realtime communication of misp zeek and siems
play

Realtime Communication of MISP , Zeek, and SIEMs Matthias - PowerPoint PPT Presentation

Feb 12, 2024 •305 likes •520 views

Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir CERN Intelligence in Zeek Architecture Intel::Item represents intelligence Intel::Type one of ADDR, SUBNET, URL, SOFTWARE, EMAIL, DOMAIN,

  1. Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vâlsan Tenzir CERN

  2. Intelligence in Zeek • Architecture • Intel::Item represents intelligence • Intel::Type one of ADDR, SUBNET, URL, SOFTWARE, EMAIL, DOMAIN, USER_NAME, CERT_HASH, PUBKEY_HASH, FILE_HASH, FILE_NAME • Cluster • Manager holds full intel data, disseminates minimal subset to workers • Workers report back matches to master

  3. Intelligence in MISP • MISP: Open-Source Threat Intelligence Sharing Platform • Zeek’s Intel::Item = MISP attribute • Can download a snapshot of MISP intel via REST API • ZeroMQ pub/sub for all MISP activity • Publisher (MISP): stream of (topic, JSON) data • Subscriber (User): consume and process data

  4. Related Work: dovehawk • https://github.com/tylabs/dovehawk • Direct use of MISP’s REST API • Can report Zeek intel matches • Back to MISP as sightings • To Slack channel • Implementation • Via Zeek’s ActiveHTTP framework • Periodic download of intel snapshot • Intel framework weeds out duplicates • Limitations • Snapshot-based • No real-time feed of deltas

  5. A new approach: The Robo Investigator

  6. Historical Intel Matching

  7. Robo Investigator - Architecture • Pluggable producer / consumer architecture : • Producers: MISP (candidates: IntelMQ, STIX, passive DNS) • Consumers: Zeek, VAST/Tenzir (candidates: Sigma) • Bidirectional communication channels • Written in Python 3 • pymisp, broker, confluent_kafka, pyzmq • asyncio for coroutine-based concurrency

  8. Robo Investigator - Benefits • Real-time processing of new / changing intel • No need to wait for next snapshot • Only delta requires processing: constant-time work -> finally scales! • New Kafka interface from CERN enables reliable intel delivery • Integration of SIEM context • Historic sightings reconstruct full picture of incident • Decoupled components improves flexibility and maintainability • Can add different intel providers • Zeek scripts are agnostic to intel format

  9. Zeek Consumer • Broker-based communication • Supports standalone and cluster mode • Can ask for intel snapshot at startup • Noisy intel feature: • Handling matches of heavy hitters causes high CPU load • Zeek sends special event if intel matches exceed a certain rate • Zeek then removes intel locally (high CPU load otherwise) • Robo sends a proposal to remove IDS flag from corresponding MISP attribute

  10. VAST / Tenzir Consumer • Example of SIEM integration • Translates intel into historical queries • Extracts timestamps from results • Reports sighting times for given intel • Efficient control and data channel* • Fast communication via CAF • Zero-copy data sharing via Apache Arrow *under development

  11. CERN SOC

  12. Zeek @ CERN

  13. Zeek @ CERN • Zeek as the primary Intrusion Detection System • Monitoring all traffic passing at the borders: • Between CERN and the public Internet • Guest WiFi network • Between specific CERN network domains • 200 Gbps total bandwidth • 16 Zeek servers in total • 10 production active nodes • 2 production backups • 4 QA

  14. MISP @ CERN • MISP as the sole threat intelligence platform • A total of 4 MISP instances • All instances behind Single Sign On • Main instance • > 1.3 million IoCs (MISP attributes) • > 400 contributing organizations • Most intel coming from other MISP instances • Importing of special purpose, private intel feeds

  15. MISP & Zeek @ CERN • Periodic export from MISP into Zeek intel framework format • IoCs from events (re)published in the past 30 days • IoCs from events with specific tags • On average 100 000 IoCs being actively used • Issues: • Full export every time • High load of the small VM hosting MISP • Delay before intel gets added / remove from Zeek • Intel used only for realtime detection • Sightings are not reported back to MISP

  16. Extending MISP • MISP support for ZeroMQ publishing since 2015 (MISP v2.3.87) • ZeroMQ implementation does not fit into our setup • Attributes published as soon as they are added to MISP • CERN contributed Kafka support in MISP • Available starting from MISP v2.4.104 • Feature equivalent to ZeroMQ support • Kafka topic for (re)published MISP events

  17. Deployment of Robo Investigator @ CERN • Deployment on one of the QA Zeek node • Receiving an exact copy of the traffic going to a production Zeek instance • Connected to our development MISP instance • Successfully validated core functionality: • Real-time ingestion / removal of intel items • Dump of all intel items from Zeek • Removal of noisy intel items • Proposal added to MISP for removing the IDS flag • Intel sightings from Zeek to MISP

  18. Next steps for Robo Investigator @ CERN • Perform exhaustive loading of intel database • Trigger historical searches for newly added IoCs • Add new intel consumer • Transition into production deployment

  19. Summary • Intelligence is a key driver for threat hunting and incident response • For maximum efficacy: feed intel to detection and forensics tools • Demonstrated an integrated solution to do this in real time • MISP + Zeek + SIEM • Key benefit: reduced time to detect critical intel • Operational validation at CERN SOC • Core features add value • Next step: transition into production deployment

  20. Questions? Matthias Vallentin Liviu Vâlsan matthias@tenzir.com liviu.valsan@cern.ch

Recommend

Improving Intelligence Community MISP as an enabler for intelligence analysis MISP Project

Improving Intelligence Community MISP as an enabler for intelligence analysis MISP Project

Improving Intelligence Community MISP as an enabler for intelligence analysis MISP Project https://www.misp-project.org/ 20181117 Threat Sharing Alexandre Dulaunoy @adulau @MISPProject MISP and CIRCL CIRCL is mandated by the Ministry of

348 views • 23 slides
MISP Workbench - Because you know better MISP - Malware Information Sharing Platform & Threat

MISP Workbench - Because you know better MISP - Malware Information Sharing Platform & Threat

MISP Workbench - Because you know better MISP - Malware Information Sharing Platform & Threat Sharing Marion Marschalek - Rapha el Vinot - TLP:WHITE July 6, 2016 MISP and starting from a practical use-case During a malware analysis

357 views • 18 slides
Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro ->

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro ->

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro -> zeek broctl -> zeekctl bro-cut -> zeek-cut bro-pkg -> zkg /usr/local/bro -> /usr/local/zeek *.bro -> *.zeek bro_{init,done} ->

907 views • 13 slides
GTFS-realtime What is GTFS-realtime GTFS-realtime is an extension of the General Transit Feed

GTFS-realtime What is GTFS-realtime GTFS-realtime is an extension of the General Transit Feed

GTFS-realtime What is GTFS-realtime GTFS-realtime is an extension of the General Transit Feed Specification( GTFS ) that gives public transportation agencies the capability to provide realtime updates about their fleet. Feed Types There are

521 views • 35 slides
How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

Run, Zeek, RUN! How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October 11, 2019 ESNet Goals for this presentation The Quest for Efficiency started Long Ago Can Zeek run faster without code

791 views • 25 slides
Realtime Hair Rendering Erik Sintorn - erik.sintorn@chalmers.se State of the art (realtime) In

Realtime Hair Rendering Erik Sintorn - erik.sintorn@chalmers.se State of the art (realtime) In

Realtime Hair Rendering Erik Sintorn - erik.sintorn@chalmers.se State of the art (realtime) In recent games In recent research State of the art (realtime) A few hundred Half a million individual line textured polygons segments What makes

636 views • 51 slides
WebRTC Plugin-free realtime communication Sam Dutton Developer Advocate, Google Chrome @sw12

WebRTC Plugin-free realtime communication Sam Dutton Developer Advocate, Google Chrome @sw12

WebRTC Plugin-free realtime communication Sam Dutton Developer Advocate, Google Chrome @sw12 gowebrtc.appspot.com github.com/samdutton/gowebrtc WebRTC is a new front in the long war for an open and unencumbered web Brendan Eich

1.67k views • 110 slides
FRET: FOG COMPUTING FOR REALTIME EXOTIC TRADES 1 FRET: FOG COMPUTING FOR REALTIME EXOTIC

FRET: FOG COMPUTING FOR REALTIME EXOTIC TRADES 1 FRET: FOG COMPUTING FOR REALTIME EXOTIC

FAISAL HABIB CSC 2228 PROJECT PRESENTATION DECEMBER 4, 2019 FRET: FOG COMPUTING FOR REALTIME EXOTIC TRADES 1 FRET: FOG COMPUTING FOR REALTIME EXOTIC TRADES INTRODUCTION Quick Overview of Financial Instruments Problem Description

262 views • 12 slides
Realtime Water Simulation Benjamin Harry CS148 Final Project Project Goal Create a realtime

Realtime Water Simulation Benjamin Harry CS148 Final Project Project Goal Create a realtime

Realtime Water Simulation Benjamin Harry CS148 Final Project Project Goal Create a realtime water simulation that exhibits characteristics of a real body of water. Generate believable waves in realtime Light reflection and transmission

179 views • 14 slides
Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi Brent Second Prize Intel-Limiter Package - Jan GrasHoefer Third Prize zeek-sniffpass Package - Andrew Klaus Fourth Prize Known-hosts-with-dns -

177 views • 7 slides
OSS is changing the Security information sharing landscape. Focus on the MISP objects and other

OSS is changing the Security information sharing landscape. Focus on the MISP objects and other

OSS is changing the Security information sharing landscape. Focus on the MISP objects and other recent improvements on the platform Rapha el Vinot - TLP:WHITE info@circl.lu RMLL 2017 TL;DR Started in 2012 by Christophe Vandeplas (Belgian

793 views • 31 slides
Realtime Data Processing at Facebook Abhay Venkatesh Actionable reports Why e.g. Chorus:

Realtime Data Processing at Facebook Abhay Venkatesh Actionable reports Why e.g. Chorus:

Realtime Data Processing at Facebook Abhay Venkatesh Actionable reports Why e.g. Chorus: what is trending right now? Realtime monitoring Streaming at e.g. dashboard queries Facebook? Hybrid realtime-batch pipelines e.g.

301 views • 18 slides
Equinox: A C++11 platform for realtime SDR applications Equinox: A C++11 platform for realtime SDR

Equinox: A C++11 platform for realtime SDR applications Equinox: A C++11 platform for realtime SDR

Equinox: A C++11 platform for realtime SDR applications Equinox: A C++11 platform for realtime SDR applications GSA 2019 Manolis Surligas surligas@csd.uoc.gr Computer Science Department, University of Crete Equinox Equinox is a C++11

422 views • 14 slides
Physical processes affecting stratocumulus Siems et al. 1993 Lecture 15, Slide 1 Sc physical

Physical processes affecting stratocumulus Siems et al. 1993 Lecture 15, Slide 1 Sc physical

Physical processes affecting stratocumulus Siems et al. 1993 Lecture 15, Slide 1 Sc physical processes: Radiation Net upward radiative flux Strong longwave cooling at cloud top destabilizes SCBL, creating turbulence Shortwave heating in cloud

132 views • 10 slides
CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC

THE cloud data feed CC - Elisa Azzali CC - Tim Morgan CC - Quinn Dombrowski Public domain - Theodore C. Marceau CC - Erik Christensen Damn-fast and effective malware info sharing with MISP by Christophe Vandeplas http://misp-project.org

692 views • 47 slides
Shareholder Protection: A Leximetric Approach Mathias Siems & Priya Lele Centre for Business

Shareholder Protection: A Leximetric Approach Mathias Siems & Priya Lele Centre for Business

Comparative Company Law Shareholder Protection: A Leximetric Approach Mathias Siems & Priya Lele Centre for Business Research University of Cambridge CBR Summit: 29-30 March 2006 Innovation and Governance I. Shareholder protection index

257 views • 15 slides
SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

U U U U U U U- U - - communication - - - - - communication communication communication communication communication communication communication Korea Mobile Market Trend for Convergence & Ubiquitous Communication 2004.

400 views • 16 slides
Realtime Search with Lucene Michael Busch @michibusch michael@twitter.com buschmi@apache.org

Realtime Search with Lucene Michael Busch @michibusch michael@twitter.com buschmi@apache.org

Realtime Search with Lucene Michael Busch @michibusch michael@twitter.com buschmi@apache.org Monday, June 7, 2010 1 Realtime Search with Lucene Agenda Introduction - Near-realtime Search (NRT) - Searching DocumentsWriters RAM buffer

1.06k views • 87 slides
Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats

Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats

Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats Woah-2-la-wits If you were confused by all of the consonants jammed together PROPRIETARY AND CONFIDENTIAL Talking today about how to open pull requests

574 views • 18 slides
XMPP and Android Florian Schmaus Ignite Realtime 2015-01-31 Florian Schmaus (Ignite Realtime)

XMPP and Android Florian Schmaus Ignite Realtime 2015-01-31 Florian Schmaus (Ignite Realtime)

XMPP and Android Florian Schmaus Ignite Realtime 2015-01-31 Florian Schmaus (Ignite Realtime) XMPP and Android 2015-01-31 1 / 19 Technology Overview XMPP e X tensible M essaging and P resence P rotocol Allows to exchange data in form of

546 views • 39 slides
Rtosc Realtime Open Sound Control Mark McCurry 2018 Rtosc Realtime Open Sound Control

Rtosc Realtime Open Sound Control Mark McCurry 2018 Rtosc Realtime Open Sound Control

Rtosc Realtime Open Sound Control Rtosc Realtime Open Sound Control Mark McCurry 2018 Rtosc Realtime Open Sound Control Motivation What is OSC? Path + argument types + argument data Types include: i : int32 , s : string , b :

704 views • 35 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
LUCAS VASCONCELOS SANTANA IME-USP APACHE STORM is a free and open source distributed realtime

LUCAS VASCONCELOS SANTANA IME-USP APACHE STORM is a free and open source distributed realtime

LUCAS VASCONCELOS SANTANA IME-USP APACHE STORM is a free and open source distributed realtime computation system. Storm makes it easy to reliably process unbounded streams of data, doing for realtime processing what Hadoop did for batch

448 views • 18 slides
Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick

Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick

Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick Skelsey ZeekWeek 2019 Seattle, WA 11 October, 2019 AGENDA Motivation 1. State of the art 2. Monopticon 3. Related research 4. 2 CONNECTIVITY

505 views • 24 slides

More recommend