misp-training/x.4-sharing-going-wild/content.tex

211 lines
9.9 KiB
TeX
Raw Normal View History

% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP features}
\begin{itemize}
\item MISP\footnote{\url{https://github.com/MISP/MISP}} is a threat information sharing free \& open source software.
\item MISP has {\bf a host of functionalities} that assist users in creating, collaborating \& sharing threat information - e.g. flexible sharing groups, {\bf automatic correlation}, free-text import helper, event distribution \& proposals.
\item Many export formats which support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ).
\item A rich set of MISP modules\footnote{\url{https://www.github.com/MISP/misp-modules}} to add expansion, import and export functionalities.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP and starting from a practical use-case}
\begin{itemize}
\item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
\item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
\item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
\item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
\item MISP is now {\bf a community-driven development}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Communities using MISP}
\begin{itemize}
\item Communities are groups of users sharing within a set of common objectives/values.
\item CIRCL operates multiple MISP instances with a significant user base (more than 950 organizations with more than 2400 users).
\item {\bf Trusted groups} running MISP communities in island mode (air gapped system) or partially connected mode.
\item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
\item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
\item {\bf Security vendors} running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Many objectives from different user-groups}
\begin{itemize}
\item Sharing indicators for a {\bf detection} matter.
\begin{itemize}
\item 'Do I have infected systems in my infrastructure or the ones I operate?'
\end{itemize}
\item Sharing indicators to {\bf block}.
\begin{itemize}
\item 'I use these attributes to block, sinkhole or divert traffic.'
\end{itemize}
\item Sharing indicators to {\bf perform intelligence}.
\begin{itemize}
\item 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
\end{itemize}
\item $\rightarrow$ These objectives can be conflicting (e.g. False-positives have different impacts)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Project Overview}
\includegraphics[scale=0.35]{misp-overview-simplified.pdf}
\end{frame}
\begin{frame}
\frametitle{Getting some naming conventions out of the way...}
\begin{itemize}
\item Data layer
\begin{itemize}
\item {\bf Events} are encapsulations for contextually linked information
\item {\bf Attributes} are individual data points, which can be indicators or supporting data.
\item {\bf Objects} are custom templated Attribute compositions
\item {\bf Object references} are the relationships between other building blocks
\end{itemize}
\item Context layer
\begin{itemize}
\item {\bf Tags} are labels attached to events/attributes and can come from {\bf Taxonomies}
\item {\bf Galaxy-clusters} are knowledge base items used to label events/attributes and come from {\bf Galaxies}.
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{A rich data-model: telling stories via relationships}
\includegraphics[scale=0.24]{screenshots/bankaccount.png}
\includegraphics[scale=0.18]{screenshots/bankview.png}
\end{frame}
\begin{frame}
\frametitle{Contextualisation and aggregation}
\begin{itemize}
\item MISP integrates at the event and the attribute levels MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK).
\end{itemize}
\includegraphics[scale=0.2]{screenshots/attack-screenshot.png}
\end{frame}
\begin{frame}
\frametitle{Sharing in MISP}
\begin{itemize}
\item Sharing via distribution lists - {\bf Sharing groups}
\item {\bf Delegation} for pseudo-anonymised information sharing
\item {\bf Proposals} and {\bf Extended events} for collaborated information sharing
\item Synchronisation, Feed system, air-gapped sharing
\item User defined {\bf filtered sharing} for all the above mentioned methods
\item Cross-instance information {\bf caching} for quick lookups of large data-sets
\item Support for multi-MISP internal enclaves
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP core distributed sharing functionality}
\begin{itemize}
\item MISPs' core functionality is sharing where everyone can be a consumer and/or a contributor/producer."
\item Quick benefit without the obligation to contribute.
\item Low barrier access to get acquainted to the system.
\end{itemize}
\includegraphics[scale=0.9]{misp-distributed.pdf}
\end{frame}
\begin{frame}
\frametitle{Information quality management}
\begin{itemize}
\item Correlating data
\item Feedback loop from detections via {\bf Sightings}
\item {\bf False positive management} via the warninglist system
\item {\bf Enrichment system} via MISP-modules
\item {\bf Integrations} with a plethora of tools and formats
\item Flexible {\bf API} and support {\bf libraries} such as PyMISP to ease integration
\item {\bf Timelines} and giving information a temporal context
\item Full chain for {\bf indicator life-cycle management}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Correlation features: a tool for analysts}
\includegraphics[scale=0.18]{screenshots/campaign.png}
\begin{itemize}
\item To {\bf corroborate a finding} (e.g. is this the same campaign?), {\bf reinforce an analysis} (e.g. do other analysts have the same hypothesis?), {\bf confirm a specific aspect} (e.g. are the sinkhole IP addresses used for one campaign?) or just find if this {\bf threat is new or unknown in your community}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Sightings support}
\begin{columns}[t]
\column{5.0cm}
\begin{figure}
\includegraphics[scale=0.3]{screenshots/sighting-n.png}\\
\includegraphics[scale=0.34]{screenshots/Sightings2.PNG}
\end{figure}
\column{7cm}
\begin{itemize}
\item Has a data-point been {\bf sighted} by me or the community before?
\item Additionally, the sighting system supports negative sigthings (FP) and expiration sightings.
\item Sightings can be performed via the API or the UI.
\item Many use-cases for {\bf scoring indicators} based on users sighting.
\item For large quantities of data, {\bf SightingDB} by Devo
\end{itemize}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Timelines and giving information a temporal context}
\begin{itemize}
\item Recently introduced {\bf \texttt{first\_seen}} and {\bf \texttt{last\_seen}} data points
\item All data-points can be placed in time
\item Enables the {\bf visualisation} and {\bf adjustment} of indicators timeframes
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Life-cycle management via decaying of indicators}
\includegraphics[width=1.00\linewidth]{decaying-event.png}
\begin{itemize}
\item \texttt{Decay score} toggle button
\begin{itemize}
\item Shows Score for each \textit{Models} associated to the \textit{Attribute} type
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Decaying of indicators: Fine tuning tool}
\includegraphics[width=1.00\linewidth]{decaying-tool.png}
Create, modify, visualise, perform mapping
\end{frame}
\begin{frame}
\frametitle{Decaying of indicators: simulation tool}
\includegraphics[width=1.00\linewidth]{decaying-simulation.png}
Simulate \textit{Attributes} with different \textit{Models}
\end{frame}
\begin{frame}
\frametitle{Conclusion}
\begin{itemize}
\item {\bf Information sharing practices come from usage} and by example (e.g. learning by imitation from the shared information).
\item MISP is just a tool. What matters is your sharing practices. The tool should be as transparent as possible to support you.
\item Enable users to customize MISP to meet their community's use-cases.
\item MISP project combines open source software, open standards, best practices and communities to make information sharing a reality.
\end{itemize}
\end{frame}