MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

new: [a.zz-isacs] Removed old slides and updated text - WiP

main
Sami Mokaddem 2024-11-19 15:30:08 +01:00
parent 5dc38486f6
commit 89f8f7ae8d
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
15 changed files with 218 additions and 2055 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
a.zz-misp-and-isacs/circl.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.5 KiB

97
a.zz-misp-and-isacs/content.aux
View File

@ -1,97 +0,0 @@
\relax
\providecommand\hyper@newdestlabel[2]{}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {11}{11}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {12}{12}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {15}{15}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {16}{16}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {17}{17}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {18}{18}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {19}{19}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{20}{20/20}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {20}{20}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{21}{21/21}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {21}{21}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{22}{22/22}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {22}{22}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{23}{23/23}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {23}{23}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{24}{24/24}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {24}{24}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{25}{25/25}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {25}{25}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{26}{26/26}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {26}{26}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{27}{27/27}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {27}{27}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{28}{28/28}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {28}{28}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{29}{29/29}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {29}{29}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{30}{30/30}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {30}{30}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{31}{31/31}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {31}{31}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{32}{32/32}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {32}{32}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{33}{33/33}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {33}{33}}}
\@writefile{nav}{\headcommand {\slideentry {0}{0}{34}{34/34}{}{0}}}
\@writefile{nav}{\headcommand {\beamer@framepages {34}{34}}}
\@setckpt{content}{
\setcounter{page}{35}
\setcounter{equation}{0}
\setcounter{enumi}{0}
\setcounter{enumii}{0}
\setcounter{enumiii}{0}
\setcounter{enumiv}{0}
\setcounter{footnote}{3}
\setcounter{mpfootnote}{0}
\setcounter{beamerpauses}{1}
\setcounter{bookmark@seq@number}{0}
\setcounter{lecture}{0}
\setcounter{part}{0}
\setcounter{section}{0}
\setcounter{subsection}{0}
\setcounter{subsubsection}{0}
\setcounter{subsectionslide}{34}
\setcounter{framenumber}{33}
\setcounter{figure}{0}
\setcounter{table}{0}
\setcounter{parentequation}{0}
\setcounter{theorem}{0}
\setcounter{realframenumber}{33}
\setcounter{lstnumber}{1}
\setcounter{section@level}{0}
\setcounter{lstlisting}{0}
}

594
a.zz-misp-and-isacs/content.tex
View File

@ -6,434 +6,266 @@
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Who we are - MISP and CIRCL} \frametitle{\texttt{\$whoarewe} - MISP and CIRCL}
\begin{itemize} \begin{center}
\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector. \includegraphics[width=1.0\textwidth]{misp-banner.png}
\item {\bf CIRCL leads the development} of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally. \end{center}
\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}. \begin{center}
\item Funding is shared between Luxembourg, several European Union programs and partnerships (EU/US) agreements. \includegraphics[width=0.35\textwidth]{circl.png}
\end{itemize} \end{center}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy
\item CIRCL leads the development of MISP.
\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
\item Funding is from LU, several EU programs and partnerships (EU/US) agreements.
\end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Plan} \frametitle{Plan of this session}
\begin{itemize} \begin{itemize}
\item An introduction to the MISP project and how it supports ISACs. \item MISP Intro: What it is, and what it can do
\item Current state and Future of MISP
\item How can MISP supports ISACs and its members
\end{itemize}
\vspace{1em}
\begin{itemize}
\item Building an information sharing community, lessons learnt and best practices\footnote{We published the complete guidelines in \url{https://www.x-isac.org/assets/images/guidelines_to_set-up_an_ISAC.pdf}}. \item Building an information sharing community, lessons learnt and best practices\footnote{We published the complete guidelines in \url{https://www.x-isac.org/assets/images/guidelines_to_set-up_an_ISAC.pdf}}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Project Overview}
\includegraphics[scale=0.35]{misp-overview-simplified.pdf}
\end{frame}
\begin{frame}
\frametitle{MISP features}
\begin{itemize}
\item MISP project is an open source project developed the past 10-year with a large and active community.
\item A complete set of features in MISP to work as a {\bf threat intelligence platform} with a strong set of {\bf information sharing capabilities}.
\item A {\bf flexible information sharing} model to support centralised, distributed or mixed model ISACs.
\item Integration and extensability functionalities allow MISP to support different use-cases (from cybersecurity to complex intelligence community requirements).
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{MISP feature - correlation} \frametitle{What is MISP?}
\begin{itemize} \begin{itemize}
\item MISP includes a {\bf powerful engine for correlation} which allows analysts to discover correlating values between attributes. \item MISP is a {\bf threat information sharing platform} ({\bf TISP}) that is free \& open source software
\item Getting a direct benefit from shared information by other ISAC members. \item Mature project that was started in 2012, and since then, has been following a community-driven development
\end{itemize} \end{itemize}
\includegraphics[scale=0.20]{campaign.png}
\begin{center}
\includegraphics[width=0.99\linewidth]{release_overtime.png}
\end{center}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{MISP feature - event graph} \frametitle{What is MISP?}
\begin{itemize} \begin{itemize}
\item {\bf Analysts can create stories} based on graph relationships between objects, attributes. \item Used worldwide to share threat-related information
\item ISACs users can directly understand the information shared. \item \textbf{Open-source commitment}: Users of MISP can rely on the tool never turning into closed source
\end{itemize} \end{itemize}
\includegraphics[scale=0.20]{event-graph.png}
\begin{center}
\includegraphics[width=0.99\linewidth]{contributors.png}
\end{center}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{MISP feature - workflow} \frametitle{What is MISP? (1)}
\begin{itemize} \begin{itemize}
\item MISP can control publication steps via {\bf customised workflow} when publishing events, creating new users... \item MISP is a {\bf threat information sharing platform} ({\bf TISP}) that is free \& open source software
\item ISACs can enforce specific policies and rules via workflows. \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
\item Normalises, {\bf correlates}, {\bf enriches} the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\end{itemize} \end{itemize}
\includegraphics[scale=0.20]{workflow.png}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{MISP feature - flexible data models} \frametitle{Who is using MISP?}
{\bf Communities:} groups of users sharing within a set of common objectives/values.
\vspace{0.5em}
\begin{itemize} \begin{itemize}
\item MISP can be easily customised to support other data models (via {\bf object templates, taxonomies and galaxies}). \item {\bf Private sector} Financial, Manufacturing, Telecommunication
\item ISACs don't need to change their models, policies or structure. \item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
\item A library of {\bf 290+ objects, 200+ taxonomies and many galaxies} (such as MITRE ATT\&CK) are available. \item {\bf Security vendors} running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
\item {\bf Topical communities} set up to tackle individual specific issues (COVID-19 MISP)
\item {\bf ISACs} for many sectors (telecom, retail, aviations, ...) use MISP as a sharing mechanism
\item {\bf Trusted groups} running MISP communities in island mode (air gapped system) or partially connected mode.
\item {\bf LEA Agencies} EUROPOL, INTERPOL, MISP-LEA, $\cdots$
\item {\bf International groups} FIRST.org, MISP-Priv, $\cdots$
\end{itemize} \end{itemize}
\includegraphics[scale=0.12]{galaxy.png} \end{frame}
\begin{frame}
\frametitle{What is MISP? (2)}
MISP is designed from the ground up to perform context-rich \textbf{threat intelligence}:
\vspace{0.5em}
\begin{itemize}
\item {\bf Enrich} information with context and metadata
\item Maps {\bf Threats and TTPs} (e.g MITRE ATT\&CK)
\item Supports many {\bf standardized classification} marking
\item Enables information {\bf curation} through automated quality checks
\item Offers visualisation of threat {\bf relationships} and \textbf{technique} used
\item Generates customizable {\bf threat reports}
\item Allows creation of {\bf Dashboard} for trend analysis
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Project Overview}
\begin{center}
\includegraphics[width=0.85\linewidth]{misp-overview-simplified.pdf}
\end{center}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Communities operated by CIRCL} \frametitle{Sharing in MISP (1)}
\begin{itemize} \begin{center}
\item As a CSIRT, CIRCL operates a wide range of communities \includegraphics[width=0.99\linewidth]{misp-infosharing.png}
\item We use it as an {\bf internal tool} to cover various day-to-day activities \end{center}
\item Whilst being the main driving force behind the development, we're also one of the largest consumers
\item Different communities have different needs and restrictions
\end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Communities operated by CIRCL} \frametitle{Sharing in MISP (2)}
\begin{itemize} MISP offers a wide range of strategy to share information:
\item Private sector community \begin{itemize}
\begin{itemize} \item Many {\bf distribution level} offering granularity
\item Our largest sharing community \item Sharing via distribution lists - {\bf Sharing groups}
\item Over {\bf +1500 organisations} \item {\bf Delegation} for pseudo-anonymised information sharing
\item {\bf +4000 users} \item {\bf Proposals} and {\bf Extended events} for collaborated information sharing
\item Functions as a central hub for a lot of different sharing communities \item Synchronisation, Feed system, air-gapped sharing
\item Private organisations, researchers, various SoCs, some CSIRTs, etc \item User defined {\bf filtered sharing} for all the above mentioned methods
\end{itemize} \item Cross-instance information {\bf caching} for quick lookups of large data-sets
\item CSIRT community \item Support for multi-MISP \textbf{internal enclaves}
\begin{itemize} \end{itemize}
\item Tighter community
\item National CSIRTs, connections to international organisations, etc
\end{itemize}
\end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Communities co-operated and supported by CIRCL} \frametitle{Information quality management}
\begin{itemize} MISP has many features to help you manage and curate the data:
\item Financial sector community \begin{itemize}
\begin{itemize} \item \textbf{Correlating} data
\item Banks, payment processors, etc. \item Feedback loop from detections via {\bf Sightings}
\item Sharing of {\bf mule accounts} and {\bf non-cyber threat information} \item {\bf False positive management} via the warninglist system
\end{itemize} \item {\bf Enrichment system} via MISP-modules
\item X-ISAC\footnote{\url{https://www.x-isac.org/}} \item {\bf workflow} system to review and control information publication
\begin{itemize} \item {\bf Integrations} with a plethora of tools and formats
\item {\bf Bridging the gap} between the various sectorial and geographical ISACs \item Flexible {\bf API} and support {\bf libraries} such as PyMISP to ease integration
\item New, but ambitious initiative \item {\bf Timelines} and giving information a temporal context
\item Goal is to {\bf bootstrap the cross-sectorial sharing} along with building the infrastructure to enable sharing when needed \item Full chain for {\bf indicator life-cycle management}
\end{itemize} \end{itemize}
\end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Communities supported by CIRCL} \frametitle{Integration and Automation ecosystem}
\begin{itemize} MISP has many features to help you integrate various tools, processes and workflows
\item ISAC / specialised community MISPs \begin{itemize}
\item REST-full API \& PyMISP
\item PubSub channels (ZeroMQ \& Kafka)
\item Enrichment \& Import/Export service through MISP-modules
\item Workflow system: Quick and easy automation based on trigger/conditions/actions blocks
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Using the Power of the Community}
MISP has many features to foster collaboration. To name a few:
\begin{itemize}
\item Proposals
\item Analyst Data
\item Delegation
\item Sightings
\item Extended Events
\item Sharing-Groups
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Getting started: Joining/Running a sharing community using MISP}
\begin{minipage}[t]{0.5\textwidth}
\begin{center}
\bf \Large As a Member
\end{center}
\begin{itemize} \begin{itemize}
\item Topical or community specific instances hosted or co-managed by CIRCL \item \textbf{Join} a "Hub" MISP instance
\item Examples, GSMA, FIRST.org, CSIRT network, PISAX.org, etc \item \textbf{Host your own} MISP instance and connect to a "Hub"
\item Often come with their {\bf own taxonomies and domain specific object definitions}
\end{itemize} \end{itemize}
\item FIRST.org's MISP community \end{minipage}%
\item Telecom and Mobile operators' such as GSMA T-ISAC community \begin{minipage}[t]{0.5\textwidth}
\item Various ad-hoc communities for exercises for example \begin{center}
\begin{itemize} \bf \Large As a ISAC
\item The ENISA exercise for example \end{center}
\item Locked Shields exercise Plan ahead:
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Sharing Scenarios in MISP}
\begin{itemize}
\item Sharing can happen for {\bf many different reasons}. Let's see what we believe are the typical CSIRT scenarios
\item We can generally split these activities into 4 main groups when we're talking about traditional CSIRT tasks:
\begin{itemize}
\item Core services
\item Proactive services
\item Advanced services
\item Sharing communities managed by CSIRTs for various tasks
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{CSIRT core services}
\begin{itemize}
\item Incident response
\begin{itemize}
\item {\bf Internal storage} of incident response data
\item Sharing of indicators {\bf derived from incident response}
\item {\bf Correlating data} derived and using the built in analysis tools
\item {\bf Enrichment} services
\item {\bf Collaboration} with affected parties via MISP during IR
\item {\bf Co-ordination} and collaboration
\item {\bf Takedown} requests
\end{itemize}
\item Alerting of information leaks (integration with {\bf AIL}\footnote{\url{https://www.ail-project.org/}})
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{CSIRT proactive services}
\begin{itemize}
\item {\bf Contextualising} both internal and external data
\item {\bf Collection} and {\bf dissimination} of data from various sources (including OSINT)
\item Storing, correlating and sharing own manual research ({\bf reversing, behavioural analysis})
\item Aggregating automated collection ({\bf sandboxing, honeypots, spamtraps, sensors})
\begin{itemize}
\item MISP allows for the creation of {\bf internal MISP "clouds"}
\item Store {\bf large specialised datasets} (for example honeypot data)
\item MISP has {\bf interactions with} a large set of such {\bf tools} (Cuckoo, Mail2MISP, etc)
\end{itemize}
\item {\bf Situational awareness} tools to monitor trends and adversary TTPs within my sector/geographical region (MISP-dashboard, built in statistics)
\end{itemize}
\end{frame}
%\begin{frame}
%\frametitle{CSIRT proactive services - MISP dashboard}
%\includegraphics[scale=0.18]{screenshots/dashboard-live.png}
%\end{frame}
%\begin{frame}
%\frametitle{CSIRT proactive services - MISP dashboard}
%\includegraphics[scale=0.18]{screenshots/dashboard-trendings.png}
%\end{frame}
\begin{frame}
\frametitle{CSIRT advanced services}
\begin{itemize}
\item Supporting {\bf forensic analysts}
\item Collaboration with {\bf law enforcement}
\item {\bf Vulnerability} information sharing
\begin{itemize}
\item {\bf Notifications} to the constituency about relevant vulnerabilities
\item {\bf Co-ordinating} with vendors for notifications (*)
\item Internal / closed community sharing of pentest results
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{ISACs and CSIRT role in information sharing}
\begin{itemize}
\item {\bf Reporting} non-identifying information about incidents (such as outlined in NISD)
\item {\bf Seeking} and engaging in {\bf collaboration} with CSIRT or other parties during an incident
\item Pre-sharing information to {\bf request for help} / additional information from the community
\item {\bf Pseudo-anonymised sharing} through 3rd parties to {\bf avoid attribution} of a potential target
\item Building processes for {\bf other types of sharing} to get the community engaged and acquainted with the methodologies of sharing (mule account information, disinformation campaigns, border control, etc)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Compliance, legal framework and ISACs}
\begin{itemize}
\item MISP project collaborated with legal advisory services
\begin{itemize}
\item Information sharing and cooperation {\bf enabled by GDPR};
\item How MISP enables stakeholders identified by the {\bf NISD} to perform key activities;
\item {\bf ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications;
\item Guidelines to setting up an information sharing community such as an ISAC or ISAO;
\end{itemize}
\item For more information: https://www.misp-project.org/compliance/
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Getting started with building your own sharing community}
\begin{itemize}
\item Starting a sharing community is {\bf both easy and difficult} at the same time
\item Many moving parts and most importantly, you'll be dealing with a {\bf diverse group of people}
\item Understanding and working with your constituents to help them face their challenges is key
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Running a sharing community using MISP - How to get going?}
\begin{itemize}
\item Different models for constituents
\begin{itemize}
\item {\bf Connecting to} a MISP instance hosted by a ISAC
\item {\bf Hosting} their own instance and connecting to ISAC's MISP
\item {\bf Becoming member} of a sectorial MISP community that is connected to ISAC's community
\end{itemize}
\item Planning ahead for future growth
\begin{itemize}
\item Estimating requirements
\item Deciding early on common vocabularies
\item Offering services through MISP
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
\begin{itemize}
\item {\bf Lead by example} - the power of immitation
\item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
\begin{itemize}
\item What should the information look like?
\item How should it be contextualise
\item What do you consider as useful information?
\item What tools did you use to get your conclusions?
\item How the information could be used by the ISAC members?
\end{itemize}
\item Side effect is that you will end up {\bf raising the capabilities of your constituents}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What counts as valuable data?}
\begin{itemize}
\item Sharing comes in many shapes and sizes
\begin{itemize}
\item Sharing results / reports is the classical example
\item Sharing enhancements to existing data
\item Validating data / flagging false positives
\item Asking for support from the community
\end{itemize}
\item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to deal with organisations that only "leech"?}
\begin{itemize}
\item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
\item We have come across some communities with sharing requirements
\item In our experience, this sets you up for failure because:
\begin{itemize}
\item Organisations losing access are the ones who would possibily benefit the most from it
\item Organisations that want to stay above the thresholds will start sharing junk / fake data
\item You lose organisations that might turn into valuable contributors in the future
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{So how does one convert the passive organisations into actively sharing ones?}
\begin{itemize}
\item Rely on {\bf organic growth} and it takes time (+2 years is common)
\item {\bf Help} them increase their capabilities
\item As mentioned before, lead by example
\item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
\item {\bf Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dispelling the myths around blockers when it comes to information sharing}
\begin{itemize} \begin{itemize}
\item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}). \item Estimate community \textbf{requirements and objectives}
\begin{itemize} \item Decide on \textbf{common vocabularies}
\item You can play a role here: organise regular workshops, conferences, have face to face meetings \item \textbf{Offer services} to your members
\end{itemize} \begin{itemize}
\item Legal restrictions \item Enrichment, Curation, $\cdots$
\begin{itemize} \end{itemize}
\item "Our legal framework doesn't allow us to share information."
\item "Risk of information leak is too high and it's too risky for our organization or partners."
\end{itemize}
\item Practical restrictions
\begin{itemize}
\item "We don't have information to share."
\item "We don't have time to process or contribute indicators."
\item "Our model of classification doesn't fit your model."
\item "Tools for sharing information are tied to a specific format, we use a different one."
\end{itemize}
\end{itemize} \end{itemize}
\end{minipage}%
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Contextualising the information} \frametitle{Success/Failure stories in MISP communities}
\begin{itemize} TODO: To be added by alex
\item Sharing {\bf technical information} is a {\bf great start}
\item However, to truly create valueable information for your community, always consider the context:
\begin{itemize}
\item Your IDS might not care why it should alert on a rule
\item But your analysts will be interested in the threat landscape and the "big picture"
\end{itemize}
\item Classify data to make sure your partners understand why it is {\bf important for you}, so they can see why it could be {\bf useful to them}
\item Massively important once an organisation has the maturity to filter the most critical {\bf subsets of information for their own defense}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Choice of vocabularies}
\begin{itemize}
\item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data
\item However, this includes different vocabularies with obvious overlaps
\item MISP allows you to {\bf pick and choose vocabularies} to use and enforce in a community
\item Good idea to start with this process early
\item If you don't find what you're looking for:
\begin{itemize}
\item Create your own (JSON format, no coding skills required)
\item If it makes sense, share it with us via a pull request for redistribution
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Conclusion}
\begin{itemize} \begin{itemize}
\item MISP is a complete and advanced open source stack available to create large international sharing communities (JP/US/EU). \item CSSA
\item Building and improving ISACs is critical to limit the impact of security threats. \item Forced sharing as a requirement
\item We welcome partnerships in the field of information sharing. \end{itemize}
\end{frame}
\begin{frame}
\frametitle{Advantage of MISP being free and open-source}
TODO: To be added by alex
\end{frame}
\begin{frame}
\frametitle{Future of MISP: What's ongoing}
\begin{minipage}[t]{0.5\textwidth}
\textbf{Medium term:}
\begin{itemize}
\item We just release a minor version \texttt{2.4}
\item Support \texttt{2.4} until 6 months after \texttt{2.5}'s release
\item Full feature parity and compatibility
\item In progress: Installation/update scripts for alternate distros
\end{itemize}
\end{minipage}%
\begin{minipage}[t]{0.5\textwidth}
\textbf{Long term:} Major version \texttt{3.0}
\begin{itemize}
\item Purge old/unused functionalities
\item Port of the codebase to a new stack
\item Rework DB updates
\item Revamp front-end \& aesthetics
\item Analyst centric perspective
\item Improved search and trend
\item Improved performance
\end{itemize}
\end{minipage}%
\end{frame}
\begin{frame}
\frametitle{CIRCL's MISP Professional Services (MPS)}
\begin{itemize}
\item We are confortably funded for the project to continue to prospere
\item MPS offers professional services \& supports the growth of the project
\end{itemize}
\vspace{1em}
CIRCL's Offering:
\begin{itemize}
\item \textbf{Support Contract} - Prioritized resolution of issues and guidance
\item \textbf{Training} - Adapted to the level of expertise of the participants
\begin{itemize}
\item {\small Free onboarding MISP training for ISACs and it's member}
\end{itemize}
\item \textbf{Hosting} - Hosted on our infrastructure (LU): Virtual or Dedicated
\begin{itemize}
\item {\small Maintenance of OS \& MISP, Early patching for security issues}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Conclusion}
\begin{itemize}
\item MISP is just a tool. What matters is your {\bf sharing practices}.
\item MISP strives to meet any community's use-cases.
\item MISP project combines {\bf open source softwares}, {\bf open standards \& best practices} to make information sharing a reality.
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame}
\frametitle{Get in touch if you need some help to get started}
\begin{itemize}
\item Getting started with building a new community can be daunting. Feel free to get in touch with us if you have any questions!
\item Contact: info@circl.lu
\item \url{https://www.circl.lu/}
\item \url{https://github.com/MISP} \url{https://www.misp-project.org/} \url{https://twitter.com/MISPProject}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Backup slides}
{\center Backup slides}
\end{frame}
\begin{frame}
\frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize}
\item The MISPProject in co-operation with partners provides a {\bf curated list of galaxy information}
\item Can include information packages of different types, for example:
\begin{itemize}
\item Threat actor information (event different models or approaches)
\item Specialised information such as Ransomware, Exploit kits, etc
\item Methodology information such as preventative actions
\item Classification systems for methodologies used by adversaries - ATT\&CK
\end{itemize}
\item Consider improving the default libraries or contributing your own (simple JSON format)
\item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners
\item Pull requests are always welcome
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{False-positive handling}
\begin{itemize}
\item You might often fall into the trap of discarding seemingly "junk" data
\item Besides volume limitations (which are absolutely valid, fear of false-positives is the most common reason why people discard data) - Our recommendation:
\begin{itemize}
\item Be lenient when considering what to keep
\item Be strict when you are feeding tools
\end{itemize}
\item MISP allows you to {\bf filter out the relevant data on demand} when feeding protective tools
\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{False-positive handling}
\begin{itemize}
\item {\bf Analysts} will often be interested in the {\bf modus operandi} of threat actors over {\bf long periods of time}
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
\end{itemize}
\includegraphics[scale=0.8]{screenshots/false-positive.png}
\end{frame}

BIN
a.zz-misp-and-isacs/contributors.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 665 KiB

BIN
a.zz-misp-and-isacs/misp-banner.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
a.zz-misp-and-isacs/misp-infosharing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 220 KiB

BIN
a.zz-misp-and-isacs/release_overtime.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 63 KiB

27
a.zz-misp-and-isacs/slide.aux
View File

@ -1,27 +0,0 @@
\relax
\providecommand\hyper@newdestlabel[2]{}
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
\global\let\oldcontentsline\contentsline
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
\global\let\oldnewlabel\newlabel
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
\AtEndDocument{\ifx\hyper@anchor\@undefined
\let\contentsline\oldcontentsline
\let\newlabel\oldnewlabel
\fi}
\fi}
\global\let\hyper@last\relax
\gdef\HyperFirstAtBeginDocument#1{#1}
\providecommand\HyField@AuxAddToFields[1]{}
\providecommand\HyField@AuxAddToCoFields[2]{}
\providecommand\BKM@entry[2]{}
\@input{content.aux}
\pgfsyspdfmark {pgfid1}{1398509}{16636717}
\@writefile{nav}{\headcommand {\beamer@partpages {1}{34}}}
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{34}}}
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{34}}}
\@writefile{nav}{\headcommand {\beamer@documentpages {34}}}
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {33}}}
\gdef \@abspage@last{34}

1472
a.zz-misp-and-isacs/slide.log
View File

File diff suppressed because it is too large Load Diff

73
a.zz-misp-and-isacs/slide.nav
View File

@ -1,73 +0,0 @@
\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
\headcommand {\beamer@framepages {1}{1}}
\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
\headcommand {\beamer@framepages {2}{2}}
\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
\headcommand {\beamer@framepages {3}{3}}
\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
\headcommand {\beamer@framepages {4}{4}}
\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
\headcommand {\beamer@framepages {5}{5}}
\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
\headcommand {\beamer@framepages {6}{6}}
\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}
\headcommand {\beamer@framepages {7}{7}}
\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}
\headcommand {\beamer@framepages {8}{8}}
\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}
\headcommand {\beamer@framepages {9}{9}}
\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}
\headcommand {\beamer@framepages {10}{10}}
\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}
\headcommand {\beamer@framepages {11}{11}}
\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}
\headcommand {\beamer@framepages {12}{12}}
\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}
\headcommand {\beamer@framepages {13}{13}}
\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}
\headcommand {\beamer@framepages {14}{14}}
\headcommand {\slideentry {0}{0}{15}{15/15}{}{0}}
\headcommand {\beamer@framepages {15}{15}}
\headcommand {\slideentry {0}{0}{16}{16/16}{}{0}}
\headcommand {\beamer@framepages {16}{16}}
\headcommand {\slideentry {0}{0}{17}{17/17}{}{0}}
\headcommand {\beamer@framepages {17}{17}}
\headcommand {\slideentry {0}{0}{18}{18/18}{}{0}}
\headcommand {\beamer@framepages {18}{18}}
\headcommand {\slideentry {0}{0}{19}{19/19}{}{0}}
\headcommand {\beamer@framepages {19}{19}}
\headcommand {\slideentry {0}{0}{20}{20/20}{}{0}}
\headcommand {\beamer@framepages {20}{20}}
\headcommand {\slideentry {0}{0}{21}{21/21}{}{0}}
\headcommand {\beamer@framepages {21}{21}}
\headcommand {\slideentry {0}{0}{22}{22/22}{}{0}}
\headcommand {\beamer@framepages {22}{22}}
\headcommand {\slideentry {0}{0}{23}{23/23}{}{0}}
\headcommand {\beamer@framepages {23}{23}}
\headcommand {\slideentry {0}{0}{24}{24/24}{}{0}}
\headcommand {\beamer@framepages {24}{24}}
\headcommand {\slideentry {0}{0}{25}{25/25}{}{0}}
\headcommand {\beamer@framepages {25}{25}}
\headcommand {\slideentry {0}{0}{26}{26/26}{}{0}}
\headcommand {\beamer@framepages {26}{26}}
\headcommand {\slideentry {0}{0}{27}{27/27}{}{0}}
\headcommand {\beamer@framepages {27}{27}}
\headcommand {\slideentry {0}{0}{28}{28/28}{}{0}}
\headcommand {\beamer@framepages {28}{28}}
\headcommand {\slideentry {0}{0}{29}{29/29}{}{0}}
\headcommand {\beamer@framepages {29}{29}}
\headcommand {\slideentry {0}{0}{30}{30/30}{}{0}}
\headcommand {\beamer@framepages {30}{30}}
\headcommand {\slideentry {0}{0}{31}{31/31}{}{0}}
\headcommand {\beamer@framepages {31}{31}}
\headcommand {\slideentry {0}{0}{32}{32/32}{}{0}}
\headcommand {\beamer@framepages {32}{32}}
\headcommand {\slideentry {0}{0}{33}{33/33}{}{0}}
\headcommand {\beamer@framepages {33}{33}}
\headcommand {\slideentry {0}{0}{34}{34/34}{}{0}}
\headcommand {\beamer@framepages {34}{34}}
\headcommand {\beamer@partpages {1}{34}}
\headcommand {\beamer@subsectionpages {1}{34}}
\headcommand {\beamer@sectionpages {1}{34}}
\headcommand {\beamer@documentpages {34}}
\headcommand {\gdef \inserttotalframenumber {33}}

BIN
a.zz-misp-and-isacs/slide.pdf
View File

Binary file not shown.

0
a.zz-misp-and-isacs/slide.snm
View File

4
a.zz-misp-and-isacs/slide.tex
View File

@ -1,4 +1,4 @@
\documentclass{beamer} \documentclass[aspectratio=169]{beamer}
\usetheme[numbering=progressbar]{focus} \usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219} \definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128} \definecolor{textcolor}{RGB}{128, 128, 128}
@ -15,7 +15,7 @@
\author{Team CIRCL \\ \emph{TLP:WHITE}} \author{Team CIRCL \\ \emph{TLP:WHITE}}
\title{MISP Project and ISACs} \title{MISP Project and ISACs}
\subtitle{{\small A versatile open source information sharing platform}} \subtitle{{\small A Versatile Open Source Information Sharing Platform}}
\institute{} \institute{}
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}} \titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
\date{\input{../includes/location.txt}} \date{\input{../includes/location.txt}}

0
a.zz-misp-and-isacs/slide.toc
View File

6
a.zz-misp-and-isacs/slide_handout.tex
View File

@ -1,4 +1,4 @@
\documentclass{beamer} \documentclass[aspectratio=169]{beamer}
\usetheme[numbering=progressbar]{focus} \usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219} \definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128} \definecolor{textcolor}{RGB}{128, 128, 128}
@ -16,8 +16,8 @@
%\usepackage[scaled]{beramono} %\usepackage[scaled]{beramono}
\author{Team CIRCL \\ \emph{TLP:WHITE}} \author{Team CIRCL \\ \emph{TLP:WHITE}}
\title{MISP workshop} \title{MISP Project and ISACs}
\subtitle{Introduction into Information Sharing using MISP for CSIRTs} \subtitle{{\small A Versatile Open Source Information Sharing Platform}}
\institute{} \institute{}
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}} \titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
\date{\input{../includes/location.txt}} \date{\input{../includes/location.txt}}