
How MISP Enables the Cybersecurity Community to Collaborate During the Pandemic

May 20, 2020

As if the pandemic itself weren’t causing enough pain and suffering in the world, cybercriminals are busy developing and deploying COVID-19-related malware to try and take advantage of unsuspecting victims. Fortunately, one of the world’s leading technology companies, Microsoft, is taking action to help people avoid becoming victims of these scams.

Last week, Microsoft announced in a blog post that it had begun sharing all of the indicators of compromise (IOC) related to COVID-19 that were hitting users of various Microsoft products, including the widely deployed Office 365. By itself, this is great news for people and organizations worldwide who have enough to worry about without the added burden of losing data or money to ransomware or other scams. But what really makes this exciting for Devo and our customers is Microsoft’s decision to share the COVID-themed threats it’s seeing via MISP, the open-source threat intelligence-sharing platform.

Devo is an active member of the MISP community. Customers using the Devo next-gen cloud SIEM can consume indicators from the MISP community—and if they wish, contribute to it. Now, with the addition of COVID-19 threat intelligence from Microsoft, Devo customers also have access to the latest hashes and signals about these threats.

What is MISP? A Brief History

Before I go further, this seems like the right place for a little background on MISP. Formally known as the Malware Information Sharing Platform, MISP is an open-source threat-intelligence platform begun in 2011. MISP is funded by the European Union and CIRCL, the Computer Incident Response Center Luxembourg. Security companies, governments, and other organizations worldwide are members of the MISP community.

I love the fact that MISP is an open-source platform because I believe open source is the most effective way to do threat intelligence. The industry contributes threat data to MISP, and all members can use that data to help their customers protect against a wide range of threats. The great thing about open-source threat intelligence software is Devo customers have free use of the valuable MISP intelligence and can implement and improve it in whatever way will benefit their organization.

Because the world runs on data, there are a lot of threat actors out there who spend a lot of time and money creating ransomware, phishing scams, and other malware designed to steal or otherwise monetize people’s and organizations’ data. MISP enables security vendors and other organizations to quickly see if there is a hash, a hostname, an IP address, or any other indicator that can identify a piece of malware that’s out in the wild ready to inflict damage.

How Devo Works with MISP on Behalf of Our Customers

Devo Security Operations provides security operations center (SOC) analysts with an integrated workflow that includes threat intelligence community collaboration. That collaborative capability comes from our close ties to MISP. By leveraging our relationship with MISP, Devo provides our customers with insights about the latest threats, which makes SOC analysts’ threat hunting efforts more effective, helping them stay ahead of the bad guys. As soon as threat intelligence is submitted to MISP, it’s immediately available to the Devo customer community.

How Microsoft Sharing Threat Data Benefits Everyone

Because so many devices worldwide run Microsoft software, the company sees a wide range of threats and helps protect its customers against them. Office 365, which includes the Exchange and Outlook email programs, enables Microsoft to see the myriad threats that try to take advantage of people’s concerns related to COVID-19. Now that Microsoft is sharing these threats with MISP, all MISP members—including Devo and our customers—are benefitting.

Why did Microsoft decide to share its threat intel with MISP? Perhaps for the same reasons as Devo—because MISP makes it easy for its members to leverage threat intelligence immediately. Once Microsoft began sharing its data, all MISP members could instantly benefit from the indicators and use them to quickly identify whether their own organizations have been hit by any of the same threats. It took me just a couple of minutes the other day to add the Microsoft feed to the Devo MISP instance.

Devo has standardized on, and works closely with, MISP because it benefits our fast-growing customer base. Thanks to Microsoft for deciding to share its pandemic-related threat intelligence with MISP and, therefore, with organizations worldwide.

To learn more about how Devo and MISP work together on threat intelligence sharing, check out this on-demand webinar.
