% DO NOT COMPILE THIS FILE DIRECTLY! % This is included by the other .tex files. \begin{frame} \titlepage \end{frame} \begin{frame} \frametitle{What is MISP?} \begin{itemize} \item MISP is a {\bf threat information sharing} platform that is free \& open source software \item A tool that {\bf collects} information from partners, your analysts, your tools, feeds \item Normalises, {\bf correlates}, {\bf enriches} and {\bf connects} the data \item Allows teams and communities to {\bf collaborate} and {\bf share} \item {\bf Feeds} automated protective tools and analyst tools with the output \item MISP is a {\bf complete threat intelligence platform} with strong sharing capabilities and extendability \end{itemize} \end{frame} \begin{frame}[plain,c] \begin{center} {\Huge Two years from now, threat intelligence will be easy.\\} {\it Bill Gates if he did work in threat intelligence} \end{center} \end{frame} \begin{frame} \frametitle{The aim of this presentation} \begin{itemize} \item {\Large Showing the {\bf evolution of threat intelligence}\footnote{based on our empirical view from users using/integrating MISP} and \item {\bf data-driven threat hunting} over the past years} \item {\Large What can we expect in {\bf the future}?} \end{itemize} \end{frame} \begin{frame} \frametitle{From standalone indicator to advanced object data models} \begin{itemize} \item In early 2010, MISP supported basic indicators sharing with a limited set of types \item In 2022, MISP integrates a dynamic object model with advanced custom relationships \item Why such evolution? \begin{itemize} \item {\bf Increase of intelligence usage in different sectors}. From threat-hunting\footnote{With different types of threat hunts including TTP-driven, intelligence-driven, asset-driven...} to risk assessment or strategic decisions \item {\bf Increased diversity among analysts} \end{itemize} \end{itemize} \end{frame} \begin{frame} \frametitle{Multitude of intelligence models} \begin{itemize} \item Chains, triangles, circles, diamonds, arrows, a mix or even a multi-layer matrix \item There is {\bf no perfect intelligence models} \item Organisations invent their model, reuse existing ones or are even more creative \item Showing {\bf how diverse\footnote{Embrace the diversity of models, taxonomies} our societies are} \end{itemize} \end{frame} \begin{frame} \frametitle{Main focus was securing our data and tooling} \begin{itemize} \item Current {\bf geo-political situation} lead to new challenges \item It has been an interesting time period with quite some activity \item Our goal was to {\bf shore up the security} aspects of MISP and Cerebrate \item Build new functionalities and tools to allow users to {\bf protect their data} \end{itemize} \end{frame} \begin{frame} \frametitle{Sharing group blueprints} \begin{itemize} \item Solving the issue of {\bf sharing group lifecycle management} \item Build SG blueprints for reusable, maintainable sharing groups \item Abstract sharing groups, organisation metadata as building blocks \item Solve newly arising sharing challenges \end{itemize} \end{frame} \begin{frame} \frametitle{Sharing group blueprints} \includegraphics[scale=0.6]{images/blueprints2.png} \end{frame} \begin{frame} \frametitle{Cryptographic signing and tamper protection} \begin{itemize} \item Need to be able to share and ensure the {\bf veracity of critical events} \item Tampering by {\bf malicious intermediaries}, even in closed networks became a new fear \item We came up with a solution that allows us to {\bf lock down critical events} \item Limits the distribution, but {\bf increases the resilience} of MISP immensely \end{itemize} \end{frame} \begin{frame} \frametitle{Cryptographic signing and tamper protection} \includegraphics[scale=0.5]{images/signing1.png} \end{frame} \begin{frame} \frametitle{Cryptographic signing and tamper protection} \includegraphics[scale=0.5]{images/signing2.png} \end{frame} \begin{frame} \frametitle{Cryptographic signing and tamper protection} \includegraphics[scale=0.6]{images/signing3.png} \includegraphics[scale=0.6]{images/signing4.png} \end{frame} \begin{frame} \frametitle{Other major improvements} \begin{itemize} \item Various other new functionalities that improve our day to day use of the tool \end{itemize} \end{frame} \begin{frame} \frametitle{Long list of security fixes} \begin{itemize} \item Partially from user reports \item Partially by an exhaustive pentest series \item Massive thank you to {\bf Zigrin Security} for conducting the tests... \item ...and to the {\bf Luxembourgish Army} for financing it \item Multiple {\bf CVEs} resolved, including a {\bf critical one that required a silent release} \item Make sure you stay up to date! \end{itemize} \end{frame} \begin{frame} \frametitle{Long list of security fixes} \includegraphics[scale=0.4]{images/security.png} \end{frame} \begin{frame} \frametitle{Event warning system} \begin{itemize} \item Build a rule based tool that analyses an event and {\bf recommends improvements} \item Typical issues easily caught (missing TLP, lack of context, etc) \item Simple to extend, flexible \end{itemize} \end{frame} \begin{frame} \frametitle{Event warning system} \includegraphics[scale=0.3]{images/warnings.png} \end{frame} \begin{frame} \frametitle{Massive rework of the STIX integrations} \begin{itemize} \item Our resident STIX guru (Christian Studer) has become {\bf co-chair of the STIX commitee} at OASIS \item Massive rework of how we handle {\bf STIX ingestion / generation} \item Continuous work with {\bf MITRE/CISA} to improve the integration \item STIX subsystem spun off as a standalone system {\bf misp-stix}\footnote{\url{https://github.com/MISP/misp-stix}} \item Can be used a standalone to convert in both directions MISP standard format to all the STIX variantes \end{itemize} \end{frame} \begin{frame} \frametitle{Further synchronisation filtering methods} \begin{itemize} \item The ability to {\bf exclude} certain attribute {\bf types from the synchronisation} \item Comes with some risks, but solves some issues \item An example: {\bf Exclusion of malware samples when sharing towards classified networks} \end{itemize} \end{frame} \begin{frame} \frametitle{Advanced timelining} \begin{itemize} \item Rework of the timelining in MISP \item Inclusion of images, sightings \item Various other improvements \end{itemize} \end{frame} \begin{frame} \frametitle{Timelining} \includegraphics[scale=0.2]{images/timelining.png} \end{frame} \begin{frame} \frametitle{New background processor} \begin{itemize} \item Since late November last year we have had a {\bf new background processing engine} \item Fully optional for now \item Lean, closer to an OS native implementation via {\bf Supervisor} \item Gets rid of a lot of the baggage of our previous system (scheduling) \item Implemetation by @righel (Luciano Righetti) \end{itemize} \end{frame} \begin{frame} \frametitle{Long list of other fixes} \begin{itemize} \item Usability fixes \item Performance improvements \item Bug fixes \item Too many improvements to the galaxies, taxonomies, object templates to list! \item Huge thank you to {\bf Jakub Onderka} for the {\bf constant stream of improvements} \end{itemize} \end{frame} \begin{frame} \frametitle{Workflows in MISP} \begin{itemize} \item Outcome of our initial work from GeekWeek 7.5\footnote{\href{https://cyber.gc.ca/en/events/geekweek-75}{Workshop organized by the Canadian Cyber Center}} \item Goal: Modifying the execution of certain {\bf core functionalities} \item Basically a {\bf hooking mechanism} \item Modular approach using {\bf MISP-modules} or {\bf PHP modules} \item Build and execute admin defined tasks on various actions \item Modify data in place, block, fire-and-forget \item All exposed via a {\bf completely new GUI} \end{itemize} \end{frame} \begin{frame} \frametitle{Workflows in MISP} \begin{itemize} \item {\bf Branching} codebase \item Context sensitive, per-module filters \item Implemented by our UI expert Sami "GraphMan" Mokaddem \end{itemize} \end{frame} \begin{frame} \frametitle{Workflows in MISP} \includegraphics[scale=0.2]{images/workflows1.png} \end{frame} \begin{frame} \frametitle{Workflows in MISP} \includegraphics[scale=0.2]{images/workflows2.png} \end{frame} \begin{frame} \frametitle{External data guard} \begin{itemize} \item Work in {\bf collaboration with BICES} \item Proxy server\footnote{\url{https://github.com/MISP/misp-guard}} that {\bf inspects and blocks potential data leaks} during synchronisation \item Standalone \item Simplistic design and {\bf easy to audit} \item Modular {\bf rule based} system \end{itemize} \end{frame} \begin{frame} \frametitle{Various reworks to support STIX mappings} \begin{itemize} \item {\bf Relationships for tags/galaxies} \item {\bf Templating} for galaxy cluster creation \item Dot notation {\bf deep cluster elements} \item Built in {\bf TAXII 2.1 export support} with the help of MITRE/CISA \end{itemize} \end{frame} \begin{frame} \frametitle{Quick Cerebrate update} \begin{center} \includegraphics[scale=0.4]{images/cerebrate.png} \end{center} \end{frame} \begin{frame} \frametitle{Quick Cerebrate update} \begin{itemize} \item 5 new releases \item Deployment for the {\bf CSIRT network} ongoing \item A host of new functionalities to solve day to day issues we have in the CSIRT community \end{itemize} \end{frame} \begin{frame} \frametitle{User management} \begin{itemize} \item Reworked completely \item Tight integration with {\bf KeyCloak} \item Full user provisioning / maintaining via Cerebrate \end{itemize} \end{frame} \begin{frame} \frametitle{Reworked meta information system} \begin{itemize} \item Introduction of {\bf context specific custom fields} \item Custom {\bf search algorithms} (for example CIDR block lookups for constituency information) \item Customisable and {\bf blueprint-able data model} \end{itemize} \end{frame} \begin{frame} \frametitle{API along with its documentation fleshed out} \begin{itemize} \item {\bf OpenAPI integration} similarly to MISP \item Integration tests and introduction of a {\bf CI pipeline} \item Documentation and API examples available in Cerebrate directly \end{itemize} \end{frame} \begin{frame} \frametitle{Security fixes} \begin{itemize} \item Cerebrate, similarly to MISP received an in-depth pentest by {\bf Zigrin Security} \item Likewise funded by the {\bf Luxembourgish Army} \item Besides fixes to vulnerabilities, a host of usability findings and fixes \item {\bf 5 CVEs} published \item \url{https://www.cerebrate-project.org/security.html} \end{itemize} \end{frame} \begin{frame} \frametitle{Get in touch if you have any questions} \begin{itemize} \item Contact CIRCL \begin{itemize} \item info@circl.lu \item \url{https://twitter.com/circl_lu} \item \url{https://www.circl.lu/} \end{itemize} \item Contact MISPProject \begin{itemize} \item \url{https://github.com/MISP} \item \url{https://gitter.im/MISP/MISP} \item \url{https://twitter.com/MISPProject} \end{itemize} \item Cerebrate project \begin{itemize} \item \url{https://github.com/cerebrate-project} \item \url{https://github.com/cerebrate-project/cerebrate} \end{itemize} \end{itemize} \end{frame}