[Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

Within a well structured SIEM environment, a Threat Intelligence Platform may allow an organisation to generate new intelligence relevant to the organisation, and it may allow for the ingestion of external intelligence sources.

Requirements

For this build, I will be using Ubuntu 18.04 within a Virtual Machine.

sudo apt update -y && sudo apt upgrade -y

Installation

wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
bash /tmp/INSTALL.sh -A

Initial Configuration

For the initial login for the web interface you will need to login with [email protected] / admin

Initial login for MISP

From there initial configuration can be commenced for the MISP organizations, modules, and then eventually generating auth keys for external integrations.

Under the Administration menu, in Server Settings & Maintenance, we will configure the MISP base settings. Namely, we will replace the hostname references with the live values, and update the owner information associated with the installation.

Configuring MISP base installation options

Creating an organization

By default, a system organisation is created within MISP at install time which effectively owns the instance. I would suggest creating a new organisation for your purposes instead of modifying the existing one.

Creating a new organisation is achieved through the Administration menu (as below), and will require some basic information from yourself to get started. Generally, this should be a Local Organisation, so you will need to make sure the Local Organisation checkbox is checked.

Creating a new MISP Organisation

Creating an initial organization user

When creating an admin account for your organisation, do so using the org-admin role instead of Super Administrator. This way the administration of the whole platform is separated from that of the user administration function.

Similar to creating an organisation, users are created in the same Administration menu, and are assigned to organisations (as in the screenshot below). Organisational Administrators should be added first (and should serve as a break-glass account of sorts) for the whole organisation.

Creating a new user for an organisation

Further to creating users, customized roles may also be created which would allow better segregation and limitation of access of users.

Creating auth keys

Authentication keys are used within MISP to perform functions through the API interface. Generally, users are assigned a single auth key; however, it is possible to generate more than one for each user through the Auth Keys interface.

Creating authentication keys within MISP

Further customization is also possible by enabling advanced authentication keys, which allows for more granular controls and implementation of expiry timeframes.
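As an added example (not from the original post or the MISP project), the following Python snippet shows how an external integration would use one of these auth keys against the MISP REST API: the key is read from the environment rather than hardcoded, checked for the expected 40-character shape, and sent in the Authorization header of a POST to /attributes/restSearch. The base URL, environment variable name and the embedded sample response are constructed assumptions.

```python
import json
import os
import re
import urllib.request

# Constructed base URL for the lab instance (assumption; override via MISP_URL).
MISP_URL = os.environ.get("MISP_URL", "https://misp.lab.local")
# MISP auth keys are 40 alphanumeric characters.
AUTHKEY_RE = re.compile(r"^[A-Za-z0-9]{40}$")

# Constructed sample of what /attributes/restSearch returns with returnFormat=json.
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"event_id": "12", "type": "ip-dst", "value": "198.51.100.7"},
    {"event_id": "12", "type": "domain", "value": "bad.example"},
]}}


def valid_authkey(key):
    """True only for a key that looks like a MISP auth key (refuse blanks/typos early)."""
    return bool(AUTHKEY_RE.match(key or ""))


def load_authkey(env_var="MISP_KEY"):
    """Read the auth key from the environment so it never lands in source control."""
    key = os.environ.get(env_var, "")
    if not valid_authkey(key):
        raise ValueError(f"{env_var} is missing or is not a 40-character MISP auth key")
    return key


def misp_headers(authkey):
    """MISP authenticates API calls with the raw key in the Authorization header."""
    return {"Authorization": authkey, "Accept": "application/json",
            "Content-Type": "application/json"}


def search_request(authkey, value):
    """Build (without sending) a restSearch POST that looks up a single indicator value."""
    body = json.dumps({"value": value, "returnFormat": "json"}).encode()
    return urllib.request.Request(f"{MISP_URL}/attributes/restSearch", data=body,
                                  headers=misp_headers(authkey), method="POST")


def attributes_from_response(payload):
    """Flatten the restSearch JSON into (event_id, type, value) tuples."""
    attrs = payload.get("response", {}).get("Attribute", [])
    return [(a["event_id"], a["type"], a["value"]) for a in attrs]


def lookup(value):
    """Send the search to the live instance; TLS is verified by urllib by default."""
    req = search_request(load_authkey(), value)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return attributes_from_response(json.load(resp))


if __name__ == "__main__":
    print(attributes_from_response(SAMPLE_RESPONSE))  # offline demo on the sample
```

Rotating or expiring a key then only requires changing the environment variable, which is the point of keeping it out of the script.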

Configuring modules

MISP is equipped with the misp-modules capability, which in effect is a method of enriching attributes using external services. These services can perform all manner of functions, including DNS resolution, submitting URLs to external sandboxes, and firing up dynamic analysis environments.

Modules from MISP

Import modules

The import modules for MISP allow the platform to ingest intelligence from external services, and then translate it into the MISP taxonomies and structures.

MISP Import Modules

Imports may occur from services such as Cuckoo, Lastline, VMRay or JoeSandbox.

Export modules

Exports are another interesting component of MISP, whereby the attributes within events may be exported for other systems to interoperate with. I will be going further into this in subsequent posts, including how each enrichment may be implemented effectively.

MISP Export Modules

Enrichment modules

Enrichment modules are used within MISP to provide additional context and more information to existing attributes, and potentially uncover further correlations. I will be going into these enrichments further in subsequent posts.

MISP enrichment modules
