misp-training/AUSCERT2020/content.tex

343 lines
12 KiB
TeX

% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}
\titlepage
\end{frame}
\begin{frame}
\frametitle{MISP and CIRCL}
\begin{center}
\includegraphics[scale=0.45]{circl.png}
\hspace{2.5em}
\includegraphics[scale=0.35]{misp.pdf}
\end{center}
\begin{itemize}
\item CIRCL is mandated by the Ministry of Economy and acting as the Luxembourg {\bf National CERT for the private sector}.
\item CIRCL runs multiple large MISP communities performing {\bf active daily threat-intelligenge sharing}
\item CIRCL leads the development of {\bf MISP and many other open source softwares}\footnote{AIL-Framework, D4-project, CVE-search, passive-(ssl/dns), lookyloo}.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{The aim of this presentation}
\begin{itemize}
\item Provide a quick intro what MISP is and what issues we try to tackle
\item A small update of what has happened around MISP's development over the past year
\item Where we're headed from here
\end{itemize}
\end{frame}
\section{Intro on MISP}
\begin{frame}
\frametitle{Objectives of MISP}
\begin{itemize}
\item MISP is a {\bf threat information sharing} platform that is free \& open source software
\item A tool that {\bf collects} information from partners, your analysts, your tools, feeds
\item Normalises, {\bf correlates}, {\bf enriches} the data
\item Allows teams and communities to {\bf collaborate}
\item {\bf Feeds} automated protective tools and analyst tools with the output
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP Features Highlights}
\begin{itemize}
\item Extensive Rest {\bf API}
\item Automatic {\bf correlation}
\item Granular distribution levels and {\bf synchronisation} systems
\item A wide range of {\bf ingestion systems}
\item {\bf Visualisation tools} for dashboarding, graphing, statistics
\item A host of {\bf export formats}, covering a wide range of use-cases
\begin{itemize}
\item {\bf IDSes / IPSes}: \texttt{Suricata, Bro/Zeek, Snort}
\item {\bf SIEMs}: \texttt{CEF, STIX}
\item {\bf Host scanners}: \texttt{OpenIOC, STIX, CSV, Yara}
\item {\bf Analysis tools}: \texttt{Maltego}
\item {\bf DNS policies}: \texttt{RPZ}
\end{itemize}
\end{itemize}
\end{frame}
\section{High level overview of the past year's changes}
\begin{frame}
\frametitle{MISP's evolution since the last AusCERT}
\begin{itemize}
\item Since the AusCERT 2019 (31/05/2019) we've had:
\begin{itemize}
\item 34 releases
\item 4398 commits
\item 97 contributors contributing to the core software and its components
\end{itemize}
\item COVID-19 didn't negatively impact the progress made all that much
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{So what were the main changes?}
\begin{itemize}
\item Loads of {\bf bug fixes}
\item A host of improvements to how MISP behaves in general
\item {\bf Security fixes}, including several CVEs (keep your MISP up to date!)
\item {\bf Internal tuning} for better scaling and performance altogether
\item Massively expanding {\bf context libraries}
\item Several major features (let's talk about these)
\end{itemize}
\end{frame}
\section{Major features since last year}
\begin{frame}
\frametitle{Timelining in MISP}
\begin{itemize}
\item The goal was to capture activity timelines
\item All attributes and objects can have first-seen/last-seen data
\end{itemize}
\includegraphics[scale=0.25]{images/timeline.png}
\end{frame}
\begin{frame}
\frametitle{Timelining in MISP}
\begin{itemize}
\item Why is this interesting?
\item {\bf IoC lifecycle management} is one of the biggest challenges we face
\item Timeline information allows us to better {\bf express a story}, rather than {\bf share dumps of IoCs}
\item {\bf Time-based correlation} of certain actions helps us understand an incident
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding}
\begin{itemize}
\item Outcome of our personal initiatives to track the COVID-19 spread
\item New built-in {\bf dashboarding system} directly available in MISP
\item Dashboard widgets are modular and {\bf easy to build}
\item Create widgets that are {\bf ACL aware}
\item The COVID-19 MISP community turned out to be a massive success
\begin{itemize}
\item Just register if you would like to have access at \url{https://covid-19.iglocska.eu}
\end{itemize}
\item COVID-19 use-cases are just an example though (admin widgets, trend widgets, gamification, etc)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Dashboarding}
\includegraphics[scale=0.25]{images/dashboard.png}
\end{frame}
\begin{frame}
\frametitle{Decaying indicators v2}
\begin{itemize}
\item Further improvement on our indicator {\bf life-cycle management} tool
\item {\bf User settings} are now taken into account when crafting queries
\item {\bf Tool specific} user accounts can be pre-configured with decaying settings
\item {\bf Taxonomy} numerical values can be re-mapped to fit internal needs
\item {\bf Sightings} factor into the decay scores
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_1.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_3.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Convert attributes to objects}
\begin{itemize}
\item Allow users to easily select a set of attributes and automatically propose suitable object templates
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{attributes_to_object_4.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Massive rewrite of PyMISP}
\begin{itemize}
\item Python 3.6+ is a minimum since the modern PyMISP rework
\item Use of {\bf objects} with a {\bf long list of helpers} allows for easy creation/modification of MISP data
\item PyMISP's {\bf CI testing} suite has grown massively, allowing us to catch more and more issues as we commit changes
\item Automated testing {\bf including synchronising} several MISP instances
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Community management improvements}
\begin{itemize}
\item {\bf User configurations} - manage per user rule sets to alter MISP's behaviour ({\bf alerting rules}, {\bf dashboard configuration}, etc)
\item {\bf Community listings} - to help users find the right communities and negotiate access
\item Various improvements to authorization systems - {\bf E-mail based OTP}, {\bf further integrations with SSO systems}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Integrations}
\begin{itemize}
\item Long list of {\bf integrations}, both via our export system and module systems and by other tools integrating with MISP
\item Continuous iterations of our connectors using other formats (a massive STIX 2 rework has just dropped)
\item Integrations with analysis tools, such as with {\bf Maltego}
\item Tighter integration with other {\bf OSS frameworks we develop in-house} (AIL, D4)
\item Mapping of libraries to taxonomies/galaxies/object templates
\item ATT\&CK like matrices from other domains (disinformation via AMITT, various sectorial groups)
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP format modules}
\begin{itemize}
\item Initial modules
\begin{itemize}
\item Return {\bf single attributes} only
\item As {\bf light-weight} as possible
\item Good to handle {\bf simple queries}
\end{itemize}
\item MISP format modules
\begin{itemize}
\item Return {\bf MISP standard format}
\item {\bf Backward compatible}
\item Much better results with {\bf complex data}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP format modules}
\begin{center}
\includegraphics[width=0.7\linewidth]{cve_module.png}
\end{center}
\end{frame}
\section{The road ahead}
\begin{frame}
\frametitle{So that's where we are now}
\begin{itemize}
\item Let's have a brief look at what is on our immediate and long-term roadmaps
\item For the long-term ones, priorities shift rapidly
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Going further with the MISP modules}
\begin{itemize}
\item {\bf Expansion modules} for the event scope
\item Enable import modules to be able to {\bf generate entire events}
\item Move the export modules to the {\bf built-in export library}
\end{itemize}
\begin{itemize}
\item Move the modules to {\bf background processes} with a
messaging system
\item Avoid the results preview when applicable
\begin{itemize}
\item Preview page can be very heavy
\item Difficulty is {\bf dealing with uncertain results} (without the user
having final say)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MISP galaxy 2.0}
\begin{itemize}
\item MISP galaxies will be fully managed via MISP directly
\item Create, modify, {\bf share your custom galaxies} with the usual sync / ACL mechanisms
\item Fork and {\bf provide your own perspective} to already existing knowledge-base items
\item Build {\bf relationships between galaxy clusters} (Threat actor A uses Tool B and targets Sector C)
\item Already available in beta
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Reports}
\begin{itemize}
\item Create {\bf markdown reports} and share them along with your events
\item Structured information is great for automation, but sometimes plain prose helps telling a story
\item Shared along with events, distribution per report item configurable
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Community management at scale}
\begin{itemize}
\item {\bf Cerebrate} is a new OSS frameworks that we're building
\item Manage {\bf organisation, sharing group, encryption key} data for communities
\item {\bf Instrument} MISP instances and the interconnectivity between them via Cerebrate
\item Introduce {\bf information signing} by validating signatures / ownership via trusted Cerebrate nodes
\item Early alpha already available
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Rework of the MISP internals}
\begin{itemize}
\item We are planning on moving MISP to a {\bf more modern stack} (cake4/bs4)
\item Cerebrate also acts as a {\bf test-bed} for this move and relies on MISP internals that have already been ported
\item We have been silently {\bf reworking a lot of the internals} of MISP to make the migration possible (UI generator systems for example)
\end{itemize}
\end{frame}
\section{Conclusion}
\begin{frame}
\frametitle{To sum it all up...}
\begin{itemize}
\item Many interesting things are happening
\item We are following {\bf several routes} of development (internal improvements, contextualisation, integrations, operational improvements, community building)
\item We have many more ideas, but sadly days are only 24 hours long
\item There are {\bf many ways to get involved}
\item Prioritisation is hard. {\bf Let us know what you think we should focus on}!
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you have any questions}
\begin{itemize}
\item Contact CIRCL
\begin{itemize}
\item info@circl.lu
\item \url{https://twitter.com/circl_lu}
\item \url{https://www.circl.lu/}
\end{itemize}
\item Contact MISPProject
\begin{itemize}
\item \url{https://github.com/MISP}
\item \url{https://gitter.im/MISP/MISP}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\item Join the COVID-19 MISP community
\begin{itemize}
\item \url{https://covid-19.iglocska.eu}
\end{itemize}
\end{itemize}
\end{frame}