mirror of https://github.com/MISP/misp-training
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}{The bright side of information sharing}
\begin{itemize}
\item We build various information sharing communities (one has more than 1500 organisations and more than 4000 users), {\bf sharing and updating cybersecurity indicators, financial indicators and threats daily, in both directions}
\item To achieve this we actively develop, maintain and support MISP (an open source threat sharing\footnote{also called TIP, CTI platform. \url{http://www.misp-project.org}} platform)
\item Besides the tools, {\bf practices, standard formats and classifications} play an important role
\item These practices need to be shared among the communities to support efficient collaboration
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to be successful in building an information sharing community?}
{\center \it \Huge There was never a plan. There was just a series of mistakes.\\}
\begin{flushright}
Robert Caro, journalist.
\end{flushright}
\end{frame}
\begin{frame}
\frametitle{MISP and starting from a practical use-case}
\begin{itemize}
\item During a malware analysis workgroup in 2012, we discovered that we were all analysing the same threat actor
\item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}
\item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP
\item A first version of the MISP platform was used by the MALWG, and {\bf the increasing feedback of users} helped us build an improved platform
\item MISP is now {\bf a community-driven development}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to succeed in your sharing community?}
{\center \it \Huge Don't be abused by the legal framework.\\ Use the legal framework.\\}
\begin{flushright}
MISP Project\footnote{https://www.misp-project.org/compliance/}
\end{flushright}
\end{frame}
\begin{frame}
\frametitle{Rely on our instinct to imitate rather than expecting adherence to rules}
\begin{itemize}
\item {\bf Lead by example} - the power of imitation
\item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
\begin{itemize}
\item What should the information look like?
\item How should it be contextualised?
\item What do you consider as useful information?
\item What tools did you use to get your conclusions?
\end{itemize}
\item A side effect is that you will end up {\bf raising the capabilities of your constituents}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to deal with organisations that only "leech"?}
\begin{itemize}
\item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
\item We have come across some communities with sharing requirements
\item In our experience, this sets you up for failure because:
\begin{itemize}
\item Organisations losing access are the ones who would possibly benefit the most from it
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
\item You lose organisations that might turn into valuable contributors in the future
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize}
\item The MISP Project, in co-operation with partners, provides a {\bf curated list of galaxy information}
\item Can include information packages of different types, for example:
\begin{itemize}
\item Threat actor information
\item Specialised information such as ransomware, exploit kits, etc.
\item Methodology information such as preventative actions
\item Classification systems for methodologies used by adversaries - ATT\&CK or Misinformation Pattern
\end{itemize}
\item Consider improving the default libraries or contributing your own (simple JSON format)
\item If there is something you cannot share publicly, run your own galaxies and {\bf share them out of band} with partners
\item Pull requests are always welcome
\end{itemize}
\end{frame}
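The galaxy JSON referred to on the slide above ("simple JSON format", "run your own galaxies and share them out of band"), as an added example that is not part of the MISP training deck or of MISP's own code: a Python sanity check for a custom galaxy/cluster pair before it is handed to partners. The misp-galaxy file layout (galaxies/<type>.json plus clusters/<type>.json), the set of required keys and every sample value are assumptions constructed for this example.

```python
import json
import uuid

# Constructed sample (not a real MISP galaxy): a private galaxy of an
# organisation's response playbooks, in the assumed misp-galaxy layout.
GALAXY = {"name": "Internal Playbooks", "namespace": "example-org", "icon": "book",
          "type": "internal-playbook", "version": 1, "description": "Constructed sample",
          "uuid": "8d6a5a6f-5d09-4f2e-9c1b-1c3e4f2a1b00"}
CLUSTER = {"name": "Internal Playbooks", "type": "internal-playbook", "version": 1,
           "source": "example-org", "authors": ["example-org CSIRT"], "category": "actions",
           "description": "Constructed sample", "uuid": "f3c2b1a0-9e8d-4c7b-a6f5-e4d3c2b1a0f9",
           "values": [
               {"value": "Ransomware triage", "uuid": "2b6f3d4a-7e8c-4a1d-9f0e-3c2b1a0d9e8f",
                "description": "First-hour response steps",
                "meta": {"refs": ["https://intranet.example/playbooks/ransomware"]}},
               {"value": "Phishing takedown", "uuid": "c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f"},
           ]}
REQUIRED = ("name", "type", "uuid", "version", "description")  # assumed minimum


def _valid_uuid(value):
    try:
        uuid.UUID(str(value))  # accepts v1 and v4; both occur in misp-galaxy files
        return True
    except ValueError:
        return False


def validate_galaxy(galaxy, cluster):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for name, obj in (("galaxy", galaxy), ("cluster", cluster)):
        problems += [f"{name} missing {k}" for k in REQUIRED if k not in obj]
        if not _valid_uuid(obj.get("uuid")):
            problems.append(f"{name} uuid is not a valid UUID")
    if galaxy.get("type") != cluster.get("type"):
        problems.append("galaxy/cluster type mismatch")  # both files are named by type
    seen = set()
    for entry in cluster.get("values", []):
        label, u = entry.get("value"), entry.get("uuid")
        if not label or not _valid_uuid(u):
            problems.append(f"value {label!r} lacks a name or a valid uuid")
        elif u in seen:
            problems.append(f"duplicate uuid {u}")  # MISP identifies clusters by uuid
        seen.add(u)
    return problems


def galaxy_files(galaxy, cluster):
    """Map misp-galaxy style paths to JSON text (sorted keys, like the repo's files)."""
    t = galaxy["type"]
    return {f"galaxies/{t}.json": json.dumps(galaxy, indent=2, sort_keys=True),
            f"clusters/{t}.json": json.dumps(cluster, indent=2, sort_keys=True)}
```

Run validate_galaxy on a pair before distributing it; a non-empty list is a reason not to import it into a partner instance yet.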
\begin{frame}
\frametitle{COVID-19 MISP sharing community example}
\begin{itemize}
\item COVID-19 MISP is a MISP instance retrofitted for COVID-19\footnote{\url{https://www.misp-project.org/covid-19-misp/}} info sharing
\item We are focusing on two areas of sharing:
\begin{itemize}
\item {\bf Medical} information
\item {\bf Cyber threats} related to / abusing COVID-19
\item {\bf Misinformation} related to COVID-19
\end{itemize}
\item Low barrier to entry, aiming for widespread adoption
\item Already a {\bf massive community}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Why?}
\begin{itemize}
\item We are obviously interested on a personal level, as is everyone
\item {\bf Information sharing is what we do anyway}
\item The tools that we are building are expanding our capabilities for the future
\item Bridging different domains affected in different ways can reveal correlations
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Modelling new data structures for COVID-19}
\includegraphics[width=1.00\linewidth]{covidobject.png}
We are rapidly building new models for the different COVID-19 related information sources.
\end{frame}
\begin{frame}
\frametitle{What kind of information sharing communities exist relying on MISP?}
\begin{itemize}
\item {\bf A plethora of "cyber security"-related} communities in CSIRTs, SOC and private exchange groups
\item Specific {\bf financial} sharing communities in the banking sector
\item {\bf Border control information} sharing communities
\item {\bf Vulnerability disclosure} sharing communities
\item {\bf Intelligence community} sharing communities
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Contact us if you want to build your sharing community}
\begin{itemize}
\item \url{https://www.misp-project.org/}
\item \url{https://www.misp-standard.org/}
\item \url{https://github.com/MISP}
\item \url{info@misp-project.org}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\end{frame}