Improving cyber-attack response capabilities with MISP!

As cyber-attacks increase, responding to them requires a large volume of threat intelligence. It is important to acquire and manage that intelligence quickly, apply it to security devices, and keep it current. We describe how the introduction of MISP (Malware Information Sharing Platform) improved our cyber-attack response capabilities and facilitated information sharing both inside and outside the organization.

Challenges of using IoC

NTTDATA-CERT collects threat intelligence on a daily basis to prevent security incidents and to detect them quickly. Within threat intelligence, information called IoC (Indicators of Compromise) can be used to block and detect malware and unauthorized communications. IoCs are therefore extracted from threat intelligence and applied to security devices such as firewalls and SIEMs.

NTTDATA-CERT had the following issues in processing IoC.

  • Although attacks are increasing, the number of IoCs in use is not keeping pace, so some cyber-attacks may be going unblocked or undetected.
  • Collecting IoCs and applying them to security devices takes time because it is done manually. Urgent IoCs obtained at night or on holidays cannot be applied promptly, and because of time differences they cannot be exchanged with overseas group companies immediately.
  • Manual work is error-prone, and the more IoCs there are to process, the greater the workload and the higher the personnel cost.

To improve its ability to respond to ever-increasing cyber-attacks, NTTDATA-CERT introduced MISP (*1) and reworked its IoC processing operations around it.

Introduction of MISP

MISP is open-source software (OSS) for managing and sharing threat intelligence. For an overview of MISP, see the MISP project's official documentation (*1).

Figure 1 compares the IoC processing flow before and after the introduction of MISP at NTTDATA-CERT.

Figure 1: IoC processing flow before and after the introduction of MISP at NTTDATA-CERT

The introduction of MISP resolved the issues described above and improved IoC processing capacity as follows.

  • Connect with other organizations' MISP instances to obtain large amounts of IoC
    MISP's Feed function (*2) makes it easy to collect automatically the IoC that other organizations distribute. Through it we can collect fresh, high-quality IoC provided via MISP by CSIRTs (Computer Security Incident Response Teams) and security organizations around the world.
  • Immediately share IoC with overseas group companies
    Previously, it took two to three days to share IoC with domestic and overseas group companies, but with the introduction of MISP, it can now be shared within a few minutes.
  • Able to process and accumulate large amounts of IoC
    As the number of IoCs that can be processed has increased significantly, the range of cyber-attacks that can be dealt with has expanded, including the latest threats.
  • Improved usability of the Web UI for searching and browsing IoC
  • Reduced work errors and labor costs during IoC processing through automation

A More Advanced Utilization of IoC

As a result of the introduction of MISP, the following initiatives for more advanced IoC utilization have become possible.

Adoption of high-quality IoC

We want to reduce false positives as far as possible by using high-quality IoC. We therefore surveyed several papers (*3, *4) and found quality assessment models for IoC information sources. Used as they are, however, these models have many evaluation items and the evaluation takes time to compute, so we built our own practical quality assessment model based on them. Our model mainly uses the following items:

  • Amount, frequency, and continuity of IoC delivery
  • Presence or absence of additional information beyond the bare indicator (source/destination IP address, domain, or URL)
  • Detection accuracy and false-detection rate of the IoC (the share of the feed that is genuinely malicious versus allowlisted or legitimate sites)
  • Whether the data format is machine-readable and can be processed automatically

Using this unique quality assessment model, we evaluated multiple IoC information sources and adopted three new high-quality IoC information sources.

  • (*3) Schaberreiter, T., Kupfersberger, V., Rantos, K., Ilioudis, C., et al.: A Quantitative Evaluation of Trust in the Quality of Cyber Threat Intelligence Sources, Proc. ARES '19: 14th International Conference on Availability, Reliability and Security, Canterbury, United Kingdom (2019).
  • (*4) Ermerins, J., van Noort, N., Velasco, L., Marques, N. J.: Scoring model for IoCs by combining open intelligence feeds to reduce false positives, Security and Network Engineering, University of Amsterdam (2020).

Introduction to the IoC Lifecycle

Adopting these three new high-quality IoC sources increased the number of IoCs collected each day. However, there is a limit to the number of IoCs that security equipment can hold. Moreover, in recent cyber-attacks the IP addresses and URLs used are discarded quickly: the lifetime of such IoCs is short, so they soon become ineffective for protection and detection, and once the infrastructure behind them is reassigned to legitimate use, the probability of false positives increases.

IoCs registered on security devices should therefore be replaced frequently rather than accumulated and used indefinitely. We created and introduced an IoC lifecycle model that collects, uses, and discards large numbers of IoCs in a rapid cycle.
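To make the collect-use-discard cycle concrete, here is an added example (not NTTDATA-CERT's lifecycle model or code) of an indicator store with per-type lifetimes, expiry, a device capacity cap, and a diff that tells the device what to add and remove on each cycle. The lifetimes in TTL_DAYS, the capacity of 2, and the sightings (which use RFC 5737 and reserved example names) are assumptions constructed for illustration; the type names are MISP attribute types.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed lifetimes per MISP attribute type, in days (illustrative, not NTTDATA-CERT's policy):
# short-lived network indicators are retired quickly, file hashes are kept much longer.
TTL_DAYS = {"ip-dst": 7, "url": 14, "domain": 30, "sha256": 365}


@dataclass
class Ioc:
    type: str
    value: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)

    @property
    def key(self):
        return (self.type, self.value)


class IocLifecycle:
    """Collect -> use -> discard cycle for indicators pushed to security devices."""

    def __init__(self, device_capacity, ttl_days=TTL_DAYS):
        self.capacity = device_capacity   # maximum entries the device blocklist can hold
        self.ttl = ttl_days
        self.store = {}                   # (type, value) -> Ioc

    def collect(self, type_, value, seen_at, source):
        """Ingest one sighting; a re-sighting refreshes last_seen instead of duplicating."""
        if type_ not in self.ttl:
            raise ValueError(f"no lifetime policy for type {type_!r}")
        ioc = self.store.get((type_, value))
        if ioc is None:
            self.store[(type_, value)] = Ioc(type_, value, seen_at, seen_at, {source})
        else:
            ioc.last_seen = max(ioc.last_seen, seen_at)
            ioc.sources.add(source)

    def expire(self, now):
        """Discard indicators not re-sighted within their type's lifetime; return their keys."""
        expired = [k for k, i in self.store.items()
                   if now - i.last_seen > timedelta(days=self.ttl[i.type])]
        for k in expired:
            del self.store[k]
        return expired

    def export(self, now):
        """Keys to load on the device: active IoCs, freshest (then most corroborated) first, capped."""
        self.expire(now)
        ranked = sorted(self.store.values(),
                        key=lambda i: (i.last_seen, len(i.sources)), reverse=True)
        return [i.key for i in ranked[: self.capacity]]


def plan_update(previous, current):
    """Diff two exports into (to_add, to_remove) so the device list is replaced, not accumulated."""
    prev, cur = set(previous), set(current)
    return cur - prev, prev - cur


def build_sample():
    """Constructed sightings for the demonstration; returns (lifecycle, evaluation time)."""
    utc = timezone.utc
    now = datetime(2024, 6, 30, tzinfo=utc)
    lc = IocLifecycle(device_capacity=2)
    lc.collect("ip-dst", "203.0.113.10", datetime(2024, 6, 20, tzinfo=utc), "feed-a")  # 10 days old
    lc.collect("ip-dst", "203.0.113.20", datetime(2024, 6, 28, tzinfo=utc), "feed-a")
    lc.collect("ip-dst", "203.0.113.20", datetime(2024, 6, 29, tzinfo=utc), "feed-c")  # re-sighted
    lc.collect("url", "http://example.net/x", datetime(2024, 6, 25, tzinfo=utc), "feed-b")
    lc.collect("domain", "example.org", datetime(2024, 5, 25, tzinfo=utc), "feed-a")   # 36 days old
    lc.collect("sha256", "a" * 64, datetime(2024, 1, 15, tzinfo=utc), "feed-c")
    return lc, now


if __name__ == "__main__":
    lc, now = build_sample()
    previous = [("ip-dst", "203.0.113.10"), ("url", "http://example.net/x")]  # what the device holds now
    current = lc.export(now)
    to_add, to_remove = plan_update(previous, current)
    print("device list:", current)
    print("add:", to_add, "remove:", to_remove)
```

Run against the constructed sightings at 2024-06-30, the 10-day-old IP and the 36-day-old domain are expired, the hash stays in the store but is left off the device because the two freshest entries fill the capacity, and the device receives one addition (203.0.113.20) and one removal (203.0.113.10). Ranking by last_seen rather than first_seen is the point of the model: an indicator that keeps being re-sighted stays, one that goes quiet is rotated out.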

Global IoC Sharing

NTTDATA-CERT is promoting IoC sharing among NTT DATA Group companies in Japan and overseas, and as shown in Figure 2 has achieved global IoC sharing. MISP's Synchronization function (*5) makes it easy to share IoC with other MISP instances. With this function, IoC that previously stayed within the group companies of each country can now be shared across the entire group.

Figure 2: Global IoC Sharing in the NTT DATA Group

CSIRTs, security organizations, and the MISP community (*6) around the world use MISP to share IoC actively. By connecting to these organizations through MISP we can acquire more IoC. NTTDATA-CERT provides IoC to other organizations and also contributes to the MISP community by reporting MISP bugs.

Summary

This article described how NTTDATA-CERT improved its IoC processing operations by introducing MISP. The introduction of MISP not only improved operational efficiency but also expanded the scope of cyber-attack response and increased its speed, improving our overall ability to respond to cyber-attacks.

We hope that this article will help promote the spread of MISP and help readers improve the ability of their CSIRTs to respond to cyber-attacks!

Fukusuke Takahashi

NTT DATA Group Corporation

After joining NTT DATA, he was responsible for building an automation platform for CSIRT operations. He is currently engaged mainly in coordinating threat intelligence, including OSINT, within NTT DATA.