McHughSecurity
[Part 1] Building a Threat Integration and Testing Lab

Posted on April 28, 2021 By A.McHugh No Comments on [Part 1] Building a Threat Integration and Testing Lab
  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

For this and the subsequent articles in the series, I will walk through the installation, configuration, and integration of the components that make up an integrated threat and incident response lab. The primary purpose of the lab is to replay malicious attack data into a SIEM environment (both Splunk and Elastic will be used) and have those SIEMs generate appropriate alerts and actions for an analyst to work. In addition, both SIEMs will integrate MISP as a Threat Intelligence Platform, consuming enriched intelligence and storing and processing new intelligence generated in the lab.

Requirements

For this lab build, I will be deploying the following appliances in a local /24 subnet (assigned addresses in brackets):

  • Elastic Cloud Enterprise (On-Premises) [192.168.1.202]
  • Splunk Enterprise [192.168.1.204]
  • MISP (Threat Intelligence Sharing Platform) [192.168.1.201]
  • TheHive4 [192.168.1.200]
  • Cortex
  • AssemblyLine [192.168.1.205]
  • Cuckoo
  • Shuffle.io
  • Threat Event Playback

Once all of the above appliances have been built, they will be integrated with a further virtual machine that replays malicious Windows Event Logs (EVTX) to both the Splunk and Elastic SIEMs. The preconfigured and customized alerting in each SIEM will then trigger actions in MISP and TheHive4 for an analyst to respond to.
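One way to realise the replay step described above, as an added example rather than code from the original post: the script parses constructed EVTX-style XML records, shifts their timestamps so the sequence appears current while the gaps between events are preserved (so time-windowed correlation rules in either SIEM still fire), and builds the Splunk HEC and Elasticsearch _bulk payloads in memory. The host names, sourcetype and index name are assumptions, and nothing is transmitted.

```python
# Added example (not from the original post). Records below are constructed EVTX-style samples
# (a 4624 logon, then a 4688 process creation 90 s later); payloads are built in memory, not sent.
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SAMPLE_EVTX_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID>
<TimeCreated SystemTime="2021-03-01T10:00:00.000000Z"/><Computer>WKSTN01</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID>
<TimeCreated SystemTime="2021-03-01T10:01:30.000000Z"/><Computer>WKSTN01</Computer></System>
<EventData><Data Name="NewProcessName">C:\\Windows\\System32\\notepad.exe</Data></EventData></Event>
</Events>"""
# Constructed replay start for the stand-alone run; live use passes datetime.now(timezone.utc).
REPLAY_START = datetime(2024, 1, 1, tzinfo=timezone.utc)

def parse_events(xml_text):
    """Return records sorted by original time: event_id, computer, aware UTC time, data."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysm = ev.find("e:System", NS)
        ts = sysm.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
        events.append({"event_id": int(sysm.findtext("e:EventID", namespaces=NS)),
                       "computer": sysm.findtext("e:Computer", namespaces=NS),
                       "time": datetime.fromisoformat(ts),
                       "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}})
    return sorted(events, key=lambda e: e["time"])

def shift_to_now(events, now):
    """Land the first event at `now` and keep the original gaps, so time-windowed rules fire."""
    if not events:
        return []
    delta = now - events[0]["time"]
    return [dict(e, time=e["time"] + delta) for e in events]

def to_splunk_hec(events, sourcetype="WinEventLog:Security"):
    """Newline-delimited HEC JSON; `time` is epoch seconds so Splunk indexes the shifted time."""
    return "\n".join(json.dumps({"time": e["time"].timestamp(), "host": e["computer"],
                                 "sourcetype": sourcetype,
                                 "event": {"EventCode": e["event_id"], **e["data"]}}) for e in events)

def to_elastic_bulk(events, index="winlogbeat-replay"):
    """_bulk body: an index action line, then an ECS-style document, per event."""
    lines = []
    for e in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps({"@timestamp": e["time"].isoformat(), "host": {"name": e["computer"]},
                                 "event": {"code": str(e["event_id"])}, "winlog": {"event_data": e["data"]}}))
    return "\n".join(lines) + "\n"
```

The HEC string posts to `/services/collector/event` and the bulk string to `/_bulk`; only the transport and authentication need adding for a live lab.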

Theory of Operations

The full configuration of the environment is rather complex to explain. Where possible I am consolidating appliances to conserve resources; in other cases I run two appliances in parallel so that the integrations can be kept truly separate.

A diagram of what I am proposing to build is shown below. As you can see, there are two instances of TheHive; this is by design, as there are a couple of different integration options for MISP and Cortex that may need to be kept separate to prove each integration properly.

Figure: Environment Theory of Operations

Copyright © 2022 McHughSecurity.