In this post, we talked about MISP, its use cases and features. We also covered how to share malware indicators of compromise using the MISP platform. Finally, we solved the TryHackMe room named MISP.
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
What is MISP
MISP is an open-source threat information platform that facilitates the collection, storage and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud or any intelligence within a community of trusted members.
The threat information can be distributed and consumed by Network Intrusion Detection Systems (NIDS), log analysis tools and Security Information and Event Management Systems (SIEM).
MISP Use Cases
Malware Reverse Engineering: Sharing of malware indicators to understand how different malware families function.
Security Investigations: Searching, validating and using indicators in investigating security breaches.
Intelligence Analysis: Gathering information about adversary groups and their capabilities.
Law Enforcement: Using indicators to support forensic investigations.
Risk Analysis: Researching new threats, their likelihood and occurrences.
Fraud Analysis: Sharing of financial indicators to detect financial fraud.
Key Functionalities of Malware Information Sharing Platforms
- IOC database: This allows for the storage of technical and non-technical information about malware samples, incidents, attackers and intelligence.
- Automatic Correlation: Identification of relationships between attributes and indicators from malware, attack campaigns or analysis.
- Data Sharing: This allows for sharing of information using different models of distributions and among different MISP instances.
- Import & Export Features: This allows the import and export of events in different formats to integrate other systems such as NIDS, HIDS, and OpenIOC.
- Event Graph: Showcases the relationships between objects and attributes identified from events.
- API support: Supports integration with your own systems to fetch and export events and intelligence.
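The export and API features above exist so that the indicators MISP stores can be consumed by NIDS, log analysis tools and SIEMs. The following added example (not part of the original post and not MISP's own code) shows the defender's side of that: it parses a constructed MISP-style JSON event export, keeps only attributes flagged `to_ids`, and matches them against constructed firewall log lines. The event id and C2 address reuse the values quoted in the room answers; the `info` text and the log format are assumptions.

```python
import json

# Constructed MISP-style event export (not pulled from a real instance).
# The event id and C2 address are the values quoted in the walkthrough.
MISP_EVENT_JSON = json.dumps({
    "Event": {
        "id": "1145",
        "info": "PupyRAT",  # hypothetical summary text
        "published": True,
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "89.107.62.39", "to_ids": True},
            {"type": "comment", "category": "Other",
             "value": "analyst note, never an IDS signature", "to_ids": False},
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.7", "to_ids": False},  # context only, no to_ids
        ],
    }
})

# Constructed firewall log lines (assumed key=value layout).
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z fw ALLOW src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2024-01-01T10:00:07Z fw ALLOW src=10.0.0.9 dst=89.107.62.39 dport=443",
    "2024-01-01T10:00:09Z fw ALLOW src=10.0.0.9 dst=203.0.113.7 dport=80",
]


def ids_indicators(event_json, types=("ip-dst", "ip-src")):
    """Return {value: event_id} for attributes a NIDS/SIEM should alert on.

    MISP marks detection-grade attributes with ``to_ids``; everything else
    (comments, context-only addresses) is skipped to avoid noisy alerts.
    """
    event = json.loads(event_json)["Event"]
    return {
        a["value"]: event["id"]
        for a in event.get("Attribute", [])
        if a.get("to_ids") and a.get("type") in types
    }


def match_logs(indicators, log_lines):
    """Return (line, indicator, event_id) for each line whose dst= is known."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        dst = fields.get("dst")
        if dst in indicators:
            hits.append((line, dst, indicators[dst]))
    return hits
```

Only the `to_ids` attribute produces a hit, so the context-only address 203.0.113.7 does not raise an alert even though it appears in the logs.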
Room Answers | TryHackMe MISP
How many distribution options does MISP provide to share threat information?
4
Which user has the role to publish events?
Organisation Admin
What event ID has been assigned to the PupyRAT event?
1145
The event is associated with the adversary gaining __ into organisations.
Remote Access
What IP address has been mapped as the PupyRAT C2 Server?
89.107.62.39
From the Intrusion Set Galaxy, what attack group is known to use this form of attack?
Magic Hound
There is a taxonomy tag set with a Certainty level of 50. Which one is it?
OSINT