Strategic role of MISP in the regional information exchange model used by CSIRTAmericas

Interview: Chile’s National CSIRT on OAS’ MISP Project with CSIRTAmericas

The OAS launched the first stage of the Malware Information Sharing Platform (MISP) node in 2018 with the four Pacific Alliance members: Colombia, Chile, Mexico and Peru. MISP plays a leading role in the operational framework of the Hemispheric Network of CSIRTs of OAS Member States (CSIRTAmericas) by seeking to promote a harmonized, multidirectional exchange of indicators of compromise for cybersecurity incidents that affect Member States. This interview provides further insight into the significance of MISP, how it is used by CSIRTs, the challenges in implementing the MISP model, and more.

Q: Why is the OAS’ MISP project with CSIRTAmericas important and what challenge is it trying to address?

A: The 2017 WannaCry ransomware attack demonstrated some of the major shortfalls of the global community in the sharing of cybersecurity information. The attack affected over 200,000 computers in 150 countries. It was difficult to mitigate due to the duplication of information, the diversity of formats in shared reports, the lack of homogenization in the categorization of incidents and, above all, the absence of a collaborative, knowledge-sharing mechanism. Faced with this challenge, the need to strengthen mechanisms for the exchange of actionable information arose in the Americas region.

One of the main objectives of the OAS, through its Hemispheric Network of Computer Incident Response Teams of OAS Member States (CSIRTAmericas), is to generate early alerts and to prevent and minimize the response times to incidents that affect technological platforms and systems within the region.
That said, MISP takes on a leading role within the operational framework of the CSIRTAmericas platform, as a service for the region that seeks to promote a harmonized and multidirectional exchange of indicators of compromise for cybersecurity incidents that affect the Member States.

Q: What do the CSIRTs use MISP for?

A: MISP is a free and open source project co-financed by CSIRT.lu and the European Union. The project was conceived out of the day-to-day operation of a typical CSIRT; MISP is therefore perfectly compatible with the working modalities of response teams, facilitating peer-to-peer (P2P) sharing of IOCs and cyber-threat indicators between CSIRTs.
Proof of its success is the large number of multi-sector MISP communities that have formed around the world, among them the FIRST MISP Community, the NATO MISP Community, the CIRCL MISP Community and the various X-ISACs in different regions.
In the case of Latin America and the Caribbean, the MISP project is very attractive as it provides a collaborative, knowledge-sharing regional mechanism that greatly benefits the countries of the region, especially their response teams, which face limited human resources and financial constraints. The collective analysis and correlation of indicators that MISP provides for detecting the attack patterns of emerging hacker groups further consolidates the work of the CSIRTAmericas community by increasing regional operational coordination and generating spaces of trust between members of the CSIRTs of OAS Member States.

Q: How is the launch of the MISP significant for your region?

A: The OAS has been successful in launching the first stage of a regional MISP node through the four members of the Pacific Alliance: Colombia, Chile, Mexico and Peru. In April 2018, in Bogota, Colombia, these four countries gathered to establish the operational guidelines for the exchange of information among their respective CSIRTs.
The Inter-American Committee against Terrorism (CICTE), through its Cybersecurity Program and its CSIRTAmericas Hemispheric Network (CSIRTAmericas.org), was able to establish a common cybersecurity incident taxonomy for use in the CSIRTAmericas network. It seeks to facilitate the exchange of information and the notification of incidents through different communication channels (e.g. MISP) between Member States, in order to contribute to the harmonization of taxonomies across the Americas region and to improve the development of statistics on cyber-incident trends in the region.

This taxonomy allows the Pacific Alliance countries to increase the exchange of Indicators of Compromise (IOCs) through MISP. Most of the cases shared have been associated with incidents such as spear-phishing and ransomware directed at government entities, as well as BEC attacks targeting the economic conglomerates of each respective country.
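As an added example (not code from this page, from the MISP project or from CSIRTAmericas), the block below builds MISP-shaped events from three hypothetical CSIRTs and shows, on constructed data, what the two answers above describe: machine tags drawn from a shared taxonomy, correlation of an indicator value reported independently by two teams, TLP-gated selection of to_ids indicators for detection, and a per-incident-type count of the kind a common taxonomy makes possible. The CSIRT names, UUIDs, the `regional-taxonomy` namespace and every indicator value are assumptions; only the event shape (Event, Orgc, Tag, Attribute) and the `tlp:*` tags follow real MISP conventions.

```python
"""Added example: correlating indicators across MISP-style events shared by several CSIRTs.

Illustrative code written for this page, not code from MISP or from the OAS/CSIRTAmericas
project. It assumes MISP's JSON event shape (Event -> Orgc, Tag, Attribute); the CSIRT names,
the "regional-taxonomy" tag namespace, UUIDs and all indicator values are constructed.
"""
import hashlib
import re
from collections import Counter, defaultdict

# MISP taxonomy "machine tags" look like  namespace:predicate  or  namespace:predicate="value".
TAXONOMY_RE = re.compile(r'^(?P<ns>[^:]+):(?P<pred>[^=]+)(?:="(?P<val>[^"]*)")?$')

# Traffic Light Protocol levels, least to most restrictive (clear is the newer name for white).
TLP_ORDER = {"clear": 0, "white": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}

# Constructed sample: a fake file hash so the example carries a valid-looking sha256 value.
SAMPLE_HASH = hashlib.sha256(b"constructed sample, not a real malware file").hexdigest()


def make_event(uuid, org, info, tags, attributes):
    """Build one event in MISP's JSON shape; attributes are (type, category, value, to_ids)."""
    return {"Event": {
        "uuid": uuid, "info": info, "Orgc": {"name": org},
        "Tag": [{"name": t} for t in tags],
        "Attribute": [{"type": t, "category": c, "value": v, "to_ids": ids}
                      for (t, c, v, ids) in attributes],
    }}


# Constructed events from three hypothetical CSIRTs (documentation IPs/domains, RFC 5737/2606).
SAMPLE_EVENTS = [
    make_event("9a1b2c3d-0000-4000-8000-000000000001", "CSIRT-A (hypothetical)",
               "Spear-phishing against a ministry (constructed)",
               ["tlp:amber", 'regional-taxonomy:incident-type="spear-phishing"'],
               [("email-src", "Payload delivery", "payroll@invoice.example.com", True),
                ("domain", "Network activity", "update.example.net", True),
                ("ip-dst", "Network activity", "198.51.100.23", True),
                ("sha256", "Payload delivery", SAMPLE_HASH, True)]),
    make_event("9a1b2c3d-0000-4000-8000-000000000002", "CSIRT-B (hypothetical)",
               "BEC attempt against a conglomerate (constructed)",
               ["tlp:green", 'regional-taxonomy:incident-type="bec"'],
               [("email-src", "Payload delivery", "payroll@invoice.example.com", True),
                ("ip-dst", "Network activity", "198.51.100.23", True),
                ("url", "Network activity", "http://update.example.net/login", False)]),
    make_event("9a1b2c3d-0000-4000-8000-000000000003", "CSIRT-C (hypothetical)",
               "Ransomware at a public hospital (constructed)",
               ["tlp:amber", 'regional-taxonomy:incident-type="ransomware"'],
               [("sha256", "Payload delivery", SAMPLE_HASH, True),
                ("ip-dst", "Network activity", "192.0.2.77", True)]),
]


def taxonomy_tags(event, namespace):
    """Return {predicate: value} for the event's machine tags in one taxonomy namespace."""
    found = {}
    for tag in event["Event"].get("Tag", []):
        m = TAXONOMY_RE.match(tag["name"])
        if m and m.group("ns") == namespace:
            found[m.group("pred")] = m.group("val")
    return found


def correlate(events):
    """Values reported by more than one event, the way MISP's correlation surfaces them.
    Matching is on the exact attribute value, so 'update.example.net' and a URL that merely
    contains it do not correlate. Returns {value: sorted [(org, event uuid), ...]}."""
    seen = defaultdict(set)
    for ev in events:
        e = ev["Event"]
        for attr in e["Attribute"]:
            seen[attr["value"]].add((e["Orgc"]["name"], e["uuid"]))
    return {value: sorted(sources) for value, sources in seen.items() if len(sources) > 1}


def event_tlp(event):
    """TLP level of an event from its tlp:* tag; an untagged event is treated as tlp:red
    (most restrictive), so nothing leaks because someone forgot to label it."""
    levels = [TLP_ORDER[p] for p in taxonomy_tags(event, "tlp") if p in TLP_ORDER]
    return max(levels) if levels else TLP_ORDER["red"]


def actionable_indicators(events, max_tlp):
    """Deduplicated (type, value) pairs flagged to_ids (meant for detection), taken only from
    events whose TLP permits release at max_tlp, e.g. for a partner cleared up to tlp:green."""
    allowed = TLP_ORDER[max_tlp]
    out = set()
    for ev in events:
        if event_tlp(ev) > allowed:
            continue
        for attr in ev["Event"]["Attribute"]:
            if attr["to_ids"]:
                out.add((attr["type"], attr["value"]))
    return sorted(out)


def incident_statistics(events):
    """Count events per incident-type from the shared taxonomy: the regional statistic that
    a common taxonomy makes possible."""
    return Counter(taxonomy_tags(ev, "regional-taxonomy").get("incident-type", "unclassified")
                   for ev in events)


if __name__ == "__main__":
    for value, sources in correlate(SAMPLE_EVENTS).items():
        print(f"{value} reported by {[org for org, _ in sources]}")
    print("shareable at tlp:green:", actionable_indicators(SAMPLE_EVENTS, "green"))
    print("incidents by type:", dict(incident_statistics(SAMPLE_EVENTS)))
```

Running the script shows the sender address and the IP reported by both CSIRT-A and CSIRT-B, and the hash reported by CSIRT-A and CSIRT-C, while the domain and the URL that contains it stay uncorrelated because matching is on the exact value. Only CSIRT-B's event is released to a tlp:green consumer, and an event with no TLP tag is treated as red rather than silently shared.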

Q: What are the challenges in implementing the MISP project?

A: The main objective of the OAS is to integrate various stakeholders and improve their means of communication, particularly to garner and share information, with the overarching goal of creating a sustainable model that can readily respond to the current and future needs of each of our Member States. Therefore, the creation and establishment of a Regional Information Exchange Model has been a permanent priority for the CICTE/Cybersecurity Program.

Some of the major challenges faced by CSIRTAmericas in the implementation of MISP have been primarily two: (1) levelling technical knowledge and overall capacities, and (2) supporting an adequate level of CSIRT management. The first can be attributed to the fact that information is generally scattered and not centrally located, making it difficult to provide guides or case studies applicable to the context of each country and sector that seeks to share information both internally and abroad. The second challenge is due to the high turnover and retention rates of personnel within the CSIRT teams of the region, which causes a lack of corporate knowledge within the CSIRTs and compromises the sustainability of their overall operability.

To address these challenges in facilitating information sharing among CSIRTs of the Americas region, the CSIRTAmericas Hemispheric Network has focused on a model structured around five strategic pillars: (1) Stakeholders, (2) Taxonomy, (3) Information Levels, (4) Communication Channels, and (5) Dissemination Levels. The implementation of MISP has been particularly beneficial in complementing and strengthening our fourth pillar, Communication Channels. MISP, as a model that seeks to be flexible and harmonious and that can scale to offer different services, has been useful in making the exchange of information more dynamic. This has been reflected in the sharing of low-level information (in the sense of ENISA's "Actionable Information for Security Incident Response", November 2014), easing the flow of records, full packet captures, application logs, samples of executable files, documents and email messages between CSIRTAmericas members.

Q: In what ways can the MISP project help to build cyber capacity in the region?

A: The MISP project has facilitated in levelling the capacities of our Member States in multiple ways. MISP has been integral in the creation of viable tools, the creation of flexible rules, taxonomies and formats to facilitate information sharing in different contexts and conditions. The standardization of these rules has eased the demand for the exchange of information across the region, and has incentivized greater collaboration among Member States.

Q: In what areas can the MISP be improved?

A: We have identified some areas for improvement, particularly in the presentation of case studies for designing models to deploy a MISP project in a national or sectoral setting that requires a custom context. This would allow faster adoption of the tool with a multi-sectoral and broad-scale approach. We have also noticed in the training we have delivered that progress along the learning curve is rather modest, due to a lack of understanding of the process map, or overall interaction, that applies to all of the MISP components.

Q: How has your CSIRT benefitted from the MISP?

A: In the experience of Chile's National CSIRT, the adoption of MISP has been regarded as highly beneficial. The Malware Information Sharing Platform has allowed us to access key information to take preventive measures and thus protect our computer systems.
Each of the shared indicators of compromise helps reduce the security risks that are affecting other societies. The main advantage is its immediacy, which allows quick action. If one plans well, a MISP not only delivers valuable information but also enables trust between organizations to be fostered through the platform. Its use is therefore a huge responsibility. MISP forces [them] to have expert technicians, experienced people and bilingual professionals who can supervise or accompany its operation 24 hours a day. It is a new form of dialogue between organizations, and especially between countries. The process of coordinating the exchange links between national and international professionals is a greatly valued interaction that will allow us to receive knowledge and best practices from countries with greater capabilities. It also forces us to collaborate with those that are using our development model as a guide. The MISP project is therefore a bridge to much broader communication than the exchange of data, and our vision is to promote and intensify it in that sense.

From the Global Cyber Expertise Magazine (April, 2020)