add: [introduction] first skeleton for all slides

0-misp-introduction-to-information-sharing/content.tex

@@ -0,0 +1,313 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}{Agenda}
+    \input{../includes/agenda.txt}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP and starting from a practical use-case}
+ \begin{itemize}
+         \item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
+         \item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
+         \item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
+         \item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
+         \item MISP is now {\bf a community-driven development}.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{about CIRCL}
+The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg and is operated by securitymadein.lu g.i.e.
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP and CIRCL}
+\begin{itemize}
+\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector.
+\item CIRCL leads the development of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
+\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
+\end{itemize}
+        \includegraphics{en_cef.png}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Development based on practical user feedback}
+\begin{itemize}
+\item There are many different types of users of an information sharing platform like MISP:
+        \begin{itemize}
+                \item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues.
+                \item {\bf Security analysts} searching, validating and using indicators in operational security.
+                \item {\bf Intelligence analysts} gathering information about specific adversary groups.
+                \item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
+                \item {\bf Risk analysis teams} willing to know about the new threats, likelyhood and occurences.
+                \item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds.
+        \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP model of governance}
+\includegraphics[scale=0.4]{governance.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Many objectives from different user-groups}
+        \begin{itemize}
+                \item Sharing indicators for a {\bf detection} matter.
+                        \begin{itemize}
+                                \item 'Do I have infected systems in my infrastructure or the ones I operate?'
+                        \end{itemize}
+                \item Sharing indicators to {\bf block}.
+                        \begin{itemize}
+                                \item 'I use these attributes to block, sinkhole or divert traffic.'
+                        \end{itemize}
+                \item Sharing indicators to {\bf perform intelligence}.
+                        \begin{itemize}
+                                \item 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
+                        \end{itemize}
+                \item $\rightarrow$ These objectives can be conflicting (e.g. False-positives have different impacts)
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Sharing Difficulties}
+        \begin{itemize}
+                \item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
+                \item Legal restriction\footnote{\url{https://www.misp-project.org/compliance/}}
+                        \begin{itemize}
+                                \item "Our legal framework doesn't allow us to share information."
+                                \item "Risk of information-leak is too high and it's too risky for our organization or partners."
+                        \end{itemize}
+                \item Practical restriction
+                        \begin{itemize}
+                                \item "We don't have information to share."
+                                \item "We don't have time to process or contribute indicators."
+                                \item "Our model of classification doesn't fit your model."
+                                \item "Tools for sharing information are tied to a specific format, we use a different one."
+                        \end{itemize}
+        \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+        \frametitle{MISP Project Overview}
+        \includegraphics[scale=0.35]{misp-overview-simplified.pdf}
+\end{frame}
+
+%\begin{frame}
+%        \frametitle{MISP Project Overview}
+%        \begin{columns}[t]
+%        \column{5.0cm}
+%        \begin{figure}
+%        \includegraphics[scale=0.20]{misp-overview.pdf}\\
+%        \end{figure}
+%        \column{7cm}
+%        \begin{itemize}
+%                \item The {\bf core project}\footnote{\url{http://github.com/MISP/}} (PHP/Python3) supports the backend, API \& UI.
+%                \item Modules (Python3) expand MISP functionalities.
+%                \item Taxonomies (JSON) to add categories \& global tagging.
+%                \item Warning-lists (JSON) help analysts to detect potential false-positives.
+%                \item Galaxy (JSON) to add threat-actors, tools or "intelligence".
+%                \item Objects (JSON) to allow for templated composition of security related atomic points of information.
+%        \end{itemize}
+%        \end{columns}
+%\end{frame}
+
+\begin{frame}
+ \frametitle{MISP features}
+ \begin{itemize}
+         \item MISP\footnote{\url{https://github.com/MISP/MISP}} is a threat information sharing free \& open source software.
+         \item MISP has {\bf a host of functionalities} that assist users in creating, collaborating \& sharing threat information - e.g. flexible sharing groups, {\bf automatic correlation}, free-text import helper, event distribution \& proposals.
+         \item Many export formats which support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ).
+         \item A rich set of MISP modules\footnote{\url{https://www.github.com/MISP/misp-modules}} to add expansion, import and export functionalities.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Correlation features: a tool for analysts}
+        \includegraphics[scale=0.18]{screenshots/campaign.png}
+        \begin{itemize}
+                \item To {\bf corroborate a finding} (e.g. is this the same campaign?), {\bf reinforce an analysis} (e.g. do other analysts have the same hypothesis?), {\bf confirm a specific aspect} (e.g. are the sinkhole IP addresses used for one campaign?) or just find if this {\bf threat is new or unknown in your community}.
+        \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Communities using MISP}
+ \begin{itemize}
+	 \item Communities are groups of users sharing within a set of common objectives/values.
+	 \item CIRCL operates multiple MISP instances with a significant user base (more than 950 organizations with more than 2400 users).
+     \item {\bf Trusted groups} running MISP communities in island mode (air gapped system) or partially connected mode.
+	 \item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
+	 \item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
+	 \item {\bf Security vendors} running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{MISP core distributed sharing functionality}
+\begin{itemize}
+\item MISPs' core functionality is sharing where everyone can be a consumer and/or a contributor/producer."
+\item Quick benefit without the obligation to contribute.
+\item Low barrier access to get acquainted to the system.
+\end{itemize}
+\includegraphics[scale=0.9]{misp-distributed.pdf}
+\end{frame}
+
+
+\begin{frame}
+        \frametitle{Events, Objects and Attributes in MISP}
+         \begin{itemize}
+                \item MISP events are encapsulations for contextually linked information
+                \item MISP attributes\footnote{attributes can be anything that helps describe the intent of the event package from indicators, vulnerabilities or any relevant information} initially started with a standard set of "cyber security" indicators.
+                \item MISP attributes are purely {\bf based on usage} (what people and organizations use daily).
+                \item Evolution of MISP attributes is based on practical usage \& users (e.g. the addition of {\bf financial indicators} in 2.4).
+                \item MISP objects are attribute compositions describing points of data using many facets, constructed along the lines of community and user defined templates.
+                \item Galaxies granularly contextualise, classify \& categorise data based on {\bf threat actors}, {\bf preventive measures}, tools used by adversaries.
+        \end{itemize}
+\end{frame}
+\begin{frame}
+        \frametitle{Sharing Attackers Techniques}
+        \begin{itemize}
+                \item MISP integrates at event or attribute level MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK).
+        \end{itemize}
+        \includegraphics[scale=0.2]{screenshots/attack-screenshot.png}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Supporting specific datamodel}
+        \includegraphics[scale=0.24]{screenshots/bankaccount.png}
+        \includegraphics[scale=0.18]{screenshots/bankview.png}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Terminology about Indicators}
+        \begin{itemize}
+                \item Indicators\footnote{IoC (Indicator of Compromise) is a subset of indicators}
+                        \begin{itemize}
+                                \item Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity.
+                        \end{itemize}
+                \item Attributes in MISP can be network indicators (e.g. IP address), system indicators (e.g. a string in memory) or even bank account details.
+                \begin{itemize}
+                        \item {\bf A type (e.g. MD5, url) is how an attribute is described}.
+                \end{itemize}
+                \begin{itemize}
+                \item An attribute is always in a category (e.g. Payload delivery) which puts it in a context.
+                        \begin{itemize}
+                                \item {\bf A category is what describes} an attribute.
+                        \end{itemize}
+                \item An IDS flag on an attribute allows to determine if {\bf an attribute can be automatically used for detection}.
+                \end{itemize}
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Helping Contributors in MISP}
+        \begin{itemize}
+            \item Contributors can use the UI, API or using the freetext import to add events and attributes.
+                \begin{itemize}
+                        \item Modules existing in Viper (a binary framework for malware reverser) to populate and use MISP from the vty or via your IDA.
+                \end{itemize}
+        \item Contribution can be direct by creating an event but {\bf users can propose attributes updates} to the event owner.
+            \item {\bf Users should not be forced to use a single interface to contribute}.
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Example: Freetext import in MISP}
+        \includegraphics[scale=0.3]{screenshots/freetext1.PNG}\\
+        \includegraphics[scale=0.3]{screenshots/freetxt2.PNG}\\
+        \includegraphics[scale=0.3]{screenshots/freetxt3.PNG}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Supporting Classification}
+        \begin{itemize}
+          \item Tagging is a simple way to attach a classification to an event or an attribute.
+          \item {\bf Classification must be globally used to be efficient}.
+          \item MISP includes a flexible tagging scheme where users can select from more than 42 existing taxonomies or create their own taxonomy.
+        \end{itemize}
+        \includegraphics[scale=0.20]{tags-2-4-70.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Supporting Sharing in MISP}
+\begin{itemize}
+        \item Delegate events publication to another organization (introduced in MISP 2.4.18).
+        \begin{itemize}
+                \item The other organization can take over the ownership of an event and provide {\bf pseudo-anonymity to initial organization}.
+        \end{itemize}
+        \item Sharing groups allow custom sharing (introduced in MISP 2.4) per event or even at attribute level.
+        \begin{itemize}
+                \item Sharing communities can be used locally or even cross MISP instances.
+                \item {\bf Sharing groups} can be done at {\bf event level or attributes level} (e.g. financial indicators shared to a financial sharing groups and cyber security indicators to CSIRT community).
+        \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Sightings support}
+        \begin{columns}[t]
+        \column{5.0cm}
+        \begin{figure}
+        \includegraphics[scale=0.3]{screenshots/sighting-n.png}\\
+        \includegraphics[scale=0.34]{screenshots/Sightings2.PNG}
+        \end{figure}
+        \column{7cm}
+        \begin{itemize}
+                \item Sightings allow users to notify the community about the activities related to an indicator.
+                \item In recent MISP versions, the sighting system supports negative sigthings (FP) and expiration sightings.
+                \item Sightings can be performed via the API, and the UI, even including the import of STIX sighting documents.
+                \item Many use-cases for scoring indicators based on users sighting.
+        \end{itemize}
+        \end{columns}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Improving Information Sharing in MISP}
+\begin{itemize}
+        \item False-positives are a recurring challenge in information sharing.
+        \item In MISP 2.4.39, we introduced the misp-warninglists\footnote{\url{https://github.com/MISP/misp-warninglists}} to help analysts in their day-to-day job.
+        \item Predefined lists of well-known indicators which are often false-positives like RFC1918 networks, public DNS resolver are included by default.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Improving support of sharing within and outside an organization}
+\begin{itemize}
+        \item Even in a single organization, multiple use-cases of MISP can appear (groups using it for dynamic malware analysis correlations, dispatching notification).
+        \item In MISP 2.4.51, we introduced the ability to have {\bf local MISP} servers connectivity to avoid changes in distribution level. This allows to have mixed synchronization setup within and outside an organization.
+        \item Feed support was also introduced to support synchronization between untrusted and trusted networks.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Bootstrapping MISP with indicators}
+        \begin{itemize}
+                \item We maintain the default CIRCL OSINT feeds (TLP:WHITE selected from our communities) in MISP to allow users to ease their bootstrapping.
+                \item The format of the OSINT feed is based on standard MISP JSON output pulled from a remote TLS/HTTP server.
+                \item Additional content providers can provide their own MISP feeds. (\url{https://botvrij.eu/})
+                \item Allows users to {\bf test their MISP installations and synchronisation with a real dataset}.
+                \item Opening contribution to other threat intel feeds but also allowing the analysis of overlapping data\footnote{A recurring challenge in information sharing}.
+        \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+        \frametitle{Conclusion}
+        \begin{itemize}
+                \item {\bf Information sharing practices come from usage} and by example (e.g. learning by imitation from the shared information).
+                \item MISP is just a tool. What matters is your sharing practices. The tool should be as transparent as possible to support you.
+                \item Enable users to customize MISP to meet their community's use-cases.
+                \item MISP project combines open source software, open standards, best practices and communities to make information sharing a reality.
+        \end{itemize}
+\end{frame}
+

0-misp-introduction-to-information-sharing/infosharing-introduction.tex

@@ -0,0 +1,36 @@
+\documentclass{beamer}
+%\usetheme[pageofpages=of,% String used between the current page and the
+%                         % total page count.
+%          bullet=circle,% Use circles instead of squares for bullets.
+%          titleline=true,% Show a line below the frame title.
+%          alternativetitlepage=true,% Use the fancy title page.
+%          titlepagelogo=logo-circl.pdf,% Logo for the first page.
+%          watermark=watermark-polito,% Watermark used in every page.
+%          watermarkheight=100px,% Height of the watermark.
+%          watermarkheightmult=4,% The watermark image is 4 times bigger
+                                % than watermarkheight.
+%          ]{Torino}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+
+\author{\small{\input{../includes/authors.txt}}}
+
+\title{An Introduction to Cybersecurity Information Sharing}
+\subtitle{MISP - Malware Information Sharing Platform \& Threat Sharing}
+\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
+\date{\input{../includes/location.txt}}
+
+\begin{document}
+\include{content}
+\end{document}
+

build.sh

@@ -0,0 +1,4 @@
+export TEXINPUTS=::`pwd`/themes/
+echo ${TEXINPUTS}
+cd 0-misp-introduction-to-information-sharing
+pdflatex infosharing-introduction.tex

includes/agenda.txt

@@ -0,0 +1,10 @@
+\begin{itemize}
+    \item (10:00 - 11:30) Introduction to Information Sharing with MISP
+    \item (11:30 - 11:40) Coffee break
+    \item (11:40 - 13:00) User perspective - diving into MISP functionalities and integration
+    \item (13:00 - 14:00) {\bf Lunch Break}
+    \item (14:00 - 15:30) Administrating your MISP instance
+    \item (15:30 - 15:40) Coffee break
+    \item (15:40 - 16:45) Building your information sharing communities - CSIRT and financial sectors
+    \item (16:45 - 17:15) Future - Sharing Ideas
+\end{itemize}

includes/authors.txt

@@ -0,0 +1 @@
+Team CIRCL

includes/location.txt

@@ -0,0 +1 @@
+MISP Training @ CIRCL \\ \small{20181218}

themes/beamercolorthemefocus.sty

@@ -0,0 +1,71 @@
+% Copyright (C) 2018 Pasquale Claudio Africa.
+%               2018 Sebastian Friedl.
+%
+% This file is part of beamerthemefocus.
+%
+% beamerthemefocus is free software: you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation, either version 3 of the License, or
+% (at your option) any later version.
+% 
+% beamerthemefocus is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details.
+% 
+% You should have received a copy of the GNU General Public License
+% along with beamerthemefocus. If not, see <http://www.gnu.org/licenses/>.
+
+\mode<presentation>
+
+
+% DEFINE COLORS. ---------------------------------------------------------------
+\definecolor{main}{RGB}{64, 64, 64}
+\definecolor{background}{RGB}{239, 239, 239}
+
+\definecolor{alert}{RGB}{180, 0, 0}
+\definecolor{example}{RGB}{0, 110, 0}
+
+
+% SET COLORS. ------------------------------------------------------------------
+\setbeamercolor{normal text}{fg=textcolor, bg=background}
+\setbeamercolor{alerted text}{fg=alert}
+\setbeamercolor{example text}{fg=example}
+
+\setbeamercolor{titlelike}{fg=background, bg=main}
+\setbeamercolor{frametitle}{parent={titlelike}}
+
+\setbeamercolor{footline}{fg=background, bg=main}
+
+\setbeamercolor{block title}{bg=main!80!background, fg=background}
+\setbeamercolor{block body}{bg=main!10!background, fg=main}
+
+\setbeamercolor{block title alerted}{bg=alert, fg=background}
+\setbeamercolor{block body alerted}{bg=alert!10!background, fg=main}
+
+\setbeamercolor{block title example}{bg=example, fg=background}
+\setbeamercolor{block body example}{bg=example!10!background, fg=main}
+
+\setbeamercolor{itemize item}{fg=main}
+\setbeamercolor{itemize subitem}{fg=main}
+
+\setbeamercolor{enumerate item}{fg=main!70!black}
+\setbeamercolor{enumerate subitem}{fg=main!70!black}
+
+\setbeamercolor{description item}{fg=main!70!black}
+\setbeamercolor{description subitem}{fg=main!70!black}
+
+\setbeamercolor{caption name}{fg=textcolor}
+
+\setbeamercolor{section in toc}{fg=textcolor}
+\setbeamercolor{subsection in toc}{fg=textcolor}
+\setbeamercolor{section number projected}{bg=textcolor}
+\setbeamercolor{subsection number projected}{bg=textcolor}
+
+\setbeamercolor{bibliography item}{fg=main}
+\setbeamercolor{bibliography entry author}{fg=main!70!black}
+\setbeamercolor{bibliography entry title}{fg=main}
+\setbeamercolor{bibliography entry location}{fg=main}
+\setbeamercolor{bibliography entry note}{fg=main}
+
+\mode<all>

themes/beamerfontthemefocus.sty

@@ -0,0 +1,47 @@
+% Copyright (C) 2018 Pasquale Claudio Africa.
+%               2018 Sebastian Friedl.
+%
+% This file is part of beamerthemefocus.
+%
+% beamerthemefocus is free software: you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation, either version 3 of the License, or
+% (at your option) any later version.
+% 
+% beamerthemefocus is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details.
+% 
+% You should have received a copy of the GNU General Public License
+% along with beamerthemefocus. If not, see <http://www.gnu.org/licenses/>.
+
+\mode<presentation>
+
+
+% SET FONTS. -------------------------------------------------------------------
+\setbeamerfont{title}{size=\huge, shape=\bfseries}
+\setbeamerfont{subtitle}{size=\Large, parent=structure}
+\setbeamerfont{author}{size=\scriptsize}
+
+\setbeamerfont{institute}{size=\normalsize}
+\setbeamerfont{date}{size=\scriptsize}
+
+\setbeamerfont{sectiontitle}{size=\huge, series=\scshape\bfseries}
+\setbeamerfont{frametitle}{size=\Large, shape=\scshape}
+
+\setbeamerfont{footline}{size=\scriptsize}
+
+\setbeamerfont{focusframe}{size=\huge, shape=\scshape}
+
+\setbeamerfont{description item}{shape=\bfseries}
+
+\setbeamerfont{caption name}{shape=\bfseries}
+
+\setbeamerfont{bibliography item}{size=\small, shape=\scshape}
+\setbeamerfont{bibliography entry author}{size=\small, shape=\scshape}
+\setbeamerfont{bibliography entry title}{size=\small, series=\scshape\bfseries}
+\setbeamerfont{bibliography entry location}{size=\small, shape=\scshape\normalfont}
+\setbeamerfont{bibliography entry note}{size=\small, shape=\scshape\normalfont}
+
+\mode<all>

themes/beamerinnerthemefocus.sty

@@ -0,0 +1,117 @@
+% Copyright (C) 2018 Pasquale Claudio Africa.
+%               2018 Sebastian Friedl.
+%
+% This file is part of beamerthemefocus.
+%
+% beamerthemefocus is free software: you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation, either version 3 of the License, or
+% (at your option) any later version.
+% 
+% beamerthemefocus is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details.
+% 
+% You should have received a copy of the GNU General Public License
+% along with beamerthemefocus. If not, see <http://www.gnu.org/licenses/>.
+
+\mode<presentation>
+
+\RequirePackage{tikz}
+
+
+% CUSTOMIZE STRUCTURE ELEMENTS. ------------------------------------------------
+\setbeamertemplate{blocks}[default]
+
+\setbeamertemplate{section in toc}[square]
+\setbeamertemplate{subsection in toc}[square]
+
+\setbeamertemplate{itemize items}[square]
+\setbeamertemplate{itemize subitem}[triangle]
+
+
+% STRUCTURE FRAME TEMPLATE DEFINITIONS. ----------------------------------------
+% Title page.
+\defbeamertemplate*{title page}{focus}{%
+    {\usebeamercolor{frametitle}\colorlet{focus@@temp}{bg}%
+        \begin{tikzpicture}[overlay, remember picture]
+            \fill[color=focus@@temp] (current page.north west) rectangle ([shift = {(0, -0.45\paperheight)}] current page.north east);
+        \end{tikzpicture}}
+    
+    \vspace{-1.65\baselineskip}
+    \begin{minipage}[b][0.35\paperheight]{\textwidth}
+        \vspace{\baselineskip}
+        \usebeamerfont{title}
+        \usebeamercolor[fg]{frametitle}
+        \inserttitle
+    \end{minipage}
+    
+    \begin{minipage}[t][0.1\paperheight]{\textwidth}
+        \usebeamerfont{subtitle}
+        \usebeamercolor[fg]{frametitle}
+        \insertsubtitle
+    \end{minipage}
+    
+    % Set the title graphic in a zero-height box, so that
+    % the position of other elements is not affected.
+    {\vfuzz=9999pt\vbox to 0pt {
+        \raggedleft
+        \inserttitlegraphic
+    }}
+    
+   
+    \vspace*{\baselineskip}
+    \begin{minipage}[t]{\textwidth}
+        \usebeamerfont{institute}
+        \insertinstitute
+    \end{minipage}
+    
+    \vspace*{\baselineskip}
+    \begin{minipage}[t]{\textwidth}
+        \usebeamerfont{date}{\insertdate}
+    \end{minipage}
+
+    
+    \vspace*{\baselineskip}
+    \vspace*{\baselineskip}
+    \vspace*{\baselineskip}
+    \vspace*{\baselineskip}
+    \begin{minipage}[t]{\textwidth}
+        \usebeamerfont{author}
+        \insertauthor
+    \end{minipage}
+    
+
+    \vspace*{5\baselineskip}
+    
+    \addtocounter{framenumber}{-1}
+}
+
+% Section page.
+\defbeamertemplate*{section page}{focus}{%
+    {%
+        \usebeamercolor{frametitle}\colorlet{focus@@temp}{bg}%
+        \begin{tikzpicture}[overlay, remember picture]
+            \fill[color=focus@@temp] (current page.north west) rectangle ([shift = {(0, -0.45\paperheight)}] current page.north east);
+        \end{tikzpicture}%
+    }
+    
+    \vspace{-2\baselineskip}
+    \begin{minipage}[b][0.45\paperheight]{\textwidth}
+        \usebeamerfont{sectiontitle}
+        \usebeamercolor[fg]{frametitle}
+        \let\hyperlink\@secondoftwo\insertsection
+    \end{minipage}
+    
+    \begin{minipage}[t][0.55\paperheight]{\textwidth}
+    \end{minipage}
+}
+
+\AtBeginSection{%
+    \begin{frame}[plain, noframenumbering]{}
+        \sectionpage
+    \end{frame}%
+}
+
+\mode<all>

themes/beamerouterthemefocus.sty

@@ -0,0 +1,255 @@
+% Copyright (C) 2018 Pasquale Claudio Africa.
+%               2018 Sebastian Friedl.
+%
+% This file is part of beamerthemefocus.
+%
+% beamerthemefocus is free software: you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation, either version 3 of the License, or
+% (at your option) any later version.
+% 
+% beamerthemefocus is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details.
+% 
+% You should have received a copy of the GNU General Public License
+% along with beamerthemefocus. If not, see <http://www.gnu.org/licenses/>.
+
+\mode<presentation>
+
+\RequirePackage{appendixnumberbeamer}% Don't number appendix frames.
+\RequirePackage{etoolbox}% \BeforeBeginEnvironment
+\RequirePackage{tikz}
+
+
+% FRAMETITLE TEMPLATES. --------------------------------------------------------
+\defbeamertemplate*{frametitle}{focus}{%
+    % If not title page.
+    \ifnum\value{framenumber}>0%
+        \vspace{-1pt}%
+        \begin{beamercolorbox}[wd=\paperwidth,leftskip=0.55cm,rightskip=0.55cm,sep=0.2cm]{frametitle}%
+            \strut\insertframetitle\strut%
+        \end{beamercolorbox}%
+    \fi%
+}
+
+% Plain header.
+\defbeamertemplate{frametitle}{plain}{%
+    % If not title page.
+    \ifnum\value{framenumber}>0%
+        \vspace{-1pt}%
+        \begin{beamercolorbox}[wd=\paperwidth,leftskip=0.55cm,rightskip=0.55cm,sep=0.2cm,ignorebg]{frametitle}%
+            \strut%
+        \end{beamercolorbox}%
+    \fi%
+}
+
+
+% FOOTLINE TEMPLATES. ----------------------------------------------------------
+% Lenghts for the progress bar footline.
+\newlength{\focus@pbar@height}% Progress bar height.
+\newlength{\focus@pbar@leftoffset}
+\newlength{\focus@pbar@rightoffset}
+
+\defbeamertemplate*{footline}{progressbar}{%
+    % If not appendix.
+    \ifnum\mainend<0% From package appendixnumberbeamer.
+        %
+        \settowidth{\focus@pbar@leftoffset}{1}%
+        \addtolength{\focus@pbar@leftoffset}{1.5em}%
+        %
+        \settowidth{\focus@pbar@rightoffset}{\inserttotalframenumber}%
+        \addtolength{\focus@pbar@rightoffset}{1.5em}%
+        %
+        % If not title page.
+        \ifnum\c@framenumber>0%
+            \ifnum\c@framenumber<\inserttotalframenumber%
+                \begin{tikzpicture}[inner xsep=0.5em, inner ysep=0.5ex]\usebeamerfont{footline}
+                    \pgfmathsetmacro{\focus@pbar@progress}%
+                        {(\paperwidth-\focus@pbar@leftoffset-\focus@pbar@rightoffset)*(\insertframenumber/\inserttotalframenumber)}
+                
+                    \clip (0,0) rectangle ++(\paperwidth,\the\focus@pbar@height);
+                    \fill[footline.bg] (0,0) rectangle ++(\the\focus@pbar@leftoffset,\the\focus@pbar@height);
+                    
+                    \fill[footline.bg] (\the\focus@pbar@leftoffset,0) rectangle ++(\focus@pbar@progress pt,\the\focus@pbar@height)
+                                       ++(0,{-0.5*\the\focus@pbar@height}) node[anchor=east, text=footline.fg] {\strut\insertframenumber};
+                    
+                    \fill[footline.bg] (\paperwidth,0) rectangle ++(-\the\focus@pbar@rightoffset,\the\focus@pbar@height)
+                                       ++(0,{-0.5*\the\focus@pbar@height}) node[anchor=west, text=footline.fg] {\strut\inserttotalframenumber};
+                \end{tikzpicture}%
+            \else%
+                \begin{tikzpicture}[inner xsep=0.5em, inner ysep=0.5ex]
+                    \clip (0,0) rectangle ++(\paperwidth,\the\focus@pbar@height);
+                    \fill[footline.bg] (0,0) rectangle ++(\paperwidth,\the\focus@pbar@height);
+                    
+                    \node[anchor=east, footline.fg] at ({\paperwidth-\the\focus@pbar@rightoffset},{0.5*\focus@pbar@height}) {\strut\insertframenumber};
+                    \node[footline.fg] at ({\paperwidth-\the\focus@pbar@rightoffset},{0.5*\focus@pbar@height}) {\strut/};
+                    \node[anchor=west, footline.fg] at ({\paperwidth-\the\focus@pbar@rightoffset},{0.5*\focus@pbar@height}) {\strut\inserttotalframenumber};
+                \end{tikzpicture}%
+            \fi%
+        \fi%
+    \fi%
+}
+
+% Full bar footline.
+\defbeamertemplate{footline}{fullbar}{%
+    % If not appendix.
+    \ifnum\mainend<0% From package appendixnumberbeamer.
+        %
+        \settowidth{\focus@pbar@leftoffset}{1}%
+        \addtolength{\focus@pbar@leftoffset}{1.5em}%
+        %
+        \settowidth{\focus@pbar@rightoffset}{\inserttotalframenumber}%
+        \addtolength{\focus@pbar@rightoffset}{1.5em}%
+        %
+        % If not title page.
+        \ifnum\c@framenumber>0%
+            \begin{tikzpicture}[inner xsep=0.5em, inner ysep=0.5ex]
+                \clip (0,0) rectangle ++(\paperwidth,\the\focus@pbar@height);
+                \fill[footline.bg] (0,0) rectangle ++(\paperwidth,\the\focus@pbar@height);
+                
+                \node[anchor=east, footline.fg] at ({\paperwidth-\the\focus@pbar@rightoffset},{0.5*\focus@pbar@height}) {\strut\insertframenumber};
+                \node[footline.fg] at ({\paperwidth-\the\focus@pbar@rightoffset},{0.5*\focus@pbar@height}) {\strut/};
+                \node[anchor=west, footline.fg] at ({\paperwidth-\the\focus@pbar@rightoffset},{0.5*\focus@pbar@height}) {\strut\inserttotalframenumber};
+            \end{tikzpicture}%
+        \fi%
+    \fi%
+}
+
+% Empty footline.
+\defbeamertemplate{footline}{none}{}
+
+\DeclareOptionBeamer{numbering}{\def\beamer@focus@numbering{#1}}
+\ExecuteOptionsBeamer{numbering=progressbar}
+\ProcessOptionsBeamer
+
+\def\beamer@focus@numberingprogressbar{progressbar}
+\def\beamer@focus@numberingfullbar{fullbar}
+\def\beamer@focus@numberingnone{none}
+
+
+% BACKGROUND CANVAS TEMPLATES. -------------------------------------------------
+\defbeamertemplate*{background canvas}{focus}{%
+    \begin{tikzpicture}
+        \clip (0,0) rectangle ++(\paperwidth,\paperheight);
+        \fill[normal text.bg] (0,0) rectangle ++(\paperwidth,\paperheight);
+    \end{tikzpicture}%
+}
+
+\defbeamertemplate{background canvas}{focusplain}{%
+    \begin{tikzpicture}
+        \clip (0,0) rectangle ++(\paperwidth,\paperheight);
+        \fill[normal text.bg] (0,0) rectangle ++(\paperwidth,\paperheight);
+    \end{tikzpicture}%
+}
+
+\defbeamertemplate{background canvas}{focusframe}{%
+    \begin{tikzpicture}
+        \clip (0,0) rectangle ++(\paperwidth,\paperheight);
+        \fill[frametitle.bg] (0,0) rectangle ++(\paperwidth,\paperheight);        
+    \end{tikzpicture}%
+}
+
+
+% HOOKS FOR CREATING FRAMES. ---------------------------------------------------
+\BeforeBeginEnvironment{frame}{%
+    \setbeamertemplate{background canvas}[focus]%
+    \setbeamertemplate{frametitle}[focus]%
+    %
+    % Reset footline height and determine it for the current slide.
+    \setlength{\focus@pbar@height}{0cm}%
+    \focus@calculatefootheight%
+    %
+    % If not appendix.
+    \ifnum\mainend<0 % From package appendixnumberbeamer.
+        \settoheight{\focus@pbar@height}{\usebeamerfont{footline}1234567890/}%
+        \addtolength{\focus@pbar@height}{6pt}%
+        %
+        \ifx\beamer@focus@numbering\beamer@focus@numberingprogressbar%
+            \setbeamertemplate{footline}[progressbar]%
+        \else%
+            \ifx\beamer@focus@numbering\beamer@focus@numberingfullbar%
+                \setbeamertemplate{footline}[fullbar]%
+            \fi%
+        \fi%
+        %
+        \focus@calculatefootheight%
+    \fi%
+}
+
+% Enable noframenumbering option.
+\define@key{beamerframe}{noframenumbering}[true]{%
+    \setbeamertemplate{footline}[none]%
+    \setlength{\focus@pbar@height}{0cm}%
+    \focus@calculatefootheight%
+    %
+    \addtocounter{framenumber}{-1}%
+}
+
+
+% Enable plain option.
+\define@key{beamerframe}{plain}[true]{%
+    \setbeamertemplate{background canvas}[focusplain]%
+    \setbeamertemplate{frametitle}[plain]%
+    %
+    \setbeamertemplate{footline}[none]%
+}
+
+
+% Full vertical centering
+% (from https://tex.stackexchange.com/questions/247826/beamer-full-vertical-centering).
+\define@key{beamerframe}{c}[true]{%
+    \beamer@frametopskip=0pt plus 1fill\relax%
+    \beamer@framebottomskip=0pt plus 1fill\relax%
+    \beamer@frametopskipautobreak=0pt plus 0.4\paperheight\relax%
+    \beamer@framebottomskipautobreak=0pt plus 0.6\paperheight\relax%
+    \def\beamer@initfirstlineunskip{}%
+}
+
+
+% Enable focus option.
+\providebool{focus@standout}
+\define@key{beamerframe}{focus}[true]{%
+    \booltrue{focus@standout}%
+    \begingroup%
+        \setkeys{beamerframe}{noframenumbering}%
+        \setbeamertemplate{background canvas}[focusframe]%
+        \setbeamertemplate{frametitle}[plain]%
+        %
+        \setkeys{beamerframe}{c}%
+        \centering%
+        \usebeamerfont{focusframe}%
+        \usebeamercolor[fg]{frametitle}%
+}
+
+\apptocmd{\beamer@reseteecodes}
+{%
+    \ifbool{focus@standout}%
+    {%
+        \endgroup%
+        \boolfalse{focus@standout}%
+    }{}%
+}{}{}
+
+
+% Recalculate the footline's size and refresh other parameters.
+% Partially copied from the definition of \beamer@calculateheadfoot.
+\def\focus@calculatefootheight{%
+    \footheight=\focus@pbar@height%
+    \advance\footheight by 4pt%
+    \sidebarheight=\paperheight%
+    \advance\sidebarheight by-\headheight%
+    \advance\sidebarheight by\headdp%
+    \advance\sidebarheight by-\footheight%
+    \advance\sidebarheight by 4pt%
+    \footskip=\footheight%
+    \textheight=\paperheight%
+    \advance\textheight by-\footheight%
+    \advance\textheight by-\headheight%
+    \@colht\textheight%
+    \@colroom\textheight%
+    \vsize\textheight%
+}
+
+\mode<all>

themes/beamerthemefocus.sty

@@ -0,0 +1,60 @@
+% Copyright (C) 2018 Pasquale Claudio Africa.
+%               2018 Sebastian Friedl.
+%
+% This file is part of beamerthemefocus.
+%
+% beamerthemefocus is free software: you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation, either version 3 of the License, or
+% (at your option) any later version.
+% 
+% beamerthemefocus is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details.
+% 
+% You should have received a copy of the GNU General Public License
+% along with beamerthemefocus. If not, see <http://www.gnu.org/licenses/>.
+
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{beamerthemefocus}[2018/08/09 v2.2 Focus Beamer theme]
+
+\mode<presentation>
+
+
+% THEME OPTIONS. ---------------------------------------------------------------
+\DeclareOptionBeamer{numbering}{%
+    \PassOptionsToPackage{numbering=#1}{beamerouterthemefocus}
+}
+
+\newif\if@focus@loadfirafonts
+\@focus@loadfirafontstrue
+
+\DeclareOptionBeamer{nofirafonts}{\@focus@loadfirafontsfalse}
+\ProcessOptionsBeamer
+
+
+% LOAD EXTERNAL PACKAGES. ------------------------------------------------------
+\if@focus@loadfirafonts
+    \RequirePackage[T1]{fontenc}
+    
+    \PassOptionsToPackage{type1}{FiraSans}
+    \PassOptionsToPackage{type1}{FiraMono}
+    
+    \RequirePackage{FiraSans}
+    \RequirePackage{FiraMono}
+\fi
+
+\usecolortheme{focus}
+\usefonttheme{focus}
+\useinnertheme{focus}
+\useoutertheme{focus}
+
+\setbeamertemplate{navigation symbols}{}
+
+
+% SET MARGINS. -----------------------------------------------------------------
+\setbeamersize{text margin left=0.75cm, text margin right=0.75cm}
+\setlength{\leftmargini}{0.75cm}
+
+\mode<all>