- Cyber Threat Intelligence
  - Analyzed cyber threat data giving a strategic and tactical advantage over the adversary.
  - Offense informs defense.
- Intelligence
  - Taking in external information from a variety of sources and analyzing it against existing requirements in order to provide an assessment that will affect decision making.
  - Examples:
    - Weather Report: Do I need to bring a coat today?
    - Traffic Report: How much time do I need to get to work?
- Threat Intelligence
  - The combination of intent, capability and opportunity.
    - Intent is a malicious actor's desire to target your organization.
    - Capability is their means to do so (such as specific types of malware).
    - Opportunity is the opening the actor needs (such as vulnerabilities, whether in software, hardware, or personnel).
- Cyber Threat Intelligence
  - The analysis of how adversaries use the cyber domain to accomplish their goals.
- TIP Workflow
  - A threat intelligence platform does not produce intelligence for you. It enables you to store and query the threat information and intelligence you have created on your own or obtained from others.
- MISP
  - A free, open-source analyst favorite.
  - Capable of high-volume indicator storage.
  - Great web UI and REST API interface.
  - Classification and sharing functionality.
  - Flexible indicator storage.
  - Easy import/export.
  - Integrates with TheHive for automated storage/analysis.
- Terminology
  - Events:
    - The object type that everything in MISP is centered around.
    - Events have unique ID numbers associated with them and act as parent containers to hold a group of attributes.
  - Attributes:
    - The individual bits of data that are being tracked about an event.
    - Attributes that are identical across multiple events will be highlighted for correlation.
  - Categories:
    - Describe how that attribute was used.
    - Ex: for an md5 hash, the categories available are "payload delivery", "artifacts dropped", "payload installation", and "external analysis".
  - Type:
    - The type of attribute you are entering.
    - Ex: md5, sha1, user-agent, email-subject, mime-type.
  - Instances:
    - A single running copy of the MISP process. Instances are important to keep straight because, by nature, MISP is made to facilitate sharing.
    - One instance of MISP can be linked to other copies for selective sharing of information within an organization, or with external organizations.
  - Sightings:
    - A simple "thumbs up" and "thumbs down" mechanism developed to lend credibility to each attribute.
    - The intention is for analysts to indicate when they've run into the indicator, whether it was a true positive (thumbs up) or a false positive (thumbs down).
    - This way, each attribute can develop a reputation over time and bad or useless attributes can be expired.
  - Tags:
    - Arbitrary data that can be attached at the event level to information being stored in MISP.
  - Taxonomies:
    - Pre-made lists of tags that can be defined and enabled within MISP.
    - Ex: there is a kill-chain taxonomy that creates tags called "kill-chain:Delivery" and "kill-chain:Installation".
  - Galaxies:
    - Similar to tags in that they label an event as part of a larger group, but broken down into families of options called "clusters", which are a pre-set group of values, sort of like a taxonomy of tags.
    - Ex: there may be a "threat actor" galaxy intended to track the names of adversary groups.
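The two terminology points that are easiest to get wrong in practice are attribute correlation (identical values across events) and sighting-based reputation (true positives versus false positives deciding whether an attribute expires). The following is an added example, not code from these notes or from the MISP project: it models event, attribute and sighting records with the field names MISP's REST API uses (`Event.id`, `Attribute.type`/`category`/`value`/`to_ids`, sighting `type` 0 = true positive, 1 = false positive, 2 = expiration) and runs both computations offline over constructed sample events. The expiry rule (at least three votes and more false positives than true positives) is an assumption chosen for the example, not a MISP default.

```python
"""Offline model of MISP attribute correlation and sighting reputation.

Added example; the events and sightings below are constructed, and the
expiry threshold is an assumption for illustration.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: two events that share one MD5 (the EICAR test file hash).
EVENTS: List[dict] = [
    {"Event": {"id": "101", "info": "Phishing wave, finance dept", "Attribute": [
        {"id": "1", "type": "md5", "category": "Payload delivery",
         "value": "44d88612fea8a8f36de82e1278abb02f", "to_ids": True},
        {"id": "2", "type": "domain", "category": "Network activity",
         "value": "example-lure.test", "to_ids": True},
        {"id": "3", "type": "email-subject", "category": "Payload delivery",
         "value": "Invoice overdue", "to_ids": False},
    ]}},
    {"Event": {"id": "102", "info": "Malware sample from sandbox", "Attribute": [
        {"id": "4", "type": "md5", "category": "Artifacts dropped",
         "value": "44d88612fea8a8f36de82e1278abb02f", "to_ids": True},
        {"id": "5", "type": "domain", "category": "Network activity",
         "value": "c2.example-lure.test", "to_ids": True},
    ]}},
]

# Constructed sightings. MISP sighting types: 0 = sighting (true positive),
# 1 = false positive, 2 = expiration.
SIGHTINGS: List[dict] = [
    {"attribute_id": "1", "type": 0},
    {"attribute_id": "1", "type": 0},
    {"attribute_id": "3", "type": 1},
    {"attribute_id": "3", "type": 1},
    {"attribute_id": "3", "type": 0},
]


def correlate(events: List[dict]) -> Dict[str, List[str]]:
    """Return {'type|value': [event ids]} for values present in more than one event.

    This is the relationship the MISP UI highlights as a correlation. Keying on
    type as well as value keeps e.g. an md5 and a filename with identical text apart.
    """
    seen: Dict[str, set] = defaultdict(set)
    for ev in events:
        e = ev["Event"]
        for attr in e.get("Attribute", []):
            seen[f"{attr['type']}|{attr['value']}"].add(e["id"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def reputation(sightings: List[dict], min_votes: int = 3) -> Dict[str, dict]:
    """Tally true/false positives per attribute and flag the ones to expire.

    Assumed rule for this example: expire once there are at least `min_votes`
    sightings and false positives outnumber true positives.
    """
    tally: Dict[str, dict] = defaultdict(lambda: {"true_positive": 0, "false_positive": 0})
    for s in sightings:
        if s["type"] == 0:
            tally[s["attribute_id"]]["true_positive"] += 1
        elif s["type"] == 1:
            tally[s["attribute_id"]]["false_positive"] += 1
    result = {}
    for attr_id, t in tally.items():
        total = t["true_positive"] + t["false_positive"]
        expire = total >= min_votes and t["false_positive"] > t["true_positive"]
        result[attr_id] = {**t, "expire": expire}
    return result


if __name__ == "__main__":
    print(correlate(EVENTS))
    print(reputation(SIGHTINGS))
```

Attribute 3 (the email subject) ends up with two false positives against one true positive and is flagged for expiry, while the shared MD5 is reported as a correlation between events 101 and 102.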
- Analyst Usage:
  - Analyst creates a new event.
  - All indicators, links, files, and notes are added as attributes.
  - Tags and other classifications (galaxies) are applied.
  - Event is reviewed and published to other organizations (if desired).
- Automated usage through SOC tools:
  - SIEM, SOAR and IMS use the API to look up attributes or push attributes to an event.
  - Subscribed feeds automatically download external event data.
  - Any time one of these indicators is seen in live traffic = Alert.
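The four analyst steps above map directly onto MISP REST calls. The following is an added example, not code from these notes or from the MISP project: a small client that creates an event, adds attributes, attaches a taxonomy tag and a galaxy tag, and publishes, using endpoints that exist in the MISP REST API (`/events/add`, `/attributes/add/{event_id}`, `/tags/attachTagToObject`, `/events/publish/{event_id}`) and the `Authorization` header MISP expects for API keys. The instance URL, API key, galaxy cluster name and indicator values are constructed placeholders. The HTTP transport is injectable so the flow runs offline against the recording stub at the bottom; with the default transport it would talk to a real instance over HTTPS.

```python
"""Scripting the MISP analyst workflow: create event, add attributes, tag, publish.

Added example; URL, API key and indicator values are constructed placeholders.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

Transport = Callable[[str, Dict[str, str], dict], dict]


def urllib_transport(url: str, headers: Dict[str, str], payload: dict) -> dict:
    """Default transport: one JSON POST using only the standard library."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


class MispClient:
    def __init__(self, base_url: str, api_key: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        # MISP authenticates automation users with the raw API key in Authorization.
        self.headers = {"Authorization": api_key, "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def _post(self, path: str, payload: dict) -> dict:
        return self.transport(self.base_url + path, self.headers, payload)

    def create_event(self, info: str, distribution: int = 0,
                     threat_level_id: int = 2, analysis: int = 0) -> dict:
        # distribution 0 = your organisation only; wider sharing is a publish-time decision.
        body = {"Event": {"info": info, "distribution": distribution,
                          "threat_level_id": threat_level_id, "analysis": analysis}}
        return self._post("/events/add", body)["Event"]

    def add_attribute(self, event_id: str, type_: str, category: str, value: str,
                      to_ids: bool = True, comment: str = "") -> dict:
        # to_ids marks the attribute as detection-grade for IDS/SIEM exports.
        body = {"type": type_, "category": category, "value": value,
                "to_ids": to_ids, "comment": comment}
        return self._post(f"/attributes/add/{event_id}", body)

    def attach_tag(self, uuid: str, tag: str) -> dict:
        # Accepts event or attribute UUIDs; taxonomy and galaxy tags alike.
        return self._post("/tags/attachTagToObject", {"uuid": uuid, "tag": tag})

    def publish(self, event_id: str) -> dict:
        return self._post(f"/events/publish/{event_id}", {})


def run_analyst_workflow(client: MispClient) -> dict:
    """The four steps from the notes, in order. Returns the created event."""
    event = client.create_event("Phishing wave targeting finance (constructed example)")
    client.add_attribute(event["id"], "md5", "Payload delivery",
                         "44d88612fea8a8f36de82e1278abb02f",  # EICAR test file MD5
                         comment="attachment hash")
    client.add_attribute(event["id"], "domain", "Network activity", "example-lure.test")
    client.add_attribute(event["id"], "email-subject", "Payload delivery",
                         "Invoice overdue", to_ids=False)  # context only, not a detection
    client.attach_tag(event["uuid"], "kill-chain:Delivery")
    client.attach_tag(event["uuid"], 'misp-galaxy:threat-actor="Placeholder Group"')
    client.publish(event["id"])
    return event


class RecordingTransport:
    """Offline stand-in for a MISP instance: records calls, returns MISP-shaped replies."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, dict]] = []

    def __call__(self, url: str, headers: Dict[str, str], payload: dict) -> dict:
        if not headers.get("Authorization"):
            raise PermissionError("MISP rejects API calls without an Authorization key")
        self.calls.append((url, payload))
        if url.endswith("/events/add"):
            return {"Event": {"id": "201", "uuid": "00000000-0000-4000-8000-000000000201",
                              **payload["Event"]}}
        if "/attributes/add/" in url:
            return {"Attribute": {"id": str(len(self.calls)), **payload}}
        return {"saved": True}


if __name__ == "__main__":
    stub = RecordingTransport()
    client = MispClient("https://misp.example.test", "EXAMPLE-API-KEY", transport=stub)
    print("created event", run_analyst_workflow(client)["id"])
    for url, body in stub.calls:
        print(url, json.dumps(body))
```

Keeping `to_ids` false on context attributes such as the email subject is what stops them from being exported to detection systems later; the tag calls use the event UUID, which `/events/add` returns alongside the numeric ID.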
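The automated side is the reverse direction: a SIEM or SOAR integration pulls detection-grade attributes out of MISP and matches them against live traffic. The following is an added example, not code from these notes or from the MISP project. The query dictionary uses parameters that MISP's `POST /attributes/restSearch` accepts (`returnFormat`, `to_ids`, `type`, `last`); the response and the proxy log lines below are constructed to stand in for a real pull and a real log, and the response deliberately includes one attribute with `to_ids` false so the client-side filter has something to drop.

```python
"""SOC automation: index MISP IDS-grade attributes and alert on hits in proxy logs.

Added example; the restSearch response and log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Payload a SIEM/SOAR integration would POST to /attributes/restSearch:
# only attributes flagged to_ids, of types we can match in proxy logs,
# touched in the last 30 days.
RESTSEARCH_QUERY = {"returnFormat": "json", "to_ids": 1,
                    "type": ["domain", "ip-dst"], "last": "30d"}

# Constructed stand-in for the restSearch response (attribute 9 is not
# detection-grade and must never raise an alert, whatever the server sent).
RESTSEARCH_RESPONSE = {"response": {"Attribute": [
    {"id": "2", "event_id": "101", "type": "domain", "value": "example-lure.test", "to_ids": True},
    {"id": "5", "event_id": "102", "type": "ip-dst", "value": "203.0.113.7", "to_ids": True},
    {"id": "9", "event_id": "103", "type": "domain", "value": "benign-but-tagged.test", "to_ids": False},
]}}

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_ip> <host> <status>"
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 93.184.216.34 www.example.com 200
2024-05-01T10:00:07Z 10.0.0.9 198.51.100.20 example-lure.test 302
2024-05-01T10:00:09Z 10.0.0.9 203.0.113.7 update.internal 200
2024-05-01T10:01:13Z 10.0.0.5 198.51.100.99 benign-but-tagged.test 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<status>\d+)$")


def build_index(response: dict) -> Dict[str, Dict[str, dict]]:
    """Index attributes as {type: {value: attribute}}, keeping only to_ids ones."""
    idx: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for attr in response["response"]["Attribute"]:
        if attr.get("to_ids"):
            idx[attr["type"]][attr["value"]] = attr
    return idx


def match_log(lines: Iterable[str], idx: Dict[str, Dict[str, dict]]) -> List[dict]:
    """Return one alert per log line field that equals an indexed indicator.

    The alert carries the MISP event and attribute IDs so the analyst can jump
    straight to the event, and so a sighting can later be recorded against it.
    """
    alerts: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently alert or crash
        fields = m.groupdict()
        for attr_type, field in (("domain", "host"), ("ip-dst", "dst")):
            hit = idx.get(attr_type, {}).get(fields[field])
            if hit:
                alerts.append({"ts": fields["ts"], "src": fields["src"], "type": attr_type,
                               "value": fields[field], "event_id": hit["event_id"],
                               "attribute_id": hit["id"]})
    return alerts


if __name__ == "__main__":
    for alert in match_log(PROXY_LOG.splitlines(), build_index(RESTSEARCH_RESPONSE)):
        print("ALERT", alert)
```

Two of the four constructed lines alert: the lure domain from event 101 and the destination IP from event 102. The host tied to attribute 9 does not, because it was not marked `to_ids`, which is exactly the distinction the analyst workflow sets when adding attributes.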