Sharing threat information with MISP
Shared Protection
Cunning attackers often collaborate with others and share information about vulnerabilities. Companies, on the other hand, face hackers as lone warriors and all too often rely on traditional security technologies. But companies can also share IT security knowledge. One platform for sharing security information is the Malware Information Sharing Platform (MISP).
One important aspect of IT security is speed. The goal is to stay no more than one step behind the targeted attacker. Signatures for virus scanners, for instance, are delivered retroactively – after the malware appears. Users in other companies can benefit from the misfortune of the individual who was first hit by the malware when they receive the latest virus signatures from the antivirus product vendors.
The principle of sharing can extend to almost all threats to the IT infrastructure. The damage one individual suffers can help to protect other participants on a network if documentation is provided promptly and necessary information is exchanged regularly. This article shows how to set up an instance of the Threat Intelligence Sharing Platform MISP [1] and connect it to MISP instances run by administrators in other companies.
MISP is a work environment developed in Europe for the exchange of threat information. One interesting feature of MISP is the possibility of distributed use. You can run your own instance in your company and provide information for internal use so that your colleagues will be able to compare the information you report with their own reports of similar incidents.
You can also opt to share the information with external exchange partners. Your exchange partners can then share their own experiences with you in return. To be on the safe side, you can later set up a second instance and register the exchange partners as users. You then share with this additional internal instance only the reports that you can