The idea behind this object is to provide a unique form to identify network artifacts.
It's a mix of different including whois, URL and domain.
The need for a consolidated object comes to group correlated elements.
Beyond that, I'm introducing the idea to use the correlation feature in more generic ways.
Example:
The value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identifies it. A practical and tested example is this resource from Kaspersky.
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
In this article they mention a trojan family called Javali. They recover the C2 server by abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available in this image. This item should be hard to correlate with other similar items, as this can change frequently.
A way to change it is also to register a more general pattern of the data with the "threat-actor-infrastructure-pattern", i.e.
inicio{
"host":"<variable>",
"porta":"<variable>"
}fim
With other investigations and their registration in MISP, it is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.
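As an added illustration (not code from the proposal or from MISP's correlation engine) of how a "threat-actor-infrastructure-pattern" can be matched against observed "threat-actor-infrastructure-value" strings, the following script treats each "<variable>" placeholder as a wildcard, anchors everything else literally, and groups constructed sample values under the Javali-style pattern above. The placeholder token and the sample values are assumptions.

```python
import re

# Assumption: the placeholder in a stored pattern is the literal token "<variable>".
VARIABLE_TOKEN = "<variable>"

# Pattern from the proposal above, written on one line (no whitespace between tokens).
PATTERN = 'inicio{"host":"<variable>","porta":"<variable>"}fim'

# Constructed sample values, as they might be stored in several MISP events.
SAMPLE_VALUES = [
    'inicio{"host":"203.0.113.10","porta":"8080"}fim',
    'inicio{"host":"c2-a.example.invalid","porta":"443"}fim',
    'inicio{"host":"203.0.113.10"}fim',            # missing the "porta" key
    'something completely different',
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a pattern into an anchored regex.

    Literal text is escaped; each "<variable>" becomes a named capture group
    (v1, v2, ...) that matches a non-empty run of characters other than a
    double quote, since quotes delimit values in this JSON-like format.
    """
    parts = pattern.split(VARIABLE_TOKEN)
    regex = ""
    for i, literal in enumerate(parts):
        regex += re.escape(literal)
        if i < len(parts) - 1:
            regex += f'(?P<v{i + 1}>[^"]+)'
    return re.compile(r"\A" + regex + r"\Z", re.DOTALL)


def match_value(pattern: str, value: str):
    """Return the variable parts captured from value, or None if it does not match."""
    m = pattern_to_regex(pattern).match(value)
    return list(m.groups()) if m else None


def correlate(pattern: str, values):
    """Split observed values into those matching the pattern (with their
    extracted variable parts) and those that do not match at all."""
    matched, unmatched = {}, []
    for value in values:
        parts = match_value(pattern, value)
        if parts is None:
            unmatched.append(value)
        else:
            matched[value] = parts
    return matched, unmatched


if __name__ == "__main__":
    hits, misses = correlate(PATTERN, SAMPLE_VALUES)
    for value, parts in hits.items():
        print("match:", parts, "<-", value)
    print("no match:", misses)
```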
Adding first class support for Emails in .msg format to the email definition.
This includes making the attribute support multiple bodies. Msg formats
nearly always have at least 2, if not 3, versions of the body (plain text, rtf, html).
This object was created to support the use-case of pisax.org for the
following use-case:
- They define well-known assets which are used by IXPs and GRXs via
their CPEs;
- The assets are defined in a set of fixed/master MISP events;
- Those events are used to query NVD/CVE database via cve-search
(https://github.com/cve-search/cve-search) using a PyMISP script
- Then the CVEs matching the CPE are added to MISP and dispatched to the
sharing community of users as specific MISP events.
Ref: PISAX - pan-European Information Sharing and Analysis Center (ISAC) to IXPs and GRXs
Ref: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf (NIST Interagency Report 7695)