Csirt Kit Workshop - 2 PDF
CSIRT-KIT workshop
jordi.guijarro@csuc.cat
@jordiguijarro @javierberciano
@jordiguijarro @jberciano borja.guaita@csuc.cat
Tools ecosystem: CSIRT-kit inspiration
Detection, Analysis & Visualization
Disk image (OVA): ftp://ftp.csuc.cat/NCN/csirt-kit.ova

IntelMQ: https://intelmq.org/
- Automatic feed ingestion and processing
- Easy to configure and change (Python)
- GUI (IntelMQ Manager)
- Open source
- Various outputs: "enrichment" with expert bots
  - ASN lookup
  - Abuse contact
  - Whois
  - GeoIP
  - DNS lookups
  - Filters
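The collector, parser, expert and output stages above are easiest to understand as a chain. The following is an added illustration, not IntelMQ's own code and not its Bot API: it models that flow in plain Python so the role of the expert bots (ASN lookup, abuse contact, GeoIP, filter) is visible. Field names follow IntelMQ's harmonization (source.ip, source.asn, ...); the feed text, the prefix table and the classification value are constructed assumptions.

```python
"""Collector -> parser -> experts -> output, in the IntelMQ style.

Added illustration: this does not import IntelMQ or reuse its Bot API; it only
models the data flow. Feed text and lookup tables are constructed sample data.
"""
import ipaddress
from collections import deque
from typing import Callable, Deque, Dict, List, Optional

Event = Dict[str, object]

# Constructed feed in the style of a CSV IP blocklist (not a real feed).
FEED_TEXT = """# first_seen,ip,port,malware
2019-02-01 10:00:00,203.0.113.7,443,Feodo
2019-02-01 10:05:00,198.51.100.23,8080,Feodo
2019-02-01 10:10:00,192.0.2.77,80,TrickBot
"""

# Constructed prefix table standing in for the ASN, abuse-contact and GeoIP databases.
PREFIX_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64496, "abuse@as64496.example", "ES"),
    (ipaddress.ip_network("198.51.100.0/24"), 64497, "abuse@as64497.example", "DE"),
]


def collector_bot() -> List[Event]:
    """Collector: fetch the raw feed (here the constructed string) as one report."""
    return [{"raw": FEED_TEXT, "feed.name": "constructed-blocklist"}]


def parser_bot(report: Event) -> List[Event]:
    """Parser: turn one raw report into one event per indicator line."""
    events: List[Event] = []
    for line in str(report["raw"]).splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        first_seen, ip, port, malware = line.split(",")
        events.append({
            "feed.name": report["feed.name"],
            "time.source": first_seen,
            "source.ip": ip,
            "source.port": int(port),
            "malware.name": malware.lower(),
            "classification.type": "c2-server",  # taxonomy value is an assumption
        })
    return events


def asn_lookup_expert(event: Event) -> Optional[Event]:
    """Expert: enrich with ASN, abuse contact and country from the prefix table."""
    addr = ipaddress.ip_address(str(event["source.ip"]))
    for net, asn, contact, cc in PREFIX_TABLE:
        if addr in net:
            event["source.asn"] = asn
            event["source.abuse_contact"] = contact
            event["source.geolocation.cc"] = cc
            break
    return event


def filter_expert(event: Event) -> Optional[Event]:
    """Filter expert: drop events with nobody to notify (no abuse contact found)."""
    return event if "source.abuse_contact" in event else None


def run_pipeline(experts: List[Callable[[Event], Optional[Event]]]) -> List[Event]:
    """Push every parsed event through the expert chain; None from an expert discards it."""
    queue: Deque[Event] = deque()
    for report in collector_bot():
        queue.extend(parser_bot(report))
    delivered: List[Event] = []
    while queue:
        event: Optional[Event] = queue.popleft()
        for expert in experts:
            event = expert(event)
            if event is None:
                break
        if event is not None:
            delivered.append(event)  # output bot: IntelMQ would write to file, Elasticsearch, ...
    return delivered


if __name__ == "__main__":
    for ev in run_pipeline([asn_lookup_expert, filter_expert]):
        print(ev)
```

The order of experts matters: the filter only makes sense after the lookup has had its chance, and the same chain-of-bots idea is what the IntelMQ Manager GUI lets you wire graphically.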
MISP: Malware Information Sharing Platform
http://www.misp-project.org/
Objective (source: http://circl.lu/services/misp-malware-information-sharing-platform/)
Model (figure): User 1, User 2 ... User N; incident affecting a strategic company; IOCs shared without victim information; Company
Architecture (figure): CERTSI strategic companies hub; CERTSI MISP; international hub; CERTSI main MISP hub; MISP company ... group I
RTIR: Request tracker for Incident Response
To manage "easily":
- Incident Requests
- Incidents
- Investigations
- Blocks
NFSEN: http://nfsen.sourceforge.net/
- NFDUMP graphical interface
- BSD license
NFSEN - Stat TopN "proto udp"
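What the "Stat TopN" view with the filter "proto udp" computes is a per-key aggregation of flows, packets and bytes over the filtered records, ordered by one of those counters; on the command line this is nfdump's `-s <key>/<order> -n N` statistic (check `nfdump -h` for the exact spelling in your version). The block below is an added illustration, not nfdump or NFSEN code: it reproduces that aggregation over constructed flow records whose columns loosely follow nfdump's CSV output (assumption).

```python
"""Top-N statistic over NetFlow records, as in NFSEN's "Stat TopN" with filter "proto udp".

Added illustration: not nfdump/NFSEN code. Records are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Flow = Dict[str, object]

# Constructed flows; columns modelled on nfdump CSV output (assumption).
FLOWS_CSV = """ts,sa,da,sp,dp,pr,ipkt,ibyt
2019-02-01 10:00:01,192.0.2.10,198.51.100.5,53211,53,UDP,3,360
2019-02-01 10:00:02,192.0.2.10,198.51.100.5,53212,53,UDP,2,240
2019-02-01 10:00:03,192.0.2.44,203.0.113.9,40000,123,UDP,1,76
2019-02-01 10:00:04,192.0.2.44,203.0.113.9,40001,123,UDP,1,76
2019-02-01 10:00:05,192.0.2.99,203.0.113.20,51000,443,TCP,500,650000
2019-02-01 10:00:06,198.51.100.200,192.0.2.10,11211,51000,UDP,12000,17000000
"""


def parse_flows(text: str) -> List[Flow]:
    """Read the CSV and convert the numeric columns."""
    flows: List[Flow] = []
    for row in csv.DictReader(io.StringIO(text)):
        rec: Flow = dict(row)
        for col in ("sp", "dp", "ipkt", "ibyt"):
            rec[col] = int(str(row[col]))
        flows.append(rec)
    return flows


def proto_filter(proto: str) -> Callable[[Flow], bool]:
    """Equivalent of the nfdump filter expression 'proto udp' (case of the column value assumed)."""
    return lambda f: f["pr"] == proto


def top_n(flows: List[Flow], key: str = "sa", order: str = "ibyt", n: int = 10,
          flow_filter: Optional[Callable[[Flow], bool]] = None) -> List[Tuple[str, Dict[str, int]]]:
    """Aggregate flows/packets/bytes per `key` (e.g. source address) and return the top n by `order`."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"flows": 0, "ipkt": 0, "ibyt": 0})
    for f in flows:
        if flow_filter is not None and not flow_filter(f):
            continue
        t = totals[str(f[key])]
        t["flows"] += 1
        t["ipkt"] += int(str(f["ipkt"]))
        t["ibyt"] += int(str(f["ibyt"]))
    return sorted(totals.items(), key=lambda kv: kv[1][order], reverse=True)[:n]


if __name__ == "__main__":
    for addr, t in top_n(parse_flows(FLOWS_CSV), flow_filter=proto_filter("UDP")):
        print(f"{addr:>16} flows={t['flows']:>4} packets={t['ipkt']:>7} bytes={t['ibyt']:>10}")
```

Sorting by bytes rather than flows is what makes a single high-volume UDP source stand out: in the constructed data the 17 MB sent from port 11211 dominates even though it is one flow, which is the pattern an analyst would follow up as a possible amplification source.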
Elastic Stack (ELK): https://www.elastic.co/
- ELK and DNS
- Intel and external sources
Q&A
Thanks!
https://www.csirt-kit.org