diff --git a/x.1-belgomisp/Sightings2.PNG b/x.1-belgomisp/Sightings2.PNG new file mode 100644 index 0000000..cd35990 Binary files /dev/null and b/x.1-belgomisp/Sightings2.PNG differ diff --git a/x.1-belgomisp/attack-screenshot.png b/x.1-belgomisp/attack-screenshot.png new file mode 100644 index 0000000..44cf2ff Binary files /dev/null and b/x.1-belgomisp/attack-screenshot.png differ diff --git a/x.1-belgomisp/attack.png b/x.1-belgomisp/attack.png new file mode 100644 index 0000000..11b53d1 Binary files /dev/null and b/x.1-belgomisp/attack.png differ diff --git a/x.1-belgomisp/attack_like.png b/x.1-belgomisp/attack_like.png new file mode 100644 index 0000000..af14fc1 Binary files /dev/null and b/x.1-belgomisp/attack_like.png differ diff --git a/x.1-belgomisp/bankaccount.png b/x.1-belgomisp/bankaccount.png new file mode 100644 index 0000000..94eb5cc Binary files /dev/null and b/x.1-belgomisp/bankaccount.png differ diff --git a/x.1-belgomisp/bankview.png b/x.1-belgomisp/bankview.png new file mode 100644 index 0000000..ce629c1 Binary files /dev/null and b/x.1-belgomisp/bankview.png differ diff --git a/x.1-belgomisp/circl.png b/x.1-belgomisp/circl.png new file mode 100644 index 0000000..c570ff2 Binary files /dev/null and b/x.1-belgomisp/circl.png differ diff --git a/x.1-belgomisp/community.png b/x.1-belgomisp/community.png new file mode 100644 index 0000000..2964acb Binary files /dev/null and b/x.1-belgomisp/community.png differ diff --git a/x.1-belgomisp/community_request.png b/x.1-belgomisp/community_request.png new file mode 100644 index 0000000..2964acb Binary files /dev/null and b/x.1-belgomisp/community_request.png differ diff --git a/x.1-belgomisp/content.tex b/x.1-belgomisp/content.tex new file mode 100644 index 0000000..6814d7c --- /dev/null +++ b/x.1-belgomisp/content.tex @@ -0,0 +1,260 @@ +% DO NOT COMPILE THIS FILE DIRECTLY! +% This is included by the other .tex files. + +\begin{frame} +\titlepage +\end{frame} + +\begin{frame} + \frametitle{What happened in the past 6 months?} + \begin{itemize} + \item {\bf 13} new MISP {\bf releases} - on track for ~2 / month + \item Over {\bf 2000 commits} for the core alone from {\bf 34 contributors} + \item Progress on a massive rework that is underways + \item Before we get to the highlights... + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Standardisation for open source formats} + \begin{itemize} + \item \url{https://www.misp-standard.org} + \item Standardising the {\bf MISP related} and {\bf other open source} formats + \item We want a vehicle for publishing standards {\bf without giving up control} + \item Let us know if you would like to be listed! + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Steady growth in efforts to share refined information} + \begin{itemize} + \item Both on a {\bf data} and a {\bf context} level + \item Growth in the {\bf community's} and {\bf tooling's} maturity + \item {\bf ATT\&CK}'s quick adoption is partially to blame for recent surge + \item Also a side effect of MISP becoming a sharing tool for completely {\bf different domains} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Object relations} + \begin{center} + \includegraphics[width=1.0\linewidth]{story.png} + \end{center} +\end{frame} + + +\begin{frame} + \frametitle{ATT\&CK} + \begin{center} + \includegraphics[width=1.0\linewidth]{attack.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{ATT\&CK like matrices} + \begin{center} + \includegraphics[width=1.0\linewidth]{attack_like.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Community management} + \begin{itemize} + \item Sectorial, regional, topical groupings becoming more organised + \item Inherently more difficult to find the right communities + \item We're starting to build an opt-in {\bf community registry} + \item Still very early days, but let us know if you would like to {\bf announce yourselves}! + \end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{Community request} + \begin{center} + \includegraphics[width=1.0\linewidth]{community_request.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Sightings improved} + \begin{itemize} + \item More organisations involved in the feedback-loop of reporting back sightings + \item Sighting synchronisation improved + \item Alternate sighting back-end for heavy, bulk sightings + \item SightingDB, open source, developed by Devo + \item Experimental for now, but fully functional. + \item SightingDB standard for alternate implementations via misp-standard.org + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Various improvements to taxonomies} + \begin{itemize} + \item Tag exclusivity allows for taxonomies with inherent rules + \begin{itemize} + \item For example: It makes no sense to have multiple TLP tags on an event + \item You can also restrict on a predicate level + \end{itemize} + \item Require taxonomies to be set + \begin{itemize} + \item Certain taxonomies can be set as requirements for publishing in a community + \item Example: No TLP/PAP? No right to publish. + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Alerting rules} + \begin{itemize} + \item First steps for our user settings system + \item Customise the rules that decide what you want to get alerted on + \end{itemize} + \begin{center} + \includegraphics[width=0.8\linewidth]{publish_alert.png} + \end{center} +\end{frame} + +\begin{frame} + \frametitle{Decaying of indicators} + \begin{itemize} + \item MISP has a powerful toolbox that allows users to filter their dataset based on their needs + \item We were still missing a way to use all of these systems in combination to decay indicators + \item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models} + \item Decay models would take into account various \textbf{taxonomies}, \textbf{sightings}, the \textbf{type} of each indicator \textbf{Sightings} and \textbf{Creation date} + \item The first iteration of what we have in MISP now took: + \begin{itemize} + \item 2 years of research + \item 3 published research papers + \item A lot of prototyping + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Scoring Indicators: Our solution} + $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$ + Where,\vspace{0.5cm} + \begin{itemize} + \item \texttt{score} $ \in [0, 100] $ + \item \texttt{base\_score} $ \in [0, 100] $ + \item \texttt{decay} is a function defined by model's parameters controlling decay speed + \item \texttt{Attribute} Contains \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)} + \item \texttt{Model} Contains the \textit{Model}'s configuration + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: \texttt{Event/view}} + \includegraphics[width=1.00\linewidth]{decaying-event.png} + \begin{itemize} + \item \texttt{Decay score} toggle button + \begin{itemize} + \item Shows Score for each \textit{Models} associated to the \textit{Attribute} type + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Implementation in MISP: API result} + \texttt{/attributes/restSearch} + \begin{lstlisting} +"Attribute": [ + { + "category": "Network activity", + "type": "ip-src", + "to_ids": true, + "timestamp": "1565703507", + [...] + "value": "8.8.8.8", + "decay_score": [ + { + "score": 54.475223849544456, + "decayed": false, + "DecayingModel": { + "id": "85", + "name": "NIDS Simple Decaying Model" + } + } + ], +[...] + \end{lstlisting} +\end{frame} + + +\begin{frame} + \frametitle{Implementation in MISP: Index} + \includegraphics[width=1.00\linewidth]{decaying-index.png} + View, update, add, create, delete, enable, export, import +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: Fine tuning tool} + \includegraphics[width=1.00\linewidth]{decaying-tool.png} + Create, modify, visualise, perform mapping +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: \texttt{base\_score} tool} + \includegraphics[width=1.00\linewidth]{decaying-basescore.png} + Adjust Taxonomies relative weights +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: simulation tool} + \includegraphics[width=1.00\linewidth]{decaying-simulation.png} + Simulate \textit{Attributes} with different \textit{Models} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Implementation in MISP: API query body} + \texttt{/attributes/restSearch} + \begin{lstlisting} +{ + "includeDecayScore": 1, + "includeFullModel": 0, + "excludeDecayed": 0, + "decayingModel": [85], + "modelOverrides": { + "threshold": 30 + } + "score": 30, +} + \end{lstlisting} +\end{frame} + +\begin{frame} + \frametitle{Where do we go from here?} + \begin{itemize} + \item Massive list of features/todos + \item Most immediate ones we're working on: + \begin{itemize} + \item {\bf Community management} via a new, related tool called {\bf Cerebrate} coming 2020 + \item {\bf Custom galaxies}, editing in MISP directly + \item Massive {\bf rework} moving MISP to a more modern version of the framework + \item Internal refactor / deprecation of old baggage + \item {\bf New UI} + \end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{Get in touch if you have any questions} + \begin{itemize} + \item Contact CIRCL + \begin{itemize} + \item info@circl.lu + \item \url{https://twitter.com/circl_lu} + \item \url{https://www.circl.lu/} + \end{itemize} + \item Contact MISPProject + \begin{itemize} + \item \url{https://github.com/MISP} + \item \url{https://gitter.im/MISP/MISP} + \item \url{https://twitter.com/MISPProject} + \end{itemize} + \item Poke me directly + \begin{itemize} + \item \url{https://twitter.com/iglocska} + \end{itemize} + \end{itemize} +\end{frame} diff --git a/x.1-belgomisp/creativity.png b/x.1-belgomisp/creativity.png new file mode 100644 index 0000000..d9878e2 Binary files /dev/null and b/x.1-belgomisp/creativity.png differ diff --git a/x.1-belgomisp/dashboard-trendings.png b/x.1-belgomisp/dashboard-trendings.png new file mode 100644 index 0000000..e8937e4 Binary files /dev/null and b/x.1-belgomisp/dashboard-trendings.png differ diff --git a/x.1-belgomisp/decaying-basescore.png b/x.1-belgomisp/decaying-basescore.png new file mode 100644 index 0000000..d21e261 Binary files /dev/null and b/x.1-belgomisp/decaying-basescore.png differ diff --git a/x.1-belgomisp/decaying-event.png b/x.1-belgomisp/decaying-event.png new file mode 100644 index 0000000..553b9e7 Binary files /dev/null and b/x.1-belgomisp/decaying-event.png differ diff --git a/x.1-belgomisp/decaying-index.png b/x.1-belgomisp/decaying-index.png new file mode 100644 index 0000000..c8c9754 Binary files /dev/null and b/x.1-belgomisp/decaying-index.png differ diff --git a/x.1-belgomisp/decaying-simulation.png b/x.1-belgomisp/decaying-simulation.png new file mode 100644 index 0000000..8252a09 Binary files /dev/null and b/x.1-belgomisp/decaying-simulation.png differ diff --git a/x.1-belgomisp/decaying-tool.png b/x.1-belgomisp/decaying-tool.png new file mode 100644 index 0000000..ff8c298 Binary files /dev/null and b/x.1-belgomisp/decaying-tool.png differ diff --git a/x.1-belgomisp/en_cef.png b/x.1-belgomisp/en_cef.png new file mode 100644 index 0000000..5fed070 Binary files /dev/null and b/x.1-belgomisp/en_cef.png differ diff --git a/x.1-belgomisp/galaxy-ransomware.png b/x.1-belgomisp/galaxy-ransomware.png new file mode 100644 index 0000000..5cf42cc Binary files /dev/null and b/x.1-belgomisp/galaxy-ransomware.png differ diff --git a/x.1-belgomisp/logo-circl.pdf b/x.1-belgomisp/logo-circl.pdf new file mode 100755 index 0000000..62c9239 Binary files /dev/null and b/x.1-belgomisp/logo-circl.pdf differ diff --git a/x.1-belgomisp/misp.pdf b/x.1-belgomisp/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/x.1-belgomisp/misp.pdf differ diff --git a/x.1-belgomisp/misplogo.pdf b/x.1-belgomisp/misplogo.pdf new file mode 100755 index 0000000..60da568 Binary files /dev/null and b/x.1-belgomisp/misplogo.pdf differ diff --git a/x.1-belgomisp/object.png b/x.1-belgomisp/object.png new file mode 100644 index 0000000..acebf04 Binary files /dev/null and b/x.1-belgomisp/object.png differ diff --git a/x.1-belgomisp/publish_alert.png b/x.1-belgomisp/publish_alert.png new file mode 100644 index 0000000..16c0869 Binary files /dev/null and b/x.1-belgomisp/publish_alert.png differ diff --git a/x.1-belgomisp/publish_rules.png b/x.1-belgomisp/publish_rules.png new file mode 100644 index 0000000..16c0869 Binary files /dev/null and b/x.1-belgomisp/publish_rules.png differ diff --git a/x.1-belgomisp/sighting-n.png b/x.1-belgomisp/sighting-n.png new file mode 100644 index 0000000..f9ec127 Binary files /dev/null and b/x.1-belgomisp/sighting-n.png differ diff --git a/x.1-belgomisp/slide.tex b/x.1-belgomisp/slide.tex new file mode 100644 index 0000000..33d9331 --- /dev/null +++ b/x.1-belgomisp/slide.tex @@ -0,0 +1,25 @@ +\documentclass{beamer} +\usetheme[numbering=progressbar]{focus} +\definecolor{main}{RGB}{47, 161, 219} +\definecolor{textcolor}{RGB}{128, 128, 128} +\definecolor{background}{RGB}{240, 247, 255} + +\usepackage[utf8]{inputenc} +\usepackage{tikz} +\usepackage{listings} +\usepackage{adjustbox} +\usetikzlibrary{positioning} +\usetikzlibrary{shapes,arrows} +%\usepackage[T1]{fontenc} +%\usepackage[scaled]{beramono} +\author{\small{\input{../includes/authors.txt}}} +\title{MISP development update} +\subtitle{6 momths update} +\institute{\includegraphics[scale=0.5]{misplogo.pdf}} +\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}} + +\date{\input{../includes/location.txt}} +\begin{document} +\include{content} +\end{document} + diff --git a/x.1-belgomisp/story.png b/x.1-belgomisp/story.png new file mode 100644 index 0000000..f14981a Binary files /dev/null and b/x.1-belgomisp/story.png differ diff --git a/x.1-belgomisp/taxonomy-workflow.png b/x.1-belgomisp/taxonomy-workflow.png new file mode 100644 index 0000000..f4789ad Binary files /dev/null and b/x.1-belgomisp/taxonomy-workflow.png differ diff --git a/x.1-belgomisp/warning-list-event.png b/x.1-belgomisp/warning-list-event.png new file mode 100644 index 0000000..22c6423 Binary files /dev/null and b/x.1-belgomisp/warning-list-event.png differ diff --git a/x.1-belgomisp/warning-list.png b/x.1-belgomisp/warning-list.png new file mode 100644 index 0000000..f151ded Binary files /dev/null and b/x.1-belgomisp/warning-list.png differ diff --git a/x.1-belgomisp/workflow_initial.png b/x.1-belgomisp/workflow_initial.png new file mode 100644 index 0000000..7c6b54c Binary files /dev/null and b/x.1-belgomisp/workflow_initial.png differ diff --git a/x.1-belgomisp/workflow_initial2.png b/x.1-belgomisp/workflow_initial2.png new file mode 100644 index 0000000..d384c34 Binary files /dev/null and b/x.1-belgomisp/workflow_initial2.png differ diff --git a/x.1-belgomisp/x-isac-logo.png b/x.1-belgomisp/x-isac-logo.png new file mode 100755 index 0000000..21c68bc Binary files /dev/null and b/x.1-belgomisp/x-isac-logo.png differ