Published on August 17th, 2013
MISP – Malware Information Sharing Platform v2.1 in the wild
The problem we experienced in the past was the difficulty of exchanging information about
(targeted) malware and attacks within a group of trusted partners, or under a bilateral agreement.
Even today much of the information exchange happens in unstructured reports: you copy-paste the
indicators into your own text files, which you then have to parse before you can export them to a
(N)IDS, a log-search system, etc.
A major challenge in the cyber security domain is information sharing inside and between
organizations. The goal of this platform is to facilitate:
- central IOC database: storing technical and non-technical information about malware and attacks, ... Data from external instances is also imported into your local instance
- correlation: automatically creating relations between malware, events and attributes
- storing data in a structured format (allowing automated use of the database for various
- export: generating IDS, OpenIOC, plain text and XML output to integrate with other systems (network IDS, host IDS, custom tools, ...)
- import: batch import, import from OpenIOC, GFI Sandbox, ThreatConnect CSV, ...
- data sharing: automatic exchange and synchronization with other parties and trust groups
Exchanging this information results in faster detection of targeted attacks and improves the detection
ratio while reducing false positives. We also avoid reversing the same malware twice, because we
learn very quickly that someone else has already worked on it.
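As an added illustration of two of the capabilities listed above, correlation and export to IDS and plain-text formats, here is a small Python script. It is not MISP code: the event and attribute layout is a simplified, constructed stand-in for MISP's own schema, the three sample events with their IP addresses, domain, URL and hash are made up (the hash is the MD5 of the empty string), and the sid range is an arbitrary local choice. It also shows the point of the closing paragraph in code: a hash that appears in two partners' events is reported as already analysed.

```python
"""Toy IOC store: cross-event correlation on shared attribute values,
export to Snort/Suricata rules and to a plain-text hash list.
Added example, not MISP code; the event/attribute layout is a
simplified, constructed stand-in for MISP's own schema."""
from collections import defaultdict
from urllib.parse import urlparse
import ipaddress

# Constructed sample events, as three partners might share them. Every
# attribute has a type, a value and a to_ids flag marking it as fit for
# automated detection (analyst comments are not).
EVENTS = [
    {"id": 1, "info": "Targeted phishing campaign (partner A)", "attributes": [
        {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
        {"type": "domain", "value": "update-cdn.example", "to_ids": True},
        # placeholder hash (MD5 of the empty string), not a real sample
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
    ]},
    {"id": 2, "info": "Dropper analysed by partner B", "attributes": [
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
        {"type": "url", "value": "http://update-cdn.example/x.php", "to_ids": True},
        {"type": "comment", "value": "analyst note, not an indicator", "to_ids": False},
    ]},
    {"id": 3, "info": "Unrelated scanning", "attributes": [
        {"type": "ip-src", "value": "198.51.100.7", "to_ids": True},
    ]},
]


def correlate(events):
    """Map each attribute value occurring in more than one event to the
    sorted ids of those events. This exact-value match is what links two
    separately shared reports: here the hash tells partner A that
    partner B already analysed the dropper."""
    seen = defaultdict(set)
    for ev in events:
        for attr in ev["attributes"]:
            if attr["to_ids"]:
                seen[attr["value"]].add(ev["id"])
    return {v: sorted(ids) for v, ids in seen.items() if len(ids) > 1}


def dns_labels(domain):
    """Encode a domain in DNS wire format for a Snort content match,
    e.g. 'update-cdn.example' -> '|0a|update-cdn|07|example|00|'."""
    out = []
    for label in domain.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label in {domain!r}")
        out.append(f"|{len(label):02x}|{label}")
    return "".join(out) + "|00|"


def _msg(ev, attr):
    # strip characters that would break the rule's quoted msg option
    text = f'event {ev["id"]} {attr["type"]} {attr["value"]}'
    return text.replace('"', "").replace(";", "")


def to_snort(events, sid_base=9000000):
    """Emit one Snort/Suricata rule per network indicator flagged to_ids.
    sid_base is an arbitrary local range chosen for this example."""
    rules, sid = [], sid_base
    for ev in events:
        for attr in ev["attributes"]:
            if not attr["to_ids"]:
                continue
            t, v, msg = attr["type"], attr["value"], _msg(ev, attr)
            if t == "ip-dst":
                ipaddress.ip_address(v)  # fail loudly on a malformed IP
                rules.append(f'alert ip $HOME_NET any -> {v} any (msg:"{msg}"; sid:{sid}; rev:1;)')
            elif t == "ip-src":
                ipaddress.ip_address(v)
                rules.append(f'alert ip {v} any -> $HOME_NET any (msg:"{msg}"; sid:{sid}; rev:1;)')
            elif t == "domain":
                rules.append(f'alert udp $HOME_NET any -> any 53 (msg:"{msg}"; content:"{dns_labels(v)}"; sid:{sid}; rev:1;)')
            elif t == "url":
                path = urlparse(v).path or "/"
                rules.append(f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"{msg}"; flow:to_server,established; content:"{path}"; http_uri; sid:{sid}; rev:1;)')
            else:
                continue  # hashes and other types go to other export formats
            sid += 1
    return rules


def to_hash_list(events):
    """Plain-text export: unique file hashes flagged to_ids, one per line."""
    hashes = {a["value"] for ev in events for a in ev["attributes"]
              if a["to_ids"] and a["type"] in ("md5", "sha1", "sha256")}
    return sorted(hashes)


if __name__ == "__main__":
    for value, ids in correlate(EVENTS).items():
        print(f"{value} already seen in events {ids}")
    print("\n".join(to_snort(EVENTS)))
    print("\n".join(to_hash_list(EVENTS)))
```

Note the caveat the toy makes visible: correlation is on exact values only, so the domain in event 1 and the URL on that same host in event 2 are not linked even though an analyst would connect them. Anything that should correlate across partners has to be stored in a normalized, structured form, which is the point of the "structured format" item above.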