When it comes to cyber threats, we understand that a threat to one organization can quickly become a threat to another. Even a threat to a single host within an organization can spread and become a threat to the entire organization and its critical infrastructure. Cybercriminals, though often smart, do not always have the resources to attack each new target with a different strategy. They often use playbooks, attempting the same strategy on multiple organizations until one finally works.
Despite our knowing that these threat actors employ the same tactics over and over again, organizations are breached every day. Proactive organizations understand that sharing cyber threat intelligence with one another can create a more collaborative and connected cybersecurity defense. This is why platforms like the Malware Information Sharing Project (MISP) are vitally important to the future of cybersecurity.
What is MISP?
The Malware Information Sharing Project (MISP) is a free, open-source threat intelligence platform. Initially founded in 2011, MISP was born from frustration associated with the way indicators of compromise (IOCs) were being shared. The original developer, Christophe Vandeplas, sought a new way to share IOCs with peers. With the help of the North Atlantic Treaty Organization (NATO) with funding from the European Union (EU), MISP was released to the public. MISP is first and foremost an outlet to share IOCs, either directly with peers or through public and private feeds. Over time, MISP has expanded to support collaborative sharing of analysis and event correlations, automatic feeds into detection systems, taxonomies and classification schemes, and more. MISP enables users to stay more informed and better protected.
The Benefits of Using MISP for Threat Intelligence Sharing
Arguably the main benefit of using MISP for threat intelligence sharing is the simple knowledge transfer. For example, when a user discovers an IOC and shares it on MISP, it is immediately available to their colleagues and partners. Whenever new data is added to MISP, it shows relations to other observables and indicators. This makes analysis more efficient, and allows for easy collaboration between an organization’s team members. Additionally, MISP supports the sharing of IDS rules from Suricata, Zeek, Snort, and Bro as well as STIX, OpenIOC, text, or csv export formats. MISP allows the user to automatically import data directly into their detection system in the format they require, regardless of the source. For example, a Suricata user can still implement an IOC that was originally discovered and uploaded using Zeek. MISP will automatically export the IOCs into Suricata as a correctly formatted Suricata signature.
Another benefit is the community focus. MISP contains a number of public communities and feeds for threat intelligence sharing outside of the private connections users make with one another. Aside from the knowledge sharing benefits, the open-source nature of MISP means that it was built to support the needs of the cyber-defender community, and improvements are made based on community suggestions and contributions. These updates are made regularly and show no signs of slowing down.
MISP has other features that make it a very useful threat intelligence sharing platform, organizations should consider its use in their SOC. The flexible API, Python libraries, and MISP modules make integrating MISP into your tech stack straightforward.
Other Organizations Using MISP
MISP is widely used by both government entities and private businesses. The threat intelligence from other organizations facing serious threats on a daily basis paired with the helpful set of features makes it a useful addition to any threat detection strategy. Many organizations around the world have indicated their adoption and support for MISP, and while there is nothing published sharing the total number of users, there are some MISP communities with over 1100 international member organizations. Here are just a few of the organizations that have publicly announced that they use MISP in their cybersecurity strategy:
- European Union Agency for Cybersecurity (CERT-EU)
- NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE)
- Center for Internet Security (CIS)
- Computer Emergency Response Team Australia (CERT-Australia)
- UK’s National Cyber Security Center (NCSC)
- Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC)
Why You Should Integrate MISP
MISP integrates easily with both the Stamus Security Platform (SSP) and SELKS. By adopting MISP and integrating it with your Stamus threat detection solutions, you can join a community of over 6000 organizations sharing their threat intelligence. To learn how to integrate MISP into your Stamus solutions, read the follow-up articles published on the Stamus Networks blog.