Mastering MISP Part-1

Shreya Dhameliya


Sep 20, 2024


TABLE OF CONTENTS

  1. Overview of MISP
  2. Features of MISP
  3. What is MISP and What does it do?
  4. What are the main Use Cases for MISP?
  5. Who typically uses MISP?
  6. Is MISP a software application or an API?
  7. From which communities does MISP take data?
  8. Hardware Prerequisites
  9. Step-by-Step Guide for Installing MISP on Ubuntu 22.04
  10. Configuring Feeds in MISP for Threat Intelligence
  11. Conclusion

Overview of MISP

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform that facilitates the collection, sharing, and management of cybersecurity data. It enhances collaboration among organizations, enabling proactive defense against cyber threats.


Features of MISP

  • Event Sharing: Create and share threat events, including indicators of compromise (IOCs).
  • Feed Management: Import and manage various threat feeds in formats like JSON.
  • API Integration: Automate data exchange with robust API capabilities.
  • Collaboration: Securely share and receive intelligence with other organizations.
  • Structured Data: Use standardized formats for easier analysis and sharing.
  • Taxonomy and Tagging: Organize and categorize threat data for better retrieval.
  • Access Control: Manage permissions to ensure data confidentiality.
  • Visualization Tools: Understand threat relationships and trends through visualizations.

These features collectively enhance an organization’s threat intelligence capabilities and improve overall cybersecurity posture.


What is MISP and What does it do?

  • For many organisations, MISP serves as a repository of knowledge about all the known threats and vulnerabilities an organisation has seen.
  • By giving this information a consistent structure, the information becomes searchable, making it easier to correlate information across different days, months and years without relying on the memory of security analysts.
  • MISP also automatically associates similar information (for example, recorded events about the same IP address will be automatically linked together).
  • By storing information in a consistent format, MISP also makes information easier to share between organisations likely to face similar threats, such as governments, banks, and utilities.


What are the main Use Cases for MISP?

  • Consuming, searching through and sharing information. MISP makes it easier to consume IOCs and other information in a structured, organised format. For example, you can use MISP to search through the available information about a given IP address or domain, including whether it’s been flagged as malicious by your peers.
  • Automatically pushing IOCs to your firewalls, endpoint agents and IDS’s (Intrusion Detection Systems). This means you can automate aspects of your organisation’s defences against known threats without requiring manual intervention and configuration.
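As an added example (not code from the original post or from the MISP project), the script below shows the two use cases above on constructed data: it correlates two MISP-style events that share an indicator, the way MISP links events about the same IP address automatically, and it exports only the attributes flagged `to_ids` as a blocklist and as Suricata alert rules. The event UUIDs, the IP address (RFC 5737 documentation range), the domain and the Suricata sid range are constructed placeholders, not real indicators.

```python
"""Correlate attributes across MISP events and export to_ids indicators.

Added example, not from the original post or the MISP project. The two
events below are constructed sample data laid out like MISP event JSON
(an "Event" object carrying an "Attribute" list); every value in them is
a placeholder.
"""
import json
from collections import defaultdict

# Constructed sample: two events that happen to share one IP address.
SAMPLE_EVENTS = [
    {"Event": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "info": "Phishing campaign, March (constructed)",
        "date": "2024-03-04",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.10", "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "invoice-update.example", "to_ids": True},
            {"type": "comment", "category": "Other",
             "value": "seen in user-reported mail", "to_ids": False},
        ]}},
    {"Event": {
        "uuid": "22222222-2222-4222-8222-222222222222",
        "info": "C2 infrastructure, June (constructed)",
        "date": "2024-06-18",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "203.0.113.10", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery",
             "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
             "to_ids": True},
        ]}},
]

# Attribute types that can become network blocking or alerting rules.
NETWORK_TYPES = {"ip-dst", "ip-src", "domain", "hostname"}


def load_events(raw):
    """Accept a JSON string or an already-parsed list of {"Event": ...} objects."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    return [entry["Event"] for entry in data]


def correlate(events):
    """Return {value: sorted event uuids} for values present in more than one event.

    This mirrors MISP's automatic correlation: the same value recorded in two
    events links those events together.
    """
    seen = defaultdict(set)
    for ev in events:
        for attr in ev.get("Attribute", []):
            seen[attr["value"]].add(ev["uuid"])
    return {value: sorted(uuids) for value, uuids in seen.items() if len(uuids) > 1}


def ids_attributes(events):
    """Only attributes flagged to_ids are meant to reach detection systems."""
    return [(ev["uuid"], attr) for ev in events
            for attr in ev.get("Attribute", []) if attr.get("to_ids")]


def build_blocklist(events):
    """Deduplicated network indicators, the input for a firewall or DNS blocklist."""
    return sorted({attr["value"] for _, attr in ids_attributes(events)
                   if attr["type"] in NETWORK_TYPES})


def build_suricata_rules(events, base_sid=9000000):
    """One Suricata alert rule per to_ids destination IP (sid range is a placeholder)."""
    rules, seen, sid = [], set(), base_sid
    for uuid, attr in ids_attributes(events):
        if attr["type"] != "ip-dst" or attr["value"] in seen:
            continue
        seen.add(attr["value"])
        rules.append(f'alert ip $HOME_NET any -> {attr["value"]} any '
                     f'(msg:"MISP event {uuid} ip-dst"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print("correlated:", correlate(events))
    print("blocklist:", build_blocklist(events))
    print("\n".join(build_suricata_rules(events)))
```

The `to_ids` filter is the important design choice: a comment or a context-only attribute must never end up in a blocklist, and MISP's own export filters behave the same way.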

Who typically uses MISP?

MISP is designed to be used by security analysts, incident responders, and threat intelligence analysts. These individuals typically use MISP within and across their own organisation, as well as between organisations and within broader threat intelligence sharing communities.

  • At the individual level, analysts, responders and researchers use MISP to organise their own information and share this information with peers.
  • At the organisation level, teams use MISP to store and share information within and across teams and departments. They may also use MISP to exchange selected information with other organisations and communities.
  • At the sharing community level, trusted members of the community share and receive information. For example, a sharing community could include a network of banks using MISP to share information about threats targeting the financial sector.

Is MISP a software application or an API?

Both. MISP is a software application with a user interface. It also includes an API and can be interacted with programmatically. MISP runs on Linux operating systems such as Ubuntu.

Organisations typically either self-host MISP on their own infrastructure, or use a hosted MISP provider such as CloudMISP.

From which communities does MISP take data?

  1.  National CERTs (Computer Emergency Response Teams) and CSIRTs (Computer Security Incident Response Teams)
  2.  Industry-Specific ISACs (Information Sharing and Analysis Centers)
  3.  Law Enforcement Agencies
  4.  Private Sector Organizations
  5.  Research Institutions and Universities
  6.  Open Source Intelligence (OSINT) Communities
  7.  Individual Security Researchers and Experts
  8.  International Organizations

Hardware Prerequisites

  • Processor (CPU): 4 core CPU.
  • Memory (RAM): A minimum of 8 GB of RAM is recommended. For larger installations or to handle more concurrent users, consider 16GB or more.
  • Storage: 320 GB or more disk space.
  • Operating System: Ubuntu 22.04 LTS or equivalent.
  • Database: MISP typically uses a MySQL or PostgreSQL database.
  • Network bandwidth: Ensure sufficient bandwidth to handle data upload/download and user traffic.
  • HTTP/HTTPS (80/443): Required for web interface access and API communication.
  • Supported Operating Systems:
    • Ubuntu (18.04.5, 20.04.2, 21.04)
    • CentOS (7.9, 8)
    • Kali Linux (2022.1)

Step-by-Step Guide for Installing MISP on Ubuntu 22.04

Important Note:- Please execute the commands as a normal user, not as root.

Step 1 : First, update and upgrade the system using this command:

Linux Command:-

$ sudo apt-get update -y && sudo apt-get upgrade -y


Step 2 : MISP requires the MySQL client to be available on the machine. Install it using the command below.

Linux Command:-

$ sudo apt-get install mysql-client -y


Step 3 : To install MISP on a fresh Ubuntu 20.04.1 system, all you need to do is the following. Remember one thing: this is an automated bash script that cannot be run with root privileges, so run it as a non-root user.

●  Download the installer (INSTALL.sh) with the command below

Linux Command:-

$ curl https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh -o misp_install.sh


Step 4 : Change the permissions of misp_install.sh to make it executable, then run it with the following commands. The script needs some time to install MISP on your Ubuntu system.

Linux Command:-

$ chmod +x misp_install.sh
$ ./misp_install.sh -A


●  In the middle of the installation, enter “Y” to create the MISP user.


Step 5 : Now we add firewall rules that allow ports 80/tcp and 443/tcp.

Linux Command:-

$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp


Step 6 : After the installation of MISP, we can use a browser to connect to it.

●  By default, MISP listens on the loopback address or the configured Base URL. To access MISP, browse to the following URL:

●  https://172.16.174.132/users/login


Default Credentials :-

For the MISP web interface -> [email protected]:admin

For the system -> misp:Password1234


Change Admin Password :-

Enter a new password.

The password must follow the standard form: a minimum length of 12 characters, containing uppercase and lowercase letters, a special character and a digit.

For example – Strong@12345


Configuring Feeds in MISP for Threat Intelligence

To enable feeds, you need to log in to the MISP console with the superuser account, which is the [email protected] account.

This part is a little special: feeds are managed from the “Sync actions” menu.


In the Sync actions menu, select List Feeds.

There you will find feeds such as the CIRCL OSINT feed; tick the feeds you want to use.

If you want to import feeds from a JSON file, navigate to the corresponding tab.


Here you can see the option to import feeds. You can add a JSON feed file to download additional feeds.


From the list provided here, you can obtain another JSON feed file to import additional feeds.


Here, you can view all the additional feeds available.


Now select all the feeds and enable them.


After that, go to Administration, then Jobs, and download all the feeds.


After downloading the feeds, you can list all events by going to List Events.
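To complement the JSON import step above, here is an added example (not from the original post or the MISP project) that builds a feed-definition file for the Import Feeds from JSON screen and checks it before upload, so that only https network feeds in a known source format get pulled into the platform. The list-of-`{"Feed": {...}}` layout and the key names follow the public MISP feed list as I know it and are an assumption to confirm against the Feeds table of your MISP version; the feed names, providers and URLs are constructed placeholders.

```python
"""Build and sanity-check a feed-definition file for MISP's Import Feeds from JSON.

Added example, not from the original post or the MISP project. The layout
(a list of {"Feed": {...}} objects with name, provider, url, source_format,
input_source, enabled and distribution keys) follows the public MISP feed
list as I know it; treat the key names as an assumption and confirm them
against your MISP version. All feed names and URLs below are placeholders.
"""
import json
from urllib.parse import urlparse

SOURCE_FORMATS = {"misp", "csv", "freetext"}   # feed formats MISP can ingest
INPUT_SOURCES = {"network", "local"}            # fetch over HTTP(S) or read a local file


def feed_entry(name, provider, url, source_format="misp", enabled=False, distribution=0):
    """Minimal feed definition. distribution 0 keeps fetched data in your organisation only.

    Feeds are created disabled so that enabling is a deliberate step in the UI.
    """
    return {"Feed": {
        "name": name,
        "provider": provider,
        "url": url,
        "source_format": source_format,
        "input_source": "network",
        "enabled": enabled,
        "distribution": str(distribution),
    }}


# Constructed sample list: one clean entry and two that should be rejected.
SAMPLE_FEEDS = [
    feed_entry("Placeholder OSINT feed", "example-provider", "https://feeds.example.test/osint"),
    feed_entry("Plaintext feed", "example-provider", "http://feeds.example.test/plain", "csv"),
    feed_entry("Odd format feed", "example-provider", "https://feeds.example.test/odd", "xml"),
]


def validate(entries):
    """Return a list of human-readable problems; an empty list means the file is clean."""
    problems = []
    seen_urls = set()
    for index, entry in enumerate(entries):
        feed = entry.get("Feed", {})
        label = feed.get("name") or f"entry {index}"
        if not feed.get("name") or not feed.get("provider"):
            problems.append(f"{label}: name and provider are required")
        url = feed.get("url", "")
        scheme = urlparse(url).scheme
        source = feed.get("input_source", "network")
        if source not in INPUT_SOURCES:
            problems.append(f"{label}: unknown input_source {source!r}")
        if source == "network" and scheme != "https":
            # A feed fetched over plain http can be tampered with in transit.
            problems.append(f"{label}: network feeds must use https, got {scheme or 'no scheme'}")
        if source == "local":
            problems.append(f"{label}: local feeds read files from the MISP host; confirm this is intended")
        if feed.get("source_format") not in SOURCE_FORMATS:
            problems.append(f"{label}: unknown source_format {feed.get('source_format')!r}")
        if url in seen_urls:
            problems.append(f"{label}: duplicate url {url}")
        seen_urls.add(url)
    return problems


def write_feed_file(path, entries):
    """Write the definition file only when it validates; returns the problem list."""
    problems = validate(entries)
    if not problems:
        with open(path, "w", encoding="utf-8") as handle:
            json.dump(entries, handle, indent=2)
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE_FEEDS):
        print("rejected:", problem)
    clean = [SAMPLE_FEEDS[0]]
    print("written" if not write_feed_file("feeds_to_import.json", clean) else "not written")
```

Upload the resulting file through the Import Feeds from JSON tab, then enable the feeds and fetch them as described in the steps above; the validation step is where to add any organisation-specific rules, such as an allowlist of providers.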


Conclusion

In summary, MISP (Malware Information Sharing Platform) is a powerful tool for organizations seeking to enhance their cybersecurity posture through effective threat intelligence sharing. By providing a structured framework for collecting, managing, and disseminating threat information, MISP facilitates collaboration among diverse entities, enabling them to respond proactively to emerging threats. Its rich features, including event sharing, feed management, and robust API integration, empower users to streamline their threat intelligence workflows and improve incident response capabilities. Embracing MISP not only fosters a culture of information sharing but also strengthens the collective defense against cyber threats in an increasingly complex landscape.

Shreya Dhameliya, Jr SOC Analyst
Copyright © 2019 - 2024 Certbar Security Pvt. Ltd. All rights reserved.