Building a MISP Threat Feed Aggregator

Over the last few months I have been working away on several work tasks which have had me hunting for threats within an immensely complex environment. Part of this hunt has involved the analysis and selection of threat feeds for incorporation into other tools to hunt known bad indicators. In this post I will be talking through the deployment of MISP to enable aggregation of threat indicators, and the generation of exports which may be ingested into other platforms.


MISP (Malware Information Sharing Platform) is a threat intelligence platform available as a free and open source package which enables the collection, aggregation and distribution of threat data to the cyber security community.

I am well aware of other platforms which perform a similar function, however for the purposes of this demonstration I will be using free and open source applications as a means of reducing the capital expenditure barrier to entry.

To start with, I have a number of templated virtual machines which are located on my home test lab. Each template VM has been configured as the base operating system and application which will be deployed for my test labs (I will be writing up my approach to this in a later blog post).

Template VMs make deployment of labs more efficient

For the purposes of this blog post I will be focusing on the newly cloned VM ‘SECOPS – MISP’ which has been installed from the base installation script available at the MISP GitHub page.

Note: If you have not played with MISP before, I suggest you make a start in reading through the documentation available through the Circl.lu website.

Before we get into turning everything on and hoovering up all of the events available externally, we really need to decide what kinds of threats you care about detecting through these means.

To make this decision, you need to determine where your blind spots are, so that MISP can give you some visibility into them. For example, if you are operating host-based detection systems, up-to-date anti-virus, and a multi-layered approach to connection firewalling, you will not be so worried about malware signatures and hashes, nor would you be too terribly concerned about spammy email senders or mail servers.

Depending on your geographic region and your industry sector however, you may be more interested in Threat Actors and measuring attempts which have been repelled, or correlating events which have been attributed against an actor.

Once you are logged into MISP, head to the Galaxies menu, and List Galaxies. You will see a list of the groups which events will be funnelled into based on their content – in this case I am more interested in events which have been aligned to a Threat Actor as a means of informing a business of their actual threat sources.

Finding Galaxies with MISP

The other thing you should look at is Taxonomies, which are effectively tags attributed to events. These tags are then used to filter events in or out of your fields of interest. In my case I have chosen to include taxonomies which give me details on the adversary, the economic impact, and the targeted threat index as a means of qualifying and quantifying threat events.

Selecting taxonomies for tagging events

Now we need to get some feeds into MISP which are relevant to our use case. It may be tempting to just turn on all the intelligence taps, but in our case this would be counterproductive. Instead I will be selectively enabling feeds based on what I want to detect and how.

Not all pre-populated feeds will be appropriate for your requirements, but there is an externally curated list of threat intelligence feeds which may provide some more context than that described within MISP.

Hslatman maintains a git repository with a large number of described lists which may be used as a reference point before enabling a feed.

In my case I have chosen to enable the CIRCL OSINT Feed, the cybercrime tracker, and the DigitalSide Threat-Intel OSINT Feed as a starter.

Do not forget to configure the scheduled tasks component either, otherwise no new events will be received into your system.

Configuring Scheduled tasks for automated download of feeds

In a few minutes events should start to flow into MISP, and these events should be funnelled into your chosen galaxies. For me, the Events screen looks something like this:

MISP Events listing screen

As an operator of MISP you can view these events themselves and trawl through the raw data being aligned against actors, groups, tool sets and even so far down as IP addresses, domains and hashes.
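The selection described above, as an added example that is not part of the original post or of MISP itself: it walks events in the MISP event JSON layout, keeps only those carrying a threat-actor galaxy tag, and builds an export of detection-flagged (to_ids) indicators mapped to the actors they were aligned against. The sample events are constructed, and the function names and the chosen set of attribute types are assumptions made for illustration.

```python
from collections import defaultdict

ACTOR_PREFIX = "misp-galaxy:threat-actor="   # galaxy cluster tag prefix
EXPORT_TYPES = {"ip-dst", "ip-src", "domain", "hostname", "sha256"}

# Constructed events in the MISP event JSON layout; all values are made up
# (documentation IP ranges and example domains), not real indicators.
SAMPLE_EVENTS = [
    {"Event": {"info": "constructed event 1",
               "Tag": [{"name": 'misp-galaxy:threat-actor="Example Actor A"'},
                       {"name": "tlp:white"}],
               "Attribute": [
                   {"type": "ip-dst", "value": "192.0.2.10", "to_ids": True},
                   {"type": "domain", "value": "c2.example.net", "to_ids": True},
                   {"type": "text", "value": "analyst note", "to_ids": False}],
               "Object": [{"name": "file", "Attribute": [
                   {"type": "sha256", "value": "ab" * 32, "to_ids": True}]}]}},
    {"Event": {"info": "constructed event 2 (no actor tag)",
               "Tag": [{"name": "tlp:white"}],
               "Attribute": [{"type": "ip-dst", "value": "192.0.2.99", "to_ids": True}]}},
    {"Event": {"info": "constructed event 3",
               "Tag": [{"name": 'misp-galaxy:threat-actor="Example Actor B"'}],
               "Attribute": [
                   {"type": "ip-dst", "value": "192.0.2.10", "to_ids": True},
                   {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False}]}},
]

def actor_names(event):
    """Threat-actor names taken from the event's galaxy cluster tags."""
    return [t["name"][len(ACTOR_PREFIX):].strip('"')
            for t in event.get("Tag", []) if t["name"].startswith(ACTOR_PREFIX)]

def iter_attributes(event):
    """Yield event-level attributes and those nested inside objects."""
    yield from event.get("Attribute", [])
    for obj in event.get("Object", []):
        yield from obj.get("Attribute", [])

def build_export(events, wanted=EXPORT_TYPES):
    """Map (type, value) -> sorted actors, for detection-flagged attributes."""
    export = defaultdict(set)
    for wrapper in events:
        names = actor_names(wrapper["Event"])
        if not names:
            continue                      # event not aligned to any actor
        for attr in iter_attributes(wrapper["Event"]):
            if attr.get("to_ids") and attr["type"] in wanted:
                export[(attr["type"], attr["value"])].update(names)
    return {key: sorted(val) for key, val in export.items()}
```

Calling build_export(SAMPLE_EVENTS) returns three indicators; the IP address seen in both tagged events is listed once with both actors, which is the de-duplication a downstream blocklist or enrichment lookup needs.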

In one of the next posts, I will describe how we can use this data to enrich investigations or tag data as we are logging it, or even orchestrate actions based on the data within MISP.


