diff --git a/0.1-what-is-misp/attack-screenshot.png b/0.1-what-is-misp/attack-screenshot.png new file mode 100644 index 0000000..44cf2ff Binary files /dev/null and b/0.1-what-is-misp/attack-screenshot.png differ diff --git a/0.1-what-is-misp/bankaccount.png b/0.1-what-is-misp/bankaccount.png new file mode 100644 index 0000000..94eb5cc Binary files /dev/null and b/0.1-what-is-misp/bankaccount.png differ diff --git a/0.1-what-is-misp/bankview.png b/0.1-what-is-misp/bankview.png new file mode 100644 index 0000000..ce629c1 Binary files /dev/null and b/0.1-what-is-misp/bankview.png differ diff --git a/0.1-what-is-misp/blueprint.png b/0.1-what-is-misp/blueprint.png new file mode 100644 index 0000000..ac96976 Binary files /dev/null and b/0.1-what-is-misp/blueprint.png differ diff --git a/0.1-what-is-misp/circl.png b/0.1-what-is-misp/circl.png new file mode 100644 index 0000000..c570ff2 Binary files /dev/null and b/0.1-what-is-misp/circl.png differ diff --git a/0.1-what-is-misp/content.tex b/0.1-what-is-misp/content.tex new file mode 100755 index 0000000..c4f36dd --- /dev/null +++ b/0.1-what-is-misp/content.tex 
@@ -0,0 +1,278 @@ +% DO NOT COMPILE THIS FILE DIRECTLY! +% This is included by the other .tex files. + +\begin{frame}[t,plain] +\titlepage +\end{frame} + +\section{MISP in general} + +\begin{frame} + \frametitle{about CIRCL and MISP} + \begin{itemize} + \item CIRCL + \begin{itemize} + \item National CERT for the private sector, communes, non-govermental entities in Luxembourg + \item Government-driven initiative, funded by the Ministry of Economy + \item Mission is to provide a systematic response facility to computer security threats and incidents + \item Open Source toolsmiths + \end{itemize} + \item Our relationship with MISP has two sides + \begin{itemize} + \item We {\bf lead the development} of the MISP platform + \item We are also involved with and {\bf run several communities} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Before we start - What is MISP?} +\begin{itemize} + \item MISP is a {\bf threat information sharing} platform + \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds + \item Normalises, {\bf correlates}, {\bf enriches} the data + \item Allows teams and communities to {\bf collaborate} + \item {\bf Feeds} automated protective tools and analyst tools with the output +\end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Before we start - what is MISP?} +\begin{itemize} + \item It is also a set of {\bf open standards} implemented both by MISP and other tools + \item Additionally, it is an {\bf ecosystem} of libraries, supporting tools + \item A collection of guidance and best practice documentation by practitioners + \item All of these are free \& open source +\end{itemize} +\end{frame} + +\begin{frame} +\frametitle{What are the objectives of a modern TISP?} +\begin{itemize} + \item A tool that {\bf collects} information from partners, your analysts, your tools, sensors, feeds + \item Normalises, {\bf correlates}, {\bf enriches} the data + \item Manages your processes and 
automates tasks such as {\bf notifications}, {\bf data flow management}, {\bf triaging} and so on + \item Allows teams and communities to {\bf collaborate} and rapidly {\bf exchange knowledge} + \item {\bf Feeds} automated protective tools and analyst tools with the output + \item {\bf Presents} both individualised and community centric facts, trends, reports of the intelligence +\end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{MISP: Started from a practical use-case} + \begin{itemize} + \item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware. + \item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}. + \item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP. + \item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform. + \item MISP is now {\bf a community-driven development} supporting different intelligence communities. + \end{itemize} +\end{frame} + +\begin{frame} +\frametitle{Development based on practical user feedback} +\begin{itemize} +\item There are many different types of users of an information sharing platform like MISP: + \begin{itemize} + \item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues. + \item {\bf Security analysts} searching, validating and using indicators in operational security. + \item {\bf Intelligence analysts} gathering information about specific adversary groups. + \item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases. + \item {\bf Risk analysis teams} willing to know about the new threats, likelyhood and occurences. + \item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds. + \item {\bf Military} sharing highly specialised information. 
+ \end{itemize} +\end{itemize} +\end{frame} + + +\begin{frame} +\frametitle{Why do we develop all of this?} +\begin{itemize} + \item {\bf Main goal}: Make our own lives and the lives of our constituency easier + \begin{itemize} + \item Our central tool for ingesting, storing and disseminating information... + \item ...as well as to interact with organisations + \item By solving issues of other communities, we already have them prepared for information sharing with us when needed + \end{itemize} + \item {\bf Secondary}: Democratise threat intelligence for all + \item {\bf Stretch goal}: Build a full open-source tool-chain for CSIRTs / SoCs / etc +\end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Communities using MISP} + \begin{itemize} + \item Communities are groups of users sharing within a set of common objectives/values. + \item CIRCL operates multiple MISP instances with a significant user base (more than 2k organizations with close to 5k users). + \item {\bf Trust groups} running MISP communities in island mode (air gapped system) or partially connected mode. + \item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism. + \item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...). + \item {\bf Security vendors} running their own communities or interfacing with MISP communities. + \item {\bf Sectorial communities} Telcoes, ISPs, Medical services, Air traffic control, ... + \item {\bf Topical communities} set up to tackle individual specific issues (disinformation, SIGINT, COVID-19, ...) + \end{itemize} +\end{frame} + + +\begin{frame} +\frametitle{Information pipeline} + \includegraphics[width=0.75\linewidth]{misp_data_flow.png} +\end{frame} + + +\section{Some issues we try to tackle and their solutions} + +\begin{frame} +\frametitle{Information quality management} + \begin{itemize} + \item What do we consider {\bf actionable itelligence}? 
+ \begin{itemize} + \item Conflicting requirements - analyst work vs automated blocking for example + \end{itemize} + \item {\bf Filtering} both on {\bf input} and on {\bf output} separately + \begin{itemize} + \item Lax on ingestion, strict on output mantra + \item Warninglists - sanitising obviously problematic data from output + \item Indicator scoring / lifecycle management + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Information quality management} + \includegraphics[width=1.00\linewidth]{decaying-event.png} + \begin{itemize} + \item {\bf Decay score} calculated based on the enabled models + \item Score takes into account {\bf contextualisation, type, sightings} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Information quality management} + Customisable lifecycle management + \includegraphics[width=1.00\linewidth]{decaying-tool.png} +\end{frame} + + + +\begin{frame} +\frametitle{Drilling down into our data} + \begin{itemize} + \item Different use-cases require different tools. 
+ \item {\bf Interactive interaction} with the data + \begin{itemize} + \item "Event" tabular view + \item "Event" graph view + \item Correlation graphs + \item Various search interfaces + \end{itemize} + \item {\bf Trends and overviews} + \begin {itemize} + \item Dashboarding + \item ATT\&CK and similar frameworks based heatmaps + \item Alert e-mails and periodic reporting + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Drilling down into our data} + \begin{center} + \includegraphics[width=1.05\linewidth]{dashboard-new.png} + \end{center} +\end{frame} + + + + +\begin{frame} +\frametitle{Drilling down into our data} + \begin{itemize} + \item APIs + \begin{itemize} + \item Long list of {\bf filters} + \item {\bf Complex queries} + \item Infusing queries with other tools ({\bf warninglists, decaying}) + \item Interactive {\bf UI query builder and tester} + \end{itemize} + \end{itemize} +\end{frame} + + +\begin{frame} +\frametitle{Data model management} + \begin{itemize} + \item Three tier approach to information + \item All three tiers are tightly integrated with one another + \begin{itemize} + \item {\bf Data} (Attributes, Objects, Relationships) + \item {\bf Knowledge} ("Galaxies", Labels) + \item {\bf Analyst reports} (Markdown reports) + \end{itemize} + \item Different communities have wildly different requirements - extension mechanisms + \begin{itemize} + \item {\bf Object templates} + \item Custom {\bf Galaxies} + \item {\bf Taxonomies} + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Data model management} + \includegraphics[width=0.90\linewidth]{sigint.png} +\end{frame} + +\begin{frame} +\frametitle{Customising MISP} + \begin{itemize} + \item Highly configurable per community need + \begin{itemize} + \item Hundreds of {\bf configuration options} to manage MISP behaviours + \item Hooking and modifying {\bf core cuntionalities via Workflows} + \item Custom modules via companion system ({\bf MISP-modules}) 
+ \item {\bf Modular} parts of the {\bf codebase} (e-mail templates, dashboard elements, import/export functions) + \item If all of that is not enough - extensive {\bf Python library} support for DIY fans :) + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Customising MISP} + \includegraphics[width=1.00\linewidth]{blueprint.png} +\end{frame} + + +\section{Wrapping it all up} + +\begin{frame} +\frametitle{Community driven effort} + \begin{itemize} + \item This concludes a {\bf brief glimpse into what MISP is} and some of the key issues to tackle + \item MISP is evolving based on {\bf community efforts and needs} + \item The outcome is a highly {\bf versatile and customisable} system + \item We all have different ideas of what we'd like to be able to do in our TISP + \item {\bf Prioritisation is hard} plus there are only so many hours in a day... + \item ...{\bf Get involved}, let us know how we can make it better or at least usable for your use-case! + \end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{Get in touch if you have any questions} + \begin{itemize} + \item Contact me: + \begin{itemize} + \item andras.iklody@circl.lu \url{https://twitter.com/iglocska} \url{https://infosec.exchange/@iglocska} + \end{itemize} + \item Contact us: + \begin{itemize} + \item info@circl.lu \url{https://twitter.com/circl_lu} \url{https://www.circl.lu/} + \item \url{https://github.com/MISP} \url{https://www.misp-project.org/} + \item \url{https://twitter.com/MISPProject} \url{https://misp-community.org/@misp} + \end{itemize} + \end{itemize} +\end{frame} + diff --git a/0.1-what-is-misp/creativity.png b/0.1-what-is-misp/creativity.png new file mode 100644 index 0000000..d9878e2 Binary files /dev/null and b/0.1-what-is-misp/creativity.png differ diff --git a/0.1-what-is-misp/dashboard-new.png b/0.1-what-is-misp/dashboard-new.png new file mode 100644 index 0000000..24cb024 Binary files /dev/null and b/0.1-what-is-misp/dashboard-new.png differ 
diff --git a/0.1-what-is-misp/dashboard-trendings.png b/0.1-what-is-misp/dashboard-trendings.png new file mode 100644 index 0000000..e8937e4 Binary files /dev/null and b/0.1-what-is-misp/dashboard-trendings.png differ diff --git a/0.1-what-is-misp/decaying-basescore.png b/0.1-what-is-misp/decaying-basescore.png new file mode 100644 index 0000000..d21e261 Binary files /dev/null and b/0.1-what-is-misp/decaying-basescore.png differ diff --git a/0.1-what-is-misp/decaying-event.png b/0.1-what-is-misp/decaying-event.png new file mode 100644 index 0000000..553b9e7 Binary files /dev/null and b/0.1-what-is-misp/decaying-event.png differ diff --git a/0.1-what-is-misp/decaying-index.png b/0.1-what-is-misp/decaying-index.png new file mode 100644 index 0000000..c8c9754 Binary files /dev/null and b/0.1-what-is-misp/decaying-index.png differ diff --git a/0.1-what-is-misp/decaying-simulation.png b/0.1-what-is-misp/decaying-simulation.png new file mode 100644 index 0000000..8252a09 Binary files /dev/null and b/0.1-what-is-misp/decaying-simulation.png differ diff --git a/0.1-what-is-misp/decaying-tool.png b/0.1-what-is-misp/decaying-tool.png new file mode 100644 index 0000000..ff8c298 Binary files /dev/null and b/0.1-what-is-misp/decaying-tool.png differ diff --git a/0.1-what-is-misp/en_cef.png b/0.1-what-is-misp/en_cef.png new file mode 100644 index 0000000..5fed070 Binary files /dev/null and b/0.1-what-is-misp/en_cef.png differ diff --git a/0.1-what-is-misp/galaxy-ransomware.png b/0.1-what-is-misp/galaxy-ransomware.png new file mode 100644 index 0000000..5cf42cc Binary files /dev/null and b/0.1-what-is-misp/galaxy-ransomware.png differ diff --git a/0.1-what-is-misp/governance.png b/0.1-what-is-misp/governance.png new file mode 100644 index 0000000..389d250 Binary files /dev/null and b/0.1-what-is-misp/governance.png differ 
diff --git a/0.1-what-is-misp/misp-distributed.pdf b/0.1-what-is-misp/misp-distributed.pdf new file mode 100644 index 0000000..9bacba7 Binary files /dev/null and b/0.1-what-is-misp/misp-distributed.pdf differ diff --git a/0.1-what-is-misp/misp-overview-simplified.pdf b/0.1-what-is-misp/misp-overview-simplified.pdf new file mode 100644 index 0000000..021b252 Binary files /dev/null and b/0.1-what-is-misp/misp-overview-simplified.pdf differ diff --git a/0.1-what-is-misp/misp-overview.pdf b/0.1-what-is-misp/misp-overview.pdf new file mode 100644 index 0000000..b1d92c8 Binary files /dev/null and b/0.1-what-is-misp/misp-overview.pdf differ diff --git a/0.1-what-is-misp/misp.pdf b/0.1-what-is-misp/misp.pdf new file mode 100644 index 0000000..f7a3f9d Binary files /dev/null and b/0.1-what-is-misp/misp.pdf differ diff --git a/0.1-what-is-misp/misp_data_flow.png b/0.1-what-is-misp/misp_data_flow.png new file mode 100644 index 0000000..88a3ff0 Binary files /dev/null and b/0.1-what-is-misp/misp_data_flow.png differ diff --git a/0.1-what-is-misp/misplogo.pdf b/0.1-what-is-misp/misplogo.pdf new file mode 100644 index 0000000..60da568 Binary files /dev/null and b/0.1-what-is-misp/misplogo.pdf differ diff --git a/0.1-what-is-misp/notes.txt b/0.1-what-is-misp/notes.txt new file mode 100644 index 0000000..6dad91d --- /dev/null +++ b/0.1-what-is-misp/notes.txt 
@@ -0,0 +1,50 @@ +What is MISP? + +# SUBSECTION 1: intro + +## what is MISP? +- tisp +- oss +- ecosystem of tools and libraries +- a set of formats + +## Who are we and why does CIRCL develop it? +- national CSIRT +- central tool for our activities + - information dissemination + - incident handling + - collaboration + - data fusion + +## How does a TISP such as MISP do? +- graph showing the main functionalities + + +# SUBSECTION 2: ingestion + +## Manual data creation + +## Synchronisation from other communities + +## Feed ingestion + +## Ingestion from tools / sensors + + +# SUBSECTION 3: managing data and collaboration + +## + + +# SUBSECTION 4: Dissemination + +## Synchronisation +## Feed generation +## Automation +## dashboarding +## Reporting + + + + +# diff --git a/0.1-what-is-misp/object.png b/0.1-what-is-misp/object.png new file mode 100644 index 0000000..acebf04 Binary files /dev/null and b/0.1-what-is-misp/object.png differ diff --git a/0.1-what-is-misp/pipeline_chart.md b/0.1-what-is-misp/pipeline_chart.md new file mode 100644 index 0000000..bacb0f5 --- /dev/null +++ b/0.1-what-is-misp/pipeline_chart.md @@ -0,0 +1,31 @@ +```mermaid +flowchart + A[Analysts] --> MI[(MISP ingestion)] + S[Sensors] --> MI + OM[Other Communities] --> MI + F[Feeds] --> MI + IT[Internal tools] --> MI + MI --> IF[Input filters] + IF --> MP[(MISP processing)] + MP <--> E[Enrichment] + MP <--> Col[Collaboration] + MP --> MD[(MISP dissemination)] + MP <--> C[Correlation] + MP <--> Wo[Workflows] + MD --> W[Warninglists] + W --> APIs + W --> Ex[Export tools] + MD --> SF[Sync filtering] + SF --> MG[MISP Guard] + MG --> OM2[Other Communities] + MD ---> Analyst[Analyst tools] + MD --> UF[User filters] + UF --> Dashboard + UF --> Reporting + + + + style MI fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff + style MP fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff + style MD fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff +``` 
diff --git a/0.1-what-is-misp/screenshots/Sightings1.PNG b/0.1-what-is-misp/screenshots/Sightings1.PNG new file mode 100644 index 0000000..5546cf3 Binary files /dev/null and b/0.1-what-is-misp/screenshots/Sightings1.PNG differ diff --git a/0.1-what-is-misp/screenshots/Sightings2.PNG b/0.1-what-is-misp/screenshots/Sightings2.PNG new file mode 100644 index 0000000..cd35990 Binary files /dev/null and b/0.1-what-is-misp/screenshots/Sightings2.PNG differ diff --git a/0.1-what-is-misp/screenshots/attack-screenshot.png b/0.1-what-is-misp/screenshots/attack-screenshot.png new file mode 100644 index 0000000..44cf2ff Binary files /dev/null and b/0.1-what-is-misp/screenshots/attack-screenshot.png differ diff --git a/0.1-what-is-misp/screenshots/bankaccount.png b/0.1-what-is-misp/screenshots/bankaccount.png new file mode 100644 index 0000000..94eb5cc Binary files /dev/null and b/0.1-what-is-misp/screenshots/bankaccount.png differ diff --git a/0.1-what-is-misp/screenshots/bankview.png b/0.1-what-is-misp/screenshots/bankview.png new file mode 100644 index 0000000..ce629c1 Binary files /dev/null and b/0.1-what-is-misp/screenshots/bankview.png differ diff --git a/0.1-what-is-misp/screenshots/bhadra-matrix.png b/0.1-what-is-misp/screenshots/bhadra-matrix.png new file mode 100644 index 0000000..74cfc4e Binary files /dev/null and b/0.1-what-is-misp/screenshots/bhadra-matrix.png differ diff --git a/0.1-what-is-misp/screenshots/campaign.png b/0.1-what-is-misp/screenshots/campaign.png new file mode 100644 index 0000000..df5b653 Binary files /dev/null and b/0.1-what-is-misp/screenshots/campaign.png differ diff --git a/0.1-what-is-misp/screenshots/enrichment1.PNG b/0.1-what-is-misp/screenshots/enrichment1.PNG new file mode 100644 index 0000000..4e7df5d Binary files /dev/null and b/0.1-what-is-misp/screenshots/enrichment1.PNG differ 
diff --git a/0.1-what-is-misp/screenshots/enrichment2.PNG b/0.1-what-is-misp/screenshots/enrichment2.PNG new file mode 100644 index 0000000..5d1c4c4 Binary files /dev/null and b/0.1-what-is-misp/screenshots/enrichment2.PNG differ diff --git a/0.1-what-is-misp/screenshots/enrichment3.PNG b/0.1-what-is-misp/screenshots/enrichment3.PNG new file mode 100644 index 0000000..e785f2c Binary files /dev/null and b/0.1-what-is-misp/screenshots/enrichment3.PNG differ diff --git a/0.1-what-is-misp/screenshots/enrichment4.PNG b/0.1-what-is-misp/screenshots/enrichment4.PNG new file mode 100644 index 0000000..5f01cd9 Binary files /dev/null and b/0.1-what-is-misp/screenshots/enrichment4.PNG differ diff --git a/0.1-what-is-misp/screenshots/false-positive.png b/0.1-what-is-misp/screenshots/false-positive.png new file mode 100644 index 0000000..7dd3dea Binary files /dev/null and b/0.1-what-is-misp/screenshots/false-positive.png differ diff --git a/0.1-what-is-misp/screenshots/freetext1.PNG b/0.1-what-is-misp/screenshots/freetext1.PNG new file mode 100644 index 0000000..cb17c4c Binary files /dev/null and b/0.1-what-is-misp/screenshots/freetext1.PNG differ diff --git a/0.1-what-is-misp/screenshots/freetxt2.PNG b/0.1-what-is-misp/screenshots/freetxt2.PNG new file mode 100644 index 0000000..4bfb092 Binary files /dev/null and b/0.1-what-is-misp/screenshots/freetxt2.PNG differ diff --git a/0.1-what-is-misp/screenshots/freetxt3.PNG b/0.1-what-is-misp/screenshots/freetxt3.PNG new file mode 100644 index 0000000..6d348ee Binary files /dev/null and b/0.1-what-is-misp/screenshots/freetxt3.PNG differ diff --git a/0.1-what-is-misp/screenshots/normaltag.png b/0.1-what-is-misp/screenshots/normaltag.png new file mode 100644 index 0000000..781182c Binary files /dev/null and b/0.1-what-is-misp/screenshots/normaltag.png differ 
diff --git a/0.1-what-is-misp/screenshots/sg-example.png b/0.1-what-is-misp/screenshots/sg-example.png new file mode 100644 index 0000000..ade1252 Binary files /dev/null and b/0.1-what-is-misp/screenshots/sg-example.png differ diff --git a/0.1-what-is-misp/screenshots/sighting-n.png b/0.1-what-is-misp/screenshots/sighting-n.png new file mode 100644 index 0000000..f9ec127 Binary files /dev/null and b/0.1-what-is-misp/screenshots/sighting-n.png differ diff --git a/0.1-what-is-misp/sighting-n.png b/0.1-what-is-misp/sighting-n.png new file mode 100644 index 0000000..f9ec127 Binary files /dev/null and b/0.1-what-is-misp/sighting-n.png differ diff --git a/0.1-what-is-misp/sigint.png b/0.1-what-is-misp/sigint.png new file mode 100644 index 0000000..560f5ed Binary files /dev/null and b/0.1-what-is-misp/sigint.png differ diff --git a/0.1-what-is-misp/slide.tex b/0.1-what-is-misp/slide.tex new file mode 100644 index 0000000..1313c86 --- /dev/null +++ b/0.1-what-is-misp/slide.tex @@ -0,0 +1,23 @@ +\documentclass{beamer} +\usetheme[numbering=progressbar]{focus} +\definecolor{main}{RGB}{47, 161, 219} +\definecolor{textcolor}{RGB}{128, 128, 128} +\definecolor{background}{RGB}{240, 247, 255} + +\usepackage[utf8]{inputenc} +\usepackage{tikz} +\usepackage{listings} +\usetikzlibrary{positioning} +\usetikzlibrary{shapes,arrows} + + +\title{MISP, the state of the art in cyber threat sharing} +\author{\small{\input{../includes/authors.txt}}} +\date{\input{../includes/location.txt}} +\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}} +\institute{MISP Project \\ \url{https://www.misp-project.org/}} + +\begin{document} +\include{content} +\end{document} + diff --git a/0.1-what-is-misp/tags-2-4-70.png b/0.1-what-is-misp/tags-2-4-70.png new file mode 100644 index 0000000..e1c6fbd Binary files /dev/null and b/0.1-what-is-misp/tags-2-4-70.png differ 
diff --git a/0.1-what-is-misp/taxonomy-workflow.png b/0.1-what-is-misp/taxonomy-workflow.png new file mode 100644 index 0000000..f4789ad Binary files /dev/null and b/0.1-what-is-misp/taxonomy-workflow.png differ diff --git a/0.1-what-is-misp/timeline-misp-overview.png b/0.1-what-is-misp/timeline-misp-overview.png new file mode 100644 index 0000000..23ff19b Binary files /dev/null and b/0.1-what-is-misp/timeline-misp-overview.png differ diff --git a/0.1-what-is-misp/warning-list-event.png b/0.1-what-is-misp/warning-list-event.png new file mode 100644 index 0000000..22c6423 Binary files /dev/null and b/0.1-what-is-misp/warning-list-event.png differ diff --git a/0.1-what-is-misp/warning-list.png b/0.1-what-is-misp/warning-list.png new file mode 100644 index 0000000..f151ded Binary files /dev/null and b/0.1-what-is-misp/warning-list.png differ diff --git a/0.1-what-is-misp/workflow_initial.png b/0.1-what-is-misp/workflow_initial.png new file mode 100644 index 0000000..7c6b54c Binary files /dev/null and b/0.1-what-is-misp/workflow_initial.png differ diff --git a/0.1-what-is-misp/workflow_initial2.png b/0.1-what-is-misp/workflow_initial2.png new file mode 100644 index 0000000..d384c34 Binary files /dev/null and b/0.1-what-is-misp/workflow_initial2.png differ diff --git a/0.1-what-is-misp/x-isac-logo.png b/0.1-what-is-misp/x-isac-logo.png new file mode 100755 index 0000000..21c68bc Binary files /dev/null and b/0.1-what-is-misp/x-isac-logo.png differ
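
Review bot: several strings in 0.1-what-is-misp/content.tex are misspelled and will appear as-is on the projected slides: "non-govermental" (about CIRCL and MISP), "likelyhood and occurences" (Development based on practical user feedback), "actionable itelligence" (Information quality management) and "core cuntionalities via Workflows" (Customising MISP). Suggest non-governmental, likelihood and occurrences, intelligence and functionalities. The straight double quotes in "Event" tabular view and "Event" graph view should be written with LaTeX quote marks (two backticks to open, two apostrophes to close), otherwise the opening quote is typeset as a closing one. The file is also added with mode 100755 while slide.tex is 100644; a .tex source has no reason to be executable. Finally, the two consecutive frames are titled "Before we start - What is MISP?" and "Before we start - what is MISP?" with different capitalisation, and the first two bullets of the first one are repeated almost verbatim in "What are the objectives of a modern TISP?".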
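
Review bot: four images are committed twice with identical blob ids, once directly under 0.1-what-is-misp/ and once under 0.1-what-is-misp/screenshots/: attack-screenshot.png (44cf2ff), bankaccount.png (94eb5cc), bankview.png (ce629c1) and sighting-n.png (f9ec127). Keep a single copy of each. Beyond that, the only graphics referenced by the .tex files in this patch are misp_data_flow.png, decaying-event.png, decaying-tool.png, dashboard-new.png, sigint.png, blueprint.png and misp.pdf; the remaining PNG and PDF files are not used by anything added here, so consider dropping them or adding them together with the slides that include them. x-isac-logo.png is also added with mode 100755 and should be 100644 like the other images.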
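
Review bot: 0.1-what-is-misp/notes.txt is committed as an unfinished outline: SUBSECTION 3 contains only an empty "##" heading, the file ends on a lone "#", and its four subsections (intro, ingestion, managing data and collaboration, Dissemination) do not correspond to the three \section titles in content.tex (MISP in general, Some issues we try to tackle and their solutions, Wrapping it all up). Either bring the outline in line with the slides as committed or leave the working notes out of the repository. The heading "How does a TISP such as MISP do?" also reads as if it was meant to be "What does a TISP such as MISP do?".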
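
Review bot: 0.1-what-is-misp/pipeline_chart.md carries no text tying it to the deck: content.tex includes misp_data_flow.png in the "Information pipeline" frame, but nothing states whether that PNG is rendered from this Mermaid source or how to regenerate it after the chart changes. A short line above the fence naming the output file and the render step would keep the two from drifting apart. Within the chart, "MD ---> Analyst[Analyst tools]" uses a longer link than every other edge, which all use "-->"; if the extra length is a deliberate layout choice, say so in a comment, otherwise make it consistent. The nodes OM and OM2 both carry the label "Other Communities", which is fine for the rendering but worth a comment so the second one is not merged into the first by a later edit.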
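
Review bot: 0.1-what-is-misp/slide.tex pulls the frames in with \include{content}, whereas the header comment of content.tex describes it as a file that is included by the other .tex files; \input{content} is the usual choice for that, since \include forces a page break and writes a separate .aux file. The preamble also loads listings and the tikz libraries positioning, shapes and arrows, none of which are used by content.tex in this patch, so they can be dropped until a slide needs them. \author and \date read ../includes/authors.txt and ../includes/location.txt, which are not part of this patch; the deck will not build unless those files already exist in the repository, so a note in the commit message or a README line would help.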