MISP Exercise 6

MISP Lab 06: Sharing

1. Introduction

This is probably the most difficult of all the MISP labs. In this lab you will learn one of the key functions of MISP. MISP uses a complex sharing model that allows you to distribute events between multiple communities, organisations and sites (also known as MISP instances). It is important that you stay focused during the lab, because you might get confused if you don't follow the steps exactly.

The goal of this lab is for you to understand the MISP sharing model in all its aspects. You should also be able to apply what you have learned in a corporate environment.

2. Setup

Start the Docker image:

cd /home/hacker/misp-docker-image
docker-compose up

Login with the following credentials:

Connect to MISP by opening your preferred web browser and open the url http://instance-a.misp.localhost.

The MISP instance initialises all labs. Please wait until you are able to see the Hacking-Lab icon.

User: investigator-org-a@instance-a.misp-lab6.com Password: compass

3. Introduction to the MISP Sharing model

If you do some research about MISP, you quickly come across the MISP Sharing Model. It is an illustration of how the sharing philosophy works in a MISP environment.

4. Sharing inside the community

You are already logged in as user investigator-org-a@instance-a.misp-lab6.com. You probably noticed that the username differs from those in the previous labs.

The usernames in this lab are composed in the following format:

Role-org-X@instance-X.misp-lab6.com

The format should help you understand which organisation and site you are currently logged in to.

As you can see on the MISP Sharing Model illustration above, you are connected as an investigator (normal user) in the organisation A at the MISP instance A.

When you list your current events, take a look at the distribution level!

Please open a new incognito tab in your browser and navigate to http://instance-a.misp.localhost. Then log in as:

user: investigator-org-b@instance-a.misp-lab6.com password: compass

After you have logged in successfully and navigated to the events page in MISP (by pressing the L key), you shouldn't see any events.

Now it's time to share the event from organisation A to organisation B. The green arrow in the MISP Sharing Model illustrates the direction in which you are sharing the event in this step.

Go back to your first (non-incognito) browser tab, where the investigator-org-a@instance-a.misp-lab6.com user is logged in. Click on the Edit button of your event.

Currently the Distribution field is set to Your organisation only. This means that your event is currently only shared within the organisation. Click on the field and choose This community only from the dropdown window. Press the Submit button to continue.

Attributes and objects do not have to have the same distribution level as their event.

In this example, that means that only the event is distributed to the community. The attribute won't be visible to others, because its distribution level is set to organisation only. To change that, hover over the organisation field in the attribute and click on the edit button to the right of it.

Once the dropdown window appears, select Inherit and submit it by clicking on the checkbox. Inherit means that the attribute uses the same distribution level as its event.

Now, refresh the second browser tab, where the investigator-org-b@instance-a.misp-lab6.com user is logged in. If the Hello World appeared, congratulations! You have shared your first event in the MISP community.

5. Create a new synchronisation user

In MISP, users are assigned different roles.

In this step you are going to create a new synchronisation user.

Close the incognito browser tab, press the Log out button in the top right corner of your remaining browser window and log in with the following credentials:

user: admin@misp-lab.com password: compass

You are now the administrator of the whole MISP instance A. Click on Administration -> List Users

MISP shows you all users on this instance. In order to share events, you need to add a new sync user, so click on Add User

Fill in the provided information in the form:

Email sync-org-b@instance-a.misp-lab6.com

Organisation lab6-org-B

Role Sync user

Deselect all the checkboxes and then click on Create user

The new sync user appears in your user index. Click on the little Eye button to display its details.

Please click on Auth keys and then on the Add authentication key button.

Auth key: QY5JeRIfxNcEw4VhljigCs1qPeqUGuP5C84mMAvX

Next, please click on lab6-org-B in order to display all information about the organisation of the sync user.

Please write down the UUID and Organisation name somewhere. You are going to need them together with the auth key in the next step.

UUID: 600cf190-89a2-4db1-aec6-ddc0f76063ad

Organisation name: lab6-org-B

6. Add a server

Take a look at the illustration below. The Org B appears twice. Once on instance A and once on instance B.

Open a new browser tab and navigate to http://instance-b.misp.localhost

Login with the provided credentials:

user: admin@misp-lab.com password: compass

Then navigate to Sync Actions -> List Servers

The page is currently empty. Add a new server by clicking on the New Servers button.

Then check the checkboxes Pull and Self Signed.

After you have pressed the Submit button, MISP will display the newly added server. To check the connection between the two instances, click Run and View

7. Share inside org on different instances

After you have connected the server successfully, the instances are ready to share events. In this step, you are going to share an event from Org B on Instance A to Org B on Instance B. Take a look at the illustration with the green arrow for your understanding.

Press the Log out button in the instance A (http://instance-a.misp.localhost) browser tab. You are currently logged in there as instance-admin. Then log in as a publisher user:

user: publisher-org-b@instance-a.misp-lab6.com password: compass

After a successful login, navigate to events and add a new event by clicking on the Add Event button.

The event has been saved. Add a new attribute.

Fill in the provided information:

Category Internal reference

Type text

Distribution Inherit event

Value Hello World from Org B on Instance A

Your event is now ready to be published. Since you are logged in as a publisher user, the Publish Event button can now be pressed.

Don't worry about the Publish (no email) button. You can't send any emails from your local lab environment, so it doesn't matter which button you press.

In a production MISP environment, all users in organisation B who have enabled email alerts would receive a notification. If you only fix a typo in the event, for example, use the Publish (no email) button so that you don't spam everyone!

MISP will now share the event automatically for you. The synchronisation frequency can be adjusted by the instance administrator. The lowest synchronisation frequency is 1 hour. If you don't want to wait at least 1 hour, there is a little trick to force a sync...

Go back to your other browser tab, where the instance-admin is logged in to instance B. If you already closed the window, here are the credentials again:

URL: http://instance-b.misp.localhost

user: admin@misp-lab.com password: compass

Navigate back to Servers by clicking Sync Actions -> List Servers if you are currently on the wrong page. Then press the little arrow button, which forces a pull request on this server.

After you have done that, you should see your first shared event from instance A to instance B.

8. Share across org on different instances

In this step, you are going to share an event from Org A on Instance A to Org B on Instance B. Take a look at the illustration with the green arrow for your understanding. The tiny e within the white circle represents the event you are going to share.

Login with the following credentials on your MISP instance A:

URL: http://instance-a.misp.localhost

user: publisher-org-a@instance-a.misp-lab6.com password: compass

List your events and then click on the Eye button.

Press the Publish Event button. The event should now be available for everyone within the same community.

If you closed the browser tab with your instance B, login again with the following credentials:

URL: http://instance-b.misp.localhost

user: admin@misp-lab.com password: compass

Then repeat the force-pull-trick you have learned at the end of the previous step 7.

After you have successfully pulled from the server, take a look at your events. The Hello World from Org A event should now appear.

Notice the differences: On your instance A, you defined the distribution level of this event as Community only, but on instance B the distribution level is set to Organisation.

9. Connected Communities

In this step, you are going to share an event from Org A on Instance A to Org F on Instance B. Org F isn't configured on Instance A. Take a look at the illustration with the green arrow for your understanding.

Open a new incognito browser tab and login with the following credentials on your MISP instance B. Do not log out from the site-admin account. You are gonna need it later.

URL: http://instance-b.misp.localhost

user: investigator-org-f@instance-b.misp-lab6.com password: compass

As you can see, there are no events currently visible within this organisation.

Login with the following credentials on your MISP instance A, if you aren't still logged in as the publisher of organisation A:

URL: http://instance-a.misp.localhost

user: publisher-org-a@instance-a.misp-lab6.com password: compass

Then, edit the event.

Now choose Connected communities.

Publish your event again!

Then repeat the force-pull trick you learned at the end of the previous step 7. After you have successfully pulled from the server, refresh your incognito tab, where the investigator in Org F is logged in.

Now the event should appear in Org F!
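
The distribution behaviour seen in steps 4, 8 and 9 can be written down as a small Python model. This is an added example, not part of the original lab and not MISP's own code. The short organisation names (org-A, org-B, org-F) and the local_org parameter (the organisation assumed to own the pulled copy on instance B) are assumptions, and publishing and sharing groups are not modelled.

```python
from dataclasses import dataclass, replace

# MISP's numeric distribution levels.
ORG_ONLY, COMMUNITY, CONNECTED, ALL, SHARING_GROUP, INHERIT = range(6)
# Downgrade seen in steps 8 and 9 when instance B pulls an event.
DOWNGRADE = {COMMUNITY: ORG_ONLY, CONNECTED: COMMUNITY}

@dataclass(frozen=True)
class Attribute:
    value: str
    distribution: int = INHERIT

@dataclass(frozen=True)
class Event:
    owner_org: str
    distribution: int
    attributes: tuple = ()

def effective(event, attr):
    """Inherit makes the attribute follow its event's level."""
    return event.distribution if attr.distribution == INHERIT else attr.distribution

def can_see(level, owner_org, viewer_org):
    """Visibility inside one instance; sharing groups are not modelled."""
    if level == ORG_ONLY:
        return viewer_org == owner_org
    return level in (COMMUNITY, CONNECTED, ALL)

def view(event, viewer_org):
    """Attribute values the viewer gets, or None when the event is hidden."""
    if not can_see(event.distribution, event.owner_org, viewer_org):
        return None
    return [a.value for a in event.attributes
            if can_see(effective(event, a), event.owner_org, viewer_org)]

def pull(event, sync_user_org, local_org):
    """Copy stored on the pulling instance, or None if the sync user cannot see it."""
    if view(event, sync_user_org) is None:
        return None
    kept = tuple(replace(a, distribution=DOWNGRADE.get(a.distribution, a.distribution))
                 for a in event.attributes
                 if can_see(effective(event, a), event.owner_org, sync_user_org))
    return Event(local_org, DOWNGRADE.get(event.distribution, event.distribution), kept)

# Constructed walk-through of steps 4, 8 and 9 (organisation names shortened).
hello = Event("org-A", COMMUNITY, (Attribute("Hello World", ORG_ONLY),))
fixed = replace(hello, attributes=(Attribute("Hello World", INHERIT),))
on_b = pull(fixed, sync_user_org="org-B", local_org="org-B")
on_b_connected = pull(replace(fixed, distribution=CONNECTED), "org-B", "org-B")
```

In this model, hello is the event of step 4 before the attribute is switched to Inherit, on_b is the downgraded copy from step 8, and on_b_connected is the copy from step 9 that Org F can see.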

10. Share to connected communities on 3rd party instances

TBD

11. Share to all instances

TBD
