chg: [event:AusCERT24] Slides rearrangements

- Switched the section on MISP features to the end
- Satisfied my pickiness with regard to indentation
Christian Studer 2024-05-08 10:34:36 +02:00
parent 6851dd5fb2
commit 0ecc273202
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 114 additions and 114 deletions


@ -14,9 +14,9 @@
\item How to get going?
\item Managing information sharing communities
\item []
\item Features for analysts
\item The importance of contextualisation
\item False-positive handling
\item Features for analysts
\end{itemize}
\end{frame}
@ -200,52 +200,52 @@
\end{frame}
\begin{frame}
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
\begin{itemize}
\item \textbf{Lead by example} - the power of immitation
\item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
\begin{itemize}
\item What should the information look like?
\item How should it be contextualised?
\item What do you consider as useful information?
\item What tools did you use to get your conclusions?
\item How the information could be used by the ISAC members?
\end{itemize}
\item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
\item \textbf{Lead by example} - the power of immitation
\item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
\begin{itemize}
\item What should the information look like?
\item How should it be contextualised?
\item What do you consider as useful information?
\item What tools did you use to get your conclusions?
\item How the information could be used by the ISAC members?
\end{itemize}
\item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
\end{itemize}
\end{frame}
\section{Managing your sharing \\ community}
\begin{frame}
\frametitle{What counts as valuable data?}
\begin{itemize}
\item Sharing comes in many shapes and sizes
\frametitle{What counts as valuable data?}
\begin{itemize}
\item Sharing results / reports is the classical example
\item Sighting of indicators
\item Sharing enhancements to existing data
\item Validating data / flagging false positives
\item Asking for support from the community
\item Sharing comes in many shapes and sizes
\begin{itemize}
\item Sharing results / reports is the classical example
\item Sighting of indicators
\item Sharing enhancements to existing data
\item Validating data / flagging false positives
\item Asking for support from the community
\end{itemize}
\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
\end{itemize}
\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to deal with organisations that only "leech"?}
\begin{itemize}
\item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
\item We have come across some communities with sharing requirements
\item In our experience, this sets you up for failure because:
\frametitle{How to deal with organisations that only "leech"?}
\begin{itemize}
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
\item Organisations losing access are the ones who would possibily benefit the most from it
\item You lose organisations that might turn into valuable contributors in the future
\item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
\item We have come across some communities with sharing requirements
\item In our experience, this sets you up for failure because:
\begin{itemize}
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
\item Organisations losing access are the ones who would possibily benefit the most from it
\item You lose organisations that might turn into valuable contributors in the future
\end{itemize}
\item []
\item Constituents have access to and can \textbf{use the data}
\end{itemize}
\item []
\item Constituents have access to and can \textbf{use the data}
\end{itemize}
\end{frame}
\begin{frame}
@ -282,17 +282,17 @@
\end{frame}
\begin{frame}
\frametitle{A quick note on compliance...}
\begin{itemize}
\item MISP project collaborated with legal advisory services
\frametitle{A quick note on compliance...}
\begin{itemize}
\item Information sharing and cooperation \textbf{enabled by GDPR}
\item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications
\item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities
\item Guidelines to setting up an information sharing community such as an ISAC or ISAO
\item MISP project collaborated with legal advisory services
\begin{itemize}
\item Information sharing and cooperation \textbf{enabled by GDPR}
\item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications
\item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities
\item Guidelines to setting up an information sharing community such as an ISAC or ISAO
\end{itemize}
\item For more information: https://www.misp-project.org/compliance/
\end{itemize}
\item For more information: https://www.misp-project.org/compliance/
\end{itemize}
\end{frame}
\section{The tough choice of separating a community}
@ -319,90 +319,56 @@
\end{itemize}
\end{frame}
\section{Interesting visual features \\ for analysts}
\begin{frame}
\frametitle{MISP feature - correlation}
\begin{itemize}
\item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
\item Getting a direct benefit from shared information by other ISAC members
\end{itemize}
\includegraphics[scale=0.20]{../images/correlation.png}
\end{frame}
\begin{frame}
\frametitle{MISP feature - event graph}
\begin{itemize}
\item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
\item ISACs users can directly understand the information shared
\end{itemize}
\includegraphics[scale=0.20]{../images/event-graph.png}
\end{frame}
\section{The importance of \\ contextualisation}
\begin{frame}
\frametitle{Contextualising the information}
\begin{itemize}
\item Sharing \textbf{technical information} is a \textbf{great start}
\item However, to truly create valueable information for your community, always consider the context:
\frametitle{Contextualising the information}
\begin{itemize}
\item Your IDS might not care why it should alert on a rule
\item But your analysts will be interested in the threat landscape and the "big picture"
\item Sharing \textbf{technical information} is a \textbf{great start}
\item However, to truly create valueable information for your community, always consider the context:
\begin{itemize}
\item Your IDS might not care why it should alert on a rule
\item But your analysts will be interested in the threat landscape and the "big picture"
\end{itemize}
\item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
\item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
\end{itemize}
\item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
\item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Choice of vocabularies}
\begin{itemize}
\item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
\item However, this includes different vocabularies with obvious overlaps
\item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
\item Good idea to start with this process early
\item If you don't find what you're looking for:
\frametitle{Choice of vocabularies}
\begin{itemize}
\item Create your own (JSON format, no coding skills required)
\item If it makes sense, share it with us via a pull request for redistribution
\item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
\item However, this includes different vocabularies with obvious overlaps
\item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
\item Good idea to start with this process early
\item If you don't find what you're looking for:
\begin{itemize}
\item Create your own (JSON format, no coding skills required)
\item If it makes sense, share it with us via a pull request for redistribution
\end{itemize}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize}
\item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
\item Can include information packages of different types, for example:
\frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize}
\item Threat actor information
\item Specialised information such as Ransomware, Exploit kits, etc
\item Methodology information such as preventative actions
\item Classification systems for methodologies used by adversaries - ATT\&CK
\item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
\item Can include information packages of different types, for example:
\begin{itemize}
\item Threat actor information
\item Specialised information such as Ransomware, Exploit kits, etc
\item Methodology information such as preventative actions
\item Classification systems for methodologies used by adversaries - ATT\&CK
\end{itemize}
\item Consider improving the default libraries or contributing your own (simple JSON format)
\item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
\item Pull requests are always welcome
\end{itemize}
\item Consider improving the default libraries or contributing your own (simple JSON format)
\item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
\item Pull requests are always welcome
\end{itemize}
\end{frame}
\section{False-positive handling}
\begin{frame}
\frametitle{False-positives handling}
\begin{itemize}
\item You might often fall into the trap of discarding seemingly "junk" data
\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
\begin{itemize}
\item Be lenient when considering what to keep
\item Be strict when you are feeding tools
\end{itemize}
\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Many objectives from different user-groups}
\begin{itemize}
@ -423,13 +389,47 @@
\end{frame}
\begin{frame}
\frametitle{False-positive handling}
\begin{itemize}
\item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
\end{itemize}
\centering\includegraphics[scale=0.8]{../images/false-positive.png}
\frametitle{False-positives handling}
\begin{itemize}
\item You might often fall into the trap of discarding seemingly "junk" data
\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
\begin{itemize}
\item Be lenient when considering what to keep
\item Be strict when you are feeding tools
\end{itemize}
\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{False-positive handling}
\begin{itemize}
\item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
\end{itemize}
\centering\includegraphics[scale=0.8]{../images/false-positive.png}
\end{frame}
\section{Interesting visual features \\ for analysts}
\begin{frame}
\frametitle{MISP feature - correlation}
\begin{itemize}
\item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
\item Getting a direct benefit from shared information by other ISAC members
\end{itemize}
\includegraphics[scale=0.20]{../images/correlation.png}
\end{frame}
\begin{frame}
\frametitle{MISP feature - event graph}
\begin{itemize}
\item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
\item ISACs users can directly understand the information shared
\end{itemize}
\includegraphics[scale=0.20]{../images/event-graph.png}
\end{frame}
\section{Conclusion}
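Review bot: In the galaxies frame, `share it out of bound` should read `share it out of band`, the usual term for passing data through a separate channel, and since the commit only moves and re-indents that line the mistake now travels into the new position unchanged. The same rearranged text keeps several spellings that could be fixed while these lines are being touched: `immitate` in the title and first item of the "Rely on our instincts" frame, `possibily` in the "leech" frame, `valueable` in the contextualisation frame, and `verify \textbf{versatile system}` (presumably `very`) in the vocabularies frame. The compliance frame's bare address would be better as `\url{https://www.misp-project.org/compliance/}` so it stays clickable and line-breaks sensibly, assuming hyperref or url is loaded in a preamble outside this diff. Straight double quotes around `leech`, `junk` and `big picture` typeset as two closing quotes; ``...'' or `\enquote{...}` is the conventional form.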