diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
new file mode 100644
index 0000000..1a03a55
--- /dev/null
+++ b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
@@ -0,0 +1,454 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+ \frametitle{Plan for this session}
+ \begin{itemize}
+ \item CIRCL, MISP and ISACs
+ \item []
+ \item Motivations for sharing communities
+ \item How to get going?
+ \item Managing information sharing communities
+ \item []
+ \item Features for analysts
+ \item The importance of contextualisation
+ \item False-positive handling
+ \end{itemize}
+\end{frame}
+
+\section{CIRCL, MISP and ISACs}
+
+\begin{frame}
+ \frametitle{CIRCL's involvement}
+ \begin{itemize}
+ \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector.
+ \item {\bf CIRCL leads the development} of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
+ \item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
+ \item []
+ \item We use MISP as an {\bf internal tool} to cover various day-to-day activities
+ \item Whilst being the main driving force behind the development, we're also one of the largest consumers
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Communities operated by CIRCL}
+ \begin{itemize}
+ \item Private sector community
+ \begin{itemize}
+ \item Our largest sharing community
+ \item Over {\bf 1900 organisations}
+ \item Over {\bf 4800 users}
+ \item Functions as a central hub for a lot of sharing communities
+ \item Private organisations, Researchers, Various SoCs, some CSIRTs, etc
+ \end{itemize}
+ \item CSIRT community
+ \begin{itemize}
+ \item Tighter community
+ \item National CSIRTs, connections to international organisations, etc
+ \end{itemize}
+ \item Financial sector community
+ \begin{itemize}
+ \item Banks, payment processors, etc.
+ \item Sharing of {\bf mule accounts} and {\bf non-cyber threat information}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Communities supported by CIRCL}
+ \begin{itemize}
+ \item ISACs / specialised community MISPs
+ \begin{itemize}
+ \item Topical or community specific instances hosted or co-managed by CIRCL
+ \item Examples, CIISI, GSMA, FIRST.org, CSIRT network, etc
+ \item Often come with their {\bf own taxonomies and domain specific object definitions}
+ \end{itemize}
+ \item Various ad-hoc communities for exercises
+ \begin{itemize}
+ \item The ENISA exercise
+ \item Locked Shields exercise
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\section{Why creating a sharing\\ community?}
+
+\begin{frame}
+ \frametitle{Development based on practical user feedback}
+ \begin{itemize}
+ \item There are many different types of users of an information sharing platform like MISP:
+ \begin{itemize}
+ \item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues.
+ \item {\bf Security analysts} searching, validating and using indicators in operational security.
+ \item {\bf Intelligence analysts} gathering information about specific adversary groups.
+ \item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
+ \item {\bf Risk analysis teams} willing to know about the new threats, likelyhood and occurences.
+ \item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds.
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Usual sharing scenarios for ISACs}
+ \begin{itemize}
+ \item Exchange of {\bf insights from monitoring}
+ \item Sharing the outcomes of {\bf incidents}
+ \item Information on the {\bf attackers, techniques used}
+ \item {\bf Remediation} information / {\bf prevention} information
+ \item {\bf Vulnerability} pre-disclosure
+ \item Supporitng {\bf tools} / {\bf scripts}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Examples of sharing scenarios for sectorial ISACs}
+ \begin{itemize}
+ \item {\bf Financial fraud} information sharing
+ \item {\bf Law enforcement} / Border control specific sharing
+ \item {\bf Disinformation} sharing
+ \item {\bf Health} related information sharing
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Objectives can be mixed}
+ \begin{itemize}
+ \item Different use-cases have conflicting requirements for the data shared
+ \begin{itemize}
+ \item {\bf False positive} appetite
+ \item {\bf Maturity} levels
+ \item {\bf Topical} interests
+ \item {\bf Detection rules} vs {\bf threat intel} vs {\bf remediation/prevention} support
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Reconciling the different use-cases}
+ \begin{itemize}
+ \item For inclusiveness, be lenient with what you allow
+ \item Make {\bf contextualisation} a requirement
+ \item Users can then {\bf filter} based on their needs
+ \item Encourage the sharing of {\bf supporting materials, scripts, guidance}
+ \item Raise awareness about the benefits of well modelled, graph based information sharing
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Bringing different sharing communities together}
+ \begin{itemize}
+ \item Getting your community to be active takes {\bf time and effort}, but with persistence your chances are great.
+ \item We generally all {\bf end up sharing with peers that face similar threats}
+ \item Division is either {\bf sectorial or geographical}
+ \item So why even bother with trying to bridge these communities?
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Advantages of cross sectorial sharing}
+ \begin{itemize}
+ \item {\bf Reuse of TTPs} across sectors
+ \item Being hit by something that {\bf another sector has faced before}
+ \item {\bf Hybrid threats} - how seemingly unrelated things may be interesting to correlate
+ \item Prepare other communities for the capability and {\bf culture of sharing} for when the need arises for them to reach out to CSIRT
+ \item Generally our field is ahead of several other sectors when it comes to information sharing, might as well {\bf spread the love}
+ \end{itemize}
+ \centering\includegraphics[scale=0.3]{../images/sharing.jpeg}
+\end{frame}
+
+\section{How to get going with your\\ sharing community?}
+
+\begin{frame}
+ \frametitle{Getting started with building your own sharing community}
+ \begin{itemize}
+ \item When you are starting out - you are in a unique position to drive the community and set best practices...
+ \end{itemize}
+ \centering\includegraphics[scale=0.3]{../images/power-responsibility.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Getting started with building your own sharing community}
+ \begin{itemize}
+ \item Starting a sharing community is {\bf both easy and difficult} at the same time
+ \item Many moving parts and most importantly, you'll be dealing with a {\bf diverse group of people}
+ \item Understanding and working with your constituents to help them face their challenges is key
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Running a sharing community using MISP - How to get going?}
+ \begin{itemize}
+ \item Planning ahead for future growth
+ \begin{itemize}
+ \item Estimating requirements
+ \item Deciding early on common vocabularies
+ \item Offering services through MISP
+ \end{itemize}
+ \item []
+ \item Different models for constituents
+ \begin{itemize}
+ \item {\bf Connecting to} a MISP instance hosted by the ISAC
+ \item {\bf Hosting} their own instance and connecting to ISAC's MISP
+ \item {\bf Becoming member} of a sectorial MISP community that is connected to ISAC's community
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
+\begin{itemize}
+ \item {\bf Lead by example} - the power of immitation
+ \item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
+ \begin{itemize}
+ \item What should the information look like?
+ \item How should it be contextualised?
+ \item What do you consider as useful information?
+ \item What tools did you use to get your conclusions?
+ \item How the information could be used by the ISAC members?
+ \end{itemize}
+ \item Side effect is that you will end up {\bf raising the capabilities of your constituents}
+ \end{itemize}
+\end{frame}
+
+\section{Managing your sharing \\ community}
+
+\begin{frame}
+ \frametitle{Managing sub-communities}
+ \begin{itemize}
+ \item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
+ \item Use your {\bf best judgement} to decide which communities should be separated from one another
+ \item Create sharing hubs with {\bf manual data transfer} if needed
+ \item Some organisations will even have their data air-gapped - Feed system
+ \item {\bf Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What counts as valuable data?}
+\begin{itemize}
+ \item Sharing comes in many shapes and sizes
+ \begin{itemize}
+ \item Sharing results / reports is the classical example
+ \item Sharing enhancements to existing data
+ \item Validating data / flagging false positives
+ \item Asking for support from the community
+ \end{itemize}
+\item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{How to deal with organisations that only "leech"?}
+\begin{itemize}
+ \item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
+ \item We have come across some communities with sharing requirements
+ \item In our experience, this sets you up for failure because:
+ \begin{itemize}
+ \item Organisations that want to stay above the thresholds will start sharing junk / fake data
+ \item Organisations losing access are the ones who would possibily benefit the most from it
+ \item You lose organisations that might turn into valuable contributors in the future
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{So how does one convert the passive organisations into actively sharing ones?}
+ \begin{itemize}
+ \item Rely on {\bf organic growth}
+ \item {\bf Help} them increase their capabilities
+ \item As mentioned before, lead by example
+ \item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
+ \item {\bf Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Dispelling the myths around blockers when it comes to information sharing}
+ \begin{itemize}
+ \item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
+ \begin{itemize}
+ \item You can play a role here: organise regular workshops, conferences, have face to face meetings
+ \end{itemize}
+ \item Practical restrictions
+ \begin{itemize}
+ \item "We don't have information to share."
+ \item "We don't have time to process or contribute indicators."
+ \item "Our model of classification doesn't fit your model."
+ \item "Tools for sharing information are tied to a specific format, we use a different one."
+ \end{itemize}
+ \item Legal restrictions
+ \begin{itemize}
+ \item "Our legal framework doesn't allow us to share information."
+ \item "Risk of information leak is too high and it's too risky for our organization or partners."
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{A quick note on compliance...}
+\begin{itemize}
+ \item MISP project collaborated with legal advisory services
+ \begin{itemize}
+ \item Information sharing and cooperation {\bf enabled by GDPR};
+ \item {\bf ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications;
+ \item How MISP enables stakeholders identified by the {\bf NISD} to perform key activities;
+ \item Guidelines to setting up an information sharing community such as an ISAC or ISAO;
+ \end{itemize}
+ \item For more information: https://www.misp-project.org/compliance/
+\end{itemize}
+\end{frame}
+
+\section{Interesting visual features \\ for analysts}
+
+\begin{frame}
+ \frametitle{MISP feature - correlation}
+ \begin{itemize}
+ \item MISP includes a {\bf powerful engine for correlation} which allows analysts to discover correlating values between attributes.
+ \item Getting a direct benefit from shared information by other ISAC members.
+ \end{itemize}
+ \includegraphics[scale=0.20]{../images/correlation.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{MISP feature - event graph}
+ \begin{itemize}
+ \item {\bf Analysts can create stories} based on graph relationships between objects, attributes.
+ \item ISACs users can directly understand the information shared.
+ \end{itemize}
+ \includegraphics[scale=0.20]{../images/event-graph.png}
+\end{frame}
+
+\section{The importance of \\ contextualisation}
+
+\begin{frame}
+\frametitle{Contextualising the information}
+\begin{itemize}
+ \item Sharing {\bf technical information} is a {\bf great start}
+ \item However, to truly create valueable information for your community, always consider the context:
+ \begin{itemize}
+ \item Your IDS might not care why it should alert on a rule
+ \item But your analysts will be interested in the threat landscape and the "big picture"
+ \end{itemize}
+ \item Classify data to make sure your partners understand why it is {\bf important for you}, so they can see why it could be {\bf useful to them}
+ \item Massively important once an organisation has the maturity to filter the most critical {\bf subsets of information for their own defense}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Choice of vocabularies}
+\begin{itemize}
+ \item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data
+ \item However, this includes different vocabularies with obvious overlaps
+ \item MISP allows you to {\bf pick and choose vocabularies} to use and enforce in a community
+ \item Good idea to start with this process early
+ \item If you don't find what you're looking for:
+ \begin{itemize}
+ \item Create your own (JSON format, no coding skills required)
+ \item If it makes sense, share it with us via a pull request for redistribution
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Shared libraries of meta-information (Galaxies)}
+\begin{itemize}
+ \item The MISPProject in co-operation with partners provides a {\bf curated list of galaxy information}
+ \item Can include information packages of different types, for example:
+ \begin{itemize}
+ \item Threat actor information
+ \item Specialised information such as Ransomware, Exploit kits, etc
+ \item Methodology information such as preventative actions
+ \item Classification systems for methodologies used by adversaries - ATT\&CK
+ \end{itemize}
+ \item Consider improving the default libraries or contributing your own (simple JSON format)
+ \item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners
+ \item Pull requests are always welcome
+\end{itemize}
+\end{frame}
+
+\section{False-positive handling}
+
+\begin{frame}
+\frametitle{False-positives handling}
+\begin{itemize}
+ \item You might often fall into the trap of discarding seemingly "junk" data
+ \item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
+ \begin{itemize}
+ \item Be lenient when considering what to keep
+ \item Be strict when you are feeding tools
+ \end{itemize}
+\item MISP allows you to {\bf filter out the relevant data on demand} when feeding protective tools
+\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Many objectives from different user-groups}
+ \begin{itemize}
+ \item Sharing indicators for a {\bf detection} matter.
+ \begin{itemize}
+ \item 'Do I have infected systems in my infrastructure or the ones I operate?'
+ \end{itemize}
+ \item Sharing indicators to {\bf block}.
+ \begin{itemize}
+ \item 'I use these attributes to block, sinkhole or divert traffic.'
+ \end{itemize}
+ \item Sharing indicators to {\bf perform intelligence}.
+ \begin{itemize}
+ \item 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
+ \end{itemize}
+ \item $\rightarrow$ These objectives can be conflicting (e.g. False-positives have different impacts)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{False-positive handling}
+\begin{itemize}
+ \item {\bf Analysts} will often be interested in the {\bf modus operandi} of threat actors over {\bf long periods of time}
+ \item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
+ \item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
+\end{itemize}
+\centering\includegraphics[scale=0.8]{../images/false-positive.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Managing sub-communities}
+\begin{itemize}
+ \item Often within a community {\bf smaller bubbles of information sharing will form}
+ \item For example: Within a national private sector sharing community, specific community for financial institutions
+ \item Sharing groups serve this purpose mainly
+ \item As an ISAC running a national community, consider bootstraping these sharing communities
+ \item Organisations can of course self-organise, but you are the ones with the know-how to get them started
+\end{itemize}
+\end{frame}
+
+\section{Conclusion}
+
+\begin{frame}
+ \frametitle{Conclusion and additional challenges}
+ \begin{itemize}
+ \item MISP is a complete and advanced tool ...
+ \item ... but also {\bf just one part of the puzzle} in any sharing community
+ \item Information sharing presumes knowledge of {\bf contacts}
+ \item Member to Member direct {\bf exchanges between MISPs and other tools} requires some know how
+ \item Creating reusable community-specific {\bf distribution lists} need to be maintained
+ \item Maintaining common {\bf community specific information knowledgebases} can be challenging
+ \item {\bf Fleet management} for larger organisations needs additional work
+ \item There's a European project and an open-source tool we are developing to address these points
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Get in touch if you need some help to get started}
+ \begin{itemize}
+ \item Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions!
+ \item Contact: info@circl.lu
+ \item \url{https://www.circl.lu/}
+ \item \url{https://github.com/MISP} \url{https://gitter.im/MISP/MISP} \url{https://twitter.com/MISPProject}
+ \end{itemize}
+\end{frame}
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/Introduction_to_MISP_and_ISACs.tex b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/Introduction_to_MISP_and_ISACs.tex
new file mode 100644
index 0000000..75c6814
--- /dev/null
+++ b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/Introduction_to_MISP_and_ISACs.tex
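Review bot: The "A quick note on compliance..." frame states that sharing is "enabled by GDPR" with no caveat, while the financial-sector frame earlier in the same file describes sharing mule accounts, which are personal data; a bullet such as `\item Personal data inside indicators (mule accounts, e-mail addresses, IP addresses) still needs a documented lawful basis and minimisation -- set distribution levels / sharing groups so it never syncs beyond the intended community` would close that gap. On the same frame the link is typed raw, `https://www.misp-project.org/compliance/`, whereas the closing frame wraps links in `\url{}`; `\item For more information: \url{https://www.misp-project.org/compliance/}` keeps it consistent and line-breakable. Two frames carry the title "Managing sub-communities" (the compartmentalisation one and the sharing-groups one), which makes the deck harder to navigate; renaming the second, e.g. `\frametitle{Sharing groups for sub-communities}`, would help. Spelling slips visible in the hunk -- "likelyhood", "occurences", "Supporitng", "immitate"/"immitation", "valueable", "verify versatile", "possibily", "bootstraping" -- are worth a pass before the slides PDF is regenerated.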
@@ -0,0 +1,23 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\author{\input{../includes/authors.txt} \\ \emph{\input{../includes/classification.txt}}}
+\title{Introduction to MISP and ISACs}
+\subtitle{The importance of sharing communities}
+\institute{}
+\titlegraphic{\includegraphics[scale=0.85]{../images/misp.pdf}}
+\date{\input{../includes/location.txt}}
+
+\begin{document}
+\include{IntroductionToMISPandISACs_content}
+\end{document}
+
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/correlation.png b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/correlation.png
new file mode 100644
index 0000000..df5b653
Binary files /dev/null and b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/correlation.png differ
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/event-graph.png b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/event-graph.png
new file mode 100644
index 0000000..d0ee43a
Binary files /dev/null and b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/event-graph.png differ
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/false-positive.png b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/false-positive.png
new file mode 100644
index 0000000..7dd3dea
Binary files /dev/null and b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/false-positive.png differ
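Review bot: `\include{IntroductionToMISPandISACs_content}` is used for a fragment whose own header says it is meant to be pulled into other .tex files; `\include` forces a `\clearpage` and writes a separate .aux, which is chapter-partitioning machinery, so `\input{IntroductionToMISPandISACs_content}` is the conventional choice for a slide fragment. The preamble loads `tikz`, `listings` and two TikZ libraries, but nothing in the content hunk of this commit uses them, so they can be dropped rather than carried as unused build dependencies. Only `\usepackage[utf8]{inputenc}` is loaded; adding `\usepackage[T1]{fontenc}` gives proper hyphenation and copyable PDF text under pdfLaTeX. Note also that the classification read from `classification.txt` (TLP:CLEAR in this commit) is only placed in `\author`, i.e. on the title page, so individual frames carry no marking -- worth confirming the `focus` theme's footer surfaces it, or adding it there, before this template is reused for a non-CLEAR deck.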
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/misp.pdf b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/misp.pdf differ
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/power-responsibility.png b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/power-responsibility.png
new file mode 100644
index 0000000..697909c
Binary files /dev/null and b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/power-responsibility.png differ
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/sharing.jpeg b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/sharing.jpeg
new file mode 100644
index 0000000..3296d43
Binary files /dev/null and b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/images/sharing.jpeg differ
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/authors.txt b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/authors.txt
new file mode 100644
index 0000000..0fab002
--- /dev/null
+++ b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/authors.txt
@@ -0,0 +1 @@
+Team CIRCL
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/classification.txt b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/classification.txt
new file mode 100644
index 0000000..849dd71
--- /dev/null
+++ b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/classification.txt
@@ -0,0 +1 @@
+TLP:CLEAR
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/location.txt b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/location.txt
new file mode 100644
index 0000000..5851786
--- /dev/null
+++ b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/includes/location.txt
@@ -0,0 +1 @@
+AusCERT 2024
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/slides/Introduction_to_MISP_and_ISACs.pdf b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/slides/Introduction_to_MISP_and_ISACs.pdf
new file mode 100644
index 0000000..b38c405
Binary files /dev/null and b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/slides/Introduction_to_MISP_and_ISACs.pdf differ