melicertes / csp

The Cyber Security Platform MeliCERTes is part of the European Strategy for Cyber Security. MeliCERTes is a network for establishing confidence and trust among the national Computer Security Incident Response Teams (CSIRTs) of the Member States and for promoting swift and effective operational cooperation.

MISP connector potential issues #1

Open iglocska opened 5 years ago

iglocska commented 5 years ago

https://github.com/melicertes/csp/blob/master/csp-apps/misp/misp-adapter-emitter/src/main/java/com/intrasoft/csp/misp/service/impl/MispTcSyncServiceImpl.java#L164

This is extremely worrying. Organisations that are not in the list of melicertes teams are absolutely normal and should not be flagged in any way. The comment that deletion is not an option for now is concerning - it shows a misunderstanding of what an organisation is in MISP and the purpose of having them.

  1. You cannot have sharing groups without having the organisation objects on your instance for anyone you want to share with. Meaning if orgx is not in the melicertes team list, I need to have it known for my instance to include them in any sharing.
  2. Organisation objects are shared automatically. Unless we want to restrict the pulling of any feeds in MISP format, fetching from any other non melicertes MISP instances, pushing any non melicertes team created data to MISP, we will get those organisation objects on our instance.
  3. Many CERTs operate MISP instances that are interconnected with other organisations. Sharing Groups handle the distribution of data that is not meant for all participants of an instance, but without giving access to other organisations, synchronisation is not feasible. This means that any interconnections with other organisations would be flagged as orphaned organisations.
adulau commented 5 years ago

@iglocska What would be the best approach from a CSP perspective? Ensuring that the TC are standard MISP sharing groups? To ensure that the organisations are propagated as is?

iglocska commented 5 years ago

Creating organisations is fine, generally never remove organisations in MISP.

  1. Organisations are objects in MISP that are linked to several containers (Events, proposals, users, sharing groups). This means that all of these objects would potentially become orphaned.
  2. Organisations can arrive on an instance even if they are in "island" mode or in a strictly controlled network (via feeds for example). Removing these would cause issues.

The recommendation would be: If the melicertes team registry has members removed, simply remove the organisation from the sharing groups, no need to remove the organisation. If they get renamed / updated simply update the existing object referencing that team. If two organisations merge, use the organisation merge tool in MISP. There should never be a need to delete an organisation.

There should also never be a need to confuse users by warning them of orphaned organisations just because they got a new organisation object by pulling a feed.

Hope this makes sense!
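
The reconciliation rule laid out in the comment above (never delete an organisation; drop removed teams from the sharing group, rename in place, leave organisations that arrived via feeds or sync partners alone and unflagged), written out as an added Python example. This is not code from the melicertes/csp adapter (which is Java) nor from MISP; it models the relevant MISP objects with in-memory dicts so it runs offline. The names `MispState`, `reconcile_teams`, `references_to`, the sharing-group name "MeliCERTes teams" and the sample organisations are assumptions for illustration; a real adapter would carry out the same steps through the MISP REST API.

```python
"""Reconcile a MeliCERTes team registry against the organisation objects of a
MISP instance without ever deleting an organisation (added example; the object
model below is a stand-in for the real MISP data model)."""
from dataclasses import dataclass, field


@dataclass
class MispState:
    """In-memory stand-in for the MISP containers an organisation is linked to.

    orgs:           organisation uuid -> organisation name
    sharing_groups: sharing-group name -> set of member organisation uuids
    events:         event id -> creator organisation uuid (orgc)
    users:          user e-mail -> organisation uuid
    """
    orgs: dict = field(default_factory=dict)
    sharing_groups: dict = field(default_factory=dict)
    events: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)


def references_to(state: MispState, org_uuid: str) -> int:
    """Number of objects that would be orphaned if org_uuid were deleted."""
    n = sum(1 for orgc in state.events.values() if orgc == org_uuid)
    n += sum(1 for org in state.users.values() if org == org_uuid)
    n += sum(1 for members in state.sharing_groups.values() if org_uuid in members)
    return n


def reconcile_teams(state: MispState, registry: dict, team_sg: str = "MeliCERTes teams") -> list:
    """Apply the team registry (uuid -> current team name) to the instance.

    - unknown team      -> create the organisation and add it to the team sharing group
    - renamed team      -> update the existing organisation object in place
    - team left registry-> remove it from the team sharing group only
    - any other org     -> untouched and never reported (feeds, sync partners, ...)
    Returns the list of actions taken, for logging.
    """
    actions = []
    members = state.sharing_groups.setdefault(team_sg, set())

    for uuid, name in registry.items():
        if uuid not in state.orgs:
            state.orgs[uuid] = name
            actions.append(f"create org {name}")
        elif state.orgs[uuid] != name:
            actions.append(f"rename org {state.orgs[uuid]} -> {name}")
            state.orgs[uuid] = name
        if uuid not in members:
            members.add(uuid)
            actions.append(f"add {name} to sharing group {team_sg}")

    # Teams that dropped out of the registry lose sharing-group membership only;
    # the organisation object stays so events, users and proposals keep a valid owner.
    for uuid in sorted(members - set(registry)):
        members.discard(uuid)
        kept = references_to(state, uuid)
        actions.append(f"remove {state.orgs[uuid]} from sharing group {team_sg} "
                       f"(org kept, still referenced by {kept} objects)")
    return actions


def sample_state() -> MispState:
    """Constructed sample instance: two registry teams plus one org pulled from a feed."""
    return MispState(
        orgs={"a": "CERT-A", "b": "CERT-B", "c": "Feed Org"},
        sharing_groups={"MeliCERTes teams": {"a", "b"}},
        events={1: "c", 2: "b"},
        users={"analyst@cert-b.example": "b"},
    )


if __name__ == "__main__":
    st = sample_state()
    # Constructed registry update: CERT-A renamed, CERT-B removed, CERT-D added.
    for line in reconcile_teams(st, {"a": "CERT-A (national)", "d": "CERT-D"}):
        print(line)
    print("orgs still present:", sorted(st.orgs.values()))
```

The point of `references_to` is the first numbered item in the comment: before an adapter even considers deleting, it can see how many events, users and sharing groups would be left pointing at a missing owner; in practice the count is rarely zero, which is why the safe operation on registry removal is sharing-group membership only.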

thanosa75 commented 5 years ago

Hello @iglocska

Thank you for the insight and explanation. The approach used at creation of this adapter was to create a CRUD interface, and now your response and the ensuing discussion have cleared this up. We will remove the option to delete orphans.

Thanks again, Thanos