MISP Integration for Open Source Intelligence enrichment and dissemination with Cymulate Platform

  • 30 September 2021
  • 2 replies
  • 134 views

Badge

Most of the Organization have their MISP infra to gather Open Source intelligence and integrated with Security Orchestration Automation and Response to block the threat but there is no way to vet the IOC provided by MISP.  

 

How can we make use of Cymulate to 

  1. Check Reachability to the IOC gathered from the OSInt ?
  2. Check Data Exfiltration capability through the said IOC ?
  3. Check Reputation of the said IOC gathered through and exchanged anonymously within the network of Cymulate and simultaneously being vetted across the various industries post their consent to exchange Threat Data?

 

Type of IOC to be vetted:-

  1. IP
  2. IP and Port combination
  3. Email

 


2 replies

Badge +1

Hi Aayush,

 

I’m not sure if this is the correct place for this message, because there’s not a integration available for MISP&Cymulate. Maybe it would be fit better in the “Ideas section”, because I think this idea have potential and it’s , on my mind, relevant enough for Cymulate Team to think about how to implement it, if it’s possible and matches with the roadmap they have in mind.

Anyway, some workarround could be done by ourselves.

Through the “Immediate Threats” module, it’s possible to create a custom threat simulation (blue button upon the right). You can upload URL’s, domains, ip’s and port numbers. You can also, upload files if the malware sample you want to test is not published on internet.

And…you have available the API endpoint /immediate-threats/upload/ which allows you to automate vía scripting the process of creating a custom immediate threat with custom IOC’s like URL, domain, IPs and port!

Taking that into account, the approach I’m suggesting is coding a script that:

  • Retrieves custom IOCs from MISP
  • Creates an assessment on Cymulate through “/immediate-threats/upload/
  • Start the assessment through “/immediate-threats/start/

MISP has a powerful API also, so you could search IOC’s in it applying filters following a criteria that allows you to prioritize the malware that should be tested.

So, to sum up, about the 3 things you suggested:

 

  1. Check Reachability to the IOC gathered from the OSInt – That’s possible
  2. Check Data Exfiltration capability through the said IOC ? – This is not an easy thing to implement, because each IOC in case it allow upload forms or other ways to exfiltrate data, will need to be implemented in a different way.
  3. Check Reputation of the said IOC gathered through and exchanged anonymously within the network of Cymulate and simultaneously being vetted across the various industries post their consent to exchange Threat Data? About exchanging anonymously with cymulate, will depend on if the company wants to share their misp data, and if cymulate thinks the misp data is relevant or trustworthy  enough to share that knowledge with other clients

Regards,

 

David

Userlevel 1
Badge +3

Most of the Organization have their MISP infra to gather Open Source intelligence and integrated with Security Orchestration Automation and Response to block the threat but there is no way to vet the IOC provided by MISP.  

 

How can we make use of Cymulate to 

  1. Check Reachability to the IOC gathered from the OSInt ?
  2. Check Data Exfiltration capability through the said IOC ?
  3. Check Reputation of the said IOC gathered through and exchanged anonymously within the network of Cymulate and simultaneously being vetted across the various industries post their consent to exchange Threat Data?

 

Type of IOC to be vetted:-

  1. IP
  2. IP and Port combination
  3. Email

 

Step 1 and 3 can be created using an Immediate threat custom template. If you have licensed this module, you can build this template and then test it with email, web, and endpoint vectors. If the files/IP’s are stopped by one of your tools you will know they are seen as true malicious. 

 

The hard part is if they are not stopped. This could be one of two things. Either the firewall didn’t recognize that as malicious because it is NOT. Or the firewall didn’t recognize as malicious because it is not updated. 

If you don’t have access to the Immediate threat license reach out to your customer success manager or sales person and they can enable a free trial of this. 

Reply