mirror of https://github.com/MISP/misp-training
305 lines
12 KiB
TeX
Executable File
305 lines
12 KiB
TeX
Executable File
% DO NOT COMPILE THIS FILE DIRECTLY!
|
|
% This is included by the other .tex files.
|
|
|
|
\begin{frame}[t,plain]
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Purpose of this session}
|
|
\begin{itemize}
|
|
\item Cliffs notes on what MISP is all about
|
|
\item Describe what we ended up building
|
|
\begin{itemize}
|
|
\item In terms of a COVID-19 community
|
|
\item As well as actual tooling
|
|
\end{itemize}
|
|
\item Community involvement
|
|
\item What did end up working for us and what didn't
|
|
\item Some lessons learnt
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Origins}
|
|
\begin{itemize}
|
|
\item As the pandemic started we all quickly faced a set of new issues to tackle
|
|
\begin{itemize}
|
|
\item Remote work exposed completely {\bf new attack surfaces}
|
|
\item We were all personally invested in {\bf tracking the evolution of the pandemic} itself
|
|
\item There was a rampant {\bf abuse of the general chaos}, for a host of objectives
|
|
\end{itemize}
|
|
\item We saw more and more disjointed information popping up in our regular communities...
|
|
\item ...but both the {\bf reach} and the {\bf interest} were varied
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{What is MISP}
|
|
\begin{itemize}
|
|
\item {\bf Threat Intelligense Sharing Platform} (TISP)
|
|
\item To summarise what it does:
|
|
\begin{itemize}
|
|
\item {\bf Ingests data} from different sources (analysis, feeds, partners, tools)
|
|
\item {\bf Processes} the data (common format, correlation, enrichment, etc)
|
|
\item Allows us to {\bf interact} with it (collaboration, contextualisation, improvement)
|
|
\item {\bf Disseminates} the data (our tools, partners, constituency, the world)
|
|
\end{itemize}
|
|
\item Besides being a tool, MISP is also a set of libraries, best practices and a standard
|
|
\item All of this is open-source and lead by us
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{A side note - FIRST MISP instance}
|
|
\begin{itemize}
|
|
\item \url{https://misp.first.org}
|
|
\item Just authenticate with the SSO of FIRST
|
|
\item Start using the {\bf hosted instance}...
|
|
\item ...or {\bf set up your own} and start synchronising with it.
|
|
\item Information sharing SIG (\url{https://www.first.org/global/sigs/information-sharing})
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Flexibility}
|
|
\begin{itemize}
|
|
\item Long time goal to make the tool as {\bf flexible} as possible
|
|
\item Modular data-model lead to a diversification of the user-base
|
|
\begin{itemize}
|
|
\item IT security
|
|
\item Financial fraud
|
|
\item Border control / law enforcement
|
|
\item Vulnerability management
|
|
\item Weird radar wave-forms information sharing?...
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{COVID-19 - our personal challenges}
|
|
\begin{itemize}
|
|
\item Suddenly our lives changed with COVID-19
|
|
\begin{itemize}
|
|
\item Obvious cause for concern for all of us, focus of day-to-day lives
|
|
\item At the start of the pandemic, information was sparse and difficult to understand
|
|
\item Where can we travel? How concerned should we be? How are countries dealing with all of this?
|
|
\end{itemize}
|
|
\item Can't we do better? We claim that MISP is so flexible, let's put it to test
|
|
\item Overcoming doubts - {\bf lack of expertise, massive effort, lack of interest}, etc
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{COVID-19 MISP}
|
|
\begin{itemize}
|
|
\item The initial goal was to modify MISP to help us track the pandemic
|
|
\item What we thought we needed:
|
|
\begin{itemize}
|
|
\item A {\bf new data-model} to capture health related information
|
|
\item Good {\bf data-sources} and ways to ingest them
|
|
\item A way to {\bf visiualise} all of this information
|
|
\end{itemize}
|
|
\item What we needed additionally as it turns out
|
|
\begin{itemize}
|
|
\item Ways to deal with an {\bf explosive growth in a community}
|
|
\item Manage a community that has several {\bf distinct layers of information exchange}
|
|
\item Building an {\bf allowlist system} for other positive COVID-19 related efforts
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{New data model and ingestion}
|
|
\begin{itemize}
|
|
\item We've found and built our connectors to our two main health related sources
|
|
\begin{itemize}
|
|
\item John Hopkins data set
|
|
\item Chinese governmental reporting
|
|
\end{itemize}
|
|
\item This meant new "object templates" to model these...
|
|
\item ...as well as feed ingestors that would automatically fetch this data daily
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{John Hopkins covid object}
|
|
\includegraphics[width=1.00\linewidth]{csse.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{New dashboard system}
|
|
\begin{itemize}
|
|
\item We actually lacked a nice distributed way of visualising data
|
|
\item The idea was to build a new dashboard with the following goals
|
|
\begin{itemize}
|
|
\item Easy to repurpose and build widgets for
|
|
\item Full access to the functionalities of MISP
|
|
\item Adhere to the releasability rules of MISP
|
|
\item Each user will want to customise their own configuration
|
|
\item Even though it's a nice side-project, the main goal is to make MISP better for all use-cases
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{New dashboard system}
|
|
\includegraphics[width=1.0\linewidth]{dashboard.png}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{COVID-19 MISP 1.0}
|
|
\begin{itemize}
|
|
\item All of this took us {\bf ~2 weekends} and some long evenings
|
|
\item The result worked surprisingly well
|
|
\item More surprisingly, many were interested
|
|
\item Coping with access requests became a challenge, so we needed something new
|
|
\begin{itemize}
|
|
\item User self-registration (this was new)
|
|
\item Rely on org administrators to manage their teams (we do this already in other places)
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Self registration}
|
|
\includegraphics[width=0.6\linewidth]{registration.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{So who was interested?}
|
|
\begin{itemize}
|
|
\item Initially, mostly people looking for a COVID-19 dashboard/health info
|
|
\item Over the time though, we've ended up with 4 main pillars of information sharing around COVID-19
|
|
\begin{itemize}
|
|
\item Health
|
|
\item Cyber-threats
|
|
\item Disinformation
|
|
\item Known "good" domains / websites
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Userbase growth}
|
|
\includegraphics[width=1\linewidth]{user_regs_daily.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Health}
|
|
\begin{itemize}
|
|
\item Initially had a large uptake
|
|
\item Became less relevant over time, others started improving
|
|
\item Daily updates of health data
|
|
\item Articles / reports about the topic
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Cyber threat information}
|
|
\begin{itemize}
|
|
\item How are {\bf attackers abusing} the situation?
|
|
\item Remote work transformation projects with COVID-19 as the PM
|
|
\item {\bf New attack surfaces}, heavily abused
|
|
\item More traditional information sharing, similar to our other MISPs
|
|
\item Groups involved:
|
|
\begin{itemize}
|
|
\item CSIRTs, SOCs, researchers, governments in general
|
|
\item Other vendors / providers (Splunk, OTX, RiskIQ, NCSC.uk)
|
|
\item CTI-league
|
|
\item Sectorial groups, such as the Luxembourgish health sector
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Disinformation campaigns}
|
|
\begin{itemize}
|
|
\item Anti-vaxxers / Anti-maskers
|
|
\item COVID-deniers
|
|
\item Often political motivation / influence campaigns
|
|
\item Driven by CogSec Collaborative (\url{https://cogsec-collab.org/})
|
|
\item Spawned a host of new object templates (focusing on social media, facebook, twitter, etc)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Disinformation \#wewontstayhome}
|
|
\includegraphics[width=1.00\linewidth]{wewontstayhome.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Disinformation "Operation Gridlock"}
|
|
\includegraphics[width=1.00\linewidth]{operationgridlock.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Disinformation and correlation}
|
|
\includegraphics[scale=0.14]{misinfo-correlation.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Allowlists for known good resources}
|
|
\begin{itemize}
|
|
\item Anything covid related often ended up {\bf getting blocked}
|
|
\item Including official, national outlets
|
|
\item Publishing of legitimate research, visualisations
|
|
\item {\bf No official lists of governmental known good related sites}
|
|
\item Lead to maintaining several {\bf allowlists} (CTI-league, Krassi's list, etc)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Some statistics}
|
|
\begin{itemize}
|
|
\item ~1600 users...
|
|
\item ...from 300+ organisations
|
|
\item 10k+ events shared
|
|
\item ~3.5M data points
|
|
\item During the peak, almost 15TB of traffic / month
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The shift in topics of information shared}
|
|
\includegraphics[width=1.00\linewidth]{topics_of_sharing_daily.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{What worked well}
|
|
\begin{itemize}
|
|
\item We did indeed get a {\bf new topical sharing community} up and running quickly
|
|
\item The lighweight rules ended up creating a {\bf very inclusive community}
|
|
\item We saw several useful {\bf community efforts} emerge (regional health sector initiatives, disinfo sharing, etc)
|
|
\item Loads of ideas for {\bf improvements} that will {\bf benefit other use-cases}
|
|
\item We could adapt the tool itself quite quickly
|
|
\item Interesting overlaps between data from the 4 different domains
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{What didn't work / caused issues}
|
|
\begin{itemize}
|
|
\item Initial idea of all users being in an {\bf anonymous COVID-19} organisation
|
|
\item Giving some members that had the trust of the community {\bf group admin roles} for the collective COVID-19 org
|
|
\item This lead to some abuse initially
|
|
\item {\bf Intermingling data} of 4 separate concerns without clear distinction / guidelines
|
|
\item Still being a bit {\bf too slow to heavily commit} and losing some communities initially
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Lessons learnt / takeaways}
|
|
\begin{itemize}
|
|
\item {\bf Don't be afraid to step out of your comfort zones}
|
|
\item Be {\bf agile} when {\bf new types of threats} emerge, don't wait, just get to work
|
|
\item {\bf Removing control provides freedom} to collaborate and share information
|
|
\item Bootstraping a community is easy technically, but requires continuous {\bf community management}
|
|
\item {\bf New information and topics} shared can move a community towards different fields
|
|
\item MISP is indeed quite flexible, but we had some serious deficiencies that we had to overcome (visualisation)
|
|
\item The {\bf good-will is there in the community} to share and to help others stay protected. Assist them!
|
|
\end{itemize}
|
|
\end{frame}
|
|
|