Securiment Blogs

Deploy Malware Information Sharing Platform (MISP)

Introduction

MISP stands for Malware Information Sharing Platform, an open-source threat intelligence sharing platform designed to help organizations share cyber threat information and improve their overall cyber security posture. It allows organizations to securely share sensitive data about security incidents, threats, and vulnerabilities with other trusted parties.

At its core, MISP is a collaborative system that facilitates the sharing of intelligence on threat indicators, including malware, indicators of compromise (IOCs), and other relevant meta-data. It provides a centralized repository for storing threat intelligence data, enabling organizations to collaborate in real time and quickly respond to emerging threats.

MISP is designed to be flexible enough to accommodate various workflows and can be customized to fit the specific needs of different organizations, including security operations centres (SOCs), threat intelligence teams, and incident response teams. It can also integrate with various third-party security tools used by organizations to provide a holistic view of their security posture.

Some benefits include

The benefits of using MISP for threat intelligence sharing and SOC operations include:

• Collaborative Threat Intelligence: MISP enables organizations to share threat intelligence and collaborate on identifying, analyzing, and mitigating threats. By pooling their resources and intelligence, organizations can better defend against cyber-attacks.

• Increased Visibility: MISP provides visibility into the latest threats and attack trends and helps security teams quickly identify new threats and vulnerabilities. MISP supports sharing indicators of compromise (IoCs), malware samples, and network traffic captures, which helps security teams detect and prevent cyber-attacks.

• Streamlined Intelligence Sharing: MISP automates the process of sharing threat intelligence across organizations, making it easy for security teams to respond to new threats. Organizations can use MISP's synchronization features to stay updated on the latest threat intelligence.

• Improved Incident Response: By using MISP, security teams can quickly identify the nature and scope of an attack, which improves the accuracy and speed of incident response. MISP provides actionable threat intelligence that can be used to disrupt malware campaigns and prevent data theft.

• Cost-Effective: MISP is open-source and freely available, meaning there are no licensing fees or substantial upfront costs associated with using the platform. This makes it a cost-effective solution for organizations looking to improve their threat intelligence-sharing capabilities.

Deployment

There are several methods to deploy MISP. However, we are using a dockerized version of the build that is easy to set up and run.

Install Docker and Docker Compose

Supported Platforms

• Update the apt package index and install packages to allow apt to use a repository over HTTPS:

sudo apt-get update

sudo apt-get install \

ca-certificates \

curl \

gnupg \

lsb-release

• Add Docker’s official GPG key:

sudo mkdir -p /etc/apt/keyrings

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo --dearmor -o /etc/apt/keyrings/docker.gpg

• Use the following command to set up the repository:

echo \

"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \

$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.ddocker.list > /dev/null

sudo apt-get update

sudo apt-get install docker-ce-cli containerd.io docker-compose-plugin

sudo docker run hello-world

Build Your MISP Image

• Fetch the MISP-Docker repo:

$ git clone https://github.com/MISP/misp-docker

$ cd misp-docker

• Set config:

cp template.env .env

nano .env

MYSQL_HOST=misp_db

MYSQL_DATABASE=misp

MYSQL_USER=misp

MYSQL_PASSWORD=misp

MYSQL_ROOT_PASSWORD=misp

MISP_ADMIN_EMAIL=admin@admin.test

MISP_ADMIN_PASSPHRASE=admin

MISP_BASEURL=https://localhost //change it to something humanfriendly name like misp.securiment.com (don't forget to update hosts file in your system')

POSTFIX_RELAY_HOST=relay.fqdn

TIMEZONE=Europe/Brussels

DATA_DIR=./data

• Build the containers

docker-compose build

or

docker compose build

• Run containers

docker-compose up -d

or

docker compose up -d

Add feeds

Feeds are what MISP uses to download threat reports, IoCs, etc. These feeds contain all of the data that MISP stores. By default, MISP does not come configured with enabled. We must import and enable feeds to use.

https://github.com/MISP/MISP/blob/2.4/app/files/feed-metadata/defaults.json

• Enable your Feeds

• Fetch Feed Data

• Explore Events

Set Cronjob to download new feeds daily:

In your linux machine type:

crontab -e

Add below lines in the end:

# Sync MISP feed daily

0 1 * * * /usr/bin/curl -XPOST --insecure --header "Authorization: **YOUR_API_KEY**" --header "Accept: application/json" --header "Content-Type: application/" https://**YOUR_MISP_ADDRESS**/feeds/fetchFromAllFeeds

Get API key in MISP UI

• Go to my profile

• Click auth key > Add auth key

• Submit and copy the API key.

It’s not necessary to restart cron after making changes but even then sometimes restart is required so use this command to restart service:

sudo service cronreload

Once everything is done you will see feeds populating in the events list.

Conclusion

Deploying MISP (Malware Information Sharing Platform) using a dockerized version offers several advantages for organizations seeking to enhance their threat intelligence sharing and SOC operations. By leveraging MISP's collaborative and customizable features, organizations can effectively share threat intelligence, collaborate on analyzing and mitigating threats, and improve their overall cybersecurity posture.