MISP is an open-source threat intelligence and sharing platform for collecting, storing, distributing, and sharing cybersecurity indicators and threats related to incident and malware analysis.
MISP is designed by and for cybersecurity, ICT professionals, and malware reversers to support their daily operations by efficiently sharing structured information.
The primary goal of MISP is to promote the sharing of structured information within the security community and beyond. MISP offers functionalities to facilitate the exchange of information and its consumption by Network Intrusion Detection Systems (NIDS), Log-based Intrusion Detection Systems (LIDS), log analysis tools, and Security Information and Event Management systems (SIEMs).
Core functions
- An efficient IOC and indicators database, allowing to store technical and non-technical information about malware samples, incidents, etc.
- Automated correlation engine to discover relationships between attributes and indicators from malware, attack campaigns, or analysis.
- A flexible data model where complex objects can be expressed and linked to express threat intelligence, incidents, or connected elements.
- Built-in sharing functionalities to facilitate the sharing of threat information.
- An intuitive user interface for end-users to create, update, and collaborate on events, attributes/indicators.
- Storing data in a structured format with the support of cybersecurity and fraud indicators as in the financial sector.
- Text import tool to ease the integration of unstructured reports.
- User-friendly system to collaborate on events and attributes, allowing MISP users to propose changes or updates to attributes/indicators.
- Data-sharing: automatically exchange and synchronize with other parties and trust-groups using MISP.
- Delegating of sharing: allows for a simple, pseudo-anonymous mechanism to delegate publication of event/indicators to another organization.
- Flexible API to integrate MISP with your own solutions.
- Adjustable taxonomy to classify and tag events following your own classification schemes or existing classification.
- Intelligence vocabularies called MISP galaxy and bundled with existing threat actors, malware, RAT, ransomware or MITRE ATT&CK which can be easily linked with events and attributes in MISP.
- Expansion modules in Python to expand MISP with your own services or activate already available misp-modules.
- Sighting support to get observations from organizations concerning shared indicators and attributes.
- Integrated encryption and signing of the notifications via GnuPG and/or S/MIME.
- STIX support: import and export data in the STIX version 1 and version 2 format.
- Real-time publish-subscribe channel within MISP to automatically get all changes in ZMQ or Kafka publishing.
- Export: generating IDS, OpenIOC, plain text, CSV, MISP XML or JSON output to integrate with other systems (network IDS, host IDS, custom tools), Cache format (used for forensic tools), STIX (XML and JSON) 1 and 2, NIDS export (Suricata, Snort and Bro/Zeek) or RPZ zone. Many other formats can be easily added via the misp-modules.
- Import: bulk-import, batch-import, import from OpenIOC, GFI sandbox, ThreatConnect CSV, MISP standard format or STIX 1.1/2.0. Many other formats easily added via the misp-modules.
Download
MISP is available for free on GitHub. It currently requires PHP 7.4, an end-of-life version of PHP. Because of this, it is recommended that you only run MISP on distributions or PHP installs that you know will get security fixes backported, like Red Hat or Debian and derivatives.
Must read: