mirror of https://github.com/MISP/misp-training
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.

\begin{frame}[t,plain]
\titlepage
\end{frame}

\begin{frame}
\frametitle{COVID-19 MISP intro}
\begin{itemize}
\item COVID-19 MISP is a MISP instance retrofitted for COVID-19 information sharing
\item We are focusing on two areas of sharing:
\begin{itemize}
\item {\bf Medical} information
\item {\bf Cyber threats} related to, or abusing, COVID-19
\end{itemize}
\item Low barrier to entry, aiming for wide adoption
\item Already a {\bf massive community}: 1560 users
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Why?}
\begin{itemize}
\item We are obviously interested at a personal level, as is everyone
\item {\bf Information sharing is what we do anyway}
\item The tools we are building expand our capabilities for the future
\item Bridging domains that are affected in different ways can reveal correlations
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Who is this meant for?}
\begin{itemize}
\item Anyone wanting to gain {\bf situational awareness} of the current situation
\item Security practitioners trying to fend off COVID-19-related attacks
\item Those wanting to share, collaborate on, visualise and automate data
\item All data is contextualised as {\bf either medical or security} related information for easy filtering
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{What is MISP?}
\begin{itemize}
\item MISP\footnote{\url{https://github.com/MISP/MISP}} is free \& open source threat information sharing software.
\item MISP has {\bf a host of functionalities} that assist users in creating, collaborating on \& sharing threat information, e.g. flexible sharing groups, {\bf automatic correlation}, a free-text import helper, event distribution \& proposals.
\item Many export formats, supporting IDSes / IPSes (e.g. Suricata, Bro/Zeek, Snort), SIEMs (e.g. CEF), host-based tools (e.g. OpenIOC, STIX, CSV, YARA), analysis tools (e.g. Maltego) and DNS policies (e.g. RPZ).
\item A rich set of MISP modules\footnote{\url{https://www.github.com/MISP/misp-modules}} adding expansion, import and export functionalities.
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Getting some naming conventions out of the way...}
\begin{itemize}
\item Data layer
\begin{itemize}
\item {\bf Events} are encapsulations for contextually linked information
\item {\bf Attributes} are individual data points, which can be indicators (flagged for detection) or supporting data
\item {\bf Objects} are templated compositions of Attributes
\item {\bf Object references} are the relationships between Objects and the other building blocks
\end{itemize}
\item Context layer
\begin{itemize}
\item {\bf Tags} are labels attached to events/attributes and can come from {\bf Taxonomies}
\item {\bf Galaxy clusters} are knowledge-base items used to label events/attributes and come from {\bf Galaxies}
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{A rich data-model: telling stories via relationships}
\includegraphics[scale=0.24]{screenshots/bankaccount.png}
\includegraphics[scale=0.18]{screenshots/bankview.png}
\end{frame}

\begin{frame}
\frametitle{MISP core distributed sharing functionality}
\begin{itemize}
\item MISP is {\bf peer-to-peer} sharing software
\item As such, everyone can be a {\bf consumer} and/or a {\bf producer} of information
\item Immediate benefit without the obligation to contribute
\item Low barrier to entry to get acquainted with the system
\end{itemize}
\includegraphics[scale=0.9]{misp-distributed.pdf}
\end{frame}

\begin{frame}
\frametitle{Information quality management}
\begin{itemize}
\item Automatic correlation of data across events
\item Feedback loop from detections via {\bf Sightings}
\item {\bf False positive management} via the warninglist system
\item {\bf Enrichment} via MISP-modules
\item {\bf Integrations} with a plethora of tools and formats
\item Flexible {\bf API} and support {\bf libraries} such as PyMISP to ease integration
\item {\bf Timelines}, giving information a temporal context
\item Full chain for {\bf indicator life-cycle management}
\end{itemize}
\end{frame}

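Added example, not code from the MISP project or from this deck: the data-layer and context-layer building blocks named on the naming-conventions slide (Event, Attributes, an Object, an Object reference, Tags) assembled into one event in the MISP core JSON format, followed by a warninglist pass of the kind the false-positive management bullet above refers to. Everything in it is constructed: the domains, IPs and URL are sample values, the domain-ip template UUID is a placeholder rather than the real template identifier, the two warninglists are cut-down stand-ins for the ones MISP ships, and only the hostname and cidr entry types are implemented. A hit is reported as a warning only; the attribute and its to_ids flag are left untouched.

```python
"""Added example, not code from the MISP project: build a small event in the
MISP core JSON format (Event, Attributes, Object, Object reference, Tags) and
run warninglists over it to flag likely false positives.  All values are
constructed; the object template UUID is a placeholder."""
import ipaddress
import uuid
from urllib.parse import urlsplit

# Placeholder: the real "domain-ip" template shipped with MISP has its own UUID.
DOMAIN_IP_TEMPLATE_UUID = "00000000-0000-4000-8000-000000000001"

def make_attribute(type_, category, value, to_ids=True, tags=(), object_relation=None):
    """One data point; to_ids marks it as a detection indicator rather than context."""
    attr = {"uuid": str(uuid.uuid4()), "type": type_, "category": category,
            "value": value, "to_ids": to_ids, "Tag": [{"name": t} for t in tags]}
    if object_relation:
        attr["object_relation"] = object_relation
    return attr

def make_event(info, day, tags=()):
    """Event envelope: attributes, objects and tags all hang off it."""
    return {"Event": {"uuid": str(uuid.uuid4()), "info": info, "date": day,
                      "threat_level_id": "3", "analysis": "0", "distribution": "1",
                      "Attribute": [], "Object": [], "Tag": [{"name": t} for t in tags]}}

def add_object(event, name, meta_category, template_uuid, attributes):
    """Objects are templated compositions of attributes, each with an object_relation."""
    obj = {"uuid": str(uuid.uuid4()), "name": name, "meta-category": meta_category,
           "template_uuid": template_uuid, "Attribute": attributes, "ObjectReference": []}
    event["Event"]["Object"].append(obj)
    return obj

def add_reference(source_obj, referenced_uuid, relationship_type):
    """Object references link an object to another object or to an attribute."""
    ref = {"uuid": str(uuid.uuid4()), "object_uuid": source_obj["uuid"],
           "referenced_uuid": referenced_uuid, "relationship_type": relationship_type}
    source_obj["ObjectReference"].append(ref)
    return ref

def iter_attributes(event):
    """Top-level attributes first, then the attributes inside each object."""
    yield from event["Event"]["Attribute"]
    for obj in event["Event"]["Object"]:
        yield from obj["Attribute"]

def _matches(attr, warninglist):
    """Entry types handled here: hostname (the host or a parent domain) and cidr."""
    kind, entries, value = warninglist["type"], warninglist["list"], attr["value"]
    if kind == "hostname":
        if attr["type"] in ("url", "link"):
            host = (urlsplit(value).hostname or "").lower()
        elif attr["type"] in ("domain", "hostname"):
            host = value.lower()
        else:
            return False
        return any(host == e or host.endswith("." + e) for e in entries)
    if kind == "cidr":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:  # not a bare IP attribute (e.g. a domain or a hash)
            return False
        return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    raise ValueError(f"unsupported warninglist type {kind!r}")

def flag_false_positives(event, warninglists):
    """Map attribute value -> names of the warninglists it hits.  A hit only warns
    the analyst; it does not flip to_ids or remove the attribute."""
    hits = {}
    for attr in iter_attributes(event):
        names = [w["name"] for w in warninglists if _matches(attr, w)]
        if names:
            hits[attr["value"]] = names
    return hits

def build_sample_event():
    """Constructed COVID-19 phishing event: a legitimate reference URL, a phishing
    domain, a C2-like IP, and a domain-ip object referencing the phishing domain."""
    ev = make_event("COVID-19 themed phishing campaign (constructed sample)",
                    "2020-04-20", tags=("tlp:white",))
    ev["Event"]["Attribute"] += [
        make_attribute("url", "External analysis", to_ids=False,
                       value="https://www.who.int/emergencies/diseases/novel-coronavirus-2019"),
        make_attribute("domain", "Network activity", "covid19-relief-login.example"),
        make_attribute("ip-dst", "Network activity", "203.0.113.10"),
    ]
    hosting = add_object(ev, "domain-ip", "network", DOMAIN_IP_TEMPLATE_UUID, [
        make_attribute("domain", "Network activity", "covid-vaccine-portal.example",
                       object_relation="domain"),
        make_attribute("ip-dst", "Network activity", "198.51.100.7", object_relation="ip"),
    ])
    add_reference(hosting, ev["Event"]["Attribute"][1]["uuid"], "related-to")
    return ev

# Constructed warninglists in the shape of MISP's warninglist JSON files.
SAMPLE_WARNINGLISTS = [
    {"name": "Known health-organisation sites", "type": "hostname",
     "list": ["who.int", "cdc.gov"]},
    {"name": "RFC 5737 documentation range", "type": "cidr", "list": ["203.0.113.0/24"]},
]
```

Running flag_false_positives(build_sample_event(), SAMPLE_WARNINGLISTS) flags the WHO reference URL and the documentation-range IP while leaving the two phishing domains and the hosting IP alone; the dict returned by build_sample_event() serialises with json.dumps() into the event shape the MISP REST API and PyMISP exchange. Extending the check to another warninglist type (string, substring, regex) is one more branch in _matches().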
\begin{frame}
\frametitle{Modelling new data structures for COVID-19}
\includegraphics[width=1.00\linewidth]{covidobject.png}
We are rapidly building new models for the different COVID-19-related information sources
\end{frame}

\begin{frame}
\frametitle{Evolution of the community}
\begin{itemize}
\item Starting from health and cyber security, the community went on to gather and share more information about {\bf disinformation}
\item Contextualisation improved (e.g. a dedicated "pandemic" taxonomy)
\item Specific data models such as {\bf misinformation patterns} started to be used
\item Features built for digital forensics were used to create timelines of disinformation events
\item Members took control of the open source tools to extend the system for their own needs
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Disinformation \#wewontstayhome}
\includegraphics[width=1.00\linewidth]{wewontstayhome.png}
\end{frame}

\begin{frame}
\frametitle{Disinformation "Operation Gridlock"}
\includegraphics[width=1.00\linewidth]{operationgridlock.png}
\end{frame}

\begin{frame}
\frametitle{Disinformation and correlation}
\includegraphics[scale=0.15]{misinfo-correlation.png}
\end{frame}

\begin{frame}
\frametitle{What did we learn?}
\begin{itemize}
\item Creating ad-hoc collaboration is an incredible laboratory for experimenting
\item {\bf Removing control provides freedom}: collaborating and sharing information this way is possible
\item Building a community up without any prior planning or existing structure can be successful
\item Self-organisation and filtering emerged very early, in response to early abusers of that freedom
\item New information and topics being shared moved the community towards different fields
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{How can you get involved?}
\begin{itemize}
\item Join the COVID-19 community
\item Either just use the data, or contribute data back, for example:
\begin{itemize}
\item Ongoing COVID-19 phishing campaigns
\item Warninglists of known legitimate COVID-19-related websites
\item Local articles about the situation in your area
\item Best practice recommendations
\item Information on travel restrictions
\item Analysis and further {\bf research of a live information sharing community}
\end{itemize}
\item Create {\bf pull requests} on data models, dashboards, taxonomies...
\item Share your ideas
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Contact us}
\begin{itemize}
\item \url{https://www.misp-project.org/}
\item \url{https://www.misp-standard.org/}
\item \url{https://github.com/MISP}
\item \url{info@misp-project.org}
\item \url{https://twitter.com/MISPProject}
\end{itemize}
\end{frame}