% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
% Title slide: top-aligned; [plain] drops the head/foot decorations
\begin{frame}[t,plain]
  \titlepage
\end{frame}
% Agenda slide
\begin{frame}
  \frametitle{Summary}
  \begin{itemize}
    \item Past \& current status
    \item Recent changes
    \item Continuous improvement \& future roadmap
    \item Organisational \& philosophical aspects
    \item Demo (?)
  \end{itemize}
\end{frame}
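% Native STIX support in MISP.
% \textbf{...} replaces the obsolete {\bf ...} font-switch group.
\begin{frame}
  \frametitle{MISP \& STIX}
  \begin{itemize}
    \item \textbf{Built-in integration}
    \item Export \& Import features
    \begin{itemize}
      \item Export MISP Events collections
      \item Import STIX files
    \end{itemize}
    \item Supported version
    \begin{itemize}
      \item STIX 1.1.1
      \item STIX 2.0
    \end{itemize}
    \item Accessible via restSearch
  \end{itemize}
\end{frame}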
% Screenshot slide; the scale factor is tuned to this image
\begin{frame}
  \frametitle{STIX conversion usage in MISP}
  \centering
  \includegraphics[scale=0.19]{images/simple_rest_query.png}
\end{frame}
% Screenshot slide; the scale factor is tuned to this image
\begin{frame}
  \frametitle{STIX conversion usage in MISP}
  \centering
  \includegraphics[scale=0.2]{images/simple_rest_results.png}
\end{frame}
% Two stacked screenshots; the \\ is a deliberate line break after \centering
\begin{frame}
  \frametitle{STIX conversion usage in MISP}
  \centering
  \includegraphics[scale=0.235]{images/simple_rest_curl.png}\\
  \includegraphics[scale=0.235]{images/simple_rest_pymisp.png}
\end{frame}
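% Former limitations, part 1: "Supported versions" is the highlighted item.
% \textbf{...} replaces the obsolete {\bf ...} group.
% The picture is sized with \linewidth: inside a minipage \textwidth still
% holds the full slide width, so width=\textwidth overflows the column.
\begin{frame}
  \frametitle{Former feature limitations}
  \begin{minipage}{0.45\textwidth}
    \begin{itemize}
      \item \textbf{Supported versions}
      \begin{itemize}
        \item 1.1.1 XML (\& JSON)
        \item 2.0
      \end{itemize}
      \item Data type support
    \end{itemize}
  \end{minipage}%
  \begin{minipage}{0.55\textwidth}
    \centering
    \includegraphics[width=\linewidth]{images/limited_version.jpg}
  \end{minipage}
\end{frame}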
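% Former limitations, part 2: "Data type support" is the highlighted item.
% \textbf{...} replaces the obsolete {\bf ...} group.
% The picture is sized with \linewidth: inside a minipage \textwidth still
% holds the full slide width, so width=\textwidth overflows the column.
\begin{frame}
  \frametitle{Former feature limitations}
  \begin{minipage}{0.5\textwidth}
    \begin{itemize}
      \item Supported versions
      \begin{itemize}
        \item 1.1.1 XML (\& JSON)
        \item 2.0
      \end{itemize}
      \item \textbf{Data type support}
    \end{itemize}
  \end{minipage}%
  \begin{minipage}{0.5\textwidth}
    \centering
    \includegraphics[width=\linewidth]{images/limited_data_type.jpg}
  \end{minipage}
\end{frame}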
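% Practical/organisational limitations of the former setup.
% \textbf{...} replaces the obsolete {\bf ...} group; the empty \item[] is
% kept as the vertical spacer the original used between the two topics.
\begin{frame}
  \frametitle{Former practical \& Organisational limitations}
  \begin{itemize}
    \item Export and import features only available via MISP
    \begin{itemize}
      \item Need an automation key (and/or to deal with the UI)
    \end{itemize}
    \item[]
    \item \textbf{Github}: STIX issues lost within the MISP core issues
    \pause
    \vspace{4em}
    \begin{center}
      \includegraphics[scale=0.4]{images/issues.png}
    \end{center}
  \end{itemize}
\end{frame}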
% Single centred picture slide
\begin{frame}
  \frametitle{The solution}
  \begin{center}
    \includegraphics[scale=0.3]{images/solution.png}
  \end{center}
\end{frame}
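% Key features of the new library.
% \textbf{...} replaces the obsolete {\bf ...} group; \item[] is the spacer.
\begin{frame}
  \frametitle{Key features}
  \begin{itemize}
    \item Support all the STIX versions
    \begin{itemize}
      \item \textbf{STIX 2.1 Support}
      \item 1.1.1, 1.2, 2.0 Support enhanced
    \end{itemize}
    \item Various MISP data collection supported
    \item[]
    \item \textbf{Mapping documentation}
  \end{itemize}
\end{frame}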
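% How the conversion code is packaged: MISP modules, CLI, importable library.
% \textbf{...} replaces the obsolete {\bf ...} group.
% "i.e.\ " uses a control space so the abbreviation is not treated as a
% sentence end; $\leftrightarrow$ replaces a bare "<->", whose < and > are
% not reliable glyphs in text mode under OT1 encoding.
\begin{frame}
  \frametitle{Handling the conversion with a python library}
  \begin{itemize}
    \item Used in MISP built-in export modules
    \item[]
    \item Enable a \textbf{stand-alone} use of the python code\footnote{i.e.\ command line}
    \begin{itemize}
      \item Pass filenames \& get the converted content written in 1 or more result file(s)
    \end{itemize}
    \item Possible integration within python code
    \begin{itemize}
      \item Give it a list of filenames
      \item MISP standard format $\leftrightarrow$ STIX
      \begin{itemize}
        \item JSON or PyMISP
      \end{itemize}
    \end{itemize}
  \end{itemize}
\end{frame}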
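% CLI usage screenshot; the title uses an en-dash (--) rather than a hyphen
\begin{frame}
  \frametitle{Library usage -- Command line}
  \centering
  \includegraphics[scale=0.145]{images/stand_alone_usage.png}
\end{frame}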
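% Python integration screenshot; the title uses an en-dash (--) rather than a hyphen
\begin{frame}
  \frametitle{Library usage -- Python integration}
  \centering
  \includegraphics[scale=0.12]{images/python_usage.png}
\end{frame}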
% The two layers of the mapping documentation; \item[] is the spacer
\begin{frame}
  \frametitle{Mapping documentation}
  \begin{itemize}
    \item Mapping overview
    \begin{itemize}
      \item Quick overview on how MISP data structures are mapped with STIX objects
    \end{itemize}
    \item[]
    \item Detailed mapping
    \begin{itemize}
      \item Extended explanation on how each granular data is mapped with STIX objects fields
    \end{itemize}
  \end{itemize}
\end{frame}
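% Work in progress; the TAXII item is revealed with \pause next to a picture.
% \textbf{...} replaces the obsolete {\bf ...} group; $\to$ replaces a bare
% "->" typed in text mode.
\begin{frame}
  \frametitle{Work in Progress}
  \begin{itemize}
    \item \textbf{STIX 2 $\to$ MISP import feature}
    \item[]
    \item New MISP object templates \& Galaxy clusters
    \item[]
    \item Better support for Custom Galaxy clusters
    \item[]
  \end{itemize}
  \pause
  \begin{minipage}{0.5\textwidth}
    \begin{itemize}
      \item \textbf{TAXII integration}
    \end{itemize}
  \end{minipage}%
  \begin{minipage}{0.5\textwidth}
    \includegraphics[scale=0.2]{images/surprise.jpg}
  \end{minipage}
\end{frame}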
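% Ongoing development topics.
% \textbf{...} replaces the obsolete {\bf ...} group inside the footnote;
% $\to$ replaces the bare "->" typed in text mode.
\begin{frame}
  \frametitle{Continuous development}
  \begin{itemize}
    \item Better support of existing STIX objects libraries\footnote{\url{https://github.com/mitre/cti}}
    \item Support custom STIX format\footnote{Especially while importing STIX data, \textbf{and as long as we can implement support of well defined versions}}
    \item[]
    \item Mapping improvement
    \begin{itemize}
      \item MISP object templates $\to$ STIX
      \item Improve the STIX 2 patterns \& Observable objects $\to$ MISP
    \end{itemize}
  \end{itemize}
\end{frame}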
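% Roadmap items; $\to$ replaces the bare "->" typed in text mode.
\begin{frame}
  \frametitle{What comes next?}
  \begin{itemize}
    \item Extend the export feature to any kind of data collection
    \item[]
    \item Add notes on any data structure
    \item Sightings on context layers
    \item[]
    \item Port the STIX 1 $\to$ MISP import feature
  \end{itemize}
\end{frame}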
% Problem statement: external STIX content, UUIDs we want to preserve,
% and the validation errors that follow. \pause reveals the second half.
\begin{frame}
  \frametitle{Handling different STIX content creation designs}
  \begin{minipage}{0.6\textwidth}
    \begin{itemize}
      \item Impossible to control the content created by external parties
      \item We want to keep UUIDs
      \pause
      \item[]
      \item Facing UUIDs validation issues
      \begin{itemize}
        \item Loading error
      \end{itemize}
    \end{itemize}
  \end{minipage}%
  \begin{minipage}{0.4\textwidth}
    \includegraphics[scale=0.25]{images/two_buttons_dilemna.jpg}
  \end{minipage}
\end{frame}
% The fork that relaxes only UUID validation.
% NOTE(review): a \footnote inside \frametitle is fragile in beamer and its
% text may not appear; if so, put \footnotemark in the title and the
% matching \footnotetext{...} in the frame body -- confirm in the rendered PDF.
\begin{frame}
  \frametitle{An easy fix: a STIX 2 python library fork\footnote{\url{https://github.com/MISP/cti-python-stix2} \& \url{https://pypi.org/project/misp-lib-stix2/}}}
  \begin{minipage}{0.62\textwidth}
    \begin{itemize}
      \item No change on the content validation
      \begin{itemize}
        \item Differs only on the UUIDs validation process
      \end{itemize}
      \item MISP has now the same UUIDs requirements
      \begin{itemize}
        \item We keep a reference to the initial UUID
        \item A UUID v5 is generated
      \end{itemize}
    \end{itemize}
  \end{minipage}%
  \begin{minipage}{0.38\textwidth}
    \includegraphics[scale=0.25]{images/two_buttons_solution.jpg}
  \end{minipage}
\end{frame}
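% Format-gap slide; fixes the article in "a threat intelligence exchange format".
\begin{frame}
  \frametitle{Minding the gap between formats}
  \begin{itemize}
    \item From a sharing platform to a threat intelligence exchange format
    \begin{itemize}
      \item Custom STIX objects
      \item Custom fields in existing objects
      \item STIX extensions
    \end{itemize}
    \item Handling the infinite possibilities of a patterning language
    \begin{itemize}
      \item Importing STIX 2 patterns in separate MISP objects
    \end{itemize}
  \end{itemize}
  \pause
  \vspace{1em}
  \includegraphics[scale=0.15]{images/patterns.png}
\end{frame}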
% Single picture slide (not centred in the original)
\begin{frame}
  \frametitle{Mapping challenges}
  \includegraphics[scale=0.285]{images/challenges.png}
\end{frame}
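% OASIS CTI TC involvement and proposal.
% $\Rightarrow$ replaces the bare "=>" typed in text mode (> is not a reliable
% text glyph under OT1); "contributors" fixes a spelling error. The \\ inside
% the items are the original's deliberate line breaks before each arrow.
\begin{frame}
  \frametitle{Evolution perspectives}
  \begin{center}
    \includegraphics[scale=0.1]{images/oasis.png}
  \end{center}
  \vspace{1em}
  \begin{itemize}
    \item Members of the Oasis CTI TC
    \begin{itemize}
      \item Our involvement
      \begin{itemize}
        \item Participating to the development process
      \end{itemize}
      \item[]
      \item Our proposal: Go for the open source way
      \begin{itemize}
        \item Make the contribution process more accessible \\
              $\Rightarrow$ Bring more contributors / contributions
        \item Easier access to the resources \\
              $\Rightarrow$ More visibility
      \end{itemize}
    \end{itemize}
  \end{itemize}
\end{frame}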
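% Where and how to report issues.
% \textbf{...} replaces the obsolete {\bf ...} group; \item[] is the spacer.
\begin{frame}
  \frametitle{How to report bugs/issues}
  \begin{itemize}
    \item Github issues
    \begin{itemize}
      \item \textbf{\url{https://github.com/MISP/misp-stix/issues}}
      \item \url{https://github.com/MISP/MISP/issues}
    \end{itemize}
    \item[]
    \item Please provide details
    \begin{itemize}
      \item How did the issue happen
      \item \textbf{Recommendation}: provide samples
    \end{itemize}
    \item[]
    \item Any feedback welcome
  \end{itemize}
\end{frame}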
% Link list; \item[] is the spacer between project and social links
\begin{frame}
  \frametitle{Useful links}
  \begin{itemize}
    \item \url{https://github.com/MISP/misp-stix}
    \item \url{https://github.com/MISP/misp-stix/tree/main/documentation}
    \item[]
    \item \url{https://github.com/MISP}
    \item \url{https://www.misp-project.org/}
    \item \url{https://twitter.com/MISPProject}
    \item \url{https://twitter.com/chrisred_68}
  \end{itemize}
\end{frame}
% Closing picture slide
\begin{frame}
  \frametitle{Demo time}
  \centering
  \includegraphics[scale=0.45]{images/demo.jpg}
\end{frame}