Using MISP in a TraceLabs Missing Persons engagement

MISP is certainly not intended to be used like this; however, with some creativity and some technical effort, the MISP Threat Intelligence Platform could be utilized as a missing persons intelligence database.

In this post, I will discuss a methodology for using MISP as the intelligence platform, together with more traditional applications such as Maltego (and some custom transforms), to collect, enrich, and manage your intelligence.

If you haven’t heard of TraceLabs, it is a not-for-profit organization specializing in crowd-sourced and open-source intelligence gathering for active missing person cases across the globe.

MISP (formerly Malware Information Sharing Platform) is a threat sharing platform geared more toward threat event intelligence and threat actor tracking. But for this setup, I will be talking about using MISP as a missing persons platform.

I will be using Maltego as the investigation platform for this write-up, leveraging some custom transforms I have prepared based on a previous article I wrote on the matter.

Tracelabs Missing Persons Attributes

Part of collecting intelligence and submitting it to the platform involves collecting evidence across several categories. Once submitted against these categories, the evidence is worth points, which help to gamify the process, but also move a team further up the scoreboard and potentially win prizes in the process.

One of the biggest frustrations I have seen previously from teams is incorrectly classifying their evidence submissions, and failing to identify evidence that can be submitted.

The categories available for submission are:

  • Friends
  • Employment
  • Family
  • Home
  • Basic Subject Info
  • Advanced Subject Info
  • Day Last Seen
  • Dark Web
  • Location

Within each of these categories, attributes can be associated so long as they can be related to the missing person.

So in the example of Friends, you could submit names, birthdays, phone numbers, email addresses, social media handles, etc. of people who would be associated with the search subject as a friend.

What defines a friend, however, could either work for or against your evidence. This is where context needs to be added to describe why this piece of evidence is relevant.

Each submitted piece of evidence needs to include:

  • The evidence
  • Where it can be found (not behind a paywall)
  • How the evidence relates to the missing person case

Importantly, each attribute may only be submitted and accepted once per team. Again, this can work for or against a team in their submissions.

Take a hypothetical example of a missing person with a public Facebook account. Potentially, all Friends which are publicly viewable would be considered evidence.

A profile with 100 Facebook friends would have the name of each person admissible, along with whichever profiles had email addresses, birthdays and phone numbers posted. Immediately there are potentially 1,000 points achievable here (in names alone), but you do need to justify these submissions to the judges.
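To make the submission rules above concrete, here is an added example (my own illustration, not code from the post, TraceLabs or the MISP project) that models a case as a MISP-format event and enforces three of those rules when evidence is added: a valid category, a source location plus a relation statement, and the once-per-team limit. The `tracelabs:category` tag naming and all sample values are placeholders I made up for the example.

```python
"""Model TraceLabs evidence submissions as a MISP event (added example)."""
import json

# Submission categories as listed in the post.
CATEGORIES = {
    "Friends", "Employment", "Family", "Home", "Basic Subject Info",
    "Advanced Subject Info", "Day Last Seen", "Dark Web", "Location",
}


def new_case_event(case_name):
    """Return a minimal MISP event skeleton for one missing-person case."""
    return {"Event": {"info": case_name, "distribution": 0,
                      "threat_level_id": 4, "analysis": 0, "Attribute": []}}


def add_evidence(event, category, attr_type, value, source_url, relation):
    """Append one piece of evidence, or raise if it breaks a submission rule.

    The tag 'tracelabs:category="..."' is this example's own convention
    (assumed), not an official MISP taxonomy.
    """
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    if not source_url or not relation:
        raise ValueError("evidence needs a source location and a relation")
    attrs = event["Event"]["Attribute"]
    # Once-per-team rule: the same value may not be submitted twice.
    if any(a["value"] == value for a in attrs):
        raise ValueError(f"duplicate submission: {value}")
    attrs.append({
        "type": attr_type, "category": "Person", "value": value,
        # Context the judges need: where it was found and why it relates.
        "comment": f"Source: {source_url} | Relation: {relation}",
        "Tag": [{"name": f'tracelabs:category="{category}"'}],
    })
    return len(attrs)


def count_by_category(event):
    """Tally submitted attributes per TraceLabs category."""
    counts = {}
    for a in event["Event"]["Attribute"]:
        cat = a["Tag"][0]["name"].split('"')[1]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def to_json(event):
    """Serialise the event in the JSON shape MISP's import expects."""
    return json.dumps(event, indent=2)
```

The resulting JSON can be loaded into a MISP instance with its standard event import; in practice you would also map each category to the most fitting MISP attribute type rather than always using `full-name` or `text`.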

Using Maltego transforms to accelerate attribute collection

There are several local transforms available already as part of Maltego, but more can be created and added using code that is already written, or customized modules to query bespoke databases.

Interesting data sources I have seen integrated through Maltego include:

  • Steam Affiliations
  • Twitter Affiliations
  • Facebook Affiliations

All of these contain linkages to other people (who could also be defined as Friends) and may be cross-referenced against other data sources (e.g. a common user handle on Steam and Facebook, which would increase the quality of a submission and possibly prove the actual identity behind a user handle).

Conclusion

In conclusion, using MISP as an intelligence platform to capture missing persons information may be quite useful where there is a large amount of data needing to be correlated. In combination with Maltego transforms and MISP's integration with Maltego, graphical node tools and link analysis tools become all the more effective.
