mirror of https://github.com/MISP/misp-training
chg: [event:AusCERT24] Slides rearrangements

- Switched the section on MISP features to the end
- Satisfied my pickiness in regards to indentation

pull/25/head
parent 6851dd5fb2
commit 0ecc273202
|
@ -14,9 +14,9 @@
|
|||
\item How to get going?
|
||||
\item Managing information sharing communities
|
||||
\item []
|
||||
\item Features for analysts
|
||||
\item The importance of contextualisation
|
||||
\item False-positive handling
|
||||
\item Features for analysts
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
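Review bot: the empty `\item []` sitting between `\item Managing information sharing communities` and the next entry is an empty list entry used as a vertical spacer; `\vspace` (or an `\itemsep` setting on the `itemize`) states that intent directly and does not leave a label-less item in the list. With `\item Features for analysts` moved to the end of the agenda to follow the new section order, note that the agenda still lists neither "The tough choice of separating a community" nor "Conclusion", both of which are `\section` headings in this file; worth confirming that the omission is deliberate.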
@ -200,52 +200,52 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
|
||||
\begin{itemize}
|
||||
\item \textbf{Lead by example} - the power of immitation
|
||||
\item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
|
||||
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
|
||||
\begin{itemize}
|
||||
\item What should the information look like?
|
||||
\item How should it be contextualised?
|
||||
\item What do you consider as useful information?
|
||||
\item What tools did you use to get your conclusions?
|
||||
\item How the information could be used by the ISAC members?
|
||||
\end{itemize}
|
||||
\item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
|
||||
\item \textbf{Lead by example} - the power of immitation
|
||||
\item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
|
||||
\begin{itemize}
|
||||
\item What should the information look like?
|
||||
\item How should it be contextualised?
|
||||
\item What do you consider as useful information?
|
||||
\item What tools did you use to get your conclusions?
|
||||
\item How the information could be used by the ISAC members?
|
||||
\end{itemize}
|
||||
\item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{Managing your sharing \\ community}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{What counts as valuable data?}
|
||||
\begin{itemize}
|
||||
\item Sharing comes in many shapes and sizes
|
||||
\frametitle{What counts as valuable data?}
|
||||
\begin{itemize}
|
||||
\item Sharing results / reports is the classical example
|
||||
\item Sighting of indicators
|
||||
\item Sharing enhancements to existing data
|
||||
\item Validating data / flagging false positives
|
||||
\item Asking for support from the community
|
||||
\item Sharing comes in many shapes and sizes
|
||||
\begin{itemize}
|
||||
\item Sharing results / reports is the classical example
|
||||
\item Sighting of indicators
|
||||
\item Sharing enhancements to existing data
|
||||
\item Validating data / flagging false positives
|
||||
\item Asking for support from the community
|
||||
\end{itemize}
|
||||
\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
|
||||
\end{itemize}
|
||||
\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{How to deal with organisations that only "leech"?}
|
||||
\begin{itemize}
|
||||
\item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
|
||||
\item We have come across some communities with sharing requirements
|
||||
\item In our experience, this sets you up for failure because:
|
||||
\frametitle{How to deal with organisations that only "leech"?}
|
||||
\begin{itemize}
|
||||
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
|
||||
\item Organisations losing access are the ones who would possibily benefit the most from it
|
||||
\item You lose organisations that might turn into valuable contributors in the future
|
||||
\item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
|
||||
\item We have come across some communities with sharing requirements
|
||||
\item In our experience, this sets you up for failure because:
|
||||
\begin{itemize}
|
||||
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
|
||||
\item Organisations losing access are the ones who would possibily benefit the most from it
|
||||
\item You lose organisations that might turn into valuable contributors in the future
|
||||
\end{itemize}
|
||||
\item []
|
||||
\item Constituents have access to and can \textbf{use the data}
|
||||
\end{itemize}
|
||||
\item []
|
||||
\item Constituents have access to and can \textbf{use the data}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
|
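Review bot: since every line in this hunk is being re-indented anyway, this is the moment to fix the spelling errors that survive the change: "immitate"/"immitation" in `\frametitle{Rely on our instincts to immitate over expecting adherence to rules}` and `\item \textbf{Lead by example} - the power of immitation` (imitate, imitation), and "possibily" in `\item Organisations losing access are the ones who would possibily benefit the most from it` (possibly). `\item How the information could be used by the ISAC members?` is a question and reads better as "How could the information be used by the ISAC members?". The same `\item []` spacer as on the agenda slide appears before `\item Constituents have access to and can \textbf{use the data}`; a `\vspace` would be cleaner there too.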
@ -282,17 +282,17 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{A quick note on compliance...}
|
||||
\begin{itemize}
|
||||
\item MISP project collaborated with legal advisory services
|
||||
\frametitle{A quick note on compliance...}
|
||||
\begin{itemize}
|
||||
\item Information sharing and cooperation \textbf{enabled by GDPR}
|
||||
\item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications
|
||||
\item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities
|
||||
\item Guidelines to setting up an information sharing community such as an ISAC or ISAO
|
||||
\item MISP project collaborated with legal advisory services
|
||||
\begin{itemize}
|
||||
\item Information sharing and cooperation \textbf{enabled by GDPR}
|
||||
\item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications
|
||||
\item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities
|
||||
\item Guidelines to setting up an information sharing community such as an ISAC or ISAO
|
||||
\end{itemize}
|
||||
\item For more information: https://www.misp-project.org/compliance/
|
||||
\end{itemize}
|
||||
\item For more information: https://www.misp-project.org/compliance/
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{The tough choice of separating a community}
|
||||
|
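Review bot: the bare address in `\item For more information: https://www.misp-project.org/compliance/` is typeset as ordinary text, so it is neither clickable in the PDF nor allowed to break across lines; `\url{https://www.misp-project.org/compliance/}` fixes both (hyperref, which provides `\url`, is loaded by beamer by default). Minor grammar: `\item Guidelines to setting up an information sharing community such as an ISAC or ISAO` should read "Guidelines for setting up".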
@ -319,90 +319,56 @@
|
|||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{Interesting visual features \\ for analysts}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - correlation}
|
||||
\begin{itemize}
|
||||
\item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
|
||||
\item Getting a direct benefit from shared information by other ISAC members
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/correlation.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - event graph}
|
||||
\begin{itemize}
|
||||
\item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
|
||||
\item ISACs users can directly understand the information shared
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/event-graph.png}
|
||||
\end{frame}
|
||||
|
||||
\section{The importance of \\ contextualisation}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Contextualising the information}
|
||||
\begin{itemize}
|
||||
\item Sharing \textbf{technical information} is a \textbf{great start}
|
||||
\item However, to truly create valueable information for your community, always consider the context:
|
||||
\frametitle{Contextualising the information}
|
||||
\begin{itemize}
|
||||
\item Your IDS might not care why it should alert on a rule
|
||||
\item But your analysts will be interested in the threat landscape and the "big picture"
|
||||
\item Sharing \textbf{technical information} is a \textbf{great start}
|
||||
\item However, to truly create valueable information for your community, always consider the context:
|
||||
\begin{itemize}
|
||||
\item Your IDS might not care why it should alert on a rule
|
||||
\item But your analysts will be interested in the threat landscape and the "big picture"
|
||||
\end{itemize}
|
||||
\item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
|
||||
\item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
|
||||
\end{itemize}
|
||||
\item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
|
||||
\item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Choice of vocabularies}
|
||||
\begin{itemize}
|
||||
\item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
|
||||
\item However, this includes different vocabularies with obvious overlaps
|
||||
\item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
|
||||
\item Good idea to start with this process early
|
||||
\item If you don't find what you're looking for:
|
||||
\frametitle{Choice of vocabularies}
|
||||
\begin{itemize}
|
||||
\item Create your own (JSON format, no coding skills required)
|
||||
\item If it makes sense, share it with us via a pull request for redistribution
|
||||
\item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
|
||||
\item However, this includes different vocabularies with obvious overlaps
|
||||
\item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
|
||||
\item Good idea to start with this process early
|
||||
\item If you don't find what you're looking for:
|
||||
\begin{itemize}
|
||||
\item Create your own (JSON format, no coding skills required)
|
||||
\item If it makes sense, share it with us via a pull request for redistribution
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Shared libraries of meta-information (Galaxies)}
|
||||
\begin{itemize}
|
||||
\item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
|
||||
\item Can include information packages of different types, for example:
|
||||
\frametitle{Shared libraries of meta-information (Galaxies)}
|
||||
\begin{itemize}
|
||||
\item Threat actor information
|
||||
\item Specialised information such as Ransomware, Exploit kits, etc
|
||||
\item Methodology information such as preventative actions
|
||||
\item Classification systems for methodologies used by adversaries - ATT\&CK
|
||||
\item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
|
||||
\item Can include information packages of different types, for example:
|
||||
\begin{itemize}
|
||||
\item Threat actor information
|
||||
\item Specialised information such as Ransomware, Exploit kits, etc
|
||||
\item Methodology information such as preventative actions
|
||||
\item Classification systems for methodologies used by adversaries - ATT\&CK
|
||||
\end{itemize}
|
||||
\item Consider improving the default libraries or contributing your own (simple JSON format)
|
||||
\item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
|
||||
\item Pull requests are always welcome
|
||||
\end{itemize}
|
||||
\item Consider improving the default libraries or contributing your own (simple JSON format)
|
||||
\item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
|
||||
\item Pull requests are always welcome
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{False-positive handling}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{False-positives handling}
|
||||
\begin{itemize}
|
||||
\item You might often fall into the trap of discarding seemingly "junk" data
|
||||
\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
|
||||
\begin{itemize}
|
||||
\item Be lenient when considering what to keep
|
||||
\item Be strict when you are feeding tools
|
||||
\end{itemize}
|
||||
\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
|
||||
\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Many objectives from different user-groups}
|
||||
\begin{itemize}
|
||||
|
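Review bot: three typos are carried over unchanged by the re-indent and should be corrected in the same pass: "valueable" in `\item However, to truly create valueable information for your community, always consider the context:` (valuable), "verify" in `\item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data` (very), and "out of bound" in `\item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners` (out of band, the established term for sharing outside the platform). `\item Specialised information such as Ransomware, Exploit kits, etc` also wants a full stop after "etc". The section is introduced as `\section{False-positive handling}` but its first frame is `\frametitle{False-positives handling}`; the two forms should agree.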
@ -423,13 +389,47 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{False-positive handling}
|
||||
\begin{itemize}
|
||||
\item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
|
||||
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
|
||||
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
|
||||
\end{itemize}
|
||||
\centering\includegraphics[scale=0.8]{../images/false-positive.png}
|
||||
\frametitle{False-positives handling}
|
||||
\begin{itemize}
|
||||
\item You might often fall into the trap of discarding seemingly "junk" data
|
||||
\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
|
||||
\begin{itemize}
|
||||
\item Be lenient when considering what to keep
|
||||
\item Be strict when you are feeding tools
|
||||
\end{itemize}
|
||||
\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
|
||||
\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{False-positive handling}
|
||||
\begin{itemize}
|
||||
\item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
|
||||
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
|
||||
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
|
||||
\end{itemize}
|
||||
\centering\includegraphics[scale=0.8]{../images/false-positive.png}
|
||||
\end{frame}
|
||||
|
||||
\section{Interesting visual features \\ for analysts}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - correlation}
|
||||
\begin{itemize}
|
||||
\item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes
|
||||
\item Getting a direct benefit from shared information by other ISAC members
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/correlation.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP feature - event graph}
|
||||
\begin{itemize}
|
||||
\item \textbf{Analysts can create stories} based on graph relationships between objects, attributes
|
||||
\item ISACs users can directly understand the information shared
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.20]{../images/event-graph.png}
|
||||
\end{frame}
|
||||
|
||||
\section{Conclusion}
|
||||
|
|
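Review bot: the two false-positive frames moved into this hunk carry almost identical titles, `\frametitle{False-positives handling}` followed by `\frametitle{False-positive handling}`, so a reader cannot tell the slides apart in the navigation bar or a printed handout; give the second one a distinguishing title (for instance a "(continued)" suffix or a descriptive subtitle) and use one spelling of "false-positive" for both. The moved `\section{Interesting visual features \\ for analysts}` block (correlation and event-graph frames) is otherwise identical to the removed copy earlier in the diff, so the relocation itself looks clean.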