Visualising MISP galaxies and clusters

MISP Galaxies and Clusters

The MISP galaxies and clusters are an easy way to add context to data. I’ve previously written an article “Creating a MISP Galaxy, 101” that describes how you can create your own galaxy and cluster.

Apart from the context, galaxies and clusters also allow you to describe relations between individual elements. These relations can for example be the synonyms (naming) for an APT group or the fact that a specific group uses a (MITRE ATT&CK) technique. They can also be used to describe similarities between different tools.

A visual representation of relations make it much more easier for human analysts to represent interactions between different elements (for example in reporting) but also allow to correlate and pivot to other relevant elements.

Visualise the galaxy relations

One of the tools that I discovered in the MISP galaxy repository is a script to create these visual representations, based on the galaxy/cluster JSON file but outside MISP. This allows you to

  • Document the threat in MISP and have the contextual relations in the threat event;
  • Create and re-use the same relation-graph in customer reports.

The Python script to create these graphs is graph.py. You can either create a graph for a specific UUID or create all graphs. You need to have Graphviz installed. On OSX this is all very straightforward.

python3 -m misp-galaxy
source misp-galaxy/bin/activate
git clone https://github.com/MISP/misp-galaxy
pip install graphviz
brew install graphviz
cd misp-galaxy/tools
./graph.py -u 2abe89de-46dd-4dae-ae22-b49a593aff54

This will generate a graph for the ID 2abe89de-46dd-4dae-ae22-b49a593aff54, or the PoisonIvy RAT.

Eventually you end up with the graph



Conclusion

This post describes building graphs and visual relations between galaxies and clusters based on the MISP built-in information. Obviously you can do the same for your own threat research and maybe you can contribute back to the community?

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.