McHughSecurity


Category: Build

Hardening TheHive4 and Cortex for public deployment

Posted on June 18, 2021 by A.McHugh

Deploying an incident response platform on the open Internet is rarely a good idea. If you decide to do so anyway, there are some things you need to do before going live with TheHive and Cortex.

In this post, I talk about hardening TheHive and Cortex for an Internet-accessible deployment. This includes enforcing TLS 1.2 or later and configuring multi-factor authentication. Cortex can be further hardened through IP whitelisting, or even a walled garden implemented through Cloudflare.
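As an added example (not configuration from the original post or from the TheHive project), the following nginx reverse-proxy configuration places the TLS and IP-restriction controls mentioned above in front of TheHive and Cortex. It assumes TheHive listens on 127.0.0.1:9000 and Cortex on 127.0.0.1:9001 (their default HTTP ports), the hostnames hive.example.com and cortex.example.com, certificate paths under /etc/letsencrypt, and the allowlisted addresses shown; all of these are placeholders to replace. The weak protocol setting is shown commented out beside the hardened one.

```nginx
# Added example: nginx in front of TheHive (9000) and Cortex (9001).
# Hostnames, ports, certificate paths and addresses are assumptions.

# Redirect all plaintext traffic to HTTPS.
server {
    listen 80;
    server_name hive.example.com cortex.example.com;
    return 301 https://$host$request_uri;
}

# TheHive: TLS 1.2+ only, HSTS, proxied to the local listener.
server {
    listen 443 ssl http2;
    server_name hive.example.com;

    ssl_certificate     /etc/letsencrypt/live/hive.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hive.example.com/privkey.pem;

    # Weak: still negotiates TLS 1.0/1.1 with old clients.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: TLS 1.2 or later only, AEAD ciphers with forward secrecy.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # TheHive's stream endpoint holds connections open; keep timeouts generous.
        proxy_read_timeout 3600s;
        # Observable and attachment uploads can be large.
        client_max_body_size 2G;
    }
}

# Cortex: same TLS settings, plus an IP allowlist so only the TheHive
# host and the analyst network can reach it. Everything else gets 403.
server {
    listen 443 ssl http2;
    server_name cortex.example.com;

    ssl_certificate     /etc/letsencrypt/live/cortex.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cortex.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Allowlist (assumed addresses): the TheHive server and an analyst range.
    allow 203.0.113.10;
    allow 198.51.100.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:9001;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 3600s;
    }
}
```

Validate with `nginx -t`, then confirm the downgrade is refused with `openssl s_client -connect hive.example.com:443 -tls1_1`, which should fail to handshake. Two caveats: `allow`/`deny` act on the address nginx sees, so if Cloudflare sits in front you must allowlist Cloudflare's published ranges and enable `real_ip_header CF-Connecting-IP` with the `ngx_http_realip_module` before the allowlist means anything; and multi-factor authentication is configured inside TheHive itself, not at the proxy, so this fragment covers only the transport and network-exposure controls.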


Categories: Build, Digital Forensics & Incident Response

[Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

Posted on June 18, 2021 by A.McHugh
  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

MISP is a threat intelligence platform for sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information.

Within a well-structured SIEM environment, a threat intelligence platform lets an organisation ingest external intelligence sources and generate new intelligence relevant to itself.


Categories: Build

[Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise

Posted on April 28, 2021 by A.McHugh
  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

As a bake-off between SIEMs for the threat lab and incident response capabilities, we will also install Splunk Enterprise. It will run in 30-day trial mode, so seek advice from your Splunk sales representative before using this installation in a production environment.


Categories: Build

[Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)

Posted on April 28, 2021 by A.McHugh
  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

You could use a cloud-hosted instance of Elastic Cloud Enterprise; however, since I am trying to avoid putting this environment on the Internet, I will be building ECE in my home lab.


Categories: Build

[Part 1] Building a Threat Integration and Testing Lab

Posted on April 28, 2021 by A.McHugh
  1. [Part 1] Building a Threat Integration and Testing Lab
  2. [Part 2] Building a Threat Integration and Testing Lab – Elastic Cloud Enterprise (On-Premises)
  3. [Part 3] Building a Threat Integration and Testing Lab – Splunk Enterprise
  4. [Part 4] Building a Threat Integration and Testing Lab – MISP Threat Intelligence Sharing Platform

In this article and those that follow, I will walk through the installation, configuration and integration work involved in building an integrated threat and incident response lab. The primary purpose of the lab is to replay malicious attack data into a SIEM environment (both Splunk and Elastic will be used) and then generate appropriate alerts and actions within those SIEMs for an analyst to act on. In addition, both SIEMs will integrate with MISP as a threat intelligence platform, consuming enriched intelligence and storing and processing new intelligence generated in the lab.


Categories: Build

TheHive 4.1.0 Deployment and Integration with MISP

Posted on March 20, 2021 by A.McHugh
  1. Deploying (and using) TheHive4 [Part 1]
  2. Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
  3. Building the Assemblyline Analyzer for TheHive’s Cortex.
  4. TheHive 4.1.0 Deployment and Integration with MISP

Every few months, StrangeBee puts out an update to TheHive (Security Incident Response Platform). This release adds Elasticsearch as an index engine, to alleviate issues seen with the Cassandra-backed deployment, and integrates support for MISP galaxies.

Incident responders using TheHive can now export IOCs and galaxy assignments directly from TheHive to MISP.


Categories: Build, Digital Forensics & Incident Response

Implementing Elastic Cloud and using Elastic Security

Posted on March 14, 2021 by A.McHugh

Whilst I am a big fan of free, open-source solutions, I am going to bend my preference a little here for the Elastic Cloud solution functioning as a SIEM.


Categories: Build

Deploying (and using) TheHive4 [Part 1]

Posted on April 5, 2020 by A.McHugh
  1. Deploying (and using) TheHive4 [Part 1]
  2. Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
  3. Building the Assemblyline Analyzer for TheHive’s Cortex.
  4. TheHive 4.1.0 Deployment and Integration with MISP

I have been an on-and-off user of TheHive for nearly a year now, and it is encouraging to see the development and release of TheHive4 (even if only in pre-release). In this post I will walk through the deployment, configuration and migration from TheHive to TheHive4, and the improvements implemented in this release.


Categories: Build

Building a Cuckoo Sandbox

Posted on May 28, 2019 by A.McHugh

Sometimes there is a need to analyse files in a live environment when their composition and provenance are not entirely certain. For the most part we can rely on anti-virus signatures and heuristics to detect potentially malicious files, but what about files that have not yet been identified, or that have been specifically crafted for your organisation as a targeted attack?

Note: I have updated this article to reflect the current installation requirements for Cuckoo on Ubuntu 18.04 (as at 22nd Feb 2021).


Categories: Build, Digital Forensics & Incident Response

Copyright © 2022 McHughSecurity.
