Presentation Material
Abstract
Arctic builds on the open-source MISP platform to enable threat-intelligence-based correlation of indicators of compromise using multiple sources such as internally collected intelligence, intelligence filtered through free and paid feeds, cloud feeds from GuardDuty and Route 53, etc., and gives each IOC (Indicator of Compromise) a relevance score that is specific to the organisation.
It uses MISP to further enrich the IOC and maps it to MITRE TTPs, which can be used to identify the suspected APTs involved in the attack.
AI Generated Summary (may contain errors)
The Arctic platform is integrated with Shoreline to reduce false positives from an Incident Detection System (IDS). Shoreline provides two important use cases:
- Auto-remediation: critical alerts can be auto-remediated directly through a Shoreline notebook, and
- Introducing manual analysis: a layer of manual checking of the IOC's reputation can be introduced before remediation takes place.
The demo showcases two scenarios:
Scenario 1: True Positive
- Internal feed captures an IOC/IP with high confidence score (above threshold)
- Ticket is created in Jira with contextual information
Scenario 2: False Positive
- Internal feed captures an IOC/IP with a low confidence score (below threshold)
- No ticket is created in Jira
The final piece of the demo shows auto-remediation through Shoreline, where a collected IP is added to the egress layer (e.g., a Security Group) at the click of a button, giving control over the outbound communication.
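As an added example (not code from the Arctic project or the talk), the threshold gating behind the two scenarios above in Python: sightings of one IOC from several feeds are combined into an organisation-specific relevance score, and a Jira-style ticket payload is produced only when that score meets the threshold. The source weights, threshold value, corroboration bonus and ticket fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical per-source trust weights; an organisation tunes these to
# reflect how reliable each feed has been for it (not Arctic's real values).
SOURCE_WEIGHTS = {
    "internal": 1.0,
    "guardduty": 0.8,
    "route53": 0.6,
    "paid_feed": 0.7,
    "free_feed": 0.4,
}
THRESHOLD = 0.7  # hypothetical relevance cut-off for ticket creation


@dataclass
class Sighting:
    source: str
    confidence: float                          # 0..1 as reported by the feed
    ttps: list = field(default_factory=list)   # MITRE ATT&CK technique IDs


def relevance_score(sightings):
    """Weighted mean of per-source confidence, plus a small bonus for each
    additional independent source that corroborates the IOC, capped at 1.0."""
    if not sightings:
        return 0.0
    weights = [SOURCE_WEIGHTS.get(s.source, 0.2) for s in sightings]
    base = sum(w * s.confidence for w, s in zip(weights, sightings)) / sum(weights)
    corroboration = 0.05 * (len({s.source for s in sightings}) - 1)
    return min(1.0, round(base + corroboration, 3))


def triage(ioc, sightings, threshold=THRESHOLD):
    """Scenario 1: score >= threshold -> return a ticket payload with context.
    Scenario 2: score < threshold -> return None (no ticket is raised)."""
    score = relevance_score(sightings)
    if score < threshold:
        return None
    sources = sorted({s.source for s in sightings})
    ttps = sorted({t for s in sightings for t in s.ttps})
    return {
        "summary": f"Suspicious IOC {ioc} (relevance {score})",
        "description": f"Seen by {', '.join(sources)}; mapped TTPs: {ttps or 'none'}",
        "labels": ["arctic", "ioc"] + ttps,
    }


if __name__ == "__main__":
    # Constructed sample data using documentation addresses (TEST-NET-3).
    high = [Sighting("internal", 0.9, ["T1071"]), Sighting("guardduty", 0.85)]
    print(triage("203.0.113.7", high))            # scenario 1: ticket payload
    print(triage("203.0.113.9", [Sighting("internal", 0.3)]))  # scenario 2: None
```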