mirror of https://github.com/MISP/misp-training
248 lines
7.3 KiB
TeX
Executable File
248 lines
7.3 KiB
TeX
Executable File
% DO NOT COMPILE THIS FILE DIRECTLY!
|
|
% This is included by the other .tex files.
|
|
|
|
\begin{frame}[t,plain]
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Summary}
|
|
\begin{itemize}
|
|
\item Past \& current status
|
|
\item Recent changes
|
|
\item Continuous improvement \& future roadmap
|
|
\item Organisational \& philosophical aspects
|
|
\item Demo (?)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{MISP \& STIX}
|
|
\begin{itemize}
|
|
\item{\bf Built-in integration}
|
|
\item Export \& Import features
|
|
\begin{itemize}
|
|
\item Export MISP Events collections
|
|
\item Import STIX files
|
|
\end{itemize}
|
|
\item Supported version
|
|
\begin{itemize}
|
|
\item STIX 1.1.1
|
|
\item STIX 2.0
|
|
\end{itemize}
|
|
\item Accessible via restSearch
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{STIX conversion usage in MISP}
|
|
\centering
|
|
\includegraphics[scale=0.19]{images/simple_rest_query.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{STIX conversion usage in MISP}
|
|
\centering
|
|
\includegraphics[scale=0.2]{images/simple_rest_results.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{STIX conversion usage in MISP}
|
|
\centering
|
|
\includegraphics[scale=0.235]{images/simple_rest_curl.png} \\
|
|
\includegraphics[scale=0.235]{images/simple_rest_pymisp.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Feature limitations}
|
|
\begin{minipage}{0.45\textwidth}
|
|
\begin{itemize}
|
|
\item {\bf Supported versions}
|
|
\begin{itemize}
|
|
\item 1.1.1 XML (\& JSON)
|
|
\item 2.0
|
|
\end{itemize}
|
|
\item Data type support
|
|
\end{itemize}
|
|
\end{minipage}%
|
|
\begin{minipage}{0.55\textwidth}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{images/limited_version.jpg}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Feature limitations}
|
|
\begin{minipage}{0.5\textwidth}
|
|
\begin{itemize}
|
|
\item Supported versions
|
|
\begin{itemize}
|
|
\item 1.1.1 XML (\& JSON)
|
|
\item 2.0
|
|
\end{itemize}
|
|
\item {\bf Data type support}
|
|
\end{itemize}
|
|
\end{minipage}%
|
|
\begin{minipage}{0.5\textwidth}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{images/limited_data_type.jpg}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Practical \& Organisational limitations}
|
|
\begin{itemize}
|
|
\item Export and import features only available via MISP
|
|
\begin{itemize}
|
|
\item Need an automation key (and/or to deal with the UI)
|
|
\end{itemize}
|
|
\item []
|
|
\item {\bf Github}: STIX issues lost within the MISP core issues
|
|
\pause
|
|
\vspace{4em}
|
|
\begin{center}
|
|
\includegraphics[scale=0.4]{images/issues.png}
|
|
\end{center}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The solution}
|
|
\begin{center}
|
|
\includegraphics[scale=0.3]{images/solution.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Key features}
|
|
\begin{itemize}
|
|
\item Support all the STIX versions
|
|
\begin{itemize}
|
|
\item {\bf STIX 2.1 Support}
|
|
\item 1.1.1, 1.2, 2.0 Support enhanced
|
|
\end{itemize}
|
|
\item Various MISP data collection supported
|
|
\item[]
|
|
\item {\bf Mapping documentation}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Handling the conversion with a python library}
|
|
\begin{itemize}
|
|
\item Used in MISP built-in export modules
|
|
\item []
|
|
\item Enable a {\bf stand-alone} use of the python code\footnote{i.e command line}
|
|
\begin{itemize}
|
|
\item Pass filenames \& get the converted content written in 1 or more result file(s)
|
|
\end{itemize}
|
|
\item Possible integration within python code
|
|
\begin{itemize}
|
|
\item Give it a list of filenames
|
|
\item MISP standard format <-> STIX
|
|
\begin{itemize}
|
|
\item JSON or PyMISP
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Library usage - Command line}
|
|
\centering
|
|
\includegraphics[scale=0.145]{images/stand_alone_usage.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Library usage - Python integration}
|
|
\centering
|
|
\includegraphics[scale=0.12]{images/python_usage.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Mapping documentation}
|
|
\begin{itemize}
|
|
\item Mapping overview
|
|
\begin{itemize}
|
|
\item Quick overview on how MISP data structures are mapped with STIX objects
|
|
\end{itemize}
|
|
\item []
|
|
\item Detailed mapping
|
|
\begin{itemize}
|
|
\item Extended explanation on how each granular data is mapped with STIX objects fields
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Work in Progress}
|
|
\begin{itemize}
|
|
\item {\bf STIX 2 -> MISP import feature}
|
|
\item Better support of Custom Galaxy clusters
|
|
\item []
|
|
\item Decisions on how to import non Indicator or Observable data
|
|
\begin{itemize}
|
|
\item Attack Patterns, Threat Actors, etc. are contextual data on MISP
|
|
\item Ongoing discussions to define whether we import those STIX objects as MISP Galaxy clusters or MISP Attribute / Object
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Continuous development}
|
|
\begin{itemize}
|
|
\item Better support of existing STIX objects libraries\footnote{https://github.com/mitre/cti}
|
|
\item Support custom STIX format\footnote{Especially while importing STIX data, {\bf and as long as we can implement support of well defined versions}}
|
|
\item []
|
|
\item Mapping improvement
|
|
\begin{itemize}
|
|
\item MISP object templates -> STIX
|
|
\item Improve the STIX 2 patterns \& Observable objects -> MISP
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Next improvements}
|
|
\begin{itemize}
|
|
\item Extend the export feature to any kind of data collection
|
|
\item []
|
|
\item Add notes on any data structure
|
|
\item Sightings on context layers
|
|
\item []
|
|
\item Port the STIX 1 -> MISP import feature
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{How to report bugs/issues}
|
|
\begin{itemize}
|
|
\item Github issues
|
|
\begin{itemize}
|
|
\item {\bf https://github.com/MISP/misp-stix/issues}
|
|
\item https://github.com/MISP/MISP/issues
|
|
\end{itemize}
|
|
\item []
|
|
\item Please provide details
|
|
\begin{itemize}
|
|
\item How did the issue happen
|
|
\item {\bf Recommendation}: provide samples
|
|
\end{itemize}
|
|
\item[]
|
|
\item Any feedback welcome
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Useful links}
|
|
\begin{itemize}
|
|
\item \url{https://github.com/MISP/misp-stix}
|
|
\item \url{https://github.com/MISP/misp-stix/tree/main/documentation}
|
|
\item []
|
|
\item \url{https://github.com/MISP}
|
|
\item \url{https://www.misp-project.org/}
|
|
\item \url{https://twitter.com/MISPProject}
|
|
\item \url{https://twitter.com/chrisred_68}
|
|
\end{itemize}
|
|
\end{frame}
|