Merge branch 'main' of github.com:MISP/misp-training into main
|
@ -29,7 +29,7 @@ given to the materials. We welcome contributions in order to improve the trainin
|
|||
| [a.2-pymisp](https://www.misp-project.org/misp-training/a.2-pymisp.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.2-pymisp) |
|
||||
| [a.3-misp-feed](https://www.misp-project.org/misp-training/a.3-misp-feed.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.3-misp-feed) |
|
||||
| [a.4-best-practices](https://www.misp-project.org/misp-training/a.4-best-practices.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.4-best-practices) |
|
||||
| [a.5-decaying-indicators](https://www.misp-project.org/misp-training/a.5-decaying-indicators.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-decaying-indicators) |
|
||||
| [a.5-decaying-indicators](https://www.misp-project.org/misp-training/a.5-bis-decaying-indicators-light-version.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.5-bis-decaying-indicators-light-version) |
|
||||
| [a.6-forensic](https://www.misp-project.org/misp-training/a.6-forensic.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.6-forensic) |
|
||||
| [a.7-rest-API](https://www.misp-project.org/misp-training/a.7-rest-API.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.7-rest-API) |
|
||||
| [a.8-dev-hands-on.pdf](https://www.misp-project.org/misp-training/a.8-dev-hands-on.pdf) | [source](https://github.com/MISP/misp-training/tree/master/a.8-dev-hands-on) |
|
||||
|
|
|
@ -10,13 +10,12 @@
|
|||
\begin{itemize}
|
||||
\item Present the components used in MISP to expire IOCs
|
||||
\item Present the current state of Indicators life-cycle management in MISP
|
||||
\item Present the current state of Indicators life-cycle management in MISP
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\section{Expiring IOCs: Why and How?}
|
||||
\begin{frame}[fragile]
|
||||
\frametitle{Indicators - Problem Statement}
|
||||
\frametitle{Indicators lifecycle - Problem Statement}
|
||||
\begin{itemize}
|
||||
\item {\bf Sharing information} about threats {\bf is crucial}
|
||||
\item Organisations are sharing more and more
|
||||
|
@ -51,51 +50,62 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Indicators - Problem Statement}
|
||||
\frametitle{Indicators lifecycle - Problem Statement}
|
||||
\begin{itemize}
|
||||
\item Various users and organisations can share data via MISP, multiple parties can be involved
|
||||
\begin{itemize}
|
||||
\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
|
||||
\item Each user/organisation has \textbf{different use-cases} and interests
|
||||
\item \textbf{Trust}, \textbf{data quality} and \textbf{relevance} issues
|
||||
\item Each user/organisation have \textbf{different use-cases} and interests
|
||||
\begin{itemize}
|
||||
\item Conflicting interests such as operational security, attribution,... (depends on the user)
|
||||
\item Conflicting interests: Operational security VS attribution
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
|
||||
\pause
|
||||
\vspace{0.5cm}
|
||||
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
|
||||
\item Attributes can be shared in large quantities \small{(more than 12M on \texttt{MISPPRIV} - Sept. 2020)}
|
||||
\begin{itemize}
|
||||
\item Partial info about their \textbf{freshness} (\textit{Sightings})
|
||||
\item Partial info about their \textbf{validity} (last update)
|
||||
\item Partial info about their \textbf{validity} (\textit{last\_seen})
|
||||
\end{itemize}
|
||||
\item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model}
|
||||
\item[] $\rightarrow$ Can be partially solved with our \textit{Data model}
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
MISP's \textit{Decaying model} combines the two
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Requirements to enjoy the decaying feature in MISP}
|
||||
\begin{itemize}
|
||||
\item Starting from \textbf{MISP 2.4.116}, the decaying feature is available
|
||||
\item Don't forget to \textbf{update the decay models} and \textbf{enable} the ones you want
|
||||
\item The decaying feature has no impact on the information in MISP, it's just an \textbf{overlay} to be used in the user-interface and API
|
||||
\item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration
|
||||
\end{itemize}
|
||||
\begin{itemize}
|
||||
\item Starting from \textbf{MISP 2.4.116}, the decaying feature is available
|
||||
\item \textbf{Update} decay models and \textbf{enable} some
|
||||
\item MISP Decaying strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration
|
||||
\end{itemize}
|
||||
\vspace{0.7cm}
|
||||
Note: The decaying feature has no impact on the information stored in MISP, it's just an \textbf{overlay} to be used in the user-interface and API
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{\textit{Sightings} - Refresher}
|
||||
\textit{Sightings} add \textbf{temporal context} to indicators.
|
||||
A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
|
||||
an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
|
||||
\vspace{0.5cm}
|
||||
\frametitle{\textit{Sightings} - Refresher (1)}
|
||||
\textit{Sightings} add a \textbf{temporal context} to indicators.
|
||||
\begin{itemize}
|
||||
\item \textit{Sightings} can be used to represent that you saw the IoC
|
||||
\item \textbf{Usecase:} Continuous feedback loop MISP $\leftrightarrow$ IDS
|
||||
\end{itemize}
|
||||
|
||||
\begin{center}
|
||||
\includegraphics[scale=1.00]{pics/sightings.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{\textit{Sightings} - Refresher (2)}
|
||||
\textit{Sightings} add a \textbf{temporal context} to indicators.
|
||||
\begin{itemize}
|
||||
\item \textit{Sightings} give more credibility/visibility to indicators
|
||||
\item This information can be used to {\bf prioritise and decay indicators}
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[scale=1.00]{pics/sightings.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
|
@ -118,14 +128,56 @@
|
|||
\begin{frame}
|
||||
\frametitle{Taxonomies - Refresher (3)}
|
||||
\begin{itemize}
|
||||
\item Some taxonomies have \texttt{numerical\_value}
|
||||
\item Some taxonomies have a \texttt{numerical\_value}
|
||||
\item Allows concepts to be used in an mathematical expression
|
||||
\begin{itemize}
|
||||
\item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
|
||||
\item[$\rightarrow$] Can be used to prioritise IoCs
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\vspace{0.5cm}
|
||||
|
||||
\begin{footnotesize}
|
||||
\texttt{admirality-scale} taxonomy\footnote{\url{https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json}}
|
||||
\begin{columns}[T] % align columns
|
||||
\begin{column}{.40\textwidth}
|
||||
\begin{tabular}{|ll|}
|
||||
\hline
|
||||
\textbf{Description} & \textbf{Value}\\
|
||||
\hline
|
||||
Completely reliable & 100\\
|
||||
Usually reliable & 75\\
|
||||
Fairly reliable & 50\\
|
||||
Not usually reliable & 25\\
|
||||
Unreliable & 0\\
|
||||
Reliability cannot be judged & 50\\
|
||||
Deliberatly deceptive & 0\\
|
||||
\hline
|
||||
\end{tabular}
|
||||
\end{column}%
|
||||
\hfill%
|
||||
\begin{column}{.48\textwidth}
|
||||
\begin{tabular}{|ll|}
|
||||
\hline
|
||||
\textbf{Description} & \textbf{Value}\\
|
||||
\hline
|
||||
Confirmed by other sources & 100\\
|
||||
Probably true & 75\\
|
||||
Possibly true & 50\\
|
||||
Doubtful & 25\\
|
||||
Improbable & 0\\
|
||||
Truth cannot be judged & 50\\
|
||||
\hline
|
||||
\end{tabular}
|
||||
\end{column}%
|
||||
\end{columns}
|
||||
\end{footnotesize}
|
||||
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Taxonomies - Refresher (3)}
|
||||
\begin{footnotesize}
|
||||
\texttt{admirality-scale} taxonomy\footnote{\url{https://github.com/MISP/misp-taxonomies/blob/master/admiralty-scale/machinetag.json}}
|
||||
\begin{columns}[T] % align columns
|
||||
\begin{column}{.40\textwidth}
|
||||
\begin{tabular}{|ll|}
|
||||
|
@ -161,21 +213,7 @@
|
|||
\end{footnotesize}
|
||||
|
||||
\vspace{0.5cm}
|
||||
$\rightarrow$ In next version, Users will be able to override these \texttt{numerical\_value}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Scoring Indicators: Our solution}
|
||||
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
|
||||
Where,\vspace{0.5cm}
|
||||
\begin{itemize}
|
||||
\item \texttt{score} $ \in [0, +\infty $
|
||||
\item \texttt{base\_score} $ \in [0, 100] $
|
||||
\item \texttt{decay} is a function defined by model's parameters controlling decay speed
|
||||
\item \texttt{Attribute} Contains \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
|
||||
\item \texttt{Model} Contains the \textit{Model}'s configuration
|
||||
\end{itemize}
|
||||
|
||||
$\rightarrow$ Users can override tag \texttt{numerical\_value}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
|
@ -184,16 +222,31 @@
|
|||
\begin{itemize}
|
||||
\item \texttt{base\_score}(\texttt{\tiny Attribute, Model})
|
||||
\begin{itemize}
|
||||
\item Initial score of the \textit{Attribute} only considering the context (i.e. \textit{Tags})
|
||||
\item Initial score of the \textit{Attribute} only considering the context (\textit{Attribute's type}, \textit{Tags})
|
||||
\end{itemize}
|
||||
\vspace{1cm}
|
||||
\item \texttt{decay}(\texttt{\tiny Model, time})
|
||||
\begin{itemize}
|
||||
\item Function composed of the \textbf{lifetime} and \textbf{Decay speed} decreasing the \texttt{base\_score} over time
|
||||
\item Function composed of the \textbf{lifetime} and \textbf{decay speed}
|
||||
\item Decreases the \texttt{base\_score} over time
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Scoring Indicators: Our solution}
|
||||
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
|
||||
\begin{center}
|
||||
\begin{tikzpicture}
|
||||
\draw[->] (-1, 0) -- (4.5, 0) node[right] {$time$};
|
||||
\draw[->] (0, -1) -- (0, 4.2) node[left] {$score$};
|
||||
\node at (-1, 2.6) {\footnotesize base\_score};
|
||||
\draw[scale=0.5, domain=0:8, smooth, variable=\y, blue] plot ({\y}, {5 * (1 - (\y/8)^(3.5))});
|
||||
\end{tikzpicture}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\section{Current implementation in MISP}
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: \texttt{Event/view}}
|
||||
|
@ -247,29 +300,30 @@
|
|||
\frametitle{Implementation in MISP: Models definition}
|
||||
\hspace{190pt}
|
||||
\raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $}
|
||||
\textit{Models} are an instanciation of the formula where elements can be defined:
|
||||
\textit{Models} are an instanciation of the formula with configurable parameters:
|
||||
\begin{itemize}
|
||||
\item Parameters: \texttt{lifetime, decay\_rate, threshold}
|
||||
\item \texttt{base\_score}
|
||||
\item \texttt{base\_score} computation
|
||||
\item \texttt{default base\_score}
|
||||
\item formula
|
||||
\item associate \textit{Attribute} types
|
||||
\item formula
|
||||
\item creator organisation
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: Models Types}
|
||||
Multiple model types are available
|
||||
Two types of model are available
|
||||
\begin{itemize}
|
||||
\item \textbf{Default Models}: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
|
||||
\item \textbf{Default Models}: Created and shared by the community. Coming from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
|
||||
\begin{itemize}
|
||||
\item $\rightarrow$ Not editable
|
||||
\item[$\rightarrow$] Not editable
|
||||
\end{itemize}
|
||||
\item \textbf{Organisation Models}: Models created by a user belonging to an organisation
|
||||
\vspace{0.5cm}
|
||||
\item \textbf{Organisation Models}: Created by a user on MISP
|
||||
\begin{itemize}
|
||||
\item These models can be hidden or shared to other organisation
|
||||
\item $\rightarrow$ Editable
|
||||
\item Can be hidden or shared to other organisation
|
||||
\item[$\rightarrow$] Editable
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
@ -277,13 +331,13 @@
|
|||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: Index}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
|
||||
View, update, add, create, delete, enable, export, import
|
||||
Standard CRUD operations: View, update, add, create, delete, enable, export, import
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: Fine tuning tool}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
|
||||
Create, modify, visualise, perform mapping
|
||||
Configure models: Create, modify, visualise, perform mapping
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
|
@ -295,7 +349,7 @@
|
|||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: simulation tool}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
|
||||
Simulate \textit{Attributes} with different \textit{Models}
|
||||
Simulate decay on \textit{Attributes} with different \textit{Models}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}[fragile]
|
||||
|
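Review bot: The models-definition frame lists `threshold` among the model parameters (`\item Parameters: \texttt{lifetime, decay\_rate, threshold}`) but no frame in this deck says what it does, and the formula on the same frame, `score = base_score · (1 − (t/τ)^(1/δ))`, goes negative as soon as `t` exceeds the lifetime `τ`, which the plotted curve on the new scoring frame (domain 0:8 with τ = 8) stops exactly at. One extra item under the parameter list would close both gaps, e.g. `\item[$\rightarrow$] \texttt{score} never drops below 0; an \textit{Attribute} whose score falls under \texttt{threshold} is treated as expired` — worded as an assumption if the current implementation clamps differently. The requirements frame stresses that decay is "just an overlay", but since `base\_score` is derived from tag `numerical\_value` and the new text says users can override those values, it is worth stating whether that override is per user or instance-wide; an instance-wide override would let a single tagging user change what every consumer sees as expired.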
|
|
@ -1 +1 @@
|
|||
Team CIRCL
|
||||
Team MISP Project
|
||||
|
|
|
@ -1 +1 @@
|
|||
CanSecWest 2020
|
||||
GSMA Edition
|
||||
|
|
|
@ -0,0 +1,340 @@
|
|||
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||
% This is included by the other .tex files.
|
||||
|
||||
\begin{frame}[t,plain]
|
||||
\titlepage
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Agenda}
|
||||
\begin{itemize}
|
||||
\item Introduction to Information Sharing with MISP
|
||||
\item General MISP usage - diving into MISP functionalities and integration
|
||||
\item GSMA instance usage by Alexandre De Oliveira
|
||||
\item Q \& A
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP: Started from a practical use-case}
|
||||
\begin{itemize}
|
||||
\item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
|
||||
\item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
|
||||
\item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
|
||||
\item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
|
||||
\item MISP is now {\bf a community-driven development}.
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{about CIRCL}
|
||||
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg and is operated by securitymadein.lu g.i.e.
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP and CIRCL}
|
||||
\begin{itemize}
|
||||
\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector.
|
||||
\item CIRCL leads the development of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
|
||||
\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics{en_cef.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Many objectives from different user-groups}
|
||||
\begin{itemize}
|
||||
\item Sharing indicators for a {\bf detection} matter.
|
||||
\begin{itemize}
|
||||
\item \textit{Do I have infected systems in my infrastructure or the ones I operate?}
|
||||
\end{itemize}
|
||||
\item Sharing indicators to {\bf block}.
|
||||
\begin{itemize}
|
||||
\item \textit{I use these attributes to block, sinkhole or divert traffic}
|
||||
\end{itemize}
|
||||
\item Sharing indicators to {\bf perform intelligence}.
|
||||
\begin{itemize}
|
||||
\item Gathering information about campaigns and attacks. \textit{Are they related? Who is targeting me? Who are the adversaries?}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
|
||||
\vspace{1em}
|
||||
\begin{center}
|
||||
$\rightarrow$ These objectives can be {\bf conflicting}
|
||||
|
||||
(e.g. False-positives have different impacts)
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Sharing Difficulties}
|
||||
\begin{itemize}
|
||||
\item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
|
||||
\item Legal restriction\footnote{\url{https://www.misp-project.org/compliance/}}
|
||||
\begin{itemize}
|
||||
\item \textit{Our legal framework doesn't allow us to share information}
|
||||
\item \textit{Risk of information-leak is too high and it's too risky for our organization or partners.}
|
||||
\end{itemize}
|
||||
\item Practical restriction
|
||||
\begin{itemize}
|
||||
\item \textit{We don't have information to share.}
|
||||
\item \textit{We don't have time to process or contribute indicators.}
|
||||
\item \textit{Our model of classification doesn't fit your model.}
|
||||
\item \textit{Tools for sharing information are tied to a specific format, we use a different one.}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP Project Overview}
|
||||
\includegraphics[scale=0.35]{misp-overview-simplified.pdf}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP model of governance}
|
||||
\includegraphics[scale=0.4]{governance.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Getting some naming conventions out of the way...}
|
||||
\begin{itemize}
|
||||
\item Data layer
|
||||
\begin{itemize}
|
||||
\item {\bf Events} are encapsulations for contextually linked information
|
||||
\item {\bf Attributes} are individual data points, which can be indicators or supporting data.
|
||||
\item {\bf Objects} are custom templated Attribute compositions
|
||||
\item {\bf Object references} are the relationships between other building blocks
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Getting some naming conventions out of the way...}
|
||||
\begin{itemize}
|
||||
\item Context layer
|
||||
\begin{itemize}
|
||||
\item {\bf Tags} are labels attached to events/attributes and can come from {\bf Taxonomies}
|
||||
\begin{itemize}
|
||||
\item \texttt{Android Malware}, \texttt{C2}, ...
|
||||
\end{itemize}
|
||||
|
||||
\item {\bf Taxonomies} are a set of common classification allowing to express the same vocabulary among a distributed set of users and organisations
|
||||
\begin{itemize}
|
||||
\item \texttt{tlp:green}, \texttt{false-positive:risk="high"}, \texttt{gsma-fraud:technical="sim-card-cloning"}, \texttt{gsma-attack-category:spoofing}
|
||||
\end{itemize}
|
||||
|
||||
\item {\bf Galaxy-clusters} are knowledge base items used to label events/attributes and come from {\bf Galaxies}. Basically a taxonomy with additional meta-information.
|
||||
\begin{itemize}
|
||||
\item Typical {\bf Galaxy-clusters}: {\bf threat actors}, {\bf preventive measures}, ...
|
||||
\item \texttt{misp-galaxy:bhadra-framework="Billing frauds"}, \texttt{misp-galaxy:bhadra-framework="DNS-based attacks"}, \texttt{misp-galaxy:threat-actor="APT 29"}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{A rich data-model: telling stories via relationships}
|
||||
\includegraphics[scale=0.25]{screenshots/bankaccount.png}
|
||||
\begin{center}
|
||||
\includegraphics[scale=0.18]{screenshots/bankview.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Correlation features: a tool for analysts}
|
||||
\begin{center}
|
||||
\includegraphics[scale=0.18]{screenshots/campaign.png}
|
||||
\end{center}
|
||||
\begin{itemize}
|
||||
\item To {\bf corroborate a finding} (e.g. is this the same campaign?), {\bf reinforce an analysis} (e.g. do other analysts have the same hypothesis?), {\bf confirm a specific aspect} (e.g. are the sinkhole IP addresses used for one campaign?) or just find if this {\bf threat is new or unknown in your community}.
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Contextualisation and aggregation}
|
||||
\begin{itemize}
|
||||
\item MISP integrates MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK) and similar {\bf Galaxy Matrix}
|
||||
\end{itemize}
|
||||
\includegraphics[scale=0.2]{screenshots/attack-screenshot.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Sharing in MISP: Distribution}
|
||||
MISP offers granulars distribution settings:
|
||||
\begin{itemize}
|
||||
\item \texttt{Organisation only}
|
||||
\item \texttt{This community}
|
||||
\item \texttt{Connected communities}
|
||||
\item \texttt{All communities}
|
||||
\item Distribution lists - aka \texttt{\bf Sharing groups}
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[scale=0.2]{screenshots/sg-example.png}
|
||||
\end{center}
|
||||
|
||||
At multiple levels: Events, Attributes and Objects (and their Attributes)
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Sharing in MISP: Advanced usage}
|
||||
\begin{itemize}
|
||||
\item {\bf Delegation} for pseudo-anonymised information sharing
|
||||
\item {\bf Proposals} and {\bf Extended events} for collaborated information sharing
|
||||
\item 2-way synchronisation, Feed system, air-gapped sharing
|
||||
\item User defined {\bf filtered sharing} for all the above mentioned methods
|
||||
\item Cross-instance information {\bf caching} for quick lookups of large data-sets
|
||||
\item Support for multi-MISP internal enclaves
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{MISP core distributed sharing functionality}
|
||||
\begin{itemize}
|
||||
\item MISP's core functionality is sharing where everyone can be a consumer and/or a contributor/producer.
|
||||
\item Quick benefit without the obligation to contribute.
|
||||
\item Low barrier access to get acquainted to the system.
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[scale=0.9]{misp-distributed.pdf}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Information quality management}
|
||||
\begin{itemize}
|
||||
\item Correlating data
|
||||
\item Feedback loop from detections via {\bf Sightings}
|
||||
\item {\bf False positive management} via the warninglist system
|
||||
\item {\bf Enrichment system} via MISP-modules
|
||||
\item {\bf Integrations} with a plethora of tools and formats
|
||||
\item Flexible {\bf API} and support {\bf libraries} such as PyMISP to ease integration
|
||||
\item {\bf Timelines} and giving information a temporal context
|
||||
\item Full chain for {\bf indicator life-cycle management}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Sightings support}
|
||||
\begin{columns}[t]
|
||||
\column{5.0cm}
|
||||
\begin{figure}
|
||||
\includegraphics[scale=0.3]{screenshots/sighting-n.png}\\
|
||||
\includegraphics[scale=0.34]{screenshots/Sightings2.PNG}
|
||||
\end{figure}
|
||||
\column{7cm}
|
||||
\begin{itemize}
|
||||
\item \textit{Has a data-point been {\bf sighted} by me or the community before?}
|
||||
\item Additionally, the sighting system supports negative sigthings (FP) and expiration sightings.
|
||||
\item Sightings can be performed via the API or the UI.
|
||||
\item Many use-cases for {\bf scoring indicators} based on users sighting.
|
||||
\item For large quantities of data, {\bf SightingDB} by Devo
|
||||
\end{itemize}
|
||||
\end{columns}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Timelines and giving information a temporal context}
|
||||
\begin{itemize}
|
||||
\item Recently introduced {\bf \texttt{first\_seen}} and {\bf \texttt{last\_seen}} data points
|
||||
\item All data-points can be placed in time
|
||||
\item Enables the {\bf visualisation} and {\bf adjustment} of indicators timeframes
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Life-cycle management via decaying of indicators}
|
||||
\includegraphics[width=1.00\linewidth]{decaying-simulation.png}
|
||||
Expiration based on user-defined \textit{Models}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{GSMA specific {\bf taxonomies}}
|
||||
\begin{itemize}
|
||||
\item \texttt{gsma-attack-category}
|
||||
\begin{itemize}
|
||||
\item Used by GSMA for their information sharing program with telco describing the {\bf attack categories}
|
||||
\end{itemize}
|
||||
\item \texttt{gsma-fraud}
|
||||
\begin{itemize}
|
||||
\item Used by GSMA for their information sharing program with telco describing the {\bf various aspects of fraud}
|
||||
\end{itemize}
|
||||
\item \texttt{gsma-network-technology}
|
||||
\begin{itemize}
|
||||
\item Used by GSMA for their information sharing program with telco describing the {\bf types of infrastructure}.
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Telco usefull {\bf galaxies}: Bhadra Framework}
|
||||
Bhadra is a threat modeling framework for mobile communication systems\footnote{https://arxiv.org/pdf/2005.05110.pdf}
|
||||
\includegraphics[width=1.05\linewidth]{screenshots/bhadra-matrix.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Telco usefull {\bf MISP Objects}}
|
||||
\begin{itemize}
|
||||
\item \texttt{phone}
|
||||
\begin{itemize}
|
||||
\item A phone or mobile phone object which describe a phone
|
||||
\item \texttt{brand}, \texttt{imei}, \texttt{imsi}, \texttt{serial-number}, ...
|
||||
\end{itemize}
|
||||
|
||||
\item \texttt{short-message-service}
|
||||
\begin{itemize}
|
||||
\item Short Message Service (SMS) object template describing one or more SMS message
|
||||
\item \texttt{body}, \texttt{from}, \texttt{to}, \texttt{received-date}, ...
|
||||
\end{itemize}
|
||||
|
||||
\item \texttt{ss7-attack}
|
||||
\begin{itemize}
|
||||
\item SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging
|
||||
\item \texttt{SccpCdGT}, \texttt{Category}, \texttt{MapOpCode}, ...
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Acknowledgements}
|
||||
\begin{itemize}
|
||||
\item Supported by the grant \texttt{2018-LU-IA-0148}
|
||||
\item Pan-European Information Sharing \& Analysis fos IXP and GRX
|
||||
\item Goal is to create and support existing ISACs
|
||||
\begin{itemize}
|
||||
\item T-ISAC initiative of GSMA
|
||||
\item Internet Exchange Points (IXPs)
|
||||
\item General Packet Radio Service Roaming eXchange (GRXs)
|
||||
\item Network operators at large
|
||||
\end{itemize}
|
||||
\item Who is begind LU-CIX, Post Luxembourg and CIRCL
|
||||
\item \url{https://pisax.org/}
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[scale=0.5]{en_cef.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Conclusion}
|
||||
\begin{itemize}
|
||||
\item {\bf Information sharing practices come from usage} and by example (e.g. learning by imitation from the shared information).
|
||||
\item MISP is just a tool. What matters is your sharing practices. The tool should be as transparent as possible to support you.
|
||||
\item Enable users to customize MISP to meet their community's use-cases.
|
||||
\item MISP project combines open source software, open standards, best practices and communities to make information sharing a reality.
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[scale=0.5]{en_cef.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
|
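Review bot: The Bhadra footnote on the "Telco usefull galaxies" frame types the arXiv link as plain text, while every other footnote in this file (e.g. the compliance link on the "Sharing Difficulties" frame) wraps it in `\url{}`; as written it is neither hyperlinked nor line-breakable, so it should read `\footnote{\url{https://arxiv.org/pdf/2005.05110.pdf}}`. The same new file carries several typos that will show on the rendered slides: `granulars` (Distribution frame), `sigthings` (Sightings support), `usefull` (two frame titles), and `fos IXP` and `begind` (Acknowledgements). Separately, the deck embeds screenshots of bank-account objects, sharing-group configuration and sightings; whether these come from a demo instance is not visible from the source, so it is worth confirming they contain no real community data or organisation names before the deck is published.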
|
@ -0,0 +1,25 @@
|
|||
\documentclass{beamer}
|
||||
\usetheme[numbering=progressbar]{focus}
|
||||
\definecolor{main}{RGB}{47, 161, 219}
|
||||
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||
\definecolor{background}{RGB}{240, 247, 255}
|
||||
|
||||
\usepackage[utf8]{inputenc}
|
||||
\usepackage{tikz}
|
||||
\usepackage{listings}
|
||||
\usetikzlibrary{positioning}
|
||||
\usetikzlibrary{shapes,arrows}
|
||||
|
||||
|
||||
\title{An Introduction to Cybersecurity Information Sharing}
|
||||
\subtitle{MISP - Threat Sharing}
|
||||
\author{\small{\input{../includes/authors.txt}}}
|
||||
\date{\input{../includes/location.txt}}
|
||||
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
|
||||
\institute{MISP Project \\ \url{https://www.misp-project.org/}}
|
||||
|
||||
|
||||
\begin{document}
|
||||
\include{content}
|
||||
\end{document}
|
||||
|
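Review bot: `\include{content}` on the last line forces `\clearpage` around the file and writes a separate `content.aux`, for a file whose own header says it is only ever pulled in from here; `\input{content}` is the conventional form for that. If the other decks in this repository deliberately use `\include`, keeping it for consistency is reasonable. The `\author{\small{\input{../includes/authors.txt}}}` line also passes a brace group to `\small`, which is a font-size declaration rather than a one-argument command; the intended form is `\author{{\small\input{../includes/authors.txt}}}`, though the output happens to be the same here.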