cerebrate-project
/
cerebrate-training
mirror of https://github.com/cerebrate-project/cerebrate-training
2
0
Fork 0
Code Issues Releases Wiki Activity
cerebrate-training/2022-06-28-FIRSTCON22/content.tex

501 lines
17 KiB
TeX
Raw Blame History

% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}
\frametitle{Who are we ?}
\begin{center}
\includegraphics[width=0.4\linewidth]{pictures/circl.png}
\end{center}
\begin{itemize}
\item The Computer Incident Response Center Luxembourg (CIRCL)
\item CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg
\item CIRCL leads the development of the open-source MISP threat intelligence platform
\begin{itemize}
\item As well as running multiple large MISP communities performain active daily threat-intelligence sharing
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{MeliCERTes II: a quick recap of the morning session}
\begin{itemize}
\item {}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Some stats about one of our MISP instance: MISPPriv (1)}
\includegraphics[width=0.45\linewidth]{pictures/misppriv-usage.png}
\includegraphics[width=0.45\linewidth]{pictures/misppriv-user-org-stats.png}
\end{frame}
\begin{frame}
\frametitle{Some stats about one of our MISP instance: MISPPriv (2)}
\begin{center}
\includegraphics[width=1.1\linewidth]{pictures/bokeh_new_org.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve}
Rising number of communities is great!
\begin{itemize}
\item \textbf{Bridge the gap} between between communities
\item Sharing with peers that face \textbf{similar threats}
\item \textbf{Reuse} of TTPs across sectors
\item \textbf{Hybrid threat} How seemingly unrelated things may be interesting to correlate
\item \textbf{Spread the love}, as our field is ahead of several other sectors when it comes to information sharing
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve}
However, more communities means more issues
\begin{itemize}
\item {Non-technical issues}
\begin{itemize}
\item Sharing difficulties in terms of social interactions (e.g trust)
\begin{itemize}
\item \includegraphics[width=80px]{pictures/firstcon-22.png} greatly help in that aspect!
\end{itemize}
\item Lots of points of contacts
\end{itemize}
\end{itemize}
\begin{itemize}
\item {Technical issues}
\begin{itemize}
\item Data might change or evolve over time
\item (MISP specific) Loads of UUIDs to manually process
\item (MISP specific) Loads of Sharing Group issues / inconsistencies
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/org-circl.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve with Cerebrate}
\begin{minipage}{0.8\textwidth}
\begin{itemize}
\item Constituencies of organisations
\begin{itemize}
\item Geographic \& sectorial
\item But also technical: CIDR blocks \& AS Numbers
\end{itemize}
\item Cryptographic key lookup for information signing
\begin{itemize}
\item MISP's protected event feature (New since MISP v2.4.156)
\end{itemize}
\end{itemize}
\end{minipage}
\begin{minipage}{0.19\textwidth}
% \includegraphics[width=0.8\linewidth]{pictures/clippy-hint.png}
\end{minipage}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve with Cerebrate}
\begin{minipage}{0.8\textwidth}
\begin{itemize}
\item Constituencies of organisations
\begin{itemize}
\item Geographic \& sectorial
\item But also technical: CIDR blocks \& AS Numbers
\end{itemize}
\item Cryptographic key lookup for information signing
\begin{itemize}
\item MISP's protected event feature (New since MISP v2.4.156)
\end{itemize}
\end{itemize}
\end{minipage}
\begin{minipage}{0.19\textwidth}
\includegraphics[width=0.8\linewidth]{pictures/clippy-hint.png}
\end{minipage}
\end{frame}
\begin{frame}
\frametitle{Issues we're trying to solve with Cerebrate}
\begin{itemize}
\item Data model customisable to adapt it to each community
\begin{itemize}
\item Based on the sheer amount of different type of communities, \textbf{it's a must}
\end{itemize}
\item Sharing group management
\item Synchronisation and lookup system
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Our attempt at solving them: Cerebrate}
\begin{itemize}
\item Open source community management and orchestration tool
\end{itemize}
\begin{center}
\includegraphics[width=0.15\linewidth]{pictures/logo.png}
\linebreak
\includegraphics[width=0.99\linewidth]{pictures/cerebrate-github.png}
\end{center}
\begin{itemize}
\item Central tool for the \textbf{Melicertes 2 project} (Co-funded by the EU as a CEF project - SMART 2018/1024)
\item Rich \textbf{Contact Database}
\item Tightly coupled management system and companion for MISP (and other tool?)
\begin{itemize}
\item Get in touch with us for integration!
\end{itemize}
\item Planned as the primary MISP \textbf{fleet management} tool
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Goals and design}
\begin{itemize}
\item Goals: Simplicity, lightweight and open-source
\item Technologies used: PHP, cakephp4, BS5, ...
\begin{itemize}
\item (almost) the same as in MISP for easier \textbf{maintainability} and \textbf{code re-use}
\end{itemize}
\item IAM centric design
\begin{itemize}
\item Tightly integrated with Keycloak
\end{itemize}
\item Core functionalities: Auditing, API
\begin{itemize}
\item Any changes should be easily accessible to counter errors or foul plays
\item From our perspective, automation and integration is essential and should be as easy as possible
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Goals and design}
\begin{itemize}
\item Built with tool integration in mind, acting as a contact database companion
\end{itemize}
\begin{center}
\includegraphics[width=0.85\linewidth]{pictures/misp-cerebrate.png}\\
MISP is able to look Organisations \& Sharing Group up in Cerebrate
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's place in a typical CSIRT software stack}
\begin{center}
\includegraphics[width=0.42\linewidth]{pictures/software-stack.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database}
\begin{itemize}
\item Contact database for the CSIRT network
\begin{itemize}
\item Common contact fields such as \texttt{UUID}, \texttt{name}, \texttt{contact email address}, \texttt{nationality}, \texttt{URL}, ...
\end{itemize}
\end{itemize}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/contact-database-1.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/contact-database-2.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{itemize}
\item Flexible system to store additional information: \texttt{meta-fields} (KV-store)
\item These \texttt{meta-fields} are part of a larger structure called \texttt{meta-templates}
\item Support of multiple templates used by various entities out there
\begin{itemize}
\item FIRST Directory
\item ENISA CSIRT inventory
\item CSIRT Constituency (CIDR blocks, AS Numbers, ...)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/meta-fields-first.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/meta-templates-first.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Meta-fields}
\begin{center}
\includegraphics[width=0.99\linewidth]{pictures/meta-template-repo.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Sharing group management}
\begin{itemize}
\item easy way to \textbf{create} and \textbf{share} distribution lists
\item Allow sharing groups to be \textbf{reusable}
\item Circumvent limitation of traditional Threat Intelligence Sharing Platform
\begin{itemize}
\item Sharing group not shared unless the recipient should received data + duplication
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Sharing group management}
\begin{center}
\includegraphics[width=0.9\linewidth]{pictures/sharinggroup.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Identity and Signing}
\begin{itemize}
\item Cerebrate can act as a trusted contact database containing cryptographic keys (PGP, S/MIME)
\item Which can be used by other application to sign and validation information
\begin{itemize}
\item Cfr MISP's protected Event feature \includegraphics[width=0.09\linewidth]{pictures/clippy-solo.png}
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Identity and Signing}
\begin{center}
\includegraphics[width=0.95\linewidth]{pictures/pgp.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Cerebrate's contact database: Open Directory}
\begin{itemize}
\item Cerebrate can be configured to \textbf{open} its contact database to \textbf{anyone} (no auth required)
\item Other tools (including other Cerebrate nodes) can use this directory
\item Basically an open bar contact lookup database
\end{itemize}
\begin{center}
\includegraphics[width=0.8\linewidth]{pictures/open-directory.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Data sharing}
Basically the same strategy used in MISP:
\begin{itemize}
\item \textbf{Connect} with other Cerebrate nodes
\item \textbf{Diagnose} connectivity issues
\item Remotely \textbf{browse} data of the other node
\item \textbf{Fetch and save} organisation, individual, sharing-group data
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Data sharing}
\begin{center}
\includegraphics[width=0.95\linewidth]{pictures/brood-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Data sharing}
\begin{center}
\includegraphics[width=0.95\linewidth]{pictures/brood-view.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Data sharing: Synchronisation strategies}
Two synchronisation strategies:
\begin{enumerate}
\item \textbf{Standard}: Fetch and save only new records
\item \textbf{Trusted upstream source}: Remote Cerebrate acts as an authoritative instance
\end{enumerate}
\begin{center}
\includegraphics[width=0.7\linewidth]{pictures/brood-edit.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Managing local tools}
Why would Cerebrate have an integration with other tools?
\begin{itemize}
\item In information sharing, it's essential to be able to attribute data to its creator
\item Traditional information sharing software stacks have to have their own organisation database
\item Why re-invent the wheel everytime?
\end{itemize}
\begin{center}
\includegraphics[width=0.2\linewidth]{pictures/software-stack.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Managing local tools}
There will enivetably be integration between local tools and Cerebrate. Why not go a step further?
\begin{itemize}
\item Cerebrate exposes a modular system to manage these local tools
\item Based on a configuration file, user interfaces can be created to visualize data and instruct local tools to perform operation
\end{itemize}
\begin{center}
\includegraphics[width=0.7\linewidth]{pictures/github-local-tool.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Connector capabilities}
\begin{itemize}
\item \textbf{Configure} a MISP instance via server settings
\item \textbf{Fetch} Organisation \& Sharing Group
\item \textbf{Diagnose} other connected MISP servers
\item \textbf{Manage} users, ...
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Connector capabilities}
\begin{center}
\includegraphics[width=0.97\linewidth]{pictures/localtool-view.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Connector capabilities}
Why do one when we can do many?
\begin{itemize}
\item Cerebrate can connect to multiple tools via its associated connector
\item Allowing local tool fleet management
\begin{itemize}
\item MISP fleet management!
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Local tool: MISP Fleet management}
\begin{center}
\includegraphics[width=0.97\linewidth]{pictures/localtools-index.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
\begin{itemize}
\item Cerebrate's main goal is to \textbf{ease community management}
\item Open dialogues to community members to request tool-to-tool interconnections
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
Cerebrate can leverage its access to local tool to reach out to tools from other Cerebrate nodes
\begin{center}
\includegraphics[width=0.85\linewidth]{pictures/tools-made-available.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
\begin{itemize}
\item Local tools can be \textbf{exposed} to other Cerebrate nodes
\item \textbf{Inter-connection requests} can be issued from one node to another
\item Following a 3-way handshake protocol, inter-connections can be:
\begin{itemize}
\item Issued
\item Accepted
\item Finalised
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Local tool interconnection via Cerebrate}
\begin{center}
\includegraphics[width=0.40\linewidth]{pictures/guys-chatting.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{MISP interconnection via Cerebrate}
\begin{center}
\includegraphics[width=0.98\linewidth]{pictures/connection_request.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What else does Cerebrate have?}
\begin{itemize}
\item Mailing list management
\item ACL system
\item Inbox system: Inter-connection requests, enrolment requests
\item Tagging
\item Update system
\item Audit logs
\item Open API
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{What else does Cerebrate have?}
Cerebrate has \colorbox{black!90}{\color{white}\texttt{dark theme}} and \textbf{{\color{blue!70}m}{\color{red!70}o}{\color{purple!90}r}{\color{orange!70}e}}!
\linebreak
\begin{center}
\includegraphics[width=0.42\linewidth]{pictures/theme-1.png}
\includegraphics[width=0.42\linewidth]{pictures/theme-2.png}
\end{center}
\begin{center}
\includegraphics[width=0.42\linewidth]{pictures/theme-3.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Current roadmap}
\begin{itemize}
\item Data signing / validation
\begin{itemize}
\item Community centric PKI
\item Enable data validation services for tools such as MISP
\end{itemize}
\item Integration with other tools
\begin{itemize}
\item Ticketing systems
\item Tighter Mailing list integration (Mailman)
\item Messaging App (Mattermost)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Thanks!}
\begin{itemize}
\item Want to integrate your tool with Cerebrate?
\begin{itemize}
\item[ ] $\rightarrow$ Get in touch!
\end{itemize}
\item Want to have a live demo?
\begin{itemize}
\item[ ] $\rightarrow$ Get in touch!
\end{itemize}
\item Want to suggest features or integrations?
\begin{itemize}
\item[ ] That's right $\rightarrow$ Get in touch!
\end{itemize}
\end{itemize}
\end{frame}
Reference in New Issue View Git Blame Copy Permalink