McHughSecurity
Using the workflow taxonomy in MISP

Posted on May 23, 2021 by A. McHugh

In the context of MISP, intelligence handling usually requires a set of stages for that information to pass through if it is to be handled effectively. This can be addressed procedurally through a workflow.

Understanding how a taxonomy can be applied in MISP to support this process is useful.

The context in which I will describe this taxonomy is the consumption, production and distribution of Threat Intelligence: namely, which workflow states need to be implemented to effectively consume, enrich, review and release threat intelligence.

The stages within the MISP workflow taxonomy are listed below (the predicate first, then its values):

  • Todo
    • expansion
    • review
    • review-for-privacy
    • review-before-publication
    • release-requested
    • review-for-false-positive
    • review-the-source-credibility
    • add-missing-misp-galaxy-cluster-values
    • create-missing-misp-galaxy-cluster
    • create-missing-misp-galaxy-cluster-relationship
    • create-missing-misp-galaxy
    • create-missing-relationship
    • add-context
    • add-tagging
    • check-passive-dns-for-shared-hosting
    • review-classification
    • review-the-grammar
    • do-not-delete
    • add-mitre-attack-cluster
    • additional-task
    • create-event
    • preserve-evidence
  • State
    • incomplete
    • complete
    • draft
    • ongoing

As you can see from the above list, there are a lot of Todo items within this taxonomy, partly because there are a number of factors to consider when consuming and producing Cyber Threat Intelligence.

The following sections go into more detail on the two use cases: consuming and producing Threat Intelligence.

Consuming Threat Intelligence

When consuming Threat Intelligence from an external (or even an internal) source, you would like some assurance of the quality and reliability of that information before implementing it in the production environment. Part of this validation may involve a sequence of tasks that need to be performed to determine whether the intelligence would have a detrimental impact on that environment (beyond that of preventing a malicious actor from affecting your environment), for example by blocking shared hosting infrastructure on the strength of an untested indicator.

Using the workflow taxonomy, a sequence of tasks should be performed before that intelligence is introduced into the production environment. An example of one such sequence is shown below.

  • Review the Source Credibility
  • Review of False Positives
  • Check Passive DNS for Shared Hosting
  • Add Tagging
  • Review
  • Release Requested

Producing Threat Intelligence

Producing Cyber Threat Intelligence is a bit different, and it usually requires a considerable investment of time and effort to make the intelligence useful. There is also an element of risk being staked in producing this intelligence: if you get it wrong, it is your reputation at stake.

It goes without saying that, when producing Cyber Threat Intelligence, more effort is required at the originator's end to make sure the information is factual, repeatable and verifiable, and does not contain false positives.

Using the workflow taxonomy, a suggested sequence of tasks to be performed is as follows:

  • Create Event
  • Add Context
  • Expansion
  • Add Tagging
  • Add missing MISP galaxy cluster values
  • Add MITRE Attack Cluster
  • Review
    • Review Grammar
    • Review Classification
    • Review Before Publication
    • Release Requested

In subsequent posts I will describe how to build out a MISP event in a manner that is actionable when it is consumed by external parties. The aim of the above processes, however, is to create an event, add context, expand on that content, tag the attributes appropriately, and then create relationships to external frameworks.

At the conclusion of this build-up, the intelligence is reviewed for its veracity and then assessed for its sensitivity. Only after all of this is the intelligence considered approved for distribution, as a highly refined product.

Tags: taxonomies, workflow
Copyright © 2022 McHughSecurity.