Introduction to MISP
The primary purpose of using cyber threat intelligence (CTI) in the SAFETY4RAILS Information System (S4RIS) platform is to anticipate the expected and potential threats its users may face, so that effective countermeasures to the identified threats can be developed and applied. MISP (Open Source Threat Intelligence and Sharing Platform, formerly known as Malware Information Sharing Platform, https://misp-standard.org/) gives the customer a single platform for accessing threat information. The platform stores and shares up-to-date threat information, which can be correlated to warn both transport operators and IT-sector actors about potential cyber threats.
MISP is an open-source platform optimised for system developers, operators, and users. The implemented functionalities are well documented and supported in the MISP development and maintenance project for the long term, led by CIRCL (Computer Incident Response Center Luxembourg). The system is actively used by renowned organisations worldwide, both on the military side (NATO) and on the civilian side, with a wide range of users, from state-level cyber defence organisations such as CERTs (Computer Emergency Response Teams) or CSIRTs (Computer Security Incident Response Teams) to major players in the IT sector, such as banks or ICT service providers.
MISP manages cyber threat information in the form of indicators of compromise (IoCs), covering both host (operating-system) and network indicators. It supports forensics-based investigation by skilled security incident analysts, in line with the SANS DFIR (Digital Forensics, Incident Response and Threat Hunting) recommendations.
The platform enables efficient sharing of detected cyber-attacks and cyber threats. Within the MISP architecture this information can be accessed flexibly, either through simple free-text searches or through correlation across the data shared on the platform.
The outputs of MISP searches and correlations can be made available automatically on any client's server as soon as they appear on the MISP instance. In the S4RIS platform, however, an extra level of analysis and filtering is applied before alarms are shared through the S4RIS Distributed Messaging System (DMS) with further tools, in particular the S4RIS main decision support system RAM2.
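The following is an added example, not code from the S4RIS project, MISP or CyberServices, of what such a filtering layer can look like: it builds a query for MISP's public `POST /attributes/restSearch` endpoint, and then reduces the returned attributes to alarms before they would be handed to a messaging system. The filtering thresholds (blocking TLP tags, accepted indicator types, maximum threat level), the alarm dictionary layout and the sample attribute records are assumptions chosen for illustration; only the endpoint, headers and JSON field names follow the MISP API.

```python
"""Filter MISP restSearch results into alarms before forwarding them.

Added example (not S4RIS/MISP/CyberServices code). The policy constants, the
alarm layout and SAMPLE_ATTRIBUTES are illustrative assumptions.
"""
import json
import urllib.request

# Assumption: indicators tagged with these TLP labels must not leave the platform.
BLOCKING_TAGS = {"tlp:red", "tlp:amber+strict"}
# Assumption: only these MISP attribute types are turned into alarms.
ALARM_TYPES = {"ip-dst", "ip-src", "domain", "url", "sha256", "md5"}
# MISP threat_level_id: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined.
MAX_THREAT_LEVEL_ID = 2  # assumption: forward High and Medium only


def build_restsearch_body(since_hours: int = 24) -> dict:
    """Request body for POST /attributes/restSearch (MISP public API)."""
    return {
        "returnFormat": "json",
        "to_ids": 1,                 # only detection-grade indicators
        "published": 1,              # only published events
        "last": f"{since_hours}h",   # published within the last N hours
        "includeEventTags": 1,       # carry event-level tags on each attribute
        "type": sorted(ALARM_TYPES),
    }


def fetch_attributes(base_url: str, api_key: str, body: dict, timeout: int = 30) -> list:
    """Run the search against a live MISP instance (network access required)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/attributes/restSearch",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key,
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["response"]["Attribute"]


def attribute_tags(attr: dict) -> set:
    """Lower-cased tag names from the attribute and, if present, its event."""
    tags = {t["name"].lower() for t in attr.get("Tag", [])}
    tags |= {t["name"].lower() for t in attr.get("Event", {}).get("Tag", [])}
    return tags


def to_alarms(attributes: list) -> list:
    """Apply the sharing policy and return de-duplicated alarm records."""
    alarms, seen = [], set()
    for attr in attributes:
        if attr.get("type") not in ALARM_TYPES or not attr.get("to_ids"):
            continue
        tags = attribute_tags(attr)
        if tags & BLOCKING_TAGS:            # respect TLP before anything leaves
            continue
        event = attr.get("Event", {})
        if int(event.get("threat_level_id", 4)) > MAX_THREAT_LEVEL_ID:
            continue
        key = (attr["type"], attr["value"])  # same IoC in two events -> one alarm
        if key in seen:
            continue
        seen.add(key)
        alarms.append({                      # assumed alarm layout for the DMS
            "source": "MISP",
            "indicator_type": attr["type"],
            "indicator": attr["value"],
            "misp_event_id": str(event.get("id", attr.get("event_id"))),
            "event_info": event.get("info", ""),
            "threat_level_id": int(event.get("threat_level_id", 4)),
            "tags": sorted(tags),
        })
    return alarms


# Constructed sample in the shape MISP returns; IPs/domains are documentation ranges.
SAMPLE_ATTRIBUTES = [
    {"id": "1", "event_id": "10", "type": "ip-dst", "value": "203.0.113.10", "to_ids": True,
     "Tag": [{"name": "tlp:amber"}],
     "Event": {"id": "10", "info": "C2 infrastructure", "threat_level_id": "1"}},
    {"id": "2", "event_id": "11", "type": "domain", "value": "bad.example.com", "to_ids": True,
     "Tag": [{"name": "tlp:red"}],
     "Event": {"id": "11", "info": "restricted report", "threat_level_id": "1"}},
    {"id": "3", "event_id": "12", "type": "sha256", "value": "a" * 64, "to_ids": False,
     "Event": {"id": "12", "info": "unverified sample", "threat_level_id": "1"}},
    {"id": "4", "event_id": "13", "type": "url", "value": "http://example.org/x", "to_ids": True,
     "Event": {"id": "13", "info": "low priority", "threat_level_id": "3"}},
    {"id": "5", "event_id": "14", "type": "ip-dst", "value": "203.0.113.10", "to_ids": True,
     "Event": {"id": "14", "info": "duplicate sighting", "threat_level_id": "2"}},
    {"id": "6", "event_id": "15", "type": "ip-src", "value": "198.51.100.7", "to_ids": True,
     "Tag": [{"name": "tlp:green"}],
     "Event": {"id": "15", "info": "scanning source", "threat_level_id": "2"}},
]

if __name__ == "__main__":
    print(json.dumps(to_alarms(SAMPLE_ATTRIBUTES), indent=2))
```

Run against a live instance by replacing `SAMPLE_ATTRIBUTES` with `fetch_attributes(url, key, build_restsearch_body())`; the TLP check is applied locally on purpose, so a misconfigured search filter cannot leak restricted indicators onto the message bus.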
The S4RIS uses a MISP (Open Source Threat Intelligence and Sharing Platform) server installed at the site where the current CTI (Cyber Threat Intelligence) information is hosted. Through this service, the S4RIS user has access to up-to-date open-source threat and vulnerability information, which enables the user to develop and implement effective countermeasures, i.e., to manage the short-, medium- and long-term risks to information security and their extent.
CyberServices in the S4R project
As the SAFETY4RAILS project evolved, CyberServices was entrusted with the implementation and configuration of MISP. Substantial discussions were held with the project partners most concerned, mainly INNO and TREE, to identify the potential of the proposed component architecture and its possible limitations. The outcome of our discussions can be found in deliverable D4.3. In addition, CyberServices has completed the evaluation of the connectors described in that document and successfully deployed MISP. MISP will continue to be managed by CyberServices; it receives data from the TISAIL tool and transmits it to the S4RIS platform.
CyberServices, October 2022