Using and abusing MISP to track campaigns

Keyboard shortcuts

Action

Key

Play / Pause

K or space

Mute / Unmute

Toggle fullscreen mode

Select next subtitles

Select next audio track

Show slide in full page or toggle automatic source change

Seek 5s backward

left arrow

Seek 5s forward

right arrow

Seek 10s backward

shift + left arrow or J

Seek 10s forward

shift + right arrow or L

Seek 60s backward

control + left arrow

Seek 60s forward

control + right arrow

Decrease volume

shift + down arrow

Increase volume

shift + up arrow

Decrease playback rate

Increase playback rate

Seek to end

end

Seek to beginning

beginning

Loading Click here to add:

Subscribe to notifications

When subscribed to notifications, an email will be sent to you for all added annotations.

Your user account has no email address.

Information on this media

129 views

The security landscape evolves very fast and every day comes a new report about a brand new attacker, scarier than the day before and we have short memory so we tend to forget about what happened a few month ago.
As of now, MISP is mostly a repository for incident responders where you can easily add new events and correlate them efficiently but not much work has been put into grouping the events together following different indicators (type of target, technical indicators in the binaries, …) after the fact.
We already presented our initial findings at Troopers a few month ago. We will investigate further on that topic and present the tools we developed in order to make the life of the analyst easier.

Marion Marschalek

Marion Marschalek is a Principal Malware Researcher at G DATA Advanced Analytics, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems where she built a thorough understanding of how threats and protection systems work and how both occasionally fail. Next to that Marion teaches malware analysis at University of Applied Sciences St. Pölten and frequently contributes to articles and papers. She has spoken at international conferences around the globe, among others Blackhat, RSA, SyScan, hack.lu and Troopers. Marion came off as winner of the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake. She practices martial arts and has a vivid passion to take things apart.

Raphaël Vinot

Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing or participating to the development of tools (Github personnal account, work account, MISP account, write a MISP module) to improve and ease the day-to-day incident response capabilities of the CSIRT he works for but also for other teams doing similar activities. Another big part of his activities is to administrate the biggest MISP instance in Europe (information on how to get access to the platform) with >250 companies, 600 users and more than 300.000 attributes. This is the source used in this research project.

https://sec2016.rmll.info

Creation date: July 6, 2016

Speakers: Marion Marschalek & Raphaël Vinot

Company: RMLL

License: CC BY SA v4

Links:

Latest annotations RSS feed

Information on this media

Marion Marschalek

Raphaël Vinot

Other media in the channel "Sécurité"