added missing presentations

exercise-movie
iglocska 2021-01-28 08:23:56 +01:00
parent 8c56e9388f
commit 4e5701a78b
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
125 changed files with 1401 additions and 0 deletions

View File

@ -0,0 +1,198 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item A small update of what has happened around MISP's development over the past few months
\item Our initial scope
\item Why is {\bf contextualisation} important?
\item What options do we have in MISP?
\item How can we {\bf leverage} this in the end?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP's evolution since the last MUG}
\begin{itemize}
\item Since the last MUG (05/12/2019) we've had:
\begin{itemize}
\item 8 releases
\item 2196 commits
\item 85 contributors contributing to the core software and its components
\end{itemize}
\item COVID-19 didn't negatively impact the progress made all that much
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{So what were the main changes?}
\begin{itemize}
\item Loads of bug fixes
\item A host of improvements to how MISP functions
\item Security fixes, including several CVEs (keep your MISP up to date!)
\item Generally loads of internal improvements (in large part thanks to Jakub Onderka)
\item Massively expanding context libraries
\item Several major features (let's talk about these)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Timelining in MISP}
\begin{itemize}
\item The goal was to capture activity timelines
\item All attributes and objects can have first-seen/last-seen data
\end{itemize}
\includegraphics[scale=0.25]{images/timeline.png}
\end{frame}
\begin{frame}
\frametitle{Timelining in MISP}
\begin{itemize}
\item Why is this interesting?
\item {\bf IoC lifecycle management} is one of the biggest challenges we face
\item Timeline information allows us to better {\bf express a story}, rather than {\bf share dumps of IoCs}
\item {\bf Time-based correlation} of certain actions helps us understand an incident
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding}
\begin{itemize}
\item Outcome of our personal initiatives to track the COVID-19 spread
\item New built-in {\bf dashboarding system} directly available in MISP
\item Dashboard widgets are modular and {\bf easy to build}
\item Create widgets that are {\bf ACL aware}
\item The COVID-19 MISP community turned out to be a massive success
\item COVID-19 use-cases are just an example though (admin widgets, trend widgets, etc)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding}
\includegraphics[scale=0.25]{images/dashboard.png}
\end{frame}
\begin{frame}
\frametitle{Decaying indicators v2}
\begin{itemize}
\item {\bf User settings} are now taken into account when crafting queries
\item {\bf Tool specific} user accounts can be pre-configured with decaying settings
\item {\bf Taxonomy} numerical values can be re-mapped to fit internal needs
\item {\bf Sightings} factor into the decay scores
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Massive rewrite of PyMISP}
\begin{itemize}
\item Python 3.6+ is a minimum since the modern PyMISP rework
\item Use of {\bf objects} with a {\bf long list of helpers} allows for easy creation/modification of MISP data
\item PyMISP's {\bf CI testing} suite has grown massively, allowing us to catch more and more issues as we commit changes
\item Automated testing {\bf including synchronising} several MISP instances
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Community management improvements}
\begin{itemize}
\item {\bf User configurations} allow users to manage different aspects of how they use MISP (for example {\bf alerting rules})
\item {\bf Community listings} directly in MISP help new users find the right points of contact (perhaps something for NATO to consider?)
\item {\bf E-mail based OTP} - Implemented by NCIA's very own Loïc Fortemps
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Integrations}
\begin{itemize}
\item Long list of {\bf integrations}, both via our export system and module systems and by other tools integrating with MISP
\item Continuous iterations of our connectors using other formats (a massive STIX 2 rework has just dropped)
\item Integrations with analysis tools, such as with Maltego (thanks to Christophe Vandeplas)
\item Tighter integration with other OSS frameworks we develop in-house (AIL, D4)
\item Mapping of libraries to taxonomies/galaxies/object templates
\item ATT\&CK like matrices from other domains (disinformation via AMITT, various sectorial groups)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{So that's where we are now}
\begin{itemize}
\item Let's have a brief look at what is on our immediate and long-term roadmaps
\item For the long-term ones, priorities shift rapidly
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP galaxy 2.0}
\begin{itemize}
\item MISP galaxies will be fully managed via MISP directly
\item Create, modify, {\bf share your custom galaxies} with the usual sync / ACL mechanisms
\item Fork and {\bf provide your own perspective} to already existing knowledge-base items
\item Build {\bf relationships between galaxy clusters} (Threat actor A uses Tool B and targets Sector C)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Reports}
\begin{itemize}
\item Create {\bf markdown reports} and share them along with your events
\item Structured information is great for automation, but sometimes plain prose helps telling a story
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Community management at scale}
\begin{itemize}
\item Cerebrate is a new OSS frameworks that we're building
\item Manage organisation, sharing group, encryption key data for communities
\item Instrument MISP instances and the interconnectivity between them via Cerebrate
\item Introduce information signing by validating signatures / ownership via trusted Cerebrate nodes
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Rework of the MISP internals}
\begin{itemize}
\item We are planning on moving MISP to a {\bf more modern stack} (cake4/bs4)
\item Cerebrate also acts as a {\bf test-bed} for this move and relies on MISP internals that have already been ported
\item We have been silently {\bf reworking a lot of the internals} of MISP to make the migration possible (UI generator systems for example)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{To sum it all up...}
\begin{itemize}
\item Many interesting things are happening
\item We are following {\bf several routes} of development (internal improvements, contextualisation, integrations, operational improvements, community building)
\item We have more ideas than can be implemented with days only having 24 hours, there are {\bf many ways to get involved}
\item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\item Join the COVID-19 MISP community
\begin{itemize}
\item \url{https://covid-19.iglocska.eu}
\end{itemize}
\end{itemize}
\end{frame}
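Review bot: the date in "Since the last MUG (05/12/2019)" on the "MISP's evolution since the last MUG" slide is ambiguous between 5 December and 12 May for a mixed audience; write it in ISO form (2019-12-05 or 2019-05-12, whichever is meant). On the "So what were the main changes?" slide, "Security fixes, including several CVEs (keep your MISP up to date!)" would be more useful with the CVE identifiers or a link to the advisories, so listeners can check whether their version is affected. This deck loads figures from images/timeline.png and images/dashboard.png while the other decks in this commit keep figures under pics/; the binary files for this deck are not named in the view, so confirm the directory name matches what was committed, since a wrong path aborts the build under the makefile's -halt-on-error. Finally, "We have more ideas than can be implemented with days only having 24 hours, there are many ways to get involved" on the summary slide is a comma splice; split it into two bullets.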

View File

@ -0,0 +1,5 @@
all:
pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
clean:
rm *.aux *.nav *.log *.snm *.toc *.vrb
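Review bot: the clean target's `rm *.aux *.nav *.log *.snm *.toc *.vrb` exits non-zero whenever any of the globs has no match (a fresh checkout, or a build that aborted before a .vrb was written), which makes `make clean` fail precisely when it is wanted; use `rm -f` so missing files are ignored. Also add `.PHONY: all clean` so a stray file named `all` or `clean` in the directory cannot mask the targets. The `all` target's combination of `-interaction nonstopmode` with `-halt-on-error` is the right one for unattended builds.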

View File

@ -0,0 +1,25 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usepackage{listings}
\usepackage{adjustbox}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
%\usepackage[T1]{fontenc}
%\usepackage[scaled]{beramono}
\author{\small{\input{../includes/authors.txt}}}
\title{MISP status update}
\subtitle{Improvements since the last MUG and the future roadmap}
\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
\date{\input{../includes/location.txt}}
\begin{document}
\include{content}
\end{document}
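Review bot: `\author{\small{\input{../includes/authors.txt}}}` and `\date{\input{../includes/location.txt}}` pull content from a sibling directory that is not part of this hunk, so the deck only builds inside the repository layout; if that is intended, say so in the makefile or a README, otherwise inline the author and location as the other two slide.tex files in this commit do. `\small` is a font-size switch rather than a command taking an argument, so `{\small \input{...}}` is the idiomatic form (the current braces still limit its scope, so it renders). `listings` and `adjustbox` are loaded but nothing in this deck's content.tex uses them; dropping them shortens the preamble and avoids an unnecessary dependency.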

377
20200923-BNLSec/content.tex Normal file
View File

@ -0,0 +1,377 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP and CIRCL}
\begin{center}
\includegraphics[scale=0.45]{pics/circl.png}
\hspace{2.5em}
\includegraphics[scale=0.35]{pics/misp.pdf}
\end{center}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}.
\item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing}
\item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item Brief introduction to MISP
\item Why is {\bf contextualisation} important?
\item What options do we have in MISP?
\item How can we {\bf leverage} this in the end?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What is MISP?}
\begin{itemize}
\item MISP is a {\bf threat information sharing} platform that is free \& open source software
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
\item Normalises, {\bf correlates}, {\bf enriches} the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Features Highlights}
\begin{itemize}
\item Functionalities to assist users in {\bf creating, collaborating and sharing}
\begin{itemize}
\item A wide range of imports
\item Rest API
\item Automatic correlation
\item Proposals
\item Granular distribution levels and sharing groups
\item Advanced synchronisation mechanisms
\end{itemize}
\item A host of export formats
\begin{itemize}
\item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
\item {\bf SIEMs}: \texttt{CEF, STIX}
\item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
\item {\bf Analysis tools}: \texttt{Maltego}
\item {\bf DNS policies}: \texttt{RPZ}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Sharing Difficulties}
\begin{itemize}
\item Not really a technical issue, but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
\item Legal restriction\footnote{\url{https://www.misp-project.org/compliance/}}
\begin{itemize}
\item \textit{Our legal framework doesn't allow us to share information}
\item \textit{Risk of information-leak is too high and it's too risky for our organization or partners.}
\end{itemize}
\item Practical restriction
\begin{itemize}
\item \textit{We don't have information to share.}
\item \textit{We don't have time to process or contribute indicators.}
\item \textit{Our model of classification doesn't fit your model.}
\item \textit{Tools for sharing information are tied to a specific format, we use a different one.}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The growing need to contextualise data}
\begin{itemize}
\item Contextualisation became more and more important as communities matured
\begin{itemize}
\item Support {\bf Diversification} of communities
\item {\bf Distinguish} between information of interest and raw data
\item {\bf False-positive} management, data {\bf quality} and {\bf relevance}
\end{itemize}
\item Classification practices need to be shared among the communities to support efficient collaboration
\end{itemize}
\end{frame}
\section{contextualising data points}
\begin{frame}
\frametitle{Base level of contextualisation}
{\centering Differentiation between {\bf indicators} and {\bf supporting data}}
\begin{itemize}
\item An IP address by itself is barely ever interesting
\item Relevance of the data must be explicit
\item Bare minimum context required
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{More contextualisation}
\begin{itemize}
\item {\bf Who} can receive our data? {\bf What} can they do with it?
\item {\bf Data accuracy, source reliability}
\item {\bf Why} is this data relevant to us?
\end{itemize}
\vspace{1em}
But we can go further,
\pause
\begin{itemize}
\item {\bf Who} is behind it? What are their {\bf Motivations}? Who are the {\bf targets}
\item {\bf What tools} were used? What {\bf impacts} are we dealing with?
\item How can we {\bf block/detect/remediate} the attack?
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Tagging and taxonomies}
\begin{itemize}
\item Simple labels
\item {\bf Standardising} on vocabularies
\item Different community cultures require different nomenclatures
\item Libraries that can easily be extended
\end{itemize}
\vspace{1em}
\includegraphics[width=1.0\linewidth]{pics/taxonomy-workflow.png}
\end{frame}
\begin{frame}
\frametitle{Tagging and taxonomies - The missing part}
\begin{itemize}
\item Taxonomy tags are often {\bf self-explanatory}
\begin{itemize}
\item \texttt{tlp:green}
\item \texttt{workflow:state="complete"}
\item \texttt{priority-level:high}
\end{itemize}
\end{itemize}
\vspace{1em}
\begin{itemize}
\item For more complex classification this is ill-suited
\begin{itemize}
\item \texttt{APT 28}
\item \texttt{Locky}
\item \texttt{Mirai}
\item \texttt{Mitre's Att\&ck patterns} and co
\end{itemize}
\item Support of synonyms, metadata, preventive measures, ...
\end{itemize}
\begin{center}
$\rightarrow$ Something more complex is needed
\end{center}
\end{frame}
\begin{frame}
\frametitle{Enriched tags - MISP Galaxies}
\begin{itemize}
\item Community driven \textbf{knowledge-base libraries}
\item Including {\it descriptions}, {\it links}, {\it synonyms} and other {\it meta} information
\item Can be used as {\bf pivot} when performing searches
\end{itemize}
\begin{center}
\includegraphics[scale=0.34]{pics/galaxy}
\end{center}
\end{frame}
\begin{frame}
\frametitle{MISP Galaxies benefits}
\begin{itemize}
\item Standardising on high-level {\bf TTPs} solved a variety of issues
\item Tools producing {\bf ATT\&CK} data and {\bf kill-chain} phases in general
\item Integrates into our {\bf filtering} and {\bf situational awareness} needs extremely well
\item Gave rise to other, ATT\&CK-like systems tackling other concerns
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{More complex data-structures for a modern age}
\begin{itemize}
\item Atomic data points are often useful, but can be lacking in many aspects
\item {\bf MISP Objects}\footnote{\url{https://github.com/MISP/misp-objects}} system
\begin{itemize}
\item Simple: {\bf templating} approach to build more complex structures
\item Flexible: allows users to {\bf define their own}
\item {\bf Relational}: interlink data-points to tell a story
\item Examples: \texttt{Domain-IP}, \texttt{File}, \texttt{VT-Report}, \texttt{Person}
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[scale=0.25]{pics/domain-ip}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Graphs are worth a thousands words}
\begin{itemize}
\item Relationships allow to easily describe process or event
\begin{itemize}
\item \texttt{Word file} drops an \texttt{Hancitor} malware, that will download a \texttt{Zeus-Panda} Banker that will later connect to \texttt{IP}
\end{itemize}
\end{itemize}
\vspace{1em}
\includegraphics[width=1.0\linewidth]{pics/eventgraph}
\end{frame}
\begin{frame}
\frametitle{False Positive Handling}
\begin{itemize}
\item Low quality data and false positives lead to {\bf alert fatigue}
\item False positives are often obvious, thus can be encoded
\begin{itemize}
\item {\bf Warninglists} of well-known indicators which are obvious false positives
\item RFC1918 networks, empty hashes, ...
\end{itemize}
\end{itemize}
\vspace{1em}
\begin{center}
\includegraphics[width=0.49\linewidth]{pics/warning-list.png}
\includegraphics[width=0.49\linewidth]{pics/warning-list-event.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Continuous feedback loop}
\begin{itemize}
\item {\bf Vital component} for IoC lifecycle management
\item Involves the output of detection tools to prioritise IoCs
\item {\bf Sighting system}
\begin{itemize}
\item Community can sight indicators and convey the time of sighting or detection
\item Can be used as a {\bf continuous reporting} stream between detection tools and MISP
\end{itemize}
\end{itemize}
\begin{center}
\begin{tikzpicture}[shorten >=2pt,node distance=13em,semithick, auto]
\node[state] (MISP) {\includegraphics[scale=0.12]{pics/misp.pdf}};
\node[state] (IDS) [right=of MISP] {Tool};
\path[->]
(MISP) edge [bend left=20] node {Push relevant IoCS} (IDS)
(IDS) edge [bend left=20] node {Report Sightings} (MISP);
\end{tikzpicture}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Adding temporality}
\begin{itemize}
\item {\bf First seen} and {\bf Last seen} on data points
\item Enables {\bf visualisation} and improves IoC lifecycle
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{pics/timeline-misp-overview.png}
\end{center}
\end{frame}
\section{Leveraging classifications}
\begin{frame}
\frametitle{Making use of all this context}
\begin{itemize}
\item Providing advanced ways of querying data
\begin{itemize}
\item Unified {\bf export APIs}
\begin{itemize}
\item \texttt{Suricata}, \texttt{Snort}, \texttt{STIX}, \texttt{Yara}, \texttt{Maltego}, ...
\end{itemize}
\item Incorporating all contextualisation options into {\bf API filters}
\item {\bf On-demand} filters for {\bf excluding} potential false positives and expired data
\item Rich set of modules to add {\bf expansions}, {\bf imports} and {\bf exports}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Example query}
\begin{lstlisting}
/attributes/restSearch
{
"returnFormat": "netfilter",
"enforceWarninglist": true,
"excludeDecayed": true,
"tags": {
"NOT": [
"tlp:white",
"type:OSINT"
],
"OR": [
"misp-galaxy:threat-actor=\"Sofacy\"",
"misp-galaxy:sector=\"Chemical\"",
]
},
"galaxy.cfr-suspected-victims": ["China", "Japan"],
}\end{lstlisting}
\end{frame}
\begin{frame}[fragile]
\frametitle{Example query to generate ATT\&CK heatmaps}
\texttt{/events/restSearch}
\begin{lstlisting}
{
"returnFormat": "attack",
"tags": [
"misp-galaxy:sector=\"Chemical\""
],
"timestamp": "365d"
}
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{A sample result for the above query}
\begin{center}
\includegraphics[scale=0.2]{pics/attack-screenshot.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Indicator lifecycle management}
\begin{itemize}
\item Built-in tool to {\bf filter out} IoCs marked as {\bf expired} by default and user-defined models
\item Overwhelmingly relies on proper classifications
\end{itemize}
\hspace{-1.5em}
\includegraphics[width=1.1\linewidth]{pics/decaying-simulation}
\end{frame}
\begin{frame}
\frametitle{To sum it all up...}
\begin{itemize}
\item Massive rise in {\bf user capabilities}
\item Growing need for truly {\bf actionable threat intel}
\item Lessons learned:
\begin{itemize}
\item {\bf Context is king} - Enables better decision making
\item {\bf Intelligence and situational awareness} are natural by-products of context
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact us
\begin{itemize}
\item \url{https://twitter.com/mokaddem_sami}
\item \url{https://twitter.com/iglocska}
\end{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\end{itemize}
\end{frame}
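Review bot: the body in the "Example query" listing is not valid JSON: the `OR` array has a trailing comma after `"misp-galaxy:sector=\"Chemical\""` and the top-level object has one after the `galaxy.cfr-suspected-victims` line, so anyone who copies the slide verbatim into a restSearch call gets a parse error; remove both commas (the "ATT&CK heatmaps" listing is well-formed). Typos in the hunk: "threat-intelligenge" and "open source softwares" on the "MISP and CIRCL" slide, "Graphs are worth a thousands words" in a frametitle, "an \texttt{Hancitor} malware" (should be "a"), and "Push relevant IoCS" in the tikz edge label. "Relationships allow to easily describe process or event" reads better as "Relationships make it easy to describe a process or an event". The tikz picture uses `\node[state]`, which requires the `automata` library; the BNLSec slide.tex loads it, but the first preamble in this commit loads only `positioning` and `shapes,arrows`, so this content.tex is not interchangeable between the decks.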

5
20200923-BNLSec/makefile Normal file
View File

@ -0,0 +1,5 @@
all:
pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
clean:
rm *.aux *.nav *.log *.snm *.toc *.vrb
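Review bot: this makefile is byte-identical to the other makefiles added in this commit and carries the same weak spot: `rm *.aux *.nav *.log *.snm *.toc *.vrb` in `clean` fails as soon as one glob has no match, so use `rm -f`, and declare `.PHONY: all clean`. One shared makefile included from each deck directory would avoid maintaining three copies.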

55
20200923-BNLSec/slide.tex Normal file
View File

@ -0,0 +1,55 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\definecolor{mybeige}{HTML}{eeeeee}
\definecolor{mymauve}{rgb}{0.58,0,0.82}
\definecolor{myblack}{rgb}{0,0,0}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usetikzlibrary{shapes,snakes,automata,positioning}
\usepackage{listings}
\usepackage{adjustbox}
%\usepackage[T1]{fontenc}
%\usepackage[scaled]{beramono}
\author{\small{Team MISP Project}}
\title{MISP - Sharing is Caring}
\date{Benelux Cyber Summit 2020}
\subtitle{Powering up information sharing}
\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
\lstdefinestyle{code}{ %
backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
captionpos=b, % sets the caption-position to bottom
commentstyle=\color{mygreen}, % comment style
deletekeywords={...}, % if you want to delete keywords from the given language
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single, % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
keywordstyle=\color{blue}, % keyword style
language=Python, % the language of the code
morekeywords={*,...}, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
stringstyle=\color{mymauve}, % string literal style
tabsize=2, % sets default tabsize to 2 spaces
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
}
\lstset{style=code}
\begin{document}
\include{content}
\end{document}
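Review bot: `commentstyle=\color{mygreen}` refers to a colour that is never defined (only `mybeige`, `mymauve` and `myblack` are declared above it), so the first listing containing anything listings treats as a comment aborts with an undefined-colour error; add `\definecolor{mygreen}{rgb}{0,0.6,0}` (or whatever shade is wanted) next to the other definitions. With `language=Python` as the global default via `\lstset{style=code}`, a `#` inside one of the restSearch JSON listings would hit exactly that path. Since the listings in content.tex are JSON rather than Python, either clear `language=` or define a JSON language, and reconsider `numbers=left`: it puts line numbers on every listing, which is unhelpful when the slide shows a request body meant to be copied.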

128
20200924-TW/content.tex Normal file
View File

@ -0,0 +1,128 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item Who are we (CIRCL)?
\item Brief introduction to MISP
\item What sort of communities are using MISP?
\item How to get started
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP and CIRCL}
\begin{center}
\includegraphics[scale=0.45]{pics/circl.png}
\hspace{2.5em}
\includegraphics[scale=0.35]{pics/misp.pdf}
\end{center}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}.
\item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing}
\item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What is MISP?}
\begin{itemize}
\item MISP is a {\bf threat information sharing} platform that is free \& open source software
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
\item Normalises, {\bf correlates}, {\bf enriches} the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What are some key objectives of communities?}
\begin{itemize}
\item To build "herd immunity" by sharing {\bf community relevant} threat information
\item By allowing to share data both for {\bf automation} and to {\bf tell a story}
\item {\bf Standardise} on how we {\bf express} and {\bf contextualise} threat information
\item {\bf Monitor trends} about attacks against your community
\item Rely on the shared data to {\bf bootstrap your investigations}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Features Highlights}
\begin{itemize}
\item Functionalities to assist users in {\bf creating, collaborating and sharing}
\begin{itemize}
\item A wide range of imports
\item Rest API
\item Automatic correlation
\item Proposals
\item Granular distribution levels and sharing groups
\item Advanced synchronisation mechanisms
\end{itemize}
\item A host of export formats
\begin{itemize}
\item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
\item {\bf SIEMs}: \texttt{CEF, STIX}
\item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
\item {\bf Analysis tools}: \texttt{Maltego}
\item {\bf DNS policies}: \texttt{RPZ}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What sort of MISP communities are there?}
\begin{itemize}
\item {\bf Generalist} cyber securitity communities (CIRCL's Private sector community, FIRST, etc)
\item {\bf Sectorial} communities (Financial, ISPs, GSMs, Law enforcement, Military, etc)
\item {\bf Geographic communities} such as national, regional (Nordic, South American, etc)
\item Communities centered around {\bf international organisations} (EU, NATO, etc)
\item {\bf Topical} communities (disinformation, RATs, COVID-19, climate)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{An example community in numbers: The CIRCL Private sector community}
\begin{itemize}
\item {\bf Users}: 3.4k
\item {\bf Organisations}: 1.6k
\item {\bf Organisations having shared events}: 441
\item {\bf Events}: ~77k
\item {\bf Data points}: 12M
\item {\bf Correlations}: 9M
\item {\bf Proposals}: 78k
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Getting started}
\begin{itemize}
\item Simplest: {\bf join an existing community} hosted by a trusted peer, use their instance
\item {\bf Run your own} instance (simply install the OSS) and {\bf connect to} established communities
\item {\bf Start your own} community with your own guidelines
\item None of the above are exclusive
\item {\bf Organic growth} from one to the other is expected
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\end{itemize}
\end{frame}
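Review bot: `{\bf Events}: ~77k` on the "CIRCL Private sector community" slide does not render as "about 77k": in LaTeX `~` is a non-breaking space, so the slide shows " 77k"; use `$\sim$77k` or `\textasciitilde 77k`. Typos: "cyber securitity" on the "What sort of MISP communities are there?" slide, "threat-intelligenge" and "open source softwares" on the "MISP and CIRCL" slide. "GSMs" in the sectorial-communities bullet is unclear next to "Financial" and "ISPs"; spell out what community is meant. The "MISP and CIRCL", "What is MISP?" and "MISP Features Highlights" frames are copied verbatim from 20200923-BNLSec/content.tex, typos included, so a shared include would keep the two decks from drifting.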

5
20200924-TW/makefile Normal file
View File

@ -0,0 +1,5 @@
all:
pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
clean:
rm *.aux *.nav *.log *.snm *.toc *.vrb
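Review bot: same `clean` target as the other two makefiles in this commit: `rm` without `-f` fails when a glob does not match, so use `rm -f *.aux *.nav *.log *.snm *.toc *.vrb`, and add `.PHONY: all clean`. A single shared makefile would be preferable to a third copy.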

BIN
20200924-TW/pics/circl.png Normal file

BIN
20200924-TW/pics/galaxy.png Normal file

BIN
20200924-TW/pics/misp.pdf Normal file

55
20200924-TW/slide.tex Normal file
View File

@ -0,0 +1,55 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\definecolor{mybeige}{HTML}{eeeeee}
\definecolor{mymauve}{rgb}{0.58,0,0.82}
\definecolor{myblack}{rgb}{0,0,0}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usetikzlibrary{shapes,snakes,automata,positioning}
\usepackage{listings}
\usepackage{adjustbox}
%\usepackage[T1]{fontenc}
%\usepackage[scaled]{beramono}
\author{\small{Team MISP Project}}
\title{MISP - a Brief Intro}
\date{2020-09-24}
\subtitle{Getting started with information sharing}
\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
\lstdefinestyle{code}{ %
backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
captionpos=b, % sets the caption-position to bottom
commentstyle=\color{mygreen}, % comment style
deletekeywords={...}, % if you want to delete keywords from the given language
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single, % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
keywordstyle=\color{blue}, % keyword style
language=Python, % the language of the code
morekeywords={*,...}, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
stringstyle=\color{mymauve}, % string literal style
tabsize=2, % sets default tabsize to 2 spaces
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
}
\lstset{style=code}
\begin{document}
\include{content}
\end{document}
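Review bot: `commentstyle=\color{mygreen}` refers to a colour that is never defined; the `\definecolor` lines above declare `main`, `textcolor`, `background`, `mybeige`, `mymauve` and `myblack` only, so the first `lstlisting` containing a comment would abort with `Undefined color 'mygreen'`. The error is latent here only because the included `content.tex` has no listings; add `\definecolor{mygreen}{rgb}{0,0.6,0}` next to the other colour definitions. Minor: the decks in this commit carry an identical preamble, so a shared `preamble.tex` pulled in with `\input` would keep the colour and listings settings from drifting between them.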


@ -0,0 +1,236 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{whoami}
\begin{itemize}
\item Iklódy András
\item CIRCL operator
\item 2012 óta vezetem a MISP core fejlesztését
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Kik is vagyunk mi - CIRCL, MISP}
\begin{center}
\includegraphics[scale=0.45]{pics/circl.png}
\hspace{2.5em}
\includegraphics[scale=0.35]{pics/misp.pdf}
\end{center}
\begin{itemize}
\item {\bf CIRCL} - a luxemburgi állami, privát-szektorért felelős CERT
\item Gazdasági minisztérium finanszíroz minket, hogy a Luxemburgban honos cégeknek segítsünk mindennel ami cyber-security témakörbe esik
\item Illetve, hogy toolokkal és információval lássuk el a közösséget
\item Mi állunk javarészt a {\bf MISP-project} mögött is, illetve aktívan megosztunk threat intelligence-t a közösséggel MISPen keresztül
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Megosztó közösségek}
\begin{itemize}
\item Feladatköreink közé tartozik különböző {\bf megosztó közösségek üzemeltetése}
\item Illetve résztvevői vagyunk mások által üzemeltetett közösségeknek
\item Mindenekelött {\bf napi teendőinkhez nélkülözhetetlen eszköz a MISP}
\item Egyben mi vagyunk a {\bf fő fejlesztői} is a toolnak, de ugyanakkor az egyik legnagyobb {\bf felhasználói is}
\item A sokféle közösségnek mind {\bf más igényei és elvárásai} vannak
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{A prezentáció céljai}
\begin{itemize}
\item Rövid MISP bevezető
\item Különböző community-k bemutatása
\item Tapasztalatok, kihívások, kudarcok, tippek
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Mi is az a MISP?}
\begin{itemize}
\item Threat intelligence sharing platform (TISP)
\item {\bf Open-source} és ingyenes
\item {\bf Threat-intel begyűjtése} saját incidensekből, partnerektől, feedekből
\item {\bf Harmonizálása és korrelációja} az adatoknak
\item {\bf Kollaborácio} partnerekkel, áldozatokkal illetve az ügyészséggel koordinálás, stb
\item {\bf Automatikus védelem} építése, partnerek {\bf informálása}, stb
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Milyen jellegű közösségeket üzemeltetünk?}
\begin{itemize}
\item Általános megosztó közösség a privát szektornak
\begin{itemize}
\item 1200 szervezet és 3500 felhasználó
\item {\bf Általános központi hub}, különböző közösségek összecsatolása
\item {\bf Cégek, CERT-ek, SoCok, kutatók}, a világ minden részéről
\item Ekkora community építése {\bf időbe telik} (éves növekedés):
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[scale=0.5]{pics/org_growth.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Milyen jellegű közösségeket üzemeltetünk?}
\begin{itemize}
\item {\bf Nemzeti} illetve {\bf katonai CERT}ek community-jei
\item {\bf Regionális és szektoriális} ISAC-ek MISP közösségei
\item Különböző {\bf témakörökkel} foglalkozó közösségek (pl GSM, financial fraud, stb)
\item Röviden: sokféle közösség létezik, van, amelyik sikeresebb, van amelyik kevésbé
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Egy új közösség létrehozása}
\begin{itemize}
\item A technikai kivitelezés nagyon egyszerű
\item Egy {\bf központi MISP server telepítése} elegendő a folyamat megindításához, ezt bárki megteheti
\item Első lépésben a partnereink használhatják a mi MISP-ünket
\item Ha idővel növekedni akarnak, {\bf saját MISPet telepíthetnek es összeköthetik} a miénkkel
\item De az igazi kihívás nem ebben van
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Közösségi célok és elvárások}
\begin{itemize}
\item Akárhogy is nézzük, maga az információ elkészítése mindig is {\bf időigényes} lesz
\item Első lépés: {\bf elérhető és egyértelmű célok és szabályok} felállítása
\begin{itemize}
\item Milyen információ {\bf releváns} az adott csoportnak?
\item {\bf Kiket} akarunk felvenni a tagok közé (Szektor? Régió? ISAC? NGOk? Technikai képességek?)
\item Milyen {\bf szótárakat} használjunk az adatok {\bf kontextualizálásához}?
\item Mit csinálhatunk az adatokkal, amiket megosztunk?
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Játekszabályok}
\begin{itemize}
\item Ha túl sok a feltétel, {\bf elijesztjük a usereinket}
\item 20 oldalas jogi szöveg helyett pár mondatba foglalt szabályok
\item A cél: első ránézésre tudjuk, hogy valamit megoszthatunk-e
\item Készüljünk fel: A jogi csapatunk elsőre valószínűleg meg fog ijedni az ötlettől
\begin{itemize}
\item Mi van, ha túl sokat osztunk meg?
\item Jogi alapja a megosztásnak (compliance dokumentumok: https://github.com/CIRCL/compliance)
\end{itemize}
\item Procedúrák felállítása {\bf anonym megosztáshoz}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Adatok struktúrálása}
\begin{itemize}
\item Milyen kifejezéseket használjunk {\bf kontextualizálásra}?
\item Taxonómiák kiválasztása, létrehozása
\item {\bf IoC listák vs komplex kontextualizált gráfok}
\item {\bf IoC lifecycle management}
\item A legfontosabb: {\bf Imitáció} - első prioritás a helyes content gyártása
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Adatok struktúrálása}
\begin{center}
\includegraphics[scale=0.3]{pics/eventgraph.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Legyünk befogadóak}
\begin{itemize}
\item {\bf Homogén közösségek nem léteznek}
\item Különböző technikai fejlettség, csapat méretek, igények, use-case-ek, megosztási akarat
\item Ezek a tulajdonságok {\bf idővel változnak}, ha valakit kirekesztünk késöbb lehet, hogy megbánjuk
\item Fogadjuk el a különbségeket és használjuk előnyként
\item Ha egy szervezet csak felhasználja az adatainkat és nem ad vissza semmit a közösségnek, az is lehet előny
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Legyünk befogadóak}
\begin{itemize}
\item Egy {\bf fejlettebb, összetartó közösség minket is véd}, javítsunk a helyzeten:
\begin{itemize}
\item Workshopok, trainingek
\item Összejövetelek
\item Kommunikációs csatornák
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Kudarcok}
\begin{itemize}
\item Az első próbálkozásunk: Bomba-biztos {\bf Terms and Conditions}
\item Üres megosztó közösségek
\item Megosztási {\bf kvóták}
\item Emberi {\bf tévedések} kezelése
\item {\bf Kitartás} hiánya (ellenpélda, CIRCL privát szektor):
\begin{itemize}
\item Szervezetek: 1214
\item Legalább egy "event" létrehozása: 160
\item Átlagos idő első megosztásig: 210 nap
\end{itemize}
\item Adjuk meg a {\bf kellő elismerést} azoknak, akik megosztanak információt
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{De hogyan is vegyük rá a közösségünket az aktiv megosztásra?}
\begin{itemize}
\item Organikus növekedés
\item {\bf Mindenki önző} - és ez nem feltétlenül probléma
\item A legfontosabb kérdés - {\bf milyen threat intel a legfontosabb a szervezetünknek}?
\end{itemize}
\begin{center}
\includegraphics[scale=0.2]{pics/informacio-forrasok.png}
\end{center}
\begin{itemize}
\item Visszajelzés, kollaboráció a saját incidenseknél
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Konklúzió}
\begin{itemize}
\item Röviden láttuk, {\bf miről szól a MISP}
\item Azt is, hogy egy megosztó {\bf közösség létrehozása egyszerű}
\item De ahhoz, hogy sikeres is legyen, fontos az {\bf átgondolt community management}
\item Illetve még fontosabb a {\bf kitartás és a pozitív hozzáállás}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Kapcsolat}
\begin{itemize}
\item Iklódy András
\begin{itemize}
\item \url{https://twitter.com/iglocska}
\item andras.iklody@circl.lu
\end{itemize}
\item CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\end{itemize}
\end{frame}
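Review bot: the compliance link on the line `\item Jogi alapja a megosztásnak (compliance dokumentumok: https://github.com/CIRCL/compliance)` is a bare URL, unlike every other link in the deck; wrap it as `\url{https://github.com/CIRCL/compliance}` so it is clickable and can break across lines (a bare URL containing `_` or `%` would also break the build; this one merely renders badly). A few Hungarian spellings in frame titles and bullets need fixing: `Játekszabályok` → `Játékszabályok`, `struktúrálása` → `strukturálása`, `Mindenekelött` → `Mindenekelőtt`, `késöbb` → `később`, `Kollaborácio` → `Kollaboráció`, `aktiv` → `aktív`. The bullet `A legfontosabb: {\bf Imitáció} - első prioritás a helyes content gyártása` reads as "imitation"; if the point is that members copy what they see, so the operator's first job is to produce correctly structured content, `példamutatás` (leading by example) says that more plainly.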


@ -0,0 +1,5 @@
all:
pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
clean:
rm *.aux *.nav *.log *.snm *.toc *.vrb
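Review bot: `clean` fails as soon as one of the globs matches nothing, because `rm` has no `-f`; a `.vrb` is only produced for `[fragile]` frames and this deck has none, so the target never succeeds. Use `rm -f *.aux *.nav *.log *.snm *.toc *.vrb *.out`. `all` runs `pdflatex` once, which on a clean build leaves the focus theme's progress bar without a frame total (beamer reads it from the previous run's `.aux`); run the line twice or use `latexmk -pdf slide.tex`, and add `.PHONY: all clean`.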



@ -0,0 +1,55 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\definecolor{mybeige}{HTML}{eeeeee}
\definecolor{mymauve}{rgb}{0.58,0,0.82}
\definecolor{myblack}{rgb}{0,0,0}
\usepackage[utf8]{inputenc}
\usepackage{tikz}
\usetikzlibrary{shapes,snakes,automata,positioning}
\usepackage{listings}
\usepackage{adjustbox}
%\usepackage[T1]{fontenc}
%\usepackage[scaled]{beramono}
\author{\small{Iklódy András}}
\title{Cyber-threat információ-megosztó közösségek építése}
\date{ITBN 2020}
\subtitle{8 év tanulságai}
\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
\lstdefinestyle{code}{ %
backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
captionpos=b, % sets the caption-position to bottom
commentstyle=\color{mygreen}, % comment style
deletekeywords={...}, % if you want to delete keywords from the given language
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single, % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
keywordstyle=\color{blue}, % keyword style
language=Python, % the language of the code
morekeywords={*,...}, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
stringstyle=\color{mymauve}, % string literal style
tabsize=2, % sets default tabsize to 2 spaces
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
}
\lstset{style=code}
\begin{document}
\include{content}
\end{document}
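Review bot: this deck is in Hungarian (`\title{Cyber-threat információ-megosztó közösségek építése}`, `\subtitle{8 év tanulságai}`) but `\usepackage[T1]{fontenc}` is left commented out, so under the default OT1 encoding `inputenc` builds `ő` and `ű` from accent commands; that compiles, but TeX will not hyphenate words containing them and the composites sit visibly differently from the surrounding glyphs in the focus theme's sans font. Uncomment the `fontenc` line and add `\usepackage[magyar]{babel}` for Hungarian hyphenation patterns. As in the other preamble, `commentstyle=\color{mygreen}` names a colour that no `\definecolor` here provides; harmless while the deck has no listings, but `\definecolor{mygreen}{rgb}{0,0.6,0}` would stop it biting later.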


@ -0,0 +1,222 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item A small update on the state of MISP's ongoing development
\item Some insight into what new tools we have at our disposal
\item What can we expect in the coming months
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP's evolution since the last MUG}
\begin{itemize}
\item Since the last MUG (18/06/2020) we've had:
\begin{itemize}
\item 8 releases
\item 2170 commits
\item 50 contributors contributing to the core software and its components
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{So what were the main changes?}
\begin{itemize}
\item The usual {\bf bug- and usability-fixes, quality of life improvements}
\item Constant internal refactors to prepare us for moving to a more {\bf modern software stack}
\item Security fixes, including {\bf several CVEs} (keep your MISP up to date!)
\item Constantly evolving {\bf context libraries and integrations}
\item Several major features (some that were in development for most of the year)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Event Reports}
\begin{itemize}
\item MISP's strength has always been {\bf structured information sharing}
\item {\bf Analyst to Analyst} sharing has been somewhat neglected
\item The new {\bf Event Report system} aims to address this!
\item Create {\bf markdown reports} manually...
\item ...or ingest reports as a starting point
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Event Reports}
\includegraphics[scale=0.18]{images/eventreport.png}
\end{frame}
\begin{frame}
\frametitle{Event Reports}
\begin{itemize}
\item Style the text via a live markdown editor
\item Use custom MISP syntax to {\bf reference MISP attributes/objects}
\item {\bf Share} the reports along with events
\item {\bf Restrict the distribution} to subsets of recipients as you would with attributes
\item Massive toolkit for crafting {\bf complex, rich reports}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Galaxy 2.0}
\begin{itemize}
\item Historically, {\bf higher level contextualisation was quite rigid} in MISP
\item Galaxies functioned as "tags with extra metadata"
\item Whilst we could use it to associate our technical data with higher level context...
\item ...we had no way of redefining the context
\item We also had no way of encoding our knowledge about how these {\bf concepts were interlinked}
\item For the past year, our colleague Sami Mokaddem has been working on a solution
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Galaxy 2.0 - create, modify, fork}
\begin{itemize}
\item In Galaxy 2.0, in addition to the standard libraries, we introduce the concept of {\bf custom galaxies}
\item Create {\bf new libraries}, add {\bf new elements} to existing ones, or create {\bf counter-analyses / forks}
\item Galaxy clusters now follow similar {\bf distribution rules} as all other first class citizens in MISP
\end{itemize}
\noindent\makebox[\textwidth]{%
\includegraphics[scale=0.15]{images/galaxy20.png}}
\end{frame}
\begin{frame}
\frametitle{Cerebrate}
\begin{itemize}
\item A new open-source tool that we're working on
\item Central component of the {\bf Melicertes} project
\item {\bf Management and orchestration} tool for communities
\item Manage {\bf organisations, contact information, sharing groups, tool peering}
\item First integration with MISP is available already, allows MISP to lookup organisation information
\item We are launching a {\bf misp-project instance} to centralise organisation uuid management/validation
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding}
\noindent\makebox[\textwidth]{%
\includegraphics[scale=0.19]{images/cerebrate.png}}
\noindent\makebox[\textwidth]{%
\includegraphics[scale=0.19]{images/mispcerebrate.png}}
\end{frame}
\begin{frame}
\frametitle{Cerebrate}
\begin{itemize}
\item In the future we'll expand the use-cases and integrations with MISP
\item Ease the {\bf interconnection of MISPs} for synchronisation
\item Manage {\bf MISPs and MISP users} for organisations with multiple MISPs
\item Lookup system for public keys for {\bf information veracity validation}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{New API key system}
\begin{itemize}
\item {\bf On-demand} functionality
\item Stores API keys hashed
\item {\bf Multiple keys per user} account
\item Individual {\bf expiration} and {\bf descriptions} for the API keys
\item Tooling for a painless transition to the modern API key system
\end{itemize}
\noindent\makebox[\textwidth]{%
\includegraphics[scale=0.32]{images/authkey.png}}
\end{frame}
\begin{frame}
\frametitle{Interoperability}
\begin{itemize}
\item Constant co-operation with vendors
\item We've had several new integrations contributed by 3rd parties and developed in-house
\item Several more integrations in the pipe, both with proprietary and OSS tools
\item New integrations are supporting the {\bf rich MISP standard format} going beyond simple IoC sharing
\begin{itemize}
\item Some notable ones: Intel 471 MISP feeds, Farsight dnsdb 2 misp-modules, etc
\end{itemize}
\item Constant improvements for {\bf standard specific} integrations (such as STIX 2.1)
\item Collaboration with other CSIRTs on building a larger {\bf eco-system of OSS tools} (Melicertes)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Knowledge base and classification libraries}
\begin{itemize}
\item Constant flow of new libraries and improvements
\item Many topical libraries, some examples:
\begin{itemize}
\item China Defence Universities Tracker
\item SoD-Matrix (Segregation (or separation) of Duties (SoD) Matrix for CSIRTs, LEA and Judiciary)
\end{itemize}
\item ATT\&CK sub-techniques have been mapped (Thanks to Christophe Vandeplas!)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{SoD matrix example}
\begin{itemize}
\item Describe domain specific libraries using the ATT\&CK methodology
\item Lends itself to a lot of different use-cases
\end{itemize}
\noindent\makebox[\textwidth]{%
\includegraphics[scale=0.21]{images/SoD.png}}
\end{frame}
\begin{frame}
\frametitle{What's in the pipe?}
\begin{itemize}
\item Long overdue move to a more {\bf modern stack} - in progress behind the scenes for a while
\item Cerebrate also acts as our playground for the modern stack
\item Larger focus on {\bf community management}
\item Cryptographic {\bf signing of data}
\item MISP over the past 2 years has heavily shifted focus to also include higher level threat intel sharing
\item Even though we now have the systems in place, we expect to capitalise on and improve these features heavily
\item {\bf New release pipeline} that we've switched to right now (to accomodate the additional testing)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{To sum it all up...}
\begin{itemize}
\item The MISP {\bf developer community is constantly growing} and improvements are coming in at a crazy rate
\item We have {\bf wrapped up several longer projects} that have been underway for over a year recently
\item The main focus this year has been {\bf fleshing out threat intelligence and contextual} information sharing
\item As well as {\bf community management} to tackle our growing and more interconnected community networks
\item We have more ideas than can be implemented with days only having 24 hours, there are {\bf many ways to get involved}
\item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\item Cerebrate project
\begin{itemize}
\item \url{https://github.com/cerebrate-project}
\item \url{https://github.com/cerebrate-project/cerebrate}
\end{itemize}
\item Join the COVID-19 MISP community
\begin{itemize}
\item \url{https://covid-19.iglocska.eu}
\end{itemize}
\end{itemize}
\end{frame}
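Review bot: the frame titled `\frametitle{Dashboarding}` shows `images/cerebrate.png` and `images/mispcerebrate.png` and sits between the two Cerebrate frames, so the title looks like a leftover from another deck; it should read `Cerebrate` (or the screenshots should move into the preceding Cerebrate frame). Typo: `accomodate` → `accommodate` in `{\bf New release pipeline} that we've switched to right now (to accomodate the additional testing)`. On the API key slide, `Stores API keys hashed` is the important security property and deserves one more bullet stating its consequence for users: a hashed key cannot be displayed again after creation, so the plaintext is shown once and must be captured then, and a lost key is rotated rather than looked up.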


Some files were not shown because too many files have changed in this diff