MISP: Sharing Done Differently

One of the awesome things about the security community is its close relationship with development and learning. It’s not uncommon to find open source tools or free solutions that can be leveraged in order to protect your organization from a range of different threats. MISP is one of those solutions and they do a killer job of enabling sharing between disparate entities. We have been paying attention to tools like MISP, so when we saw the recent announcement of MISP Modules, we jumped at the idea of bring our data directly into the platform.

When you first visit the MISP documentation page, it can be pretty daunting to see all of the packages and commands needed to perform the installation. However, we ran into no issues installing the latest build inside of a Ubuntu 14.04 LTS virtual machine. Within 20 minutes, we had a fully operating instance ready to be populated with data. If you are just looking to test out MISP, considering checking out their virtual machine from their training materials.

What makes MISP special and exciting to us is how easy they make sharing between different organizations or data feeds. MISP sharing comes in two flavors, 1) feeds we all know and love and 2) abilities to connect to other MISP instances. It almost feels like magic when clicking the button to add a feed and seeing your local MISP installation populate with curated intelligence.

Each MISP event offers a static set of tools, attributes describing the event and a table of indicators associated with the event itself similar to what you see in other platforms or exchanges. Where MISP begins to differ is in the continuation of the sharing team and the ability to “propose” indicators or changes to an event. When ready, users can simply click to publish the event and choose from a selection of sharing styles including publishing to everyone or just the local MISP instance. While not incredibly groundbreaking, this feature removes the need to constantly email back and forth between researching parties and that by itself is a big win.

Even without modules, MISP would be a great tool for storing indicators related to events observed on your network or simply sharing content between organizations, but the addition of them brings the platform to another level. Modules aid in automating the enrichment process and ease the burden of inputting that discovered content back into the event. In order to take advantage of these modules, your instance must be on at least version 2.4.28 and should check out the module code located here.

Once setup, configuring the modules is done through the “Server Settings > Plugins Settings” menu. For PassiveTotal, you will need a valid username (your email address) and an API key from within the settings page. After activation, you should notice a small asterisk icon on entities within events where PassiveTotal can add enrichment.

Clicking the asterisk reveals a prompt asking the user which enrichment they would like to run. Depending on the indicator being used for enrichment, PassiveTotal will conduct a series of searches against our API. Like our other integrations, we tried to account for as many data types as possible for both the inputs and outputs.

Results from our query process are shown inside of a table that gives users more options including the ability to adjust its categories, comments and signature status. In just a few clicks, a user can quickly go from a public event to related enrichment to a more complete event to sharing with others in the community. This is a huge leap from the current process and hope others begin to see the value in platforms like MISP.

Integration: MISP and PassiveTotal from RiskIQ on Vimeo.

If you have been on the fence about playing around with MISP, then hopefully this post helped nudge you along. We are going to continue following developments of the platform and intend to expand the amount of supported input and output types as object types grow in detail. MISP offers both open source and commercial support for those who need help and the team has been excellent in working with us through the development of our module. We can’t wait to see how our community leverage this integration and would love any feedback!