Cortex 3.0.1: The better logging edition has now been released. I am quite surprised that the developers were able to get a point upgrade out while they are working on the new major release of TheHive, but I welcome it as it brings a number of fixes and enhancements which you can read about on TheHive project Blog. Some of the bug fixes will make my life easier, as some logging issues have been corrected, which will make testing and developing responders for Cortex less painful.
Well, what a write-off of a year so far. Over the Xmas break, I wasn't able to get in as many hikes as I would have liked due to the terrible fires we have had over the last few months. Given the air quality has been rated as hazardous, I've erred on the side of caution, not wanting to fill my lungs with it. I was, however, able to write up the 3 that I did.
I've blogged quite a bit about TheHive and Cortex to date, so much so that the wonderful people over at TheHive-project have added this blog to the Blogs & Articles section of TheHive's curated Awesome List. It seems the more I write, the more I realise how much more there is to write about this stack's ability and feature set. Throughout the course of the last year, I wrote a 12 part series about standing up TheHive, MISP and Cortex, detailing my experiences in how to install, integrate and upgrade each of them.
For the last 4 years on New Year's Day, I like to start the year off right: get up nice and early and take a drive out to Healesville to hike up Mt Riddell. Not sure how, why or when I decided that this was going to be a tradition, but I'd completed it a few times in the past and it's kinda stuck now. New Year's Day 2020 wasn't going to stop that.
Our local council has been quite busy over the years preparing a new 40km trail that is designed to connect with other trails in our area. The concept for this trail went back to before the Black Saturday fires in 2009, when parts of the old bridges were destroyed by fire and the project seemed to stall as a result. Recently stage 1A was opened, which is a 7.5km trail from Lilydale to Yering.
The Glasgow firetrail, as it's affectionately known (it doesn't have an official name), is a brutal unmarked track that follows a rocky riverbed up the side of Mt. Dandenong on the outskirts of Melbourne, Victoria. It has an initial rise of about 400m over a distance of 1400m, or a 28% grade. It is as technically challenging navigating through the loose rock as it is physically demanding. It is also a much harder alternative to the popular 1000 steps track located on the other side of Mt.
What a crazy year it's been for me. It started off with migrating my blog from WordPress to Hugo, setting up some additional AWS services to complement my domain, and completing a few AWS based labs off the back of the AWS Certified Cloud Practitioner exam I sat in late 2018. I then started looking at some open source tools, namely Chris Long's Detection Lab and Quasar RAT, before starting a new role which mixed things up in a good way.
In my last post I wrote about Installing and Securing NodeRED. The reason behind this was twofold. First, NodeRED is pretty cool and I want to be able to do some more ETL (Extract, Transform, Load) operations for personal projects I want to start on. Second, I've been looking into TheHive webhooks functionality and needed some way to drive it that didn't require hundreds of lines of bespoke Python code.
Node-RED has traditionally been used for tapping into hardware devices and API endpoints to construct workflows in a drag and drop interface. It is quite extensible, given you can add your own code and data manipulations. I've seen Node-RED used to connect into power metering hardware, where it cleans up the data feed and customises the output to multiple destinations (in this case Splunk and an output file). A quick YouTube search shows there are many possible home automations with Node-RED.
Security Orchestration and Automated Response (SOAR): it's the natural evolution of where security teams are heading. As our numbers in this space never seem to be enough, we look to SOAR tools to automate, freeing up our time so we can spend it doing more productive things, like drinking coffee and threat hunting. Automation brings standard and repeatable processes which could just buy us that breathing space.
Defense in depth, it's a good thing. But how much is too much? While you could argue that you can never have enough security, the answer to that question really is: how big is your wallet? You want the best of breed of everything? Then it's going to cost you... dearly. While it would be amazing if that level of cash could be splashed, it's not always the case, and it's not always the best solution for your organisation.
Now that I've gone through a series on TheHive, I've started to expand on the capabilities of this DFIR platform by writing my own Responders. Responders are essentially a way to perform an enhancement action on a given case, alert or observable. The built-in Responders from the Cortex GitHub repo include a responder that will email the case or alert details to you, as well as responders that interface with CrowdStrike, QRadar, Umbrella and ZeroFox.