One of the great aspects of MISP, is the use of tags to give an indication of what needs to be done with an indicator within an event. Whole events may be assigned tags, but in this article I am going to talk to marking specific indicators with a Course of Action which implies a response when / if that indicator as been encountered.
What is a Course of Action?
A course of action is an ‘action taken within organisation to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack’. Whilst MISP does not allow for direct action on Course of Action marked indicators, the indicators may be exported into other systems using those indicators.
This methodology is particularly useful where a Threat Intelligence provider has assessed a threat with high-confidence and has made a recommendation for handling of that indicator. It is then up to the consuming Threat Intelligence partner to utilise those tags to manage indicators in their environment.
Enabling Course of Action Taxonomies in MISP
Whilst logged into MISP as an Administrator, from the navigation menu click Event Actions > List Taxonomies, within the Namespace column, search for the namespace called ‘course-of-action’. This namespace needs to be activated through the Enable button to the far right, and then ‘enable all’ once the page refreshes.
Once completed, the following tags will now become available within MISP for tagging.
- course-of-action:active=”decieve”
- course-of-action:active=”degrade”
- course-of-action:active=”deny”
- course-of-action:active=”destroy”
- course-of-action:active=”disrupt”
- course-of-action:passive=”detect”
- course-of-action:passive=”discover”
Indicators associated with these tags may now be exported from the system, and acted upon based on those tags. For example, where an IP address has been tagged with ‘deceive’ any detection of that IP address within an environment may be sink holed to a honeypot. Or, where annotated as ‘deny’ the IP is simply blocked at the firewall.
Marking indicators with Course of Action tags
Within a MISP event, indicators within that event may be annotated with Course of Action tags which will describe how that indicator is to be used in other appliances.
To mark an indicator within the event, look for the indicator which you are going to tag and then click on the Global Tags button, then the Taxonomy Library:course-of-action drop down. Now we can select the appropriate course of action required for that indicator.
Once you have started marking the indicators with the event, you should have a view similar to the below. Take note however, the usage of these tags needs to be in line with whatever Course of Action framework you have implemented within your Threat Intelligence Platform.
