
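% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
%
% Beamer frames for the MISP introduction talk. The document class, theme,
% \title/\author metadata and the packages this content relies on
% (graphicx for \includegraphics, url/hyperref for \url) are presumably
% provided by the including file -- confirm before reusing elsewhere.

% Title slide; \titlepage reads the metadata set by the including file.
\begin{frame}
  \titlepage
\end{frame}

% Agenda.
\begin{frame}
  \frametitle{The aim of this presentation}
  \begin{itemize}
    \item Who are we (CIRCL)?
    \item Brief introduction to MISP
    \item What sort of communities are using MISP?
    \item How to get started
  \end{itemize}
\end{frame}

% Who we are: CIRCL's mandate and its relation to the MISP project.
\begin{frame}
  \frametitle{MISP and CIRCL}
  \begin{center}
    \includegraphics[scale=0.45]{pics/circl.png}
    \hspace{2.5em}
    \includegraphics[scale=0.35]{pics/misp.pdf}
  \end{center}
  \begin{itemize}
    \item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg \textbf{National CERT for the private sector}.
    \item CIRCL runs multiple large MISP communities performing \textbf{active daily threat-intelligence sharing}
    \item CIRCL leads the development of \textbf{MISP and many other open source software}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
  \end{itemize}
\end{frame}

% One-slide definition of MISP: collect, normalise/correlate/enrich, collaborate, feed tooling.
\begin{frame}
  \frametitle{What is MISP?}
  \begin{itemize}
    \item MISP is a \textbf{threat information sharing} platform that is free \& open source software
    \item A tool that \textbf{collects} information from partners, your analysts, your tools, feeds
    \item Normalises, \textbf{correlates}, \textbf{enriches} the data
    \item Allows teams and communities to \textbf{collaborate}
    \item \textbf{Feeds} automated protective tools and analyst tools with the output
  \end{itemize}
\end{frame}

% Why communities share: the defensive value of pooled, contextualised threat information.
\begin{frame}
  \frametitle{What are some key objectives of communities?}
  \begin{itemize}
    \item To build ``herd immunity'' by sharing \textbf{community relevant} threat information
    \item By allowing to share data both for \textbf{automation} and to \textbf{tell a story}
    \item \textbf{Standardise} on how we \textbf{express} and \textbf{contextualise} threat information
    \item \textbf{Monitor trends} about attacks against your community
    \item Rely on the shared data to \textbf{bootstrap your investigations}
  \end{itemize}
\end{frame}

% Feature overview: collaboration/sharing controls and the export formats
% that feed detection and analysis tooling.
\begin{frame}
  \frametitle{MISP Features Highlights}
  \begin{itemize}
    \item Functionalities to assist users in \textbf{creating, collaborating and sharing}
    \begin{itemize}
      \item A wide range of imports
      \item REST API
      \item Automatic correlation
      \item Proposals
      \item Granular distribution levels and sharing groups
      \item Advanced synchronisation mechanisms
    \end{itemize}
    \item A host of export formats
    \begin{itemize}
      \item \textbf{IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
      \item \textbf{SIEMs}: \texttt{CEF, STIX}
      \item \textbf{Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
      \item \textbf{Analysis tools}: \texttt{Maltego}
      \item \textbf{DNS policies}: \texttt{RPZ}
    \end{itemize}
  \end{itemize}
\end{frame}

% Typology of existing MISP communities.
\begin{frame}
  \frametitle{What sort of MISP communities are there?}
  \begin{itemize}
    \item \textbf{Generalist} cyber security communities (CIRCL's Private sector community, FIRST, etc)
    \item \textbf{Sectorial} communities (Financial, ISPs, GSMs, Law enforcement, Military, etc)
    \item \textbf{Geographic communities} such as national, regional (Nordic, South American, etc)
    \item Communities centered around \textbf{international organisations} (EU, NATO, etc)
    \item \textbf{Topical} communities (disinformation, RATs, COVID-19, climate)
  \end{itemize}
\end{frame}

% Community statistics. These figures are a snapshot from the time of the
% talk and are not updated automatically; refresh them when reusing the deck.
\begin{frame}
  \frametitle{An example community in numbers: The CIRCL Private sector community}
  \begin{itemize}
    \item \textbf{Users}: 3.4k
    \item \textbf{Organisations}: 1.6k
    \item \textbf{Organisations having shared events}: 441
    % "~" in text mode is a non-breaking space, not a tilde: a bare ~77k
    % renders as " 77k" and loses the "approximately". Use the math symbol.
    \item \textbf{Events}: $\sim$77k
    \item \textbf{Data points}: 12M
    \item \textbf{Correlations}: 9M
    \item \textbf{Proposals}: 78k
  \end{itemize}
\end{frame}

% Onboarding options, from joining a hosted community to running your own.
\begin{frame}
  \frametitle{Getting started}
  \begin{itemize}
    \item Simplest: \textbf{join an existing community} hosted by a trusted peer, use their instance
    \item \textbf{Run your own} instance (simply install the OSS) and \textbf{connect to} established communities
    \item \textbf{Start your own} community with your own guidelines
    \item None of the above are exclusive
    \item \textbf{Organic growth} from one to the other is expected
  \end{itemize}
\end{frame}

% Contact slide.
\begin{frame}
  \frametitle{Get in touch if you have any questions}
  \begin{itemize}
    \item Contact CIRCL
    \begin{itemize}
      \item info@circl.lu
      \item \url{https://twitter.com/circl_lu}
      \item \url{https://www.circl.lu/}
    \end{itemize}
    \item Contact MISPProject
    \begin{itemize}
      \item \url{https://github.com/MISP}
      \item \url{https://gitter.im/MISP/MISP}
      \item \url{https://twitter.com/MISPProject}
    \end{itemize}
  \end{itemize}
\end{frame}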