MISP
By giving, you will receive safety
Sharing is key to fast and effective detection of attacks. Quite often, similar organisations are targeted by the same threat actor, in the same or in different campaigns. MISP makes it easier for you to share with, and to receive from, trusted partners and trust groups. Sharing also enables collaborative analysis and saves you from redoing work that someone else has already done.
Implementing automatic synchronisation of your IOCs gives you a hassle-free, always-up-to-date feed for your own security components when it comes to detecting, alerting on and blocking known malicious activity.
With a framework like MISP at hand, you can decide very granularly what to share and what to receive.
The IT community is confronted with incidents of all kinds and nature, new threats appear on a daily basis. Fighting these security incidents individually is almost impossible. Sharing information about threats among the community has become a key element in incident response to stay on top of the attackers. Reliable information resources, providing credible information, are therefore essential to the IT community, or even at broader scale, to intelligence communities or fraud detection groups. This paper presents the Malware Information Sharing Platform (MISP) and threat sharing project, a trusted platform that allows the collection and sharing of important indicators of compromise (IoC) of targeted attacks, but also threat information like vulnerabilities or financial indicators used in fraud cases. The aim of MISP is to help in setting up preventive actions and countermeasures used against targeted attacks. It enables detection via collaborative knowledge sharing about existing malware and other threats.
Researchlabs
Threat intelligence is of crucial importance to companies in their everyday struggle with complex threats. It allows businesses to keep up to date with the evolving landscape before technical threat descriptions become publicly available. This access to constantly updated information from expert sources and the very latest APT Intelligence reports means that an effective and swift response can be taken to overcome potential threats, through improved visibility of criminal and cyberespionage tactics, techniques and procedures available in human and machine readable formats such as Indicators of compromise (IoC) and Yara rules.
Kaspersky
The main motivations for IOC sharing are:
- My threat is your safety
- Faster access to actionable security information, often relevant to your peers or industry
- Forces threat actors to change their infrastructure more frequently
- Builds trust relationships between organisations
- Supports an intelligence-driven security model
- You decide yourself which information is eligible for sharing, and with whom
- Fight back against the massive power of malicious actors by pooling your strength with many others
For a more technical read on how to set up and join the sharing community, continue with the articles below.
- Munich
- DigitalSide is giving a free MISP feed to the community
- The (M)alware (I)nformation (S)hare (P)ortal aka MISP
- About MISP
  Isn't it sad to have a lot of data and not use it because it's too much work? Thanks to MISP you can store your IOCs in a structured manner, and thus enjoy the correlation, automated exports fo...
- Get part of the team, install your own MISP
  The professional way into the MISP crowd is to install a clean, fresh version from scratch on a new Linux system. See: https://github.com/MISP/MISP Everything you need is there and also a complete...
- Accessing the MISP data from within Splunk to correlate your live data with the MISP events
  Wouldn't it be great to have the chance of seeing which of your network activity is related to a known malicious event? Well, if you send your firewall and proxy logs to Splunk, there is a way of ...
- Prepare MISP
  Having not found a reliable logfile within the MISP instance to run Splunk on, I decided to use the MySQL backend of MISP to catch the data. But a few things need to be done prior to being able to...
- Prepare Splunk
  Simply install the Splunk app "DB connect V2" and configure it as below: I had to install the Oracle JRE to get the app running, so the lines below might help if you have the same issue: Get the jre-8...
- Accessing the data
  As the MISP DB has a lot of fields, I needed to create a simple view that joins the major fields of information together to have an easy way for a Splunk search to access it. The search I crafted...
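The correlation the Splunk articles above build (firewall and proxy log fields matched against MISP attributes, joined back to their event) can be shown stand-alone. The following is an added example, not code from this page or from the MISP project; it uses constructed rows shaped like the columns of MISP's `events` and `attributes` tables (event_id, type, value1, value2, to_ids, deleted) and constructed key=value log lines, and it applies the two filters a detection feed needs: only `to_ids=1` attributes count, and soft-deleted ones are skipped.

```python
import re
from collections import defaultdict

# Constructed rows shaped like MISP's `events` table (id -> info, date, threat_level_id).
EVENTS = {
    1: {"info": "Phishing campaign (constructed)", "date": "2016-05-02", "threat_level_id": 2},
    2: {"info": "C2 infrastructure (constructed)", "date": "2016-05-03", "threat_level_id": 1},
}

# Constructed rows shaped like MISP's `attributes` table. Composite types such as domain|ip
# keep their second half in value2; to_ids=0 is context only and deleted=1 is retracted.
ATTRIBUTES = [
    {"event_id": 1, "type": "domain", "value1": "bad.example", "value2": "", "to_ids": 1, "deleted": 0},
    {"event_id": 1, "type": "url", "value1": "http://bad.example/login.php", "value2": "", "to_ids": 1, "deleted": 0},
    {"event_id": 2, "type": "ip-dst", "value1": "198.51.100.23", "value2": "", "to_ids": 1, "deleted": 0},
    {"event_id": 2, "type": "domain|ip", "value1": "c2.example", "value2": "203.0.113.9", "to_ids": 1, "deleted": 0},
    {"event_id": 2, "type": "ip-dst", "value1": "192.0.2.200", "value2": "", "to_ids": 0, "deleted": 0},
    {"event_id": 2, "type": "domain", "value1": "old.example", "value2": "", "to_ids": 1, "deleted": 1},
]

# Constructed firewall/proxy log lines in key=value form.
SAMPLE_LOGS = [
    'ts=2016-05-04T10:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow',
    'ts=2016-05-04T10:01:09Z src=10.0.0.7 host=bad.example url="http://bad.example/login.php" status=200',
    'ts=2016-05-04T10:02:11Z src=10.0.0.9 dst=192.0.2.200 dport=80 action=allow',
    'ts=2016-05-04T10:03:00Z src=10.0.0.9 host=old.example status=200',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def build_lookup(attributes):
    """Index actionable (to_ids=1, not deleted) indicator values to their event ids."""
    lookup = defaultdict(list)
    for a in attributes:
        if not a["to_ids"] or a["deleted"]:
            continue  # context-only or retracted attribute: never alert on it
        values = [a["value1"]] + ([a["value2"]] if "|" in a["type"] and a["value2"] else [])
        for v in values:
            lookup[v.lower()].append(a["event_id"])
    return lookup

def correlate(log_lines, lookup, events=EVENTS):
    """Return (line_no, field, value, event_id, event_info) for every log field that is a known indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for key, raw in KV.findall(line):
            val = raw.strip('"').lower()
            for eid in lookup.get(val, ()):
                hits.append((n, key, val, eid, events[eid]["info"]))
    return hits
```

Running `correlate(SAMPLE_LOGS, build_lookup(ATTRIBUTES))` on the constructed data yields three hits (lines 1 and 2), while the to_ids=0 and deleted attributes on lines 3 and 4 correctly produce none.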