LLMpedia: The first transparent, open encyclopedia generated by LLMs

MISP

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Tornado IDS Hop 4
MISP
Name: MISP
Developer: CIRCL (Computer Incident Response Center Luxembourg) and the MISP Project community
Released: 2011
Programming language: PHP (CakePHP core), Python (PyMISP, misp-modules)
Operating system: Linux (Ubuntu, Debian, Red Hat Enterprise Linux and derivatives)
License: GNU Affero General Public License v3

MISP (originally the Malware Information Sharing Platform, now branded MISP Threat Sharing) is an open-source platform for storing, sharing and correlating threat intelligence: indicators of compromise, sightings and contextual information about cyber security incidents. It is maintained by CIRCL (Computer Incident Response Center Luxembourg) together with a community of CSIRTs, vendors and researchers, and is used by national and sectoral CERTs, ISACs, law-enforcement and private-sector incident response teams to exchange information that improves detection, analysis and mitigation of malicious activity. The project emphasises structured data (events, attributes, objects, taxonomies and galaxies), automation through a REST API and client libraries, and controlled sharing between organisations.

Overview

MISP provides a collaborative repository in which analysts contribute indicators, sightings and contextual information. Data is structured as events containing attributes (single indicators such as an IP address, domain or file hash) and objects (attributes grouped by a template, for example a file with several hashes), and can be labelled with taxonomies (such as TLP) and galaxies that map to frameworks such as MITRE ATT&CK. Import and export cover STIX 1 and STIX 2, OpenIOC, CSV, YARA and IDS rule formats such as Suricata and Snort, which lets the platform feed network sensors, SIEMs and endpoint tooling from many vendors. MISP deployments commonly interoperate with TheHive and Cortex for case management and automated enrichment, and run on-premises or on cloud providers such as Amazon Web Services, Microsoft Azure and Google Cloud Platform.

History and Development

Initial development began in 2011 within the Belgian Defence CERT, with early contributions from NATO's computer incident response capability; CIRCL later took over maintenance and leads the project today, and development has been co-funded by the European Union's Connecting Europe Facility. Over time, contributions have come from national CSIRTs, academic groups and private-sector vendors. The project is governed as a community-driven open-source effort in which national CERTs, law-enforcement bodies, sector communities and research groups contribute taxonomies, galaxies and object templates alongside core code. Roadmaps have tracked integration with threat frameworks such as MITRE ATT&CK (exposed as galaxies) and OASIS standards (STIX and TAXII), as well as interoperability work with sharing communities such as FIRST.

Architecture and Components

The core server is a PHP application built on the CakePHP framework. It exposes a REST API for CRUD operations on events, attributes, objects, tags, sightings and galaxy clusters, and a synchronisation mechanism (push, pull and feeds) between instances. PyMISP is the official Python client library; misp-modules is a separate Python service providing expansion (enrichment), import and export modules, and misp-stix handles STIX 1 and STIX 2 conversion. Persistent storage uses MySQL or MariaDB, and correlation between attributes is computed in the database as attributes are saved; Redis backs caching and background jobs, and Elasticsearch is an optional target for log shipping rather than the correlation engine. Deployment tooling includes official Docker images and community-maintained Ansible and Puppet roles. Feeds can ingest OSINT sources (for example CIRCL's OSINT feed and abuse.ch trackers) in MISP, CSV or free-text format, and enrichment modules query services such as VirusTotal, Shodan, Censys and PassiveTotal.
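The request and response shape of the REST API described above, as an added example that is not MISP's own code: the client side is a real MISP-style call (API key in the Authorization header, JSON in and out, POST to /events/add and /attributes/restSearch), while the server side is a tiny stand-in that implements only those two endpoints so the exchange runs offline. The API key, the port and the event content are placeholders; a real instance listens on HTTPS and issues keys per user.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

API_KEY = "EXAMPLE-KEY-NOT-REAL"  # placeholder; real keys are issued per user in MISP


class _StandInMISP(BaseHTTPRequestHandler):
    """Minimal stand-in for two MISP endpoints (not MISP itself): /events/add and
    /attributes/restSearch, with MISP's 403 on a missing or wrong Authorization key."""

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.headers.get("Authorization") != API_KEY:
            return self._reply(403, {"name": "Authentication failed.",
                                     "message": "Authentication failed."})
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        store = self.server.store  # events accepted so far, attached in run_demo()
        if self.path == "/events/add":
            event = dict(body["Event"], id=str(len(store) + 1))
            store.append(event)
            return self._reply(200, {"Event": event})
        if self.path == "/attributes/restSearch":
            hits = [a for ev in store for a in ev.get("Attribute", [])
                    if a["value"] == body.get("value")]
            return self._reply(200, {"response": {"Attribute": hits}})
        self._reply(404, {"message": "not found"})

    def log_message(self, *args):  # silence per-request logging
        pass


def misp_call(base_url, api_key, path, payload):
    """One MISP REST call: JSON body in, JSON body out, API key in the Authorization
    header. Returns (status, decoded body); HTTP errors are returned, not raised."""
    req = request.Request(
        base_url + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as exc:
        return exc.code, json.loads(exc.read() or b"{}")


def run_demo():
    """Create an event, then search for its attribute; also show a rejected key."""
    server = HTTPServer(("127.0.0.1", 0), _StandInMISP)
    server.store = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"  # a real instance: https://misp.example
    event = {"Event": {  # constructed sample, shaped like a MISP event
        "info": "Phishing campaign (constructed sample)",
        "distribution": 1,      # 1 = this community only
        "threat_level_id": 2,   # 2 = medium
        "analysis": 1,          # 1 = ongoing
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [{"type": "ip-dst", "category": "Network activity",
                       "value": "203.0.113.7", "to_ids": True}]}}
    try:
        denied = misp_call(base, "wrong-key", "/events/add", event)
        created = misp_call(base, API_KEY, "/events/add", event)
        found = misp_call(base, API_KEY, "/attributes/restSearch",
                          {"value": "203.0.113.7", "returnFormat": "json"})
    finally:
        server.shutdown()
        server.server_close()
    return {"denied_status": denied[0],
            "event_id": created[1]["Event"]["id"],
            "hits": len(found[1]["response"]["Attribute"])}


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the exchange is that MISP authenticates every API call by the per-user key alone, so the key must be treated like a credential: store it outside the code, send it only over TLS, and prefer keys restricted to a source IP range and an expiry date.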

Features and Functionality

Key capabilities include event-based sharing governed by distribution levels (organisation only, this community, connected communities, all, or a named sharing group), attribute-level tagging through taxonomies, sightings that record when an indicator was observed (including false-positive sightings), and automatic correlation of attributes that share a value across events. Each attribute carries a to_ids flag that decides whether it is exported to detection systems. Enrichment plugins in misp-modules query services such as VirusTotal, MaxMind GeoIP, passive DNS and whois providers; galaxies map events and attributes to MITRE ATT&CK techniques; YARA and Sigma rules can be stored as attributes and exported. Role-based access control combines user roles with organisation membership and sharing groups, so that ministries, critical infrastructure operators and other constituents of a shared instance see only what is distributed to them. Import and export support STIX 1.x and 2.x, and the REST API and feeds allow integration with SIEM products such as Splunk and IBM QRadar.
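The distribution levels, correlation and to_ids export described above, as a small added model of the data model rather than MISP's own code. The event JSON is constructed and trimmed to the fields used here; the sharing group "members" list is a simplification of MISP's SharingGroupOrg structure, and the visibility rule ignores the additional ceilings MISP applies when synchronising between instances.

```python
from collections import defaultdict

# MISP distribution levels, as stored on events and attributes.
ORG_ONLY, THIS_COMMUNITY, CONNECTED, ALL, SHARING_GROUP, INHERIT = range(6)

# Comment-like types MISP does not correlate on; the per-attribute
# disable_correlation flag is honoured as well.
NON_CORRELATING = {"comment", "text", "other"}

# Constructed sample data shaped like MISP event JSON (fields trimmed).
EVENTS = [
    {"Event": {"id": "1", "info": "Phishing campaign A", "Orgc": {"name": "CERT-X"},
               "distribution": ALL,
               "Attribute": [
                   {"id": "10", "type": "ip-dst", "value": "203.0.113.7", "to_ids": True,
                    "distribution": INHERIT, "Tag": [{"name": "tlp:amber"}]},
                   {"id": "11", "type": "domain", "value": "login.example.invalid",
                    "to_ids": True, "distribution": INHERIT},
                   {"id": "12", "type": "comment", "value": "203.0.113.7",  # same value, no correlation
                    "to_ids": False, "distribution": INHERIT},
                   {"id": "13", "type": "url", "value": "http://login.example.invalid/x",
                    "to_ids": False, "distribution": SHARING_GROUP,
                    "SharingGroup": {"name": "finance-group", "members": ["CERT-X", "ORG-B"]}},
               ]}},
    {"Event": {"id": "2", "info": "Internal sighting", "Orgc": {"name": "ORG-B"},
               "distribution": ORG_ONLY,
               "Attribute": [
                   {"id": "20", "type": "ip-dst", "value": "203.0.113.7", "to_ids": False,
                    "distribution": THIS_COMMUNITY},
                   {"id": "21", "type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
                    "to_ids": True, "distribution": INHERIT, "disable_correlation": True},
               ]}},
]


def _level_visible(level, owner, org, community, connected, sharing_group):
    """Can `org` see an object at distribution `level` created by `owner`?"""
    if org == owner or level == ALL:
        return True
    if level == ORG_ONLY:
        return False
    if level == THIS_COMMUNITY:
        return org in community
    if level == CONNECTED:
        return org in community or org in connected
    if level == SHARING_GROUP:
        return org in (sharing_group or {}).get("members", ())
    raise ValueError(f"unexpected distribution level {level}")


def visible_to(event_wrapper, attr, org, community, connected=frozenset()):
    """An attribute is visible only if both its event and the attribute itself are;
    INHERIT on the attribute means 'use the event's level and sharing group'."""
    ev = event_wrapper["Event"]
    owner = ev["Orgc"]["name"]
    if not _level_visible(ev["distribution"], owner, org, community, connected,
                          ev.get("SharingGroup")):
        return False
    level, group = attr["distribution"], attr.get("SharingGroup")
    if level == INHERIT:
        level, group = ev["distribution"], ev.get("SharingGroup")
    return _level_visible(level, owner, org, community, connected, group)


def correlate(events):
    """Value -> {(event_id, attribute_id)} for values present in more than one event,
    skipping non-correlating types and attributes with disable_correlation set."""
    seen = defaultdict(set)
    for wrapper in events:
        ev = wrapper["Event"]
        for a in ev["Attribute"]:
            if a["type"] in NON_CORRELATING or a.get("disable_correlation"):
                continue
            seen[a["value"]].add((ev["id"], a["id"]))
    return {v: refs for v, refs in seen.items() if len({e for e, _ in refs}) > 1}


def ids_export(events, types=("ip-dst", "domain", "url"), exclude_tags=("tlp:red",)):
    """Flat, de-duplicated blocklist of to_ids attributes: the shape a firewall or IDS
    feed consumes. Attributes carrying an excluded tag (for example tlp:red) are skipped."""
    out = set()
    for wrapper in events:
        for a in wrapper["Event"]["Attribute"]:
            tags = {t["name"] for t in a.get("Tag", [])}
            if a["to_ids"] and a["type"] in types and not tags & set(exclude_tags):
                out.add(a["value"])
    return sorted(out)


if __name__ == "__main__":
    print(correlate(EVENTS))
    print(ids_export(EVENTS))
```

Note that the comment attribute with the same IP address does not correlate and the md5 with disable_correlation is ignored, while the to_ids flag, not the mere presence of an indicator, decides what reaches a blocklist; attribute 20 carries the same IP but is marked to_ids false, so it adds nothing to the export.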

Use Cases and Deployment

Operational uses span incident response by CSIRTs and corporate security teams in sectors such as aerospace, defence and finance, threat intelligence sharing within sector ISACs and trust groups, and academic research on indicator quality and sharing behaviour. Deployments range from a single-organisation instance to community instances operated by national CSIRTs or ISACs for their constituents, with events synchronised between instances through MISP's push and pull mechanism and bounded by the sharing groups each member belongs to. Integration scenarios include exporting attributes flagged to_ids as blocklists or IDS rules (Suricata, Snort, Zeek, RPZ) for firewalls and sensors from vendors such as Palo Alto Networks and Fortinet, enriching SIEM alerts in ArcSight or QRadar with MISP context, and feeding detection engineering with stored YARA and Sigma rules.

Governance, Community and Adoption

Development is community-driven and coordinated by CIRCL, with contributors from public institutions such as national CERTs and law-enforcement bodies, academia, and private-sector partners. Work happens in the MISP Project's GitHub organisation, where the core, PyMISP, misp-modules and the shared reference data (misp-taxonomies, misp-galaxy, misp-objects) live in separate repositories so that communities can propose their own classification schemes and object templates. Training and community events are held in collaboration with organisations such as FIRST and ENISA, and adoption spans government agencies, multinational corporations and academic research groups, supported by ecosystem partners offering commercial support and managed services.

Operational security for deployments follows common hardening guidance of the kind published by NIST and ENISA: per-user API keys that can be restricted to allowed source IP ranges and given an expiry, TLS in front of the web application, network segmentation, and limiting synchronisation to trusted instances and the sharing groups they are entitled to; security-relevant actions are written to the audit log, which can be shipped to a SIEM. Privacy controls include distribution levels and sharing groups, tagging with the TLP and PAP taxonomies, and event delegation (publishing on behalf of another organisation) to support requirements in regulations such as GDPR and guidance from national data protection authorities such as CNIL. Legal considerations when sharing intelligence involve coordination with law enforcement and national prosecutors where appropriate, adherence to export control regimes, and compliance with cyber incident reporting obligations such as those introduced by EU legislation.

Category:Cyber threat intelligence