chg: [decaying-light] Updated slides to fit the current state

master
mokaddem 2020-09-11 10:24:46 +02:00
parent 731ab6714f
commit 13d981756d
1 changed files with 108 additions and 54 deletions


@ -10,13 +10,12 @@
\begin{itemize} \begin{itemize}
\item Present the components used in MISP to expire IOCs \item Present the components used in MISP to expire IOCs
\item Present the current state of Indicators life-cycle management in MISP \item Present the current state of Indicators life-cycle management in MISP
\item Present the current state of Indicators life-cycle management in MISP
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\section{Expiring IOCs: Why and How?} \section{Expiring IOCs: Why and How?}
\begin{frame}[fragile] \begin{frame}[fragile]
\frametitle{Indicators - Problem Statement} \frametitle{Indicators lifecycle - Problem Statement}
\begin{itemize} \begin{itemize}
\item {\bf Sharing information} about threats {\bf is crucial} \item {\bf Sharing information} about threats {\bf is crucial}
\item Organisations are sharing more and more \item Organisations are sharing more and more
@ -51,51 +50,62 @@
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Indicators - Problem Statement} \frametitle{Indicators lifecycle - Problem Statement}
\begin{itemize} \begin{itemize}
\item Various users and organisations can share data via MISP, multiple parties can be involved \item Various users and organisations can share data via MISP, multiple parties can be involved
\begin{itemize} \begin{itemize}
\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues \item \textbf{Trust}, \textbf{data quality} and \textbf{relevance} issues
\item Each user/organisation has \textbf{different use-cases} and interests \item Each user/organisation have \textbf{different use-cases} and interests
\begin{itemize} \begin{itemize}
\item Conflicting interests such as operational security, attribution,... (depends on the user) \item Conflicting interests: Operational security VS attribution
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
\item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies} \item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
\pause \pause
\vspace{0.5cm} \vspace{0.5cm}
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV}) \item Attributes can be shared in large quantities \small{(more than 12M on \texttt{MISPPRIV} - Sept. 2020)}
\begin{itemize} \begin{itemize}
\item Partial info about their \textbf{freshness} (\textit{Sightings}) \item Partial info about their \textbf{freshness} (\textit{Sightings})
\item Partial info about their \textbf{validity} (last update) \item Partial info about their \textbf{validity} (\textit{last\_seen})
\end{itemize} \end{itemize}
\item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model} \item[] $\rightarrow$ Can be partially solved with our \textit{Data model}
\end{itemize} \end{itemize}
\begin{center}
MISP's \textit{Decaying model} combines the two
\end{center}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Requirements to enjoy the decaying feature in MISP} \frametitle{Requirements to enjoy the decaying feature in MISP}
\begin{itemize} \begin{itemize}
\item Starting from \textbf{MISP 2.4.116}, the decaying feature is available \item Starting from \textbf{MISP 2.4.116}, the decaying feature is available
\item Don't forget to \textbf{update the decay models} and \textbf{enable} the ones you want \item \textbf{Update} decay models and \textbf{enable} some
\item The decaying feature has no impact on the information in MISP, it's just an \textbf{overlay} to be used in the user-interface and API \item MISP Decaying strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration
\item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration \end{itemize}
\end{itemize} \vspace{0.7cm}
Note: The decaying feature has no impact on the information stored in MISP, it's just an \textbf{overlay} to be used in the user-interface and API
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{\textit{Sightings} - Refresher} \frametitle{\textit{Sightings} - Refresher (1)}
\textit{Sightings} add \textbf{temporal context} to indicators. \textit{Sightings} add a \textbf{temporal context} to indicators.
A user, script or an IDS can extend the information related to indicators by reporting back to MISP that \begin{itemize}
an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive} \item \textit{Sightings} can be used to represent that you saw the IoC
\vspace{0.5cm} \item \textbf{Usecase:} Continuous feedback loop MISP $\leftrightarrow$ IDS
\end{itemize}
\begin{center}
\includegraphics[scale=1.00]{pics/sightings.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{\textit{Sightings} - Refresher (2)}
\textit{Sightings} add a \textbf{temporal context} to indicators.
\begin{itemize} \begin{itemize}
\item \textit{Sightings} give more credibility/visibility to indicators \item \textit{Sightings} give more credibility/visibility to indicators
\item This information can be used to {\bf prioritise and decay indicators} \item This information can be used to {\bf prioritise and decay indicators}
\end{itemize} \end{itemize}
\begin{center}
\includegraphics[scale=1.00]{pics/sightings.png}
\end{center}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
@ -118,14 +128,56 @@
\begin{frame} \begin{frame}
\frametitle{Taxonomies - Refresher (3)} \frametitle{Taxonomies - Refresher (3)}
\begin{itemize} \begin{itemize}
\item Some taxonomies have \texttt{numerical\_value} \item Some taxonomies have a \texttt{numerical\_value}
\item Allows concepts to be used in an mathematical expression
\begin{itemize} \begin{itemize}
\item[$\rightarrow$] Can be used to prioritise \textit{Attributes} \item[$\rightarrow$] Can be used to prioritise IoCs
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
\vspace{0.5cm} \vspace{0.5cm}
\begin{footnotesize} \begin{footnotesize}
\texttt{admirality-scale} taxonomy\footnote{\url{https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json}}
\begin{columns}[T] % align columns
\begin{column}{.40\textwidth}
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value}\\
\hline
Completely reliable & 100\\
Usually reliable & 75\\
Fairly reliable & 50\\
Not usually reliable & 25\\
Unreliable & 0\\
Reliability cannot be judged & 50\\
Deliberatly deceptive & 0\\
\hline
\end{tabular}
\end{column}%
\hfill%
\begin{column}{.48\textwidth}
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value}\\
\hline
Confirmed by other sources & 100\\
Probably true & 75\\
Possibly true & 50\\
Doubtful & 25\\
Improbable & 0\\
Truth cannot be judged & 50\\
\hline
\end{tabular}
\end{column}%
\end{columns}
\end{footnotesize}
\end{frame}
\begin{frame}
\frametitle{Taxonomies - Refresher (3)}
\begin{footnotesize}
\texttt{admirality-scale} taxonomy\footnote{\url{https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json}}
\begin{columns}[T] % align columns \begin{columns}[T] % align columns
\begin{column}{.40\textwidth} \begin{column}{.40\textwidth}
\begin{tabular}{|ll|} \begin{tabular}{|ll|}
@ -161,21 +213,7 @@
\end{footnotesize} \end{footnotesize}
\vspace{0.5cm} \vspace{0.5cm}
$\rightarrow$ In next version, Users will be able to override these \texttt{numerical\_value} $\rightarrow$ Users can override tag \texttt{numerical\_value}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: Our solution}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
Where,\vspace{0.5cm}
\begin{itemize}
\item \texttt{score} $ \in [0, +\infty $
\item \texttt{base\_score} $ \in [0, 100] $
\item \texttt{decay} is a function defined by model's parameters controlling decay speed
\item \texttt{Attribute} Contains \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
\item \texttt{Model} Contains the \textit{Model}'s configuration
\end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
@ -184,16 +222,31 @@
\begin{itemize} \begin{itemize}
\item \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \item \texttt{base\_score}(\texttt{\tiny Attribute, Model})
\begin{itemize} \begin{itemize}
\item Initial score of the \textit{Attribute} only considering the context (i.e. \textit{Tags}) \item Initial score of the \textit{Attribute} only considering the context (\textit{Attribute's type}, \textit{Tags})
\end{itemize} \end{itemize}
\vspace{1cm} \vspace{1cm}
\item \texttt{decay}(\texttt{\tiny Model, time}) \item \texttt{decay}(\texttt{\tiny Model, time})
\begin{itemize} \begin{itemize}
\item Function composed of the \textbf{lifetime} and \textbf{Decay speed} decreasing the \texttt{base\_score} over time \item Function composed of the \textbf{lifetime} and \textbf{decay speed}
\item Decreases the \texttt{base\_score} over time
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}
\frametitle{Scoring Indicators: Our solution}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
\begin{center}
\begin{tikzpicture}
\draw[->] (-1, 0) -- (4.5, 0) node[right] {$time$};
\draw[->] (0, -1) -- (0, 4.2) node[left] {$score$};
\node at (-1, 2.6) {\footnotesize base\_score};
\draw[scale=0.5, domain=0:8, smooth, variable=\y, blue] plot ({\y}, {5 * (1 - (\y/8)^(3.5))});
\end{tikzpicture}
\end{center}
\end{frame}
\section{Current implementation in MISP} \section{Current implementation in MISP}
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: \texttt{Event/view}} \frametitle{Implementation in MISP: \texttt{Event/view}}
@ -247,29 +300,30 @@
\frametitle{Implementation in MISP: Models definition} \frametitle{Implementation in MISP: Models definition}
\hspace{190pt} \hspace{190pt}
\raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $} \raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $}
\textit{Models} are an instanciation of the formula where elements can be defined: \textit{Models} are an instanciation of the formula with configurable parameters:
\begin{itemize} \begin{itemize}
\item Parameters: \texttt{lifetime, decay\_rate, threshold} \item Parameters: \texttt{lifetime, decay\_rate, threshold}
\item \texttt{base\_score} \item \texttt{base\_score} computation
\item \texttt{default base\_score} \item \texttt{default base\_score}
\item formula
\item associate \textit{Attribute} types \item associate \textit{Attribute} types
\item formula
\item creator organisation \item creator organisation
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: Models Types} \frametitle{Implementation in MISP: Models Types}
Multiple model types are available Two types of model are available
\begin{itemize} \begin{itemize}
\item \textbf{Default Models}: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}. \item \textbf{Default Models}: Created and shared by the community. Coming from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
\begin{itemize} \begin{itemize}
\item $\rightarrow$ Not editable \item[$\rightarrow$] Not editable
\end{itemize} \end{itemize}
\item \textbf{Organisation Models}: Models created by a user belonging to an organisation \vspace{0.5cm}
\item \textbf{Organisation Models}: Created by a user on MISP
\begin{itemize} \begin{itemize}
\item These models can be hidden or shared to other organisation \item Can be hidden or shared to other organisation
\item $\rightarrow$ Editable \item[$\rightarrow$] Editable
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -277,13 +331,13 @@
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: Index} \frametitle{Implementation in MISP: Index}
\includegraphics[width=1.00\linewidth]{pics/decaying-index.png} \includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
View, update, add, create, delete, enable, export, import Standard CRUD operations: View, update, add, create, delete, enable, export, import
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: Fine tuning tool} \frametitle{Implementation in MISP: Fine tuning tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-tool.png} \includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
Create, modify, visualise, perform mapping Configure models: Create, modify, visualise, perform mapping
\end{frame} \end{frame}
\begin{frame} \begin{frame}
@ -295,7 +349,7 @@
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: simulation tool} \frametitle{Implementation in MISP: simulation tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png} \includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
Simulate \textit{Attributes} with different \textit{Models} Simulate decay on \textit{Attributes} with different \textit{Models}
\end{frame} \end{frame}
\begin{frame}[fragile] \begin{frame}[fragile]
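Review bot: `\small{(more than 12M on \texttt{MISPPRIV} - Sept. 2020)}` in the "Attributes can be shared in large quantities" item of the Problem Statement frame is a font-size switch followed by a plain brace group, not a command taking an argument, so the following items of that itemize up to `\end{itemize}` are set in \small as well; write it as `{\small (more than 12M on \texttt{MISPPRIV} -- Sept.~2020)}`. Two items earlier in the same list, `Each user/organisation have` replaces the original `has` and should be reverted. In the taxonomies hunk the admiralty table is moved into a second frame whose title repeats `Taxonomies - Refresher (3)` from the frame just before it, so it presumably should read `(4)`, and its `\texttt{admirality-scale}` label does not match the `admiralty-scale` path of the footnote URL on the same line. In the new tikzpicture frame the axis labels `$time$` and `$score$` are typeset as products of italic letters; `\textit{time}` and `\textit{score}` (or `\mathit{...}`) keep them as words.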