BruCON 0x0E

Just like many organizations, we are ingesting Threat Intelligence from a number of different sources. Very frequently however, we notice that the data received is lacking context or generates a lot of false positives (which in turn causes alert fatigue). In this talk we would like to demonstrate how we achieved to get around this problem by setting up a MISP ecosystem backed by a number of automation scripts and processes that support us in the curation and contextualization of individual events.

This dedicated MISP ecosystem consists of multiple MISP instance and ZeroMQ scripts. In conjunction with the extensive use of the MISP tagging features and workflow procedures, we were able to set up a curation process that not only saves us a lot of time, but also provides a clean feed of directly actionable threat intelligence. A happy side effect of this setup was that it allowed us to instill a full TI feedback loop between the SOC, Incident response team and our malware analysts.

Attendees will learn how we at NVISO have set up a functional MISP architecture and operational curation process. The attendees will then be able to duplicate this setup in their own organization to ensure an optimal threat intelligence feedback loop and workflow.