PART ONE: Backend Storage
PART TWO: Log Ingestion
PART THREE: Log Analysis
PART FOUR: Wazuh Agent Install
PART FIVE: Intelligent SIEM Logging
PART SIX: Best Open Source SIEM Dashboards
PART SEVEN: Firewall Log Collection Made Easy
PART EIGHT: Firewall Threat Intel With GreyNoise
PART NINE: Log Normalization
Apart from just ingesting and analyzing our logs, we need a way to enrich our logs with intelligence to help our analyst quickly spot potential malicious activity. For example, is this IP address that I see interacting with my website malicious or not? We need a solution that can:
- Enrich received logs with threat intelligence gathered from various providers.
- Parse and store selected responses so that only crucial data is stored.
- Automated so that your SOC analysts are not having to manually attempt to enrich received logs.
In the post we will deploy MISP, the open source threat sharing intelligence platform.
What is MISP?
MISP Threat Sharing is an open source threat intelligence platform. The project develops utilities and documentation for more effective threat intelligence, by sharing indicators of compromise
MISP allows not only to store, share, collaborate on cyber security indicators, malware analysis, but also to use the IoCs and information to detect and prevent attacks, frauds or threats against ICT infrastructures, organizations or people.
Some of the features included are:
- An efficient IoC and indicators database allowing to store technical and non-technical information about malware samples, incidents, attackers and intelligence.
- Automatic correlation finding relationships between attributes and indicators from malware, attacks campaigns or analysis.
- Flexible data model where complex objects can be expressed and linked together to express threat intelligence, incidents or connected elements.
- Built-in sharing functionality. MISP can synchronize automatically events and attributes among different MISP. Advanced filtering functionalities can be used to meet each organization sharing policy including a flexible sharing group capacity and an attribute level distribution mechanism.
- Intuitive user-interface for end-users to create, update and collaborate on events and attributes/indicators.
- Flexible free text import tool to ease the integration of unstructured reports into MISP.
- Flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP which is a flexible Python Library to fetch, add or update events attributes, handle malware samples or search for attributes.
- STIX support: export data in the STIX format (XML and JSON) including export/import in STIX 2.0 format.
MISP can be installed on most Linux distributions and the MISP community has put together install scripts that can easily be ran.
MISP has many dependencies and brings together various software in order to properly function. This is also referred to as the LAMP stack:
- Linux for the operating system
- Apache HTTP Server
- MySQL for the relational database management system
- PHP, Perl, or Python programming language
By far the easiest install process I have found is deploying MISP and its dependencies via Docker.
A docker container for MISP is maintained by Xavier Mertens. Using this docker config we will be able to get running with our MISP instance in minutes!
I am using a Debian 11 server for my build but the beauty of Docker means we can deploy on any Base OS that can run Docker and Docker Compose.
Install Docker and Docker Compose
- Update the
aptpackage index and install packages to allow
aptto use a repository over HTTPS:
sudo apt-get update
sudo apt-get install \
2. Add Docker’s official GPG key:
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
3. Use the following command to set up the repository:
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo docker run hello-world
Build Your MISP Image
- Fetch the MISP-Docker repo:
$ git clone https://github.com/MISP/misp-docker
$ cd misp-docker
2. Set config:
cp template.env .env
3. Build the containers
docker compose build
4. Run containers
docker-compose up -d
docker compose up -d
Feeds are what MISP uses to download threat reports, IoCs, etc. These feeds contain all of the data that MISP stores. By default MISP does not come configured with enabled feeds. We must import and enable our feeds for use.
Enable your Feeds
Fetch Feed Data
Set Cronjob to download new feeds daily:
# Sync MISP feed daily
0 1 * * * /usr/bin/curl -XPOST --insecure --header "Authorization: **YOUR_API_KEY**" --header "Accept: application/json" --header "Content-Type: application/json" https://**YOUR_MISP_ADDRESS**/feeds/fetchFromAllFeeds
Throughout this blog post we discussed what MISP is and installed MISP using Docker. We then populated MISP with IoCs and detailed how to automate that process so your IoCs are always up to date. Get started with your own Threat Intel Platform using MISP today! Happy Defending 😄.
The functionality discussed in this post, and so much more, are available via SOCFortress’s Professional Services. Let SOCFortress help you and your team keep your infrastructure secure.
Professional Services: https://www.socfortress.co/ps.html