\frametitle{MISP: Started from a practical use-case}
\begin{itemize}
\item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
\item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
\item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
\item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
\item MISP is now {\bf a community-driven development}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{about CIRCL}
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg and is operated by securitymadein.lu g.i.e.
\end{frame}
\begin{frame}
\frametitle{MISP and CIRCL}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector.
\item CIRCL leads the development of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
\item{\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
\end{itemize}
\includegraphics{en_cef.png}
\end{frame}
\begin{frame}
\frametitle{Many objectives from different user-groups}
\begin{itemize}
\item Sharing indicators for a {\bf detection} matter.
\begin{itemize}
\item\textit{Do I have infected systems in my infrastructure or the ones I operate?}
\end{itemize}
\item Sharing indicators to {\bf block}.
\begin{itemize}
\item\textit{I use these attributes to block, sinkhole or divert traffic}
\end{itemize}
\item Sharing indicators to {\bf perform intelligence}.
\begin{itemize}
\item Gathering information about campaigns and attacks. \textit{Are they related? Who is targeting me? Who are the adversaries?}
\end{itemize}
\end{itemize}
\vspace{1em}
\begin{center}
$\rightarrow$ These objectives can be {\bf conflicting}
(e.g. False-positives have different impacts)
\end{center}
\end{frame}
\begin{frame}
\frametitle{Sharing Difficulties}
\begin{itemize}
\item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
\item{\bf Galaxy-clusters} are knowledge base items used to label events/attributes and come from {\bf Galaxies}. Basically a taxonomy with additional meta-information.
\item To {\bf corroborate a finding} (e.g. is this the same campaign?), {\bf reinforce an analysis} (e.g. do other analysts have the same hypothesis?), {\bf confirm a specific aspect} (e.g. are the sinkhole IP addresses used for one campaign?) or just find if this {\bf threat is new or unknown in your community}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Contextualisation and aggregation}
\begin{itemize}
\item MISP integrates at the event and the attribute levels MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK).