diff --git a/20241010-libreoffice/MISP_community.png b/20241010-libreoffice/MISP_community.png
new file mode 100644
index 0000000..442389a
Binary files /dev/null and b/20241010-libreoffice/MISP_community.png differ
diff --git a/20241010-libreoffice/attack-screenshot.png b/20241010-libreoffice/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20241010-libreoffice/attack-screenshot.png differ
diff --git a/20241010-libreoffice/bankaccount.png b/20241010-libreoffice/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/20241010-libreoffice/bankaccount.png differ
diff --git a/20241010-libreoffice/bankview.png b/20241010-libreoffice/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/20241010-libreoffice/bankview.png differ
diff --git a/20241010-libreoffice/blueprint.png b/20241010-libreoffice/blueprint.png
new file mode 100644
index 0000000..ac96976
Binary files /dev/null and b/20241010-libreoffice/blueprint.png differ
diff --git a/20241010-libreoffice/circl.png b/20241010-libreoffice/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20241010-libreoffice/circl.png differ
diff --git a/20241010-libreoffice/content.tex b/20241010-libreoffice/content.tex
new file mode 100755
index 0000000..4ac8bcf
--- /dev/null
+++ b/20241010-libreoffice/content.tex
@@ -0,0 +1,211 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\section{MISP}
+
+\begin{frame}
+\frametitle{What is MISP?}
+\begin{itemize}
+ \item MISP is an OSS {\bf threat information sharing} platform (TISP)
+ \item A tool used and deployed by CSIRTs, SOCs, Cyber threat researchers around the world
+ \item The main objective is {\bf collective defense} against threats
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP: Started from a practical use-case}
+ \begin{itemize}
+ \item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
+ \item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
+ \item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
+ \item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
+ \item MISP is now {\bf a community-driven development} supporting different intelligence communities.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Development based on practical user feedback}
+\begin{itemize}
+ \item Organic growth over time within security teams:
+ \begin{itemize}
+ \item {\bf Malware reversers}: share indicators of analysis with colleagues.
+ \item {\bf Security analysts} searching, validating and using indicators in ops.
+ \item {\bf Intelligence analysts} researching adversary groups.
+ \item {\bf Risk analysis teams} monitoring trends, threats, remediations.
+ \end{itemize}
+ \item Some examples of other communities picking up MISP:
+ \begin{itemize}
+ \item {\bf Financial sector}: sharing financial indicators, fraud information.
+ \item {\bf Law-enforcement}: bootstrapping DFIR cases, non-cyber-threats, border control, etc
+ \item {\bf Military} sharing highly specialised information.
+ \item {\bf Disinformation research}: Election interference, disinfo campaigns, etc.
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Objectives of MISP in more detail}
+\begin{itemize}
+ \item A tool that {\bf collects threat information} from partners, your analysts, your tools, sensors, feeds
+ \item Normalises, {\bf correlates}, {\bf enriches} the data
+ \item Manages your processes and automates tasks such as {\bf notifications}, {\bf data flow management}, {\bf triaging} and so on
+ \item Allows teams and communities to {\bf collaborate} and rapidly {\bf exchange knowledge}
+ \item {\bf Feeds} automated protective tools and analyst tools with the output
+ \item {\bf Presents} both individualised and community centric facts, trends, reports of the intelligence
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{A bit more details about the MISP software}
+\begin{itemize}
+ \item {\bf OSS}, hosted on github with a very active developer and user community behind it
+ \item Users can either:
+ \begin{itemize}
+ \item {\bf deploy their own MISPs}
+ \item {\bf Join an existing MISP instance} hosted by someone else
+ \end{itemize}
+ \item MISP instances can be {\bf interconnected}, creating networks with different topologies (mesh, hub/spoke, hybrid)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Typical interconnection scenario}
+ \begin{center}
+ \includegraphics[width=1\linewidth]{MISP_community.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is the MISP-project?}
+\begin{itemize}
+ \item Besides being a a web application, the MISP-project also contains the following:
+ \begin{itemize}
+ \item A set of {\bf open standards} (implemented by MISP and other tools)
+ \item An {\bf ecosystem} of libraries, supporting tools
+ \item A collection of guidance and best practice documentation by practitioners
+ \end{itemize}
+ \item All of these are free \& open source
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Information pipeline}
+ \begin{center}
+ \includegraphics[width=0.75\linewidth]{misp_data_flow.png}
+ \end{center}
+\end{frame}
+
+
+\section{How can this be relevant to you?}
+
+\begin{frame}
+\frametitle{Why should you care?}
+ \begin{itemize}
+ \item You're looking to improve your security posture
+ \begin{itemize}
+ \item If you have a {\bf security team / operations team} looking for threat intel
+ \item If you would like to {\bf automate} your security processes
+ \item If you are dealing with security {\bf incidents} and would like to {\bf collaborate}
+ \end{itemize}
+ \item If you're looking for ways to overcome internal challenges
+ \begin{itemize}
+ \item We've been building this by now rather complex application since 2012
+ \item Long list of {\bf libraries, techniques, ideas} that can be reused
+ \item Well established standards for information exchange
+ \item Can be adapted to completely {\bf different sharing use-cases} you may have
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Why rely on MISP, an open source platform for all of this?}
+ \begin{itemize}
+ \item Extremely mature and actively maintained
+ \item Continuously vetted
+ \begin{itemize}
+ \item Regular {\bf penetration tests} by multiple parties
+ \item Actively {\bf used across most sectors worldwide}, including military, governmental, private sector, NGOs, etc
+ \item Run by a {\bf CERT}: Open policy on {\bf vulnerability handling policy}, security is the top priority at all times
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Why rely on MISP, an open source platform for all of this?}
+ \begin{itemize}
+ \item We build our software with an {\bf open source mindset}
+ \item Make the tool fit your workflows, modify what you don't like
+ \begin{itemize}
+ \item We also make it a priority to {\bf incorporate code contributions} (after thorough analysis)
+ \item Provided are {\bf tooling, GUI based systems, plug-in systems and extensive APIs} for customisation
+ \item Guides, training materials, documentation to achieve the above
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Why rely on MISP, an open source platform for all of this?}
+ \begin{itemize}
+ \item {\bf Every cent of your TIP budget goes to what really matters}:
+ \begin{itemize}
+ \item Building {\bf competency} within your team
+ \item {\bf Infrastructure} for running MISP and other tooling
+ \end{itemize}
+ \item Interoperability
+ \begin{itemize}
+ \item {\bf Open standards}, support for a long list of other formats
+ \item Our {\bf objective isn't to lock you into a walled garden}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Why do we develop all of this?}
+\begin{itemize}
+ \item {\bf Main goal}: Make our own lives and the lives of our constituency easier
+ \begin{itemize}
+ \item Our central tool for ingesting, storing and disseminating information...
+ \item ...as well as to interact with organisations
+ \item By solving issues of other communities, we already have them prepared for information sharing with us when needed
+ \end{itemize}
+ \item {\bf Secondary}: Democratise threat intelligence for all
+ \item {\bf Stretch goal}: Build a full open-source tool-chain for CSIRTs / SoCs / etc
+\end{itemize}
+\end{frame}
+
+\section{To wrap it up...}
+
+\begin{frame}
+\frametitle{How to get involved?}
+\begin{itemize}
+ \item Simply {\bf use the tool} and give us feedback of what works or doesn't work for you
+ \item Get active in the {\bf MISP OSS community}
+ \item Join one, or {\bf start your own sharing community}!
+ \item Join the {\bf private sector MISP community hosted by CIRCL} to exchange threat intel with a massive community
+ \item Join us at \url{https://hack.lu}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact me:
+ \begin{itemize}
+ \item andras.iklody@circl.lu \url{https://twitter.com/iglocska} \url{https://infosec.exchange/@iglocska}
+ \end{itemize}
+ \item Contact us:
+ \begin{itemize}
+ \item info@circl.lu \url{https://twitter.com/circl_lu} \url{https://www.circl.lu/}
+ \item \url{https://github.com/MISP} \url{https://www.misp-project.org/}
+ \item \url{https://twitter.com/MISPProject} \url{https://misp-community.org/@misp}
+ \item \url{https://github.com/cerebrate-project} \url{https://www.cerebrate-project.org/}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
diff --git a/20241010-libreoffice/creativity.png b/20241010-libreoffice/creativity.png
new file mode 100644
index 0000000..d9878e2
Binary files /dev/null and b/20241010-libreoffice/creativity.png differ
diff --git a/20241010-libreoffice/dashboard-new.png b/20241010-libreoffice/dashboard-new.png
new file mode 100644
index 0000000..24cb024
Binary files /dev/null and b/20241010-libreoffice/dashboard-new.png differ
diff --git a/20241010-libreoffice/dashboard-trendings.png b/20241010-libreoffice/dashboard-trendings.png
new file mode 100644
index 0000000..e8937e4
Binary files /dev/null and b/20241010-libreoffice/dashboard-trendings.png differ
diff --git a/20241010-libreoffice/decaying-basescore.png b/20241010-libreoffice/decaying-basescore.png
new file mode 100644
index 0000000..d21e261
Binary files /dev/null and b/20241010-libreoffice/decaying-basescore.png differ
diff --git a/20241010-libreoffice/decaying-event.png b/20241010-libreoffice/decaying-event.png
new file mode 100644
index 0000000..553b9e7
Binary files /dev/null and b/20241010-libreoffice/decaying-event.png differ
diff --git a/20241010-libreoffice/decaying-index.png b/20241010-libreoffice/decaying-index.png
new file mode 100644
index 0000000..c8c9754
Binary files /dev/null and b/20241010-libreoffice/decaying-index.png differ
diff --git a/20241010-libreoffice/decaying-simulation.png b/20241010-libreoffice/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/20241010-libreoffice/decaying-simulation.png differ
diff --git a/20241010-libreoffice/decaying-tool.png b/20241010-libreoffice/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/20241010-libreoffice/decaying-tool.png differ
diff --git a/20241010-libreoffice/en_cef.png b/20241010-libreoffice/en_cef.png
new file mode 100644
index 0000000..5fed070
Binary files /dev/null and b/20241010-libreoffice/en_cef.png differ
diff --git a/20241010-libreoffice/galaxy-ransomware.png b/20241010-libreoffice/galaxy-ransomware.png
new file mode 100644
index 0000000..5cf42cc
Binary files /dev/null and b/20241010-libreoffice/galaxy-ransomware.png differ
diff --git a/20241010-libreoffice/governance.png b/20241010-libreoffice/governance.png
new file mode 100644
index 0000000..389d250
Binary files /dev/null and b/20241010-libreoffice/governance.png differ
diff --git a/20241010-libreoffice/misp-distributed.pdf b/20241010-libreoffice/misp-distributed.pdf
new file mode 100644
index 0000000..9bacba7
Binary files /dev/null and b/20241010-libreoffice/misp-distributed.pdf differ
diff --git a/20241010-libreoffice/misp-overview-simplified.pdf b/20241010-libreoffice/misp-overview-simplified.pdf
new file mode 100644
index 0000000..021b252
Binary files /dev/null and b/20241010-libreoffice/misp-overview-simplified.pdf differ
diff --git a/20241010-libreoffice/misp-overview.pdf b/20241010-libreoffice/misp-overview.pdf
new file mode 100644
index 0000000..b1d92c8
Binary files /dev/null and b/20241010-libreoffice/misp-overview.pdf differ
diff --git a/20241010-libreoffice/misp.pdf b/20241010-libreoffice/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20241010-libreoffice/misp.pdf differ
diff --git a/20241010-libreoffice/misp_data_flow.png b/20241010-libreoffice/misp_data_flow.png
new file mode 100644
index 0000000..88a3ff0
Binary files /dev/null and b/20241010-libreoffice/misp_data_flow.png differ
diff --git a/20241010-libreoffice/misplogo.pdf b/20241010-libreoffice/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/20241010-libreoffice/misplogo.pdf differ
diff --git a/20241010-libreoffice/notes.txt b/20241010-libreoffice/notes.txt
new file mode 100644
index 0000000..6dad91d
--- /dev/null
+++ b/20241010-libreoffice/notes.txt
@@ -0,0 +1,50 @@
+What is MISP?
+
+# SUBSECTION 1: intro
+
+## what is MISP?
+- tisp
+- oss
+- ecosystem of tools and libraries
+- a set of formats
+
+## Who are we and why does CIRCL develop it?
+- national CSIRT
+- central tool for our activities
+ - information dissemination
+ - incident handling
+ - collaboration
+ - data fusion
+
+## How does a TISP such as MISP do?
+- graph showing the main functionalities
+
+
+# SUBSECTION 2: ingestion
+
+## Manual data creation
+
+## Synchronisation from other communities
+
+## Feed ingestion
+
+## Ingestion from tools / sensors
+
+
+# SUBSECTION 3: managing data and collaboration
+
+##
+
+
+# SUBSECTION 4: Dissemination
+
+## Synchronisation
+## Feed generation
+## Automation
+## dashboarding
+## Reporting
+
+
+
+
+#
diff --git a/20241010-libreoffice/object.png b/20241010-libreoffice/object.png
new file mode 100644
index 0000000..acebf04
Binary files /dev/null and b/20241010-libreoffice/object.png differ
diff --git a/20241010-libreoffice/pipeline_chart.md b/20241010-libreoffice/pipeline_chart.md
new file mode 100644
index 0000000..bacb0f5
--- /dev/null
+++ b/20241010-libreoffice/pipeline_chart.md
@@ -0,0 +1,31 @@
+```mermaid
+flowchart
+ A[Analysts] --> MI[(MISP ingestion)]
+ S[Sensors] --> MI
+ OM[Other Communities] --> MI
+ F[Feeds] --> MI
+ IT[Internal tools] --> MI
+ MI --> IF[Input filters]
+ IF --> MP[(MISP processing)]
+ MP <--> E[Enrichment]
+ MP <--> Col[Collaboration]
+ MP --> MD[(MISP dissemination)]
+ MP <--> C[Correlation]
+ MP <--> Wo[Workflows]
+ MD --> W[Warninglists]
+ W --> APIs
+ W --> Ex[Export tools]
+ MD --> SF[Sync filtering]
+ SF --> MG[MISP Guard]
+ MG --> OM2[Other Communities]
+ MD ---> Analyst[Analyst tools]
+ MD --> UF[User filters]
+ UF --> Dashboard
+ UF --> Reporting
+
+
+
+ style MI fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff
+ style MP fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff
+ style MD fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff
+```
diff --git a/20241010-libreoffice/screenshots/Sightings1.PNG b/20241010-libreoffice/screenshots/Sightings1.PNG
new file mode 100644
index 0000000..5546cf3
Binary files /dev/null and b/20241010-libreoffice/screenshots/Sightings1.PNG differ
diff --git a/20241010-libreoffice/screenshots/Sightings2.PNG b/20241010-libreoffice/screenshots/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/20241010-libreoffice/screenshots/Sightings2.PNG differ
diff --git a/20241010-libreoffice/screenshots/attack-screenshot.png b/20241010-libreoffice/screenshots/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20241010-libreoffice/screenshots/attack-screenshot.png differ
diff --git a/20241010-libreoffice/screenshots/bankaccount.png b/20241010-libreoffice/screenshots/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/20241010-libreoffice/screenshots/bankaccount.png differ
diff --git a/20241010-libreoffice/screenshots/bankview.png b/20241010-libreoffice/screenshots/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/20241010-libreoffice/screenshots/bankview.png differ
diff --git a/20241010-libreoffice/screenshots/bhadra-matrix.png b/20241010-libreoffice/screenshots/bhadra-matrix.png
new file mode 100644
index 0000000..74cfc4e
Binary files /dev/null and b/20241010-libreoffice/screenshots/bhadra-matrix.png differ
diff --git a/20241010-libreoffice/screenshots/campaign.png b/20241010-libreoffice/screenshots/campaign.png
new file mode 100644
index 0000000..df5b653
Binary files /dev/null and b/20241010-libreoffice/screenshots/campaign.png differ
diff --git a/20241010-libreoffice/screenshots/enrichment1.PNG b/20241010-libreoffice/screenshots/enrichment1.PNG
new file mode 100644
index 0000000..4e7df5d
Binary files /dev/null and b/20241010-libreoffice/screenshots/enrichment1.PNG differ
diff --git a/20241010-libreoffice/screenshots/enrichment2.PNG b/20241010-libreoffice/screenshots/enrichment2.PNG
new file mode 100644
index 0000000..5d1c4c4
Binary files /dev/null and b/20241010-libreoffice/screenshots/enrichment2.PNG differ
diff --git a/20241010-libreoffice/screenshots/enrichment3.PNG b/20241010-libreoffice/screenshots/enrichment3.PNG
new file mode 100644
index 0000000..e785f2c
Binary files /dev/null and b/20241010-libreoffice/screenshots/enrichment3.PNG differ
diff --git a/20241010-libreoffice/screenshots/enrichment4.PNG b/20241010-libreoffice/screenshots/enrichment4.PNG
new file mode 100644
index 0000000..5f01cd9
Binary files /dev/null and b/20241010-libreoffice/screenshots/enrichment4.PNG differ
diff --git a/20241010-libreoffice/screenshots/false-positive.png b/20241010-libreoffice/screenshots/false-positive.png
new file mode 100644
index 0000000..7dd3dea
Binary files /dev/null and b/20241010-libreoffice/screenshots/false-positive.png differ
diff --git a/20241010-libreoffice/screenshots/freetext1.PNG b/20241010-libreoffice/screenshots/freetext1.PNG
new file mode 100644
index 0000000..cb17c4c
Binary files /dev/null and b/20241010-libreoffice/screenshots/freetext1.PNG differ
diff --git a/20241010-libreoffice/screenshots/freetxt2.PNG b/20241010-libreoffice/screenshots/freetxt2.PNG
new file mode 100644
index 0000000..4bfb092
Binary files /dev/null and b/20241010-libreoffice/screenshots/freetxt2.PNG differ
diff --git a/20241010-libreoffice/screenshots/freetxt3.PNG b/20241010-libreoffice/screenshots/freetxt3.PNG
new file mode 100644
index 0000000..6d348ee
Binary files /dev/null and b/20241010-libreoffice/screenshots/freetxt3.PNG differ
diff --git a/20241010-libreoffice/screenshots/normaltag.png b/20241010-libreoffice/screenshots/normaltag.png
new file mode 100644
index 0000000..781182c
Binary files /dev/null and b/20241010-libreoffice/screenshots/normaltag.png differ
diff --git a/20241010-libreoffice/screenshots/sg-example.png b/20241010-libreoffice/screenshots/sg-example.png
new file mode 100644
index 0000000..ade1252
Binary files /dev/null and b/20241010-libreoffice/screenshots/sg-example.png differ
diff --git a/20241010-libreoffice/screenshots/sighting-n.png b/20241010-libreoffice/screenshots/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/20241010-libreoffice/screenshots/sighting-n.png differ
diff --git a/20241010-libreoffice/sighting-n.png b/20241010-libreoffice/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/20241010-libreoffice/sighting-n.png differ
diff --git a/20241010-libreoffice/sigint.png b/20241010-libreoffice/sigint.png
new file mode 100644
index 0000000..560f5ed
Binary files /dev/null and b/20241010-libreoffice/sigint.png differ
diff --git a/20241010-libreoffice/slide.tex b/20241010-libreoffice/slide.tex
new file mode 100644
index 0000000..e065d61
--- /dev/null
+++ b/20241010-libreoffice/slide.tex
@@ -0,0 +1,23 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+
+\title{Threat Information sharing for the masses - MISP}
+\author{\small{\input{../includes/authors.txt}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20241010-libreoffice/tags-2-4-70.png b/20241010-libreoffice/tags-2-4-70.png
new file mode 100644
index 0000000..e1c6fbd
Binary files /dev/null and b/20241010-libreoffice/tags-2-4-70.png differ
diff --git a/20241010-libreoffice/taxonomy-workflow.png b/20241010-libreoffice/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/20241010-libreoffice/taxonomy-workflow.png differ
diff --git a/20241010-libreoffice/timeline-misp-overview.png b/20241010-libreoffice/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20241010-libreoffice/timeline-misp-overview.png differ
diff --git a/20241010-libreoffice/warning-list-event.png b/20241010-libreoffice/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/20241010-libreoffice/warning-list-event.png differ
diff --git a/20241010-libreoffice/warning-list.png b/20241010-libreoffice/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/20241010-libreoffice/warning-list.png differ
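Review bot: `\include{content}` in the document body is the wrong mechanism for pulling in content.tex, whose own header comment says it is meant to be included by the wrapper files: `\include` forces a `\clearpage`, writes a separate .aux file and cannot be nested, whereas `\input` splices the frames in place. Change `\include{content}` to `\input{content}`. On the `\author` line, `\small` is a font switch rather than a macro taking an argument, so `\small{\input{...}}` applies the size change to everything that follows in the title block instead of only the authors; the intended grouping is `{\small \input{../includes/authors.txt}}`. The `\url` in `\institute` compiles only because beamer loads hyperref itself; that is fine here but worth a comment if the preamble is reused with another class.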
diff --git a/20241010-libreoffice/workflow_initial.png b/20241010-libreoffice/workflow_initial.png
new file mode 100644
index 0000000..7c6b54c
Binary files /dev/null and b/20241010-libreoffice/workflow_initial.png differ
diff --git a/20241010-libreoffice/workflow_initial2.png b/20241010-libreoffice/workflow_initial2.png
new file mode 100644
index 0000000..d384c34
Binary files /dev/null and b/20241010-libreoffice/workflow_initial2.png differ
diff --git a/20241010-libreoffice/x-isac-logo.png b/20241010-libreoffice/x-isac-logo.png
new file mode 100755
index 0000000..21c68bc
Binary files /dev/null and b/20241010-libreoffice/x-isac-logo.png differ