Training Video - MISP Best Practices for Encoding Threat Intelligence

December 15, 2022

MISP Training Video December Edition - Best Practices for Encoding Threat Intelligence and Leveraging the Information in MISP to Make a Threat Landscape Report

Content of Training Session

Jupyter notebook used during the training session.

Leveraging the information in MISP to make a threat landscape report

Questions most often asked when generating a threat landscape report

MISP can be a great source of information for generating a threat landscape report. Quite frequently, stakeholders ask us what exactly should be used to scope the kinds of information required for such a report. The questions below are the ones that come up most often, and each of them maps to data that is already encoded in MISP events (vulnerability attributes, galaxy tags for techniques, malware families, threat actors and targeted countries, and the organisations that created the events).

  • What are the most common vulnerabilities?
  • What are the most common threats?
  • What are the most common techniques used by adversaries?
  • What are the priorities for remediation to limit specific risks?
  • What are the most common countries targeted?
  • What are the most common malware families?

MISP itself can also be a source of interesting insights, such as:

  • Who are the most active organisations?
  • How active is a given sharing community?
  • What are the capabilities of an organisation?

MISP does not replace analysts when it comes to producing a report, but it offers an easy way to assemble a threat intelligence report, reducing the tedious and repetitive aggregation work.

Tools in MISP that can help generate a threat-landscape report

From easiest to hardest, from UI to scripting

  • Automatic event report generation

    • Create an event dedicated to the threat landscape
    • Build the event report automatically
    • Caveat: time-consuming to create, since the aggregation has to be performed manually
  • MISP Periodic report

    • How to view it
    • How to set up automatic reporting by mail
    • How to configure it to aggregate only over a filtered set of events
  • MISP built-in dashboard

    • How it works
      • Each user can have their own & templates can be shared
      • Drag & Drop widgets + configure the dashboard
  • Extracting data from MISP

    • Get an API key (the automation key from the user profile; it carries that user's permissions, so use a dedicated read-only user for reporting)
    • Index vs. RestSearch
    • Useful queries & parameters
  • Toolsets to generate your report

    • Pandoc
      pandoc misp-event-report.md -o misp-event-report.pdf --from markdown --template eisvogel --listings
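The scripting path (extract with RestSearch, aggregate, render Markdown, then run the Pandoc command above) as one worked example. This is an added example for this page, not code from the MISP project or from the training notebook. It follows the JSON layout that POST /events/restSearch returns (a "response" list of {"Event": {...}} objects with event-level and attribute-level "Tag" lists and an "Orgc" block); the galaxy tag prefixes used to sort tags into report buckets, the 90-day query body, the report layout and the three sample events are assumptions made for the demo and should be adapted to the galaxies and scope your community uses.

```python
"""Aggregate MISP restSearch output into threat-landscape counts and Markdown.

Added example, not MISP project code. Only fetch_events() talks to a live
instance; everything else runs offline on the constructed sample below.
"""
import re
from collections import Counter

# Assumed restSearch body: JSON output, published events of the last 90 days.
# Add "tags", "org" or "sharinggroup" filters to scope the report further.
RESTSEARCH_BODY = {"returnFormat": "json", "published": True,
                   "publish_timestamp": "90d"}

# Assumed mapping of galaxy tag prefixes to report buckets.
TAG_BUCKETS = {
    'misp-galaxy:mitre-attack-pattern="': "techniques",
    'misp-galaxy:malpedia="': "malware",
    'misp-galaxy:mitre-malware="': "malware",
    'misp-galaxy:threat-actor="': "threats",
    'misp-galaxy:target-information="': "countries",
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def fetch_events(base_url, api_key, body=RESTSEARCH_BODY, verify=True):
    """Live query against MISP; not exercised by the offline demo."""
    import requests  # imported here so the offline path has no dependency
    resp = requests.post(f"{base_url.rstrip('/')}/events/restSearch",
                         headers={"Authorization": api_key,
                                  "Accept": "application/json",
                                  "Content-Type": "application/json"},
                         json=body, verify=verify, timeout=120)
    resp.raise_for_status()
    return resp.json()["response"]


def classify(tag_name):
    """Return (bucket, value) for a known galaxy tag, else None."""
    for prefix, bucket in TAG_BUCKETS.items():
        if tag_name.startswith(prefix) and tag_name.endswith('"'):
            return bucket, tag_name[len(prefix):-1]
    return None


def aggregate(events):
    """Count every value once per event: a technique tagged on 200 attributes
    of one event must not look like 200 sightings in the landscape."""
    counts = {b: Counter() for b in set(TAG_BUCKETS.values())}
    counts["vulnerabilities"], counts["organisations"] = Counter(), Counter()
    for wrapper in events:
        ev = wrapper["Event"]
        counts["organisations"][ev["Orgc"]["name"]] += 1
        tags = [t["name"] for t in ev.get("Tag", [])]
        seen = set()
        for attr in ev.get("Attribute", []):
            tags.extend(t["name"] for t in attr.get("Tag", []))
            if attr["type"] == "vulnerability" and CVE_RE.match(attr["value"]):
                seen.add(("vulnerabilities", attr["value"].upper()))
        seen.update(hit for hit in map(classify, tags) if hit)
        for bucket, value in seen:
            counts[bucket][value] += 1
    return counts


def to_markdown(counts, top_n=5):
    """Render one Markdown table per question, ready for pandoc."""
    titles = [("techniques", "Most common techniques"),
              ("malware", "Most common malware families"),
              ("threats", "Most common threat actors"),
              ("vulnerabilities", "Most common vulnerabilities"),
              ("countries", "Most targeted countries"),
              ("organisations", "Most active organisations")]
    out = ["# Threat landscape report", ""]
    for key, title in titles:
        out += [f"## {title}", "", "| Value | Events |", "|---|---:|"]
        out += [f"| {v} | {n} |" for v, n in counts[key].most_common(top_n)]
        out.append("")
    return "\n".join(out)


# Constructed sample in restSearch shape (fake events, fake organisations).
T1566 = 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'
SAMPLE_RESPONSE = {"response": [
    {"Event": {"id": "1", "Orgc": {"name": "CIRCL"},
               "Tag": [{"name": T1566}, {"name": "tlp:amber"},
                       {"name": 'misp-galaxy:target-information="Luxembourg"'}],
               "Attribute": [
                   {"type": "vulnerability", "value": "CVE-2021-44228",
                    "Tag": [{"name": T1566}]},
                   {"type": "ip-dst", "value": "203.0.113.7",
                    "Tag": [{"name": 'misp-galaxy:malpedia="Emotet"'}]}]}},
    {"Event": {"id": "2", "Orgc": {"name": "CIRCL"},
               "Tag": [{"name": T1566},
                       {"name": 'misp-galaxy:target-information="France"'}],
               "Attribute": [
                   {"type": "vulnerability", "value": "cve-2021-44228", "Tag": []},
                   {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
                    "Tag": [{"name": 'misp-galaxy:malpedia="Emotet"'}]}]}},
    {"Event": {"id": "3", "Orgc": {"name": "ORG-B"},
               "Tag": [{"name": 'misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"'},
                       {"name": 'misp-galaxy:target-information="Luxembourg"'}],
               "Attribute": [
                   {"type": "vulnerability", "value": "CVE-2022-41040", "Tag": []}]}},
]}


def demo_counts():
    return aggregate(SAMPLE_RESPONSE["response"])


if __name__ == "__main__":
    # Live use: events = fetch_events("https://misp.example", "<automation key>")
    print(to_markdown(demo_counts()))
```

Run it and redirect the output to misp-event-report.md, then apply the Pandoc command listed above to get the PDF. Note that event 1 carries the T1566 tag both at event level and on an attribute, and event 2 stores the same CVE in lower case; the per-event deduplication and the case normalisation are what keep "Phishing - T1566" at 2 and CVE-2021-44228 at 2 rather than inflating them. For a live run keep certificate verification on and point the automation key at a read-only user, since the key inherits everything that user can see and do.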

References

Resources

Cheatsheets

Training materials

Other resources

Acknowledgement

A huge thanks to all the participants for their active participation. The training is also part of the MeliCERTes project.