mirror of https://github.com/MISP/misp-training
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.

\begin{frame}[t,plain]
\titlepage
\end{frame}

\begin{frame}
\frametitle{Bringing workflows into the threat intelligence platform}
After multiple years, MISP users have reached a significant maturity level:
\begin{itemize}
\item Events with {\bf complex TTPs, objects and attributes};
\item Exhaustive context such as {\bf MITRE ATT\&CK}, tags and relationships;
\item Availability of {\bf external modules and services} (e.g. from expansion services to third-party CTI);
\item Comprehensive {\bf processing pipelines} for threat intelligence are available.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Where is the glue?}
\begin{itemize}
\item The initial idea came from GeekWeek7.5
\begin{center}
\includegraphics[width=0.5\linewidth]{pictures/geekweek75.jpg}
\end{center}
\item Experienced users wanted a way to {\bf trigger actions and to modify the behaviour of MISP}, in particular by leveraging what they already have in their MISP platform.
\item {\bf Creating workflows for any of the steps} in MISP (creating attributes/objects, publishing and sharing information, ...).
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Simplistic overview}
\begin{enumerate}
\item The \textbf{user interacts} with MISP using the UI or the API
\item MISP handles the request and starts \textbf{preparing the data} needed to perform the operation
\item MISP checks whether any workflows are \textbf{listening to the trigger} fired by this operation
\item MISP fetches the enabled workflows and \textbf{executes} them
\item If no blocking workflow failed, MISP \textbf{continues} and performs the operation
\end{enumerate}
\end{frame}

\begin{frame}
\frametitle{Terminology}
\begin{enumerate}
\item \textbf{workflow}: a sequence of actions to be executed
\item \textbf{execution path}: a path composed of actions that are executed sequentially
\begin{itemize}
\item A workflow can contain more than one execution path
\end{itemize}
\item \textbf{trigger}: the starting point of an \texttt{execution path}. Triggers are called when specific actions are performed by MISP
\begin{itemize}
\item A workflow can contain more than one trigger, but only one per trigger type
\end{itemize}
\end{enumerate}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/workflow-view.png}
\end{center}
\end{frame}

\begin{frame}
\frametitle{Workflow execution in MISP}
\begin{enumerate}
\item A trigger is called;
\item The workflows listening to the called trigger are collected;
\item The workflows are executed in the saved order.
\end{enumerate}
\begin{center}
\includegraphics[width=0.5\linewidth]{pictures/execution-order-1.png}
\end{center}
\end{frame}

\begin{frame}
\frametitle{Execution Paths}
Currently 2 types of execution path:
\vspace{0.5em}
\begin{itemize}
\item {\bf Blocking}: execution is stopped in case of error
\begin{itemize}
\item The current workflow's blocking execution path is {\bf stopped}
\item Any blocking path of the following workflows {\bf will not be executed}
\end{itemize}
\vspace{0.5em}
\item {\bf Non-blocking}/Deferred: an error stops the execution of the current path only
\begin{itemize}
\item The current execution path is {\bf stopped}
\item Execution of the remaining paths {\bf resumes}
\item Paths from other workflows {\bf will be executed}
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Execution Order and Execution Types}
\begin{itemize}
\item \textbf{Blocking} paths from all workflows are executed first, in the saved order
\item If any blocking execution fails, the action that called the trigger is \textbf{stopped}
\item \textbf{Parallel/Deferred} paths from all workflows are executed next; their order is irrelevant
\end{itemize}
\begin{center}
\includegraphics[width=0.35\linewidth]{pictures/execution-order-2.png}
\includegraphics[width=0.40\linewidth]{pictures/trigger-outputs.png}
\end{center}
\end{frame}

\begin{frame}
\frametitle{Publishing example}
\begin{enumerate}
\item An event is published
\item MISP starts the publishing process, which calls the event publish trigger
\item MISP executes the workflows listening to that trigger
\begin{itemize}
\item {\bf execution success}: publishing proceeds
\item {\bf execution failure} (blocking path): publishing is stopped, the reason is logged and the failure is reported to the user
\end{itemize}
\end{enumerate}
\end{frame}

\begin{frame}
\frametitle{Execution context}
\begin{itemize}
\item A workflow can be triggered by any user
\item However, the workflow executes as the user who {\bf created it}, not as the user who triggered it
\item This guarantees that a workflow created by a user with higher privileges is executed correctly, whoever triggers it
\item As a consequence, the right to create or edit workflows must be treated as a privileged permission: a lower-privileged user who triggers a workflow causes its actions to run with the creator's rights
\end{itemize}
\end{frame}

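The execution semantics spread over the previous slides (blocking paths of all listening workflows first in saved order, a blocking failure vetoing the triggering operation, a deferred failure stopping only its own path, and every workflow running as its creator rather than as the user who triggered it) are easier to reason about when written down as a scheduler. The block below is an added example, not code from MISP or from the misp-training material: the names \texttt{ExecutionPath}, \texttt{Workflow}, \texttt{ExecutionReport}, \texttt{fire\_trigger}, the sample actions and the user roles are illustrative constructs, and the simulation assumes that deferred paths are skipped once a blocking path has failed, which the slides do not state either way. The scenario replays the publishing example: a blocking TLP gate, then a deferred notification workflow whose first node fails.

```python
# Added example, not code from MISP or the misp-training material: a simulation
# of the execution semantics described on the slides. ExecutionPath, Workflow,
# fire_trigger and the sample actions are illustrative names, not MISP's API.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# An action node receives the data being processed and the user the workflow
# runs as; it returns True on success and False to report a failure.
Action = Callable[[dict, str], bool]

@dataclass
class ExecutionPath:
    kind: str                           # "blocking" or "non-blocking"
    actions: List[Tuple[str, Action]]   # (node name, action), in path order

@dataclass
class Workflow:
    name: str
    trigger: str                        # trigger this workflow listens to
    creator: str                        # the workflow executes as its creator
    paths: List[ExecutionPath]
    enabled: bool = True

@dataclass
class ExecutionReport:
    proceed: bool = True                # may MISP carry on with the operation?
    executed: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

def _run_path(wf: Workflow, path: ExecutionPath, data: dict, report: ExecutionReport) -> bool:
    """Run one path's actions sequentially; stop at the first failing node."""
    for node_name, action in path.actions:
        report.executed.append(f"{wf.name}/{node_name}")
        if not action(data, wf.creator):    # runs as the creator, never as the caller
            report.errors.append(f"{wf.name}/{node_name} failed ({path.kind} path, run as {wf.creator})")
            return False
    return True

def fire_trigger(trigger: str, workflows: List[Workflow], data: dict) -> ExecutionReport:
    """Run the enabled workflows listening to `trigger` (list order = saved order)."""
    report = ExecutionReport()
    listening = [wf for wf in workflows if wf.enabled and wf.trigger == trigger]
    # 1. Blocking paths of all workflows, in saved order. The first failure skips every
    #    remaining blocking path and vetoes the operation that fired the trigger.
    for wf in listening:
        for path in wf.paths:
            if path.kind == "blocking" and not _run_path(wf, path, data, report):
                report.proceed = False
                return report   # assumption: deferred paths are skipped as well
    # 2. Non-blocking/deferred paths: a failure stops that path only, the other
    #    paths still run and the operation is not vetoed.
    for wf in listening:
        for path in wf.paths:
            if path.kind == "non-blocking":
                _run_path(wf, path, data, report)
    return report

# --- Constructed sample scenario: the "publishing example" from the slides ---
ROLES = {"analyst": "user", "admin": "site_admin"}      # constructed user roles

def require_tlp(data: dict, acting_user: str) -> bool:
    """Blocking gate: refuse to publish an event that carries no TLP tag."""
    return any(t.startswith("tlp:") for t in data.get("tags", []))

def enrich(data: dict, acting_user: str) -> bool:
    return False    # simulates an enrichment module that errors out

def push_to_zmq(data: dict, acting_user: str) -> bool:
    data["zmq_published"] = True
    return True

def admin_only_action(data: dict, acting_user: str) -> bool:
    """Succeeds only with site_admin rights; an analyst's publish still gets it
    executed because the workflow runs as its admin creator."""
    return ROLES.get(acting_user) == "site_admin"

WORKFLOWS = [   # saved order: the TLP gate is evaluated before the notifications
    Workflow("tlp-gate", "event-publish", creator="analyst",
             paths=[ExecutionPath("blocking", [("require-tlp", require_tlp)])]),
    Workflow("notify", "event-publish", creator="admin", paths=[
        ExecutionPath("non-blocking", [("enrich", enrich), ("zmq", push_to_zmq)]),
        ExecutionPath("non-blocking", [("admin-only", admin_only_action)]),
    ]),
]

def publish_event(event: dict, triggered_by: str) -> ExecutionReport:
    """Publish: fire the trigger, then proceed only if no blocking path failed."""
    event["triggered_by"] = triggered_by    # who clicked publish; irrelevant to run-as
    report = fire_trigger("event-publish", WORKFLOWS, event)
    event["published"] = report.proceed
    return report

if __name__ == "__main__":
    for tags in ([], ["tlp:amber"]):
        ev = {"info": "phishing campaign", "tags": tags}
        rep = publish_event(ev, "analyst")
        print(tags, "published:", ev["published"], rep.executed, rep.errors)
```

Running the scenario twice makes the two failure modes visible: without a TLP tag the blocking gate fails, nothing else runs and the event stays unpublished; with \texttt{tlp:amber} the gate passes, the failing \texttt{enrich} node stops only its own path (the \texttt{zmq} node behind it never runs), the second deferred path still executes, and publishing proceeds. The \texttt{admin-only} node succeeds even though an analyst triggered the publish, which is exactly why workflow creation has to be treated as a privileged operation.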
\begin{frame}
\frametitle{Workflow modules}
\begin{center}
\includegraphics[width=0.5\linewidth]{pictures/module-type.png}
\end{center}
\begin{itemize}
\item 3 types of modules
\begin{itemize}
\item \texttt{trigger}: entry point of the execution
\begin{itemize}
\item Event publish, email about to be sent, feed data about to be saved, ...
\end{itemize}
\item \texttt{logic}: redirects the execution flow
\begin{itemize}
\item IF condition, fork of the blocking execution into a non-blocking one, ...
\end{itemize}
\item \texttt{action}: modules that can modify data, prevent the execution or perform additional actions
\begin{itemize}
\item Publish to ZMQ, perform enrichments, block the execution, ...
\end{itemize}
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Creating a workflow with the editor}
\begin{enumerate}
\item Drag a \texttt{trigger} module from the side panel onto the canvas
\item Drag an \texttt{action} module from the side panel onto the canvas
\item From the \texttt{trigger} output, drag an arrow into the \texttt{action} input (left side)
\begin{itemize}
\item You choose between a \texttt{blocking} and a \texttt{non-blocking} execution path by connecting the arrow to the corresponding trigger output
\end{itemize}
\end{enumerate}
\begin{center}
\includegraphics[width=1.0\linewidth]{pictures/editor-1.png}
\end{center}
\end{frame}

\begin{frame}
\frametitle{Workflow example with ATT\&CK}
\begin{center}
\includegraphics[width=0.9\linewidth]{pictures/ATT&CK-support.png}
\end{center}
\begin{enumerate}
\item Automatically processing phishing cases based on their ATT\&CK context, including enrichment and publishing pipelines.
\end{enumerate}
\end{frame}

\begin{frame}
\frametitle{Workflow - advanced example}
\vspace{-2em}
\begin{center}
\includegraphics[width=1.05\linewidth]{pictures/example-7.png}
\end{center}
\begin{center}
\includegraphics[width=0.45\linewidth]{pictures/event-1.png}
\end{center}
\end{frame}

\begin{frame}
\frametitle{Ongoing developments}
\begin{itemize}
\item First release of workflows in MISP for the FIRST.org annual conference in Dublin (end of June).
\item {\bf Workflows are shareable} and a library of workflows will be made available.
\item Gathering ideas and requirements for new workflows from the threat intelligence community.
\item Reviewing ATT\&CK techniques to be mapped in MISP workflows.
\end{itemize}
\end{frame}