Damn-fast and effective malware info sharing with MISP

Speaker(s) : Christophe Vandeplas (MISP)

  • Language : English
  • Level : Confirmed
  • Nature : Conference
  • Date : Tuesday 7 July 2015
  • Schedule : 15h20
  • Duration : 40 minutes
  • Place : 202

Video : https://rmll.ubicast.tv/permalink/v1253b3dbac8behemjmu

Today a huge amount of information about malware, threats, campaigns and compromises is shared. Unfortunately, far too often it is shared with the same techniques the Neanderthals used: stone carving, email, PDF reports or even paper.

The malware analyst then has the immense joy of heading to his beloved keyboard and mouse and starts extracting IOCs from those reports into a text file on his desktop. After an hour or two, when he is halfway through, he looks to his right and sees that his colleague has done exactly the same thing and has just finished. However, the colleague only took the IPs, because he can't search for hostnames in his firewall logs... and of course you also need the other IOCs.

Bye bye to prehistoric times, welcome to the world where the ’homo sapiens informaticus’ uses MISP.
With MISP - the Open Source Malware Information Sharing Platform - this can finally be done a lot more efficiently.
First of all, thanks to MISP's synchronisation features, someone else may already have encoded all the IOCs, and they are already stored and synchronised in your local, private MISP instance. You can then export the data in the format you want (OpenIOC, CSV, STIX, text, Snort/Suricata, ...) and search your network to check whether you will have to work late and clean up the mess.

MISP is not only about sharing OSINT reports, it’s also about storing your own technical data of malware and attacks, and sharing the parts you are allowed to share with the trusted partners.

MISP is also about creating communities. Communities that discover they are studying the same malware and start working together; communities that can run MISP themselves and don't have to entrust their data to a "cloud vendor" hosting a closed platform. If you have the functional need, you can also run MISP on your local or air-gapped network.

MISP is also about making your life easier: importing from various formats (free text, MISP JSON/XML, OpenIOC, or even directly from your sandbox) and exporting to many formats so the data can be loaded automatically into your NIDS, SIEM or other custom tools.
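The workflow the two paragraphs above describe (pull the IOCs someone else already encoded, export them in the format your tools take, then search your own logs for all indicator types rather than only the IPs) is shown below as an added example. This is not code from the talk or from the MISP project: the event is a constructed sample shaped like a MISP JSON export (an Event carrying a list of Attributes with type, category, value and the to_ids flag), the log lines are made up, the Suricata rules follow the older content/http_host modifier syntax as an illustration, and the values are documentation-range addresses and a placeholder hash rather than real indicators.

```python
import csv
import io
import json
import re

# Constructed sample in the shape of a MISP JSON export (Event -> Attribute list).
# Values are documentation/reserved examples and a placeholder hash, not real IOCs.
SAMPLE_MISP_JSON = json.dumps({
    "Event": {
        "id": "42",
        "info": "Constructed example event",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.23", "to_ids": True},
            {"type": "hostname", "category": "Network activity",
             "value": "update.example.net", "to_ids": True},
            {"type": "md5", "category": "Payload delivery",
             "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
            {"type": "comment", "category": "Other",
             "value": "analyst note, not an indicator", "to_ids": False},
        ],
    }
})

# Constructed firewall and proxy log lines (assumed format, not from the page).
SAMPLE_LOGS = [
    "2015-07-07T15:20:01 fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2015-07-07T15:21:13 proxy GET host=update.example.net path=/a.php",
    "2015-07-07T15:22:40 fw allow src=10.0.0.7 dst=203.0.113.9 dport=80",
]


def load_ids_attributes(misp_json):
    """Return (type, value) pairs for attributes flagged to_ids.

    Attributes without to_ids (analyst comments, context) are kept in MISP
    but must not become detection rules, so they are filtered out here.
    """
    event = json.loads(misp_json)["Event"]
    return [(a["type"], a["value"]) for a in event["Attribute"] if a.get("to_ids")]


def export_csv(attrs):
    """CSV export: one row per indicator, header first."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "value"])
    writer.writerows(attrs)
    return buf.getvalue()


def export_suricata(attrs, base_sid=1000001):
    """Turn network indicators into Suricata rules (illustrative rule text).

    Only types that map to a network signature are emitted; hashes are skipped.
    """
    rules = []
    for i, (atype, value) in enumerate(attrs):
        sid = base_sid + i
        if atype == "ip-dst":
            rules.append(
                f'alert ip $HOME_NET any -> {value} any '
                f'(msg:"MISP ip-dst {value}"; sid:{sid}; rev:1;)'
            )
        elif atype == "hostname":
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any '
                f'(msg:"MISP hostname {value}"; content:"{value}"; http_host; '
                f'nocase; sid:{sid}; rev:1;)'
            )
    return rules


def search_logs(attrs, log_lines):
    """Match IP and hostname indicators against log lines.

    The regex anchors on non-word, non-dot boundaries so 198.51.100.23
    does not also match 198.51.100.231 or sub.update.example.net.
    """
    hits = []
    for atype, value in attrs:
        if atype not in ("ip-dst", "ip-src", "hostname", "domain"):
            continue
        pattern = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])")
        for line in log_lines:
            if pattern.search(line):
                hits.append((atype, value, line))
    return hits


if __name__ == "__main__":
    attrs = load_ids_attributes(SAMPLE_MISP_JSON)
    print(export_csv(attrs))
    print("\n".join(export_suricata(attrs)))
    for atype, value, line in search_logs(attrs, SAMPLE_LOGS):
        print(f"HIT [{atype}] {value}: {line}")
```

Run against the constructed data, the search returns two hits (one on the IP, one on the hostname) and ignores the unrelated 203.0.113.9 connection; an analyst who only grepped for IPs, as in the story above, would have missed the proxy line entirely.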

During this presentation we will take a quick look at the main challenges we face in exchanging information about malware and attacks. We will talk about what MISP's strengths (functional and technical) and weaknesses are, and how we would like to make it better.

We will not use buzzwords like threat landscape, cyber intelligence and ’in the cloud’. But the words ’open source’, ’feel free to use’, ’share the love’ and ’contribute’ or even ’help fund us’ might be mentioned.

Christophe Vandeplas
Christophe is an incident handler and malware analyst working in various high-security organisations. He focuses on network forensics, malware reverse engineering as well as computer forensics.
His main contributions to the community were the creation of MISP, pystemon and the organisation of the FOSDEM conference for many years.

Slides
Slides (PDF - 25.8 Mb)