MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

small changes

master
iglocska 2020-01-30 09:58:23 +01:00
parent cd59cd9c05
commit 6421e8e879
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
b.4-turning-data-into-actionable-intelligence-short/content.tex
View File

@ -151,7 +151,7 @@
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Supporting specific datamodel} \frametitle{Supporting specific datamodels}
\begin{center} \begin{center}
\includegraphics[scale=0.24]{bankaccount.png} \includegraphics[scale=0.24]{bankaccount.png}
\end{center} \end{center}
@ -163,11 +163,13 @@
\begin{frame} \begin{frame}
\frametitle{Continuous feedback loop} \frametitle{Continuous feedback loop}
\begin{itemize} \begin{itemize}
\item Data ingested by MISP was in a sense frozen in time \item Data shared was {\bf frozen in time}
\item We had a creation data, but lacked a way to use the output of our detection \item All we had was a creation/modification timestamp
\item Improved tooling and willingness allowed us to create a {\bf feedback loop}
\item Lead to the introduction of the {\bf Sighting system} \item Lead to the introduction of the {\bf Sighting system}
\item The community could sight indicators and convey the time of sighting \item Signal the fact of an indicator sighting...
\item Potentially powerful tool for IoC lifecycle management, clumsy query implementation default \item ...as well as {\bf when} and {\bf where} it was sighted
\item Vital component for IoC {\bf lifecycle management}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -184,16 +186,16 @@
\begin{frame} \begin{frame}
\frametitle{A brief history of time - Adding temporality to our data} \frametitle{A brief history of time - Adding temporality to our data}
\begin{itemize} \begin{itemize}
\item {\bf 2.4.120} introduced {\bf \texttt{first\_seen}} and {\bf \texttt{last\_seen}} \item Recently introduced {\bf \texttt{first\_seen}} and {\bf \texttt{last\_seen}} data points
\item Along with a complete integration with the {\bf UI} \item Along with a complete integration with the {\bf UI}
\item {\bf Visualizating} and {\bf editing} time component effortlessly \item Enables the {\bf visualisation} and {\bf adjustment} of indicators timeframes
\end{itemize} \end{itemize}
\begin{center} \begin{center}
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png} \includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
\end{center} \end{center}
\end{frame} \end{frame}
\section{Encoding analyst knowledge to automatically leverage the above} \section{The various ways of encoding analyst knowledge to automatically leverage our TI}
\begin{frame} \begin{frame}
\frametitle{False positive handling} \frametitle{False positive handling}
@ -201,7 +203,7 @@
\item Low quality / false positive prone information being shared \item Low quality / false positive prone information being shared
\item Lead to {\bf alert-fatigue} \item Lead to {\bf alert-fatigue}
\item Exclude organisation xy out of the community? \item Exclude organisation xy out of the community?
\item False positives are often obvious - {\bf can be encoded} \item FPs are often obvious - {\bf can be encoded}
\item {\bf Warninglist system}\footnote{\url{https://github.com/MISP/misp-warninglists}} aims to do that \item {\bf Warninglist system}\footnote{\url{https://github.com/MISP/misp-warninglists}} aims to do that
\item Lists of well-known indicators which are often false-positives like RFC1918 networks, ... \item Lists of well-known indicators which are often false-positives like RFC1918 networks, ...
\end{itemize} \end{itemize}