new: [a.zz-isacs] Removed old slides and updated text - WiP

a.zz-misp-and-isacs/content.aux

@@ -1,97 +0,0 @@
-\relax 
-\providecommand\hyper@newdestlabel[2]{}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {11}{11}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {12}{12}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {15}{15}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {16}{16}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {17}{17}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {18}{18}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {19}{19}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{20}{20/20}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {20}{20}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{21}{21/21}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {21}{21}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{22}{22/22}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {22}{22}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{23}{23/23}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {23}{23}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{24}{24/24}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {24}{24}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{25}{25/25}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {25}{25}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{26}{26/26}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {26}{26}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{27}{27/27}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {27}{27}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{28}{28/28}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {28}{28}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{29}{29/29}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {29}{29}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{30}{30/30}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {30}{30}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{31}{31/31}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {31}{31}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{32}{32/32}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {32}{32}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{33}{33/33}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {33}{33}}}
-\@writefile{nav}{\headcommand {\slideentry {0}{0}{34}{34/34}{}{0}}}
-\@writefile{nav}{\headcommand {\beamer@framepages {34}{34}}}
-\@setckpt{content}{
-\setcounter{page}{35}
-\setcounter{equation}{0}
-\setcounter{enumi}{0}
-\setcounter{enumii}{0}
-\setcounter{enumiii}{0}
-\setcounter{enumiv}{0}
-\setcounter{footnote}{3}
-\setcounter{mpfootnote}{0}
-\setcounter{beamerpauses}{1}
-\setcounter{bookmark@seq@number}{0}
-\setcounter{lecture}{0}
-\setcounter{part}{0}
-\setcounter{section}{0}
-\setcounter{subsection}{0}
-\setcounter{subsubsection}{0}
-\setcounter{subsectionslide}{34}
-\setcounter{framenumber}{33}
-\setcounter{figure}{0}
-\setcounter{table}{0}
-\setcounter{parentequation}{0}
-\setcounter{theorem}{0}
-\setcounter{realframenumber}{33}
-\setcounter{lstnumber}{1}
-\setcounter{section@level}{0}
-\setcounter{lstlisting}{0}
-}

a.zz-misp-and-isacs/content.tex

@@ -6,434 +6,266 @@
 \end{frame}
 
 \begin{frame}
-\frametitle{Who we are - MISP and CIRCL}
+    \frametitle{\texttt{\$whoarewe} - MISP and CIRCL}
-\begin{itemize}
+    \begin{center}
-\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector.
+            \includegraphics[width=1.0\textwidth]{misp-banner.png}
-\item {\bf CIRCL leads the development} of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
+    \end{center}
-\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
+    \begin{center}
-\item Funding is shared between Luxembourg, several European Union programs and partnerships (EU/US) agreements.
+            \includegraphics[width=0.35\textwidth]{circl.png}
-\end{itemize}
+    \end{center}
-\end{frame}
+    \begin{itemize}
-\begin{frame}
+            \item CIRCL is mandated by the Ministry of Economy
-	\frametitle{Plan}
+            \item CIRCL leads the development of MISP.
+            \item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
+            \item Funding is from LU, several EU programs and partnerships (EU/US) agreements.
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Plan of this session}
+    \begin{itemize}
+        \item MISP Intro: What it is, and what it can do
+        \item Current state and Future of MISP
+        \item How can MISP supports ISACs and its members
+    \end{itemize}
+    \vspace{1em}
     \begin{itemize}
-		\item An introduction to the MISP project and how it supports ISACs.
         \item Building an information sharing community, lessons learnt and best practices\footnote{We published the complete guidelines in \url{https://www.x-isac.org/assets/images/guidelines_to_set-up_an_ISAC.pdf}}.
     \end{itemize}
 \end{frame}
 
+\begin{frame}
+    \frametitle{What is MISP?}
+    \begin{itemize}
+        \item MISP is a {\bf threat information sharing platform} ({\bf TISP}) that is free \& open source software
+        \item Mature project that was started in 2012, and since then, has been following a community-driven development
+    \end{itemize}
+
+    \begin{center}
+        \includegraphics[width=0.99\linewidth]{release_overtime.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{What is MISP?}
+    \begin{itemize}
+        \item Used worldwide to share threat-related information
+        \item \textbf{Open-source commitment}: Users of MISP can rely on the tool never turning into closed source
+    \end{itemize}
+
+    \begin{center}
+        \includegraphics[width=0.99\linewidth]{contributors.png}
+    \end{center}
+\end{frame}
+
+\begin{frame}
+    \frametitle{What is MISP? (1)}
+    \begin{itemize}
+        \item MISP is a {\bf threat information sharing platform} ({\bf TISP}) that is free \& open source software
+        \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
+        \item Normalises, {\bf correlates}, {\bf enriches} the data
+        \item Allows teams and communities to {\bf collaborate}
+        \item {\bf Feeds} automated protective tools and analyst tools with the output
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Who is using MISP?}
+    {\bf Communities:} groups of users sharing within a set of common objectives/values.
+    \vspace{0.5em}
+    \begin{itemize}
+        \item {\bf Private sector} Financial, Manufacturing, Telecommunication
+        \item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
+        \item {\bf Security vendors} running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
+        \item {\bf Topical communities} set up to tackle individual specific issues (COVID-19 MISP)
+        \item {\bf ISACs} for many sectors (telecom, retail, aviations, ...) use MISP as a sharing mechanism
+        \item {\bf Trusted groups} running MISP communities in island mode (air gapped system) or partially connected mode.
+        \item {\bf LEA Agencies} EUROPOL, INTERPOL, MISP-LEA, $\cdots$
+        \item {\bf International groups} FIRST.org, MISP-Priv, $\cdots$
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{What is MISP? (2)}
+    MISP is designed from the ground up to perform context-rich \textbf{threat intelligence}:
+    \vspace{0.5em}
+    \begin{itemize}
+           \item {\bf Enrich} information with context and metadata
+           \item Maps {\bf Threats and TTPs} (e.g MITRE ATT\&CK)
+           \item Supports many {\bf standardized classification} marking
+           \item Enables information {\bf curation} through automated quality checks
+           \item Offers visualisation of threat {\bf relationships} and \textbf{technique} used
+           \item Generates customizable {\bf threat reports}
+           \item Allows creation of {\bf Dashboard} for trend analysis
+    \end{itemize}
+\end{frame}
+
 \begin{frame}
     \frametitle{MISP Project Overview}
-        \includegraphics[scale=0.35]{misp-overview-simplified.pdf}
+    \begin{center}
-\end{frame}
+        \includegraphics[width=0.85\linewidth]{misp-overview-simplified.pdf}
-
+    \end{center}
-\begin{frame}
-    \frametitle{MISP features}
-    \begin{itemize}
-            \item MISP project is an open source project developed the past 10-year with a large and active community.
-            \item A complete set of features in MISP to work as a {\bf threat intelligence platform} with a strong set of {\bf information sharing capabilities}. 
-            \item A {\bf flexible information sharing} model to support centralised, distributed or mixed model ISACs.
-            \item Integration and extensability functionalities allow MISP to support different use-cases (from cybersecurity to complex intelligence community requirements).
-    \end{itemize}
-\end{frame}
-
-\begin{frame}
-    \frametitle{MISP feature - correlation}
-    \begin{itemize}
-        \item MISP includes a {\bf powerful engine for correlation} which allows analysts to discover correlating values between attributes. 
-        \item Getting a direct benefit from shared information by other ISAC members.
-    \end{itemize}
-    \includegraphics[scale=0.20]{campaign.png}
-\end{frame}
-
-\begin{frame}
-    \frametitle{MISP feature - event graph}
-    \begin{itemize}
-        \item {\bf Analysts can create stories} based on graph relationships between objects, attributes.
-         \item ISACs users can directly understand the information shared.
-    \end{itemize}
-    \includegraphics[scale=0.20]{event-graph.png}
-\end{frame}
-
-\begin{frame}
-    \frametitle{MISP feature - workflow}
-    \begin{itemize}
-        \item MISP can control publication steps via {\bf customised workflow} when publishing events, creating new users... 
-        \item ISACs can enforce specific policies and rules via workflows.  
-    \end{itemize}
-    \includegraphics[scale=0.20]{workflow.png}
-\end{frame}
-
-\begin{frame}
-    \frametitle{MISP feature - flexible data models} 
-    \begin{itemize}
-        \item MISP can be easily customised to support other data models (via {\bf object templates, taxonomies and galaxies}).
-        \item ISACs don't need to change their models, policies or structure.
-        \item A library of {\bf 290+ objects, 200+ taxonomies and many galaxies} (such as MITRE ATT\&CK) are available. 
-    \end{itemize}
-    \includegraphics[scale=0.12]{galaxy.png}
 \end{frame}
 
 
 \begin{frame}
-\frametitle{Communities operated by CIRCL}
+    \frametitle{Sharing in MISP (1)}
-\begin{itemize}
+    \begin{center}
-        \item As a CSIRT, CIRCL operates a wide range of communities
+        \includegraphics[width=0.99\linewidth]{misp-infosharing.png}
-        \item We use it as an {\bf internal tool} to cover various day-to-day activities
+    \end{center}
-        \item Whilst being the main driving force behind the development, we're also one of the largest consumers
-	\item Different communities have different needs and restrictions
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Communities operated by CIRCL}
+    \frametitle{Sharing in MISP (2)}
-\begin{itemize}
+    MISP offers a wide range of strategy to share information:
-        \item Private sector community
     \begin{itemize}
-		\item Our largest sharing community
+        \item Many {\bf distribution level} offering granularity
-		\item Over {\bf +1500 organisations}
+        \item Sharing via distribution lists - {\bf Sharing groups}
-		\item {\bf +4000 users}
+        \item {\bf Delegation} for pseudo-anonymised information sharing
-		\item Functions as a central hub for a lot of different sharing communities
+        \item {\bf Proposals} and {\bf Extended events} for collaborated information sharing
-		\item Private organisations, researchers, various SoCs, some CSIRTs, etc
+        \item Synchronisation, Feed system, air-gapped sharing
+        \item User defined {\bf filtered sharing} for all the above mentioned methods
+        \item Cross-instance information {\bf caching} for quick lookups of large data-sets
+        \item Support for multi-MISP \textbf{internal enclaves}
     \end{itemize}
-	\item CSIRT community
-	\begin{itemize}
-		\item Tighter community
-		\item National CSIRTs, connections to international organisations, etc
-	\end{itemize}
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Communities co-operated and supported by CIRCL}
+    \frametitle{Information quality management}
-\begin{itemize}
+    MISP has many features to help you manage and curate the data:
-	\item Financial sector community
     \begin{itemize}
-		\item Banks, payment processors, etc.
+        \item \textbf{Correlating} data
-		\item Sharing of {\bf mule accounts} and {\bf non-cyber threat information}
+        \item Feedback loop from detections via {\bf Sightings}
+        \item {\bf False positive management} via the warninglist system
+        \item {\bf Enrichment system} via MISP-modules
+        \item {\bf workflow} system to review and control information publication
+        \item {\bf Integrations} with a plethora of tools and formats
+        \item Flexible {\bf API} and support {\bf libraries} such as PyMISP to ease integration
+        \item {\bf Timelines} and giving information a temporal context
+        \item Full chain for {\bf indicator life-cycle management}
     \end{itemize}
-    \item X-ISAC\footnote{\url{https://www.x-isac.org/}}
-	\begin{itemize}
-		\item {\bf Bridging the gap} between the various sectorial and geographical ISACs
-		\item New, but ambitious initiative
-		\item Goal is to {\bf bootstrap the cross-sectorial sharing} along with building the infrastructure to enable sharing when needed
-	\end{itemize}
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Communities supported by CIRCL}
+    \frametitle{Integration and Automation ecosystem}
-\begin{itemize}
+    MISP has many features to help you integrate various tools, processes and workflows
-        \item ISAC / specialised community MISPs
     \begin{itemize}
-            \item Topical or community specific instances hosted or co-managed by CIRCL
+        \item REST-full API \& PyMISP
-            \item Examples, GSMA, FIRST.org, CSIRT network, PISAX.org, etc
+        \item PubSub channels (ZeroMQ \& Kafka)
-            \item Often come with their {\bf own taxonomies and domain specific object definitions}
+        \item Enrichment \& Import/Export service through MISP-modules
+        \item Workflow system: Quick and easy automation based on trigger/conditions/actions blocks
     \end{itemize}
-	\item FIRST.org's MISP community
-	\item Telecom and Mobile operators' such as GSMA T-ISAC community
-	\item Various ad-hoc communities for exercises for example
-	\begin{itemize}
-		\item The ENISA exercise for example
-         \item Locked Shields exercise
-	\end{itemize}
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Sharing Scenarios in MISP}
+    \frametitle{Using the Power of the Community}
-\begin{itemize}
+    MISP has many features to foster collaboration. To name a few:
-	\item Sharing can happen for {\bf many different reasons}. Let's see what we believe are the typical CSIRT scenarios
-        \item We can generally split these activities into 4 main groups when we're talking about traditional CSIRT tasks:
     \begin{itemize}
-		\item Core services
+        \item Proposals
-		\item Proactive services
+        \item Analyst Data
-		\item Advanced services
+        \item Delegation
-		\item Sharing communities managed by CSIRTs for various tasks
+        \item Sightings
+        \item Extended Events
+        \item Sharing-Groups
     \end{itemize}
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{CSIRT core services}
+    \frametitle{Getting started: Joining/Running a sharing community using MISP}
-\begin{itemize}
+
-	\item Incident response
+    \begin{minipage}[t]{0.5\textwidth}
+        \begin{center}
+            \bf \Large As a Member
+        \end{center}
         \begin{itemize}
-		\item {\bf Internal storage} of incident response data
+            \item \textbf{Join} a "Hub" MISP instance
-		\item Sharing of indicators {\bf derived from incident response}
+            \item \textbf{Host your own} MISP instance and connect to a "Hub"
-		\item {\bf Correlating data} derived and using the built in analysis tools
-		\item {\bf Enrichment} services
-		\item {\bf Collaboration} with affected parties via MISP during IR
-		\item {\bf Co-ordination} and collaboration
-		\item {\bf Takedown} requests
         \end{itemize}
-	\item Alerting of information leaks (integration with {\bf AIL}\footnote{\url{https://www.ail-project.org/}})
+    \end{minipage}%
-\end{itemize}
+    \begin{minipage}[t]{0.5\textwidth}
+        \begin{center}
+            \bf \Large As a ISAC
+        \end{center}
+        Plan ahead:
+        \begin{itemize}
+            \item Estimate community \textbf{requirements and objectives}
+            \item Decide on \textbf{common vocabularies}
+            \item \textbf{Offer services} to your members
+            \begin{itemize}
+                \item Enrichment, Curation, $\cdots$
+            \end{itemize}
+        \end{itemize}
+    \end{minipage}%
 \end{frame}
 
 \begin{frame}
-\frametitle{CSIRT proactive services}
+    \frametitle{Success/Failure stories in MISP communities}
-\begin{itemize}
+    TODO: To be added by alex
-	\item {\bf Contextualising} both internal and external data
-	\item {\bf Collection} and {\bf dissimination} of data from various sources (including OSINT)
-	\item Storing, correlating and sharing own manual research ({\bf reversing, behavioural analysis})
-	\item Aggregating automated collection ({\bf sandboxing, honeypots, spamtraps, sensors})
     \begin{itemize}
-		\item MISP allows for the creation of {\bf internal MISP "clouds"}
+        \item CSSA
-		\item Store {\bf large specialised datasets} (for example honeypot data)
+        \item Forced sharing as a requirement
-		\item MISP has {\bf interactions with} a large set of such {\bf tools} (Cuckoo, Mail2MISP, etc)
     \end{itemize}
-	\item {\bf Situational awareness} tools to monitor trends and adversary TTPs within my sector/geographical region (MISP-dashboard, built in statistics)
-\end{itemize}
-\end{frame}
-
-%\begin{frame}
-%\frametitle{CSIRT proactive services - MISP dashboard}
-%\includegraphics[scale=0.18]{screenshots/dashboard-live.png}
-%\end{frame}
-
-%\begin{frame}
-%\frametitle{CSIRT proactive services - MISP dashboard}
-%\includegraphics[scale=0.18]{screenshots/dashboard-trendings.png}
-%\end{frame}
-
-\begin{frame}
-\frametitle{CSIRT advanced services}
-\begin{itemize}
-	\item Supporting {\bf forensic analysts}
-	\item Collaboration with {\bf law enforcement}
-	\item {\bf Vulnerability} information sharing
-	\begin{itemize}
-		\item {\bf Notifications} to the constituency about relevant vulnerabilities
-		\item {\bf Co-ordinating} with vendors for notifications (*)
-		\item Internal / closed community sharing of pentest results
-	\end{itemize}
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}
-\frametitle{ISACs and CSIRT role in information sharing}
-\begin{itemize}
-	\item {\bf Reporting} non-identifying information about incidents (such as outlined in NISD)
-	\item {\bf Seeking} and engaging in {\bf collaboration} with CSIRT or other parties during an incident
-	\item Pre-sharing information to {\bf request for help} / additional information from the community
-	\item {\bf Pseudo-anonymised sharing} through 3rd parties to {\bf avoid attribution} of a potential target
-	\item Building processes for {\bf other types of sharing} to get the community engaged and acquainted with the methodologies of sharing (mule account information, disinformation campaigns, border control, etc)
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Compliance, legal framework and ISACs}
+    \frametitle{Advantage of MISP being free and open-source}
-\begin{itemize}
+    TODO: To be added by alex
-	\item MISP project collaborated with legal advisory services
-	\begin{itemize}
-		\item Information sharing and cooperation {\bf enabled by GDPR};
-		\item How MISP enables stakeholders identified by the {\bf NISD} to perform key activities;
-        \item {\bf ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications;
-        \item Guidelines to setting up an information sharing community such as an ISAC or ISAO;
-	\end{itemize}
-	\item For more information: https://www.misp-project.org/compliance/
-\end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Getting started with building your own sharing community}
+    \frametitle{Future of MISP: What's ongoing}
-\begin{itemize}
+    \begin{minipage}[t]{0.5\textwidth}
-	\item Starting a sharing community is {\bf both easy and difficult} at the same time
+    \textbf{Medium term:}
-    \item Many moving parts and most importantly, you'll be dealing with a {\bf diverse group of people}
+    \begin{itemize}
-	\item Understanding and working with your constituents to help them face their challenges is key
+        \item We just release a minor version \texttt{2.4}
-\end{itemize}
+        \item Support \texttt{2.4} until 6 months after \texttt{2.5}'s release
+        \item Full feature parity and compatibility
+        \item In progress: Installation/update scripts for alternate distros
+    \end{itemize}
+    \end{minipage}%
+    \begin{minipage}[t]{0.5\textwidth}
+    \textbf{Long term:} Major version \texttt{3.0}
+    \begin{itemize}
+        \item Purge old/unused functionalities
+        \item Port of the codebase to a new stack
+        \item Rework DB updates
+        \item Revamp front-end \& aesthetics
+        \item Analyst centric perspective
+        \item Improved search and trend 
+        \item Improved performance
+    \end{itemize}
+    \end{minipage}%
 \end{frame}
 
 \begin{frame}
-\frametitle{Running a sharing community using MISP - How to get going?}
+    \frametitle{CIRCL's MISP Professional Services (MPS)}
-\begin{itemize}
-	\item Different models for constituents
     \begin{itemize}
-        \item {\bf Connecting to} a MISP instance hosted by a ISAC 
+        \item We are confortably funded for the project to continue to prospere
-        \item {\bf Hosting} their own instance and connecting to ISAC's MISP
+        \item MPS offers professional services \& supports the growth of the project
-        \item {\bf Becoming member} of a sectorial MISP community that is connected to ISAC's community
     \end{itemize}
-	\item Planning ahead for future growth
+    \vspace{1em}
+    CIRCL's Offering:
     \begin{itemize}
-		\item Estimating requirements
+        \item \textbf{Support Contract} - Prioritized resolution of issues and guidance
-		\item Deciding early on common vocabularies
+        \item \textbf{Training} - Adapted to the level of expertise of the participants
-		\item Offering services through MISP
+            \begin{itemize}
+                \item {\small Free onboarding MISP training for ISACs and it's member}
             \end{itemize}
-\end{itemize}
+            \item \textbf{Hosting} - Hosted on our infrastructure (LU): Virtual or Dedicated
-\end{frame}
-
-\begin{frame}
-\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
-\begin{itemize}
-    \item {\bf Lead by example} - the power of immitation
-    \item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
             \begin{itemize}
-		\item What should the information look like?
+                \item {\small Maintenance of OS \& MISP, Early patching for security issues}
-		\item How should it be contextualise
-		\item What do you consider as useful information?
-		\item What tools did you use to get your conclusions?
-        \item How the information could be used by the ISAC members?
-	\end{itemize}
-\item Side effect is that you will end up {\bf raising the capabilities of your constituents}
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{What counts as valuable data?}
-\begin{itemize}
-	\item Sharing comes in many shapes and sizes
-	\begin{itemize}
-		\item Sharing results / reports is the classical example
-		\item Sharing enhancements to existing data
-		\item Validating data / flagging false positives
-		\item Asking for support from the community
-	\end{itemize}
-\item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{How to deal with organisations that only "leech"?}
-\begin{itemize}
-    \item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
-	\item We have come across some communities with sharing requirements
-	\item In our experience, this sets you up for failure because:
-	\begin{itemize}
-		\item Organisations losing access are the ones who would possibily benefit the most from it
-		\item Organisations that want to stay above the thresholds will start sharing junk / fake data
-		\item You lose organisations that might turn into valuable contributors in the future
-	\end{itemize}
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{So how does one convert the passive organisations into actively sharing ones?}
-\begin{itemize}
-    \item Rely on {\bf organic growth} and it takes time (+2 years is common)
-    \item {\bf Help} them increase their capabilities
-	\item As mentioned before, lead by example
-	\item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
-    \item {\bf Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{Dispelling the myths around blockers when it comes to information sharing}
-        \begin{itemize}
-                \item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
-		\begin{itemize}
-			\item You can play a role here: organise regular workshops, conferences, have face to face meetings
-		\end{itemize}
-                \item Legal restrictions
-                        \begin{itemize}
-                                \item "Our legal framework doesn't allow us to share information."
-                                \item "Risk of information leak is too high and it's too risky for our organization or partners."
-                        \end{itemize}
-                \item Practical restrictions
-                        \begin{itemize}
-                                \item "We don't have information to share."
-                                \item "We don't have time to process or contribute indicators."
-                                \item "Our model of classification doesn't fit your model."
-                                \item "Tools for sharing information are tied to a specific format, we use a different one."
             \end{itemize}
     \end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Contextualising the information}
+    \frametitle{Conclusion}
-\begin{itemize}
-    \item Sharing {\bf technical information} is a {\bf great start}
-	\item However, to truly create valueable information for your community, always consider the context:
     \begin{itemize}
-		\item Your IDS might not care why it should alert on a rule
+            \item MISP is just a tool. What matters is your {\bf sharing practices}.
-		\item But your analysts will be interested in the threat landscape and the "big picture"
+            \item MISP strives to meet any community's use-cases.
-	\end{itemize}
+            \item MISP project combines {\bf open source softwares}, {\bf open standards \& best practices} to make information sharing a reality.
-    \item Classify data to make sure your partners understand why it is {\bf important for you}, so they can see why it could be {\bf useful to them}
-    \item Massively important once an organisation has the maturity to filter the most critical {\bf subsets of information for their own defense}
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{Choice of vocabularies}
-\begin{itemize}
-    \item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data
-	\item However, this includes different vocabularies with obvious overlaps
-    \item MISP allows you to {\bf pick and choose vocabularies} to use and enforce in a community
-	\item Good idea to start with this process early
-	\item If you don't find what you're looking for:
-	\begin{itemize}
-		\item Create your own (JSON format, no coding skills required)
-		\item If it makes sense, share it with us via a pull request for redistribution
-	\end{itemize}
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{Conclusion}
-    \begin{itemize}
-        \item MISP is a complete and advanced open source stack available to create large international sharing communities (JP/US/EU).
-        \item Building and improving ISACs is critical to limit the impact of security threats.
-        \item We welcome partnerships in the field of information sharing.
     \end{itemize}
 \end{frame}
 
 
-\begin{frame}
-\frametitle{Get in touch if you need some help to get started}
-\begin{itemize}
-\item Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions!
-\item Contact: info@circl.lu
-\item \url{https://www.circl.lu/}
-\item \url{https://github.com/MISP}  \url{https://www.misp-project.org/}  \url{https://twitter.com/MISPProject}
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{Backup slides}
-{\center Backup slides}
-\end{frame}
-
-\begin{frame}
-\frametitle{Shared libraries of meta-information (Galaxies)}
-\begin{itemize}
-    \item The MISPProject in co-operation with partners provides a {\bf curated list of galaxy information}
-	\item Can include information packages of different types, for example:
-	\begin{itemize}
-        \item Threat actor information (event different models or approaches)
-		\item Specialised information such as Ransomware, Exploit kits, etc
-		\item Methodology information such as preventative actions
-		\item Classification systems for methodologies used by adversaries - ATT\&CK
-	\end{itemize}
-	\item Consider improving the default libraries or contributing your own (simple JSON format)
-    \item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners
-	\item Pull requests are always welcome
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{False-positive handling}
-\begin{itemize}
-	\item You might often fall into the trap of discarding seemingly "junk" data
-	\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
-	\begin{itemize}
-		\item Be lenient when considering what to keep
-		\item Be strict when you are feeding tools
-	\end{itemize}
-\item MISP allows you to {\bf filter out the relevant data on demand} when feeding protective tools
-\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}
-\end{itemize}
-\end{frame}
-
-\begin{frame}
-\frametitle{False-positive handling}
-\begin{itemize}
-    \item {\bf Analysts} will often be interested in the {\bf modus operandi} of threat actors over {\bf long periods of time}
-	\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
-	\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
-\end{itemize}
-\includegraphics[scale=0.8]{screenshots/false-positive.png}
-\end{frame}
-
 

a.zz-misp-and-isacs/slide.aux

@@ -1,27 +0,0 @@
-\relax 
-\providecommand\hyper@newdestlabel[2]{}
-\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
-\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
-\global\let\oldcontentsline\contentsline
-\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
-\global\let\oldnewlabel\newlabel
-\gdef\newlabel#1#2{\newlabelxx{#1}#2}
-\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
-\AtEndDocument{\ifx\hyper@anchor\@undefined
-\let\contentsline\oldcontentsline
-\let\newlabel\oldnewlabel
-\fi}
-\fi}
-\global\let\hyper@last\relax 
-\gdef\HyperFirstAtBeginDocument#1{#1}
-\providecommand\HyField@AuxAddToFields[1]{}
-\providecommand\HyField@AuxAddToCoFields[2]{}
-\providecommand\BKM@entry[2]{}
-\@input{content.aux}
-\pgfsyspdfmark {pgfid1}{1398509}{16636717}
-\@writefile{nav}{\headcommand {\beamer@partpages {1}{34}}}
-\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{34}}}
-\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{34}}}
-\@writefile{nav}{\headcommand {\beamer@documentpages {34}}}
-\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {33}}}
-\gdef \@abspage@last{34}

a.zz-misp-and-isacs/slide.nav

@@ -1,73 +0,0 @@
-\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
-\headcommand {\beamer@framepages {1}{1}}
-\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
-\headcommand {\beamer@framepages {2}{2}}
-\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
-\headcommand {\beamer@framepages {3}{3}}
-\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
-\headcommand {\beamer@framepages {4}{4}}
-\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
-\headcommand {\beamer@framepages {5}{5}}
-\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
-\headcommand {\beamer@framepages {6}{6}}
-\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}
-\headcommand {\beamer@framepages {7}{7}}
-\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}
-\headcommand {\beamer@framepages {8}{8}}
-\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}
-\headcommand {\beamer@framepages {9}{9}}
-\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}
-\headcommand {\beamer@framepages {10}{10}}
-\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}
-\headcommand {\beamer@framepages {11}{11}}
-\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}
-\headcommand {\beamer@framepages {12}{12}}
-\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}
-\headcommand {\beamer@framepages {13}{13}}
-\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}
-\headcommand {\beamer@framepages {14}{14}}
-\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}
-\headcommand {\beamer@framepages {15}{15}}
-\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}
-\headcommand {\beamer@framepages {16}{16}}
-\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}
-\headcommand {\beamer@framepages {17}{17}}
-\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}
-\headcommand {\beamer@framepages {18}{18}}
-\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}
-\headcommand {\beamer@framepages {19}{19}}
-\headcommand {\slideentry {0}{0}{20}{20/20}{}{0}}
-\headcommand {\beamer@framepages {20}{20}}
-\headcommand {\slideentry {0}{0}{21}{21/21}{}{0}}
-\headcommand {\beamer@framepages {21}{21}}
-\headcommand {\slideentry {0}{0}{22}{22/22}{}{0}}
-\headcommand {\beamer@framepages {22}{22}}
-\headcommand {\slideentry {0}{0}{23}{23/23}{}{0}}
-\headcommand {\beamer@framepages {23}{23}}
-\headcommand {\slideentry {0}{0}{24}{24/24}{}{0}}
-\headcommand {\beamer@framepages {24}{24}}
-\headcommand {\slideentry {0}{0}{25}{25/25}{}{0}}
-\headcommand {\beamer@framepages {25}{25}}
-\headcommand {\slideentry {0}{0}{26}{26/26}{}{0}}
-\headcommand {\beamer@framepages {26}{26}}
-\headcommand {\slideentry {0}{0}{27}{27/27}{}{0}}
-\headcommand {\beamer@framepages {27}{27}}
-\headcommand {\slideentry {0}{0}{28}{28/28}{}{0}}
-\headcommand {\beamer@framepages {28}{28}}
-\headcommand {\slideentry {0}{0}{29}{29/29}{}{0}}
-\headcommand {\beamer@framepages {29}{29}}
-\headcommand {\slideentry {0}{0}{30}{30/30}{}{0}}
-\headcommand {\beamer@framepages {30}{30}}
-\headcommand {\slideentry {0}{0}{31}{31/31}{}{0}}
-\headcommand {\beamer@framepages {31}{31}}
-\headcommand {\slideentry {0}{0}{32}{32/32}{}{0}}
-\headcommand {\beamer@framepages {32}{32}}
-\headcommand {\slideentry {0}{0}{33}{33/33}{}{0}}
-\headcommand {\beamer@framepages {33}{33}}
-\headcommand {\slideentry {0}{0}{34}{34/34}{}{0}}
-\headcommand {\beamer@framepages {34}{34}}
-\headcommand {\beamer@partpages {1}{34}}
-\headcommand {\beamer@subsectionpages {1}{34}}
-\headcommand {\beamer@sectionpages {1}{34}}
-\headcommand {\beamer@documentpages {34}}
-\headcommand {\gdef \inserttotalframenumber {33}}

a.zz-misp-and-isacs/slide.tex

@@ -1,4 +1,4 @@
-\documentclass{beamer}
+\documentclass[aspectratio=169]{beamer}
 \usetheme[numbering=progressbar]{focus}
 \definecolor{main}{RGB}{47, 161, 219}
 \definecolor{textcolor}{RGB}{128, 128, 128}
@@ -15,7 +15,7 @@
 
 \author{Team CIRCL \\ \emph{TLP:WHITE}}
 \title{MISP Project and ISACs}
-\subtitle{{\small A versatile open source information sharing platform}}
+\subtitle{{\small A Versatile Open Source Information Sharing Platform}}
 \institute{}
 \titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
 \date{\input{../includes/location.txt}}

a.zz-misp-and-isacs/slide_handout.tex

@@ -1,4 +1,4 @@
-\documentclass{beamer}
+\documentclass[aspectratio=169]{beamer}
 \usetheme[numbering=progressbar]{focus}
 \definecolor{main}{RGB}{47, 161, 219}
 \definecolor{textcolor}{RGB}{128, 128, 128}
@@ -16,8 +16,8 @@
 %\usepackage[scaled]{beramono}
 
 \author{Team CIRCL \\ \emph{TLP:WHITE}}
-\title{MISP workshop}
+\title{MISP Project and ISACs}
-\subtitle{Introduction into Information Sharing using MISP for CSIRTs}
+\subtitle{{\small A Versatile Open Source Information Sharing Platform}}
 \institute{}
 \titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
 \date{\input{../includes/location.txt}}