Z Cyber Threat Intelligence Sharing Platforms - MISP

Cyber Threat Intelligence Sharing Platforms are operational mechanisms to support the exchange of intelligence on cyber security threats and incidents amongst different entities. They can be used by first line responders working on cyber security incidents. Cyber threat intelligence can be shared by commercial providers, based upon a certain fee. Some Cyber threat platforms collect and store cyber incidents and threats, for historical investigations (such as Shadowserver). Other platforms are oriented in providing (near) real time information, and get their relevance and significance on the basis of the contributors. Some platforms are centrally oriented, others work in a decentralized manner. Some platforms are oriented towards providing background and information about the technical components of an incidents, while others orient towards the impact, the origin, the assumed originator, or other components. The information can be useful for investigators, while trying to understand the incident and while limiting its potential damage and impact, while searching for recovery and restoring the situation, in investigating the root cause and trying to resolve the vulnerabilities, in trying to understand the impact it has caused after a breach or for forensic investigations.
As practical example: a computer incident occurs at a company, causing the laptop of an employee to show a screen asking for a payment to be done within the remit of days, threatening the user to destroy all information on the laptop. In the meantime, the information on the laptop has been encrypted with an unknown key. This ransomware attack has likely entered into the laptop from the outside (either clicking on a link, installing a piece of software or opening an email attachment). First line responders will be confronted with the resulting laptop. They can start searching logs and activities of the laptop and they can investigate through specialized cyber security services about the activity. Their activities and results will be noted in a case log. Once a specific email or URL has been discovered, likely to be the source of the damage, it can be shared with others in the community in order to avoid the further spread, and in order to investigate the perpetrators. Usually, these origins will be beyond the sovereignty of the state, crossing international borders and intruding many different servers over multiple jurisdictions. In some cases it could lead to taking down the operations, if for instance law enforcement teams were already involved on the case. The cyber threat sharing will support these operations, the local laptop incident team, national cyber security incident teams, law enforcement, specialist operations and justice in the investigations and the incident, also collecting digital evidence.
There are different sharing mechanisms, both technical standards, open source intelligence providers, commercial intelligence providers, communities with their own sharing infrastructure, information sharing on the basis of simple email and telephone and both commercial an open source platform that support the incident management. Some platforms are only there to provide a communication and community management layer, as a trusted platform. Other platforms aim to automate, and to maximize automated reaction and response. MISP is one platform, built from the need to further automate the manual intervention of sharing intelligence over email, towards a structured way.
The Malware Information Sharing Platform (MISP) is an open source software (freely downloadable and royalty-free operational) platform that can be installed by any organization in order to collect and distribute malware information – cyber threat intelligence amongst peers. It is a cooperation oriented – community-based operation, aimed at cyber threat experts sharing their discoveries and intelligence.
In practice, it is used by some organizations such as incident response teams (Computer Emergency Reponse Teams – CERTs, or Cyber Security Incident Response Teams – CSIRTs), that support their respective stakeholders in case of computer security incidents. Incidents could be data breaches (theft or loss of data), but could equally be intrusions from outsiders (cyber criminals), entering into corporate networks, through malware (virus, ransomware, ….), botnets, ddos attacks, spam, phishing and other cyber-criminal activities.
MISP is a platform for sharing, storing and correlating Indicators of Compromises of targeted attacks. MISP is used today in multiple organisations. Not only to store, share, collaborate on malware, but also to use the IOCs (Indicators of Compromise) to support the detection and prevention of incidents and attacks.
The main purpose of the MISP is to have one incident management team, investigating such an incident, reporting it into the MISP to alert other MISP subscribers to be aware of the incident and be alerted that similar incidents might happen on their constituency – or with their stakeholders.
The incident management teams can sometimes be responsible for one organisation (large corporates, or security services companies) or multiple organisations (such as national CERTs, typically taking care over incidents of national governments, administration and public authority institutions.
MISP is an open source software and it’s also a large community of MISP users creating, maintaining and operating communities of users or organizations sharing information about threats or cyber security indicators worldwide. The MISP project doesn’t maintain an exhaustive list of all communities relying on MISP especially that some communities use MISP internally or privately.
MISP finds its origins already in the early 1990’s. The first technical platform was created in 2011, as frustration that way too many IOCs were shared by email, or in pdf documents and were not readable by automatic machines. The first attempt was called CyDefSIG: Cyber Defence Signatures.Github (open source – open development platform), this got further developed by NATO’s CERT and the Belgian military CERT teams. The lead developer works with the Luxemburg CERT team (CIRCL). Today, there is a community of developers, contributors and users, working on the platform. There is a core team of motivated people who think that information sharing can be improved and supported by creating practical open source tools, open format and practises.

The objective is to support cybersecurity incident response teams, analysts and first line responders in their day to day operations, with intelligence and a connected group of experts. The aim is to provide an effective and structured means of interactions and communications.

Sustainable, continues to be supported through the community, additional developments of the platform under GIThub. Additional extensions built under STIX / TAXI and OpenC2. Additional extensions built on operational commercial platforms (QRadar, Splunk, …)
Sustainable through the return on investment of the volume of incidents and information shared, for relatively low investment (input), high return.
Not Sustainable as it might be overtaken by another similar mechanism over time, providing better efficiency in operations with fewer resources. It is likely that the MISP platform and community will merge into another platform.

The MISP is fully transferable, with the software freely downloadable from the MISP-project website, and contributions and updates coming from GIThub. The experiences and best practices have been shared, community is available to support both setup and operations.

Information usually has been already treated by the front-line practitioners, before they are being shared on MISP.
There are investigations and ongoing actions to increase the efficiency and mechanism of MISP, to report in STIX in a structured way for forensic use focusing on digital evidence. Additional research is undertaken how the MISP can immediately include digital evidence – during an incident to capture all required data and automatically (without any intervention, time stamped and proven in methodology) reported into a platform (possibly MISP).

a) International cooperation is the fundamental of MISP. It is being used today by over 800 organisations in Europe and worldwide, including official CERTs and platforms.
b) Cooperation at the national level supporting interactions of incident response teams within the country (CERTs, CSIRTs, incident response managers, SOC’s, ISAC’s, law enforcement and investigators, both first level and other responders)
c) Cooperation with front-line practitioners is the fundamental of the MISP operation, it facilitates the activities of first line responders – front-line practitioners, also the ones without any expertise / experience on law enforcement or legal systems (justice). It also allows for law enforcement and investigators to investigate using the platform, without disrupting or influencing operations.
d) Other methods of cooperation include reporting platform – when SOC’s or other incident team discover an incident, the platform will receive – store and forward – the information. The system can act as a forensic tool over time.

? (public and private) CERT’s, CSIRT’s, Security Operations Centers (SOC’s)
? Law Enforcement Agencies
? National Coordinator for Security and Counterterrorism
? National Intelligence
? Forensic Investigators
? Cyber Security analysts and first level responders
? Tech Crime Units
? Europol, NATO, CERT.EU
? Private Security Services organizations
? ISAC’s (Information Sharing Analysis Centers)
? ENISA (European Agency for Network and Information Security)

Low - in operations – free to install, host, operate (no license cost), infrastructure relatively limited – can be cloud operated
Low - can already operate with 0,25 FTE, shared resource
Low - shared cost in operation, shared knowledge through community
High – in order to take into full operation, dedicated resources should be required, investigating and coordinating relations, managing the trusted network and the trusted information sharing (traffic light protocol).
High – there is only limited capability of filtering, high volumes of incidents needs to be treated as well, sometimes too much information is being shared

MISP-Project website
CIRCL – National CERT in Luxemburg
CERT.EU & CERT.BE – operational teams
First-Line Practitioners from different cybersecurity expert organisations

MISP-Project https://goo.gl/Vc1KaD
CIRCL (Luxemburg CERT) MISP https://goo.gl/jfnLhC
Operations Handbook : https://goo.gl/kGEyUu
NATO – NCIA : https://goo.gl/3TXYAc

Information Sharing is essential for front-line practitioners, to be able to be prepared for, identify, detect and react on a cyber security incident. A platform such as MISP (or any other) is relevant as it facilitates the technical environment to connect and collect intelligence amongst experienced partners. It creates a form of trust, a relationship whereby the platform itself becomes knowledgeable on the basis of the information provided by the collective, whereby the information in there will be less questionable. It supports the time sensitivity, that is that it helps in any case in reacting against the speed in which some of the cyber incidents take place. The platform allows for a (near) real time reaction to an incident. At least in some cases, information will be delivered for organisations to act, prior to an incident taking place. In this case, by putting in place preventive measures, sometimes cybercriminal behaviour can be avoided, or even quarantined – or ran – just to be able to gather forensic evidence. The platform itself also allows investigators to collect evidence for forensic analysis. The information shared is in the first place to support the computer incident, but can also be used for cybercriminal behaviour investigations, attribution and identifying the link to organized crime activities.

It effectiveness is mainly based upon 1) the effectiveness of the platform itself, 2) the contributing organisation, 3) the information stored (and forwarded) and 4) the organisations or people consulting the platform.
1) The effectiveness of the platform itself is derived out of the user friendliness of the tool (the technical platform), but also its ease of facilitating information gathering (input) by expert – and non-expert people providing information to the platform. Additional effectivity will result out of the level of automation that can be derived from the information input (and output) – (can information easily be exported – copy-pasted from SIEM, and other internal intelligence systems – into the MISP?), and finally whether there are no other (open source) tools and technologies that become available that are more effective (and efficient). The MISP has received comments in the fact that is has been limited to “Malware – related” incidents only, not taking into account, or not providing means to report other types of cybercriminal behaviour.
2) The contributing organisation will need to be able to work with the MISP-tool and platform, that means that they need to be able to get the time – and resources to input, and to get the authorization to provide inputs. The information inputted needs to be in the right format and speedy enough. There have been cases in the past where the information was only put in after the incidents only – in order to avoid an impact on the running investigations. These have impacted the effectivity.
3) The information stored can be valuable, but can also be simply “too much information”, for instance lists of IP addresses which have been blacklisted – but without any further information or intelligence on them. Too much information, especially with already a lot of information coming from own systems during an incident, can be less effective.
4) The organisations consulting the platform need to be knowledgeable and effective. If these people know what they are looking for, know what to expect and know how to interpret and deal with the information provide, they will be more effective. In many cases the platform might not be as effective if the recipient don’t know how to deal with it.

Platforms for sharing have proven to be efficient. Proof is the fact that they are being used by both the cybersecurity industry itself, but equally by law enforcement and many other front-line practitioners.
Platforms are being used on a daily basis to gather intelligence on malware signatures, the way malwares have been engineered and how they have been adapted. Intelligence is being shared on how vulnerabilities have been discovered in systems and applications and how they are being exploited, what channels perpetrators are using and how they go about in “weaponizing”. Through this also information is gathered from the cybercriminals, breadcrumbs are followed in order to discover potential leaks to the organized crime, in order to collect evidence and identify the criminals. Information is being used to finally prosecute them and track them down, even identify their whereabouts once an investigation leads to an arrest warrant.
Some cyber security industry players are reporting to use already for more than 90% automation, including the use of intelligence sharing, to respond to the daily challenges of incidents. The remaining 10% is labour intensive investigations on malwares, cybercriminal activities (such as darknets), which are being collected and shared amongst peers in different expert and other (non-expert) networks (such as MISP).
The efficiency of MISP is debatable. Undoubtable, the platform has gained a lot of success over the last couple of years, because it has been used by some national CERT’s and their teams in order to communicate amongst each other and amongst some other private organizations in a structured way. MISP has gained a lot of interest because it is Open Source, can be easily implemented and it can gain interest, by growing to use it internally and trying to learn from it this way. Other platforms have shown to be more efficient, and in due course MISP will likely transform into a more efficient platform itself.

A recent case where such platforms were used, was in Germany, following a hacker in the UK who was trying to hack into German ISP modems (November 2016) in order to attack the state of Liberia. (BundeskriminaltAmt, February 2017- https://goo.gl/cuGc8a).

Cyber Security Information Sharing platforms have proven to be sustainable, in that they already exist for many years, at least within the industry. They have gained additional interest and attention with other organizations as well. Many different tools exist to support the sharing.
The MISP platform is sustainable as it has seen its basis in the open source community, allowing for regular new updates and upgrades to take place, on the basis of the community. However, there are some key people that empower the continuity of development of MISP, that are crucial to the sustainability of the platform and its developments. Its sustainability will depend on the continued support of its community, its ability to innovate and provide an efficient tool for cyber security incidents and first-line practitioner actions.
Impacting sustainability is also the way it is capable of dealing with issues reported (either centrally or via Open Source : https://goo.gl/nmKdzj).

The MISP tool is fully available on the internet, can be freely installed and operated. Connecting to other MISP’s will take some additional requirements, but is achievable within a reasonable timeframe.
Actors and stakeholders are inclusive – by nature of the platform.
Also additional developments on the MISP interfaces can be build and included into the platform, or can be shared with the other stakeholders.