So now let me get to the next talk. It is the MISP threat sharing platform. It's a security-related topic, and we have a speaker here. He's a security person all over: it's his day job, working in security research and incident response, but he also commits quite a lot of the rest of his life to it, working with several organizations and also organizing a security conference in Luxembourg, hack.lu. So yeah, he spends a lot of time with security and computers, and when he doesn't, he also likes photography, I've heard, and also some organic hacking in his garden. But yeah, this talk is about security, I guess that's what you are here for, so give a nice round of applause to Alexandre.

Thanks. So good afternoon, everyone. It's great to be here today, and I'm really glad we have some people; not everyone went to the lock-picking talk. It's a good move. So today we'll talk about information sharing. What I'm doing as a day job has, I would say, two main parts. One is incident response: I do work for CIRCL, which is a computer incident response center in Luxembourg; we take care of incident response for the economic sector. In parallel, I'm one of the core team members of the MISP project. The MISP project is open source software for doing information sharing, and I will talk about information sharing and the aspects of it.

So the first thing: they say there is always a bright side of the story and a bad side of the story. So today I will do two things: only one slide on the bright side, and then I will talk about all the mess, the shit that happens, you know, all the bugs, errors and mistakes that we made, because basically MISP has been built from that. Currently MISP is quite a successful project at CIRCL. We use it for sharing information with more than 750 organizations worldwide. We have more than 1500 users using the platform daily, so actively using, sharing, commenting on some of the platforms.
So it's quite successful. The thing is, for CIRCL, MISP is just a tool that we maintain to be able to sustain what we are doing; that means information sharing, incident response, and basically collaborating on incident response. Besides the tool itself, we do a lot of those things that are linked to MISP, which is the libraries and so on; I will go into detail later on. What we try to do, and that's why I'm here today, is to share with you what we do, and then we can see if the information sharing aspect could be used in other fields, not only information security, but maybe for, I don't know, spotting feds at a conference. Maybe that would be a way to do it too. So that's the bright side of the story. Now, the reality is a bit different.

When we started MISP, it was in 2012, five years ago. We made a lot of mistakes. Our first mistake in 2012 was basically this: as a CSIRT, we do collaborate with other CSIRTs. That means on a regular basis you go to meetings, you share information about malware that you are doing reverse engineering on. But we were a bit surprised during one of the sharing groups. So we had a sharing group in 2012 in Europe, in Brussels, and what we discovered is that, basically, we were not able to share in advance what we are working on. So basically we had two different CSIRTs in two different countries working on a targeted malware, not together, so standalone, and then after two months you basically discover that we were working on the same malware. So it was basically a huge gap, I would say. And it was kind of a pity, because basically everyone in the different CSIRTs had software engineering capabilities. We could do programming.
We could code tools and so on, but we basically were not able to start with a tool for sharing. So at that time Christophe Vandeplas, who did work at the Ministry of Defense in Belgium, did a project called CyDefSIG at that time, which was a kind of pre-version of MISP for doing information sharing. And that's where it started. It's basically on our own mistakes: we discovered that we should build a tool, and MISP is basically built like this. It's basically getting feedback from users, people contributing back, and then we improve the platform. So MISP is not at all built like, you know, those huge waterfall models, tons of documentation and paper that no one reads. We design software based on the requirements of users on, I would say, a day-to-day basis. So that means if an issue pops up in GitHub, we try to figure out which one is really useful for information sharing and then we incorporate it. So nowadays MISP is basically really a community-driven project, because basically everyone is completely contributing to this project. And you'll see that it's kind of a bit paradoxical, because MISP is used by the military sector, CSIRTs, intelligence services, but it's also used by civil society, by malware reversers and so on. So it's a very large scope of different users, and based on those different users...

We started with our core users, what we do every day. That means malware reversers, people doing reversing of malware. So those users, and I'm included, like to stay on, you know, a terminal-based interface. I don't want to go to graphical user interfaces that are complex and so on, and this drove a lot of the MISP development. It's really based on what we want to have as those platforms, to make it work for us and to not be, you know, born with a complex user interface and so on. But the thing is, the more people were using the platform, the more information we were putting into the platform.
We have seen that other people were interested in the platform. So when you start to share malware samples and, for example, reverse the sample, so the information, the indicators of the samples, other people came and said, yeah, but you know, those indicators might be useful for detection, might be useful for tracking down the attackers and finding back the information and so on. And over the years more and more people were basically starting to use MISP platforms, and nowadays, I don't know, we know that around the world there are around 3500 MISP installs, different communities, trusted groups. So you see that it's a very versatile group of people. And up to recently, we start to have more and more people using MISP to share information about fraud, or financial frauds like bank accounts and so on. So you see that MISP initially started as a very small project and grew organically to something that's more usable to different groups of users.

But this comes with big issues. The people sharing the information have different objectives. When you share information, you might share for detection, and that's usually our use case as a CSIRT: we want to know if a constituent is compromised, has been already compromised by an attacker, an adversary. But some of the users, imagine an internet service provider, sometimes they provide, you know, those security services where they want to block, for example, phishing web pages. But if you use MISP to share phishing web pages, sometimes you want to notify the organization hosting the phishing pages, but sometimes you have this kind of thing that is used for blocking. So you see already a conflict of interest. It's basically a conflict between blocking things, meaning that if you have false positives on blocking, it's not very good, but if it's only detection and you have a small rate of false positives, it's still fine.
So you see that you still have a very conflictual way of using the information. So sharing in one spot: you have different communities of people sharing, but the objectives of those communities might become really different, and then you end up in such kind of conflictual things. Then you have other groups of people that are very interested in gathering the data, to compare the data, but they don't really care about, for example, false positives. They are even eager to get false positives, because they do intelligence analysis of the data itself. So you see that you basically have three different objectives, but you developed a platform that can be used for the three objectives. So for all the features in MISP we try to accommodate those kinds of things, and it might be conflictual sometimes. But that's just one part, the technical problems.

Then you have, I think, the biggest part of the problem when you do information sharing: it's the social aspect of it, the human aspect of information sharing, and one of the big ones is the social interactions. I mean, if you have CSIRTs sharing information, would you share information between the Hungarian CSIRT, the Chinese CSIRT and the US CSIRT? Do you trust those organizations, or do you evaluate the trust, what kind of information you can share, what they will do with the information? That's very complex. We try to accommodate the platform to support such kinds of things, but you will see that at the end it's always a human problem. So it's a challenging one. For the more than five years that we are doing it, we discovered many things, but especially a lot of things from the human side and all the interactions with sharing information. Another problem that we have seen very often, and I think it was in the past, is the legal restrictions.
It's the legal side, or the legal framework, that blocks you from sharing information. And that's a major problem, because a lot of people are afraid of sharing due to the legal restrictions in their countries, in the region of their organizations. So it might be one of the biggest challenges. I have a little story about that. It was another mistake that we made and that we solved at the end. For the community that we run, initially we had one of those four-page end user license agreements explaining how you could share information and so on, and we had some companies joining the project as a community, and at one point a large US company read the document, and the lawyers looked at it and said, you know guys, this document is nice, but we want to change this section and this section and these sections. But you know, if you have a trusted community to share information and you have a different contract, it will not work. So we were thinking about it and we were like, yeah, maybe we are on the wrong track, on the wrong side. So we basically ditched the end user license agreement. Our lawyers were like, what, what do you want to do? So we were a bit scared, but we changed the model and we basically said: no more license agreement, just two simple things.
You have to respect the classification of the data, and you are responsible for your own data. That's it. And after that, it was much easier to get people in, because they don't have to involve their legal teams, or only on very minimal things, to review a document, because we have no document, just basic rules that are linked to how to use the information and the platform. So you see, sometimes legal restrictions can be double-sided. If people are interested we can talk later on outside the talk, because it's a huge discussion about GDPR and stuff like that. But we have some, I would say, pre-defined templates on how to use it, so we are on kind of good ground on it.

And then you have additional practical restrictions that limit you from sharing information, and we try to solve those kinds of things in the MISP platform. Like "we don't have information to share": sharing information is not only the information itself that you want to share, but the validity of the information. So some organizations did not understand that they could share, for example, a flag saying, oh, I know this information, I've seen this information, or I trust this information, and so on; it's a way of sharing information. So a lot of organizations think "I have nothing to share", but on the other hand they have a lot of information to share that could be useful for the community. So that's quite interesting, because over time we have improved the tools based on this kind of limitation that we have seen in, I would say, the past years. Since, if you want to tackle security incidents and you basically want to be better than the adversaries, and we are still not better than the adversaries, the best thing is to share at least more, or at least a bit smarter, because, you know, adversaries are sharing a lot.
I'll just take an example: Five Eyes, UK, Australia, US, they are sharing quite a lot. They basically have access to each other's data automatically, and you can share the information to defend yourself. It's a pity. So that's why, for us, if you share information as early as possible, even at a small scale, you might be better protected, and the sharing part is really the point, but it's tough. It's not easy to do.

So going back to MISP itself. The MISP project itself is quite large nowadays. So you have the core project, which is the back-end supporting the API, the user interface; it's a mix of PHP and Python. And then you have additional projects that are sub-modules in Git for the different projects. One of them is modules in Python, so you can expand the user interface, you can expand the import/export functionalities of MISP by writing simple Python modules, so you don't have to know the core of MISP. So it's one way to do it. Then you have additional things that popped up later on. For example, taxonomies came later, because we discovered that a lot of people are talking about classifications, but, you know, it's very nice Word documents about classifications that no one wants to read. It's not machine-readable, they are not common, so it's a complex thing. So we started to have libraries of the common classifications, and I will go back to that part. It's quite important, because if you cannot classify an incident, you don't know exactly what is behind it. Then you have warning lists, stuff like false positives. You want to know in advance if it's a potential false positive; we share such kinds of lists in advance, so you can even use it in MISP and in other tools. All the things that I am talking about here are open-source software. The libraries are even released under public domain licensing, so you can even reuse them in your own tools and so on. We do the same with the galaxies. It's all the threat actors.
So we start to have vocabularies about the adversaries, the different threat actors, or even the countermeasures that you want to take against specific adversaries.

So to summarize MISP itself in generic terms: it's just a platform to store indicators of compromise, threat indicators, and it's open-source software. You have core functionalities that make the software interesting to use on a day-to-day basis for operational teams, security teams. One of the most important parts is the automatic correlation. Basically, when you start to share information, you want to know if you have duplicates, if other people are sharing the same information, if an adversary is sharing the same back-end infrastructures and so on, and you have a lot of things like collaborating and so on that are key to doing information sharing. Then we are an open-source project; we don't lock people into a kind of closed service. People can get the data in and out as much as they like, and MISP itself has kinds of functionalities for using the data. So for example, if you enter an IP address into MISP, automatically you have an API where you can export it into Bro, Snort format, Suricata; you can export it into RPZ format if you are doing blacklisting in DNS servers, or sinkholing. So really MISP is designed to do import/export as much as it can, and I will explain later on there's a feed format that you can use to do synchronization with external data and so on. And as I said, MISP is built on basic trial and error. We don't have very long-term roadmaps, but the thing is growing, I think, at the rate of the real use cases and so on.

So the main part of MISP is the sharing aspect. As a CSIRT, what we have seen is that a lot of models in security are based on commercial models, where you have a producer and a consumer.
We basically think that is the wrong way to do it for sharing information. If you want to share information, it should be two-way in any case. It's not forced to be two-way, but you should be able to do it. So in MISP you don't have any core producer or key consumer, but everyone can be a consumer and everyone can be a producer. So if you have a MISP, you see the gray one here, basically you have a MISP instance, you create an initial event, and then, depending on how you set the distribution, the event will be propagated to other MISP instances. So you can add additional attributes. For example, if you see an IP address that is wrong, you can propose to the editor that, oh guys, I think you made a typo on the IP address there, and it's very common. I mean, for a huge report containing tons of MD5 hashes, IP addresses, URLs and so on, you have typographic errors, you have mistakes and stuff like that, because it's the analyst at the end. So that's the way that MISP works: everything that you share could be duplicated, contributed back and sent back to the original contributor, and that's very important for us. Another point is that everyone should be able to contribute, not only highly technical people but support staff, or people that are just basically doing face-to-face interaction with users and so on.

And then the thing is, MISP has a simple concept of attributes, which, if you generalize, are like indicators, but it goes a bit further than that: an attribute is always filled with a context around it. And then those indicators could be vulnerabilities, could be financial indicators and so on, so it's quite flexible. And all attributes are solely based on usage.
So we don't follow, you know, a huge consortium thing where you should use this attribute and this one and so on; it is only based on people and what they really use. So if we are in Luxembourg, you know, there are a lot of banks. We got a lot of requests from banks to have a way to share financial indicators. So we basically extended MISP with financial indicators. If you have to wait for a standard to expand this kind of attribute type, it might take months or years to be in the standard. In MISP it's a bit different: you can generate new attributes, and as long as you have the up-to-date version of the software you can share this information. That's basically it. In MISP you can even, and it's not anymore in the next release, it's in today's release, you can even add and create adversary groups, you can create your own community of information that you want to share, and those can be internal, that you keep for yourself, or can be external and you share with third parties.

So contributing data to MISP, you have various ways to do it. As I mentioned, initially it was malware reversers, so you like to use a CLI, a console interface. So you have a full-blown API. For the ones using Viper, for example, you can have full-blown Viper modules to do interaction with MISP, and you can stay in Viper, do everything from there without going to the web interface. If you hate the web interface, it's fine, you can go there, and you have plenty of integrations with sandboxes and so on, a lot of proprietary ones, but open source ones too, like Cuckoo, for example. And we have other ways to contribute: people can do sightings.
I will show an example. One of the things that we have is a free text import. This one is quite interesting. You know, when you do incident response, very often you receive an email from someone, an email containing information like, oh, you know, I got those indicators, I don't know if I can share them, but I will give them to you, you should have a look. In MISP, you have a free text import tool. So you just paste the whole text, it could be anything: emails, PDF conversions, anything, and automatically MISP will try to figure out if those are potential indicators, and if those were indicators you have a kind of resulting point where you can already see correlations, so you know if you know about it or not, and if not you can just create an event. So even in MISP you can create events very quickly. We have an API extension in MISP where you can basically use a spam trap and automatically send all your spam to MISP and do correlation and so on. So you can use MISP in different ways. Some people are doing that, we are doing that, for some kind of what we call playground or junkyard MISP. So it's an easy way to collaborate, and in this way you can still have your flow of information from emails and automatically check if you have any MISP data. If you don't, you create an event; if you know the data, you don't create an event. That's straightforward. It's one of the functionalities, but I will not go through all the functionalities.

Another thing that we have seen is that some people are willing to share, they really want to share, but they don't want to share their name. I'll take a random example: you are a huge bank, you want to share information, but you don't want to have your name associated with this event. So you don't want to link your name back to this incident, sometimes for good reason, because some people might think that this bank, if you share the information, has been targeted by this malware, which is not usually the case, but it could be the case.
So there's a way in MISP where you can delegate the publication. So instead of the bank itself, they ask a third party to do the publication for them. So for example, the bank can delegate the publication to CIRCL, and us as CIRCL, we can review the information, we can discard it or we can publish it. So it's a kind of way to do pseudonymity. So you can still share information, you know, it's your information, but it's under a different name, so you don't have the kind of, you know, feedback. But at the end it's still the one publishing that gets the responsibility for publishing the information. There are a lot of different ways of sharing information in MISP, where you have sharing groups, you can even share per organization and so on if you want, and later on we can do a demonstration together and you can have a look at it.

Another thing that we have is the sightings support. So sightings is a way to say that you have seen something. So in MISP you have attributes, and you can basically just click like a like button or dislike button to say that you have seen this information. It's a way to contribute without sharing the indicators. You can basically say, oh, I've seen that too, or I don't like this one, because this one is a false positive on my side. And then you can have a history of all the contributions, of activities and so on. It is very useful: if you take some Russian actors, for example, they tend to reuse infrastructures, but at very regular intervals they switch off their infrastructure to make it look like, oh, it's taken down, it's fine, but three months later they come back. With the sightings support you can see such kinds of stable infrastructure that are basically appearing and disappearing. You can export the data, you can automatically do it from an API. So for example, you have an intrusion detection system that can automatically set the sightings, and you can see that the indicators are within your infrastructure.
So sightings are quite extensive in MISP; you have many use cases. And I know some users using it in a different way, for example at some teams, "I've seen it", or some tools within the organization, "I've seen it". For example, if you have honeypots in the infrastructure, you can basically use it for basically saying that you have seen it too. So it's quite interesting, and then, automatically, this is linked to the tagging that you use, the classification and so on: you can automatically see if a specific threat actor is coming back, and that's a way to basically track down what's going on in your indicators.

Another thing that we introduced. So it's another mistake that we made in the early version of MISP: we had what we call tagging. So everyone could tag an event, just add a tag, a specific tag, to an event, but this one was a complete disaster. I mean, I don't know how many different ways I've seen Traffic Light Protocol TLP white, for example, written. So you have TLP colon white, TLP space white, TLP dash white, or white, or just TLPwhite together. So it was basically a complete disaster. So what we discovered is that if we will have taxonomies and classifications, they must be globally known by everyone and use the same terminology. So we looked around on the internet to find out, you know, all those complex RDF models and so on. They are all very nice on paper, but practically it's crap. I mean, you cannot use it. You can use it for some machine-to-machine things, but not if you want to have it used by humans. And then we found back something done by a guy from Flickr, at that time, in 2004, called triple tags, and it's basically machine tags where you have a namespace, a predicate and a value. It's very simple. You can still read it as a human, but it's parsable by your machines. So we decided to have libraries of taxonomies describing the same format. So for the ones that are familiar with the Admiralty scale...
It's a scale in NATO to define the source reliability, for example. So you see that in one simple tag you can say that this is an Admiralty scale and the source reliability is fairly reliable, you have C, and you have an expanded version that is human-readable. That's it. There is no complex XML format, so you don't have to have an RDF parser and so on. That's it. We introduced that, I think, more than two years ago, and nowadays we have tons of taxonomies. So the nice thing with it within MISP itself is you can basically classify the information. So for example, you have estimative language, you might have stuff like Europol incident classifications, ENISA and so on, and you can automatically see in the platform what are the most commonly used tags and see which ones are used for classification. And it's a nice way to find out, I mean, all the information, because the problem with cyber security indicators is that you might have tons of indicators per day, but you don't know what kind of information they're related to. So that's quite important. So what kind of taxonomies do we have? We have tons of NATO classifications, we have the Traffic Light Protocol for the ones who don't know it, we have some specific ones that we built, like the open source intelligence one with the classifications, very specific ones, and people can contribute. It's a very easy way to do it: you have JSON files, and those classifications are even reused in other platforms. All open source, very easy to use. An example here: Locky ransomware, indicators about a Locky infection.
You see that you basically have the organization that contributed it, and you have the tags that are basically the classifications of the ransomware. And the nice thing with it is that, as those classifications are globally shared among the different users, they basically rely on the same definition of the terms, so you can easily find out, okay, the same terms. And in information sharing there is an important part: a lot of things are done by imitation. So an analyst imitates another analyst. So the better you do classifications, you see other analysts like, oh yes, this classification is correct, I will use it too, or they start to tell you that this one is not specific enough, and then you improve it. And what we have seen over the five years, I mean, we have seen initially that events had one, two or three tags; nowadays you have tags at attribute level, event level, and you have sometimes between 10 and 20 tags on a specific event. So you see that the classification itself improved by people using it. So that's very important for us.

Something else that we do: you know, on the internet you have tons of OSINT feeds, so you can basically get CSV files at random places about malicious IP addresses, phishing websites, whatever. So in MISP we did a feed system where you can basically just point to a new URL and say, okay, this one is CSV, it's free text, just like the free text import, and automatically it will find out the attribute type and you will find the existing correlations. And that's quite nice, because you can basically see the correlation automatically from a MISP event without ingesting this event. Another thing is, when you have this kind of thing, you can even automatically correlate the information from un-ingested information, so this information is still not in your MISP, but you can see if you have correlations. An example that we had: when US-CERT did the report about GRIZZLY STEPPE, the Russian activities, the first thing that we did was put it into MISP to see the
correlations, and we saw tons of correlations with Tor exit nodes. So even if the report was not saying anything about that, you see automatically the correlations with the Tor exit nodes. So is the report useful or not? It depends on the thing that you do with it, but at least you can automatically see that those indicators were part of Tor exit node feeds. By default we have like 30 or 40 default feeds; you can add yours, it's a simple JSON file too.

And we saw a talk from Alex Pinto, I don't know if some people know Alex Pinto. He did a project called MLSec where you want to measure security, and he has this one, you call it the TIQ-test, which is a test for testing a threat feed: so what is the quality of a feed? So we came with an idea: well, if we connect, import those feeds, we can compare them, we can see how much those different feeds overlap. So in MISP you have what we call an overlap thing. I don't know if you see it from here, but it's basically a matrix. You have all the feeds that we import, and you can see the ones that are overlapping with others, somehow basically telling that they are aggregating information, which is fine, but some are trying to sell you feeds that are basically coming from other feeds. So it's an easy way to quickly see, okay, does it work to basically acquire this feed, because it's composed of this OSINT feed, for example. So it's an interesting way. Over time we want to improve that to have a kind of timeline visualization. So in addition to the overlap matrix we can see the evolution: so where the data is coming from, which feed is gathering the data, and then to which other feeds it is moving. So it's one of the benefits of using the feed part. So we have discovered that some people are using MISP just to do purchasing of feeds. So they just ask for a proof of concept from some vendors, they acquire the feeds, and then they just compare them to see, oh, it looks like okay.
It's one use of it. We didn't think about that one at the early stage, but it's a way to do it. So some use cases where information sharing already helped. Very often I hear a lot of people that want to share after the incident is finished. They say, okay, I have a nice report, it's packaged, I want to share. But I think it's a complete mistake. We had a very interesting case: it's a bank that wanted to share information, but they had no resources, no reverse engineering team and so on, so they basically used MISP to push an event with a binary that they found on their infrastructure that they didn't know about, and just, okay, if someone wants to have a look, have a look. So sharing early, in a pre-investigation phase, is something that works. It's something that we didn't think about initially, but it's a way of getting information, especially if you have a large community of malware reversers. A lot of people, what they want is fresh malware. They want to have, you know, things that they want to look into, new interesting things, and doing this kind of early sharing is usually much better than basically laying back and waiting to share the information.

Another thing that we have seen is, in MISP you can share, between brackets, those "cyber security indicators", so IP addresses, hashes of samples and so on, but you can also share bank account details, where the information is going to. So we discovered, for example, that some kinds of malware are buying the same, sharing, mule networks. So you see that you can link and make the ties between the malware use case and which cyber criminals are buying the mule network, because usually mule networks are not so diverse and they have to buy the services to support them. Another thing that we discovered, I'm pretty sure that every one of us has seen it: it's fake invoices.
You receive a paper at your place asking you to pay an invoice, and this invoice is basically a fake one. What we have seen is that the bank account details in those fake invoices are usually the same ones used for the mule account. So you see a tie between the mule account, the fake invoice system and the malware for the banking systems. So it's quite a lot of interesting things.

Another thing that we discovered: when you share information you must share regularly. If you just share once, you know, in a year, it's interesting but not so much. If you share, for example, I know, Locky ransomware every day and so on, you start to see regular or stable infrastructures. We discovered some core C2 of some malware and some attackers based on that. So we found basically the stable infrastructure inside a complex infrastructure. So it's very important that you share regularly; the more people are sharing regular information, the more you can find back those kinds of things. So as an example, I have one here. This one is a Locky ransomware where we get a lot of malicious websites, so it's a huge mess. They use compromised machines and so on, difficult to find. This is another Locky ransomware; we found the exploit kits and their infrastructure, and it was like, okay, but this one single point, this machine, was basically the one that the attacker used for testing his infrastructure, and it was the core one. So it's quite interesting. So the more you share the information, the more you see those stable systems. So it's like, you know, in biology: at some point when you do a lot of long-term monitoring you start to see some stable things in your infrastructure. Same here, because, you know, biology and cyber criminals are usually not far away from each other.

And that's for me the most important part: MISP is just a tool.
So for us information sharing is just practices, and every day that you make mistakes when sharing information you can improve the process and other things. For us it is very important, the imitation aspect when you share information and so on. So for us information sharing really comes from practices and what you are doing. So MISP is just a tool. It's an open source tool; glad that a lot of people are using it. So don't hesitate to provide feedback, test it; on the GitHub pages you'll see you have many sub-projects. And the thing that we want is, at some point, we want that MISP works like what the attackers are doing. They are sharing, they have their tools for sharing and so on, and we want to mimic at some point some aspects of what the adversaries are doing, to at least behave like them for some good sides, I mean the defense aspect.

And another thing is the information overflow is usually what people are afraid of, but if you can filter and classify information as early as possible the overflow becomes an advantage, because you know where information is coming from and you can automate things. For example, we do takedown requests automatically from things that we get, so if we get an incident or report containing, I don't know, 2000 URLs of compromised machines, we automate the takedown requests, so we send notifications and so on. We have a full tool that belongs to the MISP project where you can basically do the takedown notification.

So that's basically it for me for today. If you have any questions... For the community that we run at CIRCL, if you want to join, feel free. As I said, the MISP GitHub page basically contains all the sub-projects and so on, and the MISP project page usually explains what you can get with MISP.
You have for example the installations, the VirtualBox image, if you want to test it out. We have a MISP summit, it's the third one, before the hack.lu conference, and we do an open source security hackathon the day after hack.lu. All the core team from MISP will be there, so if you want to join you're more than welcome. So thank you, and if you have any questions, feel free. Thank you very much.

Yes, thank you very much for this interesting talk. We have questions, I see, great. Come here.

Yeah, good, actually I have two questions. First question is: how do you make sure that people that are sharing information have the same level of knowledge, so that you don't get crap fed to you? Do you do a training before that explains to people what is the basic thing that they need to share? I mean, how do you process this?

That's a very good question. It's a large one, because the thing is, yes, two things. Yeah, you're knowing the capabilities of different teams. That's why we have a classification now that we created recently to evaluate the capabilities of a specific team, so you can even bind a specific organization to a tag, and this tag is a classification. We do training in Luxembourg where people come over, and when people come over to us we basically classify them in our MISP, knowing those ones, and they join our community. But it's indeed one of the biggest problems, because a lot of organizations might have an initial bootstrap to learn how to share information. So it's a difficult one, but the thing that we try, and I think it's the same for, between brackets, open source contributions: when for the first time you get a pull request from someone that you don't know, usually they try to do something, but it basically fails. So we try to catch those ones and to explain to them, okay.
I've seen your event that you try to propose, and then we add comments; we do proposals in MISP, you can do proposals on the event. So what we try to do is basically learn how to explain to people how to use the platform, but it is indeed one of the biggest problems that we have, the bootstrap of the analyst itself, because they are all at different levels.

And I have a second question. Yeah. MISP is definitely a great tool for information sharing. What about the incident response, the whole full cycle of it? Do you plan to get that into MISP, or to use other...?

For example, we have a very tight work with TheHive, I don't know if you know the project. The project is done by Banque de France; it's an open source project. They have a MISP connector for import and export, so it's more like a threat hunting platform, to do, like you mentioned, the hunting aspect as an open source project. We don't compete with them; we even collaborate with them. So it's not impossible in the future that basically when you install MISP you will get a bundle with TheHive, Cortex and so on, so you can get the full chain: the sharing aspect, the collection aspect and then all the chain for threat hunting and so on. Which is indeed a good point, but we don't want to cripple MISP with tons of features. We want to keep it at what it is good at: sharing. We might go a bit more into the analyst aspect, estimative language, classifications, like you said that not everyone has the same capabilities, so we want to improve that kind of analyst thing. That's the thing that we are targeting in MISP, and to diversify the object types. In the next two weeks we will release a new version with the MISP objects, to basically be able to share completely new objects that are combined objects with things that you can even create yourself. But that's the core focus for MISP.
So that means the current platform and so on, we usually recommend to bundle it with TheHive, and TheHive imports and exports, and you can share back what you did in TheHive. Thank you.

Okay, microphone in the back, please.

Yeah, I also got two questions. First is: is MISP import on the list anytime soon? MISP import? STIX, STIX import, sorry.

Okay, so we have already some STIX import in the MISP TAXII interface, so it's basically an external project. The problem with STIX, and I didn't want to talk about STIX because it's a standard, but STIX itself has a lot of major limitations, especially the version 1.1. So we basically have this kind of import in the libraries, we have the support in the TAXII interface, external, but it's really depending on which tool generated the STIX format, because all STIX formats are different between each tool. So for us it's tough. STIX is a standard, but it looks like if you want to represent an IP address you have, I'm not joking, I mean you have six, or four, it's indeed the minimum, but we found six ways to represent an IP address, which is a bit awkward for a standard. But we are part of the OASIS CTI group where they do STIX 2.0 and 2.1 and so on; we try to bring some of the ideas from MISP into STIX.
It's difficult because behind it we are the lone open source project; we have Cisco, Blue Coat and whatever large organizations. But STIX import, the one that was done for the import is quite good for formats we know about, so if you know that this functionality of the software, the import, doesn't work, just send us some STIX samples and then we can basically improve the software. But the STIX import for us is just an external module, like we do for the export. What we would like to do is the export part of STIX 2.0 to be a library, an open source library like the rest. But the thing is our speed of doing development in MISP is much faster than what the OASIS standard is doing. So for example financial indicators, we are supporting them, but even in STIX 2.0 you cannot do it. So for us it's a bit challenging because it's a limited format right now. But indeed import works with the TAXII import; if you have feedback on that one I would be really glad to hear it.

I didn't test the last version yet.

Okay, so if you can just bring back to us if you have any failing STIX files and so on, that's interesting. Okay, but something else is quite important too. MISP itself, the software, now has a standard, so the format, the MISP JSON format, is an Internet-Draft. So that means we advise tools that are exporting MISP format to use the MISP JSON format, which is completely standard, open source, there are no strings attached to it. For example Joe Sandbox, all the tools and so on are exporting into the JSON format, so like that you benefit from the format itself. So we advise to use the native MISP format, but if you have STIX, just bring it to us.
Thank you. Thanks.

Okay, so back to the front.

Hello, did you consider introducing an incentive mechanism? Because I think it also works similarly if you share information, and I think it could be useful to have an incentive mechanism. So for example if I share a lot of information I get more real-time or something like that. Have you considered this?

Yeah. We considered various things at the early beginning. We considered that people would not be able to get data anymore if they don't contribute information back after three months. What we have seen is a lot of organizations are contributing back. So that means in our community around 30% are really contributing and 70% are getting the information as a source. We don't really care, because as long as people get the information and protect themselves we are already fine with that. I mean, if they do the effort to get the data and do the protection it's already a good move for them. Now we basically ditched this part and we say okay, everyone can get the information, use it commercially or non-commercially, as long as it's used for defense and so on. But now we are thinking of another model where it's more like a gaming model. So we basically want to gamify MISP where people get points, so that's more rewarding stuff, so it's more socially interesting. So we don't want to provide something that is a detriment or a limitation to people, but the ones that are contributing get a bit more, which is like rewards of the group itself or additional things like functionalities in the platform and so on, but not the data itself. That's the thing that we are... but it's an interesting discussion. If you have time later on we can even discuss it.

Thank you. Hey, another one in front. Yes.

First thanks for the tools, and second,
I'm sorry if I missed it. How many different subjects or parties joined the project? And I don't know also if you have a taxonomy of them, like banks, security groups, so if...

The thing is, maybe I didn't mention it in the talk, but you have the MISP software itself and the MISP community that you build using the MISP software. So if you want to run your MISP in, I don't know, the pharmaceutical sector in Germany, you can run your MISP and be standalone and never be connected. So that's one way to do it. If you look back at our community, that's the one I mentioned at the early beginning, that's basically this one: it's some 750 organizations. A significant percentage are the banking sector and financial sector, payment processing and so on, and then a lot of industries, so industrial CERTs are very common on those ones, and a lot of ISPs for doing the takedowns and so on, and CERTs that are linked to product CERTs and so on. So those are the main categories that we have. Then you have a huge mix of others that are more security researchers, people using the data for doing research analysis, so we have a lot in academia and so on making use of the data. But that's, I would say, the fingerprint of our community, but it might be very different for others. I know of another huge community that uses MISP; we are connected to that one too, but those ones are limited to CERTs, so basically military CERTs, national governmental CERTs and so on. But I mean in all we have kind of a large spectrum of different organizations. If you want I could give you the statistics, I just need to dig into it, but I think it's quite diverse. It's not so monomaniac; at the early beginning it was more like malware reversers, AV vendors, antivirus vendors and so on, and now it's drifting a bit more, I would say, to be more diverse.

Okay, thank you. Okay. I don't see anyone else. Do we have another great question like all those before?
No? Anyone? Otherwise I would say thank you very much.
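The feed overlap matrix and the Tor exit node correlation from the talk, as an added example written for this page rather than code from the MISP project or the speaker. It takes several feeds whose events are shaped like MISP event JSON, extracts their indicators, and computes a pairwise containment matrix, so a vendor feed that is just a re-packaging of an OSINT feed stands out, and an indicator that happens to be a Tor exit node is visible as overlap with the exit node feed. The feed names, the `_event` helper and all feed contents are constructed for the example (documentation address ranges, example.net domains, the MD5 of the empty string), and the containment measure is a simplification, not MISP's own overlap computation.

```python
"""
Feed overlap matrix over MISP-style feed events.

Added example for this page; not code from the MISP project and not
a reproduction of MISP's own overlap implementation.  All feed data
below is constructed (documentation IP ranges, example.net domains).
"""

# Attribute categories by type; a small subset of what MISP uses.
_CATEGORY = {"ip-dst": "Network activity",
             "domain": "Network activity",
             "md5": "Payload delivery"}


def _event(info, attrs):
    """Build one event in the shape of MISP event JSON ({"Event": {...}})."""
    return {"Event": {
        "info": info,
        "Attribute": [{"type": t, "category": _CATEGORY[t],
                       "value": v, "to_ids": True} for t, v in attrs]}}


# Constructed feeds (hypothetical names).  "vendor-feed" repackages
# three of the four "osint-feed" indicators; one C2 address also shows
# up in the constructed Tor exit node feed.
FEEDS = {
    "osint-feed": [
        _event("C2 list", [("ip-dst", "192.0.2.10"),
                           ("ip-dst", "192.0.2.11"),
                           ("domain", "C2.example.net")]),
        _event("Dropper", [("md5", "d41d8cd98f00b204e9800998ecf8427e")]),
    ],
    "vendor-feed": [
        _event("Vendor bulletin", [("ip-dst", "192.0.2.10"),
                                   ("domain", "c2.example.net"),
                                   ("ip-dst", "192.0.2.11")]),
    ],
    "tor-exit-feed": [
        _event("Tor exit nodes", [("ip-dst", "198.51.100.5"),
                                  ("ip-dst", "192.0.2.11")]),
    ],
}


def extract_indicators(events):
    """Set of (type, value) pairs across a feed's events.

    Values are stripped and lower-cased so that a domain or hash written
    with different casing in two feeds still counts as the same indicator.
    """
    indicators = set()
    for ev in events:
        for attr in ev.get("Event", {}).get("Attribute", []):
            indicators.add((attr["type"], attr["value"].strip().lower()))
    return indicators


def overlap_matrix(feeds):
    """matrix[a][b] = fraction of feed a's indicators that also occur in feed b.

    Deliberately not symmetric: a small feed fully contained in a large
    one has matrix[small][large] == 1.0 while matrix[large][small] is lower,
    which is exactly the "this feed is composed of that feed" signal.
    """
    sets = {name: extract_indicators(evs) for name, evs in feeds.items()}
    matrix = {}
    for a, sa in sets.items():
        matrix[a] = {}
        for b, sb in sets.items():
            if a == b:
                matrix[a][b] = 1.0
            elif not sa:
                matrix[a][b] = 0.0
            else:
                matrix[a][b] = len(sa & sb) / len(sa)
    return matrix


def repackaged_feeds(feeds, threshold=0.9):
    """(feed, source, fraction) for feeds (almost) entirely contained in one other feed."""
    m = overlap_matrix(feeds)
    return [(a, b, m[a][b]) for a in m for b in m[a]
            if a != b and m[a][b] >= threshold]


def render(matrix):
    """Plain-text matrix, rows = feed, columns = fraction contained in that feed."""
    names = list(matrix)
    w = max(len(n) for n in names)
    lines = [" " * w + "  " + "  ".join(f"{n:>{w}}" for n in names)]
    for a in names:
        lines.append(f"{a:>{w}}  " +
                     "  ".join(f"{matrix[a][b]:>{w}.2f}" for b in names))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(overlap_matrix(FEEDS)))
    for feed, source, frac in repackaged_feeds(FEEDS):
        print(f"{feed} is {frac:.0%} contained in {source}")
```

Run it as a script and the matrix shows `vendor-feed` at 1.00 against `osint-feed` (every indicator the vendor ships is already in the OSINT feed) while the reverse cell is 0.75, and `tor-exit-feed` at 0.50 against `osint-feed` because one of its two addresses is also listed as a C2. Reading the matrix row-wise, as here, is what answers the purchasing question in the talk; a symmetric Jaccard score would hide the direction.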