MISP
/
misp-website
mirror of https://github.com/MISP/misp-website
2
0
Fork 0
Code Issues Releases Wiki Activity
misp-website/_posts/2018-05-16-MISP.2.4.91.rele...

5.3 KiB
Executable File
Raw Blame History

title layout featured
MISP 2.4.91 released (aka distribution visualisation, galaxy at attribute level and privacy notice list) post /assets/images/misp-small.png

A new version of MISP 2.4.91 has been released including new major features, improvements and bug fixes.

Distribution and sharing visualisation

MISP 2.4.91 has a new visualisation aid in order to simply view the distribution and sharing model of all the attributes within an event. As event can be significantly large with multiple objects and attributes, analyst needs to verify if the proper distributions are applied. The new visualisation allows to view the distribution per distribution model including the associated sharing groups. The visualisation aid is dynamic and can be used to filter directly in the event the respective attributes matching a specific distribution.

Visualisation of a MISP event and how the sharing of the attribute will take place{:class="img-responsive"}

Galaxy at attribute level

MISP Galaxy includes a large number of libraries to better classify event based threat actors, kill chains or actor techniques such as described in MITRE ATT&CK. Initially, the MISP galaxy can be attached to the MISP event level. As many users developed new galaxy cluster to map their own model, MISP 2.4.91 is now capable of attaching MISP clusters at the attribute level. In the example below, a vulnerability attribute can be then easily linked to a respective MITRE ATT&CK adversary technique allowing to support analysts to search and pivot per techniques but also to support more advanced automation.

An example of a MISP galaxy such as MITRE ATT&CK attached to a specific attribute in MISP{:class="img-responsive"}

Privacy notice list and GDPR

MISP Project was actively involved in the question of compliance especially about information sharing and legal compliance. In the scope of the CEF-TC-2016-3 - Cyber Security co-fundin helped us to improve the various aspects of compliance while keeping a strong focus on the information sharing aspect.

In MISP 2.4.91, we introduce the MISP notice to inform MISP users of the legal, privacy, policy or even technical implications of using specific attributes, categories or objects. The feature was originally designed for the support of the Directive 95/46/EC (General Data Protection Regulation) to notify the analyst about the potential risks while entering specific information. The notice feature is a flexible solution to allow any kind of notice (expressed in a simple JSON format) to be included in MISP forms based on the category or type entered in the system.

We expect to see organisations using MISP to enable, disable or extend the notice lists to fit their specific policies, legal framework or local regulation framework.

GDPR notice about a specific category{:class="img-responsive"}

and notice lists are easily configurable:

Notice lists are configurable{:class="img-responsive"}

API

Feed management, in 2.4.91, can be also be done via the API such as add/edit/delete feeds. API documentation is directly accessible via the API if a GET request is performed instead of a POST.

ZMQ feed has been extended to include base64 encoded attachments in order to improve the integration with the CSP platform (MeliCERTes) and other application relying on the ZMQ feed (3169 fixed).

Miscellaneous Improvements

Even enrichment (via misp-modules) can now be easily triggered from the event menu to automatically enrich all the attributes in event. This enrichment is also globally accessible via the API and exposed via the command-line too.

STIX 1 import has been improved to support old legacy format including CustomObjects, socket address object, CIQ targets, DNS records object and many others.

Many bugs were fixed especially 3245, 3240, 3202 and 3201.

MISP 2.4.91 has been updated to the latest version of CakePHP 2.10 series.

The full change log is available here. PyMISP change log is also available.

PyMISP has been also updated, boasting a more clever approach to timestamp handling while updating MISP JSON files. The PyMISP documentation has been updated PDF.

MISP galaxy, objects and taxonomies were notably extended by many contributors. These are also included by default in MISP. Don't forget to do a git submodule update and update galaxies, objects and taxonomies via the UI. To get the MISP notice list, don't forget to perform a git submodule init; git submodule update to initialise the new external dependency.

Don't forget that the MISP Threat Intelligence Summit 0x4 will take place the Monday 15th October 2018 before hack.lu 2018. A Call-for-Papers is open for the MISP Threat Intelligence Summit 0x4. We would be glad to see users, contributors or organisations actively using MISP or/and threat intelligence to share their experiences and presentation to the CfP.