Christophe Vandeplas: MISP - Malware Information Sharing Platform

It took some time, but finally we were able to release MISP as open source software.
MISP, the Malware Information Sharing Platform, was developed in collaboration between the Belgian Defence CERT and the NATO Computer Incident Response Capability (NATO NCIRC), and it is today actively developed and used in production.

The problem we faced in the past was the difficulty of exchanging information about (targeted) malware and attacks within a group of trusted partners or under a bilateral agreement.
Even today, much of the information exchange happens in unstructured reports: you have to copy-paste the indicators into your own text files, which you then have to parse in order to export them to (N)IDS, log-search systems and so on.

To facilitate the exchange of technical information we started to develop this tool, which:
- automates the exchange of IOCs
- gives you an internal IOC database (including uploaded malware samples and reports, ...)
- correlates different malware samples and events
- generates files in various export formats (Snort/IDS, plain text, XML, ...) (MAEC and other IOC formats are planned)
- synchronizes with instances of external trust groups
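To make the correlation and export points above concrete, here is a small added example (my own illustration, not MISP's code or data model): a handful of constructed events, each a list of (type, value) IOC attributes, are correlated by the attributes they share, and the network-observable attributes are then emitted as Snort rules while everything is also written out as a plain-text list. The event structure, the attribute type names, the placeholder indicator values and the local SID range are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample events with placeholder indicators (documentation
# ranges and an all-zero hash); not real IOCs and not MISP's event format.
EVENTS = [
    {"id": 1, "info": "Targeted phishing wave A",
     "attributes": [("domain", "c2.example.invalid"),
                    ("md5", "0" * 32),
                    ("ip-dst", "192.0.2.10")]},
    {"id": 2, "info": "Dropper analysis from a partner",
     "attributes": [("md5", "0" * 32),
                    ("ip-dst", "192.0.2.20")]},
    {"id": 3, "info": "Unrelated scanner",
     "attributes": [("ip-dst", "198.51.100.7")]},
]


def correlate(events):
    """Map each event id to the set of other event ids that share at least
    one (type, value) attribute with it. This is the 'we already saw this
    hash/domain elsewhere' check that avoids duplicated analysis work."""
    index = defaultdict(set)          # (type, value) -> ids of events carrying it
    for ev in events:
        for attr in ev["attributes"]:
            index[attr].add(ev["id"])
    related = {ev["id"]: set() for ev in events}
    for ids in index.values():
        for eid in ids:
            related[eid] |= ids - {eid}
    return related


def dns_content(domain):
    """Encode a domain as a DNS wire-format name (length-prefixed labels,
    terminated by a zero byte) for use in a Snort content: match."""
    encoded = "".join(f"|{len(label):02x}|{label}" for label in domain.split("."))
    return encoded + "|00|"


def export_snort(events, sid_base=1000000):
    """Emit one Snort rule per network-observable attribute. Hashes have no
    on-the-wire pattern and are left to the plain-text export. The SID base
    is an assumed local range."""
    rules = []
    sid = sid_base
    for ev in events:
        eid = ev["id"]
        for typ, val in ev["attributes"]:
            msg = f'msg:"MISP-style event {eid} {typ} {val}"'
            if typ == "ip-dst":
                header = f"alert ip $HOME_NET any -> {val} any"
                body = msg
            elif typ == "domain":
                header = "alert udp any any -> any 53"
                body = f'{msg}; content:"{dns_content(val)}"; nocase'
            else:
                continue
            rules.append(f"{header} ({body}; sid:{sid}; rev:1;)")
            sid += 1
    return rules


def export_text(events):
    """Plain-text export: deduplicated values grouped under a '# type' header,
    the kind of list a log-search tool can ingest directly."""
    by_type = defaultdict(set)
    for ev in events:
        for typ, val in ev["attributes"]:
            by_type[typ].add(val)
    lines = []
    for typ in sorted(by_type):
        lines.append(f"# {typ}")
        lines.extend(sorted(by_type[typ]))
    return lines


if __name__ == "__main__":
    for eid, others in correlate(EVENTS).items():
        print(f"event {eid} correlates with {sorted(others) or 'nothing'}")
    print("\n".join(export_snort(EVENTS)))
    print("\n".join(export_text(EVENTS)))
```

Events 1 and 2 correlate through the shared hash even though none of their network indicators overlap, which is exactly the signal that tells an analyst a partner has already looked at the same sample; the Snort export skips that hash and only emits the IP and DNS-name rules that a sensor can actually match.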

This results in faster detection of targeted attacks and improves the detection ratio while reducing false positives. We also avoid reverse-engineering similar malware twice, because we know very quickly that others have already worked on it.
The Red October malware, for example, gives a similar view:
[Inline images 1 and 2: screenshots not reproduced here]

Feel free to have a look at the (PDF) documentation in the INSTALL directory.
For the future version (v2) this is the develop branch: https://github.com/MISP/MISP/tree/develop/INSTALL
We are actively developing this tool and many improvements (code, documentation, export formats, ...) are coming.
Feel free to fork the code, play with it, make some patches and send us the pull requests.
Feel free to contact me if you have questions or remarks.

The project site is: https://github.com/MISP/MISP
There are two branches:
- develop: the future v2, with many improvements
- main: the current stable version; it has some bugs in the synchronization functionality (we're fixing these)

Some people might think of CIF, the Collective Intelligence Framework; however, the two tools are different. Integration between them might be provided in the future.
