Part 10. MISP Threat Intel
Deploy your own threat intel in under 10minutes!
PART ONE: Backend Storage
PART TWO: Log Ingestion
PART THREE: Log Analysis
PART FOUR: Wazuh Agent Install
PART FIVE: Intelligent SIEM Logging
PART SIX: Best Open Source SIEM Dashboards
PART SEVEN: Firewall Log Collection Made Easy
PART EIGHT: Firewall Threat Intel With GreyNoise
PART NINE: Log Normalization
Intro
Apart from just ingesting and analyzing our logs, we need a way to enrich our logs with intelligence to help our analyst quickly spot potential malicious activity. For example, is this IP address that I see interacting with my website malicious or not? We need a solution that can:
- Enrich received logs with threat intelligence gathered from various providers.
- Parse and store selected responses so that only crucial data is stored.
- Automated so that your SOC analysts are not having to manually attempt to enrich received logs.
In the post we will deploy MISP, the open source threat sharing intelligence platform.
What is MISP?
MISP Threat Sharing is an open source threat intelligence platform. The project develops utilities and documentation for more effective threat intelligence, by sharing indicators of compromise
MISP allows not only to store, share, collaborate on cyber security indicators, malware analysis, but also to use the IoCs and information to detect and prevent attacks, frauds or threats against ICT infrastructures, organizations or people.
Some of the features included are:
- An efficient IoC and indicators database allowing to store technical and non-technical information about malware samples, incidents, attackers and intelligence.
- Automatic correlation finding relationships between attributes and indicators from malware, attacks campaigns or analysis.
- Flexible data model where complex objects can be expressed and linked together to express threat intelligence, incidents or connected elements.
- Built-in sharing functionality. MISP can synchronize automatically events and attributes among different MISP. Advanced filtering functionalities can be used to meet each organization sharing policy including a flexible sharing group capacity and an attribute level distribution mechanism.
- Intuitive user-interface for end-users to create, update and collaborate on events and attributes/indicators.
- Flexible free text import tool to ease the integration of unstructured reports into MISP.
- Flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP which is a flexible Python Library to fetch, add or update events attributes, handle malware samples or search for attributes.
- STIX support: export data in the STIX format (XML and JSON) including export/import in STIX 2.0 format.
Installing MISP
MISP can be installed on most Linux distributions and the MISP community has put together install scripts that can easily be ran.
MISP has many dependencies and brings together various software in order to properly function. This is also referred to as the LAMP stack:
- Linux for the operating system
- Apache HTTP Server
- MySQL for the relational database management system
- PHP, Perl, or Python programming language
By far the easiest install process I have found is deploying MISP and its dependencies via Docker.
A docker container for MISP is maintained by Xavier Mertens. Using this docker config we will be able to get running with our MISP instance in minutes!
I am using a Debian 11 server for my build but the beauty of Docker means we can deploy on any Base OS that can run Docker and Docker Compose.
Install Docker and Docker Compose
- Update the
aptpackage index and install packages to allowaptto use a repository over HTTPS:
sudo apt-get update
sudo apt-get install \
ca-certificates \
curl \
gnupg \
lsb-release2. Add Docker’s official GPG key:
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg3. Use the following command to set up the repository:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/nullsudo apt-get updatesudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-pluginsudo docker run hello-worldBuild Your MISP Image
- Fetch the MISP-Docker repo:
$ git clone https://github.com/MISP/misp-docker
$ cd misp-docker2. Set config:
cp template.env .env
nano .env
MYSQL_HOST=misp_db
MYSQL_DATABASE=misp
MYSQL_USER=misp
MYSQL_PASSWORD=misp
MYSQL_ROOT_PASSWORD=misp
MISP_ADMIN_EMAIL=admin@admin.test
MISP_ADMIN_PASSPHRASE=admin
MISP_BASEURL=https://localhost
POSTFIX_RELAY_HOST=relay.fqdn
TIMEZONE=Europe/Brussels
DATA_DIR=./data3. Build the containers
docker-compose build
or
docker compose build4. Run containers
docker-compose up -d
or
docker compose up -dAdd Feeds
Feeds are what MISP uses to download threat reports, IoCs, etc. These feeds contain all of the data that MISP stores. By default MISP does not come configured with enabled feeds. We must import and enable our feeds for use.
Enable your Feeds
Fetch Feed Data
Explore Events
Set Cronjob to download new feeds daily:
# Sync MISP feed daily
0 1 * * * /usr/bin/curl -XPOST --insecure --header "Authorization: **YOUR_API_KEY**" --header "Accept: application/json" --header "Content-Type: application/json" https://**YOUR_MISP_ADDRESS**/feeds/fetchFromAllFeedsConclusion
Throughout this blog post we discussed what MISP is and installed MISP using Docker. We then populated MISP with IoCs and detailed how to automate that process so your IoCs are always up to date. Get started with your own Threat Intel Platform using MISP today! Happy Defending 😄.
Need Help?
The functionality discussed in this post, and so much more, are available via SOCFortress’s Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Professional Services: https://www.socfortress.co/ps.html
