mirror of https://github.com/MISP/misp-website
---
title: Using MISP to share vulnerability information efficiently
date: 2018-01-09
layout: post
banner: /img/blog/vul02.png
---

# Using MISP to share vulnerability information efficiently

Software and hardware vulnerabilities are often discussed, shared, prepared, analysed and reviewed before publication. This process
can be tedious as it often includes multiple exchanges between the parties involved, including reporters, proxy-reporters, coordinators,
editors and even impacted parties. Some vulnerabilities might be shared and exchanged among trusted parties for months before being
officially disclosed. This can generate a significant workload for the staff of a security team, vulnerability assessment team or
CNA (CVE Numbering Authority).

As MISP provides a complete set of functionalities for sharing information, sharing and collaborating on security vulnerabilities
within a trusted group is as easy as sharing indicators.

## MISP Objects

[MISP objects](/objects.html) provide a flexible way to describe combined information using a simple templating system. There is already a [vulnerability object](/objects.html#_vulnerability) which covers the most common cases used by organisations such as CSIRTs, security teams or security assessment teams. If you
have a specific use case for sharing vulnerability information, a MISP object can also be built from a custom template in a matter of minutes.

# How to share vulnerability information within MISP to a trusted group

Sharing a set of vulnerabilities with a trusted group is straightforward. First, you create an event, which will contain one or more
vulnerabilities, and assign the corresponding sharing group. An event is just a container with associated metadata, such as a classification
or a generic description.

![](/img/blog/vul01.png)

Once your event is created, you can attach attributes or objects to it. If you want to share vulnerability information,
a vulnerability object can be added to describe the vulnerability.

![](/img/blog/vul02.png)

The vulnerability object is composed of various attributes, such as the vulnerable configuration expressed as a CPE value, which can be added multiple times if you have different vulnerable configurations.

![](/img/blog/vul03.png)

![](/img/blog/vul04.png)

Another advantage of pre-sharing vulnerabilities within MISP is the Globally Unique Identifier (GUID) allocated to each attribute. This allows efficient sharing without the need to allocate a unique identifier. If a CVE is allocated afterwards, setting the vulnerability identifier has no impact on the event.

Another significant benefit is the ability to switch the sharing and distribution in one click when the vulnerability becomes public or its status changes from embargo to published.

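The workflow described above, as an added example that is not code from the MISP project: plain Python dictionaries shaped like a simplified subset of MISP event JSON, showing an embargoed event restricted to a sharing group, then a CVE id added and the distribution switched while every existing UUID stays the same. The function names, the `vulnerable_configuration` relation name with its `text` type, and all sample values are assumptions or placeholders.

```python
import copy
import uuid

# MISP distribution levels used here: 3 = all communities, 4 = sharing group.
ALL_COMMUNITIES, SHARING_GROUP = 3, 4


def attr(relation, type_, value):
    """One object attribute; it gets its own UUID at creation time."""
    return {"uuid": str(uuid.uuid4()), "object_relation": relation,
            "type": type_, "value": value}


def draft_event(info, summary, cpes, sharing_group_id):
    """Embargoed event holding one vulnerability object, no CVE id yet."""
    attributes = [attr("summary", "text", summary)]
    # Assumed relation name and type; one attribute per vulnerable CPE.
    attributes += [attr("vulnerable_configuration", "text", c) for c in cpes]
    return {"Event": {
        "uuid": str(uuid.uuid4()), "info": info, "published": False,
        "distribution": SHARING_GROUP, "sharing_group_id": sharing_group_id,
        "Object": [{"uuid": str(uuid.uuid4()), "name": "vulnerability",
                    "Attribute": attributes}],
    }}


def disclose(event, cve_id):
    """Copy of the event with the CVE id set and distribution opened up."""
    public = copy.deepcopy(event)
    body = public["Event"]
    body["Object"][0]["Attribute"].append(attr("id", "vulnerability", cve_id))
    body.update(distribution=ALL_COMMUNITIES, sharing_group_id=0,
                published=True)
    return public


def uuids(event):
    """Every UUID in the event: the event, its objects, their attributes."""
    body = event["Event"]
    found = {body["uuid"]}
    for obj in body["Object"]:
        found.add(obj["uuid"])
        found.update(a["uuid"] for a in obj["Attribute"])
    return found


if __name__ == "__main__":
    # Constructed sample data; the CPE and the CVE id are placeholders.
    cpes = ["cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*"]
    draft = draft_event("Embargoed: ExampleProduct flaw", "Overflow", cpes, 7)
    print(uuids(draft) <= uuids(disclose(draft, "CVE-0000-00000")))
```
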
Don't hesitate to contact us if you have other models of vulnerability information distribution or any improvements.