new: [1.2] misp integration added
parent
4de030a188
commit
ee514f638d
@ -0,0 +1,146 @@
|
||||||
|
# Makefile for LaTeX files
|
||||||
|
|
||||||
|
# Original Makefile from http://www.math.psu.edu/elkin/math/497a/Makefile
|
||||||
|
|
||||||
|
# Please check http://www.acoustics.hut.fi/u/mairas/UltimateLatexMakefile
|
||||||
|
# for new versions.
|
||||||
|
|
||||||
|
# Copyright (c) 2005,2006 (in order of appearance):
|
||||||
|
# Matti Airas <Matti.Airas@hut.fi>
|
||||||
|
# Rainer Jung
|
||||||
|
# Antoine Chambert-Loir
|
||||||
|
# Timo Kiravuo
|
||||||
|
|
||||||
|
# Permission is hereby granted, free of charge, to any person obtaining
|
||||||
|
# a copy of this software and associated documentation files (the
|
||||||
|
# "Software"), to deal in the Software without restriction, including
|
||||||
|
# without limitation the rights to use, copy, modify, merge, publish,
|
||||||
|
# distribute, sublicense, and/or sell copies of the Software, and to
|
||||||
|
# permit persons to whom the Software is furnished to do so, subject to
|
||||||
|
# the following conditions:
|
||||||
|
|
||||||
|
# The above copyright notice and this permission notice shall be
|
||||||
|
# included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||||
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
||||||
|
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
||||||
|
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
||||||
|
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
|
||||||
|
# $Id: Makefile,v 1.18 2006-06-19 10:58:11 mairas Exp $
|
||||||
|
|
||||||
|
LATEX = latex
|
||||||
|
BIBTEX = bibtex
|
||||||
|
MAKEINDEX = makeindex
|
||||||
|
XDVI = xdvi -gamma 4
|
||||||
|
DVIPS = dvips
|
||||||
|
DVIPDF = dvipdft
|
||||||
|
L2H = latex2html
|
||||||
|
GH = gv
|
||||||
|
|
||||||
|
RERUN = "(There were undefined references|Rerun to get (cross-references|the bars) right)"
|
||||||
|
RERUNBIB = "No file.*\.bbl|Citation.*undefined"
|
||||||
|
MAKEIDX = "^[^%]*\\makeindex"
|
||||||
|
MPRINT = "^[^%]*print"
|
||||||
|
USETHUMBS = "^[^%]*thumbpdf"
|
||||||
|
|
||||||
|
DATE=$(shell date +%Y-%m-%d)
|
||||||
|
|
||||||
|
COPY = if test -r $(<:%.tex=%.toc); then cp $(<:%.tex=%.toc) $(<:%.tex=%.toc.bak); fi
|
||||||
|
RM = rm -f
|
||||||
|
OUTDATED = echo "EPS-file is out-of-date!" && false
|
||||||
|
|
||||||
|
# These are OK
|
||||||
|
|
||||||
|
SRC := $(shell egrep -l '^[^%]*\\begin\{document\}' *.tex)
|
||||||
|
TRG = $(SRC:%.tex=%.dvi)
|
||||||
|
PSF = $(SRC:%.tex=%.ps)
|
||||||
|
PDF = $(SRC:%.tex=%.pdf)
|
||||||
|
|
||||||
|
# These are not
|
||||||
|
|
||||||
|
#BIBFILE := $(shell perl -ne '($$_)=/^[^%]*\\bibliography\{(.*?)\}/;@_=split /,/;foreach $$b (@_) {print "$$b.bib "}' $(SRC))
|
||||||
|
#DEP := $(shell perl -ne '($$_)=/^[^%]*\\include\{(.*?)\}/;@_=split /,/;foreach $$t (@_) {print "$$t.tex "}' $(SRC))
|
||||||
|
#EPSPICS := $(shell perl -ne '@foo=/^[^%]*\\(includegraphics|psfig)(\[.*?\])?\{(.*?)\}/g;if (defined($$foo[2])) { if ($$foo[2] =~ /.eps$$/) { print "$$foo[2] "; } else { print "$$foo[2].eps "; }}' $(SRC) $(DEP))
|
||||||
|
|
||||||
|
|
||||||
|
define run-latex
|
||||||
|
$(COPY);$(LATEX) $<
|
||||||
|
egrep $(MAKEIDX) $< && ($(MAKEINDEX) $(<:%.tex=%);$(COPY);$(LATEX) $<) >/dev/null; true
|
||||||
|
egrep -c $(RERUNBIB) $(<:%.tex=%.log) && ($(BIBTEX) $(<:%.tex=%);$(COPY);$(LATEX) $<) ; true
|
||||||
|
egrep $(RERUN) $(<:%.tex=%.log) && ($(COPY);$(LATEX) $<) >/dev/null; true
|
||||||
|
egrep $(RERUN) $(<:%.tex=%.log) && ($(COPY);$(LATEX) $<) >/dev/null; true
|
||||||
|
if cmp -s $(<:%.tex=%.toc) $(<:%.tex=%.toc.bak); then true ;else $(LATEX) $< ; fi
|
||||||
|
$(RM) $(<:%.tex=%.toc.bak)
|
||||||
|
# Display relevant warnings
|
||||||
|
egrep -i "(Reference|Citation).*undefined" $(<:%.tex=%.log) ; true
|
||||||
|
endef
|
||||||
|
|
||||||
|
define run-pdflatex
|
||||||
|
LATEX=pdflatex
|
||||||
|
@$(run-latex)
|
||||||
|
endef
|
||||||
|
|
||||||
|
define get_dependencies
|
||||||
|
deps=`perl -ne '($$_)=/^[^%]*\\\(?:include|input)\{(.*?)\}/;@_=split /,/;foreach $$t (@_) {print "$$t.tex "}' $<`
|
||||||
|
endef
|
||||||
|
|
||||||
|
define getbibs
|
||||||
|
bibs=`perl -ne '($$_)=/^[^%]*\\\bibliography\{(.*?)\}/;@_=split /,/;foreach $$b (@_) {print "$$b.bib "}' $< $$deps`
|
||||||
|
endef
|
||||||
|
|
||||||
|
#define geteps
|
||||||
|
# epses=`perl -ne '@foo=/^[^%]*\\\(includegraphics|psfig)(\[.*?\])?\{(.*?)\}/g;if (defined($$foo[2])) { if ($$foo[2] =~ /.eps$$/) { print "$$foo[2] "; } else { print "$$foo[2].eps "; }}' $< $$deps`
|
||||||
|
#endef
|
||||||
|
|
||||||
|
define manconf
|
||||||
|
mandeps=`if test -r $(basename $@).cnf ; then cat $(basename $@).cnf |tr -d '\n\r' ; fi`
|
||||||
|
endef
|
||||||
|
|
||||||
|
all : $(TRG)
|
||||||
|
|
||||||
|
.PHONY : all show clean ps pdf showps veryclean
|
||||||
|
|
||||||
|
clean :
|
||||||
|
-rm -f $(TRG) $(PSF) $(PDF) $(TRG:%.dvi=%.aux) $(TRG:%.dvi=%.bbl) $(TRG:%.dvi=%.blg) $(TRG:%.dvi=%.log) $(TRG:%.dvi=%.out) $(TRG:%.dvi=%.idx) $(TRG:%.dvi=%.ilg) $(TRG:%.dvi=%.ind) $(TRG:%.dvi=%.toc) $(TRG:%.dvi=%.d)
|
||||||
|
|
||||||
|
veryclean : clean
|
||||||
|
-rm -f *.log *.aux *.dvi *.bbl *.blg *.ilg *.toc *.lof *.lot *.idx *.ind *.ps *~ *.nav *.vrb *.snm *.synctex.gz *.toc.bak
|
||||||
|
|
||||||
|
# This is a rule to generate a file of prerequisites for a given .tex file
|
||||||
|
%.d : %.tex
|
||||||
|
$(get_dependencies) ; echo $$deps ; \
|
||||||
|
$(getbibs) ; echo $$bibs ; \
|
||||||
|
# $(geteps) ; echo $$epses ; \
|
||||||
|
$(manconf) ; echo $$mandeps ;\
|
||||||
|
echo "$*.dvi $@ : $< $$deps $$bibs $$mandeps" > $@
|
||||||
|
# echo "$*.dvi $@ : $< $$deps $$bibs $$epses $$mandeps" > $@
|
||||||
|
|
||||||
|
include $(SRC:.tex=.d)
|
||||||
|
|
||||||
|
# $(DEP) $(EPSPICS) $(BIBFILE)
|
||||||
|
$(TRG) : %.dvi : %.tex
|
||||||
|
@$(run-latex)
|
||||||
|
|
||||||
|
$(PSF) : %.ps : %.dvi
|
||||||
|
@$(DVIPS) $< -o $@
|
||||||
|
|
||||||
|
$(PDF) : %.pdf : %.dvi
|
||||||
|
@$(DVIPDF) -o $@ $<
|
||||||
|
# To use pdflatex, comment the two lines above and uncomment the lines below
|
||||||
|
#$(PDF) : %.pdf : %.tex
|
||||||
|
# @$(run-pdflatex)
|
||||||
|
|
||||||
|
|
||||||
|
show : $(TRG)
|
||||||
|
@for i in $(TRG) ; do $(XDVI) $$i & done
|
||||||
|
|
||||||
|
showps : $(PSF)
|
||||||
|
@for i in $(PSF) ; do $(GH) $$i & done
|
||||||
|
|
||||||
|
ps : $(PSF)
|
||||||
|
|
||||||
|
pdf : $(PDF)
|
|
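Review bot: The `$(LATEX) $<` calls in `run-latex` invoke `latex` with no `-interaction` option, so a TeX error drops into latex's interactive prompt and an unattended run (a CI or build script) hangs on stdin instead of failing, while the four egrep-guarded rerun lines end in `; true`, which also masks a failing second pass. Setting `LATEX = latex -interaction=nonstopmode -halt-on-error` makes TeX errors exit non-zero, and rewriting each rerun line as `if egrep -q $(RERUN) $(<:%.tex=%.log); then $(COPY); $(LATEX) $< >/dev/null; fi` keeps the "no rerun needed" case quiet while letting a failed rerun propagate. Adding `.DELETE_ON_ERROR:` next to the `.PHONY` line then removes a half-written .dvi so a later `make` does not treat it as up to date. The `%.d` recipe also depends on the commented `# $(geteps) ...` line inside a backslash-continued recipe being seen as a shell comment, which works in bash and dash but is fragile; moving that line out of the continuation chain would be safer.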
@ -0,0 +1,121 @@
|
||||||
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||||
|
% This is included by the other .tex files.
|
||||||
|
|
||||||
|
\begin{frame}[t,plain]
|
||||||
|
\titlepage
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{A Common Integration}
|
||||||
|
\includegraphics[scale=0.8]{misp-integration-overview.pdf}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Recommended MISP Setup}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Provisioning your MISP infrastructure depends heavily on the {\bf number of attributes/events} (whether your dataset is below or above ~50 million attributes).
|
||||||
|
\item Number of MISP instances and the overall design depends on the following factors:
|
||||||
|
\begin{itemize}
|
||||||
|
\item Is your community private? Are you gathering MISP events from other communities? Are you {\bf publishing events to external} (trusted/untrusted) communities.
|
||||||
|
\item Do you plan to have {\bf automatic tools} (e.g. sandbox analysis or low-value information needing correlation or an analyst workbench) feeding MISP?
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Vendors and Formats}
|
||||||
|
\begin{itemize}
|
||||||
|
\item There is {\bf a jungle of formats} with some vendors having little to no interest in keeping their users autonomous.
|
||||||
|
\item Attacks and threats require a {\bf dynamic format} to be efficiently shared (e.g. from financial indicators to personal information).
|
||||||
|
\item {\bf Review your current list of formats/vendors} to ensure a limited loss of information, especially when exporting from MISP to other formats (e.g. STIX not supporting financial indicators or taxonomies/galaxies).
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Use case: Normalizing OSINT and Private Feeds}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Normalizing external input and feed into MISP (e.g. feed importer).
|
||||||
|
\item Comparing feeds before import (how many similarities? false-positives?).
|
||||||
|
\item Evaluating quality of information before import (warning-list lookup at feed evaluation).
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Connecting Devices and Tools to MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item One of the main goals of MISP is to feed protective or detection tools with data
|
||||||
|
\begin{itemize}
|
||||||
|
\item IDSes / IPSes (e.g. Suricata, Bro, Snort format as included in Cisco products)
|
||||||
|
\item SIEMs (e.g. CEF, CSV or real-time ZMQ pub-sub or Sigma)
|
||||||
|
\item Host scanners (e.g. OpenIOC, STIX, yara rule-set, CSV)
|
||||||
|
\item Various analysis tools (e.g. Maltego)
|
||||||
|
\item DNS policies (e.g. RPZ)
|
||||||
|
\end{itemize}
|
||||||
|
\item Various ways of exporting this data (downloads of the selected data, full exports, APIs)
|
||||||
|
\item The idea was to leave the selection process of the subset of data to be pushed to these up to the user using APIs.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{SIEM and MISP Integration}
|
||||||
|
\begin{itemize}
|
||||||
|
\item SIEMs and MISP can be integrated with different techniques depending on the processes at your SOC or IR:
|
||||||
|
\begin{itemize}
|
||||||
|
\item Pulling events (via the API) or indicator lists at {\bf regular intervals} in a given time frame to perform lookups.
|
||||||
|
\item Subscribing to the MISP ZMQ {\bf pub-sub channel} to directly get the published events and use these in a lookup process.
|
||||||
|
\item {\bf Lookup expansion module} in MISP towards the SIEM to have a direct view of the attributes matched against the SIEM.
|
||||||
|
\end{itemize}
|
||||||
|
\item The above options can be combined, depending on your organisation or requirements to increase coverage and detection.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{ZMQ integration: misp-dashboard}
|
||||||
|
\begin{itemize}
|
||||||
|
\item A dashboard showing live data and statistics from the ZMQ pub-sub of one or more MISP instances.
|
||||||
|
\item Building {\bf low-latency software} by consuming pub-sub channel provides significant advantages over standard API use.
|
||||||
|
\item Process information in {\bf real-time} when it's updated, created, published or gathered in MISP.
|
||||||
|
\item Demo!
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{New integrations: IR and threat hunting using MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Close co-operation with {\bf the Hive project} for IR
|
||||||
|
\begin{itemize}
|
||||||
|
\item Interact with MISP directly from the Hive
|
||||||
|
\item Use both the MISP modules and the {\bf Cortex} analysers in MISP or the Hive directly
|
||||||
|
\end{itemize}
|
||||||
|
\item Using MISP to support your threat hunting via {\bf McAfee OpenDXL}
|
||||||
|
\item (\url{https://securingtomorrow.mcafee.com/business/optimize-operations/expanding-automated-threat-hunting-response-open-dxl})
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{The Hive integration}
|
||||||
|
\includegraphics[scale=0.25]{screenshots/cortex.jpg}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Reporting Back from your Devices, Tools or Processes}
|
||||||
|
As {\bf Sightings} can be positive, negative or even based on expiration, different use cases are possible:
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf Sightings} allow users to notify a MISP instance about the activities related to an indicator.
|
||||||
|
\item Activities can be from a SIEM (e.g. Splunk lookup validation or {\bf false-positive feedback}), a NIDS or honeypot devices\footnote{\url{https://www.github.com/MISP/misp-sighting-tools}}.
|
||||||
|
\item Sighting can affect the API to limit the NIDS exports and improve the NIDS rule-set directly.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Q\&A}
|
||||||
|
\begin{itemize}
|
||||||
|
\item info@circl.lu (if you want to join the CIRCL MISP sharing community)
|
||||||
|
\item \url{https://github.com/MISP/} - \url{http://www.misp-project.org/}
|
||||||
|
\item We welcome any contributions to the project, be it pull requests, ideas, github issues,...
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
@ -0,0 +1,24 @@
|
||||||
|
\documentclass{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
|
||||||
|
\usepackage[utf8]{inputenc}
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usepackage{adjustbox}
|
||||||
|
\usetikzlibrary{positioning}
|
||||||
|
\usetikzlibrary{shapes,arrows}
|
||||||
|
|
||||||
|
\author{\small{\input{../includes/authors.txt}}}
|
||||||
|
|
||||||
|
\title{MISP Training: MISP Deployment and Integration}
|
||||||
|
\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
|
||||||
|
\date{\input{../includes/location.txt}}
|
||||||
|
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
|
||||||
|
|
2
build.sh
2
build.sh
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
|
|
||||||
slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template")
|
slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template")
|
||||||
mkdir output
|
mkdir output
|
||||||
export TEXINPUTS=::`pwd`/themes/
|
export TEXINPUTS=::`pwd`/themes/
|
||||||
echo ${TEXINPUTS}
|
echo ${TEXINPUTS}
|
||||||
|
|
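Review bot: The new `"1.2-misp-integration"` entry in `slidedecks` is inserted before `"1.1-misp-viper-integration"`, breaking the numeric ordering the rest of the array follows; if array order drives build or output order, placing it as `"1.1-misp-viper-integration" "1.2-misp-integration" "1.2.1-misp-integration-mail2misp"` keeps the decks in sequence. The loop that consumes `slidedecks` is outside this hunk. The context line `mkdir output` has no `-p`, so it errors on a second run, and with no `set -e` visible in the script a failing deck build is presumably not reported either — worth confirming against the rest of the file.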