Case management
In today’s article we’ll be putting the last piece of the puzzle in its place. We are going to present to you the case management part of our SOC. We have used two open source technologies TheHive and Cortex.
TheHive will be used as an alert management platform for our project that can manage an incident alert from creation to closure. Meanwhile, Cortex is a complementary software product from the same team as TheHive that complements it with data enrichment using its “analyzers” and “responders.”
I encourage you all to check the previous article to have a better understanding of what we are going to discuss here.
This article is divided into these sections:
- Installation and configuration of TheHive and Cortex.
- A walk-through TheHive and Cortex dashboards
- Cortex integration with TheHive
- Installing MISP and integrating it with TheHive
- Investigation: case management
1- Installation and configuration of TheHive and Cortex:
We’re deploying TheHive 3.4.0–1 and Cortex 3.0.1–1 .
TheHive requires Elasticsearch to be running. For that, we chose to use docker-compose to start them together in Docker containers. You can also install and configure Elasticsearch manually if you don’t want to use Docker.
For more details you can refer to:
https://github.com/TheHive-Project/TheHiveDocs/blob/master/installation/install-guide.md
Note: TheHive uses ElasticSearch to store data. Both software use a Java VM. We recommend using a virtual machine with 8vCPU, 8 GB of RAM and 60 GB of disk. You can also use a physical machine with similar specifications.
Let’s proceed, so we used the following docker-compose.yml file to start Elasticsearch, TheHive and Cortex together in 3 different containers:
version: "2"
services:
elasticsearch:
image: elasticsearch:6.8.0
ports:
- "0.0.0.0:9200:9200"
environment:
- http.host=0.0.0.0
- cluster.name=hive
- thread_pool.index.queue_size=100000
- thread_pool.search.queue_size=100000
- thread_pool.bulk.queue_size=100000
ulimits:
nofile:
soft: 65536
hard: 65536
cortex:
image: thehiveproject/cortex:3.0.1
depends_on:
- elasticsearch
ports:
- "0.0.0.0:9001:9001"
thehive:
image: thehiveproject/thehive:3.4.0
depends_on:
- elasticsearch
- cortex
ports:
- "0.0.0.0:9000:9000"
command: --cortex-port 9001Copy/paste and save it to docker-composer.yml , and execute this command:
sudo sysctl -w vm.max_map_count=524288
Finally run:
docker-compose up
TheHive is exposed on 9000/tcp port and Cortex on 9001/tcp. These ports can be changed by modifying the docker-compose file.
You can check the creation of the containers by using: docker ps –a
Check if Elasticsearch is responding:
Great! Now everything is set up, let us have a look at TheHive dashboard:
2- A Walk-through TheHive and Cortex dashboards
Navigate to http://YOUR_IP:9001
Note: Don’t forget to create rules for ports 9000,9001,9200 if you are going to set up this installation on the cloud.
Update the database and create an admin user:
Log in with that user:
Voila! This is the main Dashboard of TheHive:
Let’s check now Cortex Dashboard:
Update the database and create an admin user and log in, just like we did for TheHive.
Great! The way Cortex works is your current user can create organizations and users, but you must be logged in under an organization account in order to enable and manage Analyzers.
Create a new organization by clicking the +Add Organization button on this page.
Now switch to the Users tab and click +Add User
Assign the new user to the Organization you created and give them the OrgAdmin role.
After you save, click New Password for the user you just created and type in a password. Hit Enter to save.
Now logout and log back in as the new user.
Navigate to the Organization tab at the top.
Now click on the Analyzers sub-tab in the main body, not the Analyzers tab in blue at the top.
If Cortex is properly configured, you should see your Analyzers. I have 124 available as of today.
Now let us enable some analyzers to use later on. Keep the defaults settings.
Some analyzers will require API-keys so make sure to provide correct information when configuring these analyzers.
3-Cortex Integration with TheHive :
Navigate to the Users sub-tab and create a new user for integration with TheHive. This user should have the read & analyze role. This time don’t set a password for the user, instead click Create API Key and copy the key. Now back to our terminal, stop all the containers running. Create a file and name it application.conf in your home directory :
cortex {
"CORTEX-SERVER-ID" {
# URL of the Cortex server
url = "http://172.18.0.3:9001"
# Key of the Cortex user, mandatory for Cortex 2
key = "nBqA7B6BYc1kHhgAXZOYoXjBnt5vlCgM"
}
}Where url = http://your_cortex_container_ip:cortexPort
And key= “the api key you created for the previous user”
You can use docker inspect <id-container> to retrive the container ip
Save that file and then modify the docker-compose.yml file:
In thehive section , add
volumes:
- /home/your_user/application.conf:/etc/thehive/application.conf
And in command, add — cortex-key <the same api_key used in the previous stp>
Save the file and exit the editor.
Then, run docker-compose up again.
Now go back to theHive dashboard after all containers are up , navigate to “about” under your account onglet, you should see :
As you can see, we have successfully integrated Cortex with TheHive.
4-Installing the MISP and integrating it with TheHive:
4–1 MISP Installation :
1.sudo apt-get update -y && sudo apt-get upgrade -y
2. sudo apt-get install mysql-client -y
3.curl https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh -o misp_install.sh
4.chmod +x misp_install.sh
4. ./misp_install.sh -A
When it asks your for the baseurl , type your IP :
When it asks to create a “misp” user , type “y”.
PS: Dont’t forget to open port 80,443 on your machine.
Once it finishes installing, navigate to https://YOUR_IP/ , you should get the authentication panel:
Login using the initial credentials :
- Username: admin@admin.test
- Password: admin
Then enter a new password
Enable MISP Integration :
Go to your MISP Server webpage > Administration > Add User
Give the user an email. Exp: cortex_integration@admin.test
Add user to the ORGNAME organization
Role is user
Uncheck all the boxes at the bottom
Copy the user AuthKey
Go to Cortex > Organization > Analyzers
In the search box type “misp”
Enable “MISP_2_0”
Give the MISP server a descriptive name
URL = https://<MISP_IP>
key = AuthKey from MISP user you created
cert_check: False
Now navigate to the MISP server webpage > Sync Actions > List Feeds.
Find one of the feeds you’ve subscribed to and click the magnifying glass off to the right. Select an IP from the list and copy it.
Now in Cortex, click +New Analysis, add a data type of IP, and paste in the copied IP.
Select The MISP_2_0 analyzer and run.
On the Job History page click “View” and you should see the name of the list you copied the IP from as well as any other information that list provides.
You can go into TheHive and add this IP as an observable to test from there as well.
5- Investigation : Case Management with TheHive:
The core construct of TheHive is the investigation case. TheHive aims to making it easy for the analyst and ensuring a better understanding between team members working on it. This is vital since the case investigation is the core construct of most security investigations, whether you’re reviewing alerts, reverse engineering malware, or working a declared incident.
You can add tags to cases for quick searching and filtering. You can also rate the severity of a case, track TLP levels which can help govern and facilitate the sharing of data. All the data you put into a case are easily searchable from the search bar at the top of the screen. This makes it easy to determine if the activity you’re currently observing was present in an earlier case.
You can create cases from alerts by Importing them. If two alerts share a link then, you can opt to add this alert to an existing case instead of generating a new one.
After creating the case, you can start setting up tasks to it. A task can really be anything, but We recommend using them to track the actions taken to answer investigative questions.
In addition, multiple analysts can work on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker.
Case templates :
As SOC evolves, it becomes critical to define playbooks that helps analysts consistently approach investigations that share common attributes. For example, most the steps you take to initially investigate a series of failed passwords attempts or a phishing e-mail will generally be the same. If you can define those steps, you’ll have a great head start for training new analysts and ensuring most investigations start off on a level footing. TheHive provides a unique case template system that allows you to define common investigations and pre-populate case metadata and tasks.
n the example above, we’ve defined a template for investigations related to exploit kit activity. Now, any time I create a new case I can select this template and all the information you see there will be pre-populated into the case details. The real power here is in the ability to automatically create a series of tasks that should be completed when spawning the case. This essentially lays out the investigative playbook for you. With that, you get the added benefit of automatically populating the Waiting tasks queue so that other analysts can jump into the investigation or start completing containment and eradication tasks.
Also, TheHive allows you to create separate entries for interesting observables within the context of a case. An observable is any interesting data artifact. TheHive comes with several common observable types built-in. This includes things like IP addresses, domain names, HTTP URIs, etc. Of course, you can also define your own types which make this capability quite flexible.
There are multiple benefits to tracking observables. The obvious one is that you can search for them during later investigations to bring in additional context. You can also export them for later import into a blacklist, whitelist, or detection mechanisms. Finally, you can use the built-in Cortex integration to automatically submit the observables to any number of OSINT research sites. This is a very simple process and primarily just requires that you input API keys for each service you’ll be using. Some of the existing integrations include Passive Total, Virus Total, and Domain Tools.
When you’re ready to close out a case, click the Close Button in the title bar of the case:
You can set the nature of the case to true positive, false positive etc …
