MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [event:AusCERT24] Updated Introduction to ISACs slides 

- Typo fixed
- A few bullet points added
- Slides on sub-communities rearranged
pull/25/head
Christian Studer 2024-05-08 10:18:06 +02:00
parent 89bb9638a9
commit 6851dd5fb2
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 32 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
View File

@ -6,7 +6,7 @@
\end{frame}
\begin{frame}
\frametitle{Plan for this session}
\frametitle{Agenda}
\begin{itemize}
\item CIRCL, MISP and ISACs
\item []
@ -95,12 +95,12 @@
\begin{frame}
\frametitle{Usual sharing scenarios for ISACs}
\begin{itemize}
\item Exchange of \textbf{insights from monitoring}
\item Exchange of \textbf{IOCs} and \textbf{TTPs}
\item Sharing the outcomes of \textbf{incidents}
\item Information on the \textbf{attackers, techniques used}
\item \textbf{Remediation} information / \textbf{prevention} information
\item \textbf{Vulnerability} pre-disclosure
\item Supporitng \textbf{tools} / \textbf{scripts}
\item Supporting \textbf{tools} / \textbf{scripts}
\end{itemize}
\end{frame}
@ -111,6 +111,7 @@
\item \textbf{Law enforcement} / Border control specific sharing
\item \textbf{Disinformation} sharing
\item \textbf{Health} related information sharing
\item \textbf{Telecommunication} threat sharing
\end{itemize}
\end{frame}
@ -120,7 +121,7 @@
\item Different use-cases have conflicting requirements for the data shared
\begin{itemize}
\item \textbf{False positive} appetite
\item \textbf{Maturity} levels
\item \textbf{Capability}/\textbf{Maturity} levels
\item \textbf{Topical} interests
\item \textbf{Detection rules} vs \textbf{threat intel} vs \textbf{remediation/prevention} support
\end{itemize}
@ -216,23 +217,13 @@
\section{Managing your sharing \\ community}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
\item Use your \textbf{best judgement} to decide which communities should be separated from one another
\item Create sharing hubs with \textbf{manual data transfer} if needed
\item Some organisations will even have their data air-gapped - Feed system
\item \textbf{Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What counts as valuable data?}
\begin{itemize}
\item Sharing comes in many shapes and sizes
\begin{itemize}
\item Sharing results / reports is the classical example
\item Sighting of indicators
\item Sharing enhancements to existing data
\item Validating data / flagging false positives
\item Asking for support from the community
@ -252,6 +243,8 @@
\item Organisations losing access are the ones who would possibily benefit the most from it
\item You lose organisations that might turn into valuable contributors in the future
\end{itemize}
\item []
\item Constituents have access to and can \textbf{use the data}
\end{itemize}
\end{frame}
@ -302,6 +295,30 @@
\end{itemize}
\end{frame}
\section{The tough choice of separating a community}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Often within a community \textbf{smaller bubbles of information sharing will form}
\item For example: Within a national private sector sharing community, specific community for financial institutions
\item Sharing groups serve this purpose mainly
\item As an ISAC running a national community, consider bootstraping these sharing communities
\item Organisations can of course self-organise, but you are the ones with the know-how to get them started
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
\item Use your \textbf{best judgement} to decide which communities should be separated from one another
\item Create sharing hubs with \textbf{manual data transfer} if needed
\item Some organisations will even have their data air-gapped - Feed system
\item \textbf{Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\end{itemize}
\end{frame}
\section{Interesting visual features \\ for analysts}
\begin{frame}
@ -353,7 +370,6 @@
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize}
@ -416,17 +432,6 @@
\centering\includegraphics[scale=0.8]{../images/false-positive.png}
\end{frame}
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Often within a community \textbf{smaller bubbles of information sharing will form}
\item For example: Within a national private sector sharing community, specific community for financial institutions
\item Sharing groups serve this purpose mainly
\item As an ISAC running a national community, consider bootstraping these sharing communities
\item Organisations can of course self-organise, but you are the ones with the know-how to get them started
\end{itemize}
\end{frame}
\section{Conclusion}
\begin{frame}