An overview of the past year's development in the MISP Project: new features, MISP-standard.org and new projects.
MISP is an open source threat intelligence platform used by more than 6000 organizations worldwide, ranging from NATO to national CSIRTs and private sector actors. As a technically advanced information sharing platform that caters for a diverse set of security information workers with distinct needs and objectives, MISP has to pay an equal amount of attention to the user experience in order to maximize and optimize the amount of threat information that is contributed and consumed by the different user groups. Here, we present the first step of our ongoing research, which aims to quantify and qualify the user experience of MISP.
Overview of the MISP sync process, including events, proposals and sightings, and an explanation of the recent optimisation to the blacklisted-organisation logic that makes MISP sync 500x faster.
Sighting is the art of tracking when we first/last saw an element and how many times we saw it. Sightings are voluminous, much larger in number than indicators. They are a key factor in an investigation for understanding whether something is new, old, common or unique. While trivial in concept, they are hard to scale given read/write constraints. This talk explains what has been done to power up MISP Sightings so they can be used at scale.
In order to approach the hard problem of decaying indicators of compromise, the idea is to use a content-based recommendation system as a decision algorithm based on the IoC data model and its taxonomy, together with feeds gathered by TheHive Cortex Analyzers and MISP.
Following "Master of Cluster", presented last year, the new work focuses on improving the comparison speed between malware samples. The goal is to provide this feature as a service through a web platform, freely available to all, and to serve as inspiration for comparison engines in other platforms.
Using the MISP platform to model adversary actions: how the adversary moves through the environment, what actions are taken, and which alerts are triggered and which are not. The additional knowledge gained from these exercises is used to create screenplays for active defence.
An introduction about data visualisation using the MISP-maltego transform.
This talk aims to give a thorough introduction to a new functionality added in MISP 2.4.116, allowing users and organisations to easily expire information depending on their personalised objectives and targets.
MISP, being a distributed system, enables the sharing of data between various users and organisations, often resulting in the parties involved in an exchange not even knowing one another. Whilst having access to a large trove of information is extremely beneficial for all parties involved, it can also introduce a whole new set of challenges to deal with.
In this talk, we will mainly touch on information quality and freshness, along with other issues such as trust, use-cases and interests.
This talk will focus on lessons learned during CERT.be's ongoing roll-out of a national MISP, embellished with musings on the history of CTI and the (perhaps quixotic) quest for open and interoperable standards for CTI exchange.
Based on working with multiple intrusions, the one thing that often fails in larger organisations is the Containment and Eradication part. It is often hard to coordinate a joint containment plan that will work across multiple platforms, systems and customers, combined with change management, and to get all of these parts tied together and implemented within a time period of less than 30 minutes.
The talk will cover how the usage of MISP can assist in this part of the incident response process, allowing the IR team to be much more in control of both large and minor incidents within the Detection & Analysis and Containment and Eradication phases.
Combining visit statistics from different sharing partners with domains from DGArchive, we leverage machine learning to pre-filter suspicious domains for further annotation and correlation in a dedicated MISP instance. This open source stack allows us to pinpoint domains which are most likely generated by a domain generation algorithm (DGA).
In today's cyber security world, SIEM vendors charge large amounts of money to enrich your logging information with the "latest" threat intelligence, which turns out to be simply open source threat data. The purpose of this talk is to show how to put the SIEM vendors out of business... No really... by combining MISP as your open source threat intelligence and threat data feed aggregator with ElasticSearch as your open source logging setup. SIEM doesn't have to be expensive or complicated, and it should be obtainable for all!
WHIDS is an open source EDR-like tool currently under active development. During this presentation I will present the tool itself to the MISP community. Then I will introduce how we enhanced the detection capabilities of the tool by integrating it with MISP. The source code of the new release integrating with MISP will be released following this talk.
During this presentation EclecticIQ's Aleksander Mancic and Peter Ferguson will demonstrate how EclecticIQ Platform integrates with MISP. Attend and learn how:
* EclecticIQ Platform customers can be part of the MISP community
* MISP intelligence can be made more actionable with EclecticIQ Platform
* Both MISP communities and EclecticIQ Platform customers can share intelligence with even more systems
The next version of TheHive will add two major features: multi-tenancy and role-based access control capabilities. It will also include a brand new graph-based data model. Users will be able to define multiple organisations in their instances.
This presentation will describe the impacts of these features on MISP integration and what we can hope for the future.
This talk describes our idea of a platform for handling threat intelligence from source to end user. This consists not only of actionable IOCs but also of offensive knowledge and detection rules. In order to implement this idea, MISP is used as the central database for storing, exporting and querying the data.
What happens when you want to scale MISP? You end up with HAMISPA!
In this talk we'll cover how we developed a platform to be highly available and resilient, explaining how, and why, everything was put together to provide a collaboration platform for users all around the world using several AWS technologies.
We'll also demo some chaos happening in the platform, and how it responds to these events.
If you have some doubts about cloud computing, this talk might change your mind.
What's next in the MISP Project?