mirror of https://github.com/MISP/misp-training
349 lines
10 KiB
TeX
Executable File
349 lines
10 KiB
TeX
Executable File
% DO NOT COMPILE THIS FILE DIRECTLY!
|
|
% This is included by the other .tex files.
|
|
|
|
\begin{frame}[t,plain]
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Summary}
|
|
\begin{itemize}
|
|
\item Past \& current status
|
|
\item Recent changes
|
|
\item Continuous improvement \& future roadmap
|
|
\item Organisational \& philosophical aspects
|
|
\item Demo (?)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{MISP \& STIX}
|
|
\begin{itemize}
|
|
\item{\bf Built-in integration}
|
|
\item Export \& Import features
|
|
\begin{itemize}
|
|
\item Export MISP Events collections
|
|
\item Import STIX files
|
|
\end{itemize}
|
|
\item Supported version
|
|
\begin{itemize}
|
|
\item STIX 1.1.1
|
|
\item STIX 2.0
|
|
\end{itemize}
|
|
\item Accessible via restSearch
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{STIX conversion usage in MISP}
|
|
\centering
|
|
\includegraphics[scale=0.19]{images/simple_rest_query.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{STIX conversion usage in MISP}
|
|
\centering
|
|
\includegraphics[scale=0.2]{images/simple_rest_results.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{STIX conversion usage in MISP}
|
|
\centering
|
|
\includegraphics[scale=0.235]{images/simple_rest_curl.png} \\
|
|
\includegraphics[scale=0.235]{images/simple_rest_pymisp.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Former feature limitations}
|
|
\begin{minipage}{0.45\textwidth}
|
|
\begin{itemize}
|
|
\item {\bf Supported versions}
|
|
\begin{itemize}
|
|
\item 1.1.1 XML (\& JSON)
|
|
\item 2.0
|
|
\end{itemize}
|
|
\item Data type support
|
|
\end{itemize}
|
|
\end{minipage}%
|
|
\begin{minipage}{0.55\textwidth}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{images/limited_version.jpg}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Former feature limitations}
|
|
\begin{minipage}{0.5\textwidth}
|
|
\begin{itemize}
|
|
\item Supported versions
|
|
\begin{itemize}
|
|
\item 1.1.1 XML (\& JSON)
|
|
\item 2.0
|
|
\end{itemize}
|
|
\item {\bf Data type support}
|
|
\end{itemize}
|
|
\end{minipage}%
|
|
\begin{minipage}{0.5\textwidth}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{images/limited_data_type.jpg}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Former practical \& Organisational limitations}
|
|
\begin{itemize}
|
|
\item Export and import features only available via MISP
|
|
\begin{itemize}
|
|
\item Need an automation key (and/or to deal with the UI)
|
|
\end{itemize}
|
|
\item []
|
|
\item {\bf Github}: STIX issues lost within the MISP core issues
|
|
\pause
|
|
\vspace{4em}
|
|
\begin{center}
|
|
\includegraphics[scale=0.4]{images/issues.png}
|
|
\end{center}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{The solution}
|
|
\begin{center}
|
|
\includegraphics[scale=0.3]{images/solution.png}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Key features}
|
|
\begin{itemize}
|
|
\item Support all the STIX versions
|
|
\begin{itemize}
|
|
\item {\bf STIX 2.1 Support}
|
|
\item 1.1.1, 1.2, 2.0 Support enhanced
|
|
\end{itemize}
|
|
\item Various MISP data collection supported
|
|
\item[]
|
|
\item {\bf Mapping documentation}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Handling the conversion with a python library}
|
|
\begin{itemize}
|
|
\item Used in MISP built-in export modules
|
|
\item []
|
|
\item Enable a {\bf stand-alone} use of the python code\footnote{i.e command line}
|
|
\begin{itemize}
|
|
\item Pass filenames \& get the converted content written in 1 or more result file(s)
|
|
\end{itemize}
|
|
\item Possible integration within python code
|
|
\begin{itemize}
|
|
\item Give it a list of filenames
|
|
\item MISP standard format <-> STIX
|
|
\begin{itemize}
|
|
\item JSON or PyMISP
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Library usage - Command line}
|
|
\centering
|
|
\includegraphics[scale=0.145]{images/stand_alone_usage.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Library usage - Python integration}
|
|
\centering
|
|
\includegraphics[scale=0.12]{images/python_usage.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Mapping documentation}
|
|
\begin{itemize}
|
|
\item Mapping overview
|
|
\begin{itemize}
|
|
\item Quick overview on how MISP data structures are mapped with STIX objects
|
|
\end{itemize}
|
|
\item []
|
|
\item Detailed mapping
|
|
\begin{itemize}
|
|
\item Extended explanation on how each granular data is mapped with STIX objects fields
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Work in Progress}
|
|
\begin{itemize}
|
|
\item {\bf STIX 2 -> MISP import feature}
|
|
\item []
|
|
\item New MISP object templates \& Galaxy clusters
|
|
\item []
|
|
\item Better support for Custom Galaxy clusters
|
|
\item []
|
|
\end{itemize}
|
|
\pause
|
|
\begin{minipage}{0.5\textwidth}
|
|
\begin{itemize}
|
|
\item {\bf TAXII integration}
|
|
\end{itemize}
|
|
\end{minipage}%
|
|
\begin{minipage}{0.5\textwidth}
|
|
\includegraphics[scale=0.2]{images/surprise.jpg}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Continuous development}
|
|
\begin{itemize}
|
|
\item Better support of existing STIX objects libraries\footnote{\url{https://github.com/mitre/cti}}
|
|
\item Support custom STIX format\footnote{Especially while importing STIX data, {\bf and as long as we can implement support of well defined versions}}
|
|
\item []
|
|
\item Mapping improvement
|
|
\begin{itemize}
|
|
\item MISP object templates -> STIX
|
|
\item Improve the STIX 2 patterns \& Observable objects -> MISP
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{What comes next?}
|
|
\begin{itemize}
|
|
\item Extend the export feature to any kind of data collection
|
|
\item []
|
|
\item Add notes on any data structure
|
|
\item Sightings on context layers
|
|
\item []
|
|
\item Port the STIX 1 -> MISP import feature
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Handling different STIX content creation designs}
|
|
\begin{minipage}{0.6\textwidth}
|
|
\begin{itemize}
|
|
\item Impossible to control the content created by external parties
|
|
\item We want to keep UUIDs
|
|
\pause
|
|
\item []
|
|
\item Facing UUIDs validation issues
|
|
\begin{itemize}
|
|
\item Loading error
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{minipage}%
|
|
\begin{minipage}{0.4\textwidth}
|
|
\includegraphics[scale=0.25]{images/two_buttons_dilemna.jpg}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{An easy fix: a STIX 2 python library fork\footnote{\url{https://github.com/MISP/cti-python-stix2} \& \url{https://pypi.org/project/misp-lib-stix2/}}}
|
|
\begin{minipage}{0.62\textwidth}
|
|
\begin{itemize}
|
|
\item No change on the content validation
|
|
\begin{itemize}
|
|
\item Differs only on the UUIDs validation process
|
|
\end{itemize}
|
|
\item MISP has now the same UUIDs requirements
|
|
\begin{itemize}
|
|
\item We keep a reference to the initial UUID
|
|
\item A UUID v5 is generated
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{minipage}%
|
|
\begin{minipage}{0.38\textwidth}
|
|
\includegraphics[scale=0.25]{images/two_buttons_solution.jpg}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Minding the gap between formats}
|
|
\begin{itemize}
|
|
\item From a sharing platform to an threat intelligence exchange format
|
|
\begin{itemize}
|
|
\item Custom STIX objects
|
|
\item Custom fields in existing objects
|
|
\item STIX extensions
|
|
\end{itemize}
|
|
\item Handling the infinite possibilities of a patterning language
|
|
\begin{itemize}
|
|
\item Importing STIX 2 patterns in separate MISP objects
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\pause
|
|
\vspace{1em}
|
|
\includegraphics[scale=0.15]{images/patterns.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Mapping challenges}
|
|
\includegraphics[scale=0.285]{images/challenges.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Evolution perspectives}
|
|
\begin{center}
|
|
\includegraphics[scale=0.1]{images/oasis.png}
|
|
\end{center}
|
|
\vspace{1em}
|
|
\begin{itemize}
|
|
\item Members of the Oasis CTI TC
|
|
\begin{itemize}
|
|
\item Our involvement
|
|
\begin{itemize}
|
|
\item Participating to the development process
|
|
\end{itemize}
|
|
\item []
|
|
\item Our proposal: Go for the open source way
|
|
\begin{itemize}
|
|
\item Make the contribution process more accessible \\
|
|
=> Bring more contributers / contributions
|
|
\item Easier access to the resources \\
|
|
=> More visibility
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{How to report bugs/issues}
|
|
\begin{itemize}
|
|
\item Github issues
|
|
\begin{itemize}
|
|
\item {\bf \url{https://github.com/MISP/misp-stix/issues}}
|
|
\item \url{https://github.com/MISP/MISP/issues}
|
|
\end{itemize}
|
|
\item []
|
|
\item Please provide details
|
|
\begin{itemize}
|
|
\item How did the issue happen
|
|
\item {\bf Recommendation}: provide samples
|
|
\end{itemize}
|
|
\item[]
|
|
\item Any feedback welcome
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Useful links}
|
|
\begin{itemize}
|
|
\item \url{https://github.com/MISP/misp-stix}
|
|
\item \url{https://github.com/MISP/misp-stix/tree/main/documentation}
|
|
\item []
|
|
\item \url{https://github.com/MISP}
|
|
\item \url{https://www.misp-project.org/}
|
|
\item \url{https://twitter.com/MISPProject}
|
|
\item \url{https://twitter.com/chrisred_68}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\frametitle{Demo time}
|
|
\centering
|
|
\includegraphics[scale=0.45]{images/demo.jpg}
|
|
\end{frame}
|