A. Join our Slack channel. An invite link is included in the support.txt shipped with the tools and in the MISP news items.
A. CanCyber is a free malware threat intelligence and indicator exchange with a twist. Indicators are useful, but most IT systems aren't designed to take indicators and turn them into hunting for advanced threats that commercial AV can miss. CanCyber is based on MISP, an open source sharing platform, combined with our own custom-developed malware hunting automation tools for Windows.
A. CanCyber, Inc. is a federally incorporated Canadian company. Our CEO is David Walker, based in Ottawa, ON.
A. Malware Information Sharing Platform, an open source threat sharing system misp-project.org.
A. While we aren't part of the official project, we plan to release some of our tools and integrations later.
A. We are focussing on companies with a Canadian presence; new members are generally referred by an existing member. If you are an existing member, you can use the contact form or email us your vouch for a new member.
A. Yes. MISP supports sharing groups, such as industry groups, for group-only sharing. You can also choose to share to the greater community and share with all our members.
A. Only email addresses are visible when creating an event or when selecting a user.
A. The endpoint scanner uses Yara to scan files on disk and the memory of running processes, domains in the DNS cache, open IP sockets, and filenames. Registry keys and mutexes will be added later. There's nothing to install: the endpoint scanning tool (EPST) is a self-contained, pre-compiled C/C++ command-line application for Windows.
A. Yes. You can add private indicator events visible to your own organization only, and use them, for example, to test the endpoint hunting with your own indicators. Yara signatures aren't automatically pulled from MISP: one broken rule breaks compilation of the whole rule set, so we carefully add each rule by hand. Contact us to add your own rules, or run the tool against local pre-compiled Yara signatures.
A. Yara is a powerful yet easy to learn malware classification tool. Hashes, domains and IPs change from sample to sample, but a Yara signature can match across the small variations that appear as a malware family evolves (Yara on GitHub). Even when a sample is packed or encrypted on disk, our endpoint scanning tool scans process memory, where the unpacked code is exposed as it runs.
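As an added illustration of why a signature survives where a hash does not, the following example code was written for this page; it is not Yara itself and not CanCyber's EPST. It is a toy matcher for Yara's hex-string syntax (`??` byte wildcards and `4?`-style nibble wildcards) run over two constructed byte variants of one stub, and over a single-byte-XOR "packed" copy that only matches once unpacked, as an in-memory scan would see it. The sample bytes, the signature and the XOR key are all made up for the demonstration.

```python
import hashlib
import re

# Toy re-implementation of Yara's hex-string matching, added to illustrate the
# answer above. It is not Yara and not CanCyber's endpoint scanning tool; real
# rules should be compiled and run with Yara itself.


def hex_pattern_to_regex(pattern: str):
    """Translate a Yara-style hex string such as '{ 6A 00 68 ?? ?? 40 00 E8 }'
    into a compiled bytes regex. '??' matches any byte; '4?' / '?0' match any
    byte with the given high / low nibble (Yara's nibble wildcards)."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if len(tok) != 2:
            raise ValueError(f"unsupported hex token: {tok!r}")
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            choices = [int(tok.replace("?", h), 16) for h in "0123456789abcdef"]
            parts.append(b"[" + b"".join(b"\\x%02x" % c for c in choices) + b"]")
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def yara_hex_match(pattern: str, data: bytes) -> bool:
    """True if the hex pattern occurs anywhere in data."""
    return hex_pattern_to_regex(pattern).search(data) is not None


# Constructed sample: two builds of the same x86 stub (push 0; push <addr>;
# call ...; ret) whose pushed address differs. Hashes differ, the signature does not.
VARIANT_A = bytes.fromhex("6a00 68 10204000 e8 11223344 c3")
VARIANT_B = bytes.fromhex("6a00 68 40304000 e8 11223344 c3")
SIGNATURE = "{ 6A 00 68 ?? ?? 40 00 E8 }"   # wildcards cover the two varying bytes


def compare(variant_a: bytes, variant_b: bytes, signature: str) -> dict:
    return {
        "hashes_equal": hashlib.sha256(variant_a).digest() == hashlib.sha256(variant_b).digest(),
        "signature_matches_a": yara_hex_match(signature, variant_a),
        "signature_matches_b": yara_hex_match(signature, variant_b),
    }


# Stand-in for a packer: a single-byte XOR (assumed key). On disk the signature
# is hidden; once the sample "unpacks" itself the plain bytes are back in memory.
PACK_KEY = 0x5A


def pack(data: bytes) -> bytes:
    return bytes(b ^ PACK_KEY for b in data)


def unpack(data: bytes) -> bytes:
    return pack(data)  # XOR with the same key is its own inverse


PACKED_A = pack(VARIANT_A)

if __name__ == "__main__":
    print(compare(VARIANT_A, VARIANT_B, SIGNATURE))
    print("on-disk (packed) match:", yara_hex_match(SIGNATURE, PACKED_A))
    print("in-memory (unpacked) match:", yara_hex_match(SIGNATURE, unpack(PACKED_A)))
```

The two variants differ only in the bytes under the `??` wildcards, so their SHA-256 digests differ while the one signature matches both; the packed copy matches only after unpacking, which is the case the memory scan covers.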
A. Yes, there's a variety of ways to deploy an executable to users across the domain. Contact us with questions (or your success stories!)
A. The JSON results file is uploaded back to us. It contains hashes and metadata for each hit, plus the content of any matching file under 10 MB.
A. An interim tool API key is used for read-only access to the MISP indicators your account has access to.
A. A CanCyber network monitoring module for Bro is now available. It downloads indicators every 6 hours and expires old indicators after 10 hours. Only indicators such as IPs, domains, hashes, email addresses and URLs are used; content-based signature sharing, e.g. for beacon content, is still under development. The Bro module shares only packet header metadata, never packet content.
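The following added example shows the refresh/expiry behaviour described above as a minimal Bro/Zeek Intel framework feed generator. It is written for this page and is not CanCyber's module: the MISP attribute records are constructed, the type mapping to `Intel::ADDR`, `Intel::DOMAIN`, `Intel::URL`, `Intel::EMAIL` and `Intel::FILE_HASH` is the Intel framework's own, and the rule that an indicator expires when no download has returned it for 10 hours is an assumption about what "expire old indicators" means.

```python
import time

# Added example: a minimal Bro/Zeek Intel-framework feed generator with the
# refresh/expiry behaviour the answer above describes. Not CanCyber's module;
# the MISP attributes below are constructed, and the "last seen in a download"
# expiry rule is an assumption.

POLL_INTERVAL = 6 * 3600   # download indicators every 6 hours
MAX_AGE = 10 * 3600        # expire indicators not seen in any download for 10 hours

# MISP attribute types the feed uses, mapped to Intel framework indicator types.
MISP_TO_INTEL = {
    "ip-src": "Intel::ADDR", "ip-dst": "Intel::ADDR",
    "domain": "Intel::DOMAIN", "hostname": "Intel::DOMAIN",
    "url": "Intel::URL",
    "email-src": "Intel::EMAIL", "email-dst": "Intel::EMAIL",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
}


def refresh_cache(cache, attributes, now):
    """Merge one MISP download into the cache, stamping each usable indicator
    with the time it was last seen. Unknown types (e.g. yara, comment) and
    attributes not flagged to_ids are skipped, as are values that would break
    the tab-separated intel file."""
    for a in attributes:
        itype = MISP_TO_INTEL.get(a.get("type"))
        if itype is None or not a.get("to_ids", False):
            continue
        value = a["value"]
        if any(c in value for c in "\t\r\n"):
            continue
        cache[(value, itype)] = {"last_seen": now, "desc": a.get("comment") or "-"}
    return cache


def expire(cache, now, max_age=MAX_AGE):
    """Drop indicators that no download has returned within max_age seconds."""
    stale = [k for k, v in cache.items() if now - v["last_seen"] > max_age]
    for k in stale:
        del cache[k]
    return cache


def render_intel_file(cache, source="cancyber"):
    """Emit the cache as a Zeek Intel framework input file (tab-separated,
    '#fields' header, '-' for empty fields)."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"]
    for (value, itype), meta in sorted(cache.items()):
        lines.append("\t".join((value, itype, source, meta["desc"])))
    return "\n".join(lines) + "\n"


def run_polls(downloads, t0, interval=POLL_INTERVAL):
    """Simulate successive polls; a None entry stands for a failed download."""
    cache, counts = {}, []
    for i, batch in enumerate(downloads):
        now = t0 + i * interval
        if batch is not None:
            refresh_cache(cache, batch, now)
        expire(cache, now)
        counts.append(len(cache))
    return counts, cache


# Constructed MISP attributes (trimmed to the fields this feed needs).
DOWNLOAD_FULL = [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True, "comment": "C2 server"},
    {"type": "domain", "value": "c2.example.test", "to_ids": True, "comment": ""},
    {"type": "sha256", "value": "a" * 64, "to_ids": True, "comment": "dropper"},
    {"type": "yara", "value": "rule x { condition: true }", "to_ids": True},   # not a feed type
    {"type": "domain", "value": "cdn.example.test", "to_ids": False},          # not for detection
]
# A later download in which the domain has been removed from MISP.
DOWNLOAD_WITHOUT_DOMAIN = [a for a in DOWNLOAD_FULL if a["value"] != "c2.example.test"]

if __name__ == "__main__":
    polls = [DOWNLOAD_FULL, DOWNLOAD_WITHOUT_DOMAIN, DOWNLOAD_WITHOUT_DOMAIN]
    counts, cache = run_polls(polls, int(time.time()))
    print(counts)                  # the removed domain survives one poll, then expires
    print(render_intel_file(cache))
```

With a 6-hour poll and a 10-hour expiry, an indicator removed from MISP disappears from the feed on the second poll after its removal, and a single failed download does not empty the feed, because nothing is older than 6 hours at the next poll.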
A. We felt there was a gap: Canadian companies and individuals targeted by foreign state-sponsored cyber-espionage had no way to get actionable APT threat intelligence at no cost. We use free open source software, and rather than buying expensive threat feeds we rely on our members to share real threat intel from recent incidents or from open source reporting.
A. We are a threat intelligence sharing and malware hunting service; once you find something, how and when you remediate your systems is up to you. We recommend contacting CCIRC, Canada's national computer incident response team, for mitigation advice and best practices for securing your systems and networks. For more information on mitigation strategies for an APT event, please read this document from CCIRC.
A. No, your scan results are limited to your organization. Our employees and developers have administrator access which is monitored, logged and audited regularly. MISP sightings of hits are anonymized - only a count of hits for your org are available to members of your own org. The event owner can see a total count of hits for all orgs combined effectively anonymizing the results from any particular org.
A. Wherever possible, our data is stored in Amazon data centres in Montreal, QC.
A. It's free. Now and forever. We are owned by passionate security researchers who are here to help, not make money. Our costs are low, we require no funding or donations. Your data will never be sold.
A. We are a community, all we ask is that, if you can share indicators and threat intel, please do. We can anonymize your events and publish them as one of ours if you prefer.
A. Yes. Use the upload file link at the top of the page, then contact us with your needs. There's no cost for analyst services.
A. CanCyber, Inc. is vendor neutral and cannot recommend any specific provider. We recommend asking your provider up front about their experience, their mitigation plan, and their best practices for hardening security post-compromise.