Lately I have been playing with having MISP be the Intelligence Sharing platform for a number of business intelligence functions. However, the main issue with MISP (from a user’s perspective) is the interface, and how a less technical person would generate information for the platform.
This is where pairing MISP with Maltego works really well, and it even lets less technical people generate technical data for incorporation into intelligence operations.
To achieve this integration, you will need a few things in place before you start:
- An instance of MISP deployed
- An installation of Maltego
- Python3 installed on the same system as Maltego
- Git clone of MISPego (Note: The original repo has not yet been updated with my pull request)
You will require an installation of MISP to perform the integration, and it should be something which is relatively accessible to your intelligence platform stakeholders.
A user will need to be created on the MISP platform specific to the Intelligence Analyst who will be operating Maltego, and an AuthKey will need to be sourced from the Administration > List Users screen.
The role for the user should also be set to Publisher (as this user will be adding content to the MISP database).
Preparing the Intelligence Analyst’s Maltego
Installation of Maltego
This is pretty straightforward: install Maltego from the official source and start a new graph using the Community mode.
Installation of Python3
You will need to install Python3 from the official source, so please make sure you do this properly. Install the version of Python (32bit or 64bit) compatible with your environment.
Take note of the installation directory too, you will need to refer to it in the next step.
Pip install of PyMISP
Taking note of the Python installation location, head to the root folder, and open the Scripts folder. You should see pip and pip3 in this folder.
From here run the following command to install PyMISP:
- pip3 install pymisp
If you see errors here, resolve them before continuing, otherwise the integration will not work.
Import of MISPego
Once you have downloaded or cloned MISPego from the repository, you will need to import the package into Maltego.
git clone https://github.com/adammchugh/MISPego MISPego
You can do this by heading to the Import | Export tab, and then clicking on Import Config. From here you browse to the MISPego.mtz file, and then select Next.
You should see a list of Local Transforms, and a Transform Set enabled for installation in the platform. From there make sure they are checked, then click Next.
The import should complete, and you can close the Import Wizard by clicking on the Finish button.
In addition, a number of files came with the MISPego archive; these files need to be moved somewhere Maltego can execute them.
In my case, I opted to store them in C:\Repos\MISPego\ (take note of where you store them, you will need to update the Maltego configuration soon).
You will now need to edit the mispego_util.py file and update a number of fields with information you sourced from MISP.
The following fields need to be updated and set:
- BASE_URL = 'YOUR_BASE_URL'
- API_KEY = 'YOUR_API_KEY'
- MISP_VERIFYCERT = False
- MISP_EVENT_PUBLISH = False
- MISP_DISTRIBUTION = 0
- MISP_ANALYSIS = 2
- MISP_THREAT = 2
- MISP_TO_IDS = True
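The settings above decide who sees every event Maltego creates and whether the connection to MISP is verified at all, so it is worth checking them before the first transform fires. The following is an added example, not code from MISPego or PyMISP: it takes the constant names from mispego_util.py as listed above, flags the values a reviewer would object to, and shows the Event object those settings turn into when a new event is sent to MISP's REST API. The function names and the sample values are assumptions for this example.

```python
"""Sanity-check the mispego_util.py settings and show what they become when a
MISPego transform creates a MISP event. Added example: not MISPego's or PyMISP's
code. The constant names are the ones from the post; the function names and
the sample values are assumptions for this example."""
from urllib.parse import urlparse

# Sample settings, constructed for the example (the placeholders are left in
# deliberately so the check below has something to catch).
SETTINGS = {
    "BASE_URL": "https://misp.example.internal",
    "API_KEY": "YOUR_API_KEY",
    "MISP_VERIFYCERT": False,
    "MISP_EVENT_PUBLISH": False,
    "MISP_DISTRIBUTION": 0,
    "MISP_ANALYSIS": 2,
    "MISP_THREAT": 2,
    "MISP_TO_IDS": True,
}

# Meaning of the numeric codes in MISP's data model.
DISTRIBUTION = {0: "Your organisation only", 1: "This community only",
                2: "Connected communities", 3: "All communities", 4: "Sharing group"}
ANALYSIS = {0: "Initial", 1: "Ongoing", 2: "Completed"}
THREAT_LEVEL = {1: "High", 2: "Medium", 3: "Low", 4: "Undefined"}


def check_settings(s):
    """Return the problems to fix before the first transform is run."""
    problems = []
    url = urlparse(s["BASE_URL"])
    if url.scheme != "https" or not url.netloc:
        problems.append("BASE_URL should be an https:// URL: the AuthKey is sent "
                        "in a request header on every call")
    if s["API_KEY"] in ("", "YOUR_API_KEY"):
        problems.append("API_KEY still holds the placeholder; paste the AuthKey "
                        "from Administration > List Users")
    if not s["MISP_VERIFYCERT"]:
        problems.append("MISP_VERIFYCERT = False disables TLS certificate checks; "
                        "acceptable for a lab instance, not for production")
    for key, table in (("MISP_DISTRIBUTION", DISTRIBUTION),
                       ("MISP_ANALYSIS", ANALYSIS),
                       ("MISP_THREAT", THREAT_LEVEL)):
        if s[key] not in table:
            problems.append(f"{key} = {s[key]!r} is not a valid MISP code")
    if s["MISP_EVENT_PUBLISH"] and s["MISP_DISTRIBUTION"] > 0:
        problems.append("events will be published beyond your own organisation "
                        "the moment Maltego creates them")
    return problems


def event_body(title, s):
    """Event fields a transform sends to MISP (the Event object of MISP's REST
    API) for a new event whose title is the Maltego Phrase."""
    return {"Event": {
        "info": title,
        "distribution": s["MISP_DISTRIBUTION"],
        "threat_level_id": s["MISP_THREAT"],
        "analysis": s["MISP_ANALYSIS"],
        "published": s["MISP_EVENT_PUBLISH"],
    }}


if __name__ == "__main__":
    for problem in check_settings(SETTINGS):
        print("WARNING:", problem)
    print(event_body("Phishing kit observed", SETTINGS))
```

With the sample settings the check reports two problems (the untouched API_KEY placeholder and certificate verification being off); distribution 0 with publishing disabled is the conservative starting point, since everything Maltego pushes stays inside your own organisation until an analyst reviews it.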
Configuration of Maltego
Now we need to update the Transforms configuration to reference the correct MISPego files we moved to C:\Repos\MISPego\.
Click the Transforms menu in Maltego, then Transform Manager, then Transform Servers, expand Local, and then for each of the MISPego entries, perform the following update:
- Adjust Command Line to point to the Python.exe interpreter
- Adjust the Working Directory to point to the C:\Repos\MISPego\ directory
MISPego in Action!
For fun I am testing MISPego on a URL from PhishTank to generate a graph of indicators in a more structured and interesting manner.
So for a live example, I will take a URL from the OpenPhish feed and perform an initial analysis on the artifact using all the inbuilt components of Maltego.
The initial artifact in question will be https://support-suspended-account.com/ (VT Link), which from my own research appears rather close to the TTPs described for an Iranian threat actor.
Using the basic tools of Maltego, I can get some information from VirusTotal, and there are a couple of other things Maltego will do as well.
Pivoting from the domain support-suspended-account.com, we can start drilling into the artefacts surrounding this attribute. We can pull out the IP addresses associated with the A records, and we can extract other elements like the ASN, and even the netblock owners.
Now that we have a very basic breakdown of the artefacts associated with the reported URL, we can start sending all of this information to MISP.
To begin with, however, we need a 'Phrase' object added to the graph to function as the Event Title in MISP. We do this by dragging the Phrase object into the graph, and then updating the title accordingly.
When you run the MISPego transform on that Phrase object, Maltego will start firing off the MISPego Python scripts, and you will see a burst of output in the Debug panel.
Assuming your configuration was correct, you will also see a new object added to the graph with a number. This number is the MISP event ID, and will be used from here on with this graph for adding new attributes to the event.
An obvious choice to add to the MISP event will be the domain, so we can right-click on that object, and then select the MISPego domain action.
Once again, Maltego will execute the Python code, and then add the domain to the assigned Event ID. The same goes for multiple selections: just group them up and select the appropriate MISPego action.
Assuming you have not encountered any errors, those fields should now be added to MISP under the event you have raised previously.
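The two steps just described (a Phrase becomes a new MISP event, then a Domain is added to that event) follow the shape every Maltego local transform takes: Maltego runs the script with the selected entity's value as its first argument and reads the XML the script prints to stdout, which is how the event ID entity appears on the graph. The block below is an added example that walks through that exchange with a fake MISP so it runs offline; it is not the code in the MISPego repository. The endpoints (/events/add, /attributes/add/<event_id>) and attribute fields are MISP's REST API, while EVENT_ENTITY, the FakeMisp stand-in and the function names are assumptions for the example.

```python
"""Two MISPego-style local transforms, as Maltego would run them: a Phrase
becomes a new MISP event, and a Domain is added to that event as an attribute.
Added example, not the MISPego repository's code. Endpoints and attribute
fields follow MISP's REST API; EVENT_ENTITY, FakeMisp and the function names
are assumptions for the example."""
import sys
import xml.etree.ElementTree as ET

# Entity type used to carry the event ID back into the graph (assumed).
EVENT_ENTITY = "maltego.Phrase"


def maltego_response(entities, message=None):
    """Build the MaltegoTransformResponseMessage a local transform prints to
    stdout. entities is a list of (entity_type, value, {field: value})."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value, fields in entities:
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = str(value)
        ET.SubElement(ent, "Weight").text = "100"
        extra = ET.SubElement(ent, "AdditionalFields")
        for name, fval in fields.items():
            ET.SubElement(extra, "Field", Name=name, DisplayName=name).text = str(fval)
    if message:  # surfaces in Maltego's Output/Debug panel
        ui = ET.SubElement(resp, "UIMessages")
        ET.SubElement(ui, "UIMessage", MessageType="Inform").text = message
    return ET.tostring(root, encoding="unicode")


def entity_values(xml_text):
    """Parse a response back into [(type, value)], to check what Maltego gets."""
    root = ET.fromstring(xml_text)
    return [(e.get("Type"), e.findtext("Value")) for e in root.iter("Entity")]


class FakeMisp:
    """Offline stand-in for the MISP REST API (constructed for the example). A
    real transform POSTs the same bodies with the AuthKey in the Authorization
    header and TLS verification on."""
    def __init__(self):
        self.events = {}

    def post(self, path, body):
        if path == "/events/add":
            event_id = str(len(self.events) + 1)
            self.events[event_id] = dict(body["Event"], Attribute=[])
            return {"Event": {"id": event_id}}
        if path.startswith("/attributes/add/"):
            event_id = path.rsplit("/", 1)[1]
            self.events[event_id]["Attribute"].append(body)
            return {"Attribute": dict(body, event_id=event_id)}
        raise ValueError(f"unexpected path {path}")


def create_event_transform(phrase, misp, event_defaults):
    """Phrase -> MISP event. event_defaults carries the per-event settings from
    mispego_util.py (distribution, threat_level_id, analysis, published)."""
    body = {"Event": dict(event_defaults, info=phrase)}
    event_id = misp.post("/events/add", body)["Event"]["id"]
    xml_out = maltego_response([(EVENT_ENTITY, event_id, {"misp.info": phrase})],
                               f"Created MISP event {event_id}: {phrase}")
    return event_id, xml_out


def add_domain_transform(event_id, domain, misp, to_ids=True):
    """Domain -> attribute on the event whose ID the graph already holds."""
    attribute = {"type": "domain", "category": "Network activity",
                 "value": domain, "to_ids": to_ids}
    misp.post(f"/attributes/add/{event_id}", attribute)
    return maltego_response([], f"Added domain {domain} to event {event_id}")


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    title = sys.argv[1] if len(sys.argv) > 1 else "Test event"
    defaults = {"distribution": 0, "threat_level_id": 2, "analysis": 2, "published": False}
    _, out = create_event_transform(title, FakeMisp(), defaults)
    print(out)
```

The returned Event ID is what the later domain transform needs, which is why the first transform emits it as an entity rather than only as a UI message: Maltego keeps it on the graph, and every further MISPego action reads it from there.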
This has been a very rapid way to build up threat intelligence from a very small indicator, in a manner which does not involve an intelligence analyst interacting with the Threat Intelligence Platform too extensively. Whilst this initial work has involved modifying an aged MISPego repository, it has been tailored to work in the v2.4 MISP installation and the current Maltego version.
Hopefully, the nice people at CIRCL will incorporate my pull request, but in the meantime, I will be writing more attribute actions into my own MISPego repository to cover a wider range of attributes for MISP (and expand how Maltego and MISP can be used together).