Red Teaming

Threat Intelligence: MISP Lab Setup

MISP is an open-source Threat intelligence and sharing platform (formerly known as Malware Information Sharing Platform) that is used for collecting, storing distributing and sharing cybersecurity indicators and threats about cybersecurity incidents & malware analysis.

MISP provides facilities to support the exchange of information but also the consumption of information by network intrusion detection systems (NIDS), a Log-based intrusion detection system (LIDS), but also by log analysis tools, SIEMs.

  • MISP provides storage of technical and non-technical information about seen malware and attacks.
  • Creates automatically relations between malware and their attributes.
  • It Stores all of the intelligence and threat attributes data in a structured format.
  • It Shares threat attributes & malware data by default with other trust-groups.
  • MISP able to Improve malware detection and reversing to promote information exchange among organizations (e.g. avoiding duplicate works).
  • MISP Stores all information from other instances locally (ensuring confidentiality on queries).

To configure MISP in your Ubuntu platform, there are some prerequisites required for installation.

Ubuntu 20.04.1

Mysql

Non-root user

Table of Content

  • Install MISP and All Dependencies
  • Default Credentials
  • Change admin password
  • Create an organization
  • Create admin for the new organization
  • Enable threat intel feeds
  • Setup of IPython+PyMisp
  • Integrate MISP instance with PyMISP
  • Create a MISP event
  • Addition of object to MISP event
  • Search MISP for IOC
  • Threat monitoring
  • Updation of MISP in future for latest versions

Install MISP and All Dependencies

Let’s begin installation with system update and upgrade.

sudo apt-get update -y && sudo apt-get upgrade -y

MISP requires Mysql-client available in our machine. Install Mysql-client using the below command.

sudo apt-get install mysql-client -y

To install MISP on fresh ubuntu 20.04.1, all you need to do is the following. Just remember one thing this is an automated bash script that can’t run with Root privileges run this script with Non-root users.

Install MISP with install.sh

curl https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh -o misp_install.sh

Change the permission of file misp_install.sh and make it executable. To do this run the following command. The script will need some time to install MISP on your Ubuntu platform.

chmod +x misp_install.sh
./misp_install.sh -A

In the middle of installation Enter “Y” to create MISP user

Now, we are going to add a rule to firewall this will allow port 80/tcp and 443/tcp

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

After, the installation of MISP we can use a browser to connect to MISP.

By Default, MISP is listening on loopback address or Base URL To access MISP on your Browser browse the following URL

https://127.0.0.1/users/login

Default Credentials

For the MISP web interface -> admin@admin.test:admin

For the system -> misp:Password1234

Change Admin Password

Enter new Password

The password must be in standard form. Minimum Length of password is at least 12 words that contain upper case & lowercase alphabet, special character and a numerical value

For example – Ignite@12345

You can verify your credentials by a head over to

https://127.0.0.1/users/view/1

or also by going in my profile section of MISP Administration panel

Create an organization

GO to Administration section head over to Add Organisations

  • Select Administration > add Organisations
  • Enter “< organization name >” into organization identifier
  • Select “Generate UUID”
  • Select “submit” button at the bottom

You can also check the instance presence of your local organizations by heading over to List organizations under the section of Administration

Create Admin for New Organisation

we have successfully created an organization let’s assign an Admin role to the organization all you need to do is head over to “Add User” under the section of “Administration”

Administration > Add user

  • Enter “ignite@<fqdn>” for email
  • Check the “set password” password should be in a standard form that satisfies the minimum requirements.
  • Select “<new org name>” for organization
  • Select “Role” for the new organization
  • Select “submit” button at the bottom

You can also check the instance Rights of your local organizations by heading over to List organizations under the section of Administration

Create an API user for the new organization

Administration > Add user

Enter “api_user@<fqdn>” for email

Select “<new organization name >” for organization

Select the “user” role for the new organization

Select “submit” button at the bottom

Enable Threat intel feeds

To enable feeds you will need to login to MISP console with the superuser account which is admin@admin.test account.

This one is a little bit special, as we can go into the “Sync actions” tab to build our panel.

When entering the Sync actions tab, select the list feeds tab.

From there find feeds such as CIRCL osint and check feeds tab

And then head over to the “Edit” icon

  • Check “Enabled”
  • Check “Lookup Visible”
  • Check “Caching Enabled”
  • Select “Edit” at the bottom

By Editing feeds head over to “fetch and store all feed data” tab

Great! we have successfully Enabled threat intel feeds.

Setup Ipython+PyMISP

PyMISP is a python library to access MISP platforms via there REST API.

PyMISP allows you to fetch events, add or update events/attributes, add or update samples or search for attributes. PyMISP API is used to store indicators of compromise (IOCs) in MISP and query IOCs from MISP.

In the MISP console head over to Administration and select List Users

Look for “api_user@<fqdn>” and copy “auth key

Let’s open the terminal and begin setup of Ipython & PyMISP

To do this run the following command

pip3 install ipython
pip3 install -U pymisp

Connect MISP instance with PyMISP

Ipython

Ipython is an alterative python interpreter it is an interactive shell used for computing in python. Let’s load the Ipython interpreter and start scripting to do this follow the below commands. Just remind one thing don’t leave or exit from python interpreter till the end (e.g ipython).

ipython
from pymisp import ExpandedPyMISP
misp_url = 'https://<FQDN of MISP>'
misp_key = "<Enter MISP API key>"
misp_verifycert = False
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

Create MISP Event

MISP events are encapsulation for contextually linked information. Linked information will include things such as domains, file hashes, IP addresses, Malicious binaries,. We are going to call an object named “Event from notebook 2” to do this run the following command.

from pymisp import ExpandedPyMISP, PyMISP, MISPEvent
event_obj = MISPEvent()
event_obj.distribution = 1
event_obj.threat_level_id = 1
event_obj.analysis = 1
event_obj.info = "Event from notebook 2"
# Add event to MISP
event = misp.add_event(event_obj)
event_id, event_uuid = event['Event']['id'], event['Event']['uuid']
print (event_id, event_uuid)

Addition of object to MISP event

The creation of a new MISP object generator should be done using a pre-defined template and inheritance. Our new MISP generator needs to generate attributes, and add them as class properties using additional attributes. When the object is sent to MISP, all the class properties will be exported to JSON Export. Attributes in MISP can be network indicators such as IP address, System indicators (e.g a string in memory), or bank account details.

To do this run the following command.

from pymisp import MISPAttribute
# Define attributes
attr_type = "ip-src"
value = "8.8.8.8"
category = "Network activity"
to_ids = False
# Create attribute object
attribute = MISPAttribute()
attribute.type = attr_type
attribute.value = value
attribute.category = category
attribute.to_ids = to_ids
# Add attributes to event
attribute_to_change = misp.add_attribute(event_id, attribute)
# Print event
print(attribute_to_change['Attribute']['id'], attribute_to_change)

Search MISP for IOC

Let’s search for an IOC in MISP ipython interpreter. Run the following command to perform the search.

misp.search(controller=’attributes’, type_attribute=”ip-src”, value=”8.8.8.8″)

Awesome now you have completely setup MISP on your Ubuntu Platform.

Great!

Threat Monitoring

Let’s check what happens on the MISP dashboard.

This one is gonna very special as we can go into the “Audit” tab to build our panel.

When entering the Audit tab select “List Logs” tab

Wait this is not enough 🙂

Hold tight!

As we can see, Now we have direct access to every log related to Threat Intelligence.

We can for Example track illegal attacks.

Similarly, we can do Malware analysis from various servers also we can see logs of (NIDS) Network intrusion detection system,  (LIDS), Log analysis Tools, SIEMs.

Nice! Now your Panel is included in your dashboard.

Updation of MISP in Future for Latest Versions

It is strongly recommended to upgrade MISP via the Web interface. This Blog may not always be up-to-date and will require you to fix permissions.

In general, updating MISP between point releases for example 2.4.50 -> 2.4.53 happens with the following command are to be executed to be as root.

To update the latest commit from 2.4 branches simply pull the latest commit.

Enter the following command

cd /var/www/MISP
sudo -u www-data git pull origin 2.4
sudo -u www-data git submodule update –init –recursive

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here