We were happy to recently participate in a workshop organized by the Japan International Cooperation Agency (JICA) for national CERTs in the region (Laos, Myanmar, Cambodia, Viet Nam and Indonesia).
As mentioned in a previous blog post, the workshop is a part of a series of trainings covering topics relevant to the operation of a functional security response team. They include different aspects – technical, management, tools and collaboration.
In terms of collaboration, I think having team representatives from various countries in one room is super perfect for translating collaboration ideas into action!
For this workshop, I spoke about threat intelligence – what it is, how it is relevant to incident handling and response, how to get it, and how we can share it with each other.
I also spoke about standards like STIX and TAXII, and tools or platforms used by the security response community. We did a couple of exercises with two tools (or some may say they are ‘platforms’) for malware analysis.
The first one was Viper – an open source binary analysis and management framework that helps analysts (or teams) organize their collection of malware and exploit samples. (CERTs normally look at malware samples from incidents and one of the challenges in my experience is collecting information about the samples in one place.) In addition, Viper has a lot of useful modules for performing analysis on malware samples.
Now that you have performed the malware analysis, you gain an understanding of the how, what, when or maybe even who. All of the different pieces of information (or intelligence / indicators) are very important to further mitigate the threats. Shouldn’t they be shared for the greater good?
So, the second item that we looked at was the Malware Analysis Sharing Platform (aka MISP), which is a “platform for sharing, storing and correlating Indicators of Compromises of targeted attacks”. It is an open source project with a lot of active community support. It was also great to see there is a module integrating Viper with MISP.
For the workshop we went through the process of installing and running MISP, looked at a couple of practical use-cases, and discussed how to go about creating a community MISP instance for sharing threat information.
If you are interested in getting more complete MISP training, the good folks at CIRCL.lu do this from time to time and have also kindly published the training materials.
All in all, it was a fun workshop with friendly (and funny) CERT friends from the region. APNIC is always very happy to support activities that will improve security, and enhance regional and global collaboration. Finally, thank you to the hard-working JICA team in Jakarta for putting together another successful workshop!