10:05
10:20 (20min)
A preliminary user experience evaluation of MISP (Work in Progress)
Borce Stojkovski

MISP is an open source threat intelligence platform used by more than 6000 organizations worldwide, ranging from NATO to national CSIRTs and private sector actors. As a technically-advanced information sharing platform that caters for a diverse set of security information workers with distinct needs and objectives, MISP has to pay an equal amount of attention to the user experience in order to maximize and optimize the amount of threat information that is contributed and consumed by the different user groups. Here, we present the first step of our ongoing research that aims to quantify and qualify the user experience of MISP.

Hollenfels
10:40 (20min)
MISP sync process (or How to make MISP sync 500x faster)
Richard van den Berg

Overview of the MISP sync process including events, proposals and sightings. Explaining the recent optimisation to the blacklist organisation logic making MISP sync 500x faster.

Hollenfels
11:20 (20min)
Scaling Sighting
Sebastien Tricaud

Sighting is the art of tracking when we have first/last seen an element and how many of them. They are voluminous, much larger than indicators. It is a key factor in an investigation to understand if something is new, old, common or unique. While trivial, they are hard to scale given read/write constraints. This talk explains what has been done to power up MISP Sighting in order to be used at scale.

Hollenfels
11:40 (20min)
A Content-Based Recommendation System for Indicators of Compromise Life Cycle
Rocco Di Domenico

In order to approach the hard problem of the decay of indicators of compromise, the idea is to use a content-based Recommendation System as a decision algorithm based on the IoC data model and its Taxonomy, together with feeds gathered by TheHive Cortex Analyzers and MISP.

Hollenfels
12:00 (20min)
...And performance for All
Andrea Garavaglia

After "Master of Cluster" presented last year, the new work is focused on how to improve the comparison speed between malware samples. The goal is to provide this feature as a service through a web platform, freely available for all, and also to be inspirational as a comparison engine for other platforms.

Hollenfels
12:20 (20min)
Modeling adversary actions and defense with MISP
ONE, m3c4n1sm0

Using the MISP platform for modeling adversary actions: how the adversary is moving through the environment, what actions are made, and which alerts are triggered and which are not. Additional knowledge from these exercises is used for creating screenplays in active defense.

Hollenfels
13:00 (20min)
Visualizing MISP and ATT&CK data in Maltego
Christophe Vandeplas

An introduction about data visualisation using the MISP-maltego transform.

Hollenfels
13:20 (20min)
The new indicator scoring method introduced in MISP 2.4.116
Sami Mokaddem

This talk aims to give a thorough introduction of a new functionality added in MISP 2.4.116, allowing users and organisations to easily expire information depending on their personalised objectives and targets.

MISP, being a distributed system, enables the sharing of data between various users and organisations, often resulting in the parties involved in an exchange not even knowing one another. Whilst having access to a large trove of information is extremely beneficial for all parties involved, it can also introduce a whole new set of challenges to deal with.

In this talk, we will mainly touch on information quality and freshness, along with other issues such as trust, use-cases and interests.

Hollenfels
13:40 (20min)
Dr. StrangeSTIX or: How I Learned to Stop Worrying and Love the MISP
Trey Darley

This talk will focus on lessons learned during CERT.be's ongoing roll-out of a national MISP, embellished with musings on the history of CTI and the (perhaps quixotic) quest for open and interoperable standards for CTI exchange.

Hollenfels
14:20 (20min)
Utilizing MISP in your Incident response plan
Dennis Rand

Based on working with multiple intrusions, the one thing that often fails in larger organisations is the Containment and Eradication part. It is often hard to coordinate a joint containment plan that will work across multiple platforms, systems and customers, combined with change management, and get all of these parts tied together and implemented within a time period of less than 30 minutes.

The talk will cover how the usage of MISP can assist in the Incident response process, allowing the IR team to be much more in control on both large and minor incidents within the parts of Detection & Analysis and Containment and Eradication.

Hollenfels
14:40 (20min)
DGA-Detect: Using Machine Learning for Collaborative DGA Detection
Tammo Krueger

Combining visit statistics from different sharing partners with domains from DGArchive we leverage machine learning to pre-filter suspicious domains for further annotation and correlation in a dedicated MISP instance. This open source stack allows us to pinpoint domains which are most likely generated by a domain generation algorithm (DGA).

Hollenfels
15:00 (20min)
ElastiMISPStash - Threat data enrichment for the masses!
David Thejl-Clayton

In today's cyber security world, SIEM vendors charge large amounts of money to enrich your logging information with the "latest" threat intelligence, which, it turns out, is simply open source threat data. The purpose of this talk is to show how to put the SIEM vendors out of business.... No really... Combining MISP as your open source threat intelligence and threat data feed aggregator with ElasticSearch as your open source logging setup. SIEM doesn't have to be expensive or complicated and it should be obtainable for all!

Hollenfels
15:40 (20min)
WHIDS integration with MISP
Quentin JEROME

WHIDS is an Open Source EDR-like tool currently under active development. During this presentation I will present the tool itself to the MISP community. Then I will introduce how we enhanced the detection capabilities of the tool by integrating it with MISP. The source code of the new release integrating with MISP will be released following this talk.

Hollenfels
16:00 (20min)
Discover how EclecticIQ Platform and MISP go together
Aleksandar Mancic, Peter Ferguson

During this presentation EclecticIQ's Aleksandar Mancic and Peter Ferguson will demonstrate how EclecticIQ Platform integrates with MISP. Attend and learn how:
* EclecticIQ Platform customers can be part of the MISP community
* MISP intelligence can be made more actionable with EclecticIQ Platform
* Both MISP communities and EclecticIQ Platform customers can share intelligence with even more systems

Hollenfels
16:20 (20min)
TheHive 4 and MISP: What's new?
Jérôme Leonard

The next version of TheHive will add two major features: multi-tenancy and role-based access control capabilities. It will also include a brand new graph-based data model. Users will be able to define multiple organisations in their instances.

This presentation will describe the impacts of these features on MISP integration and what we can hope for the future.

Hollenfels
17:00 (20min)
Threat Intelligence Contextualized Knowledge base
Jeroen Klaver, Leandro Velasco

This talk describes our idea of a platform for handling threat intelligence from source to end user. This consists not only of actionable IOCs but also offensive knowledge and detection rules. In order to implement this idea, MISP is used as the central database for storing, exporting and querying the data.

Hollenfels
17:20 (20min)
Introducing HAMISPA - High Availability MISP in AWS
Tiago Faria

What happens when you want to scale MISP? You end up with HAMISPA!

In this talk we'll cover how we developed a platform to be highly available and resilient, explaining how, and why, everything was put together to provide a collaboration platform for users all around the world using several AWS technologies.

We'll also demo some chaos happening in the platform, and how it responds to these events.

If you have some doubts about cloud computing, this talk might change your mind.

Hollenfels
17:40 (20min)
MISP Project future
MISP Project

What's next in the MISP Project?

Hollenfels