Keep on Believing

Dear Users,

In the apology we posted last week, we promised you that we’ll come up with a concrete action plan to address our embarrassing miscalculation which left you running an outdated, potentially vulnerable Elasticsearch 5.6 instance to have your daily dose of your favourite Security Incident Response Platform (TheHive, n’est-ce pas ?) and its analysis and orchestration companion (Cortex, what else?).

Well, guess what? We are going to deliver on that promise and we will pay back not only our Elastic debt but also, and as described in our previous post, update the rather old AngularJS version we were using to the latest one.

What Have Been Done so Far on TheHive

We have almost completed TheHive 3.4.0-RC1, the next release candidate of TheHive, which will support ES 6 but also ES 5.6 to give you enough time to migrate before dropping the support of this dead software in the next major version (see below).

AngularJS and its sub projects have been upgraded to 1.7.8, the latest 1.x version as of this writing. Additionally, Grunt build dependencies have also been updated to their latest compatible versions.

What about Cortex?

Cortex 3, which is still a release candidate at this stage, has also been made compatible with ES 6 and 5.6. AngularJS and its sub projects have also been upgraded to 1.7.8.

If you are using Cortex 2, you will need to upgrade to the final release of Cortex 3.0.0 to get ES6 support (or to the next RC if you are a daring soul). Cortex 3 does not introduce breaking changes that would make the upgrade a hair-splitting process and you would still be able to use Cortex 2’s non-dockerized analyzers and configuration. We will provide a step-by-step migration guide in due time.

What is Going to Happen Next?

If we set the oven’s temperature right, TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 should be at your favourite cyberbakery sometime next week, for free as usual. And of course, we’ll give you a shout out as soon as we hear the ding sound indicating that cooking time is over.

We’ll detail how to taste these fresh pieces of code but to put it simply, a new version of elastic4play will be installed as part of the upgrade process and a migration step will occur. You can start by upgrading ES 5.6 to the latest version of ES 6 then update TheHive and Cortex or do it the other way around. You’ll be in control.

Any Regressions?

Well, *cough*, since you’ve asked, we feel compelled to answer:

  • TheHive and Cortex will use HTTP transport (9200/tcp by default) to connect to Elasticsearch instead of its native binary protocol (9300/tcp by default).
  • SSL/TLS, including when using a client certificate, can be configured to connect securely to ES. However this has not been tested yet.
  • Support of X-Pack and Search Guard is discontinued for anything but basic and SSL client authentication, which would still work (but we haven’t got around to check that yet).

How Can You Help

Easy! when we’ll tell you it’s time to take TheHive 3.4.0-RC1 and Cortex 3.0.0-RC3 for a spin, please do so and test them as thoroughly as possible. The better you test and report back any issues you encounter, the faster we’ll be able to polish the final releases for production environments.

Now all you gotta do is to sit tight, grab some popcorn and wait for the next episode of Game of Neurones.

An Apology

Dear Users,

We owe you an apology. We thought we would never need to support Elasticsearch 7 or even 6. We thought we could stick with the latest version of Elasticsearch 5 as the underlying storage and indexing engine for TheHive and Cortex until we would be able to complete the transition to a graph database. Moving to such a database is a necessity for your favourite open source, free Security Incident Response Platform and its analysis and orchestration companion, a necessity that has grown out of our frustration with Elasticsearch and its limitations, with the breaking changes that ES 6 introduced which forbid a smooth transition and puts a significant toll on an open source initiative such as ours.

We initially thought we could complete the transition by October of last year and finally offer you long-desired features such as RBAC and multi-tenancy as well as establish a solid ground to implement some exciting ideas that would help you lower the barrier to entry for junior analysts, save more time and concentrate on your work instead of having to master copy/paste between various interfaces or moving from one tool to the other.

Sadly, things did not play out the way we wanted. As TheHive and Cortex were adopted by more and more organisations, feature requests kept piling up and being generous bees, we have always strived to keep our users happy within the confines of our limited resources. Certainly, our user community helped us significantly by contributing a huge number of analyzers to Cortex in no time, making the total amount fly past the 100 landmark. However, we had to rely mostly on ourselves for heavy-duty backend work while steadily releasing new versions to satisfy the appetite for capabilities that sounded reasonable and feasible within a realistic, acceptable timeframe. Multi-tenancy and RBAC also proved more complex than initially foreseen and since we hate a half-baked recipe (blame it on our French culture and our love for delicious food), we did not want to rush things out and add flimsy ‘patch’ code.

Source : https://kininaru-korean.net/archives/10305

So we focused on supporting graph databases and working on multi-tenancy and RBAC. You certainly noticed our silence these past weeks. And we completely lost sight of the end of life of ES 5.6 until we realised recently that it was no longer supported by Elastic, not even in critical bug fix mode. When ES 7 was released on April 10, the death sentence of ES 5.6 was pronounced and its coffin permanently nailed.

We know this is a lot to stomach. Welcome to the Upside Down! But remember: keep calm. Help is already on the way and hopefully this time around the cops will arrive before the movie is over. We are shifting our priorities to release new major versions of TheHive and Cortex in order to use a supported version of ES. This work should take a few weeks at least. In the meantime, if you are using TheHive and Cortex with their own, standalone ES instance and you have implemented sane network security measures to shield ES against unwanted remote access, you should be fine.

We also took the opportunity to look at what other external code we rely on and that would need to be updated as well, to avoid falling in the EOL trap again. Glad we looked! The current versions of TheHive and Cortex both use AngularJS 1.5 (here, take a stone and throw it the Hulk’s way on Nabil’s forehead). We are going to update our frontends to use AngularJS 1.7.

We will come up imminently with a concrete action plan to address our embarrassing miscalculation. Meanwhile, please accept our sincere apologies and rest assured that we won’t let you down.

ごめんなさい 🙏🏼

A Short Story of Getting Work Done: TheHive 3.3.0

Some of our die-hard fans noticed that we silently released TheHive 3.3.0 a few days ago, after six release candidates. Well. Silently won’t be the right word to use in this case as we are drowning under work and feature requests and we sometimes postpone communication in favour of getting true real work done.

So, without any further ado, we are happy to announce the official availability of our latest (and of course greatest) release of the most-advanced, next-gen, HI (Human Intelligence), gluten-free, (add here any keyword that you fancy to help us get the Gartner attention and land in the Magic Quadrant™), free and open source Security Incident Response Platform Security Orchestration Automation & Response Platform.

As stated earlier, TheHive 3.3.0 went through the largest number of release candidates to date in order to ensure it contains more features than bugs (or unexpected functionality as our dear Nabil call them sometimes).

Since RC5 which we have blogged about on Feb 26, 2019, below is an outline of the changes we made. Check TheHive Installation Guide for installation instructions.

The new Related Alerts tab in Case View introduced in 3.3.0-RC5

Fixed Issues

  • #899: fix a crashing issue encountered with Firefox
  • #907: dynamic (auto-refresh) of cases was broken in 3.3.0-RC5
  • #930: merging cases by CaseID was broken

Implemented Enhancements

  • #666: add support for filtering tags by prefix and wildcard search
  • #901: remove the possibility of creating cases from scratch (i.e. empty cases) when explicitly disabled by an admin
  • #908: add support for text-based widgets to the dashboards
  • #912: responders can now add tags to alerts when triggered thanks to the new AddTagToAlert operation

Looking for Help?

Something does not work as expected? Then please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org.

Since You are Here

TheHive and Cortex are a huge success. According to our estimates, there are about a hundred organisations of different sizes and locations using or testing them. And as the number of users grows, so does the number of features, professional service and support requests. 

We tried finding a solution to keep TheHive Project as healthy as possible. So we created Creative Source, a nonprofit organisation (NPO), in the hope that we could leverage it to hire more developers thanks to the generous donations of our large user community. Sadly, not everyone in this world is generous and altruistic. At the end, all but one company (yes, exactly one) trusted us enough to make a donation and get tailored services for its needs in return. Most of the others either did not reply to our proposals or explained that their procurement process does not accommodate working with NPOs.

As we informed you a few weeks ago, some members of our core team are finalising an alternative option to ensure not only the viability of TheHive and Cortex as FOSS products on the long run but the ability to provide professional training, support, and services without making highly bureaucratic, think-in-the-box-but-never-outside procurement departments freak out.

Expect to hear from us soon…

Here comes the Sun (and TheHive 3.3-RC5)

On February 10, 2019, we released TheHive 3.3-RC2. It contained new features such as bulk alert merging, alert sorting, observable tag autocompletion, exporting case tags to MISP & more. Since then your favourite French code Chefs have been beesy refining TheHive 3.3 through new release candidates while getting Cortex 3 ready for prime time.

Over the weekend, Nabil decided he was not working enough already during the week. So he drained his batteries to the very last drop to release TheHive 3.3-RC5 before he crashed headfirst into his bed for a long, reparative sleep. Cumulatively since RC2, we added several features and squashed 10 bugs as described below.

Note that release candidates are beta software. You can get TheHive 3.3-RC5 from the pre-release, beta repositories. As usual, we encourage you to test it and report any bugs or issues you spot so we can address them before the final release. 

Check TheHive Installation guide for further details.

New Features

  • #485: disable clickable widgets when editing a dashboard.
  • #820: provide direct access to MISP events for those alerts that have been generated from such events.
Direct access to the MISP event from which this alert has been generated from
  • #829: improve password-protected ZIP imports.
  • #831: add auto-completion to case and observable tags in their respective Details pages.
  • #838: when you add an observable that already exists in another case, indicate whether the existing observable is an IOC or not.
  • #870: provide a link to copy the alert ID to the clipboard which allows you to easily manipulate an alert through TheHive4py.
Now the Alert ID can be directly copied to the clipboard without resorting to your browser dev mode
  • #884: add a Related Alerts tab to the Case view.
The new Related Alerts tab in Case View
  • #888: add a new UI configuration admin section. One of the first use cases of this section consist in disabling creating empty cases (i.e. cases not associated with a template). It will be gradually improved with new use cases so speak your mind!
  • #893: disable the case template selection when trying to merge multiple alerts for which no case template exists.
  • #897: mouseover text for alert preview.

Fixed Bugs

  • #856: various fixes related to alert updates and, when applicable, associated cases.
  • #869: use the observable TLP instead of the case TLP to decide whether a Cortex responder could be executed or not.
  • #871: fix log messages for MISP synchronisation.
  • #874: fix typo in alert labels (credits: Zachary Priddy).
  • #877: fix Akka version mismatch (credits: Zachary Priddy).
  • #890: the Hide Empty Case button in the new UI admin section was broken.
  • #894: when clicking on a donut or a widget in the dashboards, this should take you to the search page with predefined filters, without generating errors.
  • #895: exclude responder jobs from search results.
  • #896: dashboard clicks are not correctly translated into tag filters.

Looking for Help?

Something does not work as expected? Then please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org.

The Dockerization Will not be Televised

Do you know what the following set of commands achieve?

$ cd /opt/Cortex-Analyzers
$ sudo git pull
$ for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip2 install -U -r $I; done \
&& for I in $(find /opt/Cortex-Analyzers -name 'requirements.txt'); do sudo -H pip3 install -U \
-r $I || true; done

The answer is obvious Doctor Watson, right? These highly readable commands (pun intended) allow you to update your Cortex analyzers and responders to the latest stable versions, downloading new ones in the process, going over all the Python 2 and Python 3 dependencies to install the missing ones and upgrade the old ones to make sure they work correctly. These operations take quite a long time and cause some headaches in the process (Hello, I have Python 3.X and this dependency is no longer required, or Hi, I have an old version of Python 2 and it seems I need this other dependency).

And if you are lucky enough to get it running smoothly, you are still not done as you need to log in to the Cortex UI as an organisation administrator (unlike TheHive, Cortex supports multi-tenancy), click on the Refresh analyzers button under Organization > Analyzers then go to Organization > Responders and click on Refresh responders.

So while the answer to the opening question might be simple, updating analyzers and responders is far from being straightforward, to say the least, even if we forget the ugly fact that both are stored in a repository “conveniently” named Cortex-Analyzers*:

thehive@thehive-training:/opt/Cortex-Analyzers$ ls -d a* r*
analyzers  responders

Unnecessary Complexity Must Die

Your lovely, hard-working bees hate unnecessary complexity. Our project’s front page blatantly states our mission to bring Security Incident Response to the masses. And we have to stand by our words even if TheHive and Cortex are free, open source solutions and we do not gain anything from them save for the huge satisfaction of helping our fellow incident handlers level the fight against cybercriminals & all kinds of other animals of the APT (Advanced Persistent Troll Threat) bestiary.

There is only one possible solution: simplify the installation and update process of the current, official 115 analyzers and responders we have as of this writing, the future ones and any private or unofficial ones written in other programming languages such as those developed in Go by Rosetelecom-CERT.

Docker all the Things!

Starting from Cortex 3.0, the next major release of your favourite analysis and active response engine, all analyzers and responders will be dockerized. It will no longer be necessary to install them along with their various dependencies. They will be dowloaded from our cortexengine Docker organisation. Sysadmins might also configure automatic updates.

As a side advantage of using Docker, analyzers, and responders will also be isolated from each other which gives more flexibility and possibilities.

© Steve Simson. This artwork and the title of this blog post are inspired by The Revolution will not be televised, a song from the late and great Gil Scott-Heron.

For those users who have private, custom analyzers and responders that they don’t want or can’t share with the community, several options will be available:

  • Continue managing their analyzers and responders in the same way as currently supported by Cortex 2 (i.e. launch them as processes, with no isolation whatsoever).
  • Dockerize them and store them locally on their Cortex instance.
  • Dockerize them and publish them on a Docker registry, either the official one or a private registry.

A Docker image of Cortex 3 will still be provided. It will contain a Docker engine to launch dockerized analyzers and responders using DIND (Docker in Docker).

It won’t be necessary to modify the code of the current, official analyzers and responders. A drone job will monitor the analyzer and responder repository and automatically build docker images when it detects changes.

The Cortex Web interface will be slightly modified to accommodate the whole process and allow adding in-house/private Certificate Authorities to allow Cortex to smoothly perform updates in those corporate environments where TLS/SSL inspection is enabled.

Nice Movie Trailer. When is it Coming to a Theatre near me?

We are working hard to get Cortex 3 out of the oven in Q1 (of this year, yes). We will reach out to you, dear reader, in due time, to help us test it and refine it before putting it on the digital shelf for free, as usual. We will provide a smooth migration path in order to move safely your current analyzers and responders and their configuration to Cortex 3.

So to paraphrase the late and great Gil Scott-Heron:

The dockerization will not be televised

The dockerization will not be televised

The dockerization will be live.

Since you are here

The success of TheHive and Cortex continue to grow, far more than we initially foresaw. As far as we know, there are about a hundred organisations of different sizes and locations using or testing them. And as the number of users grows, so does the number of features, professional service and support requests.

We have tried addressing these requests through Creative Source, a nonprofit organisation (NPO). All but one company trusted us enough to make a donation and get tailored services for its needs in return. Most of the others either did not reply to our proposals or explained that their procurement process does not accommodate working with NPOs.

Some members of our core team are actively working on alternative options to ensure not only the viability of TheHive and Cortex as FOSS products on the long run but the ability to provide professional training, support, and services without freaking out highly bureaucratic, think-in-the-box-but-never-outside procurement departments.

Stay tuned 🐝


(*) When the idea behind Cortex was born into our hive mind, we did not initially think about active response capabilities. So we naturally called the repository which was supposed to contain analyzers Cortex-Analyzers . When, at a later stage, we added responders, we put them in the same repository for obvious laziness pretences  ¯\_(ツ)_/¯.

Correction: February 15, 2019
Typographical errors have been corrected. Some rewording has been made for the sake of clarity.

UnshortenLink, SSRF and Cortex-Analyzers 1.15.2

We urge our fellow fighters of cybercrime and funny and not-so-funny animals-in-disguise, to update their Cortex analyzers to the latest 1.15.2 version which plugs a serious vulnerability in the Unshortenlink analyzer and fixes several bugs.

Unshortenlink Vulnerability

On Jan 24, Alexandre Basquin discovered a SSRF vulnerability in the Unshortenlink 1.0 analyzer. By exploiting it, an attacker which has access to a Cortex instance with an analyze role can scan the ports of localhost and possibly of all the hosts reachable by Cortex. This could be automated through Cortex4py by making repetitive calls to the API and thus scanning multiple ports & hosts. In essence, the attacker can perform reconnaissance thanks to Unshortenlink and gain knowledge on which ports are open and which aren’t.

Version 1.1 of Unshortenlink, included in Cortex-Analyzers 1.15.2, plugs this vulnerability by disabling submissions containing IPs & ports. Only URLs are now accepted.

Bug Fixes

Additionally, Cortex-Analyzers 1.15.2 corrects the following bugs:

  • #416: the Mailer responder now supports UTF-8 encoding.
  • #410: remove wrapping of the results produced by crt.sh as a list which ends up breaking the output of the report template. Contributed by Thomas Kastner.
  • #409: enum is not required for Python 3.4+ to make the MISP Search analyzer work.
  • #408: FileInfo’s Manalyze plugin did not work after Manalyze renamed plugin_btcaddress to plugin_cryptoaddress.
  • #406: fix a broken link in the Cymon_Check_IP report, submitted by Manabu Niseki.
  • #313: fix wrong file handling in OTXQuery.

How to Update your Analyzers?

To update your analyzers to version 1.15.2, please read the Updating section of the Cortex installation guide.

Since the version numbers of few analyzers have changed, you’ll need to connect as an orgadmin to Cortex to refresh the analyzer list, disabling old ones and enabling the new versions.

TheHive Report Templates

If you are using TheHive, you must import the new report templates in your instance as follows:

  • download the updated package
  • log in TheHive using an administrator account
  • go to Admin > Report templates menu
  • click on Import templates button and select the downloaded package

Wait a Minute! Where’s the Blog Post about 1.15.1?

Good catch! There was no blog post about Cortex-Analyzers 1.15.1. Call us lazy but there was nothing Earth-shattering, pole-shifting in that release. Nonetheless, here are a list of fixes included in that release and from which you’ll inherit automatically if you update 1.15.0 to 1.15.2 directly:

  • #402: Malwares analyzer code relied on functionality that’s only available in Python 3.7+. It has been fixed to work with 3.4 and up thanks to the work of Arcuri Davide.
  • #404: fixes a bad folder renaming in the HIBP (Have I Been Pwned) analyzer.
  • #398: MISP Search analyzer wouldn’t run without the enum dependency. Contributed by Mars Huang. Later improved in 1.15.2 (see above).

No Luck Luke?

If something does not work as expected, keep calm and ask on our user forum, reach out to fellow users on Gitter, or send us an email at support@thehive-project.org.

TheHive 3.3-RC2, Hot out of the Oven

TheHive Project’s code Chefs, dressed in their outright haute cuisine outfit, including the traditional toque blanche, have been quite busy lately, working on dockerizing all the Cortex analyzers (more on this later in an upcoming post), and doing tedious work to prepare the replacement of Elasticsearch by a GraphDB which will help us finally release much-awaited features such as multi-tenancy, delayed for way too many months (yeah, yeah, don’t chastise them but feel free to help them). In the meantime, they found enough bandwidth to release a new major version of TheHive.

Version 3.3, currently a release candidate includes several bug fixes and many new features as outlined below. Please note that TheHive 3.3-RC2 is beta software. As all our other release candidates, you can grab it from the pre-release, beta repositories. As usual, we would truly appreciate your help making it a great stable release by testing it as thoroughly as possible and reporting back any bugs or issues you encounter so we can address them before the final release.

Check TheHive Installation guide for further details.

Wait! Where’s RC1?

TheHive 3.3-RC1 was very short-lived. Few hours after its release, and thanks to Chris (a.k.a. crackytsi on GitHub), Thomas Franco, our back-end mastermind, discovered an issue with the Debian 8 and Debian 9 packages.

New Features

  • #836: add a new exportCaseTags parameter to the MISP configuration section. If set to true, all the tags associated with a case will be exported along with it to MISP.
  • #861: add support for Java higher than 8, such as OpenJDK 11.
  • #271: bulk merge alerts into a case. Select multiple alerts at once and create a single case out of them or merge them into an existing case using its ID.
  • #824: add ability to sort alerts by reference, status, type, source…
  • #826: when previewing an alert, there are sometimes no overlap with an existing case. However, an analyst might already know, thanks to HI (Human Intelligence), that the alert should be merged into a specific case. This is now possible thanks to a new button.
  • #769: improve case template selection for case creation. If you have defined a large set of case templates, you will be able to sort/filter to find the case you want to use when creating a New Case.
New case template selector
  • #657: add observable tags auto-completion. Contributed by Tyler Chong (Thanks!).
Observable tag auto-completion

Fixed Bugs

  • #864: do not return a session cookie when making an API call.
  • #856: there was a bug where after a followed alert PATCH, if the alert has already been promoted to a case, the case is not updated. Now, if the alert has follow=true, if it gets updated, its status is set to Updated and the related case is updated too.
  • #845: assigned but unstarted tasks were not showing up in My Tasks.
  • #844: enable user account locking through the Delete API endpoint.

Stuck?

Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.