There are various threat intelligence sources that share threat information with each other, helping organisations identify threats and respond to them. Some of these threat intelligence platforms are:
In MISP, most of these threat intelligence sharing platforms are integrated so that security events and alerts are created automatically. Some, however, require the manual effort of reviewing threat articles for actionable IOCs (IPs, domains, filenames, hashes) and then creating the security event and alerts by hand.
Here we will look at one of the threat sharing organisations, identify IOCs there, and then manually create a security event in MISP.
“The Cyber Security Information Sharing Partnership (CISP) is a joint industry and government digital service to allow UK organisations to share cyber threat information in a secure and confidential environment.”
CiSP is one of the threat information sharing platforms that a Blue team can use to create security events and alerts.
Log in to your CiSP account and view the articles in the ‘News’ section, especially those posted by NCSC, and look for any actionable IOCs. These can then be fed to a cyber threat platform that collects and stores cyber incidents and threats. One well-known platform that supports this is the MISP software solution.
CiSP uses the Traffic Light Protocol (TLP) to classify each posting by the community.
“The MISP is an open source software solution for collecting, storing, distributing, and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis.”
Once an actionable IOC is identified on CiSP, you can now:
Distribution:
Your organisation only – only members of your organisation on this server can see it.
This community only – only organisations that are part of this MISP community can see it.
Connected communities – organisations that are either part of this MISP community or part of a directly connected community can see it.
All communities – The event will be shared with all MISP communities.
The threat levels are:
High – sophisticated APT malware or zero-day risk
Medium – APT Malware
Low – mass malware
Undefined – no risk
Analysis:
Initial – An event has just been created and is in an initial state
Ongoing – The analysis is still ongoing
Complete – An event creator considers the analysis complete
This is what the event profile page looks like in MISP once it is created.
Next, to add the IOCs to the event, select ‘populate from…’ and choose the desired format from the list that you want to import.
Once all the relevant IOCs are added to the event, add the ‘Alertable’ tag to that event. This triggers an alert every time those IOCs are seen in the network traffic logs. Without this tag, the event will not trigger an alert. You can also add other relevant tags if you like.
Use TLP tags where appropriate.
Within the event profile page, ensure that the IDS box is ticked. If not, then simply click on the box to toggle on the IDS.
Hit ‘Publish Event’ > Yes
The Security Event creation is now complete!
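The manual steps above can be sketched in code. The following is an added example, not part of the original article or of MISP itself: it refangs a constructed article snippet, sorts the indicators into MISP attribute types, and builds a MISP-format event with the distribution, threat level, analysis state, tags and IDS flag set. The function names, the filename extension list and the sample text are assumptions made for illustration.

```python
import ipaddress
import re

# Numeric codes MISP stores for the drop-down labels listed above.
DISTRIBUTION = {"Your organisation only": 0, "This community only": 1,
                "Connected communities": 2, "All communities": 3}
THREAT_LEVEL = {"High": 1, "Medium": 2, "Low": 3, "Undefined": 4}
ANALYSIS = {"Initial": 0, "Ongoing": 1, "Complete": 2}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Constructed sample text; the indicators are placeholders, not real IOCs.
SAMPLE = ("Beacons to 203.0.113[.]45 and hxxp://cdn.badsite[.]example/load, "
          "dropping invoice_2024.exe (SHA256 " + "ab" * 32 + ").")

def refang(text):
    """Undo common defanging (hxxp, [.], (.)) so indicators can be parsed."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)

def classify(token):
    """Return (value, MISP attribute type, category) or None for one token."""
    token = token.strip(".,;()'\"")
    token = re.sub(r"^https?://([^/:]+).*", r"\1", token)  # URL -> host only
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HASH_TYPES:
        return token.lower(), HASH_TYPES[len(token)], "Payload delivery"
    try:
        return str(ipaddress.ip_address(token)), "ip-dst", "Network activity"
    except ValueError:
        pass
    if re.fullmatch(r"[\w\-]+\.(exe|dll|docm|js|ps1|zip)", token, re.I):
        return token, "filename", "Payload delivery"
    if re.fullmatch(r"([a-z0-9\-]+\.)+[a-z]{2,}", token, re.I):
        return token.lower(), "domain", "Network activity"
    return None

def build_event(info, article, distribution, threat_level, analysis, tags):
    """Build a MISP-format event with each unique IOC flagged for IDS."""
    seen, attributes = set(), []
    for token in refang(article).split():
        hit = classify(token)
        if hit and hit[0] not in seen:
            seen.add(hit[0])
            attributes.append({"value": hit[0], "type": hit[1],
                               "category": hit[2], "to_ids": True})
    return {"Event": {"info": info,
                      "distribution": str(DISTRIBUTION[distribution]),
                      "threat_level_id": str(THREAT_LEVEL[threat_level]),
                      "analysis": str(ANALYSIS[analysis]),
                      "Attribute": attributes,
                      "Tag": [{"name": name} for name in tags]}}
```

Calling `build_event("CiSP article", SAMPLE, "Your organisation only", "Medium", "Initial", ["Alertable", "tlp:amber"])` returns a dictionary that can be reviewed before anything is published.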
Thank you for reading my article.