Mastering the Craft: Producing and Sharing Top-tier Cyber Threat Intelligence (CTI) in MISP
Synopsis
The goal of this workshop is to teach participants how to create and disseminate top-tier Cyber Threat Intelligence (CTI) using MISP. Top-tier CTI is not only rich in context, informative, and consistently structured; it also tells a story.
The workshop is set against the backdrop of an internal CTI team responsible for producing intelligence in MISP for internal defence teams such as the SOC, threat hunting, or the red team, and for sharing that intelligence with external organisations so they can protect themselves against similar threats or campaigns.
Before the workshop begins, a concise overview of how the MISP data model can be used to narrate a story will be shared with the class and used as a reference throughout the workshop.
This workshop is designed to give participants practical experience, a framework, useful tips, and guidelines on how to tell that story within MISP events. Each participant will have access to a MISP environment. This environment is a distributed infrastructure spanning two organisations, so that participants can push and share CTI packages between them. Each organisation will review the other's shared CTI and offer suggestions for improvement.
Participants will be placed in situations where they need to analyse threats in four different contexts: a completed intelligence report, a malware email campaign, an incident response engagement, and threat research. In each context they will produce CTI within MISP in a way that articulates both the threat and its context, so that the receiving organisation or team can understand and act on that intelligence.
Participants will be guided through each context and coached on how to perform basic threat analysis and gather the details relevant to the situation. They will then create an event in MISP and populate it with the relevant artifacts, following the framework and guidelines for producing CTI. Once the event is complete, they will share it with the other organisation.
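The create, populate, share workflow described above, as an added example (not code from the workshop or from the MISP project): a stdlib-only Python script that assembles an event in the MISP core JSON format for a constructed phishing campaign, with the lure, its link and the downloaded archive as three objects joined by object references, an analyst comment on every detection indicator, TLP and ATT&CK tags, and an EventReport carrying the narrative. It then runs the event through a pre-share check. The sample artefacts, the analyst comments and the four checking rules are constructed for illustration and are not the workshop's framework; object template UUIDs are omitted because a MISP instance resolves them from its installed templates, and the relationship names `contains` and `downloaded-from` are assumed to exist in the instance's relationship list.

```python
"""MISP core-format event for a constructed phishing campaign plus a pre-share
quality check. Stdlib only; artefacts and rules are this example's assumptions."""
import json
import uuid
from datetime import date

# MISP distribution levels (numeric values used by the API).
DIST_ORG_ONLY, DIST_COMMUNITY, DIST_CONNECTED, DIST_ALL, DIST_SHARING_GROUP = 0, 1, 2, 3, 4

# Constructed sample artefacts for a fictitious campaign (not real indicators).
SAMPLE = {
    "sender": "billing@invoice-portal.invalid",
    "subject": "Overdue invoice 4471",
    "domain": "invoice-portal.invalid",
    "url": "http://invoice-portal.invalid/dl/inv4471.zip",
    "filename": "inv4471.zip",
    "sha256": "c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2",
}

def make_attribute(type_, value, category, comment, to_ids=True, relation=None):
    """One attribute; the comment carries the analyst context a receiver needs."""
    attr = {"uuid": str(uuid.uuid4()), "type": type_, "category": category,
            "value": value, "to_ids": to_ids, "comment": comment}
    if relation is not None:  # only for attributes that live inside an object
        attr["object_relation"] = relation
    return attr

def make_object(name, meta_category, comment, attributes):
    """A MISP object; template_uuid/version are left for the instance to resolve."""
    return {"uuid": str(uuid.uuid4()), "name": name, "meta-category": meta_category,
            "comment": comment, "Attribute": attributes, "ObjectReference": []}

def add_reference(src, dst, relationship_type, comment):
    """Relate two objects; references turn a bag of IOCs into a story graph."""
    src["ObjectReference"].append({"uuid": str(uuid.uuid4()), "referenced_uuid": dst["uuid"],
                                   "relationship_type": relationship_type, "comment": comment})

def build_phishing_event(s, distribution=DIST_COMMUNITY):
    """Lure email -> link -> downloaded archive, one object each, linked in order."""
    email = make_object("email", "network", "Lure as received by the finance mailbox", [
        make_attribute("email-src", s["sender"], "Payload delivery",
                       "Spoofed billing sender; SPF fail at the gateway", relation="from"),
        make_attribute("email-subject", s["subject"], "Payload delivery",
                       "Same subject on 12 recipients", to_ids=False, relation="subject")])
    link = make_object("url", "network", "Download link from the message body", [
        make_attribute("url", s["url"], "Network activity",
                       "Served the archive; live at time of analysis", relation="url"),
        make_attribute("domain", s["domain"], "Network activity",
                       "Registered three days before the first email", relation="domain")])
    archive = make_object("file", "file", "Archive fetched from the link", [
        make_attribute("sha256", s["sha256"], "Payload delivery",
                       "Detonated in sandbox; unpacks a loader (see report)", relation="sha256"),
        make_attribute("filename", s["filename"], "Payload delivery",
                       "Name as served", to_ids=False, relation="filename")])
    add_reference(email, link, "contains", "Link embedded in the message body")
    add_reference(archive, link, "downloaded-from", "Retrieved during detonation")
    return {"Event": {
        "uuid": str(uuid.uuid4()),
        "info": "Phishing campaign: fake overdue-invoice lure delivering an archived loader",
        "date": date.today().isoformat(),
        "distribution": distribution,
        "threat_level_id": 2,  # medium
        "analysis": 2,         # complete
        "published": False,
        "Tag": [{"name": "tlp:amber"},
                {"name": 'misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"'}],
        "Attribute": [],
        "Object": [email, link, archive],
        "EventReport": [{"uuid": str(uuid.uuid4()), "name": "Analyst summary",
                         "content": "Invoice-themed lure; the link downloads an archive carrying "
                                    "a loader. Block the domain, hunt for the hash on endpoints."}],
    }}

def narrative_issues(event):
    """Pre-share checks (this example's own rules): a TLP marking, a narrative,
    no orphan objects, and no detection indicator without analyst context."""
    ev = event["Event"]
    issues = []
    if not any(t["name"].startswith("tlp:") for t in ev.get("Tag", [])):
        issues.append("no tlp: tag; receivers cannot tell how far the event may travel")
    if not ev.get("EventReport"):
        issues.append("no EventReport: indicators without a narrative")
    objs = ev.get("Object", [])
    referenced = {r["referenced_uuid"] for o in objs for r in o["ObjectReference"]}
    for o in objs:
        if not o["ObjectReference"] and o["uuid"] not in referenced:
            issues.append(f"object '{o['name']}' is not linked to anything")
    for a in ev.get("Attribute", []) + [a for o in objs for a in o["Attribute"]]:
        if a["to_ids"] and not a["comment"].strip():
            issues.append(f"detection attribute {a['type']}={a['value']} has no analyst comment")
    return issues

if __name__ == "__main__":
    event = build_phishing_event(SAMPLE)
    print(narrative_issues(event) or "ready to share")
    print(json.dumps(event, indent=2)[:300])
```

The JSON the script produces is the shape a MISP instance accepts on its events endpoint and the shape that travels between the two organisations during a sync, so the same check can gate an outbound push. The `distribution` argument is the knob to change when the same event is first kept for the internal SOC and later released to the partner organisation.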
By the end of the workshop, each participant should not only understand what top-tier CTI looks like but also what it takes to produce it.
Prerequisites
- The course is not a primer on using MISP for the first time. It teaches you how to think about what needs to be created in MISP to tell a story and share it internally and externally.
- Working knowledge of MISP functionality, its data model and the platform
- Working knowledge of malware sandboxes (ideally Tria.ge or app.any.run)
- Understanding of how network and security controls work
- Understanding and application of MITRE ATT&CK and attack paths
- An Outlook/Microsoft account
- A Google/Gmail account