Using MISP to share vulnerability information efficiently

Posted 09 Jan 2018

Software and hardware vulnerabilities are often discussed, shared, prepared, analysed and reviewed before publication. This process can be tedious as it often includes multiple exchanges between the parties involved, including reporters, proxy-reporters, coordinators, editors and even impacted parties. Some vulnerabilities might be shared and exchanged among trusted parties for months before being officially disclosed. This can generate a significant workload for the staff working in a security team, vulnerability assessment team or CNA (CVE Numbering Authority).

As MISP provides a complete set of functionalities for sharing information, sharing and collaborating on security vulnerabilities within a trusted group is as easy as sharing indicators.

MISP Objects

MISP objects provide a flexible way to describe combined information using a simple templating system. There is already a vulnerability object which covers the most common cases used by organisations such as CSIRTs, security teams or security assessment teams. If you have a specific use-case of vulnerability information to share, a MISP object can also be built from a custom template in a matter of minutes.

How to share vulnerability information within MISP with a trusted group

Sharing a set of vulnerabilities with a trusted group is straightforward. First, you create an event which will contain one or more vulnerabilities and assign the corresponding sharing group. An event is just a container with meta-data associated with it, such as a classification or a generic description.

Once the event is created, attributes or objects can be attached to it. If you want to share vulnerability information, a vulnerability object can be added to describe the vulnerability.

The vulnerability object is composed of various attributes, such as the vulnerable configuration expressed as a CPE value, which can be added multiple times if you have different vulnerable configurations.

Another effective aspect of pre-sharing vulnerabilities within MISP is the Globally Unique Identifier (GUID) allocated to each attribute. This allows efficient sharing without the need to allocate a unique identifier. If a CVE is allocated afterwards, this has no impact on the event when the vulnerability identifiers are set.

A significant benefit is also the ability to switch the sharing and distribution in one click when the vulnerability becomes public or the status changes from embargo to publish.
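
The steps above, sketched as an added example (not code from the MISP project): it builds an embargoed event in MISP's JSON layout, later adds a CVE identifier and lifts the embargo, and shows that the existing UUIDs do not change. Assumptions: the distribution levels (3 all communities, 4 sharing group, 5 inherit), the object relation names and types (check them against the vulnerability template on your instance), the sharing group id 7, the constructed CPE value and the placeholder CVE-0000-0000.

```python
import json
import uuid

# MISP distribution levels used here (assumed); level 4 needs a sharing_group_id.
ALL_COMMUNITIES, SHARING_GROUP, INHERIT = 3, 4, 5

def attribute(relation, attr_type, value):
    """Object attribute with a locally allocated UUID (no central registry)."""
    return {"uuid": str(uuid.uuid4()), "object_relation": relation,
            "type": attr_type, "value": value, "distribution": INHERIT}

def embargoed_event(info, sharing_group_id, summary, cpes):
    """Unpublished event limited to one sharing group, one vulnerability object."""
    attrs = [attribute("summary", "text", summary)]
    # Assumed relation name and type; one attribute per vulnerable configuration.
    attrs += [attribute("vulnerable-configuration", "cpe", c) for c in cpes]
    obj = {"uuid": str(uuid.uuid4()), "name": "vulnerability",
           "meta-category": "vulnerability", "distribution": INHERIT,
           "Attribute": attrs}
    return {"Event": {"uuid": str(uuid.uuid4()), "info": info,
                      "published": False, "distribution": SHARING_GROUP,
                      "sharing_group_id": sharing_group_id, "Object": [obj]}}

def assign_cve(event, cve_id):
    """A CVE allocated later is one more attribute; existing UUIDs are kept."""
    attrs = event["Event"]["Object"][0]["Attribute"]
    attrs.append(attribute("id", "vulnerability", cve_id))

def lift_embargo(event):
    """Embargo to public: change the event distribution and mark it published."""
    event["Event"].update(distribution=ALL_COMMUNITIES, sharing_group_id=0,
                          published=True)

def uuids(event):
    """Every UUID in the event, for comparing before and after a change."""
    ev = event["Event"]
    found = {ev["uuid"]}
    for obj in ev["Object"]:
        found |= {obj["uuid"]} | {a["uuid"] for a in obj["Attribute"]}
    return found

if __name__ == "__main__":
    # Constructed sample values; CVE-0000-0000 is a placeholder identifier.
    ev = embargoed_event("Constructed pre-disclosure report", 7,
                         "Constructed summary",
                         ["cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"])
    assign_cve(ev, "CVE-0000-0000")
    lift_embargo(ev)
    print(json.dumps(ev, indent=2))
```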

Don’t hesitate to contact us if you have other models of vulnerability information distribution or any improvements.