How to set up your own Threat Intelligence infrastructure (I)

Alejandro Prada
3 min read, Apr 18, 2022


Introduction

This is the first post in the series “How to set up your own Threat Intelligence infrastructure”. The aim of this series is to describe how to set up your own Threat Intel infrastructure using MISP and deploy it on AWS.

What’s Threat Intelligence?

According to Gartner, Threat Intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

To summarise the above definition: Threat Intelligence transforms raw data into actionable intelligence that keeps organisations informed about cyber threats such as APTs (Advanced Persistent Threats) and crimeware, as well as the vulnerabilities and exploits used by adversaries.

If this concept doesn’t sound familiar to you, I encourage you to keep learning about Threat Intelligence. You may be interested in watching this SANS webinar about the Cyber Threat Intelligence cycle. I also recommend reading this paper by Sergio Caltagirone, VP of Threat Intelligence at Dragos Inc, a company focused on ICS cybersecurity.

Threat Intelligence is important because it helps security teams and organisations make better and faster decisions. This is crucial, since the number of cyber incidents appears to have been rising since the COVID-19 pandemic.

MISP

The Malware Information Sharing Platform (MISP) is an open-source Threat Intelligence Platform (TIP). The project develops utilities and documentation for more effective Threat Intelligence through the sharing of Indicators of Compromise (IoCs). The MISP project was funded by the EU, and it has a large community that has developed modules extending the platform’s functionality. There are many enrichment modules that query external services such as VirusTotal, DomainTools, Intel471, Shodan and ThreatCrowd, among others. Besides enrichment modules, other types are available as well, such as modules for exporting the events stored in MISP to PDF, or modules for validating the syntax of YARA rules stored in the platform.

In addition to the software modules, MISP also provides its own data model, including taxonomies for expressing threat-related information such as attacks, threat actors, TTPs and Indicators of Compromise.

The plan

MISP provides different alternatives for deploying the platform, such as Docker images or cloud-ready images for deploying MISP on cloud providers. For simplicity, I will use their AWS AMI to deploy the MISP instance. I recommend you take a look at the best practices guide described here.

The idea is to host the MISP instance on a private network so that it cannot be reached directly from the Internet. There will also be automated processes (e.g. crawlers) that gather raw information to be processed later by security analysts. The image below shows the architecture of our Threat Intelligence infrastructure.

I will use a bastion host placed on the public subnet of the VPC to connect to the instance for administration purposes, as well as to tunnel my connection when accessing the web platform. This will be explained in the next article: How to set up your own Threat Intel infrastructure: Part 2.
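The network boundary described above, as an added Terraform example (not code from this article or from the MISP project): it assumes an existing VPC with a public and a private subnet, passed in as variables, and uses placeholders for the MISP AMI id and the administrator's source IP. The bastion instance itself is launched in the public subnet with the bastion security group and is not shown here.

```hcl
variable "vpc_id" {}
variable "private_subnet_id" {}
variable "key_name" {}
variable "admin_cidr" { default = "203.0.113.10/32" } # placeholder: the administrator's source IP
variable "misp_ami" { default = "ami-PLACEHOLDER" }  # placeholder: the MISP AMI id for your region
# Bastion group: the only entry point, and it accepts SSH from the admin IP alone.
resource "aws_security_group" "bastion" {
  vpc_id = var.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# MISP group: SSH and HTTPS only from members of the bastion group, never from a CIDR.
resource "aws_security_group" "misp" {
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = [22, 443]
    content {
      from_port       = ingress.value
      to_port         = ingress.value
      protocol        = "tcp"
      security_groups = [aws_security_group.bastion.id]
    }
  }
  # Outbound stays open so feeds and enrichment modules work (assumes a NAT gateway on the private subnet's route).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# MISP instance: private subnet and no public address, so it is reachable only through the bastion.
resource "aws_instance" "misp" {
  ami                         = var.misp_ami
  instance_type               = "t3.large" # assumption; size it to your workload
  subnet_id                   = var.private_subnet_id
  associate_public_ip_address = false
  vpc_security_group_ids      = [aws_security_group.misp.id]
  key_name                    = var.key_name
}
```

A quick check after `terraform apply` is that the MISP instance reports no public IP and that the MISP group contains no CIDR-based ingress rule, only the reference to the bastion group.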
