misp-training/attack-2020/content.tex

59 lines
2.7 KiB
TeX
Raw Normal View History

% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{What changed since the last workshop?}
\begin{itemize}
\item ATT\&CK has been steadily on the rise
\item In cyber security MISP information sharing community, ATT\&CK is often attached on {\bf more than 70\%} of the events
\item The {\bf number of matrix-like galaxies increased} in MISP in addition to the ones published by MITRE
\begin{itemize}
\item Including {\bf Telecom} matrix (Bhadra framework), {\bf Election guidelines}, {\bf Misinformation patterns}, {\bf Segregation of Duties (LEA/CSIRT)}, {\bf Financial} (att4ck for fraud), {\bf Office 365} techniques.
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP updates about ATT\&CK}
\begin{itemize}
\item Various improvements in ATT\&CK visualisations and export format such as {\bf attack-sightings}
\item {\bf ATT\&CK Sub-techniques} are now available MISP
\item MITRE ATT\&CK {\bf ICS} is available
\item Challenges with historical data and ATT\&CK techniques. Should MITRE provide UUID mapping tables for new and old/historical techniques?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP event report}
\begin{itemize}
\item Event report\footnote{\url{https://www.misp-project.org/2020/10/16/MISP.2.4.133.released.html}} is a new convenient mechanism to edit, visualize and share Markdown reports in MISP
\item Standardise and {\bf extend the Markdown format} to support references to MISP attributes, objects, galaxies or ATT\&CK matrix:
\end{itemize}
\includegraphics[scale=0.2]{report.png}
\end{frame}
\begin{frame}
\frametitle{MISP event report}
\begin{itemize}
\item Overall goal is to provide a standard Markdown format for reports which can be combined with structured elements
\item The importance of {\bf fixed references in MITRE ATT\&CK is critical} for long-term accessibility to information
\includegraphics[scale=0.25]{view.png}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Conclusion}
\begin{itemize}
\item Bridging the gap between structured and unstructured report is critical. Integrating tram\footnote{\url{https://github.com/mitre-attack/tram}} with MISP event report could be an option.
\item The matrix-like enhancement from the MISP galaxy format will be added in the default MISP galaxy standard format\footnote{\url{https://www.misp-standard.org/}}
\item ATT\&CK like matrices become more and more common and used, thanks the {\bf continuous work of the community}
\end{itemize}
\end{frame}