MISP

New tools released for integration with the eCrimeLabs Threat API

The integration to the eCrimeLabs Threat API continues to grow.


Previously we added integration with Symantec BlueCoat and the RPZ DNS format, and the latest addition is the generation of Bro rules.


The Bro IDS rule generation was implemented to provide full support for SecurityOnion (https://securityonion.net/).


With the continuous growth of integrations we are working on giving the power back to companies and corporations, allowing them to use various sources of threat data from both open and closed-source relations.

It is important to be able to react to an incident, and this is where the eCrimeLabs Threat API, in cooperation with the MISP threat data sharing platform, closes the gap.


eCrimeLabsFeeds (https://github.com/eCrimeLabs/eCrimeLabsFeeds)

The tool fetches all the feeds presented through the API. The script can be used to fetch IOC data from the eCrimeLabs Broker API and store it either in individual files or as a single bulk file. This is useful if you want to push the data into your security solutions yourself, or if you have an off-site engagement with no internet connection.

SecurityOnion eCrimeLabs (https://github.com/eCrimeLabs/securityonion-ecrimelabs)

This script allows for easy integration of the eCrimeLabs feeds into any SecurityOnion installation.


The below illustration is the most used implementation of the eCrimeLabs solution.

Release of VT2MISP a tool for enriching MISP with VirusTotal data

As a strong believer in and supporter of the MISP Threat Sharing Platform, and a long-time user, I often add events based on external reports and on incidents we have worked on. This usually also includes searching for additional attributes or IOC data to build up knowledge on the event.

This also includes going to VirusTotal to see if there is any information about, for example, the hashes. External reports often only mention MD5, SHA1 or SHA256 hashes; searching for every hash manually and copy-pasting the result into MISP is somewhat tedious, and it takes a long time to add the file objects and virustotal-report objects and, last but not least, to create the relation between the two.

For this reason I created the tool VT2MISP, which makes the data more actionable because I get more data and context around the original hash.

The MISP event for the case "QUASAR, SOBAKEN AND VERMIN: A deeper look into an ongoing espionage campaign" from ESET.

VT2MISP is a small Python script that can be downloaded HERE.
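To show what the enrichment described above produces, here is an added example (not the VT2MISP script itself, and not the page's code) that classifies bare report hashes as MD5, SHA1 or SHA256, builds a MISP "file" object and a "virustotal-report" object for each one, and links them with an "analysed-with" object reference. The VirusTotal lookup is replaced by a constructed `fake_vt_lookup` so it runs offline, and the object `template_uuid` fields a real MISP import would carry are left out; both are assumptions of this example.

```python
import re
import uuid
from datetime import datetime, timezone

# Hash type by hex-digest length: reports usually give bare MD5/SHA1/SHA256 strings.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample input: the digests of the empty file plus one non-hash token.
SAMPLE_HASHES = [
    "d41d8cd98f00b204e9800998ecf8427e",
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "not-a-hash",
]


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a bare hex digest, else None."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_TYPES.get(len(v))


def fake_vt_lookup(digest):
    """Constructed stand-in for a VirusTotal lookup (hypothetical, offline)."""
    return {"permalink": "https://www.virustotal.com/gui/file/" + digest.lower(),
            "detection-ratio": "0/70"}


def build_enrichment(hashes, vt_lookup):
    """Build MISP file + virustotal-report objects per hash, linked by a reference."""
    objects = []
    for h in hashes:
        htype = classify_hash(h)
        if htype is None:
            continue  # skip tokens that are not a supported digest
        file_uuid, report_uuid = str(uuid.uuid4()), str(uuid.uuid4())
        report = vt_lookup(h)
        objects.append({
            "uuid": file_uuid, "name": "file", "meta-category": "file",
            "Attribute": [{"object_relation": htype, "type": htype, "value": h.lower()}],
            # The relation VT2MISP would otherwise have to be created by hand in the UI.
            "ObjectReference": [{"relationship_type": "analysed-with",
                                 "referenced_uuid": report_uuid}],
        })
        objects.append({
            "uuid": report_uuid, "name": "virustotal-report", "meta-category": "misc",
            "Attribute": [
                {"object_relation": "permalink", "type": "link", "value": report["permalink"]},
                {"object_relation": "detection-ratio", "type": "text", "value": report["detection-ratio"]},
            ],
        })
    return {"Event": {"info": "VT2MISP-style enrichment (constructed example)",
                      "date": datetime.now(timezone.utc).date().isoformat(),
                      "Object": objects}}
```

The returned structure is the JSON shape MISP expects for an event with objects, so it can be pushed with any MISP client once the template UUIDs are added.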


What is MISP, for those who do not know? In short, it is an open source threat sharing platform that allows users to share threat data with each other, while also serving as an internal tool to collect all the threat data you receive, whether you collected it yourself or obtained it from external sources. The sharing part can be seen as a form of crowdsourcing: if your network has seen a threat, this platform can be used to easily share it with only trusted partners or with everyone, depending on the sensitivity of the data.

  • Knowledge data for threat data and threat intelligence.
  • Correlation between all the data in your instance.
  • Support for a large collection of OSINT threat feeds.
  • Easy use of the data in your security solutions.

So don't store your valuable information in your inbox; get it into an ever-evolving platform designed and developed by security professionals, threat hunters and incident response teams.

If you are interested in MISP in general, or in our MISP SaaS solution, a fully managed MISP instance where you can take advantage of the MISP platform without having to think about the operational part: eCrimeLabs has also built a custom broker service that allows you to feed the data in MISP into your security products in a simple way. You can read more about our services under Threat Intelligence Software-as-a-Service or contact us directly.