Configs · May 3, 2026 · 3 min read

MISP — Open Source Threat Intelligence and Sharing Platform

A threat intelligence platform for collecting, storing, distributing, and sharing cybersecurity indicators and threat data with other organizations.

Introduction

MISP (Malware Information Sharing Platform) is a threat intelligence platform used by security teams and CERTs to collect, store, and share indicators of compromise (IoCs), threat actor profiles, and attack patterns. It provides structured formats for automated threat data exchange between organizations.

What MISP Does

  • Stores and correlates indicators of compromise (IPs, domains, hashes, emails)
  • Shares threat intelligence with trusted communities via automated synchronization
  • Provides taxonomies, galaxies, and MITRE ATT&CK mappings for enrichment
  • Exports data in STIX, OpenIOC, CSV, and MISP JSON formats
  • Offers a REST API for integration with SIEMs, firewalls, and detection tools

Architecture Overview

MISP is a PHP application backed by MySQL/MariaDB, with a Redis cache for performance and a Python-based worker system (CakeResque) for background jobs. Instances synchronize by pushing and pulling events over HTTPS with API key authentication. A ZeroMQ publisher streams real-time events to subscribers.

Self-Hosting & Configuration

  • Deploy using the official install script on Ubuntu or the Docker Compose stack
  • Configure organizations, sharing groups, and synchronization feeds in the web UI
  • Set up LDAP or OIDC authentication for enterprise single sign-on
  • Enable feeds from public threat intel sources (abuse.ch, CIRCL, Botvrij)
  • Integrate with TheHive, Cortex, or SIEM platforms via the REST API

Key Features

  • Automated correlation engine links related indicators across events
  • MITRE ATT&CK integration maps threats to techniques and tactics
  • Granular sharing controls: organization-only, community, or connected communities
  • Built-in data models for galaxies (threat actors, tools, malware families)
  • PyMISP Python library for scripting and automation
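The correlation engine mentioned above links events that share an indicator value. The following is an added example, not MISP's own correlation code, that models the idea on a handful of constructed events laid out in the shape MISP's REST API returns (an `Event` with an `Attribute` list carrying `type`, `value` and `to_ids`). The set of correlating types is an assumption chosen for the example; free-text types such as `comment` are left out so that an IP pasted into a note does not produce a false link.

```python
"""Toy model of cross-event indicator correlation (added example, not
MISP's implementation).  Events are constructed below in MISP's JSON
layout; none of the values are real threat data."""
from collections import defaultdict

# Constructed sample events in MISP's Event -> Attribute layout.
SAMPLE_EVENTS = [
    {"Event": {"id": "1", "info": "Phishing campaign A", "Attribute": [
        {"type": "domain", "value": "login-example.invalid", "to_ids": True},
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},
    ]}},
    {"Event": {"id": "2", "info": "Malware drop site", "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
        {"type": "url", "value": "http://203.0.113.10/update.bin", "to_ids": True},
    ]}},
    {"Event": {"id": "3", "info": "Credential theft report", "Attribute": [
        {"type": "domain", "value": "login-example.invalid", "to_ids": False},
        {"type": "comment", "value": "203.0.113.10", "to_ids": False},
    ]}},
]

# Attribute types whose values are worth correlating (assumption for this
# example).  Free-text types such as 'comment' are deliberately excluded.
CORRELATING_TYPES = {"domain", "ip-dst", "ip-src", "md5", "sha1", "sha256",
                     "url", "email-src"}


def correlate(events):
    """Return {value: sorted event ids} for every value seen in more than
    one event.  Correlation is independent of to_ids: an analyst may not
    want a value blocked but still wants to know it was seen elsewhere."""
    seen = defaultdict(set)
    for wrapper in events:
        event = wrapper["Event"]
        for attr in event["Attribute"]:
            if attr["type"] in CORRELATING_TYPES:
                seen[attr["value"]].add(event["id"])
    return {value: sorted(ids) for value, ids in seen.items() if len(ids) > 1}


def related_events(events, event_id):
    """Event ids linked to event_id through at least one shared value."""
    related = set()
    for ids in correlate(events).values():
        if event_id in ids:
            related.update(ids)
    related.discard(event_id)
    return sorted(related)


if __name__ == "__main__":
    for value, ids in correlate(SAMPLE_EVENTS).items():
        print(f"{value!r} appears in events {ids}")
    print("events related to 1:", related_events(SAMPLE_EVENTS, "1"))
```

Event 3 is linked to event 1 through the domain even though its copy is not flagged `to_ids`, while the IP written into a `comment` attribute creates no link; that is the distinction between "what is related" and "what should be detected" that the next section's sharing and export controls build on.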

Comparison with Similar Tools

  • OpenCTI — Knowledge graph-based threat intel; more complex deployment, stronger STIX support
  • TheHive — Incident response platform; MISP focuses on intelligence sharing, TheHive on case management
  • YETI — Lightweight threat intel tracker; fewer features, simpler to deploy
  • CrowdSec — Collaborative blocklist engine; focuses on real-time blocking, not analysis
  • Anomali ThreatStream — Commercial threat intel platform; proprietary, managed service

FAQ

Q: Is MISP suitable for small teams? A: Yes. MISP can run on a single server and scales from a single analyst to large CERTs with hundreds of users.

Q: How does threat sharing work? A: MISP instances synchronize events via push/pull over HTTPS. Sharing groups and distribution levels control who sees what data.

Q: Can I integrate MISP with my SIEM? A: Yes. MISP exports indicators via its REST API, ZeroMQ feeds, or direct SIEM integrations for Splunk, Elasticsearch, and QRadar.
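The REST API route to a SIEM that this answer, the "Self-Hosting" list and the "What MISP Does" list all refer to is a single authenticated call. The block below is an added example written with the standard library only (it is not PyMISP or MISP project code): it builds a POST to MISP's `/attributes/restSearch` endpoint with the auth key in the `Authorization` header, restricted to `to_ids` attributes of the requested types, and turns a response into a per-type blocklist. The instance URL and key are placeholders, and the embedded response is constructed in the shape the endpoint returns.

```python
"""Pull IDS-flagged indicators from a MISP instance and shape them for a
SIEM or blocklist consumer.  Added example, not MISP's or PyMISP's code.
MISP_URL and API_KEY are placeholders; SAMPLE_RESPONSE is constructed."""
import json
import urllib.request

MISP_URL = "https://misp.example.invalid"   # placeholder instance
API_KEY = "REPLACE_WITH_AUTH_KEY"            # placeholder auth key


def build_restsearch_request(base_url, api_key, types, last="1d"):
    """Authenticated POST to /attributes/restSearch.

    MISP takes the auth key verbatim in the Authorization header and
    speaks JSON both ways.  'to_ids': 1 limits results to attributes the
    analyst marked as usable for detection; 'last' keeps the pull to
    recently published events so a scheduled job stays cheap."""
    body = {"returnFormat": "json", "type": list(types), "to_ids": 1, "last": last}
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/attributes/restSearch",
        data=json.dumps(body).encode(),
        headers={
            "Authorization": api_key,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        method="POST",
    )


# Constructed response in restSearch's {"response": {"Attribute": [...]}} layout.
SAMPLE_RESPONSE = json.dumps({"response": {"Attribute": [
    {"id": "10", "event_id": "1", "type": "ip-dst", "value": "203.0.113.10",
     "to_ids": True, "category": "Network activity"},
    {"id": "11", "event_id": "1", "type": "domain", "value": "login-example.invalid",
     "to_ids": True, "category": "Network activity"},
    {"id": "12", "event_id": "2", "type": "ip-dst", "value": "203.0.113.10",
     "to_ids": True, "category": "Network activity"},
    {"id": "13", "event_id": "2", "type": "domain", "value": "benign-example.invalid",
     "to_ids": False, "category": "Network activity"},
]}})


def attributes_to_blocklist(response_text):
    """Group distinct to_ids values by attribute type.

    The same IoC often sits in several events (that is what correlation
    surfaces), so values are deduplicated, and the to_ids guard is kept
    even though the query already filters on it, so a relaxed query or a
    stale cached response cannot push a non-actionable value to a sensor."""
    data = json.loads(response_text)
    blocklist = {}
    for attr in data["response"]["Attribute"]:
        if not attr.get("to_ids"):
            continue
        blocklist.setdefault(attr["type"], set()).add(attr["value"])
    return {t: sorted(values) for t, values in blocklist.items()}


def fetch_blocklist(base_url=MISP_URL, api_key=API_KEY, types=("ip-dst", "domain")):
    """Live pull; only works against a real instance with a valid key."""
    req = build_restsearch_request(base_url, api_key, types)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return attributes_to_blocklist(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the constructed response.
    print(attributes_to_blocklist(SAMPLE_RESPONSE))
```

For a scheduled export, `fetch_blocklist()` with a short `last` window is the whole job; the ZeroMQ feed mentioned in the answer is the alternative when the consumer needs attributes the moment they are published rather than on a polling interval.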

Q: What are MISP Galaxies? A: Galaxies are knowledge bases bundled with MISP that describe threat actors, malware, tools, and attack patterns, linked to events for enrichment.
