CryptoGen Nepal
Published in CryptoGen Nepal

Security Analyst’s Trinity: Cortex Installation

TheHive Project developed Cortex, a free and open-source tool, specifically for observable analysis. IP addresses, email addresses, URLs, domain names, files, and hashes can all be analyzed individually or in bulk through a web interface, and the Cortex REST API lets analysts automate those analyses. Cortex addresses a problem that SOCs, CSIRTs, and security researchers face constantly in threat intelligence, digital forensics, and incident response work: how to analyze observables gathered at scale using a single tool.

This blog post focuses on Cortex installation and on its potential when combined with platforms like TheHive and MISP, as a case management system and a threat intelligence platform respectively.

The following section includes the steps for manually installing Cortex from the binary package on Ubuntu 20.04.

Install Ubuntu VM

Install Ubuntu 20.04 and make sure the system is up to date:

sudo apt-get update
sudo apt-get upgrade

Install a Java Virtual Machine

We can install either Oracle Java or OpenJDK.

Oracle Java

echo 'deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main' | sudo tee -a /etc/apt/sources.list.d/java.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key EEA14886
sudo apt-get update
sudo apt-get install oracle-java11-installer

Open JDK

sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt-get update
sudo apt-get install openjdk-11-jre-headless

Install Elasticsearch

As part of Cortex’s requirements, we’ll need to install the Elasticsearch component. Elasticsearch is a platform for distributed search and analysis of data in real time. It is a popular choice due to its usability, powerful features, and scalability. We are installing the Elasticsearch package provided by Elastic.

PGP key Installation

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-key D88E42B4

Alternative PGP key Installation

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Debian repository configuration

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Install HTTPS support for apt

sudo apt install apt-transport-https

Elasticsearch installation

sudo apt update && sudo apt install elasticsearch

Elasticsearch Configuration

Modify the configuration file /etc/elasticsearch/elasticsearch.yml and add the following lines:

network.host: 127.0.0.1
script.source: true
cluster.name: thp
thread_pool.get.queue_size: 100000
thread_pool.search.queue_size: 100000
thread_pool.write.queue_size: 100000

Now that Elasticsearch has been set up, start it as a service and check to see whether it is operational:

sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
sudo systemctl status elasticsearch

The status must be active (running). If it isn’t running, look at the logs to see what’s wrong:

sudo journalctl -u elasticsearch

Install Cortex

Download and unzip the binary package of your choice. Cortex files can be installed anywhere on the filesystem; we have decided to put them under /opt for this article.

sudo apt-get install unzip
cd /opt
sudo wget https://dl.bintray.com/thehive-project/binary/cortex-latest.zip
sudo unzip cortex-latest.zip
sudo ln -s cortex-3.1.1-1 cortex
sudo nano /opt/cortex/package/cortex.service
# Change the ExecStart line to this
ExecStart=/opt/cortex/bin/cortex \
-Dconfig.file=/opt/cortex/conf/application.conf \
-Dlogger.file=/opt/cortex/conf/logback.xml \
-Dpidfile.path=/dev/null

Now we need to create the config file and add the secret key that Cortex uses for its cryptographic functions:

sudo mv /opt/cortex/conf/application.sample /opt/cortex/conf/application.conf
(cat << _EOF_
# Secret key
# ~~~~~
# The secret key is used to secure cryptographics functions.
# If you deploy your application to several instances be sure to use the same key!
play.http.secret.key="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
_EOF_
) | sudo tee -a /opt/cortex/conf/application.conf
sudo addgroup cortex
sudo adduser --system cortex
sudo cp /opt/cortex/package/cortex.service /usr/lib/systemd/system
sudo chown -R cortex:cortex /opt/cortex
sudo chown -R cortex:cortex /opt/cortex-3.1.1-1
sudo chgrp cortex /opt/cortex/conf/application.conf
sudo chmod 640 /opt/cortex/conf/application.conf
sudo systemctl enable cortex
sudo service cortex start

Now that Cortex and Elasticsearch have been set up and configured, you can access the Cortex web interface at http://<SERVERNAME>:9001

Please remember that the service may take some time to start.
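Once the services are up, it is worth verifying the security-relevant settings from the Elasticsearch configuration section and from the Cortex secret and permission steps above: Elasticsearch bound to loopback only, a generated secret key in application.conf, and that file readable only by the cortex group. The POSIX shell script below is an added example for this article, not part of the original post or of TheHive Project's code. It assumes GNU coreutils (for stat -c), the file paths used in the guide, and Cortex's GET /api/status endpoint for the optional live check, which only runs when the script is invoked with --check; the demo function exercises every check offline on constructed sample files.

```shell
#!/bin/sh
# Post-install sanity checks for the Elasticsearch and Cortex setup described
# above. Added example for this article, not code from TheHive Project.
# Assumptions: GNU coreutils (stat -c), the file paths used in the guide,
# and Cortex's GET /api/status endpoint for the optional live check.

# Elasticsearch here runs without authentication, so it must only listen on
# loopback. Checks network.host and the guide's cluster.name in a YAML file.
es_config_ok() {
    host=$(sed -n 's/^network\.host:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    cluster=$(sed -n 's/^cluster\.name:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    [ "$host" = "127.0.0.1" ] || { echo "network.host='$host', want 127.0.0.1" >&2; return 1; }
    [ "$cluster" = "thp" ] || { echo "cluster.name='$cluster', want thp" >&2; return 1; }
}

# Same generator as the guide's heredoc: 64 alphanumeric characters from urandom.
generate_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | fold -w 64 | head -n 1
}

# play.http.secret.key must be present, at least 64 characters, and made only
# of the characters the generator emits (anything else is a leftover
# placeholder or a hand-typed value).
secret_key_ok() {
    key=$(sed -n 's/^play\.http\.secret\.key="\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    [ -n "$key" ] || { echo "no play.http.secret.key in $1" >&2; return 1; }
    case "$key" in
        *[!A-Za-z0-9]*) echo "secret key has unexpected characters" >&2; return 1 ;;
    esac
    [ "${#key}" -ge 64 ] || { echo "secret key too short (${#key} chars)" >&2; return 1; }
}

# application.conf holds the secret: mode 640 and group $2 (cortex on a real host).
conf_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    fgrp=$(stat -c '%G' "$1") || return 1
    [ "$mode" = "640" ] || { echo "$1 is mode $mode, want 640" >&2; return 1; }
    [ "$fgrp" = "$2" ] || { echo "$1 is group $fgrp, want $2" >&2; return 1; }
}

# Optional live check: Cortex answers on port 9001 once it has finished starting.
cortex_live() {
    code=$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:9001/api/status) || return 1
    [ "$code" = "200" ] || { echo "Cortex /api/status returned $code" >&2; return 1; }
}

# Offline demonstration on constructed sample files: one good and one bad
# instance of each check. Returns 0 only if every check behaves as expected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'network.host: 127.0.0.1\ncluster.name: thp\n' > "$d/good.yml"
    printf 'network.host: 0.0.0.0\ncluster.name: thp\n' > "$d/bad.yml"
    printf 'play.http.secret.key="%s"\n' "$(generate_secret)" > "$d/good.conf"
    printf 'play.http.secret.key="changeme"\n' > "$d/bad.conf"
    chmod 640 "$d/good.conf"
    chmod 644 "$d/bad.conf"
    g=$(id -gn)
    rc=0
    es_config_ok "$d/good.yml" || rc=1
    es_config_ok "$d/bad.yml" 2>/dev/null && rc=1
    secret_key_ok "$d/good.conf" || rc=1
    secret_key_ok "$d/bad.conf" 2>/dev/null && rc=1
    conf_perms_ok "$d/good.conf" "$g" || rc=1
    conf_perms_ok "$d/bad.conf" "$g" 2>/dev/null && rc=1
    rm -rf "$d"
    return $rc
}

# Real checks against the guide's paths; run as: sh cortex-check.sh --check
main() {
    rc=0
    es_config_ok /etc/elasticsearch/elasticsearch.yml || rc=1
    secret_key_ok /opt/cortex/conf/application.conf || rc=1
    conf_perms_ok /opt/cortex/conf/application.conf cortex || rc=1
    cortex_live || rc=1
    return $rc
}

if [ "${1:-}" = "--check" ]; then main; fi
```

Run it with --check on the Cortex host after the service has started; a non-zero exit with a message on stderr points at the setting to revisit. The permission check deliberately looks at the group rather than the owner, because the guide's chgrp/chmod pair is what keeps the secret out of reach of other local accounts.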

The database schema must be created the first time you connect. To create it, click “Update database.”

[Figure: Cortex first access prompt]

Once done, you should be redirected to the page for creating the administrator’s account.

[Figure: Administrator account creation]

The user information you give on first access creates the super admin of the parent organization. That organization exists to manage other organizations, so for day-to-day use you’ll need to create a new organization and an admin user within it.

To create a new organization, log in as your super admin account and go to Organizations, then Add Organization.

[Figure: Create Organization]

Then pick the new organization and click Add user. There are three self-explanatory roles to choose from. Create a new user with the organization admin role; this is the user that will be used to configure the analyzers.

[Figure: User creation]

So far, we have completed the installation of Cortex. In the follow-up articles, we’ll install MISP and configure the integration between these components.

References

https://github.com/TheHive-Project/TheHiveDocs/blob/master/installation/install-guide.md#elasticsearch-installation
