MISP

Using Threat data in your vulnerability management strategy with MISP

Ensuring a good patch management strategy in any company often raises hard trade-offs between coverage, risk and cost.

Some companies expect to be 100% patched regardless of how critical a patch is, which means spending the same effort on a fix for a button that does not work as on a critical vulnerability that is being exploited in the wild.

This blog post focuses on patches that address vulnerabilities, and on how organizations can optimize the cost and minimize the risk by using threat data from the MISP Threat Sharing Platform.

eCrimeLabs Cratos API creates integration between MISP and Cb Response

With the latest update of the Cratos API we now support direct integration between MISP and Carbon Black’s CB Response (https://www.carbonblack.com/products/cb-response/), delivered as Threat Intelligence Feeds.

With this addition you can automatically consume specific data sets from your MISP instance directly in Carbon Black Response, making your threat data even more operational: you can choose to alert, block or hunt with it.

Collaboration through sharing of threat data is the way forward

It is far from new that cyber threats are growing in complexity. The number of compromises, with leakage of confidential information as a consequence, is steadily rising. Threat actors have the knowledge, capacity and means to bypass traditional controls. Information security must be supplemented with tactical information that can be used as an indicator of where to focus efforts.

eCrimeLabs is currently offering a 30-day trial period on hosted MISP.

Merry Christmas and a Happy new year - a Summary

The year has almost come to an end and what a year it has been.

A big thanks to all who have supported a small startup and believe in the path we are on.

eCrimeLabs Cratos REST API

During the past 12 months the eCrimeLabs Cratos API has evolved significantly and has proven its effectiveness in detecting and mitigating threats at enterprise scale. The API runs on top of the MISP Threat Sharing Platform.

We are now able to deliver data in formats such as:

  • Text

  • XML

  • JSON

  • YAML

  • STIX2

  • RPZ

  • CEF

  • Bro/Zeek

  • Checkpoint

  • BlueCoat

  • SecurityOnion

The features continue to evolve and the implementations improve; keep an eye on https://www.github.com/eCrimeLabs for new public projects.
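To show what it takes to turn MISP attributes into two of the formats listed above, here is an added example that is not eCrimeLabs' Cratos code: a small standard-library Python exporter that writes the Zeek intel framework format and an RPZ zone from a constructed list of MISP attributes. The attribute dicts mimic the type/value/to_ids/event_id/comment fields of a MISP REST search result; the MISP-to-Zeek type mapping, the assumption that Zeek matches URL indicators without the scheme, and the IPv4-only rpz-ip encoding are my own choices, not something the page states.

```python
"""Export MISP attributes as Zeek intel and as an RPZ zone (added example, not Cratos).

Input is a constructed list of MISP attribute dicts; nothing here talks to a MISP instance.
"""
import ipaddress
from urllib.parse import urlsplit

# MISP attribute type -> Zeek Intel::Type (assumed mapping; extend as needed)
ZEEK_TYPES = {
    "domain": "Intel::DOMAIN", "hostname": "Intel::DOMAIN",
    "ip-dst": "Intel::ADDR", "ip-src": "Intel::ADDR",
    "url": "Intel::URL",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
    "email-src": "Intel::EMAIL",
}
ZEEK_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice"

# Constructed sample attributes in the shape of a MISP REST search result (not real IOCs).
SAMPLE_ATTRIBUTES = [
    {"type": "domain", "value": "evil.example", "to_ids": True, "event_id": 42, "comment": "C2 domain"},
    {"type": "ip-dst|port", "value": "198.51.100.7|443", "to_ids": True, "event_id": 42, "comment": ""},
    {"type": "url", "value": "http://evil.example/dl/a.exe", "to_ids": True, "event_id": 42, "comment": "payload"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True, "event_id": 42, "comment": "dropper"},
    {"type": "domain", "value": "benign.example", "to_ids": False, "event_id": 43, "comment": "seen, not malicious"},
    {"type": "text", "value": "free text", "to_ids": True, "event_id": 43, "comment": "unsupported type"},
]


def _split_composite(attr):
    """'ip-dst|port' style attributes carry two values; keep the part the target format can use."""
    if "|" in attr["type"]:
        return attr["type"].split("|", 1)[0], attr["value"].split("|", 1)[0]
    return attr["type"], attr["value"]


def _clean(text):
    """Zeek intel files are tab separated; tabs or newlines in free text would break parsing."""
    return text.replace("\t", " ").replace("\n", " ").strip() or "-"


def to_zeek_intel(attributes, misp_url="https://misp.example"):
    """Zeek intel framework file: header line plus one tab-separated line per usable indicator."""
    lines = [ZEEK_HEADER]
    for attr in attributes:
        if not attr.get("to_ids"):
            continue  # only detection-grade indicators, never contextual ones
        a_type, value = _split_composite(attr)
        zeek_type = ZEEK_TYPES.get(a_type)
        if zeek_type is None:
            continue  # type has no Zeek equivalent
        if zeek_type == "Intel::URL":
            parts = urlsplit(value)
            value = parts.netloc + parts.path  # assumption: Zeek matches URLs without the scheme
        desc = _clean(f"MISP event {attr['event_id']}: {attr.get('comment', '')}")
        lines.append("\t".join([value, zeek_type, "MISP", desc,
                                f"{misp_url}/events/view/{attr['event_id']}", "T"]))
    return "\n".join(lines) + "\n"


def _rpz_ip_trigger(value):
    """rpz-ip trigger name: prefix length followed by the reversed IPv4 octets."""
    net = ipaddress.ip_network(value, strict=False)
    if net.version != 4:
        return None  # IPv6 triggers use a different nibble encoding; kept out of this example
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def to_rpz(attributes, serial=2018100101, ttl=300):
    """RPZ zone that returns NXDOMAIN (CNAME .) for flagged domains and destination IPs."""
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. root.localhost. ( {serial} 3600 600 86400 {ttl} )",
        "@ IN NS localhost.",
    ]
    seen = set()
    for attr in attributes:
        if not attr.get("to_ids"):
            continue
        a_type, value = _split_composite(attr)
        if a_type in ("domain", "hostname"):
            name = value.rstrip(".")
            triggers = [name, "*." + name]  # the name itself and everything under it
        elif a_type in ("ip-dst", "ip-src"):
            trigger = _rpz_ip_trigger(value)
            triggers = [trigger] if trigger else []
        else:
            continue
        for trigger in triggers:
            if trigger not in seen:  # a zone with duplicate owner names would be rejected
                seen.add(trigger)
                lines.append(f"{trigger} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_zeek_intel(SAMPLE_ATTRIBUTES))
    print(to_rpz(SAMPLE_ATTRIBUTES))
```

The two filters worth copying into any real exporter are the `to_ids` check (contextual attributes must never become blocking rules) and the handling of composite types like `ip-dst|port`, which otherwise produce indicators no consumer can parse.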


Hosting of MISP Threat Sharing

“Share your indicators” together we can make a difference.

eCrimeLabs also continues to on-board customers on our hosted MISP platform, designed for customers who want to use MISP without having to handle the operational work of keeping an instance updated and running.


So, to summarize: thanks to all who believe in and support a small, growing company like eCrimeLabs, working and correlating with many others to help secure your businesses against the ongoing threats.

Merry Christmas and a happy new year.

Dennis Rand
Founder

Attending MISP Threat Intelligence Summit 0x04 and presenting at Hack.lu

Dennis Rand will be attending the MISP Threat Intelligence Summit 0x04 at hack.lu 2018 in the upcoming week, and will present at hack.lu the latest updates from the DDoS research project, including research on the MaxPain attack.

In the MaxPain attack the attacker uses, among other things, data mining to prepare the most effective possible attack scenario. With this preparation it can be possible to bypass ISP-based and enterprise anti-DDoS solutions.

https://2018.hack.lu/talks/#So+you+think+IoT+DDoS+botnets+are+dangerous+-+Bypassing+ISP+and+Enterprise+Anti-DDoS+with+90%27s+technology

If you are in Luxembourg in the upcoming week and want to meet up, please feel free to reach out.

Update from the conference:

Videos from the conference as well as the slides:

https://github.com/eCrimeLabs/Hack.lu-2018

Release of VT2MISP a tool for enriching MISP with VirusTotal data

As a strong believer in and supporter of the MISP Threat Sharing Platform, and a long-time user, I often build events based on external reports and on incidents we have worked on. That usually also involves searching for additional attributes or IOC data to build up knowledge around the event.

Part of that is checking VirusTotal for any information about, e.g., hashes. External reports often mention only an MD5, SHA1 or SHA256, and manually searching for every hash and copy-pasting the result into MISP is tedious: it takes a long time to add the file objects and the virustotal-report objects, and, last but not least, to create the relation between the two.

For this reason I created the tool VT2MISP, which makes the data more actionable by adding more data and context around the original hash.

An example is the MISP event for the case "QUASAR, SOBAKEN AND VERMIN: A deeper look into an ongoing espionage campaign" from ESET.

VT2MISP is a small Python script that can be downloaded HERE.

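To make concrete what VT2MISP automates, here is an added example that is not the VT2MISP script itself: standard-library Python that pulls MD5/SHA1/SHA256 digests out of report text, looks each one up, and builds a MISP `file` object linked to a `virustotal-report` object. The VirusTotal lookup is a constructed stub (keyed by the well-known digests of the empty file, so nothing here is a real malware hash), the report excerpt is constructed, the report field names follow the legacy VirusTotal v2 file report as I remember it, object template UUIDs are omitted, and the `analysed-with` relationship name is my assumption. Attribute `object_relation` names follow the public MISP `file` and `virustotal-report` object templates.

```python
"""Enrich a MISP event with VirusTotal context, VT2MISP-style (added example, offline)."""
import json
import re
import uuid

HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for a VirusTotal file report (legacy v2-style field names, assumed).
# The digests are those of the empty file, so this is not a real malware sample.
_EMPTY_FILE_REPORT = {
    "response_code": 1,
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "positives": 0,
    "total": 60,
    "scan_date": "2018-09-01 10:00:00",
    "permalink": "https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/",
}
_VT_DB = {_EMPTY_FILE_REPORT[k]: _EMPTY_FILE_REPORT for k in ("md5", "sha1", "sha256")}

# Constructed report excerpt: two digests of the same sample plus one SHA1 VirusTotal does not know.
SAMPLE_REPORT = """
Dropper MD5: d41d8cd98f00b204e9800998ecf8427e
Dropper SHA256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
Second stage SHA1: a9993e364706816aba3e25717850c26c9cd0d89d
"""


def vt_lookup_stub(digest):
    """Return the constructed report for a known digest, else None (like a VT 'not found')."""
    return _VT_DB.get(digest)


def classify_hash(value):
    """Map a hex digest to its MISP attribute type by length; None if it is not a digest."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_TYPES.get(len(value))


def extract_hashes(text):
    """All MD5/SHA1/SHA256 digests in the text, lower-cased, de-duplicated, in order of appearance."""
    found = []
    for match in HASH_RE.finditer(text):
        digest = match.group(0).lower()
        if digest not in found:
            found.append(digest)
    return found


def _attr(relation, attr_type, value, to_ids=False):
    return {"object_relation": relation, "type": attr_type, "value": value, "to_ids": to_ids}


def build_file_object(hashes):
    """MISP 'file' object from a dict holding any of md5/sha1/sha256."""
    obj = {"name": "file", "meta-category": "file", "uuid": str(uuid.uuid4()),
           "Attribute": [], "ObjectReference": []}
    for rel in ("md5", "sha1", "sha256"):
        if hashes.get(rel):
            obj["Attribute"].append(_attr(rel, rel, hashes[rel], to_ids=True))
    return obj


def build_vt_report_object(vt):
    """MISP 'virustotal-report' object carrying the context a bare hash lacks."""
    obj = {"name": "virustotal-report", "meta-category": "misc", "uuid": str(uuid.uuid4()),
           "Attribute": [], "ObjectReference": []}
    obj["Attribute"].append(_attr("permalink", "link", vt["permalink"]))
    obj["Attribute"].append(_attr("detection-ratio", "text", f"{vt['positives']}/{vt['total']}"))
    obj["Attribute"].append(_attr("last-submission", "datetime", vt["scan_date"]))
    return obj


def link_objects(src, dst, relationship="analysed-with"):
    """Object reference src -> dst; the relationship name is an assumption, not from the page."""
    src["ObjectReference"].append({"referenced_uuid": dst["uuid"], "relationship_type": relationship})


def enrich_event(report_text, lookup=vt_lookup_stub, info="Constructed espionage case"):
    """Expand every hash in the report into a file object plus a linked virustotal-report object."""
    event = {"info": info, "Object": []}
    unresolved, seen_sha256 = [], set()
    for digest in extract_hashes(report_text):
        vt = lookup(digest)
        if not vt or vt.get("response_code") != 1:
            unresolved.append(digest)
            event["Object"].append(build_file_object({classify_hash(digest): digest}))  # keep the IOC anyway
            continue
        if vt["sha256"] in seen_sha256:
            continue  # same sample referenced by another digest type; do not duplicate it
        seen_sha256.add(vt["sha256"])
        file_obj = build_file_object({k: vt[k] for k in ("md5", "sha1", "sha256")})
        vt_obj = build_vt_report_object(vt)
        link_objects(file_obj, vt_obj)
        event["Object"] += [file_obj, vt_obj]
    return event, unresolved


if __name__ == "__main__":
    ev, missing = enrich_event(SAMPLE_REPORT)
    print(json.dumps(ev, indent=2))
    print("not on VirusTotal:", missing)
```

Two details matter in practice: a report that lists the MD5 and the SHA256 of the same sample must collapse into one file object (the lookup response gives you all three digests, so the de-duplication is cheap), and a hash VirusTotal has never seen still belongs in the event as a bare file object, flagged for the analyst rather than silently dropped.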
For those who do not know: MISP is, in short, an open-source threat sharing platform that lets users share threat data with each other, while also serving as an internal tool for collecting all the threat data you receive, whether you collect it yourself or get it from external sources. The sharing part can be seen as a form of crowdsourcing: if your network has seen a threat, the platform makes it easy to share it with only trusted partners or with everyone, depending on the sensitivity of the data.

  • A knowledge base for threat data and threat intelligence.
  • Correlation between all the data in your instance.
  • Support for a large collection of OSINT threat feeds.
  • Easy use of the data in your security solutions.

So don't store your valuable information in your inbox; get it into an ever-evolving platform designed and developed by security professionals, threat hunters and incident response teams.

If you are interested in MISP in general, or in our MISP SaaS solution, a fully managed MISP instance that lets you take advantage of the platform without having to think about the operational part: eCrimeLabs has also built a custom broker service that lets you feed the data in MISP into your security products in a simple way. You can read more about our services under Threat Intelligence Software-as-a-Service, or contact us directly.