% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{Who are we?}
\begin{center}
\includegraphics[width=0.3\linewidth]{pictures/circl.png}
\end{center}
\begin{itemize}
\item The Computer Incident Response Center Luxembourg (CIRCL)
\item CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg
\item CIRCL leads the development of the open-source MISP threat intelligence platform
\begin{itemize}
\item As well as running multiple large MISP communities performing active daily threat-intelligence sharing
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MeliCERTes II: a quick recap of the morning session}
\begin{itemize}
\item MeliCERTes
\item Common tooling for CSIRTs
\item Cerebrate is a central component of the new tooling
\item Takes care of:
\begin{itemize}
\item Contact management
\item Orchestration
\item Sharing group distribution and management
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Some stats about one of our MISP instances: MISPPriv (1)}
\includegraphics[width=0.45\linewidth]{pictures/misppriv-usage.png}
\includegraphics[width=0.45\linewidth]{pictures/misppriv-user-org-stats.png}
\end{frame}
\begin{frame}
\frametitle{Some stats about one of our MISP instances: MISPPriv (2)}
\begin{center}
\includegraphics[width=1.1\linewidth]{pictures/bokeh_new_org.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve}
The rising number of communities is great!
\begin{itemize}
\item \textbf{Bridge the gap} between communities
\item Sharing with peers that face \textbf{similar threats}
\item \textbf{Reuse} of TTPs across sectors
\item \textbf{Hybrid threats}: seemingly unrelated things may be interesting to correlate
\item \textbf{Spread the love}, as our field is ahead of several other sectors when it comes to information sharing
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve}
However, broader and more diverse communities lead to more issues
\begin{itemize}
\item {Non-technical issues}
\begin{itemize}
\item Sharing difficulties in terms of social interactions (e.g. trust)
\begin{itemize}
\item \includegraphics[width=80px]{pictures/firstcon-22.png} greatly helps in that aspect!
\end{itemize}
\item Lots of points of contact
\end{itemize}
\end{itemize}
\begin{itemize}
\item {Technical issues}
\begin{itemize}
\item Centralised identity management
\item Data might change or evolve over time
\item Loads of UUIDs to manually process
\item Distribution list management is difficult across communities
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/org-circl.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve with Cerebrate}
\begin{minipage}{0.8\textwidth}
\begin{itemize}
\item Constituencies of organisations
\begin{itemize}
\item Geographic \& sectorial
\item But also technical: CIDR blocks \& AS Numbers
\end{itemize}
\item Cryptographic key lookup for information signing
\begin{itemize}
\item MISP's protected event feature (New since MISP v2.4.156)
\end{itemize}
\end{itemize}
\end{minipage}
\begin{minipage}{0.19\textwidth}
% \includegraphics[width=0.8\linewidth]{pictures/clippy-hint.png}
\end{minipage}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve with Cerebrate}
\begin{minipage}{0.8\textwidth}
\begin{itemize}
\item Constituencies of organisations
\begin{itemize}
\item Geographic \& sectorial
\item But also technical: CIDR blocks \& AS Numbers
\end{itemize}
\item Cryptographic key lookup for information signing
\begin{itemize}
\item MISP's protected event feature (New since MISP v2.4.156)
\end{itemize}
\end{itemize}
\end{minipage}
\begin{minipage}{0.19\textwidth}
\includegraphics[width=0.8\linewidth]{pictures/clippy-hint.png}
\end{minipage}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve with Cerebrate}
\begin{itemize}
\item Customisable data model adaptable to each community
\begin{itemize}
\item Given the sheer number of different types of communities, \textbf{it's a must}
\end{itemize}
\item Sharing group management
\item Synchronisation and lookup system
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Our attempt at solving them: Cerebrate}
\begin{itemize}
\item Open source community management and orchestration tool
\end{itemize}
\begin{center}
\includegraphics[width=0.15\linewidth]{pictures/logo.png}
\linebreak
\includegraphics[width=0.99\linewidth]{pictures/cerebrate-github.png}
\end{center}
\begin{itemize}
\item Central tool for the \textbf{Melicertes 2 project} (co-funded by the EU as a CEF project - SMART 2018/1024)
\item Rich \textbf{Contact Database}
\item Tightly coupled management system and companion for MISP (and other tools)
\begin{itemize}
\item Get in touch with us if you need help building integrations!
\end{itemize}
\item Planned as the primary MISP \textbf{fleet management} tool
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Goals and design}
\begin{itemize}
\item Goals: simplicity, lightweight and open-source
\item Technologies used: PHP, cakephp4, BS5, ...
\begin{itemize}
\item (almost) the same as in MISP for easier \textbf{maintainability} and \textbf{code re-use}
\end{itemize}
\item IAM-centric design
\begin{itemize}
\item Tightly integrated with Keycloak
\end{itemize}
\item Core functionalities: auditing, API
\begin{itemize}
\item Any change should be easily accessible, to counter errors or foul play
\item From our perspective, automation and integration are essential and should be as easy as possible
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Goals and design}
\begin{itemize}
\item Built with tool integration in mind, acting as a contact database
\end{itemize}
\begin{center}
\includegraphics[width=0.85\linewidth]{pictures/misp-cerebrate.png} \\
MISP is able to look up Organisations \& Sharing Groups in Cerebrate
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's place in a typical CSIRT software stack}
\begin{center}
\includegraphics[width=0.42\linewidth]{pictures/software-stack.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database}
\begin{itemize}
\item Contact database for the CSIRT network
\begin{itemize}
\item Common contact fields such as \texttt{UUID}, \texttt{name}, \texttt{contact email address}, \texttt{nationality}, \texttt{URL}, ...
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/contact-database-1.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/contact-database-2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{itemize}
\item Flexible system to store additional information: \texttt{meta-fields} (KV-store)
\item These \texttt{meta-fields} are part of a larger structure called \texttt{meta-templates}
\item Support for multiple templates used by various entities
\begin{itemize}
\item \textbf{FIRST Directory}
\item ENISA CSIRT inventory
\item CSIRT Constituency (CIDR blocks, AS Numbers, ...)
\end{itemize}
\end{itemize}
\end{frame}
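An added worked example (not Cerebrate's own code) of what a meta-template buys you: the constituency template, the field types and the organisation records below are constructed assumptions, not the project's schema. It validates a record's meta-fields (KV store) against the template and then answers the constituency question from the slide, "which CSIRT is responsible for this address?", using the CIDR blocks and AS numbers stored as meta-fields. Records that fail validation are ignored rather than trusted.

```python
"""Meta-template validation and constituency lookup (added example).

The template layout, field types and organisation records are constructed
assumptions standing in for a real Cerebrate meta-template.
"""
import ipaddress
import re

# Constructed meta-template (assumed layout): every meta-field must be declared
# with a type, whether it is required, and whether it may hold several values.
CONSTITUENCY_TEMPLATE = {
    "name": "CSIRT Constituency",
    "fields": {
        "cidr_block": {"type": "cidr", "required": True, "multiple": True},
        "as_number": {"type": "asn", "required": False, "multiple": True},
        "sector": {"type": "text", "required": True, "multiple": False},
    },
}

# Constructed organisation records; UUIDs are placeholders, not real identifiers.
ORGANISATIONS = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "name": "CSIRT-A",
     "meta_fields": {"cidr_block": ["10.0.0.0/8", "192.0.2.0/24"],
                     "as_number": ["AS64496"], "sector": "government"}},
    {"uuid": "00000000-0000-4000-8000-000000000002", "name": "CSIRT-B",
     "meta_fields": {"cidr_block": ["10.1.0.0/16"], "sector": "finance"}},
    # Deliberately malformed record: ASN without the "AS" prefix, no sector.
    {"uuid": "00000000-0000-4000-8000-000000000003", "name": "CSIRT-C",
     "meta_fields": {"cidr_block": ["10.1.2.0/24"], "as_number": ["64499"]}},
]


def _check_value(ftype, value):
    """Raise ValueError when `value` is not a well-formed instance of `ftype`."""
    if ftype == "cidr":
        # strict=True rejects prefixes with host bits set (e.g. 10.1.2.3/24)
        ipaddress.ip_network(value, strict=True)
    elif ftype == "asn":
        if (not isinstance(value, str) or not re.fullmatch(r"AS\d{1,10}", value)
                or int(value[2:]) > 4294967295):
            raise ValueError(f"bad ASN {value!r}")
    elif ftype == "text":
        if not isinstance(value, str) or not value.strip():
            raise ValueError("empty text")
    else:
        raise ValueError(f"unknown field type {ftype!r}")


def validate_meta_fields(template, meta_fields):
    """Check a record's meta-fields against a template; return a list of error strings."""
    errors = []
    spec = template["fields"]
    for key in meta_fields:
        if key not in spec:
            errors.append(f"unknown field {key!r}")
    for key, rule in spec.items():
        values = meta_fields.get(key, [])
        if isinstance(values, str):
            values = [values]
        if rule["required"] and not values:
            errors.append(f"missing required field {key!r}")
        if not rule["multiple"] and len(values) > 1:
            errors.append(f"field {key!r} does not allow multiple values")
        for value in values:
            try:
                _check_value(rule["type"], value)
            except ValueError as exc:
                errors.append(f"field {key!r}: {exc}")
    return errors


def responsible_csirts(orgs, template, address):
    """Names of organisations whose constituency covers `address`, most specific prefix first.

    Records failing template validation are skipped, so a malformed entry
    cannot claim an address block."""
    ip = ipaddress.ip_address(address)
    hits = []
    for org in orgs:
        if validate_meta_fields(template, org["meta_fields"]):
            continue
        for cidr in org["meta_fields"].get("cidr_block", []):
            network = ipaddress.ip_network(cidr)
            if ip in network:  # False when address and prefix differ in IP version
                hits.append((network.prefixlen, org["name"]))
    return [name for _, name in sorted(hits, reverse=True)]


if __name__ == "__main__":
    for org in ORGANISATIONS:
        print(org["name"], validate_meta_fields(CONSTITUENCY_TEMPLATE, org["meta_fields"]) or "ok")
    print(responsible_csirts(ORGANISATIONS, CONSTITUENCY_TEMPLATE, "10.1.2.3"))
```

For 10.1.2.3 the lookup returns CSIRT-B before CSIRT-A (the /16 is more specific than the /8); CSIRT-C's /24 would have matched first but its record fails validation and is excluded.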
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/meta-fields-first.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/meta-templates-first.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/meta-template-repo.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Sharing group management}
\begin{itemize}
\item Easy way to \textbf{create} and \textbf{share} distribution lists
\item Allow sharing groups to be \textbf{reusable}
\item Circumvent limitations of traditional threat intelligence sharing platforms
\begin{itemize}
\item Sharing groups are exchanged on creation / modification rather than on data exchange
\item Avoids the duplication of similar sharing groups
\end{itemize}
\end{itemize}
\end{frame}
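An added example (not Cerebrate's own code) of the two points on this slide: spotting distribution lists that are the same group under a different name, reusing an existing group instead of creating a near-duplicate, and expressing a modification as the membership delta that has to be exchanged with peers. The group records, the placeholder UUIDs and the helper names are constructed assumptions, not the project's API.

```python
"""Sharing-group reuse and change propagation (added example).

Group records, UUIDs and helper names are constructed assumptions.
"""
import uuid as uuidlib

# Constructed member organisation UUIDs (placeholders).
ORG_A = "00000000-0000-4000-8000-00000000000a"
ORG_B = "00000000-0000-4000-8000-00000000000b"
ORG_C = "00000000-0000-4000-8000-00000000000c"

# Constructed sharing groups: two of them have identical membership, which is
# what happens when every platform re-creates its own copy of the same list.
SHARING_GROUPS = [
    {"uuid": "11111111-0000-4000-8000-000000000001", "name": "Finance sector",
     "members": {ORG_A, ORG_B}},
    {"uuid": "11111111-0000-4000-8000-000000000002", "name": "Banks",
     "members": {ORG_B, ORG_A}},
    {"uuid": "11111111-0000-4000-8000-000000000003", "name": "National CSIRTs",
     "members": {ORG_A, ORG_C}},
]


def duplicate_sharing_groups(groups):
    """Map every membership set that occurs more than once to the group UUIDs sharing it."""
    by_members = {}
    for group in groups:
        by_members.setdefault(frozenset(group["members"]), []).append(group["uuid"])
    return {members: uuids for members, uuids in by_members.items() if len(uuids) > 1}


def reuse_or_create(groups, name, members):
    """Return (uuid, created) for a distribution list with exactly these members.

    An existing group with identical membership is reused (created=False);
    otherwise a new group is appended to `groups` and its fresh UUID returned."""
    wanted = frozenset(members)
    for group in groups:
        if frozenset(group["members"]) == wanted:
            return group["uuid"], False
    new_group = {"uuid": str(uuidlib.uuid4()), "name": name, "members": set(wanted)}
    groups.append(new_group)
    return new_group["uuid"], True


def membership_change(old_members, new_members):
    """Describe a modification as members added and removed.

    This delta is what peers need when a group changes; exchanging it on
    modification avoids re-sending the whole list with every piece of data."""
    old, new = set(old_members), set(new_members)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    print(duplicate_sharing_groups(SHARING_GROUPS))
    print(reuse_or_create(SHARING_GROUPS, "Banks again", {ORG_A, ORG_B}))
    print(membership_change({ORG_A, ORG_B}, {ORG_B, ORG_C}))
```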
\begin{frame}
\frametitle{Cerebrate's contact database: Sharing group management}
\begin{center}
\includegraphics[width=0.9\linewidth]{pictures/sharinggroup.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Identity and Signing}
\begin{itemize}
\item Cerebrate can act as a trusted contact database containing cryptographic keys (PGP, S/MIME)
\item These can be used by other applications to sign and validate information
\begin{itemize}
\item See MISP's protected event feature \includegraphics[width=0.09\linewidth]{pictures/clippy-solo.png}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Identity and Signing}
\begin{center}
\includegraphics[width=0.95\linewidth]{pictures/pgp.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Open Directory}
\begin{itemize}
\item Cerebrate can be configured to act as an \textbf{open} directory of contact information
\item Other tools (including other Cerebrate nodes) can use this directory
\item Allows for information and information source validation
\end{itemize}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/open-directory.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Data sharing}
Basically the same strategy as the one used in MISP:
\begin{itemize}
\item \textbf{Connect} with other Cerebrate nodes
\item \textbf{Diagnose} connectivity issues
\item Remotely \textbf{browse} data of the other node
\item \textbf{Fetch and save} organisation, individual and sharing-group data
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Data sharing}
\begin{center}
\includegraphics[width=0.95\linewidth]{pictures/brood-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Data sharing}
\begin{center}
\includegraphics[width=0.95\linewidth]{pictures/brood-view.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Data sharing: Synchronisation strategies}
Two synchronisation strategies:
\begin{enumerate}
\item \textbf{Standard}: only fetch and save new records
\item \textbf{Trusted upstream source}: the remote Cerebrate acts as an authoritative instance
\end{enumerate}
\begin{center}
\includegraphics[width=0.7\linewidth]{pictures/brood-edit.png}
\end{center}
\end{frame}
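An added example (not Cerebrate's own code) that runs a pull of organisation records from a remote node under both strategies, so the difference is visible on concrete data: under \textbf{Standard} a record that already exists locally is never overwritten (the drift is only reported), under \textbf{Trusted upstream source} the remote copy replaces it. The record layout, the per-brood configuration dictionary, the `trusted` flag and the function names are constructed assumptions.

```python
"""Pulling records from a remote Cerebrate node under the two strategies (added example).

Record layout, brood configuration and strategy names are constructed assumptions.
"""
from copy import deepcopy

# Constructed brood configuration (assumed): the strategy chosen for each remote
# node and an explicit administrator-set flag saying the node may be authoritative.
BROODS = {
    "https://cerebrate-national.example": {"strategy": "trusted_upstream", "trusted": True},
    "https://cerebrate-peer.example": {"strategy": "trusted_upstream", "trusted": False},  # misconfigured
    "https://cerebrate-sector.example": {"strategy": "standard", "trusted": False},
}

# Constructed local database keyed by organisation UUID (placeholder keys).
LOCAL = {
    "u-1": {"name": "CSIRT-A", "nationality": "LU", "modified": 10},
    "u-2": {"name": "CSIRT-B", "nationality": "FR", "modified": 12},
}
# Constructed snapshot browsed from the remote node: u-1 identical, u-2 changed
# remotely, u-3 unknown locally.
REMOTE = {
    "u-1": {"name": "CSIRT-A", "nationality": "LU", "modified": 10},
    "u-2": {"name": "CSIRT-B (renamed)", "nationality": "FR", "modified": 15},
    "u-3": {"name": "CSIRT-C", "nationality": "DE", "modified": 14},
}


def synchronise(local, remote, strategy):
    """Merge remote records into a copy of local; return (merged, report).

    standard:         only UUIDs unknown locally are saved; a differing local
                      copy wins and the drift is reported, never overwritten.
    trusted_upstream: the remote is authoritative, so differing records are
                      replaced by the remote copy.
    Records that exist only locally are never deleted under either strategy."""
    if strategy not in ("standard", "trusted_upstream"):
        raise ValueError(f"unknown strategy {strategy!r}")
    merged = deepcopy(local)
    report = {"added": [], "updated": [], "skipped": []}
    for uuid, record in remote.items():
        if uuid not in merged:
            merged[uuid] = deepcopy(record)
            report["added"].append(uuid)
        elif merged[uuid] == record:
            continue  # identical on both sides, nothing to do
        elif strategy == "standard":
            report["skipped"].append(uuid)
        else:
            merged[uuid] = deepcopy(record)
            report["updated"].append(uuid)
    return merged, report


def pull_from_brood(brood_url, local, remote_snapshot, broods=BROODS):
    """Apply the strategy configured for a brood.

    A node is only allowed to overwrite local data when an administrator has
    explicitly marked it trusted; a brood configured as upstream without that
    flag is refused rather than silently downgraded."""
    cfg = broods[brood_url]
    if cfg["strategy"] == "trusted_upstream" and not cfg["trusted"]:
        raise PermissionError(f"{brood_url} is configured as upstream but not marked trusted")
    return synchronise(local, remote_snapshot, cfg["strategy"])


if __name__ == "__main__":
    for strategy in ("standard", "trusted_upstream"):
        merged, report = synchronise(LOCAL, REMOTE, strategy)
        print(strategy, report, merged["u-2"]["name"])
```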
\begin{frame}
\frametitle{Managing local tools}
Why would Cerebrate integrate with other tools?
\begin{itemize}
\item To support information sharing, being able to validate information sources is crucial
\item Traditional information sharing software stacks each have to maintain their own organisation database
\item Why re-invent the wheel every time?
\end{itemize}
\begin{center}
\includegraphics[width=0.2\linewidth]{pictures/software-stack.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Managing local tools}
There will inevitably be integration between local tools and Cerebrate. Why not go a step further?
\begin{itemize}
\item Cerebrate exposes a modular system to manage these local tools
\item Based on a configuration file, user interfaces can be created to visualise data and instruct local tools to perform operations
\end{itemize}
\begin{center}
\includegraphics[width=0.9\linewidth]{pictures/github-local-tool.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Connector capabilities}
\begin{itemize}
\item \textbf{Configure} MISP instances via server settings
\item \textbf{Fetch} Organisations \& Sharing Groups
\item \textbf{Diagnose} other connected MISP servers
\item \textbf{Manage} users, ...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Connector capabilities}
\begin{center}
\includegraphics[width=0.97\linewidth]{pictures/localtool-view.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Connector capabilities}
Why do one when we can do many?
\begin{itemize}
\item Cerebrate can connect to multiple tools via their associated connectors
\item Allowing local tool fleet management
\begin{itemize}
\item MISP fleet management!
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Fleet management}
\begin{center}
\includegraphics[width=0.97\linewidth]{pictures/localtools-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
\begin{itemize}
\item Cerebrate's main goal is to \textbf{ease community management}
\item Select which local tools are meant to be exposed to the community for requests
\item Open dialogues with community members to request tool-to-tool interconnections
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
Cerebrate can leverage its access to local tools to reach out to tools from other Cerebrate nodes
\begin{center}
\includegraphics[width=0.85\linewidth]{pictures/tools-made-available.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
\begin{itemize}
\item Local tools can be \textbf{exposed} to other Cerebrate nodes
\item \textbf{Inter-connection requests} can be issued from one node to another
\item Following a 3-way handshake protocol, inter-connections can be:
\begin{itemize}
\item Issued
\item Accepted
\item Finalised
\end{itemize}
\end{itemize}
\end{frame}
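An added example (not Cerebrate's own implementation) of the 3-way handshake as a small state machine: a request moves issued \(\rightarrow\) accepted \(\rightarrow\) finalised, and each step is checked both for ordering and for who performs it, so the requesting node cannot accept its own request, an unrelated node cannot step in, and nothing can be finalised that was never accepted. Node names, the role names and the action vocabulary are constructed assumptions.

```python
"""Inter-connection request handshake between two Cerebrate nodes (added example).

Node names, roles and action names are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class HandshakeError(Exception):
    """Raised for an action that is out of order or comes from the wrong node."""


# action -> (state it is allowed from, state it leads to, role allowed to perform it)
TRANSITIONS = {
    "issue": (None, "issued", "requester"),
    "accept": ("issued", "accepted", "responder"),
    "finalise": ("accepted", "finalised", "requester"),
}


@dataclass
class Interconnection:
    requester: str   # node whose local tool wants to connect
    responder: str   # node exposing the target tool to the community
    tool: str        # the exposed tool on the responder side
    state: Optional[str] = None
    history: List[Tuple[str, str, str]] = field(default_factory=list)

    def role_of(self, node: str) -> Optional[str]:
        if node == self.requester:
            return "requester"
        if node == self.responder:
            return "responder"
        return None


def apply_action(conn: Interconnection, action: str, node: str) -> Interconnection:
    """Advance the handshake after checking the ordering and the acting node."""
    if action not in TRANSITIONS:
        raise HandshakeError(f"unknown action {action!r}")
    from_state, to_state, role = TRANSITIONS[action]
    if conn.state != from_state:
        raise HandshakeError(f"cannot {action} while in state {conn.state!r}")
    if conn.role_of(node) != role:
        raise HandshakeError(f"{node} may not {action}: only the {role} can")
    conn.state = to_state
    conn.history.append((action, node, to_state))
    return conn


REQUESTER = "cerebrate-a.example"   # constructed node names
RESPONDER = "cerebrate-b.example"
OUTSIDER = "cerebrate-c.example"


def run_handshake() -> Interconnection:
    """The happy path: issue, accept, finalise."""
    conn = Interconnection(REQUESTER, RESPONDER, tool="misp-b")
    apply_action(conn, "issue", REQUESTER)
    apply_action(conn, "accept", RESPONDER)
    apply_action(conn, "finalise", REQUESTER)
    return conn


def rejected_attempts() -> List[str]:
    """Actions that must fail on a freshly issued request; returns the error messages."""
    conn = Interconnection(REQUESTER, RESPONDER, tool="misp-b")
    apply_action(conn, "issue", REQUESTER)
    errors = []
    for action, node in [("accept", REQUESTER),    # requester accepting its own request
                         ("accept", OUTSIDER),      # unrelated node stepping in
                         ("finalise", REQUESTER),   # skipping the accept step
                         ("issue", REQUESTER)]:     # re-issuing an issued request
        try:
            apply_action(conn, action, node)
        except HandshakeError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    print(run_handshake().history)
    for message in rejected_attempts():
        print("rejected:", message)
```

Each rejected attempt leaves the request in the issued state; the state is only advanced after both checks pass, so a partially validated action never changes it.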
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
\begin{center}
\includegraphics[width=0.40\linewidth]{pictures/guys-chatting.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{MISP interconnection via Cerebrate}
\begin{center}
\includegraphics[width=0.98\linewidth]{pictures/connection_request.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What else does Cerebrate have?}
\begin{itemize}
\item Mailing list management
\item ACL system
\item Inbox system
\begin{itemize}
\item Inter-connection requests, enrolment requests
\end{itemize}
\item Tagging
\item Update system
\item Audit logs
\item Open API
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What else does Cerebrate have?}
Cerebrate has a \colorbox{black!90}{\color{white}\texttt{dark theme}} and \textbf{{\color{blue!70}m}{\color{red!70}o}{\color{purple!90}r}{\color{orange!70}e}}!
\linebreak
\begin{center}
\includegraphics[width=0.42\linewidth]{pictures/theme-1.png}
\includegraphics[width=0.42\linewidth]{pictures/theme-2.png}
\end{center}
\begin{center}
\includegraphics[width=0.42\linewidth]{pictures/theme-3.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Current roadmap}
\begin{itemize}
\item Data signing / validation
\begin{itemize}
\item Community-centric PKI
\item Enable data validation services for tools such as MISP
\end{itemize}
\item Integration with other tools
\begin{itemize}
\item Ticketing systems
\item Tighter mailing list integration (Mailman)
\item Messaging app (Mattermost)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Thanks!}
\begin{itemize}
\item Want to integrate your tool with Cerebrate?
\begin{itemize}
\item[] $\rightarrow$ Get in touch!
\end{itemize}
\item Want to have a live demo?
\begin{itemize}
\item[] $\rightarrow$ Get in touch!
\end{itemize}
\item Want to suggest features or integrations?
\begin{itemize}
\item[] That's right $\rightarrow$ Get in touch!
\end{itemize}
\end{itemize}
\end{frame}