value ’ ] ) ;
foreach ( a r r a y ( 0 , 1 ) as $part ) {
’% s|%s|%s|%s|%s ’ ,
$ t h i s −>__escapeSpecialChars ( $ a t t r i b u t e [ ’ value ’ ] [ $pa rt ] ) ,
$ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] [ $part ] ,
/ events / view / . $event [ ’ uuid ’ ] ,
$ t h i s −>__decideOnAction ( $ a t t r i b u t e [ ’ A t t r i b u t e T a g ’ ] )
);
}
} else {
’% s|%s|%s|%s|%s ’ ,
$ t h i s −>__escapeSpecialChars ( $ a t t r i b u t e [ ’ value ’ ] ) ,
$ t h i s −>__mapping [ $ a t t r i b u t e [ ’ type ’ ] ] ,
/ events / view / . $event [ ’ uuid ’ ] ,
$ t h i s −>__decideOnAction ( $ a t t r i b u t e [ ’ A t t r i b u t e T a g ’ ] )
);
}
}
23 28
Adding the function that decides on the action
p r i v a t e f u n c t i o n __decideOnAction ( $ a t t r i b u t e T a g s )
{
foreach ( $ a t t r i b u t e T a g s as $ a t t r i b u t e T a g ) {
if (
$ a t t r i b u t e T a g [ ’ Tag ’ ] [ ’ name ’ ] ===
’ n i b b l e r : block ’
) {
r e t u r n ’ BLOCK ’ ;
}
}
r e t u r n ’ ALERT ’ ;
}
24 28
Finalising the export module... The escaping
function
p r i v a t e f u n c t i o n __escapeSpecialChars ( $value )
{
$value = preg_replace (
"/\ r |\ n / " , "## LINEBREAK # # " , $value
);
" / , / " , "##COMMA# # " , $value
);
" / \ | / " , "## PIPE # # " , $value
);
r e t u r n $value ;
}
25 28
Modifying the MISP core to know about the ex-
port module
The models that we are targeting by scope (Event, Attribute)

need to be updated
They are located in /var/www/MISP/app/Model/
The global variable $validFormats houses all mappings
Simply add a new line such as the following:
’nibbler’ => array(’nibbler’, ’NibblerExport’, ’nibbler’)
26 28
Let us test the module!
Use the rest client to test it conveniently

Both the event and attribute level restSearch function
should work
Simply set the returnFormat to nibbler, which should also
show up as a valid export format
27 28
REST client
28 / 28
MISP - Galaxy 2.0
Method for sharing threat intelligence
Team CIRCL
[email protected]
February 9, 2023
Threat Sharing
Outline of the presentation
Present the features available for Sharing galaxy clusters

Look at the internals of what changed in the datamodel and
MISP’s behaviors
1 12
MISP Galaxy 2.0
Galaxy 2.0 introduces various new features for Galaxies and their
Clusters allowing:
Creation of custom Clusters
ACL on Clusters
Connection of Clusters via Relations
Synchronization to connected instances.
Visualization of forks and relationships
2 12
Default Galaxy clusters
Default Galaxy cluster

Coming from the misp-galaxy repository1
Cannot be edited
I Only way to provide modification is to modify the stored JSON
or to open a pull request
I Are not synchronized
I Source of trust
Restrictions propagate to their children (Galaxy cluster
elements, Cluster relationships)
Custom Galaxy cluster

Can be created via the UI or API
Belongs to an organisation
I Fully editable
I Are synchronized
1
https://github.com/MISP/misp-galaxy
3 12
MISP Galaxy 2.0 - Comparison with prior version
Clusters and Relations can be edited.

New Clusters fields
I distribution, sharing_group_id
I org_id, orgc_id
I locked, published, deleted
I default
Clusters coming from the misp-galaxies repository are
marked as default
Not synchronized
Same purpose as Event’s locked field
I extends_uuid
Point to the Cluster that has been forked
I extends_version
Keep track of the Cluster version that has been forked
4 12
MISP Galaxy 2.0 - Others changes
Role perm_galaxy_editor
Relations also have a distribution and can have Tags
Synchronization servers have 2 new flags
I pull_galaxy_clusters
I push_galaxy_clusters
Clusters blocklist
5 12
Features in depth: CRUD
Standard CRUD
Soft and Hard deletion
Publishing
Update forked cluster to keep it synchronized with its parent
ACL on the Cluster itself, not on its tag
I misp-galaxy:galaxy-type="cluster UUID"
I misp-galaxy:mitre-attack-pattern="e4932f21-4867-4de6-849a-1b11e48e2682"
6 12
Features in depth: Visualization
Tree view of forked Clusters
7 12
Tree and network views for Relations between Clusters
8 12
Tree and network views for Relations between Clusters
9 12
Galaxy cluster elements
Hasn’t been touched: Still a key-value stored. But new feature

have been added2
Tabular view
Allows you to browse cluster elements like before
2
Will be included in next release
10 12
Galaxy cluster elements
JSON view
Allows you to visualisation cluster element in a JSON
structure
Allows you to convert any JSON into cluster elements
enabling searches and correlations
11 12
Synchronization in depth
Has its own synchronization mechanism which can be enabled

with the pull_galaxy_cluster and push_galaxy_cluster
flags
Pull All: Pull all remote Clusters (similar to event’s pull all)
Pull Update: Update local Clusters (similar to event’s pull
update)
Pull Relevant: Pull missing Clusters based on local Tags
Push: Triggered whenever a Cluster is published or via
standard push
12 / 12
MISP Project
CIISI-IE
Threat Sharing
Content of the presentation
Data sharing in MISP

Data models for the Data layer
Data models for the Context layer
1 36
Layers of data model
Data layer
I The raw data itself as well as element to link them together
I Indicators, Observables and means to contextually link them
I MISP terminology: Event, Attributes, misp-objects, ...
Context layer
I As important as the data layer, allow triage, false-positive
management, risk-assessment and prioritisation
I Latches on the data layer, usually referencing threat
intelligence, concepts, knowledge base and vocabularies
I Tags, Taxonomies, Galaxies, ...
2 36
Data sharing in MISP
Sharing in MISP: Distribution
MISP offers granulars distribution settings:
Organisation only
This community
Connected communities
All communities
Distribution lists - aka Sharing groups
At multiple levels: Events, Attributes, Objects (and their

Attributes) and Galaxy-clusters
3 36
Sharing in MISP: Distribution
4 36
Data layer
Data layer: Naming conventions
Data layer
I Events are encapsulations for contextually linked information
I Attributes are individual data points, which can be indicators
or supporting data.
I Objects are custom templated Attribute compositions
I Object references are the relationships between individual
building blocks
I Shadow Attributes/Proposal are suggestions made by users
to modify an existing attribute
I Sightings are a means to convey that a data point has been
seen
I Event reports are supporting materials for analysts to
describe events, processes, etc
5 36
Data layer: Events
Events are encapsulations for contextually linked information
Purpose: Group datapoints and context together. Acting as
an envelop, it allows setting distribution and sharing rules
for itself and its children.
Usecase: Encode incidents / events / reports / ...
6 36
Data layer: Event building blocks - Base
7 36
Data layer: Events
1 {
2 " date " : " 2019−02−20 " ,
3 " i n f o " : " I o T malware − G a f g y t . Gen28 ( a c t i v e ) " ,
4 " uuid " : " 5 c6d21e5−bb60−47b7−b892−42e6950d2111 " ,
5 " analysis " : "2" ,
6 " timestamp " : " 1602315388 " ,
7 " distribution " : "3" ,
8 " s h a r i n g _ g r o u p _ i d " : "0" ,
9 " threat_level_id " : "3" ,
10 " extends_uuid " : " " ,
11 " Attribute " : [ . . . ] ,
12 " Object " : [ . . . ] ,
13 " EventReport " : [ . . . ] ,
14 " Tag " : [ . . . ] ,
15 " Galaxy " : [ . . . ]
16 }
8 36
Data layer: Attributes
Attributes are individual data points, indicators or supporting

data
Purpose: Individual data point. Can be an indicator or
supporting data.
Usecase: Domain, IP, link, sha1, attachment, ...
9 36
Data layer: Event building blocks - Raw data
10 36
Data layer: Attributes
1 {
2 " type " : " u r l " ,
3 " c a t ego r y " : " Network a c t i v i t y " ,
4 " t o _ i d s " : true ,
5 " uuid " : " 5 c6d24bd−d094−4dd6−a1b6−4f a 3 9 5 0 d 2 1 1 1 " ,
6 " e ven t_i d " : " 178 " ,
8 " s h a r i n g _ g r o u p _ i d " : "0" ,
9 " timestamp " : " 1550656701 " ,
10 "comment" : " D e l i v e r y p o i n t f o r the malware " ,
11 " o b j e c t _ i d " : "0" ,
12 " object_relation " : null ,
13 " first_seen " : null ,
14 " last_seen " : null ,
15 " value " : " f t p : / / 1 8 5 . 1 3 5 . 8 0 . 1 6 3 / " ,
16 " Tag " : [ . . . ]
17 " Galaxy " : [ . . . ]
18 }
11 36
Data layer: MISP Objects
Objects are custom templated Attribute compositions
Purpose: Groups Attributes that are intrinsically linked
together
Usecase: File, person, credit-card, x509, device, ...
12 36
Data layer: Event building blocks - Data
composition
13 36
Data layer: MISP Objects
1 {
2 "name" : " e l f −s e c t i o n " ,
3 " meta−c a t e go r y " : " f i l e " ,
4 " d e s c r i p t i o n " : " Object d e s c r i b i n g a s e c t . . . " ,
5 " template_uuid " : " c a 2 7 1 f 3 2 −1234−4e87−b240−6b6e882de5de " ,
6 " template_version " : " 4 " ,
7 " uuid " : " ab5f0c85 −5623−424c−bc03−d79841700d74 " ,
8 " timestamp " : " 1550655984 " ,
10 " s h a r i n g _ g r o u p _ i d " : "0" ,
11 "comment" : " " ,
12 " first_seen " : null ,
13 " last_seen " : null ,
14 " ObjectReference " : [ ] ,
15 " Attribute " : [ . . . ]
16 }
14 36
Data layer: Object references
Object references are the relationships between individual
building blocks
Purpose: Allows to create relationships between entities,
thus creating a graph where they are the edges and entities
are the nodes.
Usecase: Represent behaviours, similarities, affiliation, ...
15 36
Data layer: Object references
1 {
2 " uuid " : " 5 c6d21f9 −0384−4bd2−b256−40de950d2111 " ,
3 " timestamp " : " 1602318569 " ,
4 " o b j e c t _ i d " : " 1024 " ,
5 " source_uuid " : " 23275 e05−c202−460e−aadf −819 c 4 1 7 f b 3 2 6 " ,
6 " referenced_uuid " : " ab5f0c85 −5623−424c−bc03−d79841700d74 " ,
7 " referenced_type " : " 1 " ,
8 " r e l a t i o n s h i p _ t y p e " : " included−i n " ,
9 "comment" : " S e c t i o n 0 of ELF "
10 }
16 36
Data layer: Event building blocks - Context
17 36
Data layer: Sightings
Sightings are a means to convey that a data point has been seen
Purpose: Allows to add temporality to the data.
Usecase: Record activity or occurence, perform IoC
expiration, ...
1 {
2 " org_id " : " 1 " ,
3 " date_sighting " : " 1573722432 " ,
4 " uuid " : " 5 dcd1940−5de8−4462−93dd−12a2a5e38e14 " ,
5 " source " : " " ,
6 " type " : "0" ,
7 " a t t r i b u t e _ u u i d " : " 5 da97b59−9650−4be2 −9443−2194 a5e38e14 "
8 }
18 36
Data layer: Event reports
Event reports are supporting data for analysis to describe
events, processes, ect
Purpose: Supporting data point to describe events or
processes
Usecase: Encode reports, provide more information about
the Event, ...
19 36
Data layer: Event building blocks - Collabora-
tion & intelligence
20 36
Data layer: Event reports
1 {
2 " uuid " : " 076e240b−5a76−4a8b−9eab−c f f f 5 5 1 9 9 3 d d " ,
3 " e ven t_i d " : " 2 1 2 7 " ,
4 "name" : " Event r e p o r t ( 1 6 0 7 3 6 2 9 8 6 ) " ,
5 " content " : " . . . " ,
7 " s h a r i n g _ g r o u p _ i d " : "0" ,
8 " timestamp " : " 1607362986 "
9 }
21 36
Data layer: Event building blocks - Full
22 36
Context layer
Context layer: Naming conventions
Context layer
I Tags are free-text labels attached to events/attributes and
can come from Taxonomies
Android Malware, C2, ...
I Taxonomies are a set of common classification allowing to
express the same vocabulary among a distributed set of
users and organisations
tlp:green, false-positive:risk="high",
admiralty-scale:information-credibility="2"
23 36
Context layer: Naming conventions
Context layer
I Galaxies are container copmosed of Galaxy-clusters that
belongs to the same family
Similar to what Events are to Attributes
Country, Threat actors, Botnet, ...
I Galaxy-clusters are knowledge base items coming from
Galaxies.
Basically a taxonomy with additional meta-information
misp-galaxy:threat-actor="APT 29",
misp-galaxy:country="luxembourg"
24 36
Context layer: Tags
Simple free-text labels
1 {
2 "name" : " Android malware " ,
3 " c o l o u r " : " #22681 c " ,
4 " exp or ta bl e " : true ,
5 " numerical_value " : n u l l ,
6 }
25 36
Context layer: Taxonomies
Simple label standardised on common set of vocabularies

Purpose: Enable efficent classification globally understood,
easing consumption and automation.
Usecase: Provide classification such as: TLP, Confidence,
Source, Workflows, Event type, ...
26 36
Context layer: Taxonomies
1 {
2 " Taxonomy " : {
3 " namespace " : " admiralty−s c a l e " ,
4 " d e s c r i p t i o n " : " The A d m i r a l t y S c a l e or Ranking ( a l s o c a l l e d
the NATO System ) . . . " ,
5 " version " : "6" ,
6 " exclusive " : false ,
7 },
8 " entries " : [
9 {
10 " tag " : " admiralty−s c a l e : information−c r e d i b i l i t y = \ " 1 \ " " ,
11 " expanded " : " I n f o r m a t i o n C r e d i b i l i t y : Confirmed by other
sources " ,
12 " numerical_value " : 100 ,
13 " e x c l u s i v e _ p r e d i c a t e " : true ,
14 },
15 ...
16 ]
17 }
27 36
Context layer: Galaxies
Collections of galaxy clusters
28 36
Context layer: Galaxy clusters
Kownledge base items including a description, links, synonyms,
meta-information and relationships
Purpose: Enable description of complex high-level
information for classification
Usecase: Extensively describe elements such as threat
actors, countries, technique used, ...
29 36
Galaxy cluster elements: Tabular view
Galaxy cluster elements: JSON view
30 36
1 {
2 " uuid " : " 5 eda0a53−1d98−4d01−ae06−40da0a00020f " ,
3 " type " : " f e l l o w s h i p −c h a r a c t e r s " ,
4 " value " : " Aragorn w i e l d i n g A n d u r i l " ,
5 " tag_name " : " misp−g a l a x y : f e l l o w s h i p −c h a r a c t e r s =\" c3fe907a −6a36
−4cd1 −9456−d c d f 3 5 c 3 f 9 0 7 \" " ,
6 " d e s c r i p t i o n " : " The Aragorn c h a r a c t e r w i e l d i n g A n d u r i l " ,
7 " source " : " Middle−earth u n i v e r s e by J . R . R . T o l k i e n " ,
8 " authors " : n u l l ,
9 " version " : " 1591347795 " ,
10 " d i s t r i b u t i o n " : "0" ,
11 " sharing_group_id " : null ,
12 " default " : false ,
13 " extends_uuid " : " 5 eda0117 −1e14−4b0a−9e26−34 a f f 3 3 1 d c 3 b " ,
14 " extends _version " : " 1 5 9 1 3 4 5 4 3 1 " ,
15 " GalaxyElement " : [ . . . ] ,
16 " GalaxyClusterRelation " : [ . . . ]
17 }
31 36
Context layer: Galaxies & Galaxy clusters
MISP integrates MITRE’s Adversarial Tactics, Techniques, and

Common Knowledge (ATT&CK) and similar Galaxy Matrix
MISP terminology of these matrixes: Galaxy Matrix
32 36
1 {
2 " d e s c r i p t i o n " : " U n i v e r s a l Development and S e c u r i t y G u i d e l i n e s as
A p p l i c a b l e to E l e c t i o n Technology . " ,
3 " icon " : "map" ,
4 "kill_chain_order": { \\Tab in the matrix
5 "example-of-threats": [ \\Column in the matrix
6 "setup | party/candidate-registration",
7 "setup | electoral-rolls",
8 "campaign | campaign-IT",
9 "all-phases | governement-IT",
10 "voting | election-technology",
11 "campaign/public-communication | media/press"
12 ]
13 },
14 "name" : " E l e c t i o n g u i d e l i n e s " ,
15 " namespace " : " misp " ,
16 " type " : " g u i d e l i n e s " ,
17 " uuid " : " c1dc03b2 −89b3−42a5−9d41 −782 e f 7 2 6 4 3 5 a " ,
18 " version " : 1
19 }
33 36
Cluster JSON matrix-like
1 {
2 " d e s c r i p t i o n " : " DoS or overload of p a r t y /campaign
r e g i s t r a t i o n , causing them to miss the deadline " ,
3 " meta " : {
4 " date " : " March 2 0 1 8 . " ,
5 "kill_chain": [ \\Define in which column the cluster should be placed
6 "example-of-threats:setup | party/candidate-registration"
7 ],
8 " refs " : [
9 " h t t p s : / /www. r i a . ee/ s i t e s / d e f a u l t / f i l e s / content−e d i t o r s /
kuberturve / c y b e r _ s e c u r i t y _ o f _ e l e c t i o n _ t e c h n o l o g y . pdf
"
10 ]
11 },
12 " uuid " : " 154 c6186−a007−4460−a029−ea23163448fe " ,
13 " value " : " DoS or overload of p a r t y /campaign r e g i s t r a t i o n ,
causing them to miss the deadline "
14 }
34 36
Expressing relation between clusters
Cluster can be related to one or more clusters using default

relationships from MISP objects and a list of tags to classify
the relation.
1 " related " : [
2 {
3 " dest−uuid " : " 5 ce5392a −3a6c−4e07−9df3 −9b6a9159ac45 " ,
4 " tags " : [
5 " e s t i m a t i v e −language : l i k e l i h o o d −p r o b a b i l i t y =\" l i k e l y \"
"
6 ],
7 " type " : " s i m i l a r "
8 }
9 ],
10 " uuid " : "0ca45163−e223 −4167−b1af−f088ed14a93d " ,
11 " value " : " P u t t e r Panda "
35 36
Acknowledgements
Supported by the grant 2018-LU-IA-0148
36 / 36
Visualise all the things
Building dashboard widgets for MISP
CIISI-IE
Threat Sharing
Dashboard in MISP
User configurable simple dashboard interface

Visualise, aggregate and track data important to you
Brand new feature, still undergoing reworks
1 9
The internals of awidget
Backend for the widget, full access to all MISP internals

Load, convert, format to be represented via view widgets
Widget metadata - size, name, description, behaviours
Only main function required to be implemented: handler()
Optional: checkPermissions() for ACL
Accepts user configuration for which a template can be
provided
Located in /var/www/MISP/app/Lib/Dashboard/
Custom widgets can be placed in
/var/www/MISP/app/Lib/Dashboard/Custom/
2 9
The view layer of a widget
View files are included by default and reusable

Currently we have a small but growing list of views
I BarChart
I SimpleList
I WorldMap
Converts the data passed by the Widget logic to HTML
Located in
/var/www/MISP/view/Elements/dashboard/Widgets/
3 9
Widget behaviours
Widgets can additionally be tied to certain behaviours:

I Caching
Executions of the widget logic are cached
Separate caches for each organisation in addition to site
admins
Cache duration is controlled by the widget logic
I Refresh
Widgets can be set to refresh after x seconds
I Both of these should be used with special care in regards to
the use of system resources
4 9
Exercise module: simple Whoami
Let’s start with a skeleton

Create /var/www/MISP/app/Lib/Dashboard/Cus-
tom/WhoamiWidget.php
MISP will parse anything ending with Widget.php in this
directory
5 9
Exercise module: simple Whoami
1 <?php
2 class MispWhoamiWidget
3 {
4 public $title = ’Whoami’;
5 public $render = ’SimpleList’;
6 public $width = 2;
7 public $height = 2;
8 public $params = array();
9 public $description = ’Shows information about the
currently logged in user.’;
10 public $cacheLifetime = false;
11 public $autoRefreshDelay = 3;
12
13 public function handler($user, $options = array())
14 {
15 $data = array();
16 return $data;
17 }
18 }
6 9
Meta information
$title: The name of the widget

$description: A description of the widget
$render: The view element to use in rendering the widget
$width & $height: Default relative dimensions
$params: Configuration array with explanations for each key
$cacheLifetime: The lifetime of the caches in seconds (false
disables it)
$autoRefreshDelay: The time in seconds between each
refresh (false disables it)
7 9
The handler
1 public function handler($user, $options = array())
2 {
3 $this->Log = ClassRegistry::init(’Log’);
4 $entries = $this->Log->find(’all’, array(
5 ’recursive’ => -1,
6 ’conditions’ => array(
7 ’action’ => ’login’, ’user_id’ => $user[’id’]
8 ),
9 ’order’ => ’id desc’,
10 ’limit’ => 5,
11 ’fields’ => array(’created’, ’ip’)
12 ));
13 foreach ($entries as &$entry) {
14 $entry = $entry[’Log’][’created’] . ’ --- ’ .
15 (
16 empty($entry[’Log’][’ip’]) ?
17 ’IP not logged’ :
18 $entry[’Log’][’ip’]
19 );
20 }
21 return array(
22 array(’title’ => ’Email’, ’value’ => $user[’email’]),
23 array(
24 ’title’ => ’Role’, ’value’ => $user[’Role’][’name’]
25 ),
26 array(
27 ’title’ => ’Organisation’,
28 ’value’ => $user[’Organisation’][’name’]
29 ),
30 array(
31 ’title’ => ’IP’, ’value’ => $_SERVER[’REMOTE_ADDR’]
32 ),
33 array(’title’ => ’Last logins’, ’value’ => $entries)
34 );
35 }
8 9
Result
9/9
Turning data into actionable in-
telligence
advanced features in MISP supporting your ana-
lysts and tools
CIISI-IE
Threat Sharing
about CIRCL
The Computer Incident Response Center Luxembourg (CIRCL)

is a government-driven initiative designed to provide a
systematic response facility to computer security threats
and incidents. CIRCL is the CERT for the private sector,
communes and non-governmental entities in Luxembourg
and is operated by securitymadein.lu g.i.e.
1 37
MISP and CIRCL

2 37
The aim of this presentation
To give some insight into what sort of an evolution of our

various communities’ have gone through as observed over
the past 8 years
Show the importance of strong contextualisation...
...and how that can be leveraged when trying to make our
data actionable
3 37

adversary groups.
financial frauds.
4 37
The initial scope of MISP
Extract information during the analysis process

Store and correlate these datapoints
Share the data with partners
Focus on technical indicators: IP, domain, hostname, hashes,
filename, pattern in file/memory/traffic
Generate protective signatures out of the data: snort,
suricata, OpenIOC
5 37
Initial workflow
6 37
Why was it so simplistic?
This was both a reflection of our maturity as a community

I Capabilities for extracting information
I Capabilities for utilising the information
I Lack of willingness to share context
I Lack of co-operation between teams doing technical
analysis/monitoring and threat-intel
The more growth we saw in maturity, the more we tried to
match it with our data-model, often against pushback
7 37
The growing need to contextualise data
There were separate factors that made our data-sets less

and less useful for detection/defense in general
I Growth of our communities
I Distinguish between information of interest and raw data
I False-positive management
I TTPs and aggregate information may be prevalent compared
to raw data (risk assessment)
I Increased data volumes leads to be able to prioritise
8 37
Our initial solution
Allow users to tag any information created in MISP

We wanted to be lax with what we accept in terms of data,
but be strict on what we fed to our tools, with strong filter
options
We had some ideas on how to potentially move forward...
9 37
Our initial failures
Try to capture different aspects of contextualisation into

normalised values (threat level, source reliability, etc)
I Didn’t scale with needs other than our own
I Incorporating new types of contextualisation would mean the
modification of the software
I Getting communities with established naming conventions to
use anything but their go-to vocabularies was a pipe-dream
I Heated arguments over numeric conversions
10 37
Human creativity
We tried an alternate approach instead: Free tagging
I Result was spectacularly painful, at least 7 different ways to
spell tlp:amber
I No canonisation for common terms lead to tagging ultimately
becoming a highly flawed tool for filtering within a sharing
community
11 37
How we ended up tackling the issue more
successfuly
We ended up with a mixed approach, currently implemented
by the MISP-taxonomy system
I Taxonomies are vocabularies of known tags
I Tags would be in a triple tag format
namespace:predicate=”value”
I Create your own taxonomies, recipients should be able to use
data you tag with them without knowing it at the first place
I Avoid any coding, stick to JSON
Massive success, approaching 100 taxonomies
Organisations can solve their own issues without having to
rely on us
12 37
We were still missing something...
Taxonomy tags often non self-explanatory
Example: universal understanding of tlp:green vs APT 28
For the latter, a single string was ill-suited
So we needed something new in addition to taxonomies -
Galaxies
I Community driven knowledge-base libraries used as tags
I Including descriptions, links, synonyms, meta information,
etc.
I Goal was to keep it simple and make it reusable
I Internally it works the exact same way as taxonomies (stick to
JSON)
13 37
Broadening the scope of what sort of context
we are interested in
Who can receive our data? What can they do with it?
Data accuracy, source reliability
Why is this data relevant to us?
Who do we think is behind it, what tools were used?
What sort of motivations are we dealing with? Who are the
targets?
How can we block/detect/remediate the attack?
What sort of impact are we dealing with?
14 37
Parallel to the contextualisation efforts: False
positive handling
Low quality / false positive prone information being shared

Lead to alert-fatigue
Exclude organisation xy out of the community?
False positives are often obvious - can be encoded
Warninglist system1 aims to do that
Lists of well-known indicators which are often
false-positives like RFC1918 networks, ...
1
15 37
More complex data-structures for a modern age
Atomic attributes were a great starting point, but lacking in

many aspects
MISP objects2 system
I Simple templating approach
I Use templating to build more complex structures
I Decouple it from the core, allow users to define their own
structures
I MISP should understand the data without knowing the
templates
I Massive caveat: Building blocks have to be MISP attribute
types
I Allow relationships to be built between objects
2
16 37
Supporting specific datamodel
17 37
Continuous feedback loop
Data ingested by MISP was in a sense frozen in time

We had a creation data, but lacked a way to use the output
of our detection
Lead to the introduction of the Sighting system
The community could sight indicators and convey the time of
sighting
Potentially powerful tool for IoC lifecycle management,
clumsy query implementation default
18 37
Supporting specific datamodel
19 37
Making use of all this context
Most obvious goal: Improve the way we query data

I Unified all export APIs
I Incorporate all contextualisation options into API filters
I Allow for an on-demand way of excluding potential false
positives
I Allow users to easily build their own export modules feed
their various tools
20 37
Example query
{
" returnFormat " : " n e t f i l t e r " ,
" enforceWarninglist " : 1 ,
" tags " : {
"NOT " : [
" t l p : white " ,
" type : OSINT "
],
"OR " : [
" misp−g a l a x y : t h r e a t −a c t o r =\" Sofacy \ " " ,
" misp−g a l a x y : s e c t o r =\" Chemical \ " "
],
}
}
21 37
Synchronisation filters
Make decisions on whom to share data with based on

context
I MISP by default decides based on the information creator’s
decision who data gets shared with
I Community hosts should be able to act as a safety net for
sharing
Push filters - what can I push?
Pull filters - what am I interested in?
Local tags allow for information flow control
22 37
The emergence of ATT&CK and similar galaxies
Standardising on high-level TTPs was a solution to a long list

of issues
Adoption was rapid, tools producing ATT&CK data, familiar
interface for users
A much better take on kill-chain phases in general
Feeds into our filtering and situational awareness needs
extremely well
Gave rise to other, ATT&CK-like systems tackling other
concerns
I attck4fraud 3 by Francesco Bigarella from ING
I Election guidelines 4 by NIS Cooperation Group
3
https://www.misp-project.org/galaxy.html#_attck4fraud
4
https:
//www.misp-project.org/galaxy.html#_election_guidelines
23 37
Example query to generate ATT&CK heatmaps
/events/restSearch
{
" returnFormat " : " a t t a c k " ,
" tags " : [
],
" timestamp " : "365 d "
}
24 37
A sample result for the above query
25 37
Monitor trends outside of MISP (example:
dashboard)
26 37
Decaying of indicators
We were still missing a way to use all of these systems in

combination to decay indicators
Move the decision making from complex filter options to
complex decay models
Decay models would take into account various taxonomies,
sightings, the type of each indicator Sightings and Creation
date
The first iteration of what we have in MISP now took:
I 2 years of research
I 3 published research papers
I A lot of prototyping
27 37

time
Where,
score ∈ [0, 100]

base_score ∈ [0, 100]
decay is a function defined by model’s parameters
controlling decay speed
Attribute Contains Attribute’s values and metadata
(Taxonomies, Galaxies, ...)
Model Contains the Model’s configuration
28 37

29 37
" Attribute " : [
{
" c ategory " : " Network a c t i v i t y " ,
" type " : " ip−s r c " ,
" t o _ i d s " : true ,
" timestamp " : " 1 5 6 5 7 0 3 5 0 7 " ,
[...]
" value " : " 8 . 8 . 8 . 8 " ,
" decay_score " : [
{
" score " : 5 4 . 4 7 5 2 2 3 8 4 9 5 4 4 4 5 6 ,
" decayed " : f a l s e ,
" DecayingModel " : {
" id " : "85" ,
"name " : " NIDS Simple Decaying Model "
} 30 37
View, update, add, create, delete, enable, export, import

31 37
32 37

34 37
{
" includeDecayScore " : 1 ,
" includeFullModel " : 0 ,
" excludeDecayed " : 0 ,
" decayingModel " : [ 8 5 ] ,
" modelOverrides " : {
" t h r e s h o l d " : 30
}
" score " : 30 ,
}
35 37
To sum it all up...
Massive rise in user capabilities

Growing need for truly actionable threat intel
Lessons learned:
I Context is king - Enables better decision making
I Intelligence and situational awareness are natural
by-products of context
I Don’t lock users into your workflows, build tools that enable
theirs
36 37
Get in touch if you have any questions
Contact us
I https://twitter.com/mokaddem_sami
I https://twitter.com/iglocska
Contact CIRCL
I [email protected]
I https://twitter.com/circl_lu
I https://www.circl.lu/
Contact MISPProject
I https://github.com/MISP
I https://gitter.im/MISP/MISP
I https://twitter.com/MISPProject
37 / 37
Turning data into actionable in-
telligence
advanced features in MISP supporting your ana-
lysts and tools
CIISI-IE
Threat Sharing
The aim of this presentation
Why is contextualisation important?

What options do we have in MISP?
How can we leverage this in the end?
1 25
The growing need to contextualise data
Contextualisation became more and more important as we

as a community matured
I Growth and diversification of our communities
I Distinguish between information of interest and raw data
I False-positive management
I TTPs and aggregate information may be prevalent compared
to raw data (risk assessment)
I Increased data volumes leads to a need to be able to
prioritise
These help with filtering your TI based on your
requirements...
...as highlighted by Pasquale Stirparo Your Requirements Are
Not My Requirements
2 25
Objectives
Some main objectives we want to achieve when producing

data
I Ensure that the information is consumable by everybody
I That it is useful to the entire target audience
I The data is contextualised for it to be understood by
everyone
What we ideally want from our data
I We want to be able to filter data for different use-cases
I We want to be able to get as much knowledge out of the data
as possible
I We want to know where the data is from, how it got there,
why we should care
3 25
Different layers of context
Context added by analysts / tools

Data that tells a story
Encoding analyst knowledge to automatically leverage the
above
4 25
Context added by analysts / tools
Expressing why data-points matter
An IP address by itself is barely ever interesting

We need to tell the recipient / machine why this is relevant
All data in MISP has a bare minimum required context
We differentiate between indicators and supporting data
5 25
Broadening the scope of what sort of context
we are interested in
Who can receive our data? What can they do with it?
Data accuracy, source reliability
Why is this data relevant to us?
Who do we think is behind it, what tools were used?
What sort of motivations are we dealing with? Who are the
targets?
How can we block/detect/remediate the attack?
What sort of impact are we dealing with?
6 25
Tagging and taxonomies
Simple labels
Standardising on vocabularies
Different organisational/community cultures require
different nomenclatures
Triple tag system - taxonomies
JSON libraries that can easily be defined without our
intervention
7 25
Galaxies
Taxonomy tags often non self-explanatory
I Example: universal understanding of tlp:green vs APT 28
For the latter, a single string was ill-suited
So we needed something new in addition to taxonomies -
Galaxies
I Community driven knowledge-base libraries used as tags
I Including descriptions, links, synonyms, meta information,
etc.
I Goal was to keep it simple and make it reusable
I Internally it works the exact same way as taxonomies (stick to
JSON)
8 25
The emergence of ATT&CK and similar galaxies
Standardising on high-level TTPs was a solution to a long list

of issues
Adoption was rapid, tools producing ATT&CK data, familiar
interface for users
A much better take on kill-chain phases in general
Feeds into our filtering and situational awareness needs
extremely well
Gave rise to other, ATT&CK-like systems tackling other
concerns
I attck4fraud 1 by Francesco Bigarella from ING
I Election guidelines 2 by NIS Cooperation Group
1
https://www.misp-project.org/galaxy.html#_attck4fraud
2
https:
//www.misp-project.org/galaxy.html#_election_guidelines
9 25
Data that tells a story
More complex data-structures for a modern age
Atomic attributes were a great starting point, but lacking in

many aspects
MISP objects3 system
I Simple templating approach
I Use templating to build more complex structures
I Decouple it from the core, allow users to define their own
structures
I MISP should understand the data without knowing the
templates
I Massive caveat: Building blocks have to be MISP attribute
types
I Allow relationships to be built between objects
3
10 25
Supporting specific datamodels
11 25
Continuous feedback loop
Data shared was frozen in time

All we had was a creation/modification timestamp
Improved tooling and willingness allowed us to create a
feedback loop
Lead to the introduction of the Sighting system
Signal the fact of an indicator sighting...
...as well as when and where it was sighted
Vital component for IoC lifecycle management
12 25
Continuous feedback loop (2)
13 25
A brief history of time - Adding temporality to
our data
As Andreas said - no time based aspect was painful
Recently introduced first_seen and last_seen data
points
Along with a complete integration with the UI
Enables the visualisation and adjustment of indicators
timeframes
14 25
The various ways of encoding
analyst knowledge to automati-
cally leverage our TI
False positive handling
Low quality / false positive prone information being shared

Lead to alert-fatigue
Exclude organisation xy out of the community?
FPs are often obvious - can be encoded
Warninglist system4 aims to do that
Lists of well-known indicators which are often
false-positives like RFC1918 networks, ...
4
15 25
Making use of all this context
Providing advanced ways of querying data

I Unified export APIs
I Incorporating all contextualisation options into API filters
I Allowing for an on-demand way of excluding potential false
positives
I Allowing users to easily build their own export modules feed
their various tools
16 25
Example query
{
" returnFormat " : " n e t f i l t e r " ,
" enforceWarninglist " : 1 ,
" tags " : {
"NOT " : [
" t l p : white " ,
" type : OSINT "
],
"OR " : [
" misp−g a l a x y : t h r e a t −a c t o r =\" Sofacy \ " " ,
],
}
}
17 25
Example query to generate ATT&CK heatmaps
/events/restSearch
{
" returnFormat " : " a t t a c k " ,
" tags " : [
],
" timestamp " : "365 d "
}
18 25
A sample result for the above query
19 25
Monitor trends outside of MISP (example:
dashboard)
20 25
Decaying of indicators
We were still missing a way to use all of these systems in

combination to decay indicators
Move the decision making from complex filter options to
complex decay models
Decay models would take into account various available
context
I Taxonomies
I Sightings
I type of each indicator
I Creation date
I ...
21 25

22 25
" Attribute " : [
{
" c ategory " : " Network a c t i v i t y " ,
" type " : " ip−s r c " ,
" t o _ i d s " : true ,
" timestamp " : " 1 5 6 5 7 0 3 5 0 7 " ,
[...]
" value " : " 8 . 8 . 8 . 8 " ,
" decay_score " : [
{
" score " : 5 4 . 4 7 5 2 2 3 8 4 9 5 4 4 4 5 6 ,
" decayed " : f a l s e ,
" DecayingModel " : {
" id " : "85" ,
"name " : " NIDS Simple Decaying Model "
} 23 25
To sum it all up...
Massive rise in user capabilities

Growing need for truly actionable threat intel
Lessons learned:
I Context is king - Enables better decision making
I Intelligence and situational awareness are natural
by-products of context
I Don’t lock users into your workflows, build tools that enable
theirs
24 25
Get in touch if you have any questions
Contact us
I https://twitter.com/mokaddem_sami
I https://twitter.com/iglocska
Contact CIRCL
I [email protected]
I https://twitter.com/circl_lu
I https://www.circl.lu/
Contact MISPProject
I https://github.com/MISP
I https://gitter.im/MISP/MISP
I https://twitter.com/MISPProject
25 / 25
MISP Standard
The collaborative intelligence standard pow-
ering intelligence and information exchange,
CIRCL / Teamand
sharing MISP Project
modeling.
http://www.misp-standard.org/
CIISI-IE
Threat Sharing
MISP Standard
Following the grow of organisations relying on MISP, the

JSON format used by MISP are standardised under the
misp-standard.org umbrella
The goal is to provide a flexible set of standards to support
information exchange and data modeling in the following
field:
I Cybersecurity intelligence
I Threat intelligence
I Financial fraud
I Vulnerability information
I Border control information
I Digital Forensic and Incident Response
I and intelligence at large
1 6
Standard - MISP core format
This standard describes the MISP core format used to exchange

indicators and threat information between MISP instances. The
JSON format includes the overall structure along with the
semantics associated for each respective key. The format is
described to support other implementations, aiming to reuse the
format and ensuring the interoperability with the existing MISP
software and other Threat Intelligence Platforms.
2 6
MISP object template format
This standard describes the MISP object template format which

describes a simple JSON format to represent the various
templates used to construct MISP objects. A public directory of
common MISP object templates and relationships is available
and relies on the MISP object reference format.
3 6
MISP galaxy format
This standard describes the MISP galaxy format which describes

a simple JSON format to represent galaxies and clusters that can
be attached to MISP events or attributes. A public directory of
MISP galaxies is available and relies on the MISP galaxy format.
MISP galaxies are used to attach additional information
structures such as MISP events or attributes. MISP galaxy is a
public repository of known malware, threats actors and various
other collections of data that can be used to mark, classify or
label data in threat information sharing.
4 6
SightingDB format
This standard describes the format used by SightingDB to give

automated context to a given Attribute by counting occurrences
and tracking times of observability. SightingDB was designed to
provide to MISP and other tools an interoperable, scalable and
fast way to store and retrieve attributes sightings.
5 6
Internet-Draft - IETF for MISP formats and MISP
standard
If you want to contribute to our IETF Internet-Draft for the

MISP standard, misp-rfc1 is the repository where to
contribute.
Update only the markdown file, the XML and ASCII for the
IETF I-D are automatically generated.
If a major release or updates happen in the format, we will
publish the I-D to the IETF2 .
The process is always MISP implementation → IETF I-D
updates.
Then published standards in misp-standard.org.
1
https://github.com/MISP/misp-rfc
2
https://datatracker.ietf.org/doc/search/?name=misp&
activedrafts=on&rfcs=on
6/6
MISP CLI
Automate all the things
CIISI-IE
MISP CLI functionalities
The MISP API is great for remotely executing administrative

tasks
But sometimes we want to simplify the process / avoid
having to deal with authentication
MISP also has an extensive CLI sub-system for this reason
1 5
Types of objectives for the scripts
Automating recurring tasks

Recovery from loss of access
Updates / initialisation
Background worker management
2 5
CLI documentation
https://path.to.your.misp/events/automation
3 5
Usage
/var/www/MISP/app/Console/cake [Shell] [Command]

[parameters]
Example:
I /var/www/MISP/app/Console/cake Password
"[email protected]" "Nutella"
I Change password to "Nutella" for my user
I Some shells are single use and don’t need a command
parameter
Also used by the background processing
Automation is meant to be used via cron jobs
4 5
Automation via crontab
Edit crontab of www-data user

crontab -u www-data -e
0 3,9,15,21 * * *
/var/www/MISP/app/Console/cake Server pull 1
30 full
Pull server ID #30 as user #1 every 6 hours
@hourly /var/www/MISP/app/Console/cake Server
cacheFeed 1 csv full
Cache all csv feeds as user #1 every hour
5/5
MISP Deployment
Some basic guidelines
CIISI-IE
MISP deployment considerations
Deployment types
Distro choice
Hardware specs
Authentication
Other considerations - settings, gotchas
1 11
Deployment types
Native install
I Manual
I One liner script - INSTALL.sh
https://github.com/MISP/MISP/tree/2.4/INSTALL
MISP VM
https://www.circl.lu/misp-images/latest/
Docker
RPM maintained by SWITCH
https://github.com/amuehlem/MISP-RPM
Cloud provider images
https://github.com/MISP/misp-cloud
2 11
Docker options
CoolAcid’s MISP images

https://github.com/coolacid/docker-misp
MISP-docker by XME
https://github.com/MISP/misp-docker
docker-misp by Harvard security
https://github.com/MISP/docker-misp
3 11
Distro options
Ubuntu 20.04 (18.04 will also work)

I Our target platform
I Our CI target
I Use this unless you are absolutely forced not to
I This is the platform we can support you with!
CentOS 7
I Annoying to operate
I Less tested, though used by many
I CentOS is going away. Consider other options
RHEL 7
I Same annoyance as CentOS in general
I We test against CentOS in general, some assembly may be
required
4 11
Hardware specs
No firm recommendations, it’s highly usage dependent

It’s better to go a bit over what you need than under
SSDs are massively beneficial
Let’s look at what affects specs and some sample
configurations
5 11
Hardware considerations
What are the factors that can impact my performance?

I Clustering of the data (how many datapoints / event?) (RAM,
disk speed)
I Correlation (RAM, disk speed, disk space)
Consider blocking overtly correlating values from doing so
Feed ingestion strategy is crucial
I Over-contextualisation (RAM, disk speed)
Tag/attach galaxies to the event instead of each attribute when
possible
6 11
Hardware considerations - continues
What are the factors that can impact my performance?

I Number of users that are active at any given time (RAM, CPU,
disk speed)
I Logging strategy (Disk space)
I API users especially with heavy searches (substring searches
for example) (RAM, CPU, Disk speed)
7 11
Hardware considerations - continues
What are the factors that generally do NOT impact my

performance as much as expected?
I Warninglist usage
I Number of raw attributes on the instance
I Number of sync connections / recurring syncs (with measure)
I Tools feeding off the automation channels (ZMQ, kafka,
syslog)
8 11
Authentication options
Username/password is the default

Some built in modules by 3rd parties (LDAP, Shibboleth,
x509, OpenID, Azure Active Directory)
CustomAuth system for more flexibility
Additionally, consider Email OTP
9 11
Other considerations - tuning
PHP tuning
I Maximum memory usage (per process)
I Timeout settings
I Consider setting it per role!
I Background processes are exempt
MySQL: key buffer size is important
Generally, tune for few heavy requests rather than many
light ones
10 11
Other considerations - high availability
Clustering
I Load balanced apache servers with MISP
I Replicating / mirrored database backends
Careful about session pinning
Attachment storage can be abstracted / network attached
An example implementation for AWS
https://github.com/0xtf/HAMISPA
11 / 11
An Introduction to Workflows in
MISP
MISP Project
CIISI-IE
Threat Sharing
Content of the presentation
MISP Workflows fundamentals

Getting started
Design of the system & how it can be extended
1 30
What problems are we trying to tackle
Initial idea came during GeekWeek7.51

Needs:
I Prevent default MISP behaviors
I Hook specific actions to run callbacks
Use-cases:
I Prevent publication of events not meeting some criterias
I Prevent querying thrid-party services (e.g. virustotal) with
sensitive information
I Send notifications in a chat rooms
I And much much more..
1
Workshop organized by the Canadian Cyber Center
2 30
Workflow - Fundamentals
Simplistic overview of a Workflow in action
1. An action happens in MISP

2. If there is an enabled Workflow for that action, run it
3. If all went fine, MISP continue to perform the action
I The operation can potentially be cancelled by blocking
modules
3 30
Terminology
workflow: Sequence of all operations (nodes) to be

executed. Basically the whole graph.
execution path: A path composed of nodes
trigger: Starting point of a workflow. Triggers are called
when specific actions happen in MISP
I A trigger can only have one workflow and vice-versa
4 30
Workflow execution process
Typical execution process:

1. An action happens in MISP
2. The workflow associated to the trigger is ran
3. Execution result?
I success: Continue the action
I failure | blocked: Cancel the action
Example for Event publish:

1. An Event is about to be published
2. MISP executes the workflow listening to the
event-publish trigger
I success: Continue the publishing action
I failure | blocked: Stop publishing and log the reason
5 30
Blocking and non-blocking Workflows
Currently 2 types of workflows:

Blocking: Completion of the action can be prevented
I If a blocking module blocks the action
I If a blocking module raises an exception
Non-blocking: Workflow execution outcome has no impact

I Blocking modules can still stop the execution
6 30
Execution context
Workflows can be triggered by any users

Workflows can be triggered by actions done via the UI or API
However, the user for which the workflow executes has:
I The site-admin permission
I Is from the MISP.host_org_id
Ensures data is processed regardless of ownership and
access: no ACL
7 30
Classes of Workflow modules
3 classes of modules
action: Allow to executes functions, callbacks or scripts
I Can stop execution
I e.g. Webhook, block the execution, perform enrichments, ...
logic: Allow to redirect the execution flow.
I IF condition, fork the blocking execution into a non-blocking
one, ...
blueprint: Allow to reuse composition of modules
I Can save subworkflows and its module’s configuration
8 30
Sources of Workflow modules
3 sources of action modules

Built-in default modules
I Part of the MISP codebase
I app/Model/WorkflowModules/action/[module_name].php
User-defined custom modules
I Written in PHP
I Can extend existing default modules
I Can use MISP’s built-in functionalities (restsearch,
enrichment, push to zmq, ...)
I Faster and easier to implement new complex behaviors
I app/Lib/WorkflowModules/action/[module_name].php
9 30
Sources of Workflow modules
3 sources of action modules

Modules from the enrichment service
I Default and custom modules
I From the misp-module
I Written in Python
I Can use any python libraries
I New misp-module module type: action
→ Both the PHP and Python systems are plug-and-play
10 30
Triggers currently available
Currently 8 triggers can be hooked. 3 being blocking.
11 30
Workflow - Getting started
Getting started with workflows (1)
Review MISP settings:
1. Make sure MISP.background_jobs is turned on
2. Make sure workers are up-and-running and healthy
3. Turn the setting Plugin.Workflow_enable on
4. [optional:misp-module] Turn the setting

Plugin.Action_services_enable on
12 30
If you wish to use action modules from misp-module, make

sure to have:
The latest update of misp-module
I There should be an action_mod module type in
misp-modules/misp_modules/modules
Restarted your misp-module application
1 # T h i s command should show a l l ‘ action ‘ modules

2 $ c u r l −s h t t p : / / 1 2 7 . 0 . 0 . 1 : 6 6 6 6 / modules | \
3 j q ’ . [ ] | s e l e c t ( . meta . " module−type " [ ] | c o n t a i n s ( " a c t i o n " ) ) |
4 { name : . name , v e r s i o n : . meta . v e r s i o n } ’
13 30
1. Go to the list of modules

I Administration > Workflows > List Modules
I or /workflows/moduleIndex
2. Make sure default modules are loaded
3. [optional:misp-module] Make sure misp-module modules
are loaded
14 30
Creating a workflow with the editor
1. Go to the list of triggers Administration > Workflows
2. Enable and edit a trigger from the list
3. Drag an action module from the side panel to the canvas
4. From the trigger output, drag an arrow into the action’s
input (left side)
5. Execute the action that would run the trigger and observe
the effect!
15 30
Working with the editor
Operations not allowed:

Execution loop are not authorized
I Current caveat: If an action re-run the workflow in any way
16 30
Operations not allowed:

Multiple connections from the same output
I Execution order not guaranted and confusing for users
17 30
Operations showing a warning:

Blocking modules after a concurrent tasks module
Blocking modules in a non-blocking workflow
18 30
Workflow blueprints
1. Blueprints allow to re-use parts of a workflow in another one

2. Blueprints can be saved, exported and shared
Blueprints origins:
1. From the "official" misp-workflow-blueprints
repository
2. Created or imported by users
19 30
Workflow blueprints: Create
Select one or more modules to be saved as blueprint then click
on the save blueprint button
20 30
Hash path filtering
Some modules have the possibility to filter or check
conditions using CakePHP’s path expression.
1 $path_expression = ’ { n } [ name= f r e d ] . i d ’ ;
2 $users = [
3 { ’ i d ’ : 1 2 3 , ’ name ’ : ’ f r e d ’ , ’ surname ’ : ’ bloggs ’ } ,
4 { ’ i d ’ : 2 4 5 , ’ name ’ : ’ f r e d ’ , ’ surname ’ : ’ smith ’ } ,
5 { ’ i d ’ : 3 5 6 , ’ name ’ : ’ joe ’ , ’ surname ’ : ’ smith ’ } ,
6 ];
7 $ i d s = Hash : : e x t r a c t ( $users , $path_expression ) ;
8 // => $ids will be [123, 245]
21 30
Module filtering
Some action modules accept filtering conditions
E.g. the enrich-event module will only perform the
enrichment on Attributes having a tlp:white Tag
22 30
Data format in Workflows
All triggers will inject data in a workflow

In some cases, there is no format (e.g. User after-save)
In others, the format is compliant with the MISP Core format
In addition to the RFC, the passed data has additional
properties
I Attributes are always encapsulated in the Event or Object
I Additional key _AttributeFlattened
I Additional key _allTags
I Additional key inherited for Tags
23 30
Logic module: Concurrent Task
Special type of logic module allowing multiple connections
Allows breaking the execution flow into a concurrent tasks
to be executed later on by a background worker
As a side effect, blocking modules cannot cancel ongoing
operations
24 30
Debugging Workflows: Log Entries
Workflow execution is logged in the application logs:

I /admin/logs/index
Or stored on disk in the following file:
I /app/tmp/logs/workflow-execution.log
Use the webhook-listener.py tool
I /app/tools/misp-workflows/webhook-listener.py
25 30
Debugging Workflows: Debug mode
The can be turned on for each workflows

Each nodes will send data to the provided URL
I Configure the setting: Plugin.Workflow_debug_url
Result can be visualized in
I offline: tools/misp-workflows/webhook-listener.py
I online: requestbin.com or similar websites
26 30
Learning by examples
Workflow example 1
1. The Event-Publish trigger uses the MISP core format

2. The IF::Tag module checks if at least one of the Attribute
has the tlp:white tag
3. If it does, the Push-to-ZMQ module will be executed
27 30
Workflow example 2
If an event has the tlp:red tag or any of the attribute has

it, the publish process will be cancelled
28 30
Extending the system
Creating a new module in PHP
app/Lib/WorkflowModules/action/[module_name].php
Module configuration are defined as public variables
The exec function has to be implemented.
I If it returns true, execution will proceed
I If it returns false
And the module is blocking, the execution will stop and the
operation will be blocked
29 30
Creating a new module in Python
Module configuration are defined in the moduleinfo and

moduleconfig variables
The handler function has to be implemented.
Blocking logic is the same as other modules
30 / 30
MISP-STIX Project
Python library to convert MISP <-> STIX
MISP core team

TLP:WHITE
MISP Project
Threat Sharing
MISP Training
MISP & STIX
Built-in integration
Export & Import features
I Export MISP Events collections
I Import STIX files
Supported version
I STIX 1.1.1
I STIX 2.0
Accessible via restSearch
1 7
Limitations
Feature limitations
I Supported versions
I Data type support
Practical limitations
I Export and import features only available via MISP rest client
I Github: STIX issues lost within the MISP core issues
2 7
Handling the conversion with a python library
Revamp of the source code

Enable a standalone use of the python code
I MISP JSON format -> STIX
I Pass files with MISP JSON format -> get file with the export
results in STIX
Possible integration within python code
3 7
Key features
Support all the STIX versions

I STIX 2.1 Support
I 1.1.1, 1.2, 2.0 Support enhanced
Various MISP data collection supported
Mapping documentation
Package available on PyPI1
1
https://pypi.org/project/misp-stix/
4 7
Work in Progress & Next improvements
WiP
I Implement the import feature
I Support of existing STIX objects libraries2
Next features on the roadmap
I Extend the export feature to any kind of data collection
I Support custom STIX format3
Continuous improvement
I Mapping improvement
I More tests to avoid edge case issues
2
https://github.com/mitre/cti
3
Especially while importing STIX data, and as long as we can implement
support of well defined versions
5 7
How to report bugs/issues
Github issues
I https://github.com/MISP/misp-stix/issues
I https://github.com/MISP/MISP/issues
Please provide details

I How did the issue happen
I Recommendation: provide samples
Any feedback welcome
6 7
To get in touch with us
https://github.com/MISP/misp-stix
https://github.com/MISP/misp-stix/tree/main/
documentation
https://github.com/MISP
https://twitter.com/MISPProject
https://twitter.com/chrisred_68
7/7
MISP Concepts Cheat sheet
Glossary Distribution
Correlations: Links created automatically whenever an Attribute is created or Controls who can see the data and how it should be synchronised.
modified. They allow interconnection between Events based on their attributes. Organisation only: Only members of your organisation
Correlation Engine: Is the system used by MISP to create correlations between This community: Organisations on this MISP instance
Attribute ’s value. It currently supports strict string comparison, SSDEEP and Connected Communities: Organisations on this MISP instance and those on
CDIR blocks matches. MISP instances synchronising with this one. Upon receiving data, the distribution
Caching: Is the process of fetching data from a MISP instance or feed but only will be downgraded to This community to avoid further propagation. (n ≤ 1)
storing hashes of the collected values for correlation and look-up purposes. n=0 n=1 n=2 n=3 n=4
Delegation: Act of transfering the ownership of an Event to another organisation Does not have the Event
while hidding the original creator, thus providing anonymity. Has the Event
Deletion (hard/soft): Hard deletion is the act of removing the element from All Communities: Anyone having access. Data will be freely propagated in the
the system; it will not perform revocation on other MISP instances. Soft deletion network of connected MISP instances. (n = ∞)
is the act flagging an element as deleted and propagating the revocation among
n=0 n=1 n=2 n=3 n=4
the network of connected MISP instances.
Extended Event: Event that extends an existing Event , providing a combined
view of the data contained in both Events . The owner of the extending Event
is the organisation that created the extension. This allows anyone to extend any Sharing Groups: Distribution list that exhaustively keeps track of which organ-
Events and have total control over them. isations can access the data and how it should be synchronised.
Galaxy Matrix: Matrix derived from Galaxy Clusters belonging to the same
Galaxy . The layout (pages and columns) is defined at the Galaxy level and its Sharing Group configuration MISP 2
content comes from the Galaxy Clusters meta-data themselves. Org. α
MISP 1 Org. ω
Organisations Org. ω
Indicators: Attribute containing a pattern that can be used to detect suspicious
Org. γ Org. α
or malicious activity. These Attributes usually have their to ids flag enabled.
MISP 1 MISP 3
Orgc / Org: Creator Organisation (Orgc) is the organisation that created the Instances* MISP 2 Org. ω
data and the one allowed to modify it. Owner Organisation (Org) is the organi- MISP 3 Org. γ
sation owning the data on a given instance and is allowed to view it regardless of *Or enable roaming mode instead
the distribution level. The two are not necessarily the same.
Publishing: Action of declaring that an Event is ready to be synchronised. It
Synchronisation
may also send e-mail notifications and makes it available to some export formats.
The act of sharing where everyone can be a consumer and/or a producer. A one
Pulling: Action of using a user on a remote instance to fetch the accessible data
and storing it locally. way synchronisation link between two MISP instances. Organisation α created a
sync user on MISP 2 and noted down the generated API Key. A synchroni-
Pushing: Action of using an uplink connection via a sync. user to send data to
sation link can be created on MISP 1 using the API Key and the organisation of
a remote instance.
the sync user. At that point, MISP 1 can pull data from MISP 2 and push data
Synchronisation: Is the exchange of data between two (or more) MISP instances to MISP 2.
throught the pull or push mechanisms.
MISP 1 MISP 2
Sync. filtering rule: Can be applied on a synchronisation link for both the pull
and push mechanisms to block or allow data to be transfered. Org. α PUSH Org. α Org. ω
Sync. User: Special role of a user granting addional sync permissions. The
ggg gg ggg
recommanded way to setup push synchronisation is to use sync users. PULL
Proposals: Are a mechanism to propose modications to the creating organisa-
tions (Orgc). If a path of connected MISP instances exists, the Proposal will be Sync. connection
synchronised allowing the creator to accept or discard it.
MISP Data Model Cheat Sheet
$ Context such as Taxonomies or Galaxy % Object Reference T Taxonomies
Clusters can be attached to the element T Machine and human-readable labels standardised on a
X Has a distribution level Relationships between individual building blocks. common set of vocabularies.
T Can be synchronised to/from other instances
Purpose: Allows to create relationships between en- Purpose: Enable efficent classification globally un-
R Event tities, thus creating a graph where they are the edges derstood, easing consumption and automation.
$XT and entities are the nodes. Usecase: Provide classification such as: TLP, Confi-
Encapsulations for contextually linked information. Usecase: Represent behaviours, similarities, affilia- dence, Source, Workflows, Event type, . . .
tion, . . . I Even though MISP allows the creation of free-text
Purpose: Group datapoints and context together.
I References can have a textual relationship which tags, it’s always preferable to use those coming from
Acting as an envelop, it allows setting distribution
can come from MISP or be set freely. Taxonomies , if they exists.
and sharing rules for itself and its children.
Usecase: Encode incidents/events/reports/. . .
I Events can contain other elements such as Y Sightings  Galaxies
Attributes , MISP Objects and Event Reports . T
Act as a container to group together context described
I The distribution level and any context added on an Means to convey that an Attribute has been seen. in Galaxy Clusters by their type.
Event (such as Taxonomies ) are propagated to its Purpose: Allows to add temporality to the data. Purpose: Bundle Galaxy Clusters by their type to
underlying data. Usecase: Record activity or occurence, perform IoC avoid confusion and to ease searches.
expiration, . . . Usecase: Bundle types: Exploit-Kit, Preventive
" Attribute I Sightings are the best way to express that some- Measures, ATT&CK, Tools, Threat-actors, . . .
$XT thing has been seen. They can also be used to mark
Basic building block to share information. false positives.
 Galaxies Clusters
Purpose: Individual data point. Can be an indicator XT
or supporting data. p Event Report Kownledge base items used as tags with additional
Usecase: Domain, IP, link, sha1, attachment, . . . XT
complex meta-data aimed for human consumption.
I Attributes cannot be duplicated inside the same Advanced building block containing formated text.
Event and can have Sightings . Purpose: Enable description of complex high-level
Purpose: Supporting data point to describe events information for classification.
I The difference between an indicator or supporting or processes.
data is usualy indicated by the state of the attribute’s Usecase: Extensively describe elements such as:
Usecase: Encode reports, provide more information threat actors, countries, technique used, . . .
to ids flag. about the Event , . . . I Galaxy Clusters can be seen as an enhanced
I Event Reports are markdown-aware and include a Taxonomy as they can have meta-data and relation-
# MISP Object special syntax to reference data points or context. ships with other Galaxy Clusters .
XT I Any Galaxy Clusters can contain the following:
Advanced building block providing Attribute compo- 7 Proposals • Cluster Elements: Key-Value pair forming
sitions via templates. T the meta-data.
Purpose: Groups Attributes that are intrinsically Clone of an Attribute containing information about Example: Country:LU, Synonym:APT28,
linked together. modification to be done. Currency:Dollar, refs:https://*,
Usecase: File, person, credit-card, x509, device, . . . Purpose: Allow the correction or the creation of ...
I MISP Objects have their attribute compositions Attributes for Events your organisation does not • Cluster Relations ($ T X ): Enable the
described in their respective template. They are in- own. creation of relationships between one or more
stanciated with Attributes and can Reference other Usecase: Disable the IDS flag, Correct errors Galaxy Clusters .
Attributes or MISP Objects . I As Proposals are sync., if the creator organisation Example: Threat actor X is similar to threat actor
I MISP is not required to know the template to save is connected to the MISP instance from where the Y with high-likelyhood.
and display the object. However, edits will not be pos- Proposal has been created, it will be able to either
sible as the template to validate against is unknown. accept or discard it.
Failed spear-phishing attempt Representation of an incident in MISP
UUID 28b1cd2e-46a7-4ee2-a364-c3d26451b089
Date 2021-12-09
Creator Org. CIRCL.lu
Distribution
Event: Encapsulates contextually linked information.
Connected Communities
✓
Events also have basic information including ownership and access-control
Published
Here: Contains all the information related to the spear-phishing incident.
Taxonomies: Simple label standardised on common set of vocabularies.

Here: Usage of labels to classify the current completeness of the Event, what recipient can do
with the information and the category of the incident.
Galaxies & Galaxy-Clusters: Advanced label containing meta-data

Here: The sector affected by the incident as well as the country. The kill-chain of the attack
> Intelligence Visualization Widgets can be described using the MITRE ATT&CK framework
Event Graph: Visualization of the relationships between entities contained in the Event.
Here: The whole story of the attack can be described with relationships defined between
Attributes and Objects
Event Timeline: Visualization of the temporality of the data contained in the event.
Here: A timeline of the steps performed during the attack. The time data is taken directly from
the Attributes and Objects belonging to the Event.
Event Report: Markdown-aware supporting text document to describe events or incidents

> Attributes Here: The report describe the steps taken by the attacker and provide additional contextual
information. It also contains references to Attributes and Object encoded in the Event
... Attributes: Basic building block to represent information.

They can have context such as taxonomy and express if they are supportive data or
> Objects meant for automation. An Event can have multiple Attributes
Here: Two Attributes representing payload delivery. One is an IP address, the other is an URL.
Objects: Advanced building block allowing Attribute composition via predefined templates.
As an Object is an instantiation of its template, it is composed of Attributes that make sense
... Together. They can also have relationship to other entity contained in the Event
Here: A file object composed of Attributes such as the filename, size and hashes. It also
have a relationship
MISP User & Admin Cheat Sheet
- User - - Admin -
API Reset Password
Wildcard searches: API: POST /users/initiatePasswordReset/[id] {"password": "***"}
POST / attributes / restSearch
{ " value " : " 1.2.3.% " } CLI: MISP/app/Console/cake Password [email] [password]
Or and Negation searches:

POST / attributes / restSearch Reset Bruteforce login protection
{ " tags " : [ " tlp : white " , " ! tlp : green " ]}
CLI: MISP/app/Console/cake Admin clearBruteforce [email]
And and Negation searches:
{ " tags " : { " AND " : [ " tlp : green " , " Malware " ] , " NOT " : [ " % ransomware % " ]}} Upgrade to the latest version
Galaxy Cluster metadata searches: All in 1-shot: MISP/app/Console/cake Admin updateMISP

Manually:
{ 1. cd /var/www/MISP
" galaxy . synonyms " : " APT29 " , 2. git pull origin 2.4
" galaxy . cfr - target - category " : " Financial sector "
} 3. git submodule update --init --recursive
Attach tags: 4. MISP/app/Console/cake Admin updateJSON
POST / tags / a t t a c h T a gT o O b j e c t 5. Check live update progress GET /servers/updateProgress
{
" uuid " : " [ Could be UUID from Event , Attribute , ...] " ,
" tag " : " tlp : amber " Workers
}
Restart All: MISP/app/Console/cake Admin restartWorkers
Timestamps: Add: MISP/app/Console/cake Admin startWorker [queue]
timestamp: Time of the last modification on the data
Stop: MISP/app/Console/cake Admin stopWorker [pid]
• Usecase: Get data was modified in the last t
• E.g.: Last updated data from a feed
publish timestamp: Time at which the event was published Settings
• Usecase: Get data that arrived in my system since t Get: MISP/app/Console/cake Admin getSetting [setting]
• E.g.: New data from a feed
Set: MISP/app/Console/cake Admin setSetting [setting] [value]
event timestamp: Used in the Attribute scope
• Usecase: Get events modified in the last t Base URL: MISP/app/Console/cake Baseurl [baseurl]
Usage:
{ " timestamp " : 1521846000} Miscellaneous
{ " timestamp " : " 7 d " }
{ " timestamp " : [ " 2 d " , " 1 h " ]} Clean Caches: MISP/app/Console/cake Admin cleanCaches
Get IPs For User ID: MISP/app/Console/cake Admin UserIP [user_id]
Get User ID For User IP: MISP/app/Console/cake Admin IPUser [ip]
Tips & Tricks
Documentation: /events/automation
Get JSON Representation: Append .json to any URLs to get their content Logs files location: MISP/app/tmp/logs
in JSON format. Example: /events/view/42.json
1
User
Check Description Length

Add events
- via Standard UI
- Distribution levels and publication
- Different timestamps & publish timestamp
Add attributes
- Freetext
- Standard UI
- Template
- ReST API
- via EventGraph
Object
- add Object
- add References
- show via EventGraph
*-lists
- Warninglists: show warnings raised in steps above
- Noticelists: show warnings when adding data
- Import Regexp: avoid leaking private/personal data
Correlations
- show correlations that were added
- pivot to events via correlations
- show correlations graph
- feeds & servers correlation
Tags and Galaxies
- Tag from Taxonomy
- GalaxyCluster
- ATT&CK pattern & Galaxy matrix
- Tag Collection
Sighting
- via UI & API
Delegation
Proposal
Delete (including soft versus hard delete)
- Event blocklist when deleting
Extending event (how and when to use it)
Exporting data
- download from
- download from via modules
- .json routing
- RestSearch
Searching for data
- Attribute search
- Event index filter search
Advanced features
- Event graph, Event timeline, Event report
- Decaying of IoC
- Galaxy 2.0
Enrichments
- Hover & persistent
2
Administrator (Community)

Organisations 10m
- local and remote
- administration: Creation and merge
User 5m
- administration and contact via standard UI
- Pasword/Auth key reset
- Disabling (never remove)
Roles and permissions 3m
- Constraints & special sync-user
Sharing group 10m
- administration via standard UI
Block listing 3m
- Events & Organisations
Synchronisation 35m
- MISP to MISP (sync user, test & preview, flow control)
- Feeds to MISP (Options, overlap)
- Pub-Sub
Collaboration settings
- ‘proposal block attributes‘, ‘sanitise attribute on delete‘, ‘Sightings anonymise‘
Templates
- administration via standard UI
3
Administrator (Instance)

Advanced Auth keys 3m
- Migration from old system
- Usage
Server settings 5m
Maintenance 15m
- Updating & release process
- Submodules and populate DB
- Diagnostic
Jobs and Workers 10m
- Administration via standard UI
- Scheduled Tasks and CRON jobs
User settings & User management 5m
- User settings
- User monitoring, self-management, auto-registration
Logging & auditing 10m
- Logs (and purge: event history)
- Paranoid, IP & Auth log, Sync audit
Troubleshooting 5m
- Clean cache & DB Schema diagnostic
- Stuck workers
- Update in progress
- Apache logs & workers logs
MISP Training Slide Decks
MISP1 is a threat intelligence platform for gathering, sharing, storing and cor-
relating Indicators of Compromise of targeted attacks, threat intelligence, fi-
nancial fraud information, vulnerability information or even counter-terrorism
information.
This document includes the slides which are the support materials2 used for
MISP trainings. The content is dual-licensed under CC-BY-SA version 4 license
or GNU Affero General Public License version 3 which allows you to freely use,
remixes and share-alike the slides while still mentioning the contributors under
the same conditions.
Contributors
• Steve Clement https://github.com/SteveClement
• Alexandre Dulaunoy https://github.com/adulau
• Andras Iklody https://github.com/iglocska
• Sami Mokaddem https://github.com/mokaddem
• Sascha Rommelfangen https://github.com/rommelfs
• Christian Studer https://github.com/chrisr3d
• Raphaël Vinot https://github.com/rafiot
• Gerard Wagener https://github.com/haegardev
Acknowledgment
The MISP project is co-financed and resource supported by CIRCL Computer
Incident Response Center Luxembourg3 and co-financed by a CEF (Connecting
Europe Facility) funding under CEF-TC-2016-3 - Cyber Security as Improving
MISP as building blocks for next-generation information sharing.
Co-financed by the Connecting Europe

Facility of the European Union
1 https://www.misp-project.org/
2 https://github.com/MISP/misp-training
3 https://www.circl.lu/
1
2

Misp Training

Uploaded by

Copyright:

Available Formats

Misp Training

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Misp Training

Uploaded by

Copyright:

Available Formats

An Introduction to Cybersecu-

rity Information Sharing

CIRCL / Team MISP Project

Agenda and details available

During a malware analysis workgroup in 2012, we discovered

The Computer Incident Response Center Luxembourg (CIRCL) is a

CIRCL is mandated by the Ministry of Economy and acting as

MISP is a threat information sharing platform that is free &

There are many different types of users of an information

Sharing indicators for a detection matter.

Communities are groups of users sharing within a set of

Sharing difficulties are not really technical issues but often

Open Source Intelligence Intelligence

MISP core misp-taxonomies MISP exchange MISP OSINT feeds

Sharing via distribution lists - Sharing groups

Information sharing practices come from usage and by

CIRCL / Team MISP Project

Agenda and details available

During a malware analysis workgroup in 2012, we discovered

The Computer Incident Response Center Luxembourg (CIRCL) is a

CIRCL is mandated by the Ministry of Economy and acting as

MISP is a threat information sharing platform that is free &

There are many different types of users of an information

Sharing indicators for a detection matter.

Communities are groups of users sharing within a set of

Sharing difficulties are not really technical issues but often

Open Source Intelligence Intelligence

MISP core misp-taxonomies MISP exchange MISP OSINT feeds

MISP integrates at the event and the attribute levels MITRE’s

Sharing via distribution lists - Sharing groups

MISPs’ core functionality is sharing where everyone can be a

To corroborate a finding (e.g. is this the same campaign?),

Has a data-point been sighted by

Decay score toggle button

Create, modify, visualise, perform mapping

Simulate Attributes with different Models

We maintain the default CIRCL OSINT feeds (TLP:WHITE

Information sharing practices come from usage and by

CIRCL / Team MISP Project

Plan for this part of the training

The main tools to populate an event

What happens automatically when adding data?

Feed types (MISP, Freetext, CSV)

Your Organisation Only

CIRCL / Team MISP Project

Provisioning your MISP infrastructure depends heavily on

There is a jungle of formats with some vendors having little

Normalizing external input and feed into MISP (e.g. feed

One of the main goals of MISP is to feed protective or

SIEMs and MISP can be integrated with different techniques

A dashboard showing live data and statistics from the ZMQ

Close co-operation with the Hive project for IR

As Sightings can be positive, negative or even based on

[email protected] (if you want to join the CIRCL MISP sharing

CIRCL / Team MISP Project

Viper is a binary analysis and management framework.

Full featured CLI for MISP

Searches for hashes/ips/domains/URLs from the current

Link to a MISP event

Fully featured CLI for Passive SSL