From 12f01960e49202a4248a8c5ce54f80c287c29296 Mon Sep 17 00:00:00 2001 From: Ben Date: Mon, 27 Dec 2021 12:45:03 +0800 Subject: [PATCH] Added subtitle file for MISP General Usage Training - Part 1 of 2 (incomplete) --- ...P General Usage Training - Part 1 of 2.srt | 20701 ++++++++++++++++ 1 file changed, 20701 insertions(+) create mode 100644 x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt diff --git a/x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt b/x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt new file mode 100644 index 0000000..f6efa11 --- /dev/null +++ b/x.15-subtitles/MISP General Usage Training - Part 1 of 2.srt 
@@ -0,0 +1,20701 @@ +1 +00:00:00,880 --> 00:00:04,719 +and I'll pass over the mic all right + +2 +00:00:02,638 --> 00:00:07,278 +thank you + +3 +00:00:04,719 --> 00:00:09,599 +yeah great, good morning good afternoon + +4 +00:00:07,278 --> 00:00:12,719 +and even good evening for some of you + +5 +00:00:09,599 --> 00:00:14,879 +um so um i'm really glad and uh + +6 +00:00:12,718 --> 00:00:16,480 +we are glad to present about MISP today + +7 +00:00:14,880 --> 00:00:18,719 +and so it's a + +8 +00:00:16,480 --> 00:00:20,240 +double series of workshops so we start + +9 +00:00:18,719 --> 00:00:20,799 +with a workshop of the introduction and + +10 +00:00:20,239 --> 00:00:22,799 +we go + +11 +00:00:20,800 --> 00:00:23,839 +more deeper tomorrow in that second + +12 +00:00:22,800 --> 00:00:26,160 +workshop + +13 +00:00:23,839 --> 00:00:27,359 +um i'm alexander noah i do work for + +14 +00:00:26,160 --> 00:00:30,640 +CIRCL and + +15 +00:00:27,359 --> 00:00:34,800 +i work in the MISP {inaudible} + +16 +00:00:30,640 --> 00:00:37,520 +so today uh the agenda is the following + +17 +00:00:34,799 --> 00:00:38,78 +uh we will do a quick introduction to + +18 +00:00:37,520 --> 00:00:41,920 +MISP + +19 +00:00:38,79 --> 00:00:43,679 +a kind of of one-hour sessions with + +20 +00:00:41,920 --> 00:00:46,239 +all the detail about MISP and then a + +21 +00:00:43,679 --> 00:00:49,359 +more like kind of usage deep dive + +22 +00:00:46,238 --> 00:00:52,558 +of one hour where we do hands-on together + +23 +00:00:49,359 --> 00:00:55,519 +um for the logistic aspect um + +24 +00:00:52,558 --> 00:00:55,839 +in the chat room we will share with you + +25 +00:00:55,520 --> 00:00:57,520 +uh + +26 +00:00:55,840 --> 00:00:59,520 +all the details how to access the MISP + +27 +00:00:57,520 --> 00:01:00,399 +instance so during the sessions in the + +28 +00:00:59,520 --> 00:01:02,239 +workshop + +29 +00:01:00,399 --> 00:01:03,840 +you can connect to a dedicated MISP + +30 +00:01:02,238 --> 00:01:05,840 +system 
that we set up for you + +31 +00:01:03,840 --> 00:01:07,680 +and this one will be used for all the + +32 +00:01:05,840 --> 00:01:10,79 +hands-on that we will + +33 +00:01:07,680 --> 00:01:12,240 +we do as i just mentioned we have a + +34 +00:01:10,79 --> 00:01:14,158 +small short break of 15 minutes + +35 +00:01:12,239 --> 00:01:15,679 +and then we will continue in the end + +36 +00:01:14,159 --> 00:01:18,960 +{inaudible} + +37 +00:01:15,680 --> 00:01:20,880 +depending of how far we are today uh + +38 +00:01:18,959 --> 00:01:22,959 +we will maybe talk about the community + +39 +00:01:20,879 --> 00:01:24,719 +building aspect but this is a topic for + +40 +00:01:22,959 --> 00:01:26,239 +tomorrow obviously + +41 +00:01:24,719 --> 00:01:28,640 +but if we have some time remaining we + +42 +00:01:26,239 --> 00:01:29,280 +might uh talk about this and then we + +43 +00:01:28,640 --> 00:01:31,920 +have a + +44 +00:01:29,280 --> 00:01:33,280 +q&a sessions uh to discuss about the + +45 +00:01:31,920 --> 00:01:35,359 +different {inaudible} and so on + +46 +00:01:33,280 --> 00:01:37,439 +so don't hesitate to to put your + +47 +00:01:35,359 --> 00:01:39,438 +question to zoom + +48 +00:01:37,438 --> 00:01:42,319 +uh directly and we will try to answer live + +50 +00:01:40,799 --> 00:01:45,600 +all those questions that you are asking + +51 +00:01:42,319 --> 00:01:45,599 +during uh during this session + +52 +00:01:46,319 --> 00:01:50,239 +so first of all welcome all as well from + +53 +00:01:48,478 --> 00:01:53,519 +me so i'm Andras Iklody i'm + +54 +00:01:50,239 --> 00:01:56,798 +also working at CIRCL working on MISP + +55 +00:01:53,519 --> 00:01:57,280 +um to just kick things off um i think + +56 +00:01:56,799 --> 00:01:58,719 +it's a good + +57 +00:01:57,280 --> 00:02:00,79 +good moment to start a little bit about + +58 +00:01:58,718 --> 00:02:02,78 +the history of how this whole thing + +59 +00:02:00,78 --> 00:02:04,879 +started how MISP came about + +60 +00:02:02,78 --> 
00:02:06,839 +so just a quick introduction of where we + +61 +00:02:04,879 --> 00:02:09,519 +came from and where where we are + +62 +00:02:06,840 --> 00:02:10,399 +nowadays uh initially this whole thing + +63 +00:02:09,520 --> 00:02:13,520 +for us with MISP + +64 +00:02:10,399 --> 00:02:14,959 +started as part of a of a series of + +65 +00:02:13,520 --> 00:02:17,360 +incidents that we had in + +66 +00:02:14,959 --> 00:02:19,759 +back in 2012 between national and + +67 +00:02:17,360 --> 00:02:22,480 +military CSIRTS at the time + +68 +00:02:19,759 --> 00:02:24,799 +where we were basically investigating umattacks + +70 +00:02:23,520 --> 00:02:27,120 +that were hitting several of the + +71 +00:02:24,800 --> 00:02:28,319 +institutions at the at the time + +72 +00:02:27,120 --> 00:02:30,400 +and one of the interesting things that + +73 +00:02:28,318 --> 00:02:31,759 +we found was that even though we had + +74 +00:02:30,400 --> 00:02:33,519 +something called the malware analysis + +75 +00:02:31,759 --> 00:02:35,120 +working group which was this which is a + +76 +00:02:33,519 --> 00:02:37,360 +group that was regularly meeting and + +77 +00:02:35,120 --> 00:02:39,680 +discussing ongoing incidents + +78 +00:02:37,360 --> 00:02:40,720 +we still had a massive gap in between + +79 +00:02:39,680 --> 00:02:42,80 +those meetings + +80 +00:02:40,719 --> 00:02:44,318 +where everyone was working in their own + +81 +00:02:42,80 --> 00:02:45,920 +silo on basically the same attack and + +82 +00:02:44,318 --> 00:02:47,759 +and doing reverse engineering of the + +83 +00:02:45,919 --> 00:02:50,0 +165.92 --> 170 +same attacks without + +84 +00:02:47,759 --> 00:02:53,439 +having the ways, the means or the processes + +86 +00:02:51,120 --> 00:02:55,39 +to directly share with our peers so we + +87 +00:02:53,439 --> 00:02:55,919 +ended up with a lot of duplication of + +88 +00:02:55,39 --> 00:02:57,759 +work which ended + +89 +00:02:55,919 --> 00:02:59,199 +which was obviously frustrating from 
uh + +90 +00:02:57,759 --> 00:03:01,439 +for many of us + +91 +00:02:59,199 --> 00:03:03,598 +so Christophe Vandeplas at the time he + +92 +00:03:01,439 --> 00:03:06,318 +was working at the belgian + +93 +00:03:03,598 --> 00:03:08,399 +ministry of defense um in his free time + +94 +00:03:06,318 --> 00:03:10,318 +wrote a platform called {inaudible} + +95 +00:03:08,400 --> 00:03:11,519 +that later on ended up becoming MISP so + +96 +00:03:10,318 --> 00:03:13,280 +the initial idea was + +97 +00:03:11,519 --> 00:03:14,800 +really for reverse engineers to share + +98 +00:03:13,280 --> 00:03:15,439 +the output of their work directly with + +99 +00:03:14,800 --> 00:03:18,719 +their peers + +100 +00:03:15,439 --> 00:03:22,158 +in a hosted platform and since then + +101 +00:03:18,719 --> 00:03:24,158 +obviously MISP has evolved and changed + +102 +00:03:22,158 --> 00:03:25,840 +the scope of what we were nowadays doing + +103 +00:03:24,158 --> 00:03:26,798 +with MISP and what sort of information + +104 +00:03:25,840 --> 00:03:28,640 +we're sharing + +105 +00:03:26,799 --> 00:03:30,159 +but it all started with this and since + +106 +00:03:28,639 --> 00:03:30,878 +then it has been an ongoing effort + +107 +00:03:30,158 --> 00:03:33,199 +basically by + +108 +00:03:30,878 --> 00:03:35,199 +a large community of different + +109 +00:03:33,199 --> 00:03:37,359 +requirements and different needs + +110 +00:03:35,199 --> 00:03:39,359 +and that has been building both the + +111 +00:03:37,360 --> 00:03:42,159 +ideas that go into MISP as well as the + +112 +00:03:39,360 --> 00:03:42,159 +software itself + +113 +00:03:43,919 --> 00:03:47,839 +next slide please + +114 +00:03:48,479 --> 00:03:51,919 +yeah so what is the background and why + +115 +00:03:51,199 --> 00:03:53,839 +we are doing + +116 +00:03:51,919 --> 00:03:56,79 +MISP it uh i think like Andras + +117 +00:03:53,840 --> 00:03:56,640 +mentioned it started from a with a kind + +118 +00:03:56,80 --> 00:03:59,40 +of + +119 
+00:03:56,639 --> 00:04:00,479 +{inaudible} project for a small set of + +120 +00:03:59,39 --> 00:04:03,598 +CIRCL + +121 +00:04:00,479 --> 00:04:04,959 +CIRCL is nowadays + +122 +00:04:03,598 --> 00:04:07,359 +the CERT for the private sector, the + +123 +00:04:04,959 --> 00:04:08,959 +community {inaudible} in luxembourg + +124 +00:04:07,360 --> 00:04:11,200 +and we basically deal with the + +125 +00:04:08,959 --> 00:04:12,158 +development of MISP not only for our use + +126 +00:04:11,199 --> 00:04:15,359 +case but for many + +127 +00:04:12,158 --> 00:04:18,319 +different users so we are called as + +128 +00:04:15,360 --> 00:04:19,439 +a CERT we basically operate the + +129 +00:04:18,319 --> 00:04:22,478 +development and we operate + +130 +00:04:19,439 --> 00:04:22,478 +{inaudible} communities + +131 +00:04:23,600 --> 00:04:26,960 +so a little bit about our involvement + +132 +00:04:26,639 --> 00:04:28,478 +and + +133 +00:04:26,959 --> 00:04:30,79 +why we're doing this in the first place + +134 +00:04:28,478 --> 00:04:32,560 +so we as CIRCL we're funded by the + +135 +00:04:30,79 --> 00:04:35,680 +Ministry of Economy to basically build + +136 +00:04:32,560 --> 00:04:37,600 +security for the private sector uh and a + +137 +00:04:35,680 --> 00:04:39,199 +lot of what we do involves uh open + +138 +00:04:37,600 --> 00:04:39,840 +source software development so we're + +139 +00:04:39,199 --> 00:04:42,160 +basically + +140 +00:04:39,839 --> 00:04:44,79 +the funding that we get for the uh for + +141 +00:04:42,160 --> 00:04:45,199 +activities also cover our development + +142 +00:04:44,79 --> 00:04:47,918 +focus + +143 +00:04:45,199 --> 00:04:49,360 +we're also uh besides just building the + +144 +00:04:47,918 --> 00:04:50,159 +tools like {inaudible} mentioned we're + +145 +00:04:49,360 --> 00:04:52,479 +also + +146 +00:04:50,160 --> 00:04:53,919 +basically involved in a lot of sharing + +147 +00:04:52,478 --> 00:04:55,839 +activities as well as our day-to-day + +148 
+00:04:53,918 --> 00:04:58,399 +operations we're users of the + +149 +00:04:55,839 --> 00:05:00,478 +tool primarily as well we basically host + +150 +00:04:58,399 --> 00:05:02,719 +a bunch of different communities for the + +151 +00:05:00,478 --> 00:05:05,439 +uh national C-Certs for the + +152 +00:05:02,720 --> 00:05:07,919 +luxembourgish private sector community + +153 +00:05:05,439 --> 00:05:09,680 +for law enforcement uh organizations + +154 +00:05:07,918 --> 00:05:10,959 +financial institutions and so on and so + +155 +00:05:09,680 --> 00:05:14,319 +forth + +156 +00:05:10,959 --> 00:05:16,239 +so so we're kind of uh + +157 +00:05:14,319 --> 00:05:18,240 +in the game on both sides so to say that + +158 +00:05:16,240 --> 00:05:21,120 +both as a + +159 +00:05:18,240 --> 00:05:22,0 +318.24 --> 322 +producer and as a consumer, also and the + +160 +00:05:21,120 --> 00:05:24,79 +project was + +161 +00:05:22,0 --> 00:05:25,759 +322 --> 325.759 +co-financed by the European Union + +162 +00:05:24,79 --> 00:05:29,120 +under the CEF project + +163 +00:05:25,759 --> 00:05:30,400 +uh so this is also one of the sources of + +164 +00:05:29,120 --> 00:05:33,120 +the income that we got basically to + +165 +00:05:30,399 --> 00:05:34,560 +build the tool and as a FIRST member you + +166 +00:05:33,120 --> 00:05:36,79 +have access to a MISP instance that is + +167 +00:05:34,560 --> 00:05:38,478 +operated and + +168 +00:05:36,79 --> 00:05:40,0 +336.08 --> 340 +co-maintained by FIRST and CIRCL that + +169 +00:05:38,478 --> 00:05:41,680 +you can get access to + +170 +00:05:40,0 --> 00:05:43,519 +340 --> 343.52 +so you just need to to use your + +171 +00:05:41,680 --> 00:05:45,680 +traditional credential or + +172 +00:05:43,519 --> 00:05:47,359 +access at first and you get access to + +173 +00:05:45,680 --> 00:05:49,600 +this instance with information + +174 +00:05:47,360 --> 00:05:51,439 +that you can use and so on we will talk + +175 +00:05:49,600 --> 00:05:54,160 +about that later on 
+ +176 +00:05:51,439 --> 00:05:55,600 +so the main question and i think it's + +177 +00:05:54,160 --> 00:05:58,80 +coming from this story uh + +178 +00:05:55,600 --> 00:05:59,600 +as Andras mentioned from the early days + +179 +00:05:58,79 --> 00:06:01,758 +MISP was + +180 +00:05:59,600 --> 00:06:03,840 +focusing from a very specific aspect + +181 +00:06:01,759 --> 00:06:07,120 +which was malware reversing and so on + +182 +00:06:03,839 --> 00:06:08,799 +nowadays it's a threat intelligence sharing platforms we + +183 +00:06:07,120 --> 00:06:11,38 +are basically sharing any kind of + +184 +00:06:08,800 --> 00:06:13,38 +intelligence through uh through MISP + +185 +00:06:11,38 --> 00:06:14,478 +um because we had an evolution of the + +186 +00:06:13,38 --> 00:06:16,399 +time for the different things so + +187 +00:06:14,478 --> 00:06:18,879 +and our main goals and that's very + +188 +00:06:16,399 --> 00:06:21,439 +important for us it's an open source + +189 +00:06:18,879 --> 00:06:23,120 +software so that means MISP will always + +190 +00:06:21,439 --> 00:06:23,519 +remain an open source project we even + +191 +00:06:23,120 --> 00:06:26,0 +383.12 --> 386 +take + +192 +00:06:23,519 --> 00:06:26,879 +some decisions within the project to + +193 +00:06:26,0 --> 00:06:29,120 +386 --> 389.12 +keep it as + +194 +00:06:26,879 --> 00:06:30,639 +open source and that's that's really a + +195 +00:06:29,120 --> 00:06:32,720 +key for us so it's really uh + +196 +00:06:30,639 --> 00:06:34,800 +something that you can download yourself + +197 +00:06:32,720 --> 00:06:37,39 +run on your infrastructure and so on + +198 +00:06:34,800 --> 00:06:38,240 +you can really have the full control on + +199 +00:06:37,38 --> 00:06:40,639 +the software stack + +200 +00:06:38,240 --> 00:06:42,0 +398.24 --> 402 +when you are using MISP and one of the + +201 +00:06:40,639 --> 00:06:43,38 +goals of the software itself is to + +202 +00:06:42,0 --> 00:06:46,240 +402 --> 406.24 +collect information + +203 
+00:06:43,38 --> 00:06:48,159 +from other partners, from in the {inaudible} + +204 +00:06:46,240 --> 00:06:49,280 +from automatic tools from different + +205 +00:06:48,160 --> 00:06:50,800 +fields and so on + +206 +00:06:49,279 --> 00:06:53,198 +that was really one of the initial goal + +207 +00:06:50,800 --> 00:06:55,680 +of MISP is like being able to collect + +208 +00:06:53,199 --> 00:06:57,360 +to get all this information into + +209 +00:06:55,680 --> 00:06:59,38 +one place + +210 +00:06:57,360 --> 00:07:00,560 +and then afterwards what you can do with + +211 +00:06:59,38 --> 00:07:02,719 +it is to normalize + +212 +00:07:00,560 --> 00:07:03,839 +correlate this information, extend the + +213 +00:07:02,720 --> 00:07:06,560 +information and enrich + +214 +00:07:03,839 --> 00:07:08,879 +information with more information and then + +216 +00:07:07,199 --> 00:07:10,800 +really benefit from the sharing aspect + +217 +00:07:08,879 --> 00:07:13,120 +of MISP and you can allow + +218 +00:07:10,800 --> 00:07:13,840 +teams and community to collaborate + +219 +00:07:13,120 --> 00:07:16,478 +and we have + +220 +00:07:13,839 --> 00:07:18,318 +seen MISP for example use not only + +221 +00:07:16,478 --> 00:07:20,159 +within different organizations but even + +222 +00:07:18,319 --> 00:07:21,759 +within a single organization you can, for + +223 +00:07:20,160 --> 00:07:24,240 +example run multiple MISP + +224 +00:07:21,759 --> 00:07:25,120 +to collaborate directly on different + +225 +00:07:24,240 --> 00:07:28,79 +investigations + +226 +00:07:25,120 --> 00:07:29,519 +incidents and cases and obviously when + +227 +00:07:28,79 --> 00:07:31,279 +you have all this information and all + +228 +00:07:29,519 --> 00:07:33,758 +these analytic platform into MISP + +229 +00:07:31,279 --> 00:07:34,638 +you are ready to use this information to + +230 +00:07:33,759 --> 00:07:36,960 +for example + +231 +00:07:34,639 --> 00:07:39,840 +feed your automatic protective tools + +232 +00:07:36,959 --> 
00:07:42,0 +456.96 --> 462 +like intrusion detection systems, + +233 +00:07:39,839 --> 00:07:43,279 +firewalls whatever and to feed + +234 +00:07:42,0 --> 00:07:45,598 +462 --> 465.599 +automatically those + +235 +00:07:43,279 --> 00:07:46,799 +information to basically make protective + +236 +00:07:45,598 --> 00:07:50,319 +measures + +237 +00:07:46,800 --> 00:07:50,319 +in your environment + +238 +00:07:51,199 --> 00:07:55,840 +so, start from the starting point that we + +239 +00:07:54,478 --> 00:07:57,680 +already mentioned basically how we + +240 +00:07:55,839 --> 00:08:00,638 +started out with MISP + +241 +00:07:57,680 --> 00:08:02,800 +let's have a quick look at how uh the + +242 +00:08:00,639 --> 00:08:04,400 +user base of MISP evolved in terms of + +243 +00:08:02,800 --> 00:08:06,0 +482.8 --> 486 +the different types of stakeholders + +244 +00:08:04,399 --> 00:08:08,560 +within our own organizations and other organizations + +246 +00:08:07,120 --> 00:08:10,319 +the reason for that is obviously that + +247 +00:08:08,560 --> 00:08:12,560 +this drives the development process as well + +249 +00:08:10,800 --> 00:08:14,400 +so the way MISP grows over time really + +250 +00:08:12,560 --> 00:08:14,800 +depends on the type of users that are using + +252 +00:08:16,478 --> 00:08:18,319 +the type of users that are requesting new + +253 +00:08:16,478 --> 00:08:20,159 +features or that are providing pull + +254 +00:08:18,319 --> 00:08:22,639 +requests on the project and providing code + +256 +00:08:20,720 --> 00:08:23,759 +for the project so i said before + +257 +00:08:22,639 --> 00:08:26,160 +initially + +258 +00:08:23,759 --> 00:08:27,759 +the scope of MISP was very limited it + +259 +00:08:26,160 --> 00:08:29,360 +was basically just the output of malware + +260 +00:08:27,759 --> 00:08:31,199 +reversers which meant + +261 +00:08:29,360 --> 00:08:32,479 +raw indicators that we were extracting + +262 +00:08:31,199 --> 00:08:34,560 +during the process and that we're + +263 
+00:08:32,479 --> 00:08:36,639 +sharing directly + +264 +00:08:34,559 --> 00:08:38,79 +with our partners, this meant very little + +265 +00:08:36,639 --> 00:08:39,519 +analysis was done on each of these + +266 +00:08:38,80 --> 00:08:41,599 +individual indicators there was very + +267 +00:08:39,519 --> 00:08:43,440 +little information in terms of + +268 +00:08:41,599 --> 00:08:45,200 +of why those data points are relevant in + +269 +00:08:43,440 --> 00:08:47,360 +the long term how they are meant to be used + +271 +00:08:45,759 --> 00:08:49,519 +from detection perspective they were + +272 +00:08:47,360 --> 00:08:52,480 +really just the raw output + +273 +00:08:49,519 --> 00:08:54,0 +529.519 --> 534 +from the analysis process or the + +274 +00:08:52,480 --> 00:08:56,80 +reversing process + +275 +00:08:54,0 --> 00:08:57,519 +534 --> 537.519 +now one of the side effects of this when + +276 +00:08:56,80 --> 00:08:59,440 +you start building a collection within + +277 +00:08:57,519 --> 00:09:01,360 +your organization of this information + +278 +00:08:59,440 --> 00:09:02,880 +the security analysts are feeding your + +279 +00:09:01,360 --> 00:09:04,320 +various protective tools become + +280 +00:09:02,879 --> 00:09:05,838 +interested in that data set + +281 +00:09:04,320 --> 00:09:08,0 +544.32 --> 548 +because obviously whatever is targeting + +282 +00:09:05,839 --> 00:09:10,160 +your organization or your direct peers + +283 +00:09:08,0 --> 00:09:11,360 +548 --> 551.36 +are probably the most relevant piece of + +284 +00:09:10,159 --> 00:09:13,39 +information that you can use for + +285 +00:09:11,360 --> 00:09:16,159 +detection + +286 +00:09:13,39 --> 00:09:19,39 +so one of the first steps that we opened + +288 +00:09:16,958 --> 00:09:20,479 +up to was basically involving our own + +289 +00:09:19,39 --> 00:09:23,278 +security analyst with our + +290 +00:09:20,480 --> 00:09:24,320 +own organizations so they can hook + +291 +00:09:23,278 --> 00:09:27,360 +the output of + +292 
+00:09:24,320 --> 00:09:30,80 +of the reverse engineering team + +293 +00:09:27,360 --> 00:09:31,360 +up to their SIEMs to their IDSs to + +294 +00:09:30,80 --> 00:09:33,360 +their firewalls + +295 +00:09:31,360 --> 00:09:35,440 +and to feed this data directly into + +296 +00:09:33,360 --> 00:09:36,720 +their protective measures + +297 +00:09:35,440 --> 00:09:38,720 +now one of the interesting things when + +298 +00:09:36,720 --> 00:09:40,800 +you start doing that though is that you + +299 +00:09:38,720 --> 00:09:42,560 +generate a new type of output which is + +300 +00:09:40,799 --> 00:09:44,559 +timeliness for the data, freshness for + +301 +00:09:42,559 --> 00:09:45,838 +the data as well as feedback on how + +302 +00:09:44,559 --> 00:09:47,838 +useful the data was + +303 +00:09:45,839 --> 00:09:50,240 +so we're very often when you're + +304 +00:09:47,839 --> 00:09:53,40 +extracting information + +305 +00:09:50,240 --> 00:09:55,360 +by sandboxing for example a lot of the + +306 +00:09:53,39 --> 00:09:57,679 +data generated will be noise in the end + +307 +00:09:55,360 --> 00:09:59,759 +and this noise will generate false + +308 +00:09:57,679 --> 00:10:02,159 +positive alerts for example + +309 +00:09:59,759 --> 00:10:04,319 +in your detection tools. 
Now feeding this + +310 +00:10:02,159 --> 00:10:06,559 +information back + +311 +00:10:04,320 --> 00:10:10,559 +to data gave it a whole new type of value + +313 +00:10:07,519 --> 00:10:12,159 +we had freshness so if an older + +314 +00:10:10,559 --> 00:10:14,159 +indicator was reused + +315 +00:10:12,159 --> 00:10:15,439 +over time we saw that that is still + +316 +00:10:14,159 --> 00:10:18,160 +something that is actively to be monitored + +318 +00:10:16,559 --> 00:10:19,838 +and if we saw that something turned out + +319 +00:10:18,159 --> 00:10:21,199 +to be a cleaned up host + +320 +00:10:19,839 --> 00:10:23,440 +in the meanwhile or something was a + +321 +00:10:21,200 --> 00:10:25,200 +false positive from the get-go + +322 +00:10:23,440 --> 00:10:28,399 +we could feed that information back as well + +324 +00:10:27,399 --> 00:10:31,759 +so suddenly once you have timeliness as + +325 +00:10:28,399 --> 00:10:33,759 +well as the the raw data itself + +326 +00:10:31,759 --> 00:10:35,278 +you get the intelligence analyst + +327 +00:10:33,759 --> 00:10:36,399 +interested that are tracking the + +328 +00:10:35,278 --> 00:10:42,0 +movements and the changes of how attackers operate + +330 +00:10:39,519 --> 00:10:42,639 +uh over time so that means that usually + +332 +00:10:45,360 --> 00:10:47,199 +back then especially in 2012 in most of our + +333 +00:10:45,360 --> 00:10:48,560 +organizations the people that are doing + +334 +00:10:47,200 --> 00:10:50,560 +intelligence and the people that were + +335 +00:10:48,559 --> 00:10:52,239 +doing operations and security for the + +336 +00:10:50,559 --> 00:10:55,680 +operations were usually working in their own silos + +338 +00:10:53,440 --> 00:10:57,40 +so while there was obviously interaction + +339 +00:10:55,679 --> 00:10:58,958 +between the teams, it was not as + +340 +00:10:57,39 --> 00:11:01,919 +ingrained to work together + +341 +00:10:58,958 --> 00:11:03,599 +between those type of roles but this + +342 +00:11:01,919 --> 
00:11:04,0 +661.92 --> 664 +changed over time and one of the changes + +344 +00:11:04,0 --> 00:11:08,78 +664 --> 668.079 +that we saw happened was that the output + +345 +00:11:06,240 --> 00:11:10,240 +of what the security analysts + +346 +00:11:08,78 --> 00:11:12,159 +and the reversers and the analysts were + +347 +00:11:10,240 --> 00:11:14,480 +outputting basically from the operation side + +349 +00:11:12,879 --> 00:11:16,399 +became more and more interesting for the + +350 +00:11:14,480 --> 00:11:17,839 +intelligence analysts that meant that + +351 +00:11:16,399 --> 00:11:19,919 +if they were tracking a certain threat + +352 +00:11:17,839 --> 00:11:21,600 +actor and they could attribute certain + +353 +00:11:19,919 --> 00:11:23,439 +actions that they were seen in the + +354 +00:11:21,600 --> 00:11:25,519 +network of the organization + +355 +00:11:23,440 --> 00:11:26,959 +to the certain threat actor they could + +356 +00:11:25,519 --> 00:11:29,278 +monitor for example how + +357 +00:11:26,958 --> 00:11:30,879 +the given actor was changing how fast + +358 +00:11:29,278 --> 00:11:32,78 +they were changing infrastructure + +359 +00:11:30,879 --> 00:11:34,0 +690.88 --> 694 +whether they were switching up their + +360 +00:11:32,78 --> 00:11:36,78 +methodology and this + +361 +00:11:34,0 --> 00:11:37,519 +694 --> 697.519 +gave them a lot of idea of useful data + +362 +00:11:36,78 --> 00:11:39,199 +of improving their libraries of the + +363 +00:11:37,519 --> 00:11:40,799 +threat actors that they were tracking + +364 +00:11:39,200 --> 00:11:41,920 +so suddenly we got this group interests + +365 +00:11:40,799 --> 00:11:43,838 +as well and they were obviously + +366 +00:11:41,919 --> 00:11:44,879 +producing data as well so nowadays if + +367 +00:11:43,839 --> 00:11:47,279 +you look at MISP + +368 +00:11:44,879 --> 00:11:49,200 +going from a raw indicator sharing platform + +369 +00:11:47,278 --> 00:11:50,399 +that MISP was initially + +370 +00:11:49,200 --> 00:11:52,160 
+nowadays you have a lot of the high + +371 +00:11:50,399 --> 00:11:53,759 +level threat intel information included + +372 +00:11:52,159 --> 00:11:56,720 +with the data as well so you will see threat reports + +374 +00:11:54,879 --> 00:11:58,720 +you will see interconnected information + +375 +00:11:56,720 --> 00:12:04,399 +about threat actors modus operandi + +377 +00:12:01,839 --> 00:12:06,79 +infrastructure impact and so on so forth + +378 +00:12:04,399 --> 00:12:07,360 +these extra layers of information that + +379 +00:12:06,78 --> 00:12:08,719 +we were missing initially + +380 +00:12:07,360 --> 00:12:10,0 +727.36 --> 730 +so this was the biggest change that we + +381 +00:12:08,720 --> 00:12:11,440 +had over time within our own + +382 +00:12:10,0 --> 00:12:13,919 +730 --> 733.92 +organizations but + +383 +00:12:11,440 --> 00:12:15,519 +obviously as a CSIRT that has + +384 +00:12:13,919 --> 00:12:17,199 +different constituencies + +385 +00:12:15,519 --> 00:12:18,799 +we're also interacting with the security + +386 +00:12:17,200 --> 00:12:20,720 +teams of other organizations and one of + +387 +00:12:18,799 --> 00:12:22,319 +the things we noticed early on was + +388 +00:12:20,720 --> 00:12:24,160 +there's a lot of the issues that other + +389 +00:12:22,320 --> 00:12:25,600 +types of organizations had internally + +390 +00:12:24,159 --> 00:12:28,800 +with information sharing are very similar to ours + +392 +00:12:26,879 --> 00:12:30,958 +so initially the first use case that we + +393 +00:12:28,799 --> 00:12:32,799 +got that was different and from our + +394 +00:12:30,958 --> 00:12:36,719 +normal security use case + +395 +00:12:32,799 --> 00:12:38,399 +was basically the various financial + +396 +00:12:36,720 --> 00:12:39,920 +organizations reaching out to us saying + +397 +00:12:38,399 --> 00:12:41,759 +that their fraud teams were + +398 +00:12:39,919 --> 00:12:43,599 +running into similar sort of issues with + +399 +00:12:41,759 --> 00:12:45,759 +sharing between 
their teams, + +400 +00:12:43,600 --> 00:12:47,839 +sharing with other partner teams, + +401 +00:12:45,759 --> 00:12:50,319 +information about mule accounts and + +402 +00:12:47,839 --> 00:12:51,519 +about other fraud related information + +403 +00:12:50,320 --> 00:12:53,680 +so they reached out to us and + +404 +00:12:51,519 --> 00:12:54,480 +basically their security teams reached + +405 +00:12:53,679 --> 00:12:57,199 +out to us and said + +406 +00:12:54,480 --> 00:12:58,639 +can't we just try to help them also + +407 +00:12:57,200 --> 00:13:00,0 +777.2 --> 780 +to share that sort of information + +408 +00:12:58,639 --> 00:13:01,759 +through MISP directly, I mean we already + +409 +00:13:00,0 --> 00:13:03,200 +780 --> 783.2 +had the tooling in place + +410 +00:13:01,759 --> 00:13:05,200 +it was just a question of changing the data model + +412 +00:13:05,200 --> 00:13:08,639 +so we we started doing that for uh together + +413 +00:13:07,120 --> 00:13:10,480 +with the financial sector initially + +414 +00:13:08,639 --> 00:13:12,0 +788.639 --> 792 +where we expanded the data model of MISP + +415 +00:13:10,480 --> 00:13:13,519 +when we allowed for modeling of new + +416 +00:13:12,0 --> 00:13:15,919 +792 --> 795.92 +custom data types + +417 +00:13:13,519 --> 00:13:17,679 +and it's even surprising to us at the + +418 +00:13:15,919 --> 00:13:20,319 +time turned into a success + +419 +00:13:17,679 --> 00:13:21,599 +very rapidly so nowadays we're involved + +420 +00:13:20,320 --> 00:13:22,959 +with quite a few different types of + +421 +00:13:21,600 --> 00:13:25,519 +organizations out there + +422 +00:13:22,958 --> 00:13:26,879 +replicating the same scenario where for + +423 +00:13:25,519 --> 00:13:30,320 +example law enforcement, where we initially had + +425 +00:13:28,320 --> 00:13:32,79 +mostly contact with their security teams + +426 +00:13:30,320 --> 00:13:36,240 +and helping them build data sets for bootstrapping their forensic + +429 +00:13:34,399 --> 00:13:38,480 
+investigations nowadays we have all + +430 +00:13:36,240 --> 00:13:40,959 +sorts of information sharing involving + +431 +00:13:38,480 --> 00:13:45,278 +uh for example uh seized goods information sharing from + +433 +00:13:42,639 --> 00:13:48,799 +border control agencies uh law enforcement agencies + +435 +00:13:46,879 --> 00:13:51,120 +sharing information about passenger information + +436 +00:13:48,799 --> 00:13:53,359 +so a lot of the type of data + +437 +00:13:51,120 --> 00:13:55,360 +sharing that was very unusual for us as + +438 +00:13:53,360 --> 00:13:58,79 +a CSIRT initially + +439 +00:13:55,360 --> 00:13:58,879 +now once you get all this data in a + +440 +00:13:58,78 --> 00:14:01,39 +system and you + +441 +00:13:58,879 --> 00:14:04,399 +started building a data set from your community + +443 +00:14:02,480 --> 00:14:06,79 +you start to see trends in the data set + +444 +00:14:04,399 --> 00:14:07,839 +and this is what gets + +445 +00:14:06,78 --> 00:14:09,759 +for example our risk analysis team + +446 +00:14:07,839 --> 00:14:11,440 +interested in it the moment that you're + +447 +00:14:09,759 --> 00:14:12,639 +seeing how attackers are changing their + +448 +00:14:11,440 --> 00:14:15,199 +trends over time + +449 +00:14:12,639 --> 00:14:18,719 +you can better advise your constituency your customers and so on + +451 +00:14:17,360 --> 00:14:22,160 +about the different risks that they might be facing and the + +453 +00:14:20,958 --> 00:14:24,879 +different risks that they should be preparing for + +455 +00:14:23,278 --> 00:14:26,958 +and preparing the organizations for + +456 +00:14:24,879 --> 00:14:29,519 +based on what the same sector is facing + +457 +00:14:26,958 --> 00:14:31,359 +perhaps in the same geographic location + +458 +00:14:29,519 --> 00:14:33,120 +so suddenly you get a lot of knowledge + +459 +00:14:31,360 --> 00:14:35,120 +out of the collected data as long as + +460 +00:14:33,120 --> 00:14:36,720 +data is well contextualized and i think + +461 
+00:14:35,120 --> 00:14:38,78 +this will be one of the main topics that + +462 +00:14:36,720 --> 00:14:41,519 +we're going to be talking about quite a bit today and tomorrow + +464 +00:14:39,679 --> 00:14:43,599 +is contextualizing the information and + +465 +00:14:41,519 --> 00:14:47,600 +making the information actually usable + +466 +00:14:43,600 --> 00:14:47,600 +and turning data really into knowledge + +467 +00:14:49,600 --> 00:14:55,40 +yeah so like Andras mentioned + +468 +00:14:52,639 --> 00:14:56,240 +we have a pretty large set of different + +469 +00:14:55,39 --> 00:15:00,0 +895.04 --> 900 +communities using MISP + +470 +00:14:56,240 --> 00:15:02,159 +and over the time it became i think more + +471 +00:15:00,0 --> 00:15:03,759 +900 --> 903.76 +complicated to handle all those requests + +472 +00:15:02,159 --> 00:15:07,120 +from different organizations + +473 +00:15:03,759 --> 00:15:10,0 +903.76 --> 910 +um so we came with a model of governance + +474 +00:15:07,120 --> 00:15:12,240 +even if it's a very lightweight one we + +475 +00:15:10,0 --> 00:15:13,839 +910 --> 913.839 +decided to have this kind of models to + +476 +00:15:12,240 --> 00:15:15,680 +still benefit from the open source + +477 +00:15:13,839 --> 00:15:17,199 +community model and then + +478 +00:15:15,679 --> 00:15:19,278 +bring all the experience from a + +479 +00:15:17,198 --> 00:15:21,198 +different community into systems where + +480 +00:15:19,278 --> 00:15:22,720 +it allows us to develop and extend the + +481 +00:15:21,198 --> 00:15:24,958 +software so we decided to + +482 +00:15:22,720 --> 00:15:26,240 +create this kind of models where we + +483 +00:15:24,958 --> 00:15:28,879 +basically + +484 +00:15:26,240 --> 00:15:30,320 +take care of all the features and + +485 +00:15:28,879 --> 00:15:33,679 +requests that we receive from different organizations + +487 +00:15:31,679 --> 00:15:36,599 +so we use this kind of priority list of different features + +489 +00:15:35,600 --> 00:15:38,720 +and 
we get that feedback from {inaudible} + +491 +00:15:38,720 --> 00:15:42,879 +one of the {inaudible} one i would say is + +492 +00:15:40,639 --> 00:15:44,480 +Github so we get the feed from + +493 +00:15:42,879 --> 00:15:46,399 +the different issue that we receive from + +494 +00:15:44,480 --> 00:15:48,639 +Github i mean on the if you look at on + +495 +00:15:46,399 --> 00:15:50,320 +Github you'll see that we have a + +496 +00:15:48,639 --> 00:15:52,320 +significant number of issues and those + +497 +00:15:50,320 --> 00:15:54,800 +issue are usually for us a way to track down + +499 +00:15:52,799 --> 00:15:56,879 +all the different requests of features + +500 +00:15:54,639 --> 00:15:59,120 +in MISP and that's one way to get it. + +501 +00:15:56,879 --> 00:16:02,639 +Another way and this one is a quite a common one + +503 +00:16:00,639 --> 00:16:05,39 +is basically a training or session like + +504 +00:16:02,399 --> 00:16:06,799 +this where people are providing feedback, + +505 +00:16:05,39 --> 00:16:09,39 +bug reports, future requests and so on + +506 +00:16:06,799 --> 00:16:10,879 +directly during the training and for us + +507 +00:16:09,39 --> 00:16:12,958 +uh i think really practical and we can + +508 +00:16:10,879 --> 00:16:15,39 +get all this information needed for us + +509 +00:16:12,958 --> 00:16:16,0 +972.959 --> 976 +to improve the software. 
Another thing + +510 +00:16:15,39 --> 00:16:17,759 +that we do and + +511 +00:16:16,0 --> 00:16:19,839 +976 --> 979.839 +that's maybe for the audience some + +512 +00:16:17,759 --> 00:16:21,39 +people are interested in that one + +513 +00:16:19,839 --> 00:16:22,560 +we know that there are plenty of + +514 +00:16:21,39 --> 00:16:24,399 +different MISP of groups that we don't + +515 +00:16:22,559 --> 00:16:28,319 +control and that we don't manage that's + +516 +00:16:24,399 --> 00:16:29,679 +great we have for example ISACs, ISAO + +517 +00:16:28,320 --> 00:16:31,360 +doing really those kind of things where + +518 +00:16:29,679 --> 00:16:33,838 +you have those kind of user groups + +519 +00:16:31,360 --> 00:16:35,600 +and what we do we participate on a + +520 +00:16:33,839 --> 00:16:37,279 +regular basis to one of those groups for + +521 +00:16:35,600 --> 00:16:39,0 +995.6 --> 998 +example on a quarterly basis on a yearly basis + +523 +00:16:38,0 --> 00:16:41,759 +998 --> 1001.759 +and we do a collection of requirements + +524 +00:16:40,240 --> 00:16:44,240 +from those different groups + +525 +00:16:41,759 --> 00:16:46,720 +during one session and that's really + +527 +00:16:44,958 --> 00:16:48,799 +i think useful for us because it's a way + +528 +00:16:46,720 --> 00:16:50,720 +to to gather information so for example + +529 +00:16:48,799 --> 00:16:52,78 +Andras mentioned those + +530 +00:16:50,720 --> 00:16:53,519 +financial groups where people are + +531 +00:16:52,78 --> 00:16:54,559 +sharing information about bank account + +532 +00:16:53,519 --> 00:16:56,480 +detail and so on + +533 +00:16:54,559 --> 00:16:57,919 +and that's where we basically gather all + +534 +00:16:56,480 --> 00:16:59,278 +those requirements + +535 +00:16:57,919 --> 00:17:01,39 +so if you are setting up a group + +536 +00:16:59,278 --> 00:17:03,278 +somewhere in US or + +537 +00:17:01,39 --> 00:17:04,318 +in the world about sharing information + +538 +00:17:03,278 --> 00:17:06,0 +1023.279 --> 
1026 +and so on and you want to + +539 +00:17:04,318 --> 00:17:07,759 +invite us at some point in time it's a + +540 +00:17:06,0 --> 00:17:12,160 +1026 --> 1028.959 +way for us to gather those kind of requirements + +542 +00:17:08,959 --> 00:17:13,759 +we do a summit which is a yearly event + +543 +00:17:12,160 --> 00:17:15,600 +usually it was physical but nowadays + +544 +00:17:13,759 --> 00:17:18,0 +1033.76 --> 1038 +it's virtual trainings + +545 +00:17:15,599 --> 00:17:19,918 +so it's basically every user or + +546 +00:17:18,0 --> 00:17:21,199 +1038 --> 1041.199 +organizations using MISP presenting what + +547 +00:17:19,919 --> 00:17:22,959 +they are doing + +548 +00:17:21,199 --> 00:17:24,558 +it's a way for us to to see the + +549 +00:17:22,959 --> 00:17:26,480 +interactions and see what + +550 +00:17:24,558 --> 00:17:28,480 +can be improved in MISP and see {inaudible} + +551 +00:17:26,480 --> 00:17:29,759 +in the community behind + +552 +00:17:28,480 --> 00:17:31,839 +and then we have a kind of 20% + +553 +00:17:29,759 --> 00:17:35,200 +project around in MISP + +554 +00:17:31,839 --> 00:17:38,558 +1051.84 --> 1056 +where we design new functionalities and we test + +556 +00:17:36,0 --> 00:17:39,919 +1056 --> 1059.919 +them out for example one of those is the + +557 +00:17:38,558 --> 00:17:41,200 +detailing of indicators + +558 +00:17:39,919 --> 00:17:42,400 +which was a request from different + +559 +00:17:41,200 --> 00:17:43,919 +organizations but it was kind of + +560 +00:17:42,400 --> 00:17:45,919 +difficult to design + +561 +00:17:43,919 --> 00:17:48,240 +and with this kind of models where we + +562 +00:17:45,919 --> 00:17:50,480 +designed first as a kind of prototype + +563 +00:17:48,240 --> 00:17:52,558 +multiple iterations uh we did a multiple + +564 +00:17:50,480 --> 00:17:56,0 +1070.48 --> 1076 +research paper on that and then finally + +565 +00:17:52,558 --> 00:17:57,918 +this become part of the MISP core software + +566 +00:17:56,0 --> 00:17:59,679 
+1076 --> 1079.679 +we will show that later on but so we + +567 +00:17:57,919 --> 00:18:01,679 +have a lightweight governance model + +568 +00:17:59,679 --> 00:18:03,840 +but really the goal is to gather as + +569 +00:18:01,679 --> 00:18:05,280 +much feedback from the user so don't + +570 +00:18:03,839 --> 00:18:08,599 +hesitate if you have any bug reports, ideas and so on + +571 +00:18:05,279 --> 00:18:09,319 +either open an issue, + +573 +00:18:08,319 --> 00:18:11,918 +get in touch with us. + +575 +00:18:11,919 --> 00:18:16,400 +You are more than welcome to basically + +576 +00:18:13,279 --> 00:18:16,399 +share such kind of information. + +577 +00:18:17,119 --> 00:18:22,719 +Yeah, now addressing the elephant in the room + +579 +00:18:20,720 --> 00:18:24,160 +when you bring so many different + +580 +00:18:22,160 --> 00:18:25,759 +organizations together and build a large + +581 +00:18:24,160 --> 00:18:27,200 +community of sharing with different + +582 +00:18:25,759 --> 00:18:28,558 +needs and requirements + +583 +00:18:27,200 --> 00:18:31,200 +you're obviously going to have to run + +584 +00:18:28,558 --> 00:18:32,720 +into conflicting requirements as well + +585 +00:18:31,200 --> 00:18:34,240 +so one of the most obvious ones that + +586 +00:18:32,720 --> 00:18:36,640 +that we're dealing with very often with + +587 +00:18:34,240 --> 00:18:38,720 +information sharing and something that + +588 +00:18:36,640 --> 00:18:39,840 +that we're working on tackling , + +590 +00:18:38,839 --> 00:18:43,599 +basically since we started with MISP, is dealing + +591 +00:18:42,79 --> 00:18:45,279 +with a different requirement of + +592 +00:18:43,599 --> 00:18:46,879 +of what you count as valuable + +593 +00:18:45,279 --> 00:18:47,519 +information depending on your use case + +594 +00:18:46,880 --> 00:18:51,599 +so this is different also within + +596 +00:18:50,400 --> 00:18:53,360 +different analysts, different roles + +597 +00:18:51,599 --> 00:18:56,79 +within the same organization 
as + +598 +00:18:53,359 --> 00:18:58,720 +well so for example, for us as a CSIRT in general + +600 +00:18:57,38 --> 00:19:00,240 +uh detection is the most important + +601 +00:18:58,720 --> 00:19:04,640 +matter so we're interested + +602 +00:19:00,240 --> 00:19:08,880 +in in using indicators to detect if our constituency + +604 +00:19:06,880 --> 00:19:10,0 +1146.88 --> 1150 +is affected by something that the + +605 +00:19:08,880 --> 00:19:12,880 +information is being + +606 +00:19:10,0 --> 00:19:14,160 +1150 --> 1154.16 +shared about or whether uh any of the + +607 +00:19:12,880 --> 00:19:17,200 +the infrastructure that we're + +608 +00:19:14,160 --> 00:19:17,840 +responsible for is infected + +609 +00:19:17,200 --> 00:19:22,639 +on the other hand if you're talking to an isp + +611 +00:19:19,919 --> 00:19:22,640 +one of the large + +612 +00:19:22,720 --> 00:19:26,720 +requirements from an isp basically will + +613 +00:19:24,640 --> 00:19:29,38 +be able to protect their users + +614 +00:19:26,720 --> 00:19:30,79 +from potential harm so that means that + +616 +00:19:30,79 --> 00:19:34,480 +if there are any urls, websites, and so on + +618 +00:19:34,480 --> 00:19:38,480 +that they should block for their users they + +619 +00:19:36,880 --> 00:19:39,679 +need to be able to generate a block list + +620 +00:19:38,480 --> 00:19:41,440 +out of the data + +621 +00:19:39,679 --> 00:19:43,600 +that is considered to be malicious + +622 +00:19:41,440 --> 00:19:45,360 +enough now if you compare these two use cases + +623 +00:19:43,599 --> 00:19:48,240 +with each other detection versus blocking + +625 +00:19:46,240 --> 00:19:49,359 +you will immediately see that the effect + +627 +00:19:49,359 --> 00:19:53,359 +of having a false positive in the data + +628 +00:19:51,200 --> 00:19:56,160 +set or data that is no longer fresh + +629 +00:19:53,359 --> 00:19:57,119 +has a completely different impact + +630 +00:19:56,160 --> 00:19:58,960 +sure for us when + +631 +00:19:57,119 --> 
00:20:00,719 +that are mostly in the detection game + +632 +00:19:58,960 --> 00:20:02,400 +it's annoying we get a false positive + +633 +00:20:00,720 --> 00:20:04,400 +alert it has to be handled + +634 +00:20:02,400 --> 00:20:05,759 +and it takes time and effort it also + +635 +00:20:04,400 --> 00:20:07,200 +introduces something called alert fatigue + +636 +00:20:05,759 --> 00:20:09,319 +that i'm sure many of you are familiar with + +638 +00:20:08,319 --> 00:20:12,79 +if you're getting a lot of false + +639 +00:20:09,440 --> 00:20:15,120 +positive alerts you're more likely to ignore the + +641 +00:20:13,119 --> 00:20:16,798 +next alert that you get but besides that + +642 +00:20:15,679 --> 00:20:20,879 +it has no real operational impact on us + +644 +00:20:19,119 --> 00:20:22,879 +on the other hand for an isp that ends up blocking + +645 +00:20:20,880 --> 00:20:24,880 +something that is uh + +646 +00:20:22,880 --> 00:20:27,400 +potentially a false positive might have a catastrophic impact + +648 +00:20:26,400 --> 00:20:33,600 +imagine if someone accidentally, for example shares + +650 +00:20:29,599 --> 00:20:35,759 +facebook.com as an indicator that might + +651 +00:20:33,279 --> 00:20:39,119 +basically cause a riot with their users or it might {inaudible} + +653 +00:20:37,279 --> 00:20:41,519 +but it's a different story + +654 +00:20:39,119 --> 00:20:44,479 +but with that in mind, you see that these + +655 +00:20:41,519 --> 00:20:47,679 +two use cases are already conflicting + +656 +00:20:44,480 --> 00:20:49,360 +now if you also take the perspective of + +657 +00:20:47,679 --> 00:20:52,400 +intelligence analysts that are tracking + +658 +00:20:49,359 --> 00:20:52,798 +threat actor movements in to account + +660 +00:20:52,798 --> 00:20:56,400 +that's an even more lax use case + +662 +00:20:56,400 --> 00:21:02,159 +where you care about whether something is a fresh indicator still or not + +664 +00:21:00,79 --> 00:21:03,439 +even less than the other two groups. 
+ +665 +00:21:02,159 --> 00:21:04,880 +The reason for that is you're interested in + +666 +00:21:03,440 --> 00:21:07,120 +the historical movements of a threat actor, for example. + +668 +00:21:07,119 --> 00:21:11,439 +So even if something is no longer + +669 +00:21:08,240 --> 00:21:13,38 +an indicator because and an infected + +670 +00:21:11,440 --> 00:21:14,960 +website was cleaned up + +671 +00:21:13,38 --> 00:21:17,38 +since the time when the indicator was + +672 +00:21:14,960 --> 00:21:18,880 +shared they still want to see + +673 +00:21:17,38 --> 00:21:20,558 +how long, for example a threat actor was + +674 +00:21:18,880 --> 00:21:22,80 +using that infrastructure, + +675 +00:21:20,558 --> 00:21:25,119 +how quickly they changed to something + +676 +00:21:22,79 --> 00:21:27,519 +else and what methods they used + +677 +00:21:25,119 --> 00:21:28,239 +back when they were exploiting it. + +679 +00:21:27,240 --> 00:21:31,839 +So if you bring these different requirements on board on + +680 +00:21:30,480 --> 00:21:36,959 +the same platform is difficult and there are some + +682 +00:21:35,200 --> 00:21:38,960 +things that we can do to alleviate these + +683 +00:21:36,960 --> 00:21:40,720 +issues. 
For example what we do with + +684 +00:21:38,960 --> 00:21:42,798 +MISP + +685 +00:21:40,720 --> 00:21:44,480 +we have a system called warning list + +686 +00:21:42,798 --> 00:21:46,480 +system that allows us to filter out + +687 +00:21:44,480 --> 00:21:50,640 +obvious false positives + +688 +00:21:46,480 --> 00:21:54,798 +so we maintain these lists of + +689 +00:21:50,640 --> 00:21:56,720 +most common websites, empty hash lists, + +690 +00:21:54,798 --> 00:21:58,319 +public dns resolvers and all these + +691 +00:21:56,720 --> 00:22:00,558 +typical things that end up in + +692 +00:21:58,319 --> 00:22:04,399 +the sets while doing automatic extraction for example + +694 +00:22:02,400 --> 00:22:06,80 +that end up being false positives but + +695 +00:22:04,400 --> 00:22:07,720 +with that said this is just one part of the story + +697 +00:22:06,720 --> 00:22:10,79 +So if you're looking at the different + +698 +00:22:08,480 --> 00:22:12,880 +use cases up there that doesn't solve our issue + +700 +00:22:10,880 --> 00:22:15,600 +of having different requirements + +701 +00:22:14,0 --> 00:22:17,558 +1334 --> 1336.559 +from the data set based on what you do with it + +703 +00:22:16,558 --> 00:22:20,319 +and this is where contextualization + +704 +00:22:18,558 --> 00:22:22,158 +becomes more important again + +705 +00:22:20,319 --> 00:22:24,0 +1340.32 --> 1344 +if we can supply the information together with the data, + +707 +00:22:23,0 --> 00:22:26,880 +1344 --> 1346.88 +why this data is relevant and what context you're + +708 +00:22:25,440 --> 00:22:28,640 +supposed to be using it + +709 +00:22:26,880 --> 00:22:30,480 +then the consumers of the data can make + +710 +00:22:28,640 --> 00:22:33,440 +those decisions for themselves based on + +711 +00:22:30,480 --> 00:22:35,279 +whatever they want to use + +712 +00:22:33,440 --> 00:22:38,640 +the data for in any of those different use cases + +714 +00:22:36,640 --> 00:22:42,720 +so one of our main efforts with MISP has been + +716 
+00:22:40,720 --> 00:22:44,0 +1360.72 --> 1364 +to be able to provide these different + +717 +00:22:42,400 --> 00:22:47,519 +structures together with the data and to + +718 +00:22:44,0 --> 00:22:48,519 +1364 --> 1367.52 +be able to label data well enough. Back to you. + +720 +00:22:48,880 --> 00:22:54,720 +Yeah so and that's iI think important regarding the + +721 +00:22:52,960 --> 00:22:56,720 +different kind of use cases and so on + +722 +00:22:54,720 --> 00:22:59,360 +and we try to support those different use cases and + +725 +00:22:59,759 --> 00:23:03,679 +that's sometimes challenging for us but luckily + +726 +00:23:01,679 --> 00:23:06,320 +we are at the same time + +727 +00:23:03,679 --> 00:23:07,840 +part of various community so we can see + +728 +00:23:06,319 --> 00:23:09,279 +the different use cases, especially + +729 +00:23:07,839 --> 00:23:13,480 +regarding the handling of false positive which is + +731 +00:23:12,480 --> 00:23:16,558 +an ongoing challenge but we will show + +732 +00:23:14,880 --> 00:23:17,840 +you how to handle that + +733 +00:23:16,558 --> 00:23:20,0 +1396.559 --> 1400 +and at the same time we basically + +734 +00:23:17,839 --> 00:23:22,79 +operate those different communities. + +735 +00:23:20,0 --> 00:23:24,159 +1400 --> 1404.159 +So for example we operate a pretty large + +736 +00:23:22,79 --> 00:23:26,798 +one for the private sector + +737 +00:23:24,159 --> 00:23:30,559 +where we have a lot of organizations, + +739 +00:23:28,558 --> 00:23:32,158 +more than 1200 organizations are basically connected there. 
+ +740 +00:23:30,880 --> 00:23:35,440 +It's pretty large and we see an active + +742 +00:23:35,440 --> 00:23:38,400 +community sharing information and + +743 +00:23:36,798 --> 00:23:40,400 +there is plenty of different communities + +744 +00:23:38,400 --> 00:23:41,840 +some that we don't know even about + +745 +00:23:40,400 --> 00:23:43,278 +because you can even run your own + +746 +00:23:41,839 --> 00:23:44,558 +private communities without telling anyone, that's fine. + + +748 +00:23:44,558 --> 00:23:49,759 +That's part of the system but if you want to have different kind of communities + +750 +00:23:48,759 --> 00:23:55,839 +you can connect those automatically then you have I would say + +753 +00:23:54,240 --> 00:23:57,798 +different kind of model you have those kind of + +755 +00:23:56,798 --> 00:24:00,480 +fully island mode communities. + +756 +00:23:58,798 --> 00:24:01,679 +Those kind of trusted groups so for example for the + +758 +00:24:00,679 --> 00:24:05,519 +intelligence community it's very common for them to run MISP + +759 +00:24:03,759 --> 00:24:09,759 +in an island mode so having air gap system and so on + +761 +00:24:07,759 --> 00:24:11,919 +sometimes they are partially connected + +762 +00:24:09,759 --> 00:24:13,599 +with third parties to share partial + +763 +00:24:11,919 --> 00:24:15,400 +information so for example we know some organizations + +765 +00:24:14,400 --> 00:24:18,640 +or for example border controls or customs + +767 +00:24:18,640 --> 00:24:21,919 +are using MISP but they still need to + +768 +00:24:20,79 --> 00:24:24,319 +share some small information and that + +770 +00:24:22,319 --> 00:24:24,158 +partially connected system. 
+ +771 +00:24:23,319 --> 00:24:28,0 +1464.32 --> 1468 +MISP freely supports those kind of models + +772 +00:24:26,159 --> 00:24:29,679 +and then you have community that are + +773 +00:24:28,0 --> 00:24:31,359 +1468 --> 1471.36 +more broad and more large + +774 +00:24:29,679 --> 00:24:33,278 +for example in the financial sector and + +775 +00:24:31,359 --> 00:24:35,240 +I think the CSIRT Luxembourg has some banks + +777 +00:24:34,240 --> 00:24:39,599 +we are involved in various sharing communities + +779 +00:24:37,599 --> 00:24:41,519 +at European level and worldwide level + +780 +00:24:40,480 --> 00:24:45,759 +where for example we know some ISACs that are dedicated to + +782 +00:24:43,759 --> 00:24:48,200 +the financial sector are using it as a sharing mechanism + +784 +00:24:47,200 --> 00:24:51,278 +you have some organizations that are really + +785 +00:24:49,38 --> 00:24:52,480 +dedicated to a payment processing system + +786 +00:24:51,278 --> 00:24:54,519 +that are using this to share automatically + +788 +00:24:53,519 --> 00:24:57,519 +information and so on or analysis + +790 +00:24:57,519 --> 00:25:01,519 +One of the i would say pretty large community too is + +791 +00:24:59,278 --> 00:25:04,960 +with the military organization and international organizations + +793 +00:25:02,960 --> 00:25:06,720 +FIRST for example, you have a lot of FIRST members using + +794 +00:25:05,359 --> 00:25:08,639 +MISP for sharing their information + +796 +00:25:08,640 --> 00:25:13,759 +but there are plenty of networks, national governmental networks + +798 +00:25:11,759 --> 00:25:15,278 +a military one intelligence, one or even NATO for example are using + +800 +00:25:15,278 --> 00:25:19,599 +using MISP so maybe some of you are eligible to access those ones + +802 +00:25:19,599 --> 00:25:23,399 +so we have on the MISP an interface a way to connect to those + +804 +00:25:22,400 --> 00:25:26,240 +community and you can reach out to the + +805 +00:25:24,319 --> 00:25:27,200 +different 
community by asking for access for example + +807 +00:25:27,200 --> 00:25:30,319 +then you have very specific communities + +808 +00:25:28,960 --> 00:25:33,720 +that are set up by security vendors it's not uncommon + +810 +00:25:32,720 --> 00:25:35,759 +tp see for example a security vendor + +811 +00:25:34,0 --> 00:25:37,359 +1534 --> 1537.36 +services their own MISP + +812 +00:25:35,759 --> 00:25:39,119 +we have seen for example some + +813 +00:25:37,359 --> 00:25:41,319 +{inaudible} agents vendors running a dedicated MISP + +815 +00:25:40,319 --> 00:25:44,480 +or even some operators of specific cloud + +816 +00:25:42,798 --> 00:25:46,400 +services running a MISP instance + +817 +00:25:44,480 --> 00:25:49,360 +to share information amongst + +818 +00:25:46,400 --> 00:25:49,320 +their different customers. + +819 +00:25:49,359 --> 00:25:52,798 +Then you have communities that are + +820 +00:25:50,319 --> 00:25:55,38 +i would say very specific on the topic + +821 +00:25:52,798 --> 00:25:59,79 +for example you have about sick information uh false news + +823 +00:25:58,79 --> 00:26:02,278 +and stuff like that you have communities doing that + +825 +00:26:01,278 --> 00:26:04,720 +for example we cooperate one called the COVID-19 MISP + +827 +00:26:04,720 --> 00:26:09,839 +which is really targeting COVID-19 as a topic + +828 +00:26:07,919 --> 00:26:10,720 +and then you have 10 different subtopics like + +829 +00:26:09,839 --> 00:26:12,399 +cyber security, health related topics and so on. + +831 +00:26:12,400 --> 00:26:15,679 +So you can see that MISP can be really used on + +832 +00:26:13,919 --> 00:26:17,440 +different model of communities + +833 +00:26:15,679 --> 00:26:19,440 +you can bridge those communities, + +834 +00:26:17,440 --> 00:26:21,360 +you can interconnect those with together, + +835 +00:26:19,440 --> 00:26:23,759 +you can keep it for yourself, so it's + +836 +00:26:21,359 --> 00:26:25,839 +really a matter of models. 
+ +837 +00:26:23,759 --> 00:26:27,759 +Worldwide there are I would say a lot of + +838 +00:26:25,839 --> 00:26:31,199 +communities that we are not aware of + +839 +00:26:27,759 --> 00:26:33,599 +but we as CIRCL operates + +840 +00:26:31,200 --> 00:26:35,120 +around 20 communities nowadays, that you + +841 +00:26:33,599 --> 00:26:37,839 +can basically get access + +842 +00:26:35,119 --> 00:26:39,839 +and Andras just sharing in the chat the + +843 +00:26:37,839 --> 00:26:42,439 +access to the COVID-19 MISP and if you want to get access to + +845 +00:26:41,440 --> 00:26:46,320 +that one you can connect on the main page and self-register and + +847 +00:26:46,319 --> 00:26:49,519 +you can request access to that community + +849 +00:26:48,519 --> 00:26:53,38 +so you see that MISP has different groups different communities + +851 +00:26:53,38 --> 00:26:56,640 +and it's up to you at the end to decide + +852 +00:26:55,359 --> 00:26:58,879 +which kind of community you want to {inaudiable either be/visit} + +854 +00:27:01,38 --> 00:27:04,798 +So, a little bit besides all the technical things + +856 +00:27:04,798 --> 00:27:06,839 +that we talked about, that we do with MISP, + +857 +00:27:06,480 --> 00:27:09,919 +and that we try to solve with it. 
+ +858 +00:27:07,839 --> 00:27:11,278 +In terms of sharing, there are obviously + +859 +00:27:09,919 --> 00:27:12,720 +going to be other hurdles that you have + +860 +00:27:11,278 --> 00:27:14,159 +to overcome whenever it comes to information sharing + +862 +00:27:14,159 --> 00:27:17,679 +one of the the toughest things to + +863 +00:27:16,0 --> 00:27:18,880 +1636 --> 1638.88 +overcome and this is where no tool can really help you + +865 +00:27:18,880 --> 00:27:23,679 +is to get enough trust in a community to + +866 +00:27:22,79 --> 00:27:24,319 +be able to share your information with them + +868 +00:27:24,319 --> 00:27:27,918 +So the only way to facilitate this is really social interactions + +870 +00:27:27,919 --> 00:27:32,0 +1647.919 --> 1652 +so sadly though we're living in times + +871 +00:27:30,398 --> 00:27:33,278 +where social interactions are tougher than usual + +873 +00:27:33,278 --> 00:27:37,440 +but for example events like FIRST conferences + +874 +00:27:35,679 --> 00:27:38,880 + are great ways to get to know your community and to + +876 +00:27:38,880 --> 00:27:43,200 +build this trust and build those + +877 +00:27:41,440 --> 00:27:44,159 +social relationships that you need + +879 +00:27:44,159 --> 00:27:47,679 +to be able to really exchange meaningful + +880 +00:27:45,839 --> 00:27:49,918 +information with the community + +881 +00:27:47,679 --> 00:27:52,0 +1667.679 --> 1672 +so i really encourage everyone that + +882 +00:27:49,919 --> 00:27:53,360 +wants to partake in information sharing communities + +884 +00:27:53,359 --> 00:27:57,278 +to be social, to reach out, and to get to know your community + +886 +00:27:57,278 --> 00:28:00,79 +because that's the biggest facilitator for sharing in the first place. + +888 +00:28:00,79 --> 00:28:03,599 +Other than that, there are obviously some + +889 +00:28:01,919 --> 00:28:05,360 +legal restrictions that you have + +890 +00:28:03,599 --> 00:28:06,398 +that might come up in the entire process. 
+ +891 +00:28:05,359 --> 00:28:08,79 +We see this very often with organizations where the first + +893 +00:28:08,79 --> 00:28:10,918 +questions that they ask us when they join + +895 +00:28:09,919 --> 00:28:16,240 +in our communities okay how does this + +896 +00:28:13,38 --> 00:28:18,558 +fit into GDPR for example. + +897 +00:28:16,240 --> 00:28:21,38 +If my legal team asks me why I am sharing + +898 +00:28:18,558 --> 00:28:22,720 +an information out what can i + +899 +00:28:21,38 --> 00:28:24,798 +give them as an explanation of why i'm + +900 +00:28:22,720 --> 00:28:25,159 +supposed to or allowed to do this. + +901 +00:28:25,198 --> 00:28:28,319 +So if you need any help with that we + +902 +00:28:26,159 --> 00:28:29,840 +have a bunch of compliance documentation + +903 +00:28:28,319 --> 00:28:33,240 +and that we've been working on together with a bunch of partners + +905 +00:28:32,240 --> 00:28:36,798 +and so we have descriptions for how + +906 +00:28:34,640 --> 00:28:37,919 +MISP fits into the GDPR, the NIS directive + +908 +00:28:37,919 --> 00:28:41,360 +and some other frameworks so just + +909 +00:28:40,79 --> 00:28:43,119 +have a look there and if you have any + +910 +00:28:41,359 --> 00:28:44,0 +1721.36 --> 1724 +questions or if you feel that anything is not covered + +912 +00:28:44,0 --> 00:28:47,599 +1724 --> 1727.6 +let us know and we keep updating our documentation + +914 +00:28:47,599 --> 00:28:51,519 +based on on feedback of what's missing + +915 +00:28:49,679 --> 00:28:52,559 +or ideas that we should be incorporating in there + +917 +00:28:52,558 --> 00:29:00,640 +but generally , once your legal team is more + +919 +00:28:58,880 --> 00:29:01,360 +familiar with the process and why this + +920 +00:29:00,640 --> 00:29:02,80 +is {inaudiable done/tied} + +921 +00:29:01,359 --> 00:29:05,759 +why ensuring security for your + +922 +00:29:04,79 --> 00:29:06,798 +organization and for the data that you + +923 +00:29:05,759 --> 00:29:08,960 +have to secure is 
important then it's seen more as a + +925 +00:29:08,960 --> 00:29:13,360 +benefit than a hurdle really + +926 +00:29:10,640 --> 00:29:15,278 +but it obviously takes time to get + +927 +00:29:13,359 --> 00:29:16,240 +this into your processes to define why you're + +929 +00:29:16,240 --> 00:29:19,679 +doing what you're doing + +930 +00:29:18,398 --> 00:29:21,199 +your retention periods, + +931 +00:29:19,679 --> 00:29:22,960 +describing how you're going to handle data and so on + +933 +00:29:22,960 --> 00:29:26,399 +so this obviously has some ramp up time + +935 +00:29:26,398 --> 00:29:29,439 +but we have a lot of documentation that will help you with that. + +937 +00:29:29,440 --> 00:29:32,558 +There are also some practical restrictions that we hear from + +938 +00:29:30,960 --> 00:29:34,79 +organizations so very often when + +939 +00:29:32,558 --> 00:29:35,440 +organizations reach out to us + +940 +00:29:34,79 --> 00:29:37,199 +the first thing they say is we don't + +941 +00:29:35,440 --> 00:29:39,120 +really have any information to share, + +942 +00:29:37,200 --> 00:29:40,880 +we don't have the capability for example + +943 +00:29:39,119 --> 00:29:42,639 +to build those highly vetted threat reports that we're so used to + +945 +00:29:42,640 --> 00:29:46,960 +from feed providers and obviously very few organizations do. 
+ +947 +00:29:46,960 --> 00:29:51,200 +With that said information sharing comes + +948 +00:29:49,919 --> 00:29:54,600 +in many different shapes and sizes for example going back + +950 +00:29:53,599 --> 00:29:58,558 +to the initial use case about + +951 +00:29:55,200 --> 00:30:00,0 +1795.2 --> 1800 +providing feedback from your analysts + +952 +00:29:58,558 --> 00:30:02,240 +about the data that you receive from + +953 +00:30:00,0 --> 00:30:03,839 +1800 --> 1803.84 +your community is already valuable + +954 +00:30:02,240 --> 00:30:05,599 +information sharing so if someone for + +955 +00:30:03,839 --> 00:30:07,278 +example provides sightings + +956 +00:30:05,599 --> 00:30:09,839 +I've also seen this indicator at this given time + +958 +00:30:09,839 --> 00:30:13,359 +that can already help you tune the data set + +960 +00:30:13,359 --> 00:30:16,879 +for what goes into your working data + +961 +00:30:15,119 --> 00:30:18,319 +sets for detection and blocking and so on. + +963 +00:30:18,319 --> 00:30:22,960 +Also providing information on false + +964 +00:30:20,839 --> 00:30:24,319 +positives and some information that + +965 +00:30:22,960 --> 00:30:26,640 +you provided to the community turns out to be false + +967 +00:30:26,640 --> 00:30:30,960 +or something that is no longer relevant + +968 +00:30:28,880 --> 00:30:33,39 +getting information that is valid as + +969 +00:30:30,960 --> 00:30:35,278 +well so pretty much everyone has + +970 +00:30:33,38 --> 00:30:36,398 +information to share by just using the information and running + +972 +00:30:36,398 --> 00:30:44,0 +1836.399 --> 1844 +into frustration with the data by itself. + +973 +00:30:40,720 --> 00:30:44,640 +Also besides not having information to share + +975 +00:30:44,640 --> 00:30:50,399 +there comes also the issue of time. 
+ +976 +00:30:48,398 --> 00:30:51,759 +Most of us are overburdened with + +977 +00:30:50,398 --> 00:30:52,798 +the different tasks that we are facing nowadays + +979 +00:30:52,798 --> 00:30:57,599 +so taking extra time out of the day to + +981 +00:30:57,599 --> 00:31:02,38 +encode information and to share it out in the community + +983 +00:31:01,38 --> 00:31:04,558 +is obviously going to be an extra burden + +984 +00:31:02,640 --> 00:31:05,600 +there is no way around it. + +985 +00:31:03,558 --> 00:31:07,440 +What we try to do with MISP + +986 +00:31:05,599 --> 00:31:09,38 +is to make this process as minimal as + +987 +00:31:07,440 --> 00:31:11,0 +1867.44 --> 1870 +possible but it is going to be a time investment in the end, after all + +989 +00:31:10,0 --> 00:31:13,839 +1870 --> 1873.84 +especially if you want to vet the data if you want to ensure that + +992 +00:31:13,839 --> 00:31:19,240 +the right data reaches the right recipients + +994 +00:31:18,240 --> 00:31:26,240 +This always has a time drain on you as well but in return this + +996 +00:31:24,480 --> 00:31:29,79 +is offset by what you gain by sharing that information we're + +998 +00:31:28,79 --> 00:31:31,359 +going to talk about this a little bit + +999 +00:31:29,440 --> 00:31:33,759 +more during the community building part + +1000 +00:31:31,359 --> 00:31:35,278 +about what effects you're going to see + +1001 +00:31:33,759 --> 00:31:36,640 +if you're sharing information and why it is relevant for you + +1003 +00:31:36,640 --> 00:31:41,120 +but to basically sum it up in one sentence + +1005 +00:31:41,119 --> 00:31:44,239 +and whatever affects your organization + +1006 +00:31:42,960 --> 00:31:45,679 +is probably the most important information for you and if you get + +1008 +00:31:45,679 --> 00:31:49,759 +feedback on that, what you're seeing in your network + +1010 +00:31:49,759 --> 00:31:52,398 +and more eyes on it, more perspectives + +1013 +00:31:52,398 --> 00:31:58,159 +and perhaps more sophisticated 
methods of + +1014 +00:31:56,79 --> 00:31:59,519 +research from other organizations + +1015 +00:31:58,159 --> 00:32:01,600 +then that will probably just improve + +1016 +00:31:59,519 --> 00:32:03,519 +your own security posture the best way it can. + +1018 +00:32:03,519 --> 00:32:08,880 +Now, besides timeliness and basically having information to share + +1020 +00:32:07,519 --> 00:32:10,960 +there's also the issue of different + +1021 +00:32:08,880 --> 00:32:12,240 +classification models so classification + +1022 +00:32:10,960 --> 00:32:16,159 +not just in a sense of of deciding who we share information with + +1025 +00:32:16,159 --> 00:32:19,278 +but how we classify information really + +1026 +00:32:18,79 --> 00:32:22,798 +in terms of contextualizating it we are all used + +1029 +00:32:22,798 --> 00:32:28,159 +to naming things a certain way in our organizations in + +1030 +00:32:26,319 --> 00:32:31,38 +our communities and we've probably + +1031 +00:32:28,159 --> 00:32:35,839 +been doing it for longer than digital information systems exist + +1034 +00:32:34,558 --> 00:32:37,599 +so we're probably using a lot of those + +1035 +00:32:35,839 --> 00:32:38,639 +vocabularies that we've been using for decades + +1037 +00:32:38,640 --> 00:32:43,600 +and what one of the things that we + +1038 +00:32:41,119 --> 00:32:45,678 +wanted to avoid with MISP is to + +1039 +00:32:43,599 --> 00:32:46,639 +get these communities to switch to a + +1041 +00:32:46,640 --> 00:32:51,360 +different way of describing things so if you already + +1042 +00:32:49,119 --> 00:32:52,959 +have your set methods, your set processes + +1043 +00:32:51,359 --> 00:32:54,479 +how you define things, we don't want to alter that so one of + +1045 +00:32:54,480 --> 00:32:57,278 +the things that we do with MISP and we are + +1046 +00:32:55,839 --> 00:32:58,798 +going to talk a fair bit about, tomorrow mostly + +1048 +00:32:58,798 --> 00:33:03,679 +is that you have ways to describe your + +1049 +00:33:01,519 --> 
00:33:06,0 +1981.519 --> 1986 +own taxonomies and your own vocabularies + +1050 +00:33:03,679 --> 00:33:07,120 +to use those in your community so very + +1051 +00:33:06,0 --> 00:33:08,558 +1986 --> 1988.559 +often when you're spinning up a + +1052 +00:33:07,119 --> 00:33:09,199 +community and when you're starting out + +1053 +00:33:08,558 --> 00:33:10,879 +with the sharing community, + +1055 +00:33:10,880 --> 00:33:14,320 +a national sharing community, sectorial one, whatever + +1056 +00:33:12,480 --> 00:33:16,399 +then one of the first tasks is basically + +1057 +00:33:14,319 --> 00:33:18,720 +defining those common vocabularies + +1058 +00:33:16,398 --> 00:33:20,639 +that you're going to be using + +1059 +00:33:18,720 --> 00:33:22,319 +now apart from the vocabularies + +1060 +00:33:20,640 --> 00:33:25,38 +themselves there is also the issue of + +1061 +00:33:22,319 --> 00:33:25,839 +of us speaking many different languages + +1063 +00:33:25,839 --> 00:33:29,519 +in terms of of our tools using different formats + +1065 +00:33:28,640 --> 00:33:33,919 +so that means even within our own organization which is + +1066 +00:33:32,79 --> 00:33:34,639 +rather small we have a set of different tools + +1068 +00:33:34,640 --> 00:33:38,559 +that will ingest data in different formats + +1070 +00:33:38,558 --> 00:33:42,240 +or will prefer to ingest data in given + +1071 +00:33:40,558 --> 00:33:43,119 +format so one of the things we also try to do with MISP + +1073 +00:33:43,119 --> 00:33:46,798 +is to act as a hub for all your different tools + +1075 +00:33:46,798 --> 00:33:51,519 +that will get their data translated into + +1076 +00:33:49,200 --> 00:33:52,960 +the format that they can best ingest. + +1077 +00:33:51,519 --> 00:33:55,839 +Obviously this is something where we cannot be completely + +1079 +00:33:55,839 --> 00:34:01,519 +100 percent covering all the other + +1080 +00:33:59,119 --> 00:34:02,879 +things that exist out there. 
+ +1081 +00:34:01,519 --> 00:34:04,558 +So one of the things we try to do with MISP + +1082 +00:34:02,880 --> 00:34:06,399 +is make it as modular as possible and + +1083 +00:34:04,558 --> 00:34:07,278 +it's easy to encode your own formats as possible. + +1085 +00:34:07,278 --> 00:34:13,440 +We're not going to go deeply into how to do this during the training + +1087 +00:34:11,358 --> 00:34:15,39 +but if anyone is interested about that just + +1089 +00:34:15,39 --> 00:34:17,599 +let us know and we'll point you in the + +1090 +00:34:16,398 --> 00:34:19,598 +right direction where you can find + +1091 +00:34:17,599 --> 00:34:20,159 +documentation on how to modularize and + +1093 +00:34:19,599 --> 00:34:24,159 +how to build import and export in MISP. + +1094 +00:34:26,760 --> 00:34:30,560 +So just one side note, all the training + +1095 +00:34:28,639 --> 00:34:32,320 +materials are available online + +1096 +00:34:30,559 --> 00:34:33,599 +like {inaduiable} mentioned we have a Github + +1097 +00:34:32,320 --> 00:34:35,599 +repository with a pretty extensive README files with all + +1099 +00:34:35,599 --> 00:34:41,39 +the material that we provide, there is a MISP book too which includes a + +1101 +00:34:41,39 --> 00:34:45,838 +lot of reference to MISP as you know MISP has a + +1103 +00:34:45,838 --> 00:34:50,159 +pretty large topic coming from technical aspect and + +1105 +00:34:50,159 --> 00:34:54,480 +you will see that in a minute about the project overview. + +1107 +00:34:54,480 --> 00:34:57,519 +So don't hesitate to go there on the MISP training + +1109 +00:34:57,519 --> 00:35:00,639 +page on Github this one is a good + +1110 +00:34:59,358 --> 00:35:02,639 +reference because it's really pointing + +1111 +00:35:00,639 --> 00:35:05,920 +to the different elements + +1112 +00:35:02,639 --> 00:35:06,239 +that we have. 
We have a huge slide deck of + +1114 +00:35:06,239 --> 00:35:10,559 +close to 500 pages of slide deck on the + +1115 +00:35:08,559 --> 00:35:11,679 +MISP book we have close to 500 pages. I + +1116 +00:35:10,559 --> 00:35:13,440 +would not mention the number of pages + +1117 +00:35:11,679 --> 00:35:14,719 +for taxonomies, galaxies and so on. It's quite large too + +1119 +00:35:14,719 --> 00:35:19,39 +but really look at this as a kind of way + +1120 +00:35:17,519 --> 00:35:22,239 +to shape it to what you like. + +1121 +00:35:19,39 --> 00:35:23,519 +So it's really there to help you and if + +1122 +00:35:22,239 --> 00:35:25,439 +you see something missing + +1123 +00:35:23,519 --> 00:35:26,800 +let us know but we have slides, + +1125 +00:35:26,800 --> 00:35:31,200 +for example system requirements, things like + +1126 +00:35:29,838 --> 00:35:32,960 +for example building community that + +1127 +00:35:31,199 --> 00:35:35,439 +we'll talk tomorrow, that's + +1128 +00:35:32,960 --> 00:35:37,599 +part of it but for more the + +1129 +00:35:35,440 --> 00:35:40,320 +programmatic aspect, API + +1130 +00:35:37,599 --> 00:35:41,200 +how to integrate with MISP {inaduiable JSON/taxono}, + +1131 +00:35:40,320 --> 00:35:43,39 +how to extend it too + +1132 +00:35:41,199 --> 00:35:44,799 +there are plenty of slides regarding that + +1133 +00:35:43,39 --> 00:35:46,800 +so it's really a good reference + +1134 +00:35:44,800 --> 00:35:48,560 +and thanks to {inaduiable} to share this + +1135 +00:35:46,800 --> 00:35:50,800 +information on the chat + +1136 +00:35:48,559 --> 00:35:52,719 +so to just give a quick overview of the MISP project and really to show that + +1138 +00:35:52,719 --> 00:35:56,399 +the project is quite large nowadays + +1139 +00:35:55,199 --> 00:35:59,838 +we basically have like four pillars of things in MISP + +1141 +00:35:59,838 --> 00:36:03,199 +one is obviously the open software itself + +1143 +00:36:03,199 --> 00:36:08,78 +so the initial version in {inaduaible} it was + 
+1144 +00:36:06,239 --> 00:36:10,239 +the small first small block there + +1145 +00:36:08,79 --> 00:36:11,440 +the MISP core software which is like just the software + +1147 +00:36:11,440 --> 00:36:16,400 +mainly for the LMAP aspect where + +1148 +00:36:14,800 --> 00:36:17,920 +you have the backend, the web interface, + +1149 +00:36:16,400 --> 00:36:19,760 +and so on but over the time the project extended + +1151 +00:36:19,760 --> 00:36:23,40 +with multiple things so if you look on the Github + +1152 +00:36:20,960 --> 00:36:24,800 +repository of mid project we have around 50 repositories so + +1154 +00:36:24,800 --> 00:36:28,720 +it's pretty large. Just to summarize what + +1155 +00:36:27,519 --> 00:36:31,119 +are the different one + +1156 +00:36:28,719 --> 00:36:31,919 +we have for example the MISP modules um + +1158 +00:36:31,920 --> 00:36:35,119 +which is an easy way to extend MISP so the behavior of MISP + +1160 +00:36:35,119 --> 00:36:40,880 +on the expansion side on the import, export and so on by just writing + +1162 +00:36:40,880 --> 00:36:44,480 +python modules it's super easy to develop and use + +1164 +00:36:44,480 --> 00:36:47,920 +and the idea behind is obviously to + +1165 +00:36:46,0 --> 00:36:50,960 +2206 --> 2210.96 +extend MISP without knowing + +1166 +00:36:47,920 --> 00:36:51,440 +the core details about the system + +1167 +00:36:50,960 --> 00:36:55,358 +then we have a library called PyMISP and this + +1168 +00:36:53,440 --> 00:36:58,639 +PyMISP library is basically a + +1169 +00:36:55,358 --> 00:37:02,319 +python library to expose the new MISP platform API + +1171 +00:37:02,320 --> 00:37:07,39 +so MISP has a large REST api this one can be quite large but + +1173 +00:37:05,199 --> 00:37:11,679 +by MISP is really helping you to for example {inaduiable jest/Get} events + +1174 +00:37:09,599 --> 00:37:13,200 +create feeds and stuff like that so it's + +1175 +00:37:11,679 --> 00:37:15,358 +really important if you want to + +1176 +00:37:13,199 --> 
00:37:17,39 +extend MISP to have a look at PyMISP that + +1177 +00:37:15,358 --> 00:37:18,480 +is not the only library for extending + +1179 +00:37:18,480 --> 00:37:23,440 +MISP some in golang you have some + +1180 +00:37:21,519 --> 00:37:24,639 +other in python too, you have others in java and so on + +1182 +00:37:24,639 --> 00:37:28,0 +2244.64 --> 2248 +but the PyMISP one is the one that + +1183 +00:37:26,400 --> 00:37:31,199 +is maintained by the author of MISP so it is maintained by us + +1186 +00:37:31,199 --> 00:37:34,399 +and you can have a look at this one it's + +1187 +00:37:32,480 --> 00:37:36,0 +2252.48 --> 2256 +really the one that's up to date it's + +1188 +00:37:34,400 --> 00:37:38,0 +2254.4 --> 2258 +really core and part of the system too + +1189 +00:37:36,0 --> 00:37:40,400 +2256 --> 2260.4 +because we use it for our own tests + +1190 +00:37:38,0 --> 00:37:42,320 +2258 --> 2262.32 +within MISP then we have different + +1191 +00:37:40,400 --> 00:37:43,358 +repository i will just mention one which is + +1193 +00:37:43,358 --> 00:37:46,559 +dashboard, the dashboard is an extension module + +1195 +00:37:46,559 --> 00:37:51,838 +in MISP using what we call the ZeroMQ feed in MISP + +1196 +00:37:49,838 --> 00:37:54,159 +so we have a kind of way to have kind of a real-time feed + +1198 +00:37:54,159 --> 00:37:58,799 +in MISP you can {inaudiable} and + +1199 +00:37:56,400 --> 00:38:00,639 +so on but we wanted to show an example + +1200 +00:37:58,800 --> 00:38:02,240 +application for that and the MISP + +1201 +00:38:00,639 --> 00:38:04,879 +dashboard is exactly that + +1202 +00:38:02,239 --> 00:38:06,559 +is a way to really get all the + +1203 +00:38:04,880 --> 00:38:08,960 +information that you have in MISP + +1204 +00:38:06,559 --> 00:38:09,920 +into a very nice dashboard and so on + +1205 +00:38:08,960 --> 00:38:11,760 +this is really to have a good example of what you can do + +1207 +00:38:11,760 --> 00:38:14,240 +with information within MISP and how you 
can use it + +1209 +00:38:14,239 --> 00:38:17,519 +so that's the main pillar you have + +1210 +00:38:15,519 --> 00:38:18,79 +plenty of other projects but those one are the main ones + +1212 +00:38:18,79 --> 00:38:22,400 +on top of that you have + +1213 +00:38:20,880 --> 00:38:23,358 +what we call the intelligent and knowledge database of + +1215 +00:38:23,358 --> 00:38:27,119 +MISP and just mentioned about the difficulty + +1217 +00:38:27,119 --> 00:38:31,280 +sometimes in some organizations to use a + +1218 +00:38:29,199 --> 00:38:33,519 +{inaudiable proper/corporate} classification and so on + +1219 +00:38:31,280 --> 00:38:35,40 +and we try to ease this in this + +1220 +00:38:33,519 --> 00:38:36,639 +different organization by having a kind + +1221 +00:38:35,39 --> 00:38:37,279 +of library of all the taxonomies that exist + +1223 +00:38:37,280 --> 00:38:41,519 +so we started as a very simple one where + +1224 +00:38:39,679 --> 00:38:43,358 +it was just including for example a + +1225 +00:38:41,519 --> 00:38:45,440 +taxonomy like the traffic light protocol one, FIRST is using it + +1227 +00:38:45,440 --> 00:38:49,119 +and it's a commonly used classification but over + +1228 +00:38:47,838 --> 00:38:50,320 +the time we have seen that many + +1229 +00:38:49,119 --> 00:38:52,720 +organizations have different + +1230 +00:38:50,320 --> 00:38:54,320 +classification and so on. 
So we already + +1231 +00:38:52,719 --> 00:38:55,838 +in advance we prepare all those taxonomies in + +1233 +00:38:55,838 --> 00:38:59,599 +possible information {inaudiable} expose MISP + +1234 +00:38:58,159 --> 00:39:02,399 +and you can enable the one that you want + +1235 +00:38:59,599 --> 00:39:05,39 +so we have around 150 libraries now + +1236 +00:39:02,400 --> 00:39:05,680 +ranging from classifications, specific one for + +1238 +00:39:05,679 --> 00:39:10,559 +intelligence communities and some + +1239 +00:39:08,159 --> 00:39:12,399 +other activities so this one is our + +1240 +00:39:10,559 --> 00:39:13,440 +really useful label and you can just + +1241 +00:39:12,400 --> 00:39:15,39 +{inaudiable share/pick} the one that you want and we maintain those one + +1243 +00:39:15,39 --> 00:39:18,880 +so we have some that are coming from + +1244 +00:39:16,960 --> 00:39:21,39 +third party, some that we are collecting + +1245 +00:39:18,880 --> 00:39:23,39 +as each projects are creating. + +1246 +00:39:21,39 --> 00:39:24,719 +It's really usually a good source to see + +1247 +00:39:23,39 --> 00:39:26,838 +how other communities are using + +1248 +00:39:24,719 --> 00:39:28,639 +classifying and contextualizing the + +1249 +00:39:26,838 --> 00:39:30,480 +information, there nevertheless the + +1250 +00:39:28,639 --> 00:39:35,759 +taxonomy itself was like kind of labels, those labels were quite small + +1253 +00:39:33,519 --> 00:39:36,960 +so it was not like completely extensive information so + +1255 +00:39:36,960 --> 00:39:41,39 +over the time we maintain a kind of more extensive one called the galaxy + +1257 +00:39:41,39 --> 00:39:47,279 +you will hear the term very often + +1258 +00:39:44,79 --> 00:39:49,200 +those galaxies are defining many things + +1259 +00:39:47,280 --> 00:39:51,40 +for example one of the most common one is the threat actor + +1261 +00:39:50,39 --> 00:39:54,400 +we have a huge database of threat actors but a lot of + +1262 +00:39:52,800 --> 00:39:56,400 
+times it was extended + +1263 +00:39:54,400 --> 00:39:58,320 +for example, Microsoft is not using + +1264 +00:39:56,400 --> 00:39:59,358 +threat actors for example there is this activity group is part of the + +1266 +00:39:59,358 --> 00:40:05,119 +galaxy, it's really one that we + +1267 +00:40:02,400 --> 00:40:05,760 +use for different and you can represent whatever + +1269 +00:40:05,760 --> 00:40:09,280 +galaxy you want so you have a predefined + +1270 +00:40:07,358 --> 00:40:10,960 +set of existing one but you can create your own + +1272 +00:40:10,960 --> 00:40:14,400 +so if you have your own threat actor database + +1273 +00:40:12,880 --> 00:40:16,480 +you can create your own from scratch or + +1274 +00:40:14,400 --> 00:40:17,280 +you can reuse and fork existing ones so + +1275 +00:40:16,480 --> 00:40:18,480 +that's really those kind of things that we manage in + +1277 +00:40:18,480 --> 00:40:21,920 +the project is not only code and software + +1278 +00:40:20,318 --> 00:40:23,39 +we manage those kind of knowledge base + +1280 +00:40:23,39 --> 00:40:27,759 +for intelligent {inaudiable} organization + +1281 +00:40:26,79 --> 00:40:29,200 +we have some specific one like the notice list + +1283 +00:40:28,899 --> 00:40:32,480 +this one is a pretty small one that you use for the GDPR aspect + +1285 +00:40:32,480 --> 00:40:36,480 +but this one can be used for anything you want, + +1287 +00:40:35,480 --> 00:40:40,960 +It's for informing the analyst or the user of MISP when he + +1288 +00:40:39,358 --> 00:40:41,440 +touched some specific information in MISP + +1290 +00:40:41,440 --> 00:40:45,280 +that could impact for example the legal framework and so on + +1292 +00:40:44,280 --> 00:40:49,280 +it's actively use in the intelligence community, + +1293 +00:40:47,119 --> 00:40:50,960 +law enforcement and so on maybe less in + +1294 +00:40:49,280 --> 00:40:52,880 +security operation center but it's + +1295 +00:40:50,960 --> 00:40:54,880 +coming more and more due to the legal 
+ +1296 +00:40:52,880 --> 00:40:56,240 +side of information sharing and + +1297 +00:40:54,880 --> 00:40:58,480 +especially storing information that might contain personal information + +1299 +00:40:58,480 --> 00:41:02,480 +then we have another one called the + +1300 +00:40:59,679 --> 00:41:08,159 +warning list and Andras quickly mentioned this kind of recurring problems or false positives + +1303 +00:41:06,559 --> 00:41:12,719 +and the one in MISP are basically list of existing potential false positives + +1305 +1306 +00:41:12,719 --> 00:41:17,439 +for example we have lists of well-known IP addresses from Microsoft, for example. + +1308 +00:41:17,440 --> 00:41:20,800 +We have list of things like domain names used by Google and so on + +1310 +00:41:20,800 --> 00:41:25,599 +that's already helping users to find out + +1311 +00:41:23,519 --> 00:41:27,119 +if something might be a false positive + +1312 +00:41:25,599 --> 00:41:28,559 +and we do that automatically and we + +1313 +00:41:27,119 --> 00:41:30,800 +maintain those libraries because one {inaudiable MISP/reason} they're automatically updated regularly + +1315 +00:41:30,800 --> 00:41:34,79 +I think we have around 50 lists nowadays + +1318 +00:41:34,79 --> 00:41:38,160 +It's really useful when you do on a day-to-day basis and creating events and + +1320 +00:41:38,159 --> 00:41:41,838 +so on you can really find and spot things that might be a false positive in advance + +1323 +00:41:41,838 --> 00:41:48,0 +2503.119 --> 2508 +by having those warning lists enabled + +1324 +00:41:45,280 --> 00:41:49,839 +and again it's up to the user to select + +1325 +00:41:48,0 --> 00:41:53,39 +2508 --> 2511.04 +one {inaudiable} warning list or to enable everything depending on the different use case + +1328 +00:41:52,800 --> 00:41:55,920 +so that's one of those {inaudiable} pillar + +1329 +00:41:54,480 --> 00:41:57,519 +knowledge base i mean a lot of + +1330 +00:41:55,920 --> 00:41:57,519 +contributions coming from threat parties + 
+1332 +00:41:57,519 --> 00:42:02,480 +are coming from that aspect so it's not really programmers + +1333 +00:42:00,719 --> 00:42:03,679 +or coders that are contributing there + +1334 +00:42:02,480 --> 00:42:05,599 +but it's more analysts and people doing really threat intelligence + +1336 +00:42:05,599 --> 00:42:10,160 +or classification and so on + +1337 +00:42:08,318 --> 00:42:12,79 +is really something that is useful for everyone + +1338 +00:42:10,159 --> 00:42:14,159 +without being your direct contributions on the code + +1340 +00:42:14,159 --> 00:42:18,719 +then over the times we we we became a kind of de facto standard and + +1342 +00:42:18,719 --> 00:42:22,480 +uh nowadays is even more than a de facto standard, is a standard + +1344 +00:42:22,480 --> 00:42:27,199 +We published as an interesting engineering task force draft + +1346 +00:42:27,199 --> 00:42:31,439 +all those documents especially the core format + +1348 +00:42:31,440 --> 00:42:35,200 +and to ease that for the development of external tools +1350 +00:42:35,199 --> 00:42:39,279 +integration and so on. + +1351 +00:42:38,0 --> 00:42:40,119 +2558 --> 2561.119 +So if you're interested you can go to the + +1352 +00:42:39,280 --> 00:42:42,319 +MISP platform website where we describe the different standards that we + +1354 +00:42:42,318 --> 00:42:47,199 +published. 
We even co-host standards that are for people + +1356 +00:42:47,199 --> 00:42:51,598 +integrating with MISP + +1357 +00:42:50,480 --> 00:42:53,599 +and we have specific standards for example for the object template + +1359 +00:42:53,599 --> 00:42:56,800 +and that's something that we will talkabout but that's something that was + +1360 +00:42:54,800 --> 00:42:58,79 + +1361 +00:42:56,800 --> 00:42:59,839 +really a need for us from the early beginning of MISP + +1363 +00:42:59,838 --> 00:43:02,799 +a lot of organizations want to have their own structure of information + +1365 +00:43:02,800 --> 00:43:06,880 +about objects and so on and we have a flexible model in MISP to + +1367 +00:43:06,880 --> 00:43:11,358 +really create your own data models and this one is standardized too + +1369 +00:43:11,358 --> 00:43:15,358 +and it's really helping sharing communities to + +1371 +00:43:15,358 --> 00:43:20,318 +extend MISP as they wish and their models without breaking the + +1373 +00:43:20,318 --> 00:43:24,79 +the standards itself so that's really interesting for for showing you new models + +1376 +00:43:24,79 --> 00:43:28,79 +and then next to that we will do everything possible to help community + +1378 +00:43:28,79 --> 00:43:31,359 +and Andras just mentioned the question of the + +1380 +00:43:31,358 --> 00:43:35,679 +legal aspect and i think maybe some of + +1381 +00:43:33,599 --> 00:43:38,640 +you already have this order to + +1382 +00:43:35,679 --> 00:43:40,399 +seek legal team about the information sharing policies and so on + +1384 +00:43:40,400 --> 00:43:44,880 +we try to make it easier so we publish this kind of compliance document + +1386 +00:43:44,880 --> 00:43:48,160 +and so on it's part of the MISP project + +1387 +00:43:46,719 --> 00:43:50,879 +everything is open source again so everything we do is open source and + +1389 +00:43:50,880 --> 00:43:55,760 +on open access. You can reuse it and so on. 
We have for example a specific + +1391 +00:43:55,760 --> 00:44:01,679 +document about building communities which is something that we do within the X-ISAC project + +1394 +00:44:01,679 --> 00:44:08,960 +and it's containing kind of best practices what are kind of agreement that you can + +1397 +00:44:08,960 --> 00:44:11,119 +use when doing a setup of sharing communities. + +1399 +00:44:11,119 --> 00:44:15,440 +Up to things about how to do contextualization and so on + +1400 +00:44:13,280 --> 00:44:17,40 +so that's that's maybe something that + +1401 +00:44:15,440 --> 00:44:17,519 +for an organization that wants to boost up an ISAC or sharing communities they can + +1404 +00:44:19,760 --> 00:44:23,760 +look at those documents and so on so it's again a thing that we try to help + +1406 +00:44:23,760 --> 00:44:30,800 +for example we produce kind of OSINT feeds of existing reports and so on to + +1408 +00:44:30,800 --> 00:44:36,880 +not only have software ready but to have some content and to show what kind of + +1411 +00:44:36,880 --> 00:44:42,559 +information can be shared within different MISP communities. 
+ +1413 +00:44:42,559 --> 00:44:48,880 +So let us some get some of the naming conventions out of the way + +1415 +00:44:48,880 --> 00:44:52,880 +before we start with the hands-on stuff and + +1416 +00:44:50,400 --> 00:44:58,719 +just a quick explanation of the different uh data points and uh and naming conventions + +1419 +00:44:57,119 --> 00:45:00,400 +that we use for them so it's a bit easier afterwards + +1421 +00:45:00,400 --> 00:45:08,0 +this can be a bit overwhelming, don't worry we'll go through everything step by step also + +1424 +00:45:04,639 --> +during the hands-on part + +1426 +00:45:05,519 --> 00:45:13,440 +So basically all the data that goes into MISP, we separate into two main layers + +1427 +00:45:11,358 --> 00:45:14,880 +one we call data layer which is really everything it has to do with + +1429 +00:45:14,880 --> 00:45:22,0 +individual data points their compositioning and so on + +1432 +00:45:20,400 --> 00:45:23,358 +So everything that we share in MISP in general in this regard + +1433 +00:45:22,0 --> 00:45:25,199 +2722 --> 2725.2 +starts with something that we call an event, these are our general + +1435 +00:45:25,199 --> 00:45:28,559 +envelopes for information so that means that + +1437 +00:45:28,559 --> 00:45:32,960 +whenever we're describing an incident, we're describing a threat report + +1439 +00:45:32,960 --> 00:45:36,0 +2732.96 --> 2736 +we're describing a watch list that we recurringly update + +1441 +00:45:36,0 --> 00:45:40,400 +2736 --> 2740.4 +and they will all be grouped into something that we call an event + +1443 +00:45:40,400 --> 00:45:45,680 +So the name is a little bit controversial at times, we try to pick a name + +1445 +00:45:45,679 --> 00:45:49,519 +that is the least amount of a loaded term that we could find + +1448 +00:45:51,440 --> 00:45:56,240 +but obviously even with that there it can be a bit confusing but just consider + +1450 +00:45:56,239 --> +it as a generic container for data that has some contextual linking + 
+1453 +00:45:59,39 --> 00:46:06,318 +then each of these events is populated with lists of attributes. + +1455 +00:46:05,318 --> 00:46:09,838 +So attributes are the most basic data points in MISP + +1457 +00:46:09,838 --> 00:46:13,279 +an attribute can describe for example an IP address + +1459 +00:46:13,280 --> 00:46:21,199 +you can describe a file hash or it can describe a car plate number for example + +1462 +00:46:21,199 --> 00:46:27,759 +It's basically just an individual data point with some basic context around it + +1465 +00:46:27,760 --> 00:46:30,800 +such as describing in what context this was seen in + +1467 +00:46:30,800 --> 00:46:32,960 +what type we're using to describe the attribute, + +1469 +00:46:32,960 --> 00:46:39,679 +for example that we're using an MD5 hash to describe the hash of a file + +1471 +00:46:39,679 --> 00:46:44,318 +would be one of those descriptions, hopefully not used as much these days + +1473 +00:46:44,318 --> 00:46:51,920 +but that's just an example and then we can take these individual attributes + +1476 +00:46:49,599 --> 00:46:55,318 +and composite them into what we call objects that are describing multifaceted concepts. + +1478 +00:46:54,318 --> 00:46:59,440 +For example, a file object would be described by a list of attributes + +1480 +00:46:59,440 --> 00:47:05,760 +including a file name, different file hashes, maybe file entropy and so on and so forth. + +1484 +00:47:05,760 --> 00:47:11,440 +Each of these individual objects and attributes can then be further interlinked by what we call references. 
+ +1487 +00:47:11,440 --> 00:47:15,119 +So that means that most of the time when we're describing data in MISP + +1489 +00:47:15,119 --> 00:47:20,0 +we're trying to tell a story so we're thinking graphs instead of individual data points + +1492 +00:47:20,0 --> 00:47:24,559 +2840 --> 2844.559 +that means that we can for example, describe the entire flow of an attack + +1494 +00:47:24,559 --> 00:47:28,79 +from the initial attack vector all the way to the exploitation + +1496 +00:47:28,79 --> 00:47:33,599 +using the interconnected graphs using these references so we could say + +1498 +00:47:33,599 --> 00:47:36,960 +initially it all started with an email that was received + +1500 +00:47:36,960 --> 00:47:40,559 +that contained for example a malicious sample which then had to send this effect + +1503 +00:47:42,480 --> 00:47:45,838 +in our infrastructure so all of these different steps can be then described + +1506 +00:47:45,0 --> 00:47:53,519 +2868 --> 2873.52 +via different references there then to aggregate this information + +1508 +00:47:53,519 --> 00:47:58,79 +into and aggregate the sightings of this information via structure + +1510 +00:47:58,79 --> 00:48:02,280 +that basically captures sightings from our different information sources + +1512 +00:48:01,280 --> 00:48:05,760 +that means if you have an IDS that is generating alerts + +1514 +00:48:05,760 --> 00:48:10,640 +you can feed information back on when individual attributes were seen + +1516 +00:48:10,639 --> 00:48:16,159 +in your network, in your premises or at your partners and so on + +1518 +00:48:16,159 --> 00:48:21,920 +so this is basically it for the data layer, these are our main building blocks for that. + +1521 +00:48:21,920 --> 00:48:27,599 +now in order to contextualize this information, we have different tools at our disposal. 
+ +1523 +00:48:27,599 --> 00:48:32,160 +The most simple one is what we call tags these are basic text labels that + +1525 +00:48:31,159 --> 00:48:35,598 +we attach on individual data points or entire events + +1527 +00:48:35,599 --> 00:48:39,440 +and these can either be created freely or most commonly they come from what we call taxonomies. + +1530 +00:48:41,519 --> 00:48:46,400 +They're basically standardized vocabularies and that are either shared + +1532 +00:48:46,400 --> 00:48:54,880 +by us so the MISP project at large or by individual communities to their members so + +1535 +00:48:53,119 --> 00:48:57,39 +these vocabularies can include anything from for example something is simple and + +1537 +00:48:57,39 --> 00:49:01,279 +and commonly used as TLP to national classifications + +1540 +00:49:01,279 --> 00:49:08,719 +to various different sectoral classifications and so on + +1541 +00:49:06,318 --> 00:49:12,79 +now if you wanted to provide more high-level information instead of just simple + +1544 +00:49:12,559 --> 00:49:16,640 +labels for the information we can use what we call galaxy clusters + +1546 +00:49:16,639 --> 00:49:20,400 +so galaxy cluster is basically a knowledge based element that we use as a label + +1549 +00:49:21,199 --> 00:49:24,879 +these can be either coming from standard libraries + +1551 +00:49:24,880 --> 00:49:28,480 +such as the ones that we maintain or you can create them ad-hoc in MISP. 
+ +1553 +00:49:28,480 --> 00:49:30,0 +That means if you're describing a threat actor + +1555 +00:49:30,0 --> 00:49:35,358 +you could create create a threat actor galaxy cluster that describes the various metadata + +1557 +00:49:35,358 --> 00:49:38,558 +about the threat actor and then use this to label your data whenever you think + +1560 +00:49:38,880 --> 00:49:42,160 +that whatever you're describing is associated with a threat actor + +1562 +00:49:42,159 --> 00:49:46,480 +you can also create for example a galaxy cluster describing the different + +1564 +00:49:46,480 --> 00:49:53,760 +target sectors and then interlink using cluster relationships + +1566 +00:49:53,760 --> 00:50:04,559 +the threat actor galaxy clusters with target sectors with exploited TTP and so on and so forth + +1569 +00:50:03,440 --> 00:50:07,39 +So these are the high level structures that you can put on top of your data + +1572 +00:50:06,719 --> 00:50:14,838 +basically to further contextualize it. Alex + +1574 +00:50:15,119 --> 00:50:21,39 +Yeah, so just to summarize it and that's always a lot of people are asking about it + +1577 +00:50:21,199 --> 00:50:26,319 +how do you summarize it about, for example in easy way you have to see really + +1580 +00:50:26,318 --> 00:50:29,838 +MISP {inaudiable environment/development} as an envelope and then you + +1581 +00:50:28,79 --> 00:50:32,318 +have information inside and then what Andras describe is basically + +1583 +00:50:32,318 --> 00:50:34,800 +different component that you have within that envelope and then you have + +1586 +00:50:35,760 --> 00:50:42,480 +contextual layers on that envelope and relationship that are basically based on on that. 
+ +1589 +00:50:42,880 --> 00:50:50,400 +So, another thing that is very often and I think it is good to explain it, is about the + +1592 +00:50:48,960 --> 00:50:53,119 +terminology between indicators, attributes, and so on that is + +1594 +00:50:53,119 --> 00:50:57,358 +a different especially indicator of compromise and so on + +1596 +00:50:57,358 --> 00:51:01,440 +In MISP, an attribute is close to an indicator + +1598 +00:51:01,440 --> 00:51:05,599 +and we have this kind of flexible models where + +1600 +00:51:05,599 --> 00:51:09,200 +maybe some of you are familiar with observables in MISP + +1602 +00:51:09,199 --> 00:51:13,440 +we call it attributes and those observables are basically depending on the type + +1605 +00:51:13,440 --> 00:51:20,0 +So, we have a specific flag in attributes which is basically defining + +1608 +00:51:20,0 --> 00:51:23,599 +3080 --> 3083.599 +if information can be used automatically for detection + +1610 +00:51:23,599 --> 00:51:29,960 +and that's i think one of the most important aspects when we talk about attribute in MISP + +1613 +00:51:28,880 --> 00:51:34,119 +an attribute can become an observable or become an indicator of compromise + +1615 +00:51:33,119 --> 00:51:37,880 +depending on the simple flag and this is quite important because + +1618 +00:51:37,280 --> 00:51:43,599 +a lot of analysis and so on will depend on that and especially all you will use that afterwards + +1621 +00:51:43,599 --> 00:51:48,39 +if you plan for example to use the data into a protective systems and so on + +1624 +00:51:48,39 --> 00:51:54,79 +the IDS flags need to be set so the thing is if i take an example + +1626 +00:51:54,79 --> 00:51:56,480 +you reverse the malware and this malware is connected to google.com for testing the connectivity + +1629 +00:51:59,519 --> 00:52:04,79 +obviously you will have an attribute for example www.google.com + +1632 +00:52:03,79 --> 00:52:09,440 +and this one is an interesting indicator for information for the analyst + 
+1634 +00:52:09,440 --> 00:52:14,0 +so like that you can for example maybe cluster those kind of malware together as in this kind of behavior + +1637 +00:52:14,0 --> 00:52:19,279 +3134 --> 3136.64 +nevertheless you are not really interested in that information as an indicator of compromise + +1641 +00:52:19,280 --> 00:52:23,480 +because it will generate a huge amount of false positive + +1644 +00:52:23,480 --> 00:52:28,640 +but if for example at some point you have an IP address that is really dedicated to that malware + +1646 +00:52:28,639 --> 00:52:39,719 +then you will set the IDS flag, so the thing is when you define in MISP these flags + +1649 +00:52:38,760 --> 00:52:41,599 +and we will show you later on it's very important because it will define what you can do + +1652 +00:52:41,599 --> 00:52:48,639 +3164 --> 3166.64 +with information later on if you're going to automate and so on like + +1655 +00:52:48,159 --> 00:52:52,239 +In MISP, what we try to do too instead of having just indicators + +1657 +00:52:52,239 --> 00:52:57,280 +it's very common and i think many of you know about it you might see for example + +1660 +00:52:57,280 --> 00:53:01,599 +a list of hashes so like for example MD5 hashes without any context + +1662 +00:53:01,599 --> 00:53:05,280 +and sometimes it's difficult to know exactly what we are talking about + +1664 +00:53:05,280 --> 00:53:11,599 +Are we talking about MD5 of malicious sample, are we talking about md5 of legitimate software, + +1667 +00:53:11,599 --> 00:53:17,39 +are we talking about the MD5 value of the X.509 certificate, + +1669 +00:53:17,39 --> 00:53:29,719 +are we talking about an MD5 as a mutex in memory + +1670 +00:53:19,679 --> 00:53:25,759 +we have plenty of way of seeing those kind of MD5 so we try in MISP to have what we call the + +1673 +00:53:25,759 --> 00:53:30,318 +kind of i would not say {inaudiable keep shine/kill shine} but at least contextualization a category that + +1675 +00:53:30,318 --> 00:53:35,279 +help to 
see in which context this has been seen + +1677 +00:53:35,280 --> 00:53:41,119 +and as for example if 1 MD5 might have a payload delivery, telling that in which scope this has been set + +1680 +00:53:40,559 --> 00:53:45,440 +So that means in MISP we have always and complementary type + +1682 +00:53:45,440 --> 00:53:52,639 +so for example for an MD5 files you can say that this one is from a file or is an md5 of a fingerprint thing + +1686 +00:53:52,639 --> 00:53:59,679 +So that means, always in MISP try to have as an indicator all those three information together + +1689 +00:53:59,679 --> 00:54:06,639 +so it is giving at least more context and if you cannot set this context MISP will try to automatically set it. + +1692 +00:54:05,639 --> 00:54:12,239 +So attributes are equal to indicators but with a bit more of information which is useful for you + +1695 +00:54:12,239 --> 00:54:19,358 +At least being in a way to understand what is in a position to understand what you have in front of you + +1699 +00:54:19,358 --> 00:54:28,400 +when you have to treat those attributes. + +1700 +00:54:25,358 --> 00:54:29,920 +So this is just a brief view of what this looks like. 
+ +1702 +00:54:29,920 --> 00:54:36,239 +We're going to see this more in practice basically the idea is that all the data that we have in MISP + +1705 +00:54:36,239 --> 00:54:43,798 +if it's well defined allows us to draw a graph out of the data and allows us to tell a story more easily + +1708 +00:54:42,880 --> 00:54:55,798 +So here we see a simple example that basically shows the bank account that is associated with the threat actor + +1712 +00:54:54,480 --> 00:55:00,679 +With all the various different data points with it and then we can basically relate these + +1715 +00:54:59,280 --> 00:55:03,200 +different data points to each other and give the relationship a term as well + +1718 +00:55:04,880 --> 00:55:08,160 +So in this case we see from the chart immediately there that that person is the owner of that + +1720 +00:55:08,159 --> 00:55:13,119 +bank account with all those different data points for us as humans it's it's generally much more + +1724 +00:55:13,119 --> 00:55:18,839 +easily understood if we look at a graph like that and tell the story that way + +1727 +00:55:17,839 --> 00:55:22,480 +then if we look at a tabularized view of the data. + +1728 +00:55:20,798 --> 00:55:24,239 +So one of the goals and something that we hope that we get out of + +1731 +00:55:24,239 --> 00:55:32,480 +going through trainings like these is to really convert also the participants + +1732 +00:55:29,679 --> 00:55:38,558 +to to see the value of producing data in that way instead of just sharing raw indicator lists for example. + +1735 +00:55:40,0 --> 00:55:45,199 +3340 --> 3343.2 +And that's again what we think that's really important is the contextualization again. 
+ +1738 +00:55:45,280 --> 00:55:50,480 +So i mentioned we have the galaxies in MISP and we have plenty of representation + +1741 +00:55:50,318 --> 00:55:55,838 +threat actors and so on and obviously one that is quite important is the MITRE Attack one + +1744 +00:55:54,719 --> 00:55:57,759 +so MITRE Attack is {inaduiable stored/performed} as a galaxy + +1746 +00:55:57,760 --> 00:56:01,520 +and we have this flexible {inaduiable mosaic/table} in MISP that you can represent those kind of + +748 +00:56:01,519 --> 00:56:07,39 +matrix-like model which is a case for Attack which is a very convenient way of representing the + +1752 +00:56:07,679 --> 00:56:14,480 +different techniques in a progressive way used by the attackers and that's exactly what we can do in MISP. + +1755 +00:56:14,159 --> 00:56:22,79 +So you have this kind of model and we have different model formats so again we have an advanced + +1758 +00:56:22,79 --> 00:56:30,838 +i would say integration with Attack but you can extend it with multiple different kinds of galaxies which are + +1762 +00:56:30,0 --> 00:56:33,838 +3390 --> 3393.839 +similar to Attack or complementary for example we have the Industrial Control System of Attack, + +1765 +00:56:34,400 --> 00:56:39,440 +it's a separated galaxy, you can even create a custom one directly in the system + +1768 +00:56:39,440 --> 00:56:46,519 +and then you can filter out your data and so on and that's exactly the thing why we are i would say + +1771 +00:56:46,880 --> 00:56:51,480 +in bracket pushing people to do more contextualization, it would be useful forthem at the end + +1774 +00:56:51,599 --> 00:56:58,960 +because this kind of information is really showing you for example your gap in your defense + +1778 +00:56:58,960 --> 00:57:02,720 +your specific things that the techniques that are not used by an attacker + +1780 +00:57:02,719 --> 00:57:05,279 +you might ask why, maybe because you are missing a specific detection point that you cannot + +1783 
+00:57:05,279 --> 00:57:12,239 +detect this kind of attacks or things like that so it's really actively using the data + +1786 +00:57:12,239 --> 00:57:15,759 +to show something meaningful with it and i think Attack is one of the way + +1788 +00:57:15,760 --> 00:57:19,119 +but if you can combine this with additional information like site links, + +1789 +00:57:19,119 --> 00:57:22,239 +contextualization of the relationship between different objects and so on + +1792 +00:57:22,239 --> 00:57:26,558 +basically everything in hand to improve your posture and secure it. + +1794 +00:57:26,559 --> 00:57:29,0 +Yeah perhaps something to add to this as well, + +1796 +00:57:29,0 --> 00:57:33,838 +some of the additional advantages is the moment that you encode all this information along + +1798 +00:57:33,838 --> 00:57:39,39 +with the data you can start asking those those questions from your tool basically + +1800 +00:57:39,39 --> 00:57:47,838 +for example show me what sort of threats my constituency is facing over the past year + +1804 +00:57:45,760 --> 00:57:49,760 +and overlayed over how what sort of threats it was facing a year ago + +1806 +00:57:49,760 --> 00:57:52,319 +what are the trends that have evolved since then + +1808 +00:57:52,318 --> 00:57:58,960 +the other thing that it really helps with is it also gives you a high level overview of individual reports + +1811 +00:57:56,400 --> 00:58:06,78 +that means if I'm looking at an event in MISP and it has 800 different attributes described in there + +1815 +00:58:06,79 --> 00:58:10,719 +making any sense out of that quickly is very difficult, but getting a high level overview using MITRE Attack + +1818 +00:58:10,719 --> 00:58:16,239 +where you say oh okay this has to deal with spearphishing, it has to deal with information exfiltration, + +1821 +00:58:16,239 --> 00:58:22,79 +so these immediately tell me the story of what i'm dealing with without having to dig deeper into the data itself + +1825 +00:58:22,79 --> 00:58:27,480 
+so it is incredibly useful for an analyst that is trying to make sense of the data that you're sharing. + +1828 +00:58:27,480 --> 00:58:36,0 +Also, as for the sharing itself i mean one of the main goals with MISP is obviously to share information, + +1831 +00:58:36,0 --> 00:58:43,280 +We haven't really talked about the sharing mechanisms yet, we basically have a bunch of different functionalities in MISP + +1834 +00:58:42,880 --> 00:58:48,639 +that we're going to see over the next two days the deal with distributing the information. + +1838 +00:58:48,639 --> 00:58:55,280 +One of the most obvious ones to tackle is basically who is to be the recipient of information that we're sharing + +1842 +00:58:55,280 --> 00:59:04,400 +so basically MISP, we can basically set the distribution settings for each individual data point individually + +1846 +00:59:04,400 --> 00:59:10,760 +or for entire collections of data in one shot so that means if we create an event we can decide who we share the event with + +1849 +00:59:09,760 --> 00:59:15,160 +but we can further restrict individual attributes or objects further. + +1854 +00:59:14,838 --> 00:59:26,79 +Now, who we share the information with gets decided on using one of two different means, + +1857 +00:59:25,79 --> 00:59:29,39 +one of them is a simple system where we tell MISP you are allowed to distribute it to everyone + +1858 +00:59:28,440 --> 00:59:31,280 +that has access to this community, for example. + +1860 +00:59:31,280 --> 00:59:39,440 +Or to everyone that is directly connected to my community but you can also define more strict distribution lists + +1863 +00:59:37,838 --> 00:59:44,400 +what we call sharing groups where you individually name the organizations that are to be the recipients. 
+ +1868 +00:59:44,400 --> 00:59:52,159 +Now on top of that, one of the things that we often struggle with is especially if you're in some of those communities + +1872 +00:59:51,159 --> 01:00:01,39 +or you're taking part or assisting some of the communities where sharing any information might lead to reputation or financial loss. + +1876 +01:00:01,39 --> 01:00:04,318 +For example in the financial sector we have these worries very often + +1878 +01:00:04,318 --> 01:00:08,318 +where if a financial organization were to share any information out + +1880 +01:00:08,318 --> 01:00:11,838 +it could be misconstrued as a successful attack against them. + +1882 +01:00:11,838 --> 01:00:15,719 +So instead, they choose to basically even if it was something completely benign + +1884 +01:00:14,719 --> 01:00:20,239 +that they caught in their sandboxes, in their honeypots, whatever + +1887 +01:00:19,199 --> 01:00:24,399 +and they decide not to share it out of fear of incurring this reputation loss. + +1889 +01:00:24,399 --> 01:00:29,440 +So one of the things that we have in MISP is this system called Delegation + +1891 +01:00:29,440 --> 01:00:31,920 +where you can, for example appoint your ISAC, + +1892 +01:00:29,679 --> 01:00:38,558 +your central authority for a community, a national CSIRT, whatever + +1893 +01:00:38,558 --> 01:00:41,599 +with the responsibility of taking over the data that you produce + +1898 +01:00:41,599 --> 01:00:43,480 +and to share it out in their name + +1900 +01:00:43,480 --> 01:00:48,838 +so that way, it's basically a semi anonymized information sharing + +1901 +01:00:48,559 --> 01:00:50,880 +where you are completely removed from the data that is shared out + +1903 +01:00:50,880 --> 01:00:55,500 +so the only two parties that will know who the originator of the data is you + +1904 +01:00:55,500 --> 01:01:01,500 +and whoever is taking over the data and taking over responsibility for the data. 
+ +1909 +01:01:02,0 --> 01:01:05,280 +On top of that, one of the things that we wanted to achieve with MISP + +1911 +01:01:05,280 --> 01:01:08,720 +was basically to build a collaboration with our different partners + +1913 +01:01:08,719 --> 01:01:11,519 +so it means that whenever we're sharing information we don't want it to + +1915 +01:01:11,519 --> 01:01:14,358 +be a one-way communication, so we don't want to have + +1916 +01:01:13,358 --> 01:01:17,500 +this whole feed, provider and consumers relationship + +1919 +01:01:17,500 --> 01:01:20,798 +but we want everyone to be able to chip in with their ideas + +1920 +01:01:20,798 --> 01:01:24,559 +so while anything that you produce in MISP will only be tied and editable + +1921 +01:01:24,559 --> 01:01:28,719 +by your organization, others can make proposals or counter analysis to it. + +1924 +01:01:28,719 --> 01:01:32,919 +So proposals are a system where you can basically flag information + +1926 +01:01:32,919 --> 01:01:37,0 +as incorrect and provide feedback on how to improve it + +1928 +01:01:37,0 --> 01:01:40,0 +or how you can add your own perspective to an event, + +1930 +01:01:40,0 --> 01:01:42,0 +so if you receive an event from a third party you can say + +1931 +01:01:42,0 --> 01:01:44,400 +oh i can improve it and {inaudiable listen/discern} this way + +1932 +01:01:44,400 --> 01:01:46,8 +please incorporate these changes in the event + +1933 +01:01:46,318 --> 01:01:49,500 +and then the original producer can make the decision + +1935 +01:01:48,500 --> 01:01:51,519 +whether to incorporate it or discard your changes. + +1936 +01:01:51,519 --> 01:01:55,358 +As for counter analysis, this is what we call extend events. + +1938 +01:01:55,358 --> 01:01:59,358 +You can basically create an event that latches onto an original + +1940 +01:01:59,358 --> 01:02:03,38 +shared by a third party and provide your own perspective of it. 
+ +1942 +01:02:03,0 --> 01:02:06,160 +and then you keep full control of the data and you become the owner + +1945 +01:02:06,160 --> 01:02:09,440 +of whatever the extension is that you produce to the original event. + +1946 +01:02:09,440 --> 01:02:17,280 +This happens very often for us, for example when a vendor shares out a report. + +1949 +01:02:17,280 --> 01:02:21,0 +For example, we get a report from say kaspersky and we have additional information + +1951 +01:02:20,0 --> 01:02:25,519 +or we have a different opinion on something, + +1954 +01:02:25,519 --> 01:02:29,960 +then we might create an extended event that we share out to our constituency + +1957 +01:02:28,960 --> 01:02:33,358 +which if they have access to the original report will latch onto it + +1958 +01:02:33,358 --> 01:02:37,0 +and it will show our perspective on top of the original. + +1960 +01:02:37,519 --> 01:02:41,440 +Now as for the exchange itself, every organization is free to host their own + +1962 +01:02:41,440 --> 01:02:44,960 +MISP instance and then they can decide who they want to interconnect with + +1964 +01:02:44,960 --> 01:02:48,240 +if both parties agree, a synchronization link is established + +1966 +01:02:48,239 --> 01:02:51,838 +between the two MISP instance and sharing can start flowing between them. + +1968 +01:02:51,838 --> 01:02:55,0 +Now this sharing is still governed by those distribution lists + +1970 +01:02:54,500 --> 01:02:59,199 +and by some other mechanism that we'll talk about more tomorrow + +1972 +01:02:59,199 --> 01:03:04,0 +but basically MISP exchanges information between the individual nodes + +1974 +01:03:02,798 --> 01:03:06,880 +in kind of a mesh network way. + +1976 +01:03:06,880 --> 01:03:10,0 +We also have feed system that allows us to generate feeds + +1977 +01:03:10,0 --> 01:03:11,960 +and to share those feeds with larger communities. 
+ +1979 +01:03:11,960 --> 01:03:15,559 +So we as CIRCL we provide another SIEM feed, for example + +1980 +01:03:15,280 --> 01:03:20,0 +that we make freely available in our infrastructure + +1981 +01:03:20,0 --> 01:03:22,440 +anyone can just point their MISP to it and adjust the data + +1983 +01:03:22,440 --> 01:03:26,119 +and keep it updated using the feed system, this is also great + +1985 +01:03:26,119 --> 01:03:30,0 +if you have ever have the need of sharing information between air gap systems. + +1986 +01:03:29,559 --> 01:03:37,0 +You can just generate a feed based on certain filter rules and basically + +1989 +01:03:37,0 --> 01:03:43,0 +share it through say a flash drive or something like that, with an internal system + +1993 +01:03:44,0 --> 01:03:48,720 +Now all of these filtering options are basically user defined + +1994 +01:03:48,0 --> 01:03:50,880 +and they rely heavily also on the contextualization + +1997 +01:03:50,880 --> 01:03:54,0 +so very often what we're doing and especially + +1998 +01:03:53,639 --> 01:03:57,0 +if you were ever signing up for the COVID instance that i mentioned before + +2000 +01:03:57,0 --> 01:04:00,559 +is you can also make those decisions based on the context, + +2002 +01:04:00,559 --> 01:04:02,960 +what data you're interested in, what date you're interested in sharing out. + +2004 +01:04:02,960 --> 01:04:06,400 +For example, if you connect to COVID instance, we categorize all of the + +2006 +01:04:06,400 --> 01:04:10,79 +information into three categories, health related information + +2008 +01:04:9,79 --> 01:04:12,720 +so basically information about the spread of the pandemic, + +2010 +01:04:12,719 --> 01:04:16,399 +information about misinformation targeting COVID, + +2012 +01:04:16,400 --> 01:04:22,0 +and also cyber security threats that are targeting, that are now basically + +2014 +01:04:21,0 --> 01:04:27,0 +abusing the whole COVID situation with remote work and so on. 
+ +2016 +01:04:27,0 --> 01:04:30,0 +so if you're only interested in one or two of these three different topics, + +2019 +01:04:30,0 --> 01:04:36,0 +then you can set up your filters to only ingest data coming from a subset of the data set + +2021 +01:04:36,0 --> 01:04:39,0 +Very often what we do as well is we have these internal MISP clusters + +2023 +01:04:38,480 --> 01:04:44,0 +in our own organization as well, where we collect information from different sources + +2026 +01:04:43,798 --> 01:04:48,798 +so we have a dedicated MISP instance where we purely collect spam information for example + +2029 +01:04:48,798 --> 01:04:52,0 +So for a constituency, anyone can forward their spam to us + +2031 +01:04:52,0 --> 01:04:55,358 +and we'll just generate events out of those in that MISP. + +2032 +01:04:55,358 --> 01:04:56,38 +Generally this information + +2033 +01:04:56,38 --> 01:05:00,480 +is really not interesting for a day-to-day detection use, for example. + +2036 +01:05:00,480 --> 01:05:03,679 +But what we do is we cache this information and we can cross-correlate + +2038 +01:05:03,679 --> 01:05:05,759 +this information with our operational instance + +2040 +01:05:05,760 --> 01:05:11,839 +that means if we start the analysis process and we start an investigation + +2042 +01:05:11,839 --> 01:05:14,239 +then we immediately see the moment we start encoding data points + +2044 +01:05:14,239 --> 01:05:18,598 +oh this is something that was already flagged once in our spam instance + +2046 +01:05:18,598 --> 01:05:210,359 +this information that that instance knows about, + +2048 +01:05:210,359 --> 01:05:24,840 +then we can pivot over to that instance and fetch the information + +2049 +01:05:24,840 --> 01:05:28,400 +related to that same data point that we're also seeing in our current incident + +2052 +01:05:28,400 --> 01:05:32,0 +and perhaps get more information that is relevant for us from there. 
+ +2054 +01:05:32,0 --> 01:05:35,79 +3932 --> 3936.079 +So basically very often we have these multi MISP internal enclaves + +2057 +01:05:35,79 --> 01:05:42,0 +that help us basically to separate different concerns and + +2058 +01:05:41,0 --> 01:05:44,0 +different collection mechanisms into their own instances. + +2060 +01:05:45,440 --> 01:05:49,39 +Just in that scope and I think is linked to the question that we had + +2062 +01:05:49,39 --> 01:05:52,799 +regarding the multi MISP internal enclave + +2064 +01:05:52,798 --> 01:05:57,599 +someone was asking about synchronizing with an existing MISP and so. + +2066 +01:05:57,599 --> 01:06:00,720 +You have this kind of local enclave options, where you can synchronize to MISP + +2068 +01:06:00,719 --> 01:06:05,199 +like they behave in the same organization, that's one of the interesting options. + +2071 +01:06:05,199 --> 01:06:09,358 +By the way, I would just give the mic to Josh that will explain a bit more about + +2074 +01:06:09,358 --> 01:06:16,0 +the question and answer in zoom, to have directly the ability to answer the question answering the Zoom {inaudiable} + +2077 +01:06:18,400 --> 01:06:20,639 +I just want to jump in real quick, yeah if you have any questions + +2080 +01:06:20,639 --> 01:06:26,400 +please direct them at the Q&A board versus the chat room + +2081 +01:06:26,400 --> 01:06:28,0 +that way we can kind of keep a monitor of that + +2082 +01:06:28,0 --> 01:06:32,0 +and other people can actually see the questions and the answer directly in that area + +2085 +01:06:32,0 --> 01:06:38,0 +so if you have questions feel free to use the Q&A board and that's all + +2086 +01:06:38,0 --> 01:06:43,199 +thank you josh that's very useful so we can keep track of them and we can answer live or + +2090 +01:06:43,199 --> 01:06:44,700 +directly in the chat. 
+ +2091 +01:06:44,700 --> 01:06:49,520 +Okay great, so you see that the sharing aspect of MISP is like pretty extensive + +2094 +01:06:49,520 --> 01:06:53,279 +and you have different models of of usage of MISP + +2097 +01:06:53,279 --> 01:06:58,318 +some people have this pre-conception about MISP being like oh I need to share with MISP + +2099 +01:06:58,318 --> 01:07:01,119 +no, it's depending on what you want to do with your MISP instance + +2101 +01:07:01,119 --> 01:07:05,500 +and the core functionality of MISP is really to give, I would say the freedom + +2104 +01:07:05,500 --> 01:07:11,0 +to each of the organizations to decide what to do with the data, if they want to share or not + +2106 +01:07:11,0 --> 01:07:17,359 +and we always design MISP that everyone can be kind of consumers + +2109 +01:07:17,359 --> 01:07:21,838 +so that basically getting data from different fields or producer or contributors + +2110 +01:07:21,838 --> 01:07:29,0 +Andras mentioned a different way of contributing like sightings, making proposals, things like that + +2114 +01:07:29,0 --> 01:07:34,240 +but it's up to the original contributors to decide if they want to share + +2117 +01:07:34,240 --> 01:07:41,119 +that's really the thing, with MISP you can set up a MISP for like just pulling data, getting the data and that's it + +2120 +01:07:41,119 --> 01:07:46,480 +and if at one point in time you want to like push some data you can just enable it and that's it + +2123 +01:07:46,480 --> 01:07:51,0 +so it's really, it's just a matter of just tuning the configuration , + +2126 +01:07:51,0 --> 01:07:53,0 +the filtering really on the synchronization, if you want to share. 
+ +2128 +01:07:53,0 --> 01:07:55,838 +So you don't have to change anything in your MISP instance + +2129 +01:07:55,838 --> 01:07:59,0 +it's just a matter of of what you decide and what you need to share + +2132 +01:07:59,0 --> 01:08:01,500 +and then the thing that is really important in MISP + +2133 +01:08:01,500 --> 01:08:05,760 +everything can be in flex. I mean even for example that we were mentioning + +2135 +01:08:05,760 --> 01:08:10,240 +so those kind of envelope information might change over time + +2137 +01:08:10,239 --> 01:08:15,0 +we have seen for example some past or incident report that has been updated like + +2140 +01:08:15,0 --> 01:08:19,0 +two years later because they discover who was the target or the threat actor behind + +2142 +01:08:19,0 --> 01:08:24,0 +and that's the thing that's really in MISP that we really want to be flexible + +2145 +01:08:24,0 --> 01:08:29,500 +you can really expand the information either internally, add some comment and so on + +2147 +01:08:29,500 --> 01:08:35,359 +and to share this information in your different MISP instances and share with partners, + +2150 +01:08:35,359 --> 01:08:37,200 +your teams and so on so. + +2151 +01:08:37,200 --> 01:08:42,0 +Really, MISP the core functionality of MISP is distributing information + +2153 +01:08:42,0 --> 01:08:46,500 +but if you don't want to use it it's fine you just don't enable synchronization + +2156 +01:08:46,500 --> 01:08:50,0 +but if you want to use partially, part of synchronization and so on + +2158 +01:08:50,0 --> 01:08:53,838 +you just set up this kind of parameters. + +2160 +01:08:55,0 --> 01:09:00,0 +So on top of collecting all this information + +2161 +01:09:00,0 --> 01:09:03,0 +and synchronizing the information that we talked about before + +2162 +01:09:03,0 --> 01:09:06,0 +we basically do a bunch of different stuff to improve + +2164 +01:09:06,0 --> 01:09:08,0 +to handle the quality management of the information as well. 
+ +2165 +01:09:08,0 --> 01:09:11,0 +So one of the first things we do, this is something we mentioned a bit before + +2167 +01:09:11,0 --> 01:09:16,0 +is we correlate information so we're interested in data that we've already seen before + +2170 +01:09:16,0 --> 01:09:18,559 +we also have the feedback loop that we mentioned before with sightings + +2172 +01:09:18,560 --> 01:09:22,0 +that means we really want to get timeliness to the information as well + +2175 +01:09:22,0 --> 01:09:27,439 +so that we can but make better decisions on what we keep in our working data set for detection, + +2177 +01:09:27,439 --> 01:09:29,5 +for blocking and so on. + +2178 +01:09:29,520 --> 01:09:33,679 +The false positive management is a huge part so the warning list system + +2180 +01:09:33,679 --> 01:09:37,0 +where we basically exclude those typical false positives + +2182 +01:09:37,0 --> 01:09:41,440 +plays a very important role in the legal equation and this is also a community driven effort + +2184 +01:09:41,439 --> 01:09:46,0 +so if you want to get involved with that and build and include your own infrastructure + +2187 +01:09:46,0 --> 01:09:48,399 +for example in the warning list and so on, + +2189 +01:09:48,399 --> 01:09:53,0 +either do it internally for your MISP or just share it with the open source community as well + +2191 +01:09:53,0 --> 01:09:56,719 +so let us know if you want to have that included as well + +2193 +01:09:56,719 --> 01:09:58,500 +we haven't talked about enrichment systems yet + +2195 +01:09:58,500 --> 01:10:00,880 +but basically one of the things that we do in MISP is + +2196 +01:10:00,880 --> 01:10:05,238 +we have connectors to all those different services that you might already be subscribed to + +2199 +01:10:05,238 --> 01:10:11,439 +so if you have domain tools, passive total or what way or any of the other services + +2202 +01:10:11,439 --> 01:10:15,439 +intel 471, and so on that you already subscribed to, then you can use + +2205 +01:10:15,439 --> 
01:10:19,600 +those services to enrich the data that you're working on + +2208 +01:10:19,600 --> 01:10:22,0 +so if you have an incident and you're encoding information + +2209 +01:10:22,0 --> 01:10:24,640 +you go out to all the services that you connect, that you have access to + +2210 +01:10:24,640 --> 01:10:29,600 +4224.64 --> 4228 +and fetch the information on what else those systems know about the different data points that you're encoding + +2213 +01:10:29,600 --> 01:10:33,679 +so that you basically get a jump start on your investigation. + +2215 +01:10:33,679 --> 01:10:37,119 +Now one of the most important things that we have to deal with and this is probably + +2217 +01:10:37,119 --> 01:10:42,559 +i think about 50% of the code base of MISP + +2219 +01:10:42,560 --> 01:10:46,560 +is basically the APIs and the libraries that deal with integrating MISP with other tools + +2221 +01:10:46,560 --> 01:10:50,580 +so everything that we can do by the UI, MISP is also exposed to the api + +2223 +01:10:50,580 --> 01:10:54,960 +and one of the most important things for us is to make sure that + +2225 +01:10:54,960 --> 01:11:00,0 +you can use MISP as simply a backend for another tool as opposed to just directly using MISP itself. + +2228 +01:11:00,0 --> 01:11:04,640 +As for timeliness, we haven't really touched on that yet. + +2230 +01:11:04,640 --> 01:11:10,480 +Besides the sighting aspect, you can also encode information about time ranges when something was seen + +2233 +01:11:10,480 --> 01:11:19,200 +and you can build a full timeline of the events that occurred during a cyber incident for example. + +2237 +01:11:19,200 --> 01:11:22,719 +So if you encode this information together with all your data points + +2239 +01:11:22,719 --> 01:11:26,960 +then you get an additional graph out of it that tells you when what happens + +2241 +01:11:26,960 --> 01:11:30,0 +and time-based correlations are really important as well. 
+ +2243 +01:11:30,0 --> 01:11:33,599 +So very often when you're seeing two things happening at the same time + +2245 +01:11:33,600 --> 01:11:35,800 +they might be related with each other and + +2248 +01:11:35,800 --> 01:11:40,960 +they might be worth digging into whether there is a link between those two things that happened. + +2250 +01:11:40,960 --> 01:11:43,480 +So something else that we will touch on more tomorrow + +2251 +01:11:43,480 --> 01:11:47,200 +is we have a full indicator lifecycle management system in MISP. + +2254 +01:11:47,200 --> 01:11:50,0 +That means you can define your own rules and tune your own rules + +2256 +01:11:50,0 --> 01:11:53,500 +on how you're going to be scoring and decaying indicators + +2257 +01:11:53,500 --> 01:11:57,119 +based on all the contextualization that you have, + +2258 +01:11:57,119 --> 01:11:58,719 +based on the type of the data that you have, + +2259 +01:11:58,719 --> 01:12:02,439 +based on source of the information that you have and so on and so forth. + +2260 +01:12:02,439 --> 01:12:09,0 +So we're going to go into much more detail on that tomorrow. Alex. + +2265 +01:12:15,359 --> 01:12:20,359 +Yeah, so I was just answering a question and then I will make it public in a minute + +2267 +01:12:20,359 --> 01:12:25,639 +that's a question about the API and using MISP. + +2270 +01:12:25,639 --> 01:12:30,0 +There are different ways to evaluate the quality of the information that you share in MISP. + +2273 +01:12:30,0 --> 01:12:35,238 +One of those is obviously to look at statistics, There is a statistics version in MISP to see + +2276 +01:12:35,238 --> 01:12:40,238 +for example, the kind of indicator shared by organization and so on. 
+ +2278 +01:12:40,238 --> 01:12:43,279 +In addition to that, there is for example + +2279 +01:12:43,279 --> 01:12:46,279 +MISP dashboard which includes a kind of gamification of the platforms + +2281 +01:12:46,279 --> 01:12:53,600 +and which is giving badges per organization depending on the kind of information that you share + +2284 +01:12:53,600 --> 01:12:59,520 +and that's a nice way to to find out if you are reaching a certain level of capabilities when using MISP + +2287 +01:12:59,520 --> 01:13:02,360 +where you basically have for example information like + +2289 +01:13:02,360 --> 01:13:08,960 +are you using sightings, do you use objects and stuff like that. + +2292 +01:13:08,960 --> 01:13:12,0 +For example, thing that you can really look at if you want to see + +2293 +01:13:12,0 --> 01:13:14,480 +if the quality of information that you create in MISP + +2296 +01:13:14,480 --> 01:13:19,560 +i would just following the standards what is following the best practices in the different organization + +2297 +01:13:19,560 --> 01:13:22,640 +is to compare with the {inaudiable} feed + +2300 +01:13:22,640 --> 01:13:25,198 +there are some goods even in the OSINT feed and + +2301 +01:13:25,198 --> 01:13:29,519 +for example, things that are really a good indicator is to see + +2303 +01:13:29,520 --> 01:13:32,880 +are you just using indicators and using objects, + +2305 +01:13:32,880 --> 01:13:35,0 +are those objects linked together by using the relationship to it, + +2306 +01:13:35,0 --> 01:13:40,199 +are you using galaxies, are those galaxies at the event level, {inaudiable} level, + +2308 +01:13:40,198 --> 01:13:46,0 +do you have tags, labels on specific objects or specific attributes and so on + +2311 +01:13:46,0 --> 01:13:52,960 +that's different parameters and i think the question from {inaudiable} is pretty good. + +2315 +01:13:52,960 --> 01:14:00,39 +and if you really want to dive into the KPI aspect of MISP and quality of information. 
+ +2316 +01:14:00,39 --> 01:14:03,239 +In addition to what Andras just said + +2320 +01:14:03,239 --> 01:14:07,600 +there are some other things about the quality of information shared within the community + +2321 +01:14:07,600 --> 01:14:11,920 +and there's some good examples in the MISP dashboard about the different badges + +2324 +01:14:11,920 --> 01:14:16,0 +there is even a model for sharing such kind of information. + +2326 +01:14:16,0 --> 01:14:19,0 +So another thing that is i think quite useful and + +2329 +01:14:19,0 --> 01:14:23,520 +it was one of the core functionality of MISP was the correlation features. + +2330 +01:14:23,520 --> 01:14:29,119 +This one is, it looks like obvious but it's not always obvious + +2332 +01:14:29,119 --> 01:14:32,800 +I mean a lot of tools in the security field exist but they don't do automatic correlations. + +2334 +01:14:32,800 --> 01:14:35,679 +For example, at the {inaudiable} we are using ticketing system + +2337 +01:14:37,119 --> 01:14:39,0 +and sometimes it's very difficult to find if we have two correlating events + +2338 +01:14:39,0 --> 01:14:42,820 +and what we decided in MISP which covers the cost. + +2339 +01:14:42,820 --> 01:14:48,800 +I mean the correlation engine is maybe one of the costly aspects of using MISP on a database level. + +2341 +01:14:48,800 --> 01:14:49,919 +but it's really useful. + +2342 +01:14:49,919 --> 01:14:52,500 +For example, here we just have an example of + +2343 +01:14:52,500 --> 01:15:00,500 +information about some malware spam that are used to share uh information about + +2348 +01:15:00,500 --> 01:15:04,239 +target campaigns for the financial malware + +2351 +01:15:04,239 --> 01:15:09,819 +and what we can see there is basically correlation on similar points + +2352 +01:15:09,819 --> 01:15:12,880 +and those ones are mainly IP addresses of the infrastructure + +2355 +01:15:12,880 --> 01:15:16,0 +but you can really spot interesting things there. 
+ +2357 +01:15:16,0 --> 01:15:19,679 +For example, you see that the third {inaudiable bone/bin} in Germany share indicators, + +2360 +01:15:19,679 --> 01:15:24,0 +you have a polish bank sharing the same kind of indicators + +2361 +01:15:24,0 --> 01:15:26,560 +we were sharing such kind of indicators too + +2362 +01:15:26,560 --> 01:15:30,640 +and even if they have different names or different contextualization + +2365 +01:15:30,640 --> 01:15:33,439 +we can really spot similar infrastructure + +2366 +01:15:33,439 --> 01:15:39,198 +so we can see okay, it's maybe the same actors using an infrastructure for different kind of things + +2369 +01:15:39,198 --> 01:15:45,679 +or for example we can actually see here that we have different names of the similar malware + +2372 +01:15:45,679 --> 01:15:48,0 +so really this is important for example another thing that is interesting is + +2374 +01:15:48,0 --> 01:15:53,739 +for example if you have a sinkhole IP address setup by a antivirus company for example, + +2377 +01:15:53,739 --> 01:15:57,560 +you can directly spot it. 
I mean if you have, I don't know, APT 29 + +2380 +01:15:57,560 --> 01:16:01,840 +and you have like three different criminals malware going on that one and so on + +2383 +01:16:01,840 --> 01:16:05,600 +obviously it's usually not the same infrastructures but on the other hand + +2385 +01:16:05,600 --> 01:16:08,39 +you can directly spot, okay this one is already take down + +2386 +01:16:08,39 --> 01:16:12,159 +it's handled by this antivirus company and you can really handle it + +2388 +01:16:12,158 --> 01:16:20,679 +so it's really a way to quickly find if it's a new threat or something that is already known in the infrastructure + +2392 +01:16:22,439 --> 01:16:28,640 +So a little bit of the sightings themselves so we're going to see this more in practice + +2395 +01:16:28,640 --> 01:16:36,79 +basically we have a very simple interfacing list that allows us to to tell the community + +2398 +01:16:36,79 --> 01:16:40,158 +that we've seen an indicator, as well as when we've seen it + +2401 +01:16:40,158 --> 01:16:46,238 +and perhaps also include information on what tool we've picked up, what context we've seen, + +2402 +01:16:46,238 --> 01:16:50,359 +so sightings can have some metadata on top of just being a sighting. + +2406 +01:16:50,359 --> 01:16:54,79 +We can also flag something that we call negative sightings which is a false positive sighting + +2409 +01:16:54,79 --> 01:16:59,0 +where we indicate that we've seen it but it produced issues for us so it was a false positive. + +2412 +01:16:59,0 --> 01:17:05,520 +We can also indicate that something is potentially going to be expired at a certain date, + +2415 +01:17:05,520 --> 01:17:10,0 +so this is interesting, for example, if we're in talks with a provider + +2418 +01:17:10,0 --> 01:17:11,519 +and we know that there is going to be a takedown + +2420 +01:17:11,519 --> 01:17:17,0 +then we can already indicate that okay, this is no longer an indicator after a certain point in time. 
+ +2422 +01:17:17,0 --> 01:17:21,679 +Apart from that if you are ever dealing with bulk sightings, + +2424 +01:17:21,679 --> 01:17:28,0 +so if you want to for example just capture any IP address seen in your network or something like that + +2427 +01:17:28,0 --> 01:17:34,560 +there is another tool called SightingDB, which is developed by Devo, it's also an open source tool. + +2430 +01:17:34,560 --> 01:17:38,79 +It's really recommended to use that, it allows you to to capture massive massive amounts of data + +2432 +01:17:38,79 --> 01:17:45,539 +so if you're capturing the entire network flow of your constituency and or your organization + +2436 +01:17:45,539 --> 01:17:49,920 +and just dumping all the data somewhere this is a great place to do it + +2439 +01:17:49,920 --> 01:17:53,760 +and it's a very fast lookup database that is integrated with MISP + +2441 +01:17:53,760 --> 01:17:58,500 +where MISP can automatically just query it for any of the indicators that you're seeing in MISP, + +2445 +01:17:58,500 --> 01:18:05,359 +and whether it was seen in your network, and in which time range it was seen in. + +2446 +01:18:03,0 --> 01:18:07,500 +interesting thing with that is it's also for historical values + +2448 +01:18:07,500 --> 01:18:14,238 +so if you're just doing bulk collection of all the observables in your network + +2451 +01:18:14,238 --> 01:18:26,500 +and then even half a year later if it turns out that a indicator is being shared with you + +2454 +01:18:26,500 --> 01:18:27,0 +that correlates with an observable that SightingDB from half a year ago + +2456 +01:18:27,0 --> 01:18:30,0 +then you know that you might need to launch an investigation into something + +2459 +01:18:30,0 --> 01:18:34,0 +that happened half a year ago in logs and so on based on the historic look up. 
+ +2460 +01:18:38,0 --> 01:18:41,0 +Alex + +2462 +01:18:41,0 --> 01:18:44,500 +Just complementary notes regarding sightings and + +2464 +01:18:44,500 --> 01:18:49,439 +that's something that is basically maybe the easiest way of sharing additional information + +2467 +01:18:49,439 --> 01:18:53,839 +it costs nothing and if you are connected to a MISP instance + +2468 +01:18:53,839 --> 01:18:56,319 +and you can tell someone else that you have seen it + +2469 +01:18:56,319 --> 01:18:59,900 +it's really a quick thing that can be useful for many organizations. + +2473 +01:18:59,900 --> 01:19:04,500 +So the sighting itself sounds like a very small feature + +2474 +01:19:04,500 --> 01:19:10,399 +but at the end, it's a an easy one for contributing and helping the others to know + +2478 +01:19:10,399 --> 01:19:15,0 +if an indicator is still valuable and so on, so sighting is really something that + +2481 +01:19:15,0 --> 01:19:22,920 +can basically be a kind of of entry-level things to do when sharing information + +2484 +01:19:22,920 --> 01:19:28,500 +Something else that we have in MISP, this one is I think becoming more and more important + +2487 +01:19:28,500 --> 01:19:32,239 +and we will do a quick demo later regarding that. + +2489 +01:19:32,238 --> 01:19:37,0 +It's a timeline, i mean when we do analysis and so on, + +2490 +01:19:37,0 --> 01:19:40,0 +it's really i would say common to have a first seen, last seen + +2492 +01:19:40,0 --> 01:19:42,159 +to see the evolution of things over time. + +2494 +01:19:42,159 --> 01:19:45,198 +In the example that you see on the screen there + +2496 +01:19:45,198 --> 01:19:47,319 +It's based on specific threat actors + +2497 +01:19:47,319 --> 01:19:54,839 +that sends a significant numbers of spear phishing + +2499 +01:19:54,839 --> 01:20:00,0 +and those spear phishing are very well known when we collect those timestamps and so on. 
+ +2503 +01:20:00,0 --> 01:20:03,0 +So you can really see and trace the evolution of a specific group and so on. + +2506 +01:20:03,0 --> 01:20:07,500 +This can be done automatically, for example passive dns records + +2507 +01:20:07,500 --> 01:20:13,0 +I have very often the first seen, last seen and automatically you can really build + +2510 +01:20:13,0 --> 01:20:18,0 +and create this kind of timeline because it can be really cumbersome if you have to do it manually + +2514 +01:20:18,0 --> 01:20:22,239 +So we have a nice view like that so that means every time you set a first seen, last seen + +2516 +01:20:22,239 --> 01:20:26,0 +on any attribute, object, and so on; it automatically populate on the timeline + +2518 +01:20:26,0 --> 01:20:31,7 +and it's an easy way to to see evolution, trend and so on for your analysis + +2521 +01:20:31,700 --> 01:20:39,280 +and this is a completely interactive so you can navigate over that. + +2522 +01:20:39,280 --> 01:20:42,0 +We will show that later. + +2524 +01:20:43,0 --> 01:20:47,39 +So for life cycle management, again this is something that we show briefly but + +2527 +01:20:47,39 --> 01:20:49,480 +we're going to way more depth about that tomorrow + +2528 +01:20:49,480 --> 01:20:53,519 +is basically here we see some examples of some attributes + +2531 +01:20:53,519 --> 01:20:58,800 +that have scores applied to them coming from different scoring models. 
+ +2532 +01:20:58,800 --> 01:21:03,0 +So we see there an IDS simple decaying model and then a custom model + +2533 +01:21:03,0 --> 01:21:08,800 +titled "Model 5" that are basically running on each of those indicators + +2535 +01:21:08,800 --> 01:21:13,500 +and they generate a score taking into account for things such as labels that are attached to them, + +2536 +01:21:13,500 --> 01:21:17,0 +the timestamp on when the attribute was created + +2537 +01:21:17,0 --> 01:21:21,0 +as well as the timestamp of the different sightings that came in so generally + +2544 +01:21:21,0 --> 01:21:24,0 +if something is still being actively seen in your network + +2545 +01:21:24,0 --> 01:21:28,0 +that is still relevant despite the indicator itself being perhaps older + +2546 +01:21:28,0 --> 01:21:33,520 +and then using the score that gets generated from these different models that you define + +2551 +01:21:33,520 --> 01:21:37,500 +you can basically then make those decisions when you're exporting data to only include + +2554 +01:21:37,500 --> 01:21:43,0 +data above a certain threshold when you're feeding your SIEM for example. + +2556 +01:21:44,79 --> 01:21:48,500 +Yeah, and this one is quite interesting because you can really define + +2557 +01:21:48,500 --> 01:21:52,159 +so the thing that is really important with the decaying of indicators + +2559 +01:21:52,159 --> 01:21:58,920 +you are not modifying that actually you are really just updating and overlapping + +2564 +01:21:58,920 --> 01:22:01,759 +and you can just define those kind of models so that means for example + +2566 +01:22:01,759 --> 01:22:05,39 +even within a team where you don't agree on a specific model, you can have both models. 
+ +2569 +01:22:05,39 --> 01:22:09,679 +It's very common, for example, to have models for intrusion detection systems + +2571 +01:22:09,679 --> 01:22:16,719 +and specific models for i don't know, endpoint, {inaudiable} or endpoint protection device + +2574 +01:22:16,719 --> 01:22:20,639 +and in MISP you have even a models or kind of simulator + +2575 +01:22:20,639 --> 01:22:25,500 +where you can simulate the different model that you want to apply + +2578 +01:22:25,500 --> 01:22:28,920 +and to see what kind of lifetime you want to apply, + +2579 +01:22:28,920 --> 01:22:32,0 +when it decay, when for example you have a specific threshold where + +2582 +01:22:32,0 --> 01:22:39,500 +basically say okay you don't use anymore those kind of data and you can do the mapping with + +2583 +01:22:39,500 --> 01:22:45,500 +specific taxonomies you can with the different types, attributes, and so on + +2585 +01:22:45,500 --> 01:22:49,0 +directly in MISP and it is really a quick win. + +2588 +01:22:49,0 --> 01:22:53,500 +So you are not bound, for example, we know that some TIPs for example + +2591 +01:22:53,500 --> 01:22:58,479 +have a kind of system-wide decaying models in MISP it is not like that, + +2593 +01:22:56,880 --> 01:23:02,679 +everyone has their models, we are sharing some models + +2594 +01:23:02,679 --> 01:23:06,0 +and you can define what you want to use without really altering the data. + +2598 +01:23:06,0 --> 01:23:10,238 +So that means this kind of of information there is just an overlay + +2599 +01:23:10,238 --> 01:23:15,0 +and you actually keep your own data in the systems without having any modification. + +2601 +01:23:17,0 --> 01:23:24,0 +And you can simulate that one. 
+ +2605 +01:23:27,0 --> 01:23:31,0 +So when it comes to starting out, one of the trickiest things obviously is + +2606 +01:23:31,0 --> 01:23:34,0 +when you're starting out with MISP is if you're staring as an empty instance + +2607 +01:23:34,0 --> 01:23:37,198 +then getting started and encoding information is really tough + +2610 +01:23:37,198 --> 01:23:40,0 +because you don't know what is really expected from the communities out there, you don't know how. + +2612 +01:23:40,0 --> 01:23:44,0 +It's a new tool, you don't really know how to get started. + +2616 +01:23:44,0 --> 01:23:50,239 +So in order to ease this a little bit there are a bunch of different feeds some of those that we also provide ourselves + +2619 +01:23:50,239 --> 01:23:54,500 +which is obviously operational information something that you can use directly + +2622 +01:23:54,500 --> 01:24:00,799 +so these are OSINT feeds that we produce as well from our TLP white data set + +2623 +01:24:00,799 --> 01:24:04,0 +and the idea is that this will really help with bootstrapping your processes. + +2625 +01:24:04,0 --> 01:24:08,0 +Look at the data we consider that generally well-formed + +2629 +01:24:08,0 --> 01:24:12,500 +and well contextualized. It should give you an idea of what data generally looks like in MISP. + +2631 +01:24:12,500 --> 01:24:15,500 +So don't start out with a fresh instance, + +2632 +01:24:15,500 --> 01:24:18,0 +just go to your feed menu in your MISP when you're installing it + +2633 +01:24:18,0 --> 01:24:22,500 +and pull in some of these OSINT feeds so that you see the information already. 
+ +2636 +01:24:23,500 --> 01:24:27,359 +Also it's a great way to test your internal tooling + +2637 +01:24:27,359 --> 01:24:31,119 +so if you want to test the APIs, if you want to test internal synchronization, + +2640 +01:24:31,119 --> 01:24:33,500 +it's good to have larger data set already from the get go + +2641 +01:24:33,500 --> 01:24:38,679 +so that you already see that the movement of the data is working as expected. + +2645 +01:24:38,679 --> 01:24:44,500 +Yeah, the other thing that you can do and where we're going to talk about that quite a bit tomorrow + +2648 +01:24:44,500 --> 01:24:50,500 +is basically figuring out which feeds are worth ingesting, + +2650 +01:24:50,500 --> 01:24:55,719 +how the feeds compare to each other, running overlap analysis between them and so on + +2653 +01:24:55,719 --> 01:25:00,0 +So this is something that this is quite a heavy topic for tomorrow. + +2656 +01:25:05,0 --> 01:25:08,0 +You're muted alex. + +2657 +01:25:08,0 --> 01:25:09,500 +Yeah just discover {inaudiable this/MISP}. + +2658 +01:25:09,500 --> 01:25:12,0 +So as you can see for MISP, + +2659 +01:25:12,0 --> 01:25:15,300 +it's the development of MISP already done over the years, + +2661 +01:25:15,300 --> 01:25:19,760 +based on the feedback of users and that's really one of the key elements for us. + +2663 +01:25:19,760 --> 01:25:22,0 +We wanted a tool for us that works + +2665 +01:25:22,0 --> 01:25:28,879 +and it's key and based on that we wanted something that works for others too + +2667 +01:25:28,880 --> 01:25:33,679 +and i mean the tool is evolving over time so you see that we have plenty of functionalities + +2670 +01:25:33,679 --> 01:25:37,79 +On those two days of workshop we'll try to cover a part of it, + +2672 +01:25:37,79 --> 01:25:41,679 +we had already some good questions regarding how to customize this and so on. 
+ +2675 +01:25:41,679 --> 01:25:45,119 +We might give you some hints how to do it and and so on, + +2677 +01:25:45,119 --> 01:25:47,0 +so we won't be able to cover everything in those two days + +2678 +01:25:47,0 --> 01:25:54,0 +but you'll see that you can really update MISP based on your specific use cases and so on. + +2679 +01:25:54,0 --> 01:26:00,500 +So MISP is there as a tool, what really usually matters and are the successful, + +2680 +01:26:00,500--> 01:26:07,0 +I would say, sharing communities depends on the practices or you do that and so on + +2687 +01:26:07,0 --> 01:26:11,0 +and we really want at least at the end, even if it's a complex tool and so on + +2690 +01:26:11,0 --> 01:26:15,520 +to be as easy as possible for covering different use case + +2691 +01:26:15,520 --> 01:26:17,500 +and that's really the thing that we want to do, + +2693 +01:26:17,500 --> 01:26:19,520 +is for example for a lot of things that we have in MISP + +2694 +01:26:19,520 --> 01:26:23,700 +and someone just asked the questions about how can you customize MISP + +2697 +01:26:23,700 --> 01:26:27,119 +a lot of things in MISP can be customized by just modifying some JSON files. + +2700 +01:26:27,119 --> 01:26:32,519 +It's the case for MISP objects so if you want to create a new object you just update the json files, + +2701 +01:26:32,519 --> 01:26:39,500 +if you want to, for example, create a new taxonomies or create a new galaxy + +2706 +01:26:39,50 --> 01:26:41,839 +you just create those kind of json files. + +2708 +01:26:41,839 --> 01:26:45,500 +You have other ways to update and change the behavior of MISP. 
+ +2709 +01:26:45,500 --> 01:26:48,158 +it's based for example on MISP modules + +2710 +01:26:48,158 --> 01:26:51,439 +so if you want to change the behavior of the expansion and so on + +2712 +01:26:51,439 --> 01:26:58,800 +you can just play with MISP modules and we will quickly show you some examples on these modules + +2716 +01:26:58,800 --> 01:27:02,80 +but that's really simple i mean there's no {inaudiable} + +2719 +01:27:02,80 --> 01:27:10,239 +and that's the thing that you have to understand with MISP project is not just a small open source software somewhere + +2720 +01:27:10,239 --> 01:27:16,800 +it's really a set of combination of tool, software, packages, open standards, + +2721 +01:27:16,800 --> 01:27:23,799 +various best practices, shared knowledge base and obviously the community is using it. + +2728 +01:27:23,799 --> 01:27:26,500 +So that's really the thing that we will have we love with FIRST for example. + +2731 +01:27:26,500 --> 01:27:31,0 +it is to have this kind of community, learning together, sharing information, + +2732 +01:27:31,0 --> 01:27:33,119 +and so that's that's really a key for us. + +2735 +01:27:33,119 --> 01:27:41,500 +We have, I think more than 500 contributors on the MISP project with even more nowadays. 
+ +2738 +01:27:41,500 --> 01:27:45,500 +So if you want to become one of the contributors it's really straightforward i mean + +2739 +01:27:45,500 --> 01:27:48,800 +if you have something, a problem that you want to solve, + +2742 +01:27:48,800 --> 01:27:51,400 +for example on an object, you just do a pull request and + +2743 +01:27:51,400 --> 01:27:55,840 +it will be in MISP immediately and you become a contributor in the project + +2747 +01:27:57,679 --> 01:27:58,0 +so really for us, it's really key in MISP + +2748 +01:27:58,0 --> 01:28:02,0 +is to have a kind of tool that is supporting the different use cases + +2749 +01:28:02,0 --> 01:28:06,238 +Okay so before that, we do a break i will share you with you + +2750 +01:28:06,238 --> 01:28:12,759 +some practical details on accessing the MISP training instance because there were some questions regarding that + +2755 +01:28:12,759 --> 01:28:20,0 +and after the break, we will do the hands-on practical session + +2756 +01:28:20,0 --> 01:28:25,359 +with an example, so we will with a real example, so you will create the full event + +2757 +01:28:25,359 --> 01:28:27,359 +based on some information that you receive. + +2759 +01:28:27,359 --> 01:28:36,500 +So first of all, I will give you some details about how to access the MISP instance. + + +2763 +01:28:36,500 --> 01:28:42,500 +S0, first of all we have a {inaudiable acting/active} page + +2764 +01:28:42,500 --> 01:28:48,500 +which I obviously share at some point in time and i will share it again. + +2766 +01:28:48,500 --> 01:28:54,799 +Yes. So there's a page with some pages that you can even edit. + +2769 +01:28:54,799 --> 01:29:00,0 +I will paste the link again in the chat for everyone. + +2772 +01:29:05,639 --> 01:29:11,319 +That's the link, so we have a 50 account on the training instance. 
+ +2773 +01:29:11,319 --> 01:29:14,159 +Pick randomly one + +2775 +01:29:14,158 --> 01:29:18,0 +it doesn't matter if you are multiple one using the same account but be careful + +2777 +01:29:18,0 --> 01:29:22,119 +don't change the password because maybe some people will complain, + +2780 +01:29:22,119 --> 01:29:30,800 +and then we have a "TrainingFIRST2021" password so super simple + +2782 +01:29:30,800 --> 01:29:33,600 +not so secure but that's fine it's a training instance. + +2785 +01:29:33,600 --> 01:29:41,0 +Just for the reference, for the one that doesn't want to use the training instance + +2786 +01:29:41,0 --> 01:29:44,0 +sometimes for whatever reason you want to use your own instance. + +2788 +01:29:44,0 --> 01:29:50,238 +We have different images, virtual box and VMware images for MISP. + +2791 +01:29:50,238 --> 01:29:54,158 +So if you want to play with MISP locally and so on. + +2793 +01:29:54,158 --> 01:29:57,279 +If you want to play with synchronization too, you can even connect those two + +2794 +01:29:59,500 --> 01:30:05,280 +So and during the sessions we will connect to that instance so the instant is "iglocska.eu" + +2796 +01:30:05,280 --> 01:30:14,0 +and when you connect, you will get access to the instance. + +2799 +01:30:14,0 --> 01:30:18,158 +So you enter your training password so I will enter with my specific account + +2802 +01:30:18,158 --> 01:30:23,500 +and we will use that instance for the hands-on that we will do just after the break. 
+ +2804 +01:30:23,500 --> 01:30:31,0 +So what i propose now is to do a 15 minute break and we start at 45, if it's fine for everyone + +2808 +01:30:31,0 --> 01:30:39,600 +and we will start by with the practical sessions with a specific email + +2811 +01:30:39,600 --> 01:30:43,600 +that we will share in the {inaudiable} as a practical example + + 2813 +01:30:43,600 --> 01:30:51,300 +so thank you for the one that join us now and we will start again at 45 + +2814 +01:30:51,300 --> 01:30:54,500 +to do the hands-on session. Thank you very much. + +2817 +01:30:55,500 --> 01:30:57,500 +Thank you. + +TODO +2819 +01:44:10,399 --> 01:44:15,118 +okay and shall we get started + +2820 +01:44:16,238 --> 01:44:22,559 +sure welcome back everyone + +2821 +01:44:20,79 --> 01:44:24,399 +okay so now what we're going to be doing + +2822 +01:44:22,560 --> 01:44:26,80 +is we're going to look a little bit + +2823 +01:44:24,399 --> 01:44:27,679 +at miss pizza so we've talked plenty + +2824 +01:44:26,79 --> 01:44:28,960 +about it but we haven't actually done + +2825 +01:44:27,679 --> 01:44:30,560 +anything with it yet + +2826 +01:44:28,960 --> 01:44:32,560 +so i really encourage everyone that has + +2827 +01:44:30,560 --> 01:44:35,199 +a misfits to also play along + +2828 +01:44:32,560 --> 01:44:36,800 +and to create your own events what we're + +2829 +01:44:35,198 --> 01:44:37,439 +going to be doing is we're going to go + +2830 +01:44:36,800 --> 01:44:40,639 +through as + +2831 +01:44:37,439 --> 01:44:41,359 +any fictional little exercise assume + +2832 +01:44:40,639 --> 01:44:44,0 +6280.639 --> 6284 +that you + +2833 +01:44:41,359 --> 01:44:44,799 +that you receive an email from uh in + +2834 +01:44:44,0 --> 01:44:46,560 +6284 --> 6286.56 +this case + +2835 +01:44:44,800 --> 01:44:49,840 +luxembourg english telco this is certain + +2836 +01:44:46,560 --> 01:44:52,80 +of them describing an incident of a very + +2837 +01:44:49,840 --> 01:44:53,520 +simplistic incident + +2838 +01:44:52,79 
--> 01:44:56,479 +of what happened what we're going to be + +2839 +01:44:53,520 --> 01:44:59,280 +trying to do now is to model this a miss + +2840 +01:44:56,479 --> 01:45:00,839 +and to explain how you can further + +2841 +01:44:59,279 --> 01:45:02,800 +improve it and contextualize this + +2842 +01:45:00,840 --> 01:45:05,39 +information + +2843 +01:45:02,800 --> 01:45:06,239 +so before we start uh once you're logged + +2844 +01:45:05,39 --> 01:45:08,639 +into the + +2845 +01:45:06,238 --> 01:45:09,678 +into miss pinsons such as the hosted + +2846 +01:45:08,639 --> 01:45:11,359 +training instance + +2847 +01:45:09,679 --> 01:45:13,840 +this is what you're going to be seeing + +2848 +01:45:11,359 --> 01:45:15,198 +so it's a it's a little bit squeezed on + +2849 +01:45:13,840 --> 01:45:18,639 +alex's screen + +2850 +01:45:15,198 --> 01:45:21,599 +but the idea is that you have a list of + +2851 +01:45:18,639 --> 01:45:23,279 +events that are listed on the main page + +2852 +01:45:21,600 --> 01:45:25,280 +so we're in the event index this is our + +2853 +01:45:23,279 --> 01:45:26,719 +landing page when we load up misp + +2854 +01:45:25,279 --> 01:45:28,79 +and each of these individual lines + +2855 +01:45:26,719 --> 01:45:30,158 +represents an event so they're + +2856 +01:45:28,79 --> 01:45:33,519 +describing either an attack + +2857 +01:45:30,158 --> 01:45:34,960 +or perhaps a report recurring + +2858 +01:45:33,520 --> 01:45:38,800 +distribution + +2859 +01:45:34,960 --> 01:45:40,0 +6334.96 --> 6340 +or a certain type of of indicator lists + +2860 +01:45:38,800 --> 01:45:41,600 +and so on + +2861 +01:45:40,0 --> 01:45:43,439 +6340 --> 6343.44 +so what you're seeing here is you have + +2862 +01:45:41,600 --> 01:45:45,679 +each of these events having an id + +2863 +01:45:43,439 --> 01:45:47,359 +and some metadata around it so these are + +2864 +01:45:45,679 --> 01:45:48,960 +this metadata can be either coming from + +2865 +01:45:47,359 --> 01:45:50,719 +this galaxy 
cluster + +2866 +01:45:48,960 --> 01:45:52,639 +system that we mentioned for example + +2867 +01:45:50,719 --> 01:45:55,679 +describing different + +2868 +01:45:52,639 --> 01:45:56,880 +attacker techniques the different types + +2869 +01:45:55,679 --> 01:45:58,560 +of + +2870 +01:45:56,880 --> 01:46:00,560 +ransomwares in this case or attack + +2871 +01:45:58,560 --> 01:46:02,0 +6358.56 --> 6362 +patterns that are leveraged + +2872 +01:46:00,560 --> 01:46:03,520 +and then if we scroll a bit further + +2873 +01:46:02,0 --> 01:46:04,319 +6362 --> 6364.32 +right so this is a bit lower resolution + +2874 +01:46:03,520 --> 01:46:06,800 +there that we see + +2875 +01:46:04,319 --> 01:46:07,920 +but uh you should have it visible on the + +2876 +01:46:06,800 --> 01:46:12,159 +same page + +2877 +01:46:07,920 --> 01:46:14,239 +um you see the information about uh + +2878 +01:46:12,158 --> 01:46:15,439 +what this event is trying to describe to + +2879 +01:46:14,238 --> 01:46:17,198 +us + +2880 +01:46:15,439 --> 01:46:19,599 +it's simple to understand text-based + +2881 +01:46:17,198 --> 01:46:21,198 +representation now this instance is used + +2882 +01:46:19,600 --> 01:46:22,719 +for trainings in general so it's going + +2883 +01:46:21,198 --> 01:46:24,559 +to be filled with a lot of junk + +2884 +01:46:22,719 --> 01:46:27,39 +interspersed with real data that is + +2885 +01:46:24,560 --> 01:46:28,800 +coming from our tlp wide feed + +2886 +01:46:27,39 --> 01:46:31,679 +so you're going to see some obviously + +2887 +01:46:28,800 --> 01:46:33,840 +weird events in there + +2888 +01:46:31,679 --> 01:46:35,840 +these are just there for testing just + +2889 +01:46:33,840 --> 01:46:37,199 +players playing during an exercise and + +2890 +01:46:35,840 --> 01:46:40,159 +so on + +2891 +01:46:37,198 --> 01:46:41,439 +but also some real events there so what + +2892 +01:46:40,158 --> 01:46:43,118 +we're going to be doing now is we're + +2893 +01:46:41,439 --> 01:46:44,879 +going to create 
our own event based on + +2894 +01:46:43,118 --> 01:46:45,759 +that email that we received it's also on + +2895 +01:46:44,880 --> 01:46:47,600 +the hackamd + +2896 +01:46:45,760 --> 01:46:48,880 +page so just have a look at email + +2897 +01:46:47,600 --> 01:46:51,119 +exactly + +2898 +01:46:48,880 --> 01:46:52,239 +and we need to start encoding with that + +2899 +01:46:51,118 --> 01:46:54,319 +event + +2900 +01:46:52,238 --> 01:46:55,839 +so before we include anything in misp + +2901 +01:46:54,319 --> 01:46:57,920 +the first thing that we need to do + +2902 +01:46:55,840 --> 01:47:00,239 +is we need to create a new event so this + +2903 +01:46:57,920 --> 01:47:02,399 +is where everything starts + +2904 +01:47:00,238 --> 01:47:04,238 +way to do it is to just click on add + +2905 +01:47:02,399 --> 01:47:05,359 +event on the left side of the menu + +2906 +01:47:04,238 --> 01:47:07,359 +and then you start with a very + +2907 +01:47:05,359 --> 01:47:11,198 +simplistic form that where we can + +2908 +01:47:07,359 --> 01:47:13,679 +describe the event in a very high level + +2909 +01:47:11,198 --> 01:47:15,118 +so here you see it's it's the first step + +2910 +01:47:13,679 --> 01:47:16,399 +is very straightforward + +2911 +01:47:15,118 --> 01:47:17,920 +the import the things that we have to + +2912 +01:47:16,399 --> 01:47:18,479 +watch out for or here is we already + +2913 +01:47:17,920 --> 01:47:20,239 +decide + +2914 +01:47:18,479 --> 01:47:22,638 +who gets to see the event so this is the + +2915 +01:47:20,238 --> 01:47:23,279 +distribution level and that we need to + +2916 +01:47:22,639 --> 01:47:25,520 +set and + +2917 +01:47:23,279 --> 01:47:27,599 +basically a basic description of it as + +2918 +01:47:25,520 --> 01:47:30,159 +for the distribution itself + +2919 +01:47:27,600 --> 01:47:32,159 +you have different uh ways of + +2920 +01:47:30,158 --> 01:47:33,679 +interacting with the data here already + +2921 +01:47:32,158 --> 01:47:35,359 +so one of the decisions 
that you have to + +2922 +01:47:33,679 --> 01:47:35,760 +make even if you're going to share to + +2923 +01:47:35,359 --> 01:47:37,759 +the + +2924 +01:47:35,760 --> 01:47:40,0 +6455.76 --> 6460 +wider community out there is do i keep + +2925 +01:47:37,760 --> 01:47:41,119 +this internal until i'm ready to share + +2926 +01:47:40,0 --> 01:47:43,118 +6460 --> 6463.119 +it with the community + +2927 +01:47:41,118 --> 01:47:44,719 +or do i already make it visible to + +2928 +01:47:43,118 --> 01:47:46,559 +anyone that has access to the data in + +2929 +01:47:44,719 --> 01:47:48,960 +the community + +2930 +01:47:46,560 --> 01:47:50,800 +now keep in mind that we have a + +2931 +01:47:48,960 --> 01:47:52,79 +publishing process in misp so until an + +2932 +01:47:50,800 --> 01:47:54,320 +event is published + +2933 +01:47:52,79 --> 01:47:55,118 +it is not propagated out to other missed + +2934 +01:47:54,319 --> 01:47:56,639 +instances + +2935 +01:47:55,118 --> 01:47:58,158 +that means anyone on the current miss + +2936 +01:47:56,639 --> 01:47:59,679 +pencils can see the data + +2937 +01:47:58,158 --> 01:48:02,0 +6478.159 --> 6482 +but it will not jump to a different + +2938 +01:47:59,679 --> 01:48:04,319 +misspen since at this point in any way + +2939 +01:48:02,0 --> 01:48:05,439 +6482 --> 6485.44 +but if you if you're creating it on a + +2940 +01:48:04,319 --> 01:48:07,679 +hosted instance + +2941 +01:48:05,439 --> 01:48:08,799 +for example if you if your isak is + +2942 +01:48:07,679 --> 01:48:10,319 +running a miss pinstance and you're + +2943 +01:48:08,800 --> 01:48:11,840 +creating it on that one directly + +2944 +01:48:10,319 --> 01:48:14,0 +6490.32 --> 6494 +then this already has an impact on who + +2945 +01:48:11,840 --> 01:48:16,400 +can see the data + +2946 +01:48:14,0 --> 01:48:18,0 +6494 --> 6498 +so the option here either go with your + +2947 +01:48:16,399 --> 01:48:19,519 +organization only and then + +2948 +01:48:18,0 --> 01:48:21,679 +6498 --> 6501.679 +raise 
the distribution level once it's + +2949 +01:48:19,520 --> 01:48:23,840 +ready to be released or you already + +2950 +01:48:21,679 --> 01:48:25,440 +involve addressing the process and you + +2951 +01:48:23,840 --> 01:48:27,279 +pick something like community only where + +2952 +01:48:25,439 --> 01:48:28,319 +others can chip in with their ideas from + +2953 +01:48:27,279 --> 01:48:30,960 +the get-go + +2954 +01:48:28,319 --> 01:48:32,559 +so this is up to you it's a risk versus + +2955 +01:48:30,960 --> 01:48:34,719 +efficiency question + +2956 +01:48:32,560 --> 01:48:35,600 +do i want to share the information and + +2957 +01:48:34,719 --> 01:48:37,760 +potentially + +2958 +01:48:35,600 --> 01:48:39,199 +overshare a bit by including by + +2959 +01:48:37,760 --> 01:48:40,960 +accidentally uploading information that + +2960 +01:48:39,198 --> 01:48:43,198 +is not yet + +2961 +01:48:40,960 --> 01:48:45,679 +confirmed that it can be shared out + +2962 +01:48:43,198 --> 01:48:47,439 +versus losing out on perhaps others + +2963 +01:48:45,679 --> 01:48:49,118 +immediately jumping on board and saying + +2964 +01:48:47,439 --> 01:48:50,399 +okay this is also something we've seen + +2965 +01:48:49,118 --> 01:48:51,599 +we've already done the analysis of it + +2966 +01:48:50,399 --> 01:48:53,599 +here you go + +2967 +01:48:51,600 --> 01:48:54,960 +so you have to balance those two things + +2968 +01:48:53,600 --> 01:48:59,39 +out so let's start + +2969 +01:48:54,960 --> 01:49:01,920 +no for example for example what + +2970 +01:48:59,39 --> 01:49:03,359 +you have is when people are working on a + +2971 +01:49:01,920 --> 01:49:06,960 +case by default they say + +2972 +01:49:03,359 --> 01:49:08,79 +it's organization and at one point in + +2973 +01:49:06,960 --> 01:49:10,79 +time + +2974 +01:49:08,79 --> 01:49:11,840 +the team lead for example decide at some + +2975 +01:49:10,79 --> 01:49:13,359 +point it's okay no you can share it + +2976 +01:49:11,840 --> 01:49:16,239 +to a wider 
community and then you change + +2977 +01:49:13,359 --> 01:49:17,839 +the distribution level + +2978 +01:49:16,238 --> 01:49:19,519 +yeah indeed so let's start with the + +2979 +01:49:17,840 --> 01:49:20,800 +organization only for now uh + +2980 +01:49:19,520 --> 01:49:22,560 +for different reasons that we'll get + +2981 +01:49:20,800 --> 01:49:24,0 +6560.8 --> 6564 +back to later on it allows us to show + +2982 +01:49:22,560 --> 01:49:25,119 +off another feature afterwards that is + +2983 +01:49:24,0 --> 01:49:26,800 +6564 --> 6566.8 +handy + +2984 +01:49:25,118 --> 01:49:28,639 +so we start with that then we have to + +2985 +01:49:26,800 --> 01:49:29,199 +describe this the threat level so this + +2986 +01:49:28,639 --> 01:49:31,840 +is + +2987 +01:49:29,198 --> 01:49:33,598 +a very subjective question uh threat + +2988 +01:49:31,840 --> 01:49:34,800 +level will depend a lot on what sort of + +2989 +01:49:33,599 --> 01:49:36,560 +an organization you are + +2990 +01:49:34,800 --> 01:49:38,0 +6574.8 --> 6578 +versus who you're sharing it with so we + +2991 +01:49:36,560 --> 01:49:40,400 +all have different interpretations of + +2992 +01:49:38,0 --> 01:49:41,760 +6578 --> 6581.76 +what we consider a high threat level + +2993 +01:49:40,399 --> 01:49:43,679 +we have some descriptions for each of + +2994 +01:49:41,760 --> 01:49:45,520 +these fields uh + +2995 +01:49:43,679 --> 01:49:46,800 +predefined if you click on the little + +2996 +01:49:45,520 --> 01:49:49,199 +information box + +2997 +01:49:46,800 --> 01:49:51,520 +it will tell you that hi is uh + +2998 +01:49:49,198 --> 01:49:53,519 +sophisticated apt malware or zero day + +2999 +01:49:51,520 --> 01:49:55,40 +attack + +3000 +01:49:53,520 --> 01:49:57,599 +please just freely disregard this + +3001 +01:49:55,39 --> 01:49:58,479 +because nowadays a lot of information + +3002 +01:49:57,599 --> 01:50:00,159 +sharing + +3003 +01:49:58,479 --> 01:50:02,79 +happens in completely different domains + +3004 +01:50:00,158 
--> 01:50:03,598 +so if a fraud team is sharing + +3005 +01:50:02,79 --> 01:50:06,880 +information about + +3006 +01:50:03,599 --> 01:50:08,400 +fraudster their definition of high + +3007 +01:50:06,880 --> 01:50:08,719 +threat level would be very different + +3008 +01:50:08,399 --> 01:50:11,439 +from + +3009 +01:50:08,719 --> 01:50:13,198 +those in cyber security for example so + +3010 +01:50:11,439 --> 01:50:15,519 +generally it's just a subjective + +3011 +01:50:13,198 --> 01:50:17,198 +first measure but a lot of organizations + +3012 +01:50:15,520 --> 01:50:19,40 +users use this to briefly filter out + +3013 +01:50:17,198 --> 01:50:21,439 +what they should tackle first + +3014 +01:50:19,39 --> 01:50:22,960 +so still use it with care if you don't + +3015 +01:50:21,439 --> 01:50:25,759 +want to use this field + +3016 +01:50:22,960 --> 01:50:27,679 +picking undefined is fine too analysis + +3017 +01:50:25,760 --> 01:50:30,560 +the next field describes how far along + +3018 +01:50:27,679 --> 01:50:33,39 +you've come with the analysis process + +3019 +01:50:30,560 --> 01:50:34,480 +so basically uh with this what you're + +3020 +01:50:33,39 --> 01:50:36,158 +telling the communities i'm just + +3021 +01:50:34,479 --> 01:50:39,118 +starting out with the analysis + +3022 +01:50:36,158 --> 01:50:40,719 +these are my initial findings versus for + +3023 +01:50:39,118 --> 01:50:41,839 +example saying that my analysis process + +3024 +01:50:40,719 --> 01:50:44,960 +is already complete + +3025 +01:50:41,840 --> 01:50:48,0 +6641.84 --> 6648 +i'm not going to be digging more for now + +3026 +01:50:44,960 --> 01:50:50,840 +i consider this complete if you have + +3027 +01:50:48,0 --> 01:50:54,960 +6648 --> 6654.96 +additional information then obviously + +3028 +01:50:50,840 --> 01:50:56,880 +uh already start collaborating with us + +3029 +01:50:54,960 --> 01:50:58,399 +so just pick whichever is most + +3030 +01:50:56,880 --> 01:50:59,840 +appropriate for you let's just go with + 
+3031 +01:50:58,399 --> 01:51:01,679 +initial for now + +3032 +01:50:59,840 --> 01:51:04,159 +and then comes the most important part + +3033 +01:51:01,679 --> 01:51:06,319 +of this form which is + +3034 +01:51:04,158 --> 01:51:08,319 +describing the event info so this is a + +3035 +01:51:06,319 --> 01:51:10,158 +brief description for analysts that are + +3036 +01:51:08,319 --> 01:51:12,79 +looking at the data that describe + +3037 +01:51:10,158 --> 01:51:13,198 +the best described the event that you're + +3038 +01:51:12,79 --> 01:51:16,719 +basically uh + +3039 +01:51:13,198 --> 01:51:17,678 +sharing now be brief here and be careful + +3040 +01:51:16,719 --> 01:51:20,480 +about + +3041 +01:51:17,679 --> 01:51:22,639 +including very domain or organization + +3042 +01:51:20,479 --> 01:51:23,279 +specific information one of the mistakes + +3043 +01:51:22,639 --> 01:51:25,279 +that + +3044 +01:51:23,279 --> 01:51:26,319 +that people often make here is for + +3045 +01:51:25,279 --> 01:51:29,359 +example uh + +3046 +01:51:26,319 --> 01:51:30,479 +typing a ticket number or ticket id in + +3047 +01:51:29,359 --> 01:51:32,158 +there + +3048 +01:51:30,479 --> 01:51:33,759 +so if you have a ticketing system and + +3049 +01:51:32,158 --> 01:51:35,198 +you basically start your investigation + +3050 +01:51:33,760 --> 01:51:36,800 +from your ticketing system + +3051 +01:51:35,198 --> 01:51:38,719 +sharing out something like what alex has + +3052 +01:51:36,800 --> 01:51:40,239 +typed there is not very handy for anyone + +3053 +01:51:38,719 --> 01:51:41,679 +else nobody will have a clue what you + +3054 +01:51:40,238 --> 01:51:43,198 +mean with that + +3055 +01:51:41,679 --> 01:51:44,639 +another mistake that can happen here + +3056 +01:51:43,198 --> 01:51:46,0 +6703.199 --> 6706 +very often is especially if you're + +3057 +01:51:44,639 --> 01:51:47,840 +starting out small and + +3058 +01:51:46,0 --> 01:51:49,760 +6706 --> 6709.76 +in turn initially you're only keeping + +3059 
+01:51:47,840 --> 01:51:51,520 +the events for yourself + +3060 +01:51:49,760 --> 01:51:53,760 +and then perhaps later on you decide + +3061 +01:51:51,520 --> 01:51:56,159 +that you want to maybe perhaps + +3062 +01:51:53,760 --> 01:51:57,520 +after all share it out to a community + +3063 +01:51:56,158 --> 01:51:58,960 +then one of the things that can really + +3064 +01:51:57,520 --> 01:52:00,719 +hurt you at that point is if you've + +3065 +01:51:58,960 --> 01:52:02,319 +used different language for example to + +3066 +01:52:00,719 --> 01:52:03,520 +describe the event info so we've seen + +3067 +01:52:02,319 --> 01:52:06,639 +this very often + +3068 +01:52:03,520 --> 01:52:07,360 +we instead of describing the things in + +3069 +01:52:06,639 --> 01:52:10,480 +english we + +3070 +01:52:07,359 --> 01:52:10,479 +choose our own languages + +3071 +01:52:14,479 --> 01:52:18,79 +and myself is hungarian we are we're + +3072 +01:52:16,719 --> 01:52:21,599 +pretty prone to doing this + +3073 +01:52:18,79 --> 01:52:22,639 +in general uh and this is generally + +3074 +01:52:21,599 --> 01:52:24,400 +something that will hurt us + +3075 +01:52:22,639 --> 01:52:25,920 +in the long term because uh once you + +3076 +01:52:24,399 --> 01:52:28,399 +share it out with a more + +3077 +01:52:25,920 --> 01:52:30,79 +international community you either have + +3078 +01:52:28,399 --> 01:52:32,799 +to go through the effort of translating + +3079 +01:52:30,79 --> 01:52:34,399 +it or basically make it illegible for + +3080 +01:52:32,800 --> 01:52:36,800 +the recipient + +3081 +01:52:34,399 --> 01:52:37,839 +so stick to something simple simple + +3082 +01:52:36,800 --> 01:52:41,199 +phrasing + +3083 +01:52:37,840 --> 01:52:45,840 +be as concise as possible + +3084 +01:52:41,198 --> 01:52:45,839 +but make sure that it's still understood + +3085 +01:52:51,920 --> 01:52:55,440 +we know that it's targeting the telco + +3086 +01:52:53,359 --> 01:52:57,198 +sector in luxembourg and we know that we + 
+3087 +01:52:55,439 --> 01:52:57,598 +have a malware sample so that's a pretty + +3088 +01:52:57,198 --> 01:52:59,598 +nice + +3089 +01:52:57,599 --> 01:53:01,39 +short explanation of what the event is + +3090 +01:52:59,599 --> 01:53:02,560 +about + +3091 +01:53:01,39 --> 01:53:04,800 +so once we click submit we have our + +3092 +01:53:02,560 --> 01:53:06,480 +event created and we already see that + +3093 +01:53:04,800 --> 01:53:08,400 +that our event suddenly has a lot of + +3094 +01:53:06,479 --> 01:53:09,39 +data that we didn't intentionally put in + +3095 +01:53:08,399 --> 01:53:11,39 +there yet + +3096 +01:53:09,39 --> 01:53:13,359 +so we see a bunch of tags that are + +3097 +01:53:11,39 --> 01:53:15,840 +applied to the event we see that + +3098 +01:53:13,359 --> 01:53:16,799 +the event already has information about + +3099 +01:53:15,840 --> 01:53:18,639 +uh + +3100 +01:53:16,800 --> 01:53:20,0 +6796.8 --> 6800 +who created the information who the + +3101 +01:53:18,639 --> 01:53:22,0 +6798.639 --> 6802 +local owners and + +3102 +01:53:20,0 --> 01:53:24,238 +6800 --> 6804.239 +information and so on so this basically + +3103 +01:53:22,0 --> 01:53:25,439 +6802 --> 6805.44 +takes a lot of local settings from uh + +3104 +01:53:24,238 --> 01:53:27,519 +from the instance + +3105 +01:53:25,439 --> 01:53:28,960 +and it uses the event when it is created + +3106 +01:53:27,520 --> 01:53:31,199 +with these basic datasets + +3107 +01:53:28,960 --> 01:53:33,439 +a lot of these also involve the + +3108 +01:53:31,198 --> 01:53:35,118 +contextualization that we start out with + +3109 +01:53:33,439 --> 01:53:36,559 +so it might seem a little bit pointless + +3110 +01:53:35,118 --> 01:53:38,479 +to immediately + +3111 +01:53:36,560 --> 01:53:40,0 +6816.56 --> 6820 +label something that we have not even + +3112 +01:53:38,479 --> 01:53:42,79 +started working on yet + +3113 +01:53:40,0 --> 01:53:43,359 +6820 --> 6823.36 +but also keep in mind that very often + +3114 +01:53:42,79 --> 
01:53:45,118 +what we do internally in our + +3115 +01:53:43,359 --> 01:53:46,79 +organizations is we have several missed + +3116 +01:53:45,118 --> 01:53:49,359 +instances + +3117 +01:53:46,79 --> 01:53:51,198 +that are uh that already are domain + +3118 +01:53:49,359 --> 01:53:52,799 +specific so for example we have our spam + +3119 +01:53:51,198 --> 01:53:56,0 +6831.199 --> 6836 +collector instance we have our + +3120 +01:53:52,800 --> 01:53:58,639 +our sandboxing ignis vincents and so on + +3121 +01:53:56,0 --> 01:54:00,479 +6836 --> 6840.48 +these these already are uh define the + +3122 +01:53:58,639 --> 01:54:00,960 +scope of the information that go into + +3123 +01:54:00,479 --> 01:54:02,879 +them + +3124 +01:54:00,960 --> 01:54:04,960 +so we can already decide okay if we if + +3125 +01:54:02,880 --> 01:54:05,599 +we are on our spam collector miss + +3126 +01:54:04,960 --> 01:54:07,279 +vincent + +3127 +01:54:05,599 --> 01:54:08,880 +anything that goes in there will be + +3128 +01:54:07,279 --> 01:54:10,719 +related to spam so in this case we can + +3129 +01:54:08,880 --> 01:54:12,159 +remove these tags because we don't + +3130 +01:54:10,719 --> 01:54:14,880 +we don't actually want to include those + +3131 +01:54:12,158 --> 01:54:15,679 +just yet maybe we can keep that one + +3132 +01:54:14,880 --> 01:54:17,520 +because it's still + +3133 +01:54:15,679 --> 01:54:20,319 +a draft so that means we will do an + +3134 +01:54:17,520 --> 01:54:23,599 +evaluation of this famous email accuracy + +3135 +01:54:20,319 --> 01:54:24,238 +and then um so we have some defined + +3136 +01:54:23,599 --> 01:54:25,920 +taxonomy + +3137 +01:54:24,238 --> 01:54:27,439 +misplan on this instance we enabled for + +3138 +01:54:25,920 --> 01:54:29,520 +example the workflow one + +3139 +01:54:27,439 --> 01:54:31,39 +uh this one is maybe of interest from + +3140 +01:54:29,520 --> 01:54:33,280 +different organizations is + +3141 +01:54:31,39 --> 01:54:35,599 +a generic one about workflow 
uh what is + +3142 +01:54:33,279 --> 01:54:37,920 +the current state or other thing so + +3143 +01:54:35,599 --> 01:54:39,279 +don't forget uh in the initial event + +3144 +01:54:37,920 --> 01:54:40,560 +when we created the event we have + +3145 +01:54:39,279 --> 01:54:42,960 +information about + +3146 +01:54:40,560 --> 01:54:44,639 +uh the state and stuff like that now + +3147 +01:54:42,960 --> 01:54:46,158 +with this what we do is recommend to + +3148 +01:54:44,639 --> 01:54:46,880 +have taxonomies and you can you can + +3149 +01:54:46,158 --> 01:54:49,359 +really + +3150 +01:54:46,880 --> 01:54:51,440 +set up whatever you like and in the misp + +3151 +01:54:49,359 --> 01:54:52,319 +event to define the current state of + +3152 +01:54:51,439 --> 01:54:55,839 +this event + +3153 +01:54:52,319 --> 01:54:55,840 +so we keep draft from this case + +3154 +01:54:57,39 --> 01:55:01,840 +yeah indeed so we keep it at this and we + +3155 +01:55:00,238 --> 01:55:03,598 +scroll further down and we see that miss + +3156 +01:55:01,840 --> 01:55:05,119 +warns us about a few things first of all + +3157 +01:55:03,599 --> 01:55:06,639 +data is not published + +3158 +01:55:05,118 --> 01:55:08,639 +and second of all if we scroll a bit + +3159 +01:55:06,639 --> 01:55:10,239 +further down we see that mispo also + +3160 +01:55:08,639 --> 01:55:11,920 +tells us that there are no attributes in + +3161 +01:55:10,238 --> 01:55:12,399 +here so this is still an empty envelope + +3162 +01:55:11,920 --> 01:55:14,319 +that we + +3163 +01:55:12,399 --> 01:55:15,519 +are about to share so list tells us + +3164 +01:55:14,319 --> 01:55:18,719 +don't share this just yet + +3165 +01:55:15,520 --> 01:55:19,119 +fill it up with data first so at this + +3166 +01:55:18,719 --> 01:55:22,319 +point + +3167 +01:55:19,118 --> 01:55:26,0 +6919.119 --> 6926 +we can start populating the information + +3168 +01:55:22,319 --> 01:55:26,0 +6922.32 --> 6926 +so if you if you look at the + +3169 +01:55:27,439 --> 
01:55:31,919 +initial document that we that we use as + +3170 +01:55:29,840 --> 01:55:32,800 +a starting point we see in there that we + +3171 +01:55:31,920 --> 01:55:35,760 +have a lot of + +3172 +01:55:32,800 --> 01:55:37,679 +information in there described we see + +3173 +01:55:35,760 --> 01:55:38,400 +for example that we are dealing with + +3174 +01:55:37,679 --> 01:55:40,319 +spearfishing + +3175 +01:55:38,399 --> 01:55:41,598 +we see that we have an email that was + +3176 +01:55:40,319 --> 01:55:44,880 +received at a certain + +3177 +01:55:41,599 --> 01:55:47,199 +point in time and we also see that + +3178 +01:55:44,880 --> 01:55:48,319 +we have an attacker that pretends to be + +3179 +01:55:47,198 --> 01:55:51,678 +um + +3180 +01:55:48,319 --> 01:55:54,0 +6948.32 --> 6954 +working at the ceo's uh uh daughter + +3181 +01:55:51,679 --> 01:55:55,440 +and sending the email address from + +3182 +01:55:54,0 --> 01:55:57,198 +6954 --> 6957.199 +spoofed uh + +3183 +01:55:55,439 --> 01:55:59,359 +the email from a spoofed email address + +3184 +01:55:57,198 --> 01:56:00,719 +so we can start by by describing this + +3185 +01:55:59,359 --> 01:56:01,759 +information by including this + +3186 +01:56:00,719 --> 01:56:03,279 +information + +3187 +01:56:01,760 --> 01:56:04,800 +so perhaps one of the things that we can + +3188 +01:56:03,279 --> 01:56:06,880 +take here is let's start with the most + +3189 +01:56:04,800 --> 01:56:09,119 +basic thing we're describing an email + +3190 +01:56:06,880 --> 01:56:10,880 +so let's start with an email object so + +3191 +01:56:09,118 --> 01:56:15,839 +we're going to add an object + +3192 +01:56:10,880 --> 01:56:15,840 +and we're going to select email + +3193 +01:56:18,479 --> 01:56:22,479 +so here we see that this is coming from + +3194 +01:56:20,639 --> 01:56:26,400 +the templating system where you can + +3195 +01:56:22,479 --> 01:56:28,79 +define uh pre different concepts with + +3196 +01:56:26,399 --> 01:56:30,79 +different fields 
that have to be then + +3197 +01:56:28,79 --> 01:56:31,760 +populated using this object templating + +3198 +01:56:30,79 --> 01:56:33,359 +system + +3199 +01:56:31,760 --> 01:56:35,440 +so we have a bunch of information that + +3200 +01:56:33,359 --> 01:56:37,39 +we can fill out here we see the spoofed + +3201 +01:56:35,439 --> 01:56:43,839 +address so we see a from address that we + +3202 +01:56:37,39 --> 01:56:43,840 +can encode + +3203 +01:56:45,439 --> 01:56:52,879 +okay we also have um + +3204 +01:56:50,399 --> 01:56:55,118 +a sample that i don't know if you if + +3205 +01:56:52,880 --> 01:56:58,960 +i've uploaded anywhere alex if not just + +3206 +01:56:55,118 --> 01:57:00,880 +pick any file for now because + +3207 +01:56:58,960 --> 01:57:02,319 +i think that's something i forgot to do + +3208 +01:57:00,880 --> 01:57:03,679 +yeah i don't know where the sample is + +3209 +01:57:02,319 --> 01:57:06,719 +yeah maybe we should add it + +3210 +01:57:03,679 --> 01:57:11,840 +yeah just put putty dot x or something + +3211 +01:57:06,719 --> 01:57:11,840 +if you have it + +3212 +01:57:12,800 --> 01:57:15,119 +oops + +3213 +01:57:16,639 --> 01:57:19,599 +or we can do it as a separate object we + +3214 +01:57:18,158 --> 01:57:21,39 +can we can just do this separately yeah + +3215 +01:57:19,599 --> 01:57:24,400 +we can do a separate objective + +3216 +01:57:21,39 --> 01:57:25,118 +yeah indeed indeed okay so what we can + +3217 +01:57:24,399 --> 01:57:27,118 +already + +3218 +01:57:25,118 --> 01:57:28,238 +describe here is we can we can still add + +3219 +01:57:27,118 --> 01:57:31,839 +the name of the + +3220 +01:57:28,238 --> 01:57:34,158 +uh attachment that we had in there + +3221 +01:57:31,840 --> 01:57:34,159 +um + +3222 +01:57:35,359 --> 01:57:39,839 +just to fast track it a bit + +3223 +01:57:40,639 --> 01:57:42,880 +good + +3224 +01:57:46,79 --> 01:57:49,760 +so we have a timestamp too which is + +3225 +01:57:47,679 --> 01:57:52,319 +interesting so um + +3226 
+01:57:49,760 --> 01:57:54,239 +this one has been received as a specific + +3227 +01:57:52,319 --> 01:57:56,639 +so it was a third + +3228 +01:57:54,238 --> 01:57:58,479 +of so the first scene is basically + +3229 +01:57:56,639 --> 01:58:03,440 +something that you can you can really uh + +3230 +01:57:58,479 --> 01:58:03,439 +set up so it was the third of february + +3231 +01:58:03,920 --> 01:58:10,158 +we had a specific time if i'm misleading + +3232 +01:58:07,198 --> 01:58:11,39 +um so in this one we have uh this one + +3233 +01:58:10,158 --> 01:58:14,349 +has been + +3234 +01:58:11,39 --> 01:58:16,880 +sent on received on + +3235 +01:58:14,350 --> 01:58:21,840 +[Music] + +3236 +01:58:16,880 --> 01:58:21,840 +16 so i can + +3237 +01:58:27,439 --> 01:58:34,158 +we also see that that basically + +3238 +01:58:30,639 --> 01:58:37,199 +the attachment was spoofing + +3239 +01:58:34,158 --> 01:58:39,598 +the document uh + +3240 +01:58:37,198 --> 01:58:40,638 +about the report about the ceo's + +3241 +01:58:39,599 --> 01:58:42,719 +daughter's + +3242 +01:58:40,639 --> 01:58:44,79 +progress in school so we can pick the + +3243 +01:58:42,719 --> 01:58:47,279 +file name for the + +3244 +01:58:44,79 --> 01:58:50,639 +uh attachment and that is under the + +3245 +01:58:47,279 --> 01:58:50,639 +attachment section in the object + +3246 +01:58:54,560 --> 01:59:01,199 +good i'm just clicking it + +3247 +01:58:58,158 --> 01:59:02,960 +yeah it is called report.x attacks i + +3248 +01:59:01,198 --> 01:59:04,319 +mean maybe it's not in the text right + +3249 +01:59:02,960 --> 01:59:06,639 +now okay it might not be in the text + +3250 +01:59:04,319 --> 01:59:12,319 +might be just the original file + +3251 +01:59:06,639 --> 01:59:12,319 +about that so yeah report.x dot x + +3252 +01:59:12,800 --> 01:59:15,360 +attachment + +3253 +01:59:21,198 --> 01:59:24,879 +and then we also know that it was + +3254 +01:59:22,399 --> 01:59:24,879 +received + +3255 +01:59:25,39 --> 01:59:28,800 +that we 
have received header ip so we + +3256 +01:59:27,279 --> 01:59:29,198 +can include that as well that's also in + +3257 +01:59:28,800 --> 01:59:33,440 +the + +3258 +01:59:29,198 --> 01:59:33,439 +stated email it's 137.221 + +3259 +01:59:41,599 --> 01:59:44,639 +and we even have the hostname if you + +3260 +01:59:42,960 --> 01:59:47,198 +want to include that that was also + +3261 +01:59:44,639 --> 01:59:47,199 +included in + +3262 +01:59:48,880 --> 01:59:51,679 +or in the report + +3263 +01:59:54,960 --> 01:59:59,679 +perfect so this is as you can see here + +3264 +01:59:58,79 --> 02:00:01,198 +we did not fill everything out because + +3265 +01:59:59,679 --> 02:00:03,118 +we don't know everything based on the + +3266 +02:00:01,198 --> 02:00:04,158 +report but we knew some of the fields we + +3267 +02:00:03,118 --> 02:00:05,839 +also see that + +3268 +02:00:04,158 --> 02:00:07,839 +each of these objects basically have + +3269 +02:00:05,840 --> 02:00:08,639 +some requirements and we satisfy those + +3270 +02:00:07,840 --> 02:00:10,560 +in this case + +3271 +02:00:08,639 --> 02:00:12,239 +so if you scroll all the way to the top + +3272 +02:00:10,560 --> 02:00:12,880 +you will see that that this object had a + +3273 +02:00:12,238 --> 02:00:14,559 +requirement + +3274 +02:00:12,880 --> 02:00:16,0 +7212.88 --> 7216 +any of those fields have to be filled + +3275 +02:00:14,560 --> 02:00:18,80 +we've definitely met that + +3276 +02:00:16,0 --> 02:00:21,359 +7216 --> 7221.36 +so we can just click submit and we can + +3277 +02:00:18,79 --> 02:00:21,359 +create our object in this case + +3278 +02:00:23,198 --> 02:00:26,799 +so here we see mrs telling us if we + +3279 +02:00:25,359 --> 02:00:27,519 +create this object that's what it will + +3280 +02:00:26,800 --> 02:00:28,880 +look like + +3281 +02:00:27,520 --> 02:00:30,719 +so we have in this case created our + +3282 +02:00:28,880 --> 02:00:31,359 +object and now it is attached to the + +3283 +02:00:30,719 --> 02:00:33,840 
+event and + +3284 +02:00:31,359 --> 02:00:34,960 +suddenly stuff happened here so we see + +3285 +02:00:33,840 --> 02:00:37,119 +that each of these + +3286 +02:00:34,960 --> 02:00:38,480 +attributes already start correlating + +3287 +02:00:37,118 --> 02:00:40,799 +with existing events + +3288 +02:00:38,479 --> 02:00:42,718 +now we read this uh this little exercise + +3289 +02:00:40,800 --> 02:00:44,159 +before we didn't correlate with some of + +3290 +02:00:42,719 --> 02:00:46,880 +those previous events + +3291 +02:00:44,158 --> 02:00:50,238 +but normally uh if this was a real case + +3292 +02:00:46,880 --> 02:00:50,239 +if you get a correlation + +3293 +02:00:50,319 --> 02:00:54,399 +that is either something very similar + +3294 +02:00:52,319 --> 02:00:56,639 +that already happened before or is it + +3295 +02:00:54,399 --> 02:00:58,719 +something that simply + +3296 +02:00:56,639 --> 02:01:00,400 +might be a coincidence but it's still + +3297 +02:00:58,719 --> 02:01:02,239 +close for investigation + +3298 +02:01:00,399 --> 02:01:04,559 +to check is this something that might + +3299 +02:01:02,238 --> 02:01:07,439 +help me bootstrap my investigation + +3300 +02:01:04,560 --> 02:01:08,719 +or is it just noise that is not maybe a + +3301 +02:01:07,439 --> 02:01:09,279 +side note because we have often the + +3302 +02:01:08,719 --> 02:01:12,560 +questions + +3303 +02:01:09,279 --> 02:01:14,319 +um when you create such object in + +3304 +02:01:12,560 --> 02:01:15,840 +you see that can be cumbersome to create + +3305 +02:01:14,319 --> 02:01:17,439 +it manually + +3306 +02:01:15,840 --> 02:01:20,79 +so don't forget that everything that we + +3307 +02:01:17,439 --> 02:01:22,479 +do right now can be done through the api + +3308 +02:01:20,79 --> 02:01:23,519 +so you can use pymisp automatically do + +3309 +02:01:22,479 --> 02:01:26,319 +it and so on so + +3310 +02:01:23,520 --> 02:01:27,840 +what we show there um i think if you + +3311 +02:01:26,319 --> 02:01:29,599 +think 
on the api level + +3312 +02:01:27,840 --> 02:01:31,119 +it can be done automatically so if you + +3313 +02:01:29,599 --> 02:01:33,119 +have two that are extracting emails + +3314 +02:01:31,118 --> 02:01:35,39 +automatically from the + +3315 +02:01:33,118 --> 02:01:36,559 +pc mailbox whatever you can + +3316 +02:01:35,39 --> 02:01:37,760 +automatically do it in mist + +3317 +02:01:36,560 --> 02:01:39,679 +we just show the complete process + +3318 +02:01:37,760 --> 02:01:41,39 +manually but you can never mix things + +3319 +02:01:39,679 --> 02:01:42,399 +for some event + +3320 +02:01:41,39 --> 02:01:44,158 +maybe some might be created + +3321 +02:01:42,399 --> 02:01:46,638 +automatically and then update it + +3322 +02:01:44,158 --> 02:01:47,839 +manually and so on + +3323 +02:01:46,639 --> 02:01:49,520 +something else that might be interesting + +3324 +02:01:47,840 --> 02:01:50,960 +here at this point is we've encoded this + +3325 +02:01:49,520 --> 02:01:54,560 +object and we look at it + +3326 +02:01:50,960 --> 02:01:56,880 +and perhaps we we might want to + +3327 +02:01:54,560 --> 02:01:58,400 +to change the distribution settings + +3328 +02:01:56,880 --> 02:01:59,279 +based on the different data points that + +3329 +02:01:58,399 --> 02:02:02,238 +we have in there + +3330 +02:01:59,279 --> 02:02:04,79 +so most of these such as the malicious + +3331 +02:02:02,238 --> 02:02:05,759 +host that email is sent from + +3332 +02:02:04,79 --> 02:02:07,279 +are technical information that we can + +3333 +02:02:05,760 --> 02:02:10,320 +share with the broader community + +3334 +02:02:07,279 --> 02:02:12,399 +but perhaps the name of the + +3335 +02:02:10,319 --> 02:02:13,599 +school that our ceo's daughter attends + +3336 +02:02:12,399 --> 02:02:15,118 +is something that we don't need to share + +3337 +02:02:13,599 --> 02:02:17,679 +with the entire community + +3338 +02:02:15,118 --> 02:02:20,0 +7335.119 --> 7340 +so we could reduce the distribution of + +3339 +02:02:17,679 --> 
02:02:21,760 +that individual attribute in this object + +3340 +02:02:20,0 --> 02:02:23,520 +7340 --> 7343.52 +so that we keep that for example only + +3341 +02:02:21,760 --> 02:02:24,639 +for our own organization and for our own + +3342 +02:02:23,520 --> 02:02:26,0 +7343.52 --> 7346 +internal records + +3343 +02:02:24,639 --> 02:02:27,599 +so one of the things you can do in this + +3344 +02:02:26,0 --> 02:02:28,158 +7346 --> 7348.159 +case is you can edit that individual + +3345 +02:02:27,599 --> 02:02:32,960 +attribute + +3346 +02:02:28,158 --> 02:02:34,799 +so the from address in the object + +3347 +02:02:32,960 --> 02:02:36,399 +and you can set a distribution level to + +3348 +02:02:34,800 --> 02:02:38,560 +your organization only + +3349 +02:02:36,399 --> 02:02:40,479 +in this case once we release the uh the + +3350 +02:02:38,560 --> 02:02:43,440 +event to a broader audience + +3351 +02:02:40,479 --> 02:02:45,198 +it will keep this individual attribute + +3352 +02:02:43,439 --> 02:02:46,0 +7363.44 --> 7366 +for an organization and it will not + +3353 +02:02:45,198 --> 02:02:49,598 +share it out with + +3354 +02:02:46,0 --> 02:02:51,279 +7366 --> 7371.28 +uh with other constituencies okay + +3355 +02:02:49,599 --> 02:02:53,39 +so some other stuff that happened at + +3356 +02:02:51,279 --> 02:02:54,479 +this point we see that + +3357 +02:02:53,39 --> 02:02:55,679 +several of you are creating events so + +3358 +02:02:54,479 --> 02:02:57,359 +that's great the correlation account + +3359 +02:02:55,679 --> 02:02:59,440 +really went up all of the sudden + +3360 +02:02:57,359 --> 02:03:00,479 +so it's good to see something else that + +3361 +02:02:59,439 --> 02:03:03,439 +happened at this point + +3362 +02:03:00,479 --> 02:03:05,198 +is uh is the event itself got correlated + +3363 +02:03:03,439 --> 02:03:06,158 +to other events as well so if you scroll + +3364 +02:03:05,198 --> 02:03:07,598 +up all the way + +3365 +02:03:06,158 --> 02:03:09,519 +we see that the 
attributes that we've + +3366 +02:03:07,599 --> 02:03:11,360 +added are also showing us what other + +3367 +02:03:09,520 --> 02:03:12,159 +events we're correlating in so this is a + +3368 +02:03:11,359 --> 02:03:13,598 +summary of + +3369 +02:03:12,158 --> 02:03:15,359 +all the individual attributes + +3370 +02:03:13,599 --> 02:03:17,119 +correlations from the event + +3371 +02:03:15,359 --> 02:03:18,639 +that means that if you have if this + +3372 +02:03:17,118 --> 02:03:20,79 +object is correlating or + +3373 +02:03:18,639 --> 02:03:21,920 +these attributes within the object are + +3374 +02:03:20,79 --> 02:03:23,840 +correlating to it with a certain event + +3375 +02:03:21,920 --> 02:03:25,359 +and certain other objects are + +3376 +02:03:23,840 --> 02:03:27,119 +correlating with other events + +3377 +02:03:25,359 --> 02:03:29,359 +then this would be a full summary of all + +3378 +02:03:27,118 --> 02:03:31,920 +the events that you're correlating with + +3379 +02:03:29,359 --> 02:03:33,198 +you can also draw a graph out of that if + +3380 +02:03:31,920 --> 02:03:35,199 +you click on the correlation graph you + +3381 +02:03:33,198 --> 02:03:37,118 +will see how the events are interlinked + +3382 +02:03:35,198 --> 02:03:38,719 +and you can further explore this by + +3383 +02:03:37,118 --> 02:03:41,519 +selecting any of the notes + +3384 +02:03:38,719 --> 02:03:42,639 +and pressing x on that to further expand + +3385 +02:03:41,520 --> 02:03:46,159 +it with + +3386 +02:03:42,639 --> 02:03:46,159 +with it with its own correlations + +3387 +02:03:46,960 --> 02:03:52,78 +okay let's go back to event + +3388 +02:03:52,238 --> 02:03:56,399 +yeah i don't think we have a lot of + +3389 +02:03:55,679 --> 02:03:58,399 +correlations + +3390 +02:03:56,399 --> 02:03:59,679 +there for the other events they're all + +3391 +02:03:58,399 --> 02:04:02,960 +the same + +3392 +02:03:59,679 --> 02:04:03,920 +uh okay now going back to a little + +3393 +02:04:02,960 --> 02:04:06,319 +example 
uh + +3394 +02:04:03,920 --> 02:04:07,440 +we have now created four attributes all + +3395 +02:04:06,319 --> 02:04:10,319 +together out of + +3396 +02:04:07,439 --> 02:04:11,759 +uh of the object template but we could + +3397 +02:04:10,319 --> 02:04:12,880 +have done this differently as well what + +3398 +02:04:11,760 --> 02:04:14,800 +we could have done + +3399 +02:04:12,880 --> 02:04:16,480 +is we could also have created those + +3400 +02:04:14,800 --> 02:04:17,39 +attributes individually and added those + +3401 +02:04:16,479 --> 02:04:20,319 +to the + +3402 +02:04:17,39 --> 02:04:21,920 +uh to the um event directly + +3403 +02:04:20,319 --> 02:04:24,319 +so one of the things that we can do now + +3404 +02:04:21,920 --> 02:04:25,920 +is we can go back to our report and + +3405 +02:04:24,319 --> 02:04:27,359 +tackle the next thing that is described + +3406 +02:04:25,920 --> 02:04:28,480 +there and let's do it slightly + +3407 +02:04:27,359 --> 02:04:31,198 +differently + +3408 +02:04:28,479 --> 02:04:31,759 +so we also see that basically uh the + +3409 +02:04:31,198 --> 02:04:34,479 +person + +3410 +02:04:31,760 --> 02:04:36,840 +uh that this is impersonated is also + +3411 +02:04:34,479 --> 02:04:40,959 +described so that is basically + +3412 +02:04:36,840 --> 02:04:40,960 +um in this case + +3413 +02:04:41,118 --> 02:04:45,359 +john doe the teacher of the student so + +3414 +02:04:43,520 --> 02:04:47,40 +let's just create a personal object and + +3415 +02:04:45,359 --> 02:04:50,78 +describe that + +3416 +02:04:47,39 --> 02:04:53,519 +so what we can do now is instead of + +3417 +02:04:50,78 --> 02:04:54,158 +directly describing it as an object we + +3418 +02:04:53,520 --> 02:04:57,520 +can first + +3419 +02:04:54,158 --> 02:04:58,78 +add those different fields at least a + +3420 +02:04:57,520 --> 02:05:00,0 +7497.52 --> 7500 +name + +3421 +02:04:58,78 --> 02:05:01,599 +as individual attributes so let's let's + +3422 +02:05:00,0 --> 02:05:03,279 +7500 --> 7503.28 
+see how adding individual attributes + +3423 +02:05:01,599 --> 02:05:05,39 +work so we click on the little plus icon + +3424 +02:05:03,279 --> 02:05:08,880 +above the attribute list + +3425 +02:05:05,39 --> 02:05:08,880 +and we simply select category person + +3426 +02:05:09,439 --> 02:05:13,598 +and from person we select first name + +3427 +02:05:11,439 --> 02:05:15,39 +first name is john + +3428 +02:05:13,599 --> 02:05:17,39 +and here we can already define is this + +3429 +02:05:15,39 --> 02:05:19,198 +an indicator do we want to + +3430 +02:05:17,39 --> 02:05:21,599 +set the for intrusion detection system + +3431 +02:05:19,198 --> 02:05:22,879 +flag no definitely not this in itself is + +3432 +02:05:21,599 --> 02:05:24,880 +not an indicator + +3433 +02:05:22,880 --> 02:05:26,719 +in fact we want to also disable + +3434 +02:05:24,880 --> 02:05:27,679 +correlation on this as this is a pretty + +3435 +02:05:26,719 --> 02:05:31,840 +common + +3436 +02:05:27,679 --> 02:05:34,719 +uh name that is definitely not something + +3437 +02:05:31,840 --> 02:05:36,0 +7531.84 --> 7536 +to we don't need a comment for enough + +3438 +02:05:34,719 --> 02:05:38,800 +but now we're going to convert it into + +3439 +02:05:36,0 --> 02:05:41,439 +7536 --> 7541.44 +an object anyway + +3440 +02:05:38,800 --> 02:05:42,880 +uh so what we can do is we can also + +3441 +02:05:41,439 --> 02:05:44,158 +disable correlation on this we don't + +3442 +02:05:42,880 --> 02:05:47,520 +want to correlate on john + +3443 +02:05:44,158 --> 02:05:51,39 +okay okay doesn't matter + +3444 +02:05:47,520 --> 02:05:53,360 +actually we can do it uh + +3445 +02:05:51,39 --> 02:05:55,279 +the same thing for the last name though + +3446 +02:05:53,359 --> 02:05:57,198 +and we can basically say that this is + +3447 +02:05:55,279 --> 02:05:58,960 +now + +3448 +02:05:57,198 --> 02:06:00,399 +last name now we've added these two + +3449 +02:05:58,960 --> 02:06:01,599 +things in there now the problem with + +3450 
+02:06:00,399 --> 02:06:03,679 +this is if we just had + +3451 +02:06:01,599 --> 02:06:04,719 +attributes instead of objects is we + +3452 +02:06:03,679 --> 02:06:06,399 +don't really see that + +3453 +02:06:04,719 --> 02:06:08,78 +john and do in this case are the first + +3454 +02:06:06,399 --> 02:06:10,559 +name and last name belong together + +3455 +02:06:08,78 --> 02:06:12,238 +so if i were to describe several people + +3456 +02:06:10,560 --> 02:06:13,599 +in the same event you would have a list + +3457 +02:06:12,238 --> 02:06:17,118 +of first names and a list of + +3458 +02:06:13,599 --> 02:06:17,520 +last names with no connection between + +3459 +02:06:17,118 --> 02:06:20,399 +the + +3460 +02:06:17,520 --> 02:06:21,920 +two things so it's better to use objects + +3461 +02:06:20,399 --> 02:06:24,399 +in general whenever you're describing + +3462 +02:06:21,920 --> 02:06:26,158 +multiple aspects of the same thing + +3463 +02:06:24,399 --> 02:06:27,920 +obviously if you just have a list of + +3464 +02:06:26,158 --> 02:06:29,359 +file hashes that you got from a feed and + +3465 +02:06:27,920 --> 02:06:30,719 +you just encode those and you don't have + +3466 +02:06:29,359 --> 02:06:32,0 +7589.36 --> 7592 +any other information with them you + +3467 +02:06:30,719 --> 02:06:33,279 +might as well just create flat + +3468 +02:06:32,0 --> 02:06:34,479 +7592 --> 7594.48 +attributes out of them + +3469 +02:06:33,279 --> 02:06:36,880 +because there is nothing else to + +3470 +02:06:34,479 --> 02:06:38,399 +describe from your perspective + +3471 +02:06:36,880 --> 02:06:39,679 +but even in that case it's arguable + +3472 +02:06:38,399 --> 02:06:40,799 +whether you don't want to start an + +3473 +02:06:39,679 --> 02:06:42,399 +object + +3474 +02:06:40,800 --> 02:06:44,0 +7600.8 --> 7604 +from the get go but what we can do in + +3475 +02:06:42,399 --> 02:06:45,598 +this case if we did start with this way + +3476 +02:06:44,0 --> 02:06:47,520 +7604 --> 7607.52 +or if you receive 
information in this + +3477 +02:06:45,599 --> 02:06:48,719 +format or your tools parse the data out + +3478 +02:06:47,520 --> 02:06:50,560 +in this format is + +3479 +02:06:48,719 --> 02:06:51,920 +you can select those two attributes by + +3480 +02:06:50,560 --> 02:06:52,960 +clicking the little check marks next + +3481 +02:06:51,920 --> 02:06:54,800 +there are little + +3482 +02:06:52,960 --> 02:06:56,560 +tick boxes next to them and then + +3483 +02:06:54,800 --> 02:06:58,79 +clicking on group selected attributes + +3484 +02:06:56,560 --> 02:06:59,920 +into an object + +3485 +02:06:58,78 --> 02:07:01,599 +and here miss will propose okay these + +3486 +02:06:59,920 --> 02:07:03,440 +are the different object templates that + +3487 +02:07:01,599 --> 02:07:04,719 +satisfy + +3488 +02:07:03,439 --> 02:07:06,960 +the list of attributes that you've + +3489 +02:07:04,719 --> 02:07:07,920 +selected there's a person object that we + +3490 +02:07:06,960 --> 02:07:11,118 +can use so let's + +3491 +02:07:07,920 --> 02:07:11,118 +just pick that one for now + +3492 +02:07:11,599 --> 02:07:15,199 +so here we see if we were to combine + +3493 +02:07:13,679 --> 02:07:16,800 +these two things they would be merged + +3494 +02:07:15,198 --> 02:07:19,198 +into an object + +3495 +02:07:16,800 --> 02:07:20,560 +uh that is fine with us we see first + +3496 +02:07:19,198 --> 02:07:23,359 +name will become + +3497 +02:07:20,560 --> 02:07:24,480 +the the first name of the object last + +3498 +02:07:23,359 --> 02:07:27,839 +name the last name + +3499 +02:07:24,479 --> 02:07:27,839 +so let's merge it + +3500 +02:07:28,960 --> 02:07:34,239 +now we basically have a personality now + +3501 +02:07:32,238 --> 02:07:36,718 +we also know that this person that we're + +3502 +02:07:34,238 --> 02:07:38,638 +dealing with here is impersonating uh + +3503 +02:07:36,719 --> 02:07:40,560 +the teacher of the ceo's or daughter so + +3504 +02:07:38,639 --> 02:07:42,400 +the same person impersonated person is a 
+ +3505 +02:07:40,560 --> 02:07:44,480 +teacher of the of the ceo's author + +3506 +02:07:42,399 --> 02:07:45,679 +so we added the object and we also see + +3507 +02:07:44,479 --> 02:07:48,78 +that there is a um + +3508 +02:07:45,679 --> 02:07:50,239 +that we can add just another text field + +3509 +02:07:48,78 --> 02:07:53,439 +yeah just text field works + +3510 +02:07:50,238 --> 02:07:54,879 +where we can describe it i just want to + +3511 +02:07:53,439 --> 02:07:57,598 +first disable the correlation because + +3512 +02:07:54,880 --> 02:07:57,599 +different means + +3513 +02:08:06,840 --> 02:08:10,800 +okay + +3514 +02:08:08,238 --> 02:08:12,319 +yeah that works and we just add a text + +3515 +02:08:10,800 --> 02:08:13,440 +description of the identity of the + +3516 +02:08:12,319 --> 02:08:22,319 +person we can just say + +3517 +02:08:13,439 --> 02:08:26,0 +7693.44 --> 7706 +teacher of the ceo's daughter + +3518 +02:08:22,319 --> 02:08:27,439 +okay now we're done we have now added + +3519 +02:08:26,0 --> 02:08:28,960 +7706 --> 7708.96 +the additional attribute and now now we + +3520 +02:08:27,439 --> 02:08:31,118 +know what this object is actually about + +3521 +02:08:28,960 --> 02:08:32,880 +without having a description in there + +3522 +02:08:31,118 --> 02:08:34,960 +but we still just have an email and a + +3523 +02:08:32,880 --> 02:08:36,239 +person described in here but we don't + +3524 +02:08:34,960 --> 02:08:37,760 +know anything else we + +3525 +02:08:36,238 --> 02:08:39,279 +don't know that this email is proofing + +3526 +02:08:37,760 --> 02:08:41,119 +to be that person so we should add a + +3527 +02:08:39,279 --> 02:08:43,118 +relationship between the two + +3528 +02:08:41,118 --> 02:08:44,639 +now for this we can switch over to the + +3529 +02:08:43,118 --> 02:08:46,719 +event graph view + +3530 +02:08:44,639 --> 02:08:48,400 +so that is a little bit further up this + +3531 +02:08:46,719 --> 02:08:50,239 +one allows us to create + +3532 +02:08:48,399 
--> 02:08:52,0 +7728.4 --> 7732 +connected graphs out of our individual + +3533 +02:08:50,238 --> 02:08:54,559 +data points so we see that we have + +3534 +02:08:52,0 --> 02:08:55,279 +7732 --> 7735.28 +two unreferenced objects so we explode + +3535 +02:08:54,560 --> 02:08:58,639 +that mode + +3536 +02:08:55,279 --> 02:09:00,719 +by pressing x and we can we can draw + +3537 +02:08:58,639 --> 02:09:02,639 +an edge between those two nodes by + +3538 +02:09:00,719 --> 02:09:04,319 +clicking edit and add reference + +3539 +02:09:02,639 --> 02:09:05,760 +and drawing a line between the two from + +3540 +02:09:04,319 --> 02:09:08,880 +the + +3541 +02:09:05,760 --> 02:09:08,880 +email to the person + +3542 +02:09:09,39 --> 02:09:12,880 +when you do that miss will propose a + +3543 +02:09:11,118 --> 02:09:15,39 +list of relationship + +3544 +02:09:12,880 --> 02:09:16,480 +types between these two two different + +3545 +02:09:15,39 --> 02:09:18,158 +nodes + +3546 +02:09:16,479 --> 02:09:19,439 +there is also a custom one there so if + +3547 +02:09:18,158 --> 02:09:21,198 +you don't want to select anything from + +3548 +02:09:19,439 --> 02:09:24,559 +the list that is fine too but for now + +3549 +02:09:21,198 --> 02:09:26,238 +we can just use the impersonates + +3550 +02:09:24,560 --> 02:09:28,79 +relationship which already exists in the + +3551 +02:09:26,238 --> 02:09:31,39 +default library + +3552 +02:09:28,78 --> 02:09:31,39 +just click on submit + +3553 +02:09:31,760 --> 02:09:34,880 +and now we have a relationship set + +3554 +02:09:33,198 --> 02:09:36,78 +between those two so we started telling + +3555 +02:09:34,880 --> 02:09:37,520 +our story by basically having a + +3556 +02:09:36,78 --> 02:09:40,399 +connected graph between the + +3557 +02:09:37,520 --> 02:09:40,880 +these two points now let's further look + +3558 +02:09:40,399 --> 02:09:43,920 +at our + +3559 +02:09:40,880 --> 02:09:47,520 +original email and see what else we can + +3560 +02:09:43,920 --> 
02:09:49,520 +get out of the text from there + +3561 +02:09:47,520 --> 02:09:51,199 +we also see that the malicious file was + +3562 +02:09:49,520 --> 02:09:54,0 +7789.52 --> 7794 +contained in the email as + +3563 +02:09:51,198 --> 02:09:55,519 +well as an attachment so let's upload an + +3564 +02:09:54,0 --> 02:09:57,198 +7794 --> 7797.199 +attachment now to ms + +3565 +02:09:55,520 --> 02:09:58,880 +i hope you have put in the text there or + +3566 +02:09:57,198 --> 02:10:01,359 +something because i forgot to clearly + +3567 +02:09:58,880 --> 02:10:01,359 +i've + +3568 +02:10:02,880 --> 02:10:07,279 +so as an attachment and this is where + +3569 +02:10:05,439 --> 02:10:08,719 +things become a little bit tricky + +3570 +02:10:07,279 --> 02:10:10,158 +uh there's there's a quick question + +3571 +02:10:08,719 --> 02:10:11,920 +there on the chat i'll just quickly + +3572 +02:10:10,158 --> 02:10:14,78 +answer that then we can get back to this + +3573 +02:10:11,920 --> 02:10:15,679 +where can i create a reference if you go + +3574 +02:10:14,78 --> 02:10:17,519 +above the attribute list there is an + +3575 +02:10:15,679 --> 02:10:18,960 +event graph button if you click on that + +3576 +02:10:17,520 --> 02:10:20,719 +you get the event graph + +3577 +02:10:18,960 --> 02:10:22,800 +and on the top left side you click on + +3578 +02:10:20,719 --> 02:10:24,239 +edit and then add reference + +3579 +02:10:22,800 --> 02:10:26,639 +like i can show it again nowadays oh + +3580 +02:10:24,238 --> 02:10:29,279 +yeah that's a bit better here + +3581 +02:10:26,639 --> 02:10:30,319 +so have this kind of gray bar there with + +3582 +02:10:29,279 --> 02:10:32,719 +even graph + +3583 +02:10:30,319 --> 02:10:33,679 +so you can basically collapse or expand + +3584 +02:10:32,719 --> 02:10:36,880 +it + +3585 +02:10:33,679 --> 02:10:37,359 +uh and then there you can select one of + +3586 +02:10:36,880 --> 02:10:40,480 +those + +3587 +02:10:37,359 --> 02:10:41,39 +reference objects you press x 
to expand + +3588 +02:10:40,479 --> 02:10:44,638 +all those + +3589 +02:10:41,39 --> 02:10:47,679 +reference objects then you can just + +3590 +02:10:44,639 --> 02:10:51,39 +select one object that you want + +3591 +02:10:47,679 --> 02:10:53,39 +to add and then you can edit add the + +3592 +02:10:51,39 --> 02:10:54,78 +references and then you can add specific + +3593 +02:10:53,39 --> 02:10:55,599 +references + +3594 +02:10:54,78 --> 02:10:56,960 +in case it doesn't make sense to make a + +3595 +02:10:55,599 --> 02:10:57,760 +second reference but that's basically + +3596 +02:10:56,960 --> 02:10:59,279 +how you do it + +3597 +02:10:57,760 --> 02:11:01,280 +then you select your relationship type + +3598 +02:10:59,279 --> 02:11:03,759 +and you can add your reference + +3599 +02:11:01,279 --> 02:11:04,479 +uh it's not the only way to do it + +3600 +02:11:03,760 --> 02:11:06,79 +there's a + +3601 +02:11:04,479 --> 02:11:07,198 +i would say current-based representation + +3602 +02:11:06,78 --> 02:11:09,118 +where you can do it because we can't + +3603 +02:11:07,198 --> 02:11:11,519 +even show it + +3604 +02:11:09,118 --> 02:11:13,39 +so you have to go it's it's much more + +3605 +02:11:11,520 --> 02:11:16,480 +difficult to understand what happens + +3606 +02:11:13,39 --> 02:11:18,238 +yeah so so there the referendum that you + +3607 +02:11:16,479 --> 02:11:20,959 +created through the even graph + +3608 +02:11:18,238 --> 02:11:22,479 +is represented here so you see that this + +3609 +02:11:20,960 --> 02:11:24,399 +object + +3610 +02:11:22,479 --> 02:11:25,598 +has a reference so from email to + +3611 +02:11:24,399 --> 02:11:27,39 +impersonate + +3612 +02:11:25,599 --> 02:11:28,960 +and here's the opposite relationship + +3613 +02:11:27,39 --> 02:11:30,399 +that you can describe the reference buy + +3614 +02:11:28,960 --> 02:11:32,560 +and you have the reference buy + +3615 +02:11:30,399 --> 02:11:33,679 +on this object so another niche mention + +3616 +02:11:32,560 --> 
02:11:37,840 +is i think + +3617 +02:11:33,679 --> 02:11:40,0 +7893.679 --> 7900 +less uh i would say 54 for + +3618 +02:11:37,840 --> 02:11:41,199 +and so on but sometimes you just when + +3619 +02:11:40,0 --> 02:11:43,39 +7900 --> 7903.04 +you are in the object you just want to + +3620 +02:11:41,198 --> 02:11:47,39 +see if you have any reference or + +3621 +02:11:43,39 --> 02:11:47,39 +a sign and you can quickly see that + +3622 +02:11:48,639 --> 02:11:54,880 +so let's add an attachment now + +3623 +02:11:53,39 --> 02:11:56,319 +and upload the sample that was uh + +3624 +02:11:54,880 --> 02:11:59,118 +included in the + +3625 +02:11:56,319 --> 02:12:00,559 +original uh email so we just click on + +3626 +02:11:59,118 --> 02:12:01,839 +add attachment + +3627 +02:12:00,560 --> 02:12:04,880 +we select the file that you want to + +3628 +02:12:01,840 --> 02:12:05,599 +upload yeah so for the attachment uh in + +3629 +02:12:04,880 --> 02:12:07,279 +this you have + +3630 +02:12:05,599 --> 02:12:08,400 +really two models you have the model + +3631 +02:12:07,279 --> 02:12:09,679 +that an attachment is basically + +3632 +02:12:08,399 --> 02:12:12,479 +something completely + +3633 +02:12:09,679 --> 02:12:13,118 +uh being safe and you can basically + +3634 +02:12:12,479 --> 02:12:16,479 +share it + +3635 +02:12:13,118 --> 02:12:17,359 +uh directly so for example you have + +3636 +02:12:16,479 --> 02:12:20,399 +attachment like + +3637 +02:12:17,359 --> 02:12:21,920 +reports and stuff in our case um + +3638 +02:12:20,399 --> 02:12:23,598 +what we want to share here it's a + +3639 +02:12:21,920 --> 02:12:25,760 +malicious number um + +3640 +02:12:23,599 --> 02:12:27,199 +so and that's i will take i will take + +3641 +02:12:25,760 --> 02:12:30,560 +which one + +3642 +02:12:27,198 --> 02:12:30,559 +take a sample somewhere + +3643 +02:12:32,840 --> 02:12:36,560 +um + +3644 +02:12:34,639 --> 02:12:38,78 +press on one what we are interesting + +3645 +02:12:36,560 --> 02:12:42,320 
+there + +3646 +02:12:38,78 --> 02:12:44,158 +uh by the windows executables + +3647 +02:12:42,319 --> 02:12:45,599 +and then you have to select if the + +3648 +02:12:44,158 --> 02:12:46,799 +sample is malicious if you don't do + +3649 +02:12:45,599 --> 02:12:48,239 +anything + +3650 +02:12:46,800 --> 02:12:50,880 +what it will be it will be something + +3651 +02:12:48,238 --> 02:12:51,519 +like same uh report a pdf report + +3652 +02:12:50,880 --> 02:12:54,78 +something that's + +3653 +02:12:51,520 --> 02:12:55,599 +like supporting you in contextualization + +3654 +02:12:54,78 --> 02:12:56,238 +could be a screenshot for example things + +3655 +02:12:55,599 --> 02:12:58,400 +like that + +3656 +02:12:56,238 --> 02:12:59,279 +but if you share a sample you have to + +3657 +02:12:58,399 --> 02:13:02,158 +select + +3658 +02:12:59,279 --> 02:13:03,920 +uh it's a sample because like that mist + +3659 +02:13:02,158 --> 02:13:05,679 +will encrypt + +3660 +02:13:03,920 --> 02:13:07,679 +and hash a file so that means you have a + +3661 +02:13:05,679 --> 02:13:08,719 +zip file encrypted with a default + +3662 +02:13:07,679 --> 02:13:11,679 +password + +3663 +02:13:08,719 --> 02:13:12,560 +infected but i got to avoid classical + +3664 +02:13:11,679 --> 02:13:15,359 +mistake of + +3665 +02:13:12,560 --> 02:13:17,360 +clicking on a link executing binaries on + +3666 +02:13:15,359 --> 02:13:18,799 +your analysis machines and so on and so + +3667 +02:13:17,359 --> 02:13:20,639 +on you don't want to do that so + +3668 +02:13:18,800 --> 02:13:22,0 +7998.8 --> 8002 +if it's malicious always click malware + +3669 +02:13:20,639 --> 02:13:23,440 +samples + +3670 +02:13:22,0 --> 02:13:25,599 +8002 --> 8005.599 +then you have one below which will + +3671 +02:13:23,439 --> 02:13:27,919 +advance the extraction + +3672 +02:13:25,599 --> 02:13:30,0 +8005.599 --> 8010 +uh mist can do a lot of things behind + +3673 +02:13:27,920 --> 02:13:31,599 +the scene when you receive a file in + +3674 
+02:13:30,0 --> 02:13:34,800 +8010 --> 8014.8 +this case it's a window + +3675 +02:13:31,599 --> 02:13:36,480 +of windows portable executable files so + +3676 +02:13:34,800 --> 02:13:37,920 +we have particular advanced extraction + +3677 +02:13:36,479 --> 02:13:40,158 +for those files and we can + +3678 +02:13:37,920 --> 02:13:41,199 +expand completely the files including + +3679 +02:13:40,158 --> 02:13:44,799 +resources + +3680 +02:13:41,198 --> 02:13:48,0 +8021.199 --> 8028 +code segment and stuff again + +3681 +02:13:44,800 --> 02:13:48,0 +8024.8 --> 8028 +so i will upload the files + +3682 +02:13:53,359 --> 02:13:57,439 +okay in this case this one was just like + +3683 +02:13:55,39 --> 02:14:00,78 +a very simple one + +3684 +02:13:57,439 --> 02:14:01,279 +so in this case what do we have we have + +3685 +02:14:00,78 --> 02:14:04,319 +an object + +3686 +02:14:01,279 --> 02:14:06,559 +with the file names the size invite and + +3687 +02:14:04,319 --> 02:14:08,158 +then the hash file so automatically miss + +3688 +02:14:06,560 --> 02:14:08,880 +will do the hashing of the different + +3689 +02:14:08,158 --> 02:14:11,519 +files + +3690 +02:14:08,880 --> 02:14:12,0 +8048.88 --> 8052 +the sample itself is attached so you can + +3691 +02:14:11,520 --> 02:14:14,880 +basically + +3692 +02:14:12,0 --> 02:14:16,880 +8052 --> 8056.88 +use it and some additional ones like ssd + +3693 +02:14:14,880 --> 02:14:18,880 +for example my type are automatically + +3694 +02:14:16,880 --> 02:14:20,480 +extracted + +3695 +02:14:18,880 --> 02:14:22,239 +just maybe for the sake of it i will + +3696 +02:14:20,479 --> 02:14:25,359 +just take maybe another + +3697 +02:14:22,238 --> 02:14:25,839 +binary just for showing you what could + +3698 +02:14:25,359 --> 02:14:28,479 +happen + +3699 +02:14:25,840 --> 02:14:30,0 +8065.84 --> 8070 +with other binaries maybe that's for + +3700 +02:14:28,479 --> 02:14:32,559 +later for different events so + +3701 +02:14:30,0 --> 02:14:33,439 +8070 --> 8073.44 
+okay the objectives because it's easier + +3702 +02:14:32,560 --> 02:14:35,360 +to see for the + +3703 +02:14:33,439 --> 02:14:37,359 +photograph that's fine too you can show + +3704 +02:14:35,359 --> 02:14:39,39 +it afterwards yeah + +3705 +02:14:37,359 --> 02:14:41,39 +okay so now we have this again this kind + +3706 +02:14:39,39 --> 02:14:42,719 +of object attached and there's a + +3707 +02:14:41,39 --> 02:14:46,238 +relationship to create objections + +3708 +02:14:42,719 --> 02:14:48,0 +8082.719 --> 8088 +indeed so so in this case the + +3709 +02:14:46,238 --> 02:14:50,158 +relationship is to the email itself so + +3710 +02:14:48,0 --> 02:14:52,319 +8088 --> 8092.32 +we know that the email contained + +3711 +02:14:50,158 --> 02:14:53,920 +this file so what we can do is we can + +3712 +02:14:52,319 --> 02:14:54,479 +just create relationship between the + +3713 +02:14:53,920 --> 02:14:56,158 +email + +3714 +02:14:54,479 --> 02:14:58,718 +and the file and see that email contain + +3715 +02:14:56,158 --> 02:14:58,719 +that file + +3716 +02:15:00,719 --> 02:15:04,800 +do you see it it's again the same model + +3717 +02:15:02,639 --> 02:15:04,800 +so + +3718 +02:15:06,880 --> 02:15:09,840 +contains + +3719 +02:15:15,439 --> 02:15:19,839 +there we go so now what we can do is if + +3720 +02:15:18,319 --> 02:15:21,39 +you look further in the email we see + +3721 +02:15:19,840 --> 02:15:22,480 +that there is a bunch of other stuff + +3722 +02:15:21,39 --> 02:15:23,198 +still described so what we can do is we + +3723 +02:15:22,479 --> 02:15:27,598 +can just + +3724 +02:15:23,198 --> 02:15:30,238 +now for exercise sake just take um + +3725 +02:15:27,599 --> 02:15:30,880 +at least a next few lines or the next + +3726 +02:15:30,238 --> 02:15:33,198 +paragraph + +3727 +02:15:30,880 --> 02:15:35,118 +and drop the entire paragraph into + +3728 +02:15:33,198 --> 02:15:37,118 +something called the free text importer + +3729 +02:15:35,118 --> 02:15:38,319 +what this will do is it 
will try to + +3730 +02:15:37,118 --> 02:15:40,238 +parse this uh + +3731 +02:15:38,319 --> 02:15:41,679 +this text blob and it will try to + +3732 +02:15:40,238 --> 02:15:43,678 +extract anything that looks like an + +3733 +02:15:41,679 --> 02:15:44,319 +indicator out of that so this is another + +3734 +02:15:43,679 --> 02:15:46,78 +method of + +3735 +02:15:44,319 --> 02:15:49,39 +of basically entering attribute + +3736 +02:15:46,78 --> 02:15:51,679 +synthesis so free text import + +3737 +02:15:49,39 --> 02:15:54,319 +we just paste it in there and we just + +3738 +02:15:51,679 --> 02:15:54,319 +hit submit + +3739 +02:15:54,399 --> 02:15:57,679 +so this will tell us in this case it + +3740 +02:15:55,760 --> 02:15:59,280 +didn't extract everything actually so we + +3741 +02:15:57,679 --> 02:16:00,158 +need to still go back to it and refined + +3742 +02:15:59,279 --> 02:16:01,920 +a bit more + +3743 +02:16:00,158 --> 02:16:03,118 +but it extracted some of those things + +3744 +02:16:01,920 --> 02:16:05,39 +that were in there already so that's + +3745 +02:16:03,118 --> 02:16:07,598 +fine we can just already add those + +3746 +02:16:05,39 --> 02:16:07,599 +to the event + +3747 +02:16:08,238 --> 02:16:12,479 +so how does it work in in behind the + +3748 +02:16:10,238 --> 02:16:13,519 +scenes uh we have a bunch of regex + +3749 +02:16:12,479 --> 02:16:15,198 +images + +3750 +02:16:13,520 --> 02:16:17,199 +automatically extracting information + +3751 +02:16:15,198 --> 02:16:18,719 +from from natural text + +3752 +02:16:17,198 --> 02:16:20,559 +it's one way to do it there's another + +3753 +02:16:18,719 --> 02:16:21,760 +tool for doing it which is part of the + +3754 +02:16:20,560 --> 02:16:24,639 +even report + +3755 +02:16:21,760 --> 02:16:26,159 +um but it's usually it's a quick way to + +3756 +02:16:24,639 --> 02:16:28,880 +automatically extract information and to + +3757 +02:16:26,158 --> 02:16:31,198 +see if it's already known for example + +3758 +02:16:28,880 --> 
02:16:32,318 +so what we see here already is that evil + +3759 +02:16:31,198 --> 02:16:35,119 +provider + +3760 +02:16:32,318 --> 02:16:36,79 +was basically according to the email + +3761 +02:16:35,120 --> 02:16:38,800 +text + +3762 +02:16:36,79 --> 02:16:40,959 +and the place that was uh used to + +3763 +02:16:38,799 --> 02:16:43,920 +download the secondary payload from + +3764 +02:16:40,959 --> 02:16:44,558 +so we can take evil provider and we also + +3765 +02:16:43,920 --> 02:16:46,719 +know that + +3766 +02:16:44,558 --> 02:16:47,920 +we got an ipv6 address to it so we're + +3767 +02:16:46,718 --> 02:16:51,39 +going to add that to it as well and + +3768 +02:16:47,920 --> 02:16:52,879 +convert this into an object again + +3769 +02:16:51,40 --> 02:16:54,880 +so we're going to to just select that + +3770 +02:16:52,879 --> 02:16:55,438 +one convert to object and the object + +3771 +02:16:54,879 --> 02:16:58,159 +that we're + +3772 +02:16:55,439 --> 02:17:01,599 +going to convert it to is going to be a + +3773 +02:16:58,159 --> 02:17:04,799 +url object + +3774 +02:17:01,599 --> 02:17:07,120 +yep all the way down there perfect + +3775 +02:17:04,799 --> 02:17:08,558 +let's just do the conversion and then we + +3776 +02:17:07,120 --> 02:17:09,920 +edit the object afterwards and we add + +3777 +02:17:08,558 --> 02:17:12,318 +the additional information that we have + +3778 +02:17:09,920 --> 02:17:12,318 +about it + +3779 +02:17:12,638 --> 02:17:18,318 +so we have an ipv6 that we can that it + +3780 +02:17:15,840 --> 02:17:18,318 +resolves to + +3781 +02:17:24,239 --> 02:17:29,840 +we also have a port so once we're done + +3782 +02:17:26,959 --> 02:17:29,839 +with that + +3783 +02:17:31,280 --> 02:17:34,639 +happy destination perfect + +3784 +02:17:36,159 --> 02:17:43,840 +we can also add the port it was + +3785 +02:17:38,799 --> 02:17:43,840 +communicating on port 443 + +3786 +02:17:46,558 --> 02:17:50,239 +and again everything i'm currently doing + +3787 +02:17:48,799 
--> 02:17:53,920 +there can be done through + +3788 +02:17:50,239 --> 02:17:57,840 +api obviously yeah and and finally we + +3789 +02:17:53,920 --> 02:17:57,840 +also have a domain evilprovider.com + +3790 +02:18:02,638 --> 02:18:08,79 +now let's deal with with referencing the + +3791 +02:18:05,840 --> 02:18:09,40 +this to the other objects later on we + +3792 +02:18:08,79 --> 02:18:11,280 +can still + +3793 +02:18:09,40 --> 02:18:12,960 +still add the additional information + +3794 +02:18:11,280 --> 02:18:15,439 +that we have in there and then we do the + +3795 +02:18:12,959 --> 02:18:17,358 +linking afterwards again we we have the + +3796 +02:18:15,439 --> 02:18:20,159 +same problem here on this one because + +3797 +02:18:17,359 --> 02:18:21,760 +you see that the command has a the part + +3798 +02:18:20,159 --> 02:18:23,679 +it has a command so that means we can + +3799 +02:18:21,760 --> 02:18:25,359 +just convert it as an object again + +3800 +02:18:23,679 --> 02:18:27,679 +yeah and the ip belongs to that one as + +3801 +02:18:25,359 --> 02:18:30,719 +well by the way okay great + +3802 +02:18:27,679 --> 02:18:31,679 +it's even better yeah exactly just my + +3803 +02:18:30,718 --> 02:18:39,839 +screen that is a bit + +3804 +02:18:31,679 --> 02:18:39,840 +smaller okay + +3805 +02:18:40,318 --> 02:18:43,920 +so in this case it's again a url + +3806 +02:18:49,359 --> 02:18:54,719 +and the things that we have this time + +3807 +02:18:52,718 --> 02:18:56,239 +the port is actually a high port so + +3808 +02:18:54,718 --> 02:18:58,79 +while in the other one we do not + +3809 +02:18:56,239 --> 02:18:59,519 +correlate on on the port because port + +3810 +02:18:58,79 --> 02:19:01,359 +443 is common + +3811 +02:18:59,519 --> 02:19:03,40 +this is one of those ports that we might + +3812 +02:19:01,359 --> 02:19:04,639 +want to correlate on already + +3813 +02:19:03,40 --> 02:19:07,840 +so we want we don't want to disable + +3814 +02:19:04,638 --> 02:19:07,839 +correlation for 
this one + +3815 +02:19:09,840 --> 02:19:13,120 +once for the other one we we should + +3816 +02:19:11,679 --> 02:19:15,439 +disable the correlation for the other + +3817 +02:19:13,120 --> 02:19:15,439 +part + +3818 +02:19:18,840 --> 02:19:25,280 +443 + +3819 +02:19:21,280 --> 02:19:27,280 +okay now the other thing that we have at + +3820 +02:19:25,280 --> 02:19:28,719 +this point is we have a secondary sample + +3821 +02:19:27,280 --> 02:19:30,719 +so if you can you have a second one that + +3822 +02:19:28,718 --> 02:19:34,959 +you can upload yeah i just just add the + +3823 +02:19:30,718 --> 02:19:39,279 +domain so i get it + +3824 +02:19:34,959 --> 02:19:41,358 +okay so what do you want + +3825 +02:19:39,280 --> 02:19:42,479 +so we still have another file to update + +3826 +02:19:41,359 --> 02:19:45,359 +and we have a cv + +3827 +02:19:42,478 --> 02:19:48,318 +that was also mentioned in the okay cv + +3828 +02:19:45,359 --> 02:19:50,559 +it's an interesting one um + +3829 +02:19:48,318 --> 02:19:51,519 +we have we have single attributes for cd + +3830 +02:19:50,559 --> 02:19:53,119 +but + +3831 +02:19:51,520 --> 02:19:55,680 +sometimes you want to have some more + +3832 +02:19:53,120 --> 02:19:56,160 +information so what you could do there + +3833 +02:19:55,680 --> 02:19:58,960 +is + +3834 +02:19:56,159 --> 02:20:02,719 +to create a simple attribute um so the + +3835 +02:19:58,959 --> 02:20:05,438 +cv is much better delivery in this case + +3836 +02:20:02,719 --> 02:20:08,79 +we have type which is vulnerability and + +3837 +02:20:05,439 --> 02:20:11,200 +usually a venerability is defined by cv + +3838 +02:20:08,79 --> 02:20:12,719 +you can you can use other value but + +3839 +02:20:11,200 --> 02:20:14,880 +the best practice is the obviously to + +3840 +02:20:12,719 --> 02:20:17,119 +use cd + +3841 +02:20:14,879 --> 02:20:19,39 +it's very old cv those kind of attackers + +3842 +02:20:17,120 --> 02:20:21,120 +are always reusing those kind of old + +3843 
+02:20:19,40 --> 02:20:22,640 +things but you know it works you know + +3844 +02:20:21,120 --> 02:20:25,439 +never people never patch i + +3845 +02:20:22,639 --> 02:20:26,799 +know this one is interesting because you + +3846 +02:20:25,439 --> 02:20:29,439 +know it was exploited + +3847 +02:20:26,799 --> 02:20:31,199 +so i would add the ideas flag because it + +3848 +02:20:29,439 --> 02:20:32,159 +may be interesting to look into your + +3849 +02:20:31,200 --> 02:20:35,40 +system for + +3850 +02:20:32,159 --> 02:20:36,398 +additional ones so in this case what do + +3851 +02:20:35,40 --> 02:20:39,439 +we have we have again + +3852 +02:20:36,398 --> 02:20:41,358 +a single attribute which is not the nice + +3853 +02:20:39,439 --> 02:20:43,520 +thing that you want to have is basically + +3854 +02:20:41,359 --> 02:20:44,318 +you want to have as much context as you + +3855 +02:20:43,520 --> 02:20:47,600 +want + +3856 +02:20:44,318 --> 02:20:48,0 +8444.319 --> 8448 +for such kind of investigation luckily + +3857 +02:20:47,600 --> 02:20:51,40 +on + +3858 +02:20:48,0 --> 02:20:53,359 +8448 --> 8453.359 +this instance we have one of those + +3859 +02:20:51,40 --> 02:20:58,479 +expansion modules + +3860 +02:20:53,359 --> 02:21:00,559 +and why the cv advantage is okay + +3861 +02:20:58,478 --> 02:21:02,79 +great so and then you have some + +3862 +02:21:00,559 --> 02:21:03,840 +additional information in this case we + +3863 +02:21:02,79 --> 02:21:06,959 +have some some description + +3864 +02:21:03,840 --> 02:21:07,920 +um so what i can do in this in this one + +3865 +02:21:06,959 --> 02:21:11,358 +is + +3866 +02:21:07,920 --> 02:21:14,639 +so you see that we have either the + +3867 +02:21:11,359 --> 02:21:16,318 +overlay uh thing so in these modules uh + +3868 +02:21:14,639 --> 02:21:16,959 +someone was asking about extension of + +3869 +02:21:16,318 --> 02:21:18,719 +this + +3870 +02:21:16,959 --> 02:21:19,759 +is one way you have this overlay things + +3871 +02:21:18,719 --> 
02:21:20,639 +where you can basically just do + +3872 +02:21:19,760 --> 02:21:23,680 +expansions + +3873 +02:21:20,639 --> 02:21:25,119 +and see okay contextual information but + +3874 +02:21:23,680 --> 02:21:26,960 +sometimes you just want to be + +3875 +02:21:25,120 --> 02:21:29,190 +to have a bit more than just contextual + +3876 +02:21:26,959 --> 02:21:31,199 +information uh you want to have + +3877 +02:21:29,190 --> 02:21:33,920 +[Music] + +3878 +02:21:31,200 --> 02:21:36,240 +the uh associated object then so there + +3879 +02:21:33,920 --> 02:21:38,159 +you have this this kind of + +3880 +02:21:36,239 --> 02:21:40,879 +kind of explosion there and you can add + +3881 +02:21:38,159 --> 02:21:42,79 +the enrichment i'll give a try on that + +3882 +02:21:40,879 --> 02:21:44,79 +one + +3883 +02:21:42,79 --> 02:21:45,920 +okay great so there's something wrong on + +3884 +02:21:44,79 --> 02:21:48,478 +this machine that's great + +3885 +02:21:45,920 --> 02:21:49,840 +i'll take the other one but this this + +3886 +02:21:48,478 --> 02:21:53,199 +it's not an object for that + +3887 +02:21:49,840 --> 02:21:55,120 +that's fine we can just like yeah can + +3888 +02:21:53,200 --> 02:21:56,399 +summon the attribute in this case + +3889 +02:21:55,120 --> 02:21:58,560 +so we have basically the description + +3890 +02:21:56,398 --> 02:22:01,599 +then coming from the enrichment + +3891 +02:21:58,559 --> 02:22:04,239 +and what we can do is to uh + +3892 +02:22:01,600 --> 02:22:05,520 +then make an object called vulnerability + +3893 +02:22:04,239 --> 02:22:07,920 +then + +3894 +02:22:05,520 --> 02:22:09,359 +id credit in this case is the + +3895 +02:22:07,920 --> 02:22:12,398 +descriptions + +3896 +02:22:09,359 --> 02:22:14,559 +and make an object of it usually you + +3897 +02:22:12,398 --> 02:22:16,639 +should have a full + +3898 +02:22:14,559 --> 02:22:19,39 +expansion there but i didn't test it on + +3899 +02:22:16,639 --> 02:22:22,559 +the training instance maybe something is 
+ +3900 +02:22:19,40 --> 02:22:23,280 +broken on that instance okay so now what + +3901 +02:22:22,559 --> 02:22:25,920 +do we have is + +3902 +02:22:23,280 --> 02:22:27,840 +it's more contextual information we we + +3903 +02:22:25,920 --> 02:22:29,520 +start with a story and there + +3904 +02:22:27,840 --> 02:22:31,920 +we see that we have an emails we have a + +3905 +02:22:29,520 --> 02:22:34,640 +first url a second one which is a + +3906 +02:22:31,920 --> 02:22:36,239 +download and a specific cv so maybe no + +3907 +02:22:34,639 --> 02:22:38,79 +we can go back to the uh + +3908 +02:22:36,239 --> 02:22:39,280 +we still miss one thing which was a + +3909 +02:22:38,79 --> 02:22:42,239 +secondary file that was + +3910 +02:22:39,280 --> 02:22:43,40 +downloaded oh okay from the secondary + +3911 +02:22:42,239 --> 02:22:46,799 +files yes + +3912 +02:22:43,40 --> 02:22:47,280 +yeah so according to story what happens + +3913 +02:22:46,799 --> 02:22:50,318 +was + +3914 +02:22:47,280 --> 02:22:52,319 +uh the initial sample was uh + +3915 +02:22:50,318 --> 02:22:54,239 +when executed was downloading a + +3916 +02:22:52,318 --> 02:22:56,559 +secondary + +3917 +02:22:54,239 --> 02:22:57,680 +sample and that one was basically then + +3918 +02:22:56,559 --> 02:23:00,719 +used to + +3919 +02:22:57,680 --> 02:23:01,40 +exfiltrate data from from the system yes + +3920 +02:23:00,719 --> 02:23:03,519 +so + +3921 +02:23:01,40 --> 02:23:05,200 +this was a new railway download the + +3922 +02:23:03,520 --> 02:23:08,479 +interest files okay + +3923 +02:23:05,200 --> 02:23:09,600 +then i will add a yeah just another file + +3924 +02:23:08,478 --> 02:23:11,599 +and we just + +3925 +02:23:09,600 --> 02:23:13,200 +pretend it's the one that we were + +3926 +02:23:11,600 --> 02:23:14,239 +supposed to use why is this one it makes + +3927 +02:23:13,200 --> 02:23:17,280 +sense it's an emote that's one + +3928 +02:23:14,239 --> 02:23:17,280 +downloaded form in your eyes + +3929 +02:23:17,439 --> 
02:23:20,159 +that makes sense + +3930 +02:23:21,359 --> 02:23:24,399 +so now we have all these different + +3931 +02:23:22,959 --> 02:23:25,919 +objects in our event and it's time to + +3932 +02:23:24,398 --> 02:23:27,439 +build the story out of it as alex has + +3933 +02:23:25,920 --> 02:23:33,840 +mentioned so it's time to go back to our + +3934 +02:23:27,439 --> 02:23:33,840 +event graph + +3935 +02:23:34,879 --> 02:23:38,0 +8614.88 --> 8618 +and basically uh so far the story is + +3936 +02:23:37,200 --> 02:23:39,920 +that we got + +3937 +02:23:38,0 --> 02:23:42,559 +8618 --> 8622.56 +an email the email was impersonating a + +3938 +02:23:39,920 --> 02:23:44,799 +person and we basically got + +3939 +02:23:42,559 --> 02:23:45,840 +a primary sample out of the that primary + +3940 +02:23:44,799 --> 02:23:50,398 +sample then reaches + +3941 +02:23:45,840 --> 02:23:50,398 +out to evilprovider.com + +3942 +02:23:50,559 --> 02:23:55,600 +to download a secondary sample so we + +3943 +02:23:53,680 --> 02:23:59,120 +have a relationship + +3944 +02:23:55,600 --> 02:24:02,239 +between the file + +3945 +02:23:59,120 --> 02:24:02,240 +which downloads from + +3946 +02:24:02,318 --> 02:24:09,119 +downloads from yeah perfect + +3947 +02:24:06,959 --> 02:24:10,799 +from evil provider and then evil + +3948 +02:24:09,120 --> 02:24:15,840 +provider downloads + +3949 +02:24:10,799 --> 02:24:15,840 +the secondary sample + +3950 +02:24:19,200 --> 02:24:29,840 +which is in this case index dot html one + +3951 +02:24:33,359 --> 02:24:43,840 +and this one then exfiltrates to the + +3952 +02:24:36,398 --> 02:24:43,840 +another evil provider url + +3953 +02:24:52,239 --> 02:24:55,600 +now there's one thing we missed in the + +3954 +02:24:53,520 --> 02:24:57,40 +story here is that the first one try so + +3955 +02:24:55,600 --> 02:25:00,159 +in this case trilogy + +3956 +02:24:57,40 --> 02:25:03,40 +was actually abusing the cve that uh + +3957 +02:25:00,159 --> 02:25:04,398 +that alex has 
already expanded so we + +3958 +02:25:03,40 --> 02:25:08,560 +have an abuser's + +3959 +02:25:04,398 --> 02:25:08,559 +relationship from trilogothexa to + +3960 +02:25:08,840 --> 02:25:11,840 +vulnerability + +3961 +02:25:13,680 --> 02:25:17,359 +so and once we're done with this we + +3962 +02:25:15,760 --> 02:25:19,439 +already see the entire store in this car + +3963 +02:25:17,359 --> 02:25:20,800 +so even if you if you have no idea about + +3964 +02:25:19,439 --> 02:25:22,800 +what happened in the report and you + +3965 +02:25:20,799 --> 02:25:24,318 +don't read the original report + +3966 +02:25:22,799 --> 02:25:26,478 +by just looking at this graph you can + +3967 +02:25:24,318 --> 02:25:29,519 +clearly read it out + +3968 +02:25:26,478 --> 02:25:31,519 +in in in simple sentences we see email + +3969 +02:25:29,520 --> 02:25:34,960 +in person later first and john + +3970 +02:25:31,520 --> 02:25:36,159 +email contains trilogy exploits + +3971 +02:25:34,959 --> 02:25:39,159 +vulnerability + +3972 +02:25:36,159 --> 02:25:40,318 +downloads from evoprovider.com + +3973 +02:25:39,159 --> 02:25:43,680 +index.html1 + +3974 +02:25:40,318 --> 02:25:45,760 +which exfiltrates to a url so it's a + +3975 +02:25:43,680 --> 02:25:46,79 +very simple story to comprehend without + +3976 +02:25:45,760 --> 02:25:48,239 +us + +3977 +02:25:46,79 --> 02:25:50,0 +8746.08 --> 8750 +knowing the original data information + +3978 +02:25:48,239 --> 02:25:50,318 +and without us having even having to + +3979 +02:25:50,0 --> 02:25:52,0 +8750 --> 8752 +look + +3980 +02:25:50,318 --> 02:25:53,359 +at the individual indicators further + +3981 +02:25:52,0 --> 02:25:55,760 +8752 --> 8755.76 +below + +3982 +02:25:53,359 --> 02:25:56,800 +so this is when we're talking about + +3983 +02:25:55,760 --> 02:25:59,40 +information sharing + +3984 +02:25:56,799 --> 02:26:00,478 +we're basically sharing on two layers + +3985 +02:25:59,40 --> 02:26:02,640 +one of the layers is sharing with + +3986 
+02:26:00,478 --> 02:26:04,79 +machines so informing an ids about + +3987 +02:26:02,639 --> 02:26:05,599 +things to alert on + +3988 +02:26:04,79 --> 02:26:07,280 +and at the same time we're sharing with + +3989 +02:26:05,600 --> 02:26:09,40 +analysts that want to really understand + +3990 +02:26:07,280 --> 02:26:09,600 +what the introductory was doing in this + +3991 +02:26:09,40 --> 02:26:11,760 +case + +3992 +02:26:09,600 --> 02:26:13,120 +and what happened during the incident + +3993 +02:26:11,760 --> 02:26:15,600 +however at this stage + +3994 +02:26:13,120 --> 02:26:17,520 +we have described our event but we're + +3995 +02:26:15,600 --> 02:26:20,479 +still missing something at this point + +3996 +02:26:17,520 --> 02:26:21,760 +we still haven't actually contextualized + +3997 +02:26:20,478 --> 02:26:23,39 +the information with everything else + +3998 +02:26:21,760 --> 02:26:26,159 +that we know about it + +3999 +02:26:23,40 --> 02:26:27,40 +so we have we have vocabularies at our + +4000 +02:26:26,159 --> 02:26:28,879 +disposal + +4001 +02:26:27,40 --> 02:26:30,399 +we have at the attack matrix at our + +4002 +02:26:28,879 --> 02:26:31,679 +disposal so let's + +4003 +02:26:30,398 --> 02:26:33,760 +start going through the individual + +4004 +02:26:31,680 --> 02:26:34,559 +attributes and let's start to attach + +4005 +02:26:33,760 --> 02:26:37,520 +those different + +4006 +02:26:34,559 --> 02:26:38,79 +labels to the data so first of all if we + +4007 +02:26:37,520 --> 02:26:41,120 +look at + +4008 +02:26:38,79 --> 02:26:42,318 +uh perhaps which one which one should we + +4009 +02:26:41,120 --> 02:26:44,79 +start with + +4010 +02:26:42,318 --> 02:26:45,760 +let's not do everything let's look at + +4011 +02:26:44,79 --> 02:26:47,520 +the original email for example + +4012 +02:26:45,760 --> 02:26:49,120 +we know that the original email deals + +4013 +02:26:47,520 --> 02:26:51,120 +with fishing now + +4014 +02:26:49,120 --> 02:26:52,720 +attack has a pattern that 
describes + +4015 +02:26:51,120 --> 02:26:55,760 +fishing so we can just attach + +4016 +02:26:52,719 --> 02:26:59,279 +the galaxy cluster of attack to + +4017 +02:26:55,760 --> 02:27:02,960 +and to the attributes in there so + +4018 +02:26:59,280 --> 02:27:04,800 +we use cluster yeah and we can just use + +4019 +02:27:02,959 --> 02:27:07,759 +the text + +4020 +02:27:04,799 --> 02:27:08,318 +magic perfect and we can click on attack + +4021 +02:27:07,760 --> 02:27:11,200 +pattern + +4022 +02:27:08,318 --> 02:27:12,79 +then we get the attack matrix and here + +4023 +02:27:11,200 --> 02:27:16,290 +we can select + +4024 +02:27:12,79 --> 02:27:19,120 +uh phishing it should be in + +4025 +02:27:16,290 --> 02:27:20,880 +[Music] + +4026 +02:27:19,120 --> 02:27:23,359 +you see yeah there it is perfect so we + +4027 +02:27:20,879 --> 02:27:23,358 +attach it + +4028 +02:27:23,840 --> 02:27:27,359 +we refresh and there we see it is now + +4029 +02:27:26,318 --> 02:27:30,0 +8846.319 --> 8850 +attached to the + +4030 +02:27:27,359 --> 02:27:31,680 +attribute and if we if we generate a + +4031 +02:27:30,0 --> 02:27:32,879 +8850 --> 8852.88 +heat pack now out of the events if we + +4032 +02:27:31,680 --> 02:27:35,680 +scroll up + +4033 +02:27:32,879 --> 02:27:37,39 +we have an attack matrix view next to + +4034 +02:27:35,680 --> 02:27:39,520 +the event graph + +4035 +02:27:37,40 --> 02:27:40,399 +if we click on that one now we now see + +4036 +02:27:39,520 --> 02:27:43,200 +that + +4037 +02:27:40,398 --> 02:27:44,0 +8860.399 --> 8864 +as a first overview already we know + +4038 +02:27:43,200 --> 02:27:45,520 +without looking + +4039 +02:27:44,0 --> 02:27:47,359 +8864 --> 8867.359 +at any of the details we see that we're + +4040 +02:27:45,520 --> 02:27:48,800 +dealing with positioning here so this is + +4041 +02:27:47,359 --> 02:27:49,600 +one of the attack patterns that we've + +4042 +02:27:48,799 --> 02:27:50,879 +described + +4043 +02:27:49,600 --> 02:27:52,399 +let's see what 
other attack patterns + +4044 +02:27:50,879 --> 02:27:53,920 +from attack we can describe you also see + +4045 +02:27:52,398 --> 02:27:55,599 +that there is automated + +4046 +02:27:53,920 --> 02:27:57,520 +exfiltration happening so if we go to + +4047 +02:27:55,600 --> 02:28:01,840 +the secondary url + +4048 +02:27:57,520 --> 02:28:01,840 +so another evilprovider.com + +4049 +02:28:03,280 --> 02:28:06,960 +we can attach the pattern there as well + +4050 +02:28:05,520 --> 02:28:08,560 +now we can choose to do + +4051 +02:28:06,959 --> 02:28:10,159 +a single attribute what we're doing or + +4052 +02:28:08,559 --> 02:28:11,760 +we can just select all four and attach + +4053 +02:28:10,159 --> 02:28:12,0 +8890.16 --> 8892 +the cluster tool for let's just do one + +4054 +02:28:11,760 --> 02:28:15,120 +for + +4055 +02:28:12,0 --> 02:28:19,760 +8892 --> 8899.76 +now it's it's it's enough + +4056 +02:28:15,120 --> 02:28:19,760 +uh watch out it's uh yeah perfect + +4057 +02:28:21,40 --> 02:28:24,399 +and just pick automated exfiltration + +4058 +02:28:23,600 --> 02:28:27,840 +it's the + +4059 +02:28:24,398 --> 02:28:27,840 +first one on the yeah + +4060 +02:28:30,79 --> 02:28:33,120 +okay so now we've attached some attack + +4061 +02:28:32,0 --> 02:28:35,280 +8912 --> 8915.28 +patterns uh + +4062 +02:28:33,120 --> 02:28:36,720 +we we could attach it to the sample as + +4063 +02:28:35,280 --> 02:28:38,479 +well what the sample is doing but we're + +4064 +02:28:36,719 --> 02:28:40,478 +not going to go through + +4065 +02:28:38,478 --> 02:28:42,239 +all that effort let's look at some type + +4066 +02:28:40,478 --> 02:28:45,679 +of contextualization + +4067 +02:28:42,239 --> 02:28:47,119 +for example maybe this + +4068 +02:28:45,680 --> 02:28:49,200 +then it's a matter of test again + +4069 +02:28:47,120 --> 02:28:50,560 +regarding the at which level you want to + +4070 +02:28:49,200 --> 02:28:53,840 +attach + +4071 +02:28:50,559 --> 02:28:54,959 +the galaxy there is the topic 
is a + +4072 +02:28:53,840 --> 02:28:57,439 +matter of fishing + +4073 +02:28:54,959 --> 02:29:00,398 +at a global level usually we can add a + +4074 +02:28:57,439 --> 02:29:04,239 +galaxy there and then for example + +4075 +02:29:00,398 --> 02:29:07,519 +add my tray attack directly there + +4076 +02:29:04,239 --> 02:29:09,840 +and select the pattern fishing then + +4077 +02:29:07,520 --> 02:29:11,600 +the techniques there directly so you + +4078 +02:29:09,840 --> 02:29:13,760 +have different options + +4079 +02:29:11,600 --> 02:29:15,760 +usually we recommend to make it as + +4080 +02:29:13,760 --> 02:29:17,200 +attribute level + +4081 +02:29:15,760 --> 02:29:18,880 +but in some case you don't even know + +4082 +02:29:17,200 --> 02:29:22,79 +which attribute level it applies + +4083 +02:29:18,879 --> 02:29:24,318 +then you select the even level exactly + +4084 +02:29:22,79 --> 02:29:25,840 +so so that's indeed a good point if you + +4085 +02:29:24,318 --> 02:29:26,959 +know that the entire chain of what + +4086 +02:29:25,840 --> 02:29:29,680 +you're describing + +4087 +02:29:26,959 --> 02:29:32,0 +8966.96 --> 8972 +referring to the single uh + +4088 +02:29:29,680 --> 02:29:34,559 +contextualization beta label be it a + +4089 +02:29:32,0 --> 02:29:36,398 +8972 --> 8976.399 +galaxy cluster then indeed what we + +4090 +02:29:34,559 --> 02:29:38,719 +assume is anything that you label on the + +4091 +02:29:36,398 --> 02:29:41,439 +event level is inherited by all + +4092 +02:29:38,719 --> 02:29:42,398 +uh data contained in unless explicitly + +4093 +02:29:41,439 --> 02:29:45,760 +overwritten by + +4094 +02:29:42,398 --> 02:29:48,478 +the opposite tag basically so + +4095 +02:29:45,760 --> 02:29:49,439 +so indeed that's the case uh in this + +4096 +02:29:48,478 --> 02:29:51,39 +case + +4097 +02:29:49,439 --> 02:29:52,720 +we're kind of in a weird situation + +4098 +02:29:51,40 --> 02:29:54,560 +because we're describing the full chain + +4099 +02:29:52,719 --> 02:29:56,719 
+of the attack which includes initial + +4100 +02:29:54,559 --> 02:29:58,559 +phishing attempt but also includes the + +4101 +02:29:56,719 --> 02:29:59,358 +secondary payload and the exfiltration + +4102 +02:29:58,559 --> 02:30:00,959 +and so on + +4103 +02:29:59,359 --> 02:30:02,479 +and if we if you do this on the + +4104 +02:30:00,959 --> 02:30:03,39 +attribute level i suppose the event + +4105 +02:30:02,478 --> 02:30:05,519 +level + +4106 +02:30:03,40 --> 02:30:06,560 +then you're really really only + +4107 +02:30:05,520 --> 02:30:08,479 +describing + +4108 +02:30:06,559 --> 02:30:10,398 +which part deals with the fishing which + +4109 +02:30:08,478 --> 02:30:11,39 +part deals with the actual exfiltration + +4110 +02:30:10,398 --> 02:30:12,799 +and so on + +4111 +02:30:11,40 --> 02:30:14,640 +so this is really up to you what we + +4112 +02:30:12,799 --> 02:30:16,398 +generally recommend is + +4113 +02:30:14,639 --> 02:30:18,398 +don't just do it on the event level so + +4114 +02:30:16,398 --> 02:30:19,439 +if you're describing more concepts in a + +4115 +02:30:18,398 --> 02:30:20,719 +single event + +4116 +02:30:19,439 --> 02:30:22,559 +make sure that you contextualize + +4117 +02:30:20,719 --> 02:30:23,920 +individual parts of it + +4118 +02:30:22,559 --> 02:30:25,840 +because one of one of the things that we + +4119 +02:30:23,920 --> 02:30:27,359 +use these labels for as well is searches + +4120 +02:30:25,840 --> 02:30:28,318 +so if i were to search for all + +4121 +02:30:27,359 --> 02:30:30,800 +indicators + +4122 +02:30:28,318 --> 02:30:32,159 +that relate to phishing i might not want + +4123 +02:30:30,799 --> 02:30:35,920 +to get the secondary + +4124 +02:30:32,159 --> 02:30:37,760 +payloads effects uh included in that + +4125 +02:30:35,920 --> 02:30:39,359 +response because that was just the + +4126 +02:30:37,760 --> 02:30:41,200 +initial vector of getting into the + +4127 +02:30:39,359 --> 02:30:42,880 +network of the victim + +4128 +02:30:41,200 --> 
02:30:44,720 +whatever happens afterwards is not + +4129 +02:30:42,879 --> 02:30:46,959 +directly related to the phishing + +4130 +02:30:44,719 --> 02:30:48,478 +so keep that in mind as well something + +4131 +02:30:46,959 --> 02:30:50,559 +else + +4132 +02:30:48,478 --> 02:30:52,799 +yeah so some just just something that + +4133 +02:30:50,559 --> 02:30:54,639 +you have to keep in mind too it's about + +4134 +02:30:52,799 --> 02:30:56,79 +which classification to choose or which + +4135 +02:30:54,639 --> 02:30:56,799 +contractualization source you have to + +4136 +02:30:56,79 --> 02:30:59,600 +want to + +4137 +02:30:56,799 --> 02:31:00,79 +to use um on this instance we have + +4138 +02:30:59,600 --> 02:31:02,800 +already + +4139 +02:31:00,79 --> 02:31:04,639 +a lot of things enabled and if for + +4140 +02:31:02,799 --> 02:31:06,79 +example you go for taxonomy + +4141 +02:31:04,639 --> 02:31:08,478 +you have a lot of taxonomy that is + +4142 +02:31:06,79 --> 02:31:10,719 +describing fishing + +4143 +02:31:08,478 --> 02:31:11,760 +for for example you have even a complete + +4144 +02:31:10,719 --> 02:31:14,959 +taxonomy + +4145 +02:31:11,760 --> 02:31:15,680 +about the kind of fishing you have and + +4146 +02:31:14,959 --> 02:31:18,639 +so on + +4147 +02:31:15,680 --> 02:31:21,280 +so when you install your miss pinstance + +4148 +02:31:18,639 --> 02:31:23,358 +and you start to make it operational + +4149 +02:31:21,280 --> 02:31:24,800 +you really have to decide what kind of + +4150 +02:31:23,359 --> 02:31:26,720 +taxonomy you want to use + +4151 +02:31:24,799 --> 02:31:29,920 +in this case we have already a lot of + +4152 +02:31:26,719 --> 02:31:32,478 +things are available by default + +4153 +02:31:29,920 --> 02:31:35,200 +so the fishing taxonomy itself is a + +4154 +02:31:32,478 --> 02:31:37,358 +complete one coming from a finger + +4155 +02:31:35,200 --> 02:31:39,840 +towards academic paper where we have all + +4156 +02:31:37,359 --> 02:31:41,600 +the techniques 
that are used so + +4157 +02:31:39,840 --> 02:31:44,239 +for example you can say that this one is + +4158 +02:31:41,600 --> 02:31:44,239 +coming from a + +4159 +02:31:44,559 --> 02:31:51,439 +spearfishing which was described there + +4160 +02:31:48,318 --> 02:31:54,0 +9108.319 --> 9114 +and you have the different techniques + +4161 +02:31:51,439 --> 02:31:55,520 +so in this case it's email spoofing and + +4162 +02:31:54,0 --> 02:31:57,760 +9114 --> 9117.76 +you can go deeper there + +4163 +02:31:55,520 --> 02:31:58,720 +into the description of what is exactly + +4164 +02:31:57,760 --> 02:32:01,840 +the decision + +4165 +02:31:58,719 --> 02:32:04,0 +9118.72 --> 9124 +and you can mix match both i mean under + +4166 +02:32:01,840 --> 02:32:06,478 +selectively attack + +4167 +02:32:04,0 --> 02:32:07,200 +9124 --> 9127.2 +fishing techniques at specific indicator + +4168 +02:32:06,478 --> 02:32:09,438 +level + +4169 +02:32:07,200 --> 02:32:10,560 +maybe another analyst would want to + +4170 +02:32:09,439 --> 02:32:12,239 +classify it + +4171 +02:32:10,559 --> 02:32:14,559 +and and maybe the objectives might be + +4172 +02:32:12,239 --> 02:32:16,719 +different maybe on one for example + +4173 +02:32:14,559 --> 02:32:18,719 +it's more specific for tools but if you + +4174 +02:32:16,719 --> 02:32:20,639 +want to run out statistics + +4175 +02:32:18,719 --> 02:32:22,0 +9138.72 --> 9142 +at the end of i don't know quite early + +4176 +02:32:20,639 --> 02:32:23,840 +meetings and say okay + +4177 +02:32:22,0 --> 02:32:25,600 +9142 --> 9145.6 +how many spearfishing that you receive + +4178 +02:32:23,840 --> 02:32:27,200 +or many emails proofing + +4179 +02:32:25,600 --> 02:32:29,840 +for example if you can control better + +4180 +02:32:27,200 --> 02:32:30,720 +emails proofing uh the spf record and so + +4181 +02:32:29,840 --> 02:32:32,960 +on you can + +4182 +02:32:30,719 --> 02:32:34,719 +just look at the current uh technique + +4183 +02:32:32,959 --> 02:32:35,599 +that are 
used by by the attacker so you + +4184 +02:32:34,719 --> 02:32:38,239 +see that + +4185 +02:32:35,600 --> 02:32:40,79 +those kind of it's full of taxonomies + +4186 +02:32:38,239 --> 02:32:42,799 +that are can be used + +4187 +02:32:40,79 --> 02:32:44,559 +and obviously we usually recommend to + +4188 +02:32:42,799 --> 02:32:46,639 +not enable everything but just + +4189 +02:32:44,559 --> 02:32:47,680 +pick what you really want and some are + +4190 +02:32:46,639 --> 02:32:50,79 +very generic + +4191 +02:32:47,680 --> 02:32:51,40 +some are more advanced but that's maybe + +4192 +02:32:50,79 --> 02:32:54,559 +something that you + +4193 +02:32:51,40 --> 02:32:56,319 +we dig into more afterwards but + +4194 +02:32:54,559 --> 02:32:57,840 +just be careful of which kind of + +4195 +02:32:56,318 --> 02:32:58,799 +taxonomy you want to use because it will + +4196 +02:32:57,840 --> 02:33:01,280 +be the language + +4197 +02:32:58,799 --> 02:33:02,478 +that you use with the community and your + +4198 +02:33:01,280 --> 02:33:07,840 +partners + +4199 +02:33:02,478 --> 02:33:07,840 +for sharing this information + +4200 +02:33:09,200 --> 02:33:12,640 +maybe something interesting to look into + +4201 +02:33:10,879 --> 02:33:14,478 +the email and that's linked to + +4202 +02:33:12,639 --> 02:33:16,0 +9192.64 --> 9196 +classifications but there's this comment + +4203 +02:33:14,478 --> 02:33:17,840 +there please + +4204 +02:33:16,0 --> 02:33:19,520 +9196 --> 9199.52 +please be mindful that this is an + +4205 +02:33:17,840 --> 02:33:22,0 +9197.84 --> 9202 +ongoing investigation and we would like + +4206 +02:33:19,520 --> 02:33:23,920 +to avoid + +4207 +02:33:22,0 --> 02:33:25,439 +9202 --> 9205.439 +informing the attacker or the detection + +4208 +02:33:23,920 --> 02:33:28,478 +and can we ask you to + +4209 +02:33:25,439 --> 02:33:32,318 +to only use the content information + +4210 +02:33:28,478 --> 02:33:34,0 +9208.479 --> 9214 +to to protect your constituents so + +4211 +02:33:32,318 
--> 02:33:35,519 +this is kind of that you are language + +4212 +02:33:34,0 --> 02:33:37,600 +9214 --> 9217.6 +describing to you what kind of + +4213 +02:33:35,520 --> 02:33:40,640 +classification it is + +4214 +02:33:37,600 --> 02:33:44,479 +um and so no + +4215 +02:33:40,639 --> 02:33:46,799 +which one should we use so um if we are + +4216 +02:33:44,478 --> 02:33:48,639 +first members if we are using the first + +4217 +02:33:46,799 --> 02:33:50,159 +community obviously the classification + +4218 +02:33:48,639 --> 02:33:52,398 +that we will use + +4219 +02:33:50,159 --> 02:33:53,600 +is not the nato one or the ministry of + +4220 +02:33:52,398 --> 02:33:57,920 +defense in whatever + +4221 +02:33:53,600 --> 02:34:01,840 +country it's really tlp so then again + +4222 +02:33:57,920 --> 02:34:05,920 +based on that we will look into + +4223 +02:34:01,840 --> 02:34:09,200 +different taxonomy that we have + +4224 +02:34:05,920 --> 02:34:12,719 +we can look for for tlp + +4225 +02:34:09,200 --> 02:34:15,280 +and i should not do that like that + +4226 +02:34:12,719 --> 02:34:17,39 +i go for the tlp library and then i have + +4227 +02:34:15,280 --> 02:34:21,120 +the + +4228 +02:34:17,40 --> 02:34:22,240 +specific taxonomy tlp and then you have + +4229 +02:34:21,120 --> 02:34:24,560 +the different one + +4230 +02:34:22,239 --> 02:34:27,280 +in this case they say you have to share + +4231 +02:34:24,559 --> 02:34:29,840 +it with your confusion only so + +4232 +02:34:27,280 --> 02:34:30,800 +tlp amber seems to be the most + +4233 +02:34:29,840 --> 02:34:33,280 +appropriate + +4234 +02:34:30,799 --> 02:34:34,879 +one we say that the lpm bill information + +4235 +02:34:33,280 --> 02:34:36,399 +is given to organization + +4236 +02:34:34,879 --> 02:34:38,0 +9274.88 --> 9278 +sharing limited within organization to + +4237 +02:34:36,398 --> 02:34:40,639 +basically act upon + +4238 +02:34:38,0 --> 02:34:41,439 +9278 --> 9281.439 +if we have the extended classifications + +4239 
+02:34:40,639 --> 02:34:44,478 +from first + +4240 +02:34:41,439 --> 02:34:47,200 +it includes the constituent + +4241 +02:34:44,478 --> 02:34:48,559 +too so i will just use a tmp but i + +4242 +02:34:47,200 --> 02:34:50,159 +mentioned something else that is + +4243 +02:34:48,559 --> 02:34:52,959 +interesting + +4244 +02:34:50,159 --> 02:34:53,600 +in the email they mentioned that this is + +4245 +02:34:52,959 --> 02:34:57,199 +an ongoing + +4246 +02:34:53,600 --> 02:35:00,479 +association to avoid + +4247 +02:34:57,200 --> 02:35:02,479 +informing the attacker in this case + +4248 +02:35:00,478 --> 02:35:03,760 +or would you inform the attacker but if + +4249 +02:35:02,478 --> 02:35:06,79 +you do actions + +4250 +02:35:03,760 --> 02:35:08,79 +on specific indicators and attributes + +4251 +02:35:06,79 --> 02:35:10,239 +you might want to restrict that + +4252 +02:35:08,79 --> 02:35:13,200 +so there is a another classification i + +4253 +02:35:10,239 --> 02:35:16,398 +don't know if this one is enabled + +4254 +02:35:13,200 --> 02:35:19,840 +it's called pap which is exactly that + +4255 +02:35:16,398 --> 02:35:22,559 +it's similar to tlp but describing + +4256 +02:35:19,840 --> 02:35:24,159 +what you can do with this information if + +4257 +02:35:22,559 --> 02:35:26,799 +we don't want to + +4258 +02:35:24,159 --> 02:35:27,439 +at least notify the attacker that we are + +4259 +02:35:26,799 --> 02:35:29,679 +doing some + +4260 +02:35:27,439 --> 02:35:31,40 +further investigations maybe we want to + +4261 +02:35:29,680 --> 02:35:34,0 +9329.68 --> 9334 +restrict that + +4262 +02:35:31,40 --> 02:35:35,840 +and the prp is really telling you what + +4263 +02:35:34,0 --> 02:35:37,200 +9334 --> 9337.2 +are the permissive action that you can + +4264 +02:35:35,840 --> 02:35:40,239 +do + +4265 +02:35:37,200 --> 02:35:42,479 +in our case for example + +4266 +02:35:40,239 --> 02:35:43,520 +non-detectable actions only and that's + +4267 +02:35:42,478 --> 02:35:46,398 +really what he 
wants + +4268 +02:35:43,520 --> 02:35:48,239 +because the supporters say okay we have + +4269 +02:35:46,398 --> 02:35:49,519 +an ongoing investigation so you don't + +4270 +02:35:48,239 --> 02:35:51,600 +want to be here + +4271 +02:35:49,520 --> 02:35:53,120 +um other parties are informed so in this + +4272 +02:35:51,600 --> 02:35:56,800 +case i will use + +4273 +02:35:53,120 --> 02:35:58,800 +red and again this is used at even level + +4274 +02:35:56,799 --> 02:36:00,478 +and that's something quite important + +4275 +02:35:58,799 --> 02:36:02,719 +because myth will take care of that + +4276 +02:36:00,478 --> 02:36:04,639 +um you don't need to set pp rate on + +4277 +02:36:02,719 --> 02:36:07,920 +every single attribute + +4278 +02:36:04,639 --> 02:36:09,279 +behind it's really at even level so it's + +4279 +02:36:07,920 --> 02:36:12,239 +automatically + +4280 +02:36:09,280 --> 02:36:14,0 +9369.28 --> 9374 +irritating on all attributes we don't + +4281 +02:36:12,239 --> 02:36:16,0 +9372.24 --> 9376 +show it on the interface + +4282 +02:36:14,0 --> 02:36:18,239 +9374 --> 9378.24 +because it will be two clamps to you + +4283 +02:36:16,0 --> 02:36:21,600 +9376 --> 9381.6 +know overload it with information + +4284 +02:36:18,239 --> 02:36:23,280 +but we do it in a way that's on the api + +4285 +02:36:21,600 --> 02:36:26,0 +9381.6 --> 9386 +level if you do section of search for + +4286 +02:36:23,280 --> 02:36:28,319 +example on even level or attribute level + +4287 +02:36:26,0 --> 02:36:30,318 +9386 --> 9390.319 +pip red will be included there if you + +4288 +02:36:28,318 --> 02:36:32,318 +have an attribute + +4289 +02:36:30,318 --> 02:36:34,799 +containing some information + +4290 +02:36:32,318 --> 02:36:38,559 +automatically tags like papers will be + +4291 +02:36:34,799 --> 02:36:40,0 +9394.8 --> 9400 +then included into the information so + +4292 +02:36:38,559 --> 02:36:41,840 +that's something to keep in mind when we + +4293 +02:36:40,0 --> 02:36:43,359 +9400 --> 
9403.359 +have information from third party + +4294 +02:36:41,840 --> 02:36:45,439 +is to to wonder okay what is a + +4295 +02:36:43,359 --> 02:36:46,559 +classification scheme so sometimes they + +4296 +02:36:45,439 --> 02:36:48,398 +don't say + +4297 +02:36:46,559 --> 02:36:50,478 +a specific classification to use that + +4298 +02:36:48,398 --> 02:36:53,439 +you just use natural language or + +4299 +02:36:50,478 --> 02:36:56,159 +just a normal sentence to describe all + +4300 +02:36:53,439 --> 02:36:57,760 +the information should be shared + +4301 +02:36:56,159 --> 02:36:59,200 +so the interesting thing here is that + +4302 +02:36:57,760 --> 02:37:00,800 +what we've seen now is we've + +4303 +02:36:59,200 --> 02:37:02,399 +contextualized information in many + +4304 +02:37:00,799 --> 02:37:05,519 +different aspects and this is just + +4305 +02:37:02,398 --> 02:37:08,159 +scraping the uh + +4306 +02:37:05,520 --> 02:37:09,760 +the top layer basically we could go much + +4307 +02:37:08,159 --> 02:37:11,680 +much further with contextualization + +4308 +02:37:09,760 --> 02:37:13,359 +imagine for example describing + +4309 +02:37:11,680 --> 02:37:15,120 +how this information is relevant to + +4310 +02:37:13,359 --> 02:37:16,239 +whether it's used what sort of + +4311 +02:37:15,120 --> 02:37:17,920 +mechanisms they should + +4312 +02:37:16,239 --> 02:37:19,760 +have in place to be able to block this + +4313 +02:37:17,920 --> 02:37:20,879 +information how can you make this useful + +4314 +02:37:19,760 --> 02:37:22,159 +think of different maturity + +4315 +02:37:20,879 --> 02:37:23,679 +organizations as well when you're + +4316 +02:37:22,159 --> 02:37:25,280 +sharing information + +4317 +02:37:23,680 --> 02:37:26,639 +you could also describe information + +4318 +02:37:25,280 --> 02:37:27,840 +about who's behind it what the + +4319 +02:37:26,639 --> 02:37:29,920 +motivations are + +4320 +02:37:27,840 --> 02:37:31,760 +so we did not describe the threat actor + +4321 
+02:37:29,920 --> 02:37:33,359 +because we we haven't done any analysis + +4322 +02:37:31,760 --> 02:37:34,318 +yet this is the initial information we + +4323 +02:37:33,359 --> 02:37:36,640 +got from + +4324 +02:37:34,318 --> 02:37:38,959 +a cser that just reported an incident to + +4325 +02:37:36,639 --> 02:37:41,39 +us but we could go further and we + +4326 +02:37:38,959 --> 02:37:42,799 +if we did our analysis we would find + +4327 +02:37:41,40 --> 02:37:44,960 +who's behind this we could go for it + +4328 +02:37:42,799 --> 02:37:47,119 +for uh for information with threat actor + +4329 +02:37:44,959 --> 02:37:49,279 +we could look at target sectors + +4330 +02:37:47,120 --> 02:37:51,600 +we could look at a lot of different + +4331 +02:37:49,280 --> 02:37:52,960 +information in regards to + +4332 +02:37:51,600 --> 02:37:55,439 +to further contextualizing the + +4333 +02:37:52,959 --> 02:37:55,438 +information + +4334 +02:37:58,239 --> 02:38:01,439 +so in this case we could also for + +4335 +02:37:59,600 --> 02:38:02,479 +example say that's in the truth where + +4336 +02:38:01,439 --> 02:38:03,680 +because we we know that this is + +4337 +02:38:02,478 --> 02:38:05,119 +something that was targeting an + +4338 +02:38:03,680 --> 02:38:07,760 +organization luxembourg + +4339 +02:38:05,120 --> 02:38:08,720 +we know it was there is also a sector uh + +4340 +02:38:07,760 --> 02:38:11,359 +taxonomy + +4341 +02:38:08,719 --> 02:38:12,639 +that you can use so that's not a galaxy + +4342 +02:38:11,359 --> 02:38:14,720 +but the taxonomy + +4343 +02:38:12,639 --> 02:38:16,398 +so we can also add uh for example + +4344 +02:38:14,719 --> 02:38:17,438 +information about the financial sector + +4345 +02:38:16,398 --> 02:38:20,79 +we know the ceo + +4346 +02:38:17,439 --> 02:38:21,600 +is a ceo financial sector organization + +4347 +02:38:20,79 --> 02:38:23,760 +so we could also say that it's + +4348 +02:38:21,600 --> 02:38:25,120 +it probably has to do with that as well + +4349 
+02:38:23,760 --> 02:38:29,840 +maybe it's not enabled + +4350 +02:38:25,120 --> 02:38:29,840 +sorry about that yeah this is + +4351 +02:38:31,200 --> 02:38:35,200 +exactly there if you just search for + +4352 +02:38:33,840 --> 02:38:37,680 +sector it should be there + +4353 +02:38:35,200 --> 02:38:38,319 +yeah but i'm i'm yeah there's something + +4354 +02:38:37,680 --> 02:38:41,600 +that you can do + +4355 +02:38:38,318 --> 02:38:46,79 +talk about about later but it's uh + +4356 +02:38:41,600 --> 02:38:48,159 +just a sector so we have different one + +4357 +02:38:46,79 --> 02:38:49,680 +you did find that so if you there was + +4358 +02:38:48,159 --> 02:38:51,840 +one for finance you can just pick that + +4359 +02:38:49,680 --> 02:38:51,840 +yeah + +4360 +02:38:52,639 --> 02:38:57,519 +something else you can you can do and + +4361 +02:38:54,879 --> 02:38:59,39 +this one is important too it's it's + +4362 +02:38:57,520 --> 02:39:01,280 +going a bit further than the email so + +4363 +02:38:59,40 --> 02:39:02,560 +for example as a source we receive + +4364 +02:39:01,280 --> 02:39:04,79 +emails from various people + +4365 +02:39:02,559 --> 02:39:05,359 +i mean if i receive an email from i + +4366 +02:39:04,79 --> 02:39:05,920 +don't know from an analyst from i don't + +4367 +02:39:05,359 --> 02:39:08,720 +know + +4368 +02:39:05,920 --> 02:39:10,478 +he set mcafee and found that i'm working + +4369 +02:39:08,719 --> 02:39:12,719 +with them for years + +4370 +02:39:10,478 --> 02:39:13,679 +my confidence on this information is + +4371 +02:39:12,719 --> 02:39:16,79 +quite high + +4372 +02:39:13,680 --> 02:39:17,600 +on the other hand if i receive an email + +4373 +02:39:16,79 --> 02:39:19,39 +from someone unknown + +4374 +02:39:17,600 --> 02:39:20,880 +maybe my confidence will be a bit + +4375 +02:39:19,40 --> 02:39:22,479 +different so + +4376 +02:39:20,879 --> 02:39:24,478 +in myths you have plenty of taxonomies + +4377 +02:39:22,478 --> 02:39:26,239 +to express 
confidence + +4378 +02:39:24,478 --> 02:39:28,799 +for example the one that is actively + +4379 +02:39:26,239 --> 02:39:32,0 +9566.24 --> 9572 +used for empowering the military + +4380 +02:39:28,799 --> 02:39:34,799 +network is scale or nato scale + +4381 +02:39:32,0 --> 02:39:35,920 +9572 --> 9575.92 +where you can basically define the + +4382 +02:39:34,799 --> 02:39:37,438 +credibility of the + +4383 +02:39:35,920 --> 02:39:39,600 +of the source in this case we can say + +4384 +02:39:37,439 --> 02:39:40,639 +that we are we know the source and is + +4385 +02:39:39,600 --> 02:39:43,40 +usually really + +4386 +02:39:40,639 --> 02:39:45,358 +reliable so that's the source itself and + +4387 +02:39:43,40 --> 02:39:46,80 +we can say for this specific information + +4388 +02:39:45,359 --> 02:39:49,280 +that is + +4389 +02:39:46,79 --> 02:39:51,39 +um probably true + +4390 +02:39:49,280 --> 02:39:53,439 +because they send us some evidence now + +4391 +02:39:51,40 --> 02:39:53,760 +if i have like three emails taking about + +4392 +02:39:53,439 --> 02:39:57,840 +this + +4393 +02:39:53,760 --> 02:39:59,760 +talking about the same case maybe my + +4394 +02:39:57,840 --> 02:40:01,120 +level of credibility will increase + +4395 +02:39:59,760 --> 02:40:03,359 +because we have multiple people that + +4396 +02:40:01,120 --> 02:40:04,640 +have seen exactly the same kind of thing + +4397 +02:40:03,359 --> 02:40:07,120 +so in this case i will have those kind + +4398 +02:40:04,639 --> 02:40:07,920 +of information there again it's it's a + +4399 +02:40:07,120 --> 02:40:10,0 +9607.12 --> 9610 +way to + +4400 +02:40:07,920 --> 02:40:12,639 +really contextualize information and the + +4401 +02:40:10,0 --> 02:40:15,760 +9610 --> 9615.76 +quality of the information + +4402 +02:40:12,639 --> 02:40:17,599 +and you have for example + +4403 +02:40:15,760 --> 02:40:19,760 +additional one like for example we have + +4404 +02:40:17,600 --> 02:40:22,720 +one called estimative language + +4405 
+02:40:19,760 --> 02:40:23,520 +so this one is more coming from dna and + +4406 +02:40:22,719 --> 02:40:25,599 +the cias + +4407 +02:40:23,520 --> 02:40:27,439 +it's like the likelihood of probability + +4408 +02:40:25,600 --> 02:40:28,960 +that this happen + +4409 +02:40:27,439 --> 02:40:30,720 +so we can say that this one has been + +4410 +02:40:28,959 --> 02:40:31,599 +almost certain and then we can even + +4411 +02:40:30,719 --> 02:40:34,639 +qualify + +4412 +02:40:31,600 --> 02:40:36,880 +or own an analytic judgment on this + +4413 +02:40:34,639 --> 02:40:37,680 +and i can say that it was like quickly + +4414 +02:40:36,879 --> 02:40:39,920 +done and it's + +4415 +02:40:37,680 --> 02:40:40,880 +not perfect i will just say low for + +4416 +02:40:39,920 --> 02:40:42,318 +example + +4417 +02:40:40,879 --> 02:40:43,920 +so then you can have this kind of + +4418 +02:40:42,318 --> 02:40:46,318 +information and you can + +4419 +02:40:43,920 --> 02:40:48,159 +either use it as an even level again or + +4420 +02:40:46,318 --> 02:40:50,0 +9646.319 --> 9650 +a specific review so for example if one + +4421 +02:40:48,159 --> 02:40:52,239 +of the emails it was like + +4422 +02:40:50,0 --> 02:40:54,159 +9650 --> 9654.16 +not properly collected or it was skirts + +4423 +02:40:52,239 --> 02:40:55,840 +or someone modified leather and so on + +4424 +02:40:54,159 --> 02:40:58,959 +maybe you can reduce + +4425 +02:40:55,840 --> 02:41:00,0 +9655.84 --> 9660 +the summative language of the confidence + +4426 +02:40:58,959 --> 02:41:02,0 +9658.96 --> 9662 +level that you have + +4427 +02:41:00,0 --> 02:41:03,359 +9660 --> 9663.359 +in the analytic judgment of the specific + +4428 +02:41:02,0 --> 02:41:06,79 +9662 --> 9666.08 +evidence or element + +4429 +02:41:03,359 --> 02:41:06,960 +by tagging that at attribute level so + +4430 +02:41:06,79 --> 02:41:08,239 +again + +4431 +02:41:06,959 --> 02:41:10,0 +9666.96 --> 9670 +those kind of information that we are + +4432 +02:41:08,239 --> 
02:41:10,639 +putting there are factors and so on are + +4433 +02:41:10,0 --> 02:41:12,799 +9670 --> 9672.8 +more like + +4434 +02:41:10,639 --> 02:41:15,199 +even level but if you have really + +4435 +02:41:12,799 --> 02:41:17,278 +specific things that need to be changed + +4436 +02:41:15,200 --> 02:41:19,439 +or that are specific to the attribute or + +4437 +02:41:17,279 --> 02:41:24,239 +object then you can + +4438 +02:41:19,439 --> 02:41:24,239 +change it in the at the absolute level + +4439 +02:41:26,79 --> 02:41:29,200 +just some other thing on the user + +4440 +02:41:27,520 --> 02:41:31,120 +interface that might be useful too that + +4441 +02:41:29,200 --> 02:41:33,520 +we skipped + +4442 +02:41:31,120 --> 02:41:35,840 +on the metadata of the event you have + +4443 +02:41:33,520 --> 02:41:37,359 +plenty of information there + +4444 +02:41:35,840 --> 02:41:39,359 +why that is interesting regarding + +4445 +02:41:37,359 --> 02:41:40,960 +organization only and distribution + +4446 +02:41:39,359 --> 02:41:42,399 +in this case we just distribute to the + +4447 +02:41:40,959 --> 02:41:44,239 +organization but + +4448 +02:41:42,398 --> 02:41:45,920 +if you have pretty large even at some + +4449 +02:41:44,239 --> 02:41:47,760 +point in time and you want to distribute + +4450 +02:41:45,920 --> 02:41:49,359 +you have this kind of overview there + +4451 +02:41:47,760 --> 02:41:51,40 +which is helping you to + +4452 +02:41:49,359 --> 02:41:53,359 +see at which level you share this + +4453 +02:41:51,40 --> 02:41:55,200 +information in this case it's super easy + +4454 +02:41:53,359 --> 02:41:56,960 +we just distribute it to the training + +4455 +02:41:55,200 --> 02:41:58,960 +organization that's fine + +4456 +02:41:56,959 --> 02:42:00,879 +but if you have a pretty large instance + +4457 +02:41:58,959 --> 02:42:02,959 +with a lot of organization and so on + +4458 +02:42:00,879 --> 02:42:04,719 +it will display you a full graph of + +4459 +02:42:02,959 --> 02:42:07,759 
+where the information will flow + +4460 +02:42:04,719 --> 02:42:07,760 +and will be distributed + +4461 +02:42:08,478 --> 02:42:12,239 +okay now going back to our event uh + +4462 +02:42:11,439 --> 02:42:13,840 +basically + +4463 +02:42:12,239 --> 02:42:15,520 +the reason why we went so deeply into + +4464 +02:42:13,840 --> 02:42:16,318 +the contextualization part is looking at + +4465 +02:42:15,520 --> 02:42:20,0 +9735.52 --> 9740 +this event + +4466 +02:42:16,318 --> 02:42:21,680 +we can already uh use this right away + +4467 +02:42:20,0 --> 02:42:22,639 +9740 --> 9742.64 +when feeding our tools when doing our + +4468 +02:42:21,680 --> 02:42:24,159 +searches + +4469 +02:42:22,639 --> 02:42:25,760 +to basically search for anything + +4470 +02:42:24,159 --> 02:42:26,478 +targeting the financial sector for + +4471 +02:42:25,760 --> 02:42:29,439 +example + +4472 +02:42:26,478 --> 02:42:30,159 +we can search for anything related to + +4473 +02:42:29,439 --> 02:42:33,359 +phishing + +4474 +02:42:30,159 --> 02:42:35,119 +and find the data contained in this + +4475 +02:42:33,359 --> 02:42:37,600 +particular event so this already helps + +4476 +02:42:35,120 --> 02:42:41,40 +us with our filtering mechanisms + +4477 +02:42:37,600 --> 02:42:42,960 +as for pap and tlp those + +4478 +02:42:41,40 --> 02:42:45,120 +tags we can use when we make decisions + +4479 +02:42:42,959 --> 02:42:47,438 +on which tools we feed + +4480 +02:42:45,120 --> 02:42:49,279 +the data to or which partners we share + +4481 +02:42:47,439 --> 02:42:49,840 +the information within the case of tlp + +4482 +02:42:49,279 --> 02:42:51,200 +so + +4483 +02:42:49,840 --> 02:42:52,719 +we're going to see that more tomorrow + +4484 +02:42:51,200 --> 02:42:54,319 +when we're creating synchronization + +4485 +02:42:52,719 --> 02:42:57,278 +links with other instances + +4486 +02:42:54,318 --> 02:42:57,920 +we can for example set restrictions on + +4487 +02:42:57,279 --> 02:43:00,79 +tlp + +4488 +02:42:57,920 --> 
02:43:01,600 +when we're pushing data to another node + +4489 +02:43:00,79 --> 02:43:04,159 +and we can say okay + +4490 +02:43:01,600 --> 02:43:06,0 +9781.6 --> 9786 +no matter what distribution setting + +4491 +02:43:04,159 --> 02:43:07,520 +don't send anything tlp amber in this + +4492 +02:43:06,0 --> 02:43:09,439 +9786 --> 9789.439 +direction for example + +4493 +02:43:07,520 --> 02:43:11,279 +yeah as an example as an example there's + +4494 +02:43:09,439 --> 02:43:12,398 +a very good open source tool um called + +4495 +02:43:11,279 --> 02:43:15,520 +the hive + +4496 +02:43:12,398 --> 02:43:17,119 +for serending and they use pap to + +4497 +02:43:15,520 --> 02:43:19,120 +know which kind of actions they can do + +4498 +02:43:17,120 --> 02:43:22,560 +on the data so if you synchronize them + +4499 +02:43:19,120 --> 02:43:25,680 +with the hive instance you can + +4500 +02:43:22,559 --> 02:43:28,318 +really be sure that what you set + +4501 +02:43:25,680 --> 02:43:29,120 +as pep for example red on the lisp + +4502 +02:43:28,318 --> 02:43:30,959 +instance + +4503 +02:43:29,120 --> 02:43:33,120 +will not generate issues when you are + +4504 +02:43:30,959 --> 02:43:35,438 +starting to expansion within + +4505 +02:43:33,120 --> 02:43:37,359 +cortex on the ice to be sure that the + +4506 +02:43:35,439 --> 02:43:40,559 +information is not basically flowing + +4507 +02:43:37,359 --> 02:43:42,880 +somewhere else so at this point + +4508 +02:43:40,559 --> 02:43:43,840 +something that we didn't do so far is we + +4509 +02:43:42,879 --> 02:43:45,839 +did not include the + +4510 +02:43:43,840 --> 02:43:47,680 +on the initial email so what we're going + +4511 +02:43:45,840 --> 02:43:48,960 +to do now is we're going to use another + +4512 +02:43:47,680 --> 02:43:51,200 +functionality of this that we haven't + +4513 +02:43:48,959 --> 02:43:54,79 +talked much about called the report + +4514 +02:43:51,200 --> 02:43:55,760 +the event report we can also include + +4515 +02:43:54,79 
--> 02:43:58,639 +clear text + +4516 +02:43:55,760 --> 02:44:00,398 +information such as a report description + +4517 +02:43:58,639 --> 02:44:01,599 +and so on together with the event + +4518 +02:44:00,398 --> 02:44:03,439 +so what we're going to do now is + +4519 +02:44:01,600 --> 02:44:05,200 +something very simple we're not going to + +4520 +02:44:03,439 --> 02:44:06,720 +write our own report we have a report + +4521 +02:44:05,200 --> 02:44:07,439 +already available from the original + +4522 +02:44:06,719 --> 02:44:09,119 +source + +4523 +02:44:07,439 --> 02:44:11,439 +so we're just going to paste that entire + +4524 +02:44:09,120 --> 02:44:11,439 +email + +4525 +02:44:14,398 --> 02:44:19,840 +okay just submit for now + +4526 +02:44:21,579 --> 02:44:24,770 +[Music] + +4527 +02:44:26,239 --> 02:44:29,920 +so now if you look at our email + +4528 +02:44:30,318 --> 02:44:34,0 +9870.319 --> 9874 +report we just have a simple report + +4529 +02:44:31,920 --> 02:44:35,359 +during gear text we're going to see an + +4530 +02:44:34,0 --> 02:44:36,879 +9874 --> 9876.88 +example what you can do with this so + +4531 +02:44:35,359 --> 02:44:39,359 +this is all in markdown + +4532 +02:44:36,879 --> 02:44:41,438 +so you could go into edit mode and + +4533 +02:44:39,359 --> 02:44:41,920 +pretty it up add additional information + +4534 +02:44:41,439 --> 02:44:43,600 +there + +4535 +02:44:41,920 --> 02:44:45,40 +we're not going to do that now because + +4536 +02:44:43,600 --> 02:44:46,0 +9883.6 --> 9886 +we're going to just look at an example + +4537 +02:44:45,40 --> 02:44:47,920 +that already has that + +4538 +02:44:46,0 --> 02:44:49,520 +9886 --> 9889.52 +but before we do that let's get back to + +4539 +02:44:47,920 --> 02:44:51,279 +our event and let's assume that we're + +4540 +02:44:49,520 --> 02:44:51,680 +done with it with this entire process we + +4541 +02:44:51,279 --> 02:44:53,520 +have our + +4542 +02:44:51,680 --> 02:44:54,800 +report we have our event we have + +4543 
+02:44:53,520 --> 02:44:56,560 +contextualized all + +4544 +02:44:54,799 --> 02:44:57,920 +our data and let's publish it now to the + +4545 +02:44:56,559 --> 02:44:59,840 +community + +4546 +02:44:57,920 --> 02:45:01,520 +so when it comes to publishing we have + +4547 +02:44:59,840 --> 02:45:05,120 +different uh + +4548 +02:45:01,520 --> 02:45:06,720 +uh ways of achieving that ms by default + +4549 +02:45:05,120 --> 02:45:08,640 +when we create an event like this at + +4550 +02:45:06,719 --> 02:45:10,159 +this stage we have all the data + +4551 +02:45:08,639 --> 02:45:11,439 +contained that we want to share out and + +4552 +02:45:10,159 --> 02:45:13,520 +that we want to use + +4553 +02:45:11,439 --> 02:45:14,639 +however misconsiders this to be + +4554 +02:45:13,520 --> 02:45:17,279 +non-final + +4555 +02:45:14,639 --> 02:45:19,358 +it is not to be used by automation tools + +4556 +02:45:17,279 --> 02:45:20,960 +connected to this + +4557 +02:45:19,359 --> 02:45:22,479 +it is not going to be synchronized out + +4558 +02:45:20,959 --> 02:45:25,759 +to other instances + +4559 +02:45:22,478 --> 02:45:28,959 +and uh and so on + +4560 +02:45:25,760 --> 02:45:31,279 +what we can do now is first of all + +4561 +02:45:28,959 --> 02:45:34,318 +we need to decide how we shared it out + +4562 +02:45:31,279 --> 02:45:35,840 +it is the organization only for now + +4563 +02:45:34,318 --> 02:45:38,639 +so even if we were to publish it it + +4564 +02:45:35,840 --> 02:45:40,719 +would still only be pushed to our own + +4565 +02:45:38,639 --> 02:45:42,239 +tools that connect to our miss but it + +4566 +02:45:40,719 --> 02:45:44,159 +would not be made visible to other + +4567 +02:45:42,239 --> 02:45:45,119 +organizations but we want to change this + +4568 +02:45:44,159 --> 02:45:48,0 +9944.16 --> 9948 +in this case + +4569 +02:45:45,120 --> 02:45:49,520 +however let's assume that uh that when + +4570 +02:45:48,0 --> 02:45:52,398 +9948 --> 9952.399 +we're an organization + +4571 
+02:45:49,520 --> 02:45:53,840 +that does not wish to reveal who we uh + +4572 +02:45:52,398 --> 02:45:56,159 +that we were involved in + +4573 +02:45:53,840 --> 02:45:58,239 +in this entire incident we just want to + +4574 +02:45:56,159 --> 02:46:00,318 +entrust the third party with doing it + +4575 +02:45:58,239 --> 02:46:01,600 +so as you see there where alex is + +4576 +02:46:00,318 --> 02:46:02,318 +hovering we basically have several + +4577 +02:46:01,600 --> 02:46:03,840 +options here + +4578 +02:46:02,318 --> 02:46:06,559 +we can either publish the event which + +4579 +02:46:03,840 --> 02:46:08,79 +means we initiate the entire exchange + +4580 +02:46:06,559 --> 02:46:10,559 +with other instances if the + +4581 +02:46:08,79 --> 02:46:12,159 +distribution allows it it will it will + +4582 +02:46:10,559 --> 02:46:12,719 +alert everyone that we have published + +4583 +02:46:12,159 --> 02:46:14,799 +this + +4584 +02:46:12,719 --> 02:46:16,478 +or alternatively we can we can delegate + +4585 +02:46:14,799 --> 02:46:18,159 +the publishing to third party and stay + +4586 +02:46:16,478 --> 02:46:20,879 +anonymous ourselves so let's do that + +4587 +02:46:18,159 --> 02:46:22,159 +option for now + +4588 +02:46:20,879 --> 02:46:24,0 +9980.88 --> 9984 +so what we're doing now is we're + +4589 +02:46:22,159 --> 02:46:26,478 +entrusting a third party to take over + +4590 +02:46:24,0 --> 02:46:28,559 +9984 --> 9988.56 +this event for us so let's say that we + +4591 +02:46:26,478 --> 02:46:30,478 +would entrust for example circle to take + +4592 +02:46:28,559 --> 02:46:32,398 +over this event + +4593 +02:46:30,478 --> 02:46:34,79 +and we tell circle that we want to share + +4594 +02:46:32,398 --> 02:46:36,840 +this event to be shared with + +4595 +02:46:34,79 --> 02:46:39,840 +uh the entire community so we've + +4596 +02:46:36,840 --> 02:46:39,840 +collected + +4597 +02:46:45,600 --> 02:46:49,359 +yeah you can see this community only for + +4598 +02:46:47,359 --> 
02:46:50,840 +example or a sharing group whatever you + +4599 +02:46:49,359 --> 02:46:53,520 +prefer + +4600 +02:46:50,840 --> 02:46:55,279 +okay so this is again a suggestion to + +4601 +02:46:53,520 --> 02:46:56,960 +the other organization saying okay we + +4602 +02:46:55,279 --> 02:46:57,760 +want you to share this out and we want + +4603 +02:46:56,959 --> 02:47:00,959 +you to share this + +4604 +02:46:57,760 --> 02:47:02,0 +10017.76 --> 10022 +to this community once we click yes + +4605 +02:47:00,959 --> 02:47:04,0 +10020.96 --> 10024 +even though the event was your + +4606 +02:47:02,0 --> 02:47:05,439 +10022 --> 10025.439 +organizational and only visible to us + +4607 +02:47:04,0 --> 02:47:07,680 +10024 --> 10027.68 +it now becomes visible to two + +4608 +02:47:05,439 --> 02:47:08,960 +organizations ourselves + +4609 +02:47:07,680 --> 02:47:10,720 +and the other organization that we + +4610 +02:47:08,959 --> 02:47:12,0 +10028.96 --> 10032 +entrust in this case circle so circle + +4611 +02:47:10,719 --> 02:47:14,318 +would get an email + +4612 +02:47:12,0 --> 02:47:16,79 +10032 --> 10036.08 +saying okay there's this delegation + +4613 +02:47:14,318 --> 02:47:17,119 +request someone wants you to take over + +4614 +02:47:16,79 --> 02:47:18,398 +their event + +4615 +02:47:17,120 --> 02:47:19,920 +are you willing to take it over and + +4616 +02:47:18,398 --> 02:47:21,199 +publish it under your name this will + +4617 +02:47:19,920 --> 02:47:23,120 +look something like this with slightly + +4618 +02:47:21,200 --> 02:47:25,920 +different text we're cheating here now + +4619 +02:47:23,120 --> 02:47:27,600 +since we're doing a training we're site + +4620 +02:47:25,920 --> 02:47:28,478 +administrators and we see both sides of + +4621 +02:47:27,600 --> 02:47:30,239 +the story + +4622 +02:47:28,478 --> 02:47:31,599 +so we can either accept or discard this + +4623 +02:47:30,239 --> 02:47:33,920 +request keep in mind + +4624 +02:47:31,600 --> 02:47:35,200 +if you accept such 
a request the event + +4625 +02:47:33,920 --> 02:47:38,559 +becomes your event + +4626 +02:47:35,200 --> 02:47:40,960 +a copy of it is created under your name + +4627 +02:47:38,559 --> 02:47:42,639 +and basically you are taking + +4628 +02:47:40,959 --> 02:47:44,239 +responsibility for the event from down + +4629 +02:47:42,639 --> 02:47:46,719 +so also make sure that you're not + +4630 +02:47:44,239 --> 02:47:49,39 +pushing junk under your name so in this + +4631 +02:47:46,719 --> 02:47:50,799 +case let's just discard it + +4632 +02:47:49,40 --> 02:47:53,920 +but we could have accepted it and then + +4633 +02:47:50,799 --> 02:47:57,358 +it would have become our event + +4634 +02:47:53,920 --> 02:47:57,359 +okay let's go back to the event + +4635 +02:48:00,79 --> 02:48:04,719 +okay so now the other alternative is if + +4636 +02:48:03,200 --> 02:48:06,240 +you want to publish it under our name + +4637 +02:48:04,719 --> 02:48:07,840 +what you would need to do is you would + +4638 +02:48:06,239 --> 02:48:08,398 +need to raise the distribution level + +4639 +02:48:07,840 --> 02:48:10,639 +first + +4640 +02:48:08,398 --> 02:48:11,599 +if you wanted to uh to involve any other + +4641 +02:48:10,639 --> 02:48:13,39 +parties + +4642 +02:48:11,600 --> 02:48:15,680 +so we need to edit the event in that + +4643 +02:48:13,40 --> 02:48:18,240 +case and raise the distribution level to + +4644 +02:48:15,680 --> 02:48:19,439 +say this community or connected + +4645 +02:48:18,239 --> 02:48:20,318 +communities let's go with connected + +4646 +02:48:19,439 --> 02:48:22,639 +communities + +4647 +02:48:20,318 --> 02:48:24,639 +connected communities means anyone that + +4648 +02:48:22,639 --> 02:48:26,478 +has access to my miss pinsons + +4649 +02:48:24,639 --> 02:48:28,478 +and all the directly interconnected + +4650 +02:48:26,478 --> 02:48:29,199 +instances including all their members as + +4651 +02:48:28,478 --> 02:48:32,478 +well + +4652 +02:48:29,200 --> 02:48:33,920 +so in the case 
for example + +4653 +02:48:32,478 --> 02:48:36,239 +of us publishing something like this in + +4654 +02:48:33,920 --> 02:48:37,439 +the first instance we as circle have our + +4655 +02:48:36,239 --> 02:48:39,439 +instance connected to it + +4656 +02:48:37,439 --> 02:48:40,960 +so all the members of the circle + +4657 +02:48:39,439 --> 02:48:42,800 +instance will automatically also be + +4658 +02:48:40,959 --> 02:48:46,79 +included in the exchange here we see a + +4659 +02:48:42,799 --> 02:48:47,759 +graph of that so we see the event would + +4660 +02:48:46,79 --> 02:48:49,279 +be also visible to all the directly + +4661 +02:48:47,760 --> 02:48:51,120 +connected instances + +4662 +02:48:49,279 --> 02:48:53,40 +which we only have one of which is a + +4663 +02:48:51,120 --> 02:48:56,640 +loopback + +4664 +02:48:53,40 --> 02:48:57,520 +connection to exchange so not that + +4665 +02:48:56,639 --> 02:48:59,119 +interesting + +4666 +02:48:57,520 --> 02:49:00,960 +and to everyone that has access to this + +4667 +02:48:59,120 --> 02:49:04,160 +current instance + +4668 +02:49:00,959 --> 02:49:04,639 +okay once we're done we can click + +4669 +02:49:04,159 --> 02:49:08,159 +publish + +4670 +02:49:04,639 --> 02:49:08,159 +and then the event gets synchronized + +4671 +02:49:08,639 --> 02:49:12,0 +10148.64 --> 10152 +so what happens at this stage is first + +4672 +02:49:10,639 --> 02:49:14,799 +of all the event will jump + +4673 +02:49:12,0 --> 02:49:16,559 +10152 --> 10156.56 +over to directly connected instances + +4674 +02:49:14,799 --> 02:49:18,239 +miss will send out a bunch of emails to + +4675 +02:49:16,559 --> 02:49:20,559 +everyone that subscribes to + +4676 +02:49:18,239 --> 02:49:22,959 +publish alerts that there is a new event + +4677 +02:49:20,559 --> 02:49:25,760 +with all the data contained within + +4678 +02:49:22,959 --> 02:49:27,759 +it will push the event down various + +4679 +02:49:25,760 --> 02:49:32,478 +local channels to other tools + +4680 +02:49:27,760 
--> 02:49:34,0 +10167.76 --> 10174 +using xeromq kafka and so on and syslog + +4681 +02:49:32,478 --> 02:49:35,679 +so if you have any tools that are + +4682 +02:49:34,0 --> 02:49:37,600 +10174 --> 10177.6 +subscribed to these + +4683 +02:49:35,680 --> 02:49:38,800 +published feeds and they will ingest the + +4684 +02:49:37,600 --> 02:49:40,559 +data + +4685 +02:49:38,799 --> 02:49:42,478 +and it will also make it available to + +4686 +02:49:40,559 --> 02:49:44,0 +10180.56 --> 10184 +the api and to make it available to all + +4687 +02:49:42,478 --> 02:49:47,119 +the integration + +4688 +02:49:44,0 --> 02:49:49,359 +10184 --> 10189.359 +tools out there so if you have your + +4689 +02:49:47,120 --> 02:49:51,359 +your scene connected to miss it will now + +4690 +02:49:49,359 --> 02:49:54,559 +be able to fetch the data + +4691 +02:49:51,359 --> 02:49:55,200 +contained in this event so this is + +4692 +02:49:54,559 --> 02:49:57,600 +basically + +4693 +02:49:55,200 --> 02:49:58,319 +the publishing process however there is + +4694 +02:49:57,600 --> 02:50:00,79 +uh + +4695 +02:49:58,318 --> 02:50:01,840 +if at this point we noticed that okay + +4696 +02:50:00,79 --> 02:50:03,600 +we've now shared this event out + +4697 +02:50:01,840 --> 02:50:06,840 +but we've actually made a typo in the + +4698 +02:50:03,600 --> 02:50:10,0 +10203.6 --> 10210 +title we we wanted to include + +4699 +02:50:06,840 --> 02:50:13,760 +uh um i don't know + +4700 +02:50:10,0 --> 02:50:16,239 +10210 --> 10216.24 +a trailing period at the end of the + +4701 +02:50:13,760 --> 02:50:16,239 +sentence + +4702 +02:50:19,279 --> 02:50:23,279 +in the title and we edit the event what + +4703 +02:50:21,439 --> 02:50:24,639 +happens now is there is a modification + +4704 +02:50:23,279 --> 02:50:26,800 +to the event so even though it was + +4705 +02:50:24,639 --> 02:50:30,79 +published it becomes unpublished again + +4706 +02:50:26,799 --> 02:50:31,920 +and it needs to be to be republished now + +4707 
+02:50:30,79 --> 02:50:33,760 +the reason why we do this is + +4708 +02:50:31,920 --> 02:50:37,680 +uh whenever there is a change we need to + +4709 +02:50:33,760 --> 02:50:39,920 +synchronize it out to + +4710 +02:50:37,680 --> 02:50:40,720 +and if you have a publishing process in + +4711 +02:50:39,920 --> 02:50:42,478 +place where + +4712 +02:50:40,719 --> 02:50:44,159 +so only certain users have access to + +4713 +02:50:42,478 --> 02:50:45,760 +publishing rights for example + +4714 +02:50:44,159 --> 02:50:47,359 +then anytime your organization is + +4715 +02:50:45,760 --> 02:50:49,120 +pushing out information + +4716 +02:50:47,359 --> 02:50:50,800 +it can go through the irregular vetting + +4717 +02:50:49,120 --> 02:50:52,319 +process so any change will unset the + +4718 +02:50:50,799 --> 02:50:54,318 +publishing of the event + +4719 +02:50:52,318 --> 02:50:55,840 +now in this case this is a very small + +4720 +02:50:54,318 --> 02:50:57,519 +change that we've made so we don't want + +4721 +02:50:55,840 --> 02:50:59,920 +to actually send out events to all their + +4722 +02:50:57,520 --> 02:51:03,40 +users we don't want to spam them with + +4723 +02:50:59,920 --> 02:51:03,920 +data that is pretty relevant for them so + +4724 +02:51:03,40 --> 02:51:05,520 +we can publish + +4725 +02:51:03,920 --> 02:51:09,279 +do the publishing again but this time + +4726 +02:51:05,520 --> 02:51:11,40 +using the publish no email option + +4727 +02:51:09,279 --> 02:51:12,640 +so it will also synchronize the data it + +4728 +02:51:11,40 --> 02:51:13,439 +will again make it available to all + +4729 +02:51:12,639 --> 02:51:16,318 +different + +4730 +02:51:13,439 --> 02:51:19,600 +means of ingesting the data but it will + +4731 +02:51:16,318 --> 02:51:22,159 +not spam our users with emails + +4732 +02:51:19,600 --> 02:51:23,120 +okay so that's basically it for the + +4733 +02:51:22,159 --> 02:51:24,398 +publishing + +4734 +02:51:23,120 --> 02:51:26,399 +and perhaps one thing that is + 
+4735 +02:51:24,398 --> 02:51:27,680 +interesting and that we didn't talk much + +4736 +02:51:26,398 --> 02:51:29,119 +about is + +4737 +02:51:27,680 --> 02:51:30,479 +we have now raised the distribution + +4738 +02:51:29,120 --> 02:51:31,520 +level of this event to connected + +4739 +02:51:30,478 --> 02:51:34,79 +communities + +4740 +02:51:31,520 --> 02:51:35,439 +so the event is synchronized out but we + +4741 +02:51:34,79 --> 02:51:36,398 +actually had an attribute if you look + +4742 +02:51:35,439 --> 02:51:37,760 +further down + +4743 +02:51:36,398 --> 02:51:40,398 +that's had a different distribution + +4744 +02:51:37,760 --> 02:51:41,840 +level uh so that one is actually going + +4745 +02:51:40,398 --> 02:51:43,39 +to be removed from the synchronized + +4746 +02:51:41,840 --> 02:51:45,520 +button + +4747 +02:51:43,40 --> 02:51:49,279 +uh so we had one that the the + +4748 +02:51:45,520 --> 02:51:49,279 +impersonated person's email address + +4749 +02:51:49,359 --> 02:51:52,0 +10309.359 --> 10312 +that was set to organization only so + +4750 +02:51:51,40 --> 02:51:53,120 +whenever we're talking about + +4751 +02:51:52,0 --> 02:51:54,639 +10312 --> 10314.64 +synchronization + +4752 +02:51:53,120 --> 02:51:56,479 +that thing will in this case not + +4753 +02:51:54,639 --> 02:51:59,39 +synchronize out so that will be redacted + +4754 +02:51:56,478 --> 02:51:59,39 +from the event + +4755 +02:51:59,279 --> 02:52:03,680 +okay something else that we can do at + +4756 +02:52:02,239 --> 02:52:05,520 +this point once we have created our + +4757 +02:52:03,680 --> 02:52:06,960 +event is we can also extract it in + +4758 +02:52:05,520 --> 02:52:09,40 +different formats so if you click on + +4759 +02:52:06,959 --> 02:52:10,398 +download s on the left side + +4760 +02:52:09,40 --> 02:52:12,80 +you will see that we can basically + +4761 +02:52:10,398 --> 02:52:13,519 +convert this automatically to a bunch of + +4762 +02:52:12,79 --> 02:52:14,799 +different formats and 
extract it in + +4763 +02:52:13,520 --> 02:52:16,560 +those formats directly + +4764 +02:52:14,799 --> 02:52:18,639 +this is also what we would be accessing + +4765 +02:52:16,559 --> 02:52:20,959 +by the api if you were to search for + +4766 +02:52:18,639 --> 02:52:23,519 +this event we can also mark whatever + +4767 +02:52:20,959 --> 02:52:25,199 +response format we want just very + +4768 +02:52:23,520 --> 02:52:26,560 +briefly we won't go very deeply into + +4769 +02:52:25,200 --> 02:52:30,0 +10345.2 --> 10350 +this these formats + +4770 +02:52:26,559 --> 02:52:31,600 +are coming partially from our predefined + +4771 +02:52:30,0 --> 02:52:33,520 +10350 --> 10353.52 +hard-coded list of formats that we + +4772 +02:52:31,600 --> 02:52:35,600 +support in miss + +4773 +02:52:33,520 --> 02:52:36,800 +but some of these formats also come from + +4774 +02:52:35,600 --> 02:52:40,0 +10355.6 --> 10360 +the different exp + +4775 +02:52:36,799 --> 02:52:41,920 +export modules that we have so if you + +4776 +02:52:40,0 --> 02:52:43,439 +10360 --> 10363.439 +want you can either build your own + +4777 +02:52:41,920 --> 02:52:44,799 +native modules for exporting and + +4778 +02:52:43,439 --> 02:52:47,840 +converting data + +4779 +02:52:44,799 --> 02:52:50,159 +or you can build modules + +4780 +02:52:47,840 --> 02:52:51,279 +that are sitting in another tool called + +4781 +02:52:50,159 --> 02:52:53,39 +miss modules + +4782 +02:52:51,279 --> 02:52:54,560 +side by side with mist that will ingest + +4783 +02:52:53,40 --> 02:52:55,439 +the data and then convert it to other + +4784 +02:52:54,559 --> 02:52:58,159 +formats + +4785 +02:52:55,439 --> 02:53:00,0 +10375.439 --> 10380 +so here's a pdf report that was created + +4786 +02:52:58,159 --> 02:53:03,439 +directly out of the event + +4787 +02:53:00,0 --> 02:53:05,680 +10380 --> 10385.68 +uh and that you can just + +4788 +02:53:03,439 --> 02:53:07,40 +share out directly from the event + +4789 +02:53:05,680 --> 02:53:09,600 +something 
else that you can do + +4790 +02:53:07,40 --> 02:53:11,520 +is uh anything that we do in misp so all + +4791 +02:53:09,600 --> 02:53:13,760 +the process of adding attributes + +4792 +02:53:11,520 --> 02:53:14,720 +all the process of viewing data you can + +4793 +02:53:13,760 --> 02:53:16,478 +also do uh + +4794 +02:53:14,719 --> 02:53:18,318 +so do that in a machine partial way by + +4795 +02:53:16,478 --> 02:53:19,920 +just spending.json at the end of any of + +4796 +02:53:18,318 --> 02:53:21,278 +the url + +4797 +02:53:19,920 --> 02:53:23,120 +so in that case in this event we're + +4798 +02:53:21,279 --> 02:53:23,680 +going to get the json representation of + +4799 +02:53:23,120 --> 02:53:27,760 +the + +4800 +02:53:23,680 --> 02:53:27,760 +event okay + +4801 +02:53:28,79 --> 02:53:32,318 +so that's basically for creating an + +4802 +02:53:30,0 --> 02:53:32,318 +10410 --> 10412.319 +event + +4803 +02:53:33,359 --> 02:53:36,720 +just maybe one thing that is interesting + +4804 +02:53:35,40 --> 02:53:40,80 +we have a very good question from + +4805 +02:53:36,719 --> 02:53:43,119 +martin it's a + +4806 +02:53:40,79 --> 02:53:46,239 +quite complex one but maybe we can + +4807 +02:53:43,120 --> 02:53:49,520 +already partially answer it + +4808 +02:53:46,239 --> 02:53:50,959 +so when you create an event and in this + +4809 +02:53:49,520 --> 02:53:54,79 +case a creator or + +4810 +02:53:50,959 --> 02:53:55,199 +is the training people can contribute on + +4811 +02:53:54,79 --> 02:53:57,680 +that one + +4812 +02:53:55,200 --> 02:53:59,520 +but if you have an isaac and you want to + +4813 +02:53:57,680 --> 02:54:00,318 +distribute back the information and so + +4814 +02:53:59,520 --> 02:54:02,560 +on + +4815 +02:54:00,318 --> 02:54:04,559 +one of the options that you have is to + +4816 +02:54:02,559 --> 02:54:05,760 +try to create extended events for + +4817 +02:54:04,559 --> 02:54:08,879 +example out of it + +4818 +02:54:05,760 --> 02:54:10,398 +so you can um out of an 
event you can + +4819 +02:54:08,879 --> 02:54:13,358 +create a new one + +4820 +02:54:10,398 --> 02:54:14,478 +um which would be for example with + +4821 +02:54:13,359 --> 02:54:18,0 +10453.359 --> 10458 +additional information + +4822 +02:54:14,478 --> 02:54:18,959 +like validations uh additional things + +4823 +02:54:18,0 --> 02:54:21,520 +10458 --> 10461.52 +that you want you + +4824 +02:54:18,959 --> 02:54:22,799 +you want to add so you have this kind of + +4825 +02:54:21,520 --> 02:54:24,159 +extend even and you will create + +4826 +02:54:22,799 --> 02:54:27,358 +automatically a + +4827 +02:54:24,159 --> 02:54:33,920 +new event based on that + +4828 +02:54:27,359 --> 02:54:34,800 +um thing that is interesting there um + +4829 +02:54:33,920 --> 02:54:36,559 +the + +4830 +02:54:34,799 --> 02:54:38,398 +the thing is you can really create + +4831 +02:54:36,559 --> 02:54:40,398 +something completely new + +4832 +02:54:38,398 --> 02:54:42,239 +out of it and then see so for example + +4833 +02:54:40,398 --> 02:54:45,358 +for this case i can say that we + +4834 +02:54:42,239 --> 02:54:47,279 +uh we did a kind of session with + +4835 +02:54:45,359 --> 02:54:50,0 +10485.359 --> 10490 +additional information + +4836 +02:54:47,279 --> 02:54:52,960 +um there the distribution is your + +4837 +02:54:50,0 --> 02:54:52,959 +10490 --> 10492.96 +organization only + +4838 +02:54:53,120 --> 02:54:57,680 +and i would add for example a specific + +4839 +02:54:55,600 --> 02:55:02,159 +attribute + +4840 +02:54:57,680 --> 02:55:05,600 +which is for example targeting data + +4841 +02:55:02,159 --> 02:55:09,359 +and i can say target user uh the son + +4842 +02:55:05,600 --> 02:55:11,439 +of the prime minister + +4843 +02:55:09,359 --> 02:55:12,479 +so it may be information that you really + +4844 +02:55:11,439 --> 02:55:16,159 +don't want to share + +4845 +02:55:12,478 --> 02:55:18,159 +with others so this one is basically + +4846 +02:55:16,159 --> 02:55:19,200 +a normal event with 
additional + +4847 +02:55:18,159 --> 02:55:21,760 +information there + +4848 +02:55:19,200 --> 02:55:24,79 +and it's only shared within your + +4849 +02:55:21,760 --> 02:55:26,239 +organization + +4850 +02:55:24,79 --> 02:55:27,600 +nevertheless if you go to the original + +4851 +02:55:26,239 --> 02:55:29,119 +event + +4852 +02:55:27,600 --> 02:55:31,279 +you have this kind of extended view + +4853 +02:55:29,120 --> 02:55:35,279 +there and we can have + +4854 +02:55:31,279 --> 02:55:38,560 +what we call an extended view and not an + +4855 +02:55:35,279 --> 02:55:41,600 +atomic view and the two information + +4856 +02:55:38,559 --> 02:55:43,760 +so the is combined and you can see there + +4857 +02:55:41,600 --> 02:55:46,159 +that we have one with the information + +4858 +02:55:43,760 --> 02:55:49,760 +about the son of the prime minister + +4859 +02:55:46,159 --> 02:55:52,478 +which is the extended event there so + +4860 +02:55:49,760 --> 02:55:53,200 +just to answer the question of martin + +4861 +02:55:52,478 --> 02:55:56,559 +about + +4862 +02:55:53,200 --> 02:55:58,880 +the question about + +4863 +02:55:56,559 --> 02:56:00,239 +adding information on existing event is + +4864 +02:55:58,879 --> 02:56:03,278 +one way of doing it + +4865 +02:56:00,239 --> 02:56:05,840 +so using extended event is a way to + +4866 +02:56:03,279 --> 02:56:07,200 +qualify or extend even with additional + +4867 +02:56:05,840 --> 02:56:09,600 +information and so on + +4868 +02:56:07,200 --> 02:56:10,479 +um it's actively used for example for + +4869 +02:56:09,600 --> 02:56:12,559 +when you have + +4870 +02:56:10,478 --> 02:56:14,318 +two different view of the information + +4871 +02:56:12,559 --> 02:56:15,519 +because one is distributed and another + +4872 +02:56:14,318 --> 02:56:17,920 +one is like + +4873 +02:56:15,520 --> 02:56:19,120 +likely like the private information like + +4874 +02:56:17,920 --> 02:56:21,120 +the forensic evidence + +4875 +02:56:19,120 --> 02:56:22,800 +that you 
cannot share for example you + +4876 +02:56:21,120 --> 02:56:24,399 +can create this kind of thing + +4877 +02:56:22,799 --> 02:56:25,599 +it's one way of doing it it's not + +4878 +02:56:24,398 --> 02:56:26,959 +answering companies the question of + +4879 +02:56:25,600 --> 02:56:29,439 +martin but we can + +4880 +02:56:26,959 --> 02:56:31,358 +even go deeper later on that but it's + +4881 +02:56:29,439 --> 02:56:32,559 +it's one way of + +4882 +02:56:31,359 --> 02:56:34,559 +because tomorrow we talk about + +4883 +02:56:32,559 --> 02:56:36,0 +10592.56 --> 10596 +synchronization there are some specific + +4884 +02:56:34,559 --> 02:56:37,920 +options for isaac like + +4885 +02:56:36,0 --> 02:56:39,359 +10596 --> 10599.359 +and publishing events if we do + +4886 +02:56:37,920 --> 02:56:41,439 +synchronization and so on + +4887 +02:56:39,359 --> 02:56:43,200 +that can be used in some some cases for + +4888 +02:56:41,439 --> 02:56:45,520 +isaac's + +4889 +02:56:43,200 --> 02:56:47,760 +there are many options but that's one + +4890 +02:56:45,520 --> 02:56:50,319 +way of of partially solving + +4891 +02:56:47,760 --> 02:56:51,279 +this kind of issues of not owning the + +4892 +02:56:50,318 --> 02:56:55,600 +data + +4893 +02:56:51,279 --> 02:56:57,359 +is to extend the information + +4894 +02:56:55,600 --> 02:56:59,200 +so i know you have something you want to + +4895 +02:56:57,359 --> 02:57:02,640 +add on rashford + +4896 +02:56:59,200 --> 02:57:02,640 +no no that makes sense + +4897 +02:57:04,239 --> 02:57:08,639 +again for the collaboration on this one + +4898 +02:57:07,40 --> 02:57:11,279 +we can do various things so + +4899 +02:57:08,639 --> 02:57:13,760 +in the case of um you have a typo for + +4900 +02:57:11,279 --> 02:57:15,920 +example in the specifications and so on + +4901 +02:57:13,760 --> 02:57:17,439 +you can make proposal another thing with + +4902 +02:57:15,920 --> 02:57:19,920 +uh + +4903 +02:57:17,439 --> 02:57:21,120 +on the interface here you see that 
you + +4904 +02:57:19,920 --> 02:57:23,680 +can + +4905 +02:57:21,120 --> 02:57:24,880 +basically make either an edit or you see + +4906 +02:57:23,680 --> 02:57:28,398 +that you can make + +4907 +02:57:24,879 --> 02:57:28,879 +a proposed edit so what is the use case + +4908 +02:57:28,398 --> 02:57:30,719 +of that + +4909 +02:57:28,879 --> 02:57:32,398 +it's it's not like for fundamental + +4910 +02:57:30,719 --> 02:57:34,959 +changes but for i would say minor + +4911 +02:57:32,398 --> 02:57:37,119 +challenges on a specific import + +4912 +02:57:34,959 --> 02:57:38,879 +imagine that you don't agree on this one + +4913 +02:57:37,120 --> 02:57:42,720 +on this idea of season + +4914 +02:57:38,879 --> 02:57:46,398 +there's a typo and it's not d5 but e5 + +4915 +02:57:42,719 --> 02:57:48,639 +in the ipv6 rs so you propose the change + +4916 +02:57:46,398 --> 02:57:49,680 +in this case i'm playing both holes here + +4917 +02:57:48,639 --> 02:57:51,920 +but + +4918 +02:57:49,680 --> 02:57:53,120 +what do i have here it's basically an + +4919 +02:57:51,920 --> 02:57:55,520 +attribute + +4920 +02:57:53,120 --> 02:57:56,800 +with a proposal of the church and i'm + +4921 +02:57:55,520 --> 02:57:59,439 +playing the boss roles for the + +4922 +02:57:56,799 --> 02:58:02,799 +contributor roles and + +4923 +02:57:59,439 --> 02:58:05,760 +the original creator then i can say okay + +4924 +02:58:02,799 --> 02:58:07,679 +i accept the change indeed this this + +4925 +02:58:05,760 --> 02:58:10,960 +proposal makes sense + +4926 +02:58:07,680 --> 02:58:14,0 +10687.68 --> 10694 +or are basically discounted and this is + +4927 +02:58:10,959 --> 02:58:18,0 +10690.96 --> 10698 +a way to get updates from + +4928 +02:58:14,0 --> 02:58:19,439 +10694 --> 10699.439 +um from supportive other members other + +4929 +02:58:18,0 --> 02:58:21,40 +10698 --> 10701.04 +organizations and so on + +4930 +02:58:19,439 --> 02:58:22,880 +it's one way to to update the + +4931 +02:58:21,40 --> 02:58:26,960 
+information in this case i will + +4932 +02:58:22,879 --> 02:58:28,879 +discuss it because it's not correct + +4933 +02:58:26,959 --> 02:58:30,879 +we were talking about contributions this + +4934 +02:58:28,879 --> 02:58:32,79 +another way of contributing is the site + +4935 +02:58:30,879 --> 02:58:35,679 +things itself + +4936 +02:58:32,79 --> 02:58:37,39 +so for example for this specifications + +4937 +02:58:35,680 --> 02:58:38,398 +if for example we have an expression + +4938 +02:58:37,40 --> 02:58:39,40 +detection system and we have seen it + +4939 +02:58:38,398 --> 02:58:42,719 +like + +4940 +02:58:39,40 --> 02:58:47,279 +three times in a row we can add + +4941 +02:58:42,719 --> 02:58:48,639 +on on the interface with the api + +4942 +02:58:47,279 --> 02:58:50,640 +through the user interface and so on + +4943 +02:58:48,639 --> 02:58:53,920 +that you have seen that um + +4944 +02:58:50,639 --> 02:58:55,920 +multiple times and like that you can + +4945 +02:58:53,920 --> 02:58:59,200 +share this kind of details about + +4946 +02:58:55,920 --> 02:59:01,200 +the sharing aspect + +4947 +02:58:59,200 --> 02:59:02,800 +so we what we have seen that at this + +4948 +02:59:01,200 --> 02:59:05,359 +specific amount of times we have + +4949 +02:59:02,799 --> 02:59:06,239 +the three counts saying this uh this is + +4950 +02:59:05,359 --> 02:59:07,920 +a site + +4951 +02:59:06,239 --> 02:59:09,520 +and you have seen it and you can do it + +4952 +02:59:07,920 --> 02:59:11,840 +per organization + +4953 +02:59:09,520 --> 02:59:13,439 +or it could be even anonymously you get + +4954 +02:59:11,840 --> 02:59:15,439 +different configuration in the model of + +4955 +02:59:13,439 --> 02:59:18,159 +cycling in mist + +4956 +02:59:15,439 --> 02:59:19,279 +but it's a way to see that an indicator + +4957 +02:59:18,159 --> 02:59:22,799 +has been seen + +4958 +02:59:19,279 --> 02:59:23,680 +or not if one specific are generating + +4959 +02:59:22,799 --> 02:59:25,599 +for example a + +4960 
+02:59:23,680 --> 02:59:28,318 +false positive you can see the negative + +4961 +02:59:25,600 --> 02:59:30,960 +one negative sightings which + +4962 +02:59:28,318 --> 02:59:33,840 +basically tell others that okay this one + +4963 +02:59:30,959 --> 02:59:35,839 +is generating a lot of false positives + +4964 +02:59:33,840 --> 02:59:37,200 +sometimes not every organization agrees + +4965 +02:59:35,840 --> 02:59:38,719 +on the first positive because they have + +4966 +02:59:37,200 --> 02:59:40,800 +different views + +4967 +02:59:38,719 --> 02:59:42,799 +coming from different networks and so on + +4968 +02:59:40,799 --> 02:59:46,318 +that's a way to + +4969 +02:59:42,799 --> 02:59:49,358 +provide feedback so one is delegations + +4970 +02:59:46,318 --> 02:59:57,519 +proposals or another way is to + +4971 +02:59:49,359 --> 02:59:59,760 +basically get affected + +4972 +02:59:57,520 --> 02:59:59,760 +okay + +4973 +03:00:01,439 --> 03:00:04,479 +i'm just trying to go through the + +4974 +03:00:02,719 --> 03:00:07,278 +questions yeah + +4975 +03:00:04,478 --> 03:00:08,478 +maybe yes maybe there are some yeah + +4976 +03:00:07,279 --> 03:00:10,560 +there are some that are repeating so + +4977 +03:00:08,478 --> 03:00:12,799 +perhaps it's good to call them out + +4978 +03:00:10,559 --> 03:00:13,680 +uh so there was a bit of confusion about + +4979 +03:00:12,799 --> 03:00:16,0 +10812.8 --> 10816 +how to add the + +4980 +03:00:13,680 --> 03:00:17,40 +uh the email object so it uh checked it + +4981 +03:00:16,0 --> 03:00:19,200 +10816 --> 10819.2 +is a little bit + +4982 +03:00:17,40 --> 03:00:20,880 +uh confusing so when you're in an event + +4983 +03:00:19,200 --> 03:00:22,960 +and you click on add objects first you + +4984 +03:00:20,879 --> 03:00:24,559 +need to select the scope + +4985 +03:00:22,959 --> 03:00:26,478 +from which you choose from so it's going + +4986 +03:00:24,559 --> 03:00:28,559 +to be climate file and so on just click + +4987 +03:00:26,478 --> 03:00:30,159 
+on all objects if you're unsure + +4988 +03:00:28,559 --> 03:00:31,680 +and then you can search for whatever so + +4989 +03:00:30,159 --> 03:00:32,398 +after you click on all objects and you + +4990 +03:00:31,680 --> 03:00:35,920 +type email + +4991 +03:00:32,398 --> 03:00:38,0 +10832.399 --> 10838 +it's going to show your email object + +4992 +03:00:35,920 --> 03:00:39,520 +here the first step is more like finding + +4993 +03:00:38,0 --> 03:00:41,680 +10838 --> 10841.68 +out the category of an object + +4994 +03:00:39,520 --> 03:00:43,200 +yeah so so some sometimes you just know + +4995 +03:00:41,680 --> 03:00:44,880 +the category but you don't know what is + +4996 +03:00:43,200 --> 03:00:46,800 +really available there for you + +4997 +03:00:44,879 --> 03:00:48,719 +so you you want to see okay what sort of + +4998 +03:00:46,799 --> 03:00:50,398 +objects can i use in network contacts + +4999 +03:00:48,719 --> 03:00:52,799 +and i would click on network first + +5000 +03:00:50,398 --> 03:00:54,159 +and then you get a list of of all + +5001 +03:00:52,799 --> 03:00:55,438 +tangently related + +5002 +03:00:54,159 --> 03:00:57,279 +objects that will have to do with + +5003 +03:00:55,439 --> 03:01:00,159 +network connectivity but + +5004 +03:00:57,279 --> 03:01:01,520 +not necessarily describing the same + +5005 +03:01:00,159 --> 03:01:04,639 +concept at all + +5006 +03:01:01,520 --> 03:01:06,319 +uh but if you don't know or + +5007 +03:01:04,639 --> 03:01:08,239 +which the domain you want to pick it + +5008 +03:01:06,318 --> 03:01:10,0 +10866.319 --> 10870 +from or if you know + +5009 +03:01:08,239 --> 03:01:11,600 +exactly already what you want and you + +5010 +03:01:10,0 --> 03:01:13,120 +10870 --> 10873.12 +just want to search by name just click + +5011 +03:01:11,600 --> 03:01:14,159 +on all objects first + +5012 +03:01:13,120 --> 03:01:17,680 +and then you will find what you're + +5013 +03:01:14,159 --> 03:01:20,879 +looking for by just typing it so email + +5014 
+03:01:17,680 --> 03:01:25,40 +is easy to find that way + +5015 +03:01:20,879 --> 03:01:25,39 +okay so just type email and that's it + +5016 +03:01:25,359 --> 03:01:33,359 +okay um other questions + +5017 +03:01:28,639 --> 03:01:35,920 +that were there okay perfect + +5018 +03:01:33,359 --> 03:01:37,359 +and there there were a few other + +5019 +03:01:35,920 --> 03:01:38,398 +questions that i answered in the + +5020 +03:01:37,359 --> 03:01:41,40 +meanwhile maybe it's + +5021 +03:01:38,398 --> 03:01:42,318 +a good idea to read soft about yeah + +5022 +03:01:41,40 --> 03:01:44,240 +indeed there was a good one + +5023 +03:01:42,318 --> 03:01:45,680 +about correlation graph and and + +5024 +03:01:44,239 --> 03:01:47,199 +filtering on it + +5025 +03:01:45,680 --> 03:01:49,40 +indeed we don't have a way to filter the + +5026 +03:01:47,200 --> 03:01:50,479 +correlation graph but it's something + +5027 +03:01:49,40 --> 03:01:52,0 +10909.04 --> 10912 +that we that we've discussed for a while + +5028 +03:01:50,478 --> 03:01:52,398 +already and we want to do it at one + +5029 +03:01:52,0 --> 03:01:54,79 +10912 --> 10914.08 +point + +5030 +03:01:52,398 --> 03:01:56,0 +10912.399 --> 10916 +so that you can add some filter rules in + +5031 +03:01:54,79 --> 03:01:58,79 +there yes + +5032 +03:01:56,0 --> 03:01:59,760 +10916 --> 10919.76 +the only way to to do it here at least + +5033 +03:01:58,79 --> 03:02:01,39 +through the api so that means you you + +5034 +03:01:59,760 --> 03:02:03,840 +done the + +5035 +03:02:01,40 --> 03:02:04,640 +decorating one and then you have to do a + +5036 +03:02:03,840 --> 03:02:07,279 +filtering + +5037 +03:02:04,639 --> 03:02:07,920 +priority but it needs something that's + +5038 +03:02:07,279 --> 03:02:11,279 +uh + +5039 +03:02:07,920 --> 03:02:12,719 +yeah it will be to be added i don't know + +5040 +03:02:11,279 --> 03:02:17,40 +if you have an issue on that one + +5041 +03:02:12,719 --> 03:02:19,199 +um yeah i think we do yes yes + +5042 
+03:02:17,40 --> 03:02:21,760 +so maybe you know what sometimes what we + +5043 +03:02:19,200 --> 03:02:21,760 +do is + +5044 +03:02:21,840 --> 03:02:26,159 +just just to add the one on this one um + +5045 +03:02:24,559 --> 03:02:27,359 +if i'm finding his back + +5046 +03:02:26,159 --> 03:02:29,359 +so i guess you can see what kind of + +5047 +03:02:27,359 --> 03:02:31,40 +issue that we have and so on + +5048 +03:02:29,359 --> 03:02:32,880 +a lot of the issue that we have is more + +5049 +03:02:31,40 --> 03:02:34,960 +like i mean + +5050 +03:02:32,879 --> 03:02:36,318 +around 25 percent 30 percent our basic + +5051 +03:02:34,959 --> 03:02:38,719 +installation problem + +5052 +03:02:36,318 --> 03:02:39,920 +um that's something that you can discuss + +5053 +03:02:38,719 --> 03:02:42,559 +maybe tomorrow about + +5054 +03:02:39,920 --> 03:02:43,359 +about recommendation on on on the + +5055 +03:02:42,559 --> 03:02:45,199 +systems + +5056 +03:02:43,359 --> 03:02:46,559 +we don't need a lot of requirements but + +5057 +03:02:45,200 --> 03:02:48,240 +at least um + +5058 +03:02:46,559 --> 03:02:49,760 +you need to have a lamp system working + +5059 +03:02:48,239 --> 03:02:52,879 +for mariadb + +5060 +03:02:49,760 --> 03:02:56,318 +linux systems and ready running + +5061 +03:02:52,879 --> 03:02:57,759 +so obviously for example an ubuntu + +5062 +03:02:56,318 --> 03:02:59,439 +distribution out of the box is working + +5063 +03:02:57,760 --> 03:03:02,79 +without any problems + +5064 +03:02:59,439 --> 03:03:02,800 +now if you try to install a missponder + +5065 +03:03:02,79 --> 03:03:05,359 +mac os + +5066 +03:03:02,799 --> 03:03:05,920 +you might turn into troubles obviously + +5067 +03:03:05,359 --> 03:03:07,920 +but + +5068 +03:03:05,920 --> 03:03:09,840 +what we recommend is we have install + +5069 +03:03:07,920 --> 03:03:12,159 +automatic install script for + +5070 +03:03:09,840 --> 03:03:14,239 +for ubuntu for example and this one + +5071 +03:03:12,159 --> 03:03:18,239 
+works works quite well + +5072 +03:03:14,239 --> 03:03:18,239 +i wanted to search the issue for + +5073 +03:03:18,398 --> 03:03:22,559 +you just search your correlation for + +5074 +03:03:20,79 --> 03:03:25,840 +correlation yeah + +5075 +03:03:22,559 --> 03:03:26,239 +creation filtering now that will be a + +5076 +03:03:25,840 --> 03:03:29,279 +bit + +5077 +03:03:26,239 --> 03:03:31,439 +too specific i think no really not + +5078 +03:03:29,279 --> 03:03:40,640 +maybe yes we're filtering by correlation + +5079 +03:03:31,439 --> 03:03:43,520 +on feedback + +5080 +03:03:40,639 --> 03:03:43,519 +yeah that's easy + +5081 +03:03:44,719 --> 03:03:55,840 +oh this one maybe yes yeah yeah okay + +5082 +03:03:47,840 --> 03:03:55,840 +this one okay so + +5083 +03:04:03,200 --> 03:04:06,960 +so that's how we work so if you see a + +5084 +03:04:05,200 --> 03:04:08,560 +component issue that + +5085 +03:04:06,959 --> 03:04:10,239 +or a feature that is really interesting + +5086 +03:04:08,559 --> 03:04:11,359 +for you don't hesitate to take an + +5087 +03:04:10,239 --> 03:04:13,600 +existing issue + +5088 +03:04:11,359 --> 03:04:14,479 +about specific requests and add some + +5089 +03:04:13,600 --> 03:04:16,318 +comments there + +5090 +03:04:14,478 --> 03:04:18,0 +11054.479 --> 11058 +like for example it's really the issue + +5091 +03:04:16,318 --> 03:04:20,159 +the feature that you want + +5092 +03:04:18,0 --> 03:04:22,79 +11058 --> 11062.08 +uh is it important for you why and so on + +5093 +03:04:20,159 --> 03:04:25,200 +and then we use that as a source of + +5094 +03:04:22,79 --> 03:04:26,959 +of doing a pd request as an example we + +5095 +03:04:25,200 --> 03:04:29,40 +do + +5096 +03:04:26,959 --> 03:04:30,559 +a release of miss every three weeks + +5097 +03:04:29,40 --> 03:04:34,560 +usually + +5098 +03:04:30,559 --> 03:04:35,359 +and there are many new features on each + +5099 +03:04:34,559 --> 03:04:38,398 +release + +5100 +03:04:35,359 --> 03:04:40,318 +as an example we 
had a request like that + +5101 +03:04:38,398 --> 03:04:43,599 +sami just fixed uh + +5102 +03:04:40,318 --> 03:04:44,559 +two days ago about the events oh we + +5103 +03:04:43,600 --> 03:04:48,640 +didn't even show it + +5104 +03:04:44,559 --> 03:04:50,398 +even timeline and then + +5105 +03:04:48,639 --> 03:04:52,159 +we wanted to have something that is easy + +5106 +03:04:50,398 --> 03:04:52,478 +to set the number of days and then he + +5107 +03:04:52,159 --> 03:04:54,719 +has + +5108 +03:04:52,478 --> 03:04:56,318 +the new feature so sometimes it makes a + +5109 +03:04:54,719 --> 03:04:57,39 +lot of sense so don't hesitate to create + +5110 +03:04:56,318 --> 03:05:00,79 +a + +5111 +03:04:57,40 --> 03:05:01,359 +an issue and and propose a new new + +5112 +03:05:00,79 --> 03:05:05,600 +feature + +5113 +03:05:01,359 --> 03:05:08,79 +which remind me of showing you the even + +5114 +03:05:05,600 --> 03:05:09,520 +timeline because we didn't really show + +5115 +03:05:08,79 --> 03:05:13,359 +it + +5116 +03:05:09,520 --> 03:05:17,840 +so you see that on on this one + +5117 +03:05:13,359 --> 03:05:20,239 +we we have nearly everything + +5118 +03:05:17,840 --> 03:05:21,120 +same time which is basically the time + +5119 +03:05:20,239 --> 03:05:24,79 +when we + +5120 +03:05:21,120 --> 03:05:27,760 +create a different object we just set + +5121 +03:05:24,79 --> 03:05:31,439 +the time for four for one + +5122 +03:05:27,760 --> 03:05:33,120 +so and then i can + +5123 +03:05:31,439 --> 03:05:35,120 +basically look at this one and this one + +5124 +03:05:33,120 --> 03:05:37,760 +is like the + +5125 +03:05:35,120 --> 03:05:40,319 +yeah i don't know why we don't have the + +5126 +03:05:37,760 --> 03:05:41,600 +expansion on that one + +5127 +03:05:40,318 --> 03:05:43,359 +so for you for example if you have a + +5128 +03:05:41,600 --> 03:05:44,960 +specific time we can + +5129 +03:05:43,359 --> 03:05:46,318 +expand it and even change it in the + +5130 +03:05:44,959 --> 03:05:47,679 
+graph so that means if we have for + +5131 +03:05:46,318 --> 03:05:50,559 +example this email + +5132 +03:05:47,680 --> 03:05:51,120 +a thing with that we can we can expand + +5133 +03:05:50,559 --> 03:05:54,0 +11150.56 --> 11154 +it + +5134 +03:05:51,120 --> 03:05:56,240 +and change when when this has been seen + +5135 +03:05:54,0 --> 03:05:58,559 +11154 --> 11158.56 +and we can even uh + +5136 +03:05:56,239 --> 03:06:00,239 +change at which time this specific + +5137 +03:05:58,559 --> 03:06:04,79 +specifically + +5138 +03:06:00,239 --> 03:06:07,439 +but that's again a good point to do + +5139 +03:06:04,79 --> 03:06:10,959 +is to automatically create + +5140 +03:06:07,439 --> 03:06:13,200 +a first thing last scene on your element + +5141 +03:06:10,959 --> 03:06:14,959 +because every time you do that you will + +5142 +03:06:13,200 --> 03:06:16,880 +get an automatic timeline + +5143 +03:06:14,959 --> 03:06:20,478 +and actually a quick i would say quick + +5144 +03:06:16,879 --> 03:06:20,478 +win when you do analysis + +5145 +03:06:21,510 --> 03:06:25,439 +[Music] + +5146 +03:06:23,760 --> 03:06:27,120 +so if there are no more questions about + +5147 +03:06:25,439 --> 03:06:28,800 +event creation perhaps one of the things + +5148 +03:06:27,120 --> 03:06:33,200 +we can do is show the searching + +5149 +03:06:28,799 --> 03:06:33,199 +how to search for stuff in your risk + +5150 +03:06:36,398 --> 03:06:40,239 +okay so this is something that we're + +5151 +03:06:38,799 --> 03:06:42,398 +going to show very briefly now and we're + +5152 +03:06:40,239 --> 03:06:43,199 +going to go a bit more detail into this + +5153 +03:06:42,398 --> 03:06:44,959 +tomorrow + +5154 +03:06:43,200 --> 03:06:47,40 +when we're also going to look at the api + +5155 +03:06:44,959 --> 03:06:47,679 +but generally whenever you're searching + +5156 +03:06:47,40 --> 03:06:49,40 +in miss + +5157 +03:06:47,680 --> 03:06:50,800 +the main question you need to ask + +5158 +03:06:49,40 --> 03:06:52,960 
+yourself is + +5159 +03:06:50,799 --> 03:06:54,719 +what scope am i searching on am i + +5160 +03:06:52,959 --> 03:06:56,879 +searching for individual attributes + +5161 +03:06:54,719 --> 03:06:58,559 +or am i searching for events the search + +5162 +03:06:56,879 --> 03:07:01,278 +filters very often overlapping + +5163 +03:06:58,559 --> 03:07:02,318 +or aren't necessarily almost the same + +5164 +03:07:01,279 --> 03:07:04,79 +but one of the things you need to keep + +5165 +03:07:02,318 --> 03:07:04,398 +in mind is for example if i'm searching + +5166 +03:07:04,79 --> 03:07:06,879 +for + +5167 +03:07:04,398 --> 03:07:09,39 +bitcoin addresses in my miss vincent's + +5168 +03:07:06,879 --> 03:07:11,278 +bitcoin wallets + +5169 +03:07:09,40 --> 03:07:12,640 +am i searching for any event that + +5170 +03:07:11,279 --> 03:07:16,0 +11231.279 --> 11236 +contains at least one + +5171 +03:07:12,639 --> 03:07:18,239 +bitcoin address or am i searching for + +5172 +03:07:16,0 --> 03:07:19,920 +11236 --> 11239.92 +just the bitcoin addresses themselves + +5173 +03:07:18,239 --> 03:07:21,439 +so this is when we decide between + +5174 +03:07:19,920 --> 03:07:23,520 +different scopes so + +5175 +03:07:21,439 --> 03:07:25,200 +generally attribute scope will only give + +5176 +03:07:23,520 --> 03:07:26,399 +you the individual attributes that match + +5177 +03:07:25,200 --> 03:07:27,840 +the criteria + +5178 +03:07:26,398 --> 03:07:29,439 +and the event scope will give you + +5179 +03:07:27,840 --> 03:07:32,239 +everything that contains + +5180 +03:07:29,439 --> 03:07:34,318 +at least one matching value so here what + +5181 +03:07:32,239 --> 03:07:36,639 +what alex did he just searched + +5182 +03:07:34,318 --> 03:07:37,760 +using the attribute search for all the + +5183 +03:07:36,639 --> 03:07:39,519 +bitcoin addresses + +5184 +03:07:37,760 --> 03:07:40,880 +in the air in the instance and we see we + +5185 +03:07:39,520 --> 03:07:42,560 +get a bunch of them from different + +5186 
+03:07:40,879 --> 03:07:44,559 +sources we see which events there + +5187 +03:07:42,559 --> 03:07:46,239 +they're from which organization has + +5188 +03:07:44,559 --> 03:07:47,439 +created that information and so on and + +5189 +03:07:46,239 --> 03:07:49,199 +so forth + +5190 +03:07:47,439 --> 03:07:51,520 +uh if we're happy with the search + +5191 +03:07:49,200 --> 03:07:53,600 +results and we've set up all our + +5192 +03:07:51,520 --> 03:07:55,120 +features and we're getting exactly what + +5193 +03:07:53,600 --> 03:07:57,279 +we were looking for + +5194 +03:07:55,120 --> 03:07:59,120 +maybe even several pages of it like here + +5195 +03:07:57,279 --> 03:08:01,200 +we can download the results in any of + +5196 +03:07:59,120 --> 03:08:02,640 +these supported formats so we could say + +5197 +03:08:01,200 --> 03:08:04,560 +okay now we have all these bitcoin + +5198 +03:08:02,639 --> 03:08:05,278 +addresses out there generate the csv out + +5199 +03:08:04,559 --> 03:08:08,398 +of it + +5200 +03:08:05,279 --> 03:08:10,640 +and it will generate a massive csv + +5201 +03:08:08,398 --> 03:08:13,199 +with all the attribute information for + +5202 +03:08:10,639 --> 03:08:13,199 +each of these + +5203 +03:08:13,840 --> 03:08:18,559 +i hope you're not running my timings + +5204 +03:08:15,760 --> 03:08:18,559 +inside of memory + +5205 +03:08:19,520 --> 03:08:23,120 +there it is + +5206 +03:08:21,760 --> 03:08:26,159 +[Music] + +5207 +03:08:23,120 --> 03:08:28,0 +11303.12 --> 11308 +so if you open it just to see the + +5208 +03:08:26,159 --> 03:08:31,279 +results quickly + +5209 +03:08:28,0 --> 03:08:34,159 +11308 --> 11314.16 +there we go so in this case uh + +5210 +03:08:31,279 --> 03:08:34,960 +we now downloaded our search results as + +5211 +03:08:34,159 --> 03:08:36,559 +csv + +5212 +03:08:34,959 --> 03:08:39,119 +now keep in mind whenever you're dealing + +5213 +03:08:36,559 --> 03:08:39,439 +with integration of mis with other tools + +5214 +03:08:39,120 --> 
03:08:41,439 +or + +5215 +03:08:39,439 --> 03:08:43,680 +exports keep in mind that certain + +5216 +03:08:41,439 --> 03:08:45,200 +formats don't really cater to exporting + +5217 +03:08:43,680 --> 03:08:47,600 +certain types of data so + +5218 +03:08:45,200 --> 03:08:49,439 +if you're searching for ransomware + +5219 +03:08:47,600 --> 03:08:51,920 +payout + +5220 +03:08:49,439 --> 03:08:52,800 +wallets you could for example specify as + +5221 +03:08:51,920 --> 03:08:55,120 +a tag + +5222 +03:08:52,799 --> 03:08:56,398 +all the different ransomware related + +5223 +03:08:55,120 --> 03:08:58,880 +tags that you have + +5224 +03:08:56,398 --> 03:09:00,559 +and uh as a type select btc like what + +5225 +03:08:58,879 --> 03:09:02,239 +alex has done here and exported + +5226 +03:09:00,559 --> 03:09:03,920 +information now when you're deciding + +5227 +03:09:02,239 --> 03:09:05,760 +what format to download in + +5228 +03:09:03,920 --> 03:09:07,920 +again some don't make any sense so don't + +5229 +03:09:05,760 --> 03:09:10,239 +download bitcoin addresses in sticks + +5230 +03:09:07,920 --> 03:09:11,920 +format because sticks doesn't have a + +5231 +03:09:10,239 --> 03:09:13,359 +way to express bitcoin addresses for + +5232 +03:09:11,920 --> 03:09:15,439 +example + +5233 +03:09:13,359 --> 03:09:17,120 +so just make sure that you also take + +5234 +03:09:15,439 --> 03:09:19,760 +that into consideration and exporting + +5235 +03:09:17,120 --> 03:09:22,160 +data so that it's not wasting + +5236 +03:09:19,760 --> 03:09:23,680 +uh besides that we can do the same on + +5237 +03:09:22,159 --> 03:09:24,559 +the event level we can also do searches + +5238 +03:09:23,680 --> 03:09:26,800 +on the event level + +5239 +03:09:24,559 --> 03:09:29,39 +if we go back to our event index we have + +5240 +03:09:26,799 --> 03:09:29,358 +a little magnifying glass icon where you + +5241 +03:09:29,40 --> 03:09:31,600 +can + +5242 +03:09:29,359 --> 03:09:32,479 +add additional filter options to the + 
+5243 +03:09:31,600 --> 03:09:34,720 +index + +5244 +03:09:32,478 --> 03:09:35,519 +and filter the database on that so let's + +5245 +03:09:34,719 --> 03:09:38,159 +just do + +5246 +03:09:35,520 --> 03:09:39,520 +simple we're going to just filter on + +5247 +03:09:38,159 --> 03:09:41,200 +events coming from circle + +5248 +03:09:39,520 --> 03:09:42,960 +and we can also add for example events + +5249 +03:09:41,200 --> 03:09:45,439 +that are not published + +5250 +03:09:42,959 --> 03:09:47,358 +if you wanted to do some final checks on + +5251 +03:09:45,439 --> 03:09:50,960 +whether + +5252 +03:09:47,359 --> 03:09:52,399 +uh we need to add the organization again + +5253 +03:09:50,959 --> 03:09:54,79 +whether we have any events that need to + +5254 +03:09:52,398 --> 03:09:55,840 +be vetted for example for our own + +5255 +03:09:54,79 --> 03:09:57,39 +organization then we could use this + +5256 +03:09:55,840 --> 03:09:58,799 +filter for it + +5257 +03:09:57,40 --> 03:10:00,479 +on the event index all of these search + +5258 +03:09:58,799 --> 03:10:02,559 +filters that you apply + +5259 +03:10:00,478 --> 03:10:03,519 +generate a specific url and you can + +5260 +03:10:02,559 --> 03:10:05,359 +bookmark it + +5261 +03:10:03,520 --> 03:10:06,560 +so if you have recurring queries that + +5262 +03:10:05,359 --> 03:10:08,399 +you want to monitor + +5263 +03:10:06,559 --> 03:10:09,680 +then you can just bookmark the url and + +5264 +03:10:08,398 --> 03:10:11,358 +you can go back to it + +5265 +03:10:09,680 --> 03:10:12,960 +later on and see if there is anything + +5266 +03:10:11,359 --> 03:10:16,880 +that popped up that matches your + +5267 +03:10:12,959 --> 03:10:19,839 +search criteria now generally + +5268 +03:10:16,879 --> 03:10:21,199 +like i think 90 of our searches do not + +5269 +03:10:19,840 --> 03:10:23,600 +actually happen via the ui + +5270 +03:10:21,200 --> 03:10:25,200 +they happen via the api so very often + +5271 +03:10:23,600 --> 03:10:26,79 +you have tools 
that you search through + +5272 +03:10:25,200 --> 03:10:28,479 +so if you have a + +5273 +03:10:26,79 --> 03:10:30,238 +tool that acts as a front-end for your + +5274 +03:10:28,478 --> 03:10:32,0 +11428.479 --> 11432 +miss for certain searches that works as + +5275 +03:10:30,238 --> 03:10:33,439 +well + +5276 +03:10:32,0 --> 03:10:34,959 +11432 --> 11434.96 +we're going to talk more about those + +5277 +03:10:33,439 --> 03:10:37,120 +type of searches and how you integrate + +5278 +03:10:34,959 --> 03:10:39,599 +with other tools tomorrow more + +5279 +03:10:37,120 --> 03:10:41,279 +when we go into the api a bit is a + +5280 +03:10:39,600 --> 03:10:42,960 +question about soft delete attribute + +5281 +03:10:41,279 --> 03:10:45,600 +search + +5282 +03:10:42,959 --> 03:10:47,199 +i just lost the q and a so some martin + +5283 +03:10:45,600 --> 03:10:48,559 +asks is there a way to do a global + +5284 +03:10:47,200 --> 03:10:51,840 +search for software + +5285 +03:10:48,559 --> 03:10:54,318 +attributes yes sorry where is it + +5286 +03:10:51,840 --> 03:10:56,478 +there for software attachments yes there + +5287 +03:10:54,318 --> 03:10:59,359 +is + +5288 +03:10:56,478 --> 03:11:00,879 +uh so not via the ui but via the api uh + +5289 +03:10:59,359 --> 03:11:02,238 +which you can also access + +5290 +03:11:00,879 --> 03:11:03,759 +by the way we have two we have a + +5291 +03:11:02,238 --> 03:11:04,799 +built-in tool we can even show it show + +5292 +03:11:03,760 --> 03:11:08,639 +this example there + +5293 +03:11:04,799 --> 03:11:08,639 +we didn't show the delete i + +5294 +03:11:10,639 --> 03:11:15,39 +and let's start with the question first + +5295 +03:11:12,639 --> 03:11:16,639 +and then we go to the delete + +5296 +03:11:15,40 --> 03:11:18,560 +so we have this built-in tool called the + +5297 +03:11:16,639 --> 03:11:22,478 +rest client that allows us to run + +5298 +03:11:18,559 --> 03:11:24,318 +searches directly from the interface so + +5299 +03:11:22,478 --> 
03:11:26,0 +11482.479 --> 11486 +generally indeed we have a software + +5300 +03:11:24,318 --> 03:11:29,119 +delete mechanism in bisp + +5301 +03:11:26,0 --> 03:11:30,79 +11486 --> 11490.08 +that allows you to to not fully remove + +5302 +03:11:29,120 --> 03:11:32,239 +an attribute but + +5303 +03:11:30,79 --> 03:11:33,920 +mark is for it for deletion the reason + +5304 +03:11:32,238 --> 03:11:36,159 +why we do this in general is + +5305 +03:11:33,920 --> 03:11:37,439 +whenever we're synchronizing information + +5306 +03:11:36,159 --> 03:11:38,799 +and we delete an attribute + +5307 +03:11:37,439 --> 03:11:40,880 +we want to inform all the leather + +5308 +03:11:38,799 --> 03:11:42,159 +instances attribute needs to be removed + +5309 +03:11:40,879 --> 03:11:44,238 +it is revoked + +5310 +03:11:42,159 --> 03:11:45,680 +so this is why we do the soft delete + +5311 +03:11:44,238 --> 03:11:48,478 +when we hide it from the interface + +5312 +03:11:45,680 --> 03:11:50,639 +behind it from the exports + +5313 +03:11:48,478 --> 03:11:52,0 +11508.479 --> 11512 +but we still keep the data and we inform + +5314 +03:11:50,639 --> 03:11:54,0 +11510.64 --> 11514 +the other instances that they need to + +5315 +03:11:52,0 --> 03:11:57,120 +11512 --> 11517.12 +also market for deletion + +5316 +03:11:54,0 --> 03:11:58,799 +11514 --> 11518.8 +now if the question is how do we do a + +5317 +03:11:57,120 --> 03:12:00,319 +global search for all the soft deleted + +5318 +03:11:58,799 --> 03:12:00,799 +attributes so first of all what we need + +5319 +03:12:00,318 --> 03:12:04,478 +to do + +5320 +03:12:00,799 --> 03:12:06,799 +yeah using our little research too + +5321 +03:12:04,478 --> 03:12:08,719 +is by the way we have the modern apis + +5322 +03:12:06,799 --> 03:12:11,438 +here to create a new api unless you know + +5323 +03:12:08,719 --> 03:12:11,438 +yours by heart + +5324 +03:12:12,0 --> 03:12:17,200 +11532 --> 11537.2 +so alex because you it's very good + +5325 +03:12:17,359 --> 
03:12:20,479 +so so just quickly that's so uh so in + +5326 +03:12:19,439 --> 03:12:22,318 +the meanwhile what + +5327 +03:12:20,478 --> 03:12:24,238 +alex is doing now is uh he's going to + +5328 +03:12:22,318 --> 03:12:26,959 +generate a new api key for himself + +5329 +03:12:24,238 --> 03:12:29,359 +so that we can actually test the api uh + +5330 +03:12:26,959 --> 03:12:33,839 +queries + +5331 +03:12:29,359 --> 03:12:33,840 +oh that's one word yeah + +5332 +03:12:35,279 --> 03:12:47,840 +yeah you can add enough key from here as + +5333 +03:12:36,719 --> 03:12:47,840 +well this will work yeah that works + +5334 +03:12:54,129 --> 03:12:57,279 +[Music] + +5335 +03:12:59,680 --> 03:13:16,238 +a global action my profile by the way if + +5336 +03:13:01,520 --> 03:13:16,238 +you want to find your profile okay + +5337 +03:13:17,359 --> 03:13:21,760 +so now we have our api key now we go to + +5338 +03:13:20,159 --> 03:13:22,398 +rest client we just paste it in there + +5339 +03:13:21,760 --> 03:13:25,680 +now + +5340 +03:13:22,398 --> 03:13:25,680 +in the authorization field + +5341 +03:13:27,439 --> 03:13:30,639 +here we go and now what we're going to + +5342 +03:13:28,799 --> 03:13:32,79 +do is we're going to uh to run a search + +5343 +03:13:30,639 --> 03:13:32,478 +for all software attributes so we're + +5344 +03:13:32,79 --> 03:13:35,680 +going to + +5345 +03:13:32,478 --> 03:13:37,519 +search for attribute rest search so that + +5346 +03:13:35,680 --> 03:13:38,960 +is a scope that allows us to search on + +5347 +03:13:37,520 --> 03:13:41,120 +the attribute level we'll do we'll see + +5348 +03:13:38,959 --> 03:13:44,0 +11618.96 --> 11624 +more of this tomorrow + +5349 +03:13:41,120 --> 03:13:47,600 +just a small example for return format + +5350 +03:13:44,0 --> 03:13:47,600 +11624 --> 11627.6 +let's pick something like json + +5351 +03:13:53,520 --> 03:13:59,520 +and perhaps set a page under limit or + +5352 +03:13:56,719 --> 03:14:01,119 +date one limit 100 or 
something like + +5353 +03:13:59,520 --> 03:14:02,479 +that + +5354 +03:14:01,120 --> 03:14:04,640 +i don't know how much was deleted here + +5355 +03:14:02,478 --> 03:14:07,199 +but it might be a lot and uh + +5356 +03:14:04,639 --> 03:14:11,840 +then just uh add another key deleted + +5357 +03:14:07,200 --> 03:14:11,840 +there we go + +5358 +03:14:12,159 --> 03:14:15,439 +and then deleted september + +5359 +03:14:16,398 --> 03:14:19,680 +and we don't need anything else + +5360 +03:14:20,318 --> 03:14:24,478 +and this will return the first 100 hits + +5361 +03:14:23,279 --> 03:14:28,238 +from the instance + +5362 +03:14:24,478 --> 03:14:28,238 +of attributes that are deleted + +5363 +03:14:30,398 --> 03:14:35,278 +there we go and now if you if you wanted + +5364 +03:14:33,600 --> 03:14:36,720 +to paginate through all these attributes + +5365 +03:14:35,279 --> 03:14:37,359 +you would have to just raise the page + +5366 +03:14:36,719 --> 03:14:40,0 +11676.72 --> 11680 +number + +5367 +03:14:37,359 --> 03:14:40,800 +go back and and get page 2 page 3 page 4 + +5368 +03:14:40,0 --> 03:14:42,799 +11680 --> 11682.8 +and so on + +5369 +03:14:40,799 --> 03:14:44,959 +or if we have enough memory certainly my + +5370 +03:14:42,799 --> 03:14:46,318 +training instance definitely doesn't + +5371 +03:14:44,959 --> 03:14:49,278 +then we could just say give us + +5372 +03:14:46,318 --> 03:14:49,278 +everything in one shot + +5373 +03:14:49,600 --> 03:14:53,840 +okay so i hope that answers your + +5374 +03:14:52,79 --> 03:14:56,559 +question martin + +5375 +03:14:53,840 --> 03:14:58,559 +um there is also a question is there an + +5376 +03:14:56,559 --> 03:15:01,600 +official miss docker image + +5377 +03:14:58,559 --> 03:15:04,318 +um and there are actually several uh + +5378 +03:15:01,600 --> 03:15:05,439 +they're not maintained by us but by + +5379 +03:15:04,318 --> 03:15:08,0 +11704.319 --> 11708 +contributors + +5380 +03:15:05,439 --> 03:15:09,200 +that are very active and 
working closely + +5381 +03:15:08,0 --> 03:15:11,680 +11708 --> 11711.68 +with us + +5382 +03:15:09,200 --> 03:15:13,279 +so i've pasted one example in the zoom + +5383 +03:15:11,680 --> 03:15:14,960 +group chat + +5384 +03:15:13,279 --> 03:15:16,560 +i don't know if maybe it's not visible + +5385 +03:15:14,959 --> 03:15:19,119 +to everyone + +5386 +03:15:16,559 --> 03:15:20,719 +i can just drop it as an answer here + +5387 +03:15:19,120 --> 03:15:24,160 +yeah it's better + +5388 +03:15:20,719 --> 03:15:26,79 +so this one is done by cool acid so why + +5389 +03:15:24,159 --> 03:15:29,600 +there are so many docker myths + +5390 +03:15:26,79 --> 03:15:32,398 +that's i think the the + +5391 +03:15:29,600 --> 03:15:35,200 +speciality of docker not everyone agrees + +5392 +03:15:32,398 --> 03:15:37,760 +on a model with docker so there are + +5393 +03:15:35,200 --> 03:15:39,520 +at least as far as i know four or five + +5394 +03:15:37,760 --> 03:15:41,760 +different dockers there's one managed by + +5395 +03:15:39,520 --> 03:15:45,40 +dcso one by cool assist + +5396 +03:15:41,760 --> 03:15:47,359 +one by xavier mcpens and one by + +5397 +03:15:45,40 --> 03:15:48,479 +harvard security and i'm sure i'm + +5398 +03:15:47,359 --> 03:15:51,520 +missing some + +5399 +03:15:48,478 --> 03:15:54,159 +um so the thing is um for + +5400 +03:15:51,520 --> 03:15:55,840 +for the docker images it's depending of + +5401 +03:15:54,159 --> 03:15:57,600 +i would say your test + +5402 +03:15:55,840 --> 03:15:59,439 +so have a look at what the different + +5403 +03:15:57,600 --> 03:16:02,0 +11757.6 --> 11762 +contributors are doing + +5404 +03:15:59,439 --> 03:16:02,800 +and you'll see that you pick the one + +5405 +03:16:02,0 --> 03:16:05,200 +11762 --> 11765.2 +that is + +5406 +03:16:02,799 --> 03:16:06,159 +matching what you really want to do with + +5407 +03:16:05,200 --> 03:16:08,720 +docker + +5408 +03:16:06,159 --> 03:16:09,359 +some are really more separated container + +5409 
+03:16:08,719 --> 03:16:11,199 +wise + +5410 +03:16:09,359 --> 03:16:12,800 +some are more like one single container + +5411 +03:16:11,200 --> 03:16:14,399 +with everything um + +5412 +03:16:12,799 --> 03:16:16,79 +again it's a maker of taste and all you + +5413 +03:16:14,398 --> 03:16:18,398 +want to to operate one + +5414 +03:16:16,79 --> 03:16:19,359 +we don't maintain one as this project + +5415 +03:16:18,398 --> 03:16:21,519 +but there are + +5416 +03:16:19,359 --> 03:16:24,399 +some that are under our missed project + +5417 +03:16:21,520 --> 03:16:24,399 +guitar position + +5418 +03:16:27,200 --> 03:16:33,120 +someone is asking about api key to + +5419 +03:16:29,920 --> 03:16:33,120 +invoke cortex analyzer + +5420 +03:16:33,520 --> 03:16:37,40 +for the cortex analyzer it's a separate + +5421 +03:16:36,398 --> 03:16:40,398 +tool set + +5422 +03:16:37,40 --> 03:16:44,319 +of part of of the i've project + +5423 +03:16:40,398 --> 03:16:46,799 +and then you have specific api keys + +5424 +03:16:44,318 --> 03:16:48,879 +cortex extension is like this module so + +5425 +03:16:46,799 --> 03:16:51,39 +it works for the expansion services + +5426 +03:16:48,879 --> 03:16:52,238 +uh beaker full cortex analyzer are not + +5427 +03:16:51,40 --> 03:16:53,840 +supporting + +5428 +03:16:52,238 --> 03:16:55,600 +objects and stuff like that which is the + +5429 +03:16:53,840 --> 03:16:57,600 +case for its modules + +5430 +03:16:55,600 --> 03:16:59,120 +so you might have expansion on the + +5431 +03:16:57,600 --> 03:17:01,120 +interface but if you want full-blown + +5432 +03:16:59,120 --> 03:17:03,520 +expansion with relationship and so on + +5433 +03:17:01,120 --> 03:17:05,359 +then you can use these modules a lot of + +5434 +03:17:03,520 --> 03:17:06,800 +organizations are mixing both so you can + +5435 +03:17:05,359 --> 03:17:09,359 +have cortex-enabled and + +5436 +03:17:06,799 --> 03:17:10,238 +it's modulus enabled on the same missed + +5437 +03:17:09,359 --> 03:17:11,680 
+instance + +5438 +03:17:10,238 --> 03:17:13,920 +but going back to the question if you + +5439 +03:17:11,680 --> 03:17:16,159 +already have the cortex api encoded in + +5440 +03:17:13,920 --> 03:17:18,960 +your misspen you want to invoke + +5441 +03:17:16,159 --> 03:17:20,959 +a lookup uh through the api through misp + +5442 +03:17:18,959 --> 03:17:22,238 +then you can use your misspik to tell + +5443 +03:17:20,959 --> 03:17:27,438 +your misp to + +5444 +03:17:22,238 --> 03:17:29,520 +run a query against cortex + +5445 +03:17:27,439 --> 03:17:33,200 +but with the new api key models usually + +5446 +03:17:29,520 --> 03:17:33,200 +it's better to have dedicated api + +5447 +03:17:35,600 --> 03:17:42,569 +okay um there is something else easy + +5448 +03:17:39,680 --> 03:17:44,479 +you know that we had it already um + +5449 +03:17:42,569 --> 03:17:46,159 +[Music] + +5450 +03:17:44,478 --> 03:17:48,159 +could you touch on how we could use one + +5451 +03:17:46,159 --> 03:17:50,639 +event to add multiple attributes and how + +5452 +03:17:48,159 --> 03:17:52,398 +would correlation work here uh configure + +5453 +03:17:50,639 --> 03:17:53,358 +event one to fetch all records from a + +5454 +03:17:52,398 --> 03:17:54,799 +fishing feed + +5455 +03:17:53,359 --> 03:17:56,800 +would this work with correlation show + +5456 +03:17:54,799 --> 03:17:58,719 +all instances where any of those + +5457 +03:17:56,799 --> 03:17:59,759 +attributes match with other events from + +5458 +03:17:58,719 --> 03:18:02,799 +other organization + +5459 +03:17:59,760 --> 03:18:03,760 +events well okay if i understand it + +5460 +03:18:02,799 --> 03:18:06,318 +correctly indeed + +5461 +03:18:03,760 --> 03:18:08,318 +so if you if you do that you create an + +5462 +03:18:06,318 --> 03:18:09,920 +event for a fishing feed + +5463 +03:18:08,318 --> 03:18:11,920 +and you have those attributes in there + +5464 +03:18:09,920 --> 03:18:14,879 +and you have cross you have cached + +5465 +03:18:11,920 --> 
03:18:16,879 +other instances then within that that + +5466 +03:18:14,879 --> 03:18:17,519 +feeds event you will see correlations + +5467 +03:18:16,879 --> 03:18:19,278 +both to + +5468 +03:18:17,520 --> 03:18:21,359 +other events created locally on your + +5469 +03:18:19,279 --> 03:18:23,359 +instance by other organizations + +5470 +03:18:21,359 --> 03:18:24,720 +as well as links to other instances that + +5471 +03:18:23,359 --> 03:18:26,960 +have the + +5472 +03:18:24,719 --> 03:18:27,760 +data as long as you have cached those + +5473 +03:18:26,959 --> 03:18:29,438 +events + +5474 +03:18:27,760 --> 03:18:31,120 +so we're going to talk more about that + +5475 +03:18:29,439 --> 03:18:31,840 +tomorrow about the synchronization but + +5476 +03:18:31,120 --> 03:18:33,439 +when you're + +5477 +03:18:31,840 --> 03:18:34,880 +interconnecting with another instance + +5478 +03:18:33,439 --> 03:18:36,639 +you can do it in two ways + +5479 +03:18:34,879 --> 03:18:38,398 +one i want to start exchanging data + +5480 +03:18:36,639 --> 03:18:40,639 +pushing data pooling data + +5481 +03:18:38,398 --> 03:18:42,318 +or two i can just tell my mist to go + +5482 +03:18:40,639 --> 03:18:44,799 +crawl that other instance + +5483 +03:18:42,318 --> 03:18:46,559 +uh hash all the values that they have + +5484 +03:18:44,799 --> 03:18:48,559 +and if i ever get the correlation + +5485 +03:18:46,559 --> 03:18:50,79 +then it flags it for me that it shows me + +5486 +03:18:48,559 --> 03:18:52,79 +and then that the + +5487 +03:18:50,79 --> 03:18:54,238 +instance already knows about this value + +5488 +03:18:52,79 --> 03:18:55,920 +and i can pivot over to previewing the + +5489 +03:18:54,238 --> 03:18:58,398 +data + +5490 +03:18:55,920 --> 03:19:00,79 +so i hope that answers that yeah and + +5491 +03:18:58,398 --> 03:19:01,358 +then the correlation of + +5492 +03:19:00,79 --> 03:19:03,600 +for example if you just enable the + +5493 +03:19:01,359 --> 03:19:05,760 +caching you just see that it's + 
+5494 +03:19:03,600 --> 03:19:08,479 +correlating with specific values without + +5495 +03:19:05,760 --> 03:19:09,279 +providing the full fit sometimes it's + +5496 +03:19:08,478 --> 03:19:11,519 +it's quite + +5497 +03:19:09,279 --> 03:19:13,40 +handy when you have for example see that + +5498 +03:19:11,520 --> 03:19:15,920 +you cannot show the data but you can + +5499 +03:19:13,40 --> 03:19:15,920 +show the correlation + +5500 +03:19:16,159 --> 03:19:19,680 +there's another one do you recommend + +5501 +03:19:17,439 --> 03:19:22,398 +using miss palone or using the hive + +5502 +03:19:19,680 --> 03:19:22,800 +miss cortex integration i mean generally + +5503 +03:19:22,398 --> 03:19:24,478 +yeah + +5504 +03:19:22,799 --> 03:19:26,318 +if you need a case management tool then + +5505 +03:19:24,478 --> 03:19:29,920 +then using the hive for that is great + +5506 +03:19:26,318 --> 03:19:31,439 +and so it makes absolute sense to you to + +5507 +03:19:29,920 --> 03:19:33,920 +use them together + +5508 +03:19:31,439 --> 03:19:34,880 +and integration is really smoothly done + +5509 +03:19:33,920 --> 03:19:36,639 +so that means that + +5510 +03:19:34,879 --> 03:19:38,238 +that no matter where you start your your + +5511 +03:19:36,639 --> 03:19:40,398 +process whether you start + +5512 +03:19:38,238 --> 03:19:41,840 +by creating an event in misp or whether + +5513 +03:19:40,398 --> 03:19:44,79 +you start by creating a + +5514 +03:19:41,840 --> 03:19:46,0 +11981.84 --> 11986 +case in the hive you can basically + +5515 +03:19:44,79 --> 03:19:46,639 +propagate the data to the other tool and + +5516 +03:19:46,0 --> 03:19:49,200 +11986 --> 11989.2 +work on + +5517 +03:19:46,639 --> 03:19:50,79 +on both tools and data so so yeah + +5518 +03:19:49,200 --> 03:19:52,79 +absolutely + +5519 +03:19:50,79 --> 03:19:54,559 +yeah absolutely it's pretty smooth just + +5520 +03:19:52,79 --> 03:19:56,159 +just be careful if you use the expansion + +5521 +03:19:54,559 --> 03:19:58,799 +on mist 
and you have miss modules + +5522 +03:19:56,159 --> 03:20:00,318 +enabled i would prefer to have + +5523 +03:19:58,799 --> 03:20:03,199 +modules enabled because you you + +5524 +03:20:00,318 --> 03:20:06,318 +basically have all the features of mixed + +5525 +03:20:03,200 --> 03:20:08,159 +like relationship objects and so on + +5526 +03:20:06,318 --> 03:20:09,439 +with the cortex integration is basically + +5527 +03:20:08,159 --> 03:20:11,600 +just the over with + +5528 +03:20:09,439 --> 03:20:12,559 +the vortex yeah but one of the things + +5529 +03:20:11,600 --> 03:20:14,79 +that you can do is + +5530 +03:20:12,559 --> 03:20:16,0 +12012.56 --> 12016 +if you start for example from the hive + +5531 +03:20:14,79 --> 03:20:17,279 +perspective and you push the data + +5532 +03:20:16,0 --> 03:20:18,799 +12016 --> 12018.8 +afterwards to misp + +5533 +03:20:17,279 --> 03:20:20,640 +you can then go through this process + +5534 +03:20:18,799 --> 03:20:21,759 +like what we've done here with enriching + +5535 +03:20:20,639 --> 03:20:24,159 +the information + +5536 +03:20:21,760 --> 03:20:25,760 +creating objects that affect attributes + +5537 +03:20:24,159 --> 03:20:27,200 +so you can do it as a secondary step + +5538 +03:20:25,760 --> 03:20:28,0 +12025.76 --> 12028 +before you share it out to community to + +5539 +03:20:27,200 --> 03:20:30,79 +refine the data + +5540 +03:20:28,0 --> 03:20:31,920 +12028 --> 12031.92 +in mis that you've created in the i for + +5541 +03:20:30,79 --> 03:20:33,439 +example and the same thing if you've + +5542 +03:20:31,920 --> 03:20:34,719 +used cortex to fetch additional + +5543 +03:20:33,439 --> 03:20:36,398 +information in the hive + +5544 +03:20:34,719 --> 03:20:38,0 +12034.72 --> 12038 +you can then take that data and further + +5545 +03:20:36,398 --> 03:20:38,959 +enrich it with miss modules once it's a + +5546 +03:20:38,0 --> 03:20:40,959 +12038 --> 12040.96 +message + +5547 +03:20:38,959 --> 03:20:42,79 +yeah this is a good question from 
+ +5548 +03:20:40,959 --> 03:20:45,278 +muammar + +5549 +03:20:42,79 --> 03:20:47,120 +junaid about when i try to import the + +5550 +03:20:45,279 --> 03:20:49,40 +data from six to five it's called + +5551 +03:20:47,120 --> 03:20:50,880 +lazy like can you please explain that a + +5552 +03:20:49,40 --> 03:20:52,640 +bit and this one is interesting + +5553 +03:20:50,879 --> 03:20:54,398 +because it's it's i was saying a long + +5554 +03:20:52,639 --> 03:20:57,358 +long long discussion and that + +5555 +03:20:54,398 --> 03:21:00,0 +12054.399 --> 12060 +that's even influence or miss people + +5556 +03:20:57,359 --> 03:21:03,40 +than the standard behind missed + +5557 +03:21:00,0 --> 03:21:04,0 +12060 --> 12064 +so sticks is really uh focusing on cyber + +5558 +03:21:03,40 --> 03:21:07,279 +security and + +5559 +03:21:04,0 --> 03:21:10,318 +12064 --> 12070.319 +cyber studies religion and + +5560 +03:21:07,279 --> 03:21:11,920 +the the problem is you might have at + +5561 +03:21:10,318 --> 03:21:13,760 +some point in time + +5562 +03:21:11,920 --> 03:21:15,120 +data that are basically not defined + +5563 +03:21:13,760 --> 03:21:17,760 +anywhere + +5564 +03:21:15,120 --> 03:21:20,160 +so it's more for the export of data so + +5565 +03:21:17,760 --> 03:21:23,40 +for example if you export in a mixed + +5566 +03:21:20,159 --> 03:21:23,439 +event and you have for example an object + +5567 +03:21:23,40 --> 03:21:25,520 +with + +5568 +03:21:23,439 --> 03:21:28,479 +the person and stuff like that it won't + +5569 +03:21:25,520 --> 03:21:31,600 +be in the sticks to export for example + +5570 +03:21:28,478 --> 03:21:33,519 +so it means that in misprevent you get + +5571 +03:21:31,600 --> 03:21:35,200 +all the information but it's bound to + +5572 +03:21:33,520 --> 03:21:36,238 +the limitation of the standards and the + +5573 +03:21:35,200 --> 03:21:37,600 +format + +5574 +03:21:36,238 --> 03:21:39,520 +where you export and it's exactly the + +5575 +03:21:37,600 --> 03:21:42,238 
+same for any format i mean if you + +5576 +03:21:39,520 --> 03:21:43,760 +um export a person in theory cata format + +5577 +03:21:42,238 --> 03:21:46,799 +obviously you don't have any + +5578 +03:21:43,760 --> 03:21:47,600 +um field or things like that with person + +5579 +03:21:46,799 --> 03:21:49,438 +and so on so + +5580 +03:21:47,600 --> 03:21:51,439 +that's why we call it losing because uh + +5581 +03:21:49,439 --> 03:21:55,840 +sometimes when you import data + +5582 +03:21:51,439 --> 03:21:55,840 +it's bound to a specific set of + +5583 +03:21:55,920 --> 03:21:58,960 +fields that are supported and so on + +5584 +03:21:58,0 --> 03:22:01,359 +12118 --> 12121.359 +another thing that is + +5585 +03:21:58,959 --> 03:22:02,719 +quite important with sticks you might + +5586 +03:22:01,359 --> 03:22:05,279 +have a lot of + +5587 +03:22:02,719 --> 03:22:06,639 +peculiarities or specialities depending + +5588 +03:22:05,279 --> 03:22:08,479 +on the vendor + +5589 +03:22:06,639 --> 03:22:09,840 +some vendors are adding some some + +5590 +03:22:08,478 --> 03:22:11,679 +specific custom objects + +5591 +03:22:09,840 --> 03:22:13,359 +things like that that are not bound to + +5592 +03:22:11,680 --> 03:22:15,600 +any existing one + +5593 +03:22:13,359 --> 03:22:16,960 +so we are importing them as kind of you + +5594 +03:22:15,600 --> 03:22:20,238 +know generic one but + +5595 +03:22:16,959 --> 03:22:22,238 +it is basically like uh lucy again so + +5596 +03:22:20,238 --> 03:22:23,760 +you have to be careful when you you use + +5597 +03:22:22,238 --> 03:22:26,318 +a specific format + +5598 +03:22:23,760 --> 03:22:27,40 +to be sure that you properly uh map an + +5599 +03:22:26,318 --> 03:22:29,199 +existing + +5600 +03:22:27,40 --> 03:22:31,200 +different one so it's more for the + +5601 +03:22:29,200 --> 03:22:33,520 +export is quite flexible on that so you + +5602 +03:22:31,200 --> 03:22:36,239 +can basically have any object you like + +5603 +03:22:33,520 --> 03:22:36,880 +but 
when we explore for example in 61 we + +5604 +03:22:36,238 --> 03:22:39,840 +just + +5605 +03:22:36,879 --> 03:22:41,39 +support what is existing in sticks even + +5606 +03:22:39,840 --> 03:22:43,359 +if we start we add + +5607 +03:22:41,40 --> 03:22:45,840 +some some custom objects too which are + +5608 +03:22:43,359 --> 03:22:47,840 +on to the missed object + +5609 +03:22:45,840 --> 03:22:49,680 +but some tools will not recognize + +5610 +03:22:47,840 --> 03:22:50,79 +obviously the custom object because they + +5611 +03:22:49,680 --> 03:22:52,79 +are + +5612 +03:22:50,79 --> 03:22:53,840 +just having a profile for a specific set + +5613 +03:22:52,79 --> 03:22:56,398 +of known uh updates + +5614 +03:22:53,840 --> 03:22:56,960 +yeah i think that's exactly the point uh + +5615 +03:22:56,398 --> 03:22:58,238 +that + +5616 +03:22:56,959 --> 03:23:00,959 +maybe is different from when we + +5617 +03:22:58,238 --> 03:23:02,0 +12178.239 --> 12182 +described the text in those import and + +5618 +03:23:00,959 --> 03:23:04,159 +export fields + +5619 +03:23:02,0 --> 03:23:06,159 +12182 --> 12186.16 +we say lossy but in reality what we do + +5620 +03:23:04,159 --> 03:23:07,119 +is we do try to capture everything and + +5621 +03:23:06,159 --> 03:23:08,959 +we do try to map + +5622 +03:23:07,120 --> 03:23:10,479 +everything but a lot of it will end up + +5623 +03:23:08,959 --> 03:23:13,39 +in custom objects now + +5624 +03:23:10,478 --> 03:23:14,959 +now what alex mentioned is the problem + +5625 +03:23:13,40 --> 03:23:16,399 +even if we export bitcoin + +5626 +03:23:14,959 --> 03:23:18,238 +addresses for example whenever we're + +5627 +03:23:16,398 --> 03:23:20,478 +pushing in sticks to format + +5628 +03:23:18,238 --> 03:23:21,359 +as custom objects no other two will pick + +5629 +03:23:20,478 --> 03:23:23,840 +up on it because + +5630 +03:23:21,359 --> 03:23:25,439 +it's if we're just using custom objects + +5631 +03:23:23,840 --> 03:23:27,40 +that unless the other two + 
+5632 +03:23:25,439 --> 03:23:28,720 +specifically looks for them they will + +5633 +03:23:27,40 --> 03:23:31,120 +just either store it as is + +5634 +03:23:28,719 --> 03:23:32,238 +or not know what to do with it yeah and + +5635 +03:23:31,120 --> 03:23:35,439 +that + +5636 +03:23:32,238 --> 03:23:35,680 +that's why we recommend a feed provider + +5637 +03:23:35,439 --> 03:23:38,79 +of + +5638 +03:23:35,680 --> 03:23:39,40 +anderson son to actively support the + +5639 +03:23:38,79 --> 03:23:41,39 +misformat + +5640 +03:23:39,40 --> 03:23:42,840 +then they can they can really impose a + +5641 +03:23:41,40 --> 03:23:44,239 +full set of objects and so that already + +5642 +03:23:42,840 --> 03:23:46,159 +exists + +5643 +03:23:44,238 --> 03:23:47,760 +yeah in some cases however you don't + +5644 +03:23:46,159 --> 03:23:49,439 +really care about having the full set + +5645 +03:23:47,760 --> 03:23:50,960 +and that's where for example specialized + +5646 +03:23:49,439 --> 03:23:53,40 +formats are really cool + +5647 +03:23:50,959 --> 03:23:55,199 +so whenever we're feeding for example an + +5648 +03:23:53,40 --> 03:23:56,560 +ids for example we don't care about + +5649 +03:23:55,200 --> 03:23:59,359 +bitcoin addresses + +5650 +03:23:56,559 --> 03:23:59,760 +so in those cases uh so sticks and misp + +5651 +03:23:59,359 --> 03:24:04,79 +both + +5652 +03:23:59,760 --> 03:24:05,760 +are very expressive uh exchange formats + +5653 +03:24:04,79 --> 03:24:07,920 +but whenever you're dealing with feeding + +5654 +03:24:05,760 --> 03:24:10,238 +tools for example you don't care about + +5655 +03:24:07,920 --> 03:24:11,200 +uh about losing ninety percent even of + +5656 +03:24:10,238 --> 03:24:13,680 +the data set + +5657 +03:24:11,200 --> 03:24:15,120 +as long as you capture those type of + +5658 +03:24:13,680 --> 03:24:17,680 +data points that your tool can + +5659 +03:24:15,120 --> 03:24:19,40 +process in the end so this is why + +5660 +03:24:17,680 --> 03:24:20,559 +generally 
what we recommend is if you + +5661 +03:24:19,40 --> 03:24:21,200 +have the option for example to export + +5662 +03:24:20,559 --> 03:24:23,39 +data from + +5663 +03:24:21,200 --> 03:24:24,800 +is for your ideas for your scene and so + +5664 +03:24:23,40 --> 03:24:27,359 +on and you have the option between for + +5665 +03:24:24,799 --> 03:24:29,519 +example sticks or snort or surikata + +5666 +03:24:27,359 --> 03:24:31,279 +go with snorter sturikata because + +5667 +03:24:29,520 --> 03:24:33,760 +because those are much more + +5668 +03:24:31,279 --> 03:24:35,40 +uh catering to what your two can + +5669 +03:24:33,760 --> 03:24:37,200 +actually understand + +5670 +03:24:35,40 --> 03:24:40,80 +yeah for example for yards the same you + +5671 +03:24:37,200 --> 03:24:41,680 +prefer to have like a good yara who will + +5672 +03:24:40,79 --> 03:24:43,279 +say that you can run into another + +5673 +03:24:41,680 --> 03:24:44,0 +12281.68 --> 12284 +barista or your endpoint protection + +5674 +03:24:43,279 --> 03:24:46,159 +device + +5675 +03:24:44,0 --> 03:24:49,840 +12284 --> 12289.84 +and having a generic one that will not + +5676 +03:24:46,159 --> 03:24:49,840 +help you to lose the detection + +5677 +03:24:52,559 --> 03:24:55,840 +other questions + +5678 +03:24:56,79 --> 03:24:59,120 +you already took that one that is there + +5679 +03:24:58,639 --> 03:25:00,879 +it is + +5680 +03:24:59,120 --> 03:25:03,920 +longer i think we took most of them + +5681 +03:25:00,879 --> 03:25:06,238 +unless they missed one + +5682 +03:25:03,920 --> 03:25:08,398 +and yeah perhaps we should show the + +5683 +03:25:06,238 --> 03:25:09,199 +deletions because we we didn't actually + +5684 +03:25:08,398 --> 03:25:11,760 +show it indeed + +5685 +03:25:09,200 --> 03:25:11,760 +yeah exactly + +5686 +03:25:13,760 --> 03:25:17,40 +okay oh and now we have some more + +5687 +03:25:16,79 --> 03:25:20,159 +questions + +5688 +03:25:17,40 --> 03:25:22,479 +but we can take those after yeah let's + +5689 
+03:25:20,159 --> 03:25:23,920 +quickly show the deletions so if we go + +5690 +03:25:22,478 --> 03:25:25,199 +to an event + +5691 +03:25:23,920 --> 03:25:27,279 +yeah i'll take i'll take a hundred + +5692 +03:25:25,200 --> 03:25:30,800 +members so this is a massive + +5693 +03:25:27,279 --> 03:25:32,319 +gotcha basic basically missed + +5694 +03:25:30,799 --> 03:25:33,840 +uh which we have some protective + +5695 +03:25:32,318 --> 03:25:34,799 +measures in place to avoid this but one + +5696 +03:25:33,840 --> 03:25:37,439 +of the things that you really need to + +5697 +03:25:34,799 --> 03:25:39,759 +watch out for is + +5698 +03:25:37,439 --> 03:25:40,479 +when you when you add data to misspen + +5699 +03:25:39,760 --> 03:25:42,398 +you notice + +5700 +03:25:40,478 --> 03:25:44,238 +oh crap i should not have added a piece + +5701 +03:25:42,398 --> 03:25:45,920 +of information that is + +5702 +03:25:44,238 --> 03:25:47,359 +either confidential information + +5703 +03:25:45,920 --> 03:25:49,520 +information about the victim that i + +5704 +03:25:47,359 --> 03:25:51,760 +should share and so on + +5705 +03:25:49,520 --> 03:25:53,279 +the attribute that attribute might still + +5706 +03:25:51,760 --> 03:25:55,200 +be contained in the event in a + +5707 +03:25:53,279 --> 03:25:57,200 +in a soft deleted format you can always + +5708 +03:25:55,200 --> 03:26:00,319 +toggle and see the deleted attributes + +5709 +03:25:57,200 --> 03:26:00,319 +uh within an event + +5710 +03:26:00,879 --> 03:26:05,39 +so i will create i will create an even + +5711 +03:26:02,559 --> 03:26:05,39 +from scratch + +5712 +03:26:05,840 --> 03:26:10,799 +okay so before i move forward on that so + +5713 +03:26:09,200 --> 03:26:13,120 +we have two protective measures in place + +5714 +03:26:10,799 --> 03:26:16,799 +to avoid accidental information leakage + +5715 +03:26:13,120 --> 03:26:18,479 +violation one is basically that + +5716 +03:26:16,799 --> 03:26:20,318 +that by default we do not use the + 
+5717 +03:26:18,478 --> 03:26:21,519 +software method for anything that was + +5718 +03:26:20,318 --> 03:26:23,519 +unpublished uh + +5719 +03:26:21,520 --> 03:26:24,960 +at first so we're going to show it as an + +5720 +03:26:23,520 --> 03:26:25,760 +example so here's some sensitive + +5721 +03:26:24,959 --> 03:26:27,599 +information + +5722 +03:26:25,760 --> 03:26:30,559 +if alex were to delete this now this + +5723 +03:26:27,600 --> 03:26:32,720 +attribute this would get our deleted + +5724 +03:26:30,559 --> 03:26:33,920 +so this will not create a soft deletion + +5725 +03:26:32,719 --> 03:26:35,760 +uh miss pareto + +5726 +03:26:33,920 --> 03:26:37,200 +tells us are you sure you want to hard + +5727 +03:26:35,760 --> 03:26:38,318 +delete the attribute so when you read + +5728 +03:26:37,200 --> 03:26:40,79 +the text you will see the see the + +5729 +03:26:38,318 --> 03:26:42,0 +12398.319 --> 12402 +difference there in the wording + +5730 +03:26:40,79 --> 03:26:43,520 +uh the reason for that is the event it + +5731 +03:26:42,0 --> 03:26:44,879 +12402 --> 12404.88 +has not been published yet we know that + +5732 +03:26:43,520 --> 03:26:46,79 +it has not probably been propagated to + +5733 +03:26:44,879 --> 03:26:48,0 +12404.88 --> 12408 +other instances + +5734 +03:26:46,79 --> 03:26:50,318 +there is absolutely no reason to inform + +5735 +03:26:48,0 --> 03:26:52,159 +12408 --> 12412.16 +anyone that this has been deleted + +5736 +03:26:50,318 --> 03:26:54,559 +so we can immediately just hard delete + +5737 +03:26:52,159 --> 03:26:56,559 +it so when we do that + +5738 +03:26:54,559 --> 03:26:58,238 +it will get hard deleted however if the + +5739 +03:26:56,559 --> 03:26:59,840 +event has already been published + +5740 +03:26:58,238 --> 03:27:01,760 +this has already been shared out to + +5741 +03:26:59,840 --> 03:27:03,920 +other instances potentially + +5742 +03:27:01,760 --> 03:27:05,439 +so in this case if we were to delete it + +5743 +03:27:03,920 --> 
03:27:06,799 +miss will tell us oh + +5744 +03:27:05,439 --> 03:27:08,720 +are you sure you want to soft delete + +5745 +03:27:06,799 --> 03:27:10,79 +this attribute because this is already a + +5746 +03:27:08,719 --> 03:27:12,639 +published event + +5747 +03:27:10,79 --> 03:27:14,159 +now it looks like our event is empty but + +5748 +03:27:12,639 --> 03:27:15,519 +if you look at the deleted flag you will + +5749 +03:27:14,159 --> 03:27:16,318 +see that the sensitive attribute is + +5750 +03:27:15,520 --> 03:27:18,479 +still there + +5751 +03:27:16,318 --> 03:27:20,478 +and if i were to publish the event now + +5752 +03:27:18,478 --> 03:27:22,0 +12438.479 --> 12442 +this sensitive attribute would + +5753 +03:27:20,478 --> 03:27:25,39 +it would get propagated along with the + +5754 +03:27:22,0 --> 03:27:27,359 +12442 --> 12447.359 +event if you want to avoid this + +5755 +03:27:25,40 --> 03:27:29,200 +altogether there is a way to mangle any + +5756 +03:27:27,359 --> 03:27:31,680 +attribute that gets self-deleted + +5757 +03:27:29,200 --> 03:27:32,800 +what happens in that case is a category + +5758 +03:27:31,680 --> 03:27:34,800 +will be set to other + +5759 +03:27:32,799 --> 03:27:36,639 +type will be set to other and value will + +5760 +03:27:34,799 --> 03:27:38,639 +be set to redacted + +5761 +03:27:36,639 --> 03:27:39,920 +this is a server-wide setting so your + +5762 +03:27:38,639 --> 03:27:41,519 +administrator or if you are the + +5763 +03:27:39,920 --> 03:27:44,318 +administrator and yourself can set this + +5764 +03:27:41,520 --> 03:27:46,159 +setting in the server settings + +5765 +03:27:44,318 --> 03:27:47,519 +the downside of that is if you are + +5766 +03:27:46,159 --> 03:27:49,200 +mangling attributes that you're soft + +5767 +03:27:47,520 --> 03:27:51,279 +deleting it will still inform the other + +5768 +03:27:49,200 --> 03:27:52,880 +instances they will still + +5769 +03:27:51,279 --> 03:27:55,40 +remove the data software the data + +5770 
+03:27:52,879 --> 03:27:57,278 +because the uid is reserved + +5771 +03:27:55,40 --> 03:27:58,239 +however you cannot recover the attribute + +5772 +03:27:57,279 --> 03:28:00,238 +anymore so if + +5773 +03:27:58,238 --> 03:28:01,760 +so in this case right now we deleted + +5774 +03:28:00,238 --> 03:28:02,799 +attribute alex could now click on the + +5775 +03:28:01,760 --> 03:28:04,639 +recover button + +5776 +03:28:02,799 --> 03:28:06,79 +and the attribute will be recovered as a + +5777 +03:28:04,639 --> 03:28:07,920 +normal attribute so if you made a + +5778 +03:28:06,79 --> 03:28:11,39 +mistake you can recover it + +5779 +03:28:07,920 --> 03:28:12,879 +so there are two different mindsets i + +5780 +03:28:11,40 --> 03:28:14,960 +want to make my data recoverable + +5781 +03:28:12,879 --> 03:28:17,278 +versus and i want to always inform + +5782 +03:28:14,959 --> 03:28:20,79 +others versus i want to always + +5783 +03:28:17,279 --> 03:28:21,359 +hard delete data that i delete both of + +5784 +03:28:20,79 --> 03:28:23,520 +them have a setting + +5785 +03:28:21,359 --> 03:28:25,40 +so just pick and choose which whichever + +5786 +03:28:23,520 --> 03:28:27,680 +makes sense for your community + +5787 +03:28:25,40 --> 03:28:28,479 +whether you prefer secrecy or prefer + +5788 +03:28:27,680 --> 03:28:32,79 +convenience + +5789 +03:28:28,478 --> 03:28:34,159 +uh basically so it's basically + +5790 +03:28:32,79 --> 03:28:35,200 +yeah that's delete for that review so if + +5791 +03:28:34,159 --> 03:28:38,318 +we delete an + +5792 +03:28:35,200 --> 03:28:41,120 +event that's another story yeah and this + +5793 +03:28:38,318 --> 03:28:42,398 +this one is interesting because now we + +5794 +03:28:41,120 --> 03:28:44,640 +have these options where we say + +5795 +03:28:42,398 --> 03:28:46,79 +i want to delete this event and + +5796 +03:28:44,639 --> 03:28:46,799 +obviously it will be deleted on your + +5797 +03:28:46,79 --> 03:28:49,200 +instance + +5798 +03:28:46,799 --> 
03:28:50,159 +nevertheless this even has been already + +5799 +03:28:49,200 --> 03:28:52,159 +synchronized + +5800 +03:28:50,159 --> 03:28:53,200 +copy and develop different misc + +5801 +03:28:52,159 --> 03:28:54,398 +instances + +5802 +03:28:53,200 --> 03:28:56,239 +so that means as the next + +5803 +03:28:54,398 --> 03:28:57,39 +synchronizations the event should be + +5804 +03:28:56,238 --> 03:28:59,920 +pulled + +5805 +03:28:57,40 --> 03:29:01,680 +but to avoid such kind of of issue mist + +5806 +03:28:59,920 --> 03:29:05,520 +is automatically generating + +5807 +03:29:01,680 --> 03:29:07,359 +a block list of all those elite events + +5808 +03:29:05,520 --> 03:29:09,600 +so if you are the administrator you can + +5809 +03:29:07,359 --> 03:29:12,238 +see at the block list of events + +5810 +03:29:09,600 --> 03:29:13,120 +you can see the the one that i just + +5811 +03:29:12,238 --> 03:29:16,238 +deleted + +5812 +03:29:13,120 --> 03:29:18,720 +so why we do that it's very simple + +5813 +03:29:16,238 --> 03:29:20,238 +we don't want to re-import the event + +5814 +03:29:18,719 --> 03:29:21,358 +that has been deleted because luckily we + +5815 +03:29:20,238 --> 03:29:23,680 +don't want this event + +5816 +03:29:21,359 --> 03:29:25,520 +so it's a it's a block list of all the + +5817 +03:29:23,680 --> 03:29:28,720 +cgas + +5818 +03:29:25,520 --> 03:29:30,399 +but this this catch there uh sometimes + +5819 +03:29:28,719 --> 03:29:31,760 +we have people oh i'm doing some tests + +5820 +03:29:30,398 --> 03:29:33,439 +and so on i'm synchronizing with miss + +5821 +03:29:31,760 --> 03:29:35,439 +but i can't see my even back + +5822 +03:29:33,439 --> 03:29:36,479 +and obviously yes because it's there in + +5823 +03:29:35,439 --> 03:29:37,840 +this block list + +5824 +03:29:36,478 --> 03:29:39,358 +so if you have some tests and you're + +5825 +03:29:37,840 --> 03:29:40,398 +running some tests don't forget to look + +5826 +03:29:39,359 --> 03:29:44,159 +at the block list + 
+5827 +03:29:40,398 --> 03:29:46,318 +and maybe you want to just remove + +5828 +03:29:44,159 --> 03:29:48,719 +the event for the block keys and then + +5829 +03:29:46,318 --> 03:29:50,478 +you can synchronize back the event + +5830 +03:29:48,719 --> 03:29:52,559 +there's something to keep in mind it's + +5831 +03:29:50,478 --> 03:29:54,79 +there it's done automatically but in + +5832 +03:29:52,559 --> 03:29:54,799 +some cases you want to manage the + +5833 +03:29:54,79 --> 03:29:58,0 +12594.08 --> 12598 +blockly + +5834 +03:29:54,799 --> 03:30:01,519 +so that's something to keep in mind + +5835 +03:29:58,0 --> 03:30:04,478 +12598 --> 12604.479 +yep something else + +5836 +03:30:01,520 --> 03:30:06,79 +that we perhaps should uh touch on here + +5837 +03:30:04,478 --> 03:30:08,799 +is is + +5838 +03:30:06,79 --> 03:30:09,760 +for the event deletions besides just a + +5839 +03:30:08,799 --> 03:30:11,119 +blockless part + +5840 +03:30:09,760 --> 03:30:12,800 +there is one thing that comes up as a + +5841 +03:30:11,120 --> 03:30:15,40 +question very often is how do i inform + +5842 +03:30:12,799 --> 03:30:16,639 +others that an event needs to be removed + +5843 +03:30:15,40 --> 03:30:19,40 +we don't have a mechanism in place for + +5844 +03:30:16,639 --> 03:30:21,519 +that so while we can revoke attributes + +5845 +03:30:19,40 --> 03:30:23,120 +for events uh we don't have that and + +5846 +03:30:21,520 --> 03:30:25,279 +there's a reason for that + +5847 +03:30:23,120 --> 03:30:26,239 +in general uh whenever it comes to + +5848 +03:30:25,279 --> 03:30:29,200 +events uh + +5849 +03:30:26,238 --> 03:30:30,639 +we don't want to give the power to just + +5850 +03:30:29,200 --> 03:30:33,439 +outright delete + +5851 +03:30:30,639 --> 03:30:34,719 +events uh remotely this way so this + +5852 +03:30:33,439 --> 03:30:36,238 +might change in the future + +5853 +03:30:34,719 --> 03:30:37,920 +we we're having discussions on that + +5854 +03:30:36,238 --> 03:30:40,79 +whether we 
want to enable that or not + +5855 +03:30:37,920 --> 03:30:41,840 +but currently that's not the case yeah + +5856 +03:30:40,79 --> 03:30:44,398 +and usually we take as an example + +5857 +03:30:41,840 --> 03:30:46,0 +12641.84 --> 12646 +emails i mean you can remove emails from + +5858 +03:30:44,398 --> 03:30:47,358 +your personal mailbox but from the + +5859 +03:30:46,0 --> 03:30:49,120 +12646 --> 12649.12 +remote mailbox if someone already + +5860 +03:30:47,359 --> 03:30:51,279 +receives the emails + +5861 +03:30:49,120 --> 03:30:53,120 +you want to have the control over third + +5862 +03:30:51,279 --> 03:30:58,79 +parties on the mailbox that + +5863 +03:30:53,120 --> 03:31:00,239 +might be one of the drawback i would say + +5864 +03:30:58,79 --> 03:31:01,760 +so there are two two new questions one + +5865 +03:31:00,238 --> 03:31:03,439 +of them is basically can you demonstrate + +5866 +03:31:01,760 --> 03:31:05,200 +the progressive enrichments of events + +5867 +03:31:03,439 --> 03:31:06,559 +by the shared communities over time with + +5868 +03:31:05,200 --> 03:31:08,960 +correlations + +5869 +03:31:06,559 --> 03:31:10,398 +this one is tough i mean i'm not sure + +5870 +03:31:08,959 --> 03:31:11,278 +how we could demonstrate that because + +5871 +03:31:10,398 --> 03:31:14,159 +we're not dealing with + +5872 +03:31:11,279 --> 03:31:14,560 +live instances with live data sets and + +5873 +03:31:14,159 --> 03:31:17,279 +act + +5874 +03:31:14,559 --> 03:31:17,278 +active sharing + +5875 +03:31:17,840 --> 03:31:23,40 +but perhaps for tomorrow we will prepare + +5876 +03:31:19,680 --> 03:31:25,520 +an example where we can show it off + +5877 +03:31:23,40 --> 03:31:28,640 +when and choose an event that we can + +5878 +03:31:25,520 --> 03:31:31,120 +show on one of the operational instances + +5879 +03:31:28,639 --> 03:31:33,119 +but i i can't show one on uh you know + +5880 +03:31:31,120 --> 03:31:36,560 +what i can't go on + +5881 +03:31:33,120 --> 03:31:38,79 +just one 
thing i'm i'm going on an + +5882 +03:31:36,559 --> 03:31:41,760 +instance + +5883 +03:31:38,79 --> 03:31:43,760 +okay so so it was + +5884 +03:31:41,760 --> 03:31:45,200 +oh we are flexible so it's not super fun + +5885 +03:31:43,760 --> 03:31:48,318 +to do it no but + +5886 +03:31:45,200 --> 03:31:49,359 +um so it's maybe some some something + +5887 +03:31:48,318 --> 03:31:52,0 +12708.319 --> 12712 +interesting there + +5888 +03:31:49,359 --> 03:31:52,720 +um so um i'm connecting an instance + +5889 +03:31:52,0 --> 03:31:55,760 +12712 --> 12715.76 +where i have + +5890 +03:31:52,719 --> 03:31:57,278 +more expansion services uh active and so + +5891 +03:31:55,760 --> 03:31:59,200 +on + +5892 +03:31:57,279 --> 03:32:01,40 +i'll just keep it for my organization + +5893 +03:31:59,200 --> 03:32:05,520 +only so i'm creating + +5894 +03:32:01,40 --> 03:32:07,600 +an event there so what happens on + +5895 +03:32:05,520 --> 03:32:08,960 +progressively enriching even by shared + +5896 +03:32:07,600 --> 03:32:10,479 +communities i mean + +5897 +03:32:08,959 --> 03:32:12,159 +it's going back and forth to different + +5898 +03:32:10,478 --> 03:32:14,559 +communities but i can i can imitate what + +5899 +03:32:12,159 --> 03:32:18,159 +the community is doing usually + +5900 +03:32:14,559 --> 03:32:21,600 +so if i'm facing an attribute + +5901 +03:32:18,159 --> 03:32:26,398 +for example i will i will say it + +5902 +03:32:21,600 --> 03:32:26,399 +hostname with some network activity + +5903 +03:32:32,959 --> 03:32:36,879 +so we have specifically a test that we + +5904 +03:32:35,680 --> 03:32:39,439 +created with this + +5905 +03:32:36,879 --> 03:32:40,559 +kind of thing so what would be your + +5906 +03:32:39,439 --> 03:32:41,920 +community and + +5907 +03:32:40,559 --> 03:32:43,600 +sharing so it could be for example in + +5908 +03:32:41,920 --> 03:32:45,680 +the same organization in my case it's + +5909 +03:32:43,600 --> 03:32:48,800 +just clear to the organization so + +5910 
+03:32:45,680 --> 03:32:50,0 +12765.68 --> 12770 +if i publish event here it will be + +5911 +03:32:48,799 --> 03:32:51,519 +shared with + +5912 +03:32:50,0 --> 03:32:53,520 +12770 --> 12773.52 +all different instances maybe the + +5913 +03:32:51,520 --> 03:32:57,680 +different members of circle + +5914 +03:32:53,520 --> 03:33:01,840 +uh and um one of my colleagues + +5915 +03:32:57,680 --> 03:33:04,720 +is taking one of the indicators + +5916 +03:33:01,840 --> 03:33:05,760 +and then he's going on the far side + +5917 +03:33:04,719 --> 03:33:07,599 +database + +5918 +03:33:05,760 --> 03:33:09,120 +doing a full-blown expansion so that + +5919 +03:33:07,600 --> 03:33:10,159 +means he's basically doing a full-bone + +5920 +03:33:09,120 --> 03:33:13,760 +extension + +5921 +03:33:10,159 --> 03:33:16,959 +um what do i have here i have a + +5922 +03:33:13,760 --> 03:33:18,719 +a complete set of objects for a specific + +5923 +03:33:16,959 --> 03:33:22,318 +domain so you see again + +5924 +03:33:18,719 --> 03:33:25,39 +i'm going to the event graph + +5925 +03:33:22,318 --> 03:33:25,680 +now i enter my domain name and i have + +5926 +03:33:25,40 --> 03:33:27,359 +all the + +5927 +03:33:25,680 --> 03:33:28,960 +passive dns free curve associated to + +5928 +03:33:27,359 --> 03:33:31,760 +that one + +5929 +03:33:28,959 --> 03:33:33,199 +and in this one i think i will have the + +5930 +03:33:31,760 --> 03:33:35,520 +even timeline i have a completely + +5931 +03:33:33,200 --> 03:33:38,960 +different timeline of the different uh + +5932 +03:33:35,520 --> 03:33:42,238 +expansion and so on so then i will have + +5933 +03:33:38,959 --> 03:33:42,879 +one of my i will it will be published + +5934 +03:33:42,238 --> 03:33:45,209 +again + +5935 +03:33:42,879 --> 03:33:46,719 +with the uh with the data + +5936 +03:33:45,209 --> 03:33:48,879 +[Music] + +5937 +03:33:46,719 --> 03:33:50,79 +if it's a collaboration i would say in + +5938 +03:33:48,879 --> 03:33:52,799 +the same team + +5939 
+03:33:50,79 --> 03:33:53,359 +that's a thing so it's sometimes it's + +5940 +03:33:52,799 --> 03:33:55,119 +it's + +5941 +03:33:53,359 --> 03:33:57,439 +people are working on the same event and + +5942 +03:33:55,120 --> 03:33:59,359 +publishing it sometimes they are + +5943 +03:33:57,439 --> 03:34:01,359 +sharing it and doing additional + +5944 +03:33:59,359 --> 03:34:04,880 +expansion on the uh + +5945 +03:34:01,359 --> 03:34:08,79 +on the um things until to reach a + +5946 +03:34:04,879 --> 03:34:11,39 +specific point that is like i would say + +5947 +03:34:08,79 --> 03:34:12,398 +accessible or at least publishable in a + +5948 +03:34:11,40 --> 03:34:16,0 +12851.04 --> 12856 +publishing state that is + +5949 +03:34:12,398 --> 03:34:18,318 +acceptable by various people + +5950 +03:34:16,0 --> 03:34:19,520 +12856 --> 12859.52 +now we can make proposal too so that + +5951 +03:34:18,318 --> 03:34:22,79 +means + +5952 +03:34:19,520 --> 03:34:24,880 +if we are again on a different with a + +5953 +03:34:22,79 --> 03:34:26,478 +different organization + +5954 +03:34:24,879 --> 03:34:28,79 +i don't know if in this example it will + +5955 +03:34:26,478 --> 03:34:30,719 +work but i can + +5956 +03:34:28,79 --> 03:34:32,879 +take do i have something interesting + +5957 +03:34:30,719 --> 03:34:32,879 +there + +5958 +03:34:33,760 --> 03:34:37,680 +yeah for example i see an interesting + +5959 +03:34:35,359 --> 03:34:37,680 +ipl + +5960 +03:34:37,840 --> 03:34:43,840 +this one so what i could do is + +5961 +03:34:41,279 --> 03:34:43,840 +i could + +5962 +03:34:44,398 --> 03:34:46,719 +add + +5963 +03:34:49,600 --> 03:34:52,479 +what's going on here + +5964 +03:34:53,40 --> 03:34:57,40 +i will add what + +5965 +03:35:04,159 --> 03:35:14,0 +12904.16 --> 12914 +okay just a demo effect + +5966 +03:35:10,799 --> 03:35:18,238 +it's a great typical + +5967 +03:35:14,0 --> 03:35:18,238 +12914 --> 12918.239 +what's going on here okay + +5968 +03:35:19,439 --> 03:35:25,40 +just going 
back to this one i just want + +5969 +03:35:21,600 --> 03:35:28,0 +12921.6 --> 12928 +to add a proposal + +5970 +03:35:25,40 --> 03:35:28,0 +12925.04 --> 12928 +yes i cannot just + +5971 +03:35:28,959 --> 03:35:35,839 +you wanted but your admin yeah + +5972 +03:35:33,200 --> 03:35:36,479 +yeah then i don't you can cheat whether + +5973 +03:35:35,840 --> 03:35:38,478 +you + +5974 +03:35:36,478 --> 03:35:40,0 +12936.479 --> 12940 +really want you can do it yeah wait fine + +5975 +03:35:38,478 --> 03:35:43,39 +it's just like okay so + +5976 +03:35:40,0 --> 03:35:44,799 +12940 --> 12944.8 +i i don't know for for hong kong if we + +5977 +03:35:43,40 --> 03:35:47,840 +answer your question but i mean + +5978 +03:35:44,799 --> 03:35:49,519 +a full-blown step would be like that if + +5979 +03:35:47,840 --> 03:35:50,559 +you work on an event it's not a single + +5980 +03:35:49,520 --> 03:35:52,399 +person obviously + +5981 +03:35:50,559 --> 03:35:54,238 +when you do an investigation you do like + +5982 +03:35:52,398 --> 03:35:54,799 +multiple steps but the question is more + +5983 +03:35:54,238 --> 03:35:56,879 +like + +5984 +03:35:54,799 --> 03:35:58,799 +if you do it within a team usually you + +5985 +03:35:56,879 --> 03:36:00,0 +12956.88 --> 12960 +edit the current even the same + +5986 +03:35:58,799 --> 03:36:03,519 +organizations + +5987 +03:36:00,0 --> 03:36:05,760 +12960 --> 12965.76 +if you do enter team you do proposal + +5988 +03:36:03,520 --> 03:36:07,680 +extend it even like we showed before and + +5989 +03:36:05,760 --> 03:36:09,359 +then you start to work on this uh + +5990 +03:36:07,680 --> 03:36:11,279 +thing so it's here depending on the case + +5991 +03:36:09,359 --> 03:36:13,600 +so uh + +5992 +03:36:11,279 --> 03:36:15,680 +so i hope you can you can you can see + +5993 +03:36:13,600 --> 03:36:18,318 +what are the capabilities there but it's + +5994 +03:36:15,680 --> 03:36:20,398 +really uh the progressive approach of + +5995 +03:36:18,318 --> 03:36:22,559 
+collaboration usually depends of + +5996 +03:36:20,398 --> 03:36:24,478 +how people are working together if they + +5997 +03:36:22,559 --> 03:36:25,680 +are really external it's more proposal + +5998 +03:36:24,478 --> 03:36:28,79 +extended event + +5999 +03:36:25,680 --> 03:36:29,279 +if it's within the same team it could be + +6000 +03:36:28,79 --> 03:36:31,439 +extended event + +6001 +03:36:29,279 --> 03:36:33,920 +or within the same event that's usually + +6002 +03:36:31,439 --> 03:36:37,120 +the two way of working + +6003 +03:36:33,920 --> 03:36:39,680 +if you want to add something no yeah + +6004 +03:36:37,120 --> 03:36:39,680 +that's perfect + +6005 +03:36:39,760 --> 03:36:43,279 +perhaps another question if you're okay + +6006 +03:36:42,639 --> 03:36:46,719 +with + +6007 +03:36:43,279 --> 03:36:48,0 +13003.279 --> 13008 +switching yeah when speaking of feeding + +6008 +03:36:46,719 --> 03:36:49,840 +tools what would be the automatic + +6009 +03:36:48,0 --> 03:36:51,120 +13008 --> 13011.12 +way of doing it so normally when we're + +6010 +03:36:49,840 --> 03:36:52,639 +talking about feeding tools there are + +6011 +03:36:51,120 --> 03:36:54,720 +two separate ways of doing it and we'll + +6012 +03:36:52,639 --> 03:36:56,159 +go way way deeper into this tomorrow + +6013 +03:36:54,719 --> 03:36:58,238 +when we talk about integration but + +6014 +03:36:56,159 --> 03:36:58,959 +generally tools can either fetch data + +6015 +03:36:58,238 --> 03:37:00,559 +from miss + +6016 +03:36:58,959 --> 03:37:02,799 +so this is a more common way where a + +6017 +03:37:00,559 --> 03:37:05,119 +tool would use rest search api that we + +6018 +03:37:02,799 --> 03:37:07,278 +mentioned before where you define yours + +6019 +03:37:05,120 --> 03:37:09,40 +your search patterns for example give me + +6020 +03:37:07,279 --> 03:37:12,159 +everything that is newer than + +6021 +03:37:09,40 --> 03:37:12,880 +30 days everything that uh that contains + +6022 +03:37:12,159 --> 03:37:15,760 +at 
least + +6023 +03:37:12,879 --> 03:37:16,398 +that is not coming from say oh since the + +6024 +03:37:15,760 --> 03:37:18,719 +sources + +6025 +03:37:16,398 --> 03:37:19,599 +or perhaps not something nothing that + +6026 +03:37:18,719 --> 03:37:21,760 +comes + +6027 +03:37:19,600 --> 03:37:23,520 +uh related to a certain topic for + +6028 +03:37:21,760 --> 03:37:25,600 +example i'm not interested in ransomware + +6029 +03:37:23,520 --> 03:37:26,399 +when feeding my tools just a stupid + +6030 +03:37:25,600 --> 03:37:28,640 +example + +6031 +03:37:26,398 --> 03:37:30,159 +so you set up your filter options and + +6032 +03:37:28,639 --> 03:37:32,318 +then your tool would fetch + +6033 +03:37:30,159 --> 03:37:33,680 +data from misp every 60 minutes for + +6034 +03:37:32,318 --> 03:37:36,159 +example + +6035 +03:37:33,680 --> 03:37:37,359 +and then replace the data set there you + +6036 +03:37:36,159 --> 03:37:40,318 +can also do + +6037 +03:37:37,359 --> 03:37:42,79 +sliding time window searches where you + +6038 +03:37:40,318 --> 03:37:43,760 +say give me everything from the past 60 + +6039 +03:37:42,79 --> 03:37:45,359 +minutes that is new + +6040 +03:37:43,760 --> 03:37:48,0 +13063.76 --> 13068 +and then you keep concatenating your + +6041 +03:37:45,359 --> 03:37:49,40 +data set on the seam side ids side + +6042 +03:37:48,0 --> 03:37:51,200 +13068 --> 13071.2 +whatever tool you're + +6043 +03:37:49,40 --> 03:37:52,880 +feeding the alternative if you want to + +6044 +03:37:51,200 --> 03:37:53,680 +have the data push automatically as it + +6045 +03:37:52,879 --> 03:37:55,199 +comes in + +6046 +03:37:53,680 --> 03:37:57,40 +you have different channels and mist + +6047 +03:37:55,200 --> 03:37:58,560 +that your tools can latch on to + +6048 +03:37:57,40 --> 03:38:00,720 +the downside being that you still need + +6049 +03:37:58,559 --> 03:38:03,199 +to do the conversion + +6050 +03:38:00,719 --> 03:38:04,959 +in those cases so if you were not using + +6051 +03:38:03,200 
--> 03:38:08,159 +the + +6052 +03:38:04,959 --> 03:38:11,199 +the apis to fetch the data from bisp + +6053 +03:38:08,159 --> 03:38:11,680 +then mis can push using the miss json + +6054 +03:38:11,200 --> 03:38:13,680 +format + +6055 +03:38:11,680 --> 03:38:16,0 +13091.68 --> 13096 +data down via different channels serum + +6056 +03:38:13,680 --> 03:38:16,0 +13093.68 --> 13096 +queue + +6057 +03:38:16,79 --> 03:38:19,760 +or the kafka channel or this blog and so + +6058 +03:38:19,279 --> 03:38:21,279 +on + +6059 +03:38:19,760 --> 03:38:23,40 +and then your tools automatically feed + +6060 +03:38:21,279 --> 03:38:24,0 +13101.279 --> 13104 +on that data so you have these two + +6061 +03:38:23,40 --> 03:38:26,399 +different + +6062 +03:38:24,0 --> 03:38:27,520 +13104 --> 13107.52 +ways of interacting with it there's also + +6063 +03:38:26,398 --> 03:38:28,959 +a third way + +6064 +03:38:27,520 --> 03:38:31,760 +where you can basically either build an + +6065 +03:38:28,959 --> 03:38:34,0 +13108.96 --> 13114 +export module or an enrichment module + +6066 +03:38:31,760 --> 03:38:35,760 +where an analyst can trigger a direct + +6067 +03:38:34,0 --> 03:38:38,559 +13114 --> 13118.56 +push of a certain data point + +6068 +03:38:35,760 --> 03:38:39,920 +to another tool so that's another option + +6069 +03:38:38,559 --> 03:38:41,840 +we'll talk about these different + +6070 +03:38:39,920 --> 03:38:45,199 +strategies when to use which + +6071 +03:38:41,840 --> 03:38:49,199 +which and how to mix those tomorrow more + +6072 +03:38:45,199 --> 03:38:52,399 +so i hope that answers it in a + +6073 +03:38:49,199 --> 03:38:54,159 +brief fashion yeah what i'm showing here + +6074 +03:38:52,398 --> 03:38:57,840 +is it's just like + +6075 +03:38:54,159 --> 03:38:59,359 +on the on the rest uh search client + +6076 +03:38:57,840 --> 03:39:01,760 +for example you want to feed your your + +6077 +03:38:59,359 --> 03:39:04,800 +storikata and so on uh just + +6078 +03:39:01,760 --> 03:39:09,840 
+take page um + +6079 +03:39:04,799 --> 03:39:09,840 +on a specific limit + +6080 +03:39:13,359 --> 03:39:17,199 +so what you can do is if you have a + +6081 +03:39:15,600 --> 03:39:19,120 +python script and so on you can pull + +6082 +03:39:17,199 --> 03:39:22,159 +directly the data so + +6083 +03:39:19,120 --> 03:39:23,199 +the rest client so you see in this case + +6084 +03:39:22,159 --> 03:39:26,159 +i have the + +6085 +03:39:23,199 --> 03:39:26,880 +shurikata rule set but if you want to + +6086 +03:39:26,159 --> 03:39:29,359 +feed your + +6087 +03:39:26,879 --> 03:39:31,358 +specific tools and and so on uh + +6088 +03:39:29,359 --> 03:39:34,960 +automatically we are generating + +6089 +03:39:31,359 --> 03:39:36,399 +uh curl and python card so it could be a + +6090 +03:39:34,959 --> 03:39:38,639 +bootstrap to see okay + +6091 +03:39:36,398 --> 03:39:41,119 +how should i create my own tool for + +6092 +03:39:38,639 --> 03:39:42,639 +feeding my ideas and so on uh for for + +6093 +03:39:41,120 --> 03:39:44,399 +study cata for example + +6094 +03:39:42,639 --> 03:39:45,840 +a lot of management interface have + +6095 +03:39:44,398 --> 03:39:47,760 +already missed connector + +6096 +03:39:45,840 --> 03:39:49,120 +so you can even like feed the data + +6097 +03:39:47,760 --> 03:39:51,600 +directly from + +6098 +03:39:49,120 --> 03:39:52,319 +the from the interface if they have the + +6099 +03:39:51,600 --> 03:39:54,720 +ability + +6100 +03:39:52,318 --> 03:39:56,639 +splunk for example there's a specific + +6101 +03:39:54,719 --> 03:40:00,79 +application + +6102 +03:39:56,639 --> 03:40:02,799 +which is an external tools part of the + +6103 +03:40:00,79 --> 03:40:04,79 +app store of splunk that you can install + +6104 +03:40:02,799 --> 03:40:05,759 +for doing the connection + +6105 +03:40:04,79 --> 03:40:08,639 +and some other people are using their + +6106 +03:40:05,760 --> 03:40:12,159 +own python script to feed other cm + +6107 +03:40:08,639 --> 03:40:14,238 +so 
again it's a matter of taste + +6108 +03:40:12,159 --> 03:40:16,0 +13212.16 --> 13216 +if you are curious about the different + +6109 +03:40:14,238 --> 03:40:18,79 +kind of integrations + +6110 +03:40:16,0 --> 03:40:20,79 +13216 --> 13220.08 +or you can do it in python for example + +6111 +03:40:18,79 --> 03:40:24,79 +in on payments + +6112 +03:40:20,79 --> 03:40:26,478 +itself there are plenty of examples + +6113 +03:40:24,79 --> 03:40:28,959 +so if you go in the example directory of + +6114 +03:40:26,478 --> 03:40:28,959 +palmist + +6115 +03:40:30,799 --> 03:40:38,0 +13230.8 --> 13238 +you have a quite significant + +6116 +03:40:34,799 --> 03:40:41,438 +set of default scripts + +6117 +03:40:38,0 --> 03:40:43,40 +13238 --> 13243.04 +that you can use uh and that's uh + +6118 +03:40:41,439 --> 03:40:46,159 +i think usually a good basis if you want + +6119 +03:40:43,40 --> 03:40:48,720 +to start to to write your own custom + +6120 +03:40:46,159 --> 03:40:49,520 +custom tool set for for feeding your + +6121 +03:40:48,719 --> 03:40:51,278 +feeding + +6122 +03:40:49,520 --> 03:40:53,920 +systems or existing software in your + +6123 +03:40:51,279 --> 03:40:53,920 +infrastructure + +6124 +03:40:57,199 --> 03:41:03,760 +yep um + +6125 +03:41:01,680 --> 03:41:05,359 +i don't know if it's if we should jump + +6126 +03:41:03,760 --> 03:41:07,600 +on a new topic or we just push the + +6127 +03:41:05,359 --> 03:41:10,479 +copalos example for tomorrow + +6128 +03:41:07,600 --> 03:41:12,79 +yeah i think i think uh we can we can do + +6129 +03:41:10,478 --> 03:41:14,398 +it maybe tomorrow i think + +6130 +03:41:12,79 --> 03:41:15,920 +if we can i think that would be + +6131 +03:41:14,398 --> 03:41:17,519 +stretching it a little bit if we were to + +6132 +03:41:15,920 --> 03:41:21,40 +start with that yeah + +6133 +03:41:17,520 --> 03:41:22,0 +13277.52 --> 13282 +so um quick quick summary of today so + +6134 +03:41:21,40 --> 03:41:25,40 +today we we + +6135 +03:41:22,0 --> 
03:41:26,79 +13282 --> 13286.08 +show uh how to create an event the basis + +6136 +03:41:25,40 --> 03:41:28,319 +of misplay + +6137 +03:41:26,79 --> 03:41:29,840 +what is an attribute an object and so on + +6138 +03:41:28,318 --> 03:41:32,959 +how to create it so to + +6139 +03:41:29,840 --> 03:41:34,79 +make proposal delete uh and and and + +6140 +03:41:32,959 --> 03:41:36,238 +stuff like that + +6141 +03:41:34,79 --> 03:41:37,840 +so it's really a simple example tomorrow + +6142 +03:41:36,238 --> 03:41:40,639 +we want to show you + +6143 +03:41:37,840 --> 03:41:42,639 +more the uh even report aspect and the + +6144 +03:41:40,639 --> 03:41:45,439 +automatic imports into + +6145 +03:41:42,639 --> 03:41:46,879 +into mist with a practical example of an + +6146 +03:41:45,439 --> 03:41:49,920 +ocean report + +6147 +03:41:46,879 --> 03:41:51,438 +and we will discuss tomorrow about + +6148 +03:41:49,920 --> 03:41:53,40 +how to build sharing communities and + +6149 +03:41:51,439 --> 03:41:55,840 +especially we will share + +6150 +03:41:53,40 --> 03:41:57,279 +our experience of things that worked and + +6151 +03:41:55,840 --> 03:41:59,520 +things that didn't work + +6152 +03:41:57,279 --> 03:42:01,359 +uh in the past years when creating + +6153 +03:41:59,520 --> 03:42:03,40 +sharing communities so if you are + +6154 +03:42:01,359 --> 03:42:04,479 +isaac members or creating your own + +6155 +03:42:03,40 --> 03:42:05,600 +sharing community even within your + +6156 +03:42:04,478 --> 03:42:07,39 +organization + +6157 +03:42:05,600 --> 03:42:09,40 +uh it's it's something good to + +6158 +03:42:07,40 --> 03:42:10,560 +participate because you we will share + +6159 +03:42:09,40 --> 03:42:12,479 +with you some some of the things that + +6160 +03:42:10,559 --> 03:42:14,238 +are interesting of building a + +6161 +03:42:12,478 --> 03:42:17,519 +bootstrapping such kind of + +6162 +03:42:14,238 --> 03:42:19,279 +of community um + +6163 +03:42:17,520 --> 03:42:20,800 +i don't know 
honestly you want to add + +6164 +03:42:19,279 --> 03:42:24,319 +something no + +6165 +03:42:20,799 --> 03:42:25,920 +and that's basically it thanks for + +6166 +03:42:24,318 --> 03:42:27,278 +everyone for sticking through + +6167 +03:42:25,920 --> 03:42:29,120 +through this it's a very condensed + +6168 +03:42:27,279 --> 03:42:30,880 +session so + +6169 +03:42:29,120 --> 03:42:32,560 +we said we didn't make as much progress + +6170 +03:42:30,879 --> 03:42:33,920 +as we hoped so we have quite a bit left + +6171 +03:42:32,559 --> 03:42:37,198 +for tomorrow + +6172 +03:42:33,920 --> 03:42:39,120 +and hope to see you all here tomorrow + +6173 +03:42:37,199 --> 03:42:40,800 +thank you very much uh take care and + +6174 +03:42:39,120 --> 03:42:43,279 +don't hesitate to ask questions + +6175 +03:42:40,799 --> 03:42:44,318 +uh either later on directly contact us + +6176 +03:42:43,279 --> 03:42:48,79 +thank you very much + +6177 +03:42:44,318 --> 03:42:48,79 +see you tomorrow thank you all see you + +6178 +03:42:49,318 --> 03:42:52,318 +tomorrow \ No newline at end of file
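Review bot: Throughout this region (cues 5729 through 6135) every cue whose timecode falls on a whole second is written with an unpadded millisecond field (`03:26:42,0`, `03:26:48,0`, `03:35:28,0`) and is followed by a stray extra line carrying the same span in raw seconds, for example cue 5729 `03:26:38,318 --> 03:26:42,0` then `12398.319 --> 12402`, and cue 5735 `03:26:48,0 --> 03:26:52,159` then `12408 --> 12412.16`. SRT expects `HH:MM:SS,mmm` with a three-digit millisecond field, and anything after the timecode line is subtitle text, so players will render those seconds-form lines on screen; the same applies to the two- and one-digit fields elsewhere (`03:26:40,79`, `03:27:25,40`). A single pass over the file that drops any line matching `^[0-9.]+ --> [0-9.]+$` and zero-pads the millisecond field to three digits would fix all of them; the same defect is visible in the earlier part of the hunk, so the fix should be applied to the whole file rather than this section. Second, the product-name normalization applied in the opening cues (where the speech-to-text output was corrected to `MISP`) has not reached this region: `miss pareto`, `mist`, `misc`, `bisp` and `palmist` (for MISP / PyMISP), `storikata` / `shurikata` / `study cata` (for Suricata), `serum queue` (for ZeroMQ), `isaac members` (for ISAC members) and repeated `even` for `event` remain, which matters for anyone searching the subtitles for tool names. Finally, the file is committed without a trailing newline (`\ No newline at end of file`); some SRT parsers drop a final cue that is not newline-terminated, so add one before this is marked complete.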