Threat Intelligence Contextualized Knowledge base
2019-10-21, 17:00–17:20, Hollenfels

This talk describes our idea of a platform for handling threat intelligence from source to end user. This consist not only of actionable IOC's but also offensive knowledge and detection rules. In order to implement this idea, MISP is used as the central database for storing, exporting and querying the data.

The platform consists of multiple systems working together where MISP is the central component. The first system collects OSINT data from multiple source like Pastebin, honeypots and certificate transparency logs. This data is send to a second system which automatically filters the data and enriches when needed. The results are aggregated and stored in MISP. On the output side the data could be used for automatic hunts on SIEMs or EDR systems as well as generating specific threat intelligence feeds and detection rules (Sigma, Snort, Yara). The take away is that threat intelligence is not only IOC's but could also consist other data like the offensive techniques and detection rules for the threats.