Blogs

MISP 2.4.71 released

A new version of MISP 2.4.71 has been released including new features, improvements and important bug fixes.

• Distribution can now be set in the free-text and modules import.
• Password complexity default tightened to allow passphrase-like in addition to password.
• Password regexp (can be considered a CTF-challenge for some users) is now available as a hint.
• API restsearch has been significantly improved allowing to support alternate download types from the restsearch (currently OpenIOC is supported). OpenIOC export and CIDR tool refactored.
• Organisation blacklist is now enabled by default and sample UUIDs/organisations are now blacklisted by default.
• API The “proposal to delete flag” is now available in the API output.
• Improved error handling when failing to add a tag.
• API Event history is now available via the API.
• Set comment field to an empty string in the attributes pre-validation (to avoid null comment field).
• Correlation can now be disabled for site admin even if (s)he is not the owner.

Various bugs fixed in the sharing group synchronisation and delegation. Improvements to the UI popups when using low-resolution (aka potato displays).

Continue reading

MISP 2.4.70 released

A new version of MISP 2.4.70 has been released including new features, improvements and important bug fixes.

• A significant improvement has been introduced to the MISP user-interface to make it more accessible especially for visually impaired users.
• API improvements introduced to allow adding several attributes in one go.
• API extended to support the functionality of adding and editing MISP servers.
• A simple update feature from the user-interface was introduced to ease the update process of MISP.
• New attribute types (hex, sigma and impfuzzy) have been introduced for new misp-objects and to improve the support of the new sigma format. Sigma is a generic signature format for SIEM Systems. This new attribute type will help the development of a sigma converter via misp-modules.
• Test and diagnostic for the MISP server synchronisation has been significantly improved. The old legacy and mangle sync for very old MISP instances (2.3x) has been removed in an effort to make the code cleaner and improve the synchronisation process with recent MISP instances.

Many other bugs fixed and minor features added.

Continue reading

MISP 2.4.69 released

A new version of MISP 2.4.69 has been released including multiple security bug fixes and minor improvements.

Improvements added:

• User creation now shows a warning if the encrypted notification cannot be send due to encryption issue.
• Tagged properly added to Suricata rules.

Two security vulnerabilities (XSS) reported by Tien Phan and David Maciejak of Fortinet’s FortiGuard Labs were fixed. Thanks to them for reporting the vulnerabilities.

Continue reading

MISP 2.4.68 released

A new version of MISP 2.4.68 has been released including multiple bug fixes and improvements.

Improvements and features added:

• Enable sync permissions for read-only accounts.
• Upload org logo can now be performed via the org edit/view interface.
• An option to disable cached export has been added for low disk space servers.

Blacklisting of deleted events is now enabled by default. This feature existed before but was not enabled by default. This feature allows MISP users to ensure that deleted events never propagate back to their instance. The blacklist can easily be managed from the MISP interface. As this feature is a default behaviour that a large majority of the MISP community needs, we have decided to enable this feature by default starting from version 2.4.68.

Continue reading

MISP 2.4.67 released

A new version of MISP 2.4.67 has been released, including improvements to the sighting feature, user management and activity visualisation.

Sighting activities over tags and galaxy clusters are now visualised using sparklines, giving us an interesting outlook of contextual activity:

Continue reading

Sighting the next level

Sighting is an endless topic of discussion. This is a required feature especially when information or indicators are regularly shared to gather feedback from users said shared data. Adequate sightings can be an incredible source of information in order to describe the life-time of an indicator, its evolution and especially to ensure the understanding of indicators among a group of users using the information to detect, mitigate or block malicious activities in their infrastructures. The potential is endless, potentially being a significant gain for organised communities of infosec professionals sharing information or even serve as a requirement for advanced algorithms ranging from machine learning to reinforcement learning. But to reach such a state of a feedback loop, you first require a functional model of sighting.

Continue reading

MISP 2.4.65 released

A new version of MISP 2.4.65 (and 2.4.64) has been released, including bug fixes and new features.

API access added to the MISP statistics providing additional statistics regarding information on contributions by organisation, attributes used and tags. The API can be also used by monitoring tools to monitor the state of a MISP instance.

Continue reading

MISP 2.4.63 released

A new version of MISP 2.4.63 has been released, including bug fixes and new features.

New features in the API:

• Allowing fetching of full discussion threads via the API.
• Add and remove tags from objects by uuid (in addition to the id).

Added a new setting to show post count on the event index including a notification if it has a post newer than 24 hours.

Continue reading

MISP 2.4.62 and PyMISP 2.4.62 released

A new version of MISP 2.4.62 has been released, including bug fixes and new features.

MISP feed has been expanded to support local feed allowing users to import feeds from local directories (if MISP format) or local files (like free-text or CSV import) in addition to the network feeds.

Continue reading

MISP 2.4.61 released

A new version of MISP 2.4.61 has been released, including a critical bug fix, new features and minor updates. We strongly recommend to update MISP to this latest version.

Continue reading

MISP 2.4.60 released

A new version of MISP 2.4.60 has been released, including bug fixes and the long awaited attribute-level tagging feature.

All tags (local or from taxonomies) can now be also applied at the attribute level. This allows analysts or users to easily classify attributes within an event. Many of the taxonomies have useful properties that can be applied to provide additional contextual information to attributes. The attribute level tagging feature introduces many new potential use-cases where MISP can be used to better the day-to-day tasks of incident handlers, analysts or security engineers.

Continue reading

Information Sharing Maturity Model

Here at the MISP project, we are practical oriented people. We create software (from MISP core to MISP workbench), develop data models (such as taxonomies, warning-lists and galaxies) and build practical standards to solve information sharing challenges and improve the general state of information sharing. That’s what we strive for. If we lack something, we build it. If we see a requirement, we fullfil it.

Continue reading

MISP 2.4.58 released

A new version of MISP 2.4.58 has been released, including bug fixes and a specific improvement to the correlation feature.

Correlation can be disabled at the instance level, or, if a new setting is enabled, at the event or at the attribute level by a site admin or the creator of the event. The latter is an optional feature that can be enabled or disabled system-wide in MISP. This allows for a flexible scheme, supporting situations where the correlations of certain events or attributes are not interesting for the analysts. This feature is also available via the API.

Continue reading

MISP 2.4.57 released

A new version of MISP 2.4.57 has been released, including bug fixes and improvements.

Two major new features were introduced in 2.4.57. One of them is the addition of new attribute types and categories to support the new use-cases in MISP, including the Person, Social network and Support tool categories. The new attribute types include additional email header types along with attributes describing a natural person and even an attribute type for describing mobile application identifiers. For a complete overview of the new types, you can have a look at the wiki page “New Attributes”.

Continue reading

MISP 2.4.56 released

A new version of MISP 2.4.56 has been released, including bug fixes and improvements.

This is the first version introducing the misp-galaxy. MISP galaxy is a simple method to express large objects called cluster that can be attached to MISP events or (in the near future) attributes. A cluster can be composed of one or more elements, which are expressed as key-value pairs. You can now directly benefit from the shared galaxy with threat actors and tools used by attackers in MISP.

Continue reading

MISP 2.4.55 released

A new version of MISP 2.4.55 has just been released, including bug fixes and improvements.

This release is a transient release before the galaxy release (TTP-like support) coming up soon.

Continue reading

Independence and Threat Intelligence Platforms

After the recent news of a Threat Intelligence Platform vendor stopping its activities, we have received some questions about our strategies as a Threat Intelligence Platform.

Continue reading

MISP 2.4.54 released

A new version 2.4.54 of MISP including new features, bug and security fixes.

We strongly recommend to update to this latest version.

Continue reading

MISP 2.4.53 released

A new version 2.4.53 of MISP including several security fixes has been released.

We strongly recommend to update to this latest version as soon as possible.

Continue reading

MISP Internet Drafts Published

We recently released two Internet-Drafts describing the MISP format:

• misp-core-format - the core JSON format of MISP which describes the Event format including meta-information, attributes, shadow attributes. In addition, the Manifest format which bundles MISP events is described.
• misp-taxonomy-format - The MISP taxonomy JSON format describes how to define the complete namespace of machine tags in a parseable format.

The misp-rfc project was started to better document and describe MISP formats. The specifications are based from the real implementation cases (code is law). As we received many requests of vendors or software developers willing to integrate MISP. The specifications were designed to support organizations willing to use and integrate MISP formats in their product or software.

Continue reading