Keeping up with the newest threats can be time consuming, especially if you go on a rampage and google your way through the web and/or scroll through hundreds of Twitter feeds daily.

Done this way, OSINT/threat intel is reduced to a “let me google that for you”, and important details tend to disappear down the rabbit hole, or you simply miss them.

Over the next months, I will dig into this topic, and if you want, you can follow me on my way down the rabbit hole.

So, where do we start? Well, we need a tool that offers us a way of consolidating different info streams.

Yes, the first thing that comes to mind could be SPLUNK. But do you really want to fire a battleship gun at an undefined target?

I personally selected MISP for the first steps, knowing that I will probably have to switch to SPLUNK in the future. But for the first steps, let us use MISP.

What is MISP?

MISP itself stands for

Malware
Information
Sharing
Platform

If you want a more standardized way of working with TAXII and STIX, MISP can help you get a quicker overview, and it has 66 different threat intel feeds already built in.

The project provides an installation script, and there is even a ready-made VM, which can be used to get a quick overview of MISP without installing it yourself.

You can find the installation scripts and the VMs here:

MISP Downloads

But if you think this is going to be easy, you are wrong.

Starting the VM is easy, opening your browser and pointing it to the IP of this VM is still easy, and yes, the login credentials are easy too, but then it starts…

The login page redirects you to

https://localhost:8443

Well… guess what, this does not work unless MISP is running on your local machine, because the VM's baseurl still points to localhost and your browser follows that redirect to itself…

You could now just install the missing KDE environment in this VM, but doing this broke several other things, like MySQL no longer working afterwards.

But hey, use Kali Linux and follow the installation procedure…

Well, it worked, until I wanted to log in and MySQL stopped working there too.

To make things easy, especially if you have control over the DNS entries in your local network, open the following file in the VM:

/var/www/MISP/app/Config/config.php

There you have to change two parameters to get it running: the baseurl MISP uses for its redirects, and the external_baseurl it advertises to others. Here are my examples:

'baseurl' => 'https://misp2go:443',
'external_baseurl' => 'https://misp2go:443',

misp2go is just a placeholder. Now create a DNS entry that maps this name to the IP of the VM, and make sure that your DHCP server always hands out that same IP to the VM (a static lease or reservation); if the VM's IP changes, the DNS entry and with it the redirect break again.

Things like static mappings in your hosts file are possible, but you should think twice about that: a hosts entry only helps the one client it is written on, while a proper DNS entry works for every host that has to reach MISP.
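Before rebooting and retrying the login, it is worth checking that the two settings really point at something reachable from outside the VM. The following script is an added example (not MISP tooling): it pulls baseurl and external_baseurl out of config.php, flags values that only resolve on the VM itself (localhost, 127.0.0.1, ::1, which is exactly the broken state of the shipped VM), checks that both values agree, and optionally verifies that the hostname resolves to the IP the DHCP reservation hands out. The sample config texts, the hostname misp2go and the IP 192.168.1.50 are constructed for the example.

```python
"""Sanity-check MISP's baseurl / external_baseurl before trusting the redirect.

Added example, not part of MISP: parses the two settings out of config.php,
rejects loopback hosts, and (optionally) checks that the name resolves to the
IP the VM actually has.
"""
import ipaddress
import re
import socket
import sys
from urllib.parse import urlsplit

# Constructed sample: the shipped VM before the fix (redirects to localhost).
SAMPLE_CONFIG_BEFORE = """
$config = array(
    'MISP' => array(
        'baseurl' => 'https://localhost:8443',
        'external_baseurl' => 'https://localhost:8443',
    ),
);
"""

# Constructed sample: after editing config.php as described above.
SAMPLE_CONFIG_AFTER = """
$config = array(
    'MISP' => array(
        'baseurl' => 'https://misp2go:443',
        'external_baseurl' => 'https://misp2go:443',
    ),
);
"""

SETTING_RE = re.compile(r"'(?P<key>(?:external_)?baseurl)'\s*=>\s*'(?P<value>[^']*)'")


def parse_baseurls(config_text):
    """Return {'baseurl': ..., 'external_baseurl': ...} found in config.php text."""
    return {m.group('key'): m.group('value') for m in SETTING_RE.finditer(config_text)}


def is_loopback(host):
    """True for names/addresses that only work from the machine itself."""
    if host.lower() == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host.strip('[]')).is_loopback
    except ValueError:          # a hostname, not an IP literal
        return False


def check_baseurl(url, expected_ip=None, resolver=socket.gethostbyname):
    """Return a list of problems with one setting value; empty list means fine."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != 'https':
        problems.append(f'{url}: scheme is not https')
    if not host:
        problems.append(f'{url}: no hostname')
        return problems
    if is_loopback(host):
        problems.append(f'{url}: loopback host, the redirect only works on the VM itself')
        return problems
    if expected_ip is not None:
        try:
            resolved = resolver(host)   # injectable so the check can run offline
        except OSError as exc:
            problems.append(f'{url}: {host} does not resolve ({exc})')
            return problems
        if resolved != expected_ip:
            problems.append(f'{url}: {host} resolves to {resolved}, expected {expected_ip}')
    return problems


def check_config(config_text, expected_ip=None, resolver=socket.gethostbyname):
    """Check both settings and require them to agree with each other."""
    urls = parse_baseurls(config_text)
    problems = []
    for key in ('baseurl', 'external_baseurl'):
        if key not in urls:
            problems.append(f'{key} not set')
        else:
            problems.extend(check_baseurl(urls[key], expected_ip, resolver))
    if len({urls.get('baseurl'), urls.get('external_baseurl')}) > 1:
        problems.append('baseurl and external_baseurl differ')
    return problems


if __name__ == '__main__':
    # Usage: python check_baseurl.py /var/www/MISP/app/Config/config.php 192.168.1.50
    path = sys.argv[1] if len(sys.argv) > 1 else '/var/www/MISP/app/Config/config.php'
    ip = sys.argv[2] if len(sys.argv) > 2 else None
    with open(path, encoding='utf-8') as fh:
        found = check_config(fh.read(), expected_ip=ip)
    print('\n'.join(found) if found else 'baseurl settings look sane')
    sys.exit(1 if found else 0)
```

Run it inside the VM against the real config.php with the reserved IP as second argument; a non-zero exit means the login redirect will still send browsers somewhere they cannot reach.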

Next time we will go deeper into MISP, TAXII and STIX.