MISP Exercise 5

MISP LAB05: Event Graph | MITRE ATT&CK

1. Introduction

In this lab you are going to learn about visualisation in MISP. The sharing model of MISP is quite useful, but only if every investigator is able to read the reports quickly. Nobody wants to read through long documentation if they are just looking for an overview of the security event that occurred.

2. Setup

Start the docker image:

cd /home/hacker/misp-docker-image
docker-compose up

Connect to MISP by opening the URL http://instance-a.misp.localhost in your preferred web browser.

The MISP instance initialises all labs. Please wait until you are able to see the Hacking-Lab icon.

Login with the following credentials:

User: investigator@misp-lab5.com
Password: compass

3. Overview

After login you'll see an event called Spear Phishing Mail with malware attached. View the details to get more information about the event.

Scroll down and try to find out what exactly happened in your company. As you have probably noticed, it isn't that easy to understand without any context. What exactly did John Doe do? Is he an attacker or a victim, and what do all these files and web links do?

4. Event Graph

Your colleague gave you a quick description of what happened:

Your company received an email from John Doe. John Doe is an employee at your business, which means that someone tried to impersonate him. The email contained a malicious document, which exploited a known vulnerability (a Common Vulnerabilities and Exposures (CVE) entry). Via remote code execution, the document started a download from a website hosted by the attacker. That site then delivers a malicious file. Later, the malicious file tried to execute a pass-the-hash attack (as Mimikatz does). If the script was successful, it uploads the stolen data back to the attacker's site.

In this step we are going to create an event graph that helps you and any other researcher get a quick overview without writing full documentation.

Please open the event graph by clicking the Event graph button.

The event graph is currently almost empty. Right-click on the Unreferenced Objects tile and select Expand. Unreferenced Objects is the group of objects that have not yet been associated with or placed in a relationship to any other object. In the following screenshot you will see that no objects are showing up yet.

All your MISP Objects will be displayed

The author of the email tried to impersonate John Doe, who is an employee in your enterprise. To create this relation between them, drag the arrow from the email object and drop it on the person object.

Your task now is to reference the other objects to each other. Read through the description you received from your colleague and try to relate the remaining objects in the correct direction. If you need any assistance, open the next step and take a look at a possible solution.

5. Connecting the dots

As you can see, displaying attack tactics and techniques is quite difficult with the event graph alone. In the next step, you are going to cover that too.

6. MISP Galaxies - MITRE ATT&CK Framework

MISP galaxies are a method used to express a large object, called a cluster, that can be attached to MISP events or attributes. There are default vocabularies available in MISP galaxy from existing standards (like STIX, Veris, ATT&CK, ...), or your MISP site administrator can create custom ones for you.

Please go back to your event and scroll down until you are able to see the malicious_document.docx object. Then click on the right world icon, choose mitre-attack from the dropdown window and click on the Attack Pattern button.

Select Spear Phishing Attack and click Submit.

Please go back to your event and scroll down until you are able to see the malicious_file.exe object. Then click again on the right world icon, choose mitre-attack from the dropdown window and click on the Attack Pattern button.
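The relationships you draw in step 4 and the galaxy cluster you attach in step 6 both end up as plain records in the event's JSON. The following added example (not part of the lab or of MISP itself) expresses the colleague's description as MISP ObjectReference records, reports which objects would still sit in the Unreferenced Objects tile, and builds the tag string MISP uses for an attached galaxy cluster. Object names, UUIDs, the relationship names and the cluster value are assumptions; MISP accepts free-text relationship types, and the exact cluster value must be checked against the mitre-attack galaxy on your instance.

```python
"""Added example (not part of the lab): express the LAB05 event graph as MISP
ObjectReference records and flag objects that would land in the graph's
Unreferenced Objects tile. Object names and UUIDs are constructed stand-ins."""
import json
import uuid

# Constructed stand-ins for the lab's MISP objects; a real event supplies the UUIDs.
OBJECTS = {name: str(uuid.uuid4()) for name in (
    "email", "person:John Doe", "vulnerability", "url:attacker-site",
    "malicious_document.docx", "malicious_file.exe")}

# Relationships from the colleague's description, read as source -> target.
# Relationship names are assumed to follow the misp-objects vocabulary;
# MISP also accepts free-text relationship types.
EDGES = [
    ("email", "impersonates", "person:John Doe"),
    ("email", "contains", "malicious_document.docx"),
    ("malicious_document.docx", "exploits", "vulnerability"),
    ("malicious_document.docx", "connects-to", "url:attacker-site"),
    ("url:attacker-site", "drops", "malicious_file.exe"),
    ("malicious_file.exe", "exfiltrates-to", "url:attacker-site"),
]


def build_references(edges, objects):
    """Turn (source, relationship, target) triples into MISP ObjectReference dicts.
    Unknown object names raise KeyError so a typo never yields a dangling edge."""
    return [{"object_uuid": objects[src], "referenced_uuid": objects[dst],
             "relationship_type": rel, "comment": f"{src} {rel} {dst}"}
            for src, rel, dst in edges]


def unreferenced(objects, references):
    """Names of objects that appear in no reference (the Unreferenced Objects group)."""
    linked = {r["object_uuid"] for r in references} | {r["referenced_uuid"] for r in references}
    return {name for name, oid in objects.items() if oid not in linked}


def galaxy_tag(galaxy_type, cluster_value):
    """Tag string MISP uses when a galaxy cluster is attached to an event, attribute or object."""
    return f'misp-galaxy:{galaxy_type}="{cluster_value}"'


if __name__ == "__main__":
    refs = build_references(EDGES, OBJECTS)
    print(json.dumps(refs, indent=2))
    print("unreferenced:", unreferenced(OBJECTS, refs) or "none")
    # Cluster value is assumed; confirm it against the mitre-attack galaxy on your instance.
    print(galaxy_tag("mitre-attack-pattern", "Spearphishing Attachment - T1193"))
```

Adding an edge with a misspelled object name raises KeyError instead of silently creating a reference that points nowhere.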

7. Conclusion

Now you have successfully added MITRE ATT&CK Framework information to your MISP event. If a researcher wants to know more about the attack tactics and techniques used here, they can view them directly.

Go back to your event and click on the ATT&CK matrix button.

8. Security Questions

  1. What have you learned in this lab?

  2. What are advantages of using the MISP event graph?

  3. You didn't use the left world icon in step 6. That would add tags to your attribute. What is the difference between tags and galaxies in MISP?

9. Answers

  1. In this exercise I've learned how to visualize a MISP event by creating an event graph. Further, I've learned to work with MISP galaxies by tagging specific attributes with the MITRE ATT&CK patterns.

  2. You will get a better overview of how the different objects stand in relation to each other.

  3. MISP taxonomies are a set of common classification libraries to tag, classify and organise information. MISP galaxies are a method used to express a large object, called a cluster, that can be attached to MISP events or attributes.
