

2019-12-13 15:06:40 +01:00
% This is included by the other .tex files.
\frametitle{What happened in the past 6 months?}
\item {\bf 13} new MISP {\bf releases} - on track for $\sim$2 / month
\item Over {\bf 2000 commits} for the core alone from {\bf 34 contributors}
\item Progress on a massive rework that is underway
\item Before we get to the highlights...
\frametitle{Standardisation for open source formats}
\item \url{https://www.misp-standard.org}
\item Standardising the {\bf MISP related} and {\bf other open source} formats
\item We want a vehicle for publishing standards {\bf without giving up control}
\item Let us know if you would like to be listed!
\frametitle{Steady growth in efforts to share refined information}
\item Both on a {\bf data} and a {\bf context} level
\item Growth in the {\bf community's} and {\bf tooling's} maturity
\item {\bf ATT\&CK}'s quick adoption is partially to blame for the recent surge
\item Also a side effect of MISP becoming a sharing tool for completely {\bf different domains}
\frametitle{Object relations}
\frametitle{ATT\&CK like matrices}
\frametitle{Community management}
\item Sectorial, regional, topical groupings becoming more organised
\item Inherently more difficult to find the right communities
\item We're starting to build an opt-in {\bf community registry}
\item Still very early days, but let us know if you would like to {\bf announce yourselves}!
\frametitle{Community request}
\frametitle{Sightings improved}
\item More organisations involved in the feedback-loop of reporting back sightings
\item Sighting synchronisation improved
\item Alternate sighting back-end for heavy, bulk sightings
\item SightingDB, open source, developed by Devo
\item Experimental for now, but fully functional.
\item SightingDB standard for alternate implementations via misp-standard.org
\frametitle{Various improvements to taxonomies}
\item Tag exclusivity allows for taxonomies with inherent rules
\item For example: it makes no sense to have multiple TLP tags on an event
\item You can also restrict on a predicate level
\item Require taxonomies to be set
\item Certain taxonomies can be set as requirements for publishing in a community
\item Example: No TLP/PAP? No right to publish.
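The two kinds of taxonomy rule described above, tag exclusivity (per taxonomy or per predicate) and taxonomies required for publishing, as an added worked example; this is illustration code, not MISP's implementation, and the rule sets and sample tags are constructed for it.

```python
"""Taxonomy tag rules on a MISP-style event: an added illustration, not MISP code.
It models the two rule kinds from the slides: exclusivity (only one tlp:* tag per
event; exclusivity can also be set per predicate) and taxonomies that must be
present before publishing (no TLP/PAP, no right to publish). The rule sets and
the tags below are constructed for this example."""

EXCLUSIVE_TAXONOMIES = {"tlp"}              # at most one tag from the whole namespace
EXCLUSIVE_PREDICATES = {"admiralty-scale"}  # at most one value per predicate
REQUIRED_FOR_PUBLISH = {"tlp", "PAP"}       # namespaces an event needs to be publishable


def split_tag(tag: str):
    """Split 'ns:predicate="value"' into (ns, predicate, value); value is None if absent."""
    namespace, _, rest = tag.partition(":")
    predicate, _, value = rest.partition("=")
    return namespace, predicate, value.strip('"') or None


def check_event_tags(tags):
    """Return the rule violations for an event's tag list; an empty list means
    the event respects exclusivity and carries every taxonomy needed to publish."""
    problems, first_in_namespace, first_for_predicate = [], {}, {}
    for tag in tags:
        namespace, predicate, _ = split_tag(tag)
        if namespace in EXCLUSIVE_TAXONOMIES:
            other = first_in_namespace.setdefault(namespace, tag)
            if other != tag:
                problems.append(f"{tag} conflicts with {other}: {namespace} is exclusive")
        if namespace in EXCLUSIVE_PREDICATES:
            other = first_for_predicate.setdefault((namespace, predicate), tag)
            if other != tag:
                problems.append(f"{tag} conflicts with {other}: one {predicate} value allowed")
    present = {split_tag(tag)[0] for tag in tags}
    for namespace in sorted(REQUIRED_FOR_PUBLISH - present):
        problems.append(f"missing {namespace} tag: no right to publish")
    return problems
```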
\frametitle{Alerting rules}
\item First steps for our user settings system
\item Customise the rules that decide what you want to get alerted on
\frametitle{Decaying of indicators}
\item MISP has a powerful toolbox that allows users to filter their dataset based on their needs
\item We were still missing a way to use all of these systems in combination to decay indicators
\item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models}
\item Decay models take into account various \textbf{taxonomies}, \textbf{sightings}, the \textbf{type} of each indicator and its \textbf{creation date}
\item The first iteration of what we have in MISP now took:
\item 2 years of research
\item 3 published research papers
\item A lot of prototyping
\frametitle{Scoring Indicators: Our solution}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
\item \texttt{score} $ \in [0, 100] $
\item \texttt{base\_score} $ \in [0, 100] $
\item \texttt{decay} is a function defined by the model's parameters controlling decay speed
\item \texttt{Attribute} contains the \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
\item \texttt{Model} contains the \textit{Model}'s configuration
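The scoring formula above carried through in code, as an added example that is not part of the slides or of MISP itself: decay() is the polynomial curve MISP's default decaying models use, with the real parameter names tau (lifetime in days), delta (decay speed) and threshold; base_score() is a simplified stand-in for MISP's taxonomy-weighted base score, and the sample attribute and model parameters are constructed apart from the timestamp and the model id and name shown on the following slides.

```python
"""MISP-style indicator decay score: an added illustration, not MISP project code.
The polynomial curve is the one MISP's default decaying models use, with the real
parameter names tau (days), delta and threshold; base_score() is a simplified
stand-in (assumption) for MISP's taxonomy-weighted base score. Sample data is
constructed, except the attribute timestamp and model id/name from the slides."""
from dataclasses import dataclass, field

@dataclass
class Model:
    id: str
    name: str
    tau: float            # lifetime in days: decay() reaches 0 at t = tau
    delta: float          # decay speed: delta < 1 holds the score up early, then drops fast
    threshold: float      # score at or below which the indicator is decayed
    default_base_score: float = 80.0
    base_score_config: dict = field(default_factory=dict)  # taxonomy -> weight

def decay(model: Model, elapsed_days: float) -> float:
    """decay(Model, time) in [0, 1]: 1 - (t / tau) ** (1 / delta), clamped."""
    if elapsed_days <= 0:
        return 1.0
    if elapsed_days >= model.tau:
        return 0.0
    return 1.0 - (elapsed_days / model.tau) ** (1.0 / model.delta)

def base_score(attribute: dict, model: Model) -> float:
    """Weighted mean of numerical_value over tags from weighed taxonomies."""
    total = weights = 0.0
    for tag in attribute.get("Tag", []):
        weight = model.base_score_config.get(tag["name"].split(":", 1)[0])
        if weight is not None and tag.get("numerical_value") is not None:
            total += weight * float(tag["numerical_value"])
            weights += weight
    return total / weights if weights else model.default_base_score

def decay_score(attribute: dict, model: Model, now: int) -> dict:
    """score = base_score * decay, timed from the last sighting or the timestamp."""
    seen = [int(s["date_sighting"]) for s in attribute.get("Sighting", [])]
    last_seen = max(seen) if seen else int(attribute["timestamp"])
    score = base_score(attribute, model) * decay(model, (now - last_seen) / 86400)
    return {"score": score, "decayed": score <= model.threshold,
            "DecayingModel": {"id": model.id, "name": model.name}}

MODEL = Model(id="85", name="NIDS Simple Decaying Model", tau=30, delta=0.3,
              threshold=30, base_score_config={"admiralty-scale": 1.0})
ATTRIBUTE = {"type": "ip-src", "timestamp": "1565703507", "value": "192.0.2.1",  # constructed
             "Tag": [{"name": 'admiralty-scale:source-reliability="b"', "numerical_value": 75}]}

if __name__ == "__main__":
    for days in (0, 15, 29, 40):  # fresh, mid-life, nearly expired, past tau
        print(days, decay_score(ATTRIBUTE, MODEL, 1565703507 + days * 86400))
```

Running it prints the score falling from the base score towards 0 over tau days and flipping to decayed once it crosses the threshold; a newer sighting restarts the clock.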
\frametitle{Implementation in MISP: \texttt{Event/view}}
\item \texttt{Decay score} toggle button
\item Shows the score for each \textit{Model} associated with the \textit{Attribute} type
\frametitle{Implementation in MISP: API result}
\begin{verbatim}
{
  "Attribute": [
    {
      "category": "Network activity",
      "type": "ip-src",
      "to_ids": true,
      "timestamp": "1565703507",
      "value": "",
      "decay_score": [
        {
          "score": 54.475223849544456,
          "decayed": false,
          "DecayingModel": {
            "id": "85",
            "name": "NIDS Simple Decaying Model"
          }
        }
      ]
    }
  ]
}
\end{verbatim}
\frametitle{Implementation in MISP: Index}
View, update, add, create, delete, enable, export, import
\frametitle{Implementation in MISP: Fine tuning tool}
Create, modify, visualise, perform mapping
\frametitle{Implementation in MISP: \texttt{base\_score} tool}
Adjust Taxonomies relative weights
\frametitle{Implementation in MISP: simulation tool}
Simulate \textit{Attributes} with different \textit{Models}
\frametitle{Implementation in MISP: API query body}
\begin{verbatim}
{
  "includeDecayScore": 1,
  "includeFullModel": 0,
  "excludeDecayed": 0,
  "decayingModel": [85],
  "modelOverrides": {
    "threshold": 30
  },
  "score": 30
}
\end{verbatim}
\frametitle{Where do we go from here?}
\item Massive list of features/todos
\item Most immediate ones we're working on:
\item {\bf Community management} via a new, related tool called {\bf Cerebrate} coming 2020
\item {\bf Custom galaxies}, editing in MISP directly
\item Massive {\bf rework} moving MISP to a more modern version of the framework
\item Internal refactor / deprecation of old baggage
\item {\bf New UI}
\frametitle{Get in touch if you have any questions}
\item Contact CIRCL
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\item Contact MISPProject
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\item Poke me directly
\item \url{https://twitter.com/iglocska}