How to set up your own Threat Intel infrastructure (III)

Alejandro Prada
3 min read · Jun 17, 2022


Introduction

This is the third post of the series “How to set up your own Threat Intelligence infrastructure”. If you haven’t read the previous posts, I encourage you to read part 1 and part 2 before reading this new entry.

Once we have our MISP up and running, it's time to gather threat intelligence from different sources. In this case, I will use OTX (Open Threat Exchange), the Threat Intelligence platform run by AT&T Alien Labs.

OTX

OTX is probably one of the most popular open Threat Intelligence communities. OTX receives a large number of threat reports every day, submitted by security researchers around the world as well as by the Alien Labs team. The platform provides the latest information about emerging threats, attack methods and threat actors.

An OTX pulse is a summary of a particular threat. A pulse provides the Indicators of Compromise (IOCs) of that threat, which can be used for detection, along with MITRE ATT&CK technique IDs and sometimes Yara rules, which can be used both for detection and for hunting new related samples. Pulses also put the threat in context, for instance which countries and industries were targeted.

You can subscribe to different contributors or groups in order to stay aware of emerging threats.

Sending OTX pulses to MISP with Python

The first step to be able to send a threat to your MISP instance using PyMISP is to enable the authentication key (authkey) of your MISP user, which PyMISP uses to authenticate against the REST API. You can read more information about this here.

Of course, to collect OTX pulses you will also have to sign up on OTX, obtain your OTX API key (the OTX SDK needs it to query the API), and be subscribed to at least one pulse.

(Figure: OTX pulses)

Configure your subscriptions according to your interests and you will be ready to start collecting pulses.

I've created a basic script for collecting pulses from OTX and sending them to MISP. It's called otx_2_misp. There is also a Python tool called otx_misp that may be of interest.

The script gathers OTX pulses and prints them to the console. By default, the script doesn't filter out any pulse. However, it allows you to narrow down the number of pulses gathered by filtering in two different ways:

  • By keyword (config->**keywords.txt**) using -a parameter (e.g. Dridex, Web Shell, etc).
  • By ATT&CK technique (config->**attack_ids.txt**) using -t parameter (e.g. T1078)
(Figure: otx_2_misp help menu)

By default, the script gathers pulses from the last 7 days, but this can be changed with the parameter -d. For instance, -d 20 gathers pulses from the last 20 days:

python otx2misp.py -d 2

The pulses gathered can be sent to your MISP instance with the -m parameter. The script also allows using a proxy for the connection to the instance, with the parameter -p.

For instance, the command below gathers all the pulses from the last 2 days and keeps only those that match your keywords and ATT&CK techniques. The filtered pulses are then sent to your MISP instance through a proxy.

python otx2misp.py -d 2 -a -t -m -p

Every event created in MISP this way carries the tag "otx", so OTX-sourced events can be told apart from other feeds later on (for example when searching or building correlation rules).
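The pipeline described above (pull pulses from OTX, keep those from the last N days that match a keyword list or an ATT&CK ID list, convert each one to a MISP event tagged "otx", and push it through PyMISP), as an added example written for this post. It is not the otx_2_misp script itself. Assumptions made here: the constructed sample pulses follow the field names of the OTX pulse JSON (name, description, tags, attack_ids, indicators, modified); the OTX-to-MISP type and category map is a choice made for this example; when both filters are enabled a pulse must pass both (the real script may combine them differently); fetching uses the OTXv2 SDK's getall(modified_since=...) and pushing uses PyMISP's add_event, both imported lazily so everything else runs offline.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# OTX indicator type -> (MISP attribute type, MISP category). Mapping chosen for this example.
OTX_TO_MISP = {
    "IPv4": ("ip-dst", "Network activity"),
    "IPv6": ("ip-dst", "Network activity"),
    "domain": ("domain", "Network activity"),
    "hostname": ("hostname", "Network activity"),
    "URL": ("url", "Network activity"),
    "FileHash-MD5": ("md5", "Payload delivery"),
    "FileHash-SHA1": ("sha1", "Payload delivery"),
    "FileHash-SHA256": ("sha256", "Payload delivery"),
    "email": ("email-src", "Payload delivery"),
    "CVE": ("vulnerability", "External analysis"),
    "YARA": ("yara", "Artifacts dropped"),
}

# Constructed sample pulses (not real OTX data), using the field names of the OTX pulse JSON.
SAMPLE_NOW = datetime(2022, 6, 17)  # fixed clock so the sample selection below is reproducible
SAMPLE_PULSES = [
    {"id": "pulse-0001", "name": "Dridex campaign delivered via Excel macros",
     "description": "Constructed sample.", "modified": "2022-06-16T08:00:00.000000",
     "tags": ["dridex", "banking"], "attack_ids": ["T1566", "T1204"],
     "indicators": [{"indicator": "198.51.100.23", "type": "IPv4"},
                    {"indicator": "update-check.example", "type": "domain"},
                    {"indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                     "type": "FileHash-SHA256"}]},
    {"id": "pulse-0002", "name": "Web shell activity on exposed application servers",
     "description": "Constructed sample.", "modified": "2022-06-05T12:00:00.000000",
     "tags": ["webshell"],
     # attack_ids has been seen both as bare strings and as objects carrying an "id" field
     "attack_ids": [{"id": "T1505", "name": "Server Software Component"}, "T1078"],
     "indicators": [{"indicator": "http://203.0.113.9/cmd.aspx", "type": "URL"},
                    {"indicator": "ops@example.org", "type": "email"}]},
    {"id": "pulse-0003", "name": "Scanner noise", "description": "Constructed sample.",
     "modified": "2022-06-16T09:30:00.000000", "tags": [], "attack_ids": [],
     "indicators": [{"indicator": "ffffffffffffffff", "type": "FileHash-PEHASH"}]},
]


def _parse_ts(value: str) -> datetime:
    """OTX timestamps are ISO 8601; strip a trailing 'Z' for Pythons older than 3.11."""
    return datetime.fromisoformat(value.rstrip("Z"))


def pulse_attack_ids(pulse: dict) -> set[str]:
    """Normalise attack_ids to upper-case technique IDs whichever shape OTX returned."""
    return {(e["id"] if isinstance(e, dict) else str(e)).upper() for e in pulse.get("attack_ids", [])}


def matches_keywords(pulse: dict, keywords) -> bool:
    """Case-insensitive substring match over name, description and tags (the keywords.txt idea)."""
    haystack = " ".join([pulse.get("name", ""), pulse.get("description", ""), *pulse.get("tags", [])]).lower()
    return any(k.strip().lower() in haystack for k in keywords if k.strip())


def matches_attack_ids(pulse: dict, attack_ids) -> bool:
    """True if the pulse carries any of the listed techniques (the attack_ids.txt idea)."""
    return bool(pulse_attack_ids(pulse) & {a.strip().upper() for a in attack_ids})


def select_pulses(pulses, days: int, now: datetime, keywords=None, attack_ids=None) -> list:
    """Keep pulses modified within `days` that pass every enabled filter (AND is this example's choice)."""
    cutoff = now - timedelta(days=days)
    keep = []
    for p in pulses:
        if _parse_ts(p["modified"]) < cutoff:
            continue
        if keywords is not None and not matches_keywords(p, keywords):
            continue
        if attack_ids is not None and not matches_attack_ids(p, attack_ids):
            continue
        keep.append(p)
    return keep


def pulse_to_misp_event(pulse: dict) -> dict:
    """Build a MISP event (JSON shape) tagged 'otx'; indicator types without a mapping are skipped."""
    attributes = []
    for ioc in pulse.get("indicators", []):
        mapped = OTX_TO_MISP.get(ioc.get("type"))
        if mapped is None:
            continue  # never guess a MISP type: an unmapped IOC is dropped rather than mislabelled
        misp_type, category = mapped
        attributes.append({"type": misp_type, "category": category, "value": ioc["indicator"],
                           "to_ids": misp_type != "vulnerability",  # CVEs are context, not detection
                           "comment": f"OTX pulse {pulse['id']}"})
    tags = [{"name": "otx"}] + [{"name": f"otx:{t}"} for t in pulse.get("tags", [])]
    return {"Event": {"info": pulse["name"], "date": pulse["modified"][:10],
                      "distribution": 0,  # your organisation only; widen deliberately, not by default
                      "threat_level_id": 2, "analysis": 0, "Tag": tags, "Attribute": attributes}}


def fetch_pulses(otx_key: str, days: int) -> list:
    """Pull subscribed pulses with the OTXv2 SDK (needs network and an OTX API key)."""
    from OTXv2 import OTXv2  # imported lazily so the filtering/conversion above runs offline
    since = datetime.now(timezone.utc).replace(tzinfo=None) - timedelta(days=days)
    return OTXv2(otx_key).getall(modified_since=since)


def push_events(events, misp_url: str, misp_key: str, proxy: str | None = None, verify_tls: bool = True) -> list:
    """Create the events in MISP with PyMISP; `proxy` is a URL such as http://proxy.example:3128."""
    from pymisp import MISPEvent, PyMISP  # imported lazily for the same reason
    proxies = {"http": proxy, "https": proxy} if proxy else None
    misp = PyMISP(misp_url, misp_key, ssl=verify_tls, proxies=proxies)
    results = []
    for payload in events:
        event = MISPEvent()
        event.from_dict(**payload["Event"])
        results.append(misp.add_event(event))
    return results


if __name__ == "__main__":
    # Equivalent of "-d 20 -a -t" against the constructed samples; only pulse-0002 survives both filters.
    chosen = select_pulses(SAMPLE_PULSES, days=20, now=SAMPLE_NOW,
                           keywords=["Dridex", "Web Shell"], attack_ids=["T1078"])
    for ev in (pulse_to_misp_event(p) for p in chosen):
        print(ev["Event"]["info"], [a["type"] for a in ev["Event"]["Attribute"]])
    # Real run: push_events([...], "https://misp.example", "<misp authkey>", proxy="http://proxy.example:3128")
```

Two choices worth keeping when you adapt this: unmapped OTX indicator types are dropped rather than forced into a MISP type, so nothing lands in MISP with the wrong attribute type and to_ids flag; and new events default to distribution 0 (your organisation only), so a pulse you have not reviewed yet is not shared onward to synchronised MISP instances by accident.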
