Danish MISP User Group/Community
The Danish MISP User Group is build around the concept of an ISAO(Information Sharing and Analysis Organizations), it is non-profit meaning that the MISP instance provided is free of charge.
We want to provide an open cross sector MISP instance with member from Denmark.
We are mapping the structure up against X-ISAC(https://x-isac.org) defined model, without following it to the full, as we want to have as few rules as possible, since this tend to minimize the sharing.
You can join by writting to misp@ecrimelabs.dk (GPG Key at the buttom of this page), remember if you allready have an existing MISP installation to also send the UUID of your organisation.
Twitter: @DanishMISP
Linkedin Group: MISP Threat Sharing (Denmark)
MISP Instance: https://dk.ecrimelabs.net/
The instance will have a sharing group that can be used to ensure data that should only be shared within this community
In the MISP instance a Sharing Group is created: MISP Threat Sharing (Denmark)
Goals and foundation
Out goal is to improve the sharing capabilities and sharing mentality in Denmark, as the goal is to become strong by helping each other.
The MISP platform can be used by organisations that does not have a MISP platform but would like to be part of a danish community based setup.
Second it can also be used as a connection point for organisations who have their own platform setup.
Together we are stronger
It is NOT a requirement that you share data, we do believe in that you have the possibility to share what you will.
It is FREE to be a part of, meaning no cost neither if you connect with your own MISP instance, or if you just want to “live” on the community MISP
Do I need my own MISP instance to be a part of the community? NO This solution supports both if you have your own MISP instance or you can “live” on the community MISP, until you feel you want to be king of your own castle (https://www.misp-project.org/2019/09/25/hostev-vs-own-misp.html)
What type of data should you share
This is not to be seen as a complete list of scenarios where you should/could share - BUT an important mindset you have to include is context add as much data as you can as this is what makes the data easier to consume.
Phishing emails / sites
Malware information
BEC (Business Email Compromises)
Spear-phishing
Technical articles you found that could be interesting.
We will attempt to build a community where people share what they find relevant and through this community and physical meeting create more trust, and by trust relationships you often share more.
Organization
This is a community driven platform, and currently we are at a starting point, with a hope to grow slow and aim high.
Rules of usage and being a part of this community project
We want to keep the rules simple and without too many rules to start with.
To be a part of this community you need to be an organisation and have a danish CVR number.
Only organisation emails will be created for the Org Admin
You will need one primary person, who will be created on the MISP platform and this person is responsible for creating other local users for the specific organisation.
Do not every change other organisations events, but use the extend event and proposals if you want to request changes or give more context.
Do NOT attach a malware sandbox to submit data automatically, it tend to cause unstructured data, with low validity and many false positives.
Mechanisms and tools
Organisations with their own MISP instance can provide their MISP UUID and get a sync user in order to push and/or pull data.
Ensure security and compliance
eCrimeLabs ApS who are managing this platform is continually monitoring and updating the platform to ensure it is as protected as possible, however for now we will not firewall the service meaning you need to use a strong password.
The server is hosted through DigitalOcean in Frankfurt.
Follow-up and improve
Any input and requests please contact misp@ecrimelabs.dk also if you want to be a part of this Danish community
misp@ecrimelabs.dk - GPG Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF49WD4BEADpDaqhEU1mWlCbqvWWxRLJcBJara4Cg7yGAlabAU/trfw2x0Ob
on9Lh6p/CpyTY/CPcJ6fH4IrU18U8wN8RaWxmHLyml0GGKBHcSYNisDu7E4nCC5P
SY8F0OH6yQ9dwX2Os3s6fJNo9ZqC3u9lxzBf0+OzH6cV6x4Olto7slGQAP1922s6
ies8M21GhCJ4X+XO1sO9ap1nDlAT/44OvxQuQdYVXy46Letehk3QXo/RU8iVgqDQ
1v/YIaFEibk9/6teeBTe1y77lULUfgl1pd9PnD68+w/WhNUuX+RECmsGH7Snm+kb
L1x+WClQgYDJioVpTA+e4R2KYIBidKfhNw3F2Hcg70wo7Bq6u/i2iM3mtK5kALyb
7jn1MHKpIGUq7vtHCzEa+d9wB1cMPj4HYF7tXIfDdtcl3bTv6IiOsNT6rhpI1+vy
upNXyRplSGRQ6RV1kZ3ACqG8kErEp6L9g2AxCh1S5b4cf79JJvHMkkS60DLPnsF0
p8RwZL1JxlNHbQ1UxgWkSHAie2d5FLY8cpTmQwTJ6/z48b68wUS7cvtntvyf6+bq
PKZrUPK4I/ly/tcMlrShx1N+aC5oHGDujuQUmmQjax9Ec2MkLBilBZJd94+avyY3
xZGuI4sfEQurD8cP89/cJOtGNZ24ZVM8NRQVAVEaqDV1r3RzF30XbVdy0QARAQAB
tDVNSVNQIFRocmVhdCBTaGFyaW5nIChlQ3JpbWVMYWJzKSA8bWlzcEBlY3JpbWVs
YWJzLmRrPokCTgQTAQoAOAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMcp
ObUHQyZwszqsoacaYbhQMh7/BQJePVjHAAoJEKcaYbhQMh7/4scP/14BEKdF8qse
f0a4v8VrAjLEuiB97p/RI5EYqvdrPT4FqhpLOLrpGM8lBtemspzRiZyPOE9BQjN6
LPhJumzGukolbCLCwF5/pMXwkAIz1vDL01qLRx1nG/OSdAY/US/gpkjhbAK9J4sU
GpqiHqUwGFT7RMiUlRIzhz1xZaTITBK/LbkVnayU9UX3eoEq9q6k3yqp6dhqyM6r
MF5ai0oouWJ0MaoPmjRSR/r9FA6WMAI2Ni8pnWZqJVJVSmwaZJLMFR7JyXTUpNXP
AwrI+T3VEErMDx3bLhF2salZFCWS0HfQN313yhv81Nk9pDSl4JDahhao77gpSjtm
mp7MaFeGaeOnS3CWI8I57/fMn4Fax9dAoHwoaG4cPTZ9mML6yH39eMCx4ik77Ucs
F5vt4MImF5tucQga3P6JiYAzkDyBSzd5gQR0ocWECYnK7fMF9PmdYj6p56XqVwVs
vR+0rDXc6NrqpELf62NHwnCegn9bPTwNOK158m5CHcZ+veuQBitL/6AbjHX8K7cf
bb0iVJQpCskkIRq9oidNOXBDOt2vyrwLoG0RcfKS6uOJWoQakyO1TNCI87oo+fo3
lUfyUqHhDCXX72lBmW2kXIPAPRhpJmVUaAyc3nzYBU5/5xV1xrH0VhXeyw17tj6w
XpSrwosJzIkrJzto2oaJhAqehBPMTO0n
=FHjc
-----END PGP PUBLIC KEY BLOCK-----
Additional sources
Descriptions on the MISP Project and how to create an event
https://www.circl.lu/doc/misp/create-event-report/
https://www.misp-project.org/index.html
MISP Video's / Training
https://www.youtube.com/watch?v=aM7czPsQyaI
https://www.youtube.com/watch?v=Jqp8CVHtNVk&t=1s
https://www.youtube.com/watch?v=bJvsV1XjPd8