Sharing threat information with MISP
Shared Protection
Cunning attackers often collaborate with others and share information about vulnerabilities. Companies, on the other hand, face hackers as lone warriors and all too often rely on traditional security technologies. But companies can also share IT security knowledge. One platform for sharing security information is the Malware Information Sharing Platform (MISP).
One important aspect of IT security is speed. The goal is to stay no more than one step behind the targeted attacker. Signatures for virus scanners, for instance, are delivered retroactively – after the malware appears. Users in other companies can benefit from the misfortune of the individual who was first hit by the malware when they receive the latest virus signatures from the antivirus product vendors.
The principle of sharing can extend to almost all threats to the IT infrastructure. The damage one individual suffers can help to protect other participants on a network if documentation is provided promptly and necessary information is exchanged regularly. This article shows how to set up an instance of the Threat Intelligence Sharing Platform MISP [1] and connect it to MISP instances run by administrators in other companies.
MISP is a work environment developed in Europe for the exchange of threat information. One interesting feature of MISP is the possibility of distributed use. You can run your own instance in your company and provide information for internal use so that your colleagues will be able to compare the information you report with their own reports of similar incidents.
You can also opt to share the information with external exchange partners. Your exchange partners can then share their own experiences with you in return. To be on the safe side, you can later set up a second instance and register the exchange partners as users. You then share with this additional internal instance only the reports that you can pass on without disclosing trade secrets.
What you document with MISP is pointers to attacks or the existence of malware on your network or on individual computers. The technical term for these pointers is Indicators of Compromise (IOCs). Different data formats for IOCs are supported. You simply enter the latest information in the web interface to create an entry. Everything else is done by the system itself, including converting the information into the appropriate data formats used for storage and distribution.
Some of the threat information you receive from your partners can be directly integrated into your own protections. MISP is suitable for sharing concrete recommendations for action. You can also share a signature for the packet filter or firewall or the name of a domain that you will want to block on your network. With a little effort, you can protect all the computers on your entire network in good time if someone shares the information you need.
Setting up MISP
The MISP developers provide prebuilt virtual machines (VMs) for VMware and VirtualBox [1]. These VM images are suitable for initial trials and also for production use later on. The current version did not work correctly in our tests with VirtualBox. We therefore switched to the alternative installation using Vagrant, which also creates a VirtualBox VM and prepares it using a Vagrantfile. To install MISP, you need VirtualBox, Vagrant, and Git on your system. Run the following commands:
$ git clone https://github.com/MISP/MISP.git
$ cd MISP/
$ git submodule update --init misp-vagrant
$ cd misp-vagrant/
Before you start Vagrant, change the Ubuntu version in the Vagrantfile to the current LTS version with the following command:
$ sed -i s/zesty/xenial/g Vagrantfile
$ vagrant up
Now Vagrant configures the VM and installs the current MISP version with all dependencies. After the run completes, you will see the login credentials at the end of the Vagrant output (Figure 1).
Using MISP
Now use the login data to log into the web interface on http://127.0.0.1:5000. You will see the overview of your local MISP server and can proceed to complete the configuration. If you click on Server Settings & Maintenance below Administration, you will be shown some critical errors. You can address these errors at a later point in time. First launch some processes and then install some software packages in the VM. Click on the Worker tab in the Server Settings & Maintenance overview. Then start all Worker types on the page. Use Vagrant to connect to the VM and install missing Python packages using the following commands:
$ vagrant ssh
$ sudo apt-get install libfuzzy-dev
$ sudo pip install pymisp git+https://github.com/kbandla/pydeep.git
You can then use MISP for testing. Click on Event Actions | Add Event to create a first data record (Figure 2). You can select the Distribution of the shared event directly. This means that you only share what you really want to pass on to other people or companies. Select another title and click on the Add button. You are now taken to the Event page, where you can upload files and enter more details to describe the incident in as many ways as possible.
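The following added example (not code from the article or from the MISP project) reads an event in the layout of a MISP JSON export, lists the attributes that would be visible outside your organization under the chosen Distribution, and extracts the domains flagged for blocking. The sample event is constructed, and the rule that an attribute is never shared more widely than its event is a simplified model assumed here.

```python
import json

# Constructed sample in the layout of a MISP event JSON export (values are made up).
SAMPLE_EVENT = json.loads("""
{"Event": {"info": "Phishing wave (constructed sample)", "distribution": "1",
 "Attribute": [
  {"type": "domain", "value": "bad.example", "to_ids": true, "distribution": "5"},
  {"type": "domain", "value": "intranet.corp.example", "to_ids": false, "distribution": "0"},
  {"type": "ip-dst", "value": "192.0.2.10", "to_ids": true, "distribution": "3"},
  {"type": "text", "value": "internal ticket 1234", "to_ids": false, "distribution": "0"}
]}}
""")

ORG_ONLY, SHARING_GROUP, INHERIT = 0, 4, 5  # MISP distribution levels


def effective_level(event_level, attr_level):
    """Simplified model (assumption): an attribute is never shared more widely than its event."""
    if attr_level == INHERIT:
        return event_level
    if ORG_ONLY in (event_level, attr_level):
        return ORG_ONLY
    if SHARING_GROUP in (event_level, attr_level):
        return SHARING_GROUP  # depends on group membership: review by hand
    return min(event_level, attr_level)


def leaving_organisation(event):
    """Attributes that would be visible outside the local organisation."""
    ev = event["Event"]
    out = []
    for attr in ev.get("Attribute", []):
        level = effective_level(int(ev["distribution"]), int(attr["distribution"]))
        if level != ORG_ONLY:
            out.append((attr["type"], attr["value"], level))
    return out


def blocklist_domains(event):
    """Domains and hostnames flagged to_ids, i.e. meant for automated blocking/detection."""
    return sorted({a["value"].lower() for a in event["Event"].get("Attribute", [])
                   if a["type"] in ("domain", "hostname") and a.get("to_ids")})


if __name__ == "__main__":
    for row in leaving_organisation(SAMPLE_EVENT):
        print("shared:", row)
    print("block:", blocklist_domains(SAMPLE_EVENT))
```

Running the review function before you raise an event's Distribution shows which attributes would leave the organization, so internal notes can be set to "Your organisation only" first.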
Production Operation
If you now want to use the MISP server in production, set up port forwarding on your host system or configure a web server as a proxy. Additionally, you have to go through the configuration in the VM again and adapt it to your needs. You will find the application configuration below /var/www/MISP/app/Config. In the web interface, you can create additional users and also add organizations.
If you have the authentication key of another user, you can connect further instances to your running instance. To do this, connect a user to a newly created organization, set up another MISP instance, and connect it via the Sync Actions | List Servers | New Server menu item. Now select the instance type, which influences the range of the shared content.