We have extensive experience working with MISP at Cosive. We also offer a managed MISP service. Based on this expertise, we’ve put together this ultimate guide for anyone who wants to understand more about what MISP is, what it does, and how to use MISP.
What is threat intelligence?
What is MISP and what does it do?
What problem does MISP solve?
Is MISP just a threat feed?
How do I add threat intelligence feeds to MISP?
What are the main use cases for MISP?
Who typically uses MISP?
Is MISP a software application or an API?
What are events in MISP?
Sharing threat intelligence with MISP
What is the benefit of sharing threat intelligence?
What are MISP communities?
How should organisations decide what kinds of threat intel to share–and what not to share?
How can MISP be used in security orchestration and automation?
Installing and using MISP
How can I get started with MISP?
MISP, formerly Malware Information Sharing Platform and now known as the Open Source Threat Sharing Platform, is a powerful open source threat intelligence platform organisations can use to store, share and receive information about malware, threats, and vulnerabilities in a structured way.
Threat intelligence (often abbreviated to “threat intel”) is evidence-based knowledge about current or emerging cyber security threats. It helps individuals and organisations to better understand past, present, and potential future threats.
All threat intel exists on a broad spectrum of granularity. At the highest level threat intel can include information on the motives that might drive emerging threats, such as geopolitical conflict between nations. At the lowest level it can include fine-grained information like individual IP addresses associated with suspicious activity.
For many organisations, MISP serves as a repository of knowledge about all the known threats and vulnerabilities an organisation has seen.
By giving this information a consistent structure, the information becomes searchable, making it easier to correlate information across different days, months and years without relying on the memory of security analysts.
MISP also automatically associates similar information (for example, recorded events about the same IP address will be automatically linked together).
By storing information in a consistent format, MISP also makes information easier to share between organisations likely to face similar threats, such as governments, banks, and utilities.
MISP solves two big problems for SecOps teams: information overload and the challenges of dealing with high volumes of unstructured data.
Many security analysts have experienced what it’s like to be flooded with a constant stream of IOCs (Indicators of Compromise), suspicious domains and IPs, alerts, reports, notices and information from security vendors.
Not only is the information hugely varied, but it’s shared in many unstructured formats: it’s in emails, PDFs, news articles, press releases, websites, blog posts, reports and white papers.
Buried inside this stream of information lies potentially relevant data that could help further an investigation or prevent a future threat. But without a way to process, structure, categorise, search through and correlate this information, it can be more overwhelming than helpful.
MISP fights this information overload by giving analysts a simpler way to structure, gather, search, analyse, share, and ultimately use this information.
When used effectively MISP makes organisations faster and more efficient at dealing with potential threats.
No. MISP isn’t just a STIX or TAXII-based threat feed. You can use MISP to receive information from both public and commercial threat feeds and threat sharing communities.
There are many high-quality and free threat intel feeds you can add to MISP immediately.
To add threat intel feeds, log in to your MISP instance, then select ‘Sync Actions’ in the top navigation menu. From the drop-down list, select ‘List Feeds’.
Be default, two feeds are shown, but there are more feeds available. Click ‘Load default feed metadata’ to pull in many more threat intel feeds. Select the feeds that you want to pull into MISP, and click the ‘Enable selected’ button to make them active.
Finally, click the ‘Fetch and store all feed data’ button and MISP will begin to pull in the selected feed data from remote servers.
To confirm that the newly selected feeds are available, click on ‘Administration’ in the top navigation, then select ‘Jobs’ from the drop-down. From there, you should see that there are both queued and running fetch feed jobs.
If you go back to the ‘Home’ tab, you should see that the new events from your newly added threat intelligence feeds are starting to populate in your MISP instance. Click on an event’s ID to view the full selection of data available for that event.
MISP is designed to be used by security analysts, incident responders, and threat intelligence analysts. These individuals typically use MISP within and across their own organisation, as well as between organisations and within broader threat intelligence sharing communities.
Both. MISP is a software application with a user interface. It also includes an API and can be interacted with programmatically. MISP runs on Ubuntu and Linux operating systems.
Organisations typically either self-host MISP on their own infrastructure, or use a hosted MISP provider such as CloudMISP.
In MISP an event is a structured unit of threat information. Events can include information like bad hostnames, links, IPs, and sha256s.
While tracking individual events is useful, one of MISP’s most powerful features is automatic correlation between related events. For example, a blog post event in MISP covering a new ransomware might correlate dozens of other events, including malware files, md5 and sha256 hashes, email addresses and filenames, all of which have previously been associated with that threat.
A surprising aspect of information security is the amount of collaboration between organisations that compete in other areas. For example, financial institutions frequently participate in threat sharing communities together while also competing for a slice of the same market share.
Why is this the case? Isn’t the enemy of your enemy your friend? 🤔
Not necessarily. Security researchers instead take a “stronger together” approach.
Threat actors often specialise in targeting certain sectors, such as governments or banking. When they find a technique that works against one organisation, a common next step is to try the same techniques against similar organisations. That’s why threat intelligence is mutually beneficial for everyone involved.
Sharing threat information reduces the likelihood that similar organisations will fall victim to the same threats.
A MISP community, also known as a sharing community, is a network of individuals and organisations that share threat intelligence with one another. Typically, these communities are made up of trusted partners or peers facing similar types of threats. This similarity boosts the signal to noise ratio of the threat intel they share. For example, a network of cryptocurrency exchanges might form a sharing community focused on threat actors targeting the cryptocurrency and blockchain sector.
In addition to private organisations and individual researchers, threat intelligence is also often shared by public organisations like police and governments.
One of the challenges of sharing threat intelligence is finding the right balance between transparency, privacy, and confidentiality.
On the one hand, you want to share threat intel that helps other organisations in your intel sharing community to better understand threats.
On the other hand, you must avoid sharing threat intel that contains identifiable or sensitive information, like company names, internal IP addresses, staff names, customer identifiers, business documents and data, or intellectual property.
In other words, you want to share intelligence only about threats, and not about you, your infrastructure, your employees, or your customers.
To mitigate risk, and for the sake of confidentiality and accuracy, you may want to implement a chain of approval prior to sharing information with other organisations.
Lastly, it’s worth noting that once information enters a threat sharing community it’s difficult to withdraw—even if you make a mistake, such as sharing a false positive. That’s why sanity checking the threat intel you share is very important.
Because MISP events are uniformly structured they can be ingested by firewalls, SIEM (Security Information and Event Management) tools, email filters, endpoint agents and IDS’s (Intrusion Detection Systems).
Organisations can automatically alert on or block threats based on MISP events. For example, an organisation could automatically add an email address associated with spear-phishing attacks to their corporate email filters.
If you’re technical, the best way to gain experience with MISP is to download and install it locally on your development machine. You’ll quickly be able to get an instance up and running, access public feeds, experiment with configuration, and create your own events. You may even be able to participate in threat intelligence sharing communities with other security researchers and analysts.
For many analysts, the next step is to start using MISP at the organisation level, either to store and share information, as the basis of automations, or both. This typically involves deploying MISP on cloud infrastructure, such as AWS.
Using MISP effectively at the organisational level can be complex, particularly given the constantly improving nature of actively maintained open source software like MISP.
While MISP is constantly evolving in response to the needs of security researchers and analysts, staying on top of updates without introducing breaking changes can require extensive developer effort and resources.
We created CloudMISP as an option for organisations that want to get up and running with MISP quickly and continue to use the latest and greatest version without the operational headaches involved with deployment, maintenance, configuration, upgrades, and hardening.