MISP: open source platform for threat intelligence sharing

MISP (2013) by CERT Belgium/CIRCL Luxembourg: open platform for threat intelligence sharing. MISP JSON format, STIX/TAXII, galaxy, taxonomies, feeds. AGPLv3 licence. Adoption by NATO, national CSIRTs, ISACs.


From cooperation between CERTs

Sharing indicators of compromise (IoCs) between response teams requires common formats, quality metadata and trust mechanisms. In the early 2010s European CERTs share IoCs by email, plain-text feeds and Excel spreadsheets: no common standard, and constant duplication of work.

In 2011 Christophe Vandeplas (Belgian Ministry of Defence CERT) starts an internal tool called CyDefSIG. In 2013 the project is renamed MISP (Malware Information Sharing Platform) and released open source; in the same period CIRCL (Computer Incident Response Centre Luxembourg) becomes its main maintainer.

The first public release with the MISP name dates from July 2013. Today’s lead developers are Andras Iklody and Alexandre Dulaunoy (CIRCL). The licence is AGPLv3.

Data model

MISP is based on events, each containing:

  • Attributes — individual IoCs (IP, domain, file hash, URL, email, filename, registry key)
  • Objects — groups of related attributes (e.g. file object with hash + size + filename)
  • Galaxy clusters — semantic tags for threat actor, malware family, attack pattern (ATT&CK mapping)
  • Taxonomies — hierarchical tags for classification (TLP, PAP, confidence, admiralty scale)
  • Sightings — IoC sighting confirmations

The native format is MISP JSON, with export to STIX 1.x / 2.x, OpenIOC, Suricata/Snort rules, Bro/Zeek intel, YARA, CSV.
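To make the data model concrete, here is an added example (my own code, not the MISP project's) that builds an event in the MISP JSON envelope with two network attributes, a file object and TLP/PAP tags, then exports it as Suricata rules and a Zeek intel file. The field names follow MISP JSON as I know it and the sample values are constructed (documentation-range IP, an `.example` domain, the MD5 of an empty file); the detail worth noticing is that only attributes flagged `to_ids` reach the detection exports, so the size and filename stay context-only.

```python
import json
import uuid
from datetime import date

# Constructed sample indicators (documentation ranges / empty-file hash), not real IoCs.
SAMPLE_IP = "198.51.100.23"
SAMPLE_DOMAIN = "update-check.example"
SAMPLE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def make_attribute(atype, value, category, to_ids=True, tags=()):
    """One MISP attribute; to_ids marks it as fit for automated detection export."""
    return {
        "uuid": str(uuid.uuid4()),
        "type": atype,
        "category": category,
        "value": value,
        "to_ids": to_ids,
        "Tag": [{"name": t} for t in tags],
    }


def make_file_object(md5, size, filename):
    """A MISP object groups related attributes under named object relations."""
    attrs = [
        (make_attribute("md5", md5, "Payload delivery"), "md5"),
        (make_attribute("size-in-bytes", str(size), "Other", to_ids=False), "size-in-bytes"),
        (make_attribute("filename", filename, "Payload delivery", to_ids=False), "filename"),
    ]
    return {
        "name": "file",
        "meta-category": "file",
        "Attribute": [dict(a, object_relation=rel) for a, rel in attrs],
    }


def build_event(info, attributes, objects, tags, distribution=1):
    """Wrap attributes, objects and event-level tags in the MISP JSON envelope."""
    return {"Event": {
        "uuid": str(uuid.uuid4()),
        "info": info,
        "date": date.today().isoformat(),
        "threat_level_id": "2",   # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": "1",          # 0 initial, 1 ongoing, 2 complete
        "distribution": str(distribution),
        "Attribute": attributes,
        "Object": objects,
        "Tag": [{"name": t} for t in tags],
    }}


def iter_attributes(event):
    """Yield top-level attributes and those nested inside objects."""
    ev = event["Event"]
    yield from ev.get("Attribute", [])
    for obj in ev.get("Object", []):
        yield from obj.get("Attribute", [])


def to_suricata(event, base_sid=1000000):
    """Export network indicators with to_ids set as Suricata rules."""
    rules, sid, info = [], base_sid, event["Event"]["info"]
    for a in iter_attributes(event):
        if not a["to_ids"]:
            continue
        msg = f'MISP: {info} ({a["type"]})'
        if a["type"] == "ip-dst":
            rules.append(f'alert ip $HOME_NET any -> {a["value"]} any (msg:"{msg}"; sid:{sid}; rev:1;)')
        elif a["type"] == "ip-src":
            rules.append(f'alert ip {a["value"]} any -> $HOME_NET any (msg:"{msg}"; sid:{sid}; rev:1;)')
        elif a["type"] in ("domain", "hostname"):
            rules.append(f'alert dns any any -> any any (msg:"{msg}"; dns.query; content:"{a["value"]}"; nocase; sid:{sid}; rev:1;)')
        else:
            continue   # hashes, filenames and sizes are not network rules
        sid += 1
    return rules


ZEEK_TYPES = {
    "ip-dst": "Intel::ADDR", "ip-src": "Intel::ADDR",
    "domain": "Intel::DOMAIN", "hostname": "Intel::DOMAIN",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
    "url": "Intel::URL",
}


def to_zeek_intel(event):
    """Export to the tab-separated Zeek intelligence framework file format."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"]
    for a in iter_attributes(event):
        if a["to_ids"] and a["type"] in ZEEK_TYPES:
            lines.append("\t".join([a["value"], ZEEK_TYPES[a["type"]], "misp", event["Event"]["info"]]))
    return lines


def demo_event():
    """Constructed event: two network attributes plus one file object."""
    attrs = [
        make_attribute("ip-dst", SAMPLE_IP, "Network activity", tags=["tlp:amber"]),
        make_attribute("domain", SAMPLE_DOMAIN, "Network activity"),
    ]
    objs = [make_file_object(SAMPLE_MD5, 0, "invoice.exe")]
    return build_event("Constructed example campaign", attrs, objs, ["tlp:amber", "pap:green"])


if __name__ == "__main__":
    ev = demo_event()
    print(json.dumps(ev, indent=2))
    print("\n".join(to_suricata(ev)))
    print("\n".join(to_zeek_intel(ev)))
```

Running the block prints the event JSON, two Suricata rules (the IP and the domain) and a four-line Zeek intel file (header plus IP, domain and MD5); the filename and size appear in the JSON but in neither export.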

Sharing groups and feeds

MISP supports sharing groups — sets of organisations with controlled visibility of events. An event can be:

  • organisation-private
  • shared with a specific community
  • public

Feeds allow importing external sources (the CIRCL OSINT feed, Abuse.ch, an organisation's own vendors). Synchronisation automates the exchange of events between MISP instances via the API.
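The visibility rules above are easier to reason about in code. The following added example (mine, not part of MISP) models the five distribution levels MISP uses (0 = own organisation, 1 = this community, 2 = connected communities, 3 = all communities, 4 = sharing group; the exact semantics are my reading and should be checked against your instance) across a constructed three-instance topology, and then imports a constructed plain-text feed into an event while deduplicating against what is already there. Instance names, organisation names and the feed content are all invented.

```python
from dataclasses import dataclass

# MISP distribution levels 0-4 (semantics as I understand them; an assumption)
ORG_ONLY, THIS_COMMUNITY, CONNECTED_COMMUNITIES, ALL_COMMUNITIES, SHARING_GROUP = range(5)


@dataclass(frozen=True)
class Instance:
    name: str
    orgs: frozenset     # organisations hosted on this instance
    peers: frozenset    # instances it synchronises with directly


def can_receive(event, org, org_instance, origin, sharing_groups):
    """May `org`, hosted on `org_instance`, receive `event` published on `origin`?"""
    if org == event["orgc"]:
        return True                          # the creating org always sees its own event
    dist = event["distribution"]
    if dist == ORG_ONLY:
        return False
    if dist == THIS_COMMUNITY:
        return org in origin.orgs
    if dist == CONNECTED_COMMUNITIES:        # one synchronisation hop away
        return org in origin.orgs or org_instance.name in origin.peers
    if dist == ALL_COMMUNITIES:
        return True
    if dist == SHARING_GROUP:
        return org in sharing_groups.get(event["sharing_group_id"], frozenset())
    raise ValueError(f"unknown distribution level {dist}")


# Constructed topology: a CIRCL-like origin, an Italian peer, a vendor behind that peer
ORIGIN = Instance("origin", frozenset({"OriginCERT", "GovCERT-A"}), frozenset({"peer-it"}))
PEER_IT = Instance("peer-it", frozenset({"CSIRT-IT", "FinCERT"}), frozenset({"origin", "vendor"}))
VENDOR = Instance("vendor", frozenset({"VendorX"}), frozenset({"peer-it"}))
SHARING_GROUPS = {"7": frozenset({"OriginCERT", "FinCERT"})}


def visibility(distribution):
    """Who can see an OriginCERT event at the given distribution level."""
    event = {"orgc": "OriginCERT", "distribution": distribution, "sharing_group_id": "7"}
    checks = [("GovCERT-A", ORIGIN), ("CSIRT-IT", PEER_IT), ("FinCERT", PEER_IT), ("VendorX", VENDOR)]
    return {org: can_receive(event, org, inst, ORIGIN, SHARING_GROUPS) for org, inst in checks}


def parse_feed(text):
    """Parse a constructed one-indicator-per-line text feed, skipping comments."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def classify(value):
    """Guess the MISP attribute type of a bare feed value (IPv4, hash, else domain)."""
    parts = value.split(".")
    if len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts):
        return "ip-dst"
    if len(value) in (32, 40, 64) and all(c in "0123456789abcdef" for c in value.lower()):
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(value)]
    return "domain"


def import_feed(event, feed_text, feed_name):
    """Merge feed values into event attributes; returns how many were new."""
    seen = {(a["type"], a["value"]) for a in event["Attribute"]}
    added = 0
    for value in parse_feed(feed_text):
        key = (classify(value), value)
        if key in seen:
            continue
        event["Attribute"].append({"type": key[0], "value": value, "to_ids": True,
                                   "comment": f"feed: {feed_name}"})
        seen.add(key)
        added += 1
    return added


# Constructed feed: one value already present in the event, one repeated line
FEED_TEXT = """# constructed feed, not a real source
198.51.100.23
lookalike-login.example
198.51.100.23
d41d8cd98f00b204e9800998ecf8427e
"""


def demo_import():
    event = {"Attribute": [{"type": "ip-dst", "value": "198.51.100.23", "to_ids": True}]}
    added = import_feed(event, FEED_TEXT, "constructed-feed")
    return added, event


if __name__ == "__main__":
    for level in range(5):
        print(level, visibility(level))
    print(demo_import())
```

The point of the topology is the difference between levels 1 and 2: `CSIRT-IT` on the peer instance sees a "connected communities" event but not a "this community" one, and `VendorX`, two hops away, sees neither; a sharing group cuts across instances and admits exactly its members.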

STIX, TAXII, automation

MISP exposes a complete REST API and supports STIX 1.x/2.x and TAXII for interoperability with other TI platforms (OpenCTI, IBM X-Force, ThreatConnect). PyMISP is the reference Python library for custom integrations.

Ready-made integrations include: TheHive/Cortex, Suricata, Zeek, SIEMs (Splunk, Elastic, QRadar, Sentinel), EDR/XDR.
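As an added example of the REST side (my own code, not PyMISP and not from the MISP project), the block below prepares, without sending, a `POST /attributes/restSearch` request using only the standard library, then feeds a constructed restSearch-style response into an indicator index and matches it against constructed proxy log lines, the way a SIEM integration would. The filter parameters in the body (`returnFormat`, `type`, `to_ids`, `last`, `enforceWarninglist`) are ones I know restSearch accepts; the base URL, API key placeholder, response content and log lines are all invented.

```python
import json
import re
import urllib.request


def build_restsearch_request(base_url, api_key, last="7d", types=("ip-dst", "domain", "md5")):
    """Prepare (not send) a restSearch request for recent to_ids attributes.
    enforceWarninglist drops values on MISP warninglists (e.g. well-known benign IPs)."""
    body = {"returnFormat": "json", "type": list(types), "to_ids": 1,
            "last": last, "enforceWarninglist": 1}
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/attributes/restSearch",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
    )


# Constructed restSearch-style response; values are documentation-range samples.
SAMPLE_RESPONSE = json.dumps({"response": {"Attribute": [
    {"id": "101", "event_id": "42", "type": "ip-dst", "value": "198.51.100.23",
     "to_ids": True, "Tag": [{"name": "tlp:amber"}]},
    {"id": "102", "event_id": "42", "type": "domain", "value": "update-check.example",
     "to_ids": True, "Tag": [{"name": "tlp:amber"}]},
    {"id": "103", "event_id": "43", "type": "domain", "value": "benign.example",
     "to_ids": False, "Tag": []},
]}})


def index_indicators(response_text):
    """Build {type: {value: attribute}} lookups, keeping only to_ids attributes."""
    index = {}
    for a in json.loads(response_text)["response"]["Attribute"]:
        if a.get("to_ids"):
            index.setdefault(a["type"], {})[a["value"].lower()] = a
    return index


# Constructed proxy log lines: timestamp client dst_ip host
SAMPLE_LOGS = """2024-05-01T10:00:01Z 10.0.0.5 203.0.113.9 www.example.com
2024-05-01T10:00:07Z 10.0.0.8 198.51.100.23 update-check.example
2024-05-01T10:00:09Z 10.0.0.8 203.0.113.20 benign.example
2024-05-01T10:01:13Z 10.0.0.12 203.0.113.44 sub.update-check.example
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<host>\S+)$")


def match_logs(index, log_text):
    """One hit per (line, field) whose dst IP or host (or a parent domain) is indexed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip_hit = index.get("ip-dst", {}).get(m["dst"])
        labels = m["host"].lower().split(".")
        dom_hit = None
        for i in range(len(labels) - 1):            # host, then each parent domain
            dom_hit = index.get("domain", {}).get(".".join(labels[i:]))
            if dom_hit:
                break
        for attr, field in ((ip_hit, "dst"), (dom_hit, "host")):
            if attr:
                hits.append({"ts": m["ts"], "client": m["client"], "field": field,
                             "indicator": attr["value"], "event_id": attr["event_id"],
                             "tags": [t["name"] for t in attr.get("Tag", [])]})
    return hits


if __name__ == "__main__":
    req = build_restsearch_request("https://misp.example", "PLACEHOLDER_API_KEY")
    print(req.get_method(), req.full_url, req.data.decode())
    for hit in match_logs(index_indicators(SAMPLE_RESPONSE), SAMPLE_LOGS):
        print(hit)
```

Two details matter in practice: the `benign.example` attribute is excluded at index time because its `to_ids` flag is false, and the host match walks parent domains so `sub.update-check.example` still hits the indexed domain. Each hit carries the MISP `event_id` and tags, which is what an analyst needs to pivot back to the event and to honour TLP when forwarding the alert.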

Galaxy and ATT&CK

MISP galaxies represent threat actors, campaigns, malware families and ATT&CK techniques in a structured, versioned format. Every event can be tagged with MITRE ATT&CK techniques, enabling reports and coverage metrics aligned to the framework.
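The "coverage measures" mentioned above can be computed directly from galaxy tags. The added example below (mine, not the MISP project's) parses ATT&CK galaxy tags of the shape `misp-galaxy:mitre-attack-pattern="Name - Txxxx"` (the tag format as I know it from the MISP ATT&CK galaxy; treat it as an assumption and verify against your instance), counts which techniques the constructed events report, and compares them with a constructed inventory of detection rules, treating a sub-technique as covered when its parent technique has a rule.

```python
import re
from collections import defaultdict

# Galaxy tag shape as I know it from the MISP ATT&CK galaxy (assumption)
ATTACK_TAG = re.compile(
    r'^misp-galaxy:mitre-attack-pattern="(?P<name>.+?) - (?P<tid>T\d{4}(?:\.\d{3})?)"$'
)

# Constructed events carrying only the fields this example needs
SAMPLE_EVENTS = [
    {"id": "42", "Tag": [
        {"name": 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'},
        {"name": 'misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"'},
        {"name": "tlp:amber"}]},
    {"id": "43", "Tag": [
        {"name": 'misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053"'}]},
    {"id": "44", "Tag": [
        {"name": 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"'},
        {"name": 'misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"'}]},
]

# Constructed detection inventory: technique id -> rule names the org actually runs
SAMPLE_DETECTIONS = {
    "T1566": ["mail-gateway-attachment-sandbox"],
    "T1078": ["impossible-travel-login"],
}


def techniques_in_event(event):
    """Map technique id -> name for every ATT&CK galaxy tag on the event."""
    found = {}
    for tag in event.get("Tag", []):
        m = ATTACK_TAG.match(tag["name"])
        if m:
            found[m["tid"]] = m["name"]
    return found


def technique_frequency(events):
    """Technique id -> sorted list of event ids reporting it."""
    freq = defaultdict(set)
    for ev in events:
        for tid in techniques_in_event(ev):
            freq[tid].add(ev["id"])
    return {tid: sorted(ids) for tid, ids in freq.items()}


def coverage_report(events, detections):
    """Compare observed techniques with the detection inventory.
    A sub-technique (T1566.001) counts as covered if its parent (T1566) has a rule."""
    freq = technique_frequency(events)
    covered, gaps = {}, {}
    for tid, event_ids in freq.items():
        rules = detections.get(tid) or detections.get(tid.split(".")[0])
        if rules:
            covered[tid] = rules
        else:
            gaps[tid] = len(event_ids)          # how many events reported the uncovered technique
    percent = round(100 * len(covered) / len(freq)) if freq else 0
    return {
        "observed": len(freq),
        "covered": sorted(covered),
        "gaps": dict(sorted(gaps.items(), key=lambda kv: -kv[1])),
        "percent": percent,
    }


if __name__ == "__main__":
    print(technique_frequency(SAMPLE_EVENTS))
    print(coverage_report(SAMPLE_EVENTS, SAMPLE_DETECTIONS))
```

The report ranks gaps by how many events mention the uncovered technique, which is the ordering a detection engineering backlog usually wants: with the constructed data, T1053 is the only gap and the inventory covers three of four observed techniques.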

Institutional adoption

  • NATO NCIRC — sharing between allied nations
  • European national CSIRTs (Italy, France, Germany, Luxembourg, Belgium, Netherlands)
  • ENISA — reference for European sharing
  • Sector ISACs — finance, energy, transport, health
  • Commercial vendors — integration in own XDR/TI products

In the Italian context

MISP is used by:

  • CSIRT Italia (ACN) — national sharing
  • Sector CERTs — financial (CERTFin), health, energy, telecommunications
  • Italian ISACs — sector sharing
  • Regulated companies (NIS2, DORA) — threat intel pipelines to SIEM/EDR

After over a decade, MISP is the de facto standard for open source threat intelligence sharing in Europe, with neutral governance and a rich ecosystem.


References: MISP — project started as CyDefSIG in 2011 by Christophe Vandeplas (Belgian MOD CERT), renamed and published as MISP in July 2013. Main maintainer CIRCL Luxembourg (Andras Iklody, Alexandre Dulaunoy). AGPLv3 licence. STIX/TAXII support. Site: https://www.misp-project.org.
