Sometime last year, Soltra was starting to go through some interesting times and as such I started looking into new intel sharing platforms. Soltra has since been purchased by NC4 and now the free version of Soltra only allows consumption of indicators with no capabilities to contribute. If you are interested in taking a look at what Soltra may have to offer your group/company, click here to check them out. The tool was great for the time that we have used it and I’m sure it’s just getting better and better now that there’s cash flow in the project.
So where does that take us? Well I looked at the self-proclaimed replacement of Soltra called Staxx but found that it doesn’t allow me to really contribute the way I’d like to. I do want to say that Anomali is doing good work in the field and I think they have some great things with their other products but, really, there has to be a solid free way to share intel that isn’t a huge pain in the rear (or wallet). Enter MISP.
MISP is the Malware Information Sharing Platform and does exactly what the name suggests. It has a great API, capabilities to add users and groups and share indicators based on who needs that data-set, pretty easy to setup and overall has some amazing utilities for being able to import indicators and observables. The free-form text parser is absolutely incredible and has been able to identify all of the indicators I have thrown at it whether it’s registry keys, an IP, domains, hashes, a uri or straight filenames. I will be making another post after I have built a python script that can be used to pull out the indicators we have stored from a few of our previous posts which will also contain the conclusion of the analysis from the last Something Phishy. Our intel feed is going to continue to exist at https://intelfeed.malwerewolf.com/ and we hope you can find some interesting stuff on your network with the intel we are sharing. Below is a quick snippet of how the data is displayed in the web GUI.