diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
index 64ce486..a65c2cd 100644
--- a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
+++ b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
@@ -14,9 +14,9 @@
 \item How to get going?
 \item Managing information sharing communities
 \item []
- \item Features for analysts
 \item The importance of contextualisation
 \item False-positive handling
+ \item Features for analysts
 \end{itemize}
 \end{frame}
@@ -200,52 +200,52 @@
 \end{frame}
 
 \begin{frame}
-\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
-\begin{itemize}
- \item \textbf{Lead by example} - the power of immitation
- \item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
+ \frametitle{Rely on our instincts to immitate over expecting adherence to rules}
 \begin{itemize}
- \item What should the information look like?
- \item How should it be contextualised?
- \item What do you consider as useful information?
- \item What tools did you use to get your conclusions?
- \item How the information could be used by the ISAC members?
- \end{itemize}
- \item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
+ \item \textbf{Lead by example} - the power of immitation
+ \item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
+ \begin{itemize}
+ \item What should the information look like?
+ \item How should it be contextualised?
+ \item What do you consider as useful information?
+ \item What tools did you use to get your conclusions?
+ \item How the information could be used by the ISAC members?
+ \end{itemize}
+ \item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
 \end{itemize}
 \end{frame}
 
 \section{Managing your sharing \\ community}
 
 \begin{frame}
-\frametitle{What counts as valuable data?}
-\begin{itemize}
- \item Sharing comes in many shapes and sizes
+ \frametitle{What counts as valuable data?}
 \begin{itemize}
- \item Sharing results / reports is the classical example
- \item Sighting of indicators
- \item Sharing enhancements to existing data
- \item Validating data / flagging false positives
- \item Asking for support from the community
+ \item Sharing comes in many shapes and sizes
+ \begin{itemize}
+ \item Sharing results / reports is the classical example
+ \item Sighting of indicators
+ \item Sharing enhancements to existing data
+ \item Validating data / flagging false positives
+ \item Asking for support from the community
+ \end{itemize}
+ \item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
 \end{itemize}
-\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{How to deal with organisations that only "leech"?}
-\begin{itemize}
- \item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
- \item We have come across some communities with sharing requirements
- \item In our experience, this sets you up for failure because:
+ \frametitle{How to deal with organisations that only "leech"?}
 \begin{itemize}
- \item Organisations that want to stay above the thresholds will start sharing junk / fake data
- \item Organisations losing access are the ones who would possibily benefit the most from it
- \item You lose organisations that might turn into valuable contributors in the future
+ \item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
+ \item We have come across some communities with sharing requirements
+ \item In our experience, this sets you up for failure because:
+ \begin{itemize}
+ \item Organisations that want to stay above the thresholds will start sharing junk / fake data
+ \item Organisations losing access are the ones who would possibily benefit the most from it
+ \item You lose organisations that might turn into valuable contributors in the future
+ \end{itemize}
+ \item []
+ \item Constituents have access to and can \textbf{use the data}
 \end{itemize}
- \item []
- \item Constituents have access to and can \textbf{use the data}
-\end{itemize}
 \end{frame}
 
 \begin{frame}
@@ -282,17 +282,17 @@
 \end{frame}
 
 \begin{frame}
-\frametitle{A quick note on compliance...}
-\begin{itemize}
- \item MISP project collaborated with legal advisory services
+ \frametitle{A quick note on compliance...}
 \begin{itemize}
- \item Information sharing and cooperation \textbf{enabled by GDPR}
- \item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications
- \item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities
- \item Guidelines to setting up an information sharing community such as an ISAC or ISAO
+ \item MISP project collaborated with legal advisory services
+ \begin{itemize}
+ \item Information sharing and cooperation \textbf{enabled by GDPR}
+ \item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications
+ \item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities
+ \item Guidelines to setting up an information sharing community such as an ISAC or ISAO
+ \end{itemize}
+ \item For more information: https://www.misp-project.org/compliance/
 \end{itemize}
- \item For more information: https://www.misp-project.org/compliance/
-\end{itemize}
 \end{frame}
 
 \section{The tough choice of separating a community}
@@ -319,90 +319,56 @@
 \end{itemize}
 \end{frame}
 
-\section{Interesting visual features \\ for analysts}
-
-\begin{frame}
- \frametitle{MISP feature - correlation}
- \begin{itemize}
- \item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
- \item Getting a direct benefit from shared information by other ISAC members
- \end{itemize}
- \includegraphics[scale=0.20]{../images/correlation.png}
-\end{frame}
-
-\begin{frame}
- \frametitle{MISP feature - event graph}
- \begin{itemize}
- \item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
- \item ISACs users can directly understand the information shared
- \end{itemize}
- \includegraphics[scale=0.20]{../images/event-graph.png}
-\end{frame}
-
 \section{The importance of \\ contextualisation}
 
 \begin{frame}
-\frametitle{Contextualising the information}
-\begin{itemize}
- \item Sharing \textbf{technical information} is a \textbf{great start}
- \item However, to truly create valueable information for your community, always consider the context:
+ \frametitle{Contextualising the information}
 \begin{itemize}
- \item Your IDS might not care why it should alert on a rule
- \item But your analysts will be interested in the threat landscape and the "big picture"
+ \item Sharing \textbf{technical information} is a \textbf{great start}
+ \item However, to truly create valueable information for your community, always consider the context:
+ \begin{itemize}
+ \item Your IDS might not care why it should alert on a rule
+ \item But your analysts will be interested in the threat landscape and the "big picture"
+ \end{itemize}
+ \item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
+ \item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
 \end{itemize}
- \item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
- \item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Choice of vocabularies}
-\begin{itemize}
- \item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
- \item However, this includes different vocabularies with obvious overlaps
- \item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
- \item Good idea to start with this process early
- \item If you don't find what you're looking for:
+ \frametitle{Choice of vocabularies}
 \begin{itemize}
- \item Create your own (JSON format, no coding skills required)
- \item If it makes sense, share it with us via a pull request for redistribution
+ \item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
+ \item However, this includes different vocabularies with obvious overlaps
+ \item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
+ \item Good idea to start with this process early
+ \item If you don't find what you're looking for:
+ \begin{itemize}
+ \item Create your own (JSON format, no coding skills required)
+ \item If it makes sense, share it with us via a pull request for redistribution
+ \end{itemize}
 \end{itemize}
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Shared libraries of meta-information (Galaxies)}
-\begin{itemize}
- \item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
- \item Can include information packages of different types, for example:
+ \frametitle{Shared libraries of meta-information (Galaxies)}
 \begin{itemize}
- \item Threat actor information
- \item Specialised information such as Ransomware, Exploit kits, etc
- \item Methodology information such as preventative actions
- \item Classification systems for methodologies used by adversaries - ATT\&CK
+ \item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
+ \item Can include information packages of different types, for example:
+ \begin{itemize}
+ \item Threat actor information
+ \item Specialised information such as Ransomware, Exploit kits, etc
+ \item Methodology information such as preventative actions
+ \item Classification systems for methodologies used by adversaries - ATT\&CK
+ \end{itemize}
+ \item Consider improving the default libraries or contributing your own (simple JSON format)
+ \item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
+ \item Pull requests are always welcome
 \end{itemize}
- \item Consider improving the default libraries or contributing your own (simple JSON format)
- \item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
- \item Pull requests are always welcome
-\end{itemize}
 \end{frame}
 
 \section{False-positive handling}
 
-\begin{frame}
-\frametitle{False-positives handling}
-\begin{itemize}
- \item You might often fall into the trap of discarding seemingly "junk" data
- \item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
- \begin{itemize}
- \item Be lenient when considering what to keep
- \item Be strict when you are feeding tools
- \end{itemize}
-\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
-\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
-\end{itemize}
-\end{frame}
-
 \begin{frame}
 \frametitle{Many objectives from different user-groups}
 \begin{itemize}
@@ -423,13 +389,47 @@
 \end{frame}
 
 \begin{frame}
-\frametitle{False-positive handling}
-\begin{itemize}
- \item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
- \item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
- \item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
-\end{itemize}
-\centering\includegraphics[scale=0.8]{../images/false-positive.png}
+ \frametitle{False-positives handling}
+ \begin{itemize}
+ \item You might often fall into the trap of discarding seemingly "junk" data
+ \item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
+ \begin{itemize}
+ \item Be lenient when considering what to keep
+ \item Be strict when you are feeding tools
+ \end{itemize}
+ \item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
+ \item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{False-positive handling}
+ \begin{itemize}
+ \item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
+ \item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
+ \item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
+ \end{itemize}
+ \centering\includegraphics[scale=0.8]{../images/false-positive.png}
+\end{frame}
+
+\section{Interesting visual features \\ for analysts}
+
+\begin{frame}
+ \frametitle{MISP feature - correlation}
+ \begin{itemize}
+ \item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
+ \item Getting a direct benefit from shared information by other ISAC members
+ \end{itemize}
+ \includegraphics[scale=0.20]{../images/correlation.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP feature - event graph}
+ \begin{itemize}
+ \item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
+ \item ISACs users can directly understand the information shared
+ \end{itemize}
+ \includegraphics[scale=0.20]{../images/event-graph.png}
 \end{frame}
 
 \section{Conclusion}