How to host your own Threat Intelligence server and fill it with data?
Ever received a link through email that took you to a suspicious website?
Well, if your answer is no, you are fortunate, because such a link could have cost you a lot of personal information.
According to a cybercrime report, most cyberattacks begin with a simple email. Above 90 percent of successful hacks and data breaches stem from phishing emails that trick the recipients into clicking a link, opening a document, or forwarding information to someone they shouldn't.
"People are the weakest link in the security chain," says Kathy Hughes.
Being associated with Cyber Security, I am compelled to agree.
Approximately 66 billion legitimate emails are sent on a daily basis. Unfortunately, an average of 303 billion illicit or malicious emails also spam inboxes.
This clearly shows the importance of monitoring spam emails on their way to corporate users' inboxes.
As cyber threats evolve and new ones pop up every other day, cybersecurity analysts have to step up, because they cannot afford to lose to such threat actors. This is where cyber threat intelligence comes into play, and why hosting your own threat intelligence server and populating it with data is worth the effort.
Table of contents:
- What is Cyber Threat Intelligence?
- Types of CTI
- Cyber threat intelligence lifecycle and process
- Creating your Cyber Threat Intelligence program
- Cyber Threat Intelligence Sources
- What is Malware Information Sharing Platform and Threat Sharing?
- Configuring MISP on Ubuntu 20.04
According to a definition provided by Robert Clark, "Analysts describe intelligence as being actionable information". This leads to two deductions that also apply to CTI: first, intelligence is not just any information or data, but information that has been analyzed; second, intelligence must be actionable, and if it cannot be acted upon, there is no use in having it.
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
- Gartner
Image Source – slideshare.net
In my opinion, Cyber threat intelligence can be Strategic, Tactical, or Operational.
- Strategic intelligence provides organizations crucial insight by answering the questions WHO and WHY. Its goal is to identify threat actors while addressing ongoing trends.
- Tactical intelligence includes things like tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs). IOCs are among the most accessible types of CTI to process and are often the standard focus of tooling. Some of the most commonly used IOCs are IP addresses, Uniform Resource Locators (URLs), domain names, and file hashes.
- Operational threat intelligence educates on specific threats to the organization. It provides contextual information about security events and incidents that helps defenders uncover potential risks, better understand attackers' methods, identify past malicious activity, and investigate malicious activity far more cheaply. Its consumers include incident response, network defense, security forensics, and fraud detection groups.
Image Source – twitter.com
The cyber threat intelligence lifecycle is an iterative process of five or six steps that turns raw data into intelligence. Threat intelligence works best as a cycle rather than a list of steps. The CIA originally developed a six-step lifecycle; the common breakdown into five steps, with feedback closing the loop, looks like this:
- Direction: During the direction phase of the threat intelligence lifecycle, you set your program goals, which should describe the assets and business processes you want to protect, the threats you want to prioritize, and the types of threat intelligence you will deploy.
- Collection: Collection constitutes gathering information to satisfy the intelligence needs. Information can be obtained from a variety of sources, including threat intelligence reports, online forums, threat intelligence feeds, and security professionals.
- Processing: Processing involves converting raw data into a usable format. Different collection methods often require different forms of processing. For example, human reports should be reviewed and processed for key threat indicators related to your program objectives.
- Analysis: Analysis is the process of converting processed information into intelligence that can guide security decisions. During the analysis phase, the recipients' requirements should be prioritized. The key is to make critical data points easily digestible for stakeholder decisions.
- Dissemination: This is the timely distribution of threat intelligence to the parties that need it. You need to determine the frequency of updates, the platform you will distribute the information on, and how you will communicate with stakeholders about it.
- Feedback: Improving your threat intelligence program requires regular feedback from stakeholders to ensure that the information gathered matches the needs of each group, so that you can make adjustments as your goals change. Such feedback is also an indispensable way to stay up to date on cybersecurity best practices.
The global CTI market is estimated to reach $981.8 million by 2023, driven by demand for expertise and access to information from all sources. According to the 2018 Ponemon Institute Report on Cyber Threat Intelligence Sharing:
- Over 60% of respondents were dissatisfied with the quality of the threat intelligence.
- Almost 25% of respondents were unable to prioritize threats by category.
- Nearly 40% of respondents lacked the context that makes threat intelligence actionable.
Image Source – eccouncil.org
If you don't already have a threat intelligence program, make it a priority.
Threat intelligence is a hot topic these days and may have been one of the main topics at the 2016 RSA conference, but businesses need to realize that simply having more data on the latest threats, vulnerabilities, and exploits is not the answer to all of their cybersecurity problems.
Rather, threat intelligence only makes sense if it meets the following four criteria:
- It Comes From a Qualified, Trusted, Third-Party Source
Most organizations do not have the resources to collect, investigate, organize, and analyze threat intelligence on their own. This makes these activities a valuable part of third-party offerings, provided the source is qualified and trustworthy.
- It Provides Insight Into an Active Campaign
Most organizations already have a large amount of raw information about threats, vulnerabilities, and exploits. What they need, however, is information about active attack campaigns, information that includes the "who, what, where, when, and how" of the latest security threats. The most valuable information about active campaigns is information that is specific to the company's environment and business context.
- It Provides Associated Insights into Risk
Threat intelligence can provide information about the likelihood of a risk, the business impact of the risk, or both. However, the information is only pertinent if it is formulated for the specific context of the organization. Attack campaigns, for example, are not relevant to your company when they exploit vulnerabilities in technology you do not use in order to access information you do not hold. This highlights the important fact that threat intelligence must be linked to an accurate understanding of your information assets.
- It Includes Options for Action
Understanding risk is essential, but ultimately, companies must decide what to do with those risks. Should you accept it? Remediate it? Remedial actions can include changing existing controls and countermeasures, adding additional controls and countermeasures, or engaging third parties.
Cyber Threat Intelligence Sources
CTI sources can be split into three categories: internal, community, and external.
- Internal: The internal category includes all CTI that is collected within the organization. This can include information reported by security tools such as firewalls, intrusion prevention systems (IPS), and host security systems such as antivirus, as well as findings from computer forensic analyses. Analytics can surface information that is not easily visible and can be very useful in detecting other attacks.
- Community: This category includes all CTI that is shared through a trusting relationship among multiple members with a common interest. This can be an informal group of affiliates in the same industry or with other interests in common, or a formal one such as the Information Sharing and Analysis Centers (ISACs) organized under the National Council of ISACs. ISACs are set up for particular sectors such as higher education or financial services.
- External: The external category includes CTI from sources outside of an organization that are not part of a community group. There are two types of external sources.
Amoroso points out possible problems with volunteered data, “efforts to collect volunteered data will always have an issue with guaranteed data quality" (Amoroso, 2011).
Image Source – siriuscom.com
MISP is an open-source software solution for collecting, storing, distributing, and sharing cybersecurity indicators and threats about cybersecurity incident analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals, and malware reversers to support their daily operations and to share structured information efficiently.
MISP events are encapsulations for contextually related information. Linked information includes things such as IP addresses, domains, malicious binaries, file hashes, and so on. For example, say your NIDS detects web scanner activity. The event would hold the attributes related to that activity, such as the source IP address, the URIs scanned, the HTTP methods used, and so on.
MISP objects are an addition to MISP attributes that allow advanced combinations of attributes. These objects and their associated attributes are based on real cybersecurity use cases and existing practices in information sharing. Objects are shared just like other attributes in MISP, even if the other MISP instances do not have the object's template.
Attributes in MISP can be network indicators (e.g., an IP address), system indicators (e.g., a string in memory), or even bank account details. A type (e.g., MD5, URL) is how an attribute is described. An attribute is always in a category (e.g., Payload delivery), which places it in context; the category is what describes what the attribute is about.
MISP includes a set of public OSINT feeds in its default configuration. The feeds can be used as a source of correlations for all your events and attributes without the need to import them directly into your instance. The MISP feed system allows for fast correlation, but also for a quick comparison of the feeds against one another.
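As an added example (not from the original post or from the MISP project), the correlation that the feed system performs, modelled offline in Python on constructed MISP-format JSON: a local event holding the NIDS observation described above correlates with a cached feed event because MISP indexes each half of a composite attribute such as domain|ip. The event contents and the placeholder UUIDs are assumptions.

```python
import json

# Constructed sample data (not from the page): one event as a feed delivers it in MISP
# JSON format, and one local event recorded after the NIDS alert described above.
FEED_EVENT = json.loads("""{"Event": {"uuid": "feed-uuid-placeholder",
  "info": "Scanner infrastructure (constructed feed)", "Attribute": [
  {"type": "domain|ip", "category": "Network activity", "to_ids": true, "value": "scanner.example|126.96.36.199"},
  {"type": "md5", "category": "Payload delivery", "to_ids": true, "value": "d41d8cd98f00b204e9800998ecf8427e"}]}}""")

LOCAL_EVENT = json.loads("""{"Event": {"uuid": "local-uuid-placeholder",
  "info": "Web scanner activity seen by NIDS", "Attribute": [
  {"type": "ip-src", "category": "Network activity", "to_ids": false, "value": "126.96.36.199"},
  {"type": "uri", "category": "Network activity", "to_ids": false, "value": "/wp-login.php"}]}}""")

# Attribute types whose value is two indicators joined by "|"; MISP correlates on each half.
COMPOSITE_TYPES = {"domain|ip", "ip-dst|port", "ip-src|port", "hostname|port",
                   "filename|md5", "filename|sha1", "filename|sha256"}

def correlation_values(attr):
    """Values MISP would index for one attribute (both halves for composite types)."""
    if attr["type"] in COMPOSITE_TYPES and "|" in attr["value"]:
        return [v for v in attr["value"].split("|", 1) if v]
    return [attr["value"]]

def index_event(event):
    """Map every correlatable value of an event to the attributes that carry it."""
    index = {}
    for attr in event["Event"]["Attribute"]:
        for value in correlation_values(attr):
            index.setdefault(value, []).append(attr)
    return index

def correlate(local_event, feed_events):
    """Return (local_type, feed_type, value, feed_info) for every value shared with a feed."""
    local_index = index_event(local_event)
    hits = []
    for feed_event in feed_events:
        info = feed_event["Event"]["info"]
        for value, feed_attrs in index_event(feed_event).items():
            for local_attr in local_index.get(value, []):
                for feed_attr in feed_attrs:
                    hits.append((local_attr["type"], feed_attr["type"], value, info))
    return hits
```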
- Installing MISP with Install.sh
- Changing admin password
- Creating an organization
- Creating admin for a new organization
- Enabling threat intel feeds
- Setting Up IPython + PyMISP
- Creating MISP Event
- Adding an attribute to a MISP event
- Searching MISP for IOC
1. sudo apt-get update -y && sudo apt-get upgrade -y
2. sudo apt-get install mysql-client -y
3. curl https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh -o misp_install.sh
4. chmod +x misp_install.sh
5. ./misp_install.sh -A
6. Creating the new user "misp"
Browse to HTTPS://
- Username: [email protected]
- Enter new password.
- Go to Administration > Add Organisations.
- Enter “< organization name >” into organization identifier.
- Select “Generate UUID”.
- Select “submit” button at the bottom.
- Go to Administration > Add User.
- Enter email.
- Check the “set password”.
- Select the organization name for an organization.
- Select Role for the new organization.
- Head over to the “Edit” icon.
- Check “Enabled”.
- Check “Lookup Visible”.
- Check “Caching Enabled”.
- Select “Edit” at the bottom.
sudo pip3 install ipython
pip3 install -U pymisp

from pymisp import ExpandedPyMISP, MISPEvent, MISPAttribute

misp_url = 'https://<your-misp-host>'   # placeholder: the URL of your MISP instance
misp_key = '<your-authkey>'             # placeholder: the auth key from your MISP user profile
misp_verifycert = False                 # set to True once the instance has a trusted certificate
misp = ExpandedPyMISP(misp_url, misp_key, misp_verifycert)

# Create the event that will hold the attribute
event = MISPEvent()
event.info = "Web scanner activity"
event = misp.add_event(event, pythonify=True)
event_id = event.id

# Add a single network-activity attribute to that event
attr_type = "ip-src"
value = "126.96.36.199"
category = "Network activity"
to_ids = False

attribute = MISPAttribute()
attribute.type = attr_type
attribute.value = value
attribute.category = category
attribute.to_ids = to_ids
attribute_to_change = misp.add_attribute(event_id, attribute)
print(attribute_to_change['Attribute']['id'], attribute_to_change)

# Search all attributes on the instance for an IOC
misp.search(controller='attributes', type_attribute='ip-src', value='188.8.131.52')
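As an added example (not from the original post or from MISP's own NIDS export), what the to_ids flag set above decides downstream: a small Python function that turns MISP-format events into Suricata rules, emitting only attributes flagged to_ids, so an ip-src stored with to_ids = False is left out of detection. The event data, the $HOME_NET variable and the sid range are assumptions.

```python
# Constructed MISP-format events (not from the page); the event id and IP values follow the
# shape of what the PyMISP calls above return.
EVENTS = [
    {"Event": {"id": "1", "info": "Web scanner activity (constructed)", "Attribute": [
        {"type": "ip-src", "category": "Network activity", "to_ids": False, "value": "126.96.36.199"},
        {"type": "ip-dst", "category": "Network activity", "to_ids": True, "value": "188.8.131.52"},
        {"type": "domain", "category": "Network activity", "to_ids": True, "value": "c2.example"},
        {"type": "comment", "category": "Other", "to_ids": False, "value": "analyst note"},
    ]}},
]

# Suricata rule templates per attribute type (assumption: $HOME_NET is defined on the sensor).
RULE_TEMPLATES = {
    "ip-src": 'alert ip {value} any -> $HOME_NET any (msg:"MISP e{eid} Incoming From IP: {value}"; '
              'classtype:trojan-activity; sid:{sid}; rev:1;)',
    "ip-dst": 'alert ip $HOME_NET any -> {value} any (msg:"MISP e{eid} Outgoing To IP: {value}"; '
              'classtype:trojan-activity; sid:{sid}; rev:1;)',
    "domain": 'alert dns $HOME_NET any -> any any (msg:"MISP e{eid} Domain: {value}"; '
              'dns.query; content:"{value}"; nocase; classtype:trojan-activity; sid:{sid}; rev:1;)',
}

def exportable(attr):
    """Only attributes flagged to_ids and of a type we can express become rules."""
    return bool(attr.get("to_ids")) and attr["type"] in RULE_TEMPLATES

def to_suricata_rules(events, sid_start=3000000):
    """Turn the to_ids attributes of MISP events into Suricata rules with unique sids."""
    rules, sid = [], sid_start
    for event in events:
        eid = event["Event"]["id"]
        for attr in event["Event"]["Attribute"]:
            if not exportable(attr):
                continue  # e.g. the ip-src added above with to_ids = False stays out
            if '"' in attr["value"] or ";" in attr["value"]:
                continue  # never splice rule-breaking characters into a rule unescaped
            rules.append(RULE_TEMPLATES[attr["type"]].format(value=attr["value"], eid=eid, sid=sid))
            sid += 1
    return rules
```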
Cyber Threat Intelligence has become especially crucial after the pandemic.
Hackers use complex attacks to steal business data. CTI helps you protect your network from such attacks and minimize the cost of securing it. You get more insight into the threats that really matter, which reduces the workload on your security team. You can implement your own solution, as shown here, or use an existing cyber threat intelligence platform.
Feel free to leave a message if you have any suggestions for a cyber threat intelligence server that we might have missed, or if you want me to get my hands on any specific topic.