MISP is primarily PHP. I haven't kept up with it, but a few years ago when my team took it for a test drive it stored malware samples inline in its database, rather than as flat files. We quickly abandoned it.
In mid-2020, we stumbled upon OpenCTI (https://www.opencti.io/en/). It's so much better! It probably doesn't do quite as much as MISP, but it has a nice release tempo and upgrades have been painless.
I use MISP all the time, what could you possibly have against storing malware in a database? I mean, it's defacto practice to zip them up with password "infected" anyways but even that aisde, how do you imagine this to be harmful? Flat files in the contrary risk unintended interaction or execution.
Also, there are plenty of alternatives (paid) that do a lot more or less. This isn't one of those one-size-fits-all products, it is a product you pick to help you operationalize threat intel, what that means and the requirement derived from it could be wildly different. I have implemented misp several times and not once did it involve storing actual malware sample (hashes and yara were adequate).
Also, just to clarify: misp doesn’t and never has stored malware samples in the db.
It was always password protected zip files, containing 2 files: a txt file with the original filename as well as the actual malware with its hash as the filename.
I don’t have much interest in an argument, but want to clarify, I’m not talking about security concerns of “live” vs inert malware. My point is that storing file blobs in a row-oriented relational database often comes with problems, creating performance issues and leading to scalability limits. With the malware corpus my org has, that was a real concern.
I agree that the point of these tools is operationalizing CTI and the benefit of doing that with any tool exceeds not doing it. But ultimately my org has been much better off with custom management of our malware and then using OpenCTI to record CTI, and I think folks interested in MISP should check out OpenCTI as a possible alternative.
That's a valid concern, It makes a lot of sense to store files separately on a dedicated file server, your TIP should only track hashes.
I have heard both good and bad things about openCTI. But you can say the same about MISP as well. I agree people should check out both. But IMO, I have seen people pick a TIP like this without a long term evaluation and it always ends up with some important thing you want to do with it but that isn't possible, practical or supported. I think there are better platforms tha MISP (depending on use case), but if you just have a bunch of intel and you want to put it somewhere and let the rest of your security stack integrate to operationalize that data, MISP is the best. Then see if all the other platforms can meet the same needs and if your team and resources can save time/money without it.
I also like how I don't have to worry about MISP taking a radically different direction (thehive and their dbms for example) or lose support down the road (cuckoo and its many forks!) because someone is paying to support it. Love the devs too, they don't get enough praise!
I was looking at this a couple of weeks ago, and compared to some alternatives (e.g. opencti) it seemed a lot less polished. It was still easier to get running than Cortex though, at least for a basic look.
It isn't polished and is more involved but it is well supported both by products for integration and as a project by EU. It has a very flexible API as well. It lacks features paid platforms have like a builtin taxii server but it is like most OSS projects continually evolving and dependent on PRs.
It all depends on your requirements. I have seen industry wide orgs using a spreadsheet for sharing intel. And then you have theatconnect and SOAR's with builtin TIPs.
It's not for everyone but it is a good starting point. It you are trying to figure out how to best operationalize threat intel, use MISP. It will help you define what your requirements are at least. Setting it up and dealing with occasional issues can be a pain but that aisde works smoothly. Once you get it to help you define your threat intel program and pipeline you can decide if something else that costs six figures or is new to the market can get the job done and provides better value. Just my $0.02
7 comments
[ 2.8 ms ] story [ 20.9 ms ] threadIn mid-2020, we stumbled upon OpenCTI (https://www.opencti.io/en/). It's so much better! It probably doesn't do quite as much as MISP, but it has a nice release tempo and upgrades have been painless.
Also, there are plenty of alternatives (paid) that do a lot more or less. This isn't one of those one-size-fits-all products, it is a product you pick to help you operationalize threat intel, what that means and the requirement derived from it could be wildly different. I have implemented misp several times and not once did it involve storing actual malware sample (hashes and yara were adequate).
It was always password protected zip files, containing 2 files: a txt file with the original filename as well as the actual malware with its hash as the filename.
I agree that the point of these tools is operationalizing CTI and the benefit of doing that with any tool exceeds not doing it. But ultimately my org has been much better off with custom management of our malware and then using OpenCTI to record CTI, and I think folks interested in MISP should check out OpenCTI as a possible alternative.
I have heard both good and bad things about openCTI. But you can say the same about MISP as well. I agree people should check out both. But IMO, I have seen people pick a TIP like this without a long term evaluation and it always ends up with some important thing you want to do with it but that isn't possible, practical or supported. I think there are better platforms tha MISP (depending on use case), but if you just have a bunch of intel and you want to put it somewhere and let the rest of your security stack integrate to operationalize that data, MISP is the best. Then see if all the other platforms can meet the same needs and if your team and resources can save time/money without it.
I also like how I don't have to worry about MISP taking a radically different direction (thehive and their dbms for example) or lose support down the road (cuckoo and its many forks!) because someone is paying to support it. Love the devs too, they don't get enough praise!
It all depends on your requirements. I have seen industry wide orgs using a spreadsheet for sharing intel. And then you have theatconnect and SOAR's with builtin TIPs.
It's not for everyone but it is a good starting point. It you are trying to figure out how to best operationalize threat intel, use MISP. It will help you define what your requirements are at least. Setting it up and dealing with occasional issues can be a pain but that aisde works smoothly. Once you get it to help you define your threat intel program and pipeline you can decide if something else that costs six figures or is new to the market can get the job done and provides better value. Just my $0.02