MISP - Threat Intelligence Platform

A platform for sharing, storing and correlating Indicators of Compromises of targeted attacks.

Private organizations or accredited CERTs can request an access to their respective MISP platform.

What is MISP?

A platform for sharing, storing and correlating Indicators of Compromises of targeted attacks.

Malware Information Sharing Platform (MISP) allows organizations to share information about malware and their indicators. MISP users benefit from the collaborative knowledge about existing malware or threats. The aim of this trusted platform is to help improving the counter-measures used against targeted attacks and set-up preventive actions and detection.

MISP Malware Information Sharing Platform screenshot

CIRCL MISP - a trusted platform with multiple goals

The objective of the CIRCL Malware Information Sharing Platform is to:

  • Facilitate the storage of technical and non-technical information about seen malware and attacks
  • Create automatically relations between malware and their attributes
  • Store data in a structured format (allowing automated use of the database to feed detection systems or forensic tools)
  • Generate rules for Network Intrusion Detection System (NIDS) that can be imported on IDS systems (e.g. IP addresses, domain names, hashes of malicious files, pattern in memory)
  • Share malware and threat attributes with other parties and trust-groups
  • Improve malware detection and reversing to promote information exchange among organizations (e.g. avoiding duplicate works)
  • Create a platform of trust - trusted information from trusted partners
  • Store locally all information from other instances (ensuring confidentiality on queries)

For more information: Information Sharing and Cyber Security - The Benefits of the Malware Information Sharing Platform (MISP).

How does MISP work?

MISP Malware Information Sharing Platform overview

Malware Information Sharing Platform is accessible from different interfaces like a web interface (for analysts or incident handlers) or via a ReST API (for systems pushing and pulling IOCs). The inherent goal of MISP is to be a robust platform that ensures a smooth operation from revealing, maturing and exploiting the threat information.

How to request access?

If you work for an organization or an accredited CERT or you are a trusted security vendor/researcher, you can request access by contacting us. The registration and access requires the use of at least one PGP key per organization.

What are the rules?

The access is free-of-charge. The objective is to stimulate sharing practises among public and private actors. The access is mainly bound to distribution as described in the traffic light protocol.

How the information is shared among the MISP instances worldwide?

MISP Malware Information Sharing Platform flow of events

In MISP, there are 4 options regarding distributing events and their respective attributes:

  • Your organisation only
  • This community only
  • Connected communities
  • All communities

In the diagram above, you can see an overview of the MISP instances operated by CIRCL. As the distribution is inherent to the connectivity among the MISP instances, participant should keep in mind the overall connectivity to select the appropriate distribution category.

Further details via CIRCL’s dedicated page or the general MISP project webpage.

Provided by