Merge branch 'master' of github.com:MISP/misp-training

changes-actionable
iglocska 2019-09-26 09:15:20 +02:00
commit 6a7cb16ce5
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 28 additions and 28 deletions


@ -79,7 +79,7 @@
\item Telecom and Mobile operators' community
\item Various ad-hoc communities for exercises for example
\begin{itemize}
\item Most recently for example for the ENISA exercise a few weeks ago
\item The ENISA exercise for example
\end{itemize}
\end{itemize}
\end{frame}
@ -206,7 +206,7 @@
\frametitle{Getting started with building your own sharing community}
\begin{itemize}
\item Starting a sharing community is {\bf both easy and difficult} at the same time
\item Many moving parts and most importantly, you'll be dealing with a diverse group of people
\item Many moving parts and most importantly, you'll be dealing with a {\bf diverse group of people}
\item Understanding and working with your constituents to help them face their challenges is key
\end{itemize}
\end{frame}
@ -224,9 +224,9 @@
\begin{itemize}
\item Different models for constituents
\begin{itemize}
\item Connecting to a MISP instance hosted by a CSIRT
\item Hosting their own instance and connecting to CSIRT's MISP
\item Becoming member of a sectorial MISP community that is connected to CSIRT's community
\item {\bf Connecting to} a MISP instance hosted by a CSIRT
\item {\bf Hosting} their own instance and connecting to CSIRT's MISP
\item {\bf Becoming member} of a sectorial MISP community that is connected to CSIRT's community
\end{itemize}
\item Planning ahead for future growth
\begin{itemize}
@ -240,15 +240,15 @@
\begin{frame}
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
\begin{itemize}
\item Lead by example - the power of immitation
\item Encourage improving by doing instead of blocking sharing with unrealistic quality controls
\item {\bf Lead by example} - the power of immitation
\item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
\begin{itemize}
\item What should the information look like?
\item How should it be contextualise
\item What do you consider as useful information?
\item What tools did you use to get your conclusions?
\end{itemize}
\item Side effect is that you will end up raising the capabilities of your constituents
\item Side effect is that you will end up {\bf raising the capabilities of your constituents}
\end{itemize}
\end{frame}
@ -262,18 +262,18 @@
\item Validating data / flagging false positives
\item Asking for support from the community
\end{itemize}
\item Embrace all of them. Even the ones that don't do either, you'll never know when they change their minds...
\item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to deal with organisations that only "leech"?}
\begin{itemize}
\item From our own communities, only about 30\% of the organisations actively share data
\item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
\item We have come across some communities with sharing requirements
\item In our experience, this sets you up for failure because:
\begin{itemize}
\item Organisations will lose protection who would possibily benefit the most from it
\item Organisations losing access are the ones who would possibily benefit the most from it
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
\item You lose organisations that might turn into valuable contributors in the future
\end{itemize}
@ -283,11 +283,11 @@
\begin{frame}
\frametitle{So how does one convert the passive organisations into actively sharing ones?}
\begin{itemize}
\item Rely on organic growth
\item Help them increase their capabilities
\item Rely on {\bf organic growth}
\item {\bf Help} them increase their capabilities
\item As mentioned before, lead by example
\item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
\item Give credit where credit is due, never steal the accolades of your community (that is incredibly demotivating)
\item {\bf Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
\end{itemize}
\end{frame}
@ -316,23 +316,23 @@
\begin{frame}
\frametitle{Contextualising the information}
\begin{itemize}
\item Sharing technical information is a great start
\item Sharing {\bf technical information} is a {\bf great start}
\item However, to truly create valueable information for your community, always consider the context:
\begin{itemize}
\item Your IDS might not care why it should alert on a rule
\item But your analysts will be interested in the threat landscape and the "big picture"
\end{itemize}
\item Classify data to make sure your partners understand why it is important for them
\item Massively important once an organisation has the maturity to filter the most critical subsets of information for their own defense
\item Classify data to make sure your partners understand why it is {\bf important for you}, so they can see why it could be {\bf useful to them}
\item Massively important once an organisation has the maturity to filter the most critical {\bf subsets of information for their own defense}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Choice of vocabularies}
\begin{itemize}
\item MISP has a verify versatile system (taxonomies) for classifying and marking data
\item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data
\item However, this includes different vocabularies with obvious overlaps
\item MISP allows you to pick and choose vocabularies to use and enforce in a community
\item MISP allows you to {\bf pick and choose vocabularies} to use and enforce in a community
\item Good idea to start with this process early
\item If you don't find what you're looking for:
\begin{itemize}
@ -346,7 +346,7 @@
\begin{frame}
\frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize}
\item The MISPProject in co-operation with partners provides a curated list of galaxy information
\item The MISPProject in co-operation with partners provides a {\bf curated list of galaxy information}
\item Can include information packages of different types, for example:
\begin{itemize}
\item Threat actor information
@ -355,7 +355,7 @@
\item Classification systems for methodologies used by adversaries - ATT\&CK
\end{itemize}
\item Consider improving the default libraries or contributing your own (simple JSON format)
\item If there is something you cannot share, run your own galaxies and share it out of bound with partners
\item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners
\item Pull requests are always welcome
\end{itemize}
\end{frame}
@ -369,8 +369,8 @@
\item Be lenient when considering what to keep
\item Be strict when you are feeding tools
\end{itemize}
\item MISP allows you to filter out the relevant data on demand when feeding protective tools
\item What may seem like junk to you may be absolutely critical to other users
\item MISP allows you to {\bf filter out the relevant data on demand} when feeding protective tools
\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}
\end{itemize}
\end{frame}
@ -396,7 +396,7 @@
\begin{frame}
\frametitle{False-positive handling}
\begin{itemize}
\item Analysts will often be interested in the modus operandi of threat actors over long periods of time
\item {\bf Analysts} will often be interested in the {\bf modus operandi} of threat actors over {\bf long periods of time}
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
\end{itemize}
@ -406,7 +406,7 @@
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Often within a community smaller bubbles of information sharing will form
\item Often within a community {\bf smaller bubbles of information sharing will form}
\item For example: Within a national private sector sharing community, specific community for financial institutions
\item Sharing groups serve this purpose mainly
\item As a CSIRT running a national community, consider bootstraping these sharing communities
@ -418,10 +418,10 @@
\frametitle{Managing sub-communities}
\begin{itemize}
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
\item Use your best judgement to decide which communities should be separated from one another
\item Create sharing hubs with manual data transfer
\item Use your {\bf best judgement} to decide which communities should be separated from one another
\item Create sharing hubs with {\bf manual data transfer} if needed
\item Some organisations will even have their data air-gapped - Feed system
\item Create guidance on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\item {\bf Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\end{itemize}
\end{frame}
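Review bot: The emphasis added on the new lines throughout this file (first in the `diverse group of people` item of the `@ -206` hunk, then in every later hunk down to `{\bf Create guidance}`) uses the plain-TeX font switch `{\bf ...}`, which is obsolete in LaTeX2e and does not nest correctly with `\emph`; since these are beamer frames, prefer `\textbf{...}` or beamer's `\alert{...}` so the highlight style is set once in the preamble, e.g. `\item Many moving parts and most importantly, you'll be dealing with \alert{a diverse group of people}`. Some spelling errors are carried onto the new side as well: `verify {\bf versatile system}` in the "Choice of vocabularies" frame should read `very`, `possibily` in the "only leech" frame should be `possibly`, and `immitation` in the "Rely on our instincts" frame (also in its `\frametitle`) should be `imitation`. `{\bf share it out of bound}` in the Galaxies hunk is presumably meant to be `out of band`, the usual term for exchanging data outside the normal channel. Whether the preamble already defines a highlighting macro cannot be seen from these hunks, as the preamble lies outside them.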