chg: [event:AusCERT24] Updated Introduction to ISACs slides

- Typo fixed
- A few bullet points added
- Slides on sub-communities rearranged
pull/25/head
Christian Studer 2024-05-08 10:18:06 +02:00
parent 89bb9638a9
commit 6851dd5fb2
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 32 additions and 27 deletions


@ -6,7 +6,7 @@
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Plan for this session} \frametitle{Agenda}
\begin{itemize} \begin{itemize}
\item CIRCL, MISP and ISACs \item CIRCL, MISP and ISACs
\item [] \item []
@ -95,12 +95,12 @@
\begin{frame} \begin{frame}
\frametitle{Usual sharing scenarios for ISACs} \frametitle{Usual sharing scenarios for ISACs}
\begin{itemize} \begin{itemize}
\item Exchange of \textbf{insights from monitoring} \item Exchange of \textbf{IOCs} and \textbf{TTPs}
\item Sharing the outcomes of \textbf{incidents} \item Sharing the outcomes of \textbf{incidents}
\item Information on the \textbf{attackers, techniques used} \item Information on the \textbf{attackers, techniques used}
\item \textbf{Remediation} information / \textbf{prevention} information \item \textbf{Remediation} information / \textbf{prevention} information
\item \textbf{Vulnerability} pre-disclosure \item \textbf{Vulnerability} pre-disclosure
\item Supporitng \textbf{tools} / \textbf{scripts} \item Supporting \textbf{tools} / \textbf{scripts}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -111,6 +111,7 @@
\item \textbf{Law enforcement} / Border control specific sharing \item \textbf{Law enforcement} / Border control specific sharing
\item \textbf{Disinformation} sharing \item \textbf{Disinformation} sharing
\item \textbf{Health} related information sharing \item \textbf{Health} related information sharing
\item \textbf{Telecommunication} threat sharing
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -120,7 +121,7 @@
\item Different use-cases have conflicting requirements for the data shared \item Different use-cases have conflicting requirements for the data shared
\begin{itemize} \begin{itemize}
\item \textbf{False positive} appetite \item \textbf{False positive} appetite
\item \textbf{Maturity} levels \item \textbf{Capability}/\textbf{Maturity} levels
\item \textbf{Topical} interests \item \textbf{Topical} interests
\item \textbf{Detection rules} vs \textbf{threat intel} vs \textbf{remediation/prevention} support \item \textbf{Detection rules} vs \textbf{threat intel} vs \textbf{remediation/prevention} support
\end{itemize} \end{itemize}
@ -216,23 +217,13 @@
\section{Managing your sharing \\ community} \section{Managing your sharing \\ community}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
\item Use your \textbf{best judgement} to decide which communities should be separated from one another
\item Create sharing hubs with \textbf{manual data transfer} if needed
\item Some organisations will even have their data air-gapped - Feed system
\item \textbf{Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\end{itemize}
\end{frame}
\begin{frame} \begin{frame}
\frametitle{What counts as valuable data?} \frametitle{What counts as valuable data?}
\begin{itemize} \begin{itemize}
\item Sharing comes in many shapes and sizes \item Sharing comes in many shapes and sizes
\begin{itemize} \begin{itemize}
\item Sharing results / reports is the classical example \item Sharing results / reports is the classical example
\item Sighting of indicators
\item Sharing enhancements to existing data \item Sharing enhancements to existing data
\item Validating data / flagging false positives \item Validating data / flagging false positives
\item Asking for support from the community \item Asking for support from the community
@ -252,6 +243,8 @@
\item Organisations losing access are the ones who would possibily benefit the most from it \item Organisations losing access are the ones who would possibily benefit the most from it
\item You lose organisations that might turn into valuable contributors in the future \item You lose organisations that might turn into valuable contributors in the future
\end{itemize} \end{itemize}
\item []
\item Constituents have access to and can \textbf{use the data}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -302,6 +295,30 @@
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\section{The tough choice of separating a community}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Often within a community \textbf{smaller bubbles of information sharing will form}
\item For example: Within a national private sector sharing community, specific community for financial institutions
\item Sharing groups serve this purpose mainly
\item As an ISAC running a national community, consider bootstraping these sharing communities
\item Organisations can of course self-organise, but you are the ones with the know-how to get them started
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
\item Use your \textbf{best judgement} to decide which communities should be separated from one another
\item Create sharing hubs with \textbf{manual data transfer} if needed
\item Some organisations will even have their data air-gapped - Feed system
\item \textbf{Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\end{itemize}
\end{frame}
\section{Interesting visual features \\ for analysts} \section{Interesting visual features \\ for analysts}
\begin{frame} \begin{frame}
@ -353,7 +370,6 @@
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Shared libraries of meta-information (Galaxies)} \frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize} \begin{itemize}
@ -416,17 +432,6 @@
\centering\includegraphics[scale=0.8]{../images/false-positive.png} \centering\includegraphics[scale=0.8]{../images/false-positive.png}
\end{frame} \end{frame}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Often within a community \textbf{smaller bubbles of information sharing will form}
\item For example: Within a national private sector sharing community, specific community for financial institutions
\item Sharing groups serve this purpose mainly
\item As an ISAC running a national community, consider bootstraping these sharing communities
\item Organisations can of course self-organise, but you are the ones with the know-how to get them started
\end{itemize}
\end{frame}
\section{Conclusion} \section{Conclusion}
\begin{frame} \begin{frame}
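Review bot: The moved "Managing sub-communities" slide in the hunk starting at `@ -302,6 +295,30 @@` still carries a typo on the new side, `consider bootstraping these sharing communities`, which should read `consider bootstrapping these sharing communities`; since this commit is already a typo-fix pass, it is worth catching here. The same applies to `possibily` in the context line of the `@ -252,6 +243,8 @@` hunk (`who would possibily benefit the most`), which survives unchanged on the new side. The two consecutive frames both titled `Managing sub-communities` are presumably a deliberate continuation, but a `\framesubtitle{}` (or a "(cont.)" suffix on the second) would make the split visible to the audience and in the navigation bar. The added empty `\item []` in the constituents hunk is a spacing hack; if the intent is to visually separate "Constituents have access to and can use the data" from the list above it, a nested `itemize` or `\medskip` inside the item would be the semantic form, though this matches the file's existing pattern.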