Well this one was a bit of a learning experience for me. You see I have dabbled in the past with Traefik which seems to fit naturally when it comes to reverse proxy and Docker, but my efforts have come up short in the past through no fault but my own. Perhaps it was the fact I was trying to run before I could even crawl. Not to worry though.
While im still getting myself familiar with OpenCTI and building out an actor profile, I thought I’d link it up with my MISP instance. OpenCTI provides a connector to do this which will require an update to the docker-compose.yml file and an update of the stack. If you have been following along, this post is a continuation of Installing OpenCTI. To add the MISP connector, login to Portainer and select Stacks, opencti.
OpenCTI is an open source Cyber Threat Intelligence platform that provides a powerful knowledge management database for storing, organising and sharing knowledge about cyber threats and uses the STIX2 schema for it structure. It has been designed for CTI analysts. The platform is built on Modern technologies of Grakn, GraphQL, Elastic, RabbitMQ, Redis and React. The project is available as a docker image which make installation simple. While I’m probably not going to do the best job of talking up the full feature set of this platform, you can view more about it on their website and github page.
This post is a continuation of TheHive v4 RC1 in that I am providing the instructions to add Internal Authentication to Cassandra as well as a reverse proxy so we can connect back to TheHive with https. Add Internal Authentication to Cassandra It is recommended that you don’t allow access to the cqlsh unless there is some sort of authentication mechanism attached to it. There are too many horror stories of databases being dumped, and the internal authentication will make it that little bit harder to access from the cqlsh shell.
TheHive version 4 RC1, it’s here, its been here for a solid few weeks and I’m only just getting around to checking it out now. The new update looks to include a few nice features and a welcome back end technology refresh which should keep the platform in support for a good while yet. At this stage, I would not suggest attempting to either upgrade your existing version 3 installations to version 4, or run a clean install as your main case management production system if you’re just starting out, but get to know this version by spinning up a new virtual machine because when the time comes around, you will give yourself a good leg up.
Cortex 3.0.1: The better logging edition has been released now. I am quite surprised that the developers were able to release a point upgrade out while they are working on the new major release of TheHive but I welcome it as it brings a number of fixes and enhancements which you can read about on TheHive project Blog. Some of the bug fixes will make my life easier as some logging issues have been corrected which will make testing and developing responders for Cortex less painful.
In my last post I wrote about Installing and Securing NodeRED. The reason behind this was twofold. First, NodeRED is pretty cool and I want to be able to do some more ETL (Extract, Transform, Load) operations for personal projects I want to start on and secondly, I’ve been looking into TheHive webhooks functionality and needed some way to drive it in a way that didn’t require hundreds of lines of bespoke python code.
User awareness training, it matters, more than you think it does. These days security is everybody’s responsibility and not just those running your information security team. Defense in depth and technical controls are not foolproof and it only takes a single well crafted email and your organisation could be owned. People are the last line of defense so we need to train staff to adopt a critical mindset in the hostility of email.
This is the formal end of this series but I wanted to write a quick conclusion peice, so this post is a reflection about this 4 in 1 open source threat and incident response platform and the journey to get there. All the other posts in this series can be found here: Part I - Building TheHive Part II - Setup reverse proxy for TheHive Part III - Building MISP
This is part 11 of the series about TheHive/MISP/Cortex and im covering off an upgrade of Cortex from 2.1.3 to 3.0.0. The other posts for this series can be found here: Part I - Building TheHive Part II - Setup reverse proxy for TheHive Part III - Building MISP Part IV - Building Cortex Part V - Adding analyzers to Cortex Part VI - Setup reverse proxy for Cortex
This is part 10 of this series. In this part I’m updating multiple minor versions of MISP. The other posts for this series can be found here: Part I - Building TheHive Part II - Setup reverse proxy for TheHive Part III - Building MISP Part IV - Building Cortex Part V - Adding analyzers to Cortex Part VI - Setup reverse proxy for Cortex Part VII - Integrate TheHive and Cortex
This is part 9 where I begin to lifecycle manage TheHive/MISP/Cortex software stack. Previous posts in this series are here: Part I - Building TheHive Part II - Setup reverse proxy for TheHive Part III - Building MISP Part IV - Building Cortex Part V - Adding analyzers to Cortex Part VI - Setup reverse proxy for Cortex Part VII - Integrate TheHive and Cortex Part VIII - Integrate MISP to TheHive
Template by Bootstrapious. Ported to Hugo by DevCows
