What is MISP?

A definition of MISP, its advantages, and how HarfangLab's Cyber Threat Intelligence team uses it to centralize detection rules, update them automatically, and facilitate information sharing.

MISP: definition

MISP is an open source tool licensed under the Affero General Public License (AGPL), maintained and funded primarily by the Computer Incident Response Center Luxembourg (CIRCL), a government organization dedicated to collecting, investigating, reporting and responding to computer security threats and incidents.

Where does it come from?

Historically, teams shared indicators of compromise (IOCs) by e-mail, in documents that were sometimes difficult to analyze and whose processing was hard to automate.
At the same time, information sharing between the operational teams of different entities, via their CSIRTs and SOCs, was becoming increasingly industrialized.

This observation gave rise to the MISP project in 2011, which aims to share information with trusted circles in a standard, automatable format.

Today, MISP is used by many CSIRTs and SOCs, whether for community information-sharing projects, or internally to manage Indicators of Compromise (IOC).

Because MISP is so widely used, libraries and tools that connect it to an existing ecosystem are easy to find.

Now that you know what MISP is, and before we go any further into its advantages and its use at HarfangLab, let’s take a short detour via the YARA and Sigma formats. These formats are well known to cyber experts, and HarfangLab’s EDR uses them to set up detection rules that are also managed via MISP.

Cyber threat detection: what are YARA and Sigma?

YARA: definition

YARA is a tool designed to help malware analysts and researchers identify and classify malware samples. It allows descriptions of malware families to be written as textual or binary patterns. It is an open format used throughout the cyber community.

Sigma: definition

Sigma is a standard format, also widely used by the community, for writing detection rules. It lets detection rules be defined independently of the format used by the security product, and its tooling converts rules into the query language supported by the target security tool.

HarfangLab EDR is based, among other things, on these standard formats, with full access to detection rules in a white-box spirit. Adopting standard formats such as YARA and Sigma has several advantages:

  • ease of use:
    • analysts are already familiar with these formats,
    • they can capitalize on their knowledge of them, since the same formats are used by other security solutions on the market;
  • interconnection with the existing ecosystem and easy integration;
  • transparency: rules are displayed and can be modified if necessary.

Let’s get back to MISP. You may be wondering how HarfangLab manages Threat Intelligence, and how its teams leverage MISP. We’ll explain.

Cyber Threat Intelligence (CTI) at HarfangLab

The CTI team is constantly on the lookout for new threats, both through open sources (publications) and private channels (telemetry, communities, etc.), and updates and centralizes all these detection rules in MISP.

How HarfangLab integrates MISP

As already mentioned, MISP enables the centralized provision of detection rules to customer stacks, via a dedicated tool. This facilitates information sharing in every configuration, SaaS and on-premises alike.

The management console, via a native MISP connector, is linked to the HarfangLab MISP and retrieves up-to-date detection rules.

[Figure: MISP - HarfangLab]

We’ve seen the YARA and Sigma rules, and how they are integrated and updated in MISP to feed our EDR’s detection engines. For optimal management of security alerts, there is one more piece: whitelists.

MISP and whitelists

System administration utilities or the behavior of certain applications can be mistaken for attacks and generate false alerts – also known as false positives. It is therefore essential for analysts to be able to manage the relevance of the alerts sent to the central console, via whitelists.

As with detection rules, these whitelists are managed in MISP. 

So, when an analyst concludes that the security event is a false positive, there are two possible outcomes:

  • creation or modification of a whitelist if the alert is specific to the customer’s information system,
  • modification of the rule by the CTI team if the issue is independent of the customer’s information system, so that all users of the solution benefit.

Finally, how is a rule deployed?

Rule deployment cycle for all users

When the CTI team modifies or adds a rule, the rule enters a continuous integration and continuous delivery (CI/CD) cycle.

Tests are run to check the consistency and validity of the rule, then it is sent to the HarfangLab MISP and made available to all customer stacks.
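As an added example (not HarfangLab's code or MISP's API) of the validation step described above, and of the rule retrieval from MISP mentioned under "How HarfangLab integrates MISP": a Python script that takes a MISP event in its exported JSON shape, pulls out the yara and sigma attributes, and runs simplified consistency checks before the rules would be pushed onward. The event content is constructed, and the checks are lightweight regex lints standing in for a real YARA compiler and Sigma validator.

```python
import json
import re

# Constructed MISP event in the JSON shape MISP exports (Event -> Attribute[]);
# the "yara" and "sigma" attribute types carry the rule text. Not real rules.
SAMPLE_EVENT = json.dumps({"Event": {"info": "constructed example", "Attribute": [
    {"type": "yara", "value": "rule Example_Dropper {\n  strings:\n    $a = \"evil\"\n"
                              "  condition:\n    $a\n}"},
    {"type": "sigma", "value": "title: Example rule\nlogsource:\n  product: windows\n"
                               "  category: process_creation\ndetection:\n  selection:\n"
                               "    Image|endswith: '\\example.exe'\n  condition: selection\n"},
    {"type": "yara", "value": "rule Broken { strings: $a = \"x\" }"},  # no condition
    {"type": "comment", "value": "not a detection rule, must be ignored"},
]}})

RULE_HEADER = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)", re.M)

def extract_rules(event_json):
    """Return (type, text) pairs for the YARA and Sigma attributes of a MISP event."""
    attrs = json.loads(event_json)["Event"].get("Attribute", [])
    return [(a["type"], a["value"]) for a in attrs if a["type"] in ("yara", "sigma")]

def check_yara(text):
    """Simplified structural lint (no YARA compiler): header, braces, condition."""
    checks = [(RULE_HEADER.search(text), "no rule header"),
              (text.count("{") == text.count("}"), "unbalanced braces"),
              (re.search(r"\bcondition\s*:", text), "missing condition section")]
    return [msg for ok, msg in checks if not ok]

def check_sigma(text):
    """Simplified Sigma lint on the YAML text: required top-level keys and a condition."""
    errors = [f"missing {k}" for k in ("title", "logsource", "detection")
              if not re.search(rf"^{k}\s*:", text, re.M)]
    if not re.search(r"^\s+condition\s*:", text, re.M):
        errors.append("missing detection condition")
    return errors

def validate_event_rules(event_json):
    """Split an event's rules into deployable and rejected (with reasons); a YARA
    rule whose name was already seen in the event is rejected as inconsistent."""
    accepted, rejected, seen = [], [], set()
    for rtype, text in extract_rules(event_json):
        errors = check_yara(text) if rtype == "yara" else check_sigma(text)
        for name in (RULE_HEADER.findall(text) if rtype == "yara" else []):
            if name in seen:
                errors.append(f"duplicate rule name: {name}")
            seen.add(name)
        (rejected if errors else accepted).append((rtype, text, errors))
    return accepted, rejected
```

Running `validate_event_rules(SAMPLE_EVENT)` returns the two well-formed rules as accepted and the YARA rule without a condition as rejected, while the comment attribute is ignored.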

As mentioned earlier, MISP centralizes detection rules and integrates natively into an existing ecosystem. Users keep full control over the rules: they can decide to activate or deactivate them at any time, and can modify and add to them.

Finally, if a user already runs MISP, they can connect their instance to the HarfangLab MISP and benefit from HarfangLab rules in addition to their own.

In conclusion, MISP provides:

  • centralized detection rules,
  • native integration with existing tools,
  • automatic updating of detection rules,
  • information sharing.
