mirror of https://github.com/MISP/misp-training
211 lines
9.9 KiB
TeX
Executable File
211 lines
9.9 KiB
TeX
Executable File
% DO NOT COMPILE THIS FILE DIRECTLY!
|
|
% This is included by the other .tex files.
|
|
|
|
\begin{frame}[t,plain]
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{MISP features}
|
|
\begin{itemize}
|
|
\item MISP\footnote{\url{https://github.com/MISP/MISP}} is a threat information sharing free \& open source software.
|
|
\item MISP has {\bf a host of functionalities} that assist users in creating, collaborating \& sharing threat information - e.g. flexible sharing groups, {\bf automatic correlation}, free-text import helper, event distribution \& proposals.
|
|
\item Many export formats which support IDSes / IPSes (e.g. Suricata, Bro, Snort), SIEMs (eg CEF), Host scanners (e.g. OpenIOC, STIX, CSV, yara), analysis tools (e.g. Maltego), DNS policies (e.g. RPZ).
|
|
\item A rich set of MISP modules\footnote{\url{https://www.github.com/MISP/misp-modules}} to add expansion, import and export functionalities.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{MISP and starting from a practical use-case}
|
|
\begin{itemize}
|
|
\item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
|
|
\item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
|
|
\item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
|
|
\item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
|
|
\item MISP is now {\bf a community-driven development}.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Communities using MISP}
|
|
\begin{itemize}
|
|
\item Communities are groups of users sharing within a set of common objectives/values.
|
|
\item CIRCL operates multiple MISP instances with a significant user base (more than 950 organizations with more than 2400 users).
|
|
\item {\bf Trusted groups} running MISP communities in island mode (air gapped system) or partially connected mode.
|
|
\item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
|
|
\item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
|
|
\item {\bf Security vendors} running their own communities (e.g. Fidelis) or interfacing with MISP communities (e.g. OTX).
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Many objectives from different user-groups}
|
|
\begin{itemize}
|
|
\item Sharing indicators for a {\bf detection} matter.
|
|
\begin{itemize}
|
|
\item 'Do I have infected systems in my infrastructure or the ones I operate?'
|
|
\end{itemize}
|
|
\item Sharing indicators to {\bf block}.
|
|
\begin{itemize}
|
|
\item 'I use these attributes to block, sinkhole or divert traffic.'
|
|
\end{itemize}
|
|
\item Sharing indicators to {\bf perform intelligence}.
|
|
\begin{itemize}
|
|
\item 'Gathering information about campaigns and attacks. Are they related? Who is targeting me? Who are the adversaries?'
|
|
\end{itemize}
|
|
\item $\rightarrow$ These objectives can be conflicting (e.g. False-positives have different impacts)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{MISP Project Overview}
|
|
\includegraphics[scale=0.35]{misp-overview-simplified.pdf}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Getting some naming conventions out of the way...}
|
|
\begin{itemize}
|
|
\item Data layer
|
|
\begin{itemize}
|
|
\item {\bf Events} are encapsulations for contextually linked information
|
|
\item {\bf Attributes} are individual data points, which can be indicators or supporting data.
|
|
\item {\bf Objects} are custom templated Attribute compositions
|
|
\item {\bf Object references} are the relationships between other building blocks
|
|
\end{itemize}
|
|
\item Context layer
|
|
\begin{itemize}
|
|
\item {\bf Tags} are labels attached to events/attributes and can come from {\bf Taxonomies}
|
|
\item {\bf Galaxy-clusters} are knowledge base items used to label events/attributes and come from {\bf Galaxies}.
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{A rich data-model: telling stories via relationships}
|
|
\includegraphics[scale=0.24]{screenshots/bankaccount.png}
|
|
\includegraphics[scale=0.18]{screenshots/bankview.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Contextualisation and aggregation}
|
|
\begin{itemize}
|
|
\item MISP integrates at the event and the attribute levels MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT\&CK).
|
|
\end{itemize}
|
|
\includegraphics[scale=0.2]{screenshots/attack-screenshot.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Sharing in MISP}
|
|
\begin{itemize}
|
|
\item Sharing via distribution lists - {\bf Sharing groups}
|
|
\item {\bf Delegation} for pseudo-anonymised information sharing
|
|
\item {\bf Proposals} and {\bf Extended events} for collaborated information sharing
|
|
\item Synchronisation, Feed system, air-gapped sharing
|
|
\item User defined {\bf filtered sharing} for all the above mentioned methods
|
|
\item Cross-instance information {\bf caching} for quick lookups of large data-sets
|
|
\item Support for multi-MISP internal enclaves
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{MISP core distributed sharing functionality}
|
|
\begin{itemize}
|
|
\item MISPs' core functionality is sharing where everyone can be a consumer and/or a contributor/producer."
|
|
\item Quick benefit without the obligation to contribute.
|
|
\item Low barrier access to get acquainted to the system.
|
|
\end{itemize}
|
|
\includegraphics[scale=0.9]{misp-distributed.pdf}
|
|
\end{frame}
|
|
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{Information quality management}
|
|
\begin{itemize}
|
|
\item Correlating data
|
|
\item Feedback loop from detections via {\bf Sightings}
|
|
\item {\bf False positive management} via the warninglist system
|
|
\item {\bf Enrichment system} via MISP-modules
|
|
\item {\bf Integrations} with a plethora of tools and formats
|
|
\item Flexible {\bf API} and support {\bf libraries} such as PyMISP to ease integration
|
|
\item {\bf Timelines} and giving information a temporal context
|
|
\item Full chain for {\bf indicator life-cycle management}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Correlation features: a tool for analysts}
|
|
\includegraphics[scale=0.18]{screenshots/campaign.png}
|
|
\begin{itemize}
|
|
\item To {\bf corroborate a finding} (e.g. is this the same campaign?), {\bf reinforce an analysis} (e.g. do other analysts have the same hypothesis?), {\bf confirm a specific aspect} (e.g. are the sinkhole IP addresses used for one campaign?) or just find if this {\bf threat is new or unknown in your community}.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Sightings support}
|
|
\begin{columns}[t]
|
|
\column{5.0cm}
|
|
\begin{figure}
|
|
\includegraphics[scale=0.3]{screenshots/sighting-n.png}\\
|
|
\includegraphics[scale=0.34]{screenshots/Sightings2.PNG}
|
|
\end{figure}
|
|
\column{7cm}
|
|
\begin{itemize}
|
|
\item Has a data-point been {\bf sighted} by me or the community before?
|
|
\item Additionally, the sighting system supports negative sigthings (FP) and expiration sightings.
|
|
\item Sightings can be performed via the API or the UI.
|
|
\item Many use-cases for {\bf scoring indicators} based on users sighting.
|
|
\item For large quantities of data, {\bf SightingDB} by Devo
|
|
\end{itemize}
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Timelines and giving information a temporal context}
|
|
\begin{itemize}
|
|
\item Recently introduced {\bf \texttt{first\_seen}} and {\bf \texttt{last\_seen}} data points
|
|
\item All data-points can be placed in time
|
|
\item Enables the {\bf visualisation} and {\bf adjustment} of indicators timeframes
|
|
\end{itemize}
|
|
\begin{center}
|
|
\includegraphics[width=1.0\linewidth]{timeline-misp-overview.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Life-cycle management via decaying of indicators}
|
|
\includegraphics[width=1.00\linewidth]{decaying-event.png}
|
|
\begin{itemize}
|
|
\item \texttt{Decay score} toggle button
|
|
\begin{itemize}
|
|
\item Shows Score for each \textit{Models} associated to the \textit{Attribute} type
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Decaying of indicators: Fine tuning tool}
|
|
\includegraphics[width=1.00\linewidth]{decaying-tool.png}
|
|
Create, modify, visualise, perform mapping
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Decaying of indicators: simulation tool}
|
|
\includegraphics[width=1.00\linewidth]{decaying-simulation.png}
|
|
Simulate \textit{Attributes} with different \textit{Models}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\frametitle{Conclusion}
|
|
\begin{itemize}
|
|
\item {\bf Information sharing practices come from usage} and by example (e.g. learning by imitation from the shared information).
|
|
\item MISP is just a tool. What matters is your sharing practices. The tool should be as transparent as possible to support you.
|
|
\item Enable users to customize MISP to meet their community's use-cases.
|
|
\item MISP project combines open source software, open standards, best practices and communities to make information sharing a reality.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|