MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [events] Updated the old-fashioned `{\bf }` to `\textbf{}`

pull/25/head
Christian Studer 2024-05-02 16:27:02 +02:00
parent bb32f63044
commit e218e7dbbd
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 80 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

160
events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
View File

@ -26,10 +26,10 @@
\frametitle{CIRCL's involvement}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector.
\item {\bf CIRCL leads the development} of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
\item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
\item \textbf{CIRCL leads the development} of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
\item \textbf{CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
\item []
\item We use MISP as an {\bf internal tool} to cover various day-to-day activities
\item We use MISP as an \textbf{internal tool} to cover various day-to-day activities
\item Whilst being the main driving force behind the development, we're also one of the largest consumers
\end{itemize}
\end{frame}
@ -40,8 +40,8 @@
\item Private sector community
\begin{itemize}
\item Our largest sharing community
\item Over {\bf 1900 organisations}
\item Over {\bf 4800 users}
\item Over \textbf{1900 organisations}
\item Over \textbf{4800 users}
\item Functions as a central hub for a lot of sharing communities
\item Private organisations, Researchers, Various SoCs, some CSIRTs, etc
\end{itemize}
@ -53,7 +53,7 @@
\item Financial sector community
\begin{itemize}
\item Banks, payment processors, etc.
\item Sharing of {\bf mule accounts} and {\bf non-cyber threat information}
\item Sharing of \textbf{mule accounts} and \textbf{non-cyber threat information}
\end{itemize}
\end{itemize}
\end{frame}
@ -65,7 +65,7 @@
\begin{itemize}
\item Topical or community specific instances hosted or co-managed by CIRCL
\item Examples, CIISI, GSMA, FIRST.org, CSIRT network, etc
\item Often come with their {\bf own taxonomies and domain specific object definitions}
\item Often come with their \textbf{own taxonomies and domain specific object definitions}
\end{itemize}
\item Various ad-hoc communities for exercises
\begin{itemize}
@ -82,12 +82,12 @@
\begin{itemize}
\item There are many different types of users of an information sharing platform like MISP:
\begin{itemize}
\item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues.
\item {\bf Security analysts} searching, validating and using indicators in operational security.
\item {\bf Intelligence analysts} gathering information about specific adversary groups.
\item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
\item {\bf Risk analysis teams} willing to know about the new threats, likelyhood and occurences.
\item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds.
\item \textbf{Malware reversers} willing to share indicators of analysis with respective colleagues.
\item \textbf{Security analysts} searching, validating and using indicators in operational security.
\item \textbf{Intelligence analysts} gathering information about specific adversary groups.
\item \textbf{Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
\item \textbf{Risk analysis teams} willing to know about the new threats, likelyhood and occurences.
\item \textbf{Fraud analysts} willing to share financial indicators to detect financial frauds.
\end{itemize}
\end{itemize}
\end{frame}
@ -95,22 +95,22 @@
\begin{frame}
\frametitle{Usual sharing scenarios for ISACs}
\begin{itemize}
\item Exchange of {\bf insights from monitoring}
\item Sharing the outcomes of {\bf incidents}
\item Information on the {\bf attackers, techniques used}
\item {\bf Remediation} information / {\bf prevention} information
\item {\bf Vulnerability} pre-disclosure
\item Supporitng {\bf tools} / {\bf scripts}
\item Exchange of \textbf{insights from monitoring}
\item Sharing the outcomes of \textbf{incidents}
\item Information on the \textbf{attackers, techniques used}
\item \textbf{Remediation} information / \textbf{prevention} information
\item \textbf{Vulnerability} pre-disclosure
\item Supporitng \textbf{tools} / \textbf{scripts}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Examples of sharing scenarios for sectorial ISACs}
\begin{itemize}
\item {\bf Financial fraud} information sharing
\item {\bf Law enforcement} / Border control specific sharing
\item {\bf Disinformation} sharing
\item {\bf Health} related information sharing
\item \textbf{Financial fraud} information sharing
\item \textbf{Law enforcement} / Border control specific sharing
\item \textbf{Disinformation} sharing
\item \textbf{Health} related information sharing
\end{itemize}
\end{frame}
@ -119,10 +119,10 @@
\begin{itemize}
\item Different use-cases have conflicting requirements for the data shared
\begin{itemize}
\item {\bf False positive} appetite
\item {\bf Maturity} levels
\item {\bf Topical} interests
\item {\bf Detection rules} vs {\bf threat intel} vs {\bf remediation/prevention} support
\item \textbf{False positive} appetite
\item \textbf{Maturity} levels
\item \textbf{Topical} interests
\item \textbf{Detection rules} vs \textbf{threat intel} vs \textbf{remediation/prevention} support
\end{itemize}
\end{itemize}
\end{frame}
@ -131,9 +131,9 @@
\frametitle{Reconciling the different use-cases}
\begin{itemize}
\item For inclusiveness, be lenient with what you allow
\item Make {\bf contextualisation} a requirement
\item Users can then {\bf filter} based on their needs
\item Encourage the sharing of {\bf supporting materials, scripts, guidance}
\item Make \textbf{contextualisation} a requirement
\item Users can then \textbf{filter} based on their needs
\item Encourage the sharing of \textbf{supporting materials, scripts, guidance}
\item Raise awareness about the benefits of well modelled, graph based information sharing
\end{itemize}
\end{frame}
@ -141,9 +141,9 @@
\begin{frame}
\frametitle{Bringing different sharing communities together}
\begin{itemize}
\item Getting your community to be active takes {\bf time and effort}, but with persistence your chances are great.
\item We generally all {\bf end up sharing with peers that face similar threats}
\item Division is either {\bf sectorial or geographical}
\item Getting your community to be active takes \textbf{time and effort}, but with persistence your chances are great.
\item We generally all \textbf{end up sharing with peers that face similar threats}
\item Division is either \textbf{sectorial or geographical}
\item So why even bother with trying to bridge these communities?
\end{itemize}
\end{frame}
@ -151,11 +151,11 @@
\begin{frame}
\frametitle{Advantages of cross sectorial sharing}
\begin{itemize}
\item {\bf Reuse of TTPs} across sectors
\item Being hit by something that {\bf another sector has faced before}
\item {\bf Hybrid threats} - how seemingly unrelated things may be interesting to correlate
\item Prepare other communities for the capability and {\bf culture of sharing} for when the need arises for them to reach out to CSIRT
\item Generally our field is ahead of several other sectors when it comes to information sharing, might as well {\bf spread the love}
\item \textbf{Reuse of TTPs} across sectors
\item Being hit by something that \textbf{another sector has faced before}
\item \textbf{Hybrid threats} - how seemingly unrelated things may be interesting to correlate
\item Prepare other communities for the capability and \textbf{culture of sharing} for when the need arises for them to reach out to CSIRT
\item Generally our field is ahead of several other sectors when it comes to information sharing, might as well \textbf{spread the love}
\end{itemize}
\centering\includegraphics[scale=0.3]{../images/sharing.jpeg}
\end{frame}
@ -173,8 +173,8 @@
\begin{frame}
\frametitle{Getting started with building your own sharing community}
\begin{itemize}
\item Starting a sharing community is {\bf both easy and difficult} at the same time
\item Many moving parts and most importantly, you'll be dealing with a {\bf diverse group of people}
\item Starting a sharing community is \textbf{both easy and difficult} at the same time
\item Many moving parts and most importantly, you'll be dealing with a \textbf{diverse group of people}
\item Understanding and working with your constituents to help them face their challenges is key
\end{itemize}
\end{frame}
@ -191,9 +191,9 @@
\item []
\item Different models for constituents
\begin{itemize}
\item {\bf Connecting to} a MISP instance hosted by the ISAC
\item {\bf Hosting} their own instance and connecting to ISAC's MISP
\item {\bf Becoming member} of a sectorial MISP community that is connected to ISAC's community
\item \textbf{Connecting to} a MISP instance hosted by the ISAC
\item \textbf{Hosting} their own instance and connecting to ISAC's MISP
\item \textbf{Becoming member} of a sectorial MISP community that is connected to ISAC's community
\end{itemize}
\end{itemize}
\end{frame}
@ -201,8 +201,8 @@
\begin{frame}
\frametitle{Rely on our instincts to immitate over expecting adherence to rules}
\begin{itemize}
\item {\bf Lead by example} - the power of immitation
\item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
\item \textbf{Lead by example} - the power of immitation
\item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
\begin{itemize}
\item What should the information look like?
\item How should it be contextualised?
@ -210,7 +210,7 @@
\item What tools did you use to get your conclusions?
\item How the information could be used by the ISAC members?
\end{itemize}
\item Side effect is that you will end up {\bf raising the capabilities of your constituents}
\item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
\end{itemize}
\end{frame}
@ -220,10 +220,10 @@
\frametitle{Managing sub-communities}
\begin{itemize}
\item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
\item Use your {\bf best judgement} to decide which communities should be separated from one another
\item Create sharing hubs with {\bf manual data transfer} if needed
\item Use your \textbf{best judgement} to decide which communities should be separated from one another
\item Create sharing hubs with \textbf{manual data transfer} if needed
\item Some organisations will even have their data air-gapped - Feed system
\item {\bf Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\item \textbf{Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
\end{itemize}
\end{frame}
@ -237,14 +237,14 @@
\item Validating data / flagging false positives
\item Asking for support from the community
\end{itemize}
\item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{How to deal with organisations that only "leech"?}
\begin{itemize}
\item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
\item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
\item We have come across some communities with sharing requirements
\item In our experience, this sets you up for failure because:
\begin{itemize}
@ -258,18 +258,18 @@
\begin{frame}
\frametitle{So how does one convert the passive organisations into actively sharing ones?}
\begin{itemize}
\item Rely on {\bf organic growth}
\item {\bf Help} them increase their capabilities
\item Rely on \textbf{organic growth}
\item \textbf{Help} them increase their capabilities
\item As mentioned before, lead by example
\item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
\item {\bf Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
\item \textbf{Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dispelling the myths around blockers when it comes to information sharing}
\begin{itemize}
\item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
\item Sharing difficulties are not really technical issues but often it's a matter of \textbf{social interactions} (e.g. \textbf{trust}).
\begin{itemize}
\item You can play a role here: organise regular workshops, conferences, have face to face meetings
\end{itemize}
@ -293,9 +293,9 @@
\begin{itemize}
\item MISP project collaborated with legal advisory services
\begin{itemize}
\item Information sharing and cooperation {\bf enabled by GDPR};
\item {\bf ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications;
\item How MISP enables stakeholders identified by the {\bf NISD} to perform key activities;
\item Information sharing and cooperation \textbf{enabled by GDPR};
\item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications;
\item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities;
\item Guidelines to setting up an information sharing community such as an ISAC or ISAO;
\end{itemize}
\item For more information: https://www.misp-project.org/compliance/
@ -307,7 +307,7 @@
\begin{frame}
\frametitle{MISP feature - correlation}
\begin{itemize}
\item MISP includes a {\bf powerful engine for correlation} which allows analysts to discover correlating values between attributes.
\item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes.
\item Getting a direct benefit from shared information by other ISAC members.
\end{itemize}
\includegraphics[scale=0.20]{../images/correlation.png}
@ -316,7 +316,7 @@
\begin{frame}
\frametitle{MISP feature - event graph}
\begin{itemize}
\item {\bf Analysts can create stories} based on graph relationships between objects, attributes.
\item \textbf{Analysts can create stories} based on graph relationships between objects, attributes.
\item ISACs users can directly understand the information shared.
\end{itemize}
\includegraphics[scale=0.20]{../images/event-graph.png}
@ -327,23 +327,23 @@
\begin{frame}
\frametitle{Contextualising the information}
\begin{itemize}
\item Sharing {\bf technical information} is a {\bf great start}
\item Sharing \textbf{technical information} is a \textbf{great start}
\item However, to truly create valueable information for your community, always consider the context:
\begin{itemize}
\item Your IDS might not care why it should alert on a rule
\item But your analysts will be interested in the threat landscape and the "big picture"
\end{itemize}
\item Classify data to make sure your partners understand why it is {\bf important for you}, so they can see why it could be {\bf useful to them}
\item Massively important once an organisation has the maturity to filter the most critical {\bf subsets of information for their own defense}
\item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
\item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Choice of vocabularies}
\begin{itemize}
\item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data
\item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
\item However, this includes different vocabularies with obvious overlaps
\item MISP allows you to {\bf pick and choose vocabularies} to use and enforce in a community
\item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
\item Good idea to start with this process early
\item If you don't find what you're looking for:
\begin{itemize}
@ -357,7 +357,7 @@
\begin{frame}
\frametitle{Shared libraries of meta-information (Galaxies)}
\begin{itemize}
\item The MISPProject in co-operation with partners provides a {\bf curated list of galaxy information}
\item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
\item Can include information packages of different types, for example:
\begin{itemize}
\item Threat actor information
@ -366,7 +366,7 @@
\item Classification systems for methodologies used by adversaries - ATT\&CK
\end{itemize}
\item Consider improving the default libraries or contributing your own (simple JSON format)
\item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners
\item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
\item Pull requests are always welcome
\end{itemize}
\end{frame}
@ -382,23 +382,23 @@
\item Be lenient when considering what to keep
\item Be strict when you are feeding tools
\end{itemize}
\item MISP allows you to {\bf filter out the relevant data on demand} when feeding protective tools
\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}
\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Many objectives from different user-groups}
\begin{itemize}
\item Sharing indicators for a {\bf detection} matter.
\item Sharing indicators for a \textbf{detection} matter.
\begin{itemize}
\item 'Do I have infected systems in my infrastructure or the ones I operate?'
\end{itemize}
\item Sharing indicators to {\bf block}.
\item Sharing indicators to \textbf{block}.
\begin{itemize}
\item 'I use these attributes to block, sinkhole or divert traffic.'
\end{itemize}
\item Sharing indicators to {\bf perform intelligence}.
\item Sharing indicators to \textbf{perform intelligence}.
\begin{itemize}
\item 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
\end{itemize}
@ -409,7 +409,7 @@
\begin{frame}
\frametitle{False-positive handling}
\begin{itemize}
\item {\bf Analysts} will often be interested in the {\bf modus operandi} of threat actors over {\bf long periods of time}
\item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
\item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
\item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
\end{itemize}
@ -419,7 +419,7 @@
\begin{frame}
\frametitle{Managing sub-communities}
\begin{itemize}
\item Often within a community {\bf smaller bubbles of information sharing will form}
\item Often within a community \textbf{smaller bubbles of information sharing will form}
\item For example: Within a national private sector sharing community, specific community for financial institutions
\item Sharing groups serve this purpose mainly
\item As an ISAC running a national community, consider bootstraping these sharing communities
@ -433,12 +433,12 @@
\frametitle{Conclusion and additional challenges}
\begin{itemize}
\item MISP is a complete and advanced tool ...
\item ... but also {\bf just one part of the puzzle} in any sharing community
\item Information sharing presumes knowledge of {\bf contacts}
\item Member to Member direct {\bf exchanges between MISPs and other tools} requires some know how
\item Creating reusable community-specific {\bf distribution lists} need to be maintained
\item Maintaining common {\bf community specific information knowledgebases} can be challenging
\item {\bf Fleet management} for larger organisations needs additional work
\item ... but also \textbf{just one part of the puzzle} in any sharing community
\item Information sharing presumes knowledge of \textbf{contacts}
\item Member to Member direct \textbf{exchanges between MISPs and other tools} requires some know how
\item Creating reusable community-specific \textbf{distribution lists} need to be maintained
\item Maintaining common \textbf{community specific information knowledgebases} can be challenging
\item \textbf{Fleet management} for larger organisations needs additional work
\item There's a European project and an open-source tool we are developing to address these points
\end{itemize}
\end{frame}