MISP Training Video December Edition - Best Practices for Encoding Threat Intelligence and Leveraging the information in MISP to Make Threat Landscape Report

Content of Training Session

• MISP data model introduction
• Best practices - from evidences to actionable evidences
• Leveraging the information in MISP to Make Threat Landscape Report

Jupyter notebook used during the training session.

Leverage the information in MISP to make threat landscape report

Most often questions asked to generate a threat landscape report

MISP can be a great source of information for generating a threat landscape report. Quite frequently, we get asked by various stakeholders, what exactly can be used as the basis of how to scope the kinds of information that are required or needed, for generating such a report.

• What are the most common vulnerabilities?
• What are the most common threats?
• What are the most common techniques used by adversaries?
• What are the priorities or remediation to limit specific risks?
• What are the most common countries targeted?
• What are the most common malware families?

MISP itself can be also a source of interesting insights such as

• Who are the most active organisations?
• How active is a given sharing community?
• What are the capabilities of an organisation?

MISP is not replacing analysts when it comes to producing a report, but it offers an easy way to create a threat intelligence report, reducing the tedious and repetitive tasks.

Tools in MISP that can help to generate threat-landscape report

From easiest to hardest - From UI to scripting

• Automatic event report generation

  • Create an event dedicated to threat-landscape
  • Build the event report automatically
  • Caveat: Time consuming to create, need to perform the aggregation manually

• MISP Periodic report

  • How to view it
  • How to set up automatic reporting by mail
  • How to configure in order to aggregate only for a filtered set of events

• MISP builtin-dashboard

  • How it works
    • Each user can have their own & templates can be shared
    • Drag & Drop widgets + configure the dashboard

• Extracting data from MISP

  • Get API key
  • Index VS RestSearch
  • Useful queries & parameters

• Toolsets to generate your report

  • Pandoc

pandoc misp-event-report.md -o misp-event-report.pdf --from markdown --template eisvogel --listings

References

• TIBER-EU Guidance for Target Threat Intelligence Report
• A pandoc LaTeX template to convert markdown files to PDF or LaTeX.
• Cybersecurity Threat Landscape Luxembourg 2021-2022

Resources

Cheatsheets

• Cheatsheet: Concepts & Data model
• Synchronisation logic
• Authentication logic
• For your lawyers or if you are interested in legal docs: MISP legal compliance (such as GDPR and alike)

Training materials

• Virtual machines (VirtualBox and VMWare format): https://vm.misp-project.org/
• All Slide Deck (source file and compiled): https://github.com/MISP/misp-training
• PyMISP: https://github.com/MISP/PyMISP/
• OpenAPI documentation: https://www.misp-project.org/documentation/openapi.html
• misp-stix a generic library for MISP standard format to STIX (1.1, 1.2, 2.0 and 2.1): documentation

Other ressources

• MISP Mastodon - @misp@misp-community.org
• MISP Twitter - Follow to get latest news
• Gitter MISP Support chat
• Benefits of running your own MISP instance

Acknowledgement

A huge thanks to all the participants for their active participation. The training is also part of the MeliCERTes project.