Bryan Roh Cyber Security and Emerging Threats

Open Source Software Can Play a Key Role in NATO’s Cyber Defences

Cybersecurity is a field where innovation is a double-edged sword. The security solutions being implemented today may become obsolete against the new cyber threats of tomorrow. Meanwhile, the rapid pace and adoption of disruptive digital technologies by both enterprises and attackers alike has forced information security professionals to protect their organizations against a highly dynamic threat landscape.

In response to this evolving international challenge, NATO determined during the 2014 Wales Summit that cyber defence constituted a core realm in its commitment to collective defence per Article 5 of the Washington Treaty. Over the past decade, NATO has launched several strategic initiatives aimed at advancing the cybersecurity posture of its alliance members in its commitment to collective cyber defence, such as its ongoing Smart Defence initiative. The driving concept behind Smart Defence is that collaboration, pooling, and resource sharing between member countries facilitate greater security for less money.

MISP is one of the most important projects to be born out of NATO’s Smart Defence initiative. Developed in collaboration with the Belgian Ministry of Defence, NATO, and the Computer Incident Response Center Luxembourg (CIRCL), MISP was initially created to support NATO’s Computer Incident Response Capability (NCIRC) by streamlining and standardizing the sharing of malware information. Today, MISP is a free open-source threat intelligence platform used by more than 6000 organizations ranging from private financial institutions to government and military organizations. The NATO Communications and Information Agency (NCI), the organization responsible for spearheading NATO’s cybersecurity, operates a community on MISP where members of the alliance can share and consume threat intelligence.

What are the reasons behind MISP’s global success, and why does NATO continue to use an open source platform for sharing threat intelligence? To answer these two questions, the value of threat intelligence itself in today’s cybersecurity world must first be expanded on.

[Why Threat Intelligence Matters in Cybersecurity]

The importance of threat intelligence is evident in the offices of Security Operations Centres (SOC) in organizations. SOC teams work throughout the day to protect their organization’s networks by detecting, investigating, and responding to any suspicious activities that arise. They accomplish this by constantly monitoring networks for potential threats and sifting through thousands of daily alerts and logged activities generated by internal security tools to identify the ones that point to legitimate signs of a cybersecurity incident.

However, because of the rate at which the number and sophistication of emerging cyber threats are advancing, SOCs struggle to match the relentless pace of the constantly evolving threat landscape. This was made evident by a 2019 survey conducted by the Ponemon Institute, which found 53% of respondents stating that their organization’s SOCs were ineffective at gathering relevant evidence and investigating the source of threats, with one of the leading causes being the generation of too many false positive alerts. In a 2018 report on SOCs by Fidelis Cybersecurity, the majority of SOC analysts (60%) stated that they could realistically only manage 7-8 investigations a day. The challenges are clear: SOCs are being overburdened by the increasing challenge of having to quickly identify legitimate alerts and prioritize on ones that pose the most risk to an organization’s key assets.

Another challenge is that the usual Indicators of Compromise (IoC) or “breadcrumbs” that cyber adversaries leave behind after an attack (e.g. IP addresses, domain names, filenames, and file hashes) are often not enough for SOCs to conduct an in-depth investigation into who the attacker was, what their objectives were, or what particular methods and tools of intrusion they utilized. Thus, to streamline SOCs and help build effective countermeasures against the most relevant and critical  threats, those breadcrumbs and alerts must be paired with context that gives SOCs the ability to prioritize and execute decisions. That is what threat intelligence is all about at the end of the day: promoting evidence-based and context-driven visibility of the dynamic threat landscape to promote informed decision-making and risk mitigation for organizations.

[ Why Open Source Software like MISP Matter]

Cybersecurity hinges on the consumption of accurate up-to-date information. Adversaries that have utilized a particular set of tactics, techniques, and procedures (TTPs) to penetrate an organization’s network defences may change their TTPs entirely when they move to their next target and adapt to new circumstances to evade detection.

One of the key challenges facing organizations, therefore, is the reliability and timeliness of the threat intelligence they have access to. It is not enough for SOC analysts to be reacting against previously known threats and sealing relevant vulnerabilities. Instead, SOCs need to take a proactive stance in defending their organizations, and that means gaining and maintaining real-time visibility of the digital threat landscape through the consumption of the latest relevant threat intelligence feeds.

That is where MISP comes in. As a threat intelligence platform, MISP offers several benefits that make it stand out against other proprietary threat intelligence platforms.

One of the major features that has drawn both public and private organizations to using MISP is an inherent characteristic that open source software platforms often share: Data ownership. Unlike proprietary cloud models where an organization must trust its third-party software platform provider with the confidentiality, integrity, and availability of its data, organizations must install and manage MISP for themselves. The software is meant to be housed on-premises, which means that organizations will use their own resources and infrastructure to run their local instances of MISP. While that self-responsibility of managing and securing MISP may be too costly for some, organizations who deal with particularly sensitive data, like information pertaining to national security, may find that having total control over their data will be well worth the price.

Another open source perk that comes with utilizing MISP is that it is community-driven. Collaboration and sharing are defining characteristics that mark all open source software solutions, and these traits align especially well with the need for accurate and timely threat intelligence. This is because an organization’s situational awareness of the latest threat landscape will always be limited if it is only consuming intelligence originating from its own environments and networks. By participating in a common standardized platform like MISP, where threat intelligence feeds are shared and consumed across multiple sectors and industries in real-time, organizations can build resilience against past and future threats by leveraging the knowledge and experience gained by other participating organizations. Through collective sharing, organizations also reduce the likelihood of duplicating analytical work done by others.

Lastly, MISP offers community sharing models so that organizations can choose who they share and receive threat intelligence with. This is highly useful for those that are members of a common sector, industry, or community that share similar risks, vulnerabilities, and adversaries. For instance, MISP encourages members of the financial sector to partake in their open source platform because it supports not just the sharing of cybersecurity information but also financial information that can be used to detect fraud. In trusted communities such as this, the rapid dissemination of threat intelligence would be critical to mitigating the impact of an ongoing cyber campaign that is targeting their respective member organizations. Proactive sharing also enriches a community’s existing intelligence of relevant threats through knowledge maturation and increases its overall defensive agility against threats with shifting TTPs.


The Enhanced Cyber Defence Policy that was endorsed at the NATO 2014 Wales Summit espouses the importance of sharing information for promoting informed decision-making and situational awareness at NATO. As an open source threat intelligence sharing platform, it is safe to say that MISP goes above and beyond fulfilling the spirit of the policy for the Alliance. A software solution led by a small team of volunteers at CIRCL now freely serves thousands of organizations in both the public and private sectors across the globe in improving their cybersecurity postures. Indeed, in many ways, MISP serves as a paragon example of how open source solutions can be used as a powerful force for the greater public good if implemented correctly.

 In the face of an unrelenting cyber threat landscape that is poised to become more complex as the world progresses further into the 21st century, that is a quality that is well worth replicating in the cybersecurity community.   

 Featured Image: Cyberbrain (2021), by Bryan Roh. Used with permission.

Disclaimer: Any views or opinions expressed in the article are solely those of the author who is not affiliated with MISP or CIRCL in any capacity and whose views do not necessarily represent the views of the NATO Association of Canada or any organization.

Bryan Roh
Bryan Roh is a Research Analyst for the Cybersecurity and Emerging Threats programme at the NATO Association of Canada. He received a Cybersecurity Analyst diploma from Willis College, and a Bachelor of Arts from the University of Toronto, where he specialized in security issues related to the Asia-Pacific region. He is a former Compliance Director for the G7 Research Group and frequently publishes research work online. Bryan is also a former reservist in the Canadian Armed Forces where he developed an interest in information and national security issues.