Developed by a team of developers from CIRCL, Belgian Defence, NATO, and NCIRC, Malware Information Sharing Platform (MISP) is an open-source platform that allows sharing, storing, and correlating of Indicators of Compromise (IOCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
MISP helps security teams ingest and analyze threat data on detected malware attacks, automatically creating connections between malware and their characteristics, and storing data in a structured format. In addition, MISP also helps to make the rules for network intrusion detection systems (NIDS) and enables the sharing of malware information with third parties. In simpler words, MISP aims to create a platform of trust by locally storing threat information and enhancing malware detection to encourage information exchange among organizations.
What are the features of MISP?
With in-built sharing functionality to ease data sharing using different models of distributions, MISP can automatically synchronize events and their attributes. Its filtering functionalities can be utilized to meet an organization’s sharing policy and the user interface allows end-users to create and collaborate on events, attributes, and indicators. The STIX-supported MISP stores data in a structured format and is equipped with a free-text import tool that enables the integration of unstructured reports into the platform. In addition, users can automatically exchange and synchronize events with other parties as well as import and integrate MISP feed, OSINT feed, or any threat intelligence from third parties.
The platform’s API allows integration with an organization’s solutions and its PyMISP, a Python Library, helps to collect, add, update, search events’ attributes, and study malware samples. With an adjustable taxonomy, MISP users can classify and tag events based on their existing taxonomies or classification schemes. Bundled with a unique intelligence vocabulary called MISP galaxy, malware, threat actors, ransomware, RAT, or MITRE ATT&CK can be linked with events in MISP.
How does MISP work?
The MISP structure consists of events, feeds, communities, and subscribers. An event is a threat entry containing information related to the threat and the associated IOCs. Once an event has been created, a user assigns it to a specific feed that acts as a centralized list of events belonging to a specific organization and containing certain events or grouping specifications.
MISP is utilized by numerous independent organizations in different industries, each with the public-, proprietary-, or community-driven threat feeds. Once an instance is created, organizations can add events to their own feeds viewable by either only organization, or only community, or connected communities, or all communities.
Accessible via a web interface or REST API, MISP consists of trusted independent users and organizational threat submissions, both ingested by the respective user base. Upon joining MISP communities, organizations can subscribe to feeds related to threats in their respective industries. After subscribing to the feeds, organizations can start ingesting API pull requests into SIEM platforms, detection rules, firewall blacklists, and so on. Moreover, organizations can contribute to the community, adding their feeds and events which can be shared among other community subscribers.
What is the Difference Between MISP and a Threat Intelligence Platform (TIP)?
MISP operates as a centralized hub for threat intelligence but it does lack many of the features of a true threat intelligence platform (TIP). Below are a few key capabilities that a TIP has but are lacking in MISP:
Multi-Source Threat Intel Ingestion
A true TIP can collect tactical and technical intelligence from multiple external sources, including threat intel providers, regulatory bodies, peer organizations, ISACs, the dark web, and more. A TIP can automatically convert, store, and organize this threat data from various formats including STIX, XML, JSON, Cybox, MAEC, etc.
Automated Alerting on Confidence Scoring
A TIP allows for confidence scoring of IOCs and can leverage that score to conduct certain actions, such as automated alerting.
MITRE ATT&CK Visualization
An advanced TIP can visualize the MITRE ATT&CK framework for an analyst and provide them information on attacker TTPs and identify trends across the cyber kill chain and relate them to reported intel.
Automated Enrichment, Correlation, and Analysis
A TIP can automatically enrich threat data from VirusTotal, Whois, NVD, and other trusted sources to perform real-time correlation, deduplication, analysis, and indicator deprecation.
Automated Actioning on Intel
A TIP has features to automatically share threat data to security tools for real-time actioning. Custom workflows and scoring can be leveraged to design automation rules that power automated actioning with these deployed security tools.
Read more about a true threat intelligence platform (TIP).