Threat Intelligence
This page and its child pages cover all aspects of the Threat Intelligence module.
Malware Information Sharing Platform (MISP) is an open-source software solution used to collect, store, distribute, and share cyber security indicators and threat information produced by incident analysis and malware analysis.
The objective of MISP is to promote the sharing of structured information within the security community and beyond. MISP provides functionality to support not only the exchange of information but also its consumption by Network Intrusion Detection Systems (NIDS) and log analysis tools such as Security Information and Event Management (SIEM) systems.
MISP is accessible through different interfaces: a web interface (for analysts or incident handlers) and a REST API (for systems pushing and pulling IOCs). The inherent goal of MISP is to be a robust platform that supports the whole lifecycle of threat information: revealing it, maturing it, and exploiting it operationally.
There are many different types of users of an information sharing platform like MISP:
Malware reversers who want to share indicators from their analysis with colleagues
Security analysts searching, validating, and using indicators in operational security
Intelligence analysts gathering information about specific adversary groups
Law-enforcement relying on indicators to support or bootstrap their DFIR cases
Risk analysis teams who want to know about new threats, their likelihood, and their occurrence
Fraud analysts who want to share financial indicators to detect financial fraud
The objectives of MISP, the open-source threat intelligence and sharing platform, are to:
Facilitate the storage of technical and non-technical information about seen malware and attacks
Create automatic relations between malware and their attributes
Store data in a structured format (allowing automated use of the database to feed detection systems or forensic tools)
Generate rules for Network Intrusion Detection Systems (NIDS) that can be imported into IDS deployments (e.g. from IP addresses, domain names, hashes of malicious files, or patterns in memory)
Share malware and threat attributes with other parties and trust-groups
Improve malware detection and reversing by promoting information exchange among organizations (e.g. avoiding duplicate work)
Create a platform of trust - trusted information from trusted partners
Store all information from other instances locally (so that lookups are answered on your own instance and the queries themselves stay confidential)
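The two objectives above about structured storage and NIDS rule generation are easiest to see with a concrete event. The following is an added example for this page, not MISP's own NIDS exporter: it takes an event in the JSON shape that MISP's REST API returns (`GET /events/view/<id>` with an `Authorization: <API key>` header and `Accept: application/json`) and renders the detectable attributes as Suricata rules plus a hash list. The event itself is constructed (a TEST-NET address, a `.invalid` domain, the SHA-256 of an empty file), the `SID_BASE` range is a hypothetical local choice, and the rule templates are a simplified version of the kind of output MISP produces, not a copy of it. Two checks a practitioner wants are built in: only attributes flagged `to_ids` become rules (the rest is analyst context), and a shared value containing rule-syntax characters is refused rather than templated into a rule, since indicators from a sharing partner are data, not trusted syntax.

```python
"""Turn a MISP event into Suricata rules and a file-hash list.

Added example, not MISP's own exporter. The sample event is constructed
(TEST-NET address, .invalid domain, SHA-256 of an empty file) in the JSON
shape MISP's REST API and "JSON" export use.
"""
import json

SID_BASE = 3000000  # hypothetical local SID range for rules generated here

# Constructed sample event. Only to_ids attributes are meant for detection;
# the others are context an analyst wants but an IDS must not act on.
SAMPLE_EVENT = {
    "Event": {
        "id": "42",
        "uuid": "0b8a2e7a-0c39-4f7b-9b2e-0c0d8a3a4e42",
        "info": "Constructed example: loader campaign",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.17", "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "update.example.invalid", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery",
             "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
             "to_ids": True},
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.1", "to_ids": False,
             "comment": "shared CDN edge, too noisy for an IDS"},
            {"type": "text", "category": "Other",
             "value": "analyst note, not an indicator", "to_ids": False},
        ],
    }
}
SAMPLE_EVENT_JSON = json.dumps(SAMPLE_EVENT)

# Characters that would let a value break out of the quoted msg/content option.
UNSAFE = set('";\\\r\n')


def is_safe_value(value):
    """A shared indicator is third-party data, not trusted rule syntax."""
    return not (UNSAFE & set(value))


def ids_attributes(event):
    """Attributes an IDS should act on: MISP's to_ids flag separates
    detectable indicators from surrounding context."""
    return [a for a in event["Event"]["Attribute"] if a.get("to_ids")]


def event_to_suricata(event):
    """Return (rules, hashes, skipped). Hashes are collected for a list file
    (Suricata matches file hashes via filemd5/filesha256 lists, not inline);
    skipped holds values refused because they contain rule syntax."""
    eid = event["Event"]["id"]
    rules, hashes, skipped = [], [], []
    for attr in ids_attributes(event):
        value, typ = attr["value"], attr["type"]
        if not is_safe_value(value):
            skipped.append(value)
            continue
        msg = f'MISP e{eid} {attr["category"]}: {value}'
        sid = SID_BASE + len(rules) + 1  # consecutive SIDs, one per emitted rule
        if typ == "ip-dst":
            rules.append(f'alert ip $HOME_NET any -> {value} any (msg:"{msg}"; '
                         f'classtype:trojan-activity; sid:{sid}; rev:1;)')
        elif typ in ("domain", "hostname"):
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                         f'content:"{value}"; nocase; classtype:trojan-activity; '
                         f'sid:{sid}; rev:1;)')
        elif typ in ("md5", "sha1", "sha256"):
            hashes.append(value)
        # other to_ids types (url, email-src, ...) would need their own templates
    return rules, hashes, skipped


def json_to_suricata(event_json):
    """Same conversion, starting from the raw JSON body the REST API returns."""
    return event_to_suricata(json.loads(event_json))


if __name__ == "__main__":
    rules, hashes, skipped = json_to_suricata(SAMPLE_EVENT_JSON)
    print("\n".join(rules))
    print("# hash list entries:", *hashes)
    print("# refused values:", skipped)
```

On the constructed event this yields two rules (the `to_ids` IP and domain) and one SHA-256 for a hash list; the noisy CDN address and the analyst note produce nothing, which is the behaviour the `to_ids` flag exists for. Because the SID is derived from the position in the output, regenerating the rules after the event changes can renumber them; a production exporter would persist a value-to-SID mapping instead.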