Warning: Undefined array key 0 in /data/www/22702/dcg420_org/www/wp-content/themes/eventim/functions.php on line 1048

Warning: Attempt to read property "ID" on null in /data/www/22702/dcg420_org/www/wp-content/themes/eventim/functions.php on line 1048

Warning: Undefined array key 0 in /data/www/22702/dcg420_org/www/wp-content/themes/eventim/functions.php on line 1048

Warning: Attempt to read property "ID" on null in /data/www/22702/dcg420_org/www/wp-content/themes/eventim/functions.php on line 1048
(ENG) The other side (not the dark side) of CTI – our contribution to MISP 2.4.167 – DCG420
   

Search

Active Cyber DefenseADSBlackhatDetectionMISP

(ENG) The other side (not the dark side) of CTI – our contribution to MISP 2.4.167

4.1.2023
MISP_addon_misp-objects-1200x479.png

 

The other side (not the dark side) of CTI – our contribution to MISP 2.4.167

All this year we have talked a lot and often about two things. The first is Cyber Threat Intelligence (CTI) and then our main topic, Active Cyber Defense (ACD). Overall, our longstanding dedication to this topic culminated in a presentation by our members at the BlackHat Europe 2022 conference.

Everything that was said there (and there was very little of it) was basically about two open-source platforms – MISP and VECTR.

In our testing of CTI’s capabilities, we encountered several obstacles that did not allow us to continue our activities in a way that would remain transparent and, above all, ensure the sustainability of our data and its preservation. Overall, managing structured data related to CTI is a big challenge for us.

It is for this reason that we have created 3 new objects for the MISP platform to address this issue.

These new objects have been released in MISP 2.4.167 – release notes.

 

MISP addons by DCG420:

#1 ADS+ object

Most native CTI platforms do not address the flip side of CTI, i.e. how to detect shared IoCs or behaviors. Although it is logical that just the detection part and the binding to it must be part of one platform.
The ADS or Alerting and Detection Strategy was published by PALANTIR in 2017. We have added two more categories to the original ten, namely:
  1. The detection rule (SIGMA, Generic rule)
  2. Active Cyber Defence (ACD) elements use for Blind spots
Read more about our custom ADS framework here.
What it looks like in MISP:

#2 PersNOna object

When creating fake profiles, we often run into the problem of managing them. There is also the problem of managing their connections and activities. Here we have taken inspiration from the Fake PersNOna template by MITRE, which exists only as a pdf template, which is totally inadequate for managing more than one identity.

Therefore, we have created a fake persona definition that can be used both for known fake adversary profiles and as a fake profile manager, for example to monitor social media or profiles required to register on various services.

What it looks like in MISP:

#3 Groups object

This object is inspired by ThaiCERT’s Threat Group Cards project. The Object itself allows to create an adversary profile according to a template. Thus, CTI does not depend only on defined threat groups, for example according to MITRE ATT&CK.

What it looks like in MISP:

Sources:

https://www.blackhat.com/eu-22/briefings/schedule/index.html#strengthening-cyber-resiliency-in-a-time-of-geopolitical-crises-applying-threat-intelligence–active-defense-to-protecting-critical-information-infrastructures-29400

https://dcg420.org/eng-custom-methodology-for-dem-and-ads-with-acd-elements-use/

https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2

https://github.com/MISP/misp-objects

https://www.misp-project.org/2022/12/26/MISP.2.4.167.released.html/

https://attack.mitre.org/

https://itk.mitre.org/toolkit-tools/personas/

https://apt.etda.or.th/cgi-bin/aptgroups.cgi

 

 

previous(ENG) Custom methodology for DEM and ADS with ACD elements use

cs_CZCzech
en_GBEnglish cs_CZCzech