added missing presentations

20200623-NATO-MUG-update/content.tex

@@ -0,0 +1,198 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+  \frametitle{The aim of this presentation}
+  \begin{itemize}
+     \item A small update of what has happened around MISP's development over the past few months
+     \item Our initial scope
+     \item Why is {\bf contextualisation} important?
+     \item What options do we have in MISP?
+     \item How can we {\bf leverage} this in the end?
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{MISP's evolution since the last MUG}
+  \begin{itemize}
+    \item Since the last MUG (05/12/2019) we've had:
+    \begin{itemize}
+        \item 8 releases
+        \item 2196 commits
+        \item 85 contributors contributing to the core software and its components
+    \end{itemize}
+    \item COVID-19 didn't negatively impact the progress made all that much
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{So what were the main changes?}
+  \begin{itemize}
+     \item Loads of bug fixes
+     \item A host of improvements to how MISP functions
+     \item Security fixes, including several CVEs (keep your MISP up to date!)
+     \item Generally loads of internal improvements (in large part thanks to Jakub Onderka)
+     \item Massively expanding context libraries
+     \item Several major features (let's talk about these)
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Timelining in MISP}
+\begin{itemize}
+	\item The goal was to capture activity timelines
+        \item All attributes and objects can have first-seen/last-seen data       
+\end{itemize}
+\includegraphics[scale=0.25]{images/timeline.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Timelining in MISP}
+\begin{itemize}
+	\item Why is this interesting?
+        \item {\bf IoC lifecycle management} is one of the biggest challenges we face
+        \item Timeline information allows us to better {\bf express a story}, rather than {\bf share dumps of IoCs}
+        \item {\bf Time-based correlation} of certain actions helps us understand an incident
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Dashboarding}
+\begin{itemize}
+	\item Outcome of our personal initiatives to track the COVID-19 spread
+        \item New built-in {\bf dashboarding system} directly available in MISP
+        \item Dashboard widgets are modular and {\bf easy to build}
+        \item Create widgets that are {\bf ACL aware}
+        \item The COVID-19 MISP community turned out to be a massive success
+        \item COVID-19 use-cases are just an example though (admin widgets, trend widgets, etc)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Dashboarding}
+\includegraphics[scale=0.25]{images/dashboard.png}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Decaying indicators v2}
+\begin{itemize}
+	\item {\bf User settings} are now taken into account when crafting queries
+        \item {\bf Tool specific} user accounts can be pre-configured with decaying settings
+        \item {\bf Taxonomy} numerical values can be re-mapped to fit internal needs
+        \item {\bf Sightings} factor into the decay scores
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Massive rewrite of PyMISP}
+\begin{itemize}
+	\item Python 3.6+ is a minimum since the modern PyMISP rework
+        \item Use of {\bf objects} with a {\bf long list of helpers} allows for easy creation/modification of MISP data
+        \item PyMISP's {\bf CI testing} suite has grown massively, allowing us to catch more and more issues as we commit changes
+        \item Automated testing {\bf including synchronising} several MISP instances
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Community management improvements}
+\begin{itemize}
+	\item {\bf User configurations} allow users to manage different aspects of how they use MISP (for example {\bf alerting rules})
+        \item {\bf Community listings} directly in MISP help new users find the right points of contact (perhaps something for NATO to consider?)
+        \item {\bf E-mail based OTP} - Implemented by NCIA's very own Loïc Fortemps
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Integrations}
+\begin{itemize}
+	\item Long list of {\bf integrations}, both via our export system and module systems and by other tools integrating with MISP
+        \item Continuous iterations of our connectors using other formats (a massive STIX 2 rework has just dropped)
+        \item Integrations with analysis tools, such as with Maltego (thanks to Christophe Vandeplas)
+        \item Tighter integration with other OSS frameworks we develop in-house (AIL, D4)
+        \item Mapping of libraries to taxonomies/galaxies/object templates
+        \item ATT\&CK like matrices from other domains (disinformation via AMITT, various sectorial groups)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{So that's where we are now}
+\begin{itemize}
+	\item Let's have a brief look at what is on our immediate and long-term roadmaps
+        \item For the long-term ones, priorities shift rapidly
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{MISP galaxy 2.0}
+\begin{itemize}
+	\item MISP galaxies will be fully managed via MISP directly
+        \item Create, modify, {\bf share your custom galaxies} with the usual sync / ACL mechanisms
+        \item Fork and {\bf provide your own perspective} to already existing knowledge-base items
+        \item Build {\bf relationships between galaxy clusters} (Threat actor A uses Tool B and targets Sector C)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Reports}
+\begin{itemize}
+	\item Create {\bf markdown reports} and share them along with your events
+        \item Structured information is great for automation, but sometimes plain prose helps telling a story
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Community management at scale}
+\begin{itemize}
+	\item Cerebrate is a new OSS frameworks that we're building
+        \item Manage organisation, sharing group, encryption key data for communities
+        \item Instrument MISP instances and the interconnectivity between them via Cerebrate
+        \item Introduce information signing by validating signatures / ownership via trusted Cerebrate nodes
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Rework of the MISP internals}
+\begin{itemize}
+	\item We are planning on moving MISP to a {\bf more modern stack} (cake4/bs4)
+        \item Cerebrate also acts as a {\bf test-bed} for this move and relies on MISP internals that have already been ported
+        \item We have been silently {\bf reworking a lot of the internals} of MISP to make the migration possible (UI generator systems for example)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{To sum it all up...}
+  \begin{itemize}
+     \item Many interesting things are happening
+     \item We are following {\bf several routes} of development (internal improvements, contextualisation, integrations, operational improvements, community building)
+     \item We have more ideas than can be implemented with days only having 24 hours, there are {\bf many ways to get involved}
+     \item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Get in touch if you have any questions}
+  \begin{itemize}
+    \item Contact CIRCL
+    \begin{itemize}
+      \item info@circl.lu
+      \item \url{https://twitter.com/circl_lu}
+      \item \url{https://www.circl.lu/}
+    \end{itemize}
+    \item Contact MISPProject 
+    \begin{itemize}
+      \item \url{https://github.com/MISP}
+      \item \url{https://gitter.im/MISP/MISP}
+      \item \url{https://twitter.com/MISPProject}
+    \end{itemize}
+    \item Join the COVID-19 MISP community
+    \begin{itemize}
+      \item \url{https://covid-19.iglocska.eu}
+    \end{itemize}
+  \end{itemize}
+\end{frame}

20200623-NATO-MUG-update/makefile

@@ -0,0 +1,5 @@
+all:
+	pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+	rm *.aux *.nav *.log *.snm *.toc *.vrb

20200623-NATO-MUG-update/slide.tex

@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP status update}
+\subtitle{Improvements since the last MUG and the future roadmap}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+

20200923-BNLSec/content.tex

@@ -0,0 +1,377 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+  \frametitle{MISP and CIRCL}
+  \begin{center}
+    \includegraphics[scale=0.45]{pics/circl.png}
+    \hspace{2.5em}
+    \includegraphics[scale=0.35]{pics/misp.pdf}
+  \end{center}
+  \begin{itemize}
+    \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}. 
+    \item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing}
+    \item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{The aim of this presentation}
+  \begin{itemize}
+     \item Brief introduction to MISP
+     \item Why is {\bf contextualisation} important?
+     \item What options do we have in MISP?
+     \item How can we {\bf leverage} this in the end?
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is MISP?}
+\begin{itemize}
+       \item MISP is a {\bf threat information sharing} platform that is free \& open source software
+       \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
+       \item Normalises, {\bf correlates}, {\bf enriches} the data
+       \item Allows teams and communities to {\bf collaborate}
+       \item {\bf Feeds} automated protective tools and analyst tools with the output
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP Features Highlights}
+    \begin{itemize}
+        \item Functionalities to assist users in {\bf creating, collaborating and sharing}
+        \begin{itemize}
+            \item A wide range of imports
+            \item Rest API
+            \item Automatic correlation
+            \item Proposals
+            \item Granular distribution levels and sharing groups
+            \item Advanced synchronisation mechanisms
+        \end{itemize}
+        \item A host of export formats
+        \begin{itemize}
+            \item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
+            \item {\bf SIEMs}: \texttt{CEF, STIX} 
+            \item {\bf Host scanners}:  \texttt{OpenIOC, STIX, CSV, Yara}
+            \item {\bf Analysis tools}: \texttt{Maltego}
+            \item {\bf DNS policies}: \texttt{RPZ}
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Sharing Difficulties}
+\begin{itemize}
+    \item Not really a technical issue, but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
+    \item Legal restriction\footnote{\url{https://www.misp-project.org/compliance/}}
+    \begin{itemize}
+        \item \textit{Our legal framework doesn't allow us to share information}
+        \item \textit{Risk of information-leak is too high and it's too risky for our organization or partners.}
+    \end{itemize}
+    \item Practical restriction
+    \begin{itemize}
+        \item \textit{We don't have information to share.}
+        \item \textit{We don't have time to process or contribute indicators.}
+        \item \textit{Our model of classification doesn't fit your model.}
+        \item \textit{Tools for sharing information are tied to a specific format, we use a different one.}
+    \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{The growing need to contextualise data}
+\begin{itemize}
+    \item Contextualisation became more and more important as communities matured
+    \begin{itemize}
+        \item Support {\bf Diversification} of communities
+        \item {\bf Distinguish} between information of interest and raw data
+        \item {\bf False-positive} management, data {\bf quality} and {\bf relevance}
+    \end{itemize}
+    \item Classification practices need to be shared among the communities to support efficient collaboration
+\end{itemize}
+\end{frame}
+
+\section{contextualising data points}
+
+\begin{frame}
+\frametitle{Base level of contextualisation}
+{\centering Differentiation between {\bf indicators} and {\bf supporting data}}
+\begin{itemize}
+       \item An IP address by itself is barely ever interesting
+       \item Relevance of the data must be explicit
+       \item Bare minimum context required
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{More contextualisation}
+\begin{itemize}
+    \item {\bf Who} can receive our data? {\bf What} can they do with it?
+    \item {\bf Data accuracy, source reliability}
+    \item {\bf Why} is this data relevant to us?
+\end{itemize}
+\vspace{1em}
+But we can go further,
+
+\pause
+\begin{itemize}
+    \item {\bf Who} is behind it? What are their {\bf Motivations}? Who are the {\bf targets}
+    \item {\bf What tools} were used? What {\bf impacts} are we dealing with?
+    \item How can we {\bf block/detect/remediate} the attack?
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Tagging and taxonomies}
+\begin{itemize}
+       \item Simple labels
+       \item {\bf Standardising} on vocabularies
+       \item Different community cultures require different nomenclatures
+       \item Libraries that can easily be extended
+\end{itemize}
+\vspace{1em}
+\includegraphics[width=1.0\linewidth]{pics/taxonomy-workflow.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Tagging and taxonomies - The missing part}
+\begin{itemize}
+    \item Taxonomy tags are often {\bf self-explanatory}
+    \begin{itemize}
+        \item \texttt{tlp:green}
+        \item \texttt{workflow:state="complete"}
+        \item \texttt{priority-level:high}
+    \end{itemize}
+\end{itemize}
+\vspace{1em}
+
+\begin{itemize}
+    \item For more complex classification this is ill-suited
+    \begin{itemize}
+        \item \texttt{APT 28}
+        \item \texttt{Locky}
+        \item \texttt{Mirai}
+        \item \texttt{Mitre's Att\&ck patterns} and co
+    \end{itemize}
+    \item Support of synonyms, metadata, preventive measures, ... 
+\end{itemize}
+
+\begin{center}
+    $\rightarrow$ Something more complex is needed
+\end{center}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Enriched tags - MISP Galaxies}
+    \begin{itemize}
+        \item Community driven \textbf{knowledge-base libraries}
+        \item Including {\it descriptions}, {\it links}, {\it synonyms} and other {\it meta} information 
+        \item Can be used as {\bf pivot} when performing searches
+    \end{itemize}
+    \begin{center}
+        \includegraphics[scale=0.34]{pics/galaxy}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP Galaxies benefits}
+    \begin{itemize}
+        \item Standardising on high-level {\bf TTPs} solved a variety of issues
+        \item Tools producing {\bf ATT\&CK} data and {\bf kill-chain} phases in general
+        \item Integrates into our {\bf filtering} and {\bf situational awareness} needs extremely well
+        \item Gave rise to other, ATT\&CK-like systems tackling other concerns
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{More complex data-structures for a modern age}
+    \begin{itemize}
+        \item Atomic data points are often useful, but can be lacking in many aspects
+        \item {\bf MISP Objects}\footnote{\url{https://github.com/MISP/misp-objects}} system
+        \begin{itemize}
+            \item Simple: {\bf templating} approach to build more complex structures
+            \item Flexible: allows users to {\bf define their own}
+            \item {\bf Relational}: interlink data-points to tell a story
+            \item Examples: \texttt{Domain-IP}, \texttt{File}, \texttt{VT-Report}, \texttt{Person}
+        \end{itemize}
+    \end{itemize}
+    \begin{center}
+        \includegraphics[scale=0.25]{pics/domain-ip}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Graphs are worth a thousands words}
+    \begin{itemize}
+        \item Relationships allow to easily describe process or event
+        \begin{itemize}
+            \item \texttt{Word file} drops an \texttt{Hancitor} malware, that will download a \texttt{Zeus-Panda} Banker that will later connect to \texttt{IP}
+        \end{itemize}
+    \end{itemize}
+    \vspace{1em}
+    \includegraphics[width=1.0\linewidth]{pics/eventgraph}
+\end{frame}
+
+
+\begin{frame}
+    \frametitle{False Positive Handling}
+    \begin{itemize}
+        \item Low quality data and false positives lead to {\bf alert fatigue}
+        \item False positives are often obvious, thus can be encoded
+        \begin{itemize}
+            \item {\bf Warninglists} of well-known indicators which are obvious false positives
+            \item RFC1918 networks, empty hashes, ...
+        \end{itemize}
+    \end{itemize}
+    \vspace{1em}
+    \begin{center}
+        \includegraphics[width=0.49\linewidth]{pics/warning-list.png}
+        \includegraphics[width=0.49\linewidth]{pics/warning-list-event.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Continuous feedback loop}
+    \begin{itemize}
+        \item {\bf Vital component} for IoC lifecycle management
+        \item Involves the output of detection tools to prioritise IoCs
+        \item {\bf Sighting system}
+        \begin{itemize}
+            \item Community can sight indicators and convey the time of sighting or detection
+            \item Can be used as a {\bf continuous reporting} stream between detection tools and MISP
+        \end{itemize}
+    \end{itemize}
+    
+    \begin{center}
+        \begin{tikzpicture}[shorten >=2pt,node distance=13em,semithick, auto]
+            \node[state] (MISP) {\includegraphics[scale=0.12]{pics/misp.pdf}};
+            \node[state] (IDS) [right=of MISP]  {Tool};
+            \path[->] 
+                (MISP) edge [bend left=20] node {Push relevant IoCS} (IDS)
+                (IDS) edge [bend left=20] node {Report Sightings} (MISP);
+        \end{tikzpicture}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Adding temporality}
+    \begin{itemize}
+        \item {\bf First seen} and {\bf Last seen} on data points
+        \item Enables {\bf visualisation} and improves IoC lifecycle 
+    \end{itemize}
+    \begin{center}
+        \includegraphics[width=1.0\linewidth]{pics/timeline-misp-overview.png}
+    \end{center}
+\end{frame}
+
+\section{Leveraging classifications}
+
+\begin{frame}
+  \frametitle{Making use of all this context}
+  \begin{itemize}
+    \item Providing advanced ways of querying data
+    \begin{itemize}
+      \item Unified {\bf export APIs}
+      \begin{itemize}
+        \item \texttt{Suricata}, \texttt{Snort}, \texttt{STIX}, \texttt{Yara}, \texttt{Maltego}, ...
+      \end{itemize}
+      \item Incorporating all contextualisation options into {\bf API filters}
+      \item {\bf On-demand} filters for {\bf excluding} potential false positives and expired data
+      \item Rich set of modules to add {\bf expansions}, {\bf imports} and {\bf exports}
+    \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+    \frametitle{Example query}
+    \begin{lstlisting}
+/attributes/restSearch
+{
+    "returnFormat": "netfilter",
+    "enforceWarninglist": true,
+    "excludeDecayed": true,
+    "tags": {
+        "NOT": [
+            "tlp:white",
+            "type:OSINT"
+        ],
+        "OR": [
+            "misp-galaxy:threat-actor=\"Sofacy\"",
+            "misp-galaxy:sector=\"Chemical\"",
+        ]
+    },
+    "galaxy.cfr-suspected-victims": ["China", "Japan"],
+}\end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+    \frametitle{Example query to generate ATT\&CK heatmaps}
+    \texttt{/events/restSearch}
+    \begin{lstlisting}
+{
+    "returnFormat": "attack",
+    "tags": [
+        "misp-galaxy:sector=\"Chemical\""
+    ],
+    "timestamp": "365d"
+}
+    \end{lstlisting}
+\end{frame}
+
+\begin{frame}
+  \frametitle{A sample result for the above query}
+  \begin{center}
+    \includegraphics[scale=0.2]{pics/attack-screenshot.png}
+  \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Indicator lifecycle management}
+    \begin{itemize}
+        \item Built-in tool to {\bf filter out} IoCs marked as {\bf expired} by default and user-defined models
+        \item Overwhelmingly relies on proper classifications
+    \end{itemize}
+    \hspace{-1.5em}
+    \includegraphics[width=1.1\linewidth]{pics/decaying-simulation}
+\end{frame}
+
+\begin{frame}
+  \frametitle{To sum it all up...}
+  \begin{itemize}
+     \item Massive rise in {\bf user capabilities}
+     \item Growing need for truly {\bf actionable threat intel}
+     \item Lessons learned:
+     \begin{itemize}
+	\item {\bf Context is king} - Enables better decision making
+        \item {\bf Intelligence and situational awareness} are natural by-products of context
+     \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Get in touch if you have any questions}
+  \begin{itemize}
+    \item Contact us
+    \begin{itemize}
+      \item \url{https://twitter.com/mokaddem_sami}
+      \item \url{https://twitter.com/iglocska}
+    \end{itemize}
+    \item Contact CIRCL
+    \begin{itemize}
+      \item info@circl.lu
+      \item \url{https://twitter.com/circl_lu}
+      \item \url{https://www.circl.lu/}
+    \end{itemize}
+    \item Contact MISPProject 
+    \begin{itemize}
+      \item \url{https://github.com/MISP}
+      \item \url{https://gitter.im/MISP/MISP}
+      \item \url{https://twitter.com/MISPProject}
+    \end{itemize}
+  \end{itemize}
+\end{frame}

20200923-BNLSec/makefile

@@ -0,0 +1,5 @@
+all:
+	pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+	rm *.aux *.nav *.log *.snm *.toc *.vrb

20200923-BNLSec/slide.tex

@@ -0,0 +1,55 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+\definecolor{mybeige}{HTML}{eeeeee}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{myblack}{rgb}{0,0,0}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+\usepackage{listings}
+\usepackage{adjustbox}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{Team MISP Project}}
+\title{MISP - Sharing is Caring}
+\date{Benelux Cyber Summit 2020}
+\subtitle{Powering up information sharing}
+\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
+
+\lstdefinestyle{code}{ %
+  backgroundcolor=\color{mybeige},   % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+  basicstyle=\footnotesize\ttfamily,        % the size of the fonts that are used for the code
+  breakatwhitespace=false,         % sets if automatic breaks should only happen at whitespace
+  breaklines=true,                 % sets automatic line breaking
+  captionpos=b,                    % sets the caption-position to bottom
+  commentstyle=\color{mygreen},    % comment style
+  deletekeywords={...},            % if you want to delete keywords from the given language
+  escapeinside={\%*}{*)},          % if you want to add LaTeX within your code
+  extendedchars=true,              % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+  frame=single,	                   % adds a frame around the code
+  keepspaces=true,                 % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+  keywordstyle=\color{blue},       % keyword style
+  language=Python,                 % the language of the code
+  morekeywords={*,...},           % if you want to add more keywords to the set
+  numbers=left,                    % where to put the line-numbers; possible values are (none, left, right)
+  numbersep=5pt,                   % how far the line-numbers are from the code
+  numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+  rulecolor=\color{black},         % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+  showspaces=false,                % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+  showstringspaces=false,          % underline spaces within strings only
+  showtabs=false,                  % show tabs within strings adding particular underscores
+  stepnumber=1,                    % the step between two line-numbers. If it's 1, each line will be numbered
+  stringstyle=\color{mymauve},     % string literal style
+  tabsize=2,	                   % sets default tabsize to 2 spaces
+  title=\lstname                   % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+\begin{document}
+\include{content}
+\end{document}
+

20200924-TW/content.tex

@@ -0,0 +1,128 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+  \frametitle{The aim of this presentation}
+  \begin{itemize}
+     \item Who are we (CIRCL)?
+     \item Brief introduction to MISP
+     \item What sort of communities are using MISP?
+     \item How to get started
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{MISP and CIRCL}
+  \begin{center}
+    \includegraphics[scale=0.45]{pics/circl.png}
+    \hspace{2.5em}
+    \includegraphics[scale=0.35]{pics/misp.pdf}
+  \end{center}
+  \begin{itemize}
+    \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}. 
+    \item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing}
+    \item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is MISP?}
+\begin{itemize}
+       \item MISP is a {\bf threat information sharing} platform that is free \& open source software
+       \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
+       \item Normalises, {\bf correlates}, {\bf enriches} the data
+       \item Allows teams and communities to {\bf collaborate}
+       \item {\bf Feeds} automated protective tools and analyst tools with the output
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What are some key objectives of communities?}
+\begin{itemize}
+       \item To build "herd immunity" by sharing {\bf community relevant} threat information
+       \item By allowing to share data both for {\bf automation} and to {\bf tell a story}
+       \item {\bf Standardise} on how we {\bf express} and {\bf contextualise} threat information
+       \item {\bf Monitor trends} about attacks against your community
+       \item Rely on the shared data to {\bf bootstrap your investigations}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP Features Highlights}
+    \begin{itemize}
+        \item Functionalities to assist users in {\bf creating, collaborating and sharing}
+        \begin{itemize}
+            \item A wide range of imports
+            \item Rest API
+            \item Automatic correlation
+            \item Proposals
+            \item Granular distribution levels and sharing groups
+            \item Advanced synchronisation mechanisms
+        \end{itemize}
+        \item A host of export formats
+        \begin{itemize}
+            \item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
+            \item {\bf SIEMs}: \texttt{CEF, STIX} 
+            \item {\bf Host scanners}:  \texttt{OpenIOC, STIX, CSV, Yara}
+            \item {\bf Analysis tools}: \texttt{Maltego}
+            \item {\bf DNS policies}: \texttt{RPZ}
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What sort of MISP communities are there?}
+\begin{itemize}
+       \item {\bf Generalist} cyber securitity communities (CIRCL's Private sector community, FIRST, etc)
+       \item {\bf Sectorial} communities (Financial, ISPs, GSMs, Law enforcement, Military, etc)
+       \item {\bf Geographic communities} such as national, regional (Nordic, South American, etc)
+       \item Communities centered around {\bf international organisations} (EU, NATO, etc)
+       \item {\bf Topical} communities (disinformation, RATs, COVID-19, climate)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{An example community in numbers: The CIRCL Private sector community}
+\begin{itemize}
+       \item {\bf Users}: 3.4k
+       \item {\bf Organisations}: 1.6k
+       \item {\bf Organisations having shared events}: 441
+       \item {\bf Events}: ~77k
+       \item {\bf Data points}: 12M
+       \item {\bf Correlations}: 9M
+       \item {\bf Proposals}: 78k
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Getting started}
+\begin{itemize}
+       \item Simplest: {\bf join an existing community} hosted by a trusted peer, use their instance
+       \item {\bf Run your own} instance (simply install the OSS) and {\bf connect to} established communities
+       \item {\bf Start your own} community with your own guidelines
+       \item None of the above are exclusive
+       \item {\bf Organic growth} from one to the other is expected
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Get in touch if you have any questions}
+  \begin{itemize}
+    \item Contact CIRCL
+    \begin{itemize}
+      \item info@circl.lu
+      \item \url{https://twitter.com/circl_lu}
+      \item \url{https://www.circl.lu/}
+    \end{itemize}
+    \item Contact MISPProject 
+    \begin{itemize}
+      \item \url{https://github.com/MISP}
+      \item \url{https://gitter.im/MISP/MISP}
+      \item \url{https://twitter.com/MISPProject}
+    \end{itemize}
+  \end{itemize}
+\end{frame}

20200924-TW/makefile

@@ -0,0 +1,5 @@
+all:
+	pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+	rm *.aux *.nav *.log *.snm *.toc *.vrb

20200924-TW/slide.tex

@@ -0,0 +1,55 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+\definecolor{mybeige}{HTML}{eeeeee}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{myblack}{rgb}{0,0,0}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+\usepackage{listings}
+\usepackage{adjustbox}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{Team MISP Project}}
+\title{MISP - a Brief Intro}
+\date{2020-09-24}
+\subtitle{Getting started with information sharing}
+\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
+
+\lstdefinestyle{code}{ %
+  backgroundcolor=\color{mybeige},   % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+  basicstyle=\footnotesize\ttfamily,        % the size of the fonts that are used for the code
+  breakatwhitespace=false,         % sets if automatic breaks should only happen at whitespace
+  breaklines=true,                 % sets automatic line breaking
+  captionpos=b,                    % sets the caption-position to bottom
+  commentstyle=\color{mygreen},    % comment style
+  deletekeywords={...},            % if you want to delete keywords from the given language
+  escapeinside={\%*}{*)},          % if you want to add LaTeX within your code
+  extendedchars=true,              % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+  frame=single,	                   % adds a frame around the code
+  keepspaces=true,                 % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+  keywordstyle=\color{blue},       % keyword style
+  language=Python,                 % the language of the code
+  morekeywords={*,...},           % if you want to add more keywords to the set
+  numbers=left,                    % where to put the line-numbers; possible values are (none, left, right)
+  numbersep=5pt,                   % how far the line-numbers are from the code
+  numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+  rulecolor=\color{black},         % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+  showspaces=false,                % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+  showstringspaces=false,          % underline spaces within strings only
+  showtabs=false,                  % show tabs within strings adding particular underscores
+  stepnumber=1,                    % the step between two line-numbers. If it's 1, each line will be numbered
+  stringstyle=\color{mymauve},     % string literal style
+  tabsize=2,	                   % sets default tabsize to 2 spaces
+  title=\lstname                   % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+\begin{document}
+\include{content}
+\end{document}
+

20201027-ITBN-communities/content.tex

@@ -0,0 +1,236 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+  \frametitle{whoami}
+  \begin{itemize}
+    \item Iklódy András
+    \item CIRCL operator
+    \item 2012 óta vezetem a MISP core fejlesztését
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Kik is vagyunk mi - CIRCL, MISP}
+  \begin{center}
+    \includegraphics[scale=0.45]{pics/circl.png}
+    \hspace{2.5em}
+    \includegraphics[scale=0.35]{pics/misp.pdf}
+  \end{center}
+  \begin{itemize}
+    \item {\bf CIRCL} - a luxemburgi állami, privát-szektorért felelős CERT
+    \item Gazdasági minisztérium finanszíroz minket, hogy a Luxemburgban honos cégeknek segítsünk mindennel ami cyber-security témakörbe esik
+    \item Illetve, hogy toolokkal és információval lássuk el a közösséget
+    \item Mi állunk javarészt a {\bf MISP-project} mögött is, illetve aktívan megosztunk threat intelligence-t a közösséggel MISPen keresztül
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Megosztó közösségek}
+  \begin{itemize}
+    \item Feladatköreink közé tartozik különböző {\bf megosztó közösségek üzemeltetése}
+    \item Illetve résztvevői vagyunk mások által üzemeltetett közösségeknek
+    \item Mindenekelött {\bf napi teendőinkhez nélkülözhetetlen eszköz a MISP}
+    \item Egyben mi vagyunk a {\bf fő fejlesztői} is a toolnak, de ugyanakkor az egyik legnagyobb {\bf felhasználói is}
+    \item A sokféle közösségnek mind {\bf más igényei és elvárásai} vannak
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{A prezentáció céljai}
+  \begin{itemize}
+    \item Rövid MISP bevezető
+    \item Különböző community-k bemutatása
+    \item Tapasztalatok, kihívások, kudarcok, tippek
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Mi is az a MISP?}
+  \begin{itemize}
+     \item Threat intelligence sharing platform (TISP)
+     \item {\bf Open-source} és ingyenes
+     \item {\bf Threat-intel begyűjtése} saját incidensekből, partnerektől, feedekből
+     \item {\bf Harmonizálása és korrelációja} az adatoknak
+     \item {\bf Kollaborácio} partnerekkel, áldozatokkal illetve az ügyészséggel koordinálás, stb
+     \item {\bf Automatikus védelem} építése, partnerek {\bf informálása}, stb
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Milyen jellegű közösségeket üzemeltetünk?}
+  \begin{itemize}
+    \item Általános megosztó közösség a privát szektornak
+    \begin{itemize}
+      \item 1200 szervezet és 3500 felhasználó
+      \item {\bf Általános központi hub}, különböző közösségek összecsatolása
+      \item {\bf Cégek, CERT-ek, SoCok, kutatók}, a világ minden részéről
+      \item Ekkora community építése {\bf időbe telik} (éves növekedés):
+    \end{itemize}
+  \end{itemize}
+  \begin{center}
+      \includegraphics[scale=0.5]{pics/org_growth.png}
+  \end{center}
+
+\end{frame}
+
+\begin{frame}
+  \frametitle{Milyen jellegű közösségeket üzemeltetünk?}
+  \begin{itemize}
+    \item {\bf Nemzeti} illetve {\bf katonai CERT}ek community-jei
+    \item {\bf Regionális és szektoriális} ISAC-ek MISP közösségei
+    \item Különböző {\bf témakörökkel} foglalkozó közösségek (pl GSM, financial fraud, stb)
+    \item Röviden: sokféle közösség létezik, van, amelyik sikeresebb, van amelyik kevésbé
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Egy új közösség létrehozása}
+  \begin{itemize}
+      \item A technikai kivitelezés nagyon egyszerű
+      \item Egy {\bf központi MISP server telepítése} elegendő a folyamat megindításához, ezt bárki megteheti
+      \item Első lépésben a partnereink használhatják a mi MISP-ünket
+      \item Ha idővel növekedni akarnak, {\bf saját MISPet telepíthetnek es összeköthetik} a miénkkel
+      \item De az igazi kihívás nem ebben van
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Közösségi célok és elvárások}
+  \begin{itemize}
+      \item Akárhogy is nézzük, maga az információ elkészítése mindig is {\bf időigényes} lesz
+      \item Első lépés: {\bf elérhető és egyértelmű célok és szabályok} felállítása
+      \begin{itemize}
+          \item Milyen információ {\bf releváns} az adott csoportnak?
+          \item {\bf Kiket} akarunk felvenni a tagok közé (Szektor? Régió? ISAC? NGOk? Technikai képességek?)
+          \item Milyen {\bf szótárakat} használjunk az adatok {\bf kontextualizálásához}?
+          \item Mit csinálhatunk az adatokkal, amiket megosztunk?
+      \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Játekszabályok}
+  \begin{itemize}
+      \item Ha túl sok a feltétel, {\bf elijesztjük a usereinket}
+      \item 20 oldalas jogi szöveg helyett pár mondatba foglalt szabályok
+      \item A cél: első ránézésre tudjuk, hogy valamit megoszthatunk-e
+      \item Készüljünk fel: A jogi csapatunk elsőre valószínűleg meg fog ijedni az ötlettől
+      \begin{itemize}
+          \item Mi van, ha túl sokat osztunk meg?
+          \item Jogi alapja a megosztásnak (compliance dokumentumok: https://github.com/CIRCL/compliance)
+      \end{itemize}
+      \item Procedúrák felállítása {\bf anonym megosztáshoz}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Adatok struktúrálása}
+  \begin{itemize}
+      \item Milyen kifejezéseket használjunk {\bf kontextualizálásra}?
+      \item Taxonómiák kiválasztása, létrehozása
+      \item {\bf IoC listák vs komplex kontextualizált gráfok}
+      \item {\bf IoC lifecycle management}
+      \item A legfontosabb: {\bf Imitáció} - első prioritás a helyes content gyártása
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Adatok struktúrálása}
+  \begin{center}
+    \includegraphics[scale=0.3]{pics/eventgraph.png}
+  \end{center}
+\end{frame}
+
+
+\begin{frame}
+  \frametitle{Legyünk befogadóak}
+  \begin{itemize}
+      \item {\bf Homogén közösségek nem léteznek}
+      \item Különböző technikai fejlettség, csapat méretek, igények, use-case-ek, megosztási akarat
+      \item Ezek a tulajdonságok {\bf idővel változnak}, ha valakit kirekesztünk késöbb lehet, hogy megbánjuk
+      \item Fogadjuk el a különbségeket és használjuk előnyként
+      \item Ha egy szervezet csak felhasználja az adatainkat és nem ad vissza semmit a közösségnek, az is lehet előny
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Legyünk befogadóak}
+  \begin{itemize}
+      \item Egy {\bf fejlettebb, összetartó közösség minket is véd}, javítsunk a helyzeten:
+      \begin{itemize}
+          \item Workshopok, trainingek
+          \item Összejövetelek
+          \item Kommunikációs csatornák
+      \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Kudarcok}
+  \begin{itemize}
+      \item Az első próbálkozásunk: Bomba-biztos {\bf Terms and Conditions}
+      \item Üres megosztó közösségek
+      \item Megosztási {\bf kvóták}
+      \item Emberi {\bf tévedések} kezelése
+      \item {\bf Kitartás} hiánya (ellenpélda, CIRCL privát szektor):
+      \begin{itemize}
+         \item Szervezetek: 1214
+         \item Legalább egy "event" létrehozása: 160
+         \item Átlagos idő első megosztásig: 210 nap
+      \end{itemize}
+      \item Adjuk meg a {\bf kellő elismerést} azoknak, akik megosztanak információt
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{De hogyan is vegyük rá a közösségünket az aktiv megosztásra?}
+  \begin{itemize}
+      \item Organikus növekedés
+      \item {\bf Mindenki önző} - és ez nem feltétlenül probléma
+      \item A legfontosabb kérdés - {\bf milyen threat intel a legfontosabb a szervezetünknek}?
+  \end{itemize}
+  \begin{center}
+    \includegraphics[scale=0.2]{pics/informacio-forrasok.png}
+  \end{center}
+  \begin{itemize}
+      \item Visszajelzés, kollaboráció a saját incidenseknél
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Konklúzió}
+  \begin{itemize}
+      \item Röviden láttuk, {\bf miről szól a MISP}
+      \item Azt is, hogy egy megosztó {\bf közösség létrehozása egyszerű}
+      \item De ahhoz, hogy sikeres is legyen, fontos az {\bf átgondolt community management}
+      \item Illetve még fontosabb a {\bf kitartás és a pozitív hozzáállás}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Kapcsolat}
+  \begin{itemize}
+    \item Iklódy András
+    \begin{itemize}
+      \item \url{https://twitter.com/iglocska}
+      \item andras.iklody@circl.lu
+    \end{itemize}
+    \item CIRCL
+    \begin{itemize}
+      \item info@circl.lu
+      \item \url{https://twitter.com/circl_lu}
+      \item \url{https://www.circl.lu/}
+    \end{itemize}
+    \item MISPProject 
+    \begin{itemize}
+      \item \url{https://github.com/MISP}
+      \item \url{https://gitter.im/MISP/MISP}
+      \item \url{https://twitter.com/MISPProject}
+    \end{itemize}
+  \end{itemize}
+\end{frame}

20201027-ITBN-communities/makefile

@@ -0,0 +1,5 @@
+all:
+	pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+	rm *.aux *.nav *.log *.snm *.toc *.vrb

20201027-ITBN-communities/slide.tex

@@ -0,0 +1,55 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+\definecolor{mybeige}{HTML}{eeeeee}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{myblack}{rgb}{0,0,0}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+\usepackage{listings}
+\usepackage{adjustbox}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{Iklódy András}}
+\title{Cyber-threat információ-megosztó közösségek építése}
+\date{ITBN 2020}
+\subtitle{8 év tanulságai}
+\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
+
+\lstdefinestyle{code}{ %
+  backgroundcolor=\color{mybeige},   % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+  basicstyle=\footnotesize\ttfamily,        % the size of the fonts that are used for the code
+  breakatwhitespace=false,         % sets if automatic breaks should only happen at whitespace
+  breaklines=true,                 % sets automatic line breaking
+  captionpos=b,                    % sets the caption-position to bottom
+  commentstyle=\color{mygreen},    % comment style
+  deletekeywords={...},            % if you want to delete keywords from the given language
+  escapeinside={\%*}{*)},          % if you want to add LaTeX within your code
+  extendedchars=true,              % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+  frame=single,	                   % adds a frame around the code
+  keepspaces=true,                 % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+  keywordstyle=\color{blue},       % keyword style
+  language=Python,                 % the language of the code
+  morekeywords={*,...},           % if you want to add more keywords to the set
+  numbers=left,                    % where to put the line-numbers; possible values are (none, left, right)
+  numbersep=5pt,                   % how far the line-numbers are from the code
+  numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+  rulecolor=\color{black},         % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+  showspaces=false,                % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+  showstringspaces=false,          % underline spaces within strings only
+  showtabs=false,                  % show tabs within strings adding particular underscores
+  stepnumber=1,                    % the step between two line-numbers. If it's 1, each line will be numbered
+  stringstyle=\color{mymauve},     % string literal style
+  tabsize=2,	                   % sets default tabsize to 2 spaces
+  title=\lstname                   % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+\begin{document}
+\include{content}
+\end{document}
+

20201203-NATO-MUG-update/content.tex

@@ -0,0 +1,222 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+  \frametitle{The aim of this presentation}
+  \begin{itemize}
+     \item A small update on the state of MISP's ongoing development
+     \item Some insight into what new tools we have at our disposal
+     \item What can we expect in the coming months
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{MISP's evolution since the last MUG}
+  \begin{itemize}
+    \item Since the last MUG (18/06/2020) we've had:
+    \begin{itemize}
+        \item 8 releases
+        \item 2170 commits
+        \item 50 contributors contributing to the core software and its components
+    \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{So what were the main changes?}
+  \begin{itemize}
+     \item The usual {\bf bug- and usability-fixes, quality of life improvements}
+     \item Constant internal refactors to prepare us for moving to a more {\bf modern software stack}
+     \item Security fixes, including {\bf several CVEs} (keep your MISP up to date!)
+     \item Constantly evolving {\bf context libraries and integrations}
+     \item Several major features (some that were in development for most of the year)
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event Reports}
+\begin{itemize}
+	\item MISP's strength has always been {\bf structured information sharing}
+        \item {\bf Analyst to Analyst} sharing has been somewhat neglected
+        \item The new {\bf Event Report system} aims to address this!
+        \item Create {\bf markdown reports} manually...
+        \item ...or ingest reports as a starting point
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event Reports}
+\includegraphics[scale=0.18]{images/eventreport.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event Reports}
+\begin{itemize}
+	\item Style the text via a live markdown editor
+        \item Use custom MISP syntax to {\bf reference MISP attributes/objects}
+        \item {\bf Share} the reports along with events
+        \item {\bf Restrict the distribution} to subsets of recipients as you would with attributes
+        \item Massive toolkit for crafting {\bf complex, rich reports}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Galaxy 2.0}
+\begin{itemize}
+	\item Historically, {\bf higher level contextualisation was quite rigid} in MISP
+        \item Galaxies functioned as "tags with extra metadata"
+        \item Whilst we could use it to associate our technical data with higher level context...
+        \item ...we had no way of redefining the context
+        \item We also had no way of encoding our knowledge about how these {\bf concepts were interlinked}
+        \item For the past year, our colleague Sami Mokaddem has been working on a solution
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Galaxy 2.0 - create, modify, fork}
+\begin{itemize}
+	\item In Galaxy 2.0, in addition to the standard libraries, we introduce the concept of {\bf custom galaxies}
+        \item Create {\bf new libraries}, add {\bf new elements} to existing ones, or create {\bf counter-analyses / forks}
+        \item Galaxy clusters now follow similar {\bf distribution rules} as all other first class citizens in MISP
+\end{itemize}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.15]{images/galaxy20.png}}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Cerebrate}
+\begin{itemize}
+	\item A new open-source tool that we're working on
+        \item Central component of the {\bf Melicertes} project
+        \item {\bf Management and orchestration} tool for communities
+        \item Manage {\bf organisations, contact information, sharing groups, tool peering}
+        \item First integration with MISP is available already, allows MISP to lookup organisation information
+        \item We are launching a {\bf misp-project instance} to centralise organisation uuid management/validation
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Dashboarding}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.19]{images/cerebrate.png}}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.19]{images/mispcerebrate.png}}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cerebrate}
+\begin{itemize}
+	\item In the future we'll expand the use-cases and integrations with MISP
+        \item Ease the {\bf interconnection of MISPs} for synchronisation
+        \item Manage {\bf MISPs and MISP users} for organisations with multiple MISPs
+        \item Lookup system for public keys for {\bf information veracity validation}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{New API key system}
+\begin{itemize}
+	\item {\bf On-demand} functionality
+        \item Stores API keys hashed
+        \item {\bf Multiple keys per user} account
+        \item Individual {\bf expiration} and {\bf descriptions} for the API keys
+        \item Tooling for a painless transition to the modern API key system
+\end{itemize}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.32]{images/authkey.png}}
+\end{frame}
+
+\begin{frame}
+\frametitle{Interoperability}
+\begin{itemize}
+	\item Constant co-operation with vendors
+        \item We've had several new integrations contributed by 3rd parties and developed in-house
+        \item Several more integrations in the pipe, both with proprietary and OSS tools
+        \item New integrations are supporting the {\bf rich MISP standard format} going beyond simple IoC sharing
+        \begin{itemize}
+            \item Some notable ones: Intel 471 MISP feeds, Farsight dnsdb 2 misp-modules, etc
+        \end{itemize}
+        \item Constant improvements for {\bf standard specific} integrations (such as STIX 2.1)
+        \item Collaboration with other CSIRTs on building a larger {\bf eco-system of OSS tools} (Melicertes)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Knowledge base and classification libraries}
+\begin{itemize}
+	\item Constant flow of new libraries and improvements
+        \item Many topical libraries, some examples:
+        \begin{itemize}
+            \item China Defence Universities Tracker
+            \item SoD-Matrix (Segregation (or separation) of Duties (SoD) Matrix for CSIRTs, LEA and Judiciary)
+        \end{itemize}
+	\item ATT\&CK sub-techniques have been mapped (Thanks to Christophe Vandeplas!)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{SoD matrix example}
+\begin{itemize}
+	\item Describe domain specific libraries using the ATT\&CK methodology
+        \item Lends itself to a lot of different use-cases
+\end{itemize}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.21]{images/SoD.png}}
+\end{frame}
+
+\begin{frame}
+\frametitle{What's in the pipe?}
+\begin{itemize}
+	\item Long overdue move to a more {\bf modern stack} - in progress behind the scenes for a while
+        \item Cerebrate also acts as our playground for the modern stack
+        \item Larger focus on {\bf community management}
+        \item Cryptographic {\bf signing of data}
+        \item MISP over the past 2 years has heavily shifted focus to also include higher level threat intel sharing
+        \item Even though we now have the systems in place, we expect to capitalise on and improve these features heavily
+        \item {\bf New release pipeline} that we've switched to right now (to accomodate the additional testing)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{To sum it all up...}
+  \begin{itemize}
+     \item The MISP {\bf developer community is constantly growing} and improvements are coming in at a crazy rate
+     \item We have {\bf wrapped up several longer projects} that have been underway for over a year recently
+     \item The main focus this year has been {\bf fleshing out threat intelligence and contextual} information sharing
+     \item As well as {\bf community management} to tackle our growing and more interconnected community networks
+     \item We have more ideas than can be implemented with days only having 24 hours, there are {\bf many ways to get involved}
+     \item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
+  \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{Get in touch if you have any questions}
+  \begin{itemize}
+    \item Contact CIRCL
+    \begin{itemize}
+      \item info@circl.lu
+      \item \url{https://twitter.com/circl_lu}
+      \item \url{https://www.circl.lu/}
+    \end{itemize}
+    \item Contact MISPProject 
+    \begin{itemize}
+      \item \url{https://github.com/MISP}
+      \item \url{https://gitter.im/MISP/MISP}
+      \item \url{https://twitter.com/MISPProject}
+    \end{itemize}
+    \item Cerebrate project
+    \begin{itemize}
+      \item \url{https://github.com/cerebrate-project}
+      \item \url{https://github.com/cerebrate-project/cerebrate}
+    \end{itemize}
+    \item Join the COVID-19 MISP community
+    \begin{itemize}
+      \item \url{https://covid-19.iglocska.eu}
+    \end{itemize}
+  \end{itemize}
+\end{frame}