<div class="bt_rc_container">
<p>Published 2023-01-04 at <a href="https://www.dcg420.org/en/eng-the-other-side-of-cti-misp-contribution/">https://www.dcg420.org/en/eng-the-other-side-of-cti-misp-contribution/</a></p>
<h3 style="font-weight: 400;"><strong>The other side (not the dark side) of CTI – our contribution to MISP 2.4.167</strong></h3>
<p style="font-weight: 400;">Throughout this year we have talked a lot, and often, about two things: Cyber Threat Intelligence (CTI) and our main topic, Active Cyber Defense (ACD). Our longstanding dedication to these topics culminated in a presentation by our members at the <a href="https://www.blackhat.com/eu-22/briefings/schedule/index.html#strengthening-cyber-resiliency-in-a-time-of-geopolitical-crises-applying-threat-intelligence--active-defense-to-protecting-critical-information-infrastructures-29400" target="_blank" rel="noopener"><strong>BlackHat Europe 2022</strong></a> conference.</p>
<p style="font-weight: 400;">Everything that was said there (and there was very little of it) was essentially about two open-source platforms – <a href="https://www.dcg420.org/en/category/misp/" target="_blank" rel="noopener"><strong>MISP</strong></a> and <a href="https://www.dcg420.org/en/category/vectr/" target="_blank" rel="noopener"><strong>VECTR</strong></a>.</p>
<p style="font-weight: 400;">While testing CTI capabilities, we ran into several obstacles that prevented us from continuing our activities in a way that remained transparent and, above all, ensured the sustainability and preservation of our data. Overall, managing structured CTI data is a big challenge for us.</p>
<p>It is for this reason that we have created <a href="https://github.com/MISP/misp-objects" target="_blank" rel="noopener"><strong>3 new objects for the MISP</strong></a> platform to address this issue.</p>
<p>These new objects have been released in <a href="https://www.misp-project.org/2022/12/26/MISP.2.4.167.released.html/" target="_blank" rel="noopener"><b>MISP 2.4.167 – release notes</b></a>.</p>
<hr />
<h4>MISP addons by DCG420:</h4>
<h4 style="font-weight: 400;"><span style="color: #ff0000;"><strong>#1 ADS+ object</strong></span></h4>
<p>Most native CTI platforms do not address the flip side of CTI, i.e. how the shared IoCs or behaviours are actually detected, even though it is logical that the detection part, and its binding to the intelligence, should live in the same platform.</p>
<p>The ADS, or Alerting and Detection Strategy, was published by PALANTIR in 2017. We have <strong>added two more categories</strong> to the original ten, namely:</p>
<ol>
<li><strong>The detection rule (SIGMA, generic rule)</strong></li>
<li><strong>Use of Active Cyber Defence (ACD) elements for blind spots</strong></li>
</ol>
<h6>Read more about our <strong>custom ADS framework</strong> <a href="https://www.dcg420.org/en/eng-custom-methodology-for-dem-and-ads-with-acd-elements-use/" target="_blank" rel="noopener"><strong>here</strong></a>.</h6>
<h6><strong>What it looks like in MISP:</strong></h6>
<p><img class="alignnone size-full wp-image-7146" src="http://dcg420.org/wp-content/uploads/2023/01/410B55C3-3F69-49CF-ACF8-3440EF3BE386.jpeg" alt="ADS+ object as shown in MISP" /></p>
<hr />
<h4 style="font-weight: 400;"><span style="color: #ff0000;"><strong>#2 PersNOna object</strong></span></h4>
<p style="font-weight: 400;">When creating fake profiles, we often run into the problem of managing them, as well as their connections and activities. Here we took inspiration from the <a href="https://itk.mitre.org/toolkit-tools/personas/" target="_blank" rel="noopener"><strong>Fake PersNOna template by MITRE</strong></a>, which exists only as a PDF template and is therefore totally inadequate for managing more than one identity.</p>
<p style="font-weight: 400;">Therefore, we have created a fake persona definition that can be used both for known fake adversary profiles and as a fake profile manager, for example to monitor social media or to track the profiles required to register on various services.</p>
<p><strong>What it looks like in MISP:</strong></p>
<p><img class="size-full wp-image-7136 aligncenter" src="http://dcg420.org/wp-content/uploads/2023/01/MISP_2_Persnona.png" alt="PersNOna object as shown in MISP" /></p>
<hr />
<h4 style="font-weight: 400;"><span style="color: #ff0000;"><strong>#3 Groups object</strong></span></h4>
<p style="font-weight: 400;">This object is inspired by ThaiCERT's <a href="https://apt.etda.or.th/cgi-bin/aptgroups.cgi" target="_blank" rel="noopener"><strong>Threat Group Cards</strong></a> project. The object itself allows you to create an adversary profile according to a template, so CTI no longer depends only on predefined threat groups, for example those defined in <a href="https://attack.mitre.org/" target="_blank" rel="noopener"><strong>MITRE ATT&amp;CK</strong></a>.</p>
<p><strong>What it looks like in MISP:</strong></p>
<p><img class="alignnone size-full wp-image-7137" src="http://dcg420.org/wp-content/uploads/2023/01/MISP_3_Groups.png" alt="Groups object as shown in MISP" /></p>
<hr />
<h5 style="font-weight: 400;"><strong>Sources:</strong></h5>
<p><a href="https://www.blackhat.com/eu-22/briefings/schedule/index.html#strengthening-cyber-resiliency-in-a-time-of-geopolitical-crises-applying-threat-intelligence--active-defense-to-protecting-critical-information-infrastructures-29400" target="_blank" rel="noopener">https://www.blackhat.com/eu-22/briefings/schedule/index.html#strengthening-cyber-resiliency-in-a-time-of-geopolitical-crises-applying-threat-intelligence--active-defense-to-protecting-critical-information-infrastructures-29400</a></p>
<p><a href="https://www.dcg420.org/en/eng-custom-methodology-for-dem-and-ads-with-acd-elements-use/" target="_blank" rel="noopener">https://www.dcg420.org/en/eng-custom-methodology-for-dem-and-ads-with-acd-elements-use/</a></p>
<p><a href="https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2" target="_blank" rel="noopener">https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2</a></p>
<p><a href="https://github.com/MISP/misp-objects" target="_blank" rel="noopener">https://github.com/MISP/misp-objects</a></p>
<p><a href="https://www.misp-project.org/2022/12/26/MISP.2.4.167.released.html/" target="_blank" rel="noopener">https://www.misp-project.org/2022/12/26/MISP.2.4.167.released.html/</a></p>
<p><a href="https://attack.mitre.org/" target="_blank" rel="noopener">https://attack.mitre.org/</a></p>
<p><a href="https://itk.mitre.org/toolkit-tools/personas/" target="_blank" rel="noopener">https://itk.mitre.org/toolkit-tools/personas/</a></p>
<p><a href="https://apt.etda.or.th/cgi-bin/aptgroups.cgi" target="_blank" rel="noopener">https://apt.etda.or.th/cgi-bin/aptgroups.cgi</a></p>
</div>