If you are wondering how MISP can be used in the framework of the NIS Directive User Community to share not only the observed attacking techniques but also the reporting, NISDUC has just published a Lessons Learnt report “NISDUC Lessons learnt –vol.1”
This report explains that “Information on threat actors that target infrastructures help security analysts to assess the observed attacks. For instance, some threat actors are well known for making targeted attacks and have more focus on an infrastructure than opportunistic attackers. In CSIRT communities, MISP galaxies are used for sharing this kind of information, especially threat actor information.” (page 20).
Efficient NIS reporting with MISP
The report goes on explaining how MISP is a key CSIRT tool for actively using information in MeliCERTes: “The aim of CIRCL is to support the different actors and thus facilitate collaboration and strategic sharing of cybersecurity information. One key element is the current implementation and deployment of MeliCERTes by the European Commission to improve cooperation and information-sharing platform. MISP is one of the key CSIRT tools for actively using information in MeliCERTes. The aim is to improve the sharing aspect (such as the privacy-aware functionnalities), which can help the Operators of Essential Services more efficiently share and reuse information from CSIRTs and improve their notification duties within the NIS Directive.” (page 20).
As the lead developer of MISP, CIRCL is keen to improve the existing confidence in sharing in order to improve the key activities that stakeholders need to perform within the NIS Directive.