
SANS DFIR SUMMIT PRAGUE / 2017-10-08 TLP:WHITE

THEHIVE, CORTEX & MISP


UNSHACKLING CTI AND DFIR

Saâd Kadhi

TheHive Project Leader
WHAT’S WRONG?

OBSERVATIONS
STATING THE OBVIOUS…

CTI cycle: Detect → React → Recover → Share → Prevent, with continuous improvement

Drive down the time to react

▸ Pressures: fast-paced threat landscape, high number of security events, complexity, talent shortage, limited money & time

▸ Levers: automation, collaboration
FACTS

▸ Threat Intelligence, Digital Forensics, Incident Response = team work

▸ We shall seek to drive these activities and continuously improve them

▸ Thanks to operational, meaningful statistics


SHARING IS CARING / MY DETECTION IS YOUR PREVENTION / …

▸ Investigation performed, IOCs collected and proper response done (Detect → React → Recover)

▸ Is it time to rest? No

▸ Some if not all IOCs should be shared (Share)

▸ They might prove useful to peers for defending themselves

▸ Hopefully, they will come up with complementary IOCs that were unbeknownst to us
LEARNING FROM BEES
▸ Security Incident Response Platform (SIRP)

▸ Collaboration

▸ Task & work log

▸ Analysis and IOC storage

▸ Authentication: LDAP, Active Directory, API keys & local accounts

▸ Used by several cybersecurity teams throughout the world


CORTEX

▸ Query analyzers through a Web UI to quickly assess the malicious nature of observables

▸ Automate bulk observable analysis

▸ Analyzers can be developed in any programming language that is supported by Linux

▸ Invoke MISP expansion modules

▸ Can be queried from MISP to enrich events
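The "any language supported by Linux" point rests on the analyzer contract being a plain process exchange. The following is an added example written for this page, not code from the TheHive Project: a minimal analyzer that checks an observable against a local deny list. It assumes the stdin/stdout contract that cortexutils implemented at the time (a JSON job with `data`, `dataType`, `tlp` on stdin; a JSON report with `success`, `summary`, `full`, `artifacts`, or `success: false` plus `errorMessage`, on stdout). The taxonomy shape of `summary` and the deny list itself are assumptions, not facts from the page.

```python
import ipaddress
import json
import sys

# Constructed sample data standing in for a local deny list (not from the page).
DENY_LIST = {
    "ip": {"203.0.113.7": "scanner", "198.51.100.23": "c2"},
    "domain": {"bad.example": "phishing"},
}

# Highest TLP this analyzer accepts (TLP:AMBER = 2). An analyzer that forwards
# observables to a third-party service should refuse TLP:RED (3) input.
MAX_TLP = 2


def error(message):
    """Failure report: Cortex marks the job as failed and shows the message."""
    return {"success": False, "errorMessage": message}


def analyze(job):
    """Return the report dict for one job description; never raises."""
    data_type = job.get("dataType")
    data = job.get("data")
    tlp = job.get("tlp", 2)

    if data_type not in DENY_LIST:
        return error("unsupported dataType: %r" % data_type)
    if not isinstance(data, str) or not data:
        return error("missing observable data")
    if tlp > MAX_TLP:
        return error("observable TLP %d exceeds analyzer limit %d" % (tlp, MAX_TLP))
    if data_type == "ip":
        try:
            ipaddress.ip_address(data)  # reject garbage before any lookup
        except ValueError:
            return error("invalid IP address: %r" % data)

    category = DENY_LIST[data_type].get(data.lower())
    level = "malicious" if category else "safe"
    return {
        "success": True,
        # Assumed summary shape (taxonomies) for TheHive's observable view;
        # adjust to the Cortex version in use.
        "summary": {"taxonomies": [{
            "namespace": "LocalDenyList", "predicate": "Match",
            "level": level, "value": category or "none"}]},
        "full": {"observable": data, "dataType": data_type,
                 "listed": category is not None, "category": category},
        "artifacts": [],  # no derived observables are extracted here
    }


def main():
    """Entry point when launched by Cortex: JSON job on stdin, report on stdout."""
    try:
        job = json.load(sys.stdin)
    except ValueError as exc:
        json.dump(error("invalid job input: %s" % exc), sys.stdout)
        return 1
    report = analyze(job)
    json.dump(report, sys.stdout)
    return 0 if report["success"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

The point a practitioner should take from this: validate `dataType` and the observable before doing anything with it, and enforce a TLP ceiling in the analyzer itself, because Cortex runs whatever the job hands it and the analyzer is the last place a TLP:RED indicator can be stopped from leaving the organisation.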


ARCHITECTURE

▸ Frontend ↔ Backend over HTTP REST APIs; Backend ↔ Cortex over HTTP REST APIs; Cortex runs the analyzers

▸ Backend: storage, workflow, audit

▸ TheHive data model: Case, Case Template, Alert / MISP event, Task, Task Log, Observable, Analysis Job, Report, Report Template, User

▸ Cortex data model: Analyzer, Job, Report
▸ Alert sources (SIEM, email, …) and alert feeders raise alerts in TheHive (Security Incident Response Platform)

▸ TheHive analyzes observables through Cortex (Observable Analysis Engine)

▸ TheHive exports cases to and polls events from MISP (Threat Sharing Platform)

▸ Cortex enriches MISP events and provides additional analyzers; Cortex invokes MISP expansion modules and searches observables within MISP events
27 ANALYZERS (AND COUNTING)

Abuse Finder, BlueCoat, CERT.at PDNS, CIRCL PDNS, CIRCL PSSL, Cuckoo, DNSDB, DomainTools, FAME, FileInfo, FireEye AX, FireHOL, FortiGuard URL Category, Google Safe Browsing, Hippocampe, Hybrid Analysis, IRMA, Joe Sandbox, MaxMind, McAfee ATD, MISP Search, Nessus, OTXQuery, Outlook MSG Parser, PassiveTotal, Phishing Initiative, PhishTank, Splunk Search, VirusShare, VirusTotal, VMRay, WhoisXMLAPI, WOT, Yara, Yeti

MAIN FEATURES / RECAP

▸ Import from and export to multiple MISP instances

▸ Preview alerts from multiple sources (SIEM, IDS, email…)

▸ Analyze observables through several Cortex instances

▸ Leverage statistics to drive the activity

▸ Use webhooks to open tickets in IT ticketing systems

▸ Work as a team thanks to the real-time stream


ADDITIONAL SOFTWARE

▸ TheHive4Py - Python lib to create alerts/cases from multiple sources

▸ Splunk App - create alerts out of Splunk. dev. by Miles Neff

▸ Elastalert Hive Alerter - use a custom Elastalert Alert to create alerts. contributed by Nclose

▸ Cortex4py - Python lib to submit observables in bulk mode through the Cortex REST API from alternative SIRP platforms & custom scripts
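What the TheHive4Py, Splunk and Elastalert feeders have in common is mapping an event from some source onto TheHive's alert model. The following is an added example written for this page, not TheHive4Py or any of the feeders above: it builds the body of `POST /api/alert` directly from a SIEM event and derives `sourceRef` from the event id so that re-sending the same event does not open a second alert. The alert fields used (`title`, `description`, `type`, `source`, `sourceRef`, `severity`, `tlp`, `artifacts` with `dataType`/`data`) and the Bearer API-key header are TheHive's REST conventions; the SIEM event, the field-to-dataType mapping and the local URL are constructed assumptions.

```python
import hashlib
import json
import urllib.request

# Constructed sample SIEM event (not from the page).
SAMPLE_EVENT = {
    "id": "SIEM-2017-10-08-000042",
    "rule": "Outbound connection to known C2",
    "severity": "high",
    "src_ip": "10.0.0.15",
    "dst_ip": "198.51.100.23",
    "dst_domain": "bad.example",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# SIEM severity label -> TheHive severity (1 low, 2 medium, 3 high).
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Assumed mapping of SIEM fields to TheHive observable dataTypes.
ARTIFACT_FIELDS = (
    ("src_ip", "ip"), ("dst_ip", "ip"), ("dst_domain", "domain"), ("sha256", "hash"),
)


def source_ref(source, event_id):
    """Stable reference derived from the SIEM event id.

    TheHive keys alerts on (source, sourceRef): sending the same event twice
    produces the same reference and is refused as a duplicate instead of
    creating a second alert for analysts to triage."""
    return hashlib.sha256(("%s:%s" % (source, event_id)).encode()).hexdigest()[:16]


def build_alert(event, source="siem"):
    """Map a SIEM event to the JSON body of POST /api/alert."""
    artifacts = [
        {"dataType": dtype, "data": event[field], "tlp": 2,
         "message": "from SIEM field %s" % field}
        for field, dtype in ARTIFACT_FIELDS if event.get(field)
    ]
    return {
        "title": "%s (%s)" % (event["rule"], event["id"]),
        "description": "SIEM rule %r fired for event %s" % (event["rule"], event["id"]),
        "type": "siem-rule",
        "source": source,
        "sourceRef": source_ref(source, event["id"]),
        "severity": SEVERITY.get(event.get("severity", "medium"), 2),
        "tlp": 2,
        "artifacts": artifacts,
    }


def post_alert(base_url, api_key, alert, opener=urllib.request.urlopen):
    """Send the alert; `opener` is injectable so the call can be exercised offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": "Bearer " + api_key,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Assumed local TheHive URL and a placeholder API key (not from the page).
    print(json.dumps(post_alert("http://localhost:9000", "CHANGEME",
                                build_alert(SAMPLE_EVENT)), indent=2))
```

Keep the API key out of the script in practice (environment variable or a secrets store) and use a dedicated feeder account with alert-creation rights only; the feeder never needs to read or modify cases.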
SHOW TIME?

Demo screenshots: main view, live stream, alert panel, case view, log view, observable view, statistics, Cortex

USE IT

USE CASES

▸ Alert sources feeding TheHive: email reports, MISP 1 (CIRCL), MISP 2, SIEM, social media monitor, threat intel provider

▸ Analyzers (Cortex): Abuse Finder, VirusTotal, PassiveTotal, MaxMind, DomainTools, Cuckoo Sandbox, Phishing Initiative, Hippocampe, PhishTank, OTXQuery, DNSDB, Joe Sandbox, MISP Search, CIRCL PDNS, CIRCL PSSL, URLCategory, MSG Parser, Google Safe Browsing, FileInfo, Yara, Nessus, Yeti
GET THE SOFTWARE

Training VM available

▸ TheHive, Cortex and MISP are available under a free, open source AGPL license

▸ TheHive and Cortex can be installed using RPM, DEB, Docker image, binary package or built from the source code

▸ Linux with JRE 8+, Chrome, Firefox, IE (11), and a decent computer

▸ https://thehive-project.org/

▸ https://misp-project.org/
QUESTIONS?

THEHIVE PROJECT

CORE TEAM

NABIL ADOUANI, THOMAS FRANCO, SAÂD KADHI, JÉRÔME LEONARD

CONTRIBUTORS

CERT-BDF, CERT-BUND, RÉMI POINTEL, MILES NEFF, GUILLAUME ROUSSE, ERIC CAPUANO, MEHDI ASCHY, ANTOINE BRODIN, NICK PRATLEY
