Using MISP to feed security appliances and bridge threat signature update intervals.

Let’s make an assumption that you are not using a commercial appliance with threat signature feeds, or you are concerned about ingesting real-time intelligence from alternate sources, which your threat signature provider cannot do in a timely manner.

How can you leverage MISP to feed these other platforms with real-time, actionable signatures, without duplicating rules or signatures you may (or may not) already be ingesting?

Here we will play with the MISP automation function!

Your MISP installation has the option for Automation, and it is described within the Event Actions > Automation menu. From here you should be able to see the Auth Key for your active user, and perhaps some information on what the endpoint configuration looks like for your environment.

What I am going to describe here is a really quick method to export the last 1 day of MISP attributes for ip-src and domain from MISP into a text file, and a very crude de-duplication process.

#!/bin/bash
# Pull ip-src attributes added in the last day; only attributes flagged to_ids
# and not matching a warninglist are returned, as plain text (one value per line).
curl -d '{"returnFormat":"text","type":"ip-src","category":"Network activity","last":"1d","enforceWarninglist":true,"to_ids":true}' \
  -H "Authorization: xxxauthkeyxxx" -H "Accept: application/json" -H "Content-type: application/json" \
  -X POST https://misp.yourmispdomain.com/attributes/restSearch > ../public_html/ip_src.tmp
# Sort and de-duplicate the raw export into the file that gets published.
sort -u ../public_html/ip_src.tmp > ../public_html/ip_src.txt
# The .tmp is a plain file, so -r is not needed.
rm -f ../public_html/ip_src.tmp

This will write a .tmp file with the full extract, then sort and de-duplicate the output into a .txt file.
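The post-processing step above is where things go wrong in practice: if the API call fails (expired auth key, proxy error), the .tmp file holds a JSON or HTML error body rather than a list of addresses, and the script would happily publish it to your appliances. The following added example (not code from the original post) keeps only lines that look like IPv4 addresses or CIDR ranges, refuses to overwrite the published list when the export contains nothing valid, and drops any indicator that is already present in an existing feed file, which addresses the "don't duplicate what you already ingest" concern. The file names, the existing-feed file and the sample input are all constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original post: post-process a MISP text export
# of ip-src attributes before publishing it to appliances.
# Assumptions: the raw export is one value per line (MISP returnFormat "text"),
# and an optional file of indicators the commercial feed already covers.

# Keep only lines that look like IPv4 addresses or CIDR ranges, so an API
# error body (JSON) or an HTML login page never ends up in the block list.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u
}

# Drop any indicator that the existing feed already contains.
# $1 = filtered (sorted) MISP export, $2 = existing feed (may be absent or empty).
dedup_against_feed() {
    if [ -s "$2" ]; then
        sort -u "$2" | comm -23 "$1" -
    else
        cat "$1"
    fi
}

# build_blocklist RAW EXISTING OUT
# Writes OUT and returns 0 only when RAW contains at least one valid indicator;
# otherwise returns 1 and leaves the previously published OUT untouched.
build_blocklist() {
    local raw="$1" existing="$2" out="$3"
    local tmp
    tmp="$(mktemp)"
    filter_ipv4 < "$raw" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no valid indicators in $raw; keeping previous $out" >&2
        rm -f "$tmp"
        return 1
    fi
    dedup_against_feed "$tmp" "$existing" > "$out"
    rm -f "$tmp"
}

# Constructed sample input standing in for the curl output: duplicates, a CIDR,
# an address already in the vendor feed, and a stray JSON error line.
demo() {
    local dir
    dir="$(mktemp -d)"
    printf '203.0.113.10\n198.51.100.7\n203.0.113.10\n192.0.2.0/24\n{"name":"Authentication failed."}\n' > "$dir/ip_src.tmp"
    printf '198.51.100.7\n' > "$dir/vendor_feed.txt"
    build_blocklist "$dir/ip_src.tmp" "$dir/vendor_feed.txt" "$dir/ip_src.txt"
    cat "$dir/ip_src.txt"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `./build_blocklist.sh demo` to see the constructed sample reduced to two lines (the CIDR and the one address not already in the vendor feed). In a cron job you would call `build_blocklist` on the curl output and only rotate the published file when it returns 0, so a failed API call leaves the last good list in place.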

Once you make this file accessible over a web service, you can consume it into an appliance alongside your existing threat signatures.

As for why you would use something like this – if your service level agreement with a particular threat signature vendor is a once-daily update, then you are potentially missing out on threat intelligence updates for 24 hours. By ingesting real-time OSINT from reputable sources, and using it as a backfill to your commercial signature feed, you are effectively bridging the gap between your SLA and current threats.

Just make sure you are using reputable OSINT sources for this information, and you are not just ingesting everything to block the entire internet.

Happy block listing!



Categories: MISP - Open Source Threat Intelligence Platform