Stamus Security Platform (SSP) users can now integrate the Malware Information Sharing Platform (MISP) to supplement their threat intelligence and security management. This blog details the benefits of doing so and how to optimize the performance and use of MISP with the Stamus Security Platform to ensure maximum benefit from threat intelligence sharing.
MISP, now known as the Open Source Threat Sharing Platform, is a software tool that helps organizations share and analyze information about cyber threats, such as malware and phishing campaigns. It allows users to store and organize data in a structured format, making it easy to search and identify potential threats. It also includes features for collaboration and threat intelligence sharing.
MISP is open-source software, which means that it is free to use, download, and modify. The source code is publicly available under the AGPLv3 license, which allows anyone to use, distribute, and modify the software for any purpose, including commercial use.
For an introduction to shared threat intelligence with MISP, read our blog “Harness the Power of Shared Threat Intelligence with MISP”.
What is Threat Intelligence?
Threat intelligence (often abbreviated to “threat intel”) is evidence-based knowledge about current or emerging cyber security threats. It helps individuals and organizations to better understand past, present, and potential future threats.
For a more thorough introduction to shared threat intelligence with MISP, read our blog “Harness the Power of Shared Threat Intelligence with MISP”.
A few reasons to use MISP
MISP solves two big problems for SecOps teams: information overload and the challenges of dealing with high volumes of unstructured data. Organizations of any size can benefit from using MISP to improve their cybersecurity posture and organize threat intelligence by automating certain tasks. Here are a few of the benefits organization’s might gain with MISP:
Threat Intelligence:
MISP can be used to gather and analyze threat intelligence information, which can help an organization to identify and respond to potential threats. This can be done by importing data from external sources, such as threat intelligence feeds, or by sharing information with other organizations through the platform's built-in collaboration features.
Incident response:
Shared threat intelligence helps security teams manage and respond to incidents more effectively. Organizations can use the platform to track and document incidents as well as share information and collaborate with other organizations.
Security awareness:
MISP enables organizations to create and share security awareness training materials with employees to help them understand and recognize the latest threats.
Risk Management:
Threat intelligence sharing platforms help Identify and evaluate potential risks to the organization and implement controls to mitigate those risks.
A posteriori IoC
With the help of the Stamus Security Platform we can easily check if a domain has already been seen on the network. In order to accomplish this task we can look at the vast amount of metadata produced in the NSM data pool. The “Sightings'' feature in Stamus Security Platform gives us the ability to pinpoint the first time a piece of metadata (such as domain, TLS certificate, HTTP host/user agent/server, JA3, JA3S, file checksum, etc) has been seen in the enterprise. For example, a domain name that can be referenced with the dns.rrname field in the DNS events, a “tls.sni'' in TLS events, and “http.host” in HTTP events could all be new “Sightings”. Such data can give an analyst pretty good coverage of a potential IoC in the network. Hash information can also be looked up inside the fileinfo metadata.
The problem with the existing integration
While this blog is about MISP and Stamus Security Platform, it is important to note that SSP is built around the Suricata detection engine. Because of this, many SSP detections come from Suricata signatures. MISP has an existing Suricata extension that can be implemented in SSP, but it is ineffective. It will generate one single signature for every IoC item. This could mean that even a small MISP instance can generate hundreds of thousands of signatures which can slow down the whole engine and impact performance.
The “Dataset” concept
The Stamus Security Platform can use a much more suitable Suricata feature for this task - the “dataset”. Datasets are used to store and match efficiently on big volumes (milions) of IoC custom data. It’s a list matching on sticky buffer keywords. This way we can match a list against extracted metadata. It can definitely do the job of IoC matching as well. This ability could be used to collect data from the network on the same principle and create a database – for example, new domains seen on the network.
More on the subject could be found here: https://youtu.be/dUUPwgHkuvo
When defining datasets, the data must be encoded with base64, which is a format that can be easily used in various contexts. The Stamus Security Platform will accept strings in the dataset that are only base64 encoded. This way it can ensure the integrity of the data and be loaded and used without causing syntax errors or other issues that might arise from including non-ASCII or non-printable characters.
Bringing it all together - MISP and the Stamus Security Platform (SSP)
It is important to mention that MISP only requires a one-time setup into the Stamus Security Platform. Once integrated, it will continue to update itself with new incoming data. Exported data (IoC’s) is a standard format - one string per line. This is exactly what a dataset is.
We can add the feed as a dataset via the sources page. We can later set it to update and push the new entries on an interval of choice.
Now we need an appropriate signature to load the dataset collected from MISP so it will hit for any matches. We can add the rules file via the same page.
This Suricata signature will accomplish that:
#MISP rules
alert dns $HOME_NET any -> any any (msg:"Detected DNS query to very bad domains"; flow:established,to_server; dns.query; dataset:isset,dataset-domains,type string,load dataset-domains,memcap 150mb,hashsize 1000000; classtype:unknown; flowbits:set, stamus.misp.domain; target:src_ip; sid:123456; rev:1; metadata:stamus_misp_domain dns.query.rrname, stamus_misp_domain src_ip, stamus_classification dataset-domains, provider Stamus, created_at 2023_02_24, updated_at 2023_02_24;)
By doing this we can have one rule to match on over 1 million IoCs, rather than 1 million individual rules. It is important to note that a memcap value of about 150 megabytes would be sufficient to service 1-2 million strings dataset (depending on the average string length). This memcap value is used to limit the amount of memory that can be used by the rule. This is useful when you have rules that are resource-intensive and may consume too much memory when resource control is needed on a specific setup.
Stamus Security Platform (SSP) can now fully take advantage of MISP. When we have a hit on a domain in the list, we should see something like this:
Improved threat intelligence with MISP and Stamus Security Platform
In conclusion, using MISP with the Stamus Security Platform can provide a robust, vendor agnostic and comprehensive approach to threat intelligence and security management. MISP allows for the sharing, storing and analyzing of threat intelligence, while SSP provides real-time network security monitoring and intrusion detection capabilities. Together, they can provide organizations the ability to proactively identify and respond to potential security threats.
By integrating MISP and SSP, organizations can leverage the strengths of both platforms to improve their overall security stance. Additionally, it's worth mentioning that MISP is free to use, giving organizations with limited budgets the opportunity to access advanced cyber threat intelligence and security management capabilities.
