As we know, cybersecurity attacks are more common than ever, and they are not going away anytime soon. IT Governance recorded 20.1 billion data records reported lost or stolen in 2020, a 50% increase in breached records compared to 2019. Sharing threat information can help decrease the number of lost or stolen records year over year by giving cybersecurity researchers and vendors the tools to identify and combat threats more effectively.
MISP is a threat intelligence platform. The name is widely expanded as Malware Information Sharing Platform. It is free and open source, developed primarily by CIRCL together with other contributors.
The idea originated at a malware analysis workshop in 2012. After a lot of independent work, the participants discovered that multiple groups had analyzed the same malware, duplicating effort that could have gone into investigating new or unresearched malware.
A lot of time had been wasted, and they began to think that there must be a better system to prevent this from ever happening again. This is where it all started.
They began to develop MISP, and a great deal of feedback and contribution went into it. The final version of MISP took shape after security researchers and law enforcement started to use it and fed their feedback back into the platform. Over the years, more security experts from across the industry adopted it, and all of this contributed to the MISP that exists today.
Threat intelligence is information that organizations can use to combat online security threats. It starts out as a large amount of unorganized data from many different sources. Security professionals and data scientists then explore and analyze that data to turn it into actionable insights that support better, more informed decisions.
Essentially, it helps organizations get the most relevant and timely insights needed to understand, predict, and respond to cybersecurity threats.
The users of MISP include malware reversers, intelligence analysts, law enforcement, as well as risk analysts and fraud analysts.
The communities using MISP to share data are diverse. They include trusted organizations in the financial sector (e.g. banks, ISACs, payment processing companies), military organizations (e.g. NATO), security vendors (e.g. Fidelis, OTX), and even communities set up to tackle specific or seasonal issues (such as the COVID-19 MISP community).
MISP gives an organization a more powerful and structured way to store data about the threats it has experienced (such as IP addresses, domains, and email addresses that may be related to a threat) along with any relevant information the organization has learned about those threats. It can also combine this database with those of other MISP instances into a single large database.
There is a searchable history of threat events, and the platform automatically correlates any new event entered into the system with that historical data. It is like a search engine for the organization's threat events and what was done about them, which can make an organization much faster and smarter when dealing with new events.
The MISP developers recognized that sharing information outside of the organization presents challenges, and that not all information should be shared with everyone, so they created the concept of sharing communities. This way, researchers can choose what to share and how far that sharing goes. A sharing community is a group of trusted partners or peers who experience the same types of threat, so threat intel shared within a community tends to be highly relevant.
Another great benefit is that MISP also allows an organization to ingest threat intelligence from public threat intel feeds in which other trusted sources, such as the police and security researchers, also participate. With all of this valuable external threat information coming in, an organization can augment its event data with rich, high-quality threat intel that automatically connects to and enriches new events, in addition to the organization's own historical data.
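The two mechanisms described above, automatic correlation of a new event against the historical store and distribution levels that decide how far an attribute travels, can be illustrated with a small offline model. The following is an added example written for this post, not code from the MISP project or PyMISP. It uses MISP's JSON field names (`Event`, `Attribute`, `type`, `value`, `distribution`) and MISP's real distribution level numbers (0 = your organization only, 1 = this community, 2 = connected communities, 3 = all communities, 4 = sharing group), but the events themselves are constructed, the correlation is simplified to exact value matching, and sharing groups (level 4) are left out.

```python
"""Minimal offline model of MISP-style correlation and distribution filtering.

Added example: the event data below is constructed for illustration; field
names follow MISP's JSON layout but this is not MISP's own code.
"""
from collections import defaultdict

# MISP distribution levels (these numeric values are the real MISP ones).
ORG_ONLY, COMMUNITY, CONNECTED, ALL_COMMUNITIES, SHARING_GROUP = 0, 1, 2, 3, 4

# Constructed historical events. Addresses use RFC 5737 / reserved TLD values.
HISTORICAL_EVENTS = [
    {"Event": {"id": "1", "info": "Phishing campaign targeting finance staff",
               "distribution": COMMUNITY,
               "Attribute": [
                   {"type": "domain", "value": "login-example-bank.invalid", "distribution": COMMUNITY},
                   {"type": "ip-dst", "value": "203.0.113.10", "distribution": COMMUNITY},
                   # Kept internal: the mailbox that received the lure is our own.
                   {"type": "email-src", "value": "alerts@example.invalid", "distribution": ORG_ONLY},
               ]}},
    {"Event": {"id": "2", "info": "Credential-harvesting kit reported by a partner",
               "distribution": ALL_COMMUNITIES,
               "Attribute": [
                   {"type": "ip-dst", "value": "203.0.113.10", "distribution": ALL_COMMUNITIES},
                   {"type": "url", "value": "http://203.0.113.10/kit.zip", "distribution": ALL_COMMUNITIES},
               ]}},
]


def build_index(events):
    """Map each attribute value to the ids of the events that contain it.

    This stands in for MISP's correlation table (simplified: exact value match).
    """
    index = defaultdict(set)
    for wrapper in events:
        ev = wrapper["Event"]
        for attr in ev["Attribute"]:
            index[attr["value"]].add(ev["id"])
    return index


def correlate(new_event, index):
    """Return {(type, value): [event ids]} for every attribute of the new event
    that already appears somewhere in the historical store."""
    hits = {}
    for attr in new_event["Event"]["Attribute"]:
        matches = index.get(attr["value"])
        if matches:
            hits[(attr["type"], attr["value"])] = sorted(matches)
    return hits


def shareable_attributes(event, recipient_level):
    """Attributes that may be sent to a recipient at `recipient_level`.

    An attribute can never be more permissive than its event, so the effective
    level is min(event, attribute); it is shareable when that is at least the
    recipient's level. Sharing groups (level 4) are not modelled here.
    """
    ev = event["Event"]
    return [attr for attr in ev["Attribute"]
            if min(ev["distribution"], attr["distribution"]) >= recipient_level]


if __name__ == "__main__":
    # A constructed new event: one value already known, one never seen before.
    new_event = {"Event": {"id": "3", "info": "Suspicious outbound connection",
                           "distribution": COMMUNITY,
                           "Attribute": [
                               {"type": "ip-dst", "value": "203.0.113.10", "distribution": COMMUNITY},
                               {"type": "domain", "value": "fresh-lure.invalid", "distribution": COMMUNITY},
                           ]}}
    index = build_index(HISTORICAL_EVENTS)
    for key, ids in correlate(new_event, index).items():
        print(f"{key[0]}={key[1]} already seen in events {ids}")
    for level_name, level in (("org only", ORG_ONLY), ("community", COMMUNITY),
                              ("all communities", ALL_COMMUNITIES)):
        kept = [a["type"] for a in shareable_attributes(HISTORICAL_EVENTS[0], level)]
        print(f"event 1 shared at '{level_name}': {kept}")
```

Running the block shows the new event's `ip-dst` linking back to both historical events while the fresh domain links to nothing, and shows event 1's `email-src` attribute dropping out as soon as the recipient is outside the organization. Note that an event marked `COMMUNITY` contributes nothing at all to a recipient at `ALL_COMMUNITIES`, because the event's own distribution caps every attribute in it.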
MISP is not only a threat intelligence platform but also an important tool for furthering threat research, and a useful one in the fight against cybersecurity attacks. Want to learn more about threats and how we can identify them? Watch our on-demand webinar on Advanced Threat Identification here.