
Using Threat Intelligence data to generate MISP alerts


There are various Threat Intelligence sources that share threat information with each other to help organisations identify those threats in their own environment and respond to them. Some of these Threat Intelligence platforms are:

In MISP, most of these threat intelligence sharing platforms are integrated so that security events and alerts are created automatically. Some of them, however, require the manual effort of reviewing threat articles for actionable IOCs (IPs, domains, filenames, hashes) and creating the Security Event and alerts by hand.

Here we will look at one of the threat sharing organisations, identify IOCs in its postings and then manually create a Security Event in MISP.

“The Cyber Security Information Sharing Partnership (CISP) is a joint industry and government digital service to allow UK organisations to share cyber threat information in a secure and confidential environment.”

CiSP is one of the threat information sharing platforms that a Blue team can use to create security events and alerts.

Log in to your CiSP account and review the articles in the ‘News’ section, especially those posted by NCSC, looking for any actionable IOCs. These can then be fed into a cyber threat platform that collects and stores cyber incidents and threats. One well-known platform that supports this is the MISP software solution.
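The manual review step above (reading an article for the IP, domain, filename and hash IOCs the article lists) can be partly mechanised. The following is an added example and not code from this article, from CiSP or from MISP: it undoes the defanging commonly used in threat write-ups (hxxp, [.]), pulls candidate indicators out of a constructed sample article, and labels each one with the MISP attribute type and category it would be imported as. The sample text and every indicator in it are made up (the IP is from a documentation range and .test is a reserved TLD); the regexes are deliberately broad, so each hit is still confirmed by the analyst before it goes into an event.

```python
import re
from typing import Dict, List

# Constructed sample text standing in for a threat article reviewed on CiSP.
# Every indicator in it is made up: 203.0.113.0/24 is a documentation range and
# .test is a reserved TLD, so nothing here points at a real host.
SAMPLE_ARTICLE = """
Observed C2 traffic to 203.0.113.45 and hxxp://malicious-example[.]test/update.
The dropper is written to disk as update_helper.exe
(MD5 0123456789abcdef0123456789abcdef, SHA256
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef).
"""

# (MISP attribute type, regex, MISP category). The \b anchors stop a SHA256
# from also being reported as an MD5 or SHA1 substring.
PATTERNS = [
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I), "Payload delivery"),
    ("sha1", re.compile(r"\b[a-f0-9]{40}\b", re.I), "Payload delivery"),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.I), "Payload delivery"),
    ("ip-dst", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "Network activity"),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I), "Network activity"),
    ("filename", re.compile(r"\b[\w-]+\.(?:exe|dll|docx?|xlsx?|pdf|js|vbs|ps1|zip)\b", re.I),
     "Payload delivery"),
]

# Common defanging conventions and their on-the-wire form.
DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")]


def refang(text: str) -> str:
    """Undo defanging so indicators match the way they appear in real traffic."""
    for defanged, real in DEFANG:
        text = text.replace(defanged, real)
    return text


def extract_iocs(article: str) -> List[Dict]:
    """Return de-duplicated MISP-style attributes found in the article text.

    Each hit gets to_ids=True because the point of loading it into MISP is to
    alert on it; the analyst unticks IDS on anything that is merely contextual.
    """
    text = refang(article)
    found: Dict[tuple, Dict] = {}
    for attr_type, pattern, category in PATTERNS:
        for value in pattern.findall(text):
            key = (attr_type, value.lower())
            found.setdefault(key, {
                "type": attr_type,
                "category": category,
                "value": value,
                "to_ids": True,
                "comment": "extracted from CiSP article; verify before publishing",
            })
    return list(found.values())


if __name__ == "__main__":
    for attr in extract_iocs(SAMPLE_ARTICLE):
        print(f"{attr['type']:9} {attr['category']:17} {attr['value']}")
```

The output of `extract_iocs` is shaped like the attribute list MISP's ‘populate from…’ importers and its REST API accept (type, category, value, to_ids), so it can be pasted into the event directly; the `comment` field keeps a reminder that the value came from an article and was not observed locally.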

CiSP uses TLP (the Traffic Light Protocol) to classify each posting made by the community.

“The MISP is an open source software solution for collecting, storing, distributing, and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis.”

Once an actionable IOC is identified on CiSP, you can now:

  • Log in to your MISP account and create a new security event by selecting ‘Add event’. Here I’ve created an example Event.

Distribution:

Your organisation only – only members of your organisation on this server can see it.

This community only – only organisations that are part of this MISP community can see it.

Connected communities – organisations that are either part of this MISP community or part of a directly connected community can see it.

All communities – The event will be shared with all MISP communities.

The threat levels are:

High – sophisticated APT malware or zero day risk

Medium – APT Malware

Low – mass malware

Undefined – no risk

Analysis:

Initial – An event has just been created and is in an initial state

Ongoing – The analysis is still ongoing

Complete – An event creator considers the analysis complete

View Event

This is how the event profile page looks in MISP once the event is created.

Add actionable IOC to the Event

Next, to add the IOCs to the event, select ‘populate from…’ and choose from the list the format you want to import.

Add Tags to the Event to trigger Alerts

Once all the relevant IOCs are added to the event, add the ‘Alertable’ tag to it. This tag triggers an alert every time one of those IOCs is seen in the network traffic logs; without it, the event will not trigger an alert. You can also add other relevant tags if you like.

Use TLP tags where appropriate.

Ensure IDS check is applied

Within the event profile page, ensure that the IDS box is ticked. If it is not, simply click on the box to toggle IDS on.

Publish the Event!

Hit ‘Publish Event’ > Yes

The Security Event creation is now complete!
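The steps above (choose distribution, threat level and analysis state, add attributes with IDS ticked, tag the event, publish) map onto fields of the MISP event JSON, and it is easy to publish an event that silently never alerts because the tag or the IDS flag was forgotten. The following added example is not code from this article or from the MISP project: it builds the event body in the shape MISP's REST API takes on POST /events/add, using MISP's numeric encodings for the three fields, and runs a pre-publish check that refuses to mark the event published while the alert tag, a TLP tag or any IDS flag is missing. The tag name `alertable` is an assumption standing in for the article's ‘Alertable’ tag, whose exact spelling is instance-specific, and the sample attributes are constructed.

```python
import json
from typing import Dict, List

# MISP's numeric encodings for the three event fields the article walks through
# (distribution and analysis are 0-based, threat level is 1-based).
DISTRIBUTION = {
    "Your organisation only": 0,
    "This community only": 1,
    "Connected communities": 2,
    "All communities": 3,
}
THREAT_LEVEL = {"High": 1, "Medium": 2, "Low": 3, "Undefined": 4}
ANALYSIS = {"Initial": 0, "Ongoing": 1, "Complete": 2}

# Assumed tag name standing in for the article's 'Alertable' tag; the exact
# spelling depends on the MISP instance.
ALERT_TAG = "alertable"


def build_event(info: str, distribution: str, threat_level: str, analysis: str,
                attributes: List[Dict], tags: List[str]) -> Dict:
    """Assemble the JSON body MISP's REST API expects for POST /events/add."""
    return {
        "Event": {
            "info": info,
            "distribution": DISTRIBUTION[distribution],
            "threat_level_id": THREAT_LEVEL[threat_level],
            "analysis": ANALYSIS[analysis],
            "published": False,  # publishing is a separate, deliberate step
            "Attribute": [
                {
                    "type": a["type"],
                    "category": a["category"],
                    "value": a["value"],
                    # to_ids is the 'IDS' checkbox: only flagged attributes are
                    # exported to detection tooling.
                    "to_ids": bool(a.get("to_ids", True)),
                }
                for a in attributes
            ],
            "Tag": [{"name": t} for t in tags],
        }
    }


def publish_problems(event: Dict) -> List[str]:
    """Return the reasons this event would not produce alerts if published now."""
    ev = event["Event"]
    problems = []
    tag_names = {t["name"] for t in ev.get("Tag", [])}
    if ALERT_TAG not in tag_names:
        problems.append(f"missing '{ALERT_TAG}' tag: event will not trigger alerts")
    if not any(n.startswith("tlp:") for n in tag_names):
        problems.append("no TLP tag: the CiSP posting's sharing restriction is not carried over")
    attrs = ev.get("Attribute", [])
    if not attrs:
        problems.append("event has no attributes")
    for a in attrs:
        if not a["to_ids"]:
            problems.append(f"IDS flag not set on {a['type']} {a['value']}")
    return problems


def ready_to_publish(event: Dict) -> bool:
    return not publish_problems(event)


def publish(event: Dict) -> Dict:
    """Local equivalent of 'Publish Event' > Yes; refuses while checks fail."""
    problems = publish_problems(event)
    if problems:
        raise ValueError("; ".join(problems))
    event["Event"]["published"] = True
    return event


# Constructed attributes standing in for IOCs taken from a CiSP posting.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "category": "Network activity", "value": "203.0.113.45", "to_ids": True},
    {"type": "domain", "category": "Network activity", "value": "malicious-example.test", "to_ids": True},
    {"type": "sha256", "category": "Payload delivery",
     "value": "0123456789abcdef" * 4, "to_ids": False},  # IDS box left unticked
]

if __name__ == "__main__":
    draft = build_event("Example: IOCs from a CiSP/NCSC posting", "This community only",
                        "Medium", "Complete", SAMPLE_ATTRIBUTES, ["tlp:amber"])
    print("\n".join(publish_problems(draft)))  # reports the missing tag and IDS flag
    draft["Event"]["Tag"].append({"name": ALERT_TAG})
    draft["Event"]["Attribute"][2]["to_ids"] = True
    print(json.dumps(publish(draft), indent=2))  # body to POST to /events/add
```

Against a live instance the JSON would be sent with the API key in the Authorization header and `Accept`/`Content-Type` set to `application/json`; MISP then assigns the event id, and the real publish is a separate POST to /events/publish/{id}. Running the check before that call is the scripted version of looking at the event profile page for the tag and the ticked IDS box.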

Thank you for reading my article.
