Whilst I am a big fan of free open source solutions, I am going to bend my preference here a bit for the Elastic Cloud solution functioning as a SIEM.
- Deploying (and using) TheHive4 [Part 1]
- Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
- Building the Assemblyline Analyzer for TheHive’s Cortex.
- TheHive 4.1.0 Deployment and Integration with MISP
Since the last write up I published on TheHive, there have been some significant changes and updates to TheHive. So for this post I will be walking through the installation and deployment of TheHive4 (4.0.5) and the connection to MISP, Cortex and enabling Webhooks.
Cuckoo’s dynamic malware analysis platform is pretty good out of the box. But how can we scale it to allow parallel processing of samples, particularly where Cuckoo is part of a process-driven analysis workflow? In this article we discuss parallel processing for Cuckoo with 5x Windows 7 VMs.
Cuckoo is an automated dynamic malware analysis platform which allows for the analysis of submitted artefacts within a range of custom configured guest operating systems.
Analysis environments may be created for Windows, Linux, macOS and Android, with all manner of file types able to be analyzed through the Cuckoo platform, including executables, Office documents, PDF files, and emails. It even supports hands-on execution of malware, with network connections able to be routed through Tor.
VirusTotal is a subsidiary of Alphabet Inc. (which is also the parent company of Google). The service offers static and dynamic artefact analysis through a combination of free and paid tiers of access, as well as access to broader intelligence harvested from submissions and their own honeypots.
The VirusTotal service is quite popular amongst Information Security professionals for performing quick analysis of artefacts. However, there are some drawbacks and other aspects to consider before implementing VirusTotal as part of your DFIR stack of tools.
MISP is certainly intended to be used like this; however, with some creativity and some technical effort, the MISP Threat Intelligence Platform could be utilized as a missing persons intelligence database.
In this post, I will discuss a methodology for using MISP as the Intelligence Platform, and more traditional applications such as Maltego (and some custom transforms) to collect, enrich, and manage your intelligence.
Lately I have been playing with having MISP be the Intelligence Sharing platform for a number of business intelligence functions. However, the main issue with MISP (from a user’s perspective) is the interface, and how a less technical person would generate information for the platform.
This is where pairing MISP and Maltego together goes really well, and even results in less technical people being able to generate technical data for incorporation into intelligence operations.
Intelligence is the enrichment of data or information, its classification and publication by experts within a field. The resultant output is ordinarily a qualitative assessment backed by quantitative metrics, or absolutes which formed part of the data or information it was derived from.
In terms of Cyber Threat Intelligence, this goes beyond the extraction of IOCs, strings, and the generation of cryptographic hashes, and fuzzy hashing – this is the correlation of events, actors, methods, and motives to generate Threat Intelligence which aims to describe the objectives, motives, capability and perhaps the identity of a threat actor.
Over the last few months I have been working away on several work tasks which have had me hunting for threats within an immensely complex environment. Part of this hunt has involved the analysis and selection of threat feeds for incorporation into other tools to hunt known bad indicators. In this post I will be talking through the deployment of MISP to enable aggregation of threat indicators, and the generation of exports which may be ingested into other platforms.
I have posted before on participating in other TraceLabs events (such as the Australian Federal Police Missing Persons Hackathon), so here goes a brief recounting of my experiences with a US missing persons event.