Leveraging MISP and TheHive When You Create Your CTI PracticeCYRILLE BADEAU
Many CISOs I speak with across Europe tell me their cybersecurity teams rely on two, primary open-source platforms within their security operations (SecOps). The first is Malware Information Sharing Platform (MISP), that allows the storing and sharing of indicators of compromise (IoCs) with other MISP users. The second is TheHive, designed for security incident response (IR). The two solutions are tightly integrated so that SOCs, CERTs and any security practitioner can act more quickly when incidents happen.
For organizations with limited resources or just beginning to build a SecOps practice, MISP and TheHive are easy-to-use tools to help your teams react to malicious threats. The next step to proactively mitigate risk from the full breadth of threats your organization is facing, is to leverage MISP and TheHive to create a cyber threat intelligence (CTI) practice. To do this, you need to consider a third platform that integrates with these two solutions and provides five essential capabilities for a CTI practice so your teams can get ahead of threats.
- Aggregate all the data you need. To gain a comprehensive understanding of the threats you are facing, you need to gather internal data from across the entire ecosystem – the telemetry, content and data created by each layer in your security architecture, on-premises and in the cloud. With the right internal threat and event data aggregated in a platform that serves as a central repository, you then need to augment and enrich it with external threat data from the multiple sources you subscribe to –open source (MISP and others), commercial, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. Out-of-the-box connectors make this easy. But you also need custom connectors that can be written and deployed within hours to ingest data from new sources of threat data as new crises and outbreaks occur, for example the SolarWinds Orion security breach. With the ability to organize and structure relationships across the entire pyramid of pain – starting at the bottom with basic indicators and moving up to include, malware families and campaigns, adversaries, and tactics, techniques and procedures (TTPs) – the value security teams can derive from threat intelligence to understand the adversary increases dramatically.
- Make threat data usable for analysis and action. With all your threat data in one manageable location, now you need to understand where to focus your resources to mitigate risk. To start, the platform must be able to automatically deduplicate and normalize the data so that it is in a uniform format for analysis and action. Because these threat feeds will inevitably contain some data that isn’t relevant to your organization, you also need the ability to score and prioritize threat data based on your definition of priority to automatically filter out noise. Expiration strategies that consider that different pieces of intelligence have different life cycles, ensure threat intelligence is still accurate and timely. This allows you to focus on what matters to your organization and send relevant threat intelligence directly to your sensor grid (firewalls, IPS/IDS, routers, endpoint, and web and email security) to harden security controls for better defensive posture.
- Build organizational memory. This central repository is really a structured library that also serves as organizational memory for learning and improvement. As new data and learnings are added to the library, from the MISP community, TheHive, your internal tools, your analysts and other trusted sources, intelligence is automatically reevaluated and reprioritized. The CTI program continues to improve by maintaining trusted and timely information and the library helps accelerate actions. For example, an analyst who is new to a specific threat or campaign can benefit from this shared knowledge and prior techniques that have worked, to accelerate their analysis, decision-making and actions.
- Support additional use cases. Because threat intelligence is the lifeblood of security operations, beyond the obvious use case of threat intelligence management, a CTI program allows you to address other top use cases. Integrating with TheHive you can support incident response, but you can also integrate with an ecosystem of tools to support other use cases, including spear phishing, threat hunting, alert triage and vulnerability management. In each of these use cases, context is critical to understanding the who, what, where, when, why and how of an attack. With the ability to analyze multi source threat intelligence, and determine relevance and priority, you can determine the right actions to take and take them faster.
- Enhanced reporting. Within the platform, real-time dashboards provide the data, metrics and status updates that are important for each specific stakeholder to monitor. You can provide regular reports to executive leadership with KPIs that are important to them. You also have immediate access to relevant intelligence organized in one location for ad hoc reporting on the latest threat. When an attack happens, you can be ready with information about who is attacking you, what you know, and the steps you are taking to mitigate damage.
MISP is a great source for information sharing. And connecting with TheHive accelerates incident response which is a priority for many organizations. Leveraging the two solutions to create a CTI program takes your SecOps to the next level. With a platform that works with both and is purpose-built for threat-centric security operations, your security teams aren’t just reacting to threats but proactively mitigating risk and even anticipating and preventing attacks.