mirror of https://github.com/MISP/misp-training
commit
8c4b5300d1
|
@ -12,14 +12,14 @@
|
||||||
\item Tagging is a simple way to attach a classification to an event or an attribute.
|
\item Tagging is a simple way to attach a classification to an event or an attribute.
|
||||||
\item In the early version of MISP, tagging was local to an instance.
|
\item In the early version of MISP, tagging was local to an instance.
|
||||||
\item {\bf Classification must be globally used to be efficient}.
|
\item {\bf Classification must be globally used to be efficient}.
|
||||||
\item After evaluating different solutions of classification, we build a new scheme using the concept of machine tags.
|
\item After evaluating different solutions of classification, we built a new scheme using the concept of machine tags.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Machine Tags}
|
\frametitle{Machine Tags}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Triple tag or machine tag was introduced in 2004 to extend geotagging on images.
|
\item Triple tag, or machine tag, format was introduced in 2004 to extend geotagging on images.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
{
|
{
|
||||||
\setlength{\fboxsep}{1pt}
|
\setlength{\fboxsep}{1pt}
|
||||||
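Review bot: the rewritten bullet still reads awkwardly: "Triple tag, or machine tag, format was introduced in 2004" drops the article and splits the noun phrase. Suggest "The triple tag (machine tag) format was introduced in 2004 to extend geotagging on images." While in this hunk, the unchanged "In the early version of MISP, tagging was local to an instance" should be "In early versions of MISP", and "Classification must be globally used to be efficient" would state the actual motivation more plainly as "Classification must be shared across instances to be useful", since that is the problem the machine-tag scheme introduced in the next bullet is meant to solve. The "we build" -> "we built" fix is fine.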
|
@ -30,7 +30,7 @@
|
||||||
\item A machine tag is just a tag expressed in way that allows systems to parse and interpret it.
|
\item A machine tag is just a tag expressed in way that allows systems to parse and interpret it.
|
||||||
\item Still have a human-readable version:\\
|
\item Still have a human-readable version:\\
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item admiralty-scale:Source Reliability="Fairly reliable"
|
\item admiralty-scale:source-reliability="Fairly reliable"
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
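Review bot: changing the predicate to `source-reliability` while keeping the value as "Fairly reliable" leaves the example in a mixed form: the bullet introduces it as the human-readable version, but the namespace and predicate are now in machine form and only the value is expanded. Either keep the whole line human-readable, or better, show the real machine tag and its expansion side by side, e.g. `admiralty-scale:source-reliability="<value>"` on one line and the expanded text on the next, so the audience sees what systems parse versus what analysts read (the deck's later `machinetags_expanded()` call makes exactly that distinction). The unchanged line above is also missing an article: "expressed in a way that allows systems to parse and interpret it".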
@ -41,8 +41,8 @@
|
||||||
\item Taxonomies are implemented in a simple JSON format.
|
\item Taxonomies are implemented in a simple JSON format.
|
||||||
\item Anyone can create their own taxonomy or reuse an existing one.
|
\item Anyone can create their own taxonomy or reuse an existing one.
|
||||||
\item The taxonomies are in an independent git repository\footnote{\url{https://www.github.com/MISP/misp-taxonomies/}}.
|
\item The taxonomies are in an independent git repository\footnote{\url{https://www.github.com/MISP/misp-taxonomies/}}.
|
||||||
\item These can be freely reused and integrated in other threat intel tools.
|
\item These can be freely reused and integrated into other threat intel tools.
|
||||||
\item Taxonomies are licensed under CC0 (public domain) except if the taxonomy author decided to use another license.
|
\item Taxonomies are licensed under Creative Commons (public domain) except if the taxonomy author decided to use another license.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
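Review bot: the license edit in this hunk makes the statement wrong. "Creative Commons" is a family of licenses, most of which (CC BY, CC BY-SA, and so on) are not public domain and carry attribution or share-alike obligations; CC0 is the specific Creative Commons public-domain dedication. Replacing "CC0 (public domain)" with "Creative Commons (public domain)" removes the one precise term in the sentence and invites readers to assume any CC license is public domain. Keep CC0, e.g. "Taxonomies are licensed under CC0 (the Creative Commons public domain dedication) unless the taxonomy author chose another license." The "integrated into" change is fine.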
@ -58,7 +58,7 @@
|
||||||
\item OSINT {\bf Open Source Intelligence - Classification}
|
\item OSINT {\bf Open Source Intelligence - Classification}
|
||||||
\item TLP - {\bf Traffic Light Protocol}
|
\item TLP - {\bf Traffic Light Protocol}
|
||||||
\item Vocabulary for Event Recording and Incident Sharing - {\bf VERIS}
|
\item Vocabulary for Event Recording and Incident Sharing - {\bf VERIS}
|
||||||
\item and many more like ENISA, Europol, or the draft FIRST SIG Information Exchange Policy.
|
\item And many more like ENISA, Europol, or the draft FIRST SIG Information Exchange Policy.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
|
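Review bot: only the capitalization changed here, but the list mixes three orderings: "OSINT {\bf Open Source Intelligence - Classification}" puts the acronym first and bolds the expansion, "TLP - {\bf Traffic Light Protocol}" bolds the expansion after a dash, and "Vocabulary for Event Recording and Incident Sharing - {\bf VERIS}" bolds the acronym. Pick one pattern (for instance "{\bf OSINT} - Open Source Intelligence classification") and apply it to all three so the slide scans consistently. "the draft FIRST SIG Information Exchange Policy" is also a dated reference; worth checking whether "draft" is still accurate before this slide is presented again.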
@ -139,7 +139,7 @@
|
||||||
\frametitle{How are taxonomies integrated in MISP?}
|
\frametitle{How are taxonomies integrated in MISP?}
|
||||||
\includegraphics[scale=0.21]{tags-2-4-70.png}
|
\includegraphics[scale=0.21]{tags-2-4-70.png}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item MISP administrator can just import (or even cherry pick) the namespace or predicates they want to use as tag.
|
\item MISP administrator can just import (or even cherry pick) the namespace or predicates they want to use as tags.
|
||||||
\item Tags can be exported to other instances.
|
\item Tags can be exported to other instances.
|
||||||
\item Tags are also accessible via the MISP REST API.
|
\item Tags are also accessible via the MISP REST API.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
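Review bot: "as tags" is right, but the bullet still lacks an article and "cherry pick" as a verb is hyphenated: "A MISP administrator can import (or even cherry-pick) the namespaces or predicates they want to use as tags." Since the slide is about integration, the next bullet ("Tags can be exported to other instances") would be more useful if it said whether tags attached to a synced event are created on the receiving instance even when that instance did not enable the taxonomy; that determines whether cherry-picking actually restricts what shows up locally, which is what an administrator reading this slide will want to know.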
@ -158,7 +158,7 @@
|
||||||
\frametitle{Other use cases using MISP taxonomies}
|
\frametitle{Other use cases using MISP taxonomies}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Tags can be used to set events or attributes for {\bf further processing by external tools} (e.g. VirusTotal auto-expansion using Viper).
|
\item Tags can be used to set events or attributes for {\bf further processing by external tools} (e.g. VirusTotal auto-expansion using Viper).
|
||||||
\item Ensuring a classification manager {\bf classies the events before release} (e.g. release of information from air-gapped/classified networks).
|
\item Ensuring a classification manager {\bf classifies the events before release} (e.g. release of information from air-gapped/classified networks).
|
||||||
\item {\bf Enriching IDS export} with tags to fit your NIDS deployment.
|
\item {\bf Enriching IDS export} with tags to fit your NIDS deployment.
|
||||||
\item Using {\bf IntelMQ} and MISP together to process events (tags limited per organization introduced in MISP 2.4.49).
|
\item Using {\bf IntelMQ} and MISP together to process events (tags limited per organization introduced in MISP 2.4.49).
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
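Review bot: good catch on "classifies"; two more points in this hunk. "Tags can be used to set events or attributes for further processing" should be "to mark (or flag) events or attributes for further processing". And the parenthetical "(tags limited per organization introduced in MISP 2.4.49)" hangs off the IntelMQ bullet without saying whether the IntelMQ workflow depends on that feature or it is just a related release note; either move it to its own bullet ("Tags can be restricted to an organization since MISP 2.4.49") or state the dependency explicitly.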
@ -181,7 +181,7 @@
|
||||||
\item {\bf Python module} to handle the taxonomies
|
\item {\bf Python module} to handle the taxonomies
|
||||||
\item {\bf Offline} and online mode (fetch the newest taxonomies from GitHub)
|
\item {\bf Offline} and online mode (fetch the newest taxonomies from GitHub)
|
||||||
\item Simple {\bf search} to make tagging easy
|
\item Simple {\bf search} to make tagging easy
|
||||||
\item Totally independant from MISP
|
\item Totally independent from MISP
|
||||||
\item {\bf No external dependencies} in offline mode
|
\item {\bf No external dependencies} in offline mode
|
||||||
\item Python3 only
|
\item Python3 only
|
||||||
\item Can be used to create \& {\bf dump a new taxonomy}
|
\item Can be used to create \& {\bf dump a new taxonomy}
|
||||||
|
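Review bot: "independent" is the right spelling, and the idiom is "independent of MISP" rather than "from". Also "Python3 only" -> "Python 3 only", and the "Offline and online mode" bullet would read better as "Offline mode (local copy of the taxonomies) and online mode (fetch the newest taxonomies from GitHub)" so that "No external dependencies in offline mode" a few lines later follows from it instead of standing as a separate claim.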
@ -224,22 +224,22 @@ print(taxonomies.get('circl').machinetags_expanded())
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{The dilemma of false-positive}
|
\frametitle{The dilemma of false-positives}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item False-positive is a {\bf common issue} in threat intelligence sharing.
|
\item False-positives are a {\bf common issue} in threat intelligence sharing.
|
||||||
\item It's often a contextual issue:
|
\item It's often a contextual issue:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item false-positive might be different per community of users sharing information.
|
\item False-positives might be different per community of users sharing information.
|
||||||
\item organization might have their {\bf own view} on false-positive.
|
\item Organizations might have their {\bf own view} on false-positives.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item Based on the success of the MISP taxonomy model, we build misp-warninglists.
|
\item Based on the success of the MISP taxonomy model, we built misp-warninglists.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}[t,fragile]
|
\begin{frame}[t,fragile]
|
||||||
\frametitle{MISP warning lists}
|
\frametitle{MISP warning lists}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item misp-warninglists are lists of {\b well-known indicators} that can be associated to potential false positives, errors or mistakes.
|
\item misp-warninglists are lists of {\b well-known indicators} that can be associated to potential false positives, errors, or mistakes.
|
||||||
\item Simple JSON files
|
\item Simple JSON files
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\begin{lstlisting}[language=json,firstnumber=1]
|
\begin{lstlisting}[language=json,firstnumber=1]
|
||||||
|
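Review bot: `{\b well-known indicators}` in the unchanged warning-lists bullet is a typo that survived this hunk: `\b` is the LaTeX bar-under accent, not bold, so this renders as an accent on the following letter instead of emphasizing the phrase. The rest of the deck uses `{\bf ...}`, so change it to `{\bf well-known indicators}`. Also "associated to" -> "associated with". The singular-to-plural edits are fine, though as a noun "false positives" is normally unhyphenated; hyphenate only the attributive use ("false-positive rate"), so the frame title would be "The dilemma of false positives".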
@ -264,7 +264,7 @@ print(taxonomies.get('circl').machinetags_expanded())
|
||||||
\item The warning lists are integrated in MISP to display an info/warning box at the event and attribute level.
|
\item The warning lists are integrated in MISP to display an info/warning box at the event and attribute level.
|
||||||
\item Enforceable via the API where all attributes that have a hit on a warninglist will be excluded.
|
\item Enforceable via the API where all attributes that have a hit on a warninglist will be excluded.
|
||||||
\item This can be enabled at MISP instance level.
|
\item This can be enabled at MISP instance level.
|
||||||
\item Default warning lists can be enabled or disabled like {\bf known public resolver}, {\bf multicast IP addresses}, {\bf hashes for empty values}, {\bf rfc1918}, {\bf TLDs} or {\bf known google domains}.
|
\item Default warning lists can be enabled or disabled like {\bf known public resolver}, {\bf multicast IP addresses}, {\bf hashes for empty values}, {\bf rfc1918}, {\bf TLDs} or {\bf known Google domains}.
|
||||||
\item The warning lists can be expanded or added in JSON locally or via pull requests.
|
\item The warning lists can be expanded or added in JSON locally or via pull requests.
|
||||||
\item Warning lists can be also used for {\bf critical or core infrastructure warning}, {\bf personally identifiable information}...
|
\item Warning lists can be also used for {\bf critical or core infrastructure warning}, {\bf personally identifiable information}...
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
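Review bot: "Google" capitalized is right; the same bullet should also read "known public resolvers" and "RFC 1918". More importantly, the two bullets "Enforceable via the API where all attributes that have a hit on a warninglist will be excluded" and "This can be enabled at MISP instance level" should be merged so the behaviour is explicit: exclusion is opt-in per instance and, once enabled, matching attributes are dropped from API output. A consumer feeding an IDS or blocklist from the API therefore needs to know which warning lists are enabled on the instance it pulls from, since the same event can yield different indicator sets from instances with different lists enabled.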