MISP is certainly intended to be used like this, however, with some creativity and some technical effort, the MISP Threat Intelligence Platform could be utilized as a missing person’s intelligence database.
In this post, I will discuss a methodology in using MISP as the Intelligence Platform, and more traditional applications such as Maltego (and some custom transforms) to collect, enrich, and manage your intelligence.
Read More “Using MISP in a TraceLabs Missing Persons engagement” »
Intelligence is the enrichment of data or information, its classification and publication by experts within a field. The resultant output is ordinarily a qualitative assessment backed by quantitative metrics, or absolutes which formed part of the data or information it was derived from.
In terms of Cyber Threat Intelligence, this goes beyond the extraction of IOCs, strings, and the generation of cryptographic hashes, and fuzzy hashing – this is the correlation of events, actors, methods, and motives to generate Threat Intelligence which aims to describe the objectives, motives, capability and perhaps the identity of a threat actor.
Over the last few months I have been working away on several work tasks which have had me hunting for threats within an immensely complex environment. Part of this hunt has involved the analysis and selection of threat feeds for incorporation into other tools to hunt known bad indicators. In this post I will be talking through the deployment of MISP to enable aggregation of threat indicators, and the generation of exports which may be ingested into other platforms.
It seems to be a significant buzzword nowadays, but Threat Intelligence is available in an abundance from a wide range of curators and commercial suppliers.
So what does it take to correlate observables such as precursors to determine if they are an indicator of compromise, and by whom have they been generated?