From e218e7dbbde89d47b26781889e90bf531884fba3 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 2 May 2024 16:27:02 +0200
Subject: [PATCH] chg: [events] Updated the old-fashioned `{\bf }` to `\textbf{}`
---
 .../IntroductionToMISPandISACs_content.tex | 160 +++++++++---------
 1 file changed, 80 insertions(+), 80 deletions(-)
diff --git a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
index 1a03a55..1f1ba45 100644
--- a/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
+++ b/events/AusCERT2024_Enhancing_Cybersecurity_Collaboration/content/IntroductionToMISPandISACs_content.tex
@@ -26,10 +26,10 @@
 \frametitle{CIRCL's involvement}
 \begin{itemize}
 \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg National CERT for private sector.
- \item {\bf CIRCL leads the development} of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
- \item {\bf CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
+ \item \textbf{CIRCL leads the development} of the Open Source MISP threat intelligence platform which is used by many military or intelligence communities, private companies, financial sector, National CERTs and LEAs globally.
+ \item \textbf{CIRCL runs multiple large MISP communities performing active daily threat-intelligence sharing}.
 \item []
- \item We use MISP as an {\bf internal tool} to cover various day-to-day activities
+ \item We use MISP as an \textbf{internal tool} to cover various day-to-day activities
 \item Whilst being the main driving force behind the development, we're also one of the largest consumers
 \end{itemize}
 \end{frame}
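Review bot: Every bold span in this deck is direct inline emphasis, `\textbf{CIRCL leads the development}` and `\textbf{internal tool}` here and the same pattern in every other hunk of this file; a semantic macro would keep the styling in one place, e.g. `\newcommand*{\kw}[1]{\textbf{#1}}` in the deck's preamble and `\item \kw{CIRCL leads the development} of the Open Source MISP ...` at the use sites. The mechanical switch itself is an improvement: `\textbf{}` is a proper font-selection command that nests with `\emph` and italic contexts, whereas the old `{\bf ...}` group reset family and shape. The preamble is not part of this patch, so the macro definition would have to be added wherever the deck's packages are loaded.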
@@ -40,8 +40,8 @@
 \item Private sector community
 \begin{itemize}
 \item Our largest sharing community
- \item Over {\bf 1900 organisations}
- \item Over {\bf 4800 users}
+ \item Over \textbf{1900 organisations}
+ \item Over \textbf{4800 users}
 \item Functions as a central hub for a lot of sharing communities
 \item Private organisations, Researchers, Various SoCs, some CSIRTs, etc
 \end{itemize}
@@ -53,7 +53,7 @@
 \item Financial sector community
 \begin{itemize}
 \item Banks, payment processors, etc.
- \item Sharing of {\bf mule accounts} and {\bf non-cyber threat information}
+ \item Sharing of \textbf{mule accounts} and \textbf{non-cyber threat information}
 \end{itemize}
 \end{itemize}
 \end{frame}
@@ -65,7 +65,7 @@
 \begin{itemize}
 \item Topical or community specific instances hosted or co-managed by CIRCL
 \item Examples, CIISI, GSMA, FIRST.org, CSIRT network, etc
- \item Often come with their {\bf own taxonomies and domain specific object definitions}
+ \item Often come with their \textbf{own taxonomies and domain specific object definitions}
 \end{itemize}
 \item Various ad-hoc communities for exercises
 \begin{itemize}
@@ -82,12 +82,12 @@
 \begin{itemize}
 \item There are many different types of users of an information sharing platform like MISP:
 \begin{itemize}
- \item {\bf Malware reversers} willing to share indicators of analysis with respective colleagues.
- \item {\bf Security analysts} searching, validating and using indicators in operational security.
- \item {\bf Intelligence analysts} gathering information about specific adversary groups.
- \item {\bf Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
- \item {\bf Risk analysis teams} willing to know about the new threats, likelyhood and occurences.
- \item {\bf Fraud analysts} willing to share financial indicators to detect financial frauds.
+ \item \textbf{Malware reversers} willing to share indicators of analysis with respective colleagues.
+ \item \textbf{Security analysts} searching, validating and using indicators in operational security.
+ \item \textbf{Intelligence analysts} gathering information about specific adversary groups.
+ \item \textbf{Law-enforcement} relying on indicators to support or bootstrap their DFIR cases.
+ \item \textbf{Risk analysis teams} willing to know about the new threats, likelyhood and occurences.
+ \item \textbf{Fraud analysts} willing to share financial indicators to detect financial frauds.
 \end{itemize}
 \end{itemize}
 \end{frame}
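Review bot: The rewritten `Risk analysis teams` item keeps two spelling errors, `likelyhood` and `occurences`; since the line is already being touched it could read `\item \textbf{Risk analysis teams} willing to know about the new threats, likelihood and occurrences.`. The other five items in the hunk read fine.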
@@ -95,22 +95,22 @@
 \begin{frame}
 \frametitle{Usual sharing scenarios for ISACs}
 \begin{itemize}
- \item Exchange of {\bf insights from monitoring}
- \item Sharing the outcomes of {\bf incidents}
- \item Information on the {\bf attackers, techniques used}
- \item {\bf Remediation} information / {\bf prevention} information
- \item {\bf Vulnerability} pre-disclosure
- \item Supporitng {\bf tools} / {\bf scripts}
+ \item Exchange of \textbf{insights from monitoring}
+ \item Sharing the outcomes of \textbf{incidents}
+ \item Information on the \textbf{attackers, techniques used}
+ \item \textbf{Remediation} information / \textbf{prevention} information
+ \item \textbf{Vulnerability} pre-disclosure
+ \item Supporitng \textbf{tools} / \textbf{scripts}
 \end{itemize}
 \end{frame}
 \begin{frame}
 \frametitle{Examples of sharing scenarios for sectorial ISACs}
 \begin{itemize}
- \item {\bf Financial fraud} information sharing
- \item {\bf Law enforcement} / Border control specific sharing
- \item {\bf Disinformation} sharing
- \item {\bf Health} related information sharing
+ \item \textbf{Financial fraud} information sharing
+ \item \textbf{Law enforcement} / Border control specific sharing
+ \item \textbf{Disinformation} sharing
+ \item \textbf{Health} related information sharing
 \end{itemize}
 \end{frame}
@@ -119,10 +119,10 @@
 \begin{itemize}
 \item Different use-cases have conflicting requirements for the data shared
 \begin{itemize}
- \item {\bf False positive} appetite
- \item {\bf Maturity} levels
- \item {\bf Topical} interests
- \item {\bf Detection rules} vs {\bf threat intel} vs {\bf remediation/prevention} support
+ \item \textbf{False positive} appetite
+ \item \textbf{Maturity} levels
+ \item \textbf{Topical} interests
+ \item \textbf{Detection rules} vs \textbf{threat intel} vs \textbf{remediation/prevention} support
 \end{itemize}
 \end{itemize}
 \end{frame}
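Review bot: `Supporitng` in the last item of the `Usual sharing scenarios for ISACs` list is a typo carried into the new line; it would read `\item Supporting \textbf{tools} / \textbf{scripts}`. The sectorial ISAC list in the same hunk and the `-119,10` hunk on this line read fine.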
@@ -131,9 +131,9 @@
 \frametitle{Reconciling the different use-cases}
 \begin{itemize}
 \item For inclusiveness, be lenient with what you allow
- \item Make {\bf contextualisation} a requirement
- \item Users can then {\bf filter} based on their needs
- \item Encourage the sharing of {\bf supporting materials, scripts, guidance}
+ \item Make \textbf{contextualisation} a requirement
+ \item Users can then \textbf{filter} based on their needs
+ \item Encourage the sharing of \textbf{supporting materials, scripts, guidance}
 \item Raise awareness about the benefits of well modelled, graph based information sharing
 \end{itemize}
 \end{frame}
@@ -141,9 +141,9 @@
 \begin{frame}
 \frametitle{Bringing different sharing communities together}
 \begin{itemize}
- \item Getting your community to be active takes {\bf time and effort}, but with persistence your chances are great.
- \item We generally all {\bf end up sharing with peers that face similar threats}
- \item Division is either {\bf sectorial or geographical}
+ \item Getting your community to be active takes \textbf{time and effort}, but with persistence your chances are great.
+ \item We generally all \textbf{end up sharing with peers that face similar threats}
+ \item Division is either \textbf{sectorial or geographical}
 \item So why even bother with trying to bridge these communities?
 \end{itemize}
 \end{frame}
@@ -151,11 +151,11 @@
 \begin{frame}
 \frametitle{Advantages of cross sectorial sharing}
 \begin{itemize}
- \item {\bf Reuse of TTPs} across sectors
- \item Being hit by something that {\bf another sector has faced before}
- \item {\bf Hybrid threats} - how seemingly unrelated things may be interesting to correlate
- \item Prepare other communities for the capability and {\bf culture of sharing} for when the need arises for them to reach out to CSIRT
- \item Generally our field is ahead of several other sectors when it comes to information sharing, might as well {\bf spread the love}
+ \item \textbf{Reuse of TTPs} across sectors
+ \item Being hit by something that \textbf{another sector has faced before}
+ \item \textbf{Hybrid threats} - how seemingly unrelated things may be interesting to correlate
+ \item Prepare other communities for the capability and \textbf{culture of sharing} for when the need arises for them to reach out to CSIRT
+ \item Generally our field is ahead of several other sectors when it comes to information sharing, might as well \textbf{spread the love}
 \end{itemize}
 \centering\includegraphics[scale=0.3]{../images/sharing.jpeg}
 \end{frame}
@@ -173,8 +173,8 @@
 \begin{frame}
 \frametitle{Getting started with building your own sharing community}
 \begin{itemize}
- \item Starting a sharing community is {\bf both easy and difficult} at the same time
- \item Many moving parts and most importantly, you'll be dealing with a {\bf diverse group of people}
+ \item Starting a sharing community is \textbf{both easy and difficult} at the same time
+ \item Many moving parts and most importantly, you'll be dealing with a \textbf{diverse group of people}
 \item Understanding and working with your constituents to help them face their challenges is key
 \end{itemize}
 \end{frame}
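Review bot: The aside in the `Hybrid threats` item is set off with a bare hyphen, ` - how seemingly unrelated things ...`, which LaTeX typesets as a hyphen rather than a dash; the conventional form is `\item \textbf{Hybrid threats}---how seemingly unrelated things may be interesting to correlate`. The same hyphen-as-dash appears on new lines in later hunks, `Lead by example - the power of immitation` (`-201`), `bubbles - organisations often lack` (`-220`) and `ISO/IEC 27010:2015 - Information security management` (`-293`), and could be fixed in the same pass.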
@@ -191,9 +191,9 @@
 \item []
 \item Different models for constituents
 \begin{itemize}
- \item {\bf Connecting to} a MISP instance hosted by the ISAC
- \item {\bf Hosting} their own instance and connecting to ISAC's MISP
- \item {\bf Becoming member} of a sectorial MISP community that is connected to ISAC's community
+ \item \textbf{Connecting to} a MISP instance hosted by the ISAC
+ \item \textbf{Hosting} their own instance and connecting to ISAC's MISP
+ \item \textbf{Becoming member} of a sectorial MISP community that is connected to ISAC's community
 \end{itemize}
 \end{itemize}
 \end{frame}
@@ -201,8 +201,8 @@
 \begin{frame}
 \frametitle{Rely on our instincts to immitate over expecting adherence to rules}
 \begin{itemize}
- \item {\bf Lead by example} - the power of immitation
- \item Encourage {\bf improving by doing} instead of blocking sharing with unrealistic quality controls
+ \item \textbf{Lead by example} - the power of immitation
+ \item Encourage \textbf{improving by doing} instead of blocking sharing with unrealistic quality controls
 \begin{itemize}
 \item What should the information look like?
 \item How should it be contextualised?
@@ -210,7 +210,7 @@
 \item What tools did you use to get your conclusions?
 \item How the information could be used by the ISAC members?
 \end{itemize}
- \item Side effect is that you will end up {\bf raising the capabilities of your constituents}
+ \item Side effect is that you will end up \textbf{raising the capabilities of your constituents}
 \end{itemize}
 \end{frame}
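Review bot: `immitation` in the rewritten `Lead by example` item of the `-201` hunk is misspelt; the fix is `the power of imitation`. The frame title above it, `Rely on our instincts to immitate ...`, has the same error but is a context line outside this change, so it would need its own edit.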
@@ -220,10 +220,10 @@
 \frametitle{Managing sub-communities}
 \begin{itemize}
 \item Consider compartmentalisation - does it make sense to move a secret squirrel club to their own sharing hub to avoid accidental leaks?
- \item Use your {\bf best judgement} to decide which communities should be separated from one another
- \item Create sharing hubs with {\bf manual data transfer} if needed
+ \item Use your \textbf{best judgement} to decide which communities should be separated from one another
+ \item Create sharing hubs with \textbf{manual data transfer} if needed
 \item Some organisations will even have their data air-gapped - Feed system
- \item {\bf Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
+ \item \textbf{Create guidance} on what should be shared outside of their bubbles - organisations often lack the insight / experience to decide how to get going. Take the initiative!
 \end{itemize}
 \end{frame}
@@ -237,14 +237,14 @@
 \item Validating data / flagging false positives
 \item Asking for support from the community
 \end{itemize}
-\item {\bf Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
+\item \textbf{Embrace all of them}. Even the ones that don't make sense right now, you never know when they come handy...
 \end{itemize}
 \end{frame}
 \begin{frame}
 \frametitle{How to deal with organisations that only "leech"?}
 \begin{itemize}
- \item From our own communities, only about {\bf 30\%} of the organisations {\bf actively share data}
+ \item From our own communities, only about \textbf{30\%} of the organisations \textbf{actively share data}
 \item We have come across some communities with sharing requirements
 \item In our experience, this sets you up for failure because:
 \begin{itemize}
@@ -258,18 +258,18 @@
 \begin{frame}
 \frametitle{So how does one convert the passive organisations into actively sharing ones?}
 \begin{itemize}
- \item Rely on {\bf organic growth}
- \item {\bf Help} them increase their capabilities
+ \item Rely on \textbf{organic growth}
+ \item \textbf{Help} them increase their capabilities
 \item As mentioned before, lead by example
 \item Rely on the inherent value to one's self when sharing information (validation, enrichments, correlations)
- \item {\bf Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
+ \item \textbf{Give credit} where credit is due, never steal the contributions of your community (that is incredibly demotivating)
 \end{itemize}
 \end{frame}
 \begin{frame}
 \frametitle{Dispelling the myths around blockers when it comes to information sharing}
 \begin{itemize}
- \item Sharing difficulties are not really technical issues but often it's a matter of {\bf social interactions} (e.g. {\bf trust}).
+ \item Sharing difficulties are not really technical issues but often it's a matter of \textbf{social interactions} (e.g. \textbf{trust}).
 \begin{itemize}
 \item You can play a role here: organise regular workshops, conferences, have face to face meetings
 \end{itemize}
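Review bot: `(e.g. \textbf{trust})` on the rewritten `social interactions` line gets inter-sentence spacing after the abbreviation, because TeX treats a period following a lowercase letter as a sentence end; `(e.g.\ \textbf{trust})` or `(e.g., \textbf{trust})` gives the normal word space. The `organic growth`, `Help` and `Give credit` lines in the first part of the hunk read fine.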
@@ -293,9 +293,9 @@
 \begin{itemize}
 \item MISP project collaborated with legal advisory services
 \begin{itemize}
- \item Information sharing and cooperation {\bf enabled by GDPR};
- \item {\bf ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications;
- \item How MISP enables stakeholders identified by the {\bf NISD} to perform key activities;
+ \item Information sharing and cooperation \textbf{enabled by GDPR};
+ \item \textbf{ISO/IEC 27010:2015} - Information security management for inter-sector and inter-organizational communications;
+ \item How MISP enables stakeholders identified by the \textbf{NISD} to perform key activities;
 \item Guidelines to setting up an information sharing community such as an ISAC or ISAO;
 \end{itemize}
 \item For more information: https://www.misp-project.org/compliance/
@@ -307,7 +307,7 @@
 \begin{frame}
 \frametitle{MISP feature - correlation}
 \begin{itemize}
- \item MISP includes a {\bf powerful engine for correlation} which allows analysts to discover correlating values between attributes.
+ \item MISP includes a \textbf{powerful engine for correlation} which allows analysts to discover correlating values between attributes.
 \item Getting a direct benefit from shared information by other ISAC members.
 \end{itemize}
 \includegraphics[scale=0.20]{../images/correlation.png}
@@ -316,7 +316,7 @@
 \begin{frame}
 \frametitle{MISP feature - event graph}
 \begin{itemize}
- \item {\bf Analysts can create stories} based on graph relationships between objects, attributes.
+ \item \textbf{Analysts can create stories} based on graph relationships between objects, attributes.
 \item ISACs users can directly understand the information shared.
 \end{itemize}
 \includegraphics[scale=0.20]{../images/event-graph.png}
@@ -327,23 +327,23 @@
 \begin{frame}
 \frametitle{Contextualising the information}
 \begin{itemize}
- \item Sharing {\bf technical information} is a {\bf great start}
+ \item Sharing \textbf{technical information} is a \textbf{great start}
 \item However, to truly create valueable information for your community, always consider the context:
 \begin{itemize}
 \item Your IDS might not care why it should alert on a rule
 \item But your analysts will be interested in the threat landscape and the "big picture"
 \end{itemize}
- \item Classify data to make sure your partners understand why it is {\bf important for you}, so they can see why it could be {\bf useful to them}
- \item Massively important once an organisation has the maturity to filter the most critical {\bf subsets of information for their own defense}
+ \item Classify data to make sure your partners understand why it is \textbf{important for you}, so they can see why it could be \textbf{useful to them}
+ \item Massively important once an organisation has the maturity to filter the most critical \textbf{subsets of information for their own defense}
 \end{itemize}
 \end{frame}
 \begin{frame}
 \frametitle{Choice of vocabularies}
 \begin{itemize}
- \item MISP has a verify {\bf versatile system} (taxonomies) for classifying and marking data
+ \item MISP has a verify \textbf{versatile system} (taxonomies) for classifying and marking data
 \item However, this includes different vocabularies with obvious overlaps
- \item MISP allows you to {\bf pick and choose vocabularies} to use and enforce in a community
+ \item MISP allows you to \textbf{pick and choose vocabularies} to use and enforce in a community
 \item Good idea to start with this process early
 \item If you don't find what you're looking for:
 \begin{itemize}
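Review bot: `MISP has a verify \textbf{versatile system}` in the `Choice of vocabularies` frame reads as a typo for `very`; the new line would be `\item MISP has a very \textbf{versatile system} (taxonomies) for classifying and marking data`. `valueable` in the first frame of the hunk is also misspelt, but it is a context line and not part of this change.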
@@ -357,7 +357,7 @@
 \begin{frame}
 \frametitle{Shared libraries of meta-information (Galaxies)}
 \begin{itemize}
- \item The MISPProject in co-operation with partners provides a {\bf curated list of galaxy information}
+ \item The MISPProject in co-operation with partners provides a \textbf{curated list of galaxy information}
 \item Can include information packages of different types, for example:
 \begin{itemize}
 \item Threat actor information
@@ -366,7 +366,7 @@
 \item Classification systems for methodologies used by adversaries - ATT\&CK
 \end{itemize}
 \item Consider improving the default libraries or contributing your own (simple JSON format)
- \item If there is something you cannot share, run your own galaxies and {\bf share it out of bound} with partners
+ \item If there is something you cannot share, run your own galaxies and \textbf{share it out of bound} with partners
 \item Pull requests are always welcome
 \end{itemize}
 \end{frame}
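Review bot: `share it out of bound` in the galaxies item of the `-366` hunk is presumably the term out of band, i.e. outside the regular sharing channel; if so the new line would read `\item If there is something you cannot share, run your own galaxies and \textbf{share it out of band} with partners`. Worth confirming with the author before changing, since it is wording rather than markup.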
@@ -382,23 +382,23 @@
 \item Be lenient when considering what to keep
 \item Be strict when you are feeding tools
 \end{itemize}
-\item MISP allows you to {\bf filter out the relevant data on demand} when feeding protective tools
-\item What may seem like {\bf junk to you may} be absolutely {\bf critical to other users}
+\item MISP allows you to \textbf{filter out the relevant data on demand} when feeding protective tools
+\item What may seem like \textbf{junk to you may} be absolutely \textbf{critical to other users}
 \end{itemize}
 \end{frame}
 \begin{frame}
 \frametitle{Many objectives from different user-groups}
 \begin{itemize}
- \item Sharing indicators for a {\bf detection} matter.
+ \item Sharing indicators for a \textbf{detection} matter.
 \begin{itemize}
 \item 'Do I have infected systems in my infrastructure or the ones I operate?'
 \end{itemize}
- \item Sharing indicators to {\bf block}.
+ \item Sharing indicators to \textbf{block}.
 \begin{itemize}
 \item 'I use these attributes to block, sinkhole or divert traffic.'
 \end{itemize}
- \item Sharing indicators to {\bf perform intelligence}.
+ \item Sharing indicators to \textbf{perform intelligence}.
 \begin{itemize}
 \item 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
 \end{itemize}
@@ -409,7 +409,7 @@
 \begin{frame}
 \frametitle{False-positive handling}
 \begin{itemize}
- \item {\bf Analysts} will often be interested in the {\bf modus operandi} of threat actors over {\bf long periods of time}
+ \item \textbf{Analysts} will often be interested in the \textbf{modus operandi} of threat actors over \textbf{long periods of time}
 \item Even cleaned up infected hosts might become interesting again (embedded in code, recurring reuse)
 \item Use the tools provided to eliminate obvious false positives instead and limit your data-set to the most relevant sets
 \end{itemize}
@@ -419,7 +419,7 @@
 \begin{frame}
 \frametitle{Managing sub-communities}
 \begin{itemize}
- \item Often within a community {\bf smaller bubbles of information sharing will form}
+ \item Often within a community \textbf{smaller bubbles of information sharing will form}
 \item For example: Within a national private sector sharing community, specific community for financial institutions
 \item Sharing groups serve this purpose mainly
 \item As an ISAC running a national community, consider bootstraping these sharing communities
@@ -433,12 +433,12 @@
 \frametitle{Conclusion and additional challenges}
 \begin{itemize}
 \item MISP is a complete and advanced tool ...
- \item ... but also {\bf just one part of the puzzle} in any sharing community
- \item Information sharing presumes knowledge of {\bf contacts}
- \item Member to Member direct {\bf exchanges between MISPs and other tools} requires some know how
- \item Creating reusable community-specific {\bf distribution lists} need to be maintained
- \item Maintaining common {\bf community specific information knowledgebases} can be challenging
- \item {\bf Fleet management} for larger organisations needs additional work
+ \item ... but also \textbf{just one part of the puzzle} in any sharing community
+ \item Information sharing presumes knowledge of \textbf{contacts}
+ \item Member to Member direct \textbf{exchanges between MISPs and other tools} requires some know how
+ \item Creating reusable community-specific \textbf{distribution lists} need to be maintained
+ \item Maintaining common \textbf{community specific information knowledgebases} can be challenging
+ \item \textbf{Fleet management} for larger organisations needs additional work
 \item There's a European project and an open-source tool we are developing to address these points
 \end{itemize}
 \end{frame}
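Review bot: `Creating reusable community-specific \textbf{distribution lists} need to be maintained` in the conclusion hunk (`-433`) has a subject–verb mismatch that survives the rewrite; `\item Reusable community-specific \textbf{distribution lists} need to be maintained` reads cleanly. `bootstraping` in the `-419` hunk is a context-line typo outside this change.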