Part 10. MISP Threat Intel

Deploy your own threat intel platform in under 10 minutes!

Intro

Apart from ingesting and analysing our logs, we need a way to enrich them with threat intelligence so that analysts can quickly spot potentially malicious activity. For example: is this IP address that I see interacting with my website known to be malicious or not? We need a solution that can:

  • Enrich received logs with threat intelligence gathered from various providers.
  • Parse and store only the relevant parts of each response, so that nothing but the crucial data is kept.
  • Run automatically, so that SOC analysts are not enriching received logs by hand.

In this post we will deploy MISP, the open source threat intelligence sharing platform.

What is MISP?

MISP Threat Sharing is an open source threat intelligence platform. The project develops utilities and documentation for more effective threat intelligence through the sharing of indicators of compromise (IoCs).

MISP not only stores, shares and lets teams collaborate on cyber security indicators and malware analysis, but also puts those IoCs and the surrounding information to work to detect and prevent attacks, fraud and other threats against ICT infrastructure, organisations or people.

Some of the features included are:

  • An efficient IoC and indicator database that stores technical and non-technical information about malware samples, incidents, attackers and intelligence.
  • Automatic correlation that finds relationships between attributes and indicators from malware, attack campaigns or analyses.
  • A flexible data model in which complex objects can be expressed and linked together to describe threat intelligence, incidents or connected elements.
  • Built-in sharing functionality: MISP can automatically synchronise events and attributes between MISP instances. Advanced filtering can be used to meet each organisation's sharing policy, including flexible sharing groups and an attribute-level distribution mechanism.
  • An intuitive user interface for end users to create, update and collaborate on events and attributes/indicators.
  • A flexible free-text import tool to ease the integration of unstructured reports into MISP.
  • A flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP, a Python library to fetch, add or update events and attributes, handle malware samples or search for attributes.
  • STIX support: export data in STIX format (XML and JSON), including export/import in STIX 2.0 format.

Installing MISP

MISP can be installed on most Linux distributions, and the MISP community maintains install scripts that can be run with little effort.

MISP has many dependencies and pulls together several pieces of software in order to function: it runs on the LAMP stack (Linux, Apache, MySQL/MariaDB and PHP), plus Redis and a set of background workers for jobs such as feed fetching and correlation.

By far the easiest install process I have found is deploying MISP and its dependencies via Docker.

A Docker build for MISP is maintained by Xavier Mertens. Using this Compose configuration we can have a MISP instance running in minutes!

I am using a Debian 11 server for my build but the beauty of Docker means we can deploy on any Base OS that can run Docker and Docker Compose.

Install Docker and Docker Compose

The steps below are Docker's own upstream instructions for Debian; on another distribution use the matching repository from the Docker documentation.

  1. Update the apt package index and install the packages that let apt use a repository over HTTPS:

sudo apt-get update
sudo apt-get install \
ca-certificates \
curl \
gnupg \
lsb-release

  2. Add Docker's official GPG key:

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

  3. Set up the repository, install Docker Engine and the Compose plugin, and confirm the daemon works:

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo docker run hello-world

Build Your MISP Image

  1. Fetch the misp-docker repo:

git clone https://github.com/MISP/misp-docker
cd misp-docker

  2. Set the config:

cp template.env .env

nano .env

The values below are the template defaults. At minimum change the three passwords and set MISP_BASEURL to the host name or IP you will actually use to reach the instance (MISP uses it for links and redirects). MISP_ADMIN_EMAIL becomes the first admin login, and POSTFIX_RELAY_HOST only matters if MISP should send e-mail. Leaving the defaults is fine for a throwaway lab and nothing else.

MYSQL_HOST=misp_db
MYSQL_DATABASE=misp
MYSQL_USER=misp
MYSQL_PASSWORD=misp
MYSQL_ROOT_PASSWORD=misp

MISP_ADMIN_EMAIL=admin@admin.test
MISP_ADMIN_PASSPHRASE=admin
MISP_BASEURL=https://localhost

POSTFIX_RELAY_HOST=relay.fqdn
TIMEZONE=Europe/Brussels

DATA_DIR=./data
  3. Build the images:

docker-compose build
or
docker compose build

  4. Run the containers:

docker-compose up -d
or
docker compose up -d

Which form works depends on whether you installed the standalone docker-compose binary or the Compose plugin (the apt install above gives you the plugin, so the docker compose form). The first start takes a few minutes while the database is initialised; once it is up, browse to MISP_BASEURL and log in with the admin e-mail and passphrase from .env.
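Before the first start it is worth checking the .env for the template defaults rather than trusting your eyes. The script below is an added example for this post, not code from misp-docker or MISP: it parses .env text in the KEY=VALUE form shown above, reports any variable still at its template default (or any secret shorter than 16 characters), and writes fresh random secrets plus the operator's own values in their place. The variable names are the template's; the list of defaults, the 16-character floor and the sample .env text are this example's own assumptions.

```python
"""Check and harden the misp-docker .env before the first start.

Added example, not code from misp-docker or MISP. The list of template
defaults, the 16-character floor and SAMPLE_ENV are assumptions.
"""
import os
import secrets

# Secrets that must never keep the template value.
SECRET_VARS = ("MYSQL_PASSWORD", "MYSQL_ROOT_PASSWORD", "MISP_ADMIN_PASSPHRASE")

# Placeholder values from template.env as shown in the post (assumed list).
TEMPLATE_DEFAULTS = {
    "MYSQL_PASSWORD": "misp",
    "MYSQL_ROOT_PASSWORD": "misp",
    "MISP_ADMIN_PASSPHRASE": "admin",
    "MISP_ADMIN_EMAIL": "admin@admin.test",
    "MISP_BASEURL": "https://localhost",
    "POSTFIX_RELAY_HOST": "relay.fqdn",
}

# Constructed sample .env with the same values as the post.
SAMPLE_ENV = """MYSQL_HOST=misp_db
MYSQL_DATABASE=misp
MYSQL_USER=misp
MYSQL_PASSWORD=misp
MYSQL_ROOT_PASSWORD=misp

MISP_ADMIN_EMAIL=admin@admin.test
MISP_ADMIN_PASSPHRASE=admin
MISP_BASEURL=https://localhost

POSTFIX_RELAY_HOST=relay.fqdn
TIMEZONE=Europe/Brussels

DATA_DIR=./data
"""


def parse_env(text):
    """Return {VAR: value} for KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def weak_settings(text):
    """List variables still at a template default, or secrets that are too short."""
    env = parse_env(text)
    findings = [v for v, default in TEMPLATE_DEFAULTS.items() if env.get(v) == default]
    for var in SECRET_VARS:
        if var not in findings and len(env.get(var, "")) < 16:
            findings.append(var)
    return findings


def harden(text, base_url, admin_email, relay_host=None):
    """Return new .env text with random secrets and the operator's own values.

    secrets.token_urlsafe() yields only [A-Za-z0-9_-], so the values need no
    quoting in .env and contain nothing MySQL or docker compose treats specially.
    """
    new = {var: secrets.token_urlsafe(24) for var in SECRET_VARS}
    new["MISP_BASEURL"] = base_url
    new["MISP_ADMIN_EMAIL"] = admin_email
    if relay_host:
        new["POSTFIX_RELAY_HOST"] = relay_host
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() in new:
            out.append(f"{key.strip()}={new[key.strip()]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def write_env(path, text):
    """Write the file owner-only: it holds the database root password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    print("weak before:", weak_settings(SAMPLE_ENV))
    hardened = harden(SAMPLE_ENV, "https://misp.example.internal",
                      "soc@example.internal", relay_host="smtp.example.internal")
    print("weak after: ", weak_settings(hardened))
    # write_env(".env", hardened)  # uncomment to replace the real file
```

Run it against the real file with the template still in place and weak_settings() will name every variable the post's screenshot left at its default; after harden() only whatever you deliberately left alone (here the relay host, if you pass none) remains on the list.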

Add Feeds

Feeds are remote sources that MISP pulls indicators from: lists published as MISP-format JSON, CSV or free text, each turned into events and attributes that correlate with everything else in the instance. They are the quickest way to populate a new instance, but they are not the only data MISP stores; events you create yourself or sync from other instances live alongside them. A fresh MISP instance has no feeds enabled, so we must import the feed definitions and enable the ones we want.

Import Feeds

In the web UI go to Sync Actions > List Feeds and use "Import Feeds from JSON", pasting in a JSON feed list such as the default feed list published by the MISP project (https://www.misp-project.org/feeds/). Importing only registers the feed definitions; nothing is downloaded yet.

Enable your Feeds

Tick the feeds you want and enable them from the same list. Start with a handful of reputable feeds rather than all of them: every enabled feed adds events, disk usage and correlation work, and low-quality feeds turn into false positives in whatever enrichment you build on top.

Fetch Feed Data

Click "Fetch and store all feed data" (or fetch a single feed from its row). The download runs in the background workers, so the first fetch can take a while to finish.

Explore Events

Once the fetch completes, the imported data appears under Event Actions > List Events, typically one event per feed for CSV and free-text feeds and the original events for MISP-format feeds. Open one and look at its attributes and tags: this is what your lookups will return.

Set a cronjob to download new feed data daily. The API key is an auth key for a user on the MISP instance (Administration > List Auth Keys); create a dedicated user for this rather than reusing the admin key. Two caveats about the one-liner as written: --insecure turns off certificate verification, which is only acceptable while MISP sits on a self-signed certificate and is reached over a trusted network (otherwise point curl at the CA with --cacert), and a key typed into the crontab is readable by anyone who can read the crontab and briefly visible in the process list, so prefer a root-only file and curl's -H @file syntax. MISP also ships a console command (Server fetchFeed) that does the same job from inside the container if you would rather not expose an API key at all.

# Sync MISP feed daily
0 1 * * * /usr/bin/curl -XPOST --insecure --header "Authorization: **YOUR_API_KEY**" --header "Accept: application/json" --header "Content-Type: application/json" https://**YOUR_MISP_ADDRESS**/feeds/fetchFromAllFeeds
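With feeds loaded, the instance can answer the question from the intro. The script below is an added example for this post, not code from MISP or PyMISP, and uses only the Python standard library. trigger_feed_fetch() makes the same call as the cron line above but reads the auth key from a file and verifies TLS against a CA bundle instead of passing --insecure; lookup_ip() posts a filter to /attributes/restSearch and reduces the reply to the few fields a SIEM needs to store. The host name, key path, CA path and the sample reply are this example's own assumptions; the sample is constructed in the shape restSearch returns, not captured from a real instance.

```python
"""Trigger feed fetches and answer "is this IP in my threat intel?" via the
MISP REST API.

Added example, not code from MISP or PyMISP. Host name, key path, CA path
and SAMPLE_REPLY are assumptions; SAMPLE_REPLY is constructed, not captured.
"""
import json
import ssl
import urllib.request
from pathlib import Path


def api_headers(key_path):
    """Headers MISP expects. The key comes from a root-only file so it never
    appears on a command line, in ps output or in a crontab listing."""
    key = Path(key_path).read_text().strip()
    return {"Authorization": key,
            "Accept": "application/json",
            "Content-Type": "application/json"}


def misp_post(base_url, path, body, key_path, ca_bundle):
    """POST a JSON body to MISP and return the decoded reply (network call)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verify, no --insecure
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(body).encode(),
                                 headers=api_headers(key_path), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def trigger_feed_fetch(base_url, key_path, ca_bundle):
    """Same endpoint as the cron job: fetch and store every enabled feed."""
    return misp_post(base_url, "/feeds/fetchFromAllFeeds", {}, key_path, ca_bundle)


def search_body(ip):
    """restSearch filter: the IP as source or destination, IDS-flagged only,
    so informational attributes do not turn into alerts."""
    return {"returnFormat": "json", "type": ["ip-src", "ip-dst"],
            "value": ip, "to_ids": 1}


def rest_search(base_url, key_path, ca_bundle):
    """Return a callable that posts a filter to /attributes/restSearch."""
    return lambda body: misp_post(base_url, "/attributes/restSearch",
                                  body, key_path, ca_bundle)


def summarize(reply):
    """Keep only the crucial fields of each matching attribute."""
    hits = []
    for attr in reply.get("response", {}).get("Attribute", []):
        hits.append({
            "value": attr["value"],
            "type": attr["type"],
            "event_id": attr["event_id"],
            "event_info": attr.get("Event", {}).get("info", ""),
            "tags": sorted(t["name"] for t in attr.get("Tag", [])),
            "last_seen": int(attr.get("timestamp", 0)),
        })
    return hits


def lookup_ip(ip, post):
    """Enrichment verdict for one IP: (known_bad, hits). `post` is any
    callable taking a restSearch body, so a canned reply can stand in for
    the network."""
    hits = summarize(post(search_body(ip)))
    return bool(hits), hits


# Constructed reply in the shape of /attributes/restSearch, for offline use.
SAMPLE_REPLY = {"response": {"Attribute": [{
    "id": "1", "event_id": "42", "category": "Network activity",
    "type": "ip-dst", "value": "203.0.113.7", "to_ids": True,
    "timestamp": "1660000000",
    "Event": {"id": "42", "info": "Constructed feed event"},
    "Tag": [{"name": "tlp:white"}, {"name": "type:OSINT"}],
}]}}

if __name__ == "__main__":
    print(json.dumps(lookup_ip("203.0.113.7", lambda body: SAMPLE_REPLY), indent=2))
    # Live use against an assumed host and paths:
    # post = rest_search("https://misp.example.internal", "/etc/misp/apikey", "/etc/misp/ca.pem")
    # print(lookup_ip("203.0.113.7", post))
```

The same pattern, a filter body in and a trimmed record out, is what a SOAR playbook or a log pipeline enrichment step wraps around; storing only summarize()'s fields rather than the whole attribute is the "store only the crucial data" requirement from the intro.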

Conclusion

Throughout this blog post we discussed what MISP is and installed MISP using Docker. We then populated MISP with IoCs and detailed how to automate that process so your IoCs are always up to date. Get started with your own Threat Intel Platform using MISP today! Happy Defending 😄.

Need Help?

The functionality discussed in this post, and much more, is available via SOCFortress's Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Professional Services: https://www.socfortress.co/ps.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).