If you are like me and deploy lots of small instances of VMs all over the place for various functions, you will find applying updates to them all consistently and in a responsive manner a logistical issue. Fortunately, there is an auto-update function within Ubuntu which can be configured in a few minutes.
Read More “Auto-updating Ubuntu 20.04 in less than 2 minutes” »
Deploying an incident response platform on the open internet is not always a good idea. For whatever reason you choose to do so, there are some things you need to do before going live with TheHive and Cortex.
In this post, I talk about hardening TheHive and Cortex for an Internet-accessible deployment. This includes the application of TLS v1.2+ and the configuration of multi-factor authentication. Cortex can be further hardened through IP whitelisting, and even walled gardens implemented through Cloudflare.
Read More “Hardening TheHive4 and Cortex for public deployment” »
MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.
Within a well structured SIEM environment, a Threat Intelligence Platform may allow an organisation to generate new intelligence relevant to the organisation, and it may allow for the ingestion of external intelligence sources.
As a bake off for the Threat Lab and Incident Response capabilities, we will also be installing Splunk Enterprise. This will be in the 30 day trial mode, so it would be advisable to seek advice from your Splunk sales representative prior to using this installation in a production environment.
Read More “[Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise” »
You can potentially use a Cloud-hosted instance of Elastic Cloud Enterprise, however since I am trying to avoid putting this environment on the Internet, I will be building ECE in my home lab environment.
For this article and subsequent articles, I will be talking through the installation, configuration, and integration components in building an integrated threat and incident response lab. The primary purpose of this lab is to be able to replay malicious attack data into a SIEM environment (Splunk and Elastic will be used) and then generate appropriate alerts and actions within those SIEMs for an analyst to action. In addition, both SIEMS will be integrating MISP as a Threat Intelligence Platform to consume enriched intelligence and store and process newly generated intelligence from the lab.
Read More “[Part 1] Building a Threat Integration and Testing Lab” »
For this post I will be talking through the deployment and configuration of Shuffler.io in a self-hosted configuration.
Shuffler.io is a Security Orchestration Automation and Response (SOAR) platform which allows integrations with a number of OpenAPI services (two-way) to better expedite mundane and mandrolic tasks within a Security Operations Centre.
In this implementation, I will talking through the basics of installation and configuration, and some very basic testing through it’s interface.
MISP works really well in an internet connected environment in gathering and creating correlations. However, in air-gapped environments the ability to query MISP for indicators is still incredibly useful, except that an air-gapped environment doesn’t ordinarilly have an Internet connection.
In this article I describe how MISP may be used in an Internet denied environment by leveraging off an existing Internet-connected instance.
Every few months, StrangeBee puts out an update to TheHive (Security Incident Response Platform). This month they have added Elasticsearch as an index engine to alleviate issues with using Cassandra, and they have integrated support for MISP galaxies as well!
Now Incident Responders using TheHive can export IOCs and Galaxy assignment directly from TheHive to MISP.
Read More “TheHive 4.1.0 Deployment and Integration with MISP” »
Whilst I am a big fan of free open source solutions, I am going to bend my preference here a bit for the Elastic Cloud solution functioning as a SIEM.
Read More “Implementing Elastic Cloud and using Elastic Security” »