MISP sharing groups demonstration video

Sharing groups in MISP are a more granular way to create re-usable distribution lists for events/attributes that allow users to include organisations from their own instance (local organisations) as well as organisations from directly, or indirectly connected instances (external organisations).

For a possible future project I had to document if sharing groups are an answer for a sort of multi-tenancy for sharing threat events within MISP.

Sharing groups certainly provide an answer, as long asRead more.

MISP and Microsoft Sentinel

A short post with things to consider when integrating MISP threat intelligence with Microsoft Sentinel. There are two documentation resources that describe the integration in detail and should get you started in no-time:

External Connectors for MISP Integrating open source threat feeds with MISP and Sentinel

This error is caused by invalid client secret or missing client ID. One of the steps in the documentation involves creating a new secret. You then have to addRead more.

A simple way to deploy MISP servers with Packer and Terraform

For a future project I was looking into ways of deploying (and deleting) instances of MISP on a regular basis. Instead of manually installing MISP, I wanted the deployment and the configuration automated and based on simple configuration files. This is called “infrastructure as code”, typically addressed by CI/CD (Continuous Integration, Continuous Development). To throw in other popular terminology “DevOps” could support me in provisioning (and deploying) the infrastructure that is going to be usedRead more.

Using VMRay Analyzer for Initial Triage and Incident Response

I published an article on the blog of VMRay: Using VMRay Analyzer for Initial Triage and Incident Response.

In this article I cover a practical case study how VMRay Analyzer helped with getting an accurate and noise-free analysis for initial triage and obtaining the relevant indicators of compromise for faster incident response.

Key recommendations and findings from the HSE Conti ransomware attack

The healthcare sector has been in the crosshairs of ransomware gangs.

One of the victims of last year was Ireland’s Health Services Executive. A report analysing the Conti ransomware attack was published as a follow-up to the incident. This Independent Post Incident Review provides a long list of recommendations that are not only valuable for the HSE but read as a “must-do” list for other organisations to be better prepared for such ransomware incidents.

IRead more.

Integrate DFIR-IRIS, MISP and TimeSketch

I published a set of scripts that I use to integrate

Threat events and indicators stored in MISP; CSIRT case handling data such as events, IOCs, timelines, assets and evidences in DFIR-IRIS; Analysis events on PCAP and EVTX files in TimeSketch.

The Python scripts tie everything together between MISP, IRIS and TimeSketch. The scripts and example usage, with screenshots, are published in a Github repository: https://github.com/cudeso/dfir-iris-misp-timesketch.

The scripts make it possible to document threatRead more.

Basic Automation with the VMRay API

I wrote an article on the VMRay website: Basic Automation with the VMRay API. This article walks you through the use of VMRay as a replacement of a Data Exchange Point.

The article documents how to Submit a Sample via VMRay API and look at the Behaviour Patterns to decide if a file is allowed into your environment or not.

Visualising MISP galaxies and clusters

The MISP galaxies and clusters are an easy way to add context to data. I’ve previously written an article “Creating a MISP Galaxy, 101” that describes how you can create your own galaxy and cluster.

Apart from the context, galaxies and clusters also allow you to describe relations between individual elements. These relations can for example be the synonyms (naming) for an APT group or the fact that a specific group uses a (MITRE ATT&CK)Read more.

Incident response case management, DFIR-IRIS and a bit of MISP

A good case management is indispensable for CSIRTs. There are a number of excellent case management tools available but either these are more tailored towards SOCs, are overpriced or are unnecessary complex to use. I have used TheHive, RTIR, Omnitracker, OTRS and ServiceNow and although TheHive and RTIR come close, I have never really found a solution that addresses my needs.

I currently use a combination of

TheHive Case management Template system to startRead more.

Send malware samples from MISP to MWDB (Malware Repository)

I use a MISP instance to store malware samples that I came across during an investigation or incident. I also worked for example on an integration via a MISP module with the VMRay malware sandbox. The setup with MISP works very well but I needed an easier solution to make these samples available to other users (and tools), without the need of access to this MISP instance.

Enter Malware Repository MWDB, formerly known asRead more.