MISP Threat Sharing

MISP Threat Sharing (MISP), Malware Information Sharing Platform is an open source threat intelligence platform. The project develops utilities and documentation for more effective threat intelligence, by sharing indicators of compromise. There are several organizations who run MISP instances, who are listed on the website.

History
This project started around June 2011 when Christophe Vandeplas had a frustration that way too many Indicators of Compromise (IOCs) were shared by email, or in pdf documents and were not parsable by automatic machines. So at home he started to play around with CakePHP and made a proof of concept of his idea. He called it CyDefSIG: Cyber Defence Signatures.

Mid July 2011 he presented his personal project at work (Belgian Defence) where the feedback was rather positive. After giving access to CyDefSIG running on his personal server the Belgian Defence started to use CyDefSIG officially starting mid August 2011. Christophe was then allowed to spend some time on CyDefSIG during his work-hours, while still working on it at home.

At some point NATO heard about this project. In January 2012 a first presentation was done to introduce them in more depth to the project. They looked at other products that the market offered, but it seemed they deemed the openness of CyDefSIG to be of a great advantage. Andrzej Dereszowski was the first part-time developer from NATO side.

One thing led to another and some months later NATO hired a full-time developer to improve the code and add more features. A collaborative development started from that date. As with many personal projects the license was not explicitly written yet, it was collaboratively decided that the project would be released publicly under the Affero GPL license. This to share the code with as many people as possible and to protect it from any harm.

The project was then renamed to MISP: Malware Information Sharing Project, a name invented by Alex Vandurme from NATO.

In January 2013 Andras Iklody became the main full-time developer of MISP, during the day initially hired by NATO and during the evening and week-end contributor to an open source project.

Meanwhile other organisations started to adopt the software and promoted it around the CERT world (CERT-EU, CIRCL, and many others).

Nowadays, Andras Iklody is the lead developer of the MISP project and works for CIRCL.

As the MISP project expanded, MISP is not only covering the malware indicators but also fraud or vulnerability information. The name is now MISP Threat Sharing, which includes the core MISP software and a myriad of tools (PyMISP) and format (core format, MISP taxonomies, warning-lists) to support MISP. MISP is now a community project led by a team of volunteers.

Funding
The project is funded by the European Union (through the Connecting Europe Facility ) and the Computer Incident Response Center Luxembourg.

Intelligence Integration
Indicators of compromise which are managed by MISP may originate from a variety of sources; including internal incident investigation teams, intelligence sharing partners or commercial intelligence sources. Commercial sources with integration to MISP include Symantec's DeepSight Intelligence (now called Broadcom), Kaspersky threat feeds and McAfee Active Response. MISP integrations with open-source and commercial threat intelligence platforms include the ThreatQuotient Platform and EclecticIQ Platform.