
Using the Course of Action Taxonomies in MISP

Posted on May 10, 2021 By A.McHugh No Comments on Using the Course of Action Taxonomies in MISP
  1. Using the Course of Action Taxonomies in MISP
  2. Using the Data Classification Taxonomies in MISP
  3. Using the Estimative Language Taxonomy in MISP

One of the great aspects of MISP is the use of tags to give an indication of what needs to be done with an indicator within an event. Whole events may be assigned tags, but in this article I am going to talk about marking specific indicators with a Course of Action, which implies a response when/if that indicator has been encountered.

What is a Course of Action?

A course of action is an ‘action taken within an organisation to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack’. Whilst MISP does not allow for direct action on indicators marked with a Course of Action, those indicators may be exported into other systems, which then act on them according to the tag.

This methodology is particularly useful where a Threat Intelligence provider has assessed a threat with high-confidence and has made a recommendation for handling of that indicator. It is then up to the consuming Threat Intelligence partner to utilise those tags to manage indicators in their environment.

Enabling Course of Action Taxonomies in MISP

Whilst logged into MISP as an Administrator, from the navigation menu click Event Actions > List Taxonomies. Within the Namespace column, search for the namespace called ‘course-of-action’. This namespace needs to be activated through the Enable button to the far right, and then ‘enable all’ once the page refreshes.

Enabling Course of Action from the Taxonomies screen

Once completed, the following tags will now become available within MISP for tagging.

  • course-of-action:active="deceive"
  • course-of-action:active="degrade"
  • course-of-action:active="deny"
  • course-of-action:active="destroy"
  • course-of-action:active="disrupt"
  • course-of-action:passive="detect"
  • course-of-action:passive="discover"

Indicators associated with these tags may now be exported from the system and acted upon based on those tags. For example, where an IP address has been tagged with ‘deceive’, any detection of that IP address within an environment may be sinkholed to a honeypot; where annotated as ‘deny’, the IP is simply blocked at the firewall.

Marking indicators with Course of Action tags

Within a MISP event, indicators within that event may be annotated with Course of Action tags which will describe how that indicator is to be used in other appliances.

To mark an indicator within the event, find the indicator you are going to tag, click the Global Tags button, and then open the Taxonomy Library:course-of-action drop-down. Now select the appropriate course of action required for that indicator.

How to select the course-of-action for the indicator

Once you have started marking the indicators within the event, you should have a view similar to the one below. Take note, however, that the usage of these tags needs to be in line with whatever Course of Action framework you have implemented within your Threat Intelligence Platform.

Indicators which have been marked with Course of Action taxonomies
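The two points above, exporting tagged indicators so downstream systems can act on them, and keeping the tags consistent with the Course of Action framework you have adopted, can be handled in one small consumer script. The following is an added example written for this article; it is not code from the post or from the MISP project. It assumes the JSON shape MISP returns from its attribute REST search (a list of attributes under `response.Attribute`, each with a `Tag` list of `{"name": ...}` entries), the sample export is constructed inline so it runs offline, and the downstream target names in `ACTION_TARGET` and the rule that an indicator carries at most one active course of action are illustrative policy choices, not anything MISP enforces.

```python
"""Validate and route MISP attributes by their course-of-action tags.

Added example, not from the McHughSecurity post or the MISP project. The
export shape ({"response": {"Attribute": [...]}}) is assumed from MISP's
attribute REST search; the sample below is constructed and uses
documentation IP ranges.
"""
import json
import re
from collections import defaultdict

# The seven machine tags the course-of-action taxonomy provides once enabled.
COA_VALUES = {
    "active": {"deceive", "degrade", "deny", "destroy", "disrupt"},
    "passive": {"detect", "discover"},
}

# Downstream destination per course of action. Names are assumptions made
# for this example; map them to whatever your environment actually runs.
ACTION_TARGET = {
    "deny": "firewall-blocklist",
    "deceive": "honeypot-sinkhole",
    "disrupt": "proxy-reset",
    "degrade": "rate-limit",
    "destroy": "eradication-queue",
    "detect": "siem-watchlist",
    "discover": "hunt-list",
}

TAG_RE = re.compile(r'^course-of-action:(?P<predicate>active|passive)="(?P<value>[^"]+)"$')

# Constructed sample export: one event's attributes with a mix of tagging.
SAMPLE_EXPORT = json.dumps({"response": {"Attribute": [
    {"type": "ip-dst", "value": "192.0.2.10",
     "Tag": [{"name": 'course-of-action:active="deny"'}, {"name": "tlp:amber"}]},
    {"type": "ip-dst", "value": "192.0.2.20",
     "Tag": [{"name": 'course-of-action:active="deceive"'}]},
    {"type": "domain", "value": "example.net",
     "Tag": [{"name": 'course-of-action:passive="detect"'},
             {"name": 'course-of-action:passive="discover"'}]},
    # Two active courses of action on one indicator: ambiguous, so rejected.
    {"type": "ip-dst", "value": "192.0.2.30",
     "Tag": [{"name": 'course-of-action:active="deny"'},
             {"name": 'course-of-action:active="disrupt"'}]},
    # Misspelled value, as a hand-typed (non-taxonomy) tag might look.
    {"type": "ip-dst", "value": "192.0.2.40",
     "Tag": [{"name": 'course-of-action:active="decieve"'}]},
    # No course-of-action tag at all: nothing for this script to do.
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
     "Tag": [{"name": "tlp:green"}]},
]}})


def parse_coa_tags(attribute):
    """Return [(predicate, value), ...] for course-of-action tags; ignore others."""
    found = []
    for tag in attribute.get("Tag", []):
        match = TAG_RE.match(tag.get("name", ""))
        if match:
            found.append((match["predicate"], match["value"]))
    return found


def validate(coa_tags):
    """Return a list of problems with one attribute's tag set (empty if consistent)."""
    problems = []
    for predicate, value in coa_tags:
        if value not in COA_VALUES[predicate]:
            problems.append(f"unknown {predicate} course of action {value!r}")
    active = {value for predicate, value in coa_tags if predicate == "active"}
    if len(active) > 1:  # policy assumption: one active response per indicator
        problems.append("conflicting active courses of action: " + ", ".join(sorted(active)))
    return problems


def route(export_json):
    """Group indicator values by downstream target; return (routing, rejected)."""
    routing = defaultdict(list)
    rejected = []
    for attribute in json.loads(export_json)["response"]["Attribute"]:
        tags = parse_coa_tags(attribute)
        if not tags:
            continue
        problems = validate(tags)
        if problems:
            rejected.append((attribute["value"], problems))
            continue
        for _, value in tags:
            routing[ACTION_TARGET[value]].append(attribute["value"])
    return dict(routing), rejected


if __name__ == "__main__":
    routing, rejected = route(SAMPLE_EXPORT)
    for target, values in sorted(routing.items()):
        print(f"{target}: {', '.join(values)}")
    for value, problems in rejected:
        print(f"REJECTED {value}: {'; '.join(problems)}")
```

Rejected indicators are reported rather than silently dropped, since a conflicting or misspelled tag usually means the event was marked outside the agreed framework and the producer should be told. To run this against a live instance, replace `SAMPLE_EXPORT` with the body returned by your MISP attribute search and keep the validation step in front of any automated blocking or sinkholing.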
