Using the workflow taxonomy in MISP

Using the workflow taxonomy in MISP

In the context of MISP, intelligence handling usually requires a set of stages for that information to be handled effectively. This can be addressed procedurally through a workflow.

Understanding how a taxonomy may be implemented in MISP to assist this process is handy.

The context for which I will be describing this taxonomy is for the consumption, production and distribution of Threat Intelligence. Namely, what workflow states would need to be implemented to effectively consume, enrich, review and release threat intelligence.

Workflow stages within the MISP taxonomy are as listed below:

  • Todo
    • expansion
    • review
    • review-for-privacy
    • review-before-publication
    • release-requested
    • review-for-false-positive
    • review-the-source-credibility
    • add-missing-misp-galaxy-cluster-values
    • create-missing-misp-galaxy-cluster
    • create-missing-misp-galaxy-cluster-relationship
    • create-missing-misp-galaxy
    • create-missing-relationship
    • add-context
    • add-tagging
    • check-passive-dns-for-shared-hosting
    • review-classification
    • review-the-grammar
    • do-not-delete
    • add-mitre-attack-cluster
    • additional-task
    • create-event
    • preserve-evidence
  • State
    • incomplete
    • complete
    • draft
    • ongoing

As you can see from the above list, there is a lot of Todo items within this taxonomy, and partly this is because there are a number of factors to consider when consuming and producing Cyber Threat Intelligence.

Considering the use cases of Consuming and Producing Threat Intelligence, we go into more detail in the following sections.

Consuming Threat Intelligence

When consuming Threat Intelligence from an external (or even internal source) you would like to have some assurances to the quality and the reliability of that information before implementing it into the production environment. Part of this validation may involve a sequence of tasks which would need to be performed to determine if the intelligence would have a detrimental impact to that environment (beyond that of preventing a malicious actor from affecting your environment).

From the workflow taxonomy, a sequence of tasks should be performed prior to that intelligence being introduced into the production environment. An example of one such sequence would be depicted below.

  • Review the Source Credibility
  • Review of False Positives
  • Check Passive DNS for Shared Hosting
  • Add Tagging
  • Review
  • Release Requested

Producing Threat Intelligence

Producing Cyber Threat Intelligence is a bit different, and it usually requires a considerable investment of time and effort to make the intelligence useful. There is also an element of risk being staked as well in producing this intelligence – because if you get it wrong, it’s your reputation at stake.

It goes without saying, when producing Cyber Threat Intelligence, more effort is required at the originator’s end to make sure the information is factual, repeatable, verifiable, and does not contain false-positives.

Using the workflow taxonomy, a suggested sequence of tasks to be performed include the following processes:

  • Create Event
  • Add Context
  • Expansion
  • Add Tagging
  • Add missing MISP galaxy cluster values
  • Add MITRE Attack Cluster
  • Review
    • Review Grammar
    • Review Classification
    • Review Before Publication
    • Release Requested

In subsequent posts I will be describing how to build out a MISP event in a manner which is actionable where it is consumed by external parties. However, the aim of the above processes is to create an event, add context, expand on that content, tag the attributes appropriately, and then create relationships to external frameworks.

At the conclusion of this build up, the intelligence is then reviewed for it’s voracity, and then assessed for it’s sensitivity. Only after all of this, is the intelligence considered approved for distribution, as a highly refined product.

Leave a Reply

10 − 2 =