MISP Use Cases


Introduction

This document describes the out-of-the-box use cases supported by integrating Recorded Future as a threat intelligence feed and enrichment module in MISP. With this integration, MISP users can use Recorded Future to:

  • Enrich intelligence with Recorded Future 
  • Aggregate Recorded Future Intelligence with MISP 
  • Correlate with external threat data sources 

For detailed information on how to install and configure the integration, please refer to the installation guide available for download on our website here.


Use Cases

Enrich 

When investigating a potentially malicious indicator in MISP, Recorded Future is likely to be able to provide additional context, which is stored as attributes of the existing event. For example, you may be reviewing a file hash related to malware found in your corporate environment that was provided by a different threat intelligence source. By running the Recorded Future enrichment, our Risk Scores and Risk Evidence are applied as tags to the file hash. Additional context such as the infrastructure related to that particular hash may also be returned, such as domains leveraged as part of a phishing campaign during the delivery phase or the IPs leveraged to exfiltrate data. Before the IPs, domains, URLs, hashes, emails, and vulnerabilities associated with the hash are added, you are given the opportunity to review the intelligence and store only what you validate as relevant entities. To reduce false positives, only infrastructure co-referenced five times or more is returned by the enrichment. The malware family that the hash belongs to, or the actor known to use that particular malware, is returned as well. These are mapped back to MISP galaxies whenever possible to allow correlation of intelligence across disparate data sets. Having this information in a single pane of glass reduces the need to pivot back and forth between platforms. The following fields are supported on enrichment: 

  • Risk Score as tag
  • Risk Rules as tag
  • Risk Tier as tags
  • Related Actors as MISP Galaxies 
  • Related Malware Families as MISP Galaxies 
  • Related MITRE ATT&CK codes as Galaxies
  • Related Domains as attributes
  • Related IPs as attributes
  • Related URLs as attributes
  • Related Hashes as attributes
  • Related Vulnerability as attributes
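The review step described above, as an added Python illustration rather than the integration's own code: an enrichment result for a hash under review is turned into Risk Score and Risk Rule tags, galaxy tags and candidate attributes, dropping related infrastructure co-referenced fewer than five times. The shape of the enrichment result, the `rf:` tag names and the entity-to-attribute-type mapping are assumptions constructed for this example.

```python
# Added example (not the integration's own code): convert an enrichment result for a
# hash under review into MISP tags, galaxy tags and candidate attributes, applying
# the rule that related infrastructure must be co-referenced 5 or more times.
MIN_COREFERENCES = 5

# MISP attribute type for each kind of related entity (assumed mapping).
ENTITY_TO_ATTRIBUTE_TYPE = {
    "ip": "ip-dst", "domain": "domain", "url": "url",
    "hash": "sha256", "email": "email-src", "vulnerability": "vulnerability",
}

# Constructed sample; the shape of a real enrichment result is an assumption here.
SAMPLE_ENRICHMENT = {
    "risk_score": 89,
    "risk_rules": ["Linked to Malware"],
    "related": [
        {"kind": "domain", "value": "lure.example.net", "count": 12},
        {"kind": "ip", "value": "198.51.100.7", "count": 5},
        {"kind": "url", "value": "http://example.org/drop", "count": 2},
        {"kind": "hash", "value": "0123456789abcdef" * 4, "count": 7},
        {"kind": "unknown-kind", "value": "x", "count": 9},
    ],
    "malware_families": ["ConstructedRAT"],
    "actors": [],
}


def enrichment_to_misp(result, min_refs=MIN_COREFERENCES):
    """Return tags, galaxy tags and attributes an analyst can review before storing."""
    tags = [f"rf:risk-score={result['risk_score']}"]
    tags += [f'rf:risk-rule="{rule}"' for rule in result.get("risk_rules", [])]
    # Galaxy tags follow MISP's misp-galaxy:<galaxy>="<cluster>" convention.
    galaxies = [f'misp-galaxy:mitre-malware="{m}"' for m in result.get("malware_families", [])]
    galaxies += [f'misp-galaxy:threat-actor="{a}"' for a in result.get("actors", [])]
    attributes = []
    for rel in result.get("related", []):
        if rel.get("count", 0) < min_refs:
            continue  # weakly co-referenced infrastructure is dropped to limit false positives
        attr_type = ENTITY_TO_ATTRIBUTE_TYPE.get(rel.get("kind"))
        if attr_type is None:
            continue  # entity kind has no attribute mapping; leave it out
        # to_ids stays False: the analyst validates relevance before the IOC drives detection
        attributes.append({"type": attr_type, "value": rel["value"], "to_ids": False})
    return {"tags": tags, "galaxies": galaxies, "attributes": attributes}
```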



Aggregation

MISP facilitates the aggregation of threat intelligence from disparate data sources into a single system. With Recorded Future this can be accomplished on a per Risk List basis using the out-of-the-box Feeds component of MISP. The screenshot below shows how to enable a Recorded Future Risk List in MISP after clicking “Add Feed”. 

[Screenshot: adding a Recorded Future Risk List as a feed in MISP]

Depending on the type of intelligence your organization is interested in, there are different combinations of Risk Lists that will meet your needs. Below we will cover which Risk Lists to enable based on the most common customer use cases. The following fields are supported on ingestion: 

  • Risk Score as tag
  • Risk Rules as tag
  • Risk Tiers as tags
  • Mitre ATT&CK mappings as tags 

Command and Control

The indicators provided by the Risk Lists below have been identified as associated with command and control activity. Command and control is among the most damaging stages of an attack, since it is carried out during one of the last phases and drives actions such as data exfiltration, distributed denial of service, reboots, or shutdowns. 

  • IP: C2 Communicating IPs
  • Hash: observedMalwareTesting (Observed in Underground Virus Testing Sites)
  • Hash: malwareSsl (Malware SSL Certificate Fingerprint)
    • Fingerprint hash for an SSL Certificate that is linked to Malware 
    • https://api.recordedfuture.com/gw/misp/feed/hash_malwareSsl

Malware 

Identifying malware takes more than a good antivirus solution. Malware intentionally tries to evade detection, so it is wise to have many mitigating controls in place to identify it. The Risk Lists below each offer a slightly different approach to finding malware lurking in your environment. By pulling these Risk Lists, you can take a holistic approach that covers everything from the site serving the infection to the vulnerabilities the malware is known to exploit.  

Suspected APT / Threat Actor activity

The indicators provided by the Risk Lists below have been identified as associated with threat actor activity. An Advanced Persistent Threat group is likely to use the same infrastructure for an extended period of time. Instead of changing their core infrastructure, APT groups usually change techniques to evade detection, as this is typically the cheaper alternative for the group. These lists are highly valuable for organizations that find themselves targeted by such groups. 

Phishing activity

Phishing is the most commonly used attack vector for infiltrating an organization because it is effective. Humans will always be the weakest link in the security chain. These Risk Lists provide the latest information on phishing attacks that may target your organization.  

  • URL: phishingUrl (Active Phishing URL)
    • URL reported as an active phish
    • https://api.recordedfuture.com/gw/misp/feed/url_phishingUrl


High Risk Indicators

All default risk lists apply a minimum risk score threshold in the "Malicious" category. "Malicious" IOCs identified by Recorded Future can be used to easily identify high priority IOCs for further investigation. For up-to-date details on the exact criteria used to compile each individual entity default risk list, please see this support article. Risk lists exist for IP addresses, domains, URLs, file hashes, and vulnerabilities.

  • IP: Default IP Risk List: Risk Score 90+
    • Indicators with a Risk Score of 90 and higher
    • https://api.recordedfuture.com/gw/misp/feed/ip_default
  • Domain: Default Domain Risk List: Risk Score 90+
    • Indicators with a Risk Score of 90 and higher
    • https://api.recordedfuture.com/gw/misp/feed/domain_default
  • URL: Default URL Risk List: Risk Score 70+
    • Indicators with a Risk Score of 70 and higher
    • https://api.recordedfuture.com/gw/misp/feed/url_default
  • Hash: Default Hash Risk List: Risk Score 80+
    • Indicators with a Risk Score of 80 and higher
    • https://api.recordedfuture.com/gw/misp/feed/hash_default
  • Vulnerability: Default Vuln Risk List: Risk Score 90+
    • Vulnerabilities with a Risk Score of 90 and higher
    • https://api.recordedfuture.com/gw/misp/feed/vulnerability_default
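The per-type thresholds listed above, applied as an added Python example to attributes in a MISP-format event so that only indicators meeting their default Risk List threshold are promoted for investigation. This is illustration, not the feed's or the integration's own code: the `rf:risk-score=<n>` tag name, the sample event and the mapping of hash and IP attribute types are assumptions constructed for this example.

```python
import json

# Minimum Risk Score per MISP attribute type, from the default Risk List thresholds
# listed above (IP 90+, domain 90+, URL 70+, hash 80+, vulnerability 90+).
DEFAULT_THRESHOLDS = {
    "ip-dst": 90, "ip-src": 90, "domain": 90, "url": 70,
    "md5": 80, "sha1": 80, "sha256": 80, "vulnerability": 90,
}

# Constructed sample in MISP event JSON layout. The "rf:risk-score=<n>" tag name is
# an assumption for this example; CVE-0000-00000 is a placeholder, not a real CVE.
SAMPLE_FEED_EVENT = json.dumps({"Event": {"info": "constructed sample", "Attribute": [
    {"type": "ip-dst", "value": "203.0.113.10",
     "Tag": [{"name": "rf:risk-score=95"}, {"name": 'rf:risk-rule="C2 Communicating IP"'}]},
    {"type": "domain", "value": "stale.example.net", "Tag": [{"name": "rf:risk-score=85"}]},
    {"type": "url", "value": "http://example.org/login", "Tag": [{"name": "rf:risk-score=72"}]},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "Tag": [{"name": "rf:risk-score=80"}]},
    {"type": "vulnerability", "value": "CVE-0000-00000", "Tag": [{"name": "rf:risk-score=60"}]},
    {"type": "md5", "value": "0123456789abcdef" * 2},  # no score tag at all
    {"type": "email-src", "value": "a@example.com", "Tag": [{"name": "rf:risk-score=99"}]},
]}})


def risk_score(attribute):
    """Return the integer Risk Score carried in the attribute's tags, or None."""
    for tag in attribute.get("Tag", []):
        name = tag.get("name", "")
        if name.startswith("rf:risk-score="):
            try:
                return int(name.split("=", 1)[1])
            except ValueError:
                return None  # malformed score: treat as unscored rather than guessing
    return None


def high_risk(event_json, thresholds=DEFAULT_THRESHOLDS):
    """Return (value, type, score) for attributes at or above their type's threshold."""
    event = json.loads(event_json)["Event"]
    selected = []
    for attr in event.get("Attribute", []):
        threshold = thresholds.get(attr.get("type"))
        score = risk_score(attr)
        if threshold is None or score is None:
            continue  # unmapped type or unscored attribute: never promoted on guesswork
        if score >= threshold:
            selected.append((attr["value"], attr["type"], score))
    return selected
```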


Correlation

MISP defines correlation as “finding relationships between attributes and indicators from malware, attacks campaigns or analysis”. It offers a correlation graph to help users visualize these relationships. The correlation graph can be used on multiple events simultaneously, enabling users to find relationships between disparate data sources. For example, suppose a Recorded Future event is related to a particular malware family. To find additional related indicators or intelligence, you can use the correlation graph to see what other intelligence in your MISP instance is related to that malware family. This helps you build a more complete picture of the attack surface and of the different avenues the malware may use to evade controls. 



This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.