Meet Buckfast & Cortex, the Dynamic Duo

TheHive Project chefs have been busy in the code kitchen, working on an elaborate, very palatable recipe: Buckfast (v2.10.0), the latest and greatest iteration of your security incident response platform.

Buckfast contains many new features that we hope will prove useful in our collective fight against cybercrime and other evil. But instead of covering all of them in detail (which would make for a long, long read), we’d like to concentrate on a few that we deem particularly interesting.

Analysis just got better

With previous versions of TheHive, analyzing an observable meant creating a case, adding the observable to it, then selecting the analyzer(s) you wanted to run. This was rather time-consuming if your purpose was simply to quickly assess a domain, URL or another type of observable. Sadly, that was the only way to do it, as the analysis engine was embedded in TheHive’s back-end.

This also caused OPSEC issues. For example, if TheHive sits inside your corporate network, you may be reluctant to query some external services from it, as your IP address will be revealed to them. You also had to think carefully about how to implement an analyzer for a sandbox (or any other tool or service) that sits on a separate network.

To address these issues, and also to let fellow analysts unleash the power of the analyzers from other security incident response platforms, we created Cortex.

Figure: TheHive and Cortex Architecture

Alongside MISP, Cortex is the perfect companion to TheHive. Starting with Buckfast, you can connect your instance to one or several Cortex servers, depending on your OPSEC needs and security requirements: for example, one inside your network for analyzers that talk to internal tools, and one on a separate network for analyzers that query Internet services.
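As an added illustration (this is not from the original post), here is what declaring two Cortex servers looks like in TheHive’s application.conf, using the HOCON `cortex { "SERVER-ID" { url = ... } }` layout that TheHive 2.x uses for its Cortex connector. The server IDs, hostnames and ports below are placeholders chosen for this example.

```hocon
# Added example, not from the original post: TheHive 2.10 application.conf
# excerpt wiring the Cortex connector to two Cortex servers.
# Server IDs, hostnames and ports are placeholders.

# Enable the Cortex connector module
play.modules.enabled += connectors.cortex.CortexConnector

cortex {
  # Cortex instance on the internal network: hosts analyzers that talk to
  # in-house tools only (e.g. an on-premise sandbox), never the Internet
  "CORTEX-INTERNAL" {
    url = "http://cortex-internal.example.local:9001"
  }

  # Cortex instance on a separate, Internet-facing network: hosts analyzers
  # that query third-party services, so only that network's egress address,
  # not TheHive's corporate address, is revealed to them
  "CORTEX-EXTERNAL" {
    url = "https://cortex-dmz.example.net:9443"
  }
}
```

Which analyzers each instance offers is decided on the Cortex side, so the split only helps if the Internet-querying analyzers are installed on the external instance alone.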

Figure: Available reports can be accessed using the magnifying glass

TheHive comes with a report template engine that lets you shape the JSON output of Cortex analyzers to your taste instead of having to write your own parsers. And to give you a head start, we provide templates for all 13 analyzers that ship with Cortex 1.0.0. Ain’t that sweet?

We have also enhanced the Observables tab in TheHive Web UI so you can run all applicable analyzers with a single click!

Analyzers

Since the previous release of TheHive, we have added several new analyzers, bringing the total to 13, all of which you can use by deploying a Cortex instance. We have also improved existing ones. You’ll find the full list on GitHub. The new additions, some of which were contributed by our user community, are:

  • Abuse Finder: use CERT-SG’s Abuse Finder to find the abuse contact associated with domain names, URLs, IP and email addresses.
  • OTXQuery: query AlienVault Open Threat Exchange for IPs, domains, URLs or file hashes.
  • PassiveTotal: leverage RiskIQ’s PassiveTotal service to gain invaluable insight on observables and identify overlapping infrastructure using Passive DNS, WHOIS, SSL certificates and more.
  • URLCategory: check the Fortinet category of URLs.
  • Phishing Initiative: query Phishing Initiative to assess whether a URL has been flagged as a phishing site.
  • PhishTank: query PhishTank to assess whether a URL has been flagged as a phishing site.

We have also substantially improved the former Olevba analyzer and renamed it File_Info. It is in fact our first meta-analyzer, as it leverages a collection of tools to parse files in several formats such as OLE and OpenXML to detect VBA macros and extract their source code, to generate useful information on PE and PDF files, and much more.

Sorting, Filtering and Statistics

Instead of only the latest open cases, Buckfast displays all cases on the main page and lets you decide how you want to sort and filter them. For example, you can display only cases that carry specific tags or that are assigned to a particular incident handler. We have also added quick filters to show open or closed cases, as well as the cases assigned to you.

Buckfast can also display simple statistics on cases without opening the Statistics module page.

Figure: Statistics and Filters


Avatars

While previous TheHive versions allowed you to assign tasks to fellow handlers, Buckfast also lets you assign a whole case to a particular person, which helps ensure that all tasks are dealt with in a timely fashion and that the investigation gets completed. Case assignees are now visible on the main page thanks to their avatars, which they can upload from their user profile page. And before you ask: we won’t support animated GIFs. Seriously.

Figure: The New Main Screen of Buckfast

Download & Try

There are other interesting features worth detailing, but we’ll keep those for another installment. In the meantime, we highly encourage you to try Buckfast, Cortex or both, and let us know what you think.

If you are an existing TheHive 2.9.x user, we urge you to upgrade to Buckfast and deploy a Cortex instance to use the analyzers.
