Part 1: MISP in a box

MISP is a free open source platform developed by the MISP project team that primarily serves the purpose of sharing IOCs. It has been enjoying steady growth for some time now, as evidenced by the incredibly active community around the main repository, the several side projects, and the growing number of participants at the yearly MISP Summit at Hack.lu.

For our analysts, MISP is one of the key platforms we work on and use to share knowledge and indicators internally and with friends and partners. Over time, we have also supported different companies as they became familiar with MISP and built up their own infrastructure. Through this support and our own experience working with the platform, we came to understand not only the benefits of MISP, but also the problems that occurred during the operation in one place or another, and this is mostly …

…Dealing with MISP in enterprise environments

As already mentioned, MISP is a great platform, but getting started and, more importantly, installing MISP in enterprise environments, where SUSE Linux Enterprise Server (SLES) or Red Hat Enterprise Linux (RHEL) is the more common platform, is a bit of a challenge. In particular, the long list of dependencies needed to install MISP, combined with the use of mostly closed, self-operated package repositories, is a hurdle that often results in a negative outcome or a poor first experience with the platform.

But even if all dependencies are somehow met, the next challenge on the operations horizon quickly emerges: the numerous software versions available on the various Linux server platforms, which are more or less compatible with MISP. This quickly becomes clear when looking at some of MISP's basic dependencies, such as PHP, Redis, Python 3 and MariaDB/MySQL, and checking which versions of them are available on, for example, RHEL or SLES, if at all. Managing all of these dependencies in all of these versions is certainly also a huge challenge for the MISP developers, especially in support cases.

Putting things in a container

Based on these experiences and needs, we started a project in early 2018 with the goal of reducing and simplifying, as much as possible, the effort needed to install and operate MISP in an enterprise environment. To achieve this, we also had to reduce the many dependencies required for MISP to a minimum. Additionally, the project should be usable for everyone, from developers to the community to the CERT employee.

Like MISP, MISP-dockerized was planned from the beginning as an open source project. From our point of view, Docker quickly turned out to be an ideal solution for this approach because it is supported by almost all common Linux server distributions. The Docker concept of containers and images allowed us to combine all the dependencies and applications needed for MISP in an appropriate container based on a common operating system with which we are also very familiar.

A MISP-dockerized container can therefore be structured as follows:

  • Application
  • Runtime & dependencies
  • Operating system image, e.g. Debian

Packing MISP in containers also has the advantage of reducing the many dependencies required for installation to only two: Git and Docker CE. This makes installation considerably easier, especially with RHEL and SLES in mind. Since all necessary dependencies are identical for each version of an image used for the containers, we hope this will also lead to some kind of standardization that will make it easier for developers and support cases to identify possible problems.

In summary, MISP-dockerized turns the installation of MISP from this:


To this:

$> git clone https://github.com/DCSO/MISP-dockerized.git
$> cd MISP-dockerized
$> make install
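Since the whole point of the container approach is that the host only needs Git and Docker CE, a preflight check before `make install` catches the two failure modes we see most often on RHEL and SLES hosts: a tool missing from PATH, or a Docker daemon that is installed but not reachable by the current user. The script below is an added example, not part of the MISP-dockerized project; the minimum Docker version it enforces is an assumption chosen for illustration, not a requirement stated by the project.

```shell
#!/bin/sh
# Preflight check for a host that is about to run `make install` for
# MISP-dockerized. Added illustration, not a script from the project.

# missing_tools CMD... : prints each command that is not on PATH, one per
# line; returns 0 when all are present, 1 when at least one is missing.
missing_tools() {
    rc=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            rc=1
        fi
    done
    return $rc
}

# version_ge A B : returns 0 when dotted version A is >= B, comparing
# field by field numerically; missing trailing fields count as 0.
version_ge() {
    a="$1"
    b="$2"
    i=1
    while :; do
        fa=$(echo "$a" | cut -d. -f"$i")
        fb=$(echo "$b" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 0
        fa=${fa:-0}
        fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# docker_server_version : prints the daemon's version with any packaging
# suffix (e.g. "-ce") stripped, or nothing when the daemon is unreachable.
docker_server_version() {
    docker version --format '{{.Server.Version}}' 2>/dev/null \
        | sed 's/[^0-9.].*//'
}

# preflight : runs the checks the page's two-dependency claim implies.
# MIN_DOCKER is an assumed threshold for this example only.
MIN_DOCKER="18.6.0"
preflight() {
    if ! missing=$(missing_tools git docker); then
        echo "missing host dependencies: $(echo "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    ver=$(docker_server_version)
    if [ -z "$ver" ]; then
        echo "docker is installed but the daemon is not reachable" \
             "(is the daemon running, and is this user allowed to use it?)" >&2
        return 1
    fi
    if ! version_ge "$ver" "$MIN_DOCKER"; then
        echo "docker $ver is older than the assumed minimum $MIN_DOCKER" >&2
        return 1
    fi
    echo "preflight ok: git and docker $ver present"
    return 0
}

# Run the checks only when executed directly, not when sourced for tests.
case "$0" in
    *preflight*) preflight ;;
esac
```

Run it as `sh preflight.sh` before `make install`; a non-zero exit tells you which of the two host requirements is not met, and the unreachable-daemon case is reported separately from the missing-binary case because on enterprise hosts it is usually a group-membership problem rather than a missing package.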

Links

MISP project page: https://github.com/MISP/MISP
MISP-dockerized project page: https://github.com/DCSO/MISP-dockerized
MISP-dockerized documentation: https://dcso.github.io/MISP-dockerized-docs/

Who we are

The Threat Intelligence Team helps clients to reduce the threat posed by adversaries to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels - from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.