By Adrian | October 12, 2019
This is the formal end of this series, but I wanted to write a quick conclusion piece, so this post is a reflection about this 4 in 1 open source threat and incident response platform and the journey to get there. All the other posts in this series can be found here:
Part I - Building TheHive
Part II - Setup reverse proxy for TheHive
Part III - Building MISP
Part IV - Building Cortex
Part V - Adding analyzers to Cortex
Part VI - Setup reverse proxy for Cortex
Part VII - Integrate TheHive and Cortex
Part VIII - Integrate MISP to TheHive
Part IX - Upgrading TheHive
Part X - Updating MISP
Part XI - Upgrading Cortex
Part XII - Wrapup of TheHive, MISP, Cortex
If you're currently not using any system to manage your threat intelligence and case management, this trio is something you really need to take a good look into. A port scan now could turn into a popped web server, or a phishing email could turn into a toehold on your network. These tools really do allow you to see the bigger picture to track, manage and respond to the indicators. It can't be said enough that it does become invaluable when putting the pieces together in an investigation.
What started off in April as a necessity of needing to know this platform for work has turned out to be a great learning experience for me as I've built, integrated and lifecycle-managed this platform. I know that I'm just starting to scratch the surface of this amazing project. It's driving me to tap into the automation capabilities and to dabble even more into Python, which is something I've been putting off for too long.
As far as this project went for me, I know that there are probably a few things along the way that I could have improved on in terms of the build, such as:
- better server hardening (this is dev, but it isn't a good excuse)
- web server SSL configuration
- file ownership and permissions for backups
But these are all things that aren't show stoppers and can be fixed, and this has been more about the journey rather than the destination.
I am hoping in the future that I can continue with snippets and write-ups about other major functionalities available in this platform, and I don't think I'm done, not by a long shot. Off the top of my head I can think of these topics that are worthy of their own posts:
- backup TheHive/Cortex and restore to a new system
- managing analysers/responders with git
- force resetting passwords from the console
- writing analysers and responders
- adding Docker to Cortex for the analysers/responders
- adding Taxonomies/Galaxies to MISP
- adding additional threat feeds to MISP
The people behind both TheHive and MISP really have done an amazing job with these Free and Open Source tools. I hope that this series has been able to provide some value for you and happy hunting.
GitHub references
TheHive Project
Cortex
Cortex Analysers
TheHive Docs
Cortex Docs
MISP