What is MISP


Posted on: September 17, 2020

Malware is one of the most common threats organizations face, often weekly if not daily. To help defenders share what they see, developers from CIRCL, the Belgian Defence, and NATO's NCIRC built the Malware Information Sharing Platform, or MISP (the project now calls itself MISP Threat Sharing, since it has long outgrown malware-only data). But what is MISP, and how does it fit into your overall cybersecurity efforts?

Cyware's cybersecurity experts have all the answers to your burning threat intelligence questions. Read on to learn more about how MISP integration improves your threat detection and incident response capabilities.

MISP is an open-source platform for sharing, storing, and correlating Indicators of Compromise (IOCs) from targeted attacks, threat intelligence, financial fraud information, vulnerability information, and even counter-terrorism information. MISP helps a security team ingest and analyze threat data on detected malware attacks, stores it in a structured format, and automatically correlates attributes (hashes, IP addresses, domains, and so on) across events, so an indicator seen in one report is immediately linked to every other event that contains it.

In addition, MISP can export indicators as rules for network intrusion detection systems (NIDS) such as Suricata and Snort, and as blocklists and other formats that detection tools consume, and it enables sharing of malware information with third parties. In simpler words, MISP aims to create a platform of trust: each organization stores threat information locally, improves its own detection with it, and shares it with the communities it chooses.

What are the features of MISP?


MISP has built-in sharing functionality that supports several distribution models, and it can automatically synchronize events and their attributes between instances. Filtering controls let an organization enforce its own threat sharing policy, and the user interface lets end-users create and collaborate on events, attributes, and indicators. MISP stores data in a structured format (its own JSON format, with STIX import and export) and includes a free-text import tool that extracts indicators from unstructured reports. Users can automatically exchange and synchronize events with other parties, and import MISP feeds, OSINT feeds, or any other third-party threat intelligence.

The platform's REST API allows integration with an organization's existing tooling, and PyMISP, its Python library, wraps that API for creating, updating, and searching events and attributes and for handling malware samples. With adjustable taxonomies, MISP users can classify and tag events using existing classification schemes (TLP, for instance) or their own. MISP galaxies, a bundled knowledge base of malware families, threat actors, ransomware, RATs, and MITRE ATT&CK techniques, can be attached to events as clusters so that an event is linked to the actor or technique it describes.
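A worked example of the structures just described: the event and attribute format, distribution levels, tags and galaxy clusters from this section, together with the attribute correlation and NIDS-rule export mentioned in the introduction. This is an added example written for this page, not code from the MISP project or PyMISP; it uses only the Python standard library, and the event contents, tag names, and rule templates are assumptions chosen for illustration.

```python
"""Build MISP-format events, correlate their attributes and emit NIDS rules.

Added example, not code from the MISP project. It uses only the standard
library and reproduces the shape of MISP's core JSON event format; the two
sample events at the bottom are constructed for illustration and carry no
real intelligence.
"""
import json
from collections import defaultdict

# MISP distribution levels, as the API encodes them.
ORG_ONLY, COMMUNITY, CONNECTED, ALL_COMMUNITIES, SHARING_GROUP = 0, 1, 2, 3, 4

# Default category per attribute type (constructed subset of MISP's own table).
DEFAULT_CATEGORY = {
    "ip-dst": "Network activity", "ip-src": "Network activity",
    "domain": "Network activity", "url": "Network activity",
    "md5": "Payload delivery", "sha256": "Payload delivery",
}


def make_event(info, attributes, tags=(), distribution=COMMUNITY, threat_level_id=2):
    """Return one event in MISP core format.

    attributes: iterable of (type, value, to_ids) tuples; to_ids marks the
    attribute as detection-grade so exports (IDS rules, blocklists) pick it up.
    """
    return {"Event": {
        "info": info,
        "threat_level_id": str(threat_level_id),   # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": "1",                            # 0 initial, 1 ongoing, 2 complete
        "distribution": str(distribution),
        "Tag": [{"name": t} for t in tags],
        "Attribute": [
            {"type": t, "category": DEFAULT_CATEGORY[t], "value": v, "to_ids": ids}
            for t, v, ids in attributes
        ],
    }}


def correlate(events):
    """Return {(type, value): [event infos]} for values present in more than one event.

    This is the exact-match correlation MISP performs when an attribute is saved.
    """
    seen = defaultdict(set)
    for ev in events:
        for attr in ev["Event"]["Attribute"]:
            seen[(attr["type"], attr["value"])].add(ev["Event"]["info"])
    return {key: sorted(infos) for key, infos in seen.items() if len(infos) > 1}


def to_suricata(events, sid_start=1000000):
    """Render to_ids ip-dst and domain attributes as Suricata rules (other types are skipped)."""
    rules, sid = [], sid_start
    for ev in events:
        for attr in ev["Event"]["Attribute"]:
            if not attr["to_ids"]:
                continue
            msg = f'MISP {attr["type"]} {attr["value"]} - {ev["Event"]["info"]}'
            if attr["type"] == "ip-dst":
                rules.append(f'alert ip $HOME_NET any -> {attr["value"]} any '
                             f'(msg:"{msg}"; sid:{sid}; rev:1;)')
            elif attr["type"] == "domain":
                rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg}"; '
                             f'dns.query; content:"{attr["value"]}"; nocase; sid:{sid}; rev:1;)')
            else:
                continue
            sid += 1
    return rules


# Constructed sample data: two events that happen to share one C2 address.
SAMPLE_EVENTS = [
    make_event(
        "Phishing lure delivering loader",
        [("domain", "lure.example", True),
         ("sha256", "0" * 64, True),
         ("ip-dst", "198.51.100.7", True)],
        tags=["tlp:amber", 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'],
    ),
    make_event(
        "Beaconing observed from finance workstation",
        [("ip-dst", "198.51.100.7", True),
         ("domain", "cdn.example", False)],   # context only, not for detection
        tags=["tlp:amber"],
        distribution=ORG_ONLY,
    ),
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_EVENTS[0], indent=2))
    print(correlate(SAMPLE_EVENTS))
    print("\n".join(to_suricata(SAMPLE_EVENTS)))
```

The second event is kept at distribution 0 (organization only), so on a real instance it would never leave the creating organization even though it correlates with a community-shared event; the correlation is visible locally, the event is not. Note also that the sha256 attribute is to_ids but produces no network rule: each export format covers only the attribute types it can express.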

How does MISP work?


The MISP structure consists of events, organizations, communities, and feeds. An event is a threat entry containing contextual information about the threat (a description, date, threat level, and tags) and the associated IOCs as attributes. An event belongs to the organization that created it, and the creator sets its distribution level, which decides how far the event travels when the instance synchronizes with others. A feed, by contrast, is a remote source the instance pulls from, such as a public OSINT feed or another MISP instance, and it appears locally as a list of events from that source.

MISP is used by numerous independent organizations in different industries, each able to consume public, proprietary, or community-driven threat feeds. Once an instance is set up, an organization can add events and choose who may see each one: the organization only, the local community, connected communities, all communities, or a named sharing group.

Accessible via a web interface or REST API, MISP holds submissions from trusted individual users and from organizations, and the members of a community consume both. Upon joining MISP communities, organizations can subscribe to feeds related to threats in their industries. After subscribing, organizations can pull indicators through the API into SIEM platforms, detection rules, firewall blocklists, and so on. They can also contribute to the community by publishing their own events, which are then shared with other community members.
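An added example of the pull just described, written for this page and not MISP's or PyMISP's own code: a client that asks a MISP instance for recently modified, detection-grade attributes through the REST API and turns them into per-type blocklists a firewall or DNS resolver can load. The endpoint and headers are MISP's real ones; the base URL, API key, and response contents are placeholders, and the HTTP transport is injectable so the block runs offline.

```python
"""Pull detection-grade attributes from a MISP instance and build blocklists.

Added example, not MISP project code. The request targets MISP's real
POST /attributes/restSearch endpoint, but the HTTP transport is injectable so
the logic runs offline against a constructed response; the URL, API key and
attribute values below are placeholders.
"""
import json
import ssl
import urllib.request
from collections import defaultdict


def build_request(base_url, api_key, days=1,
                  types=("ip-dst", "ip-src", "domain", "hostname")):
    """Return (url, headers, body) for a restSearch of recent to_ids attributes."""
    body = {
        "returnFormat": "json",
        "type": list(types),
        "to_ids": 1,              # only attributes the owner flagged as detection-grade
        "published": 1,           # skip events still being drafted
        "deleted": 0,
        "timestamp": f"{days}d",  # attributes modified in the last N days
    }
    headers = {
        "Authorization": api_key,       # MISP takes the raw auth key, no "Bearer" prefix
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return f"{base_url.rstrip('/')}/attributes/restSearch", headers, body


def https_post(url, headers, body):
    """Default transport: one HTTPS POST with certificate verification on."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=30) as resp:
        return json.load(resp)


def pull_blocklists(base_url, api_key, transport=https_post, days=1):
    """Return {attribute type: sorted unique values} ready for a firewall or DNS sinkhole."""
    url, headers, body = build_request(base_url, api_key, days)
    payload = transport(url, headers, body)
    lists = defaultdict(set)
    for attr in payload.get("response", {}).get("Attribute", []):
        # Re-check the server-side filters locally: a misconfigured search or a
        # soft-deleted attribute must not end up in a block rule.
        if attr.get("deleted") or not attr.get("to_ids"):
            continue
        lists[attr["type"]].add(attr["value"].strip())
    return {t: sorted(values) for t, values in lists.items()}


# Constructed stand-in for a restSearch response (shape as MISP returns it).
FAKE_RESPONSE = {"response": {"Attribute": [
    {"id": "11", "event_id": "3", "type": "ip-dst", "value": "198.51.100.7",
     "to_ids": True, "deleted": False},
    {"id": "12", "event_id": "3", "type": "domain", "value": "c2.example ",
     "to_ids": True, "deleted": False},
    {"id": "27", "event_id": "8", "type": "ip-dst", "value": "198.51.100.7",
     "to_ids": True, "deleted": False},           # same IP from a second event
    {"id": "28", "event_id": "8", "type": "domain", "value": "retired.example",
     "to_ids": True, "deleted": True},            # soft-deleted: must be dropped
]}}


def fake_transport(url, headers, body):
    """Offline transport that checks the request shape and returns FAKE_RESPONSE."""
    assert url.endswith("/attributes/restSearch")
    assert headers["Authorization"] and body["to_ids"] == 1
    return FAKE_RESPONSE


if __name__ == "__main__":
    # Swap fake_transport for https_post to run against a real instance.
    print(pull_blocklists("https://misp.example", "REPLACE-WITH-API-KEY",
                          transport=fake_transport))
```

Run this on a schedule (the timestamp window should be a little longer than the interval so nothing is missed) and feed the result to the firewall or resolver. Deduplication matters: the same C2 address reported by two events arrives twice and must become one block entry. If the instance holds data you are not allowed to action, add a tags filter to the request body (for example excluding tlp:red) rather than relying on the consumer to sort it out later.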

What is the Difference Between MISP and a Threat Intelligence Platform (TIP)?


MISP operates as a centralized hub for threat intelligence sharing, but it lacks some features of a dedicated threat intelligence platform (TIP) and covers others only through add-on modules or scripting. Below are a few key capabilities of a TIP that MISP lacks or only partly provides:

Multi-Source Threat Intel Ingestion

A TIP can collect tactical and technical intelligence from multiple external sources, including threat intel providers, regulatory bodies, peer organizations, ISACs, the dark web, and more, and can automatically convert, store, and organize this data from various formats including STIX, XML, JSON, CybOX, MAEC, and others. MISP covers a subset of this: it ingests feeds in its own JSON format, CSV, and free text, and imports STIX, with other formats handled by optional import modules.

Automated Alerting on Confidence Scoring

A TIP allows for confidence scoring of IOCs and can leverage that score to trigger actions such as automated alerting. MISP can record confidence as a tag from its taxonomies and can age indicators with decaying models, but it does not alert on scores by itself.

MITRE ATT&CK Visualization

An advanced TIP can visualize the MITRE ATT&CK framework for an analyst, present attacker TTPs, identify trends across the cyber kill chain, and relate them to reported intel. MISP ships the ATT&CK techniques as a galaxy and can place a tagged event on the ATT&CK matrix, but trend analysis across the kill chain is left to the analyst.

Automated Enrichment, Correlation, and Analysis

A TIP can automatically enrich threat data from VirusTotal, Whois, NVD, and other trusted sources and perform real-time correlation, deduplication, analysis, and indicator deprecation. MISP correlates natively and offers comparable enrichment through optional expansion modules (misp-modules), but enrichment is invoked on demand rather than applied automatically across the dataset.

Automated Actioning on Intel

A TIP has features to automatically push threat data to security tools for real-time action. Custom workflows and scoring can be used to design automation rules that drive this actioning in the deployed security tools. With MISP, the equivalent is a scheduled API pull or export script that each consuming tool's owner maintains.
