MISP
MISP (Malware Information Sharing Platform) is an open-source threat information platform that facilitates the collection, storage, and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud, or any intelligence within a community of trusted members1.
MISP Terms
Events: Collections of contextually linked information, representing specific incidents or occurrences.
Attributes: Individual data points associated with an event, such as network or system indicators.
Objects: Custom attribute compositions.
Object References: Relationships between different objects.
Sightings: Time-specific occurrences of a given data point or attribute detected to provide more credibility.
Tags: Labels attached to events/attributes.
Taxonomies: Classification libraries used to tag, classify, and organize information. Taxonomies provide a standardized framework for categorizing and labeling threat intelligence. Examples include:
-
MISP Galaxy: A knowledge base that provides a comprehensive set of threat intelligence items, including threat actors, tools, vulnerabilities, and more. It enables analysts to label events and attributes with relevant contextual information from the galaxy.
-
Industry-Specific Taxonomies: Custom taxonomies tailored to specific industries, such as finance, healthcare, or energy. These taxonomies help organizations focus on relevant threats and indicators specific to their sector.
-
MITRE ATT&CK: A widely used taxonomy that describes adversary behavior and techniques across the cyber kill chain. It provides a standardized framework for understanding and categorizing the tactics, techniques, and procedures (TTPs) employed by threat actors.
Indicators: Pieces of information that can detect suspicious or malicious cyber activity.