MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [b.4] Added timline and simplified decaying

master
mokaddem 2020-01-30 09:18:49 +01:00
parent fb2a823a43
commit cd59cd9c05
3 changed files with 29 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
b.4-turning-data-into-actionable-intelligence-short/content.tex
View File

@ -17,9 +17,9 @@
\begin{frame} \begin{frame}
\frametitle{The aim of this presentation} \frametitle{The aim of this presentation}
\begin{itemize} \begin{itemize}
\item Why is contextualisation important? \item Why is {\bf contextualisation} important?
\item What options do we have in MISP? \item What options do we have in MISP?
\item How can we leverage this in the end? \item How can we {\bf leverage} this in the end?
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -91,15 +91,17 @@
\item Different organisational/community cultures require different nomenclatures \item Different organisational/community cultures require different nomenclatures
\item Triple tag system - taxonomies \item Triple tag system - taxonomies
\item JSON libraries that can easily be defined without our intervention \item JSON libraries that can easily be defined without our intervention
***********PICPLZ
\end{itemize} \end{itemize}
\includegraphics[width=1.0\linewidth]{taxonomy-workflow.png}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Galaxies} \frametitle{Galaxies}
\begin{itemize} \begin{itemize}
\item Taxonomy tags often {\bf non self-explanatory} \item Taxonomy tags often {\bf non self-explanatory}
\begin{itemize}
\item Example: universal understanding of tlp:green vs APT 28 \item Example: universal understanding of tlp:green vs APT 28
\end{itemize}
\item For the latter, a single string was ill-suited \item For the latter, a single string was ill-suited
\item So we needed something new in addition to taxonomies - \textbf{Galaxies} \item So we needed something new in addition to taxonomies - \textbf{Galaxies}
\begin{itemize} \begin{itemize}
@ -170,7 +172,7 @@
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Supporting specific datamodel} \frametitle{Continuous feedback loop (2)}
\begin{center} \begin{center}
\includegraphics[scale=0.5]{sighting-n.png} \includegraphics[scale=0.5]{sighting-n.png}
\end{center} \end{center}
@ -179,7 +181,17 @@
\end{center} \end{center}
\end{frame} \end{frame}
******TIMELINETHING \begin{frame}
\frametitle{A brief history of time - Adding temporality to our data}
\begin{itemize}
\item {\bf 2.4.120} introduced {\bf \texttt{first\_seen}} and {\bf \texttt{last\_seen}}
\item Along with a complete integration with the {\bf UI}
\item {\bf Visualizating} and {\bf editing} time component effortlessly
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
\end{center}
\end{frame}
\section{Encoding analyst knowledge to automatically leverage the above} \section{Encoding analyst knowledge to automatically leverage the above}
@ -266,12 +278,13 @@
\begin{itemize} \begin{itemize}
\item We were still missing a way to use all of these systems in combination to decay indicators \item We were still missing a way to use all of these systems in combination to decay indicators
\item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models} \item Move the decision making \textbf{from complex filter options to} complex \textbf{decay models}
\item Decay models would take into account various \textbf{taxonomies}, \textbf{sightings}, the \textbf{type} of each indicator \textbf{Sightings} and \textbf{Creation date} \item Decay models would take into account various available {\bf context}
\item The first iteration of what we have in MISP now took:
\begin{itemize} \begin{itemize}
\item 2 years of research \item Taxonomies
\item 3 published research papers \item Sightings
\item A lot of prototyping \item type of each indicator
\item Creation date
\item ...
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -313,25 +326,12 @@
\end{lstlisting} \end{lstlisting}
\end{frame} \end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Index}
\includegraphics[width=1.00\linewidth]{decaying-index.png}
View, update, add, create, delete, enable, export, import
\end{frame}
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: Fine tuning tool} \frametitle{Implementation in MISP: Fine tuning tool}
\includegraphics[width=1.00\linewidth]{decaying-tool.png} \includegraphics[width=1.00\linewidth]{decaying-tool.png}
Create, modify, visualise, perform mapping Create, modify, visualise, perform mapping
\end{frame} \end{frame}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{base\_score} tool}
\includegraphics[width=1.00\linewidth]{decaying-basescore.png}
Adjust Taxonomies relative weights
\end{frame}
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: simulation tool} \frametitle{Implementation in MISP: simulation tool}
\includegraphics[width=1.00\linewidth]{decaying-simulation.png} \includegraphics[width=1.00\linewidth]{decaying-simulation.png}
@ -344,12 +344,7 @@
\begin{lstlisting} \begin{lstlisting}
{ {
"includeDecayScore": 1, "includeDecayScore": 1,
"includeFullModel": 0,
"excludeDecayed": 0, "excludeDecayed": 0,
"decayingModel": [85],
"modelOverrides": {
"threshold": 30
}
"score": 30, "score": 30,
} }
\end{lstlisting} \end{lstlisting}

5
b.4-turning-data-into-actionable-intelligence-short/makefile Normal file
View File

@ -0,0 +1,5 @@
all:
pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex
clean:
rm *.aux *.nav *.log *.snm *.toc *.vrb

BIN
b.4-turning-data-into-actionable-intelligence-short/timeline-misp-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 146 KiB