- [Part 1] Building a Threat Integration and Testing Lab
- [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
- [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
- [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform
MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
Within a well-structured SIEM environment, a Threat Intelligence Platform may allow an organisation to generate new intelligence relevant to itself, and may also allow for the ingestion of external intelligence sources.
For this build, I will be using Ubuntu 18.04 within a Virtual Machine.
```bash
sudo apt update -y && sudo apt upgrade -y
wget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh
bash /tmp/INSTALL.sh -A
```
For the initial login to the web interface you will need to log in with email@example.com / admin.
From there initial configuration can be commenced for the MISP organizations, modules, and then eventually generating auth keys for external integrations.
Under the Administration menu, in Server Settings & Maintenance, we will configure the MISP base settings. In particular, we will replace the placeholder hostname references with the live values and update the owner information associated with the installation.
Creating an organization
By default, a system organisation is created within MISP at install time which effectively owns the instance. I would suggest creating a new organisation for your purposes instead of modifying the existing one.
Creating a new organisation is done through the Administration menu (as below) and requires some basic information from you to get started. Generally this should be a local organisation, so make sure the Local Organisation checkbox is ticked.
Creating an initial organization user
When creating an admin account for your organisation, do so using the org-admin role instead of Super Administrator. This way the administration of the whole platform is separated from that of the user administration function.
As with creating an organisation, users are created in the same Administration menu and are assigned to organisations (as in the screenshot below). Organisational Administrators should be added first, and should serve as break-glass accounts for the whole organisation.
Beyond creating users, customised roles may also be created, which allow finer segregation and limitation of user access.
Creating auth keys
Authentication keys are used within MISP to perform functions through the API interface. Generally, users are assigned a single auth key; however, it is possible to generate more than one per user through the Auth Keys interface.
Further customisation is possible by enabling advanced authentication keys, which allow more granular controls and the setting of expiry times.
MISP is equipped with the misp-modules capability which, in effect, is a method of enriching attributes using external services. These services can perform all manner of functions, including DNS resolution, submitting URLs to external sandboxes, and firing up dynamic analysis environments.
The import modules for MISP allow the platform to ingest intelligence from external services and translate it into the MISP taxonomies and structures.
Imports may occur from services such as Cuckoo, Lastline, VMRay or JoeSandbox.
Exports are another interesting component of MISP, whereby the attributes within events may be exported for other systems to interoperate with. I will be going further into this in subsequent posts, and how each enrichment may be implemented effectively.
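As an added example (not code from the original post or from the MISP project), the following Python ties the auth key and export topics together: it builds the restSearch request that carries an auth key as the Authorization header, then filters a response down to the to_ids attributes that are safe to push into a SIEM. The base URL, the MISP_AUTH_KEY environment variable and the sample response are assumptions constructed for the example.

```python
import json
import os
from typing import Dict, List
from urllib import request

def build_restsearch_request(base_url: str, auth_key: str, last: str = "7d") -> request.Request:
    """Build the POST /events/restSearch request MISP expects.
    MISP reads the user's auth key as the bare value of the Authorization
    header; the key comes from the caller (e.g. an environment variable).
    """
    body = {"returnFormat": "json", "published": True, "last": last}
    return request.Request(
        base_url.rstrip("/") + "/events/restSearch",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": auth_key,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )

def extract_iocs(response: dict) -> List[Dict[str, str]]:
    """Flatten a restSearch response to event/type/value rows, keeping only
    attributes flagged to_ids; context-only attributes would become noise if
    pushed into a SIEM as detection content."""
    rows = []
    for wrapper in response.get("response", []):
        event = wrapper["Event"]
        for attr in event.get("Attribute", []):
            if attr.get("to_ids"):
                rows.append({"event_id": event["id"], "type": attr["type"], "value": attr["value"]})
    return rows

# Constructed sample shaped like a MISP restSearch JSON response (not real data).
SAMPLE_RESPONSE = {
    "response": [{"Event": {"id": "42", "info": "Constructed phishing event", "Attribute": [
        {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
        {"type": "domain", "value": "invoice-update.example", "to_ids": True},
        {"type": "comment", "value": "Analyst note, context only", "to_ids": False},
    ]}}]
}

if __name__ == "__main__":
    # Offline demonstration: build the request without sending it, then filter the sample.
    req = build_restsearch_request("https://misp.example", os.environ.get("MISP_AUTH_KEY", "<auth-key>"))
    print(req.full_url)
    for row in extract_iocs(SAMPLE_RESPONSE):
        print(row)
```

In a live integration, `urllib.request.urlopen(req)` would send the request over HTTPS and the returned JSON would be passed to `extract_iocs` in place of the constructed sample.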
Enrichment modules are used within MISP to provide additional context and more information to existing attributes, and potentially uncover further correlations. I will be going into these enrichments further in subsequent posts.