Netmux’s Operator Handbook is 436 pages of infosec technology references with a seemingly never ending list of acknowledgements and contributors. I also love that there’s a section dedicated to Health & Wellness right at the start of the book. It’s a timely reminder that life will take everything that you give to it and more but our mental health needs to be looked after. The common signs and symptoms to look out for are put to paper, and more importantly details on how to get help and build a support system which is relevant for you, colleagues, friends, family and loved ones.
TheHive dashboards, while they are great at showing data counts and displaying then as graphs, there is one feature that was lacking in that it cant display a data table of what those cases are. So while you can build a dashboard to get a snapshot of where your team is at, you can’t see what cases and task that are in play. While there is an open issue to add this functionality, I thought i’d try something a little different with TheHive to fill that gap, and export the case and task data into a Splunk kvstore and build it out that way.
Recently I purchased a few infosec books, one of them being the Defensive Security Handbook written by Lee Brotherston & Amanda Berlin. While this book was written back in April 2017, the information contained within is still very relevant today and will give the reader a sound footing when it comes to what you need to have as a secure baseline in your environment. There are 21 chapters that can be read from cover to cover, or each in isolation.
With my Java issue sorted out now, here are the steps to upgrade TheHive from RC1 to RC2. This is a dirty upgrade, but since TheHive is still in Release Candidate status, we can get away with upgrading like this. Ordinarily you should ensure that you have your system backed up in case there are breaking changes. Stop TheHive service sudo service thehive stop Update apt repositories and upgrade May as well apply all the security updates while I am at it.
I was so excited at the thought of all the cool new features that have popped up in TheHive v4.0.0-RC2 that I went straight onto my lab to give it a spin. Little did I know that my system was broken before I even started and I spent the best part of a few hours trying to figure out what exactly happened. For a brief moment I did consider burning the lab down and just rebuilding it, but I asked myself what would happen if this were a prod system?
Docker is something that i’ve not fully embraced to date, I know, I know… I’m a little late off the mark, but as I get to know Docker more, I can see that it has some worthwhile advantages for me in some of the projects I use and generally getting to know technology is never a bad thing. For instance, why spin up a single server for a service that only has 1 of the 65535 ports used when 99% of the time that server will most likely be idle.
Well this one was a bit of a learning experience for me. You see I have dabbled in the past with Traefik which seems to fit naturally when it comes to reverse proxy and Docker, but my efforts have come up short in the past through no fault but my own. Perhaps it was the fact I was trying to run before I could even crawl. Not to worry though.
While im still getting myself familiar with OpenCTI and building out an actor profile, I thought I’d link it up with my MISP instance. OpenCTI provides a connector to do this which will require an update to the docker-compose.yml file and an update of the stack. If you have been following along, this post is a continuation of Installing OpenCTI. To add the MISP connector, login to Portainer and select Stacks, opencti.
OpenCTI is an open source Cyber Threat Intelligence platform that provides a powerful knowledge management database for storing, organising and sharing knowledge about cyber threats and uses the STIX2 schema for it structure. It has been designed for CTI analysts. The platform is built on Modern technologies of Grakn, GraphQL, Elastic, RabbitMQ, Redis and React. The project is available as a docker image which make installation simple. While I’m probably not going to do the best job of talking up the full feature set of this platform, you can view more about it on their website and github page.
This post is a continuation of TheHive v4 RC1 in that I am providing the instructions to add Internal Authentication to Cassandra as well as a reverse proxy so we can connect back to TheHive with https. Add Internal Authentication to Cassandra It is recommended that you don’t allow access to the cqlsh unless there is some sort of authentication mechanism attached to it. There are too many horror stories of databases being dumped, and the internal authentication will make it that little bit harder to access from the cqlsh shell.
TheHive version 4 RC1, it’s here, its been here for a solid few weeks and I’m only just getting around to checking it out now. The new update looks to include a few nice features and a welcome back end technology refresh which should keep the platform in support for a good while yet. At this stage, I would not suggest attempting to either upgrade your existing version 3 installations to version 4, or run a clean install as your main case management production system if you’re just starting out, but get to know this version by spinning up a new virtual machine because when the time comes around, you will give yourself a good leg up.
I’ve been a little absent of late. I’ve been quite busy at home having to get a few last minute things, like additional landscaping, pressure cleaning concrete, putting together flat pack furniture for my house in preparation for sale. Which brings me to why I’m writing this this post. I am a huge UniFi fan having multiple devices in my home network installation which have been flawless since installation. A few of those components include a CloudKey controller and a number of UniFi Protect cameras which naturally became a bit of a selling point for the house.