FOSStering an ISAC: Enabling a Community with Open-Source Tools
10-16, 15:00–15:30 (Europe/Luxembourg), Salle Europe

Defending against the latest threats requires timely, actionable intelligence. In an active sharing community that has members of varying maturity, resources, and team staffing, you need a way to collect, normalize, enrich, and vet the shared intelligence at scale. Most will have different intelligence requirements, so flexibility is demanded to tailor to the disparate use-cases and existing workflows they may have. This presentation shows how the Retail & Hospitality ISAC leverages MISP as a community instance for their members and incorporates other free and open-source software to address these topics and more!

• Brief overview of MISP architecture
• RH-ISAC custom taxonomy
o Categorizing intelligence:
▪ Source where intelligence was shared
▪ Sector of member who shared intelligence
▪ Threat type (e.g., ATO, info stealer, credential harvester, etc.)
• RH-ISAC custom galaxy
o Threat actor profiles/clusters
▪ Prioritizing threat actors
▪ Data sources
▪ Custom cluster elements
• Intel Sharing and Normalization
o mail2misp
o Sharing templates
o MISP objects
o PDF/video documentation resources
• Enriching and vetting attributes
o Automating enrichment with PyOTI
o Enrichment services
o Enrichment tags
o Vetted attributes “feed”
• Intel Interoperability
o RH-ISAC developed integrations
o Existing 3rd party integrations
o MISP Sync
• What’s next!

JJ Josing is the Principal Threat Researcher at the Retail & Hospitality ISAC. Over the last 5 years in the retail space he has had a strong focus on automation and tool development with Python and using free and open source software to assist in his research. He likes to design networks, automate the tools and break all the things. Author of PyOTI - the python open threat intelligence library.