Blogs

Creating a Netcat Pivoting Lab Using K8s

So Kubernetes is something I’ve been meaning to play with for a while now, but I didn’t really have a good enough use case to try it out. Docker was doing what I needed it to do without the complexity of Kubernetes, so I was all good. I tried getting into Kubernetes a few years ago and watched plenty of videos, but it all kind of fell by the wayside and was eventually forgotten about.

SANS SEC504

I’ve been fortunate in that my workplace has sponsored me to take the SANS SEC504 - Hacker Tools, Techniques and Incident Handling as a 4-month on-demand course. This is the second SANS course that I have been fortunate enough to attend. The first one was the SEC511 - Continuous Security Monitoring back in 2016, which was done on-site over 6 days. I have to say that with the amount of content that's jammed into these courses, I found that on-site was a struggle for me.

Using Mitre Attack Navigator Locally

In my last post about the MITRE ATT&CK Navigator I covered how you can create multiple layers and then aggregate them together, which is all well and good until you realise that if you want to see that level of detail each time you access the ATT&CK Navigator, you need to specify that JSON file. This is where this post comes in. It's quite a straightforward process to host your own Navigator and further customise it to suit your needs.

Doing More With Attack Navigator

MITRE ATT&CK. It's the bread and butter for Security Operations Centres. But how are you tracking what you can detect? Does your SIEM have a built-in tool? Perhaps you have straight up copied the matrix into Excel, or are keeping score in a text file? You may or may not be aware of the online version of the MITRE ATT&CK Navigator. There's heaps of functionality, allowing you to apply custom colors, heat mapping of score tallies, display of all the tactic/technique IDs, as well as export functionality to Excel/SVG/JSON.

ssh honeypot with fail2ban and AWS SQS to MISP

So I wanted to do something which has been done many times before, and that was to create an SSH honeypot for some threat intelligence collection purposes. The twist to this is that I want to send the results to MISP, and I came across a few hiccups along the way. I've previously blogged about Fail2Ban, and it got me thinking: what if I added a secondary action to send the resulting banned IP into MISP?

Thehive5 Webhooks

When it comes to online applications, some of the best functionality comes when you can programmatically tap into them, as it creates countless opportunities to customise and extend the functionality to suit your needs without having to modify the underlying application. In the context of TheHive, the API will allow you to query, post or search data, which can aid in the lifecycle of an incident, as well as create alerts and cases programmatically.

Docker Config: Thehive5 with Cortex and n8n

I’ll start by saying that I have done these sorts of posts in the past, where I have stood up TheHive and reverse proxies etc. using a docker-compose file, so the basic configuration etc. is going to be heavily borrowed, except for some minor tweaks. I am still old school, so this isn't a configuration you would want to run for mission-critical services; however, there is a guide for how to use Docker in production.

TheHive 5

TheHive. You know I'm a huge fan of this Incident Response platform, with many blog posts dedicated to it, including how you can integrate and interface with it. Over the years TheHive has been on a journey and has matured and stabilised. Now, with a new code base, the developers have taken full control of the licensing for version 5. I do, however, have mixed feelings about this. On one hand I'm sad that TheHive is no longer open source.

681 Days

Wow, it's been a while... 681 days since my last post. What the hell happened? I've been slack. I've wanted to keep up the blogging and documenting cool open source stuff, but it's been a hectic few years. You know, pandemic and such. So here's a little recap of my life since the last post.

- Kept up the routine of my 12 km New Year's hike up a mountain (twice)
- Sold my house just before the COVID-19 pandemic went into full swing and Melbourne got locked down for what seemed like an eternity
- Moved house
- Bought a block of land
- Designed a floorplan for a new house
- Had said house built
- Moved house again
- Worked a few security incidents at work
- Learnt a lot about Splunk Phantom and SOAR
- Started building a new homelab
- Built a NAS using a few ODROIDs and GlusterFS
- Played around a fair bit with Home Assistant, ESP32 devices and Grafana

Doesn't seem like a lot to squeeze in during that time.

Cylance Cybot

Recently I attended a webinar in which the presenter from Blackberry Cylance was talking about a tool that they created called Cybot. This tool is a chatbot designed for SOCs to hopefully speed up triage. Turns out Cybot is a pretty nifty tool and has integrations with various chat platforms like Slack and Microsoft Teams.

Installation Steps

There are a number of prereqs required to stand up this app.

Using TheHive4 webhooks to create Microsoft Teams cards via Nodered

One of the most powerful features of TheHive has to be the outgoing webhooks. You make any modification to any case, task, observable etc. and, if configured, the outgoing webhooks will do with it what you will. I've written a few blog posts about TheHive webhooks, and my platform of choice has been Nodered for this. With a highly extendable and easy-to-use graphical drag-and-drop interface, it makes it easier to visualise your workflows.

Upgrading Cortex 3.0.1/ES5.6 to Cortex 3.1.0RC1/ES7.8

In my last post, I covered how I went about upgrading TheHive from 3.4 to 3.5RC1, along with a double upgrade of Elasticsearch. Well, now it's Cortex's time. Cortex 3.1.0 also uses Elasticsearch 7.8, so we are in for a similar upgrade process. Depending on your reliance on Cortex, it may be a nice addition to TheHive that is rarely used, or it may be critical to your operation. Either way, getting to the latest version is desirable, as there are always welcome bug fixes and improvements with error handling, reporting and general integration.
