[HN Gopher] MISP - open-source threat intelligence and sharing p...
___________________________________________________________________
MISP - open-source threat intelligence and sharing platform
Author : adulau
Score : 68 points
Date : 2022-02-20 13:57 UTC (9 hours ago)
(HTM) web link (www.misp-project.org)
(TXT) w3m dump (www.misp-project.org)
| jonstewart wrote:
| MISP is primarily PHP. I haven't kept up with it, but a few years
| ago when my team took it for a test drive it stored malware
| samples inline in its database, rather than as flat files. We
| quickly abandoned it.
|
| In mid-2020, we stumbled upon OpenCTI
| (https://www.opencti.io/en/). It's so much better! It probably
| doesn't do quite as much as MISP, but it has a nice release tempo
| and upgrades have been painless.
| badrabbit wrote:
| I use MISP all the time; what could you possibly have against
| storing malware in a database? I mean, it's de facto practice to
| zip them up with password "infected" anyways, but even that
| aside, how do you imagine this to be harmful? Flat files, on the
| contrary, risk unintended interaction or execution.
|
| Also, there are plenty of alternatives (paid) that do a lot
| more or less. This isn't one of those one-size-fits-all
| products, it is a product you pick to help you operationalize
| threat intel; what that means and the requirements derived from
| it could be wildly different. I have implemented MISP several
| times and not once did it involve storing actual malware samples
| (hashes and YARA were adequate).
| mpettitt wrote:
| I was looking at this a couple of weeks ago, and compared to some
| alternatives (e.g. OpenCTI) it seemed a lot less polished. It was
| still easier to get running than Cortex though, at least for a
| basic look.
| badrabbit wrote:
| It isn't polished and is more involved, but it is well supported
| both by products for integration and as a project by the EU. It
| has a very flexible API as well. It lacks features paid platforms
| have, like a built-in TAXII server, but it is, like most OSS
| projects, continually evolving and dependent on PRs.
|
| It all depends on your requirements. I have seen industry-wide
| orgs using a spreadsheet for sharing intel. And then you have
| ThreatConnect and SOARs with built-in TIPs.
|
| It's not for everyone, but it is a good starting point. If you
| are trying to figure out how to best operationalize threat
| intel, use MISP. It will help you define what your requirements
| are at least. Setting it up and dealing with occasional issues
| can be a pain, but that aside it works smoothly. Once you get it to
| help you define your threat intel program and pipeline, you can
| decide if something else that costs six figures or is new to
| the market can get the job done and provides better value. Just
| my $0.02.
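The two badrabbit comments above make the point that hashes and YARA rules, not sample bytes, are usually what an analyst needs from a TIP, and that MISP exposes them through its REST API. The following is an added example (editor's code, not MISP project code or anything posted in the thread) of the defender-side pattern: hash a file locally, then query MISP's `attributes/restSearch` endpoint for that hash and reduce the response to the event and indicator fields a SOC would act on. `MISP_URL` and `MISP_KEY` are placeholders for a real instance, the request body and headers follow MISP's documented REST API, and `SAMPLE_RESPONSE` is a constructed payload that only approximates the real response shape so the lookup can be exercised offline.

```python
"""Hash-based indicator lookup against a MISP instance (added example).

Assumptions (placeholders, not values from the page or the MISP project):
  MISP_URL  - base URL of the MISP instance
  MISP_KEY  - an API key with read access to attributes
"""
import hashlib
import json
import re
import urllib.request

MISP_URL = "https://misp.example.invalid"   # placeholder: your MISP base URL
MISP_KEY = "REPLACE_WITH_API_KEY"           # placeholder: your MISP auth key

# Hex-digest length -> MISP attribute type for the common file-hash types.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# SHA-256 of the empty byte string; used below only as a harmless sample value.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_hex(data: bytes) -> str:
    """Hash a sample locally; only the digest ever leaves the analyst's box."""
    return hashlib.sha256(data).hexdigest()


def hash_type(value: str):
    """Classify a hex digest as md5/sha1/sha256 by length, or None if not a hash."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_TYPES.get(len(v))


def build_restsearch_request(value: str) -> urllib.request.Request:
    """Build the POST that MISP's attributes/restSearch endpoint expects."""
    htype = hash_type(value)
    if htype is None:
        raise ValueError("value is not an md5/sha1/sha256 hex digest")
    body = {"returnFormat": "json", "type": htype, "value": value.strip().lower()}
    return urllib.request.Request(
        f"{MISP_URL}/attributes/restSearch",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": MISP_KEY,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


def parse_matches(response_json: dict) -> list:
    """Reduce a restSearch response to the fields a SOC acts on."""
    attrs = response_json.get("response", {}).get("Attribute", [])
    return [
        {
            "event_id": a.get("event_id"),
            "type": a.get("type"),
            "value": a.get("value"),
            "to_ids": a.get("to_ids"),          # detection-worthy flag set by the sharer
            "info": a.get("Event", {}).get("info"),
        }
        for a in attrs
    ]


def _send_over_network(req: urllib.request.Request) -> dict:
    """Default transport: actually talk to the MISP instance."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lookup(value: str, send=_send_over_network) -> list:
    """Query MISP for a hash; `send` is injectable so tests can stay offline."""
    return parse_matches(send(build_restsearch_request(value)))


# Constructed response, approximating the shape MISP returns; not captured from a
# real instance. The single attribute is the harmless empty-string SHA-256.
SAMPLE_RESPONSE = {
    "response": {
        "Attribute": [
            {
                "id": "101",
                "event_id": "42",
                "type": "sha256",
                "value": EMPTY_SHA256,
                "to_ids": True,
                "Event": {"id": "42", "info": "constructed example event"},
            }
        ]
    }
}

if __name__ == "__main__":
    # Offline demonstration using the constructed response instead of the network.
    digest = sha256_hex(b"")
    for m in lookup(digest, send=lambda req: SAMPLE_RESPONSE):
        print(f"event {m['event_id']} ({m['info']}): {m['type']}={m['value']} to_ids={m['to_ids']}")
```

Only the digest is sent to the TIP, which is the point badrabbit makes: the platform never needs the sample itself to be useful. Replacing `send` with the default network transport turns the same code into a live query once the placeholders point at a real instance.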
___________________________________________________________________
(page generated 2022-02-20 23:01 UTC)