Skip to content

McHughSecurity

  • Home
  • Blog
  • Security Operations
  • DFIR
    • Reverse Engineering
      • Dynamic Analysis
      • Static Analysis
  • Vuln. Mgmt
  • Intelligence
    • Open-Source Intelligence
    • Threat Intelligence
      • AIL Framework
      • MISP – Open Source Threat Intelligence Platform
      • OpenCTI
  • Threat Modelling
    • Attack Libraries
    • Attack Trees
    • Mitigating Techniques
    • SaaS Threat Modelling
    • Threat Models
    • Tools
    • Validating Threat Mitigations
  • Toggle search form
  • Loading Windows Event Logs to Elasticsearch Digital Forensics & Incident Response
  • Using the workflow taxonomy in MISP MISP - Open Source Threat Intelligence Platform
  • [Part 1] Building a Threat Integration and Testing Lab Build
  • Deploying (and using) TheHive4 [Part 1] Build
  • Using MISP in an air-gapped environment Design
  • Cuckoo Dynamic Malware Analysis Digital Forensics & Incident Response
  • Threat hunting with Elasticsearch and Kibana (Part 1) Digital Forensics & Incident Response
  • Exporting Maltego Graphs to MISP Intelligence

Security Orchestration with Shuffle.io

Posted on April 24, 2021 By A.McHugh No Comments on Security Orchestration with Shuffle.io

For this post I will be talking through the deployment and configuration of Shuffler.io in a self-hosted configuration.
Shuffler.io is a Security Orchestration Automation and Response (SOAR) platform which allows integrations with a number of OpenAPI services (two-way) to better expedite mundane and mandrolic tasks within a Security Operations Centre.

In this implementation, I will talking through the basics of installation and configuration, and some very basic testing through it’s interface.

System Requirements

For this build I will be using a VM with 2 vCPUs, 4GB RAM and a 16GB Ubuntu Server 18.04 installation.

Installation

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt-get install -y docker-ce docker-ce-cli containerd.io
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
git clone https://github.com/frikky/Shuffle
cd Shuffle
docker-compose up -d
Shuffle.io Docker Container Startup

As soon as docker has completed downloading and starting the containers, you should head over to the web interface pretty much straight-away and set the administrative username and password. If you are doing this on a live Internet accessible server, you may want to implement some form of IP whitelisting for incoming connections before commencing installation.

The first setup administration page will be found at http://yourservername:3001/adminsetup

Shuffle.io Initial Account Creation

There are no default logins for the first setup either, so whatever you set here will be the first account creation (also another reason why you should not do this on an Internet exposed system unless you have some other mitigations in place).

Initial Configuration

Now that the container is running, and you have access to Shuffle, initial configuration can commence. If you have supporting appliances such as MISP, Virustotal etc you should consider having your API keys and configuration handy as well.

All configuration of the individual API integrations are completed within the workflow creation screens which is where we will be heading next.

Creating your first workflow

Under the Workflows screen we are offered the option to create a New Workflow.

Creating your first Shuffle Workflow

For this initial workflow I will be capturing events from external IP addresses which are attempting exploits against webservices we are monitoring. The objective I am trying to achieve here is to determine if the host is a known malicious host, and if not, trigger a separate event to submit to external sources a new disclosure.

The most basic configuration I will build off, is a workflow which creates a Case within TheHive, adds the IP address to the case as an observable, and then begins triggering Analyzers from within Cortex.

Basic Shuffler Workflow to scan submitted IP addresses

When I run this workflow and provide it with an IP address from an interesting range (for this case I have fed Shuffler an IP address from a North Korean IP allocation), I should see a new case created, an observable added, and two executions for analyzers.

Payload Formatting

There are some fiddly bits to be aware of for your POST payloads, and you really need to sort out what that payload structure looks like. For this test I have used the following payload structure.

{"body":"<value>"}

When nodes within the workflow require the <value> in the payload, the variable can be accessed through $NODENAME.body, which can be mixed in with other data. An example of which can be seen in the CreateCase call for TheHive.

Passing values through to nodes for execution

Workflows

Workflows can be very become very complex, but I will be covering this in subsequent posts.

If you have an interest in Shuffle workflows, feel free to subscribe to the blog to get updates.

Related

Design Tags:shuffle, soar, workflows

Post navigation

Previous Post: Building a Cuckoo Malware Analysis Server
Next Post: Building Structured Threat Intelligence (STIX) from FBI notices

Related Posts

  • Using MISP in an air-gapped environment Design

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

18 − 8 =

Recent Posts

  • Auto-updating Ubuntu 20.04 in less than 2 minutes
  • Feeding Analysis Information Leak (AIL) Framework
  • An Introduction to Threat Intelligence
  • Deploying MISP on DigitalOcean or Vultr Cloud Hosting
  • Building CCCS’ AssemblyLine for Static Analysis

Search

Recent Posts

  • Auto-updating Ubuntu 20.04 in less than 2 minutes
  • Feeding Analysis Information Leak (AIL) Framework
  • An Introduction to Threat Intelligence
  • Deploying MISP on DigitalOcean or Vultr Cloud Hosting
  • Building CCCS’ AssemblyLine for Static Analysis

Archives

  • April 2022
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • September 2020
  • April 2020
  • March 2020
  • January 2020
  • May 2019
  • [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform Build
  • Feeding Analysis Information Leak (AIL) Framework AIL Framework
  • Using the Estimative Language Taxonomy in MISP MISP - Open Source Threat Intelligence Platform
  • Using MISP in an air-gapped environment Design
  • [Part 1] Building a Threat Integration and Testing Lab Build
  • OSINT for Missing Persons (Part 1 – Intro) Open-Source Intelligence
  • Building a parallel-analysis Cuckoo server Digital Forensics & Incident Response
  • Cuckoo Dynamic Malware Analysis Digital Forensics & Incident Response

Categories

  • AIL Framework
  • Blog
  • Build
  • Design
  • Digital Forensics & Incident Response
  • Frameworks
  • Intelligence
  • MISP – Open Source Threat Intelligence Platform
  • Open-Source Intelligence
  • Operate
  • Security Operations
  • Static Analysis
  • Threat Intelligence

Copyright © 2022 McHughSecurity.

Powered by PressBook News Dark theme