new: [1.2] misp integration added

1.2-misp-integration/Makefile

@@ -0,0 +1,146 @@
+# Makefile for LaTeX files
+
+# Original Makefile from http://www.math.psu.edu/elkin/math/497a/Makefile
+
+# Please check http://www.acoustics.hut.fi/u/mairas/UltimateLatexMakefile
+# for new versions.
+
+# Copyright (c) 2005,2006 (in order of appearance):
+#	Matti Airas <Matti.Airas@hut.fi>
+# 	Rainer Jung
+#	Antoine Chambert-Loir
+#	Timo Kiravuo
+
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# $Id: Makefile,v 1.18 2006-06-19 10:58:11 mairas Exp $
+
+LATEX	= latex
+BIBTEX	= bibtex
+MAKEINDEX = makeindex
+XDVI	= xdvi -gamma 4
+DVIPS	= dvips
+DVIPDF  = dvipdft
+L2H	= latex2html
+GH	= gv
+
+RERUN = "(There were undefined references|Rerun to get (cross-references|the bars) right)"
+RERUNBIB = "No file.*\.bbl|Citation.*undefined"
+MAKEIDX = "^[^%]*\\makeindex"
+MPRINT = "^[^%]*print"
+USETHUMBS = "^[^%]*thumbpdf"
+
+DATE=$(shell date +%Y-%m-%d)
+
+COPY = if test -r $(<:%.tex=%.toc); then cp $(<:%.tex=%.toc) $(<:%.tex=%.toc.bak); fi
+RM = rm -f
+OUTDATED = echo "EPS-file is out-of-date!" && false
+
+# These are OK
+
+SRC	:= $(shell egrep -l '^[^%]*\\begin\{document\}' *.tex)
+TRG	= $(SRC:%.tex=%.dvi)
+PSF	= $(SRC:%.tex=%.ps)
+PDF	= $(SRC:%.tex=%.pdf)
+
+# These are not
+
+#BIBFILE := $(shell perl -ne '($$_)=/^[^%]*\\bibliography\{(.*?)\}/;@_=split /,/;foreach $$b (@_) {print "$$b.bib "}' $(SRC))
+#DEP     := $(shell perl -ne '($$_)=/^[^%]*\\include\{(.*?)\}/;@_=split /,/;foreach $$t (@_) {print "$$t.tex "}' $(SRC))
+#EPSPICS := $(shell perl -ne '@foo=/^[^%]*\\(includegraphics|psfig)(\[.*?\])?\{(.*?)\}/g;if (defined($$foo[2])) { if ($$foo[2] =~ /.eps$$/) { print "$$foo[2] "; } else { print "$$foo[2].eps "; }}' $(SRC) $(DEP))
+
+
+define run-latex
+	$(COPY);$(LATEX) $<
+	egrep $(MAKEIDX) $< && ($(MAKEINDEX) $(<:%.tex=%);$(COPY);$(LATEX) $<) >/dev/null; true
+	egrep -c $(RERUNBIB) $(<:%.tex=%.log) && ($(BIBTEX) $(<:%.tex=%);$(COPY);$(LATEX) $<) ; true
+	egrep $(RERUN) $(<:%.tex=%.log) && ($(COPY);$(LATEX) $<) >/dev/null; true
+	egrep $(RERUN) $(<:%.tex=%.log) && ($(COPY);$(LATEX) $<) >/dev/null; true
+	if cmp -s $(<:%.tex=%.toc) $(<:%.tex=%.toc.bak); then true ;else $(LATEX) $< ; fi
+	$(RM) $(<:%.tex=%.toc.bak)
+	# Display relevant warnings
+	egrep -i "(Reference|Citation).*undefined" $(<:%.tex=%.log) ; true
+endef
+
+define run-pdflatex
+	LATEX=pdflatex
+	@$(run-latex)
+endef
+
+define get_dependencies
+	deps=`perl -ne '($$_)=/^[^%]*\\\(?:include|input)\{(.*?)\}/;@_=split /,/;foreach $$t (@_) {print "$$t.tex "}' $<`
+endef
+
+define getbibs
+	bibs=`perl -ne '($$_)=/^[^%]*\\\bibliography\{(.*?)\}/;@_=split /,/;foreach $$b (@_) {print "$$b.bib "}' $< $$deps`
+endef
+
+#define geteps
+#	epses=`perl -ne '@foo=/^[^%]*\\\(includegraphics|psfig)(\[.*?\])?\{(.*?)\}/g;if (defined($$foo[2])) { if ($$foo[2] =~ /.eps$$/) { print "$$foo[2] "; } else { print "$$foo[2].eps "; }}' $< $$deps`
+#endef
+
+define manconf
+	mandeps=`if test -r $(basename $@).cnf ; then cat $(basename $@).cnf |tr -d '\n\r' ; fi`
+endef
+
+all 	: $(TRG)
+
+.PHONY	: all show clean ps pdf showps veryclean
+
+clean	:
+	  -rm -f $(TRG) $(PSF) $(PDF) $(TRG:%.dvi=%.aux) $(TRG:%.dvi=%.bbl) $(TRG:%.dvi=%.blg) $(TRG:%.dvi=%.log) $(TRG:%.dvi=%.out) $(TRG:%.dvi=%.idx) $(TRG:%.dvi=%.ilg) $(TRG:%.dvi=%.ind) $(TRG:%.dvi=%.toc) $(TRG:%.dvi=%.d)
+
+veryclean	: clean
+	  -rm -f *.log *.aux *.dvi *.bbl *.blg *.ilg *.toc *.lof *.lot *.idx *.ind *.ps  *~ *.nav *.vrb *.snm *.synctex.gz *.toc.bak
+
+# This is a rule to generate a file of prerequisites for a given .tex file
+%.d	: %.tex
+	$(get_dependencies) ; echo $$deps ; \
+	$(getbibs) ; echo $$bibs ; \
+#	$(geteps) ; echo $$epses ; \
+	$(manconf) ; echo  $$mandeps  ;\
+	echo "$*.dvi $@ : $< $$deps $$bibs $$mandeps" > $@
+#	echo "$*.dvi $@ : $< $$deps $$bibs $$epses $$mandeps" > $@
+
+include $(SRC:.tex=.d)
+
+# $(DEP) $(EPSPICS) $(BIBFILE)
+$(TRG)	: %.dvi : %.tex
+	  @$(run-latex)
+
+$(PSF)	: %.ps : %.dvi
+	  @$(DVIPS) $< -o $@
+
+$(PDF)  : %.pdf : %.dvi
+	  @$(DVIPDF) -o $@ $<
+# To use pdflatex, comment the two lines above and uncomment the lines below
+#$(PDF) : %.pdf : %.tex
+#	@$(run-pdflatex)
+
+
+show	: $(TRG)
+	  @for i in $(TRG) ; do $(XDVI) $$i & done
+
+showps	: $(PSF)
+	  @for i in $(PSF) ; do $(GH) $$i & done
+
+ps	: $(PSF)
+
+pdf	: $(PDF)

1.2-misp-integration/content.tex

@@ -0,0 +1,121 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+\frametitle{A Common Integration}
+        \includegraphics[scale=0.8]{misp-integration-overview.pdf}
+\end{frame}
+
+\begin{frame}
+\frametitle{Recommended MISP Setup}
+    \begin{itemize}
+            \item Provisioning your MISP infrastructure depends heavily on the {\bf number of attributes/events} (whether your dataset is below or above ~50 million attributes).
+            \item Number of MISP instances and the overall design depends on the following factors:
+                    \begin{itemize}
+                            \item Is your community private? Are you gathering MISP events from other communities? Are you {\bf publishing events to external} (trusted/untrusted) communities.
+                            \item Do you plan to have {\bf automatic tools} (e.g. sandbox analysis or low-value information needing correlation or an analyst workbench) feeding MISP?
+                    \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Vendors and Formats}
+\begin{itemize}
+        \item There is {\bf a jungle of formats} with some vendors having little to no interest in keeping their users autonomous.
+        \item Attacks and threats require a {\bf dynamic format} to be efficiently shared (e.g. from financial indicators to personal information).
+        \item {\bf Review your current list of formats/vendors} to ensure a limited loss of information, especially when exporting from MISP to other formats (e.g. STIX not supporting financial indicators or taxonomies/galaxies).
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Use case: Normalizing OSINT and Private Feeds}
+\begin{itemize}
+        \item Normalizing external input and feed into MISP (e.g. feed importer).
+        \item Comparing feeds before import (how many similarities? false-positives?).
+        \item Evaluating quality of information before import (warning-list lookup at feed evaluation).
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Connecting Devices and Tools to MISP}
+\begin{itemize}
+        \item One of the main goals of MISP is to feed protective or detection tools with data
+        \begin{itemize}
+            \item IDSes / IPSes (e.g. Suricata, Bro, Snort format as included in Cisco products)
+            \item SIEMs (e.g. CEF, CSV or real-time ZMQ pub-sub or Sigma)
+            \item Host scanners (e.g. OpenIOC, STIX, yara rule-set, CSV)
+            \item Various analysis tools (e.g. Maltego)
+            \item DNS policies (e.g. RPZ)
+        \end{itemize}
+        \item Various ways of exporting this data (downloads of the selected data, full exports, APIs)
+        \item The idea was to leave the selection process of the subset of data to be pushed to these up to the user using APIs.
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{SIEM and MISP Integration}
+\begin{itemize}
+        \item SIEMs and MISP can be integrated with different techniques depending on the processes at your SOC or IR:
+        \begin{itemize}
+                \item Pulling events (via the API) or indicator lists at {\bf regular intervals} in a given time frame to perform lookups.
+                \item Subscribing to the MISP ZMQ {\bf pub-sub channel} to directly get the published events and use these in a lookup process.
+                \item {\bf Lookup expansion module} in MISP towards the SIEM to have a direct view of the attributes matched against the SIEM.
+        \end{itemize}
+        \item The above options can be combined, depending on your organisation or requirements to increase coverage and detection.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{ZMQ integration: misp-dashboard}
+        \begin{itemize}
+        \item A dashboard showing live data and statistics from the ZMQ pub-sub of one or more MISP instances.
+        \item Building {\bf low-latency software} by consuming pub-sub channel provides significant advantages over standard API use.
+        \item Process information in {\bf real-time} when it's updated, created, published or gathered in MISP.
+        \item Demo!
+        \end{itemize}
+
+\end{frame}
+
+\begin{frame}
+    \frametitle{New integrations: IR and threat hunting using MISP}
+    \begin{itemize}
+        \item Close co-operation with {\bf the Hive project} for IR
+        \begin{itemize}
+            \item Interact with MISP directly from the Hive
+            \item Use both the MISP modules and the {\bf Cortex} analysers in MISP or the Hive directly
+        \end{itemize}
+        \item Using MISP to support your threat hunting via {\bf McAfee OpenDXL}
+        \item (\url{https://securingtomorrow.mcafee.com/business/optimize-operations/expanding-automated-threat-hunting-response-open-dxl})
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{The Hive integration}
+    \includegraphics[scale=0.25]{screenshots/cortex.jpg}
+\end{frame}
+
+\begin{frame}
+\frametitle{Reporting Back from your Devices, Tools or Processes}
+As {\bf Sightings} can be positive, negative or even based on expiration, different use cases are possible:
+\begin{itemize}
+\item {\bf Sightings} allow users to notify a MISP instance about the activities related to an indicator.
+\item Activities can be from a SIEM (e.g. Splunk lookup validation or {\bf false-positive feedback}), a NIDS or honeypot devices\footnote{\url{https://www.github.com/MISP/misp-sighting-tools}}.
+\item Sighting can affect the API to limit the NIDS exports and improve the NIDS rule-set directly.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Q\&A}
+        \begin{itemize}
+                \item info@circl.lu (if you want to join the CIRCL MISP sharing community)
+                \item \url{https://github.com/MISP/} - \url{http://www.misp-project.org/}
+                \item We welcome any contributions to the project, be it pull requests, ideas, github issues,...
+        \end{itemize}
+\end{frame}
+

1.2-misp-integration/slide.tex

@@ -0,0 +1,24 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+\author{\small{\input{../includes/authors.txt}}}
+
+\title{MISP Training: MISP Deployment and Integration}
+\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
+\date{\input{../includes/location.txt}}
+
+\begin{document}
+\include{content}
+\end{document}
+

build.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}