In this post I go through the process of representing threat data from MISP in Elastic. The goal is to push attributes from MISP to Elastic and have a representation with a couple of pretty graphs. This is an alternative approach to using the MISP dashboard (and MISP-Dashboard, real-time visualization of MISP events).
The Filebeat component of Elastic contains a MISP module. This module queries the MISP REST API for recently published event and attribute … Read more.
Your users are the first line of defence against threats, especially for what concerns phishing. One of the ways to get more involvement is offering a simple and easy way to report suspicious messages, such as phishing e-mails. You can do this via a phishing alert button that allows users to notify the helpdesk of a suspicious message. The technology behind such a button is straightforward:
Forward the message; Remove the message from the inbox. … Read more.
MISP includes a powerful REST API that allows you to automate the dissemination of threat intelligence and threat data. If you aren’t familiar with the API you can explore its features (and the inline documentation) via Event Actions, REST client. In the latest versions of MISP the REST API client supports autocompletion, which is useful if you want to search for events or attributes with specific tags. And these tags are the vocabularies that we … Read more.
An antivirus solution is an indispensable component in your defence arsenal but it does not protect you against all threats. Complimentary to an antivirus is Loki, an open-source IOC scanner. Loki is a scanner that allows you to search for intrusion activity such as
Network connections to C2 servers or malicious domains; Presence of files related to APT activity; Process anomalies such as malicious implants or patches in memory ; Credential dump activities; Checks for … Read more.
One of the nice things of working in infosec is that there is always a new tool available to make your work easier. It can also cause a lot of frustration, as there is yet another new tool that you need to master. A tool I recently discovered is Watcher, a platform for discovering new cybersecurity threats targeting your organisation. Some of its key features include
Detecting emerging trends via social networks and RSS feeds; … Read more.
The Elastic stack is a great tool to quickly visualise large volumes of log files. In a previous post I described how to load stored Windows EVTX logs in Security Onion, with the help of Winlogbeat. In this new post I describe something similar with the goal to analyse Linux auditd logs with Elastic. Instead of using the Elastic stack of Security Onion I use an Elastic cluster via Docker and instead of storing the … Read more.
I published an article on the IBM Security Intelligence blog : Incident Response: 5 Steps to Prevent False Positives. The article describes how false positives look like and how they can interfere with your incident response and threat intelligence processes.
I propose 5 steps to prevent false positives, including
Prevent false positives from being added to threat intel report Notify analysts on likelihood of false positives in threat intel reports Report sightings, observables and false … Read more.
I published a post on the misp-project website on MISP service monitoring with Cacti.
The post covers how to use Cacti to monitor the performance and well-functioning of a MISP server. This includes
CPU, load average, memory usage and swap usage (based on default Cacti templates) Interface statistics, logged in users and running processes (based on default Cacti templates) MISP workers and job count MISP event, attribute, users and organisation statistics HTTP response time
I posted an article on the website of the MISP project on how to start with creating your own MISP galaxy / cluster.
The ATT&CK Navigator is a great tool to browse the ATT&CK matrices. You can run the tool directly from Github, but you can also install it locally. This can especially be useful if you want to browse the ATT&CK matrices when you’re working in an isolated environment.
Navigator can be used via Docker, but that instance does not contain the matrices. Next is a short overview of commands to get the Navigator to work locally, … Read more.