Ensuring IoC quality at CERT-FR
10-16, 16:30–17:00 (Europe/Luxembourg), Salle Europe

Keeping IoCs usable and the base where they are stored clean over time is an important challenge. ANSSI/CERT-FR will present the tooling developed internally and used by CTI analysts in order to verify their quality and normalization before they are pushed into MISP.

Thanks to its central position in the French cybersecurity ecosystem, CERT-FR has access to a lot of information and thus, a lot of IoCs. For internal usage and further sharing, these IoCs must reach a certain level of quality and remain usable over time. In order to manage this, CERT-FR provides its analysts with a library and a set of Python scripts. Analysts have to use these scripts in order to push data into the production MISP instance.

The tools are based on an internal library, itself based on pymisp. It provides a set of functions, superseding pymisp’s ones, to create, update and delete attributes and tags in MISP. It does so both to apply more verification in order to guarantee their quality and to ensure that the input of the different types of IoCs will be consistent over time. This consistency is also essential for further automated exploitation by other internal tools. Thus, the scripts used by the analysts ensure that the data in IoC is normalized, following CERT-FR standards and that the tools consuming it will have access to the necessary data. It also ensures that the IoC lifecycle is correctly followed limiting analyst errors.

The presentation will first cover what we call a quality IoC at CERT-FR. Then we will detail the normalization we apply to the data and the rules that need to be applied on IoCs before they can be pushed into MISP and why we need to apply these rules.

Finally the internal library will be presented, to show some of the provided functions. Analysts can rely on these functions in their own tools or they can use the set of tools provided with the library to push their IoC into MISP. This set of tools will be also presented, in order to show how the normalization and rules are applied at CERT-FR. We will also give a brief feedback on how we want to improve the tools, following (constructive) criticism we have from analysts and other works we are currently carrying out regarding normalization and storing of technical IoCs.

In a nutshell, this presentation will provide a feedback on the challenges encountered by CERT-FR on its IoCs usage and the solutions developed to keep the base as clean as possible over time.

Working at the French Cybersecurity Agency (ANSSI) in the IOC management unit.