MISP (Malware Information Sharing Platform) is an open-source threat information platform that facilitates the collection, storage, and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud, or any intelligence within a community of trusted members1.

MISP Terms

Events: Collections of contextually linked information, representing specific incidents or occurrences.

Attributes: Individual data points associated with an event, such as network or system indicators.

Objects: Custom attribute compositions.

Object References: Relationships between different objects.

Sightings: Time-specific occurrences of a given data point or attribute detected to provide more credibility.

Tags: Labels attached to events/attributes.

Taxonomies: Classification libraries used to tag, classify, and organize information. Taxonomies provide a standardized framework for categorizing and labeling threat intelligence. Examples include:

  • MISP Galaxy: A knowledge base that provides a comprehensive set of threat intelligence items, including threat actors, tools, vulnerabilities, and more. It enables analysts to label events and attributes with relevant contextual information from the galaxy.

  • Industry-Specific Taxonomies: Custom taxonomies tailored to specific industries, such as finance, healthcare, or energy. These taxonomies help organizations focus on relevant threats and indicators specific to their sector.

  • MITRE ATT&CK: A widely used taxonomy that describes adversary behavior and techniques across the cyber kill chain. It provides a standardized framework for understanding and categorizing the tactics, techniques, and procedures (TTPs) employed by threat actors.

Indicators: Pieces of information that can detect suspicious or malicious cyber activity.

References