MISP

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform that facilitates the collection, storage and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud or any other intelligence, within a community of trusted members.

The threat information can be distributed to and consumed by Network Intrusion Detection Systems (NIDS), log analysis tools and Security Information and Event Management (SIEM) systems.

==MISP Feeds provide a way to:==

  • Exchange threat information.
  • Preview events along with associated attributes and objects.
  • Select and import events to your instance.
  • Correlate attributes identified between events and feeds.

MISP provides the following core functionalities:

  • IOC database: This allows for the storage of technical and non-technical information about malware samples, incidents, attackers and intelligence.
  • Automatic Correlation: Identification of relationships between attributes and indicators from malware, attack campaigns or analysis.
  • Data Sharing: This allows for sharing of information using different models of distributions and among different MISP instances.
  • Import & Export Features: This allows the import and export of events in different formats, to integrate with other systems such as NIDS and HIDS or with formats such as OpenIOC.
  • Event Graph: Showcases the relationships between objects and attributes identified from events.
  • API support: Supports integration with your own systems to fetch and export events and intelligence.

MISP Terms

  • Event: Collection of contextually linked information.
  • Attributes: Individual data points associated with an event, such as network or system indicators.
  • Objects: Custom attribute compositions.
  • Object References: Relationships between different objects.
  • Sightings: Time-specific occurrences of a given data point or attribute being detected, recorded to give it more credibility.
  • Tags: Labels attached to events/attributes.
  • Taxonomies: Classification libraries used to tag, classify and organise information.
  • Galaxies: Knowledge base items used to label events/attributes.
  • Indicators: Pieces of information that can detect suspicious or malicious cyber activity.
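To make the terms above concrete, and to show what the "Automatic Correlation" and "Import & Export" functions listed earlier actually do, here is an added Python example that is not part of the original page and does not use MISP's own code or the PyMISP library. It builds two events in MISP's core JSON layout (an Event with Attribute and Tag entries; the events, indicator values and the SID range are constructed sample data), runs an exact-value correlation across them, as a feed consumer or the correlation engine would, and exports the IDS-eligible attributes (to_ids set) as simplified Suricata-style rules. The rule templates are this example's own and are only loosely modelled on MISP's NIDS export.

```python
import json
from collections import defaultdict

# Two constructed events in MISP's core JSON format. All values are sample
# data made up for this example; none are real indicators.
FEED_EVENT = {
    "Event": {
        "info": "Constructed sample: phishing kit infrastructure (feed)",
        "date": "2024-01-15",
        "threat_level_id": "2",   # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": "2",          # 0 initial, 1 ongoing, 2 complete
        "distribution": "3",      # 3 = all communities
        "Tag": [{"name": "tlp:white"}],
        "Attribute": [
            {"type": "domain", "category": "Network activity", "value": "example-phish.test", "to_ids": True},
            {"type": "ip-dst", "category": "Network activity", "value": "203.0.113.10", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery", "value": "a" * 64, "to_ids": True},
        ],
    }
}

LOCAL_EVENT = {
    "Event": {
        "info": "Constructed sample: internal incident 2024-01",
        "date": "2024-01-20",
        "threat_level_id": "1",
        "analysis": "1",
        "distribution": "0",      # 0 = your organisation only
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity", "value": "203.0.113.10", "to_ids": True},
            {"type": "comment", "category": "Other", "value": "Seen in proxy logs on 2024-01-19", "to_ids": False},
            {"type": "url", "category": "Network activity", "value": "http://example-phish.test/login", "to_ids": True},
        ],
    }
}


def iter_attributes(doc):
    """Yield (event_info, attribute) pairs from a MISP core-format event document."""
    event = doc["Event"]
    for attr in event.get("Attribute", []):
        yield event["info"], attr


def correlate(events):
    """Exact-value correlation across events: any attribute value that appears
    in more than one event links those events. This is the simplest form of
    what MISP's correlation engine does (MISP also handles composite and CIDR
    matches, which are left out here). Comment attributes are free text, not
    indicators, so they are skipped."""
    seen = defaultdict(set)
    for doc in events:
        for info, attr in iter_attributes(doc):
            if attr["type"] == "comment":
                continue
            seen[attr["value"]].add(info)
    return {value: sorted(infos) for value, infos in seen.items() if len(infos) > 1}


SID_BASE = 4000000  # constructed local SID range for the generated rules


def export_nids_rules(events):
    """Export IDS-eligible attributes (to_ids == True) as simplified
    Suricata-style rules. Only IP and domain/hostname attributes are covered;
    hashes and URLs would go to a different export (e.g. a HIDS). An indicator
    that occurs in several events is emitted once."""
    rules, emitted, sid = [], set(), SID_BASE
    for doc in events:
        for info, attr in iter_attributes(doc):
            if not attr.get("to_ids"):
                continue
            key = (attr["type"], attr["value"])
            if key in emitted:
                continue
            value = attr["value"]
            if attr["type"] == "ip-dst":
                rule = 'alert ip $HOME_NET any -> %s any (msg:"MISP outgoing to %s"; sid:%d; rev:1;)' % (value, value, sid)
            elif attr["type"] == "ip-src":
                rule = 'alert ip %s any -> $HOME_NET any (msg:"MISP incoming from %s"; sid:%d; rev:1;)' % (value, value, sid)
            elif attr["type"] in ("domain", "hostname"):
                rule = 'alert dns any any -> any any (msg:"MISP DNS lookup %s"; dns.query; content:"%s"; nocase; sid:%d; rev:1;)' % (value, value, sid)
            else:
                continue
            rules.append(rule)
            emitted.add(key)
            sid += 1
    return rules


if __name__ == "__main__":
    print(json.dumps(correlate([FEED_EVENT, LOCAL_EVENT]), indent=2))
    print("\n".join(export_nids_rules([FEED_EVENT, LOCAL_EVENT])))
```

Running it shows the shared `ip-dst` value linking the feed event to the local incident, which is exactly the kind of relationship the Event Graph would draw, while the non-indicator `comment` attribute and the attributes with `to_ids` unset never reach the NIDS export.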