A new version of MISP (2.4.109) has been released with a host of new features, improvements, bug fixes and a minor security fix. We strongly advise all users to update their MISP installations to this latest version.
When an analyst inserts information into MISP, it’s very common to start with a set of unstructured indicators/attributes. At a later stage, common structures emerge and combining attributes into objects starts making more and more sense. However, in prior versions the effort spent on attribute creation had to be repeated via the object creation interface, which often led analysts to save time and effort by moving on and leaving the unstructured data as is. To reduce the workload needed to bring structure to prior work, we have now introduced a new feature that allows users to select a set of attributes and automatically propose suitable object templates depending on the combination of types of the selected attributes. These can, in turn, be gathered and processed into the desired object.
We received exhaustive feedback during the FIRST.org CTI conference in London and the ATT&CK EU community workshop at Eurocontrol concerning the ATT&CK integration in MISP. The matrix visualisation has been improved by sorting and reorganising the individual techniques based on their aggregate scores. These statistics can now easily be queried based on time ranges, organisations, tags, along with all other restSearch-enabled filters, to generate ATT&CK-like matrix views.
An issue was discovered in MISP 2.4.108: organisation admins could reset credentials for site admins (organisation admins have the inherent ability to reset passwords for all of their organisation’s users) or impersonate them by reusing their API keys. This could be abused in a situation where the host organisation of an instance decides to use organisation admins to further manage its own users. The potential for abuse is therefore limited to situations where the host organisation of an instance creates lower-privilege organisation admins instead of the usual site admins; so whilst this was indeed in the spirit of what the powers of organisation admins are, we agree that it was a bad design decision. The issue is tracked as CVE-2019-12794. Thanks to Raymond Schippers for the report.
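As an added illustration (not MISP’s own code), the following Python model contrasts the authorisation rule behind CVE-2019-12794 with a hardened one: the pre-fix rule lets an organisation admin manage every user of their organisation, including a site admin, while the hardened rule adds a privilege ceiling so a lower-privilege role can never reset the password or reuse the API key of a higher-privilege one. The `User` fields, the role flags and the function names are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Minimal model of a MISP user: organisation membership plus role flags (assumed)."""
    user_id: int
    org_id: int
    site_admin: bool = False   # instance-wide administrator
    org_admin: bool = False    # organisation administrator


def can_manage_vulnerable(actor: User, target: User) -> bool:
    """Pre-2.4.109 behaviour as described in the advisory (modelled, not MISP's code):
    an org admin may manage every user of their organisation, so a site admin who
    happens to belong to that organisation is covered too."""
    if actor.site_admin:
        return True
    return actor.org_admin and actor.org_id == target.org_id


def can_manage_fixed(actor: User, target: User) -> bool:
    """Hardened rule: same organisation scope, plus a privilege ceiling so that an
    org admin can never act on a site admin's credentials or API key."""
    if actor.site_admin:
        return True
    if not actor.org_admin or actor.org_id != target.org_id:
        return False
    return not target.site_admin   # org admins must not manage site admins


def reset_password(check, actor: User, target: User) -> str:
    """Sensitive action gated by the supplied check; returns an audit-style outcome."""
    if not check(actor, target):
        return f"denied: user {actor.user_id} may not reset user {target.user_id}"
    return f"reset: user {actor.user_id} reset password of user {target.user_id}"


if __name__ == "__main__":
    # Constructed sample: the host organisation (org 1) uses an org admin to manage its users.
    site_admin = User(1, org_id=1, site_admin=True)
    org_admin = User(2, org_id=1, org_admin=True)
    for check in (can_manage_vulnerable, can_manage_fixed):
        print(check.__name__, "->", reset_password(check, org_admin, site_admin))
```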
New default feeds were added in MISP. Don’t hesitate to contact us if you have any idea for new feeds.
We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large.
As always, a detailed and complete changelog is available with all the fixes, changes and improvements.
The next version of MISP will include major changes to the data model by introducing new functionalities that support forensic capabilities, with a special focus on improving the time representation of MISP attributes and objects. The next release will update various tables in the database as usual, but the automatic update might take longer than usual (on larger instances between 30 and 45 minutes) depending on the number of attributes stored in the instance. During the update procedure, MISP will be unavailable until the update is complete. We will notify our users in advance so that they can prepare their upgrade plan for the next release, 2.4.110.