revamped intro

pull/13/head
iglocska 2021-02-02 11:12:32 +01:00
parent c7a8dbe252
commit dc59e894b9
26 changed files with 137 additions and 152 deletions


@ -5,6 +5,10 @@
\titlepage
\end{frame}
\begin{frame}{Agenda}
\input{../includes/week_agenda.txt}
\end{frame}
\begin{frame}{Agenda}
\input{../includes/agenda.txt}
\end{frame}
@ -35,6 +39,16 @@ The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven
\includegraphics{en_cef.png}
\end{frame}
\begin{frame}
\frametitle{What is MISP?}
\begin{itemize}
\item MISP is a {\bf threat information sharing} platform that is free \& open source software
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
\item Normalises, {\bf correlates}, {\bf enriches} the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Development based on practical user feedback}
@ -75,6 +89,19 @@ The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Communities using MISP}
\begin{itemize}
\item Communities are groups of users sharing within a set of common objectives/values.
\item CIRCL operates multiple MISP instances with a significant user base (more than 1200 organizations with more than 4000 users).
\item {\bf Trusted groups} running MISP communities in island mode (air gapped system) or partially connected mode.
\item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
\item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
\item {\bf Security vendors} running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
\item {\bf Topical communities} set up to tackle individual specific issues (COVID-19 MISP)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Sharing Difficulties}
\begin{itemize}
@ -100,79 +127,26 @@ The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven
\includegraphics[scale=0.35]{misp-overview-simplified.pdf}
\end{frame}
%\begin{frame}
% \frametitle{MISP Project Overview}
% \begin{columns}[t]
% \column{5.0cm}
% \begin{figure}
% \includegraphics[scale=0.20]{misp-overview.pdf}\\
% \end{figure}
% \column{7cm}
% \begin{itemize}
% \item The {\bf core project}\footnote{\url{http://github.com/MISP/}} (PHP/Python3) supports the backend, API \& UI.
% \item Modules (Python3) expand MISP functionalities.
% \item Taxonomies (JSON) to add categories \& global tagging.
% \item Warning-lists (JSON) help analysts to detect potential false-positives.
% \item Galaxy (JSON) to add threat-actors, tools or "intelligence".
% \item Objects (JSON) to allow for templated composition of security related atomic points of information.
% \end{itemize}
% \end{columns}
%\end{frame}
\begin{frame}
\frametitle{MISP features}
\frametitle{Getting some naming conventions out of the way...}
\begin{itemize}
\item MISP\footnote{\url{https://github.com/MISP/MISP}} is a threat information sharing free \& open source software.
\item MISP has {\bf a host of functionalities} that assist users in creating, collaborating \& sharing threat information - e.g. flexible sharing groups, {\bf automatic correlation}, free-text import helper, event distribution \& proposals.
\item Many export formats which support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ).
\item A rich set of MISP modules\footnote{\url{https://www.github.com/MISP/misp-modules}} to add expansion, import and export functionalities.
\item Data layer
\begin{itemize}
\item {\bf Events} are encapsulations for contextually linked information
\item {\bf Attributes} are individual data points, which can be indicators or supporting data
\item {\bf Objects} are custom templated Attribute compositions
\item {\bf Object references} are the relationships between other building blocks
\item {\bf Sightings} are time-specific occurances of a given data-point detected
\end{itemize}
\item Context layer
\begin{itemize}
\item {\bf Tags} are labels attached to events/attributes and can come from {\bf Taxonomies}
\item {\bf Galaxy-clusters} are knowledge base items used to label events/attributes and come from {\bf Galaxies}
\item {\bf Cluster relationships} denote pre-defined relationships between clusters
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Correlation features: a tool for analysts}
\includegraphics[scale=0.18]{screenshots/campaign.png}
\begin{itemize}
\item To {\bf corroborate a finding} (e.g. is this the same campaign?), {\bf reinforce an analysis} (e.g. do other analysts have the same hypothesis?), {\bf confirm a specific aspect} (e.g. are the sinkhole IP addresses used for one campaign?) or just find if this {\bf threat is new or unknown in your community}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Communities using MISP}
\begin{itemize}
\item Communities are groups of users sharing within a set of common objectives/values.
\item CIRCL operates multiple MISP instances with a significant user base (more than 950 organizations with more than 2400 users).
\item {\bf Trusted groups} running MISP communities in island mode (air gapped system) or partially connected mode.
\item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
\item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
\item {\bf Security vendors} running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP core distributed sharing functionality}
\begin{itemize}
\item MISPs' core functionality is sharing where everyone can be a consumer and/or a contributor/producer."
\item Quick benefit without the obligation to contribute.
\item Low barrier access to get acquainted to the system.
\end{itemize}
\includegraphics[scale=0.9]{misp-distributed.pdf}
\end{frame}
\begin{frame}
\frametitle{Events, Objects and Attributes in MISP}
\begin{itemize}
\item MISP events are encapsulations for contextually linked information
\item MISP attributes\footnote{attributes can be anything that helps describe the intent of the event package from indicators, vulnerabilities or any relevant information} initially started with a standard set of "cyber security" indicators.
\item MISP attributes are purely {\bf based on usage} (what people and organizations use daily).
\item Evolution of MISP attributes is based on practical usage \& users (e.g. the addition of {\bf financial indicators} in 2.4).
\item MISP objects are attribute compositions describing points of data using many facets, constructed along the lines of community and user defined templates.
\item Galaxies granularly contextualise, classify \& categorise data based on {\bf threat actors}, {\bf preventive measures}, tools used by adversaries.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Terminology about Indicators}
\begin{itemize}
@ -194,62 +168,62 @@ The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Sharing Attackers Techniques}
\begin{itemize}
\item MISP integrates at event or attribute level MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK).
\end{itemize}
\includegraphics[scale=0.2]{screenshots/attack-screenshot.png}
\end{frame}
\begin{frame}
\frametitle{Supporting specific datamodel}
\frametitle{A rich data-model: telling stories via relationships}
\includegraphics[scale=0.24]{screenshots/bankaccount.png}
\includegraphics[scale=0.18]{screenshots/bankview.png}
\end{frame}
\begin{frame}
\frametitle{Helping Contributors in MISP}
\frametitle{Contextualisation and aggregation}
\begin{itemize}
\item Contributors can use the UI, API or using the freetext import to add events and attributes.
\begin{itemize}
\item Modules existing in Viper (a binary framework for malware reverser) to populate and use MISP from the vty or via your IDA.
\item MISP integrates at the event and the attribute levels MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK).
\end{itemize}
\item Contribution can be direct by creating an event but {\bf users can propose attributes updates} to the event owner.
\item {\bf Users should not be forced to use a single interface to contribute}.
\includegraphics[scale=0.2]{screenshots/attack-screenshot.png}
\end{frame}
\begin{frame}
\frametitle{Sharing in MISP}
\begin{itemize}
\item Sharing via distribution lists - {\bf Sharing groups}
\item {\bf Delegation} for pseudo-anonymised information sharing
\item {\bf Proposals} and {\bf Extended events} for collaborated information sharing
\item Synchronisation, Feed system, air-gapped sharing
\item User defined {\bf filtered sharing} for all the above mentioned methods
\item Cross-instance information {\bf caching} for quick lookups of large data-sets
\item Support for multi-MISP internal enclaves
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Example: Freetext import in MISP}
\includegraphics[scale=0.3]{screenshots/freetext1.PNG}\\
\includegraphics[scale=0.3]{screenshots/freetxt2.PNG}\\
\includegraphics[scale=0.3]{screenshots/freetxt3.PNG}
\frametitle{MISP core distributed sharing functionality}
\begin{itemize}
\item MISPs' core functionality is sharing where everyone can be a consumer and/or a contributor/producer."
\item Quick benefit without the obligation to contribute.
\item Low barrier access to get acquainted to the system.
\end{itemize}
\includegraphics[scale=0.9]{misp-distributed.pdf}
\end{frame}
\begin{frame}
\frametitle{Supporting Classification}
\frametitle{Information quality management}
\begin{itemize}
\item Tagging is a simple way to attach a classification to an event or an attribute.
\item {\bf Classification must be globally used to be efficient}.
\item MISP includes a flexible tagging scheme where users can select from more than 42 existing taxonomies or create their own taxonomy.
\item Correlating data
\item Feedback loop from detections via {\bf Sightings}
\item {\bf False positive management} via the warninglist system
\item {\bf Enrichment system} via MISP-modules
\item {\bf Integrations} with a plethora of tools and formats
\item Flexible {\bf API} and support {\bf libraries} such as PyMISP to ease integration
\item {\bf Timelines} and giving information a temporal context
\item Full chain for {\bf indicator life-cycle management}
\end{itemize}
\includegraphics[scale=0.20]{tags-2-4-70.png}
\end{frame}
\begin{frame}
\frametitle{Supporting Sharing in MISP}
\frametitle{Correlation features: a tool for analysts}
\includegraphics[scale=0.18]{screenshots/campaign.png}
\begin{itemize}
\item Delegate events publication to another organization (introduced in MISP 2.4.18).
\begin{itemize}
\item The other organization can take over the ownership of an event and provide {\bf pseudo-anonymity to initial organization}.
\end{itemize}
\item Sharing groups allow custom sharing (introduced in MISP 2.4) per event or even at attribute level.
\begin{itemize}
\item Sharing communities can be used locally or even cross MISP instances.
\item {\bf Sharing groups} can be done at {\bf event level or attributes level} (e.g. financial indicators shared to a financial sharing groups and cyber security indicators to CSIRT community).
\end{itemize}
\item To {\bf corroborate a finding} (e.g. is this the same campaign?), {\bf reinforce an analysis} (e.g. do other analysts have the same hypothesis?), {\bf confirm a specific aspect} (e.g. are the sinkhole IP addresses used for one campaign?) or just find if this {\bf threat is new or unknown in your community}.
\end{itemize}
\end{frame}
@ -263,35 +237,53 @@ The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven
\end{figure}
\column{7cm}
\begin{itemize}
\item Sightings allow users to notify the community about the activities related to an indicator.
\item In recent MISP versions, the sighting system supports negative sigthings (FP) and expiration sightings.
\item Sightings can be performed via the API, and the UI, even including the import of STIX sighting documents.
\item Many use-cases for scoring indicators based on users sighting.
\item Has a data-point been {\bf sighted} by me or the community before?
\item Additionally, the sighting system supports negative sigthings (FP) and expiration sightings.
\item Sightings can be performed via the API or the UI.
\item Many use-cases for {\bf scoring indicators} based on users sighting.
\item For large quantities of data, {\bf SightingDB} by Devo
\end{itemize}
\end{columns}
\end{frame}
\begin{frame}
\frametitle{Timelines and giving information a temporal context}
\begin{itemize}
\item Recently introduced {\bf \texttt{first\_seen}} and {\bf \texttt{last\_seen}} data points
\item All data-points can be placed in time
\item Enables the {\bf visualisation} and {\bf adjustment} of indicators timeframes
\end{itemize}
\begin{center}
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Improving Information Sharing in MISP}
\frametitle{Life-cycle management via decaying of indicators}
\includegraphics[width=1.00\linewidth]{decaying-event.png}
\begin{itemize}
\item False-positives are a recurring challenge in information sharing.
\item In MISP 2.4.39, we introduced the misp-warninglists\footnote{\url{https://github.com/MISP/misp-warninglists}} to help analysts in their day-to-day job.
\item Predefined lists of well-known indicators which are often false-positives like RFC1918 networks, public DNS resolver are included by default.
\item \texttt{Decay score} toggle button
\begin{itemize}
\item Shows Score for each \textit{Models} associated to the \textit{Attribute} type
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Improving support of sharing within and outside an organization}
\begin{itemize}
\item Even in a single organization, multiple use-cases of MISP can appear (groups using it for dynamic malware analysis correlations, dispatching notification).
\item In MISP 2.4.51, we introduced the ability to have {\bf local MISP} servers connectivity to avoid changes in distribution level. This allows to have mixed synchronization setup within and outside an organization.
\item Feed support was also introduced to support synchronization between untrusted and trusted networks.
\end{itemize}
\frametitle{Decaying of indicators: Fine tuning tool}
\includegraphics[width=1.00\linewidth]{decaying-tool.png}
Create, modify, visualise, perform mapping
\end{frame}
\begin{frame}
\frametitle{Bootstrapping MISP with indicators}
\frametitle{Decaying of indicators: simulation tool}
\includegraphics[width=1.00\linewidth]{decaying-simulation.png}
Simulate \textit{Attributes} with different \textit{Models}
\end{frame}
\begin{frame}
\frametitle{Bootstrapping your MISP with data}
\begin{itemize}
\item We maintain the default CIRCL OSINT feeds (TLP:WHITE selected from our communities) in MISP to allow users to ease their bootstrapping.
\item The format of the OSINT feed is based on standard MISP JSON output pulled from a remote TLS/HTTP server.
@ -301,7 +293,6 @@ The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Conclusion}
\begin{itemize}
@ -312,19 +303,4 @@ The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven
\end{itemize}
\end{frame}
\begin{frame}{MISP User Experience Survey}
A researcher--Borce STOJKOVSKI--from University of Luxembourg (SnT) is
conducting a survey about MISP UX.
\vspace{1cm}
\begin{itemize}
\item You may participate at the following location: \url{https://misp-project.org/ux-survey}
\item on-voluntary basis: opt-out at any time,
\item results will be communicated back to the community and used to improve
MISP's User Interface,
\item for any inquiries contact ux@misp-project.org
\end{itemize}
\end{frame}
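Review bot: The new naming-conventions frame in the `@ -100,79 +127,26 @@` hunk carries a typo in the Sightings bullet, which should read `\item {\bf Sightings} are time-specific occurrences of a given data-point detected`, and the same frame's title should use `\dots` rather than three periods, `\frametitle{Getting some naming conventions out of the way\dots}`. The sharing frame moved into the `@ -194,62 +168,62 @@` hunk keeps a stray closing quote and a misplaced apostrophe, and should be `\item MISP's core functionality is sharing where everyone can be a consumer and/or a contributor/producer.`, while the sightings column in the `@ -263,35 +237,53 @@` hunk still spells "sigthings" in what should be `\item Additionally, the sighting system supports negative sightings (FP) and expiration sightings.`. As far as the rendered page lets me tell, all three lines sit on the new side, so the typos survive the revamp. As a point of style, the bullets added in the `@ -35,6 +39,16 @@` hunk use the plain-TeX `{\bf ...}` form where `\textbf{...}` is the LaTeX equivalent; the rest of the deck uses `{\bf ...}` as well, so either way the choice should be made consistently.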


@ -1,8 +1,9 @@
\begin{itemize}
\item (10:00 - 10:30) Introduction to Information Sharing with MISP
\item (10:30 - 12:30) User perspective - diving into MISP functionalities and integration
\item (12:30 - 13:30) Lunch Break
\item (13:30 - 15:00) Admin perspective - Synchronisation and figuring out the health of your MISP instance.
\item (15:00 - 15:15) Small break
\item (15:15 - 17:00) Building your sharing community and Wrapping up
\item (13:00 - 13:45) Introduction to Information Sharing with MISP
\item (13:45 - 15:00) Usage 1
\item (15:00 - 15:15) break
\item (15:15 - 16:00) Usage 2
\item (16:00 - 16:30) Integration
\item (16:30 - 16:50) Best practices
\item (16:50 - 17:00) QA
\end{itemize}


@ -1 +1 @@
Team MISP Project
CIRCL / Team MISP Project


@ -1 +1 @@
GSMA Edition
Uniper training 2021

includes/week_agenda.txt Normal file

@ -0,0 +1,8 @@
\begin{itemize}
\item (02.02) Usage 1
\item (03.02) Usage 2
\item (04.02) Analyst hands-on
\item (10.02) Administration
\item (11.02) Integration day
\item (12.02) Developer day
\end{itemize}