2020-09-12 11:24:49 +02:00
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP and CIRCL}
\begin{center}
\includegraphics[scale=0.45]{circl.png}
\hspace{2.5em}
\includegraphics[scale=0.35]{misp.pdf}
\end{center}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acts as the Luxembourg {\bf National CERT for the private sector}.
\item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligence sharing}
\item CIRCL leads the development of {\bf MISP and many other open source software projects}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item Provide a quick intro to what MISP is and which issues we try to tackle
\item A short update on what has happened around MISP's development over the past year
\item Where we're headed from here
\end{itemize}
\end{frame}
\section{Intro on MISP}
\begin{frame}
\frametitle{Objectives of MISP}
\begin{itemize}
\item MISP is a {\bf threat information sharing} platform that is free \& open source software
\item A tool that {\bf collects} information from partners, your analysts, your tools and feeds
\item Normalises, {\bf correlates} and {\bf enriches} the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Feature Highlights}
\begin{itemize}
\item Extensive {\bf REST API}
\item Automatic {\bf correlation}
\item Granular distribution levels and {\bf synchronisation} systems
\item A wide range of {\bf ingestion systems}
\item {\bf Visualisation tools} for dashboarding, graphing and statistics
\item A host of {\bf export formats}, covering a wide range of use-cases
\begin{itemize}
\item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
\item {\bf SIEMs}: \texttt{CEF, STIX}
\item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
\item {\bf Analysis tools}: \texttt{Maltego}
\item {\bf DNS policies}: \texttt{RPZ}
\end{itemize}
\end{itemize}
\end{frame}
\section{High level overview of the past year's changes}
\begin{frame}
\frametitle{MISP's evolution since the last AusCERT}
\begin{itemize}
\item Since AusCERT 2019 (31/05/2019) we've had:
\begin{itemize}
\item 34 releases
\item 4398 commits
\item 97 contributors contributing to the core software and its components
\end{itemize}
\item COVID-19 didn't negatively impact the progress made all that much
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{So what were the main changes?}
\begin{itemize}
\item Loads of {\bf bug fixes}
\item A host of improvements to how MISP behaves in general
\item {\bf Security fixes}, including several CVEs (keep your MISP up to date!)
\item {\bf Internal tuning} for better scaling and performance altogether
\item Massively expanded {\bf context libraries}
\item Several major features (let's talk about these)
\end{itemize}
\end{frame}
\section{Major features since last year}
\begin{frame}
\frametitle{Timelining in MISP}
\begin{itemize}
\item The goal was to capture activity timelines
\item All attributes and objects can have first-seen/last-seen data
\end{itemize}
\includegraphics[scale=0.25]{images/timeline.png}
\end{frame}
\begin{frame}
\frametitle{Timelining in MISP}
\begin{itemize}
\item Why is this interesting?
\item {\bf IoC lifecycle management} is one of the biggest challenges we face
\item Timeline information allows us to better {\bf express a story}, rather than {\bf share dumps of IoCs}
\item {\bf Time-based correlation} of certain actions helps us understand an incident
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding}
\begin{itemize}
\item Outcome of our personal initiatives to track the COVID-19 spread
\item New built-in {\bf dashboarding system} directly available in MISP
\item Dashboard widgets are modular and {\bf easy to build}
\item Create widgets that are {\bf ACL aware}
\item The COVID-19 MISP community turned out to be a massive success
\begin{itemize}
\item Just register at \url{https://covid-19.iglocska.eu} if you would like to have access
\end{itemize}
\item COVID-19 use-cases are just an example though (admin widgets, trend widgets, gamification, etc.)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding}
\includegraphics[scale=0.25]{images/dashboard.png}
\end{frame}
\begin{frame}
\frametitle{Decaying indicators v2}
\begin{itemize}
\item Further improvement on our indicator {\bf life-cycle management} tool
\item {\bf User settings} are now taken into account when crafting queries
\item {\bf Tool-specific} user accounts can be pre-configured with decaying settings
\item {\bf Taxonomy} numerical values can be re-mapped to fit internal needs
\item {\bf Sightings} factor into the decay scores
\end{itemize}
\end{frame}
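To make the two slides above concrete (first-seen/last-seen timelining and decaying indicators v2), here is an added example that is not MISP's own code: a small re-implementation of the polynomial decay model MISP documents for decaying indicators, with taxonomy values re-mapped to base scores and sightings refreshing the decay clock. Taking the highest tag score as the base score and using the latest sighting as the reference time are simplifying assumptions; the class and function names are mine.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Added example, not MISP's own code: a minimal re-implementation of the
# "Polynomial" decaying model (score = base * (1 - (t / tau) ** (1 / delta)))
# that MISP documents for its decaying indicators, plus two v2 behaviours from
# the slide: taxonomy numerical values re-mapped to local base scores, and
# sightings refreshing the indicator. Taking the highest tag score, and using
# the latest sighting as the decay reference, are simplifying assumptions.

@dataclass
class DecayingModel:
    lifetime: float                 # tau: days until the score reaches 0
    decay_speed: float              # delta: curve shape (1 = linear decay)
    threshold: float                # below this score the IoC is considered expired
    default_base_score: float = 100.0
    tag_base_scores: Dict[str, float] = field(default_factory=dict)  # re-mapped taxonomy values

    def base_score(self, tags: List[str]) -> float:
        """Highest re-mapped taxonomy score among the tags, else the default."""
        scores = [self.tag_base_scores[t] for t in tags if t in self.tag_base_scores]
        return max(scores) if scores else self.default_base_score

    def score(self, base: float, elapsed_days: float) -> float:
        """Polynomial decay, clamped to [0, base]."""
        if elapsed_days <= 0:
            return base
        if elapsed_days >= self.lifetime:
            return 0.0
        return base * (1 - (elapsed_days / self.lifetime) ** (1 / self.decay_speed))

@dataclass
class Indicator:
    value: str
    last_seen: datetime                       # MISP attribute last_seen
    tags: List[str] = field(default_factory=list)
    sightings: List[datetime] = field(default_factory=list)

def current_score(model: DecayingModel, ioc: Indicator, now: datetime) -> float:
    # A sighting restarts the clock: decay is measured from whichever is more
    # recent, last_seen or the latest sighting.
    reference = max([ioc.last_seen] + ioc.sightings)
    elapsed = (now - reference).total_seconds() / 86400
    return round(model.score(model.base_score(ioc.tags), elapsed), 2)

def is_expired(model: DecayingModel, ioc: Indicator, now: datetime) -> bool:
    return current_score(model, ioc, now) < model.threshold
```

With lifetime 30 days and decay speed 2, an indicator last seen 7.5 days ago scores half its base score, while one last seen 30 days ago scores 0 unless a newer sighting exists.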
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_1.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_3.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_4.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Massive rewrite of PyMISP}
\begin{itemize}
\item Python 3.6+ is the minimum since the modern PyMISP rework
\item Use of {\bf objects} with a {\bf long list of helpers} allows for easy creation/modification of MISP data
\item PyMISP's {\bf CI testing} suite has grown massively, allowing us to catch more and more issues as we commit changes
\item Automated testing {\bf including synchronising} several MISP instances
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Community management improvements}
\begin{itemize}
\item {\bf User configurations} - manage per-user rule sets to alter MISP's behaviour ({\bf alerting rules}, {\bf dashboard configuration}, etc.)
\item {\bf Community listings} - to help users find the right communities and negotiate access
\item Various improvements to authorization systems - {\bf e-mail based OTP}, {\bf further integrations with SSO systems}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Integrations}
\begin{itemize}
\item Long list of {\bf integrations}, both via our export and module systems and by other tools integrating with MISP
\item Continuous iterations of our connectors to other formats (a massive STIX 2 rework has just dropped)
\item Integrations with analysis tools, such as {\bf Maltego}
\item Tighter integration with other {\bf OSS frameworks we develop in-house} (AIL, D4)
\item Mapping of libraries to taxonomies/galaxies/object templates
\item ATT\&CK-like matrices from other domains (disinformation via AMITT, various sectorial groups)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP format modules}
\begin{itemize}
\item Initial modules
\begin{itemize}
\item Return {\bf single attributes} only
\item As {\bf light-weight} as possible
\item Good for handling {\bf simple queries}
\end{itemize}
\item MISP format modules
\begin{itemize}
\item Return the {\bf MISP standard format}
\item {\bf Backward compatible}
\item Much better results with {\bf complex data}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP format modules}
\begin{center}
\includegraphics[width=0.7\linewidth]{cve_module.png}
\end{center}
\end{frame}
\section{The road ahead}
\begin{frame}
\frametitle{So that's where we are now}
\begin{itemize}
\item Let's have a brief look at what is on our immediate and long-term roadmaps
\item For the long-term ones, priorities shift rapidly
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Going further with the MISP modules}
\begin{itemize}
\item {\bf Expansion modules} for the event scope
\item Enable import modules to {\bf generate entire events}
\item Move the export modules to the {\bf built-in export library}
\end{itemize}
\begin{itemize}
\item Move the modules to {\bf background processes} with a messaging system
\item Avoid the results preview when applicable
\begin{itemize}
\item The preview page can be very heavy
\item The difficulty is {\bf dealing with uncertain results} (without the user having final say)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP galaxy 2.0}
\begin{itemize}
\item MISP galaxies will be fully managed via MISP directly
\item Create, modify and {\bf share your custom galaxies} with the usual sync / ACL mechanisms
\item Fork and {\bf provide your own perspective} on already existing knowledge-base items
\item Build {\bf relationships between galaxy clusters} (Threat actor A uses Tool B and targets Sector C)
\item Already available in beta
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Reports}
\begin{itemize}
\item Create {\bf markdown reports} and share them along with your events
\item Structured information is great for automation, but sometimes plain prose helps tell a story
\item Shared along with events, with distribution configurable per report item
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Community management at scale}
\begin{itemize}
\item {\bf Cerebrate} is a new OSS framework that we're building
\item Manage {\bf organisation, sharing group and encryption key} data for communities
\item {\bf Instrument} MISP instances and the interconnectivity between them via Cerebrate
\item Introduce {\bf information signing} by validating signatures / ownership via trusted Cerebrate nodes
\item Early alpha already available
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Rework of the MISP internals}
\begin{itemize}
\item We are planning on moving MISP to a {\bf more modern stack} (cake4/bs4)
\item Cerebrate also acts as a {\bf test-bed} for this move and relies on MISP internals that have already been ported
\item We have been silently {\bf reworking a lot of the internals} of MISP to make the migration possible (UI generator systems, for example)
\end{itemize}
\end{frame}
\section{Conclusion}
\begin{frame}
\frametitle{To sum it all up...}
\begin{itemize}
\item Many interesting things are happening
\item We are following {\bf several routes} of development (internal improvements, contextualisation, integrations, operational improvements, community building)
\item We have many more ideas, but sadly days are only 24 hours long
\item There are {\bf many ways to get involved}
\item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\item Join the COVID-19 MISP community
\begin{itemize}
\item \url{https://covid-19.iglocska.eu}
\end{itemize}
\end{itemize}
\end{frame}