I shared the MISP playbook for malware triage that I regularly use for a first assessment on new samples. It uses MISP, VirusTotal, MalwareBazaar, Hashlookupand pefile. It then uploads the samples to MWDB and alerts to Mattermost.
The MISP playbook on malware triage is one of many playbooks that address common use-cases encountered by SOCs, CSIRTs or CTI teams to detect, react and analyse specific intelligence received by MISP.
I contributed to the ENISA Threat Landscape 2023.
The ETL is an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures.
In the latter part of 2022 and the first half of 2023, the cybersecurity landscape witnessed a significant increase in both the variety … Read more.
The MISP2Sentinel integration allows you to sync indicators from MISP to Microsoft Sentinel. The old integration relied on the Microsoft Graph API. Microsoft prefers new integrations to rely on the Upload Indicators API. The new MISP to Microsoft (previously Azure) Sentinel or misp2sentinel does just that, it
Supports integration with the old Graph API, but also It supports the new, and preferred, Upload Indicators API.
Read the installation and configuration documentation at https://github.com/cudeso/misp2sentinel for … Read more.
I published a blog article on the MISP project website on how to do the MISP to Azure / Sentinel integration. This integration allows you to upload indicators from MISP to Microsoft Sentinel. It relies on PyMISP to get indicators from MISP and an Azure App and Threat Intelligence Data Connector in Azure.
Read the full article at MISP project website : MISP to Sentinel integration.
The integration is available via GitHub at https://github.com/cudeso/misp2sentinel
This … Read more.
In most MISP instances the database (MySQL or MariaDB) is on a local network, either directly on the machine or on a local DB-cluster. As a lot of organisations are moving towards a “full cloud” environment, this also means that they want to start making use of the database features offered by their cloud providers.
Microsoft offers Azure Database for MySQL and in this post I list the (limited) steps required to migrate the MISP … Read more.
Zeek (formerly Bro) is a free and open-source software network analysis framework. It gives insights on DNS queries, HTTP and TLS information and details on transmitted files. I find Zeek one of the best network monitoring tools available to provide detailed visibility on network traffic.
Zeek has a built-in intelligence framework. This framework allows you to add information received via MISP directly into the network visibility capabilities of Zeek. This includes
Visits to URLs or … Read more.
I contributed to the ENISA Threat Landscape 2022. The ETL is an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis. It also describes relevant mitigation measures.
Get a copy of the ENISA Threat Landscape 2022.
The first edition of the Cyber Threat Intelligence Summit took place in Luxembourg in October 2022. I did two presentations:
One presentation on MISP web scraper, a tool to create MISP events and reports from scraped websites; and one presentation on building CTI Operational Procedures with Jupyter Notebooks and PyMISP.
The slides and recording are available on GitHub and Youtube.
Slides: https://github.com/cudeso/misp-tip-of-the-week/tree/main/CTIS-2022; Recording of CTI Operational Procedures with Jupyter Notebooks and PyMISP; Recording of MISP … Read more.
Chainsaw is a tool to rapidly search through large sets of Windows Event logs. In this post I briefly go through the steps that I take to collect, process and analyse logs from different Windows machines and then use them for analysing Windows Event logs. Obviously it’s always better to use centralised logging and apply your detection techniques centrally but unfortunately this isn’t always possible.
Although Chainsaw is available as a binary package … Read more.
I published an article on the MISP project website on the MISP web scraper.
There are a lot of websites that regularly publish reports on new threats, campaigns or actors with useful indicators, references and context information. Unfortunately only a few publish information in an easily accessible and structured format, such as a MISP-feed. As a result, we often find ourself manually scraping these sites, and then copy-pasting this information in new MISP events. These … Read more.