Tool Description
ETIP correlates static and real-time information about the monitored infrastructure (e.g., Indicators of Compromise detected there) with data coming from OSINT sources, using OSINT data fusion and analysis tools, in order to check the relevance and accuracy of that data. The platform can also share both the original and the enriched information with external entities in an automated way.
The proposed architecture is composed of two main modules: (i) the Enriched IoC Component, and (ii) the Context Aware Intelligence Sharing Component as shown in the Figure.
The integration between SIEMs and ETIP is made possible by the adoption of MISP. The objective is to rely as much as possible on the platform's built-in sharing capabilities for this interaction, such as its ZeroMQ publish/subscribe feed, which delivers events, attributes and sightings to subscribed consumers as soon as they are published, without polling.
MISP comes with so-called "MISP modules", used for ad-hoc import and export of threat information (and, in the same framework, for expansion, i.e. enrichment, of existing attributes). If required, new modules can be written from scratch and plugged into the MISP instance without modifying the core functionality of the platform.
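As an added illustration of what "writing a module from scratch" involves (this is example code, not ETIP's or the misp-modules project's own code): an import module that turns a CSV export from a monitored infrastructure's sensors into MISP attributes. The function names handler(), introspection() and version() and the module-level variables are the misp-modules conventions; the CSV layout, the kind-to-type mapping and the sample rows are constructed for the example.

```python
"""Skeleton of a MISP import module (added example, not project code).

Reads a constructed CSV export from a monitored infrastructure's sensors
and turns each row into a MISP attribute. Module layout follows the
misp-modules convention: handler(), introspection(), version().
"""
import base64
import csv
import io
import json

misperrors = {'error': 'Error'}
userConfig = {}                # no extra form fields in the MISP UI
inputSource = ['file']         # the module receives an uploaded file
moduleinfo = {
    'version': '0.1',
    'author': 'example',
    'description': 'Import sensor IoC CSV rows as MISP attributes (example)',
    'module-type': ['import'],
}
moduleconfig = []              # no server-side settings
mispattributes = {'inputSource': inputSource, 'output': ['MISP attributes']}

# Sensor row "kind" -> (MISP attribute type, MISP category); hypothetical mapping
KIND_TO_MISP = {
    'ip': ('ip-dst', 'Network activity'),
    'domain': ('domain', 'Network activity'),
    'sha256': ('sha256', 'Payload delivery'),
}


def parse_rows(text):
    """Parse 'kind,value,comment' CSV rows into MISP attribute result dicts."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = (row.get('kind') or '').strip().lower()
        value = (row.get('value') or '').strip()
        if kind not in KIND_TO_MISP or not value:
            continue   # unknown or empty rows are skipped instead of failing the import
        attr_type, category = KIND_TO_MISP[kind]
        results.append({
            'types': [attr_type],
            'values': [value],
            'categories': [category],
            'to_ids': True,   # seen on our own infrastructure: usable for detection
            'comment': (row.get('comment') or '').strip(),
        })
    return results


def handler(q=False):
    """Entry point called by misp-modules with the request as a JSON string."""
    if q is False:
        return False
    request = json.loads(q)
    if not request.get('data'):
        misperrors['error'] = 'No input file provided'
        return misperrors
    # MISP sends the uploaded file base64-encoded in the 'data' field
    text = base64.b64decode(request['data']).decode('utf-8')
    results = parse_rows(text)
    if not results:
        misperrors['error'] = 'No importable rows found'
        return misperrors
    return {'results': results}


def introspection():
    return {'userConfig': userConfig, 'inputSource': inputSource}


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo


def encode_request(text):
    """Build the JSON request MISP would send for an uploaded file (test helper)."""
    return json.dumps({'data': base64.b64encode(text.encode('utf-8')).decode()})


# Constructed sample: what a monitored infrastructure's sensor might export
SAMPLE_CSV = (
    "kind,value,comment\n"
    "ip,198.51.100.23,outbound beacon seen by IDS\n"
    "sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,dropped file\n"
    "unknown,foo,not mapped\n"
)

if __name__ == '__main__':
    print(json.dumps(handler(encode_request(SAMPLE_CSV)), indent=2))
```

The module returns an error dict rather than raising, because misp-modules reports the 'error' field back to the MISP user; rows it does not understand are dropped so that one malformed line does not block the whole import.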
The Heuristic Module receives all data coming from the monitored infrastructures through MISP. The data can be dynamic (e.g., IoCs detected in the infrastructures) or static, generic information about a specific infrastructure (e.g., deployed sensors, operating systems, specific lists of IP addresses). These data are stored in the MISP database in JSON form (e.g., STIX, MISP events) or as simple documents holding the generic information. Since the heuristic module makes heavy use of them, the data can also be stored separately, for instance in a private non-relational database such as MongoDB, which simplifies retrieval by the heuristic engine and gives the tool full control over the analysis it performs.
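The following added example (not ETIP's code) puts the two previous points together: it consumes messages in the format MISP's ZeroMQ feed uses ("topic" followed by a space and a JSON body, with topics such as misp_json_attribute and misp_json_sighting) and correlates each attribute with a static infrastructure profile of the kind the heuristic module keeps as a document. The profile, the scoring weights, the os: tag convention and the sample messages are constructed assumptions; the heuristic itself is deliberately simple and stands in for whatever ETIP actually computes.

```python
"""Heuristic correlation of MISP feed attributes with an infrastructure profile.

Added example, not part of ETIP. The message format is the one MISP's
ZeroMQ feed uses ("<topic> <json>"); the infrastructure profile, scoring
weights, 'os:' tag convention and sample messages are constructed here.
"""
import ipaddress
import json

# Constructed static profile of one monitored infrastructure (what ETIP
# would hold as a document, e.g. in MongoDB)
INFRA_PROFILE = {
    'name': 'site-a',
    'networks': ['10.20.0.0/16', '203.0.113.0/24'],
    'operating_systems': ['windows', 'linux'],
    'sensors': ['suricata', 'sysmon'],
}

# Constructed ZMQ messages, shaped like those the MISP feed delivers
SAMPLE_MESSAGES = [
    b'misp_json_attribute ' + json.dumps({'Attribute': {
        'type': 'ip-dst', 'value': '203.0.113.77', 'to_ids': True,
        'Tag': [{'name': 'tlp:amber'}]}}).encode(),
    b'misp_json_attribute ' + json.dumps({'Attribute': {
        'type': 'ip-src', 'value': '198.51.100.5', 'to_ids': False,
        'Tag': [{'name': 'os:windows'}]}}).encode(),      # hypothetical OS tag
    b'misp_json_sighting ' + json.dumps({'Sighting': {
        'value': '203.0.113.77'}}).encode(),
    b'misp_json_attribute ' + json.dumps({'Attribute': {
        'type': 'domain', 'value': 'example.invalid', 'to_ids': True}}).encode(),
]


def parse_feed_message(raw):
    """Split a ZMQ feed message into (topic, payload dict)."""
    topic, _, body = raw.partition(b' ')
    return topic.decode(), json.loads(body)


def in_monitored_networks(value, profile):
    """True if value is an IP address inside one of the profile's networks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False          # domains, hashes, garbage: not an address
    return any(addr in ipaddress.ip_network(n) for n in profile['networks'])


def mentions_os(attribute, profile):
    """True if an 'os:<name>' tag names an OS deployed in this infrastructure."""
    tags = {t['name'].lower() for t in attribute.get('Tag', [])}
    return any(f'os:{name}' in tags for name in profile['operating_systems'])


def score_attribute(attribute, profile, sightings):
    """Return a relevance score in 0..100 and the reasons that produced it."""
    score, reasons = 0, []
    if attribute.get('to_ids'):
        score += 20
        reasons.append('to_ids set by source')
    if attribute['type'] in ('ip-src', 'ip-dst') and in_monitored_networks(attribute['value'], profile):
        score += 50
        reasons.append('address inside monitored network')
    if mentions_os(attribute, profile):
        score += 15
        reasons.append('matches a deployed OS')
    n = sightings.get(attribute['value'], 0)
    if n:
        score += min(15, 5 * n)
        reasons.append(f'{n} sighting(s)')
    return min(score, 100), reasons


def process_feed(messages, profile):
    """Two passes: count sightings first, then score every attribute."""
    parsed = [parse_feed_message(m) for m in messages]
    sightings = {}
    for topic, payload in parsed:
        if topic == 'misp_json_sighting':
            v = payload['Sighting']['value']
            sightings[v] = sightings.get(v, 0) + 1
    enriched = []
    for topic, payload in parsed:
        if topic != 'misp_json_attribute':
            continue          # users, tags, organisations etc. are not scored
        attr = payload['Attribute']
        score, reasons = score_attribute(attr, profile, sightings)
        enriched.append({'type': attr['type'], 'value': attr['value'],
                         'threat_score': score, 'reasons': reasons,
                         'infrastructure': profile['name']})
    return enriched


if __name__ == '__main__':
    for doc in process_feed(SAMPLE_MESSAGES, INFRA_PROFILE):
        print(json.dumps(doc))
```

The returned dicts are the "enriched IoC" documents: they keep the reasons alongside the score so that an analyst (or the sharing component) can see why a feed item was rated as relevant to this infrastructure rather than trusting a bare number. A real consumer would read the messages from a ZeroMQ SUB socket subscribed to the misp_json prefix instead of the constructed list.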
The adoption of MISP makes it possible to share data automatically with external entities through its built-in sharing capabilities. When the external entity also runs a MISP instance, sharing is performed by synchronising the two instances. Otherwise, MISP exposes a REST API that internal and external services can use with different levels of access rights (each API key is bound to a MISP user and therefore to that user's role) to push and pull cyber-security events directly to and from its database. In both cases, what actually leaves the instance is governed by the distribution level and sharing groups set on each event and attribute.
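An added example (standard library only, not ETIP's own sharing code) of the REST interaction described above: an enriched IoC with its threat score is assembled as a MISP event and pushed with POST /events/add, and matching attributes are pulled back with POST /attributes/restSearch. The endpoint paths and the Authorization/Accept/Content-Type headers are MISP's; the server URL, the API key, the threat-score tag name and the event contents are placeholders chosen for the example.

```python
"""Pushing an enriched IoC to MISP and pulling attributes over the REST API.

Added example using only the standard library. Endpoint paths and headers
are MISP's (/events/add, /attributes/restSearch); the server URL, API key,
tag scheme and event content are placeholders.
"""
import json
import ssl
import urllib.request

MISP_URL = 'https://misp.example.invalid'   # placeholder
API_KEY = 'REPLACE_WITH_USER_AUTHKEY'       # bound to a MISP user and its role


def build_event(info, iocs, distribution=0):
    """Build a MISP event body; each IoC carries its threat score as a tag."""
    attributes = []
    for ioc in iocs:
        attributes.append({
            'type': ioc['type'],
            'category': 'Network activity',
            'value': ioc['value'],
            'to_ids': ioc['threat_score'] >= 50,   # only high-score IoCs go to detection
            'comment': 'enriched by ETIP heuristic module (example)',
            'Tag': [{'name': f"threat-score:{ioc['threat_score']}"}],  # hypothetical tag scheme
        })
    return {'Event': {
        'info': info,
        'distribution': distribution,   # 0 = your organisation only; widen deliberately
        'threat_level_id': 2,
        'analysis': 0,
        'Attribute': attributes,
    }}


def build_request(method, path, body=None):
    """Assemble what MISP expects: the key in Authorization, JSON in and out."""
    headers = {'Authorization': API_KEY,
               'Accept': 'application/json',
               'Content-Type': 'application/json'}
    data = json.dumps(body).encode() if body is not None else None
    return {'method': method, 'url': MISP_URL.rstrip('/') + path,
            'headers': headers, 'body': data}


def push_event(event):
    return build_request('POST', '/events/add', event)


def pull_attributes(value):
    return build_request('POST', '/attributes/restSearch',
                         {'value': value, 'returnFormat': 'json'})


def send(req, verify_tls=True):
    """Perform the request; returns the decoded JSON response."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Never in production: without verification the API key goes to whoever
        # answers on the wire.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    r = urllib.request.Request(req['url'], data=req['body'],
                               headers=req['headers'], method=req['method'])
    with urllib.request.urlopen(r, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == '__main__':
    # Constructed enriched IoCs; print the requests instead of sending them
    event = build_event('ETIP enriched IoCs (example)', [
        {'type': 'ip-dst', 'value': '203.0.113.77', 'threat_score': 75},
        {'type': 'domain', 'value': 'example.invalid', 'threat_score': 20},
    ])
    print(json.dumps(push_event(event)['body'].decode(), indent=2))
    print(pull_attributes('203.0.113.77')['url'])
```

Keeping request construction separate from send() makes the payload inspectable before anything reaches the network and keeps the TLS decision explicit; the distribution field defaults to the most restrictive value so that an enriched event is not exported to a wider audience by accident.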
The enriched IoC, together with the computed Threat Score, is sent back to MISP and stored in the MISP database, from where it can be shared externally. Optionally, some of the IoCs received from the monitored infrastructures can be stored in the MISP database as well, so that MISP's basic automated correlation (its built-in matching of identical attribute values across events) already runs when OSINT data are received, before the heuristic analysis takes place.