Merge branch 'main' of github.com:MISP/misp-training

x.17-eu-attack-community/content.aux

@@ -0,0 +1,57 @@
+\relax 
+\providecommand\hyper@newdestlabel[2]{}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {11}{11}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {12}{12}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}}
+\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}}
+\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}}
+\@setckpt{content}{
+\setcounter{page}{15}
+\setcounter{equation}{0}
+\setcounter{enumi}{0}
+\setcounter{enumii}{0}
+\setcounter{enumiii}{0}
+\setcounter{enumiv}{0}
+\setcounter{footnote}{5}
+\setcounter{mpfootnote}{0}
+\setcounter{beamerpauses}{1}
+\setcounter{bookmark@seq@number}{0}
+\setcounter{lecture}{0}
+\setcounter{part}{0}
+\setcounter{section}{0}
+\setcounter{subsection}{0}
+\setcounter{subsubsection}{0}
+\setcounter{subsectionslide}{14}
+\setcounter{framenumber}{13}
+\setcounter{figure}{0}
+\setcounter{table}{0}
+\setcounter{parentequation}{0}
+\setcounter{theorem}{0}
+\setcounter{realframenumber}{13}
+\setcounter{lstnumber}{1}
+\setcounter{section@level}{0}
+\setcounter{lstlisting}{0}
+}

x.17-eu-attack-community/content.log

@@ -0,0 +1,36 @@
+This is pdfTeX, Version 3.141592653-2.6-1.40.22 (TeX Live 2022/dev/Debian) (preloaded format=pdflatex 2024.5.9)  16 MAY 2024 11:26
+entering extended mode
+ restricted \write18 enabled.
+ %&-line parsing enabled.
+**content.tex
+(./content.tex
+LaTeX2e <2021-11-15> patch level 1
+L3 programming layer <2022-01-21>
+
+! LaTeX Error: Missing \begin{document}.
+
+See the LaTeX manual or LaTeX Companion for explanation.
+Type  H <return>  for immediate help.
+ ...                                              
+                                                  
+l.5 \titlepage
+              
+? 
+! Emergency stop.
+ ...                                              
+                                                  
+l.5 \titlepage
+              
+You're in trouble here.  Try typing  <return>  to proceed.
+If that doesn't work, type  X <return>  to quit.
+
+ 
+Here is how much of TeX's memory you used:
+ 18 strings out of 478287
+ 540 string characters out of 5849290
+ 289007 words of memory out of 5000000
+ 18314 multiletter control sequences out of 15000+600000
+ 469259 words of font info for 28 fonts, out of 8000000 for 9000
+ 1141 hyphenation exceptions out of 8191
+ 13i,0n,12p,79b,22s stack positions out of 5000i,500n,10000p,200000b,80000s
+!  ==> Fatal error occurred, no output PDF file produced!

x.17-eu-attack-community/content.tex

@@ -0,0 +1,186 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+        \frametitle{Who is Who}
+        \begin{itemize}
+            \item Alexandre Dulaunoy\footnote{\url{https://github.com/adulau}} (CIRCL, MISP, etc.)
+            \item Christophe Vandeplas\footnote{\url{https://github.com/cvandeplas}} (Consultant \& Reservist, MISP, Sysdiagnose (EU), etc.)
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+  \frametitle{What is a MISP Galaxy?}
+  \begin{itemize}
+	  \item MISP Galaxy is a feature in MISP and a MISP standard\footnote{\url{https://www.misp-standard.org/}} format to create {\bf contextualization libraries}.
+    \begin{itemize}
+      \item There are two main types: \textbf{combined list} or \textbf{matrix-like list}.
+    \end{itemize}
+    \item The first historical matrix-like galaxy was MITRE ATT\&CK\footnote{Presented at the first EU ATT\&CK community meeting in Luxembourg}.
+    \item Galaxies contain intelligence that can be \textbf{structured} in a matrix-like format. Relationships between models can be created, and implementation such as in MISP allows for the \textbf{forking and sharing of information}. This is typically attached to intelligence in threat intelligence platforms to add context.
+  \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+   \frametitle{Origins and Evolution}
+   \begin{itemize}
+       \item Seeing the success of the ATT\&CK framework in MISP gave rise to a host of matrix-based models:
+       \begin{itemize}
+           \item Inflation? We don’t think so.
+           \item There are {\bf different models} because there are many {\bf different use cases to be represented}.
+           \item We found this to be good as long as those models are maintained.
+       \end{itemize}
+   \end{itemize}
+\end{frame}
+
+\begin{frame}
+	\frametitle{MISP galaxies over time}
+	\begin{center}
+	\includegraphics[scale=0.16]{./screenshots/timeline.png}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+        \frametitle{What Leads to Starting New Frameworks?}
+        \begin{itemize}
+	\item New frameworks try to {\bf fill gaps}.
+            \item New ideas in different areas/domains.
+            \item Small vs. large initiatives.
+	    \item {\bf Collaboration is not always easy}.
+                \begin{itemize}
+                    \item Small contributors vs. large organizations.
+                    \item Absence of guidance to contribute.
+                    \item Closed models.
+                \end{itemize}
+            \item Research \& publication vs. practical use.
+            \item Need for timely new data in a continuously evolving threat landscape.
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Conversion (or the Dirty Part)}
+        \begin{itemize}
+            \item Understand the topic.
+            \item Understand the users and their use cases.
+            \item Map to Matrix / Kill Chain.
+            \item Handle \textbf{various formats}:
+                \begin{itemize}
+                    \item JSON, XLS, PDF, DOCX, Markdown, CSV, web scraping, Python, etc.
+                \end{itemize}
+            \item Reverse engineer the data model.
+            \item Manage UUIDs: existing vs. generating new.
+            \item Handle duplicate values\footnote{In other words, many organizations didn’t machine-validate their own model.}:
+                \begin{itemize}
+                    \item Interaction with the framework owner.
+                \end{itemize}
+            \item Create the conversion script, or do by hand.
+        \end{itemize}
+        \begin{center}
+            \includegraphics[scale=0.3]{./screenshots/uuid-extraction.png}
+            \includegraphics[scale=0.3]{./screenshots/uuid-generation.png}
+        \end{center}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Relations (Where Are the Overlaps?)}
+        \begin{itemize}
+            \item Example relations: \texttt{similar}, \texttt{contains}, or lifecycle: \texttt{revoked-by}.
+            \item Frameworks might contain internal relations.
+            \item Relations between different frameworks:
+            \begin{itemize}
+                \item \textbf{Native relationships}
+                \item \textbf{3rd party contributions}
+            \end{itemize}
+            \item Create specific tooling to help or partially automate the creation of relations.
+        \end{itemize}
+        \begin{center}
+        \includegraphics[scale=0.35]{./screenshots/rel-gen-example.png}
+        % \includegraphics[scale=0.3]{./screenshots/rel-technique-re-search.png}
+        \end{center}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Maintenance (Anyone on the Line?)}
+        \begin{itemize}
+		\item {\bf Frameworks have a lifecycle} - evolution of the model.
+            \item Know when there is an update.
+	    \item {\bf Deprecate, revoke, delete entries}.
+            \item Change of UUID (UUIDv4 or UUIDv5) / value - may impact UUID.
+                \begin{itemize}
+                    \item Breaks relationships with UUIDs.
+                \end{itemize}
+            \item Conversion script breaks.
+            \item Keeping contributed relationships.
+        \end{itemize}
+        \begin{center}
+            \includegraphics[scale=0.3]{./screenshots/new-uuids-everywhere.png}
+        \end{center}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Opportunities (How Can It Help Me?)}
+        \begin{itemize}
+		\item Structure new models: {\bf Understand existing ones to identify gaps} and raise feature requests or pull requests on \texttt{misp-galaxy}.
+            \item MISP Galaxy:
+                \begin{itemize}
+                    \item Open standard.
+		    \item Data is CC0 - {\bf reusable in any software}.
+                \end{itemize}
+            \item Extend frameworks: Use one framework as a core library and build additional layers on top.
+	    \item Marketing and promotion: The more tools that use it, the {\bf more widely the framework is adopted}.
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{Way Ahead for MISP Galaxy}
+        \begin{itemize}
+            \item Add {\bf more} frameworks and taxonomies.
+            \item {\bf Better mark revoked and deprecated} clusters in the galaxy.
+            \item Automate the ingestion of updated third-party threat matrices.
+            \item Improve the library for managing conversions to MISP Galaxy.
+        \end{itemize}
+	\begin{center}
+	 	\includegraphics[scale=0.2]{./screenshots/misp-galaxy-website.png}
+	\end{center}
+\end{frame}
+
+\begin{frame}
+        \frametitle{10 Golden Rules for Framework Creators (Technical)}
+        \begin{itemize}
+            \item 1. Use a machine-readable format (JSON is preferred).
+            \item 2. Ensure fixed and unique UUIDs.
+            \item 3. Revoke entries, do not delete them.
+            \item 4. Relate to UUIDs with relationship types.
+            \item 5. Allow outbound relationships.
+        \end{itemize}
+\end{frame}
+
+\begin{frame}
+        \frametitle{10 Golden Rules for Framework Creators (Community)}
+        \begin{itemize}
+            \item 6. Publish and communicate.
+            \item 7. Update regularly.
+            \item 8. Encourage third-party contributions.
+            \item 9. Expand existing frameworks.
+            \item 10. Collaborate with other framework creators.
+        \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+  \frametitle{Get in touch if you have any questions}
+  \begin{itemize}
+    \item MISP galaxy website \url{https://www.misp-galaxy.org/}
+    \item Contact MISPProject
+    \begin{itemize}
+      \item \url{https://github.com/MISP}
+      \item \url{https://gitter.im/MISP/MISP}
+      \item \url{https://twitter.com/MISPProject}
+    \end{itemize}
+  \end{itemize}
+\end{frame}

x.17-eu-attack-community/slide.aux

@@ -0,0 +1,28 @@
+\relax 
+\providecommand\hyper@newdestlabel[2]{}
+\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
+\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
+\global\let\oldcontentsline\contentsline
+\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
+\global\let\oldnewlabel\newlabel
+\gdef\newlabel#1#2{\newlabelxx{#1}#2}
+\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
+\AtEndDocument{\ifx\hyper@anchor\@undefined
+\let\contentsline\oldcontentsline
+\let\newlabel\oldnewlabel
+\fi}
+\fi}
+\global\let\hyper@last\relax 
+\gdef\HyperFirstAtBeginDocument#1{#1}
+\providecommand\HyField@AuxAddToFields[1]{}
+\providecommand\HyField@AuxAddToCoFields[2]{}
+\providecommand\BKM@entry[2]{}
+\@input{content.aux}
+\providecommand \oddpage@label [2]{}
+\pgfsyspdfmark {pgfid1}{1398509}{15859109}
+\@writefile{nav}{\headcommand {\beamer@partpages {1}{14}}}
+\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{14}}}
+\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{14}}}
+\@writefile{nav}{\headcommand {\beamer@documentpages {14}}}
+\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {13}}}
+\gdef \@abspage@last{14}

x.17-eu-attack-community/slide.nav

@@ -0,0 +1,33 @@
+\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
+\headcommand {\beamer@framepages {1}{1}}
+\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
+\headcommand {\beamer@framepages {2}{2}}
+\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
+\headcommand {\beamer@framepages {3}{3}}
+\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
+\headcommand {\beamer@framepages {4}{4}}
+\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
+\headcommand {\beamer@framepages {5}{5}}
+\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
+\headcommand {\beamer@framepages {6}{6}}
+\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}
+\headcommand {\beamer@framepages {7}{7}}
+\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}
+\headcommand {\beamer@framepages {8}{8}}
+\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}
+\headcommand {\beamer@framepages {9}{9}}
+\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}
+\headcommand {\beamer@framepages {10}{10}}
+\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}
+\headcommand {\beamer@framepages {11}{11}}
+\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}
+\headcommand {\beamer@framepages {12}{12}}
+\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}
+\headcommand {\beamer@framepages {13}{13}}
+\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}
+\headcommand {\beamer@framepages {14}{14}}
+\headcommand {\beamer@partpages {1}{14}}
+\headcommand {\beamer@subsectionpages {1}{14}}
+\headcommand {\beamer@sectionpages {1}{14}}
+\headcommand {\beamer@documentpages {14}}
+\headcommand {\gdef \inserttotalframenumber {13}}

x.17-eu-attack-community/slide.tex

@@ -0,0 +1,25 @@
+\documentclass[aspectratio=169]{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+%\usepackage[T1]{fontenc}
+%\usepackage[scaled]{beramono}
+\author{\small{MISP Project}}
+\title{Developing a Threat Intelligence Model and Framework?}
+\subtitle{\small{How You Can Promote Its Use in MISP and Other TIPs.}}
+\institute{}
+\titlegraphic{\includegraphics[scale=0.65]{misp.pdf}}
+
+\date{12th EU MITRE ATT\&CK Community}
+\begin{document}
+\include{content}
+\end{document}
+