MISP-Malware Information Sharing

MISP Threat Sharing (MISP)

According to Wikipedia, it is an open sourcethreat intelligence platform. The project develops utilities and documentation for more effective threat intelligence, by sharing indicators of compromise.^[2] There are several organizations who run MISP instances, who are listed on the website.^[3]

History

This project started around June 2011 when Christophe Vandeplas had a frustration that way too many Indicators of Compromise (IOCs) were shared by email, or in pdf documents and were not parsable by automatic machines. So at home he started to play around with CakePHP and made a proof of concept of his idea. He called it CyDefSIG: Cyber Defence Signatures.^[4]

Mid July 2011 he presented his personal project at work (Belgian Defence) where the feedback was rather positive. After giving access to CyDefSIG running on his personal server the Belgian Defence started to use CyDefSIG officially starting mid August 2011. Christophe was then allowed to spend some time on CyDefSIG during his work-hours, while still working on it at home.^[4]

At some point NATO heard about this project. In January 2012 a first presentation was done to introduce them in more depth to the project. They looked at other products that the market offered, but it seemed they deemed the openness of CyDefSIG to be of a great advantage. Andrzej Dereszowski was the first part-time developer from NATO side.^[4]

One thing led to another and some months later NATO hired a full-time developer to improve the code and add more features. A collaborative development started from that date. As with many personal projects the license was not explicitly written yet, it was collaboratively decided that the project would be released publicly under the Affero GPL license. This to share the code with as many people as possible and to protect it from any harm.^[4]

The project was then renamed to MISP: Malware Information Sharing Project, a name invented by Alex Vandurme from NATO.^[4]

In January 2013 Andras Iklody became the main full-time developer of MISP, during the day initially hired by NATO and during the evening and week-end contributor to an open source project.^[4]

Meanwhile other organisations started to adopt the software and promoted it around the CERT world (CERT-EU, CIRCL, and many others).^[4]

Nowadays, Andras Iklody is the lead developer of the MISP project and works for CIRCL.^[4]

As the MISP project expanded, MISP is not only covering the malware indicators but also fraud or vulnerability information. The name is now MISP Threat Sharing, which includes the core MISP software and a myriad of tools (PyMISP) and format (core format, MISP taxonomies, warning-lists) to support MISP. MISP is now a community project lead by a team of volunteers.^[4]

Funding

The project is funded by the European Union (through the Connecting Europe Facility^[5]) and the Computer Incident Response Center Luxembourg.

Intelligence Integration

Indicators of compromise which are managed by MISP may originate from a variety of sources; including internal incident investigation teams, intelligence sharing partners or commercial intelligence sources. Commercial sources with integration to MISP include Symantec’s DeepSight Intelligence, Kaspersky threat feeds and McAfee Active Response. MISP integrations with open-source and commercial threat intelligence platforms include the ThreatQuotient Platform and EclecticIQ Platform.

References

1. ^ “Tags”. Archived from the original on 13 October 2021.
2. ^ “MISP threat sharing platform”. media.ccc.de. Retrieved 19 February 2019.
3. ^ “MISP Communities”. www.misp-project.org. Retrieved 19 February 2019.
4. ^ Jump up to:^{a b c d e f g h i} “Who is behind the MISP project?”. MISP-Project.org. Retrieved 24 February 2019.  Material was copied from this source, which is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.
5. ^ “Digital Single Market – MISP”. ec.europe.eu. Retrieved 19 February 2019.

External links

• Official website 
• IETF draft-dulaunoy-misp-taxonomy-format-06
• Building and designing MISP: A practical information-sharing tool for cybersecurity and fraud indicators
• Privacy Aware Sharing of IOCs in MISP
• MISP: Sharing Done Differently

Features (https://misp-project.org/features.html)

• An efficient IoC and indicators database allowing to store technical and non-technical information about malware samples, incidents, attackers and intelligence.
• Automatic correlation finding relationships between attributes and indicators from malware, attacks campaigns or analysis. Correlation engine includes correlation between attributes and more advanced correlations like Fuzzy hashing correlation (e.g. ssdeep) or CIDR block matching. Correlation can be also enabled or event disabled per attribute.
• A flexible data model where complex objects can be expressed and linked together to express threat intelligence, incidents or connected elements.
• Built-in sharing functionality to ease data sharing using different model of distributions. MISP can synchronize automatically events and attributes among different MISP. Advanced filtering functionalities can be used to meet each organization sharing policy including a flexible sharing group capacity and an attribute level distribution mechanisms.
• An intuitive user-interface for end-users to create, update and collaborate on events and attributes/indicators. A graphical interface to navigate seamlessly between events and their correlations. An event graph functionality to create and view relationships between objects and attributes. Advanced filtering functionalities and warning list to help the analysts to contribute events and attributes.
• storing data in a structured format (allowing automated use of the database for various purposes) with an extensive support of cyber security indicators along fraud indicators as in the financial sector.
• export: generating IDS (Suricata, Snort and Bro are supported by default), OpenIOC, plain text, CSV, MISP XML or JSON output to integrate with other systems (network IDS, host IDS, custom tools)
• import: bulk-import, batch-import, free-text import, import from OpenIOC, GFI sandbox, ThreatConnect CSV or MISP format.
• Flexible free text import tool to ease the integration of unstructured reports into MISP.
• A gentle system to collaborate on events and attributes allowing MISP users to propose changes or updates to attributes/indicators.
• data-sharing: automatically exchange and synchronization with other parties and trust-groups using MISP.
• feed import: flexible tool to import and integrate MISP feed and any threatintel or OSINT feed from third parties. Many default feeds are included in standard MISP installation.
• delegating of sharing: allows a simple pseudo-anonymous mechanism to delegate publication of event/indicators to another organization.
• Flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP which is a flexible Python Library to fetch, add or update events attributes, handle malware samples or search for attributes.
• adjustable taxonomy to classify and tag events following your own classification schemes or existing taxonomies. The taxonomy can be local to your MISP but also shareable among MISP instances. MISP comes with a default set of well-known taxonomies and classification schemes to support standard classification as used by ENISA, Europol, DHS, CSIRTs or many other organisations.
• intelligence vocabularies called MISP galaxy and bundled with existing threat actors, malware, RAT, ransomware or MITRE ATT&CK which can be easily linked with events in MISP.
• expansion modules in Python to expand MISP with your own services or activate already available misp-modules.
• sighting support to get observations from organizations concerning shared indicators and attributes. Sighting can be contributed via MISP user-interface, API as MISP document or STIX sighting documents. Starting with MISP 2.4.66, Sighting has been extended to support false-negative sighting or expiration sighting.
• STIX support: export data in the STIX format (XML and JSON) including export/import in STIX 2.0 format.
• integrated encryption and signing of the notifications via PGP and/or S/MIME depending of the user preferences.
• Real-time publish-subscribe channel within MISP to automatically get all changes (e.g. new events, indicators, sightings or tagging) in ZMQ (e.g. misp-dashboard) or Kafka.

Sharing with humans

Data you store is immediately available to your colleagues and partners. Store the event id in your ticketing system or be informed by the signed and encrypted email notifications.

Sharing with machines

By generating Snort/Suricata/Bro/Zeek IDS rules, STIX, OpenIOC, text or csv exports MISP allows you to automatically import data in your detection systems resulting in better and faster detection of intrusions.

Importing data can also be done in various ways: free-text import, OpenIOC, batch import, sandbox result import or using the preconfigured or custom templates.

If you run MISP internally, data can also be uploaded and downloaded automagically from and to externally hosted MISP instances. Thanks to this automation and the effort of others you are now in possession of valuable indicators of compromise with no additional work.

Collaborative sharing of analysis and correlation

How often has your team analyzed to realise at the end that a colleague had already worked on another, similar, threat? Or that an external report has already been made?

When new data is added MISP will immediately show relations with other observables and indicators. This results in more efficient analysis, but also allows you to have a better picture of the TTPs, related campaigns and attribution.

The discussion feature will also enable conversations between multiple analysts resulting in win-win for everyone.