MISP: Malware Information Sharing Platform & Threat Sharing

Riya Jain
4 min read · Oct 9, 2023

MISP stands for Malware Information Sharing Platform; "Threat Sharing" is the project's tagline, and in practice MISP is used to share any structured threat intelligence, not only malware data.

MISP is an open-source platform for collecting, storing, correlating and sharing indicators of compromise and other threat information: malicious IP addresses and domains, file hashes, phishing senders, vulnerability details and descriptions of attacker activity. It is designed by and for incident analysts, security and ICT professionals and malware reversers to support their day-to-day operations and to share structured information efficiently, both inside an organisation and with trusted communities.

Events:

  1. Event Information:
  • Event ID: A numeric identifier local to the instance; every event also carries a UUID that identifies it across instances when it is shared.
  • Date and Time: The date of the event and the timestamp of its last modification.
  • Event Info: A brief description or summary of the event.
  2. Attributes:
  • Attributes are typed values that provide specific details about the event: IP addresses, domain names, file hashes, email addresses, URLs and so on. Each attribute has a type (e.g. ip-src, md5), a category (e.g. Network activity, Payload delivery), a value, and a to_ids flag that marks it as a usable detection indicator. Attributes are what analysts search, correlate and export, so they are crucial in analyzing and understanding the nature and characteristics of the event.
  3. Tags and Taxonomies:
  • Tags: Labels attached to an event or to individual attributes that provide additional context, such as the type of threat, the level of confidence, or the handling rules that apply.
  • Taxonomies: Curated, machine-readable sets of tags (namespace:predicate="value") used to categorize and standardize event information, so that the same label means the same thing to every organisation that receives the event.
  4. Related Events:
  • Links to other events that share one or more attribute values with the current event. MISP builds these links automatically through correlation, which helps in establishing connections between different incidents and threats.
  5. Event Sharing:
  • MISP allows events to be shared with other organizations or within a community, either by synchronising MISP instances (push/pull) or by exporting events in formats such as MISP JSON, CSV, STIX, OpenIOC and Suricata/Snort rules. A distribution level on every event and attribute controls how far it may travel.

Taxonomies:

  1. Classification and Categorization:
  • Taxonomies help in classifying and categorizing the attributes, indicators and characteristics of a threat or event. This classification gives a standardized way of organizing and describing information, making it easier to analyze and share.
  2. Hierarchical Structure:
  • Taxonomies are organized hierarchically: a namespace, its predicates, and optionally a set of values per predicate. In MISP this becomes a machine tag of the form namespace:predicate="value" (for example admiralty-scale:source-reliability="b"), or simply namespace:predicate when the predicate takes no value (for example tlp:amber). This arrangement lets information be organized at different levels of granularity.
  3. Standardized Terminology:
  • Taxonomies define and use standardized terminology or labels to describe different aspects of threats, vulnerabilities, attack techniques, etc. These standardized terms enhance communication and collaboration among security professionals by ensuring a common understanding of the concepts.
  4. Examples of Taxonomies and Related Vocabularies in MISP:
  • ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge): Developed by MITRE, ATT&CK is a widely used knowledge base that categorizes and describes the tactics and techniques used by attackers during the different stages of a cyber-attack. Note that MISP ships ATT&CK as a galaxy (clusters that are attached to events and attributes) rather than as a tag taxonomy.
  • CAPEC (Common Attack Pattern Enumeration and Classification): CAPEC is a structured enumeration and classification of common attack patterns, providing a comprehensive view of known attack types.
  • TLP (Traffic Light Protocol): TLP is a standard way to share sensitive information in a controlled manner. TLP 1.0 categorized information as White, Green, Amber or Red; TLP 2.0 (2022) renamed White to Clear and added Amber+Strict. The MISP tlp taxonomy carries both the old and the new labels, so an instance can enforce either version.
  • VERIS: The Vocabulary for Event Recording and Incident Sharing (VERIS) is another widely used taxonomy that standardizes the language used to describe security incidents.

Integration and Mapping:

  • MISP integrates multiple taxonomies to provide a holistic view of threat intelligence. Security analysts can map attributes and events to relevant taxonomies, enhancing the clarity and usefulness of the information.

Configurations:

  • Event Basics:
    • Create an Event:
      • Navigate to Event Actions > Add Event.
      • Fill in the event info, date, distribution, threat level and analysis status, and submit the form.
    • Edit Event:
      • Open an event, click the Edit button (pencil icon), make the necessary changes, and save.

Attributes and Object Templates:

  • Add Attributes:
    • Inside an event, click Add Attribute.
    • Select the attribute type (e.g., ip-src, domain, md5) and category, provide the value, and tick "For Intrusion Detection System" (to_ids) only if the value is reliable enough to be pushed to detection tools.
  • Object Templates:
    • Inside the event, click Add Object.
    • Choose an object template (for example file, ip-port or email) and fill in the required fields; the resulting attributes are grouped together and carry object relations such as md5 or sha256.
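What the steps above produce is a MISP event in MISP's native JSON layout, which is also the structure a client sends to the instance's REST API. The following is an added example written for this post, not MISP's or PyMISP's own code: it builds such an event with validated attributes and a file object. The category table and the value checks are a small subset of what MISP applies, and the object omits the template_uuid/template_version fields that a real submission carries (an assumption noted in the code); the sample values are documentation address ranges and the hashes of an empty file.

```python
"""Build a MISP event in MISP's native JSON layout: the body that the
Add Event / Add Attribute / Add Object steps above produce, and the same
structure a client would send to POST /events/add. Example code written
for this post, not MISP's or PyMISP's; the type table and the value
checks are a small subset of what MISP itself applies."""
import ipaddress
import re
from datetime import date

# Default MISP category per attribute type (subset of MISP's type/category table).
DEFAULT_CATEGORY = {
    "ip-src": "Network activity", "ip-dst": "Network activity",
    "domain": "Network activity", "md5": "Payload delivery",
    "sha256": "Payload delivery", "filename": "Payload delivery",
    "email-src": "Payload delivery",
}
_HEX_LEN = {"md5": 32, "sha256": 64}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def validate_value(attr_type, value):
    """Client-side checks mirroring the validation MISP performs on save."""
    if attr_type in _HEX_LEN:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % _HEX_LEN[attr_type], value) is not None
    if attr_type in ("ip-src", "ip-dst"):
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if attr_type == "domain":
        return _DOMAIN_RE.match(value) is not None
    if attr_type == "email-src":
        return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None
    if attr_type == "filename":
        return bool(value.strip())
    return False


def new_event(info, event_date, distribution=0, threat_level_id=2, analysis=0):
    """Minimal event body. distribution 0 = your organisation only."""
    return {"Event": {
        "info": info,
        "date": event_date.isoformat(),
        "distribution": str(distribution),        # 0 org, 1 community, 2 connected, 3 all, 4 sharing group
        "threat_level_id": str(threat_level_id),  # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": str(analysis),                # 0 initial, 1 ongoing, 2 complete
        "Attribute": [],
        "Object": [],
    }}


def make_attribute(attr_type, value, to_ids=True, comment="", object_relation=None):
    """One attribute; raises on unknown types and on values that fail validation."""
    if attr_type not in DEFAULT_CATEGORY:
        raise ValueError(f"unsupported attribute type: {attr_type}")
    if not validate_value(attr_type, value):
        raise ValueError(f"invalid {attr_type} value: {value!r}")
    attr = {"type": attr_type, "category": DEFAULT_CATEGORY[attr_type], "value": value,
            "to_ids": to_ids,   # 'For Intrusion Detection System': safe to push to detection tools
            "comment": comment}
    if object_relation is not None:
        attr["object_relation"] = object_relation
    return attr


def add_attribute(event, attr_type, value, to_ids=True, comment=""):
    attr = make_attribute(attr_type, value, to_ids, comment)
    event["Event"]["Attribute"].append(attr)
    return attr


def add_file_object(event, filename, md5, sha256):
    """Group one file's name and hashes as a 'file' object. A real submission
    also carries template_uuid/template_version of the installed template
    (PyMISP fills them in); they are left out here as an assumption."""
    obj = {"name": "file", "meta-category": "file", "Attribute": [
        make_attribute("filename", filename, to_ids=False, object_relation="filename"),
        make_attribute("md5", md5, object_relation="md5"),
        make_attribute("sha256", sha256, object_relation="sha256"),
    ]}
    event["Event"]["Object"].append(obj)
    return obj


def ids_indicators(event):
    """Every to_ids attribute, free-standing or inside an object: the export set."""
    ev = event["Event"]
    attrs = list(ev["Attribute"]) + [a for o in ev["Object"] for a in o["Attribute"]]
    return [(a["type"], a["value"]) for a in attrs if a["to_ids"]]


def build_sample_event():
    """Constructed sample: documentation address ranges and the hashes of an empty file."""
    ev = new_event("Constructed example: phishing wave", date(2023, 10, 9))
    add_attribute(ev, "ip-src", "203.0.113.10", comment="sending MTA")
    add_attribute(ev, "domain", "mail.example.net")
    add_attribute(ev, "email-src", "invoice@example.net")
    add_file_object(ev, "invoice.pdf.exe", "d41d8cd98f00b204e9800998ecf8427e",
                    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    return ev
```

The filename inside the object is deliberately not to_ids: names are trivially changed and would produce noise in detection tools, whereas the hashes and the sender infrastructure are worth exporting. Validating values before submission matters because a malformed hash or address that slips through is silently useless to every organisation the event is later shared with.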

Tags and Taxonomies:

  • Add Tags:
    • In the event view, click the + button in the Tags row (the same control exists on each attribute row for attribute-level tags).
    • Select an existing tag or create a new one and apply it.
  • Use Taxonomies:
    • Taxonomies must first be enabled under Event Actions > List Taxonomies; once enabled, their tags are offered in the tag picker and can be applied to events and to individual attributes, so the classification travels with the data when it is shared.
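Taxonomy tags are only useful when every instance interprets them the same way, which is why MISP validates them against the taxonomy definitions. The block below is an added example written for this post, not MISP's own code: it parses machine tags of the form namespace:predicate="value", validates them against two trimmed taxonomy definitions in the machinetag.json layout used by the misp-taxonomies repository (entries shortened, descriptions dropped; the exclusive flag on tlp is taken from that layout), flags duplicate tags from an exclusive taxonomy, and works out the effective TLP of a tag set.

```python
"""Parse and validate MISP machine tags against taxonomy definitions.
Example code written for this post, not MISP's own. The two taxonomy
definitions are trimmed copies in the machinetag.json layout used by
the misp-taxonomies repository (entries shortened, descriptions dropped)."""
import re

TAXONOMIES = {
    "tlp": {  # bare predicates; exclusive = at most one tlp tag per event/attribute
        "namespace": "tlp",
        "exclusive": True,
        "predicates": [{"value": v} for v in
                       ("red", "amber+strict", "amber", "green", "clear", "white")],
    },
    "admiralty-scale": {  # predicates that take a value
        "namespace": "admiralty-scale",
        "predicates": [{"value": "source-reliability"}, {"value": "information-credibility"}],
        "values": [
            {"predicate": "source-reliability", "entry": [{"value": v} for v in "abcdef"]},
            {"predicate": "information-credibility", "entry": [{"value": v} for v in "123456"]},
        ],
    },
}

# namespace:predicate  or  namespace:predicate="value"
_TAG_RE = re.compile(r'^(?P<ns>[^:=]+):(?P<pred>[^=]+?)(?:="(?P<val>[^"]*)")?$')

# TLP 2.0 ordering, most restrictive first; white is the pre-2.0 name for clear.
_TLP_ORDER = ["red", "amber+strict", "amber", "green", "clear", "white"]


def parse_tag(tag):
    """Split a machine tag into (namespace, predicate, value-or-None)."""
    m = _TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    return m.group("ns"), m.group("pred"), m.group("val")


def validate_tag(tag):
    """True if the tag exists in one of the loaded taxonomies."""
    try:
        ns, pred, val = parse_tag(tag)
    except ValueError:
        return False
    tax = TAXONOMIES.get(ns)
    if tax is None or pred not in {p["value"] for p in tax["predicates"]}:
        return False
    allowed = {e["value"] for v in tax.get("values", []) if v["predicate"] == pred
               for e in v["entry"]}
    if allowed:               # predicate takes a value: it must be one of the entries
        return val in allowed
    return val is None        # bare predicate: a value is not allowed


def check_tags(tags):
    """Problems MISP would flag: unknown tags and duplicate exclusive-taxonomy tags."""
    problems = [f"unknown tag {t!r}" for t in tags if not validate_tag(t)]
    seen = {}
    for t in tags:
        if not validate_tag(t):
            continue
        ns = parse_tag(t)[0]
        if TAXONOMIES[ns].get("exclusive"):
            if ns in seen:
                problems.append(f"{ns} is exclusive: {seen[ns]!r} and {t!r} both set")
            seen.setdefault(ns, t)
    return problems


def most_restrictive_tlp(tags):
    """Effective TLP of a tag set: the strictest tlp:* tag present, else None."""
    levels = [parse_tag(t)[1] for t in tags if validate_tag(t) and parse_tag(t)[0] == "tlp"]
    return min(levels, key=_TLP_ORDER.index) if levels else None
```

Two details are worth noting. A predicate that takes values must carry one (admiralty-scale:source-reliability on its own is rejected), and a bare predicate must not (tlp:amber="yes" is rejected). When an event and one of its attributes disagree on TLP, most_restrictive_tlp gives the level that has to govern any onward sharing.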

Sharing and Exporting Data:

  • Export Event:
    • Open the event and choose the export action in the side menu.
    • Choose the export format (e.g., MISP JSON, CSV, STIX, OpenIOC, Suricata rules) and configure the export options, such as restricting the output to to_ids attributes.
  • Sharing Groups:
    • Navigate to Sharing > Sharing Groups.
    • A sharing group is a named list of organisations (and optionally servers) allowed to receive the data. Setting an event's or attribute's distribution to "Sharing group" restricts it to those members, which is the right choice when "This community only" is still too broad.
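Before an export or a sync leaves the instance, MISP works out, per attribute, whether the recipient is entitled to it: the attribute's own distribution can only narrow the event's, and a sharing group replaces the level-based check with a membership check. The block below is an added example written for this post, not MISP's sync or export code, and a deliberately simplified model of those rules (recipient reach levels and the sharing group table are constructed for the example): it filters an event for a given recipient and emits the to_ids attributes as CSV.

```python
"""Decide which attributes of an event a recipient may receive, then export
those flagged to_ids as CSV. Example code written for this post, not MISP's
sync/export code; a simplified model of MISP's distribution levels and
sharing groups, enough to show why attribute-level distribution and
sharing-group membership must both be checked before anything leaves."""
import csv
import io

DISTRIBUTION = {
    0: "Your organisation only",
    1: "This community only",
    2: "Connected communities",
    3: "All communities",
    4: "Sharing group",
    5: "Inherit event",   # attribute/object level only
}

# Constructed sharing group for the example: name -> member organisations.
SHARING_GROUPS = {"sg-partners": {"CERT-A", "CERT-B"}}


def effective_distribution(event_dist, attr_dist):
    """Attribute distribution may only narrow the event's; 5 means inherit."""
    if attr_dist == 5:
        return event_dist
    if 4 in (event_dist, attr_dist):
        return 4                      # a sharing group applies; membership checked by caller
    return min(event_dist, attr_dist)


def visible_to(event, attr, recipient):
    """recipient: {'org': name, 'reach': 0 own org / 1 same community / 2 connected / 3 anyone}."""
    ev = event["Event"]
    dist = effective_distribution(int(ev["distribution"]), int(attr.get("distribution", 5)))
    if dist == 4:
        sg = attr.get("sharing_group") or ev.get("sharing_group")
        return recipient["org"] in SHARING_GROUPS.get(sg, set())
    return recipient["reach"] <= dist


def export_ids_csv(event, recipient):
    """CSV of the to_ids attributes this recipient is entitled to see."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["event_info", "category", "type", "value"])
    for attr in event["Event"]["Attribute"]:
        if attr["to_ids"] and visible_to(event, attr, recipient):
            w.writerow([event["Event"]["info"], attr["category"], attr["type"], attr["value"]])
    return buf.getvalue()


def sample_sharing_event():
    """Constructed event: shared with the community, with two attributes held back."""
    return {"Event": {
        "info": "Constructed example: credential harvesting",
        "distribution": "1",
        "Attribute": [
            {"type": "domain", "category": "Network activity", "value": "login.example.net",
             "to_ids": True, "distribution": 5},
            {"type": "ip-dst", "category": "Network activity", "value": "198.51.100.7",
             "to_ids": True, "distribution": 0},   # victim-specific: internal only
            {"type": "md5", "category": "Payload delivery",
             "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True,
             "distribution": 4, "sharing_group": "sg-partners"},
            {"type": "comment", "category": "Other", "value": "ticket 1234",
             "to_ids": False, "distribution": 5},
        ],
    }}
```

Run against the sample event, the owning organisation gets all three indicators, a sharing-group member in the same community gets the domain and the hash but not the internal IP, a community member outside the group gets only the domain, and an organisation beyond the community gets nothing. Reviewing per-attribute distribution this way before enabling a push to a remote server is a cheap check against leaking victim details along with the indicators.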

Administration and Settings:

  • User Management:
    • Navigate to Administration > List Users (new accounts are created under Add User).
    • Create, modify, or delete user accounts and assign roles. Roles control permissions such as publishing events, using the API and administering the site, so keep the number of site administrators small.
  • Site Settings:
    • Navigate to Administration > Server Settings & Maintenance.
    • Configure MISP settings such as MISP.baseurl, enable or disable features, and customize the instance. The Security tab is where password policy and API key handling are set; review it before exposing the instance.
  • Authentication & Authorization:
    • Authentication is configured in the same Server Settings pages: the built-in password login, per-user API keys, and optional external identity providers through MISP's authentication plugins. Authorization is enforced through roles and the per-organisation model rather than through a separate menu.

Integrations and Feeds:

  • Feed Management:
    • Navigate to Sync Actions > List Feeds.
    • Enable the feeds you trust (MISP ships a default list, including the CIRCL OSINT feed), fetch them manually or on a schedule, and decide per feed whether its data is only cached for lookups and correlation or imported as events.
  • Integration with Other Tools:
    • Sync Actions also holds the configuration of remote MISP servers for push/pull synchronisation. Broader integrations use the REST API (authenticated with a per-user API key), the PyMISP library, or misp-modules for enrichment, import and export.

Advanced Features:

  • Correlations:
    • MISP correlates automatically: whenever an attribute is saved, its value is matched against the attributes of every other event the user can see, and matches appear as Related Events in the event view.
    • Correlation is tuned rather than triggered: per attribute with the "Disable correlation" checkbox, and instance-wide through correlation exclusions for values that match everywhere without meaning anything (well-known public IP addresses, hashes of empty files, and the like).
  • Sightings:
    • Record sightings to indicate when and where an attribute has been observed. A sighting has a type (sighting, false positive, or expiration), a source and a timestamp, and sightings can be submitted from detection tools through the API so the platform reflects what is actually being seen in the environment.
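The two features above are easiest to understand as data structures: correlation is an index of attribute values across events, and sightings are per-attribute observation records. The block below is an added example written for this post, not MISP's correlation engine or sightings code: it builds that index over three constructed events (skipping non-correlating types and attributes with correlation disabled, and splitting composite types such as domain|ip on the separator so each half correlates), derives the related-events list, and keeps a sightings store with per-type counts. The non-correlating type list is a subset of MISP's own, and the event contents are constructed.

```python
"""Correlation and sightings over a set of events, modelled on what MISP does
automatically when attributes are saved. Example code written for this post,
not MISP's correlation engine; the non-correlating type list is a subset and
composite types are split on '|' the way MISP correlates each half."""
from collections import defaultdict
import time

NON_CORRELATING_TYPES = {"comment", "text", "other"}   # subset of MISP's list
SIGHTING_TYPES = {0: "sighting", 1: "false-positive", 2: "expiration"}


def correlation_keys(attr):
    """Values MISP would index for this attribute (none if correlation is off)."""
    if attr["type"] in NON_CORRELATING_TYPES or attr.get("disable_correlation"):
        return []
    if "|" in attr["type"]:                 # composite type, e.g. domain|ip, filename|md5
        return [part for part in attr["value"].split("|", 1) if part]
    return [attr["value"]]


def correlate(events):
    """{value: [(event_id, attribute_uuid), ...]} for values present in more than one event."""
    index = defaultdict(list)
    for ev in events:
        e = ev["Event"]
        for attr in e["Attribute"]:
            for key in correlation_keys(attr):
                index[key].append((e["id"], attr["uuid"]))
    return {v: hits for v, hits in index.items() if len({eid for eid, _ in hits}) > 1}


def related_events(events, event_id):
    """Event IDs sharing at least one correlating value with event_id."""
    related = set()
    for hits in correlate(events).values():
        ids = {eid for eid, _ in hits}
        if event_id in ids:
            related |= ids - {event_id}
    return sorted(related)


def add_sighting(store, attribute_uuid, source, sighting_type=0, seen_at=None):
    """Append one sighting; seen_at is a Unix timestamp, defaulting to now."""
    if sighting_type not in SIGHTING_TYPES:
        raise ValueError("unknown sighting type")
    store.setdefault(attribute_uuid, []).append(
        {"type": sighting_type, "source": source,
         "timestamp": int(seen_at if seen_at is not None else time.time())})


def sighting_summary(store, attribute_uuid):
    """Counts per sighting type plus the latest true sighting, as MISP shows per attribute."""
    rows = store.get(attribute_uuid, [])
    counts = {name: sum(1 for r in rows if r["type"] == t) for t, name in SIGHTING_TYPES.items()}
    last = max((r["timestamp"] for r in rows if r["type"] == 0), default=None)
    return {"counts": counts, "last_seen": last}


def sample_events():
    """Constructed events: a phishing case and a separate C2 case sharing one IP."""
    return [
        {"Event": {"id": 101, "info": "Constructed: phishing wave", "Attribute": [
            {"uuid": "a1", "type": "ip-src", "value": "203.0.113.10"},
            {"uuid": "a2", "type": "domain|ip", "value": "mail.example.net|203.0.113.10"},
            {"uuid": "a3", "type": "comment", "value": "shared analyst note"},
        ]}},
        {"Event": {"id": 102, "info": "Constructed: loader C2", "Attribute": [
            {"uuid": "b1", "type": "ip-dst", "value": "203.0.113.10"},
            {"uuid": "b2", "type": "comment", "value": "shared analyst note"},
            {"uuid": "b3", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
             "disable_correlation": True},   # hash of an empty file: pure noise
        ]}},
        {"Event": {"id": 103, "info": "Constructed: unrelated scan", "Attribute": [
            {"uuid": "c1", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
        ]}},
    ]
```

On the sample data only the shared IP correlates: the identical comment is a non-correlating type, and the empty-file hash does not link events 102 and 103 because correlation was disabled on one side, which is exactly the effect of the per-attribute checkbox. The sightings store shows why the type matters: false-positive sightings are counted separately and never advance last_seen, so a noisy indicator does not look freshly active.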

Riya Jain

Security Researcher | Penetration Tester | Red Team | Blue Team | eJPT|CAP | CND | Purple Team