Visualising MISP galaxies and clusters

The MISP galaxies and clusters are an easy way to add context to data. I’ve previously written an article “Creating a MISP Galaxy, 101” that describes how you can create your own galaxy and cluster.

Apart from the context, galaxies and clusters also allow you to describe relations between individual elements. These relations can for example be the synonyms (naming) for an APT group or the fact that a specific group uses a (MITRE ATT&CK)Read more.

Send malware samples from MISP to MWDB (Malware Repository)

I use a MISP instance to store malware samples that I came across during an investigation or incident. I also worked for example on an integration via a MISP module with the VMRay malware sandbox. The setup with MISP works very well but I needed an easier solution to make these samples available to other users (and tools), without the need of access to this MISP instance.

Enter Malware Repository MWDB, formerly known asRead more.

Install Elastic Filebeat as daemon on OSX

Filebeat is a lightweight shipper for logs. You can use it to collect logs from endpoints and store them centrally in Elastic. You can use it to collect logs from Linux systems, but it also works on Apple OSX. Installing filebeat is straightforward

After installing filebeat you have to enable the system module

Then update the configuration file (filebeat/filebeat.yml)

I used the information from a support post on the Elastic site: https://discuss.elastic.co/t/deploying-filebeat-on-macos-x/37785/11. This post describesRead more.

Use Mobile Verification Tool to check if your iPhone is affected by Pegasus spyware

The Pegasus spyware made by the Israel-based company NSO Group has been used in targeted surveillance attacks against activists, journalists and businesspeople. Its details, and methods to detect it, were revealed by CitizenLab (hacks from the Bahraini government on activists) with a forensic methodology report made available by Amnesty International.

Because both the tools and the indicators of compromise are made available it’s fairly easy to do these checks yourself.

Setup a Python virtual environmentRead more.

Identify malicious servers / Cobalt Strike servers with JARM

For a new assignment I wanted to use JARM to group servers with a similar configuration. Why JARM? Because it’s an easy way to quickly identify and group servers based on their configuration.

JARM is an active fingerprinting of TLS servers made available by Salesforce Engineering. It sends 10 TLS Client Hello packets to a server and captures specific attributes of the responses. These responses are then aggregated and hashed. A JARM fingerprint consists ofRead more.

Debugging MISP event publish workflow. And a faulty application gateway

For a recent MISP installation I had to debug the reason why certain events were not pushed to a remote server. First a bit of context

Both servers run the same version of MISP (a fairly recent version); Events are pushed from server A to server B. The synchronisation user used on server A existed on server B and had sufficient permissions; The server synchronisation was configured to push events if they were considered completeRead more.

Interactive usage of MISP

The MISP API provides an easy way for interacting with MISP. In most cases you’ll do this via scripting or from external applications. Sometimes it can however be interesting to use the API to do some simple queries via Python on your threat data.

First start Python from the virtual environment.

Then load the libraries and set some variables.

Now you can use the misp variable to interact with MISP.

For example toRead more.

Staying in control of MISP correlations

MISP correlations are a way to find relationships between attributes and indicators from malware or attacks campaigns. Correlation support analysts in detecting clusters of similar activities and pivot from one event to another.

When the volume of data in your MISP instance grows, the number of correlations can however explode and make your system less responsive. I cover some approaches that you can use to stay in control.

Correlation basically is a way forRead more.

Creating a MISP Object, 101

I published an article on the blog of the MISP project on how to create your own custom object: Creating a MISP Object, 101. This is a follow-up to a previous post on how to create your own MISP galaxy or MISP cluster (Creating a MISP Galaxy, 101).

Use Elastic to represent MISP threat data

In this post I go through the process of representing threat data from MISP in Elastic. The goal is to push attributes from MISP to Elastic and have a representation with a couple of pretty graphs. This is an alternative approach to using the MISP dashboard (and MISP-Dashboard, real-time visualization of MISP events).

The Filebeat component of Elastic contains a MISP module. This module queries the MISP REST API for recently published event and attributeRead more.