Leveraging MISP and TheHive when you create your CTI practice

Many CISOs I speak with across Europe tell me their cybersecurity teams rely on two primary open-source platforms within their security operations (SecOps). The first is the Malware Information Sharing Platform (MISP), which stores indicators of compromise (IoCs) and shares them with other MISP users.

The second is TheHive, designed for security incident response (IR). The two solutions are tightly integrated. They allow SOCs, CERTs and any security practitioner to act more quickly when incidents happen.

For organisations with limited resources or just beginning to build a SecOps practice, MISP and TheHive are easy-to-use tools to help your teams react to malicious threats. The next step is to proactively mitigate risk from the full breadth of threats your organisation is facing. Leverage MISP and TheHive to create a cyber threat intelligence (CTI) practice.

Five essential capabilities for a CTI Practice

To do this, you need to consider a third platform that integrates with these two solutions. It will provide five essential capabilities for a CTI practice so your teams can get ahead of threats.

1. Aggregate all the data you need.

To gain a comprehensive understanding of the threats you are facing, you need to gather internal data from across the entire ecosystem. That includes telemetry, content and data created by each layer in your security architecture, on-premises and in the cloud. With the right internal threat and event data aggregated in a platform that serves as a central repository, you then need to augment and enrich it with external threat data. That will come from multiple sources you subscribe to – open source (MISP and others), commercial, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK.

Out-of-the-box connectors make this easy, but you also need custom connectors that can be written and deployed within hours to ingest data from new sources as new crises and outbreaks occur, for example the SolarWinds Orion security breach. Together, these connectors let you organise and structure relationships across the entire pyramid of pain: starting at the bottom with basic indicators, and extending to malware families and campaigns, adversaries, and tactics, techniques and procedures (TTPs). As a result, the value security teams can derive from threat intelligence to understand the adversary increases dramatically.

2. Make threat data usable for analysis and action.

With all your threat data in one manageable location, now you need to understand where to focus your resources to mitigate risk. To start, the platform must automatically deduplicate and normalise the data so that it is in a uniform format for analysis and action. These threat feeds will inevitably contain some data that isn’t relevant to your organisation. You need the ability to score and prioritise threat data based on your definition of priority. It will allow you to filter out noise automatically.

You also need expiration strategies that account for the fact that different pieces of intelligence have different life cycles, so that the threat intelligence you hold remains accurate and timely. This allows you to focus on what matters to your organisation and send relevant threat intelligence directly to your sensor grid (firewalls, IPS/IDS, routers, endpoint, and web and email security) to harden security controls for a better defensive posture.
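As an added illustration of the deduplicate, normalise, score and expire steps described in this section (example code written for this article, not ThreatQuotient's, MISP's or TheHive's own code), the following Python merges two constructed MISP-style event payloads into one prioritised list. The scoring weights and per-type life cycles in MAX_AGE_DAYS are assumed policy choices, not defaults of any product.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: two MISP-style events (not real feed data). Timestamps are
# epoch strings as MISP emits them; addresses are RFC 5737 documentation ranges.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)

def _ts(days_ago):
    return str(int((NOW - timedelta(days=days_ago)).timestamp()))

SAMPLE_EVENTS = [
    {"Event": {"info": "Constructed feed A", "Attribute": [
        {"type": "ip-dst", "value": "192.0.2.10", "timestamp": _ts(2), "to_ids": True},
        {"type": "ip-dst", "value": "198.51.100.7", "timestamp": _ts(30), "to_ids": True},
        {"type": "domain", "value": "Example.TEST ", "timestamp": _ts(40), "to_ids": True},
        {"type": "sha256", "value": "AA" * 32, "timestamp": _ts(5), "to_ids": True},
    ]}},
    {"Event": {"info": "Constructed feed B", "Attribute": [
        {"type": "ip-dst", "value": "192.0.2.10", "timestamp": _ts(1), "to_ids": True},
        {"type": "domain", "value": "example.test", "timestamp": _ts(3), "to_ids": False},
    ]}},
]
# Per-type life cycles in days (assumed policy, not a MISP default): IPs churn
# fast, domains live longer, file hashes are effectively permanent.
MAX_AGE_DAYS = {"ip-dst": 14, "ip-src": 14, "domain": 60, "sha256": 3650}

def normalise(attr):
    """Canonical form so the same indicator from two feeds compares equal."""
    value = attr["value"].strip()
    if attr["type"] in ("domain", "hostname", "md5", "sha1", "sha256"):
        value = value.lower()
    return {"type": attr["type"], "value": value, "to_ids": bool(attr.get("to_ids")),
            "seen": datetime.fromtimestamp(int(attr["timestamp"]), timezone.utc)}

def aggregate(events, now=NOW):
    """Merge feeds, dedupe on (type, value), expire stale entries, score the rest."""
    merged = {}
    for ev in events:
        for raw in ev["Event"]["Attribute"]:
            a = normalise(raw)
            m = merged.setdefault((a["type"], a["value"]), dict(a, sources=0))
            m["sources"] += 1                      # corroboration across feeds
            m["seen"] = max(m["seen"], a["seen"])  # keep the latest sighting
            m["to_ids"] |= a["to_ids"]
    live = []
    for m in merged.values():
        age = (now - m["seen"]).days
        if age > MAX_AGE_DAYS.get(m["type"], 30):
            continue                               # past its life cycle: drop it
        m["score"] = m["sources"] * 10 + (5 if m["to_ids"] else 0) + max(0, 10 - age)
        live.append(m)
    return sorted(live, key=lambda m: m["score"], reverse=True)
```

The IP seen in both feeds ranks first because corroboration and recency dominate the score, while the 30-day-old IP is expired even though it is still present in the raw feed.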

3. Build organisational memory.

This central repository is a structured library that also serves as organisational memory for learning and improvement. As new data and learnings are added to the library, from the MISP community, TheHive, your internal tools, your analysts and other trusted sources, intelligence is automatically reevaluated and reprioritised.

The CTI program continues to improve by maintaining trusted and timely information, and the library helps accelerate actions. For example, an analyst who is new to a specific threat or campaign can benefit from this shared knowledge and from the techniques that accelerated prior analysis, decision-making and actions.

4. Support additional use cases.

Threat intelligence is the lifeblood of security operations. Beyond the obvious use case of threat intelligence management, a CTI program allows you to address other top use cases. Integrating with TheHive allows you to support incident response.

It can also integrate with an ecosystem of tools to support other use cases. These include spear phishing, threat hunting, alert triage and vulnerability management. In each of these use cases, context is critical to understanding the who, what, where, when, why and how of an attack. With the ability to analyse multi-source threat intelligence and determine relevance and priority, you can determine the right actions to take and take them faster.

5. Enhance reporting.

Within the platform, real-time dashboards provide the data, metrics and status updates important for each specific stakeholder to monitor. You can provide regular reports to executive leadership with KPIs that are important to them. You also have immediate access to relevant intelligence organised in one location for ad hoc reporting on the latest threat. When an attack happens, you can be ready with information about who is attacking you, what you know, and the steps you are taking to mitigate damage.

MISP and TheHive can accelerate IR

MISP is a great source for information sharing. And connecting with TheHive accelerates incident response which is a priority for many organisations. Leveraging the two solutions to create a CTI program takes your SecOps to the next level. With a platform that works with both and is purpose-built for threat-centric security operations, your security teams aren’t just reacting to threats but proactively mitigating risk and even anticipating and preventing attacks.


ThreatQuotient's mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization's existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient's solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.
