2018-12-29 21:32:22 +01:00
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin { frame} [t,plain]
\titlepage
\end { frame}
\section { MISP ZeroMQ}
\begin { frame}
\frametitle { MISP ZeroMQ}
MISP includes a flexible publish-subscribe model to allow real-time integration of the MISP activities:
\begin { itemize}
\item Event publication
\item Attribute creation or removal
\item Sighting
\item User login
\end { itemize}
\begin { center}
$ \rightarrow $ Operates at global level in MISP
\end { center}
\end { frame}
\begin { frame}
\frametitle { MISP ZeroMQ}
MISP ZeroMQ functionality can be used for various model of integration or to extend MISP functionalities:
\begin { itemize}
\item Real-time search of indicators into a SIEM\footnote { Security Information \& Event Management}
\item Dashboard activities
\item Logging mechanisms
\item Continuous indexing
\item Custom software or scripting
\end { itemize}
\end { frame}
\section { MISP-Dashboard: An introduction}
\begin { frame}
\frametitle { MISP-Dashboard - Realtime activities and threat intelligence}
\vspace { -10px}
\begin { center}
\includegraphics [width=1.00\linewidth] { images/dashboard-live.png}
\end { center}
\end { frame}
\begin { frame}
\frametitle { MISP-Dashboard - Features}
\vskip -0.5em
\begin { center}
\centering
\includegraphics [scale=0.08] { images/dashboard-geo.png}
$ \; $
\includegraphics [scale=0.08] { images/dashboard-trendings.png}
\end { center}
\vskip -0.9em
\begin { itemize}
\item Subscribe to multiple \textbf { ZMQ} MISP instances
\item Provides historical geolocalised information
\item Present an experimental \textbf { Gamification of the platform}
\item Shows when and how MISP is used
\item Provides real time information showing current threats and activity
\end { itemize}
\end { frame}
\section { MISP-Dashboard: Architecture and development}
\lstset { style=bash}
\begin { frame} [fragile]
\frametitle { Setting up the dashboard}
\begin { enumerate}
\item Be sure to have a running redis server: e.g.
\begin { itemize}
\item \texttt { redis-server -p 6250}
\end { itemize}
\item Update your configuration in \texttt { config.cfg}
\item Activate your virtualenv:
\begin { itemize}
\item \texttt { . ./DASHENV/bin/activate}
\end { itemize}
\item Listen to the MISP feed by starting the zmq\_ subscriber:
\begin { itemize}
\item \texttt { ./zmq\_ subscriber.py}
\end { itemize}
\item Start the dispatcher to process received messages:
\begin { itemize}
\item \texttt { ./zmq\_ dispatcher.py}
\end { itemize}
\item Start the Flask server:
\begin { itemize}
\item \texttt { ./server.py}
\end { itemize}
\item Access the interface at \url { http://localhost:8001/}
\end { enumerate}
\end { frame}
\begin { frame}
\textbf { \large MISP-Dashboard architecture} \\
\begin { center}
\vskip -1.7em
\includegraphics [scale=0.195] { images/messagepassing.png}
\end { center}
\end { frame}
\lstset { style=code,language=python}
\lstset { basicstyle=\fontsize { 7} { 9} \ttfamily }
\begin { frame} [fragile]
\frametitle { Writing your handler}
\begin { lstlisting}
# Register your handler
dico_ action = {
"misp_ json": handler_ dispatcher,
"misp_ json_ event": handler_ event,
"misp_ json_ self": handler_ keepalive,
"misp_ json_ attribute": handler_ attribute,
"misp_ json_ object": handler_ object,
"misp_ json_ sighting": YOUR_ CUSTOM_ SIGHTINGS_ HANDLER,
"misp_ json_ organisation": handler_ log,
"misp_ json_ user": handler_ user,
"misp_ json_ conversation": handler_ conversation,
"misp_ json_ object_ reference": handler_ log,
}
\end { lstlisting}
\end { frame}
\begin { frame} [fragile]
\begin { lstlisting}
# Implement your handler
# e.g. user handler
def handler_ user(zmq_ name, jsondata):
# json action performed by the user
action = jsondata['action']
# user json data
json_ user = jsondata['User']
# organisation json data
json_ org = jsondata['Organisation']
# organisation name
org = json_ org['name']
# only consider user login
if action == 'login':
timestamp = time.time()
# users_ helper is a class to interact with the DB
users_ helper.add_ user_ login(timestamp, org)
\end { lstlisting}
\end { frame}
2019-11-14 09:44:34 +01:00
\begin { frame}
\frametitle { Recent changes in the misp-dashboard}
\begin { itemize}
\item MISP authentication can now be used in the misp-dashboard
\item Improved TLS/SSL support in the default misp-dashboard
\item Self-test tool to debug and test ZMQ connectivity
\end { itemize}
\end { frame}
2018-12-29 21:32:22 +01:00
\begin { frame}
\frametitle { Future development}
\begin { itemize}
\item [] \includegraphics [width=20px] { images/icons/joystick.png} \; Optimizing contribution scoring and model to encourage sharing and contributions enrichment
\item [] \includegraphics [width=20px] { images/icons/globe.png} \; Increasing geolocation coverage
\item [] \includegraphics [width=20px] { images/icons/zoom.png} \; Global filtering capabilities
\begin { itemize}
\item [] \quad - Geolocation: Showing wanted attribute or only on specific region
\item [] \quad - Trendings: Showing only specified taxonomies
\end { itemize}
\item [] \includegraphics [width=20px] { images/icons/MISP.png} \; Tighter integration with MISP
\begin { itemize}
\item [] \quad - Present in MISP by default
2019-11-14 09:44:34 +01:00
\item [] \quad - ACL enabled version
2018-12-29 21:32:22 +01:00
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Conclusion}
MISP-Dashboard can provides realtime information to support security teams, CSIRTs or SOC showing current threats and activity by providing:
\begin { itemize}
\item Historical geolocalised information
\item Geospatial information from specific regions
\item The most active events, categories, tags, attributes, ...
\end { itemize}
\vskip 0.5em
It also propose a prototype of gamification of the platform providing incentive to share and contribute to the community
\end { frame}
