Using the Estimative Language Taxonomy in MISP

Posted on By admin No Comments on Using the Estimative Language Taxonomy in MISP
  1. Using the Course of Action Taxonomies in MISP
  2. Using the Data Classification Taxonomies in MISP
  3. Using the Estimative Language Taxonomy in MISP

According to the MISP taxonomies listing for Estimative Language, this taxonomy is used to descrie the quality and credibility of the underlying information sources, data, and methodologies as described under the Intelligence Community Directive 203 (ICD 203) and JP 2-0. In this article I will describe how these tags may be applied by either an intelligence originator, or when the information is polled from a known credible source to convey likelihood.

Read More “Using the Estimative Language Taxonomy in MISP” »

MISP - Open Source Threat Intelligence Platform

Using the Data Classification Taxonomies in MISP

Posted on By admin No Comments on Using the Data Classification Taxonomies in MISP
  1. Using the Course of Action Taxonomies in MISP
  2. Using the Data Classification Taxonomies in MISP
  3. Using the Estimative Language Taxonomy in MISP

Data classification is broadly defined as the process of organising data by relevant categories so that it may be used and protected more efficiently. On a basic level, the classification process makes data easier to locate and retrieve.

In this article, I will be discussing the usage of the data-classification taxonomy for MISP events and attributes within those events. The intent of this taxonomy being categorising the value of data to provide some additional context to the information or asset being affected.

Read More “Using the Data Classification Taxonomies in MISP” »

MISP - Open Source Threat Intelligence Platform

Using the Course of Action Taxonomies in MISP

Posted on By admin No Comments on Using the Course of Action Taxonomies in MISP
  1. Using the Course of Action Taxonomies in MISP
  2. Using the Data Classification Taxonomies in MISP
  3. Using the Estimative Language Taxonomy in MISP

One of the great aspects of MISP, is the use of tags to give an indication of what needs to be done with an indicator within an event. Whole events may be assigned tags, but in this article I am going to talk to marking specific indicators with a Course of Action which implies a response when / if that indicator as been encountered.

Read More “Using the Course of Action Taxonomies in MISP” »

MISP - Open Source Threat Intelligence Platform

[Part 1] Building a Threat Integration and Testing Lab

Posted on By admin No Comments on [Part 1] Building a Threat Integration and Testing Lab
  1. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 1] Building a Threat Integration and Testing Lab

For this article and subsequent articles, I will be talking through the installation, configuration, and integration components in building an integrated threat and incident response lab. The primary purpose of this lab is to be able to replay malicious attack data into a SIEM environment (Splunk and Elastic will be used) and then generate appropriate alerts and actions within those SIEMs for an analyst to action. In addition, both SIEMS will be integrating MISP as a Threat Intelligence Platform to consume enriched intelligence and store and process newly generated intelligence from the lab.

Read More “[Part 1] Building a Threat Integration and Testing Lab” »

Build

[Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)

Posted on By admin 1 Comment on [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  1. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 1] Building a Threat Integration and Testing Lab

You can potentially use a Cloud-hosted instance of Elastic Cloud Enterprise, however since I am trying to avoid putting this environment on the Internet, I will be building ECE in my home lab environment.

Read More “[Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)” »

Build

[Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise

Posted on By admin 1 Comment on [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  1. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 1] Building a Threat Integration and Testing Lab

As a bake off for the Threat Lab and Incident Response capabilities, we will also be installing Splunk Enterprise. This will be in the 30 day trial mode, so it would be advisable to seek advice from your Splunk sales representative prior to using this installation in a production environment.

Read More “[Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise” »

Build

Building Structured Threat Intelligence (STIX) from FBI notices

Posted on By admin No Comments on Building Structured Threat Intelligence (STIX) from FBI notices

Intelligence is pretty much everywhere in unstructured formats, and this can be in informal blog posts, tweets, and even within FBI or US Treasury documents. In this article, I am going to describe how to build a transferrable STIX object from the FBI’s Most Wanted website.

Read More “Building Structured Threat Intelligence (STIX) from FBI notices” »

MISP - Open Source Threat Intelligence Platform

Security Orchestration with Shuffle.io

Posted on By admin No Comments on Security Orchestration with Shuffle.io

For this post I will be talking through the deployment and configuration of Shuffler.io in a self-hosted configuration.
Shuffler.io is a Security Orchestration Automation and Response (SOAR) platform which allows integrations with a number of OpenAPI services (two-way) to better expedite mundane and mandrolic tasks within a Security Operations Centre.

In this implementation, I will talking through the basics of installation and configuration, and some very basic testing through it’s interface.

Read More “Security Orchestration with Shuffle.io” »

Design

Building a Cuckoo Malware Analysis Server

Posted on By Adam McHugh No Comments on Building a Cuckoo Malware Analysis Server

I have written this guide a few times in the past, but here is a revised version with some notable inclusions based on more recent experiences with Cuckoo. I have some Github repositories too which aim to expedite the process, but have a read nonetheless and see just how easy and quick it can be…

Read More “Building a Cuckoo Malware Analysis Server” »

Digital Forensics & Incident Response

Using MISP in an air-gapped environment

Posted on By admin No Comments on Using MISP in an air-gapped environment

MISP works really well in an internet connected environment in gathering and creating correlations. However, in air-gapped environments the ability to query MISP for indicators is still incredibly useful, except that an air-gapped environment doesn’t ordinarilly have an Internet connection.

In this article I describe how MISP may be used in an Internet denied environment by leveraging off an existing Internet-connected instance.

Read More “Using MISP in an air-gapped environment” »

Design, MISP - Open Source Threat Intelligence Platform
%d bloggers like this: