mirror of https://github.com/MISP/misp-training
chg: [event:AusCERT24] Slides rearrangements
- Switched the section on MISP features to the end
- Satisfied my pickiness in regards to indentation
pull/25/head
parent 6851dd5fb2
commit 0ecc273202
|
@ -14,9 +14,9 @@
|
|||
\item How to get going?
|
||||
\item Managing information sharing communities
|
||||
\item []
|
||||
\item Features for analysts
|
||||
\item The importance of contextualisation
|
||||
\item False-positive handling
|
||||
\item Features for analysts
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
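Review bot: the agenda now ends with "Features for analysts" after "False-positive handling", which matches the section move described in the commit message, but the empty `\item []` kept between "Managing information sharing communities" and the next entry is a vertical-space hack that depends on the theme rendering an empty label as nothing; since these lines are being re-indented anyway, replace it with `\medskip` (or `\vspace{\baselineskip}`) between the items so the spacing does not depend on itemize internals.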
@ -200,8 +200,8 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
|
||||
\begin{itemize}
|
||||
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
|
||||
\begin{itemize}
|
||||
\item \textbf{Lead by example} - the power of immitation
|
||||
\item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
|
||||
\begin{itemize}
|
||||
|
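Review bot: the frametitle and the first item carry the typos "immitate" and "immitation" (should be "imitate" / "imitation", as in `\frametitle{Rely on our instincts to imitate over expecting adherence to rules}` and `\textbf{Lead by example} - the power of imitation`); these lines are already being rewritten for indentation, so fix the spelling in the same commit rather than leaving it for a follow-up.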
@ -218,8 +218,8 @@
|
|||
\section{Managing your sharing \\ community}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{What counts as valuable data?}
|
||||
\begin{itemize}
|
||||
\frametitle{What counts as valuable data?}
|
||||
\begin{itemize}
|
||||
\item Sharing comes in many shapes and sizes
|
||||
\begin{itemize}
|
||||
\item Sharing results / reports is the classical example
|
||||
|
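Review bot: `\section{Managing your sharing \\ community}` forces the line break into every place beamer reuses the section title (table of contents, headline/sidebar navigation); give it the short-title form `\section[Managing your sharing community]{Managing your sharing \\ community}` so only the section slide keeps the break. The same applies to the other `\\`-containing `\section` titles touched later in this diff.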
@ -228,13 +228,13 @@
|
|||
\item Validating data / flagging false positives
|
||||
\item Asking for support from the community
|
||||
\end{itemize}
|
||||
\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
|
||||
\end{itemize}
|
||||
\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{How to deal with organisations that only "leech"?}
|
||||
\begin{itemize}
|
||||
\frametitle{How to deal with organisations that only "leech"?}
|
||||
\begin{itemize}
|
||||
\item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
|
||||
\item We have come across some communities with sharing requirements
|
||||
\item In our experience, this sets you up for failure because:
|
||||
|
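Review bot: `\frametitle{How to deal with organisations that only "leech"?}` uses straight double quotes, which LaTeX typesets as two closing quotes; write ``leech'' (or `\enquote{leech}` if csquotes is loaded). In the same hunk, "you never know when they come handy" should read "come in handy".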
@ -245,7 +245,7 @@
|
|||
\end{itemize}
|
||||
\item []
|
||||
\item Constituents have access to and can \textbf{use the data}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
|
@ -282,8 +282,8 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{A quick note on compliance...}
|
||||
\begin{itemize}
|
||||
\frametitle{A quick note on compliance...}
|
||||
\begin{itemize}
|
||||
\item MISP project collaborated with legal advisory services
|
||||
\begin{itemize}
|
||||
\item Information sharing and cooperation \textbf{enabled by GDPR}
|
||||
|
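Review bot: the trailing `...` in `\frametitle{A quick note on compliance...}` typesets as three tightly spaced periods; use `\ldots` for a proper ellipsis (the same fix applies to the "you never know when they come handy..." item earlier in the diff).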
@ -292,7 +292,7 @@
|
|||
\item Guidelines to setting up an information sharing community such as an ISAC or ISAO
|
||||
\end{itemize}
|
||||
\item For more information: https://www.misp-project.org/compliance/
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{The tough choice of separating a community}
|
||||
|
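Review bot: `\item For more information: https://www.misp-project.org/compliance/` is a bare URL, so it is neither clickable nor breakable at the slash; since beamer loads hyperref, wrap it as `\url{https://www.misp-project.org/compliance/}`.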
@ -319,31 +319,11 @@
|
|||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{Interesting visual features \\ for analysts}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - correlation}
|
||||
\begin{itemize}
|
||||
\item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
|
||||
\item Getting a direct benefit from shared information by other ISAC members
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/correlation.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - event graph}
|
||||
\begin{itemize}
|
||||
\item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
|
||||
\item ISACs users can directly understand the information shared
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/event-graph.png}
|
||||
\end{frame}
|
||||
|
||||
\section{The importance of \\ contextualisation}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Contextualising the information}
|
||||
\begin{itemize}
|
||||
\frametitle{Contextualising the information}
|
||||
\begin{itemize}
|
||||
\item Sharing \textbf{technical information} is a \textbf{great start}
|
||||
\item However, to truly create valueable information for your community, always consider the context:
|
||||
\begin{itemize}
|
||||
|
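Review bot: "to truly create valueable information" on the contextualisation slide should be "valuable"; the line is rewritten for indentation here, so correct it in the same pass. The block removed from this position (the "Interesting visual features for analysts" section with the correlation and event-graph frames) is re-added verbatim in the last hunk, so nothing is lost by the move, but the "ISACs users" wording travels with it.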
@ -352,12 +332,12 @@
|
|||
\end{itemize}
|
||||
\item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
|
||||
\item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Choice of vocabularies}
|
||||
\begin{itemize}
|
||||
\frametitle{Choice of vocabularies}
|
||||
\begin{itemize}
|
||||
\item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
|
||||
\item However, this includes different vocabularies with obvious overlaps
|
||||
\item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
|
||||
|
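Review bot: "MISP has a verify \textbf{versatile system} (taxonomies)" should read "a very \textbf{versatile system}"; fix the typo while the line is being touched.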
@ -367,12 +347,12 @@
|
|||
\item Create your own (JSON format, no coding skills required)
|
||||
\item If it makes sense, share it with us via a pull request for redistribution
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Shared libraries of meta-information (Galaxies)}
|
||||
\begin{itemize}
|
||||
\frametitle{Shared libraries of meta-information (Galaxies)}
|
||||
\begin{itemize}
|
||||
\item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
|
||||
\item Can include information packages of different types, for example:
|
||||
\begin{itemize}
|
||||
|
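Review bot: "The MISPProject in co-operation with partners" is missing the space and is inconsistent with "MISP project" on the compliance slide two hunks earlier; use one spelling ("MISP Project") on both.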
@ -384,25 +364,11 @@
|
|||
\item Consider improving the default libraries or contributing your own (simple JSON format)
|
||||
\item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
|
||||
\item Pull requests are always welcome
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{False-positive handling}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{False-positives handling}
|
||||
\begin{itemize}
|
||||
\item You might often fall into the trap of discarding seemingly "junk" data
|
||||
\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
|
||||
\begin{itemize}
|
||||
\item Be lenient when considering what to keep
|
||||
\item Be strict when you are feeding tools
|
||||
\end{itemize}
|
||||
\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
|
||||
\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Many objectives from different user-groups}
|
||||
\begin{itemize}
|
||||
|
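Review bot: "\textbf{share it out of bound} with partners" should be "out of band". Note also that `\section{False-positive handling}` is removed from this position together with the first false-positive frame, and the "Many objectives from different user-groups" frame now follows the Galaxies frame directly; check the next hunk for where the section heading is re-added.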
@ -423,13 +389,47 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{False-positive handling}
|
||||
\begin{itemize}
|
||||
\frametitle{False-positives handling}
|
||||
\begin{itemize}
|
||||
\item You might often fall into the trap of discarding seemingly "junk" data
|
||||
\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
|
||||
\begin{itemize}
|
||||
\item Be lenient when considering what to keep
|
||||
\item Be strict when you are feeding tools
|
||||
\end{itemize}
|
||||
\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
|
||||
\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{False-positive handling}
|
||||
\begin{itemize}
|
||||
\item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
|
||||
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
|
||||
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
|
||||
\end{itemize}
|
||||
\centering\includegraphics[scale=0.8]{../images/false-positive.png}
|
||||
\end{itemize}
|
||||
\centering\includegraphics[scale=0.8]{../images/false-positive.png}
|
||||
\end{frame}
|
||||
|
||||
\section{Interesting visual features \\ for analysts}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - correlation}
|
||||
\begin{itemize}
|
||||
\item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
|
||||
\item Getting a direct benefit from shared information by other ISAC members
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/correlation.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - event graph}
|
||||
\begin{itemize}
|
||||
\item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
|
||||
\item ISACs users can directly understand the information shared
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/event-graph.png}
|
||||
\end{frame}
|
||||
|
||||
\section{Conclusion}
|
||||
|
|
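Review bot: as far as this hunk shows, the `\section{False-positive handling}` line dropped in the previous hunk is never re-added, so both false-positive frames (the "junk data" one moved here and the "modus operandi" one that was already here) now sit under "The importance of contextualisation" while the agenda slide in the first hunk still lists "False-positive handling" as its own entry; re-insert `\section{False-positive handling}` before `\frametitle{False-positives handling}`. Two further points on the lines being rewritten: the two consecutive frames are titled "False-positives handling" and "False-positive handling", so pick one spelling (the agenda uses "False-positive handling"), and the re-added event-graph frame still says "ISACs users", which should be "ISAC users".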