Overview

Description

MISP is an efficient IoC and indicators database allowing to store technical and non-technical information about malware samples, incidents, attackers and intelligence. If you are new to MISP or the concept of sharing threat intellifence to enable incident response activities, start with the

Components

MISP is composed of a few applications to facilitate the storage, communication, and handling of malware reports. These components can be orchestrated and spun up using docker-compose.

• Redis for processing tasks
• SMTP MTA for sending email notifications
• MySQL database
• the MISP application itself.

Purpose: What does MISP provide?

MISP provides the following core functionalities:

• IOC database: This allows for the storage of technical and non-technical information about malware samples, incidents, attackers and intelligence.
• Automatic Correlation: Identification of relationships between attributes and indicators from malware, attack campaigns or analysis.
• Data Sharing: This allows for sharing of information using different models of distributions and among different MISP instances.
• Import & Export Features: This allows the import and export of events in different formats to integrate other systems such as NIDS, HIDS, and OpenIOC.
• Event Graph: Showcases the relationships between objects and attributes identified from events.
• API support: Supports integration with own systems to fetch and export events and intelligence.

Definitions

When using MISP or looking up the documentation, these are some keywords to keep in mind. People with a passing knowledge of incident response will often conflate some of these words with other, similar works that actually have very different meanings for the practitioner. It is best to have these words defined in an Incident Response Plan that is easily and frequently referenced by the team.

• Events: Collection of contextually linked information.
• Attributes: Individual data points associated with an event, such as network or system indicators.
• Objects: Custom attribute compositions.
• Object References: Relationships between different objects.
• Sightings: Time-specific occurrences of a given data point or attribute detected to provide more credibility.
• Tags: Labels attached to events/attributes.
• Taxonomies: Classification libraries are used to tag, classify and organize information.
• Galaxies: Knowledge base items used to label events/attributes.
• Indicators: Pieces of information that can detect suspicious or malicious cyber activity.

Running MISP in Docker

The original version of this used coolacid's docker-misp project, however, that has been deprecated in favor of the now-official docker instance for MISP.
MISP official misp-docker and the rest of this doc is for reference.

Setup

In order to persist the threat intel, we store it outside of the running containers. This step creates the directories referenced by the docker-compose.yml file.

Preparation

Create the data directories

Create the directories for persisting data across restarts.

sudo mkdir -p /opt/misp
sudo mkdir -p /data/misp/server-configs
sudo mkdir -p /data/misp/logs
sudo mkdir -p /data/misp/files
sudo mkdir -p /data/misp/mysql

Configuration

Initial

1. Login with the defailt credentials
   user: admin@admin.test
   pass: admin
2. Change the password as prompted (add it to a password manager!)
3. Announce the creation of the system:
   1. Global Actions > News
   2. click on Add News Item
   3. Post a message, such as "This MISP instance was configured on April 6, 2021. 20210406"

Primary MISP Settings

MISP has configurations and adjustments in many places. The primary can be found under "Administration > Server Settings & Maintenance". Generally, all settings highlighted in red or yellow should be set. These instructions will set only the bare minimum in order to have a functioning MISP system. Experimentation with other settins is encouraged; see teh full MISP documenbtation for information.

To configure these settings, double-click on the current value. This will allow you to make changes to the current configuration. When the change has been made, click the ✓ icon.

Follow these steps to set the basic settings

Set the name of the organization

1. click Administration > List Organizations
2. set the "Organisation Identifier" to one that matches your use case. (a company name works, as does a project, handle, meme, or other signifier) Note: use something sensible if this MISP instance will be federated with other instances.
3. Fill in the other boxes, as relevant
4. Add the UUID to the OpenCTI config
   1. Click the Generate UUID button
   2. copy and paste the UUIID ias the value for MISP_CONNECTOR_ID in the OpenCTI .env configuration file
5. Click Submit

Configure general settings

Note: many of the setting defaults are the desired setting for a stand-alone instance. Affirmatively setting them will make the red or yellow highlight disappear.

1. Click on "MISP Settings"
2. Set MISP.external\_baseurl to be the hostname for accessing the system.
3. Set MISP.live to true
4. Set MISP.host\_org\_id to the organization set in the section above. This will likely be set to a '1'
5. Optional: set a value for MISP.default\_event\_tag\_collection. This could be used later in OpenCTI filtering. Affirmatively setting it to 'None' removes the critical red highlight.

User Roles

MISP can be a complicated system to operate because it has been designed to create a network that is meant to share sensitive information with other entities and organizations

Roles:

• organisation admin required to publish information to the network so it can be viewed by other organizations with the requisite permissions

Configure Feeds

Feeds are the sources of indicators and can be imported into MISP in order to provide analysyts information about security events. If the feed is another MISP server, it usually represents a given organization. Additionally, it can be a more common list (usually CSV-formatted) of #IOCs.

Default Feeds

Navigate to the feed confguration through clicking Sync Actions > List Feeds A new installation should have two pre-configured feeds. To enable these:

1. Click the edit button
2. Check the "Enabled" box
3. Update any other options as necessary; the defaults are okay for a private instance
4. Click "Edit" to save

Adding Feeds

MISP also has a number of ready-to-go feeds easily added to the running configuration

1. Click the Load default feed metadata button near the top of the Feeds page.
2. This will populate over 50 available feeds
3. Enable any desired feeds as described in the Default Feeds section above.

Adding Custom Feeds

Other Settings

Server Settings & Maintenance

Security Settings

Set Security.rest\_client\_baseurl to blank

Plugin Settigns

This section, under Administration > Server Settings & Maintenance enables the configuration of many feeds tor artifact enrichment and additional information to be collected. If using OpenCTI in conjunction with MISP, this section is not overly necessary.

Baisics:

Set Plugin.Enrichment\_hover\_enable to true

Set Plugin.Enrichment\_hover\_popover\_only to true

Additional:

Set feeds as available or of interest to you

Sync Servers

Navigate to Sync Actions > List Communities

TRhesae items allow for requesting access to other communities. Clicking on the Request Access button will prompt a dialogue for entering information regarding your "organization" and why access should be gratned.

Configure Maintenance

Scheduled Tasks

Using the top navigation bar, click Administration > Scheduled Tasks

On the left-hand pane, click Scheduled Tasks

double-click into each date on the "next run" column and set it to a date in the future

Set the frequency for each task; this is an integer in hours

• The cache_feeds task should shortly follow the fetch_feeds task and run with the same frequency

cache_exports should run no more than once a week and during off-peak hours. (e.g. a frequency of 168 hours, which is once /wk)

Updating

With the use of the 1atest tag, updating is performed with the following

docker-compose down
docker-compose pull
docker-compose up -d

Check Jobs Health

Administration > Jobs

Using MISP

Navigating Events

Viewing Events

Event Actions > List Events will show events received by this MISP server from other MISP instances and those generated directly within this platform.

Taxonomies

Available from the navigation bar: Event Actions > List Taxonomies, taxonomies are a means of classifying information and in MISP, they are used to categoize events, indicators, and threat actors. They are expressed with tags and can be used to:

• Set events for further processing by external tools such as VirusTotal.
• Ensure events are classified appropriately before the Organisation Admin publishes them.
• Enrich intrusion detection systems' export values with tags that fit specific deployments.

Using The API

• part 6 of a series on using threat intelligence with MISP includes information and tips about using the API