Installing MISP with Docker

If you’ve worked with cyber threat intelligence (CTI) for any length of time, you’ve probably run into one or both of the MISP and STIX data formats.

Both are popular open source machine-readable (JSON) standards for sharing threat intelligence in a structured format.

Look under the hood for even a moment, though, and you’ll find that while their aims are similar, they approach the problem of describing cyber threats in significantly different ways.

Using misp-docker

The most popular way to run the threat intel sharing platform MISP with Docker is the open source misp-docker project on GitHub.

It's a great way to quickly and easily spin up a local MISP for testing purposes, including a connected database (MariaDB) and Redis instance.

To get MISP up and running on your local machine, follow these steps:

  1. First, install Docker. Make sure the Docker Desktop application is running on your machine.
  2. Clone the misp-docker repository.
  3. From the root of the repository, copy template.env to .env. You can leave the default environment variables as is if you only want to run Docker locally for testing.
  4. Run docker compose pull.
  5. Run docker compose up. Note: if you have problems with volume mounting, try changing the file sharing implementation for your containers to osxfs (Legacy).
  6. Once the process has finished, the MISP server will be running at https://localhost. You can log in with the default MISP credentials:
    1. User: admin@admin.test
    2. Password: admin

Deploying MISP to production with Docker

As you've seen, getting a local MISP instance up and running with Docker is quick and easy.

Could it be that easy to deploy MISP to production using Docker?

Unfortunately, no.

Running MISP reliably and securely in production using Docker or any other technology comes with many important considerations.

Ignore these and your MISP instance running on Docker could end up being, at best, unreliable and, at worst, a security vulnerability.

These considerations are still important even if you're using a container orchestration tool like Kubernetes.

  1. Design and network architecture: How will you consume feeds without exposing MISP endpoints to the internet? How will you integrate intelligence from MISP with the rest of your security architecture?
  2. Hosting: will you opt for single-tenant or multi-tenant hosting for your Docker container? Although multi-tenant hosting is cheaper, it comes with potential security and performance trade-offs.
  3. Logging: how will you securely and reliably forward IOCs to your logging platform?
  4. Monitoring: how will you monitor the health of your MISP instance? This is especially important if you ship IoCs from MISP feeds into your IDR systems, because a MISP outage will mean reduced security.
  5. Frequent upgrades: the pace of upgrades to MISP is only increasing, with between 12-20 upgrades per year to review, test, and migrate. How will you ensure your MISP instance running on Docker stays up to date and that new versions won't have bugs or breaking changes?
  6. Authentication: will you use organisational SSO, such as Okta or Microsoft Entra? This will likely require a level of custom development and configuration.
  7. Alerting: will you alert on logs from MISP?
  8. Backups: how will you automatically back up (and securely store backups of) your MISP database?
  9. Plan for DR & Handling Outages: how will you recover from data loss or an unexpected container crash? Will someone need to be on call to fix problems?
  10. Securing: threat intelligence platforms are a high value target for attackers. How will you keep your MISP instance secure while also pulling from external feeds (and possibly even threat sharing)?
  11. SSL Certificate Management: you'll need to provision, install and manage an SSL certificate for your MISP instance to enable secure and encrypted data transfer.
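The quick-start above leaves the documented default credentials (admin@admin.test / admin) and a localhost BASE_URL in place, which is exactly what the Authentication and Securing points warn about. As an added example that is not from this page or the misp-docker project, the following pre-deployment check parses a .env file and reports settings that are acceptable for a local test but not for production. The variable names ADMIN_EMAIL, ADMIN_PASSWORD, MYSQL_PASSWORD and BASE_URL are assumed to match template.env, and the sample file is constructed.

```python
# Added example, not from the page or misp-docker: pre-deployment check of a
# misp-docker .env for settings fine for a local test but unsafe in production.
# ADMIN_EMAIL, ADMIN_PASSWORD, MYSQL_PASSWORD and BASE_URL are assumed to match
# template.env; WEAK_ENV is a constructed sample.
import re
from typing import Dict, List

# Defaults quoted in the quick-start: an instance still using them is
# reachable with publicly known credentials.
DEFAULT_ADMIN_EMAIL = "admin@admin.test"
DEFAULT_ADMIN_PASSWORD = "admin"
MIN_SECRET_LENGTH = 16
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
WEAK_ENV = """\
# constructed: template.env copied to .env and left untouched
ADMIN_EMAIL=admin@admin.test
ADMIN_PASSWORD=admin
MYSQL_PASSWORD=example
BASE_URL="https://localhost"
"""

def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skips blanks and comments, strips matching quotes."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env

def production_findings(env: Dict[str, str]) -> List[str]:
    """Return one line per unsafe setting; an empty list means all checks passed."""
    findings: List[str] = []
    if env.get("ADMIN_EMAIL", DEFAULT_ADMIN_EMAIL) == DEFAULT_ADMIN_EMAIL:
        findings.append("ADMIN_EMAIL is the documented default admin@admin.test")
    pw = env.get("ADMIN_PASSWORD", DEFAULT_ADMIN_PASSWORD)
    if pw == DEFAULT_ADMIN_PASSWORD or len(pw) < MIN_SECRET_LENGTH:
        findings.append("ADMIN_PASSWORD is the default or shorter than 16 characters")
    if len(env.get("MYSQL_PASSWORD", "")) < MIN_SECRET_LENGTH:
        findings.append("MYSQL_PASSWORD is unset or shorter than 16 characters")
    url = env.get("BASE_URL", "https://localhost")
    if not url.startswith("https://"):
        findings.append("BASE_URL does not use https://")
    if re.search(r"://(localhost|127\.0\.0\.1)(:|/|$)", url):
        findings.append("BASE_URL still points at localhost")
    return findings
```

Run `production_findings(parse_env(open(".env").read()))` from the repository root before `docker compose up`; the untouched template produces four findings, and a file with unique credentials and a public HTTPS BASE_URL produces none.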

In short, self-hosting MISP with Docker for production usage can be a surprisingly difficult and complex project for CTI teams to navigate.

To help teams spend less time on configuring and maintaining their MISP and more time generating useful threat intel, we offer CloudMISP: an enterprise-grade fully managed, secure, and reliable MISP instance.