MISP works really well in an internet connected environment in gathering and creating correlations. However, in air-gapped environments the ability to query MISP for indicators is still incredibly useful, except that an air-gapped environment doesn’t ordinarilly have an Internet connection.
In this article I describe how MISP may be used in an Internet denied environment by leveraging off an existing Internet-connected instance.
In previous articles I have written, MISP can be configured to do a range of functions. Ingesting feeds from external sources is one such purpose, and executing enrichments is another. However, the function I am going to use here is export.
Concept of Operations
At a high level, an Internet-connected MISP instance would contain processed intelligence in a state which would be very consumable by the incident response group.
Processed intelligence would come in the form of complex MISP reports or STIX compatible intelligence which could be correlated immediately. So this almost always eliminates raw lists being periodically imported into an environment.
Remember, the air-gapped environment has no means to call for additional information. So the intelligence needed in the air-gapped system would need to be significantly enriched to be useful.
Internet-connected MISP instance
An internet-connected instance of MISP can tend to contain lots of data and information and to a lesser extent intelligence. See here, for a breakdown of what I mean by data, information, and intelligence.
The intelligence you want to transfer to an air-gapped environment should have the following qualities:
- Has context on it’s own (does not need other sources to provide context)
Segregating the different levels of data within MISP can tricky, but it is achievable through the implementation of tags and/or organizations and sharing groups.
Air-gapped MISP instance
The Air-gapped instance of MISP obviously cannot ingest the same intelligence directly from the internet-connected instance, however, it could import MISP or STIX objects from a local or network-accessible directory for incorporation into the air-gapped instance.
However, this will mean that the transfer is not instantaneous, and is reliant on another data transfer process to transfer the internet-connected intelligence up into the air-gapped instance.
Transferring from Internet-connected to Air-gapped
Transferring from a lower classification domain to a higher classification domain may be achieved through the use of a diode (a device or process which prevents the transmission of higher classification information down to a lower classification domain).
There are a number of mechanisms that may be utilized to achieve this, some as simple as a pair of multiplex media convertors and the clever use of UDP unicast packets to transfer data without a means to transfer back to the lower classification domain.
Actioning the Intelligence from the Air-Gapped Environment
Since MISP can be configured to synchronize a directory of STIX or MISP objects, this would effectively become the air-gapped MISP installation’s intelligence source. Now new MISP events incorporated into the instance can be actioned from your DFIR suite, and the intelligence enriched and consumed within the internet-connected domain may be utilized within the air-gapped environment.