Every few months, StrangeBee puts out an update to TheHive (Security Incident Response Platform). This month they have added Elasticsearch as an index engine to alleviate issues with using Cassandra, and they have integrated support for MISP galaxies as well!
Now Incident Responders using TheHive can export IOCs and Galaxy assignment directly from TheHive to MISP.
Installation of TheHive 4.1.0 on Ubuntu 18.04
System Update and Preparation of Repositories
Let’s first get the updates and the repositories out of the way for the rest of the installation process.
sudo apt update -y && sudo apt upgrade -y
curl -fsSL https://www.apache.org/dist/cassandra/KEYS | sudo apt-key add -
echo "deb http://www.apache.org/dist/cassandra/debian 311x main" | sudo tee -a /etc/apt/sources.list.d/cassandra.sources.list
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add -
echo 'deb https://deb.thehive-project.org release main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list
sudo apt update -y && sudo apt upgrade -y
Assuming you have already done an update and upgrade, your output will likely match mine below. If there are extra packages to update, that should not be an issue.

Install Java Runtime Environment
JRE 8 is required for this installation: Cassandra has known issues with JRE 11 and 12, so make sure JRE 8 is the runtime installed for this build.
sudo apt-get install -y openjdk-8-jre-headless
echo JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64" | sudo tee -a /etc/environment
export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"
Install Cassandra
sudo apt install cassandra -y
cqlsh localhost 9042
You will now need to console into Cassandra to perform a configuration change. Perform the following interactively within CQLSH.
UPDATE system.local SET cluster_name = 'thp' where key='local';
exit;

Then perform a flush using the below from the console…
nodetool flush
And then edit /etc/cassandra/cassandra.yaml to reflect the following requirements:
cluster_name: 'thp'
listen_address: '127.0.0.1' # address for nodes
rpc_address: '127.0.0.1' # address for clients
seed_provider:
  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
    parameters:
      # Ex: "<ip1>,<ip2>,<ip3>"
      - seeds: '127.0.0.1' # self for the first node
data_file_directories:
  - '/var/lib/cassandra/data'
commitlog_directory: '/var/lib/cassandra/commitlog'
saved_caches_directory: '/var/lib/cassandra/saved_caches'
hints_directory:
  - '/var/lib/cassandra/hints'
Save the changes in your favourite editor, and then restart Cassandra.
sudo systemctl restart cassandra
sudo systemctl enable cassandra
Cassandra should then advertise on port 7000 shortly after the restart.

Install Elasticsearch
sudo apt install elasticsearch -y
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
No further configuration should be required, unless you really want your Elasticsearch instance to be reachable from outside the host (which I do not advise).
After about 30 seconds, Elasticsearch should be listening on port 9200 on localhost. You can verify this with the following command:
netstat -an | grep 9200

Install TheHive
sudo apt-get install thehive4 -y
sudo mkdir /opt/thp/thehive/index
sudo mkdir /opt/thp/thehive/files
sudo chown thehive:thehive -R /opt/thp/thehive/index
sudo chown thehive:thehive -R /opt/thp/thehive/files
Configure TheHive and Restart
Now we can configure TheHive by editing the configuration file appropriately. This will be a basic setup at first, advanced integrations come later under the Integration headings.
In our editor, update the following variables in /etc/thehive/application.conf
## Database configuration
storage {
  ## Cassandra configuration
  # More information at https://docs.janusgraph.org/basics/configuration-refe$
  backend: cql
  hostname: ["127.0.0.1"]
  # Cassandra authentication (if configured)
  // username: "thehive"
  // password: "password"
  cql {
    cluster-name: thp
    keyspace: thehive
  }
  index.search {
    backend: elasticsearch
    hostname: ["127.0.0.1"]
    index-name: thehive
  }
}
## Attachment storage configuration
storage {
  ## Local filesystem
  provider: localfs
  localfs.location: /opt/thp/thehive/files
  ## Hadoop filesystem (HDFS)
  // provider: hdfs
  // hdfs {
  //   root: "hdfs://localhost:10000" # namenode server hostname
  //   location: "/thehive" # location inside HDFS
  //   username: thehive # file owner
  // }
}
Save the configuration changes, and then start TheHive from the console
sudo systemctl start thehive
sudo systemctl enable thehive
After about a minute you can grep for port 9000 to confirm that TheHive is listening and waiting for connections. The first start-up may take a little longer, since there is now an Elasticsearch index to be created as well.
I also very strongly suggest holding both Elasticsearch and TheHive4 back from apt upgrade. This measure is intended to prevent you from bricking your installation through a well-intended upgrade that introduces a breaking change.
sudo apt-mark hold elasticsearch
sudo apt-mark hold thehive4
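The walkthrough expects Cassandra on 7000 and 9042, Elasticsearch on 9200 and TheHive on 9000, all bound to localhost. The script below is an added example, not part of the original post or of TheHive's own tooling: it reads `ss -ltn` output (assumed column layout: State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and reports any of those ports bound to all interfaces. The sample socket listing embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check which interface each port of the
# TheHive stack is bound to. Reads `ss -ltn` output on stdin and returns 0 when every
# stack port listens on loopback only, 1 when any of them is bound to all interfaces.

# Ports the walkthrough expects: Cassandra gossip 7000, CQL 9042,
# Elasticsearch 9200, TheHive 9000.
STACK_PORTS="7000 9042 9200 9000"

audit_listeners() {
    exposed=0
    # ss -ltn columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
    while read -r state _recvq _sendq local _peer _rest; do
        [ "$state" = "LISTEN" ] || continue        # also skips the header line
        port="${local##*:}"                         # text after the last colon
        addr="${local%:*}"                          # text before the last colon
        for p in $STACK_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.0.0.1|'[::1]') echo "ok       $local" ;;
                *)                 echo "EXPOSED  $local  (expected loopback only)"
                                   exposed=1 ;;
            esac
        done
    done
    return $exposed
}

# Constructed sample of `ss -ltn` output: Cassandra bound correctly, Elasticsearch and
# TheHive bound to all interfaces, plus an unrelated sshd socket that is ignored.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9042     0.0.0.0:*
LISTEN 0      128    127.0.0.1:7000     0.0.0.0:*
LISTEN 0      128    0.0.0.0:9200       0.0.0.0:*
LISTEN 0      128    [::]:9000          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# On a live host run:  ss -ltn | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "some stack ports are exposed"
```

Run it after each restart in this guide; a clean result is silent apart from the `ok` lines, and a non-zero exit means one of the three services is reachable from other hosts, which is the configuration the Elasticsearch section above advises against.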
First login is the same as before: browse to your instance on port 9000, and you should be able to log in with the credentials below.

First logins to TheHive are still made using the default username and password of [email protected] / secret

Integration of TheHive with MISP
Integrating MISP with TheHive is relatively straightforward… for this you will need an operational MISP instance which is accessible by TheHive. The following information will need to be updated in /etc/thehive/application.conf
play.modules.enabled += org.thp.thehive.connector.misp.MispModule
misp {
  interval: 1 hour
  servers: [
    {
      name = "TestMISPInstance" # MISP name
      url = "http://mymispinstance/" # URL of MISP
      auth {
        type = key
        key = "PASTEKEYHERE" # MISP API key
      }
      wsConfig {} # HTTP client configuration (SSL and proxy)
    }
  ]
}
Save the configuration file and then restart thehive
sudo systemctl restart thehive
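Because application.conf now carries a MISP API key, it is worth linting it before the restart. The function below is an added example, not part of the original post or of TheHive: it flags a key left at the PASTEKEYHERE placeholder, a MISP url still served over plain http, and a config file readable by every local user. It assumes GNU `stat -c '%a'` (Ubuntu), and the two config files it checks are constructed copies of the misp block above written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): static audit of a TheHive application.conf
# for the pitfalls in the MISP integration step. Exit status is the number of findings.

audit_thehive_conf() {
    conf="$1"
    findings=0
    # 1. API key never replaced after copying the sample block.
    if grep -Eq 'key[[:space:]]*=[[:space:]]*"PASTEKEYHERE"' "$conf"; then
        echo "FAIL  misp.servers[].auth.key is still the PASTEKEYHERE placeholder"
        findings=$((findings + 1))
    fi
    # 2. Plain-http MISP url: the API key would cross the network unencrypted.
    if grep -Eq 'url[[:space:]]*=[[:space:]]*"http://' "$conf"; then
        echo "WARN  MISP url uses plain http; the API key travels unencrypted"
        findings=$((findings + 1))
    fi
    # 3. World-readable config: any local account could read the key.
    mode=$(stat -c '%a' "$conf")          # assumes GNU coreutils stat
    case "$mode" in
        *[1-7]) echo "FAIL  $conf has mode $mode (world-readable); restrict with chmod 640 and keep it readable by the thehive user"
                findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Constructed sample mirroring the walkthrough's misp block, pitfalls left in.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
play.modules.enabled += org.thp.thehive.connector.misp.MispModule
misp {
  interval: 1 hour
  servers: [
    {
      name = "TestMISPInstance"
      url = "http://mymispinstance/"
      auth {
        type = key
        key = "PASTEKEYHERE"
      }
      wsConfig {}
    }
  ]
}
EOF
chmod 644 "$SAMPLE_DIR/bad.conf"

# Same block with https, a (fake, constructed) key value and a restricted mode.
sed -e 's#http://#https://#' -e 's/PASTEKEYHERE/EXAMPLE-KEY-NOT-REAL/' \
    "$SAMPLE_DIR/bad.conf" > "$SAMPLE_DIR/good.conf"
chmod 640 "$SAMPLE_DIR/good.conf"

# On a live host run:  audit_thehive_conf /etc/thehive/application.conf
audit_thehive_conf "$SAMPLE_DIR/bad.conf"  || echo "bad.conf: $? finding(s)"
audit_thehive_conf "$SAMPLE_DIR/good.conf" && echo "good.conf: clean"
```

The http check is a warning rather than a failure because a lab MISP on the same host may legitimately use plain http; for a MISP reachable over a network, put the key behind TLS.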
And then check back in TheHive’s interface for the MISP module status icon in the bottom right of your interface.

Now that the MISP connector is configured, we can import the MISP taxonomies from the Admin menu in the top bar.
Import the taxonomies from the Import Taxonomies button…

The import may take a little while, but once complete you should see a view of the imported taxonomies in TheHive which correspond with that of MISP. Take care though, sometimes MISP will update these taxonomies, and that may result in an out of sync taxonomy state between MISP and TheHive.
Exporting TheHive Case to MISP
For the purposes of this test, I am using a URL from PhishTank to provide some intelligence to push to MISP. I have added the URL and manually included external intelligence and some other information not flagged as an IOC.

From here, the observables marked as IOCs are pushed to a MISP event through the Export button, and they then appear replicated in MISP as follows:

We will look at assigning ATT&CK patterns in TheHive in a later post; these can also be assigned in MISP. Briefly, though: expand the ATT&CK matrix panel and select the techniques observed in the case.

The case will then be tagged into the galaxies appropriate to those Attack Patterns.
Conclusion
So far, TheHive 4.1.0 has performed pretty well. The true test will come over the following days where I smash alerts and cases through the platform via N8N.
This should give the new Elasticsearch index engine a proper stress test, and let me try out the webhook authentication that was also added as part of 4.1.0.
Happy Incident Responding!