MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
Within a well structured SIEM environment, a Threat Intelligence Platform may allow an organisation to generate new intelligence relevant to the organisation, and it may allow for the ingestion of external intelligence sources.
As a bake off for the Threat Lab and Incident Response capabilities, we will also be installing Splunk Enterprise. This will be in the 30 day trial mode, so it would be advisable to seek advice from your Splunk sales representative prior to using this installation in a production environment.
Read More “[Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise” »
You can potentially use a Cloud-hosted instance of Elastic Cloud Enterprise, however since I am trying to avoid putting this environment on the Internet, I will be building ECE in my home lab environment.
For this article and subsequent articles, I will be talking through the installation, configuration, and integration components in building an integrated threat and incident response lab. The primary purpose of this lab is to be able to replay malicious attack data into a SIEM environment (Splunk and Elastic will be used) and then generate appropriate alerts and actions within those SIEMs for an analyst to action. In addition, both SIEMS will be integrating MISP as a Threat Intelligence Platform to consume enriched intelligence and store and process newly generated intelligence from the lab.
Read More “[Part 1] Building a Threat Integration and Testing Lab” »