2024-05-16 11:31:19 +02:00
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin { frame}
\titlepage
\end { frame}
2024-05-16 13:10:26 +02:00
\begin { frame}
\frametitle { What is a MISP Galaxy?}
\begin { itemize}
\item MISP Galaxy is a feature in MISP and a MISP standard\footnote { \url { https://www.misp-standard.org/} } format to create { \bf contextualization libraries} .
\begin { itemize}
\item There are two main types: \textbf { combined list} or \textbf { matrix-like list} .
\end { itemize}
\item The first historical matrix-like galaxy was MITRE ATT\& CK\footnote { Presented at the first EU ATT\& CK community meeting in Luxembourg} .
\item Galaxies contain intelligence that can be \textbf { structured} in a matrix-like format. Relationships between models can be created, and implementation such as in MISP allows for the \textbf { forking and sharing of information} . This is typically attached to intelligence in threat intelligence platforms to add context.
\end { itemize}
\end { frame}
2024-05-16 13:59:03 +02:00
\begin { frame}
\frametitle { Origins and Evolution}
\begin { itemize}
\item Seeing the success of the ATT\& CK framework in MISP gave rise to a host of matrix-based models:
\begin { itemize}
\item Inflation? We don’ { \bf different models} because there are many { \bf different use cases to be represented} .
\item We found this to be good as long as those models are maintained.
\end { itemize}
\end { itemize}
\end { frame}
2024-05-16 11:31:19 +02:00
\begin { frame}
\frametitle { MISP galaxies over time}
\begin { center}
\includegraphics [scale=0.13] { ./screenshots/timeline.png}
\end { center}
\end { frame}
2024-05-16 13:59:03 +02:00
\begin { frame}
\frametitle { What Leads to Starting New Frameworks?}
\begin { itemize}
\item New frameworks try to { \bf fill gaps} .
\item New ideas in different areas/domains.
\item Small vs. large initiatives.
\item { \bf Collaboration is not always easy} .
\begin { itemize}
\item Small contributors vs. large organizations.
\item Absence of guidance to contribute.
\item Closed models.
\end { itemize}
\item Research \& publication vs. practical use.
\item Need for timely new data in a continuously evolving threat landscape.
\end { itemize}
\end { frame}
2024-05-16 14:13:13 +02:00
\begin { frame}
\frametitle { Conversion (or the Dirty Part)}
\begin { itemize}
\item Understand the topic.
\item Understand the users and their use cases.
\item Map to Matrix / Kill Chain.
\item Handle \textbf { various formats} :
\begin { itemize}
\item JSON, XLS, PDF, DOCX, Markdown, CSV, web scraping, Python, etc.
\end { itemize}
\item Reverse engineer the data model.
\item Manage UUIDs: existing vs. generating new.
\item Handle duplicate values\footnote { In other words, many organizations didn’ } :
\begin { itemize}
\item Interaction with the framework owner.
\end { itemize}
\item Create the conversion script.
\end { itemize}
\end { frame}
2024-05-16 13:59:03 +02:00
2024-05-16 15:26:01 +02:00
\begin { frame}
\frametitle { Relations (Where Are the Overlaps?)}
\begin { itemize}
\item Example relations: \texttt { similar} , \texttt { contains} , or lifecycle: \texttt { revoked-by} .
\item Frameworks might contain internal relations.
\item Relations between different frameworks:
\begin { itemize}
\item \textbf { Native relationships}
\item \textbf { 3rd party contributions}
\end { itemize}
\item Create specific tooling to help or partially automate the creation of relations.
\end { itemize}
\begin { center}
\includegraphics [scale=0.2] { ./screenshots/rel-gen-example.png}
\includegraphics [scale=0.2] { ./screenshots/rel-gen-help.png}
\end { center}
\end { frame}
2024-05-16 15:39:30 +02:00
\begin { frame}
\frametitle { Maintenance (Anyone on the Line?)}
\begin { itemize}
\item { \bf Frameworks have a lifecycle} - evolution of the model.
\item Know when there is an update.
\item { \bf Deprecate, revoke, delete entries} .
\item Change of UUID (UUIDv4 or UUIDv5) / value - may impact UUID.
\begin { itemize}
\item Breaks relationships with UUIDs.
\end { itemize}
\item Conversion script breaks.
\item Keeping contributed relationships.
\end { itemize}
\end { frame}
2024-05-16 11:31:19 +02:00
2024-05-16 15:47:29 +02:00
\begin { frame}
\frametitle { Opportunities (How Can It Help Me?)}
\begin { itemize}
\item Structure new models: { \bf Understand existing ones to identify gaps} and raise feature requests or pull requests on \texttt { misp-galaxy} .
\item MISP Galaxy:
\begin { itemize}
\item Open standard.
\item Data is CC0 - { \bf reusable in any software} .
\end { itemize}
\item Extend frameworks: Use one framework as a core library and build additional layers on top.
\item Marketing and promotion: The more tools that use it, the { \bf more widely the framework is adopted} .
\end { itemize}
\end { frame}
2024-05-16 11:31:19 +02:00
\begin { frame}
\frametitle { Get in touch if you have any questions}
\begin { itemize}
\item MISP galaxy website \url { https://www.misp-galaxy.org/}
\item Contact MISPProject
\begin { itemize}
\item \url { https://github.com/MISP}
\item \url { https://gitter.im/MISP/MISP}
\item \url { https://twitter.com/MISPProject}
\end { itemize}
\end { itemize}
\end { frame}
