
I don’t have much interest in an argument, but want to clarify, I’m not talking about security concerns of “live” vs inert malware. My point is that storing file blobs in a row-oriented relational database often comes with problems, creating performance issues and leading to scalability limits. With the malware corpus my org has, that was a real concern.

I agree that the point of these tools is operationalizing CTI and the benefit of doing that with any tool exceeds not doing it. But ultimately my org has been much better off with custom management of our malware and then using OpenCTI to record CTI, and I think folks interested in MISP should check out OpenCTI as a possible alternative.



That's a valid concern. It makes a lot of sense to store files separately on a dedicated file server; your TIP should only track hashes.

I have heard both good and bad things about OpenCTI. But you can say the same about MISP as well. I agree people should check out both. But IMO, I have seen people pick a TIP like this without a long-term evaluation and it always ends up with some important thing you want to do with it but that isn't possible, practical or supported. I think there are better platforms than MISP (depending on use case), but if you just have a bunch of intel and you want to put it somewhere and let the rest of your security stack integrate to operationalize that data, MISP is the best. Then see if all the other platforms can meet the same needs and if your team and resources can save time/money without it.

I also like how I don't have to worry about MISP taking a radically different direction (TheHive and their DBMS, for example) or losing support down the road (Cuckoo and its many forks!) because someone is paying to support it. Love the devs too, they don't get enough praise!
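The split both commenters land on, sample bytes on a file store and only hashes plus metadata in the relational database, is easy to sketch. The following is an added example, not code from either commenter, MISP or OpenCTI: a small content-addressed store where each blob is written to a directory tree keyed by its SHA-256, written atomically via a temp file and rename, deduplicated by digest, and verified against its digest on read so a tampered or corrupted file is detected rather than silently served. The SQLite table stands in for the TIP's relational side; the `source` column and the `demo()` driver are assumptions for illustration, and the sample bytes are constructed, not real samples.

```python
import hashlib
import os
import sqlite3
import tempfile


def sha256_hex(data):
    """Hex SHA-256 of a byte string; this is the only identifier the DB ever stores."""
    return hashlib.sha256(data).hexdigest()


class SampleStore:
    """Blob bytes live under blob_root, keyed by digest; SQLite holds metadata only."""

    def __init__(self, blob_root, db_path):
        self.blob_root = blob_root
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS samples ("
            " sha256 TEXT PRIMARY KEY,"
            " size INTEGER NOT NULL,"
            " source TEXT,"  # assumed column: where the sample came from
            " first_seen TEXT DEFAULT CURRENT_TIMESTAMP)"
        )
        self.conn.commit()

    def _blob_path(self, digest):
        # Two-level fan-out (ab/cd/abcd...) keeps any single directory small
        # even with a large corpus.
        return os.path.join(self.blob_root, digest[:2], digest[2:4], digest)

    def put(self, data, source):
        """Store a blob. Returns (digest, created); created is False on dedup."""
        digest = sha256_hex(data)
        path = self._blob_path(digest)
        created = False
        if not os.path.exists(path):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            tmp = path + ".tmp"
            with open(tmp, "wb") as fh:
                fh.write(data)
            os.replace(tmp, path)  # atomic: readers never see a partial blob
            created = True
        # The row carries only the hash and metadata, never the bytes.
        self.conn.execute(
            "INSERT OR IGNORE INTO samples (sha256, size, source) VALUES (?, ?, ?)",
            (digest, len(data), source),
        )
        self.conn.commit()
        return digest, created

    def has(self, digest):
        row = self.conn.execute(
            "SELECT 1 FROM samples WHERE sha256 = ?", (digest,)
        ).fetchone()
        return row is not None

    def get(self, digest):
        """Read a blob back and verify it still matches its digest."""
        with open(self._blob_path(digest), "rb") as fh:
            data = fh.read()
        if sha256_hex(data) != digest:
            raise ValueError("blob integrity check failed for %s" % digest)
        return data

    def count(self):
        return self.conn.execute("SELECT COUNT(*) FROM samples").fetchone()[0]


def demo():
    """Exercise dedup, round-trip and integrity detection on constructed input."""
    root = tempfile.mkdtemp()
    store = SampleStore(os.path.join(root, "blobs"), os.path.join(root, "tip.db"))
    sample = b"constructed sample bytes #1 (not malware)"  # constructed input
    digest, created_first = store.put(sample, "constructed-feed")
    _, created_again = store.put(sample, "constructed-feed")  # same bytes: dedup
    roundtrip = store.get(digest)
    # Simulate on-disk corruption of the blob and confirm get() refuses it.
    with open(store._blob_path(digest), "ab") as fh:
        fh.write(b"X")
    try:
        store.get(digest)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "digest": digest,
        "created_first": created_first,
        "created_again": created_again,
        "roundtrip_ok": roundtrip == sample,
        "rows": store.count(),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The integrity check on read is the part worth keeping: once blobs live outside the database, the hash in the row is the only thing tying a record to its bytes, so verifying it on every fetch is what lets the TIP trust a file server it does not control.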



