Merge branch 'main' of github.com:MISP/misp-training
|
@ -0,0 +1,57 @@
|
||||||
|
\relax
|
||||||
|
\providecommand\hyper@newdestlabel[2]{}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {1}{1}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {2}{2}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {3}{3}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {4}{4}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {5}{5}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {6}{6}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {7}{7}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {8}{8}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {9}{9}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {10}{10}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {11}{11}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {12}{12}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {13}{13}}}
|
||||||
|
\@writefile{nav}{\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@framepages {14}{14}}}
|
||||||
|
\@setckpt{content}{
|
||||||
|
\setcounter{page}{15}
|
||||||
|
\setcounter{equation}{0}
|
||||||
|
\setcounter{enumi}{0}
|
||||||
|
\setcounter{enumii}{0}
|
||||||
|
\setcounter{enumiii}{0}
|
||||||
|
\setcounter{enumiv}{0}
|
||||||
|
\setcounter{footnote}{5}
|
||||||
|
\setcounter{mpfootnote}{0}
|
||||||
|
\setcounter{beamerpauses}{1}
|
||||||
|
\setcounter{bookmark@seq@number}{0}
|
||||||
|
\setcounter{lecture}{0}
|
||||||
|
\setcounter{part}{0}
|
||||||
|
\setcounter{section}{0}
|
||||||
|
\setcounter{subsection}{0}
|
||||||
|
\setcounter{subsubsection}{0}
|
||||||
|
\setcounter{subsectionslide}{14}
|
||||||
|
\setcounter{framenumber}{13}
|
||||||
|
\setcounter{figure}{0}
|
||||||
|
\setcounter{table}{0}
|
||||||
|
\setcounter{parentequation}{0}
|
||||||
|
\setcounter{theorem}{0}
|
||||||
|
\setcounter{realframenumber}{13}
|
||||||
|
\setcounter{lstnumber}{1}
|
||||||
|
\setcounter{section@level}{0}
|
||||||
|
\setcounter{lstlisting}{0}
|
||||||
|
}
|
|
@ -0,0 +1,36 @@
|
||||||
|
This is pdfTeX, Version 3.141592653-2.6-1.40.22 (TeX Live 2022/dev/Debian) (preloaded format=pdflatex 2024.5.9) 16 MAY 2024 11:26
|
||||||
|
entering extended mode
|
||||||
|
restricted \write18 enabled.
|
||||||
|
%&-line parsing enabled.
|
||||||
|
**content.tex
|
||||||
|
(./content.tex
|
||||||
|
LaTeX2e <2021-11-15> patch level 1
|
||||||
|
L3 programming layer <2022-01-21>
|
||||||
|
|
||||||
|
! LaTeX Error: Missing \begin{document}.
|
||||||
|
|
||||||
|
See the LaTeX manual or LaTeX Companion for explanation.
|
||||||
|
Type H <return> for immediate help.
|
||||||
|
...
|
||||||
|
|
||||||
|
l.5 \titlepage
|
||||||
|
|
||||||
|
?
|
||||||
|
! Emergency stop.
|
||||||
|
...
|
||||||
|
|
||||||
|
l.5 \titlepage
|
||||||
|
|
||||||
|
You're in trouble here. Try typing <return> to proceed.
|
||||||
|
If that doesn't work, type X <return> to quit.
|
||||||
|
|
||||||
|
|
||||||
|
Here is how much of TeX's memory you used:
|
||||||
|
18 strings out of 478287
|
||||||
|
540 string characters out of 5849290
|
||||||
|
289007 words of memory out of 5000000
|
||||||
|
18314 multiletter control sequences out of 15000+600000
|
||||||
|
469259 words of font info for 28 fonts, out of 8000000 for 9000
|
||||||
|
1141 hyphenation exceptions out of 8191
|
||||||
|
13i,0n,12p,79b,22s stack positions out of 5000i,500n,10000p,200000b,80000s
|
||||||
|
! ==> Fatal error occurred, no output PDF file produced!
|
|
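--- /dev/null
+++ b/content.tex
@@ -0,0 +1,186 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}
+\titlepage
+\end{frame}
+
+\begin{frame}
+\frametitle{Who is Who}
+\begin{itemize}
+\item Alexandre Dulaunoy\footnote{\url{https://github.com/adulau}} (CIRCL, MISP, etc.)
+\item Christophe Vandeplas\footnote{\url{https://github.com/cvandeplas}} (Consultant \& Reservist, MISP, Sysdiagnose (EU), etc.)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is a MISP Galaxy?}
+\begin{itemize}
+\item MISP Galaxy is a feature in MISP and a MISP standard\footnote{\url{https://www.misp-standard.org/}} format to create {\bf contextualization libraries}.
+\begin{itemize}
+\item There are two main types: \textbf{combined list} or \textbf{matrix-like list}.
+\end{itemize}
+\item The first historical matrix-like galaxy was MITRE ATT\&CK\footnote{Presented at the first EU ATT\&CK community meeting in Luxembourg}.
+\item Galaxies contain intelligence that can be \textbf{structured} in a matrix-like format. Relationships between models can be created, and implementation such as in MISP allows for the \textbf{forking and sharing of information}. This is typically attached to intelligence in threat intelligence platforms to add context.
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Origins and Evolution}
+\begin{itemize}
+\item Seeing the success of the ATT\&CK framework in MISP gave rise to a host of matrix-based models:
+\begin{itemize}
+\item Inflation? We don’t think so.
+\item There are {\bf different models} because there are many {\bf different use cases to be represented}.
+\item We found this to be good as long as those models are maintained.
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{MISP galaxies over time}
+\begin{center}
+\includegraphics[scale=0.16]{./screenshots/timeline.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{What Leads to Starting New Frameworks?}
+\begin{itemize}
+\item New frameworks try to {\bf fill gaps}.
+\item New ideas in different areas/domains.
+\item Small vs. large initiatives.
+\item {\bf Collaboration is not always easy}.
+\begin{itemize}
+\item Small contributors vs. large organizations.
+\item Absence of guidance to contribute.
+\item Closed models.
+\end{itemize}
+\item Research \& publication vs. practical use.
+\item Need for timely new data in a continuously evolving threat landscape.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Conversion (or the Dirty Part)}
+\begin{itemize}
+\item Understand the topic.
+\item Understand the users and their use cases.
+\item Map to Matrix / Kill Chain.
+\item Handle \textbf{various formats}:
+\begin{itemize}
+\item JSON, XLS, PDF, DOCX, Markdown, CSV, web scraping, Python, etc.
+\end{itemize}
+\item Reverse engineer the data model.
+\item Manage UUIDs: existing vs. generating new.
+\item Handle duplicate values\footnote{In other words, many organizations didn’t machine-validate their own model.}:
+\begin{itemize}
+\item Interaction with the framework owner.
+\end{itemize}
+\item Create the conversion script, or do by hand.
+\end{itemize}
+\begin{center}
+\includegraphics[scale=0.3]{./screenshots/uuid-extraction.png}
+\includegraphics[scale=0.3]{./screenshots/uuid-generation.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Relations (Where Are the Overlaps?)}
+\begin{itemize}
+\item Example relations: \texttt{similar}, \texttt{contains}, or lifecycle: \texttt{revoked-by}.
+\item Frameworks might contain internal relations.
+\item Relations between different frameworks:
+\begin{itemize}
+\item \textbf{Native relationships}
+\item \textbf{3rd party contributions}
+\end{itemize}
+\item Create specific tooling to help or partially automate the creation of relations.
+\end{itemize}
+\begin{center}
+\includegraphics[scale=0.35]{./screenshots/rel-gen-example.png}
+% \includegraphics[scale=0.3]{./screenshots/rel-technique-re-search.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Maintenance (Anyone on the Line?)}
+\begin{itemize}
+\item {\bf Frameworks have a lifecycle} - evolution of the model.
+\item Know when there is an update.
+\item {\bf Deprecate, revoke, delete entries}.
+\item Change of UUID (UUIDv4 or UUIDv5) / value - may impact UUID.
+\begin{itemize}
+\item Breaks relationships with UUIDs.
+\end{itemize}
+\item Conversion script breaks.
+\item Keeping contributed relationships.
+\end{itemize}
+\begin{center}
+\includegraphics[scale=0.3]{./screenshots/new-uuids-everywhere.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Opportunities (How Can It Help Me?)}
+\begin{itemize}
+\item Structure new models: {\bf Understand existing ones to identify gaps} and raise feature requests or pull requests on \texttt{misp-galaxy}.
+\item MISP Galaxy:
+\begin{itemize}
+\item Open standard.
+\item Data is CC0 - {\bf reusable in any software}.
+\end{itemize}
+\item Extend frameworks: Use one framework as a core library and build additional layers on top.
+\item Marketing and promotion: The more tools that use it, the {\bf more widely the framework is adopted}.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Way Ahead for MISP Galaxy}
+\begin{itemize}
+\item Add {\bf more} frameworks and taxonomies.
+\item {\bf Better mark revoked and deprecated} clusters in the galaxy.
+\item Automate the ingestion of updated third-party threat matrices.
+\item Improve the library for managing conversions to MISP Galaxy.
+\end{itemize}
+\begin{center}
+\includegraphics[scale=0.2]{./screenshots/misp-galaxy-website.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{10 Golden Rules for Framework Creators (Technical)}
+\begin{itemize}
+\item 1. Use a machine-readable format (JSON is preferred).
+\item 2. Ensure fixed and unique UUIDs.
+\item 3. Revoke entries, do not delete them.
+\item 4. Relate to UUIDs with relationship types.
+\item 5. Allow outbound relationships.
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{10 Golden Rules for Framework Creators (Community)}
+\begin{itemize}
+\item 6. Publish and communicate.
+\item 7. Update regularly.
+\item 8. Encourage third-party contributions.
+\item 9. Expand existing frameworks.
+\item 10. Collaborate with other framework creators.
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Get in touch if you have any questions}
+\begin{itemize}
+\item MISP galaxy website \url{https://www.misp-galaxy.org/}
+\item Contact MISPProject
+\begin{itemize}
+\item \url{https://github.com/MISP}
+\item \url{https://gitter.im/MISP/MISP}
+\item \url{https://twitter.com/MISPProject}
+\end{itemize}
+\end{itemize}
+\end{frame}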
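Review bot: The header comment on the first line says the file must not be compiled directly, but nothing enforces it, and the content.log added in this same commit records exactly that mistake (`**content.tex` ending in `Missing \begin{document}` at `l.5 \titlepage`); a one-line guard after the comment would fail fast with a readable message: `\ifx\titlepage\undefined \errmessage{content.tex is a fragment: compile the main .tex file instead}\fi`. Emphasis is mixed between the obsolete `{\bf ...}` (the "What is a MISP Galaxy?", "Origins", "Maintenance" and later frames) and `\textbf{...}` (the "Relations" frame and the nested list of the galaxy frame); using `\textbf` throughout, or one `\newcommand*` for the highlight style, keeps that in one place. The two "10 Golden Rules" frames hand-number their bullets inside `itemize`; an `enumerate` with `\setcounter{enumi}{5}` on the second frame gives consistent, restartable numbering. Build artifacts (content.aux, content.log and the .nav file) are also added by this commit and would normally be ignored rather than tracked.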
After Width: | Height: | Size: 117 KiB |
After Width: | Height: | Size: 217 KiB |
After Width: | Height: | Size: 139 KiB |
After Width: | Height: | Size: 28 KiB |
After Width: | Height: | Size: 34 KiB |
After Width: | Height: | Size: 430 KiB |
After Width: | Height: | Size: 25 KiB |
After Width: | Height: | Size: 54 KiB |
After Width: | Height: | Size: 73 KiB |
After Width: | Height: | Size: 28 KiB |
After Width: | Height: | Size: 29 KiB |
After Width: | Height: | Size: 313 KiB |
After Width: | Height: | Size: 146 KiB |
After Width: | Height: | Size: 15 KiB |
After Width: | Height: | Size: 24 KiB |
|
@ -0,0 +1,28 @@
|
||||||
|
\relax
|
||||||
|
\providecommand\hyper@newdestlabel[2]{}
|
||||||
|
\providecommand\HyperFirstAtBeginDocument{\AtBeginDocument}
|
||||||
|
\HyperFirstAtBeginDocument{\ifx\hyper@anchor\@undefined
|
||||||
|
\global\let\oldcontentsline\contentsline
|
||||||
|
\gdef\contentsline#1#2#3#4{\oldcontentsline{#1}{#2}{#3}}
|
||||||
|
\global\let\oldnewlabel\newlabel
|
||||||
|
\gdef\newlabel#1#2{\newlabelxx{#1}#2}
|
||||||
|
\gdef\newlabelxx#1#2#3#4#5#6{\oldnewlabel{#1}{{#2}{#3}}}
|
||||||
|
\AtEndDocument{\ifx\hyper@anchor\@undefined
|
||||||
|
\let\contentsline\oldcontentsline
|
||||||
|
\let\newlabel\oldnewlabel
|
||||||
|
\fi}
|
||||||
|
\fi}
|
||||||
|
\global\let\hyper@last\relax
|
||||||
|
\gdef\HyperFirstAtBeginDocument#1{#1}
|
||||||
|
\providecommand\HyField@AuxAddToFields[1]{}
|
||||||
|
\providecommand\HyField@AuxAddToCoFields[2]{}
|
||||||
|
\providecommand\BKM@entry[2]{}
|
||||||
|
\@input{content.aux}
|
||||||
|
\providecommand \oddpage@label [2]{}
|
||||||
|
\pgfsyspdfmark {pgfid1}{1398509}{15859109}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@partpages {1}{14}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@subsectionpages {1}{14}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@sectionpages {1}{14}}}
|
||||||
|
\@writefile{nav}{\headcommand {\beamer@documentpages {14}}}
|
||||||
|
\@writefile{nav}{\headcommand {\gdef \inserttotalframenumber {13}}}
|
||||||
|
\gdef \@abspage@last{14}
|
|
@ -0,0 +1,33 @@
|
||||||
|
\headcommand {\slideentry {0}{0}{1}{1/1}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {1}{1}}
|
||||||
|
\headcommand {\slideentry {0}{0}{2}{2/2}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {2}{2}}
|
||||||
|
\headcommand {\slideentry {0}{0}{3}{3/3}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {3}{3}}
|
||||||
|
\headcommand {\slideentry {0}{0}{4}{4/4}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {4}{4}}
|
||||||
|
\headcommand {\slideentry {0}{0}{5}{5/5}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {5}{5}}
|
||||||
|
\headcommand {\slideentry {0}{0}{6}{6/6}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {6}{6}}
|
||||||
|
\headcommand {\slideentry {0}{0}{7}{7/7}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {7}{7}}
|
||||||
|
\headcommand {\slideentry {0}{0}{8}{8/8}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {8}{8}}
|
||||||
|
\headcommand {\slideentry {0}{0}{9}{9/9}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {9}{9}}
|
||||||
|
\headcommand {\slideentry {0}{0}{10}{10/10}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {10}{10}}
|
||||||
|
\headcommand {\slideentry {0}{0}{11}{11/11}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {11}{11}}
|
||||||
|
\headcommand {\slideentry {0}{0}{12}{12/12}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {12}{12}}
|
||||||
|
\headcommand {\slideentry {0}{0}{13}{13/13}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {13}{13}}
|
||||||
|
\headcommand {\slideentry {0}{0}{14}{14/14}{}{0}}
|
||||||
|
\headcommand {\beamer@framepages {14}{14}}
|
||||||
|
\headcommand {\beamer@partpages {1}{14}}
|
||||||
|
\headcommand {\beamer@subsectionpages {1}{14}}
|
||||||
|
\headcommand {\beamer@sectionpages {1}{14}}
|
||||||
|
\headcommand {\beamer@documentpages {14}}
|
||||||
|
\headcommand {\gdef \inserttotalframenumber {13}}
|
|
@ -0,0 +1,25 @@
|
||||||
|
\documentclass[aspectratio=169]{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
\usepackage[utf8]{inputenc}
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usepackage{adjustbox}
|
||||||
|
\usetikzlibrary{positioning}
|
||||||
|
\usetikzlibrary{shapes,arrows}
|
||||||
|
%\usepackage[T1]{fontenc}
|
||||||
|
%\usepackage[scaled]{beramono}
|
||||||
|
\author{\small{MISP Project}}
|
||||||
|
\title{Developing a Threat Intelligence Model and Framework?}
|
||||||
|
\subtitle{\small{How You Can Promote Its Use in MISP and Other TIPs.}}
|
||||||
|
\institute{}
|
||||||
|
\titlegraphic{\includegraphics[scale=0.65]{misp.pdf}}
|
||||||
|
|
||||||
|
\date{12th EU MITRE ATT\&CK Community}
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
|
||||||
|
|
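Review bot: `\include{content}` on the line before `\end{document}` forces a `\clearpage` and writes a separate content.aux (the `\@setckpt{content}` checkpoint and the `\@input{content.aux}` line in the aux files of this commit), which is why a second aux file is being tracked here; `\input{content}` is what is meant for a fragment pulled into a single beamer deck. `\author{\small{MISP Project}}` and `\subtitle{\small{...}}` use `\small` as if it took an argument; it is a font switch, so write `{\small MISP Project}` and `{\small How You Can Promote Its Use in MISP and Other TIPs.}` for the intended scope. `\usepackage[T1]{fontenc}` is left commented out while `inputenc` is loaded; enabling T1 gives correct hyphenation and copyable, searchable PDF text. `tikz`, `listings` and `adjustbox` are loaded but, as far as content.tex in this commit shows, nothing uses them; they could presumably be dropped unless other decks share this preamble.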