mirror of https://github.com/MISP/misp-training
Merge branch 'master' of github.com:MISP/misp-training
commit
6a7cb16ce5
|
@ -79,7 +79,7 @@
|
||||||
\item Telecom and Mobile operators' community
|
\item Telecom and Mobile operators' community
|
||||||
\item Various ad-hoc communities for exercises for example
|
\item Various ad-hoc communities for exercises for example
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Most recently for example for the ENISA exercise a few weeks ago
|
\item The ENISA exercise for example
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
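Review bot: the rewritten ENISA item (`\item The ENISA exercise for example`) drops the relative time reference "a few weeks ago", which is the right call for a deck that gets reused across trainings; if the specific exercise matters to the audience, name it or give the year so the reference stays meaningful rather than vague.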
@ -206,7 +206,7 @@
|
||||||
\frametitle{Getting started with building your own sharing community}
|
\frametitle{Getting started with building your own sharing community}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Starting a sharing community is {\bf both easy and difficult} at the same time
|
\item Starting a sharing community is {\bf both easy and difficult} at the same time
|
||||||
\item Many moving parts and most importantly, you'll be dealing with a diverse group of people
|
\item Many moving parts and most importantly, you'll be dealing with a {\bf diverse group of people}
|
||||||
\item Understanding and working with your constituents to help them face their challenges is key
|
\item Understanding and working with your constituents to help them face their challenges is key
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
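Review bot: emphasis in this hunk is now applied to the first two items ("both easy and difficult", "diverse group of people") but not to the third, `\item Understanding and working with your constituents to help them face their challenges is key`; for a consistent visual rhythm on the slide, bold the key phrase there too (e.g. "{\bf Understanding and working with your constituents}").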
@ -224,9 +224,9 @@
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Different models for constituents
|
\item Different models for constituents
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Connecting to a MISP instance hosted by a CSIRT
|
\item {\bf Connecting to} a MISP instance hosted by a CSIRT
|
||||||
\item Hosting their own instance and connecting to CSIRT's MISP
|
\item {\bf Hosting} their own instance and connecting to CSIRT's MISP
|
||||||
\item Becoming member of a sectorial MISP community that is connected to CSIRT's community
|
\item {\bf Becoming member} of a sectorial MISP community that is connected to CSIRT's community
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item Planning ahead for future growth
|
\item Planning ahead for future growth
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
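Review bot: the two items being emphasised here still read "connecting to CSIRT's MISP" and "connected to CSIRT's community" without an article; since `\item {\bf Hosting} their own instance and connecting to CSIRT's MISP` and the line below it are touched anyway, "the CSIRT's MISP" / "the CSIRT's community" (or "your CSIRT's") reads more naturally.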
@ -240,15 +240,15 @@
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
|
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Lead by example - the power of immitation
|
\item {\bf Lead by example} - the power of immitation
|
||||||
\item Encourage improving by doing instead of blocking sharing with unrealistic quality controls
|
\item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item What should the information look like?
|
\item What should the information look like?
|
||||||
\item How should it be contextualise
|
\item How should it be contextualise
|
||||||
\item What do you consider as useful information?
|
\item What do you consider as useful information?
|
||||||
\item What tools did you use to get your conclusions?
|
\item What tools did you use to get your conclusions?
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item Side effect is that you will end up raising the capabilities of your constituents
|
\item Side effect is that you will end up {\bf raising the capabilities of your constituents}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
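Review bot: the bolded item `\item {\bf Lead by example} - the power of immitation` and the frametitle above it both keep the misspelling "immitate" / "immitation" (should be "imitate" / "imitation"); the nested question `\item How should it be contextualise` is also missing its past participle and question mark ("How should it be contextualised?"). Worth fixing in the same commit since these lines are already being edited.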
@ -262,18 +262,18 @@
|
||||||
\item Validating data / flagging false positives
|
\item Validating data / flagging false positives
|
||||||
\item Asking for support from the community
|
\item Asking for support from the community
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item Embrace all of them. Even the ones that don't do either, you'll never know when they change their minds...
|
\item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{How to deal with organisations that only "leech"?}
|
\frametitle{How to deal with organisations that only "leech"?}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item From our own communities, only about 30\% of the organisations actively share data
|
\item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
|
||||||
\item We have come across some communities with sharing requirements
|
\item We have come across some communities with sharing requirements
|
||||||
\item In our experience, this sets you up for failure because:
|
\item In our experience, this sets you up for failure because:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Organisations will lose protection who would possibily benefit the most from it
|
\item Organisations losing access are the ones who would possibily benefit the most from it
|
||||||
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
|
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
|
||||||
\item You lose organisations that might turn into valuable contributors in the future
|
\item You lose organisations that might turn into valuable contributors in the future
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
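Review bot: the rewritten line `\item Organisations losing access are the ones who would possibily benefit the most from it` carries the typo "possibily" over from the old wording; it should be "possibly". Separately, the new phrasing "you never know when they come handy" in the "Embrace all of them" item needs "come in handy".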
@ -283,11 +283,11 @@
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{So how does one convert the passive organisations into actively sharing ones?}
|
\frametitle{So how does one convert the passive organisations into actively sharing ones?}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Rely on organic growth
|
\item Rely on {\bf organic growth}
|
||||||
\item Help them increase their capabilities
|
\item {\bf Help} them increase their capabilities
|
||||||
\item As mentioned before, lead by example
|
\item As mentioned before, lead by example
|
||||||
\item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
|
\item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
|
||||||
\item Give credit where credit is due, never steal the accolades of your community (that is incredibly demotivating)
|
\item {\bf Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
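Review bot: replacing "accolades" with "contributions" in `\item {\bf Give credit} where credit is due, never steal the contributions of your community` changes the point of the item, which is about credit rather than about taking the data itself; "never take credit for your community's contributions" keeps the original sense while avoiding the word "accolades".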
@ -316,23 +316,23 @@
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Contextualising the information}
|
\frametitle{Contextualising the information}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Sharing technical information is a great start
|
\item Sharing {\bf technical information} is a {\bf great start}
|
||||||
\item However, to truly create valueable information for your community, always consider the context:
|
\item However, to truly create valueable information for your community, always consider the context:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Your IDS might not care why it should alert on a rule
|
\item Your IDS might not care why it should alert on a rule
|
||||||
\item But your analysts will be interested in the threat landscape and the "big picture"
|
\item But your analysts will be interested in the threat landscape and the "big picture"
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item Classify data to make sure your partners understand why it is important for them
|
\item Classify data to make sure your partners understand why it is {\bf important for you}, so they can see why it could be {\bf useful to them}
|
||||||
\item Massively important once an organisation has the maturity to filter the most critical subsets of information for their own defense
|
\item Massively important once an organisation has the maturity to filter the most critical {\bf subsets of information for their own defense}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Choice of vocabularies}
|
\frametitle{Choice of vocabularies}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item MISP has a verify versatile system (taxonomies) for classifying and marking data
|
\item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data
|
||||||
\item However, this includes different vocabularies with obvious overlaps
|
\item However, this includes different vocabularies with obvious overlaps
|
||||||
\item MISP allows you to pick and choose vocabularies to use and enforce in a community
|
\item MISP allows you to {\bf pick and choose vocabularies} to use and enforce in a community
|
||||||
\item Good idea to start with this process early
|
\item Good idea to start with this process early
|
||||||
\item If you don't find what you're looking for:
|
\item If you don't find what you're looking for:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
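Review bot: `\item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data` keeps the typo "verify" (should be "very") on a line this hunk touches, and the unchanged line `\item However, to truly create valueable information for your community, always consider the context:` has "valueable" for "valuable". The clarified wording on the classify item ("important for you, so they can see why it could be useful to them") reads well.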
@ -346,7 +346,7 @@
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Shared libraries of meta-information (Galaxies)}
|
\frametitle{Shared libraries of meta-information (Galaxies)}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item The MISPProject in co-operation with partners provides a curated list of galaxy information
|
\item The MISPProject in co-operation with partners provides a {\bf curated list of galaxy information}
|
||||||
\item Can include information packages of different types, for example:
|
\item Can include information packages of different types, for example:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Threat actor information
|
\item Threat actor information
|
||||||
|
@ -355,7 +355,7 @@
|
||||||
\item Classification systems for methodologies used by adversaries - ATT\&CK
|
\item Classification systems for methodologies used by adversaries - ATT\&CK
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item Consider improving the default libraries or contributing your own (simple JSON format)
|
\item Consider improving the default libraries or contributing your own (simple JSON format)
|
||||||
\item If there is something you cannot share, run your own galaxies and share it out of bound with partners
|
\item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners
|
||||||
\item Pull requests are always welcome
|
\item Pull requests are always welcome
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
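Review bot: the newly bolded phrase in `\item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners` should be "out of band" (i.e. outside the normal MISP sync channel), not "out of bound".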
@ -369,8 +369,8 @@
|
||||||
\item Be lenient when considering what to keep
|
\item Be lenient when considering what to keep
|
||||||
\item Be strict when you are feeding tools
|
\item Be strict when you are feeding tools
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item MISP allows you to filter out the relevant data on demand when feeding protective tools
|
\item MISP allows you to {\bf filter out the relevant data on demand} when feeding protective tools
|
||||||
\item What may seem like junk to you may be absolutely critical to other users
|
\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
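Review bot: the bold spans in `\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}` are cut at odd word boundaries ("may" is bolded but "be" is not); `{\bf junk to you} may be absolutely {\bf critical to other users}` reads as intended.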
@ -396,7 +396,7 @@
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{False-positive handling}
|
\frametitle{False-positive handling}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Analysts will often be interested in the modus operandi of threat actors over long periods of time
|
\item {\bf Analysts} will often be interested in the {\bf modus operandi} of threat actors over {\bf long periods of time}
|
||||||
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
|
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
|
||||||
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
|
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
@ -406,7 +406,7 @@
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Managing sub-communities}
|
\frametitle{Managing sub-communities}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Often within a community smaller bubbles of information sharing will form
|
\item Often within a community {\bf smaller bubbles of information sharing will form}
|
||||||
\item For example: Within a national private sector sharing community, specific community for financial institutions
|
\item For example: Within a national private sector sharing community, specific community for financial institutions
|
||||||
\item Sharing groups serve this purpose mainly
|
\item Sharing groups serve this purpose mainly
|
||||||
\item As a CSIRT running a national community, consider bootstraping these sharing communities
|
\item As a CSIRT running a national community, consider bootstraping these sharing communities
|
||||||
|
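Review bot: the context line `\item As a CSIRT running a national community, consider bootstraping these sharing communities` directly below the edited lines has "bootstraping" for "bootstrapping"; while in this frame, `\item Sharing groups serve this purpose mainly` reads more naturally as "This is mainly what sharing groups are for".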
@ -418,10 +418,10 @@
|
||||||
\frametitle{Managing sub-communities}
|
\frametitle{Managing sub-communities}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
|
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
|
||||||
\item Use your best judgement to decide which communities should be separated from one another
|
\item Use your {\bf best judgement} to decide which communities should be separated from one another
|
||||||
\item Create sharing hubs with manual data transfer
|
\item Create sharing hubs with {\bf manual data transfer} if needed
|
||||||
\item Some organisations will even have their data air-gapped - Feed system
|
\item Some organisations will even have their data air-gapped - Feed system
|
||||||
\item Create guidance on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
|
\item {\bf Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
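Review bot: `\item Create sharing hubs with {\bf manual data transfer} if needed` now reads well, but the following context line `\item Some organisations will even have their data air-gapped - Feed system` is a fragment that leaves the mechanism implicit; spelling out the relation ("...air-gapped: serve them via the feed system") would make the point clear to an audience new to MISP.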