misp-training-lea - Practical Information Sharing between Law Enforcement and CSIRT communities using MISP
Practical Information Sharing between Law Enforcement and CSIRT communities using MISP. The training is composed of theoretical and practical modules. Some of the practical modules cover specific topics such as network forensic analysis, system forensics and threat analysis. The focus of the modules is to show the complete chain from incident response and analysis up to modeling and sharing with MISP.
eLearning
This eLearning module is a prerequisite or refresher module to read before the actual training sessions. It helps to ensure that all participants share the same basic knowledge of MISP. In the training modules, the various elements mentioned in this introduction are covered in detail (e.101-104, e.205-e.206 and e.302-e.304).
Modules
- Practical Information Sharing between Law Enforcement and CSIRT communities using MISP (e.101)
- Data mining Tor, social networks, OSINT with AIL Project (e.102)
- Managing information sharing communities - Cerebrate introduction (e.103)
- CSIRTs network, notification and sharing scenarios (e.104)
- From evidences to actionable information (e.206)
- Labs - Modeling, Interpreting and Sharing “Hacking Evidence” (e.302)
- Labs - Extract an Executable from PCAP & Investigating an Attack on a Linux Host (e.303)
- Labs - Isolate Threat Actor(s) from Network Captures - (e.304)
Complete detailed syllabus.
Infrastructure required
At minimum, a dedicated MISP instance is to be made available for the students and trainers. A network of MISP instances can be also set up in order to conduct additional sharing exercises between the teams.
Each individual participant would connect to the MISP instance(s) from their workstations / laptops, where the requirement would simply be network access (TCP port 80/443 towards the MISP instances) and an Internet browser.
Additionally, students will need to have Wireshark installed, or at the very least have the system permissions to download and run Wireshark and to deploy custom extensions for it.
tcpflow and tshark (and some additional Unix tools) are also used during the lab exercises, so a *nix operating system is highly recommended.
Further readings and documentation
- Neolea trainings
- Virtual machines (VirtualBox and VMware format) if you want to explore MISP a bit more
- Slide Deck (source file and compiled)
- Cheatsheet
- PyMISP
- OpenAPI documentation
- MISP Book
- MISP data models and knowledge base available
Course codes
- 1xx - Introductory
- 2xx - Intermediate
- 3xx - Advanced
Compiling slides
Simply run the command below to compile the slides:
./build.sh
The slides and their associated handouts can be found in the output directory.
Contributing
Review the conventions for the directory structure and the required information, then open a pull request to contribute a new training.
For changes to existing content, a pull request can be opened directly.
To create a new slide deck:
- copy the blueprint directory
- rename it to match the course name: e.xxx-my-course
- edit e.xxx-my-course/slides.tex to update the course title
- edit e.xxx-my-course/content.tex to add the course's content
- include e.xxx-my-course in the list of the slidecks variables in the build file build.sh
- run build.sh to compile it
License
All the materials are dual-licensed under the GNU Affero General Public License version 3 or later and the Creative Commons Attribution-ShareAlike 4.0 International. You can use either one of the licenses depending on your use case for the training materials.
Contributors in alphabetical order
- Alexandre Dulaunoy
- Jean-Louis Huynen
- Andras Iklody
- Sami Mokaddem
- Luciano Righetti