
The Unbearable Weight of Commercial Licensing: Combining Closed Systems with Open Source Defense

BSides Las Vegas 2025 · 33:45 · Published 2025-12
Speaker: Keya Arestad
Category: Technical
Team: Blue
About this talk
Enterprise security tools like Exchange, SharePoint, and SolarWinds have demonstrated critical vulnerabilities and licensing constraints. This talk examines how defenders can combine proprietary and open-source tools—particularly MISP—to achieve flexibility, avoid vendor lock-in, and build more resilient threat investigation workflows.
Original YouTube description
Identifier: SZWXFF
Description:
- "The Unbearable Weight of Commercial Licensing. Combining Closed Systems with Open Source Defense"
- Examines failures of enterprise security tools (Exchange, SharePoint, SolarWinds).
- Advocates combining proprietary and open-source tools for defense.
- Highlights benefits of open source (flexibility, no licensing lock-in).
- Case study: integrating MISP into threat investigation workflows.
Location & Metadata:
- Location: Common Ground, Florentine F
- Date/Time: Tuesday, 10:00–10:45
- Speaker: Keya Arestad
Transcript (en)

Good morning everyone. We're about to get started with our first talk of the day. I'd like to remind you all to silence your cell phones, and there's no photography at all in the conference space. And without further ado, here's Keya. >> Thanks. >> Good morning. Thanks for attending this talk. This is the start of an exciting week out of the year where we all get to converge on Las Vegas and learn and do a bunch of really cool things. So this talk, can you hear me? Okay. This talk is The Unbearable Weight of Commercial Licensing: Combining Closed Systems with Open-Source Defense. Who am I? I'm Keya Arestad. I've been working in infosec for about 10 years. I started

out with a vendor-neutral security consulting company where we did a little bit of everything. They would say things like, "Hey Keya, go into this network and check the status of monitoring. Figure out how to get in. This is the VPN you need to use. Go and check if OS is working on these devices. No stress, it is a production environment and lives can be lost if something goes wrong. So, no stress, but get it done within the next two days, please." From there I went on to endpoint detection, looking at various types of events, investigating if an event is malicious or suspicious, and working within the detection

engineering space. From there I went on to be yet another security analyst doing all the things. When you work for a consulting company you essentially do whatever they ask you to do. So, well-rounded experience, but it is opinionated, and these opinions are my own after working within the security space. It's not necessarily for or against open or closed source, even though it may seem that way. We'll jump in. So, this is me. Who are you? You can just yell it out or you can raise your hand. How many people are security analysts or consider themselves that? How many people work with incident response? Cool. How many people are researchers? So why this talk? Background. We're going

to go really fast through this: the open background of the internet, open source, the current state, and MISP. Why use it? So in the past, and it wasn't too terribly long ago, they were trying to figure out how to send packets through the network. So going from this hand-drawn thing of four nodes; I'm going to skip past the stories of it. The background of the internet is based in open source. So we have three heavyweights here: Richard Stallman, Linus Torvalds, and Elizabeth Jocelyn "Jake" Feinler. So we have the person who developed the Linux kernel along with git. Elizabeth Feinler wrote the resource book for ARPANET. She also made it possible to navigate it. So she was behind the

DNS system, and wrote and created the first WHOIS, and any of those protocols are also driven by RFC, so request for comment, where they put it out to the community and get everybody's input. And the internet slowly grew. This was three or four years later, a logical map of ARPA, which went on to become DARPANET, but you can see some of the universities in here are Illinois or Utah, some companies that are quite older. Xerox I think is in there, Carnegie, Harvard, Aberdeen. At this time the internet was used only for the purposes of communication. So there were some rules in place, like you couldn't use it for

personal use, kind of like ham radio. And so somebody made a joke, looking back, that they attended a conference in England, left his shaver there, and so he asked for it back, and he was like, "Haha, I was the first one who abused the internet." And we think about where we are today and the many nodes. This is from the opte.org website. It's really nice. It sort of diagrams and puts the different nodes in the internet throughout time, and it's put to really nice music. If you feel a little bit overwhelmed, you can go to your hotel room or watch this on YouTube, and it is really beautiful. But it has

really come a long way. How we use it and what we connect to it has also grown exponentially. The average US household now has 17 internet-connected devices. We probably have more, working in this space. So cyber security has grown. I wanted to find one slide that would show this, but essentially when I did a Google search I found that every one of these are very similar. There's a lot of money to be spent in this space. And the main point is that it's growing. It's expanding. So when you go to a conference like RSA, this was from this spring, all the commercial vendors are represented and there's a lot of really

good products out there. But open source often isn't promoted as much in these security spaces. So, I'm going to cover a few things that could be seen as being prohibitive toward blue team or protecting ourselves. You may have seen this if you're familiar with any sort of Microsoft licensing. This is made by Aaron Dinnage, who according to his LinkedIn does work for Microsoft, but in Australia. He runs a really great site that does a good job of helping people try and understand what it is that they want to get. Also on his site, now this is just one section of it, like you have to scroll down through it. This is like one

of 10 scrolls to try and figure out which thing you need to get. Point being that increased complexity, while it increases revenue, can also lead to security omissions and errors. So when we're looking at security products, we often have to get past sales into the technical talks before we can start to really understand how a product works. But another thing that I think is quite difficult as an analyst is that you get these alerts and sometimes there's not that much context. Wacatac. What is Wacatac? This is something that's plagued me for a very long time. If you search for it, you find legitimate businesses who are like, "Yeah, this is a false positive, we make software,

and we've done all the right things that you've asked us to do, but you still detect on it. Like, this is impacting our business." You also find other people who are like, "Oh, it just detected on my machine. Like, what do I do? I downloaded all these other AV products to try and figure out what it is." And you're like, "Oh, you probably got malware in the process of trying to figure out what this detection was." But ultimately I would get back to Microsoft marketing that tells me that Defender will detect it and stop it, but I still don't know what it is. Licensing can be another sore point in the sense that when you're locked in as

a company for one to three years, sometimes you're not able to really find solutions. And when that particular company comes up with another type of product, you might sort of be locked into only checking out that one product. And after going through that, I think that, similar to the worlds of Marvel and DC, sort of dueling, we're really all trying to defend. So trying to find the right things, the right tools that can integrate with it. And what would be awesome? It would be awesome to see patterns of alerts over time. So when you have any sort of SaaS solution, EDR, NDR, often the data will time out. So after, say, 30 days, 90 days,

even half a year, you won't be able to get to your data anymore. So it would be cool to see the correlation between the entities if they don't time out. So to be able to see the threats over even years of time would be awesome. As well as increased efficacy of those security tools, so that you can trust what kind of alerts you get. So for that Wacatac, F5 was also like, "That's one of our products. Sorry, it's a false positive, but do check the hash before you use it." So being able to trust the alerts is also, I think, really important. So there is something that works in that

way, and it is MISP. I was talking to some security colleagues earlier last week and I was like, "Hey, have you guys looked at MISP?" and they're like, "No, I've tried to do it before and I don't know." So I was like, "No, it's really awesome." And it is. It is open source, as this slide can kind of show. But it can do a lot. And I want to jump into a little bit of the history and then what it can do. And I have a running demo that will hopefully work. It started in 2011 when Christophe Vandeplas wanted to make the process of

malware research more efficient. So he was like, "Hey, I'm looking at this malware. What are you seeing?" and his colleagues were like, "Oh, I did exactly the same thing and came up with the same hash, came up with the same thing." So, he wanted to create something that would avoid duplicative work. He was pondering the inefficiencies of the current system, and at the time he was working for the Office of Belgian Defense. News spread about it and pretty soon NATO got in touch with him and was interested in it. Who knows what NATO is? Oh, great. What is it? Just yell it out. >> Yes, it is a treaty organization that came

out of World War II. It's made up of 30 European countries and two other North American ones, Canada and the United States. NATO looked around and saw what was available for threat intelligence and was like, hm, this is actually filling a void. This is the most efficient system that we've seen thus far. And so NATO, which this picture was from a joint exercise last year with 900,000 troops, so they do know something about defense. NATO funded the MISP project. They essentially exist to defend. MISP is now managed by the European Union and an organization called CIRCL out of Luxembourg. It's a community. It's a fully community project, and it's led by volunteers and

driven by feedback from the users. So when you actually see what is inside of there, because they're like, "Ah, we're open. Other people from other industries can even use MISP." So there's really interesting things when you load up the default MISP. It's actively supported and the latest release was last month, in July of 2025. But I wanted to understand who's using it, and it turns out it is about 6,000 organizations. This is a map from Shodan, and you can export the results of who has MISP in their name. There are a lot of governmental organizations, there's a lot of huge security companies. A lot of the

companies that are down a few blocks for Black Hat also have their own MISP instances. You can just see it by domain name. There are also a lot of ISACs. Do you know what ISACs are? Information Sharing and Analysis Centers. Turns out in 1999 there was a presidential directive that came out that said, "Hey, we want to be able to have industries work together." So defense works together, retail and hospitality works together, ICS has their own ISAC. "We want to build our security up. So we want you all to create these ISACs so you can share information." It's hosted on a mix of things. It's on GCP, Azure, AWS, Linode. It also

can be air-gapped. So it has many different uses. A lot of its uses are as a database because of their trusted IoCs, and then the various companies can push it off to their SIEMs or EDR or firewalls to take action. So there is a lot of automation in it. But before MISP it was essentially an email or a listserv. This is from Obsidian. And so the ISAC would manually maintain the email thread. It would list IPs and URLs. Then it would be emailed out to the different businesses. Some of the businesses probably didn't do anything. EDR was barely even a thing at that point, but they would put it toward their

firewalls, but even if they had a script, it would still be an automated process of being able to take action on them. But with MISP, because each MISP instance has a lot of built-in features, because you're sharing IoCs and because automation is happening, they want to have a system in place, and they do have a very good system in place where IoCs have already been vetted and they are feeding into the firewall and immediately taking action, or feeding into EDR, be it Defender or Sentinel or CrowdStrike. I found this handy-dandy diagram, and it does all of this. When I first looked at this I was like, oh god, this doesn't make

any sense, but after learning about it and playing with it, it really does make sense. So you have all these closed source or commercial vendors, there's some open source ones in there as well, so it feeds that threat intelligence into MISP. At the same time there's a SOC or some sort of team that's looking at the indicators and they are then like, oh, this is a true positive, this is an IoC. That then goes into a trust-based sharing, and then it's also fed via REST API or a webhook to these other devices or services that can then take action. A bunch of different use cases, but I want to just point out some very cool things about it. When you're adding different

attributes or objects, there's a little checkbox that says "for intrusion detection system", for IDS. If that's checked, then it's an indicator that it's something that's serious and should be blocked. Other people can and should take action on it. This is within an event, and the different blue blocks are objects. So there are things that can be grouped together. You can see that there's an "inherit" that has to do with the sharing that can be done. So if you have something that's private and the main event is private, or say TLP red, Traffic Light Protocol red, then it'll stay private within your organization, because you could put a lot

of information in here. Like you could put in social security numbers, you can put in bank account numbers, routing, for analysis. It can be associated with the user. And there's also a "correlate" checkbox, and it's really intuitive. Like you can take whole blocks of text and IoCs, stick it in as a text blob into MISP, and it'll intelligently group it out, like, oh, this is a URL, this can be an IoC, so it's already checked for you. It's really smart. I want to try and get to the demo, but also wanted to focus on a few things that are really smart about it. Under taxonomy, it's already integrated with

the MITRE ATT&CK framework and about 80 other ones that you can automatically pull in and associate with a particular event based on the tags. Then you as an organization can also take action on it. So correlation can also happen automatically, which is nice, because I had that use case where you have a user that typically clicks on events and you're like, yeah, I feel like this guy just did it, like, seven months ago, but it's aged out of the SaaS platform so you can't remember, like, but did he really do it? In here, it'll automatically make a correlation on the object type. So there's a person object type. So you can

plug in their name and you're like, "Oh yeah, he's done it three other times in the last 18 months." Galaxies are another way of organizing information. It's a container that can group together context by type. So this, if you can read at the very top, it's other organizations that have gotten into using it as a platform that can provide the structure for their data that they're working with. So the top one, I think it's 9099, that's different bacterial types, so that other hospitals and other organizations that are looking at germs can make sense of it. It's still heavily rooted in infosec and so it has a vocabulary already within it.

This is for, say, ICS, the people who are working with industrial control systems. Like, again, the vocabulary is already there. All of these little icons in there do amazing things of correlation. More of the MITRE ATT&CK. I'm going to skip through now because it's actively being developed. People can add their opinions. So they found the analysts sometimes, when they get an IoC, they're like, I don't know about this IoC. This probably shouldn't be within here. So they can then put their opinion. That opinion then gets attached to the object, and it also travels and gets synced to the other trusting MISP instances. Then after a while, that

gets sent back to the original person as well as all the other sharing organizations, and they can take action on it. So the original organization can look at it and say, oh yeah, maybe I should change that. The other thing about this platform is that it can make your opsec better, in the sense that once you integrate with, say, Joe Sandbox or any other activity that you want it to, the analyst can then work within it, instead of going to Joe Sandbox or instead of going to VirusTotal in a separate browser window, potentially uploading something that they shouldn't. It can already be integrated in with

MISP. All of these little buttons in there are huge dropdowns of various clusters or various tags that you can put in and associate with that object. More on taxonomies. Another type of tagging. So, it's all within there. You can just start the actions in the column over to the very right-hand side. It makes it easy to set up because you can start clicking on things and it'll automatically be brought in, like the frameworks are already integrated. You can mess up though, which I've also done. If you click the little arrow or the triangle for play, it can bring in all of the indicators that another organization has added in as events. So

that's why in the demo instance all my numbers start at like four or five hundred, because I deleted a whole bunch of other ones. We want to know about the roles and permissions there. It's really well-developed and you can also create your own and give, say, a service its own limited permission set. Makes it really easy to create your own roles. App logging is also very good. This happens to be the application logs from a few days ago. Anything that's internet-exposed is going to get pounded. So there's various APIs and other things that are trying to get in. But logging: every single change is logged. Every single change associated with a user is also logged, and you can modify

that depending on, I think they have a paranoid mode of logging. So you can get all the things if you want to see them. Workflows and automation: there's workflows and automation inherently within MISP that you can harness to do simple things, or anything that has a webhook that's exposed you can also hook into and do

cross-instance information. This is another cool thing that allows you to essentially cache indicators. So you may have heard of MISP as a threat intelligence feed tool, because a lot of organizations purchase intelligence feeds or they use the open source ones and feed it into another, like say their firewall, to take action. What you can do within MISP is instead of putting it in your own database, you can just cache it, and it starts to do any lookup with any object or attribute that you put in with an event, so that you can see, oh hey, this threat that we have in our environment, there are three other

organizations who say that this is a true positive. Okay, I'm going to try and show you MISP. We can drive around within it if I can get to it. Ah, okay. I need to share a different screen.

And I may need help. Can I... >> Can I show this one? >> Oh. >> Are you going back to the presentation afterwards? >> I am, but maybe I should just do it right now. >> Yeah, because then you go back to your display and set it to duplicate and then it'll show the same thing I did. >> Yeah, let's just do duplicate now. Okay. So, go back to your settings, your display settings. >> Sorry, I usually don't use this device. >> So, just change that back to duplicate. >> Duplicate. >> And then you'll see the same thing on both screens. >> Keep. >> Okay, cool. Thank you.

Okay. So, this is MISP. This is self-hosted. It's on the internet. And I wanted to see how it does correlations. So, here you can see the different attributes that are in this column. Well, we'll get past the colorful tags one, and the dates are all fairly recent, but you can see that under correlation there's a number here. And so,

Mr. Pink, let's look at this one. Looks like Mr. Pink has gotten phished and downloaded malware a couple of times. So, let's just take a look at this.

Okay, great. So this has already been published, but over here on the right-hand side under related events you can see "Mr. Orange downloads malware" and "Mr. Pink does a copy-and-paste PowerShell compromise". These are the different indicators of compromise that are associated with that user. This one's Mr. Pink. The IDS is appropriately checked for things that you would want your firewall probably not to go to, this domain. The feed hits: you can also see that there's related events as well as related feed hits. So other organizations, URLhaus in this case, have also said this is a really malicious URL. So this is open

source and it's just built into the platform.

If you are working with any sort of file, when you upload that file, I mean you have to think of opsec as well. Like you don't necessarily want analysts downloading malware on their device and then uploading it. They really should be doing this on a different device. But when any sort of binary is uploaded, MISP will automatically create the hash. If you check the box that says it is malicious, then it will create the hash for you. It'll encrypt it and it'll give you a password that you need to use. You can also do things like "populate from", and I tried a free text import earlier and I just grabbed a whole swath of IoCs from the

Unit 42 research group. And they're defanged in the writeup. It automatically cleaned it up, automatically tagged what it was, IP, URL, whatever, and it brought it in appropriately, like, oh, this is something that should be blocked on an IDS.

We're getting close to time because I just started off not really that well. But if you're interested in this, I'm happy to give you a login so you can check it out. If you have any questions, feel free to ask. Let me go back to... Oh, this is where we are actually in the presentation. So there are many awesome open source tools, and there's a lot of cool commercialization of open source tools, like Zeek is sponsored by Corelight now. So there's a lot of integration. There are also a lot of really cool closed source commercial tools as well. A lot of them are out there.

Oh, I'm stuck now. But do you have any questions or comments? Thanks for sitting through my talk, because it had a bit of a rough start. >> Thank you. [applause] >> Yes. >> Okay. How long have you had it up, and what's the maintenance running? >> The question was how long has it been running and what's the maintenance? The maintenance is really cool. It actually audits itself, and so it told me, I did the default Ubuntu install. I hardened the server, like, you know, don't let root log in anymore. And I thought I took all the right steps, but when I audited it, it told me that the PHP config was world-readable, and I was

like, "Oh, I should." So then, you know, you go into the server and like, "Let's change the permissions on that." So far it's only been up for about a week, but it's, I think, regular maintenance of a server. >> Yes. How is trust established?

>> That's a really good question. How is trust established? So, ISACs already have that trust established between organizations. I felt really alone when I launched mine because I didn't have anybody to trust or work with. The MISP organization, they have their own feeds that they're like, "Here, these are open. This is TLP clear or white, like you can take our feeds." And there's a lot of other open source feeds, but trust needs to be established. So if there was another SOC out there that trusted that I, well, if I was a threat researcher, then you can create that by essentially adding a key and that establishing that trust.

>> So maybe for those that don't directly actually have... Yeah. So the question or comment is, it would be a good idea to review those IoCs before you automatically start pushing. Yes. Absolutely. You need to trust the organizations that you're working with. If the relationship has been long established and they can trust each other and they're like, "Yeah, that's a really good analyst team over there. We trust them and they're open to our feedback." I think that helps. But yeah, you need to have trust in this relationship, in any relationship. Any other questions? Have a great week. Thank you to those that helped me with my presentation.

[applause] Thanks.
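The demo above shows two MISP behaviours in passing: the free-text import that refangs a pasted writeup, classifies each IoC by type and pre-checks the IDS flag, and the correlation that links Mr. Pink's event to Mr. Orange's because they share an attribute value. The following Python is an added illustration written for this page, not MISP's code or PyMISP: it re-implements a toy version of both so the mechanics are visible. The attribute type names (ip-dst, domain, url, md5, sha1, sha256) are MISP's, but the per-type to_ids defaults, the defang rules and the sample writeup excerpt are this example's own constructed assumptions.

```python
"""Toy free-text IoC importer and cross-event correlator (added example, not MISP code)."""
import re
from collections import defaultdict

# Constructed sample of a defanged writeup excerpt; not taken from Unit 42.
SAMPLE_WRITEUP = """
The loader beacons to hxxps://update-check[.]example[.]net/api/v1 and
resolves payload[.]example[.]org. Second stage hosted at 203[.]0[.]113[.]42.
SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
MD5: 5d41402abc4b2a76b9719d911017c592
"""

# Common defanging conventions seen in public reports (assumed list).
DEFANG_RULES = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]

def refang(text):
    """Undo defanging so the values can be matched and later blocked."""
    for pattern, repl in DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text

# Order matters: longest hashes first so md5 cannot match inside sha256,
# and URLs before bare domains so a host inside a URL is not double-counted.
PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("sha1", re.compile(r"\b[0-9a-fA-F]{40}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+")),
    ("ip-dst", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]

# Assumed defaults for this example: hashes, URLs and domains are blockable
# out of the box; bare IPs stay to_ids=False until an analyst vets them.
TO_IDS_DEFAULT = {"sha256": True, "sha1": True, "md5": True,
                  "url": True, "domain": True, "ip-dst": False}

def freetext_import(text):
    """Turn a text blob into typed attributes: [{'type', 'value', 'to_ids'}, ...]."""
    text = refang(text)
    attributes, seen = [], set()
    for attr_type, pattern in PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;")
            # Skip values already consumed by a more specific type
            # (e.g. the domain that is part of an already-extracted URL).
            if value in seen or any(value in s for s in seen if s != value):
                continue
            seen.add(value)
            attributes.append({"type": attr_type, "value": value,
                               "to_ids": TO_IDS_DEFAULT[attr_type]})
    return attributes

def correlate(events):
    """Map each (type, value) present in more than one event to the sorted
    event titles that share it, the way MISP's related-events panel does."""
    index = defaultdict(set)
    for title, attrs in events.items():
        for attr in attrs:
            index[(attr["type"], attr["value"])].add(title)
    return {key: sorted(titles) for key, titles in index.items() if len(titles) > 1}

def ids_export(events):
    """De-duplicated list of values flagged to_ids, i.e. what a firewall or
    IDS feed consumer would pull (constructed analogue of an IDS export)."""
    return sorted({a["value"] for attrs in events.values() for a in attrs if a["to_ids"]})

# Constructed events in the style of the demo; the second one shares two
# indicators with the first so the correlation has something to find.
EVENTS = {
    "Mr. Pink does a copy-and-paste PowerShell compromise": freetext_import(SAMPLE_WRITEUP),
    "Mr. Orange downloads malware": [
        {"type": "domain", "value": "payload.example.org", "to_ids": True},
        {"type": "sha256", "to_ids": True,
         "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    ],
}

if __name__ == "__main__":
    for attr in EVENTS["Mr. Pink does a copy-and-paste PowerShell compromise"]:
        print(f"{attr['type']:8} to_ids={attr['to_ids']!s:5} {attr['value']}")
    for key, titles in correlate(EVENTS).items():
        print("correlated", key, "->", titles)
    print("IDS export:", ids_export(EVENTS))
```

The point the Q&A raises, reviewing indicators before pushing them automatically, shows up here as the to_ids flag: the bare IP is imported but deliberately left out of the export until someone vets it, while hashes and the URL go straight through. The correlation step is also why MISP data does not "age out" the way the talk describes for SaaS alert stores; an identical value in an old event is still found when a new event lands.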