Virtual MISP Summit 0x06
MISP - What happened the past year, and what's next?
Cerebrate is an open-source platform meant to act as a trusted contact information provider and interconnection orchestrator for other security tools (such as MISP).
WHIDS is an open-source EDR under active development. Some integrations between this tool and MISP were already done in the past. However, some new ones have not yet been introduced to the community. This talk will make a status update on all the integrations between WHIDS and MISP, with a special focus on the latest ones.
MISP is a leading open-source threat intelligence platform (TIP) leveraged by organizations of all sizes to store, share, and enrich threat Indicators of Compromise (IoCs). Over time, many third-party MISP modules have been developed to greatly extend MISP’s capabilities, for example by providing new facilities to import and export data, or to enrich existing indicators.
Recently, VMware Threat Analysis Unit (TAU) developed a new expansion module, called “VMware_NSX”, to improve the synergy between MISP and NSX Advanced Threat Analyzer (ATA) by allowing enrichment of threat indicators with detonation reports produced by the NSX ATA sandbox; whenever a detonation report is not available, “VMware_NSX” transparently retrieves the sample from VirusTotal and submits it to NSX ATA for detonation. The “VMware_NSX” module has been accepted and added to the official MISP modules distribution (https://github.com/MISP/misp-modules), making this contribution a clear benefit to all VMware NSX customers planning to better integrate with MISP.
In this talk, we introduce the “VMware_NSX” module, and discuss the associated threat IoC enrichment workflow. We then provide two enrichment examples to demonstrate the module’s core features and flexibility.
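As an added illustration, not code from the VMware_NSX module or from the misp-modules project, the sketch below shows the shape of a misp-modules expansion module that implements such a report-or-detonate workflow: return the existing sandbox report when there is one, otherwise fetch the sample and submit it for detonation. The report store and sample store are constructed in-memory dictionaries standing in for the NSX ATA and VirusTotal calls, and the hash values are constructed.

```python
"""Report-or-detonate enrichment sketch in the shape of a misp-modules
expansion module (added example; not the VMware_NSX module's code)."""
import hashlib
import json

misperrors = {'error': 'Error'}
mispattributes = {'input': ['sha256'], 'output': ['text', 'comment']}
moduleinfo = {'version': '0.1', 'author': 'example',
              'description': 'Report-or-detonate enrichment sketch',
              'module-type': ['expansion']}
moduleconfig = ['api_key']

# Constructed stand-ins for the two backends. A real module would query the
# sandbox for an existing report and fall back to fetching the sample from
# VirusTotal before submitting it for detonation.
SANDBOX_REPORTS = {
    'a' * 64: {'verdict': 'malicious', 'score': 90, 'families': ['ExampleFamily']},
}
SAMPLE_STORE = {
    'b' * 64: b'MZ\x90\x00constructed sample bytes',
}


def lookup_report(sha256):
    """Return an existing detonation report, or None if the sandbox has none."""
    return SANDBOX_REPORTS.get(sha256)


def fetch_sample(sha256):
    """Return the sample bytes from the sample store, or None if unavailable."""
    return SAMPLE_STORE.get(sha256)


def submit_for_detonation(sample):
    """Submit a sample and return a task identifier (derived from the bytes here)."""
    return 'task-' + hashlib.sha256(sample).hexdigest()[:12]


def enrich(sha256):
    """Core workflow: use a report if one exists, otherwise fetch and detonate.

    Returns a list of misp-modules result attributes, or None when neither a
    report nor a sample is available."""
    report = lookup_report(sha256)
    if report is not None:
        return [
            {'types': ['text'],
             'values': [f"verdict={report['verdict']} score={report['score']}"],
             'comment': 'sandbox detonation report'},
            {'types': ['text'],
             'values': report['families'],
             'comment': 'malware families from detonation report'},
        ]
    sample = fetch_sample(sha256)
    if sample is None:
        return None
    task_id = submit_for_detonation(sample)
    return [{'types': ['comment'],
             'values': [f'no report yet; sample submitted for detonation as {task_id}']}]


def handler(q=False):
    """misp-modules entry point: q is the JSON request string sent by MISP."""
    if q is False:
        return False
    request = json.loads(q)
    sha256 = request.get('sha256')
    if not sha256:
        misperrors['error'] = 'A sha256 attribute is required.'
        return misperrors
    results = enrich(sha256.lower())
    if results is None:
        misperrors['error'] = 'No detonation report and no sample available.'
        return misperrors
    return {'results': results}


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
```

The three outcomes a practitioner should expect from such a module are all exercised by the constructed data: a known hash yields report-derived attributes, a hash with only a sample yields a comment carrying the submission task, and a hash with neither returns the module's error dictionary rather than an empty result.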
The NVISO Managed Detect & Respond service uses threat intelligence that is curated by our CTI team. This session highlights the reason for the curation, the curation procedure and the tools that are used.
We will present our experience in using MISP in a Law Enforcement Agency. We created a way to organize all cyber information produced by different branches (forensics, intelligence, investigation, malware, etc.) and constructed knowledge on top of that. We created a backend to automatically submit information, which is then available to all officers through the MISP web interface or a Maltego Connector.
Using this solution we already have some success cases, where we found correlations between different cases and organized malware investigations using galaxies.
We would like to present OpenCTI.BR, an open-source community effort by Brazilian professionals for the Brazilian cyber ecosystem. The heart of the OpenCTI.BR platform is the MISP software, integrated with other tools, exporting and importing threat information from partners and the community.
This talk intends to share the architecture and best practices for integrating MISP, SOAR and multiple SIEM instances and vendors for MDR "Auto IOC Detection" capabilities, Incident Handling Enrichment and Vulnerability Prioritization.
Python library to handle the conversion between MISP and STIX. https://github.com/MISP/misp-stix
Leveraging open-source threat intel automation helps cybersecurity teams to improve analysis, enrichment, and enhance overall capabilities without breaking the bank. RH-ISAC’s intelligence team is working hard so that you don’t have to! Come learn about our community MISP initiative, a recently launched, Python-based, threat intel automation tool, PyOTI, and how these tools will interact. Topics include RH-ISAC’s cloud-based MISP architecture and best practices for use, along with how PyOTI strengthens your experience using a custom tagging taxonomy that will enhance context and confidence of vetted indicators within MISP.
MISP being the standard for information sharing, it simply makes sense not to reinvent the wheel (one more time), and to make it possible to hook Lookyloo to an existing MISP instance. The integration goes both ways: you can look up indicators from the capture you made on Lookyloo and look at the matching MISP events, but also push a Lookyloo capture to a MISP instance to share it with your community.
We created an open-source tool called pcraft to help generate pcaps. Simulation is a well-known technique which can be used to defeat the adversary and train your teams.
In this brief presentation, we'll discuss how network defenders can consume threat intel from MISP and use it within Security Onion to alert on and hunt for IOCs, as well as track adversaries across a variety of data sources.
In this discussion we'll cover how MISP can be leveraged in conjunction with the open-source Velociraptor endpoint visibility platform for real-time alerting of indicator matches on endpoints, as well as ad-hoc lookups and enrichment of artifact result sets.
Digital forensics is a critical field in information security and especially incident response. Providing intelligence about a known set of files is crucial to avoid wasting effort while conducting digital investigations. hashlookup.circl.lu provides a public, best-effort service to look up known hashes and find out whether a hash has been seen in an existing software distribution. A hashlookup MISP module is available, providing smooth and simple integration for analysts using MISP.
Indicators decay over time, so why are we so satisfied with the current state of affairs? Let's begin to move up the pyramid of pain and use MISP to share so much more than that!
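To make the decay point concrete, here is an added example (not code from the talk) that scores indicators with the polynomial model described in MISP's decaying-indicators documentation, score = base_score * (1 - (t / tau)^(1 / delta)), where t is the number of days since the last sighting, tau is the indicator lifetime in days and delta the decay speed; an indicator whose score falls below the model threshold is treated as decayed. The model parameters, base scores and sighting timestamps below are constructed sample values.

```python
"""Indicator decay scoring (added example; not code from the talk)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DecayModel:
    """Parameters of the polynomial decay model (constructed sample values)."""
    tau: float = 30.0        # lifetime in days: the score reaches 0 at t = tau
    delta: float = 0.3       # decay speed: smaller values keep the score high longer
    threshold: float = 30.0  # scores below this are treated as decayed


def decayed_score(base_score, days_since_sighting, model):
    """score = base_score * (1 - (t / tau) ** (1 / delta)), clamped to 0 past tau."""
    if days_since_sighting < 0:
        raise ValueError('sighting is in the future')
    if days_since_sighting >= model.tau:
        return 0.0
    return base_score * (1.0 - (days_since_sighting / model.tau) ** (1.0 / model.delta))


def days_between(earlier, later):
    """Elapsed time in fractional days between two timezone-aware datetimes."""
    return (later - earlier).total_seconds() / 86400.0


def score_attribute(attribute, now, model):
    """Score an indicator from its most recent sighting.

    attribute is a dict with 'value', 'base_score' and a non-empty list of
    timezone-aware 'sightings'. Returns (score rounded to 2 decimals, decayed?)."""
    last_seen = max(attribute['sightings'])
    score = decayed_score(attribute['base_score'], days_between(last_seen, now), model)
    return round(score, 2), score < model.threshold


def still_actionable(attributes, now, model):
    """Values of indicators whose decayed score is still at or above the threshold."""
    return [a['value'] for a in attributes if not score_attribute(a, now, model)[1]]


# Constructed sample indicators (documentation-range addresses and a reserved name).
NOW = datetime(2022, 1, 31, tzinfo=timezone.utc)
SAMPLE_ATTRIBUTES = [
    {'value': '198.51.100.7', 'base_score': 100,
     'sightings': [datetime(2022, 1, 30, tzinfo=timezone.utc)]},
    {'value': '203.0.113.9', 'base_score': 100,
     'sightings': [datetime(2022, 1, 1, tzinfo=timezone.utc),
                   datetime(2022, 1, 16, tzinfo=timezone.utc)]},
    {'value': 'bad.example', 'base_score': 100,
     'sightings': [datetime(2022, 1, 4, tzinfo=timezone.utc)]},
]

if __name__ == '__main__':
    model = DecayModel()
    for attr in SAMPLE_ATTRIBUTES:
        print(attr['value'], score_attribute(attr, NOW, model))
    print('still actionable:', still_actionable(SAMPLE_ATTRIBUTES, NOW, model))
```

With these parameters an indicator last seen 15 days ago still scores about 90, one last seen 27 days ago drops below the threshold, and a new sighting resets the clock, which is why sightings rather than creation dates drive the score.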
In this talk we will look at how MISP + Sigma = profit, and how sharing detections and automating them into your SIEM tool is the new black.
We use a variety of third-party tools to risk-assess our client base. We store the data in MISP and use it to manage a portfolio of pre-incident constituents. Then, when an incident happens, we can quickly gather data on the constituent, which makes our incident response partners' lives easier.