How to survive to STIX parsing?
2023-07-05, 11:45–12:05 (Europe/Paris), Amphitheater

Ensuring the seamless flow of threat intelligence between sharing communities, CTI pipelines, and detection engineering teams heavily relies on the interoperability of CTI standards.
To achieve this, the misp-stix Python library (requiring Python >= 3.8) was developed and specifically designed to handle all conversions between the MISP standard format and the STIX formats.
This library serves as a versatile and comprehensive solution that addresses the challenges faced in CTI standard conversion.
In this talk, we will discuss the implementation of misp-stix, which provides a generic Python library that supports various formats and conversions.


When it comes to discussions about exchanging threat intelligence, STIX is often mentioned as a standard for representing and sharing structured information.
However, the differences between STIX 1.x in XML and STIX 2.x in JSON can pose challenges for analysts and their tools to parse and consume the content easily and automatically.

To address this issue, misp-stix provides a straightforward conversion between different versions of STIX formats specialized in threat intelligence exchange and the generic MISP standard, which is widely used worldwide to share information across different domains and fields.
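As an added example for this abstract (not code from misp-stix or CIRCL), the script below shows the shape of the problem the paragraphs above describe: the same indicators expressed once as a constructed STIX 1.1 XML package with CybOX observables and once as a constructed STIX 2.1 JSON bundle of indicator patterns, both normalised into MISP-style attribute dictionaries using only the Python standard library. The MISP attribute types it emits (ip-dst, domain, email, url, md5, sha1, sha256, stix2-pattern) exist in MISP, but the namespace table, the two mapping tables, the regular expression for simple equality comparisons and the fall-back to a stix2-pattern attribute are this example's own choices, and every identifier and indicator value is made up. misp-stix itself covers far more object types and pattern forms than this.

```python
# Added example for this page, not misp-stix or CIRCL code: normalise indicators from
# STIX 1.x XML and STIX 2.1 JSON into MISP-style attributes with the standard library only.
import json
import re
import xml.etree.ElementTree as ET

# Constructed STIX 1.1 package: a CybOX Address observable and a DomainName observable.
STIX1_XML = """<stix:STIX_Package version="1.1.1" id="example:package-1"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Observable>
        <cybox:Object>
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable>
        <cybox:Object>
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
            <DomainNameObj:Value>c2.example.net</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed STIX 2.1 bundle, trimmed to the fields read below (a real bundle also
# carries created/modified/valid_from timestamps). Identifiers and values are made up.
STIX2_BUNDLE = """{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
  "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
  "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.net' OR ipv4-addr:value = '203.0.113.9']"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004",
  "pattern_type": "stix", "pattern": "[network-traffic:dst_port = 8443]"}
]}"""

STIX1_NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# CybOX Address categories -> MISP attribute types (this example's own table).
ADDRESS_CATEGORY_MAP = {"ipv4-addr": "ip-dst", "ipv6-addr": "ip-dst", "e-mail": "email"}


def parse_stix1(xml_text):
    # Walk each stix:Indicator down to its CybOX Properties and dispatch on xsi:type.
    root = ET.fromstring(xml_text)
    attributes = []
    for ind in root.iterfind(".//stix:Indicator", STIX1_NS):
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", STIX1_NS)
        if props is None:
            continue
        xsi_type = props.get(XSI_TYPE, "")
        misp_type = value = None  # stays None for CybOX object types this example does not cover
        if xsi_type.endswith("AddressObjectType"):
            misp_type = ADDRESS_CATEGORY_MAP.get(props.get("category"))
            value = props.findtext("AddressObj:Address_Value", namespaces=STIX1_NS)
        elif xsi_type.endswith("DomainNameObjectType"):
            misp_type = "domain"
            value = props.findtext("DomainNameObj:Value", namespaces=STIX1_NS)
        if misp_type and value:
            attributes.append({"type": misp_type, "value": value.strip(), "comment": ind.get("id")})
    return attributes


# One "object-type:path = 'value'" comparison; quoted path segments (hashes.'SHA-256') allowed.
COMPARISON_RE = re.compile(
    r"([a-z0-9-]+):((?:[A-Za-z0-9_]+|'[^']+')(?:\.(?:[A-Za-z0-9_]+|'[^']+'))*)\s*=\s*'((?:[^'\\]|\\.)*)'")
# (STIX object type, property path) -> MISP attribute type (this example's own table).
PATTERN_MAP = {
    ("ipv4-addr", "value"): "ip-dst", ("ipv6-addr", "value"): "ip-dst",
    ("domain-name", "value"): "domain", ("url", "value"): "url",
    ("file", "hashes.MD5"): "md5", ("file", "hashes.SHA-1"): "sha1", ("file", "hashes.SHA-256"): "sha256",
}


def parse_stix2(bundle_text):
    # Map every equality comparison of each STIX-pattern indicator to a MISP attribute.
    attributes = []
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        mapped = []
        for obj_type, path, value in COMPARISON_RE.findall(obj["pattern"]):
            misp_type = PATTERN_MAP.get((obj_type, path.replace("'", "")))
            if misp_type:
                mapped.append({"type": misp_type, "value": value, "comment": obj["id"]})
        # A pattern with no mappable comparison (e.g. a numeric port test) is kept verbatim
        # as MISP's stix2-pattern type so that no intelligence is silently dropped.
        attributes.extend(mapped or [{"type": "stix2-pattern", "value": obj["pattern"], "comment": obj["id"]}])
    return attributes
```

Calling parse_stix1(STIX1_XML) and parse_stix2(STIX2_BUNDLE) yields the same dictionary shape for both inputs; a compound pattern produces one attribute per comparison, and a pattern with no mappable comparison survives as a stix2-pattern attribute instead of vanishing, which is the failure mode to check for first when reviewing any such converter.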

Effective interoperability between CTI standards is crucial to ensure smooth information exchange among sharing communities. By reducing the gap between different conceptions of exchange standards, misp-stix aims to facilitate this process.

During the presentation, we will showcase real-life examples of the challenges we face and the solutions we have developed to improve the interoperability and reusability of knowledge bases such as MISP taxonomies, object templates, and galaxies. These knowledge bases are used in MISP and many other CTI tools, and are essential for exchanging structured threat intelligence effectively.

See also: slides

Christian Studer joined CIRCL in 2017 after graduating with a Master's in Computer Science. During his master's thesis at CIRCL he showed his capacity to lead existing CIRCL software such as the Potiron framework, a tool to normalize, index and visualize network captures. He mainly works on MISP, contributing to the core development and to several integrations with other tools and formats; most notably, he leads the STIX implementation of the project. He is also the co-chair of the OASIS CTI STIX Subcommittee.