Category: Digital Forensics & Incident Response

Hardening TheHive4 and Cortex for public deployment

Posted on By McHughSecurity 1 Comment on Hardening TheHive4 and Cortex for public deployment

Deploying an incident response platform on the open internet is not always a good idea. For whatever reason you choose to do so, there are some things you need to do before going live with TheHive and Cortex.

In this post, I talk about hardening TheHive and Cortex for an Internet-accessible deployment. This includes the application of TLS v1.2+ and the configuration of multi-factor authentication. Cortex can be further hardened through IP whitelisting, and even walled gardens implemented through Cloudflare.

Read More “Hardening TheHive4 and Cortex for public deployment” »

Build, Digital Forensics & Incident Response

Building a Cuckoo Malware Analysis Server

Posted on By Adam McHugh No Comments on Building a Cuckoo Malware Analysis Server

I have written this guide a few times in the past, but here is a revised version with some notable inclusions based on more recent experiences with Cuckoo. I have some Github repositories too which aim to expedite the process, but have a read nonetheless and see just how easy and quick it can be…

Read More “Building a Cuckoo Malware Analysis Server” »

Digital Forensics & Incident Response

TheHive 4.1.0 Deployment and Integration with MISP

Posted on By McHughSecurity 14 Comments on TheHive 4.1.0 Deployment and Integration with MISP
  1. Deploying (and using) TheHive4 [Part 1]
  2. Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
  3. Building the Assemblyline Analyzer for TheHive’s Cortex.
  4. TheHive 4.1.0 Deployment and Integration with MISP

Every few months, StrangeBee puts out an update to TheHive (Security Incident Response Platform). This month they have added Elasticsearch as an index engine to alleviate issues with using Cassandra, and they have integrated support for MISP galaxies as well!

Now Incident Responders using TheHive can export IOCs and Galaxy assignment directly from TheHive to MISP.

Read More “TheHive 4.1.0 Deployment and Integration with MISP” »

Build, Digital Forensics & Incident Response

Building the Assemblyline Analyzer for TheHive’s Cortex.

Posted on By McHughSecurity No Comments on Building the Assemblyline Analyzer for TheHive’s Cortex.
  1. Deploying (and using) TheHive4 [Part 1]
  2. Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
  3. Building the Assemblyline Analyzer for TheHive’s Cortex.
  4. TheHive 4.1.0 Deployment and Integration with MISP

Static analysis for me has become more fun with the inclusion of Assemblyline into my arsenal. But the lack of integration between other elements of my FOSS SOC stack was concerning.

In this post I detail not only how to write a Cortex Analyzer, but also how to integrate with other appliances with that analyzer.

Read More “Building the Assemblyline Analyzer for TheHive’s Cortex.” »

Digital Forensics & Incident Response

Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.

Posted on By McHughSecurity 10 Comments on Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
  1. Deploying (and using) TheHive4 [Part 1]
  2. Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
  3. Building the Assemblyline Analyzer for TheHive’s Cortex.
  4. TheHive 4.1.0 Deployment and Integration with MISP

Since the last write up I published on TheHive, there have been some significant changes and updates to TheHive. So for this post I will be walking through the installation and deployment of TheHive4 (4.0.5) and the connection to MISP, Cortex and enabling Webhooks.

Read More “Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.” »

Digital Forensics & Incident Response

Building a parallel-analysis Cuckoo server

Posted on By Adam McHugh No Comments on Building a parallel-analysis Cuckoo server

Cuckoo’s dynamic malware analysis platform is pretty good out of the box. But how can we scale it to allow parallel processing of samples, particuarly where Cuckoo is part of a process driven analysis workflow? In this article we discuss parallel processing for Cuckoo with 5x Windows 7 VMs.

Digital Forensics & Incident Response

Cuckoo Dynamic Malware Analysis

Posted on By McHughSecurity 1 Comment on Cuckoo Dynamic Malware Analysis

Cuckoo is an automated dynamic malware analysis platform which allows for the analysis of submitted artefacts within a range of custom configured guest operating systems.

Analysis environments may be created for Windows, Linux, MacOS and Android, with all manner of filetypes able to be analyzed through the Cuckoo platform. Including, executables, office documents, pdf files, emails, and even hands-on execution of malware with network connections able to be routed through Tor.

Read More “Cuckoo Dynamic Malware Analysis” »

Digital Forensics & Incident Response

External Analysis with VirusTotal

Posted on By McHughSecurity 1 Comment on External Analysis with VirusTotal

VirusTotal is a subsidiary of Alphabet Inc. (which is also the parent company of Google). The service offers static and dynamic artefact analysis through a combination of free and paid tiers of access, as well as access to broader intelligence harvested from submissions and their own honeypots.

The Virustotal service is quite popular amongst the Information Security profession in performing quick analysis of artefacts, however there are some drawbacks and other aspects to consider before implementing VirusTotal as part of your DFIR stack of tools.

Read More “External Analysis with VirusTotal” »

Digital Forensics & Incident Response

Threat hunting with Elasticsearch and Kibana (Part 1)

Posted on By Adam McHugh No Comments on Threat hunting with Elasticsearch and Kibana (Part 1)

As part of my final Masters degree research component I have been collecting data from honeypots which I have seeded around the globe. The objective being to distil this data in to organisational threat data based on a fictitious business.

Part of the complication I am going to start facing, is how to how Elasticsearch and Kibana to find specific information for me from this live data set.

Previously I have indicated that a data set exists which was produced by the Canadian Institute for Cybersecurity, called IDS 2018, which contains Windows Event Logs and PCAP files relating to a set of simulated attacks generated for the purposes of teaching people how to hunt within similar datasets.

Here I will be discussing the deployment, configuration and interaction with this data set to achieve the outcome required.

Read More “Threat hunting with Elasticsearch and Kibana (Part 1)” »

Digital Forensics & Incident Response, Security Operations, Threat Intelligence

Loading Windows Event Logs to Elasticsearch

Posted on By Adam McHugh No Comments on Loading Windows Event Logs to Elasticsearch

So whilst playing through an element of Kringlecon 2019 I came across a task which didn’t really suit my Christmas challenge of going to Linux full-time. One such challenge involved a Windows Event Log file with no ready access to a Linux derivitive of Event Viewer. My Kali laptop for my Christmas challenge was already…

Read More “Loading Windows Event Logs to Elasticsearch” »

Digital Forensics & Incident Response, Operate
%d bloggers like this: