Merge branch 'master' of github.com:MISP/misp-training
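--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ given to the materials. We welcome contributions in order to improve the trainin
 | [a.7-rest-API](https://www.misp-project.org/misp-training/a.7-rest-API.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.7-rest-API) |
 | [a.8-dev-hands-on.pdf](https://www.misp-project.org/misp-training/a.8-dev-hands-on.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.8-dev-hands-on) |
 | [b.1-best-practices-in-threat-intelligence](https://www.misp-project.org/misp-training/b.1-best-practices-in-threat-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/best-practices-in-threat-intelligence)
+| [b.2-turning-data-into-actionable-intelligence](https://www.misp-project.org/misp-training/b.2-turning-data-into-actionable-intelligence.pdf) | [source](https://github.com/MISP/misp-training/tree/master/b.2-turning-data-into-actionable-intelligence)
 
 ### Complementary materials
 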
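--- /dev/null
+++ b/content.tex
@@ -0,0 +1,325 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\section{Expiring IOCs: Why and How?}
+\begin{frame}[fragile]
+\frametitle{Indicators - Problem Statement}
+\begin{itemize}
+\item {\bf Sharing information} about threats {\bf is crucial}
+\item Organisations are sharing more and more
+\end{itemize}
+\vspace{1em}
+
+Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\
+\vspace{1em}
+\begin{minipage}{0.45\textwidth}
+\begin{tabular}{ll}
+\hline
+Date & Unique Org \\
+\hline
+2013 & 17 \\
+2014 & 43 \\
+2015 & 82 \\
+2016 & 105 \\
+2017 & 118 \\
+2018 & 125 \\
+2019-10 & 135 \\
+\hline
+\end{tabular}
+\vspace{0.5em}
+\end{minipage}
+\begin{minipage}{0.5\textwidth}
+\begin{lstlisting}
+{
+"distribution": [1, 2, 3]
+}\end{lstlisting}
+\end{minipage}
+
+\end{frame}
+
+\begin{frame}
+\frametitle{Indicators - Problem Statement}
+\begin{itemize}
+\item Various users and organisations can share data via MISP, multiple parties can be involved
+\begin{itemize}
+\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
+\item Each user/organisation has \textbf{different use-cases} and interests
+\begin{itemize}
+\item Conflicting interests such as operational security, attribution,... (depends on the user)
+\end{itemize}
+\end{itemize}
+\item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
+\pause
+\vspace{0.5cm}
+\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
+\begin{itemize}
+\item Partial info about their \textbf{freshness} (\textit{Sightings})
+\item Partial info about their \textbf{validity} (last update)
+\end{itemize}
+\item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Requirements to enjoy the decaying feature in MISP}
+\begin{itemize}
+\item Starting from \textbf{MISP 2.4.116}, the decaying feature is available
+\item Don't forget to update the decay models and enable the ones you want
+\item The decaying feature has no impact on the information in MISP, it's just an overlay to be used in the user-interface and API
+\item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{\textit{Sightings} - Refresher}
+\textit{Sightings} add temporal context to indicators.
+A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
+an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
+\vspace{0.5cm}
+\begin{itemize}
+\item \textit{Sightings} give more credibility/visibility to indicators
+\item This information can be used to {\bf prioritise and decay indicators}
+\end{itemize}
+\begin{center}
+\includegraphics[scale=1.00]{pics/sightings.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Organisations opt-in - setting a level of confidence}
+MISP is a peer-to-peer system, information passes through multiple instances.
+\begin{itemize}
+\item \textbf{Producers can add context} (such as tags from \textit{Taxonomies}, \textit{Galaxies}) about their asserted confidence or the reliability of the data
+\item Consumers can have \textbf{different levels of trust} in the producers and/or analysts themselves
+\item Users might have other contextual needs
+\end{itemize}
+\begin{center}
+$\rightarrow$ Achieved thanks to \textit{Taxonomies}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Taxonomies - Refresher (1)}
+\includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
+\begin{itemize}
+\item Tagging is a simple way to attach a classification to an \textit{Event} or an \textit{Attribute}
+\item Classification must be globally used to be efficient
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Taxonomies - Refresher (2)}
+\includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
+\begin{center}
+$\rightarrow$ Cherry-pick allowed \textit{Tags}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Taxonomies - Refresher (3)}
+\begin{itemize}
+\item Some taxonomies have \texttt{numerical\_value}
+\begin{itemize}
+\item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
+\end{itemize}
+\end{itemize}
+\vspace{1cm}
+
+\begin{footnotesize}
+\begin{columns}[T] % align columns
+\begin{column}{.40\textwidth}
+\begin{tabular}{|ll|}
+\hline
+\textbf{Description} & \textbf{Value}\\
+\hline
+Completely reliable & 100\\
+Usually reliable & 75\\
+Fairly reliable & 50\\
+Not usually reliable & 25\\
+Unreliable & 0\\
+Reliability cannot be judged & 50 \textbf{\color{red}?}\\
+Deliberatly deceptive & 0 \textbf{\color{red}?}\\
+\hline
+\end{tabular}
+\end{column}%
+\hfill%
+\begin{column}{.48\textwidth}
+\begin{tabular}{|ll|}
+\hline
+\textbf{Description} & \textbf{Value}\\
+\hline
+Confirmed by other sources & 100\\
+Probably true & 75\\
+Possibly true & 50\\
+Doubtful & 25\\
+Improbable & 0\\
+Truth cannot be judged & 50 \textbf{\color{red}?}\\
+\hline
+\end{tabular}
+\end{column}%
+\end{columns}
+\end{footnotesize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Scoring Indicators: Our solution}
+$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
+Where,\vspace{0.5cm}
+\begin{itemize}
+\item \texttt{score} $ \in [0, +\infty $
+\item \texttt{base\_score} $ \in [0, 100] $
+\item \texttt{decay} is a function defined by model's parameters controlling decay speed
+\item \texttt{Attribute} Contains \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
+\item \texttt{Model} Contains the \textit{Model}'s configuration
+\end{itemize}
+
+\end{frame}
+
+\section{Current implementation in MISP}
+\begin{frame}
+\frametitle{Implementation in MISP: \texttt{Event/view}}
+\includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
+\begin{itemize}
+\item \texttt{Decay score} toggle button
+\begin{itemize}
+\item Shows Score for each \textit{Models} associated to the \textit{Attribute} type
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Implementation in MISP: API result}
+\texttt{/attributes/restSearch}
+\begin{lstlisting}
+"Attribute": [
+{
+"category": "Network activity",
+"type": "ip-src",
+"to_ids": true,
+"timestamp": "1565703507",
+[...]
+"value": "8.8.8.8",
+"decay_score": [
+{
+"score": 54.475223849544456,
+"decayed": false,
+"DecayingModel": {
+"id": "85",
+"name": "NIDS Simple Decaying Model"
+}
+}
+],
+[...]
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: Objectives}
+\begin{itemize}
+\item \textbf{Automatic scoring} based on default values
+\item \textbf{User-friendly UI} to manually set \textit{Model} configuration (lifetime, decay, etc.)
+\item \textbf{Simulation} tool
+\item Interaction through the \textbf{API}
+\item Opportunity to create your \textbf{own} formula or algorythm
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: Models definition}
+\hspace{190pt}
+\raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $}
+\textit{Models} are an instanciation of the formula where elements can be defined:
+\begin{itemize}
+\item Parameters: \texttt{lifetime, decay\_rate, threshold}
+\item \texttt{base\_score}
+\item \texttt{default base\_score}
+\item formula
+\item associate \textit{Attribute} types
+\item creator organisation
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: Models Types}
+Multiple model types are available
+\begin{itemize}
+\item \textbf{Default Models}: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
+\begin{itemize}
+\item $\rightarrow$ Not editable
+\end{itemize}
+\item \textbf{Organisation Models}: Models created by a user belonging to an organisation
+\begin{itemize}
+\item These models can be hidden or shared to other organisation
+\item $\rightarrow$ Editable
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: Index}
+\includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
+View, update, add, create, delete, enable, export, import
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: Fine tuning tool}
+\includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
+Create, modify, visualise, perform mapping
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: \texttt{base\_score} tool}
+\includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png}
+Adjust Taxonomies relative weights
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: simulation tool}
+\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
+Simulate \textit{Attributes} with different \textit{Models}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Implementation in MISP: API query body}
+\texttt{/attributes/restSearch}
+\begin{lstlisting}
+{
+"includeDecayScore": 1,
+"includeFullModel": 0,
+"excludeDecayed": 0,
+"decayingModel": [85],
+"modelOverrides": {
+"threshold": 30
+}
+"score": 30,
+}
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}
+\frametitle{Decaying Models 2.0}
+\begin{itemize}
+\item Improved support of \textit{Sightings}
+\begin{itemize}
+\item \texttt{False positive} \textit{Sightings} should somehow reduce the score
+\item \texttt{Expiration} \textit{Sightings} should mark the attribute as decayed
+\end{itemize}
+\item Potential \textit{Model} improvements
+\begin{itemize}
+\item Instead of resetting the score to \texttt{base\_score} once a \textit{Sighting} is set, the score should be increased additively (based on a defined coefficient); thus \textbf{prioritizing surges} rather than infrequent \textit{Sightings}
+\item Take into account related \textit{Tags} or \textit{Correlations} when computing score
+\end{itemize}
+\item Increase \textit{Taxonomy} coverage
+\begin{itemize}
+\item Users should be able to manually override the \texttt{numerical\_value} of \textit{Tags}
+\end{itemize}
+\item For specific type, take into account data from other services
+\begin{itemize}
+\item Could fetch data from \textit{BGP ranking}, \textit{Virus Total}, \textit{Passive X} for IP/domain/... and adapt the score
+\end{itemize}
+\end{itemize}
+\end{frame}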
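Review bot: The request body on the "API query body" slide is not valid JSON — the `modelOverrides` object is not followed by a comma and `"score": 30,` leaves a trailing comma before the closing brace — so a trainee who pastes it into the REST client gets a parse error instead of a decayed-score query; change the two lines to `},` after `"threshold": 30` and `"score": 30` without the comma. On the "Scoring Indicators" slide the interval `$ \in [0, +\infty $` is missing its closing delimiter and should read `$ \in [0, +\infty[ $` (or `[0, +\infty)`). `"decayingModel": [85]` is a model id local to the instance the screenshots came from, so a comment such as `% model ids are instance-specific; take them from the decaying model index` next to the listing would save confusion in other deployments. Using `8.8.8.8` with `"to_ids": true` as the worked example in a deck about feeding scored indicators to a NIDS is risky teaching material; an address from a documentation range (e.g. `192.0.2.0/24`) illustrates the same API output without inviting anyone to block a public resolver. Minor spelling in the same file: `Deliberatly`, `algorythm`, `instanciation`.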
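--- /dev/null
+++ b/Makefile
@@ -0,0 +1,2 @@
+all:
+pdflatex -interaction nonstopmode -halt-on-error -file-line-error circl-introduction.tex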
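Review bot: The `all` recipe compiles `circl-introduction.tex`, yet no file of that name is added in this commit, while the deck that is added here is driven by `slide.tex` (its `\begin{document}` does `\include{content}`, and the three-line build script in the same commit runs `pdflatex slide.tex`); if this Makefile sits next to that `slide.tex` the recipe is pointing at a non-existent main file and should read `pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex`. Beamer resolves the navigation entries and the `focus` theme's progress bar from the previous run's auxiliary files, so the recipe should invoke pdflatex twice rather than once. A `clean` target (`rm -f *.aux *.log *.nav *.out *.snm *.toc`) plus matching `.gitignore` entries would also keep build artefacts out of the tree — a `content.aux` checkpoint file is committed elsewhere in this same commit. Whether the recipe line is tab-indented cannot be seen in this rendering; make sure it is, since `make` rejects space-indented recipes.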
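--- /dev/null
+++ b/slide.tex
@@ -0,0 +1,143 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8x]{inputenc}
+\usepackage{listings}
+\usepackage{soul}
+\usepackage{siunitx}
+\usepackage{booktabs}
+%\lstset{
+% backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}
+% basicstyle=\footnotesize, % the size of the fonts that are used for the code
+% breakatwhitespace=false
+%}
+
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+
+\usepackage{xcolor}
+\usepackage{colortbl}
+\definecolor{mygreen}{rgb}{0,0.6,0}
+\definecolor{mygreen2}{rgb}{0,0.56,0.16}
+\definecolor{myred}{rgb}{0.6,0.066,0.066}
+\definecolor{redCIRCL}{RGB}{213,43,30}
+\definecolor{mygray}{rgb}{0.5,0.5,0.5}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{mygray}{gray}{0.9}
+\definecolor{mywhite}{rgb}{1,1,1}
+\definecolor{myblack}{rgb}{0,0,0}
+\definecolor{mybeige}{HTML}{eeeeee}
+%\usepackage{tcolorbox}
+\usepackage[listings]{tcolorbox}
+\tcbuselibrary{listings}
+
+\lstdefinestyle{code}{ %
+backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
+breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+breaklines=true, % sets automatic line breaking
+captionpos=b, % sets the caption-position to bottom
+commentstyle=\color{mygreen}, % comment style
+deletekeywords={...}, % if you want to delete keywords from the given language
+escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+frame=single, % adds a frame around the code
+keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+keywordstyle=\color{blue}, % keyword style
+language=Python, % the language of the code
+morekeywords={*,...}, % if you want to add more keywords to the set
+numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+numbersep=5pt, % how far the line-numbers are from the code
+numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+showstringspaces=false, % underline spaces within strings only
+showtabs=false, % show tabs within strings adding particular underscores
+stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+stringstyle=\color{mymauve}, % string literal style
+tabsize=2, % sets default tabsize to 2 spaces
+title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstdefinestyle{bash}{ %
+backgroundcolor=\color{black!85}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+basicstyle=\footnotesize\color{mywhite}, % the size of the fonts that are used for the code
+breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+breaklines=true, % sets automatic line breaking
+captionpos=b, % sets the caption-position to bottom
+commentstyle=\color{mygreen}, % comment style
+deletekeywords={...}, % if you want to delete keywords from the given language
+escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+frame=single % adds a frame around the code
+keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+keywordstyle=\color{white}\bfseries, % keyword style
+language=bash, % the language of the code
+morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
+numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+numbersep=5pt, % how far the line-numbers are from the code
+numberstyle=\tiny\color{mywhite}, % the style that is used for the line-numbers
+rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+showstringspaces=false, % underline spaces within strings only
+showtabs=false, % show tabs within strings adding particular underscores
+stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+stringstyle=\color{mymauve}, % string literal style
+tabsize=2, % sets default tabsize to 2 spaces
+title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstdefinestyle{default}{ %
+backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+basicstyle=\footnotesize\color{black}, % the size of the fonts that are used for the code
+breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+breaklines=true, % sets automatic line breaking
+captionpos=b, % sets the caption-position to bottom
+commentstyle=\color{mygreen}, % comment style
+deletekeywords={...}, % if you want to delete keywords from the given language
+escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+frame=single % adds a frame around the code
+keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+keywordstyle=\color{white}\bfseries, % keyword style
+language=bash, % the language of the code
+morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
+numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+numbersep=5pt, % how far the line-numbers are from the code
+numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
+rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+showstringspaces=false, % underline spaces within strings only
+showtabs=false, % show tabs within strings adding particular underscores
+stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+stringstyle=\color{mymauve}, % string literal style
+tabsize=2, % sets default tabsize to 2 spaces
+title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+
+\AtBeginSection[]{
+\begin{frame}
+\vfill
+\centering
+\begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
+{\color{white} \usebeamerfont{title}\insertsectionhead}\par%
+\end{beamercolorbox}
+\vfill
+\end{frame}
+}
+
+\author{\small{Team CIRCL}}
+
+\title{MISP and Decaying of Indicators}
+\subtitle{Primer for indicator scoring in MISP}
+\institute{info@circl.lu}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\date{\today}
+
+\begin{document}
+\include{content}
+\end{document}
+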
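Review bot: The `bash` and `default` listing styles both lack the comma after `frame=single % adds a frame around the code`, so the line comment swallows the newline and the next key is folded into the frame value (`frame=single keepspaces=true`); the `code` style a few lines above has it right, and because only `\lstset{style=code}` is ever applied the error stays latent until someone selects one of the other two styles — change both lines to `frame=single, % adds a frame around the code`. `\include{content}` inside `\begin{document}` forces a `\clearpage` and writes a separate `content.aux` checkpoint on every build, which is a nuisance for a single-file deck and the kind of artefact that then ends up committed (a `content.aux` is added elsewhere in this same commit); `\input{content}` gives the same result without the side effects. `\definecolor{mygray}` is defined twice with different values (`rgb 0.5,0.5,0.5`, then `gray 0.9`) and the second silently wins, so drop or rename one of them. `\usepackage[utf8x]{inputenc}` loads the unmaintained `ucs` bundle; the plain `[utf8]` option (the default since 2018) is what the rest of the repository's decks should be using.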
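--- a/content.tex
+++ b/content.tex
@@ -6,6 +6,41 @@
 \end{frame}
 
 \section{Expiring IOCs: Why and How?}
+\begin{frame}[fragile]
+\frametitle{Indicators - Problem Statement}
+\begin{itemize}
+\item {\bf Sharing information} about threats {\bf is crucial}
+\item Organisations are sharing more and more
+\end{itemize}
+\vspace{1em}
+
+Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\
+\vspace{1em}
+\begin{minipage}{0.45\textwidth}
+\begin{tabular}{ll}
+\hline
+Date & Unique Org \\
+\hline
+2013 & 17 \\
+2014 & 43 \\
+2015 & 82 \\
+2016 & 105 \\
+2017 & 118 \\
+2018 & 125 \\
+2019-10 & 135 \\
+\hline
+\end{tabular}
+\vspace{0.5em}
+\end{minipage}
+\begin{minipage}{0.5\textwidth}
+\begin{lstlisting}
+{
+"distribution": [1, 2, 3]
+}\end{lstlisting}
+\end{minipage}
+
+\end{frame}
+
 \begin{frame}
 \frametitle{Indicators - Problem Statement}
 \begin{itemize}
@@ -215,6 +250,7 @@
 Current implentation ignores \texttt{source\_confidence}:
 $$\rightarrow \texttt{base\_score} = tags$$
 \includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
+$\rightarrow$ The \texttt{base\_score} can be use to prioritize attribute based on their attached context and source
 \end{frame}
 
 \begin{frame}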
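Review bot: The `{ "distribution": [1, 2, 3] }` listing set beside the per-year organisation counts is never explained on the new slide, so it reads as an unrelated fragment; presumably it is the search filter used to produce those numbers (distribution levels 1–3, i.e. excluding org-only and sharing-group data), and a one-line comment above `\begin{lstlisting}` such as `% filter used for the counts: community, connected-community and all-community events only` would make that explicit — adjust if the filter was something else. The line ending `on MISPPriv:\\` uses `\\` as a paragraph break in running text, which typically yields an Underfull \hbox warning; a blank line (or `\par`) before `\vspace{1em}` gives the intended break. In the second hunk the added sentence has two grammar slips; `The \texttt{base\_score} can be used to prioritise attributes based on their attached context and source` also matches the spelling used on the Taxonomies slides (`prioritise`).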
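--- a/build.sh
+++ b/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on", "b.2-turning-data-into-actionable-intelligence")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on" "b.2-turning-data-into-actionable-intelligence")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}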
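Review bot: The rewritten `slidedecks` line is a single ~700-character array literal, which is exactly why the stray `,` it removes went unnoticed for a while (bash arrays are whitespace-separated, so `"a.8-dev-hands-on",` had silently become a deck named `a.8-dev-hands-on,`); writing the array one element per line — `slidedecks=(`, then `  "0-misp-introduction-to-information-sharing"` and so on, closed by `)` — keeps every future addition a one-line diff that reviewers and `shellcheck` can actually inspect. The new `a.5-bis-decaying-indicators-light-version` entry assumes that directory builds the same way as the others, but the README table touched in this same commit gains `b.2-…` and not the new `a.5-bis` deck, so the two lists are now out of step. The loop that consumes the array lies outside the hunk.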
@ -0,0 +1,3 @@
export TEXINPUTS=::~/git/misp-training/themes/
echo ${TEXINPUTS}
pdflatex slide.tex
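Review bot: `export TEXINPUTS=::~/git/misp-training/themes/` hard-codes a checkout location under the current user's home, so this script only works for whoever cloned into exactly `~/git/misp-training`; derive the path from the script's own location instead, e.g. `export TEXINPUTS=::"$(cd "$(dirname "$0")/.." && pwd)/themes/"`, in the spirit of the `` `pwd` `` the top-level `build.sh` already uses (adjust the `..` to however deep this directory sits). The file has no shebang and runs plain `pdflatex slide.tex`, which on any error stops at an interactive prompt rather than failing; start with `#!/bin/bash` and `set -euo pipefail`, and invoke `pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex` — twice, since beamer needs a second pass for navigation data and total frame counts — matching the flags of the Makefile added in this commit.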
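--- /dev/null
+++ b/content.aux
@@ -0,0 +1,40 @@
+\relax
+\providecommand\hyper@newdestlabel[2]{}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
+\@setckpt{content}{
+\setcounter{page}{7}
+\setcounter{equation}{0}
+\setcounter{enumi}{0}
+\setcounter{enumii}{0}
+\setcounter{enumiii}{0}
+\setcounter{enumiv}{0}
+\setcounter{footnote}{4}
+\setcounter{mpfootnote}{0}
+\setcounter{beamerpauses}{1}
+\setcounter{bookmark@seq@number}{0}
+\setcounter{lecture}{0}
+\setcounter{part}{0}
+\setcounter{section}{0}
+\setcounter{subsection}{0}
+\setcounter{subsubsection}{0}
+\setcounter{subsectionslide}{6}
+\setcounter{framenumber}{5}
+\setcounter{figure}{0}
+\setcounter{table}{0}
+\setcounter{parentequation}{0}
+\setcounter{theorem}{0}
+\setcounter{lstnumber}{1}
+\setcounter{section@level}{0}
+\setcounter{lstlisting}{0}
+}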
@ -0,0 +1,65 @@
|
||||||
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||||
|
% This is included by the other .tex files.
|
||||||
|
|
||||||
|
\begin{frame}[t,plain]
|
||||||
|
\titlepage
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{2019 - A successful year for the MISP project}
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf Improving and extending MISP project and information sharing practices} at a faster rate than expected
|
||||||
|
\item Increasing reach out to collect ideas and inspirations from EU CSIRTs, the private sector and security professionals while doing trainings/workshops (thanks to the CEF funding)
|
||||||
|
\item Integrate MISP at a rapid rate with {\bf other standards} (such as MITRE ATT\&CK sighting, STIX 2, GoAML and many others)
|
||||||
|
\item Increased pan-European collaboration and information exchanged compared to 2018\footnote{https://www.x-isac.org/publication.html}
|
||||||
|
\item Reaching the {\bf establishment of an European standard\footnote{\url{https://www.misp-standard.org/}} and open source toolset for threat intelligence and information sharing}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Major outcomes in 2019}
|
||||||
|
\begin{itemize}
|
||||||
|
\item 18 releases of the MISP core software which include more than 10 major new features. Attracting a large group of new users and contributors.
|
||||||
|
\end{itemize}
|
||||||
|
\includegraphics[scale=0.18]{cfd.png}
|
||||||
|
\includegraphics[scale=0.18]{objects-cfd.png}
|
||||||
|
\includegraphics[scale=0.18]{galaxy-cfd.png}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Increase of contributions during 2019 (MISP core, MISP objects and galaxy libraries).
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Major outcomes in 2019}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Improved external tools were created during 2019 such as {\bf misp-dashboard} (4 releases) - a new release is foreseen in the next weeks
|
||||||
|
\item The decaying model for indicators described as a academic paper in 2018 is now part of the core MISP software\footnote{\url{https://www.misp-project.org/2019/09/12/Decaying-Of-Indicators.html}}
|
||||||
|
\item {\bf All MISP training materials are released as open content}\footnote{\url{https://github.com/MISP/misp-training}} and contain more than 36 hours of training (e.g. MISP usage, administration, OSINT analysis and collection, building sharing communities)
|
||||||
|
\begin{itemize}
|
||||||
|
\item Source code is available and translation(s)/contribution(s) are welcome
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP object templates}
|
||||||
|
\begin{itemize}
|
||||||
|
\item From 89 (in 2018) to 147 (in 2019) object templates were added from many external contributors
|
||||||
|
\item Object templates include updated {\bf telecom objects} (such as SS7, GTP, Diameter or IMSI-catcher output), {\bf cyber security objects}, {\bf security objects} (such as vehicule, interpol-notice)
|
||||||
|
\item Objects are more and more used in different sharing communities and take over simple attributes in MISP to offer better contextualisation
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Conclusion}
|
||||||
|
\begin{itemize}
|
||||||
|
\item 2019 was a busy and successful year for the MISP project
|
||||||
|
\item The 2-year CEF grant was a bootstrap to improve MISP to its next level
|
||||||
|
\item New partnerships and projects are ongoing in 2020-2021 (such as the CEF VARIoT project or H2020 Enforce)
|
||||||
|
\item As the MISP project becomes larger, we improve the structure of the project (misp-standard.org is the first step)
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
|
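Review bot: The footnote `\footnote{https://www.x-isac.org/publication.html}` in the first frame typesets the address as plain text, unlike the other footnotes in this file which wrap it in `\url{}`; it should read `\footnote{\url{https://www.x-isac.org/publication.html}}` so it is hyperlinked and can break across lines. The `{\bf ...}` groups used throughout the frames are the obsolete two-letter font switch; `\textbf{...}` is the LaTeX2e form and nests correctly. Two wording slips in the third and fourth frames: `a academic paper` should be `an academic paper`, and `vehicule` should be `vehicle`.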
@ -0,0 +1,314 @@
|
||||||
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||||
|
% This is included by the other .tex files.
|
||||||
|
|
||||||
|
\begin{frame}[t,plain]
|
||||||
|
\titlepage
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}{Agenda}
|
||||||
|
\input{../includes/agenda.txt}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP, bekeken vanuit een praktisch voorbeeld}
|
||||||
|
\begin{itemize}
|
||||||
|
\item In 2012 werd tijdens een werkgroep voor malware analyse duidelijk dat we werkten aan de analyse van dezelfde malware.
|
||||||
|
\item We wilden onze informatie op een eenvoudige en geautomatiseerde manier met elkaar delen {\bf om dubbel werk te voorkomen}.
|
||||||
|
\item Christophe Vandeplas (toen werkzaam bij het CERT voor de Belgische Defensie) toonde ons zijn werk aan een platform dat uiteindelijk MISP werd.
|
||||||
|
\item De eerste versie van het MISP-platform werd gebruikt door de MALWG en met hulp van {\bf de toenemende feedback van gebruikers} konden we een verbeterd platform bouwen.
|
||||||
|
\item MISP is nu uitgegroeid tot een platform waar de {\bf ontwikkeling gestuurd wordt vanuit de gemeenschap}.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{over CIRCL}
|
||||||
|
Het Computer Incident Response Centre Luxembourg (CIRCL) is een overheids initiatief om een antwoord te bieden op computerbeveiligingsbedreigingen en -incidenten. \break \newline
|
||||||
|
CIRCL is het CERT voor de particuliere sector, gemeenten en niet-gouvernementele entiteiten in Luxemburg en wordt beheerd door securitymadein.lu g.i.e.
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP en CIRCL}
|
||||||
|
\begin{itemize}
|
||||||
|
\item CIRCL is gemandateerd door het ministerie van Economische Zaken en treedt op als het Luxemburgse nationale CERT voor de particuliere sector.
|
||||||
|
\item CIRCL leidt de ontwikkeling van het Open Source MISP-platform voor het delen van dreigingsinformatie. Dit platform is wereldwijd gebruikt door veel militaire en inlichtingengemeenschappen, privébedrijven, de financiële sector, nationale CERT's en LEA's.
|
||||||
|
\item {\bf CIRCL beheert meerdere grote MISP-gemeenschappen die dagelijkse actief zijn in het delen van dreigingsinformatie}.
|
||||||
|
\end{itemize}
|
||||||
|
\includegraphics{en_cef.png}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Ontwikkeling gebaseerd op praktische feedback van de gebruikers}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Er zijn veel verschillende soorten gebruikers van een informatie-uitwisselingsplatform zoals MISP:
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf Malware-analysten} die bereid zijn om de indicatoren van hun analyse met collega's te delen.
|
||||||
|
\item {\bf Beveiligingsanalisten} die voor operationele beveiliging zoeken naar indicatoren, deze valideren en gebruiken.
|
||||||
|
\item {\bf Informatie-analysten} die informatie verzamelen over specifieke vijandige groepen.
|
||||||
|
\item De {\bf politie} die vertrouwt op indicatoren om digitale onderzoeken te ondersteunen of op te starten.
|
||||||
|
\item {\bf Risico analyse teams} die meer willen weten over nieuwe dreigingen, de waarschijnlijkheid van deze dreigingen en of deze dreigingen werden vastgesteld.
|
||||||
|
\item {\bf Fraude analysten} die bereid zijn om indicatoren te delen om financiële fraude op te sporen.
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Het beheermodel van MISP}
|
||||||
|
\includegraphics[scale=0.4]{governance.png}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Verschillende objectieven}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Delen van indicatoren voor {\bf detectie} doeleinden.
|
||||||
|
\begin{itemize}
|
||||||
|
\item 'Heb ik geïnfecteerde systemen in mijn infrastructuur of onder mijn beheer?'
|
||||||
|
\end{itemize}
|
||||||
|
\item Delen van indicatoren om te {\bf blokkeren}.
|
||||||
|
\begin{itemize}
|
||||||
|
\item 'Ik gebruik deze attributen om verkeer te blokkeren of om verkeer om te leiden.'
|
||||||
|
\end{itemize}
|
||||||
|
\item Delen van indicatoren om {\bf informatie te verzamelen}.
|
||||||
|
\begin{itemize}
|
||||||
|
\item 'Informatie verzamelen over campagnes en aanvallen. Zijn deze campagnes met elkaar verbonden? Zijn ze gericht op mij? Wie zijn de tegenstanders?'
|
||||||
|
\end{itemize}
|
||||||
|
\item $\rightarrow$ Deze doelstellingen kunnen soms tegenstrijdig zijn
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Moeilijkheden bij het delen}
|
||||||
|
\begin{itemize}
|
||||||
|
\item De problemen met het delen van informatie zijn vaak niet zozeer van technische aard maar eerder een kwestie van {\bf sociale interacties} (b.v. {\bf vertrouwen}).
|
||||||
|
\item Juridische restricties\footnote{\url{https://www.misp-project.org/compliance/}}
|
||||||
|
\begin{itemize}
|
||||||
|
\item "Ons wettelijk kader staat ons niet toe om informatie te delen."
|
||||||
|
\item "Het risico op een informatielek is te hoog en het is te riskant voor onze organisatie of partners."
|
||||||
|
\end{itemize}
|
||||||
|
\item Praktische beperkingen
|
||||||
|
\begin{itemize}
|
||||||
|
\item "We hebben geen informatie om te delen."
|
||||||
|
\item "We hebben geen tijd om indicatoren te verwerken of om er te delen."
|
||||||
|
\item "Ons classificatie model past niet in uw model."
|
||||||
|
\item "De middelen voor het delen van informatie zijn gebonden aan een specifiek formaat en we gebruiken een ander formaat."
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP Project Overzicht}
|
||||||
|
\includegraphics[scale=0.35]{misp-overview-simplified.pdf}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
%\begin{frame}
|
||||||
|
% \frametitle{MISP Project Overview}
|
||||||
|
% \begin{columns}[t]
|
||||||
|
% \column{5.0cm}
|
||||||
|
% \begin{figure}
|
||||||
|
% \includegraphics[scale=0.20]{misp-overview.pdf}\\
|
||||||
|
% \end{figure}
|
||||||
|
% \column{7cm}
|
||||||
|
% \begin{itemize}
|
||||||
|
% \item The {\bf core project}\footnote{\url{http://github.com/MISP/}} (PHP/Python3) supports the backend, API \& UI.
|
||||||
|
% \item Modules (Python3) expand MISP functionalities.
|
||||||
|
% \item Taxonomies (JSON) to add categories \& global tagging.
|
||||||
|
% \item Warning-lists (JSON) help analysts to detect potential false-positives.
|
||||||
|
% \item Galaxy (JSON) to add threat-actors, tools or "intelligence".
|
||||||
|
% \item Objects (JSON) to allow for templated composition of security related atomic points of information.
|
||||||
|
% \end{itemize}
|
||||||
|
% \end{columns}
|
||||||
|
%\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP functies}
|
||||||
|
\begin{itemize}
|
||||||
|
\item MISP\footnote{\url{https://github.com/MISP/MISP}} is open source software voor het delen van dreigings-informatie.
|
||||||
|
\item MISP heeft {\bf een groot aantal functionaliteiten} die gebruikers ondersteunen bij het maken, samen werken aan en het delen van bedreigingsinformatie - bijv. flexibele groepen voor het delen van informatie, {\bf automatische correlatie van gegevens}, importhulp, event distributie en voorstelling voor verbetering van attributen.
|
||||||
|
\item Er is ondersteuning voor diverse formaten van IDS / IPS systemen (b.v. Suricata, Bro, Snort), SIEMs (b.v. CEF), host scanners (b.v. OpenIOC, STIX, CSV, yara), analyse tools (b.v. Maltego) of om DNS policies te implementeren (b.v. RPZ).
|
||||||
|
\item Er is een breed aanbod aan MISP modules\footnote{\url{https://www.github.com/MISP/misp-modules}} voor uitbreiding, import en export functionaliteiten.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Correlaties : een hulpmiddel voor analysten}
|
||||||
|
\includegraphics[scale=0.18]{screenshots/campaign.png}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Voor het {\bf bevestigen van een bevinding} (b.v. is dit dezelfde campagne?), {\bf of een analyse} (b.v. hebben andere analysten dezelfde hypothesis?), {\bf bevestigen van een specifiek aspect} (b.v. werden deze sinkhole IP adressen gebruikt voor een campagne?) of het simpelweg uitzoeken of een {\bf dreiging nieuw of onbekend is in je omgeving}.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Groepen die MISP gebruiken}
|
||||||
|
\begin{itemize}
|
||||||
|
\item In het algemeen gaan gebruikers informatie delen met een groep met dezelfde objectieven of waarden.
|
||||||
|
\item CIRCL beheert meerdere MISP-instanties met een aanzienlijke gebruikersbasis (meer dan 950 organisaties met meer dan 2400 gebruikers).
|
||||||
|
\item {\bf Vertrouwde} (gesloten) groepen die MISP gebruiken in een soort "eiland" modus (als een geïsoleerd systeem) of als een deels geconnecteerd systeem.
|
||||||
|
\item De {\bf financiële sector} (banken, ISACs, organisaties die betalingen verwerken) gebruikt MISP als een mechanisme voor het delen van informatie.
|
||||||
|
\item {\bf Militaire en internationale organisaties} (NATO, militaire CSIRTs, n/g CERTs,...).
|
||||||
|
\item {\bf Security bedrijven} die hun eigen gemeenschap starten (b.v. Fidelis) of een koppeling hebben met een MISP gemeenschap (b.v. OTX).
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP basisfuncties voor gedistribueerd delen}
|
||||||
|
\begin{itemize}
|
||||||
|
\item De kernfunctionaliteit van MISP is het delen van informatie waarbij iedereen zowel een consument als een producent (bijdrager) kan zijn.
|
||||||
|
\item Dit heeft als voordeel dat iedereen snel kan deelnemen, zonder de directe verplichting om zelf bij te dragen.
|
||||||
|
\item Er is een lage drempel om het systeem te leren kennen.
|
||||||
|
\end{itemize}
|
||||||
|
\includegraphics[scale=0.9]{misp-distributed.pdf}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Events, Objecten en Attributen in MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Een MISP event is een verzameling van contextueel verbonden informatie.
|
||||||
|
\item Attributen\footnote{attributen kunnen alles zijn zolang ze bijdragen aan het beschrijven van de intentie van het event, b.v. indicatoren, kwetsbaarheden ... } starten initieel met een standaard groep van "cyber security" indicatoren.
|
||||||
|
\item Attributen zijn puur {\bf gebaseerd op gebruik}. De verbetering gebeuren voornamelijk op basis van praktische noden ({\bf financiële indicatoren} in versie 2.4).
|
||||||
|
\item Objecten zijn samengestelde attributen die verschillende datapunten beschrijven, opgebouwd uit templates van de gemeenschap en de gebruikers.
|
||||||
|
\item Galaxies zorgen voor een granulaire context, classificatie en categorisatie van de gegevens gebaseerd op {\bf dreigings actoren}, {\bf preventie maatregelen} en de hulpmiddelen gebruikt door tegenstanders.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Delen van Technieken van Aanvallers}
|
||||||
|
\begin{itemize}
|
||||||
|
\item MISP heeft integratie op zowel event als attribuut niveau voor MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK).
|
||||||
|
\end{itemize}
|
||||||
|
\includegraphics[scale=0.2]{screenshots/attack-screenshot.png}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Ondersteuning voor een specifiek datamodel}
|
||||||
|
\includegraphics[scale=0.24]{screenshots/bankaccount.png}
|
||||||
|
\includegraphics[scale=0.18]{screenshots/bankview.png}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Terminilogie van indicatoren}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Indicatoren\footnote{IoC (Indicator of Compromise) zijn een onderdeel van de indicatoren}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Indicatoren beschrijven een patroon dat kan gebruikt worden om verdachte of kwaadaardige traffiek te detecteren.
|
||||||
|
\end{itemize}
|
||||||
|
\item Attributen in MISP kunnen netwerk indicatoren (b.v. IP adressen), systeem indicatoren (b.v. tekst in het geheugen) of zelfs bank gegevens zijn.
|
||||||
|
\begin{itemize}
|
||||||
|
\item Een {\bf type} (b.v. MD5, url) is hoe een attribuut is beschreven.
|
||||||
|
\end{itemize}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Een attribuut behoort altijd tot een categorie (b.v. Payload delivery). Deze categorie plaatst het attribuut in een bepaalde context.
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf Een categorie bepaalt de context } van een attribuut.
|
||||||
|
\end{itemize}
|
||||||
|
\item De IDS instelling op een attribuut bepaald of {\bf dit attribuut automatisch} zal gebruikt worden voor {\bf detectie} doeleinden.
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Ondersteuning voor het werken met MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Gebruikers kunnen events of attributen bijvoegen via zowel de web interface, de API als via een vrije tekst veld.
|
||||||
|
\begin{itemize}
|
||||||
|
\item Er zijn modules in Viper (een framework voor het analyseren van malware) om data in MISP in te vullen, via de vty of via IDA.
|
||||||
|
\end{itemize}
|
||||||
|
\item Een bijdrage kan gebeuren door rechtstreeks een event aan te maken maar gebruikers kunnen ook de eigenaar van een event een {\bf update voorstellen voor attributen}.
|
||||||
|
\item Gebruikers zijn {\bf niet gedwongen om één interface te gebruiken om gegevens aan MISP bij te voegen}.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Voorbeeld: Vrije tekst import in MISP}
|
||||||
|
\includegraphics[scale=0.3]{screenshots/freetext1.PNG}\\
|
||||||
|
\includegraphics[scale=0.3]{screenshots/freetxt2.PNG}\\
|
||||||
|
\includegraphics[scale=0.3]{screenshots/freetxt3.PNG}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Ondersteuning voor classificaties}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Het gebruik van tags is een simpele manier om een classificatie toe te voegen aan een event of attribuut.
|
||||||
|
\item Een {\bf classificatie moet globaal} in gebruik zijn om ook efficient te zijn.
|
||||||
|
\item Gebruikers kunnen via een flexibel tagging systeem kiezen uit de meer dan 42 bestaande taxonomieën of ze kunnen hun eigen taxonomie bijvoegen.
|
||||||
|
\end{itemize}
|
||||||
|
\includegraphics[scale=0.20]{tags-2-4-70.png}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Ondersteuning voor het delen in MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Delegeren van de publicatie van events naar andere organisaties (sinds MISP 2.4.18).
|
||||||
|
\begin{itemize}
|
||||||
|
\item Deze andere organisatie kan dan eigenaar worden van het event en op deze manier zorgen voor de {\bf pseudo-anonimiteit van de oorspronkelijke organisatie}.
|
||||||
|
\end{itemize}
|
||||||
|
\item Definiëren van groepen om specifieke informatie mee te delen (vanaf 2.4).
|
||||||
|
\begin{itemize}
|
||||||
|
\item De gemeenschappen om mee te delen kunnen lokaal of tussen verschillende MISP instanties gebruikt worden.
|
||||||
|
\item Het delen kan gebeuren op zowel {\bf event} als {\bf attribuut} niveau (b.v. financiële indicatoren met de financiële groepen en cyber security indicatoren met de CSIRT gemeenschap).
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Ondersteuning voor waarnemingen}
|
||||||
|
\begin{columns}[t]
|
||||||
|
\column{5.0cm}
|
||||||
|
\begin{figure}
|
||||||
|
\includegraphics[scale=0.3]{screenshots/sighting-n.png}\\
|
||||||
|
\includegraphics[scale=0.34]{screenshots/Sightings2.PNG}
|
||||||
|
\end{figure}
|
||||||
|
\column{7cm}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Gebruikers kunnen via {\bf waarnemingen} de gemeenschap op de hoogte stellen van activiteit gerelateerd aan een indicator.
|
||||||
|
\item Het is mogelijk om negatieve waarnemingen (false positives) en waarnemingen met een vervaldatum in te geven.
|
||||||
|
\item Waarnemingen kunnen gebeuren via de web interface, de API of door STIX waarnemings-documenten te importeren.
|
||||||
|
\item Er zijn verschillende toepassingen om indicatoren te rangschikken op basis van waarnemingen.
|
||||||
|
\end{itemize}
|
||||||
|
\end{columns}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Verbeteringen voor het delen van informatie in MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Valse positiven (false-positive) blijven een terugkerende uitdaging bij het delen van informatie.
|
||||||
|
\item Vanaf MISP 2.4.39 hebben we het concept van misp-warninglists\footnote{\url{https://github.com/MISP/misp-warninglists}} geïntroduceerd om de analysten te ondersteunen bij hun dagtaak.
|
||||||
|
\item Dit zijn voorgedefinieerde lijsten van indicatoren die vaak een valse positieve zijn, zoals bijvoorbeeld RFC1918 netwerken of publieke DNS servers.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Ondersteuninng voor het delen binnen en buiten een organisatie}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Zelfs binnen één en dezelfde omgeving kunnen er verschillende use cases zijn voor het gebruik van MISP (b.v. groepen die MISP gebruiken voor dynamische malware analyse en correlatie, andere groepen die het dan weer gebruiken voor het versturen van meldingen).
|
||||||
|
\item Vanaf MISP 2.4.51, is er de optie om {\bf lokale MISP} servers met elkaar te verbinden. Zo kan je verschillende niveaus van delen voorkomen en kan je van een gemengde synchronisatie gebruik maken, zowel binnen als buiten de organisatie.
|
||||||
|
\item Er is ondersteuning voor feeds voor synchronisatie tussen vertrouwde en niet vertrouwde netwerken.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Starten met MISP en indicatoren}
|
||||||
|
\begin{itemize}
|
||||||
|
\item We onderhouden de standaard CIRCL OSINT-feeds (TLP:WHITE geselecteerd uit onze gemeenschappen) zodat gebruikers snel aan de slag kunnen gaan met MISP.
|
||||||
|
\item Het formaat van de OSINT-feed is gebaseerd op standaard MISP JSON-uitvoer van een externe TLS / HTTP-server.
|
||||||
|
\item Aanvullende contentproviders kunnen hun eigen MISP-feeds leveren. (\url{https://botvrij.eu/}).
|
||||||
|
\item Dit laat gebruikers toe om hun MISP-installaties te {\bf testen en te synchroniseren met een echte gegevensset}.
|
||||||
|
\item Dit kan bijdragen aan andere bronnen van dreigings informatie en helpt ook bij de analyze naar overlappende data\footnote{Een steeds terugkerende uitdaging bij het delen van informatie}.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Conclusie}
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf De manier van informatie delen onstaat voornamelijk uit het gebruik} en het volgen van bestaande voorbeelden.
|
||||||
|
\item MISP is uiteindelijk slechts een hulpmiddel, het belangrijkste is nog altijd de manier hoe je de informatie deelt. De tool moet u daarbij zo transparant mogelijk ondersteunen tijdens uw werk.
|
||||||
|
\item Gebruikers moeten MISP kunnen aanpassen zodat zij een oplossing hebben voor de noden van hun gemeenschap.
|
||||||
|
\item Het MISP project combineert open source software, open standaarden, best practices en gemeenschappen om informatie deling te realiseren.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
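Review bot: The straight double quotes in the `Moeilijkheden bij het delen` frame (`"Ons wettelijk kader ..."` and the three items after it) typeset as two closing quotes in LaTeX; write them as ``...'' (or `\enquote{...}` from csquotes), and likewise the `'Heb ik ...'` style items in the `Verschillende objectieven` frame want `...'. In the `over CIRCL` frame, `\break \newline` is a manual line-break hack where a blank line between the two paragraphs is the idiomatic paragraph break. Two frametitles carry typos, `Terminilogie` → `Terminologie` and `Ondersteuninng` → `Ondersteuning`, the conclusion bullet has `onstaat` → `ontstaat`, and `analyze` in the `Starten met MISP en indicatoren` frame should be the Dutch `analyse`.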
After Width: | Height: | Size: 12 KiB |
After Width: | Height: | Size: 14 KiB |
After Width: | Height: | Size: 31 KiB |
After Width: | Height: | Size: 11 KiB |
|
@ -0,0 +1,26 @@
|
||||||
|
\relax
|
||||||
|
\providecommand\hyper@newdestlabel[2]{}
|
||||||
|
\providecommand\BKM@entry[2]{}
|
||||||
|
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
|
||||||
|
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
|
||||||
|
\global\let\oldcontentsline\contentsline
|
||||||
|
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
|
||||||
|
\global\let\oldnewlabel\newlabel
|
||||||
|
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
|
||||||
|
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
|
||||||
|
\AtEndDocument{\ifx\hyper@anchor\@undefined
|
||||||
|
\let\contentsline\oldcontentsline
|
||||||
|
\let\newlabel\oldnewlabel
|
||||||
|
\fi}
|
||||||
|
\fi}
|
||||||
|
\global\let\hyper@last\relax
|
||||||
|
\gdef\HyperFirstAtBeginDocument#1{#1}
|
||||||
|
\providecommand\HyField@AuxAddToFields[1]{}
|
||||||
|
\providecommand\HyField@AuxAddToCoFields[2]{}
|
||||||
|
\@input{content.aux}
|
||||||
|
\pgfsyspdfmark {pgfid1}{1398509}{16636717}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@partpages {1}{6}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{6}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{6}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@documentpages {6}}}
|
||||||
|
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {5}}}
|
|
@ -0,0 +1,17 @@
|
||||||
|
\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {1}{1}}
|
||||||
|
\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {2}{2}}
|
||||||
|
\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {3}{3}}
|
||||||
|
\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {4}{4}}
|
||||||
|
\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {5}{5}}
|
||||||
|
\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {6}{6}}
|
||||||
|
\headcommand {\beamer@partpages {1}{6}}
|
||||||
|
\headcommand {\beamer@subsectionpages {1}{6}}
|
||||||
|
\headcommand {\beamer@sectionpages {1}{6}}
|
||||||
|
\headcommand {\beamer@documentpages {6}}
|
||||||
|
\headcommand {\gdef \inserttotalframenumber {5}}
|
|
@ -0,0 +1,25 @@
|
||||||
|
\documentclass{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
\usepackage[utf8]{inputenc}
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usetikzlibrary{positioning}
|
||||||
|
\usetikzlibrary{shapes,arrows}
|
||||||
|
|
||||||
|
|
||||||
|
\title{ MISP Project - One Year of Improvements}
|
||||||
|
\subtitle{}
|
||||||
|
\author{MISP core team}
|
||||||
|
\date{MISP Summit 0x5 - 21st October 2019}
|
||||||
|
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
|
||||||
|
\institute{MISP Project \\ \url{https://www.misp-project.org/}}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
|
||||||
|
|
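Review bot: This preamble is committed together with its build products — the `.aux`, `.nav` and `.log` sections in this commit (including `content.aux`, which `\include{content}` regenerates on every run) are rewritten by each `pdflatex` invocation, and the log even records a failed run that stopped at `! Emergency stop.` before reading `slides.tex`, so they should be dropped and ignored rather than tracked. `\title{ MISP Project - One Year of Improvements}` has a stray leading space inside the braces and a hyphen where an en dash `--` is meant. With `\usepackage[utf8]{inputenc}` but no `\usepackage[T1]{fontenc}`, accented words in the slides will not hyphenate correctly and copy poorly from the PDF; adding the fontenc line next to inputenc fixes that. `\input{content}` is the usual form for a single-file slide body, since `\include` forces a page break and writes the separate auxiliary file.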
After Width: | Height: | Size: 102 KiB |
|
@ -0,0 +1,21 @@
|
||||||
|
This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=pdflatex 2018.10.13) 20 OCT 2019 21:26
|
||||||
|
entering extended mode
|
||||||
|
restricted \write18 enabled.
|
||||||
|
%&-line parsing enabled.
|
||||||
|
**slides.tex
|
||||||
|
|
||||||
|
! Emergency stop.
|
||||||
|
<*> slides.tex
|
||||||
|
|
||||||
|
End of file on the terminal!
|
||||||
|
|
||||||
|
|
||||||
|
Here is how much of TeX's memory you used:
|
||||||
|
3 strings out of 492982
|
||||||
|
108 string characters out of 6134895
|
||||||
|
53913 words of memory out of 5000000
|
||||||
|
3671 multiletter control sequences out of 15000+600000
|
||||||
|
3640 words of font info for 14 fonts, out of 8000000 for 9000
|
||||||
|
1141 hyphenation exceptions out of 8191
|
||||||
|
0i,0n,0p,1b,6s stack positions out of 5000i,500n,10000p,200000b,80000s
|
||||||
|
! ==> Fatal error occurred, no output PDF file produced!
|