Context Helps Understand a Threat

Posted on

For this post, I will reference the platform MISP.

Bing defines MISP as:

The MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform that allows you to share, collate, analyze, and distribute threat intelligence 123It is used by finance, healthcare, telecommunications, government, and technology organizations to share and analyze information about the latest threats 3.”

Helps, but just scratches the surface. The folks that make the platform available to the Open Source community provide a document that has over 500 pages — those 500 pages cover the functionality from a high level. The potential is enormous. For this post, I will address the Galaxy and MISP.

From Bing:

MISP (Malware Information Sharing Platform & Threat Sharing) and customized galaxies are both related to threat intelligence and information sharing. Let’s explore their roles:

  1. MISP:
    • MISP is an open-source threat intelligence platform that facilitates the sharing of structured threat information among organizations and security professionals.
    • It allows users to collect, store, and share indicators of compromise (IOCs), threat intelligence, and other security-related data.
    • Galaxies within MISP provide a way to express large objects called clusters. These clusters can be attached to MISP events or attributes.
    • A cluster can consist of one or more elements, expressed as key-value pairs.
    • MISP includes default vocabularies in its galaxy, but these can be customized, replaced, or updated according to the user’s needs.
    • Vocabularies can come from existing standards (such as STIX, Veris, ATT&CK, MISP, etc.) or custom ones specific to an organization.
    • The goal is to have a common set of clusters for initial analysis, which can then be expanded with localized or additional information.
    • MISP galaxy is available on GitHub.
  2. Customized Galaxies:
    • Organizations often need to tailor threat intelligence to their specific context.
    • Customized galaxies allow users to create their own clusters or modify existing ones within MISP.
    • These customized clusters can represent specific threat actors, tactics, techniques, or other relevant information.
    • Users can apply MISP distribution settings to each cluster, controlling how widely the information is shared.
    • Additionally, galaxies can express existing matrix-like standards (such as MITRE ATT&CK) or entirely custom ones.
    • By customizing galaxies, organizations can enhance their threat intelligence capabilities and adapt to their unique requirements.

In summary, MISP provides a platform for sharing threat intelligence, and galaxies (both default and customized) play a crucial role in expressing and organizing relevant information within MISP events or attributes123.”

Galaxies are important because they help shape context. Context is about understanding a real-world environment — provide definition.

When I first looked at threat hunting, I thought that the basis of threat hunting was about detection, remediation, and recovery from malware and phishing attacks. Then I started to think about the problem. Instead of just malware and phishing, understanding threats is about understanding people, nation states, companies, rifles, handguns, ammunition, drones, using ships and trucks to smuggle arms, drugs, understanding the psychological make up of people that commit financial crimes, etc. Then there are relationships. Galaxies help model context by defining entities, attributes and values. Threats are identified by correlating the information among entities.

Time for an example. Drones can be as simple as an off the shelf machine that flies and collects images and audio, to multi-million-dollar machines that collect information and deliver ordinance. In today’s world, drones can help grow more crops and can be threats that take lives. Malware and drones share similarities and are unique at the same time. Both drones and malware can be categorized as threats.

To define a drone so that it can be added to a context within MISP, a JSON file is created.

The file defines different drones by using attributes and assigning values to the attributes.

The complete file can be found here.

If nothing else, I find it interesting to understand the source of information, very often OSINT, and who is manufacturing what drone for what purpose.

I spent some more time reviewing Galaxy entries and the problems that I have most interest. I thought about all the experiences in security, the books, the certifications in infrastructure and applications, the enterprise, the cloud, the available tools, and still threats go undetected for months and often years. And at the same time major vendors, with all the tools and expertise, often fail to detect.

I think there is an enormous learning opportunity where teachers in high school, an instructor at a junior college, a professor at a college offers a course where students are taught the importance of context in effectively detecting threats. The students are tasked with creating files that define psychological profiles, ships, their manifests, their crew, transporting by rail, and truck. As a follow on, students are taught to correlate, and how to detect in the real world.

With the data available from OSINT resources, and the available Open-Source tools, there is tremendous opportunity to do “good” in the world.

Discover more from Threat Detection

Subscribe to get the latest posts to your email.

Leave a Reply

Discover more from Threat Detection

Subscribe now to keep reading and get access to the full archive.

Continue reading