diff --git a/20200623-NATO-MUG-update/Sightings2.PNG b/20200623-NATO-MUG-update/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/20200623-NATO-MUG-update/Sightings2.PNG differ
diff --git a/20200623-NATO-MUG-update/attack-screenshot.png b/20200623-NATO-MUG-update/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20200623-NATO-MUG-update/attack-screenshot.png differ
diff --git a/20200623-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf b/20200623-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf
new file mode 100644
index 0000000..2bdf2e6
Binary files /dev/null and b/20200623-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf differ
diff --git a/20200623-NATO-MUG-update/bankaccount.png b/20200623-NATO-MUG-update/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/20200623-NATO-MUG-update/bankaccount.png differ
diff --git a/20200623-NATO-MUG-update/bankview.png b/20200623-NATO-MUG-update/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/20200623-NATO-MUG-update/bankview.png differ
diff --git a/20200623-NATO-MUG-update/circl.png b/20200623-NATO-MUG-update/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20200623-NATO-MUG-update/circl.png differ
diff --git a/20200623-NATO-MUG-update/content.tex b/20200623-NATO-MUG-update/content.tex
new file mode 100644
index 0000000..8c7d27c
--- /dev/null
+++ b/20200623-NATO-MUG-update/content.tex
@@ -0,0 +1,198 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{The aim of this presentation}
+ \begin{itemize}
+ \item A small update of what has happened around MISP's development over the past few months
+ \item Our initial scope
+ \item Why is {\bf contextualisation} important?
+ \item What options do we have in MISP?
+ \item How can we {\bf leverage} this in the end?
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP's evolution since the last MUG}
+ \begin{itemize}
+ \item Since the last MUG (05/12/2019) we've had:
+ \begin{itemize}
+ \item 8 releases
+ \item 2196 commits
+ \item 85 contributors contributing to the core software and its components
+ \end{itemize}
+ \item COVID-19 didn't negatively impact the progress made all that much
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{So what were the main changes?}
+ \begin{itemize}
+ \item Loads of bug fixes
+ \item A host of improvements to how MISP functions
+ \item Security fixes, including several CVEs (keep your MISP up to date!)
+ \item Generally loads of internal improvements (in large part thanks to Jakub Onderka)
+ \item Massively expanding context libraries
+ \item Several major features (let's talk about these)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Timelining in MISP}
+\begin{itemize}
+ \item The goal was to capture activity timelines
+ \item All attributes and objects can have first-seen/last-seen data
+\end{itemize}
+\includegraphics[scale=0.25]{images/timeline.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Timelining in MISP}
+\begin{itemize}
+ \item Why is this interesting?
+ \item {\bf IoC lifecycle management} is one of the biggest challenges we face
+ \item Timeline information allows us to better {\bf express a story}, rather than {\bf share dumps of IoCs}
+ \item {\bf Time-based correlation} of certain actions helps us understand an incident
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Dashboarding}
+\begin{itemize}
+ \item Outcome of our personal initiatives to track the COVID-19 spread
+ \item New built-in {\bf dashboarding system} directly available in MISP
+ \item Dashboard widgets are modular and {\bf easy to build}
+ \item Create widgets that are {\bf ACL aware}
+ \item The COVID-19 MISP community turned out to be a massive success
+ \item COVID-19 use-cases are just an example though (admin widgets, trend widgets, etc)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Dashboarding}
+\includegraphics[scale=0.25]{images/dashboard.png}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Decaying indicators v2}
+\begin{itemize}
+ \item {\bf User settings} are now taken into account when crafting queries
+ \item {\bf Tool specific} user accounts can be pre-configured with decaying settings
+ \item {\bf Taxonomy} numerical values can be re-mapped to fit internal needs
+ \item {\bf Sightings} factor into the decay scores
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Massive rewrite of PyMISP}
+\begin{itemize}
+ \item Python 3.6+ is a minimum since the modern PyMISP rework
+ \item Use of {\bf objects} with a {\bf long list of helpers} allows for easy creation/modification of MISP data
+ \item PyMISP's {\bf CI testing} suite has grown massively, allowing us to catch more and more issues as we commit changes
+ \item Automated testing {\bf including synchronising} several MISP instances
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Community management improvements}
+\begin{itemize}
+ \item {\bf User configurations} allow users to manage different aspects of how they use MISP (for example {\bf alerting rules})
+ \item {\bf Community listings} directly in MISP help new users find the right points of contact (perhaps something for NATO to consider?)
+ \item {\bf E-mail based OTP} - Implemented by NCIA's very own Loïc Fortemps
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Integrations}
+\begin{itemize}
+ \item Long list of {\bf integrations}, both via our export system and module systems and by other tools integrating with MISP
+ \item Continuous iterations of our connectors using other formats (a massive STIX 2 rework has just dropped)
+ \item Integrations with analysis tools, such as with Maltego (thanks to Christophe Vandeplas)
+ \item Tighter integration with other OSS frameworks we develop in-house (AIL, D4)
+ \item Mapping of libraries to taxonomies/galaxies/object templates
+ \item ATT\&CK like matrices from other domains (disinformation via AMITT, various sectorial groups)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{So that's where we are now}
+\begin{itemize}
+ \item Let's have a brief look at what is on our immediate and long-term roadmaps
+ \item For the long-term ones, priorities shift rapidly
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{MISP galaxy 2.0}
+\begin{itemize}
+ \item MISP galaxies will be fully managed via MISP directly
+ \item Create, modify, {\bf share your custom galaxies} with the usual sync / ACL mechanisms
+ \item Fork and {\bf provide your own perspective} to already existing knowledge-base items
+ \item Build {\bf relationships between galaxy clusters} (Threat actor A uses Tool B and targets Sector C)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Reports}
+\begin{itemize}
+ \item Create {\bf markdown reports} and share them along with your events
+ \item Structured information is great for automation, but sometimes plain prose helps telling a story
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Community management at scale}
+\begin{itemize}
+ \item Cerebrate is a new OSS frameworks that we're building
+ \item Manage organisation, sharing group, encryption key data for communities
+ \item Instrument MISP instances and the interconnectivity between them via Cerebrate
+ \item Introduce information signing by validating signatures / ownership via trusted Cerebrate nodes
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Rework of the MISP internals}
+\begin{itemize}
+ \item We are planning on moving MISP to a {\bf more modern stack} (cake4/bs4)
+ \item Cerebrate also acts as a {\bf test-bed} for this move and relies on MISP internals that have already been ported
+ \item We have been silently {\bf reworking a lot of the internals} of MISP to make the migration possible (UI generator systems for example)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{To sum it all up...}
+ \begin{itemize}
+ \item Many interesting things are happening
+ \item We are following {\bf several routes} of development (internal improvements, contextualisation, integrations, operational improvements, community building)
+ \item We have more ideas than can be implemented with days only having 24 hours, there are {\bf many ways to get involved}
+ \item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \item Join the COVID-19 MISP community
+ \begin{itemize}
+ \item \url{https://covid-19.iglocska.eu}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
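Review bot: The body text uses the plain-TeX font switch `{\bf …}` on nearly every slide (`{\bf contextualisation}`, `{\bf IoC lifecycle management}`, and so on), which is obsolete in LaTeX2e and does not nest or switch back correctly the way the semantic commands do; `\textbf{contextualisation}`, or `\emph{…}` where the intent is emphasis, is the idiomatic form, and the same applies throughout 20200923-BNLSec/content.tex in this commit. The two figures are sized with an absolute scale and an explicit extension, `\includegraphics[scale=0.25]{images/timeline.png}`; sizing relative to the frame and letting graphicx pick the extension, `\includegraphics[width=\linewidth]{images/timeline}`, keeps the image inside the slide if the source image is ever re-exported at a different resolution. The dash in `{\bf E-mail based OTP} - Implemented by …` is a hyphen standing in for an em-dash; `---` is the conventional form.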
diff --git a/20200623-NATO-MUG-update/covid.png b/20200623-NATO-MUG-update/covid.png
new file mode 100644
index 0000000..e6e869f
Binary files /dev/null and b/20200623-NATO-MUG-update/covid.png differ
diff --git a/20200623-NATO-MUG-update/creativity.png b/20200623-NATO-MUG-update/creativity.png
new file mode 100644
index 0000000..d9878e2
Binary files /dev/null and b/20200623-NATO-MUG-update/creativity.png differ
diff --git a/20200623-NATO-MUG-update/dashboard-trendings.png b/20200623-NATO-MUG-update/dashboard-trendings.png
new file mode 100644
index 0000000..e8937e4
Binary files /dev/null and b/20200623-NATO-MUG-update/dashboard-trendings.png differ
diff --git a/20200623-NATO-MUG-update/decaying-basescore.png b/20200623-NATO-MUG-update/decaying-basescore.png
new file mode 100644
index 0000000..d21e261
Binary files /dev/null and b/20200623-NATO-MUG-update/decaying-basescore.png differ
diff --git a/20200623-NATO-MUG-update/decaying-event.png b/20200623-NATO-MUG-update/decaying-event.png
new file mode 100644
index 0000000..553b9e7
Binary files /dev/null and b/20200623-NATO-MUG-update/decaying-event.png differ
diff --git a/20200623-NATO-MUG-update/decaying-index.png b/20200623-NATO-MUG-update/decaying-index.png
new file mode 100644
index 0000000..c8c9754
Binary files /dev/null and b/20200623-NATO-MUG-update/decaying-index.png differ
diff --git a/20200623-NATO-MUG-update/decaying-simulation.png b/20200623-NATO-MUG-update/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/20200623-NATO-MUG-update/decaying-simulation.png differ
diff --git a/20200623-NATO-MUG-update/decaying-tool.png b/20200623-NATO-MUG-update/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/20200623-NATO-MUG-update/decaying-tool.png differ
diff --git a/20200623-NATO-MUG-update/en_cef.png b/20200623-NATO-MUG-update/en_cef.png
new file mode 100644
index 0000000..5fed070
Binary files /dev/null and b/20200623-NATO-MUG-update/en_cef.png differ
diff --git a/20200623-NATO-MUG-update/galaxy-ransomware.png b/20200623-NATO-MUG-update/galaxy-ransomware.png
new file mode 100644
index 0000000..5cf42cc
Binary files /dev/null and b/20200623-NATO-MUG-update/galaxy-ransomware.png differ
diff --git a/20200623-NATO-MUG-update/images/dashboard.png b/20200623-NATO-MUG-update/images/dashboard.png
new file mode 100644
index 0000000..d163f4d
Binary files /dev/null and b/20200623-NATO-MUG-update/images/dashboard.png differ
diff --git a/20200623-NATO-MUG-update/images/timeline.png b/20200623-NATO-MUG-update/images/timeline.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20200623-NATO-MUG-update/images/timeline.png differ
diff --git a/20200623-NATO-MUG-update/logo-circl.pdf b/20200623-NATO-MUG-update/logo-circl.pdf
new file mode 100755
index 0000000..62c9239
Binary files /dev/null and b/20200623-NATO-MUG-update/logo-circl.pdf differ
diff --git a/20200623-NATO-MUG-update/makefile b/20200623-NATO-MUG-update/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/20200623-NATO-MUG-update/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/20200623-NATO-MUG-update/misp.pdf b/20200623-NATO-MUG-update/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20200623-NATO-MUG-update/misp.pdf differ
diff --git a/20200623-NATO-MUG-update/misplogo.pdf b/20200623-NATO-MUG-update/misplogo.pdf
new file mode 100755
index 0000000..60da568
Binary files /dev/null and b/20200623-NATO-MUG-update/misplogo.pdf differ
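Review bot: `make clean` fails on a fresh checkout because `rm *.aux *.nav *.log *.snm *.toc *.vrb` has no `-f` and rm exits non-zero on the first pattern that matches nothing (a `.vrb` only exists once a fragile frame has been built); use `rm -f *.aux *.nav *.log *.snm *.toc *.vrb`. Neither target produces a file of its own name, so a stray file called `clean` or `all` in the directory would silently turn the target into a no-op; declare `.PHONY: all clean` at the top of the file. The `all` target runs pdflatex once, which presumably leaves the total frame count used by the theme's progressbar numbering stale on a first build, since beamer reads it back from the `.aux` of the previous run; a second pass or latexmk is safer. The byte-identical makefile added under 20200923-BNLSec/makefile in this commit needs the same changes.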
diff --git a/20200623-NATO-MUG-update/object.png b/20200623-NATO-MUG-update/object.png
new file mode 100644
index 0000000..acebf04
Binary files /dev/null and b/20200623-NATO-MUG-update/object.png differ
diff --git a/20200623-NATO-MUG-update/sighting-n.png b/20200623-NATO-MUG-update/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/20200623-NATO-MUG-update/sighting-n.png differ
diff --git a/20200623-NATO-MUG-update/slide.tex b/20200623-NATO-MUG-update/slide.tex
new file mode 100644
index 0000000..7361147
--- /dev/null
+++ b/20200623-NATO-MUG-update/slide.tex
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP status update}
+\subtitle{Improvements since the last MUG and the future roadmap}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20200623-NATO-MUG-update/taxonomy-workflow.png b/20200623-NATO-MUG-update/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/20200623-NATO-MUG-update/taxonomy-workflow.png differ
diff --git a/20200623-NATO-MUG-update/timeline-misp-overview.png b/20200623-NATO-MUG-update/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20200623-NATO-MUG-update/timeline-misp-overview.png differ
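Review bot: `\include{content}` is the wrong inclusion command for a single content file: `\include` wraps the file in `\clearpage` and writes a separate `content.aux`, whereas `\input{content}` pulls the file in place, which is what is wanted for a file that only holds frames. `\author{\small{\input{../includes/authors.txt}}}` treats `\small` as a command taking an argument; it is a declaration, and the output is only correct here because the switch stays in force for the rest of the `\author` argument, so `\author{{\small \input{../includes/authors.txt}}}` expresses the intent. The commented-out `%\usepackage[T1]{fontenc}` line is worth reconsidering: content.tex contains a non-ASCII name (Loïc), which under the default OT1 encoding is built from a composite accent, so search and copy of that word in the PDF and its hyphenation may misbehave; enabling T1 (with `lmodern`) is the usual fix. The two `\includegraphics` calls name the `.pdf` extension explicitly and should let graphicx resolve it.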
diff --git a/20200623-NATO-MUG-update/timeline.jpeg b/20200623-NATO-MUG-update/timeline.jpeg
new file mode 100644
index 0000000..d60db13
Binary files /dev/null and b/20200623-NATO-MUG-update/timeline.jpeg differ
diff --git a/20200623-NATO-MUG-update/warning-list-event.png b/20200623-NATO-MUG-update/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/20200623-NATO-MUG-update/warning-list-event.png differ
diff --git a/20200623-NATO-MUG-update/warning-list.png b/20200623-NATO-MUG-update/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/20200623-NATO-MUG-update/warning-list.png differ
diff --git a/20200623-NATO-MUG-update/workflow_initial.png b/20200623-NATO-MUG-update/workflow_initial.png
new file mode 100644
index 0000000..7c6b54c
Binary files /dev/null and b/20200623-NATO-MUG-update/workflow_initial.png differ
diff --git a/20200623-NATO-MUG-update/workflow_initial2.png b/20200623-NATO-MUG-update/workflow_initial2.png
new file mode 100644
index 0000000..d384c34
Binary files /dev/null and b/20200623-NATO-MUG-update/workflow_initial2.png differ
diff --git a/20200623-NATO-MUG-update/x-isac-logo.png b/20200623-NATO-MUG-update/x-isac-logo.png
new file mode 100755
index 0000000..21c68bc
Binary files /dev/null and b/20200623-NATO-MUG-update/x-isac-logo.png differ
diff --git a/20200923-BNLSec/content.tex b/20200923-BNLSec/content.tex
new file mode 100644
index 0000000..5c29fbe
--- /dev/null
+++ b/20200923-BNLSec/content.tex
@@ -0,0 +1,377 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP and CIRCL}
+ \begin{center}
+ \includegraphics[scale=0.45]{pics/circl.png}
+ \hspace{2.5em}
+ \includegraphics[scale=0.35]{pics/misp.pdf}
+ \end{center}
+ \begin{itemize}
+ \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}.
+ \item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing}
+ \item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{The aim of this presentation}
+ \begin{itemize}
+ \item Brief introduction to MISP
+ \item Why is {\bf contextualisation} important?
+ \item What options do we have in MISP?
+ \item How can we {\bf leverage} this in the end?
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is MISP?}
+\begin{itemize}
+ \item MISP is a {\bf threat information sharing} platform that is free \& open source software
+ \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
+ \item Normalises, {\bf correlates}, {\bf enriches} the data
+ \item Allows teams and communities to {\bf collaborate}
+ \item {\bf Feeds} automated protective tools and analyst tools with the output
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP Features Highlights}
+ \begin{itemize}
+ \item Functionalities to assist users in {\bf creating, collaborating and sharing}
+ \begin{itemize}
+ \item A wide range of imports
+ \item Rest API
+ \item Automatic correlation
+ \item Proposals
+ \item Granular distribution levels and sharing groups
+ \item Advanced synchronisation mechanisms
+ \end{itemize}
+ \item A host of export formats
+ \begin{itemize}
+ \item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
+ \item {\bf SIEMs}: \texttt{CEF, STIX}
+ \item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
+ \item {\bf Analysis tools}: \texttt{Maltego}
+ \item {\bf DNS policies}: \texttt{RPZ}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Sharing Difficulties}
+\begin{itemize}
+ \item Not really a technical issue, but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
+ \item Legal restriction\footnote{\url{https://www.misp-project.org/compliance/}}
+ \begin{itemize}
+ \item \textit{Our legal framework doesn't allow us to share information}
+ \item \textit{Risk of information-leak is too high and it's too risky for our organization or partners.}
+ \end{itemize}
+ \item Practical restriction
+ \begin{itemize}
+ \item \textit{We don't have information to share.}
+ \item \textit{We don't have time to process or contribute indicators.}
+ \item \textit{Our model of classification doesn't fit your model.}
+ \item \textit{Tools for sharing information are tied to a specific format, we use a different one.}
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{The growing need to contextualise data}
+\begin{itemize}
+ \item Contextualisation became more and more important as communities matured
+ \begin{itemize}
+ \item Support {\bf Diversification} of communities
+ \item {\bf Distinguish} between information of interest and raw data
+ \item {\bf False-positive} management, data {\bf quality} and {\bf relevance}
+ \end{itemize}
+ \item Classification practices need to be shared among the communities to support efficient collaboration
+\end{itemize}
+\end{frame}
+
+\section{contextualising data points}
+
+\begin{frame}
+\frametitle{Base level of contextualisation}
+{\centering Differentiation between {\bf indicators} and {\bf supporting data}}
+\begin{itemize}
+ \item An IP address by itself is barely ever interesting
+ \item Relevance of the data must be explicit
+ \item Bare minimum context required
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{More contextualisation}
+\begin{itemize}
+ \item {\bf Who} can receive our data? {\bf What} can they do with it?
+ \item {\bf Data accuracy, source reliability}
+ \item {\bf Why} is this data relevant to us?
+\end{itemize}
+\vspace{1em}
+But we can go further,
+
+\pause
+\begin{itemize}
+ \item {\bf Who} is behind it? What are their {\bf Motivations}? Who are the {\bf targets}
+ \item {\bf What tools} were used? What {\bf impacts} are we dealing with?
+ \item How can we {\bf block/detect/remediate} the attack?
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Tagging and taxonomies}
+\begin{itemize}
+ \item Simple labels
+ \item {\bf Standardising} on vocabularies
+ \item Different community cultures require different nomenclatures
+ \item Libraries that can easily be extended
+\end{itemize}
+\vspace{1em}
+\includegraphics[width=1.0\linewidth]{pics/taxonomy-workflow.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Tagging and taxonomies - The missing part}
+\begin{itemize}
+ \item Taxonomy tags are often {\bf self-explanatory}
+ \begin{itemize}
+ \item \texttt{tlp:green}
+ \item \texttt{workflow:state="complete"}
+ \item \texttt{priority-level:high}
+ \end{itemize}
+\end{itemize}
+\vspace{1em}
+
+\begin{itemize}
+ \item For more complex classification this is ill-suited
+ \begin{itemize}
+ \item \texttt{APT 28}
+ \item \texttt{Locky}
+ \item \texttt{Mirai}
+ \item \texttt{Mitre's Att\&ck patterns} and co
+ \end{itemize}
+ \item Support of synonyms, metadata, preventive measures, ...
+\end{itemize}
+
+\begin{center}
+ $\rightarrow$ Something more complex is needed
+\end{center}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Enriched tags - MISP Galaxies}
+ \begin{itemize}
+ \item Community driven \textbf{knowledge-base libraries}
+ \item Including {\it descriptions}, {\it links}, {\it synonyms} and other {\it meta} information
+ \item Can be used as {\bf pivot} when performing searches
+ \end{itemize}
+ \begin{center}
+ \includegraphics[scale=0.34]{pics/galaxy}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP Galaxies benefits}
+ \begin{itemize}
+ \item Standardising on high-level {\bf TTPs} solved a variety of issues
+ \item Tools producing {\bf ATT\&CK} data and {\bf kill-chain} phases in general
+ \item Integrates into our {\bf filtering} and {\bf situational awareness} needs extremely well
+ \item Gave rise to other, ATT\&CK-like systems tackling other concerns
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{More complex data-structures for a modern age}
+ \begin{itemize}
+ \item Atomic data points are often useful, but can be lacking in many aspects
+ \item {\bf MISP Objects}\footnote{\url{https://github.com/MISP/misp-objects}} system
+ \begin{itemize}
+ \item Simple: {\bf templating} approach to build more complex structures
+ \item Flexible: allows users to {\bf define their own}
+ \item {\bf Relational}: interlink data-points to tell a story
+ \item Examples: \texttt{Domain-IP}, \texttt{File}, \texttt{VT-Report}, \texttt{Person}
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[scale=0.25]{pics/domain-ip}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Graphs are worth a thousands words}
+ \begin{itemize}
+ \item Relationships allow to easily describe process or event
+ \begin{itemize}
+ \item \texttt{Word file} drops an \texttt{Hancitor} malware, that will download a \texttt{Zeus-Panda} Banker that will later connect to \texttt{IP}
+ \end{itemize}
+ \end{itemize}
+ \vspace{1em}
+ \includegraphics[width=1.0\linewidth]{pics/eventgraph}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{False Positive Handling}
+ \begin{itemize}
+ \item Low quality data and false positives lead to {\bf alert fatigue}
+ \item False positives are often obvious, thus can be encoded
+ \begin{itemize}
+ \item {\bf Warninglists} of well-known indicators which are obvious false positives
+ \item RFC1918 networks, empty hashes, ...
+ \end{itemize}
+ \end{itemize}
+ \vspace{1em}
+ \begin{center}
+ \includegraphics[width=0.49\linewidth]{pics/warning-list.png}
+ \includegraphics[width=0.49\linewidth]{pics/warning-list-event.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Continuous feedback loop}
+ \begin{itemize}
+ \item {\bf Vital component} for IoC lifecycle management
+ \item Involves the output of detection tools to prioritise IoCs
+ \item {\bf Sighting system}
+ \begin{itemize}
+ \item Community can sight indicators and convey the time of sighting or detection
+ \item Can be used as a {\bf continuous reporting} stream between detection tools and MISP
+ \end{itemize}
+ \end{itemize}
+
+ \begin{center}
+ \begin{tikzpicture}[shorten >=2pt,node distance=13em,semithick, auto]
+ \node[state] (MISP) {\includegraphics[scale=0.12]{pics/misp.pdf}};
+ \node[state] (IDS) [right=of MISP] {Tool};
+ \path[->]
+ (MISP) edge [bend left=20] node {Push relevant IoCS} (IDS)
+ (IDS) edge [bend left=20] node {Report Sightings} (MISP);
+ \end{tikzpicture}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Adding temporality}
+ \begin{itemize}
+ \item {\bf First seen} and {\bf Last seen} on data points
+ \item Enables {\bf visualisation} and improves IoC lifecycle
+ \end{itemize}
+ \begin{center}
+ \includegraphics[width=1.0\linewidth]{pics/timeline-misp-overview.png}
+ \end{center}
+\end{frame}
+
+\section{Leveraging classifications}
+
+\begin{frame}
+ \frametitle{Making use of all this context}
+ \begin{itemize}
+ \item Providing advanced ways of querying data
+ \begin{itemize}
+ \item Unified {\bf export APIs}
+ \begin{itemize}
+ \item \texttt{Suricata}, \texttt{Snort}, \texttt{STIX}, \texttt{Yara}, \texttt{Maltego}, ...
+ \end{itemize}
+ \item Incorporating all contextualisation options into {\bf API filters}
+ \item {\bf On-demand} filters for {\bf excluding} potential false positives and expired data
+ \item Rich set of modules to add {\bf expansions}, {\bf imports} and {\bf exports}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Example query}
+ \begin{lstlisting}
+/attributes/restSearch
+{
+ "returnFormat": "netfilter",
+ "enforceWarninglist": true,
+ "excludeDecayed": true,
+ "tags": {
+ "NOT": [
+ "tlp:white",
+ "type:OSINT"
+ ],
+ "OR": [
+ "misp-galaxy:threat-actor=\"Sofacy\"",
+ "misp-galaxy:sector=\"Chemical\"",
+ ]
+ },
+ "galaxy.cfr-suspected-victims": ["China", "Japan"],
+}\end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Example query to generate ATT\&CK heatmaps}
+ \texttt{/events/restSearch}
+ \begin{lstlisting}
+{
+ "returnFormat": "attack",
+ "tags": [
+ "misp-galaxy:sector=\"Chemical\""
+ ],
+ "timestamp": "365d"
+}
+ \end{lstlisting}
+\end{frame}
+
+\begin{frame}
+ \frametitle{A sample result for the above query}
+ \begin{center}
+ \includegraphics[scale=0.2]{pics/attack-screenshot.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Indicator lifecycle management}
+ \begin{itemize}
+ \item Built-in tool to {\bf filter out} IoCs marked as {\bf expired} by default and user-defined models
+ \item Overwhelmingly relies on proper classifications
+ \end{itemize}
+ \hspace{-1.5em}
+ \includegraphics[width=1.1\linewidth]{pics/decaying-simulation}
+\end{frame}
+
+\begin{frame}
+ \frametitle{To sum it all up...}
+ \begin{itemize}
+ \item Massive rise in {\bf user capabilities}
+ \item Growing need for truly {\bf actionable threat intel}
+ \item Lessons learned:
+ \begin{itemize}
+ \item {\bf Context is king} - Enables better decision making
+ \item {\bf Intelligence and situational awareness} are natural by-products of context
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact us
+ \begin{itemize}
+ \item \url{https://twitter.com/mokaddem_sami}
+ \item \url{https://twitter.com/iglocska}
+ \end{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/20200923-BNLSec/makefile b/20200923-BNLSec/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/20200923-BNLSec/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/20200923-BNLSec/pics/attack-screenshot.png b/20200923-BNLSec/pics/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20200923-BNLSec/pics/attack-screenshot.png differ
diff --git a/20200923-BNLSec/pics/circl.png b/20200923-BNLSec/pics/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20200923-BNLSec/pics/circl.png differ
diff --git a/20200923-BNLSec/pics/decaying-simulation.png b/20200923-BNLSec/pics/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/20200923-BNLSec/pics/decaying-simulation.png differ
diff --git a/20200923-BNLSec/pics/domain-ip.png b/20200923-BNLSec/pics/domain-ip.png
new file mode 100644
index 0000000..33b83c2
Binary files /dev/null and b/20200923-BNLSec/pics/domain-ip.png differ
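Review bot: The `Example query` listing is not valid JSON as written: the `"OR"` array ends with a trailing comma after `"misp-galaxy:sector=\"Chemical\"",`, and the top-level object ends with `"galaxy.cfr-suspected-victims": ["China", "Japan"],` directly before `}`, so a reader who pastes the body into a REST client gets a parse error instead of the `/attributes/restSearch` result the slide promises; drop both trailing commas (the second listing, for `/events/restSearch`, is already well-formed). The two query frames also present the endpoint differently — the first puts `/attributes/restSearch` inside the `lstlisting` as if it were part of the body, the second puts `\texttt{/events/restSearch}` above it — and the second form is the one that keeps the listing copy-pasteable. On the first slide `threat-intelligenge` is a typo for `threat-intelligence` and `open source softwares` should be `open source software`; the frame title `Graphs are worth a thousands words` should read `a thousand words`, and `drops an \texttt{Hancitor} malware` wants `a`. `\section{contextualising data points}` is the only lower-case section title next to `\section{Leveraging classifications}`.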
diff --git a/20200923-BNLSec/pics/eventgraph.png b/20200923-BNLSec/pics/eventgraph.png
new file mode 100644
index 0000000..8cb5c8e
Binary files /dev/null and b/20200923-BNLSec/pics/eventgraph.png differ
diff --git a/20200923-BNLSec/pics/galaxy.png b/20200923-BNLSec/pics/galaxy.png
new file mode 100644
index 0000000..625432d
Binary files /dev/null and b/20200923-BNLSec/pics/galaxy.png differ
diff --git a/20200923-BNLSec/pics/logo-circl.pdf b/20200923-BNLSec/pics/logo-circl.pdf
new file mode 100644
index 0000000..62c9239
Binary files /dev/null and b/20200923-BNLSec/pics/logo-circl.pdf differ
diff --git a/20200923-BNLSec/pics/misp.pdf b/20200923-BNLSec/pics/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20200923-BNLSec/pics/misp.pdf differ
diff --git a/20200923-BNLSec/pics/misplogo.pdf b/20200923-BNLSec/pics/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/20200923-BNLSec/pics/misplogo.pdf differ
diff --git a/20200923-BNLSec/pics/taxonomy-workflow.png b/20200923-BNLSec/pics/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/20200923-BNLSec/pics/taxonomy-workflow.png differ
diff --git a/20200923-BNLSec/pics/timeline-misp-overview.png b/20200923-BNLSec/pics/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20200923-BNLSec/pics/timeline-misp-overview.png differ
diff --git a/20200923-BNLSec/pics/warning-list-event.png b/20200923-BNLSec/pics/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/20200923-BNLSec/pics/warning-list-event.png differ
diff --git a/20200923-BNLSec/pics/warning-list.png b/20200923-BNLSec/pics/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/20200923-BNLSec/pics/warning-list.png differ
diff --git a/20200923-BNLSec/slide.tex b/20200923-BNLSec/slide.tex
new file mode 100644
index 0000000..4e4d7bf
--- /dev/null
+++ b/20200923-BNLSec/slide.tex
@@ -0,0 +1,55 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+\definecolor{mybeige}{HTML}{eeeeee}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{myblack}{rgb}{0,0,0}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+\usepackage{listings}
+\usepackage{adjustbox}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{Team MISP Project}}
+\title{MISP - Sharing is Caring}
+\date{Benelux Cyber Summit 2020}
+\subtitle{Powering up information sharing}
+\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
+
+\lstdefinestyle{code}{ %
+ backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single, % adds a frame around the code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{blue}, % keyword style
+ language=Python, % the language of the code
+ morekeywords={*,...}, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20200924-TW/content.tex b/20200924-TW/content.tex
new file mode 100644
index 0000000..a707279
--- /dev/null
+++ b/20200924-TW/content.tex
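Review bot: `commentstyle=\color{mygreen}` in the `code` listing style names a colour that is never defined — the preamble only declares `main`, `textcolor`, `background`, `mybeige`, `mymauve` and `myblack` — so the first `lstlisting` that contains a comment will stop pdflatex with an undefined-colour error (the style is applied globally by `\lstset{style=code}`, so the error only surfaces when a comment is actually typeset). Add a definition next to the other colours, e.g. `\definecolor{mygreen}{rgb}{0,0.6,0}` (constructed sample value), or drop the option. The same preamble is added as 20200924-TW/slide.tex and 20201027-ITBN-communities/slide.tex with the same gap; since the three files differ only in the `\author`/`\title`/`\date`/`\subtitle` block, the package and `\lstdefinestyle` lines could live in one shared file that each `slide.tex` pulls in with `\input`. Minor style point: `\author{\small{Team MISP Project}}` uses the `\small` size switch as if it took an argument; `{\small Team MISP Project}` is the intended form.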
@@ -0,0 +1,128 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{The aim of this presentation}
+ \begin{itemize}
+ \item Who are we (CIRCL)?
+ \item Brief introduction to MISP
+ \item What sort of communities are using MISP?
+ \item How to get started
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP and CIRCL}
+ \begin{center}
+ \includegraphics[scale=0.45]{pics/circl.png}
+ \hspace{2.5em}
+ \includegraphics[scale=0.35]{pics/misp.pdf}
+ \end{center}
+ \begin{itemize}
+ \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}.
+ \item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing}
+ \item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is MISP?}
+\begin{itemize}
+ \item MISP is a {\bf threat information sharing} platform that is free \& open source software
+ \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
+ \item Normalises, {\bf correlates}, {\bf enriches} the data
+ \item Allows teams and communities to {\bf collaborate}
+ \item {\bf Feeds} automated protective tools and analyst tools with the output
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What are some key objectives of communities?}
+\begin{itemize}
+ \item To build "herd immunity" by sharing {\bf community relevant} threat information
+ \item By allowing to share data both for {\bf automation} and to {\bf tell a story}
+ \item {\bf Standardise} on how we {\bf express} and {\bf contextualise} threat information
+ \item {\bf Monitor trends} about attacks against your community
+ \item Rely on the shared data to {\bf bootstrap your investigations}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP Features Highlights}
+ \begin{itemize}
+ \item Functionalities to assist users in {\bf creating, collaborating and sharing}
+ \begin{itemize}
+ \item A wide range of imports
+ \item Rest API
+ \item Automatic correlation
+ \item Proposals
+ \item Granular distribution levels and sharing groups
+ \item Advanced synchronisation mechanisms
+ \end{itemize}
+ \item A host of export formats
+ \begin{itemize}
+ \item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
+ \item {\bf SIEMs}: \texttt{CEF, STIX}
+ \item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
+ \item {\bf Analysis tools}: \texttt{Maltego}
+ \item {\bf DNS policies}: \texttt{RPZ}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What sort of MISP communities are there?}
+\begin{itemize}
+ \item {\bf Generalist} cyber securitity communities (CIRCL's Private sector community, FIRST, etc)
+ \item {\bf Sectorial} communities (Financial, ISPs, GSMs, Law enforcement, Military, etc)
+ \item {\bf Geographic communities} such as national, regional (Nordic, South American, etc)
+ \item Communities centered around {\bf international organisations} (EU, NATO, etc)
+ \item {\bf Topical} communities (disinformation, RATs, COVID-19, climate)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{An example community in numbers: The CIRCL Private sector community}
+\begin{itemize}
+ \item {\bf Users}: 3.4k
+ \item {\bf Organisations}: 1.6k
+ \item {\bf Organisations having shared events}: 441
+ \item {\bf Events}: ~77k
+ \item {\bf Data points}: 12M
+ \item {\bf Correlations}: 9M
+ \item {\bf Proposals}: 78k
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Getting started}
+\begin{itemize}
+ \item Simplest: {\bf join an existing community} hosted by a trusted peer, use their instance
+ \item {\bf Run your own} instance (simply install the OSS) and {\bf connect to} established communities
+ \item {\bf Start your own} community with your own guidelines
+ \item None of the above are exclusive
+ \item {\bf Organic growth} from one to the other is expected
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/20200924-TW/makefile b/20200924-TW/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/20200924-TW/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/20200924-TW/pics/attack-screenshot.png b/20200924-TW/pics/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20200924-TW/pics/attack-screenshot.png differ
diff --git a/20200924-TW/pics/circl.png b/20200924-TW/pics/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20200924-TW/pics/circl.png differ
diff --git a/20200924-TW/pics/decaying-simulation.png b/20200924-TW/pics/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/20200924-TW/pics/decaying-simulation.png differ
diff --git a/20200924-TW/pics/domain-ip.png b/20200924-TW/pics/domain-ip.png
new file mode 100644
index 0000000..33b83c2
Binary files /dev/null and b/20200924-TW/pics/domain-ip.png differ
diff --git a/20200924-TW/pics/eventgraph.png b/20200924-TW/pics/eventgraph.png
new file mode 100644
index 0000000..8cb5c8e
Binary files /dev/null and b/20200924-TW/pics/eventgraph.png differ
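Review bot: In the "example community in numbers" frame, `\item {\bf Events}: ~77k` does not print a tilde — `~` is LaTeX's non-breaking space, so the slide reads "Events: 77k" and the intended "approximately" is lost; write `\item {\bf Events}: $\sim$77k` or `\item {\bf Events}: \textasciitilde77k`. The straight quotes in "herd immunity" render as two closing quotes; the LaTeX pair is `` ``herd immunity'' ``. Spelling in the CIRCL and communities frames: `threat-intelligenge` should be `threat-intelligence`, `cyber securitity` should be `cyber security`, and `open source softwares` should be `open source software`. As a point of style, `{\bf ...}` used throughout the file is the obsolete plain-TeX font switch; `\textbf{...}` is the LaTeX form and nests correctly.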
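Review bot: The `clean` target's `rm *.aux *.nav *.log *.snm *.toc *.vrb` fails, and make reports an error, whenever one of the globs matches nothing (a fresh checkout, or a deck that never produced a `.vrb`); `rm -f *.aux *.nav *.log *.snm *.toc *.vrb` makes it idempotent. `all` and `clean` are not files, so add `.PHONY: all clean` to keep them from being skipped if a file of that name ever appears. A single pdflatex pass in `all` is likely to leave the focus theme's frame counter and progress bar stale, since beamer's `.nav`/`.toc` data is only picked up on the next run; running the command twice is the usual fix. The identical makefile added as 20201027-ITBN-communities/makefile has the same issues.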
diff --git a/20200924-TW/pics/galaxy.png b/20200924-TW/pics/galaxy.png
new file mode 100644
index 0000000..625432d
Binary files /dev/null and b/20200924-TW/pics/galaxy.png differ
diff --git a/20200924-TW/pics/logo-circl.pdf b/20200924-TW/pics/logo-circl.pdf
new file mode 100644
index 0000000..62c9239
Binary files /dev/null and b/20200924-TW/pics/logo-circl.pdf differ
diff --git a/20200924-TW/pics/misp.pdf b/20200924-TW/pics/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20200924-TW/pics/misp.pdf differ
diff --git a/20200924-TW/pics/misplogo.pdf b/20200924-TW/pics/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/20200924-TW/pics/misplogo.pdf differ
diff --git a/20200924-TW/pics/taxonomy-workflow.png b/20200924-TW/pics/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/20200924-TW/pics/taxonomy-workflow.png differ
diff --git a/20200924-TW/pics/timeline-misp-overview.png b/20200924-TW/pics/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20200924-TW/pics/timeline-misp-overview.png differ
diff --git a/20200924-TW/pics/warning-list-event.png b/20200924-TW/pics/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/20200924-TW/pics/warning-list-event.png differ
diff --git a/20200924-TW/pics/warning-list.png b/20200924-TW/pics/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/20200924-TW/pics/warning-list.png differ
diff --git a/20200924-TW/slide.tex b/20200924-TW/slide.tex
new file mode 100644
index 0000000..1fb0acd
--- /dev/null
+++ b/20200924-TW/slide.tex
@@ -0,0 +1,55 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+\definecolor{mybeige}{HTML}{eeeeee}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{myblack}{rgb}{0,0,0}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+\usepackage{listings}
+\usepackage{adjustbox}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{Team MISP Project}}
+\title{MISP - a Brief Intro}
+\date{2020-09-24}
+\subtitle{Getting started with information sharing}
+\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
+
+\lstdefinestyle{code}{ %
+ backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single, % adds a frame around the code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{blue}, % keyword style
+ language=Python, % the language of the code
+ morekeywords={*,...}, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20201027-ITBN-communities/content.tex b/20201027-ITBN-communities/content.tex
new file mode 100644
index 0000000..57478a7
--- /dev/null
+++ b/20201027-ITBN-communities/content.tex
@@ -0,0 +1,236 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{whoami}
+ \begin{itemize}
+ \item Iklódy András
+ \item CIRCL operator
+ \item 2012 óta vezetem a MISP core fejlesztését
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Kik is vagyunk mi - CIRCL, MISP}
+ \begin{center}
+ \includegraphics[scale=0.45]{pics/circl.png}
+ \hspace{2.5em}
+ \includegraphics[scale=0.35]{pics/misp.pdf}
+ \end{center}
+ \begin{itemize}
+ \item {\bf CIRCL} - a luxemburgi állami, privát-szektorért felelős CERT
+ \item Gazdasági minisztérium finanszíroz minket, hogy a Luxemburgban honos cégeknek segítsünk mindennel ami cyber-security témakörbe esik
+ \item Illetve, hogy toolokkal és információval lássuk el a közösséget
+ \item Mi állunk javarészt a {\bf MISP-project} mögött is, illetve aktívan megosztunk threat intelligence-t a közösséggel MISPen keresztül
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Megosztó közösségek}
+ \begin{itemize}
+ \item Feladatköreink közé tartozik különböző {\bf megosztó közösségek üzemeltetése}
+ \item Illetve résztvevői vagyunk mások által üzemeltetett közösségeknek
+ \item Mindenekelött {\bf napi teendőinkhez nélkülözhetetlen eszköz a MISP}
+ \item Egyben mi vagyunk a {\bf fő fejlesztői} is a toolnak, de ugyanakkor az egyik legnagyobb {\bf felhasználói is}
+ \item A sokféle közösségnek mind {\bf más igényei és elvárásai} vannak
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{A prezentáció céljai}
+ \begin{itemize}
+ \item Rövid MISP bevezető
+ \item Különböző community-k bemutatása
+ \item Tapasztalatok, kihívások, kudarcok, tippek
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Mi is az a MISP?}
+ \begin{itemize}
+ \item Threat intelligence sharing platform (TISP)
+ \item {\bf Open-source} és ingyenes
+ \item {\bf Threat-intel begyűjtése} saját incidensekből, partnerektől, feedekből
+ \item {\bf Harmonizálása és korrelációja} az adatoknak
+ \item {\bf Kollaborácio} partnerekkel, áldozatokkal illetve az ügyészséggel koordinálás, stb
+ \item {\bf Automatikus védelem} építése, partnerek {\bf informálása}, stb
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Milyen jellegű közösségeket üzemeltetünk?}
+ \begin{itemize}
+ \item Általános megosztó közösség a privát szektornak
+ \begin{itemize}
+ \item 1200 szervezet és 3500 felhasználó
+ \item {\bf Általános központi hub}, különböző közösségek összecsatolása
+ \item {\bf Cégek, CERT-ek, SoCok, kutatók}, a világ minden részéről
+ \item Ekkora community építése {\bf időbe telik} (éves növekedés):
+ \end{itemize}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[scale=0.5]{pics/org_growth.png}
+ \end{center}
+
+\end{frame}
+
+\begin{frame}
+ \frametitle{Milyen jellegű közösségeket üzemeltetünk?}
+ \begin{itemize}
+ \item {\bf Nemzeti} illetve {\bf katonai CERT}ek community-jei
+ \item {\bf Regionális és szektoriális} ISAC-ek MISP közösségei
+ \item Különböző {\bf témakörökkel} foglalkozó közösségek (pl GSM, financial fraud, stb)
+ \item Röviden: sokféle közösség létezik, van, amelyik sikeresebb, van amelyik kevésbé
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Egy új közösség létrehozása}
+ \begin{itemize}
+ \item A technikai kivitelezés nagyon egyszerű
+ \item Egy {\bf központi MISP server telepítése} elegendő a folyamat megindításához, ezt bárki megteheti
+ \item Első lépésben a partnereink használhatják a mi MISP-ünket
+ \item Ha idővel növekedni akarnak, {\bf saját MISPet telepíthetnek es összeköthetik} a miénkkel
+ \item De az igazi kihívás nem ebben van
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Közösségi célok és elvárások}
+ \begin{itemize}
+ \item Akárhogy is nézzük, maga az információ elkészítése mindig is {\bf időigényes} lesz
+ \item Első lépés: {\bf elérhető és egyértelmű célok és szabályok} felállítása
+ \begin{itemize}
+ \item Milyen információ {\bf releváns} az adott csoportnak?
+ \item {\bf Kiket} akarunk felvenni a tagok közé (Szektor? Régió? ISAC? NGOk? Technikai képességek?)
+ \item Milyen {\bf szótárakat} használjunk az adatok {\bf kontextualizálásához}?
+ \item Mit csinálhatunk az adatokkal, amiket megosztunk?
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Játekszabályok}
+ \begin{itemize}
+ \item Ha túl sok a feltétel, {\bf elijesztjük a usereinket}
+ \item 20 oldalas jogi szöveg helyett pár mondatba foglalt szabályok
+ \item A cél: első ránézésre tudjuk, hogy valamit megoszthatunk-e
+ \item Készüljünk fel: A jogi csapatunk elsőre valószínűleg meg fog ijedni az ötlettől
+ \begin{itemize}
+ \item Mi van, ha túl sokat osztunk meg?
+ \item Jogi alapja a megosztásnak (compliance dokumentumok: https://github.com/CIRCL/compliance)
+ \end{itemize}
+ \item Procedúrák felállítása {\bf anonym megosztáshoz}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Adatok struktúrálása}
+ \begin{itemize}
+ \item Milyen kifejezéseket használjunk {\bf kontextualizálásra}?
+ \item Taxonómiák kiválasztása, létrehozása
+ \item {\bf IoC listák vs komplex kontextualizált gráfok}
+ \item {\bf IoC lifecycle management}
+ \item A legfontosabb: {\bf Imitáció} - első prioritás a helyes content gyártása
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Adatok struktúrálása}
+ \begin{center}
+ \includegraphics[scale=0.3]{pics/eventgraph.png}
+ \end{center}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Legyünk befogadóak}
+ \begin{itemize}
+ \item {\bf Homogén közösségek nem léteznek}
+ \item Különböző technikai fejlettség, csapat méretek, igények, use-case-ek, megosztási akarat
+ \item Ezek a tulajdonságok {\bf idővel változnak}, ha valakit kirekesztünk késöbb lehet, hogy megbánjuk
+ \item Fogadjuk el a különbségeket és használjuk előnyként
+ \item Ha egy szervezet csak felhasználja az adatainkat és nem ad vissza semmit a közösségnek, az is lehet előny
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Legyünk befogadóak}
+ \begin{itemize}
+ \item Egy {\bf fejlettebb, összetartó közösség minket is véd}, javítsunk a helyzeten:
+ \begin{itemize}
+ \item Workshopok, trainingek
+ \item Összejövetelek
+ \item Kommunikációs csatornák
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Kudarcok}
+ \begin{itemize}
+ \item Az első próbálkozásunk: Bomba-biztos {\bf Terms and Conditions}
+ \item Üres megosztó közösségek
+ \item Megosztási {\bf kvóták}
+ \item Emberi {\bf tévedések} kezelése
+ \item {\bf Kitartás} hiánya (ellenpélda, CIRCL privát szektor):
+ \begin{itemize}
+ \item Szervezetek: 1214
+ \item Legalább egy "event" létrehozása: 160
+ \item Átlagos idő első megosztásig: 210 nap
+ \end{itemize}
+ \item Adjuk meg a {\bf kellő elismerést} azoknak, akik megosztanak információt
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{De hogyan is vegyük rá a közösségünket az aktiv megosztásra?}
+ \begin{itemize}
+ \item Organikus növekedés
+ \item {\bf Mindenki önző} - és ez nem feltétlenül probléma
+ \item A legfontosabb kérdés - {\bf milyen threat intel a legfontosabb a szervezetünknek}?
+ \end{itemize}
+ \begin{center}
+ \includegraphics[scale=0.2]{pics/informacio-forrasok.png}
+ \end{center}
+ \begin{itemize}
+ \item Visszajelzés, kollaboráció a saját incidenseknél
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Konklúzió}
+ \begin{itemize}
+ \item Röviden láttuk, {\bf miről szól a MISP}
+ \item Azt is, hogy egy megosztó {\bf közösség létrehozása egyszerű}
+ \item De ahhoz, hogy sikeres is legyen, fontos az {\bf átgondolt community management}
+ \item Illetve még fontosabb a {\bf kitartás és a pozitív hozzáállás}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Kapcsolat}
+ \begin{itemize}
+ \item Iklódy András
+ \begin{itemize}
+ \item \url{https://twitter.com/iglocska}
+ \item andras.iklody@circl.lu
+ \end{itemize}
+ \item CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/20201027-ITBN-communities/makefile b/20201027-ITBN-communities/makefile
new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/20201027-ITBN-communities/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
diff --git a/20201027-ITBN-communities/pics/attack-screenshot.png b/20201027-ITBN-communities/pics/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20201027-ITBN-communities/pics/attack-screenshot.png differ
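Review bot: In the "Játekszabályok" frame the compliance repository address is typed as plain text, `https://github.com/CIRCL/compliance)`, so it is neither clickable nor line-breakable, and a longer path containing `_` or `%` would not even compile; write it as `\url{https://github.com/CIRCL/compliance}`, as the "Kapcsolat" frame already does for its links. The straight quotes in `"event"` in the "Kudarcok" frame render as two closing quotes; the LaTeX pair is `` ``event'' ``. As a point of style, `{\bf ...}` throughout the file is the obsolete plain-TeX font switch; `\textbf{...}` is the LaTeX form.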
diff --git a/20201027-ITBN-communities/pics/circl.png b/20201027-ITBN-communities/pics/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20201027-ITBN-communities/pics/circl.png differ
diff --git a/20201027-ITBN-communities/pics/decaying-simulation.png b/20201027-ITBN-communities/pics/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/20201027-ITBN-communities/pics/decaying-simulation.png differ
diff --git a/20201027-ITBN-communities/pics/domain-ip.png b/20201027-ITBN-communities/pics/domain-ip.png
new file mode 100644
index 0000000..33b83c2
Binary files /dev/null and b/20201027-ITBN-communities/pics/domain-ip.png differ
diff --git a/20201027-ITBN-communities/pics/eventgraph.png b/20201027-ITBN-communities/pics/eventgraph.png
new file mode 100644
index 0000000..8cb5c8e
Binary files /dev/null and b/20201027-ITBN-communities/pics/eventgraph.png differ
diff --git a/20201027-ITBN-communities/pics/galaxy.png b/20201027-ITBN-communities/pics/galaxy.png
new file mode 100644
index 0000000..625432d
Binary files /dev/null and b/20201027-ITBN-communities/pics/galaxy.png differ
diff --git a/20201027-ITBN-communities/pics/informacio-forrasok.png b/20201027-ITBN-communities/pics/informacio-forrasok.png
new file mode 100644
index 0000000..d3cf4bd
Binary files /dev/null and b/20201027-ITBN-communities/pics/informacio-forrasok.png differ
diff --git a/20201027-ITBN-communities/pics/logo-circl.pdf b/20201027-ITBN-communities/pics/logo-circl.pdf
new file mode 100644
index 0000000..62c9239
Binary files /dev/null and b/20201027-ITBN-communities/pics/logo-circl.pdf differ
diff --git a/20201027-ITBN-communities/pics/misp.pdf b/20201027-ITBN-communities/pics/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20201027-ITBN-communities/pics/misp.pdf differ
diff --git a/20201027-ITBN-communities/pics/misplogo.pdf b/20201027-ITBN-communities/pics/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/20201027-ITBN-communities/pics/misplogo.pdf differ
diff --git a/20201027-ITBN-communities/pics/objects.png b/20201027-ITBN-communities/pics/objects.png
new file mode 100644
index 0000000..7a1399a
Binary files /dev/null and b/20201027-ITBN-communities/pics/objects.png differ
diff --git a/20201027-ITBN-communities/pics/org_growth.png b/20201027-ITBN-communities/pics/org_growth.png
new file mode 100644
index 0000000..c6ac4a8
Binary files /dev/null and b/20201027-ITBN-communities/pics/org_growth.png differ
diff --git a/20201027-ITBN-communities/pics/taxonomy-workflow.png b/20201027-ITBN-communities/pics/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/20201027-ITBN-communities/pics/taxonomy-workflow.png differ
diff --git a/20201027-ITBN-communities/pics/timeline-misp-overview.png b/20201027-ITBN-communities/pics/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20201027-ITBN-communities/pics/timeline-misp-overview.png differ
diff --git a/20201027-ITBN-communities/pics/warning-list-event.png b/20201027-ITBN-communities/pics/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/20201027-ITBN-communities/pics/warning-list-event.png differ
diff --git a/20201027-ITBN-communities/pics/warning-list.png b/20201027-ITBN-communities/pics/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/20201027-ITBN-communities/pics/warning-list.png differ
diff --git a/20201027-ITBN-communities/slide.tex b/20201027-ITBN-communities/slide.tex
new file mode 100644
index 0000000..37b012f
--- /dev/null
+++ b/20201027-ITBN-communities/slide.tex
@@ -0,0 +1,55 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+\definecolor{mybeige}{HTML}{eeeeee}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{myblack}{rgb}{0,0,0}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+\usepackage{listings}
+\usepackage{adjustbox}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{Iklódy András}}
+\title{Cyber-threat információ-megosztó közösségek építése}
+\date{ITBN 2020}
+\subtitle{8 év tanulságai}
+\titlegraphic{\includegraphics[scale=0.85]{pics/misp.pdf}}
+
+\lstdefinestyle{code}{ %
+ backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single, % adds a frame around the code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{blue}, % keyword style
+ language=Python, % the language of the code
+ morekeywords={*,...}, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20201203-NATO-MUG-update/Sightings2.PNG b/20201203-NATO-MUG-update/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/20201203-NATO-MUG-update/Sightings2.PNG differ
diff --git a/20201203-NATO-MUG-update/attack-screenshot.png b/20201203-NATO-MUG-update/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20201203-NATO-MUG-update/attack-screenshot.png differ
diff --git a/20201203-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf b/20201203-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf
new file mode 100644
index 0000000..2bdf2e6
Binary files /dev/null and b/20201203-NATO-MUG-update/b.4-turning-data-into-actionable-intelligence-short.pdf differ
diff --git a/20201203-NATO-MUG-update/bankaccount.png b/20201203-NATO-MUG-update/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/20201203-NATO-MUG-update/bankaccount.png differ
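Review bot: This deck is Hungarian (`\title{Cyber-threat információ-megosztó közösségek építése}` and the whole content.tex), yet `%\usepackage[T1]{fontenc}` is left commented out, so pdflatex falls back to the OT1 encoding in which ő, ű, á and the other accented letters are assembled from accent composites: TeX cannot hyphenate words containing them, and search or copy in the resulting PDF is unreliable for those words. Uncomment `\usepackage[T1]{fontenc}` (keeping `\usepackage[utf8]{inputenc}`), and add `\usepackage{lmodern}` so a T1-encoded font is actually available; the commented `beramono` line can stay as it is. Separately, the `extendedchars=true` listing option is documented on its own line as not working with UTF-8, which would matter if Hungarian text ever appears inside a listing.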
diff --git a/20201203-NATO-MUG-update/bankview.png b/20201203-NATO-MUG-update/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/20201203-NATO-MUG-update/bankview.png differ
diff --git a/20201203-NATO-MUG-update/circl.png b/20201203-NATO-MUG-update/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20201203-NATO-MUG-update/circl.png differ
diff --git a/20201203-NATO-MUG-update/content.tex b/20201203-NATO-MUG-update/content.tex
new file mode 100644
index 0000000..9fbef75
--- /dev/null
+++ b/20201203-NATO-MUG-update/content.tex
@@ -0,0 +1,222 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{The aim of this presentation}
+ \begin{itemize}
+ \item A small update on the state of MISP's ongoing development
+ \item Some insight into what new tools we have at our disposal
+ \item What can we expect in the coming months
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP's evolution since the last MUG}
+ \begin{itemize}
+ \item Since the last MUG (18/06/2020) we've had:
+ \begin{itemize}
+ \item 8 releases
+ \item 2170 commits
+ \item 50 contributors contributing to the core software and its components
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{So what were the main changes?}
+ \begin{itemize}
+ \item The usual {\bf bug- and usability-fixes, quality of life improvements}
+ \item Constant internal refactors to prepare us for moving to a more {\bf modern software stack}
+ \item Security fixes, including {\bf several CVEs} (keep your MISP up to date!)
+ \item Constantly evolving {\bf context libraries and integrations}
+ \item Several major features (some that were in development for most of the year)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event Reports}
+\begin{itemize}
+ \item MISP's strength has always been {\bf structured information sharing}
+ \item {\bf Analyst to Analyst} sharing has been somewhat neglected
+ \item The new {\bf Event Report system} aims to address this!
+ \item Create {\bf markdown reports} manually...
+ \item ...or ingest reports as a starting point
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event Reports}
+\includegraphics[scale=0.18]{images/eventreport.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Event Reports}
+\begin{itemize}
+ \item Style the text via a live markdown editor
+ \item Use custom MISP syntax to {\bf reference MISP attributes/objects}
+ \item {\bf Share} the reports along with events
+ \item {\bf Restrict the distribution} to subsets of recipients as you would with attributes
+ \item Massive toolkit for crafting {\bf complex, rich reports}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Galaxy 2.0}
+\begin{itemize}
+ \item Historically, {\bf higher level contextualisation was quite rigid} in MISP
+ \item Galaxies functioned as "tags with extra metadata"
+ \item Whilst we could use it to associate our technical data with higher level context...
+ \item ...we had no way of redefining the context
+ \item We also had no way of encoding our knowledge about how these {\bf concepts were interlinked}
+ \item For the past year, our colleague Sami Mokaddem has been working on a solution
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Galaxy 2.0 - create, modify, fork}
+\begin{itemize}
+ \item In Galaxy 2.0, in addition to the standard libraries, we introduce the concept of {\bf custom galaxies}
+ \item Create {\bf new libraries}, add {\bf new elements} to existing ones, or create {\bf counter-analyses / forks}
+ \item Galaxy clusters now follow similar {\bf distribution rules} as all other first class citizens in MISP
+\end{itemize}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.15]{images/galaxy20.png}}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Cerebrate}
+\begin{itemize}
+ \item A new open-source tool that we're working on
+ \item Central component of the {\bf Melicertes} project
+ \item {\bf Management and orchestration} tool for communities
+ \item Manage {\bf organisations, contact information, sharing groups, tool peering}
+ \item First integration with MISP is available already, allows MISP to lookup organisation information
+ \item We are launching a {\bf misp-project instance} to centralise organisation uuid management/validation
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Dashboarding}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.19]{images/cerebrate.png}}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.19]{images/mispcerebrate.png}}
+\end{frame}
+
+\begin{frame}
+\frametitle{Cerebrate}
+\begin{itemize}
+ \item In the future we'll expand the use-cases and integrations with MISP
+ \item Ease the {\bf interconnection of MISPs} for synchronisation
+ \item Manage {\bf MISPs and MISP users} for organisations with multiple MISPs
+ \item Lookup system for public keys for {\bf information veracity validation}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{New API key system}
+\begin{itemize}
+ \item {\bf On-demand} functionality
+ \item Stores API keys hashed
+ \item {\bf Multiple keys per user} account
+ \item Individual {\bf expiration} and {\bf descriptions} for the API keys
+ \item Tooling for a painless transition to the modern API key system
+\end{itemize}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.32]{images/authkey.png}}
+\end{frame}
+
+\begin{frame}
+\frametitle{Interoperability}
+\begin{itemize}
+ \item Constant co-operation with vendors
+ \item We've had several new integrations contributed by 3rd parties and developed in-house
+ \item Several more integrations in the pipe, both with proprietary and OSS tools
+ \item New integrations are supporting the {\bf rich MISP standard format} going beyond simple IoC sharing
+ \begin{itemize}
+ \item Some notable ones: Intel 471 MISP feeds, Farsight dnsdb 2 misp-modules, etc
+ \end{itemize}
+ \item Constant improvements for {\bf standard specific} integrations (such as STIX 2.1)
+ \item Collaboration with other CSIRTs on building a larger {\bf eco-system of OSS tools} (Melicertes)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Knowledge base and classification libraries}
+\begin{itemize}
+ \item Constant flow of new libraries and improvements
+ \item Many topical libraries, some examples:
+ \begin{itemize}
+ \item China Defence Universities Tracker
+ \item SoD-Matrix (Segregation (or separation) of Duties (SoD) Matrix for CSIRTs, LEA and Judiciary)
+ \end{itemize}
+ \item ATT\&CK sub-techniques have been mapped (Thanks to Christophe Vandeplas!)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{SoD matrix example}
+\begin{itemize}
+ \item Describe domain specific libraries using the ATT\&CK methodology
+ \item Lends itself to a lot of different use-cases
+\end{itemize}
+\noindent\makebox[\textwidth]{%
+\includegraphics[scale=0.21]{images/SoD.png}}
+\end{frame}
+
+\begin{frame}
+\frametitle{What's in the pipe?}
+\begin{itemize}
+ \item Long overdue move to a more {\bf modern stack} - in progress behind the scenes for a while
+ \item Cerebrate also acts as our playground for the modern stack
+ \item Larger focus on {\bf community management}
+ \item Cryptographic {\bf signing of data}
+ \item MISP over the past 2 years has heavily shifted focus to also include higher level threat intel sharing
+ \item Even though we now have the systems in place, we expect to capitalise on and improve these features heavily
+ \item {\bf New release pipeline} that we've switched to right now (to accomodate the additional testing)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{To sum it all up...}
+ \begin{itemize}
+ \item The MISP {\bf developer community is constantly growing} and improvements are coming in at a crazy rate
+ \item We have {\bf wrapped up several longer projects} that have been underway for over a year recently
+ \item The main focus this year has been {\bf fleshing out threat intelligence and contextual} information sharing
+ \item As well as {\bf community management} to tackle our growing and more interconnected community networks
+ \item We have more ideas than can be implemented with days only having 24 hours, there are {\bf many ways to get involved}
+ \item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact CIRCL
+ \begin{itemize}
+ \item info@circl.lu
+ \item \url{https://twitter.com/circl_lu}
+ \item \url{https://www.circl.lu/}
+ \end{itemize}
+ \item Contact MISPProject
+ \begin{itemize}
+ \item \url{https://github.com/MISP}
+ \item \url{https://gitter.im/MISP/MISP}
+ \item \url{https://twitter.com/MISPProject}
+ \end{itemize}
+ \item Cerebrate project
+ \begin{itemize}
+ \item \url{https://github.com/cerebrate-project}
+ \item \url{https://github.com/cerebrate-project/cerebrate}
+ \end{itemize}
+ \item Join the COVID-19 MISP community
+ \begin{itemize}
+ \item \url{https://covid-19.iglocska.eu}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/20201203-NATO-MUG-update/covid.png b/20201203-NATO-MUG-update/covid.png new file mode 100644
index 0000000..e6e869f Binary files /dev/null and b/20201203-NATO-MUG-update/covid.png differ
diff --git a/20201203-NATO-MUG-update/creativity.png b/20201203-NATO-MUG-update/creativity.png new file mode 100644
index 0000000..d9878e2 Binary files /dev/null and b/20201203-NATO-MUG-update/creativity.png differ
diff --git a/20201203-NATO-MUG-update/dashboard-trendings.png b/20201203-NATO-MUG-update/dashboard-trendings.png new file mode 100644
index 0000000..e8937e4 Binary files /dev/null and b/20201203-NATO-MUG-update/dashboard-trendings.png differ
diff --git a/20201203-NATO-MUG-update/decaying-basescore.png b/20201203-NATO-MUG-update/decaying-basescore.png new file mode 100644
index 0000000..d21e261 Binary files /dev/null and b/20201203-NATO-MUG-update/decaying-basescore.png differ
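Review bot: The frame titled `Dashboarding`, sitting between the two `Cerebrate` frames, shows only `images/cerebrate.png` and `images/mispcerebrate.png`, so the title looks like a leftover from an earlier deck; judging by the image names, `\frametitle{Cerebrate}` is what was meant, but please confirm against the screenshots. In the Galaxy 2.0 frame, `"tags with extra metadata"` uses straight double quotes, which pdflatex typesets as two closing quotes; replace each `"` with LaTeX's opening ``` `` ``` and closing `''` pair. In the "What's in the pipe?" frame, `accomodate` should read `accommodate`. Cosmetic only: the deck uses `{\bf ...}` throughout, where `\textbf{...}` is the LaTeX2e form.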
diff --git a/20201203-NATO-MUG-update/decaying-event.png b/20201203-NATO-MUG-update/decaying-event.png new file mode 100644 index 0000000..553b9e7 Binary files /dev/null and b/20201203-NATO-MUG-update/decaying-event.png differ diff --git a/20201203-NATO-MUG-update/decaying-index.png b/20201203-NATO-MUG-update/decaying-index.png new file mode 100644 index 0000000..c8c9754 Binary files /dev/null and b/20201203-NATO-MUG-update/decaying-index.png differ diff --git a/20201203-NATO-MUG-update/decaying-simulation.png b/20201203-NATO-MUG-update/decaying-simulation.png new file mode 100644 index 0000000..8252a09 Binary files /dev/null and b/20201203-NATO-MUG-update/decaying-simulation.png differ diff --git a/20201203-NATO-MUG-update/decaying-tool.png b/20201203-NATO-MUG-update/decaying-tool.png new file mode 100644 index 0000000..ff8c298 Binary files /dev/null and b/20201203-NATO-MUG-update/decaying-tool.png differ diff --git a/20201203-NATO-MUG-update/en_cef.png b/20201203-NATO-MUG-update/en_cef.png new file mode 100644 index 0000000..5fed070 Binary files /dev/null and b/20201203-NATO-MUG-update/en_cef.png differ diff --git a/20201203-NATO-MUG-update/galaxy-ransomware.png b/20201203-NATO-MUG-update/galaxy-ransomware.png new file mode 100644 index 0000000..5cf42cc Binary files /dev/null and b/20201203-NATO-MUG-update/galaxy-ransomware.png differ diff --git a/20201203-NATO-MUG-update/images/SoD.png b/20201203-NATO-MUG-update/images/SoD.png new file mode 100644 index 0000000..b95a9ec Binary files /dev/null and b/20201203-NATO-MUG-update/images/SoD.png differ diff --git a/20201203-NATO-MUG-update/images/authkey.png b/20201203-NATO-MUG-update/images/authkey.png new file mode 100644 index 0000000..46174b9 Binary files /dev/null and b/20201203-NATO-MUG-update/images/authkey.png differ 
diff --git a/20201203-NATO-MUG-update/images/cerebrate.png b/20201203-NATO-MUG-update/images/cerebrate.png new file mode 100644
index 0000000..3b9d4db Binary files /dev/null and b/20201203-NATO-MUG-update/images/cerebrate.png differ
diff --git a/20201203-NATO-MUG-update/images/dashboard.png b/20201203-NATO-MUG-update/images/dashboard.png new file mode 100644
index 0000000..d163f4d Binary files /dev/null and b/20201203-NATO-MUG-update/images/dashboard.png differ
diff --git a/20201203-NATO-MUG-update/images/eventreport.png b/20201203-NATO-MUG-update/images/eventreport.png new file mode 100644
index 0000000..6f74bbe Binary files /dev/null and b/20201203-NATO-MUG-update/images/eventreport.png differ
diff --git a/20201203-NATO-MUG-update/images/galaxy20.png b/20201203-NATO-MUG-update/images/galaxy20.png new file mode 100644
index 0000000..97911ac Binary files /dev/null and b/20201203-NATO-MUG-update/images/galaxy20.png differ
diff --git a/20201203-NATO-MUG-update/images/mispcerebrate.png b/20201203-NATO-MUG-update/images/mispcerebrate.png new file mode 100644
index 0000000..d58796f Binary files /dev/null and b/20201203-NATO-MUG-update/images/mispcerebrate.png differ
diff --git a/20201203-NATO-MUG-update/images/timeline.png b/20201203-NATO-MUG-update/images/timeline.png new file mode 100644
index 0000000..23ff19b Binary files /dev/null and b/20201203-NATO-MUG-update/images/timeline.png differ
diff --git a/20201203-NATO-MUG-update/logo-circl.pdf b/20201203-NATO-MUG-update/logo-circl.pdf new file mode 100755
index 0000000..62c9239 Binary files /dev/null and b/20201203-NATO-MUG-update/logo-circl.pdf differ
diff --git a/20201203-NATO-MUG-update/makefile b/20201203-NATO-MUG-update/makefile new file mode 100644
index 0000000..6e5a51d
--- /dev/null
+++ b/20201203-NATO-MUG-update/makefile
@@ -0,0 +1,5 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
+
+clean:
+ rm *.aux *.nav *.log *.snm *.toc *.vrb
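Review bot: `clean` calls `rm` without `-f`, so on a fresh checkout (or a second `make clean`) any glob with no match makes `rm` fail and `make` reports an error; the usual form is `rm -f *.aux *.nav *.log *.snm *.toc *.vrb`. Neither target is declared phony, so a stray file named `all` or `clean` in the directory would silently skip it; add `.PHONY: all clean` at the top. `all` also runs pdflatex only once, and since slide.tex in this same commit uses `\usetheme[numbering=progressbar]{focus}`, the total-frame count for the bar presumably comes from the `.aux` of a previous run, so a single pass on a clean tree likely leaves it wrong — running pdflatex twice, or delegating to latexmk, would be safer (I have not checked the theme's implementation).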
diff --git a/20201203-NATO-MUG-update/misp.pdf b/20201203-NATO-MUG-update/misp.pdf new file mode 100644
index 0000000..f7a3f9d Binary files /dev/null and b/20201203-NATO-MUG-update/misp.pdf differ
diff --git a/20201203-NATO-MUG-update/misplogo.pdf b/20201203-NATO-MUG-update/misplogo.pdf new file mode 100755
index 0000000..60da568 Binary files /dev/null and b/20201203-NATO-MUG-update/misplogo.pdf differ
diff --git a/20201203-NATO-MUG-update/object.png b/20201203-NATO-MUG-update/object.png new file mode 100644
index 0000000..acebf04 Binary files /dev/null and b/20201203-NATO-MUG-update/object.png differ
diff --git a/20201203-NATO-MUG-update/sighting-n.png b/20201203-NATO-MUG-update/sighting-n.png new file mode 100644
index 0000000..f9ec127 Binary files /dev/null and b/20201203-NATO-MUG-update/sighting-n.png differ
diff --git a/20201203-NATO-MUG-update/slide.tex b/20201203-NATO-MUG-update/slide.tex new file mode 100644
index 0000000..7361147
--- /dev/null
+++ b/20201203-NATO-MUG-update/slide.tex
@@ -0,0 +1,25 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{\input{../includes/authors.txt}}}
+\title{MISP status update}
+\subtitle{Improvements since the last MUG and the future roadmap}
+\institute{\includegraphics[scale=0.5]{misplogo.pdf}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+
+\date{\input{../includes/location.txt}}
+\begin{document}
+\include{content}
+\end{document}
+
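Review bot: `\include{content}` forces a `\clearpage` and writes a separate `content.aux`; for a single fragment that only this driver pulls in, `\input{content}` is the conventional form and matches the fragment's own header comment ("This is included by the other .tex files") in this commit. The preamble also loads `tikz`, `listings`, `adjustbox` and two tikz libraries, but nothing in the content.tex hunk of this commit uses them (it needs only `\includegraphics` and `\url`, which beamer already provides), so as far as this diff shows they can be dropped. Minor: `\small` is a declaration, so `{\small \input{../includes/authors.txt}}` is the intended spelling of the `\author` argument, although `\small{...}` happens to produce the same result here.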
diff --git a/20201203-NATO-MUG-update/taxonomy-workflow.png b/20201203-NATO-MUG-update/taxonomy-workflow.png new file mode 100644 index 0000000..f4789ad Binary files /dev/null and b/20201203-NATO-MUG-update/taxonomy-workflow.png differ diff --git a/20201203-NATO-MUG-update/timeline-misp-overview.png b/20201203-NATO-MUG-update/timeline-misp-overview.png new file mode 100644 index 0000000..23ff19b Binary files /dev/null and b/20201203-NATO-MUG-update/timeline-misp-overview.png differ diff --git a/20201203-NATO-MUG-update/timeline.jpeg b/20201203-NATO-MUG-update/timeline.jpeg new file mode 100644 index 0000000..d60db13 Binary files /dev/null and b/20201203-NATO-MUG-update/timeline.jpeg differ diff --git a/20201203-NATO-MUG-update/warning-list-event.png b/20201203-NATO-MUG-update/warning-list-event.png new file mode 100644 index 0000000..22c6423 Binary files /dev/null and b/20201203-NATO-MUG-update/warning-list-event.png differ diff --git a/20201203-NATO-MUG-update/warning-list.png b/20201203-NATO-MUG-update/warning-list.png new file mode 100644 index 0000000..f151ded Binary files /dev/null and b/20201203-NATO-MUG-update/warning-list.png differ diff --git a/20201203-NATO-MUG-update/workflow_initial.png b/20201203-NATO-MUG-update/workflow_initial.png new file mode 100644 index 0000000..7c6b54c Binary files /dev/null and b/20201203-NATO-MUG-update/workflow_initial.png differ diff --git a/20201203-NATO-MUG-update/workflow_initial2.png b/20201203-NATO-MUG-update/workflow_initial2.png new file mode 100644 index 0000000..d384c34 Binary files /dev/null and b/20201203-NATO-MUG-update/workflow_initial2.png differ diff --git a/20201203-NATO-MUG-update/x-isac-logo.png b/20201203-NATO-MUG-update/x-isac-logo.png new file mode 100755 index 0000000..21c68bc Binary files /dev/null and b/20201203-NATO-MUG-update/x-isac-logo.png differ